irc: send ERR_SASLFAIL reply for auth fails (#30)

Reviewed-on: lavina/lavina#30
Co-authored-by: G1ng3r <saynulanude@gmail.com>
Co-committed-by: G1ng3r <saynulanude@gmail.com>
This commit is contained in:
G1ng3r 2024-02-06 23:08:14 +00:00 committed by Nikita Vilunov
parent 614be92be3
commit 7ff9ffdcf7
4 changed files with 157 additions and 37 deletions

View File

@ -180,14 +180,16 @@ async fn handle_registration<'a>(
writer.flush().await?; writer.flush().await?;
} }
CapabilitySubcommand::End => { CapabilitySubcommand::End => {
let Some((username, realname)) = future_username else { let Some((ref username, ref realname)) = future_username else {
todo!() todo!();
}; };
let Some(nickname) = future_nickname.clone() else { let Some(nickname) = future_nickname.clone() else {
todo!() todo!();
}; };
let username = username.clone();
let realname = realname.clone();
let candidate_user = RegisteredUser { let candidate_user = RegisteredUser {
nickname, nickname: nickname.clone(),
username, username,
realname, realname,
}; };
@ -197,7 +199,15 @@ async fn handle_registration<'a>(
break Ok(candidate_user); break Ok(candidate_user);
} else { } else {
let Some(candidate_password) = pass else { let Some(candidate_password) = pass else {
todo!(); sasl_fail_message(
config.server_name.clone(),
nickname.clone(),
"User credentials was not provided".into(),
)
.write_async(writer)
.await?;
writer.flush().await?;
continue;
}; };
auth_user(storage, &*candidate_user.nickname, &*candidate_password).await?; auth_user(storage, &*candidate_user.nickname, &*candidate_password).await?;
break Ok(candidate_user); break Ok(candidate_user);
@ -209,12 +219,20 @@ async fn handle_registration<'a>(
future_nickname = Some(nickname); future_nickname = Some(nickname);
} else if let Some((username, realname)) = future_username.clone() { } else if let Some((username, realname)) = future_username.clone() {
let candidate_user = RegisteredUser { let candidate_user = RegisteredUser {
nickname, nickname: nickname.clone(),
username, username,
realname, realname,
}; };
let Some(candidate_password) = pass else { let Some(candidate_password) = pass else {
todo!(); sasl_fail_message(
config.server_name.clone(),
nickname.clone(),
"User credentials was not provided".into(),
)
.write_async(writer)
.await?;
writer.flush().await?;
continue;
}; };
auth_user(storage, &*candidate_user.nickname, &*candidate_password).await?; auth_user(storage, &*candidate_user.nickname, &*candidate_password).await?;
break Ok(candidate_user); break Ok(candidate_user);
@ -227,12 +245,20 @@ async fn handle_registration<'a>(
future_username = Some((username, realname)); future_username = Some((username, realname));
} else if let Some(nickname) = future_nickname.clone() { } else if let Some(nickname) = future_nickname.clone() {
let candidate_user = RegisteredUser { let candidate_user = RegisteredUser {
nickname, nickname: nickname.clone(),
username, username,
realname, realname,
}; };
let Some(candidate_password) = pass else { let Some(candidate_password) = pass else {
todo!(); sasl_fail_message(
config.server_name.clone(),
nickname.clone(),
"User credentials was not provided".into(),
)
.write_async(writer)
.await?;
writer.flush().await?;
continue;
}; };
auth_user(storage, &*candidate_user.nickname, &*candidate_password).await?; auth_user(storage, &*candidate_user.nickname, &*candidate_password).await?;
break Ok(candidate_user); break Ok(candidate_user);
@ -255,38 +281,59 @@ async fn handle_registration<'a>(
.await?; .await?;
writer.flush().await?; writer.flush().await?;
} else { } else {
// TODO respond with 904 if let Some(nickname) = future_nickname.clone() {
todo!(); sasl_fail_message(
config.server_name.clone(),
nickname.clone(),
"Unsupported mechanism".into(),
)
.write_async(writer)
.await?;
writer.flush().await?;
} else {
break Err(anyhow::Error::msg("Wrong authentication sequence"));
}
} }
} else { } else {
let body = AuthBody::from_str(body.as_bytes())?; let body = AuthBody::from_str(body.as_bytes())?;
auth_user(storage, &body.login, &body.password).await?; if let Err(e) = auth_user(storage, &body.login, &body.password).await {
let login: Str = body.login.into(); tracing::warn!("Authentication failed: {:?}", e);
validated_user = Some(login.clone()); if let Some(nickname) = future_nickname.clone() {
ServerMessage { sasl_fail_message(config.server_name.clone(), nickname.clone(), "Bad credentials".into())
tags: vec![], .write_async(writer)
sender: Some(config.server_name.clone().into()), .await?;
body: ServerMessageBody::N900LoggedIn { writer.flush().await?;
nick: login.clone(), } else {
address: login.clone(), }
account: login.clone(), } else {
message: format!("You are now logged in as {}", login).into(), let login: Str = body.login.into();
}, validated_user = Some(login.clone());
ServerMessage {
tags: vec![],
sender: Some(config.server_name.clone().into()),
body: ServerMessageBody::N900LoggedIn {
nick: login.clone(),
address: login.clone(),
account: login.clone(),
message: format!("You are now logged in as {}", login).into(),
},
}
.write_async(writer)
.await?;
ServerMessage {
tags: vec![],
sender: Some(config.server_name.clone().into()),
body: ServerMessageBody::N903SaslSuccess {
nick: login.clone(),
message: "SASL authentication successful".into(),
},
}
.write_async(writer)
.await?;
writer.flush().await?;
} }
.write_async(writer)
.await?;
ServerMessage {
tags: vec![],
sender: Some(config.server_name.clone().into()),
body: ServerMessageBody::N903SaslSuccess {
nick: login.clone(),
message: "SASL authentication successful".into(),
},
}
.write_async(writer)
.await?;
writer.flush().await?;
} }
// TODO handle abortion of authentication // TODO handle abortion of authentication
} }
_ => {} _ => {}
@ -297,6 +344,14 @@ async fn handle_registration<'a>(
Ok(user) Ok(user)
} }
fn sasl_fail_message(sender: Str, nick: Str, text: Str) -> ServerMessage {
ServerMessage {
tags: vec![],
sender: Some(sender),
body: ServerMessageBody::N904SaslFail { nick, text },
}
}
async fn auth_user(storage: &mut Storage, login: &str, plain_password: &str) -> Result<()> { async fn auth_user(storage: &mut Storage, login: &str, plain_password: &str) -> Result<()> {
let stored_user = storage.retrieve_user_by_name(login).await?; let stored_user = storage.retrieve_user_by_name(login).await?;

