1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-06 13:33:13 +02:00
Commit Graph

170 Commits

Author SHA1 Message Date
Bram Matthys c2d465c5dd Move chunk of code from start_of_normal_client_handshake() to
a function called start_dns_and_ident_lookup(). This can then
be easily called from other places as well, like the code k4be
did in src/modules/websocket.c to handle proxies.

Side-effect is that ident lookups would now be done, if we are
configured to do so, for forwarded webirc stuff (not that I
think many people use that feature at the moment...).
2023-05-26 11:24:01 +02:00
Bram Matthys 52472a9a88 Add support for set unknown-users { } and the like:
It is now possible to override some set settings per-security group by
having a set block with a name, like `set unknown-users { }`
* You could use this to set more limitations for unknown-users:
  ```
  set unknown-users {
          max-channels-per-user 5;
          static-quit "Quit";
          static-part yes;
  }
  ```
* Or to set higher values (higher than the normal set block)
  for trusted users:
  ```
  security-group trusted-bots {
          account { BotOne; BotTwo; }
  }
  set trusted-bots {
          max-channels-per-user 25;
  }
  ```
* Currently the following settings can be used in a set xxx { } block:
  set::auto-join, set::modes-on-connect, set::restrict-usermodes,
  set::max-channels-per-user, set::static-quit, set::static-part.
2023-05-22 12:07:43 +02:00
Bram Matthys 89075e532a Send throttling and some other error messages to SSL/TLS users (encrypted).
This is the start of "be more friendly to TLS users with disconnect
error messages" from https://bugs.unrealircd.org/view.php?id=5532

As that bug explains:
Consider doing the SSL/TLS handshake even for throttling errors and such
when the (reject) connection rate is below a certain amount per second.  If
it is higher than a certain rate, then fall back to the original behavior to
reject the user instantly without handshake or looking at any data.
Rationale: the current/original behavior is there so the ircd can handle
floods, both in terms of traffic and in terms of CPU usage (the SSL/TLS
handshake is quite costly after all).  The downside of the current behavior
is that TLS users don't see the error message, usually.  This feature
request tries to find a middle ground.

Still a TODO item:
* We don't detect high rates yet, so we only do this new behavior atm
  and not yet the old behavior during high connection rates.
* Verify that error messages/behavior hasn't changed (too) much,
  like the throttling and the banning disconnect messages.
2023-05-18 11:17:37 +02:00
Bram Matthys 2fd7c9cfc4 Set loop.terminating for RESTART also (so channeldb etc write the db) 2023-04-14 19:22:22 +02:00
Bram Matthys 254afbb9c6 Make set::hide-ban-reason not affect opers (eg. show full gline reason).
Suggested by Chris_dc in https://bugs.unrealircd.org/view.php?id=6252

This uses unrealircd.org/real-quit-reason internally, but is only
exposed to servers, never to users. It results in using that quit
reason for IRCOps, while using the regular quit reason for normal users.
2023-04-05 07:26:12 +02:00
Bram Matthys 1e315bb953 Add and use command_issued_by_rpc() helper function for internal logging
of commands issued by JSON-RPC.
2023-04-02 16:04:17 +02:00
Bram Matthys a3c151a16a RPC: add rpc.set_issuer, eg set to logged in user on the admin panel.
This so UnrealIRCd knows who is issuing the commands.
This information is then passed on to unrealircd.org/issued-by and
is planned to be used by the logging system too.

https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer
2023-03-31 12:55:31 +02:00
Bram Matthys 5871bd9463 Initial work on unrealircd.org/issued-by message tag.
This will communicate the original issuer of a command.
For example an "SAMODE #test +s" results in a SAMODE coming from
:maintest.test.net MODE ....etc....
And with this feature, we will communicate the IRCOp who did it:
@unrealircd.org/issued-by=OPER:Syzop..etc....
This tag is only sent to servers and to IRCOps, not to ordinary users.

The plan is to support the following variants:
Services: unrealircd.org/issued-by=SERVICES:NickServ@services.test.net
IRCOp:    unrealircd.org/issued-by=OPER:Syzop@maintest.test.net:Operblock_name
JSON-RPC: unrealircd.org/issued-by=RPC:adminpanel@irc1.test.net:Adminpanel_Actual_User

This first commit only adds SERVICES and OPER in the handlers of the
SVSNICK and SAMODE commands. The JSON-RPC variant and all of the other
commands have not been done yet.
2023-03-31 12:17:54 +02:00
Bram Matthys 7194799f93 Fix valid_vhost() rejecting user@host.
Reported by Lord255.
2023-03-24 13:19:57 +01:00
Bram Matthys e83c610b39 Add valid_vhost() and validate oper::vhost too just like vhost::vhost.
Actually make them both use this same function, even thought he original
vhost::vhost check was a bit more informational.

