X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_sqlauth.cpp;h=0ae51a86eaa339d0bcb79e0bd5b5b3ce3a9e2243;hb=HEAD;hp=6763e82145d512736be922873d565dc08d34b6fb;hpb=67a4a9b62355ea57a2f4521ca5fc53bd4eac3a1f;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/m_sqlauth.cpp b/src/modules/m_sqlauth.cpp
index 6763e8214..0ae51a86e 100644
--- a/src/modules/m_sqlauth.cpp
+++ b/src/modules/m_sqlauth.cpp
@@ -1,191 +1,226 @@
-/*       +------------------------------------+
- *       | Inspire Internet Relay Chat Daemon |
- *       +------------------------------------+
+/*
+ * InspIRCd -- Internet Relay Chat Daemon
  *
- *  InspIRCd: (C) 2002-2009 InspIRCd Development Team
- * See: http://wiki.inspircd.org/Credits
+ *   Copyright (C) 2015 Daniel Vassdal <shutter@canternet.org>
+ *   Copyright (C) 2013, 2017-2019 Sadie Powell <sadie@witchery.services>
+ *   Copyright (C) 2012-2015 Attila Molnar <attilamolnar@hush.com>
+ *   Copyright (C) 2012, 2019 Robby <robby@chatbelgie.be>
+ *   Copyright (C) 2009-2010 Daniel De Graaf <danieldg@inspircd.org>
+ *   Copyright (C) 2007-2008 Robin Burchell <robin+git@viroteck.net>
+ *   Copyright (C) 2007 Dennis Friis <peavey@inspircd.org>
+ *   Copyright (C) 2005, 2007-2008, 2010 Craig Edwards <brain@inspircd.org>
  *
- * This program is free but copyrighted software; see
- *            the file COPYING for details.
+ * This file is part of InspIRCd.  InspIRCd is free software: you can
+ * redistribute it and/or modify it under the terms of the GNU General Public
+ * License as published by the Free Software Foundation, version 2.
  *
- * ---------------------------------------------------
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-#include "inspircd.h"
-#include "m_sqlv2.h"
-#include "m_sqlutils.h"
-#include "m_hash.h"
 
-/* $ModDesc: Allow/Deny connections based upon an arbitary SQL table */
-/* $ModDep: m_sqlv2.h m_sqlutils.h m_hash.h */
+#include "inspircd.h"
+#include "modules/sql.h"
+#include "modules/hash.h"
+#include "modules/ssl.h"
+
+enum AuthState {
+	AUTH_STATE_NONE = 0,
+	AUTH_STATE_BUSY = 1,
+	AUTH_STATE_FAIL = 2
+};
 
-class ModuleSQLAuth : public Module
+class AuthQuery : public SQL::Query
 {
-	LocalIntExt sqlAuthed;
-	Module* SQLutils;
-	Module* SQLprovider;
-
-	std::string freeformquery;
-	std::string killreason;
-	std::string allowpattern;
-	std::string databaseid;
-
+ public:
+	const std::string uid;
+	LocalIntExt& pendingExt;
 	bool verbose;
+	const std::string& kdf;
+	const std::string& pwcolumn;
+
+	AuthQuery(Module* me, const std::string& u, LocalIntExt& e, bool v, const std::string& kd, const std::string& pwcol)
+		: SQL::Query(me)
+		, uid(u)
+		, pendingExt(e)
+		, verbose(v)
+		, kdf(kd)
+		, pwcolumn(pwcol)
+	{
+	}
 
-public:
-	ModuleSQLAuth() : sqlAuthed("sqlauth", this)
+	void OnResult(SQL::Result& res) CXX11_OVERRIDE
 	{
-		ServerInstance->Modules->UseInterface("SQLutils");
-		ServerInstance->Modules->UseInterface("SQL");
+		LocalUser* user = IS_LOCAL(ServerInstance->FindUUID(uid));
+		if (!user)
+			return;
 
