1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-06 13:33:13 +02:00
Commit Graph

2746 Commits

Author SHA1 Message Date
Bram Matthys df8c5cfd76 Add ability to skip connect-flood and zlined checks via listener->options
with LISTENER_NO_CHECK_CONNECT_FLOOD and LISTENER_NO_CHECK_ZLINED.
2022-06-19 13:13:33 +00:00
Bram Matthys 60c83b4ba1 Move connect-flood and max-unknown-connections-per-ip into their own module.
These deal with set::anti-flood::everyone::connect-flood and
set::max-unknown-connections-per-ip respectively.

This adds a new hook HOOKTYPE_ACCEPT, that is mostly meant for internal
usage by UnrealIRCd. Most module coders will want to use the existing
hook HOOKTYPE_HANDSHAKE instead.

This also gets of check_banned() which is now spread over the individual
modules (eg: checking banned is done in tkl on HOOKTYPE_ACCEPT and
HOOKTYPE_IP_CHANGE).
2022-06-19 13:13:33 +00:00
Bram Matthys a09d4a7e88 Add CLIENT_STATUS_RPC and add SetRPC() and IsRPC(). 2022-06-19 13:13:33 +00:00
Bram Matthys 1830f3e53f Add RPC channel.list call to show list of channels (with all details) 2022-06-19 13:13:33 +00:00
Bram Matthys 61ba3727df JSON-RPC: Use proper error response with error codes according to
the official specification (one of JSON_RPC_ERROR_*).

Add proper rpc_error() and rpc_error_fmt()

Don't steal reference in rpc_response().
2022-06-19 13:13:33 +00:00
Bram Matthys 4cd520d327 Make user.list() RPC API return a list of all users with details.
This is the 1st RPC API call that actually works :D
2022-06-19 13:13:33 +00:00
Bram Matthys 31fc2843a2 Add "rpc" module. Supports parsing from *NIX domain sockets for starters. 2022-06-19 13:13:33 +00:00
Bram Matthys 53732e0f78 Warn if 'websocket' module is loaded without 'webserver' (= won't work). 2022-06-19 13:13:33 +00:00
Bram Matthys cbfcfa1428 Create src/modules/rpc directory 2022-06-19 13:13:33 +00:00
Bram Matthys 2397fb8a49 Split 'websocket' module up in 'webserver' and 'websocket' 2022-06-19 13:13:33 +00:00
Bram Matthys b5f35dfff5 Fix regular users being able to -o a service bot (that has umode +S).
Reported by ComputerTech in https://bugs.unrealircd.org/view.php?id=6126

HOOKTYPE_MODE_DEOP wasn't called.
2022-06-08 07:37:03 +02:00
Bram Matthys 1311c8a963 Fix connthrottle message when throttling (bug introduced in 6.0.4-rc1).
Reported by westor in https://bugs.unrealircd.org/view.php?id=6121
2022-06-01 08:49:35 +02:00
Bram Matthys d5989695e8 Remove last global 'buf' variables. This was already done a lot in time
but it seems there were still a couple left. These are now gone as well.
There seem to be no issues with the ones that were left, but it is just
too easy to get it wrong. Declaring buf in function now. This should be
faster anyway, since it is located on nearby memory (stack).

Inspired by previous find from westor (c708a99955c034e842f913479cc597d87b311394).
2022-06-01 08:34:48 +02:00
Bram Matthys 731adb308d set::restrict-commands: better error message if you use the same command twice (or more) 2022-05-30 13:05:04 +02:00
Bram Matthys c8ef9b2740 Fix set::restrict-commands::except not working. Reported by Rain. 2022-05-29 15:13:12 +02:00
Bram Matthys d47fdbede4 Add oper::auto-login. When set to yes, opers are automatically logged in
if the oper block permits, the user does not have to send "OPER xyz".

