bitbot-3.11-fork/modules/permissions.py

import base64, os
import scrypt

REQUIRES_IDENTIFY = ("You need to be identified to use that command "
 "(/msg %s register | /msg %s identify)")

class Module(object):
    def __init__(self, bot, events, exports):
        self.bot = bot
        events.on("new.user").hook(self.new_user)
        events.on("preprocess.command").hook(
            self.preprocess_command)
        events.on("received.part").hook(self.on_part)

        events.on("received.command.identify").hook(self.identify,
            private_only=True, min_args=2,
            usage="<account> <password>", help="Identify yourself")
        events.on("received.command.register").hook(self.register,
            private_only=True, min_args=1,
            usage="<password>", help="Register your nickname")
        events.on("received.command.logout").hook(self.logout,
             private_only=True, help="Sign out from the bot")
        events.on("received.command.resetpassword").hook(
            self.reset_password, private_only=True,
            help="Reset a user's password", min_args=2,
            usage="<nickname> <password>", permission="resetpassword")

        events.on("received.command.mypermissions").hook(
            self.my_permissions, authenticated=True)
        events.on("received.command.givepermission").hook(
            self.give_permission, min_args=2, permission="givepermission")
        events.on("received.command.removepermission").hook(
            self.remove_permission, min_args=2, permission="removepermission")

    def new_user(self, event):
        self._logout(event["user"])

    def on_part(self, event):
        if len(event["user"].channels) == 1 and event["user"
                ].identified_account_override:
            event["user"].send_notice("You no longer share any channels "
                "with me so you have been signed out")

    def _get_hash(self, server, account):
        hash, salt = server.get_user(account).get_setting("authentication",
            (None, None))
        return hash, salt

    def _make_salt(self):
        return base64.b64encode(os.urandom(64)).decode("utf8")

    def _make_hash(self, password, salt=None):
        salt = salt or self._make_salt()
        hash = base64.b64encode(scrypt.hash(password, salt)).decode("utf8")
        return hash, salt

    def _identified(self, server, user, account):
        user.identified_account_override = account
        user.identified_account_id_override = server.get_user(account).get_id()

    def _logout(self, user):
        user.identified_account_override = None
        user.identified_account_id_override = None

    def identify(self, event):
        identity_mechanism = event["server"].get_setting("identity-mechanism",
            "internal")
        if not identity_mechanism == "internal":
            event["stderr"].write("The 'identify' command isn't available "
                "on this network")
            return

        if not event["user"].channels:
            event["stderr"].write("You must share at least one channel "
                "with me before you can identify")
            return

        if not event["user"].identified_account_override:
            account = event["args_split"][0]
            password = " ".join(event["args_split"][1:])
            hash, salt = self._get_hash(event["server"], account)
            if hash and salt:
                attempt, _ = self._make_hash(password, salt)
                if attempt == hash:
                    self._identified(event["server"], event["user"], account)
                    event["stdout"].write("Correct password, you have "
                        "been identified as '%s'." % account)
                else:
                    event["stderr"].write("Incorrect password for '%s'" %
                        account)
            else:
                event["stderr"].write("Account '%s' is not registered" %
                    account)
        else:
            event["stderr"].write("You are already identified")

    def register(self, event):
        identity_mechanism = event["server"].get_setting("identity-mechanism",
            "internal")
        if not identity_mechanism == "internal":
            event["stderr"].write("The 'identify' command isn't available "
                "on this network")
            return

        hash, salt = self._get_hash(event["server"], event["user"].nickname)
        if not hash and not salt:
            password = event["args_split"][0]
            hash, salt = self._make_hash(password)
            event["user"].set_setting("authentication", [hash, salt])
            self._identified(event["server"], event["user"],
                event["user"].nickname)
            event["stdout"].write("Nickname registered successfully")
        else:
            event["stderr"].write("This nickname is already registered")

    def logout(self, event):
        if event["user"].identified_account_override:
            self._logout(event["user"])
            event["stdout"].write("You have been logged out")
        else:
            event["stderr"].write("You are not logged in")

    def reset_password(self, event):
        target = event["server"].get_user(event["args_split"][0])
        password = " ".join(event["args_split"][1:])
        registered = target.get_setting("authentication", None)

        if registered == None:
            event["stderr"].write("'%s' isn't registered" % target.nickname)
        else:
            hash, salt = self._make_hash(password)
            target.set_setting("authentication", [hash, salt])
            event["stdout"].write("Reset password for '%s'" %
                target.nickname)

    def preprocess_command(self, event):
        permission = event["hook"].kwargs.get("permission", None)
        authenticated = event["hook"].kwargs.get("authenticated", False)

