diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md
index 6848de0d6..d72e472c9 100644
--- a/doc/RELEASE-NOTES.md
+++ b/doc/RELEASE-NOTES.md
@@ -15,12 +15,14 @@ in progress and may not always be a stable version.
   since UnrealIRCd 5.0.8 we warn if a SSL/TLS certificate is (nearly) expired. This new option allows turning it off, it is (still) on by default.
 * [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC):
-  Similar to oper and operclass, you can now restrict an
-  [rpc-user](https://www.unrealircd.org/docs/Rpc-user_block) via
-  rpc-user::rpc-class. The rpc-class is defined in an
+  Similar to oper and operclass, in an
+  [rpc-user](https://www.unrealircd.org/docs/Rpc-user_block) you now have
+  to specify an rpc-user::rpc-class. The rpc-class is defined in an
   [rpc-class block](https://www.unrealircd.org/docs/Rpc-class_block) and configures what JSON methods can be called.
-  **NOTE: This is work in progress, things are not fully contained yet!**
+  There are two default json-rpc classes:
+  * `full`: access to all JSON-RPC Methods
+  * `read-only`: access to things list *server_ban.list* but not to *server_ban.add*
 ### Changes:
 * IRCOps with the operclass `locop` can now only `REHASH` the local server
diff --git a/doc/conf/rpc-class.default.conf b/doc/conf/rpc-class.default.conf
new file mode 100644
index 000000000..3cec24bbd
--- /dev/null
+++ b/doc/conf/rpc-class.default.conf
@@ -0,0 +1,39 @@
+/* This file defines a number of default rpc-class blocks which you can
+ * use in your rpc-user blocks (via rpc-user::rpc-class).
+ *
+ * This file is normally included via rpc.modules.default.conf, or you
+ * can do so from your unrealircd.conf through:
+ * include "rpc-class.default.conf";
+ *
+ * The rpc-class block is documented at:
+ * https://www.unrealircd.org/docs/Rpc-class_block
+ *
+ * DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN DURING NEXT UPGRADE!!
+ * DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN DURING NEXT UPGRADE!!
+ * DO NOT EDIT THIS FILE! IT WILL BE OVERWRITTEN DURING NEXT UPGRADE!!
+ * If you want to tweak rpc-class { } blocks, simply define your own
+ * and optionally use 'parent read-only' or the like if you want to inherit.
+ * Do not edit the build-in rpc-classes from below ('full' and 'read-only').
+ */
+
+rpc-class full {
+	permissions {
+		all;
+	}
+}
+
+rpc-class read-only {
+	permissions {
+		rpc;
+		stats;
+		log;
+		user { list; get; }
+		whowas { get; }
+		server { list; get; }
+		channel { list; get; }
+		server_ban { list; get; }
+		server_ban_exception { list; get; }
+		spamfilter { list; get; }
+		name_ban { list; get; }
+	}
+}
diff --git a/doc/conf/rpc.modules.default.conf b/doc/conf/rpc.modules.default.conf
index ade28a6b5..27f183a0f 100644
--- a/doc/conf/rpc.modules.default.conf
+++ b/doc/conf/rpc.modules.default.conf
@@ -60,3 +60,6 @@ log {
 	}
 }
 @endif
+
+/* Also load the default rpc-class { } blocks */
+include "rpc-class.default.conf";
diff --git a/src/modules/rpc/rpc.c b/src/modules/rpc/rpc.c
index 5c9676669..2e5bd0b85 100644
--- a/src/modules/rpc/rpc.c
+++ b/src/modules/rpc/rpc.c
@@ -371,7 +371,7 @@ static int valid_rpc_user_name(const char *str)
 int rpc_config_test_rpc_user(ConfigFile *cf, ConfigEntry *ce, int type, int *errs)
 {
 	int errors = 0;
-	char has_match = 1, has_password = 1;
+	char has_match = 0, has_password = 0, has_rpc_class = 0;
 	ConfigEntry *cep;
 
 	/* We are only interested in rpc-user { } */
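Review bot: The `read-only` class lists the bare families `rpc`, `stats` and `log` without naming their methods, so nothing in this file shows that every method under them is actually read-only; a comment enumerating what each bare entry covers would let admins audit the class before relying on it, e.g. `/* rpc, stats, log: whole method families; confirm none of their methods mutates server state */`. The header comment also recommends `'parent read-only'` for inheritance, but this commit shows no handling of a `parent` item, so that advice should be confirmed against the rpc-class implementation before it is documented here. Minor: `build-in` should read `built-in`.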
@@ -409,6 +409,7 @@ int rpc_config_test_rpc_user(ConfigFile *cf, ConfigEntry *ce, int type, int *err
 		}
 		else if (!strcmp(cep->name, "rpc-class"))
 		{
+			has_rpc_class = 1;
 			if (!cep->value)
 			{
 				config_error_empty(cep->file->filename,
@@ -423,6 +424,30 @@ int rpc_config_test_rpc_user(ConfigFile *cf, ConfigEntry *ce, int type, int *err
 		}
 	}
 
+	if (!has_match)
+	{
+		config_error_missing(ce->file->filename, ce->line_number,
+			"rpc-user::mask");
+		errors++;
+	}
+
+	if (!has_password)
+	{
+		config_error_missing(ce->file->filename, ce->line_number,
+			"rpc-user::password");
+		errors++;
+	}
+
+	if (!has_rpc_class)
+	{
+		config_warn("%s:%d: rpc-user block should have a ::rpc-class item to indicate "
+			"the permissions, like: rpc-user %s { rpc-class full; ....etc.... }",
+			ce->file->filename, ce->line_number, ce->value);
+		config_warn("See https://www.unrealircd.org/docs/Rpc-user_block. For now, this "
+			"is a warning and we assume you want rpc-class 'full', but in later "
+			"versions this will become an error.");
+	}
+
 	*errs = errors;
 	return errors ? -1 : 1;
 }
@@ -606,6 +631,13 @@ OperPermission ValidatePermissionsForJSONRPC(const char *path, Client *client)
 	if (r->rpc_class == NULL)
 		return OPER_ALLOW;
 
+	/* The 'full' is a virtual rpc-class, actually. So we can do a shortcut.
+	 * We have a clear (triple) warning about this in operclass.default.conf
+	 * that you should not fiddle with build-in classes so this should be OK.
+	 */
+	if (!strcmp(r->rpc_class, "full"))
+		return OPER_ALLOW;
+
 	ce_operClass = find_rpc_class(r->rpc_class);
 	if (!ce_operClass)
 		return OPER_DENY;
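Review bot: The missing-item error for the match check names `rpc-user::mask` while the flag it tests is `has_match`; the line that sets that flag is outside this hunk, but if the block item is spelled `match` the message points admins at a directive that does not exist and should read `"rpc-user::match"`. The has_rpc_class branch only warns, and the warning itself says the server then assumes `full`, the most permissive class, so an rpc-user block that omits the item keeps unrestricted API access with nothing but a log line to notice it; if the omission must stay a warning for now, assuming `read-only` instead (and saying so in the second config_warn) would fail closed rather than open. rpc_config_test_rpc_user begins outside this hunk.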
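Review bot: The new comment sends the reader to operclass.default.conf, but the triple do-not-edit warning it refers to lives in rpc-class.default.conf, which this same commit adds; the line should read `* We have a clear (triple) warning about this in rpc-class.default.conf`. Because the `full` shortcut returns before find_rpc_class runs, an admin who nonetheless defines `rpc-class full { ... }` with narrower permissions gets no effect and no error, which the comment should state outright, e.g. `* A user-defined rpc-class named "full" is therefore never consulted.`. ValidatePermissionsForJSONRPC starts and ends outside this hunk.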