-		SQLutils = ServerInstance->Modules->Find("m_sqlutils.so");
-		if (!SQLutils)
-			throw ModuleException("Can't find m_sqlutils.so. Please load m_sqlutils.so before m_sqlauth.so.");
+		if (res.Rows())
+		{
+			if (!kdf.empty())
+			{
+				HashProvider* hashprov = ServerInstance->Modules->FindDataService<HashProvider>("hash/" + kdf);
+				if (!hashprov)
+				{
+					if (verbose)
+						ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (a provider for %s was not loaded)", user->GetFullRealHost().c_str(), kdf.c_str());
+					pendingExt.set(user, AUTH_STATE_FAIL);
+					return;
+				}
 
-		SQLprovider = ServerInstance->Modules->FindFeature("SQL");
-		if (!SQLprovider)
-			throw ModuleException("Can't find an SQL provider module. Please load one before attempting to load m_sqlauth.");
+				size_t colindex = 0;
+				if (!pwcolumn.empty() && !res.HasColumn(pwcolumn, colindex))
+				{
+					if (verbose)
+						ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (the column specified (%s) was not returned)", user->GetFullRealHost().c_str(), pwcolumn.c_str());
+					pendingExt.set(user, AUTH_STATE_FAIL);
+					return;
+				}
 
-		OnRehash(NULL);
-		Implementation eventlist[] = { I_OnUserDisconnect, I_OnCheckReady, I_OnRehash, I_OnUserRegister };
-		ServerInstance->Modules->Attach(eventlist, this, 4);
+				SQL::Row row;
+				while (res.GetRow(row))
+				{
+					if (hashprov->Compare(user->password, row[colindex]))
+					{
+						pendingExt.set(user, AUTH_STATE_NONE);
+						return;
+					}
+				}
+
+				if (verbose)
+					ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (password from the SQL query did not match the user provided password)", user->GetFullRealHost().c_str());
+				pendingExt.set(user, AUTH_STATE_FAIL);
+				return;
+			}
+
+			pendingExt.set(user, AUTH_STATE_NONE);
+		}
+		else
+		{
+			if (verbose)
+				ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (SQL query returned no matches)", user->GetFullRealHost().c_str());
+			pendingExt.set(user, AUTH_STATE_FAIL);
+		}
 	}
 
-	virtual ~ModuleSQLAuth()
+	void OnError(SQL::Error& error) CXX11_OVERRIDE
 	{
-		ServerInstance->Modules->DoneWithInterface("SQL");
-		ServerInstance->Modules->DoneWithInterface("SQLutils");
+		User* user = ServerInstance->FindNick(uid);
+		if (!user)
+			return;
+		pendingExt.set(user, AUTH_STATE_FAIL);
+		if (verbose)
+			ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (SQL query failed: %s)", user->GetFullRealHost().c_str(), error.ToString());
 	}
+};
 
+class ModuleSQLAuth : public Module
+{
+	LocalIntExt pendingExt;
+	dynamic_reference<SQL::Provider> SQL;
+	UserCertificateAPI sslapi;
 
-	void OnRehash(User* user)
+	std::string freeformquery;
+	std::string killreason;
+	std::string allowpattern;
+	bool verbose;
+	std::vector<std::string> hash_algos;
+	std::string kdf;
+	std::string pwcolumn;
+
+ public:
+	ModuleSQLAuth()
+		: pendingExt("sqlauth-wait", ExtensionItem::EXT_USER, this)
+		, SQL(this, "SQL")
+		, sslapi(this)
 	{
-		ConfigReader Conf;
-
-		databaseid	= Conf.ReadValue("sqlauth", "dbid", 0);			/* Database ID, given to the SQL service provider */
-		freeformquery	= Conf.ReadValue("sqlauth", "query", 0);	/* Field name where username can be found */
-		killreason	= Conf.ReadValue("sqlauth", "killreason", 0);	/* Reason to give when access is denied to a user (put your reg details here) */
-		allowpattern	= Conf.ReadValue("sqlauth", "allowpattern",0 );	/* Allow nicks matching this pattern without requiring auth */
-		verbose		= Conf.ReadFlag("sqlauth", "verbose", 0);		/* Set to true if failed connects should be reported to operators */
 	}
 