        identity_mechanism = event["server"].get_setting("identity-mechanism",
            "internal")
        identified_account = None
        if identity_mechanism == "internal":
            identified_account = event["user"].identified_account_override
        elif identity_mechanism == "ircv3-account":
            identified_account = (event["user"].identified_account or
                event["tags"].get("account", None))

        identified_user = None
        permissions = []
        if identified_account:
            identified_user = event["server"].get_user(identified_account)
            permissions = identified_user.get_setting("permissions", [])

        if permission:
            has_permission = permission and (
                permission in permissions or "*" in permissions)
            if not identified_account or not has_permission:
                return "You do not have permission to do that"
        elif authenticated:
            if not identified_account:
                return REQUIRES_IDENTIFY % (event["server"].nickname,
                    event["server"].nickname)

    def my_permissions(self, event):
        permissions = event["user"].get_setting("permissions", [])
        event["stdout"].write("Your permissions: %s" % ", ".join(permissions))

    def _get_user_details(self, server, nickname):
        target = server.get_user(nickname)
        registered = bool(target.get_setting("authentication", None))
        permissions = target.get_setting("permissions", [])
        return [target, registered, permissions]

    def give_permission(self, event):
        permission = event["args_split"][1].lower()
        target, registered, permissions = self._get_user_details(
            event["server"], event["args_split"][0])

        if target.identified_account == None:
            event["stderr"].write("%s isn't registered" % target.nickname)
            return

        if permission in permissions:
            event["stderr"].write("%s already has permission '%s'" % (
                target.nickname, permission))
        else:
            permissions.append(permission)
            target.set_setting("permissions", permissions)
            event["stdout"].write("Gave permission '%s' to %s" % (
                permission, target.nickname))
    def remove_permission(self, event):
        permission = event["args_split"][1].lower()
        target, registered, permissions = self._get_user_details(
            event["server"], event["args_split"][0])

        if target.identified_account == None:
            event["stderr"].write("%s isn't registered" % target.nickname)
            return

        if not permission in permissions:
            event["stderr"].write("%s already has permission '%s'" % (
                target.nickname, permission))
        else:
            permissions.remove(permission)
            if not permissions:
                target.del_setting("permissions")
            else:
                target.set_setting("permissions", permissions)
            event["stdout"].write("Removed permission '%s' from %s" % (
                permission, target.nickname))
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`import base64, os`
			`import scrypt`

Add the ability to only require authentication if your nickname is registered 2018-08-28 17:16:19 +00:00			`REQUIRES_IDENTIFY = ("You need to be identified to use that command "`
			`"(/msg %s register \| /msg %s identify)")`

added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`class Module(object):`
give an Exports object (actually, ExportsContex object) to each module, to facilitate things like !set and !channelset without using the events system 2018-09-02 18:54:45 +00:00			`def __init__(self, bot, events, exports):`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`self.bot = bot`
Fix a huge security issue: sign users out when they change nickname 2018-09-04 08:59:18 +00:00			`events.on("new.user").hook(self.new_user)`
			`events.on("preprocess.command").hook(`
added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00			`self.preprocess_command)`
Fix a huge security issue: sign users out when they change nickname 2018-09-04 08:59:18 +00:00			`events.on("received.part").hook(self.on_part)`
Added !resetpassword in permissions.py 2018-09-03 10:30:54 +00:00
Refactor everything to use delimited events 2018-09-19 12:25:12 +00:00			`events.on("received.command.identify").hook(self.identify,`
			`private_only=True, min_args=2,`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`usage="<account> <password>", help="Identify yourself")`
Refactor everything to use delimited events 2018-09-19 12:25:12 +00:00			`events.on("received.command.register").hook(self.register,`
			`private_only=True, min_args=1,`
added usage help to a lot of modules, added a verbose option to karma.py. 2016-04-06 11:02:44 +00:00			`usage="<password>", help="Register your nickname")`
Give modules event objects with "context"s, to facilitate purging all the event hooks for a module 2018-08-31 11:55:52 +00:00			`events.on("received.command.logout").hook(self.logout,`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00			`private_only=True, help="Sign out from the bot")`
Added !resetpassword in permissions.py 2018-09-03 10:30:54 +00:00			`events.on("received.command.resetpassword").hook(`
			`self.reset_password, private_only=True,`
			`help="Reset a user's password", min_args=2,`
			`usage="<nickname> <password>", permission="resetpassword")`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00
Give modules event objects with "context"s, to facilitate purging all the event hooks for a module 2018-08-31 11:55:52 +00:00			`events.on("received.command.mypermissions").hook(`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00			`self.my_permissions, authenticated=True)`
Give modules event objects with "context"s, to facilitate purging all the event hooks for a module 2018-08-31 11:55:52 +00:00			`events.on("received.command.givepermission").hook(`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00			`self.give_permission, min_args=2, permission="givepermission")`
Give modules event objects with "context"s, to facilitate purging all the event hooks for a module 2018-08-31 11:55:52 +00:00			`events.on("received.command.removepermission").hook(`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00			`self.remove_permission, min_args=2, permission="removepermission")`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00
			`def new_user(self, event):`
			`self._logout(event["user"])`

