bitbot-3.11-fork/modules/ircv3_sasl/__init__.py

#--depends-on config

import base64, hashlib, hmac, uuid
from src import ModuleManager, utils
from . import scram

CAP = utils.irc.Capability("sasl")

USERPASS_MECHANISMS = [
    "SCRAM-SHA-512",
    "SCRAM-SHA-256",
    "SCRAM-SHA-1",
    "PLAIN"
]

def _validate(s):
    mechanism, _, arguments = s.partition(" ")
    return {"mechanism": mechanism, "args": arguments}

@utils.export("serverset", {"setting": "sasl",
    "help": "Set the sasl username/password for this server",
    "validate": _validate, "example": "PLAIN BitBot:hunter2"})
@utils.export("serverset", {"setting": "sasl-hard-fail",
    "help": "Set whether a SASL failure should cause a disconnect",
    "validate": utils.bool_or_none, "example": "on"})
class Module(ModuleManager.BaseModule):
    def _best_userpass_mechanism(self, mechanisms):
        for potential_mechanism in USERPASS_MECHANISMS:
            if potential_mechanism in mechanisms:
                return potential_mechanism

    @utils.hook("received.cap.new")
    @utils.hook("received.cap.ls")
    def on_cap(self, event):
        has_sasl = "sasl" in event["capabilities"]
        our_sasl = event["server"].get_setting("sasl", None)

        do_sasl = False
        if has_sasl and our_sasl:
            if not event["capabilities"]["sasl"] == None:
                our_mechanism = our_sasl["mechanism"].upper()
                server_mechanisms = event["capabilities"]["sasl"].split(",")
                if our_mechanism == "USERPASS":
                    our_mechanism = self._best_userpass_mechanism(
                        server_mechanisms)
                do_sasl = our_mechanism in server_mechanisms
            else:
                do_sasl = True

        if do_sasl:
            cap = CAP.copy()
            cap.on_ack(lambda: self._sasl_ack(event["server"]))
            return cap

    def _sasl_ack(self, server):
        sasl = server.get_setting("sasl")
        mechanism = sasl["mechanism"].upper()
        if mechanism == "USERPASS":
            server_mechanisms = server.server_capabilities["sasl"]
            server_mechanisms = server_mechanisms or [
                USERPASS_MECHANISMS[0]]
            mechanism = self._best_userpass_mechanism(server_mechanisms)

        server.send_authenticate(mechanism)
        server.sasl_mechanism = mechanism
        server.wait_for_capability("sasl")

    @utils.hook("received.authenticate")
    def on_authenticate(self, event):
        sasl = event["server"].get_setting("sasl")
        mechanism = event["server"].sasl_mechanism

        auth_text = None
        if mechanism == "PLAIN":
            if event["message"] != "+":
                event["server"].send_authenticate("*")
            else:
                sasl_username, sasl_password = sasl["args"].split(":", 1)
                auth_text = ("%s\0%s\0%s" % (
                    sasl_username, sasl_username, sasl_password)).encode("utf8")

        elif mechanism == "EXTERNAL":
            if event["message"] != "+":
                event["server"].send_authenticate("*")
            else:
                auth_text = "+"

        elif mechanism.startswith("SCRAM-"):

            if event["message"] == "+":
                # start SCRAM handshake

                # create SCRAM helper
                sasl_username, sasl_password = sasl["args"].split(":", 1)
                algo = mechanism.split("SCRAM-", 1)[1]
                event["server"]._scram = scram.SCRAM(
                    algo, sasl_username, sasl_password)

                # generate client-first-message
                auth_text = event["server"]._scram.client_first()
            else:
                current_scram = event["server"]._scram
                data = base64.b64decode(event["message"])
                if current_scram.state == scram.SCRAMState.ClientFirst:
                    # use server-first-message to generate client-final-message
                    auth_text = current_scram.server_first(data)
                elif current_scram.state == scram.SCRAMState.ClientFinal:
                    # use server-final-message to check server proof
                    verified = current_scram.server_final(data)
                    del event["server"]._scram

                    if verified:
                        auth_text = "+"
                    else:
                        if current_scram.state == scram.SCRAMState.VerifyFailed:
                            # server gave a bad verification so we should panic
                            self._panic(event["server"], "SCRAM VerifyFailed")

        else:
            raise ValueError("unknown sasl mechanism '%s'" % mechanism)

        if not auth_text == None:
            if not auth_text == "+":
                auth_text = base64.b64encode(auth_text)
                auth_text = auth_text.decode("utf8")
            event["server"].send_authenticate(auth_text)

    def _end_sasl(self, server):
        server.capability_done("sasl")

    @utils.hook("received.908")
    def sasl_mechanisms(self, event):
        server_mechanisms = event["args"][1].split(",")
        mechanism = self._best_userpass_mechanism(server_mechanimsms)
        event["server"].sasl_mechanism = mechanism
        event["server"].send_authenticate(mechanism)

    @utils.hook("received.903")
    def sasl_success(self, event):
        self._end_sasl(event["server"])
    @utils.hook("received.904")
    def sasl_failure(self, event):
        self._panic(event["server"], "ERR_SASLFAIL (%s)" % event["args"][1])

    @utils.hook("received.907")
    def sasl_already(self, event):
        self._end_sasl(event["server"])

    def _panic(self, server, message):
        if server.get_setting("sasl-hard-fail", True):
            message = "SASL panic for %s: %s" % (str(server), message)
            if not server.from_init:
                self.log.error(message)
                self.bot.disconnect(server)
            else:
                self.bot.panic(reason=message)
        else:
            self.log.warn("SASL failure for %s: %s" % (str(server), message))
            self._end_sasl(server)
Add `depends-on` hashflags to relevant modules 2019-05-25 20:40:06 +00:00			`#--depends-on config`

Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`import base64, hashlib, hmac, uuid`
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`from src import ModuleManager, utils`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`from . import scram`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00
Switch to using Capability.copy() for sasl 2019-05-19 10:13:37 +00:00			`CAP = utils.irc.Capability("sasl")`

Support a `USERPASS` sasl mechanism that picks the best user:pass mech (sasl) 2019-02-14 11:57:53 +00:00			`USERPASS_MECHANISMS = [`
			`"SCRAM-SHA-512",`
			`"SCRAM-SHA-256",`
			`"SCRAM-SHA-1",`
			`"PLAIN"`
			`]`

Remove `self` param of _validate 2019-05-23 14:36:04 +00:00			`def _validate(s):`
`arguments` was not defined if they weren't provided (sasl) 2019-02-06 11:22:13 +00:00			`mechanism, _, arguments = s.partition(" ")`
Move all exports to @Utils.export calls 2018-09-27 11:08:07 +00:00			`return {"mechanism": mechanism, "args": arguments}`
Add nickserv-password and sasl to !serverset 2018-09-09 09:04:21 +00:00
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.export("serverset", {"setting": "sasl",`
Move all exports to @Utils.export calls 2018-09-27 11:08:07 +00:00			`"help": "Set the sasl username/password for this server",`
'hunder2' -> 'hunter2'. meme typos D: 2019-06-04 08:30:33 +00:00			`"validate": _validate, "example": "PLAIN BitBot:hunter2"})`
Add a setting to disable "hard" sasl failure 2019-06-17 13:22:08 +00:00			`@utils.export("serverset", {"setting": "sasl-hard-fail",`
			`"help": "Set whether a SASL failure should cause a disconnect",`
			`"validate": utils.bool_or_none, "example": "on"})`
Move all exports to @Utils.export calls 2018-09-27 11:08:07 +00:00			`class Module(ModuleManager.BaseModule):`
Support a `USERPASS` sasl mechanism that picks the best user:pass mech (sasl) 2019-02-14 11:57:53 +00:00			`def _best_userpass_mechanism(self, mechanisms):`
			`for potential_mechanism in USERPASS_MECHANISMS:`
			`if potential_mechanism in mechanisms:`
			`return potential_mechanism`

We still need to 'CAP REQ :sasl' when we get 'CAP NEW :sasl' (sasl) 2019-02-09 02:58:25 +00:00			`@utils.hook("received.cap.new")`
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.hook("received.cap.ls")`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00			`def on_cap(self, event):`
Support CAP 3.2 2018-09-07 14:51:41 +00:00			`has_sasl = "sasl" in event["capabilities"]`
Don't just listen for 'sasl=PLAIN' in IRCv3 CAP 3.2 2018-09-17 10:49:23 +00:00			`our_sasl = event["server"].get_setting("sasl", None)`
Support CAP 3.2 2018-09-07 14:51:41 +00:00
Don't just listen for 'sasl=PLAIN' in IRCv3 CAP 3.2 2018-09-17 10:49:23 +00:00			`do_sasl = False`
			`if has_sasl and our_sasl:`
			`if not event["capabilities"]["sasl"] == None:`
			`our_mechanism = our_sasl["mechanism"].upper()`
Support a `USERPASS` sasl mechanism that picks the best user:pass mech (sasl) 2019-02-14 11:57:53 +00:00			`server_mechanisms = event["capabilities"]["sasl"].split(",")`
			`if our_mechanism == "USERPASS":`
			`our_mechanism = self._best_userpass_mechanism(`
			`server_mechanisms)`
			`do_sasl = our_mechanism in server_mechanisms`
Don't just listen for 'sasl=PLAIN' in IRCv3 CAP 3.2 2018-09-17 10:49:23 +00:00			`else:`
Typo in sasl.py; proceed with sasl regardless of mechanism when using CAP 3.1 2018-09-17 12:25:11 +00:00			`do_sasl = True`
Don't just listen for 'sasl=PLAIN' in IRCv3 CAP 3.2 2018-09-17 10:49:23 +00:00
			`if do_sasl:`
Switch to using Capability.copy() for sasl 2019-05-19 10:13:37 +00:00			`cap = CAP.copy()`
Revamp how CAPs are tracked through REQ and ACK/NAK etc 2019-05-11 17:22:40 +00:00			`cap.on_ack(lambda: self._sasl_ack(event["server"]))`
			`return cap`
Support CAP 3.2 2018-09-07 14:51:41 +00:00
Revamp how CAPs are tracked through REQ and ACK/NAK etc 2019-05-11 17:22:40 +00:00			`def _sasl_ack(self, server):`
			`sasl = server.get_setting("sasl")`
			`mechanism = sasl["mechanism"].upper()`
			`if mechanism == "USERPASS":`
			`server_mechanisms = server.server_capabilities["sasl"]`
			`server_mechanisms = server_mechanisms or [`
			`USERPASS_MECHANISMS[0]]`
			`mechanism = self._best_userpass_mechanism(server_mechanisms)`
Support a `USERPASS` sasl mechanism that picks the best user:pass mech (sasl) 2019-02-14 11:57:53 +00:00
Revamp how CAPs are tracked through REQ and ACK/NAK etc 2019-05-11 17:22:40 +00:00			`server.send_authenticate(mechanism)`
			`server.sasl_mechanism = mechanism`
			`server.wait_for_capability("sasl")`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00
Move src/Utils.py in to src/utils/, splitting functionality out in to modules of related functionality 2018-10-03 12:22:37 +00:00			`@utils.hook("received.authenticate")`
move sasl logic to it's own module 2018-07-15 22:56:06 +00:00			`def on_authenticate(self, event):`
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`sasl = event["server"].get_setting("sasl")`
Support a `USERPASS` sasl mechanism that picks the best user:pass mech (sasl) 2019-02-14 11:57:53 +00:00			`mechanism = event["server"].sasl_mechanism`
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00
`auth_text` would not be present in a failure scenario 2019-02-06 15:36:59 +00:00			`auth_text = None`
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`if mechanism == "PLAIN":`
			`if event["message"] != "+":`
			`event["server"].send_authenticate("*")`
			`else:`
			`sasl_username, sasl_password = sasl["args"].split(":", 1)`
			`auth_text = ("%s\0%s\0%s" % (`
			`sasl_username, sasl_username, sasl_password)).encode("utf8")`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`elif mechanism == "EXTERNAL":`
			`if event["message"] != "+":`
			`event["server"].send_authenticate("*")`
			`else:`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00			`auth_text = "+"`
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00
			`elif mechanism.startswith("SCRAM-"):`
Move parsing username, password and algorithm to the only place that uses it and add comments (sasl.scram) 2019-02-06 21:49:44 +00:00
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`if event["message"] == "+":`
			`# start SCRAM handshake`
Move parsing username, password and algorithm to the only place that uses it and add comments (sasl.scram) 2019-02-06 21:49:44 +00:00
			`# create SCRAM helper`
			`sasl_username, sasl_password = sasl["args"].split(":", 1)`
Restrict scram algorithms to IANA Hash Function Textual Names (sasl.scram) 2019-02-06 22:28:50 +00:00			`algo = mechanism.split("SCRAM-", 1)[1]`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`event["server"]._scram = scram.SCRAM(`
			`algo, sasl_username, sasl_password)`
Move parsing username, password and algorithm to the only place that uses it and add comments (sasl.scram) 2019-02-06 21:49:44 +00:00
			`# generate client-first-message`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`auth_text = event["server"]._scram.client_first()`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00			`else:`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`current_scram = event["server"]._scram`
Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`data = base64.b64decode(event["message"])`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`if current_scram.state == scram.SCRAMState.ClientFirst:`
Move parsing username, password and algorithm to the only place that uses it and add comments (sasl.scram) 2019-02-06 21:49:44 +00:00			`# use server-first-message to generate client-final-message`
Type annotate scram.py and don't pass base64 data to scram.py functions 2019-02-06 08:50:19 +00:00			`auth_text = current_scram.server_first(data)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`elif current_scram.state == scram.SCRAMState.ClientFinal:`
Move parsing username, password and algorithm to the only place that uses it and add comments (sasl.scram) 2019-02-06 21:49:44 +00:00			`# use server-final-message to check server proof`
"+" as part of a SASL handshake is irc-specific so remove it from scram.py 2019-02-06 11:07:50 +00:00			`verified = current_scram.server_final(data)`
Move sasl.py to a directory module and move SCRAM logic to a different file, move `github/module.py` to `github/__init__.py` 2019-02-05 15:54:20 +00:00			`del event["server"]._scram`
Disconnect from server and throw an exception if SCRAM server verification fails (sasl) 2019-02-05 17:03:41 +00:00
"+" as part of a SASL handshake is irc-specific so remove it from scram.py 2019-02-06 11:07:50 +00:00			`if verified:`
			`auth_text = "+"`
			`else:`
Only panic about a scram failure if it's a server-final-message failure (sasl) 2019-02-06 15:38:59 +00:00			`if current_scram.state == scram.SCRAMState.VerifyFailed:`
Move parsing username, password and algorithm to the only place that uses it and add comments (sasl.scram) 2019-02-06 21:49:44 +00:00			`# server gave a bad verification so we should panic`
panic() if a sasl dance fails on first connection, disconnect on reconnect sasl fail 2019-06-17 13:07:44 +00:00			`self._panic(event["server"], "SCRAM VerifyFailed")`
Disconnect from server and throw an exception if SCRAM server verification fails (sasl) 2019-02-05 17:03:41 +00:00
Support SCRAM SASL mechanisms (sasl.py) 2019-02-05 12:17:25 +00:00			`else:`
			`raise ValueError("unknown sasl mechanism '%s'" % mechanism)`
Support EXTERNAL sasl authentication 2018-09-17 10:31:40 +00:00
Only send `auth_text` if it's not None (sasl) 2019-02-06 15:37:24 +00:00			`if not auth_text == None:`
			`if not auth_text == "+":`
			`auth_text = base64.b64encode(auth_text)`
			`auth_text = auth_text.decode("utf8")`
			`event["server"].send_authenticate(auth_text)`
Only "finish" a sasl handshake when we get a 900 2018-09-07 15:04:37 +00:00
Handle 904 (ERR_SASLFAIL) in sasl.py 2018-09-17 11:56:41 +00:00			`def _end_sasl(self, server):`
			`server.capability_done("sasl")`
Log a WARN when we get a 904 (failed sasl) 2019-02-06 16:25:43 +00:00
'received.numeric.###' -> 'received.###' throughout project 2019-02-16 15:53:14 +00:00			`@utils.hook("received.908")`
Support a `USERPASS` sasl mechanism that picks the best user:pass mech (sasl) 2019-02-14 11:57:53 +00:00			`def sasl_mechanisms(self, event):`
			`server_mechanisms = event["args"][1].split(",")`
			`mechanism = self._best_userpass_mechanism(server_mechanimsms)`
			`event["server"].sasl_mechanism = mechanism`
			`event["server"].send_authenticate(mechanism)`