Eg:
security-group Syzop { certfp "xyz"; }
oper Syzop {
	auto-login yes;
        mask { security-group Syzop; }
        operclass netadmin-with-override;
        class opers;
}

Then, if you connect with SSL with that certificate fingerprint,
you become IRCOp automatically.
2022-05-26 21:01:13 +02:00
Bram Matthys c183c06d06 Move HOOKTYPE_LOCAL_CONNECT slightly further down.
[skip ci]
2022-05-26 20:56:36 +02:00
Bram Matthys 96897289e0 Allow oper block without password, now that you can use security-group
and other selectors in 'mask'. This allows for things like:

security-group Syzop { certfp "xyz"; }

oper Syzop {
	mask { security-group Syzop; }
	operclass netadmin-with-override;
	class opers;
}

except ban {
	mask { security-group Syzop; }
	type all;
}

allow {
	mask { security-group Syzop; }
	class special;
	maxperip 32;
}

etc...

We do error on the obvious case of mask * and mask *@* when no password
is set, but otherwise try not to stop all cases of user stupidity
(there are just too many...).
2022-05-26 20:31:28 +02:00
Bram Matthys a4902e121c Fix crash when using 'account' in 'except ban'. 2022-05-26 17:31:45 +02:00
Bram Matthys c9f8c42281 Fix CIDR not working in match { ip ....; } 2022-05-26 17:03:17 +02:00
Bram Matthys fe11f77be6 Fix +H not working in set::modes-on-join.
Reported by ZarTek-Creole in https://bugs.unrealircd.org/view.php?id=6114

We now call HOOKTYPE_LOCAL_CHANMODE on the modes we set in modes-on-join,
where 'client' is '&me'. Should be fine, as we already did the same for
+P modes (indirectly) in channeldb.
2022-05-26 07:14:12 +02:00
Bram Matthys ce6be5df61 Reputation was synced correctly on IP basis (and thus the databases)
across servers if they differed, however the individual IP of users
was not updated until next add_scores() run. So, there would be an
up to 5 minute delay during which scores for individual users were
possibly too low, with all the effects that it could possibly have
nowadays such as restrict-commands, more stringent flood limits, etc.

If your servers are all linked all the time then you would not have
noticed this issue. It mostly matters if you are linking in a new
server or if the server has been delinked or out of order for days
or weeks.
2022-05-25 16:40:06 +02:00
Bram Matthys b28d8aecd7 Add "ip" to mask item and security-group for easy matching on IP.
So you can just use mask { ip { 127.*; 192.168.*; } } without
having to worry about hostnames like 127.example.net.
(Of course you could also have used CIDR notation)

Another benefit is that, since we are dealing with IP's only,
the matching is faster than going through the more universal
match_user() routine.
2022-05-25 08:34:22 +02:00
Bram Matthys 7ff4a3e897 Add the promised support of security group functionality in except ban { }
So now the example in the release notes actually works:
except ban {
    mask { security-group irccloud; }
    type { blacklist; connect-flood; handshake-data-flood; }
}
2022-05-25 08:01:05 +02:00
Bram Matthys c04ad96357 Add to JSON logging output: "geoip" with subitem "country_code".
Suggested by westor in https://bugs.unrealircd.org/view.php?id=6083

(It is not under "user" because the info can be useful before someone
 is considered a user, eg when flooding/rejected/etc)
2022-05-23 11:20:59 +02:00
Bram Matthys 0f7555e4c5 Add to JSON logging output: "tls" with subitems "cipher" and "certfp".
Suggested by westor in https://bugs.unrealircd.org/view.php?id=6083

