aboutsummaryrefslogtreecommitdiff
path: root/src/modules/m_sslinfo.cpp
diff options
context:
space:
mode:
authorGravatar Sadie Powell2022-12-11 09:58:27 +0000
committerGravatar Sadie Powell2022-12-11 10:14:33 +0000
commit3c6e24665f52e3a38adfe4ab6a9adcbbb4926ca2 (patch)
treeb2b51956059bd7636aeeb81233aff05983c7687e /src/modules/m_sslinfo.cpp
parentImprove the oper login flow and error messages. (diff)
Move <oper:autologin> from m_sslinfo to core_oper and rework.
- Promote autologin to a core concept with visibility in events. - Replace the binary yes/no value with strict/relaxed/never. This intentionally breaks v3 oper block autologin as admins will need to review them for the security implications of the new behaviour.
Diffstat (limited to 'src/modules/m_sslinfo.cpp')
-rw-r--r--src/modules/m_sslinfo.cpp30
1 files changed, 11 insertions, 19 deletions
diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp
index d89f74006..bd47dc676 100644
--- a/src/modules/m_sslinfo.cpp
+++ b/src/modules/m_sslinfo.cpp
@@ -323,21 +323,27 @@ public:
return MOD_RES_PASSTHRU;
}
- ModResult OnPreOperLogin(LocalUser* user, const std::shared_ptr<OperAccount>& oper) override
+ ModResult OnPreOperLogin(LocalUser* user, const std::shared_ptr<OperAccount>& oper, bool automatic) override
{
auto cert = cmd.sslapi.GetCertificate(user);
if (oper->GetConfig()->getBool("sslonly") && !cert)
{
- ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not connected using TLS.",
- user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str());
+ if (!automatic)
+ {
+ ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not connected using TLS.",
+ user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str());
+ }
return MOD_RES_DENY;
}
const std::string fingerprint = oper->GetConfig()->getString("fingerprint");
if (!fingerprint.empty() && (!cert || !MatchFP(cert, fingerprint)))
{
- ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not using the correct TLS client certificate.",
- user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str());
+ if (!automatic)
+ {
+ ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not using the correct TLS client certificate.",
+ user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str());
+ }
return MOD_RES_DENY;
}
@@ -365,20 +371,6 @@ public:
if (cert && !cert->GetFingerprint().empty())
text.append(" and your TLS client certificate fingerprint is ").append(cert->GetFingerprint());
user->WriteNotice(text);
-
- if (!cert)
- return;
-
- // Find an auto-oper block for this user
- for (const auto& [_, info] : ServerInstance->Config->OperAccounts)
- {
- const auto& oper = info->GetConfig();
- if (!oper->getBool("autologin"))
- continue; // No autologin for this block.
-
- if (!user->OperLogin(info))
- continue; // Some other field does not match.
- }
}
ModResult OnSetConnectClass(LocalUser* user, const ConnectClass::Ptr& myclass) override