diff options
| author | 2022-12-11 09:58:27 +0000 | |
|---|---|---|
| committer | 2022-12-11 10:14:33 +0000 | |
| commit | 3c6e24665f52e3a38adfe4ab6a9adcbbb4926ca2 (patch) | |
| tree | b2b51956059bd7636aeeb81233aff05983c7687e /src/modules/m_sslinfo.cpp | |
| parent | Improve the oper login flow and error messages. (diff) | |
Move <oper:autologin> from m_sslinfo to core_oper and rework.
- Promote autologin to a core concept with visibility in events.
- Replace the binary yes/no value with strict/relaxed/never. This
intentionally breaks v3 oper block autologin as admins will need
to review them for the security implications of the new behaviour.
Diffstat (limited to 'src/modules/m_sslinfo.cpp')
| -rw-r--r-- | src/modules/m_sslinfo.cpp | 30 |
1 files changed, 11 insertions, 19 deletions
diff --git a/src/modules/m_sslinfo.cpp b/src/modules/m_sslinfo.cpp index d89f74006..bd47dc676 100644 --- a/src/modules/m_sslinfo.cpp +++ b/src/modules/m_sslinfo.cpp @@ -323,21 +323,27 @@ public: return MOD_RES_PASSTHRU; } - ModResult OnPreOperLogin(LocalUser* user, const std::shared_ptr<OperAccount>& oper) override + ModResult OnPreOperLogin(LocalUser* user, const std::shared_ptr<OperAccount>& oper, bool automatic) override { auto cert = cmd.sslapi.GetCertificate(user); if (oper->GetConfig()->getBool("sslonly") && !cert) { - ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not connected using TLS.", - user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str()); + if (!automatic) + { + ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not connected using TLS.", + user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str()); + } return MOD_RES_DENY; } const std::string fingerprint = oper->GetConfig()->getString("fingerprint"); if (!fingerprint.empty() && (!cert || !MatchFP(cert, fingerprint))) { - ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not using the correct TLS client certificate.", - user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str()); + if (!automatic) + { + ServerInstance->SNO.WriteGlobalSno('o', "%s (%s) [%s] failed to log into the \x02%s\x02 oper account because they are not using the correct TLS client certificate.", + user->nick.c_str(), user->MakeHost().c_str(), user->GetIPString().c_str(), oper->GetName().c_str()); + } return MOD_RES_DENY; } @@ -365,20 +371,6 @@ public: if (cert && !cert->GetFingerprint().empty()) text.append(" and your TLS client certificate fingerprint is ").append(cert->GetFingerprint()); user->WriteNotice(text); - - if (!cert) - return; - - // Find an auto-oper block for this user - for (const auto& [_, info] : ServerInstance->Config->OperAccounts) - { - const auto& oper = info->GetConfig(); - if (!oper->getBool("autologin")) - continue; // No autologin for this block. - - if (!user->OperLogin(info)) - continue; // Some other field does not match. - } } ModResult OnSetConnectClass(LocalUser* user, const ConnectClass::Ptr& myclass) override |
