X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_sqlauth.cpp;h=43850d07fbe4a3c8d0ed16e169f0dc5e7fb536cc;hb=6cfabb0064cab52bbbab59974e53dc0fa1954da7;hp=9b8a27ab769060c42ee100f52c2815b6be00e6c9;hpb=54fb0cd5aa7d090d5c3da5ab54988c86ba8a2e8e;p=user%2Fhenk%2Fcode%2Finspircd.git diff --git a/src/modules/m_sqlauth.cpp b/src/modules/m_sqlauth.cpp index 9b8a27ab7..43850d07f 100644 --- a/src/modules/m_sqlauth.cpp +++ b/src/modules/m_sqlauth.cpp @@ -1,180 +1,226 @@ -/* +------------------------------------+ - * | Inspire Internet Relay Chat Daemon | - * +------------------------------------+ +/* + * InspIRCd -- Internet Relay Chat Daemon * - * InspIRCd: (C) 2002-2009 InspIRCd Development Team - * See: http://wiki.inspircd.org/Credits + * Copyright (C) 2015 Daniel Vassdal + * Copyright (C) 2013, 2017-2019 Sadie Powell + * Copyright (C) 2012-2015 Attila Molnar + * Copyright (C) 2012, 2019 Robby + * Copyright (C) 2009-2010 Daniel De Graaf + * Copyright (C) 2007-2008, 2010 Craig Edwards + * Copyright (C) 2007-2008 Robin Burchell + * Copyright (C) 2007 Dennis Friis * - * This program is free but copyrighted software; see - * the file COPYING for details. + * This file is part of InspIRCd. InspIRCd is free software: you can + * redistribute it and/or modify it under the terms of the GNU General Public + * License as published by the Free Software Foundation, version 2. * - * --------------------------------------------------- + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . */ + #include "inspircd.h" -#include "m_sqlv2.h" -#include "m_sqlutils.h" -#include "m_hash.h" +#include "modules/sql.h" +#include "modules/hash.h" +#include "modules/ssl.h" + +enum AuthState { + AUTH_STATE_NONE = 0, + AUTH_STATE_BUSY = 1, + AUTH_STATE_FAIL = 2 +}; + +class AuthQuery : public SQL::Query +{ + public: + const std::string uid; + LocalIntExt& pendingExt; + bool verbose; + const std::string& kdf; + const std::string& pwcolumn; + + AuthQuery(Module* me, const std::string& u, LocalIntExt& e, bool v, const std::string& kd, const std::string& pwcol) + : SQL::Query(me) + , uid(u) + , pendingExt(e) + , verbose(v) + , kdf(kd) + , pwcolumn(pwcol) + { + } -/* $ModDesc: Allow/Deny connections based upon an arbitary SQL table */ -/* $ModDep: m_sqlv2.h m_sqlutils.h m_hash.h */ + void OnResult(SQL::Result& res) CXX11_OVERRIDE + { + LocalUser* user = IS_LOCAL(ServerInstance->FindUUID(uid)); + if (!user) + return; + + if (res.Rows()) + { + if (!kdf.empty()) + { + HashProvider* hashprov = ServerInstance->Modules->FindDataService("hash/" + kdf); + if (!hashprov) + { + if (verbose) + ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (a provider for %s was not loaded)", user->GetFullRealHost().c_str(), kdf.c_str()); + pendingExt.set(user, AUTH_STATE_FAIL); + return; + } + + size_t colindex = 0; + if (!pwcolumn.empty() && !res.HasColumn(pwcolumn, colindex)) + { + if (verbose) + ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (the column specified (%s) was not returned)", user->GetFullRealHost().c_str(), pwcolumn.c_str()); + pendingExt.set(user, AUTH_STATE_FAIL); + return; + } + + SQL::Row row; + while (res.GetRow(row)) + { + if (hashprov->Compare(user->password, row[colindex])) + { + pendingExt.set(user, AUTH_STATE_NONE); + return; + } + } + + if (verbose) + ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (password from the SQL query did not match the user provided password)", user->GetFullRealHost().c_str()); + pendingExt.set(user, AUTH_STATE_FAIL); + return; + } + + pendingExt.set(user, AUTH_STATE_NONE); + } + else + { + if (verbose) + ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (SQL query returned no matches)", user->GetFullRealHost().c_str()); + pendingExt.set(user, AUTH_STATE_FAIL); + } + } + + void OnError(SQL::Error& error) CXX11_OVERRIDE + { + User* user = ServerInstance->FindNick(uid); + if (!user) + return; + pendingExt.set(user, AUTH_STATE_FAIL); + if (verbose) + ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (SQL query failed: %s)", user->GetFullRealHost().c_str(), error.ToString()); + } +}; class ModuleSQLAuth : public Module { - LocalIntExt sqlAuthed; - Module* SQLutils; - Module* SQLprovider; + LocalIntExt pendingExt; + dynamic_reference SQL; + UserCertificateAPI sslapi; std::string freeformquery; std::string killreason; std::string allowpattern; - std::string databaseid; - bool verbose; - -public: - ModuleSQLAuth() : sqlAuthed("sqlauth", this) + std::vector hash_algos; + std::string kdf; + std::string pwcolumn; + + public: + ModuleSQLAuth() + : pendingExt("sqlauth-wait", ExtensionItem::EXT_USER, this) + , SQL(this, "SQL") + , sslapi(this) { - SQLutils = ServerInstance->Modules->Find("m_sqlutils.so"); - if (!SQLutils) - throw ModuleException("Can't find m_sqlutils.so. Please load m_sqlutils.so before m_sqlauth.so."); - - ServiceProvider* prov = ServerInstance->Modules->FindService(SERVICE_DATA, "SQL"); - if (!prov) - throw ModuleException("Can't find an SQL provider module. Please load one before attempting to load m_sqlauth."); - SQLprovider = prov->creator; - - OnRehash(NULL); - Implementation eventlist[] = { I_OnUserDisconnect, I_OnCheckReady, I_OnRehash, I_OnUserRegister }; - ServerInstance->Modules->Attach(eventlist, this, 4); } - virtual ~ModuleSQLAuth() + void ReadConfig(ConfigStatus& status) CXX11_OVERRIDE { + ConfigTag* conf = ServerInstance->Config->ConfValue("sqlauth"); + std::string dbid = conf->getString("dbid"); + if (dbid.empty()) + SQL.SetProvider("SQL"); + else + SQL.SetProvider("SQL/" + dbid); + freeformquery = conf->getString("query"); + killreason = conf->getString("killreason"); + allowpattern = conf->getString("allowpattern"); + verbose = conf->getBool("verbose"); + kdf = conf->getString("kdf"); + pwcolumn = conf->getString("column"); + + hash_algos.clear(); + irc::commasepstream algos(conf->getString("hash", "md5,sha256")); + std::string algo; + while (algos.GetToken(algo)) + hash_algos.push_back(algo); } - void OnRehash(User* user) + ModResult OnUserRegister(LocalUser* user) CXX11_OVERRIDE { - ConfigReader Conf; + // Note this is their initial (unresolved) connect block + ConfigTag* tag = user->MyClass->config; + if (!tag->getBool("usesqlauth", true)) + return MOD_RES_PASSTHRU; - databaseid = Conf.ReadValue("sqlauth", "dbid", 0); /* Database ID, given to the SQL service provider */ - freeformquery = Conf.ReadValue("sqlauth", "query", 0); /* Field name where username can be found */ - killreason = Conf.ReadValue("sqlauth", "killreason", 0); /* Reason to give when access is denied to a user (put your reg details here) */ - allowpattern = Conf.ReadValue("sqlauth", "allowpattern",0 ); /* Allow nicks matching this pattern without requiring auth */ - verbose = Conf.ReadFlag("sqlauth", "verbose", 0); /* Set to true if failed connects should be reported to operators */ - } + if (!allowpattern.empty() && InspIRCd::Match(user->nick,allowpattern)) + return MOD_RES_PASSTHRU; - ModResult OnUserRegister(LocalUser* user) - { - if ((!allowpattern.empty()) && (InspIRCd::Match(user->nick,allowpattern))) - { - sqlAuthed.set(user, 1); + if (pendingExt.get(user)) return MOD_RES_PASSTHRU; - } - if (!CheckCredentials(user)) + if (!SQL) { + ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s (SQL database not present)", user->GetFullRealHost().c_str()); ServerInstance->Users->QuitUser(user, killreason); - return MOD_RES_DENY; + return MOD_RES_PASSTHRU; } - return MOD_RES_PASSTHRU; - } - bool CheckCredentials(LocalUser* user) - { - std::string thisquery = freeformquery; - std::string safepass = user->password; - std::string safegecos = user->fullname; - - /* Search and replace the escaped nick and escaped pass into the query */ - - SearchAndReplace(safepass, std::string("\""), std::string("\\\"")); - SearchAndReplace(safegecos, std::string("\""), std::string("\\\"")); - - SearchAndReplace(thisquery, std::string("$nick"), user->nick); - SearchAndReplace(thisquery, std::string("$pass"), safepass); - SearchAndReplace(thisquery, std::string("$host"), user->host); - SearchAndReplace(thisquery, std::string("$ip"), std::string(user->GetIPString())); - SearchAndReplace(thisquery, std::string("$gecos"), safegecos); - SearchAndReplace(thisquery, std::string("$ident"), user->ident); - SearchAndReplace(thisquery, std::string("$server"), std::string(user->server)); - SearchAndReplace(thisquery, std::string("$uuid"), user->uuid); - - HashProvider* md5 = ServerInstance->Modules->FindDataService("hash/md5"); - if (md5) - SearchAndReplace(thisquery, std::string("$md5pass"), md5->hexsum(user->password)); - - HashProvider* sha256 = ServerInstance->Modules->FindDataService("hash/sha256"); - if (sha256) - SearchAndReplace(thisquery, std::string("$sha256pass"), sha256->hexsum(user->password)); - - /* Build the query */ - SQLrequest req = SQLrequest(this, SQLprovider, databaseid, SQLquery(thisquery)); - - req.Send(); - /* When we get the query response from the service provider we will be given an ID to play with, - * just an ID number which is unique to this query. We need a way of associating that ID with a User - * so we insert it into a map mapping the IDs to users. - * Thankfully m_sqlutils provides this, it will associate a ID with a user or channel, and if the user quits it removes the - * association. This means that if the user quits during a query we will just get a failed lookup from m_sqlutils - telling - * us to discard the query. - */ - AssociateUser(this, SQLutils, req.id, user).Send(); - - return true; - } + pendingExt.set(user, AUTH_STATE_BUSY); - void OnRequest(Request& request) - { - if(strcmp(SQLRESID, request.id) == 0) + SQL::ParamMap userinfo; + SQL::PopulateUserInfo(user, userinfo); + userinfo["pass"] = user->password; + userinfo["certfp"] = sslapi ? sslapi->GetFingerprint(user) : ""; + + for (std::vector::const_iterator it = hash_algos.begin(); it != hash_algos.end(); ++it) { - SQLresult* res = static_cast(&request); + HashProvider* hashprov = ServerInstance->Modules->FindDataService("hash/" + *it); + if (hashprov && !hashprov->IsKDF()) + userinfo[*it + "pass"] = hashprov->Generate(user->password); + } - User* user = GetAssocUser(this, SQLutils, res->id).S().user; - UnAssociate(this, SQLutils, res->id).S(); + SQL->Submit(new AuthQuery(this, user->uuid, pendingExt, verbose, kdf, pwcolumn), freeformquery, userinfo); - if(user) - { - if(res->error.Id() == SQL_NO_ERROR) - { - if(res->Rows()) - { - /* We got a row in the result, this is enough really */ - sqlAuthed.set(user, 1); - } - else if (verbose) - { - /* No rows in result, this means there was no record matching the user */ - ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s!%s@%s (SQL query returned no matches)", user->nick.c_str(), user->ident.c_str(), user->host.c_str()); - } - } - else if (verbose) - { - ServerInstance->SNO->WriteGlobalSno('a', "Forbidden connection from %s!%s@%s (SQL query failed: %s)", user->nick.c_str(), user->ident.c_str(), user->host.c_str(), res->error.Str()); - } - } - else - { - return; - } - - if (!sqlAuthed.get(user)) - { - ServerInstance->Users->QuitUser(user, killreason); - } - } + return MOD_RES_PASSTHRU; } - ModResult OnCheckReady(LocalUser* user) + ModResult OnCheckReady(LocalUser* user) CXX11_OVERRIDE { - return sqlAuthed.get(user) ? MOD_RES_PASSTHRU : MOD_RES_DENY; + switch (pendingExt.get(user)) + { + case AUTH_STATE_NONE: + return MOD_RES_PASSTHRU; + case AUTH_STATE_BUSY: + return MOD_RES_DENY; + case AUTH_STATE_FAIL: + ServerInstance->Users->QuitUser(user, killreason); + return MOD_RES_DENY; + } + return MOD_RES_PASSTHRU; } - Version GetVersion() + Version GetVersion() CXX11_OVERRIDE { - return Version("Allow/Deny connections based upon an arbitary SQL table", VF_VENDOR); + return Version("Allows connecting users to be authenticated against an arbitrary SQL table.", VF_VENDOR); } - }; MODULE_INIT(ModuleSQLAuth)