View File

@ -218,3 +218,51 @@ async fn scenario_cap_short_negotiation() -> Result<()> {
server.server.terminate().await?; server.server.terminate().await?;
Ok(()) Ok(())
} }
#[tokio::test]
async fn scenario_cap_sasl_fail() -> Result<()> {
let mut server = TestServer::start().await?;
// test scenario
server.storage.create_user("tester").await?;
server.storage.set_password("tester", "password").await?;
let mut stream = TcpStream::connect(server.server.addr).await?;
let mut s = TestScope::new(&mut stream);
s.send("CAP LS 302").await?;
s.send("NICK tester").await?;
s.send("USER UserName 0 * :Real Name").await?;
s.expect(":testserver CAP * LS :sasl=PLAIN").await?;
s.send("CAP REQ :sasl").await?;
s.expect(":testserver CAP tester ACK :sasl").await?;
s.send("AUTHENTICATE SHA256").await?;
s.expect(":testserver 904 tester :Unsupported mechanism").await?;
s.send("AUTHENTICATE PLAIN").await?;
s.expect(":testserver AUTHENTICATE +").await?;
s.send("AUTHENTICATE dGVzdGVyAHRlc3RlcgBwYXNzd29yZDE=").await?;
s.expect(":testserver 904 tester :Bad credentials").await?;
s.send("AUTHENTICATE dGVzdGVyAHRlc3RlcgBwYXNzd29yZA==").await?; // base64-encoded 'tester\x00tester\x00password'
s.expect(":testserver 900 tester tester tester :You are now logged in as tester").await?;
s.expect(":testserver 903 tester :SASL authentication successful").await?;
s.send("CAP END").await?;
s.expect(":testserver 001 tester :Welcome to Kek Server").await?;
s.expect(":testserver 002 tester :Welcome to Kek Server").await?;
s.expect(":testserver 003 tester :Welcome to Kek Server").await?;
s.expect(":testserver 004 tester testserver kek-0.1.alpha.3 r CFILPQbcefgijklmnopqrstvz").await?;
s.expect(":testserver 005 tester CHANTYPES=# :are supported by this server").await?;
s.expect_nothing().await?;
s.send("QUIT :Leaving").await?;
s.expect(":testserver ERROR :Leaving the server").await?;
s.expect_eof().await?;
stream.shutdown().await?;
// wrap up
server.server.terminate().await?;
Ok(())
}

View File

@ -30,6 +30,10 @@ fn token(input: &str) -> IResult<&str, &str> {
take_while(|i| i != '\n' && i != '\r')(input) take_while(|i| i != '\n' && i != '\r')(input)
} }
fn params(input: &str) -> IResult<&str, &str> {
take_while(|i| i != '\n' && i != '\r' && i != ':')(input)
}
#[derive(Clone, Debug, PartialEq, Eq)] #[derive(Clone, Debug, PartialEq, Eq)]
pub enum Chan { pub enum Chan {
/// #<name> — network-global channel, available from any server in the network. /// #<name> — network-global channel, available from any server in the network.

View File

@ -1,3 +1,5 @@
use std::sync::Arc;
use nonempty::NonEmpty; use nonempty::NonEmpty;
use tokio::io::AsyncWrite; use tokio::io::AsyncWrite;
use tokio::io::AsyncWriteExt; use tokio::io::AsyncWriteExt;
@ -152,6 +154,10 @@ pub enum ServerMessageBody {
N903SaslSuccess { N903SaslSuccess {
nick: Str, nick: Str,
message: Str, message: Str,
},
N904SaslFail {
nick: Str,
text: Str,
} }
} }
@ -369,6 +375,13 @@ impl ServerMessageBody {
writer.write_all(b" :").await?; writer.write_all(b" :").await?;
writer.write_all(message.as_bytes()).await?; writer.write_all(message.as_bytes()).await?;
} }
ServerMessageBody::N904SaslFail { nick, text } => {
writer.write_all(b"904").await?;
writer.write_all(b" ").await?;
writer.write_all(nick.as_bytes()).await?;
writer.write_all(b" :").await?;
writer.write_all(text.as_bytes()).await?;
}
} }
Ok(()) Ok(())
} }
@ -391,7 +404,7 @@ fn server_message_body(input: &str) -> IResult<&str, ServerMessageBody> {
server_message_body_notice, server_message_body_notice,
server_message_body_ping, server_message_body_ping,
server_message_body_pong, server_message_body_pong,
server_message_body_cap, server_message_body_cap
))(input) ))(input)
} }