(It is not under "user" because it is for servers too)
2022-05-23 11:07:08 +02:00
Bram Matthys 3fbdb7fd4b Move StripControlCodes() from message.c to misc.c.
Because I need in the core (again) due to early calls / calls during
rehashes / etc...
2022-05-23 10:10:47 +02:00
Bram Matthys 5d9a201df8 Don't show security-groups of ulines like NickServ (since it is irrelevant anyway).
Reported by Lord255.
2022-05-16 11:22:57 +02:00
Bram Matthys 2108bb48fa Run labeled-response through the quick path. 2022-05-16 09:53:23 +02:00
Bram Matthys 519d027a62 Fix geoip_base_unserialize() check being the wrong way around.
Could have caused a memory leak but likely did not happen at all
in practice.
2022-05-15 19:34:46 +02:00
Bram Matthys c037486263 Add blacklist::except for exempting users from individual blacklists,
this is a https://www.unrealircd.org/docs/Mask_item so very flexible.

Note that most people would want to use except ban { } instead to
simply exempt from ALL blacklists. (that one does not yet have the
flexible mask capability though.. but it wil have it soon..)
2022-05-15 15:13:19 +02:00
Bram Matthys 0b45e34e62 Simplifly RPL_HOSTHIDDEN notification.
Pretty much everywhere we had:
0001 userhost_changed(client);
0002 if (MyUser(client))
0003         sendnumeric(client, RPL_HOSTHIDDEN, client->user->virthost);

Lines 2-3 are now integrated in userhost_changed().

Also fix two issues with CHGHOST in make_oper():
* if user was -x, modes had +x and a vhost, it would send the cloaked
  host in the original vhost, while it should have been the real host
* if user was -x and went +x without vhost (so only uncloaked to cloaked)
  then no CHGHOST message was sent at all
2022-05-15 07:45:00 +02:00
Bram Matthys 9e0340d4c1 Change restrict-commands to use ::except which is a
https://www.unrealircd.org/docs/Mask_item so has more functionality.

The old style config still works and UnrealIRCd won't complain
about it for now.
2022-05-14 18:50:24 +02:00
Bram Matthys 3241338cf3 Add set::connthrottle::except, which is a mask item.
Automatically convert the old options ::sasl-bypass, ::webirc-bypass
and ::minimum-reputation-score, so nobody needs to update their config.

The example.conf has been updated.
2022-05-14 15:31:30 +02:00
Bram Matthys 915b603a6a Add set::antirandom::except, which is a mask item.
Automatically convert the old style ::except-hosts and ::except-webirc
so nobody needs to update their config.
2022-05-14 15:17:29 +02:00
Bram Matthys f0ddbdaa44 Add set::antimixedutf8::except, which is a mask item too. 2022-05-14 15:07:33 +02:00
Bram Matthys e09470b0bd Integrate security-group functionality in link::incoming::mask. 2022-05-14 08:28:26 +02:00
Bram Matthys 67fdd63bc3 Integrate security-group functionality in vhost::mask. 2022-05-14 08:19:05 +02:00
Bram Matthys ec4df2da7d Integrate security-group functionality in tld::mask. 2022-05-14 08:10:20 +02:00
Bram Matthys 759908ba3a Integrate security-group functionality in oper::mask. 2022-05-14 08:03:12 +02:00
Bram Matthys 510b4b5505 Integrate security-group functionality in allow::mask.
(Also call it allow::match in the future, but accept allow::mask still)

This is the first of several commits to convert all ::mask items.
See https://www.unrealircd.org/docs/Mask_item for the consequences.
In short, you can now use all of the security-group items directly
in a mask, eg:
allow {
    mask { account TrustedUser; }
    class clients;
    maxperip 10;
}
2022-05-14 07:51:51 +02:00
Bram Matthys 10bddc1232 Extended server bans are now more clearly exposed in security-group { }.
The extban module API is used behind the scenes. To the server admin
the functionality appears in a more natural way:
        account { <list>; };
        country { <list>; };
        realname { <list>; };
        certfp { <list>; };
In the same way, they appear as exclude-xxx options too:
        exclude-account { <list>; };
        exclude-country { <list>; };
        exclude-realname { <list>; };
        exclude-certfp { <list>; };

Modules can add additional fields (3rd party modules too!).

Module coders:
See src/modules/extbans/realname.c for a simple example. In short:
1) You need to register your extban in both MOD_TEST and MOD_INIT
2) Other than that, the existing rules for extended server bans apply:
   a) Your req.is_banned_events needs to include BANCHK_TKL
   b) Your req.options needs to include EXTBOPT_TKL
Be advised that for modules that are called in extended server bans
the client may be missing several fields, for example client->user could
be NULL, so be careful with accessing everything in your module.
2022-05-13 20:13:34 +02:00
Bram Matthys 085490d780 Show in WHOIS in which security-group a user is in (to IRCOps only)
The set::whois-details name for this is: security-groups.
https://www.unrealircd.org/docs/Set_block#set::whois-details
By default it is shown ONLY to IRCOps, not even to 'self' for normal users.

If you want to hide it for everyone, even to IRCOps, eg because you
feel it is useless information, then you can use:
set {
        whois-details {
		security-groups { everyone none; self none; oper none; }
	}
}
2022-05-13 13:14:46 +02:00
Bram Matthys f1a18ce37e Communicate "creationtime" of users. Right now this info is only known
locally, as the only timestamp regarding users that is communicated across
the network is about the "last nick change" ("has this nick since...").
2022-05-13 12:27:21 +02:00
Bram Matthys 4a03943996 Fix antirandom log message when user is denied (only showed nick).
Reported by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6093
2022-05-13 08:09:46 +02:00
Bram Matthys 06c6eb164e Only validate for local users sending the tag 2022-05-13 07:56:30 +02:00
Valerie Pond 61f7dd746e Add IRCv3 +draft/channel-context (#205)
https://github.com/delthas/ircv3-specifications/blob/feature-channel/client-tags/channel-context.md
2022-05-13 07:39:41 +02:00
Bram Matthys b154591a58 Some source files indicated the license was "GPLv2", which was meant to
be (and is now clarified to be) "GPLv2 or later".
Reported by libsys in https://bugs.unrealircd.org/view.php?id=6099
2022-05-11 06:41:11 +02:00
Bram Matthys 50e5d91c79 Add SVSO command which services can use to make someone IRCOp.
This existed in UnrealIRCd 3.2.x but was later removed when
switching to the new operclass system.
Requested by Valware in https://bugs.unrealircd.org/view.php?id=6041

Syntax: SVSO <uid|nick> <oper account> <operclass> <class> <modes> <snomask> <vhost>
All these parameters need to be set, you cannot leave any of them out,
HOWEVER some can be set to "-" to skip setting them, this is true for:
<class>, <modes>, <snomask>, <vhost>

In UnrealIRCd the <operclass> will be prefixed by "services:" if not already
present. It is up to you to include or omit it.

If you want to set any swhoises you need to use the SWHOIS s2s command,
other than that this command basically does everything for you,
in fact it uses the same code as the OPER command does.
Most of the "user is now ircop" code has been moved out of cmd_oper() to
a new function make_oper() that is called by both cmd_oper() and cmd_svso().

This function also changes the hook HOOKTYPE_LOCAL_OPER:
It no longer passes a ConfigItem_oper struct, since we can't do that for
remote opers. Instead it passes oper name and oper class.
The complete definition is now:
int hooktype_local_oper(Client *client, int add, const char *oper_block, const char *operclass);
2022-05-07 18:53:59 +02:00
Bram Matthys 84f3efc105 Fix issue with modes-on-join and +f: 3t#b1 would be converted to 3t#b,
thus the 'unset time' would be stripped.
This was because the timedban module was seen as 'unavailable' when
checking the +f syntax so early in the booting process.
We now assume timedban is available during config testing, if it later
turns out it is not available the 'unset time' is still stripped
when setting the mode on JOIN.

Reported by ctcp.
2022-05-07 08:18:05 +02:00