This also checks the vhost in other paths that lead to oper vhost setting.

Reported by ji in https://bugs.unrealircd.org/view.php?id=5910
2023-03-22 10:26:05 +01:00
Bram Matthys eccf108866 Forgot second part of the patch in previous commit. 2023-03-18 14:01:58 +01:00
Bram Matthys 3bccc63125 Fix +S stripping too much on incorrect color codes.
Reported by semioriginal in https://bugs.unrealircd.org/view.php?id=5908
with the patch also by semioriginal.
2023-03-18 13:58:59 +01:00
Bram Matthys c43753cd4b Support NO_COLOR environment variable, as per https://no-color.org 2023-03-11 17:58:21 +01:00
Bram Matthys b9fcdcdb19 Make server.rehash for remote servers use two possible code paths:
* If the remote server (and all servers in-between) support RRPC
  then forward the RPC request as RRPC and let remote handle the
  response. The response will be the verbose rehash response.
* If not supported, then simply return boolean true as a response,
  and use oldskool :source_server REHASH dest_server over the wire
2023-01-13 18:09:12 +01:00
Bram Matthys b8cbe63915 Support server.rehash for remote servers with full detailed response.
(Required RPC modules to be loaded on the remote server, tho)

This adds support for remote async RPC requests that take a little longer,
in such a case we don't call free_client() upon return of rpc_call().
2023-01-13 16:51:47 +01:00
Bram Matthys 6a4ae9d9ec Support RPC calls to remote servers, where the RPC request/response is
sent over the IRC network. This makes it possible to fetch information
from remote servers that is not known locally, and also it makes it
possible to do more things, or do it easier.

This does require the remote servers to enable RPC as well, though,
eg: include "rpc.modules.default.conf";
(They don't need any listener or rpc-user blocks)

Code-wise it looks nice, like from rpc_server_module_list it is a simple:
/* Forward to remote */
rpc_send_request_to_remote(client, targetserver, request);

This is work in progress. In particular, there is no handling yet of
timeouts (eg if the request to the remote server, or the response
from it takes ages). Nor does it handle the case where the server
quits half-way through the request/response... that is: it does free
the request and such, but does not notify the RPC client about it.
That will need to be added, of course, likely soon.

Over the IRC network this uses the new RRPC command:
:<server> RRPC <REQ|RES> <source> <destination> <requestid> [S|C|F] :<request data>
A request looks like this (assuming it is short):
:001 RRPC REQ 001ABCDEF 002 abc SF :..this is the json request...
And then the response (assuming it is long) is like:
:001 RRPC REQ 001ABCDEF 002 abc S :..this is the json response...
:001 RRPC REQ 001ABCDEF 002 abc C :..more...
:001 RRPC REQ 001ABCDEF 002 abc C :..more...
:001 RRPC REQ 001ABCDEF 002 abc F :..and that was it.
There is currently no request/response limit, it is limited by memory.

Right now the only call using this is server.module_list when called
with a param of "server":"some.remote.server"
2023-01-13 12:45:51 +01:00
Bram Matthys 4378979ad5 Add valid_username() so we can use it at multiple places.
This gets rid of duplicate code in SETIDENT, CHGIDENT, and soon
in the RPC call. It does not get rid of make_valid_username()
in src/modules/nick.c which does something slightly different.
2023-01-07 15:11:52 +01:00
Bram Matthys b33628b765 JSON-RPC over Websockets: Fix bug with >64Kb responses.
Eg if there are 10.000 users online and you do user.list.
The old websocket framing assumed no response was >64Kb.

This also creates a new function websocket_create_packet_ex()
2023-01-04 13:10:09 +01:00
Bram Matthys eca0035e8d Actually fix previous-previous-commit cdd0e4116d 2022-12-21 10:09:23 +01:00
Bram Matthys 7c8918e22d Update rpc_error() to use JsonRpcError (enum) and add more error values. 2022-06-20 19:02:52 +02:00
Bram Matthys 853f0685ed Split off big chunk of websocket module into websocket_common module.
And load the websocket_common module by default (which is just an API).
2022-06-19 13:13:33 +00:00
Bram Matthys 4a68008b81 Rename some more:
* WEB() now has handle_request() and handle_body(), makes more sense.
* webserver_handle_body_data() -> webserver_handle_body()
* and similar cases
2022-06-19 13:13:33 +00:00
Bram Matthys 12f2cd8555 Rename webserver_handle_body_data() -> webserver_handle_request_body() 2022-06-19 13:13:33 +00:00
Bram Matthys 9afdcb7ff0 Add request body handler in webserver -- only a beginning, the
chunked encoding stuff is copied from the modulemanager and #if'd out.
The non-chunked is not OK yet either, as it must check the Content-Length,
while we currently assume a single packet == the complete request.
2022-06-19 13:13:33 +00:00
Bram Matthys 1d613a592c Remove freeing of client->local->listener and refdec from exit_client()
to free_client().
2022-06-19 13:13:33 +00:00
Bram Matthys a09d4a7e88 Add CLIENT_STATUS_RPC and add SetRPC() and IsRPC(). 2022-06-19 13:13:33 +00:00
Bram Matthys 61ba3727df JSON-RPC: Use proper error response with error codes according to
the official specification (one of JSON_RPC_ERROR_*).

Add proper rpc_error() and rpc_error_fmt()

Don't steal reference in rpc_response().
2022-06-19 13:13:33 +00:00
Bram Matthys 4cd520d327 Make user.list() RPC API return a list of all users with details.
This is the 1st RPC API call that actually works :D
2022-06-19 13:13:33 +00:00
Bram Matthys 2397fb8a49 Split 'websocket' module up in 'webserver' and 'websocket' 2022-06-19 13:13:33 +00:00
Bram Matthys b4f6c83821 Fix multiline log messages not working, they showed up as single lines
with their content added together.
2022-05-30 08:59:44 +02:00
Bram Matthys 7740d64042 Limit individual JSON strings to 512 bytes and call StripControlCodes()
on each string. Note that the entire JSON dump may still be much larger,
this is just about each individual string item within an object.

This commit also adds a more flexible StripControlCodesEx() function
to the core (which is used by the logging system), the existing
StripControlCodes() function is unchanged and can still be used.

+/** Strip color, bold, underline, and reverse codes from a string.
+ * @param text                 The input text
+ * @param output               The buffer for the output text
+ * @param outputlen            The length of the output buffer
+ * @param strip_all_low_ascii  If set to 1 then all ASCII < 32 is stripped
+ *                             (the ASCII control codes), otherwise we only
+ *                             strip the IRC control- and color codes.
+ * @returns The new string, which will be 'output', or in unusual cases (outputlen==0) will be NULL.
+ */
+const char *StripControlCodesEx(const char *text, char *output, size_t outputlen, int strip_all_low_ascii)
 {
2022-05-23 10:35:52 +02:00
Bram Matthys 3fbdb7fd4b Move StripControlCodes() from message.c to misc.c.
Because I need in the core (again) due to early calls / calls during
rehashes / etc...
2022-05-23 10:10:47 +02:00
Bram Matthys 9075e2fa70 Move all the security group and mask code to src/securitygroup.c 2022-05-16 13:54:52 +02:00
Bram Matthys a1c8292a1d Fix incorrect sizeof() in commit from yesterday. 2022-05-15 06:49:58 +02:00
Bram Matthys 510b4b5505 Integrate security-group functionality in allow::mask.
(Also call it allow::match in the future, but accept allow::mask still)

This is the first of several commits to convert all ::mask items.
See https://www.unrealircd.org/docs/Mask_item for the consequences.
In short, you can now use all of the security-group items directly
in a mask, eg:
allow {
    mask { account TrustedUser; }
    class clients;
    maxperip 10;
}
2022-05-14 07:51:51 +02:00
Bram Matthys 10bddc1232 Extended server bans are now more clearly exposed in security-group { }.
The extban module API is used behind the scenes. To the server admin
the functionality appears in a more natural way:
        account { <list>; };
        country { <list>; };
        realname { <list>; };
        certfp { <list>; };
In the same way, they appear as exclude-xxx options too:
        exclude-account { <list>; };
        exclude-country { <list>; };
        exclude-realname { <list>; };
        exclude-certfp { <list>; };

Modules can add additional fields (3rd party modules too!).

Module coders:
See src/modules/extbans/realname.c for a simple example. In short:
1) You need to register your extban in both MOD_TEST and MOD_INIT
2) Other than that, the existing rules for extended server bans apply:
   a) Your req.is_banned_events needs to include BANCHK_TKL
   b) Your req.options needs to include EXTBOPT_TKL
Be advised that for modules that are called in extended server bans
the client may be missing several fields, for example client->user could
be NULL, so be careful with accessing everything in your module.
2022-05-13 20:13:34 +02:00
Bram Matthys a544001eeb Add security-group::security-group, this as a shorthand for
security-group { mask ~security-group:xyz; }

Module coders (again, slightly unrelated):
Added unreal_add_names() function which can be used to transform
a list of names in the config to a linked list (NameList).
2022-05-13 14:07:05 +02:00
Bram Matthys 50e5d91c79 Add SVSO command which services can use to make someone IRCOp.
This existed in UnrealIRCd 3.2.x but was later removed when
switching to the new operclass system.
Requested by Valware in https://bugs.unrealircd.org/view.php?id=6041

Syntax: SVSO <uid|nick> <oper account> <operclass> <class> <modes> <snomask> <vhost>
All these parameters need to be set, you cannot leave any of them out,
HOWEVER some can be set to "-" to skip setting them, this is true for:
<class>, <modes>, <snomask>, <vhost>

In UnrealIRCd the <operclass> will be prefixed by "services:" if not already
present. It is up to you to include or omit it.

If you want to set any swhoises you need to use the SWHOIS s2s command,
other than that this command basically does everything for you,
in fact it uses the same code as the OPER command does.
Most of the "user is now ircop" code has been moved out of cmd_oper() to
a new function make_oper() that is called by both cmd_oper() and cmd_svso().

This function also changes the hook HOOKTYPE_LOCAL_OPER:
It no longer passes a ConfigItem_oper struct, since we can't do that for
remote opers. Instead it passes oper name and oper class.
The complete definition is now:
int hooktype_local_oper(Client *client, int add, const char *oper_block, const char *operclass);
2022-05-07 18:53:59 +02:00
Bram Matthys ef6ea6ee32 When using "RESTART" the newly started IRCd could possibly not log or been
missing other functionality.
Reported by DarthGandalf in https://bugs.unrealircd.org/view.php?id=5918

The cause was that all fd's were closed, including 0/1/2. We now reopen
those and map them to /dev/null, like we do later again.
2022-01-31 10:24:13 +01:00
Bram Matthys 39688517b0 Make "./unrealircd rehash" show output on the terminal, same for
"./unrealircd reloadtls" and there is now also a "./unrealircd status"

The output is colorized if the terminal supports it (just like on the
boot screen) and also the exit status is 0 for success and non-0 for
failure. The purpose of all this is that you can easily detect rehash
errors on the command line.

These three commands communicate to UnrealIRCd via the new control
UNIX socket, which is in ~/data/unrealircd.ctl.
This also does a lot of other stuff because we now have an internal
tool called bin/unrealircdctl which is called by ./unrealircd for
some of the commands to communicate to the unrealircd.ctl socket.
Later on more of the existing functionality may be moved to that
tool and we may also provide it on Windows in CLI mode so people
have more of the same functionality as on *NIX.
2022-01-02 20:17:36 +01:00
alicetries b3c191fc23 Update short_date function to avoid crash if year > 9999 (#174) 2021-12-19 10:29:20 +01:00
Bram Matthys 1b308c7ca0 Remove seemingly needless looping on SQUITs, as suggested by
Polsaker in https://github.com/unrealircd/unrealircd/pull/158

Have not tested this thoroughly on a larg(er) network, but if
there is any time to apply this patch, then it is now during
6.0.0 beta.
2021-11-01 17:32:58 +01:00
Bram Matthys 01815adfba Fix about 8 log messages that were incomplete (due to invalid var expansion) 2021-11-01 10:11:46 +01:00
Bram Matthys d128510ee4 More fixes for $client.detail -> $client.details 2021-11-01 07:11:56 +01:00
Bram Matthys 57cb9ebc20 Consistently use $existing_client instead of $other_client.
Fixes some expansion issues (too), as reported by delta.
2021-10-30 17:41:15 +02:00
Bram Matthys b41db3ccb7 Handle NULL in delletterfromstring(). Fixes crash via set_snomask() from SVSSNO. 2021-10-27 16:07:11 +02:00
Bram Matthys 707575bc32 Resolve a number of todo items, most by simply removing them :D 2021-09-25 16:54:29 +02:00
Bram Matthys 4a4d069f11 Get rid of ignore for -Wformat-nonliteral in two entire files,
now it is only in 5 functions in entire UnrealIRCd. Acceptable.
2021-09-25 15:16:45 +02:00
Bram Matthys 847f2fc384 Remove is_ip_valid() as we already have is_valid_ip(), and update
the doxygen docs a bit for that function.
2021-09-25 08:17:47 +02:00
Bram Matthys 4b079dbd1b Add JOIN/PART/KICK logging (snomask 'j').
This also changes the remove_user_from_channel() function to have an
extra parameter to hide it from logs. This is used for KICK (already
logged) and QUIT (which would be stupid to generate 10 part log lines for).
2021-09-24 16:08:41 +02:00