Allow host-matching for oper blocks

https://bugs.cmpct.info/show_bug.cgi?id=78
cmpct · Oct 16, 2016 · 500ac13 · 500ac13
1 parent 5de6919
commit 500ac13
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/ircd.xml b/ircd.xml
@@ -69,10 +69,9 @@
     </advanced>
 
     <opers>
-        <!-- Supported hash values: http://search.cpan.org/~mshelor/Digest-SHA-5.96/lib/Digest/SHA.pm#EXPORTABLE_FUNCTIONS -->
-        <!-- Supported hash values: sha1, sha256, sha512, and the ones inbetween. -->
+        <!-- https://wiki.cmpct.info/w/IRCd:Documentation/IRCops -->
+        <!-- See the wiki for descriptions of these parameters -->
         <!-- Pick your own password! Default is 'password' for the 'sam' user. -->
-        <!-- Set tls='1' if you want tls-only opers. -->
-        <oper name='sam' password='5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8' hash='sha256'/>
+        <oper name='sam' password='5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8' hash='sha256' tls='0' host='*@*'/>
     </opers>
 </config>
diff --git a/lib/IRCd/Modules/Oper.pm b/lib/IRCd/Modules/Oper.pm
@@ -29,8 +29,8 @@ sub pkt_oper {
     my $u_name       = $splitMessage[1];
     my $u_password   = $splitMessage[2];
 
-    my ($c_name, $c_password, $c_hash, $c_type, $c_tls);
-    my $got_match = 0;
+    my ($c_name, $c_password, $c_hash, $c_type, $c_tls, $c_host);
+    my $got_match  = 0;
 
     # XXX: Workaround for XML::Simple modifying behaviour basted on number of elements (one oper || many)
     if(!$opers->{$u_name}) {
@@ -41,6 +41,7 @@ sub pkt_oper {
         $c_hash      = $oper->{hash} . '_hex';
         $c_type      = $oper->{type} // 'UNIMPLEMENTED';
         $c_tls       = $oper->{tls}  // 0;
+        $c_host      = $oper->{host} // '*';
         $ircd->{log}->debug("[$client->{nick}] Found ircop $u_name [$c_type]");
         # XXX: Support something other than SHA*
         if(my $hash_ref = Digest::SHA->can($c_hash)) {
@@ -51,10 +52,30 @@ sub pkt_oper {
         } else {
             $ircd->{log}->warn("[$client->{nick}] No such hash function as $c_hash! EDIT YOUR CONFIG FILE.");
         }
+
+        # Does the <oper> block require TLS (and is the user connected via TLS)?
         if($c_tls and !$client->{modes}->{z}->has($client)) {
             $ircd->{log}->warn("[$client->{nick}] User tried to authenicate as $u_name [$c_type] [tls: $c_tls] without using TLS!");
             $got_match = 0;
         }
+        # Does the <oper> block provide a host for $client to match?
+        if($c_host) {
+            # Host looks like 'user@host'
+            my @u_host = split('@', $c_host);
+            my $u_user = lc($u_host[0]) // '*';
+            my $u_host = lc($u_host[1]) // '*';
+            $u_user =~ s/\*/\.*/;
+            $u_host =~ s/\*/\.*/;
+
+            # We don't tell the user any specific reason for the lack of success
+            # This is a security feature
+            if($client->{ident} =~ $u_user and $client->{host} =~ $u_host) {
+                $ircd->{log}->info("User [$client->{nick}] matches $u_user\@$u_host");
+            } else {
+                $ircd->{log}->info("User [$client->{nick}] Host tuplet ($client->{ident}\@$client->{host}) DOESN'T match regex ($u_user\@$u_host)");
+                $got_match  = 0;
+            }
+        }
     }
     if(!$got_match) {
         # Incorrect credentials, sorry