-	ModResult OnUserRegister(User* user)
+	void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE
 	{
-		if ((!allowpattern.empty()) && (InspIRCd::Match(user->nick,allowpattern)))
-		{
-			sqlAuthed.set(user, 1);
-			return MOD_RES_PASSTHRU;
-		}
-
-		if (!CheckCredentials(user))
-		{
-			ServerInstance->Users->QuitUser(user, killreason);
-			return MOD_RES_DENY;
-		}
-		return MOD_RES_PASSTHRU;
+		ConfigTag* conf = ServerInstance->Config->ConfValue("sqlauth");
+		std::string dbid = conf->getString("dbid");
+		if (dbid.empty())
+			SQL.SetProvider("SQL");
+		else
+			SQL.SetProvider("SQL/" + dbid);
+		freeformquery = conf->getString("query");
+		killreason = conf->getString("killreason");
+		allowpattern = conf->getString("allowpattern");
+		verbose = conf->getBool("verbose");
+		kdf = conf->getString("kdf");
+		pwcolumn = conf->getString("column");
+
+		hash_algos.clear();
+		irc::commasepstream algos(conf->getString("hash", "md5,sha256"));
+		std::string algo;
+		while (algos.GetToken(algo))
+			hash_algos.push_back(algo);
 	}
 
-	bool CheckCredentials(User* user)
+	ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE
 	{
-		std::string thisquery = freeformquery;
-		std::string safepass = user->password;
-		std::string safegecos = user->fullname;
-
-		/* Search and replace the escaped nick and escaped pass into the query */
-
-		SearchAndReplace(safepass, std::string("\""), std::string("\\\""));
-		SearchAndReplace(safegecos, std::string("\""), std::string("\\\""));
+		// Note this is their initial (unresolved) connect block
+		ConfigTag* tag = user->MyClass->config;
+		if (!tag->getBool("usesqlauth", true))
+			return MOD_RES_PASSTHRU;
 
-		SearchAndReplace(thisquery, std::string("$nick"), user->nick);
-		SearchAndReplace(thisquery, std::string("$pass"), safepass);
-		SearchAndReplace(thisquery, std::string("$host"), user->host);
-		SearchAndReplace(thisquery, std::string("$ip"), std::string(user->GetIPString()));
-		SearchAndReplace(thisquery, std::string("$gecos"), safegecos);
-		SearchAndReplace(thisquery, std::string("$ident"), user->ident);
-		SearchAndReplace(thisquery, std::string("$server"), std::string(user->server));
-		SearchAndReplace(thisquery, std::string("$uuid"), user->uuid);
+		if (!allowpattern.empty() && InspIRCd::Match(user->nick,allowpattern))
+			return MOD_RES_PASSTHRU;
 
-		Module* HashMod = ServerInstance->Modules->Find("m_md5.so");
+		if (pendingExt.get(user))
+			return MOD_RES_PASSTHRU;
 
-		if (HashMod)
+		if (!SQL)
 		{
-			SearchAndReplace(thisquery, std::string("$md5pass"), HashRequest(this, HashMod, user->password).hex());
+			ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (SQL database not present)", user->GetFullRealHost().c_str());
+			ServerInstance->Users->QuitUser(user, killreason);
+			return MOD_RES_PASSTHRU;
 		}
 
-		HashMod = ServerInstance->Modules->Find("m_sha256.so");
+		pendingExt.set(user, AUTH_STATE_BUSY);
 
-		if (HashMod)
+		SQL::ParamMap userinfo;
+		SQL::PopulateUserInfo(user, userinfo);
+		userinfo["pass"] = user->password;
+		userinfo["certfp"] = sslapi ? sslapi->GetFingerprint(user) : "";
+
+		for (std::vector<std::string>::const_iterator it = hash_algos.begin(); it != hash_algos.end(); ++it)
 		{
-			SearchAndReplace(thisquery, std::string("$sha256pass"), HashRequest(this, HashMod, user->password).hex());
+			HashProvider* hashprov = ServerInstance->Modules->FindDataService<HashProvider>("hash/" + *it);
+			if (hashprov && !hashprov->IsKDF())
+				userinfo[*it + "pass"] = hashprov->Generate(user->password);
 		}
 
-		/* Build the query */
-		SQLrequest req = SQLrequest(this, SQLprovider, databaseid, SQLquery(thisquery));
-
-		req.Send();
-		/* When we get the query response from the service provider we will be given an ID to play with,
-		 * just an ID number which is unique to this query. We need a way of associating that ID with a User
-		 * so we insert it into a map mapping the IDs to users.
-		 * Thankfully m_sqlutils provides this, it will associate a ID with a user or channel, and if the user quits it removes the
-		 * association. This means that if the user quits during a query we will just get a failed lookup from m_sqlutils - telling
-		 * us to discard the query.
-		 */
-		AssociateUser(this, SQLutils, req.id, user).Send();
+		SQL->Submit(new AuthQuery(this, user->uuid, pendingExt, verbose, kdf, pwcolumn), freeformquery, userinfo);
 
-		return true;
+		return MOD_RES_PASSTHRU;
 	}
 
-	void OnRequest(Request& request)
+	ModResult OnCheckReady(LocalUser* user) CXX11_OVERRIDE
 	{
-		if(strcmp(SQLRESID, request.id) == 0)
+		switch (pendingExt.get(user))
 		{
-			SQLresult* res = static_cast<SQLresult*>(&request);
-
-			User* user = GetAssocUser(this, SQLutils, res->id).S().user;
-			UnAssociate(this, SQLutils, res->id).S();
-
-			if(user)
-			{
-				if(res->error.Id() == SQL_NO_ERROR)
-				{
-					if(res->Rows())
-					{
-						/* We got a row in the result, this is enough really */
-						sqlAuthed.set(user, 1);
-					}
-					else if (verbose)
-					{
-						/* No rows in result, this means there was no record matching the user */
-						ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s!%s@%s (SQL query returned no matches)", user->nick.c_str(), user->ident.c_str(), user->host.c_str());
-					}
-				}
-				else if (verbose)
-				{
-					ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s!%s@%s (SQL query failed: %s)", user->nick.c_str(), user->ident.c_str(), user->host.c_str(), res->error.Str());
-				}
-			}
-			else
-			{
-				return;
-			}
-
-			if (!sqlAuthed.get(user))
-			{
+			case AUTH_STATE_NONE:
+				return MOD_RES_PASSTHRU;
+			case AUTH_STATE_BUSY:
+				return MOD_RES_DENY;
+			case AUTH_STATE_FAIL:
 				ServerInstance->Users->QuitUser(user, killreason);
-			}
+				return MOD_RES_DENY;
 		}
+		return MOD_RES_PASSTHRU;
 	}
 
-	ModResult OnCheckReady(User* user)
-	{
-		return sqlAuthed.get(user) ? MOD_RES_PASSTHRU : MOD_RES_DENY;
-	}
-
-	Version GetVersion()
+	Version GetVersion() CXX11_OVERRIDE
 	{
-		return Version("Allow/Deny connections based upon an arbitary SQL table", VF_VENDOR);
+		return Version("Allows connecting users to be authenticated against an arbitrary SQL table.", VF_VENDOR);
 	}
-
 };
 
 MODULE_INIT(ModuleSQLAuth)