			`def on_part(self, event):`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`if len(event["user"].channels) == 1 and event["user"`
			`].identified_account_override:`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`event["user"].send_notice("You no longer share any channels "`
			`"with me so you have been signed out")`

Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`def _get_hash(self, server, account):`
			`hash, salt = server.get_user(account).get_setting("authentication",`
			`(None, None))`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`return hash, salt`
added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`def _make_salt(self):`
			`return base64.b64encode(os.urandom(64)).decode("utf8")`
added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`def _make_hash(self, password, salt=None):`
			`salt = salt or self._make_salt()`
			`hash = base64.b64encode(scrypt.hash(password, salt)).decode("utf8")`
			`return hash, salt`
added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`def _identified(self, server, user, account):`
			`user.identified_account_override = account`
User.id doesn't exist anymore; it's User.get_id() 2018-09-18 23:45:01 +00:00			`user.identified_account_id_override = server.get_user(account).get_id()`
added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`def _logout(self, user):`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`user.identified_account_override = None`
			`user.identified_account_id_override = None`
added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`def identify(self, event):`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`identity_mechanism = event["server"].get_setting("identity-mechanism",`
			`"internal")`
			`if not identity_mechanism == "internal":`
			`event["stderr"].write("The 'identify' command isn't available "`
			`"on this network")`
			`return`

ironed out some little issues with permissions.py. 2016-04-04 17:48:39 +00:00			`if not event["user"].channels:`
			`event["stderr"].write("You must share at least one channel "`
			`"with me before you can identify")`
			`return`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00
			`if not event["user"].identified_account_override:`
			`account = event["args_split"][0]`
			`password = " ".join(event["args_split"][1:])`
			`hash, salt = self._get_hash(event["server"], account)`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`if hash and salt:`
			`attempt, _ = self._make_hash(password, salt)`
			`if attempt == hash:`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`self._identified(event["server"], event["user"], account)`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`event["stdout"].write("Correct password, you have "`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`"been identified as '%s'." % account)`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`else:`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`event["stderr"].write("Incorrect password for '%s'" %`
			`account)`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`else:`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`event["stderr"].write("Account '%s' is not registered" %`
			`account)`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`else:`
			`event["stderr"].write("You are already identified")`

			`def register(self, event):`
Only allow the register command on networks that support internal identity 2018-09-18 23:45:14 +00:00			`identity_mechanism = event["server"].get_setting("identity-mechanism",`
			`"internal")`
			`if not identity_mechanism == "internal":`
			`event["stderr"].write("The 'identify' command isn't available "`
			`"on this network")`
			`return`

Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`hash, salt = self._get_hash(event["server"], event["user"].nickname)`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`if not hash and not salt:`
			`password = event["args_split"][0]`
			`hash, salt = self._make_hash(password)`
			`event["user"].set_setting("authentication", [hash, salt])`
permissions._identified takes server, user and nickname 2018-09-19 00:19:04 +00:00			`self._identified(event["server"], event["user"],`
			`event["user"].nickname)`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`event["stdout"].write("Nickname registered successfully")`
			`else:`
			`event["stderr"].write("This nickname is already registered")`

			`def logout(self, event):`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`if event["user"].identified_account_override:`
added permissions.py which contains code for identifying/registering/logouting users. updated README.md to reflect the newly required scrypt module. 2016-04-04 17:42:37 +00:00			`self._logout(event["user"])`
			`event["stdout"].write("You have been logged out")`
			`else:`
			`event["stderr"].write("You are not logged in")`
added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00
Added !resetpassword in permissions.py 2018-09-03 10:30:54 +00:00			`def reset_password(self, event):`
			`target = event["server"].get_user(event["args_split"][0])`
			`password = " ".join(event["args_split"][1:])`
			`registered = target.get_setting("authentication", None)`

			`if registered == None:`
			`event["stderr"].write("'%s' isn't registered" % target.nickname)`
			`else:`
			`hash, salt = self._make_hash(password)`
			`target.set_setting("authentication", [hash, salt])`
			`event["stdout"].write("Reset password for '%s'" %`
			`target.nickname)`

added the code to prevent users using certain commands based on permissions. 2016-04-06 17:23:02 +00:00			`def preprocess_command(self, event):`
			`permission = event["hook"].kwargs.get("permission", None)`
Added code to preprocess check a command that only requires authentication, not a permission 2018-08-18 17:28:41 +00:00			`authenticated = event["hook"].kwargs.get("authenticated", False)`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00
			`identity_mechanism = event["server"].get_setting("identity-mechanism",`
			`"internal")`
			`identified_account = None`
			`if identity_mechanism == "internal":`
			`identified_account = event["user"].identified_account_override`
			`elif identity_mechanism == "ircv3-account":`
Support account-tag in permissions.py 2018-09-05 14:39:29 +00:00			`identified_account = (event["user"].identified_account or`
			`event["tags"].get("account", None))`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00
			`identified_user = None`
			`permissions = []`
			`if identified_account:`
			`identified_user = event["server"].get_user(identified_account)`
			`permissions = identified_user.get_setting("permissions", [])`
Add the ability to only require authentication if your nickname is registered 2018-08-28 17:16:19 +00:00
get user permissions every time they try to use a command that requires permissions, instead of caching their permissions when they sign in 2018-08-02 22:00:42 +00:00			`if permission:`
			`has_permission = permission and (`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`permission in permissions or "*" in permissions)`
			`if not identified_account or not has_permission:`
get user permissions every time they try to use a command that requires permissions, instead of caching their permissions when they sign in 2018-08-02 22:00:42 +00:00			`return "You do not have permission to do that"`
Added code to preprocess check a command that only requires authentication, not a permission 2018-08-18 17:28:41 +00:00			`elif authenticated:`
Support IRCv3's account-notify/extended-join along with WHOX to replace internal register/identify 2018-09-05 10:58:10 +00:00			`if not identified_account:`
Add the ability to only require authentication if your nickname is registered 2018-08-28 17:16:19 +00:00			`return REQUIRES_IDENTIFY % (event["server"].nickname,`
			`event["server"].nickname)`
added a command to show you what permissions you have. 2016-05-17 13:50:48 +00:00
			`def my_permissions(self, event):`
get user permissions every time they try to use a command that requires permissions, instead of caching their permissions when they sign in 2018-08-02 22:00:42 +00:00			`permissions = event["user"].get_setting("permissions", [])`
added a command to show you what permissions you have. 2016-05-17 13:50:48 +00:00			`event["stdout"].write("Your permissions: %s" % ", ".join(permissions))`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00
			`def _get_user_details(self, server, nickname):`
			`target = server.get_user(nickname)`
			`registered = bool(target.get_setting("authentication", None))`
			`permissions = target.get_setting("permissions", [])`
			`return [target, registered, permissions]`

			`def give_permission(self, event):`
			`permission = event["args_split"][1].lower()`
			`target, registered, permissions = self._get_user_details(`
			`event["server"], event["args_split"][0])`

Add .reloadallmodules, and fix permissions. 2018-09-23 10:01:24 +00:00			`if target.identified_account == None:`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00			`event["stderr"].write("%s isn't registered" % target.nickname)`
			`return`

			`if permission in permissions:`
			`event["stderr"].write("%s already has permission '%s'" % (`
			`target.nickname, permission))`
			`else:`
			`permissions.append(permission)`
			`target.set_setting("permissions", permissions)`
			`event["stdout"].write("Gave permission '%s' to %s" % (`
			`permission, target.nickname))`
			`def remove_permission(self, event):`
			`permission = event["args_split"][1].lower()`
			`target, registered, permissions = self._get_user_details(`
			`event["server"], event["args_split"][0])`

Add .reloadallmodules, and fix permissions. 2018-09-23 10:01:24 +00:00			`if target.identified_account == None:`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00			`event["stderr"].write("%s isn't registered" % target.nickname)`
			`return`

			`if not permission in permissions:`
			`event["stderr"].write("%s already has permission '%s'" % (`
			`target.nickname, permission))`
			`else:`
			`permissions.remove(permission)`
Delete "permissions" setting when it's empty 2018-08-29 13:34:52 +00:00			`if not permissions:`
			`target.del_setting("permissions")`
			`else:`
			`target.set_setting("permissions", permissions)`
Add !givepermission and !removepermission to permissions.py 2018-08-28 15:53:21 +00:00			`event["stdout"].write("Removed permission '%s' from %s" % (`
			`permission, target.nickname))`