'received.numeric.###' -> 'received.###' throughout project 2019-02-16 15:53:14 +00:00			`@utils.hook("received.903")`
Only "finish" a sasl handshake when we get a 900 2018-09-07 15:04:37 +00:00			`def sasl_success(self, event):`
Handle 904 (ERR_SASLFAIL) in sasl.py 2018-09-17 11:56:41 +00:00			`self._end_sasl(event["server"])`
'received.numeric.###' -> 'received.###' throughout project 2019-02-16 15:53:14 +00:00			`@utils.hook("received.904")`
Fix a copypaste fail that caused sasl.py to have two sasl_success functions 2018-09-17 12:10:22 +00:00			`def sasl_failure(self, event):`
panic() if a sasl dance fails on first connection, disconnect on reconnect sasl fail 2019-06-17 13:07:44 +00:00			`self._panic(event["server"], "ERR_SASLFAIL (%s)" % event["args"][1])`
Handle ERR_SASLALREADY 2019-05-12 10:48:28 +00:00
			`@utils.hook("received.907")`
			`def sasl_already(self, event):`
			`self._end_sasl(event["server"])`
panic() if a sasl dance fails on first connection, disconnect on reconnect sasl fail 2019-06-17 13:07:44 +00:00
			`def _panic(self, server, message):`
Add a setting to disable "hard" sasl failure 2019-06-17 13:22:08 +00:00			`if server.get_setting("sasl-hard-fail", True):`
			`message = "SASL panic for %s: %s" % (str(server), message)`
			`if not server.from_init:`
			`self.log.error(message)`
			`self.bot.disconnect(server)`
			`else:`
			`self.bot.panic(reason=message)`
panic() if a sasl dance fails on first connection, disconnect on reconnect sasl fail 2019-06-17 13:07:44 +00:00			`else:`
WARN log for soft SASL failure 2019-06-17 17:22:12 +00:00			`self.log.warn("SASL failure for %s: %s" % (str(server), message))`
_end_sasl takes a server param 2019-06-17 17:11:02 +00:00			`self._end_sasl(server)`