External/ergo
1
0
Fork 1
mirror of https://github.com/ergochat/ergo.git synced 2025-12-20 02:00:11 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

add ip-check-script.exempt-sasl

Browse source
This commit is contained in:
Shivaram Lingamneni 2022-01-02 01:51:31 -05:00
parent 58d8421f44
commit 0a59f41cf9
5 changed files with 43 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

29
irc/server.go
View file

@ -200,7 +200,7 @@ func (server *Server) checkBans(config *Config, ipaddr net.IP, checkScripts bool
server.logger.Warning("internal", "unexpected ban result", err.Error())
}
if checkScripts && config.Server.IPCheckScript.Enabled {
if checkScripts && config.Server.IPCheckScript.Enabled && !config.Server.IPCheckScript.ExemptSASL {
output, err := CheckIPBan(server.semaphores.IPCheckScript, config.Server.IPCheckScript, ipaddr)
if err != nil {
server.logger.Error("internal", "couldn't check IP ban script", ipaddr.String(), err.Error())
@ -267,9 +267,26 @@ func (server *Server) handleAlwaysOnExpirations() {
}
}
//
// server functionality
//
// handles server.ip-check-script.exempt-sasl:
// run the ip check script at the end of the handshake, only for anonymous connections
func (server *Server) checkBanScriptExemptSASL(config *Config, session *Session) (outcome AuthOutcome) {
// TODO add caching for this; see related code in (*server).checkBans;
// we should probably just put an LRU around this instead of using the DLINE system
ipaddr := session.IP()
output, err := CheckIPBan(server.semaphores.IPCheckScript, config.Server.IPCheckScript, ipaddr)
if err != nil {
server.logger.Error("internal", "couldn't check IP ban script", ipaddr.String(), err.Error())
return authSuccess
}
if output.Result == IPBanned || output.Result == IPRequireSASL {
server.logger.Info("connect-ip", "Rejecting unauthenticated client due to ip-check-script", ipaddr.String())
if output.BanMessage != "" {
session.client.requireSASLMessage = output.BanMessage
}
return authFailSaslRequired
}
return authSuccess
}
func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
// XXX PROXY or WEBIRC MUST be sent as the first line of the session;
@ -294,6 +311,10 @@ func (server *Server) tryRegister(c *Client, session *Session) (exiting bool) {
// before completing the other registration commands
config := server.Config()
authOutcome := c.isAuthorized(server, config, session, c.requireSASL)
if authOutcome == authSuccess && c.account == "" &&
config.Server.IPCheckScript.Enabled && config.Server.IPCheckScript.ExemptSASL {
authOutcome = server.checkBanScriptExemptSASL(config, session)
}
var quitMessage string
switch authOutcome {
case authFailPass: