From 85cbb726852fbdf3b70090e938c9fbe6d8678b61 Mon Sep 17 00:00:00 2001 From: f0x Date: Tue, 8 Oct 2024 15:43:17 +0200 Subject: [PATCH] configurable ca_certs, simplify network list sent to clients --- client/components/NetworkForm.vue | 6 ++--- package.json | 2 +- server/client.ts | 1 + server/config.ts | 43 ++++++++++++++++++++++++++----- server/models/network.ts | 9 ++++++- server/server.ts | 12 +++++++-- shared/types/config.ts | 2 +- yarn.lock | 28 ++++++++------------ 8 files changed, 72 insertions(+), 31 deletions(-) diff --git a/client/components/NetworkForm.vue b/client/components/NetworkForm.vue index 1edaef2a4..cbc47dd35 100644 --- a/client/components/NetworkForm.vue +++ b/client/components/NetworkForm.vue @@ -187,10 +187,10 @@ > diff --git a/package.json b/package.json index 3deab8912..f34378d6b 100644 --- a/package.json +++ b/package.json @@ -64,7 +64,7 @@ "file-type": "16.5.4", "filenamify": "4.3.0", "got": "11.8.5", - "irc-framework": "4.13.1", + "irc-framework": "https://github.com/revspace/nodejs-irc-framework", "is-utf8": "0.2.1", "ldapjs": "2.3.1", "linkify-it": "3.0.3", diff --git a/server/client.ts b/server/client.ts index f2f125941..876eada14 100644 --- a/server/client.ts +++ b/server/client.ts @@ -313,6 +313,7 @@ class Client { host: String(args.host || ""), port: parseInt(String(args.port), 10), tls: !!args.tls, + caCert: args.caCert, userDisconnected: !!args.userDisconnected, rejectUnauthorized: !!args.rejectUnauthorized, password: String(args.password || ""), diff --git a/server/config.ts b/server/config.ts index 32bb5f794..538b295f0 100644 --- a/server/config.ts +++ b/server/config.ts 
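Review bot: The replacement `irc-framework` entry in package.json is a bare GitHub URL with no commit or tag, so every fresh install resolves whatever the default branch of `revspace/nodejs-irc-framework` holds at that moment, and the lockfile is the only thing pinning it (the yarn.lock hunk records commit 7444a1f3e7509342a26b909b2bfd5a9e955db6c8 but, unlike the registry tarball it replaces, carries no `integrity` hash). Pin the commit in the manifest itself, `"irc-framework": "https://github.com/revspace/nodejs-irc-framework#7444a1f3e7509342a26b909b2bfd5a9e955db6c8"`, so an upstream force-push or a regenerated lockfile cannot silently change the library that now handles CA validation. A short note in the commit message saying why the fork is required (the `ca_certificate` option used in server/models/network.ts) would help whoever later tries to return to a registry release.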
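Review bot: `caCert: args.caCert` in server/client.ts forwards the client-supplied value untouched, while every neighbouring field in the same object is coerced (`String(...)`, `parseInt(...)`, `!!...`), and Network declares `caCert!: Buffer`, so whatever shape the browser sends (a string, an object, nothing) ends up in `irc.options.ca_certificate`. If the intent is that only the server configuration supplies CA certificates, this line should go and Network should take the value from `Config.getNetworks()` alone; if users are meant to supply their own, the value needs an explicit type check and a size limit before it is accepted. The object literal this line belongs to starts and ends outside the hunk.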
@@ -80,11 +80,22 @@ type StoragePolicy = {
 	deletionPolicy: "statusOnly" | "everything";
 };
 
-type NetworkTemplate = {
+type TemplateNetwork = {
+	name: string,
 	host: string,
 	port: number,
 	tls: boolean,
-	rejectUnauthorized: boolean // if TLS certificates are validated
+	rejectUnauthorized: boolean,
+	caCert?: Buffer
+};
+
+type NetworkInConfig = {
+	name: string,
+	host: string,
+	port: number,
+	tls: boolean,
+	rejectUnauthorized?: boolean,
+	caCert?: string
 };
 
 export type ConfigType = {
@@ -107,7 +118,7 @@ export type ConfigType = {
 	leaveMessage: string;
 	defaults: Defaults;
 	lockNetwork: boolean;
-	networks: {[name: string]: NetworkTemplate};
+	networks: {[name: string]: NetworkInConfig};
 	messageStorage: string[];
 	storagePolicy: StoragePolicy;
 	useHexIp: boolean;
@@ -124,9 +135,7 @@ class Config {
 		path.join(__dirname, "..", "defaults", "config.js")
 	)) as ConfigType;
 	#homePath = "";
-	networks = Object.fromEntries(Object.entries(this.values.networks).map(([name, network]) => {
-		return [name, {...network, name}];
-	}));
+	networks: {[name: string]: TemplateNetwork} = this.parseNetworks();
 
 	getHomePath() {
 		return this.#homePath;
@@ -179,8 +188,30 @@ class Config {
 		);
 	}
 
+	getNetworks() {
+		return this.networks;
+	}
+
+	getNetworkNames() {
+		return Object.keys(this.networks);
+	}
+
+	parseNetworks() {
+		return Object.fromEntries(Object.entries(this.values.networks).map(([name, network]) => {
+			return [name, {
+				name,
+				host: network.host,
+				port: network.port,
+				tls: network.tls !== undefined ? network.tls : true,
+				rejectUnauthorized: network.rejectUnauthorized !== undefined ? network.rejectUnauthorized : true,
+				caCert: network.caCert ? fs.readFileSync(network.caCert) : undefined
+			}];
+		}));
+	}
+
 	merge(newConfig: ConfigType) {
 		this._merge_config_objects(this.values, newConfig);
+		this.networks = this.parseNetworks();
 	}
 
 	_merge_config_objects(oldConfig: ConfigType, newConfig: ConfigType) {
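Review bot: `fs.readFileSync(network.caCert)` in `parseNetworks()` runs from the `networks` field initializer, so a missing or unreadable file named in the config throws during `Config` construction with only the raw filesystem error and no indication of which network entry caused it; wrapping the read in a try/catch that rethrows with the network name, and resolving a relative `caCert` path against a known base rather than the process working directory (which appears to be what happens now, assuming `fs` is the node module already imported by config.ts), would make a misconfiguration diagnosable. `NetworkInConfig` also declares `tls: boolean` as required while the same function defaults it with `network.tls !== undefined ? network.tls : true`; either make the field `tls?: boolean` like `rejectUnauthorized?` or drop the fallback, and `??` would state both defaults more directly if the build target allows it. The explanatory comment on `rejectUnauthorized` (`// if TLS certificates are validated`) is lost in the rename and is worth keeping on `TemplateNetwork`, since that flag and `caCert` together decide whether a server certificate is trusted.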
diff --git a/server/models/network.ts b/server/models/network.ts
index 1724cc3bc..d698163e4 100644
--- a/server/models/network.ts
+++ b/server/models/network.ts
@@ -21,6 +21,7 @@ type NetworkIrcOptions = {
 	username: string;
 	gecos: string;
 	tls: boolean;
+	ca_certificate?: Buffer;
 	rejectUnauthorized: boolean;
 	webirc: WebIRC | null;
 	client_certificate: ClientCertificateType | null;
@@ -94,6 +95,7 @@ class Network {
 	host!: string;
 	port!: number;
 	tls!: boolean;
+	caCert!: Buffer;
 	userDisconnected!: boolean;
 	rejectUnauthorized!: boolean;
 	password!: string;
@@ -247,7 +249,7 @@ class Network {
 
 		if (Config.values.lockNetwork) {
 			// This check is needed to prevent invalid user configurations
-			const allowedNetwork = Object.values(Config.networks).find((network) => {
+			const allowedNetwork = Object.values(Config.getNetworks()).find((network) => {
 				return (this.name === network.name || this.host === network.host);
 			});
 
@@ -261,6 +263,10 @@ class Network {
 			this.port = allowedNetwork.port;
 			this.tls = allowedNetwork.tls;
 			this.rejectUnauthorized = allowedNetwork.rejectUnauthorized;
+
+			if (allowedNetwork.caCert !== undefined) {
+				this.caCert = allowedNetwork.caCert;
+			}
 		}
 
 		if (this.host.length === 0) {
@@ -319,6 +325,7 @@ class Network {
 		this.irc.options.gecos = this.realname;
 		this.irc.options.tls = this.tls;
 		this.irc.options.rejectUnauthorized = this.rejectUnauthorized;
+		this.irc.options.ca_certificate = this.caCert;
 		this.irc.options.webirc = this.createWebIrc(client);
 		this.irc.options.client_certificate = null;
 
diff --git a/server/server.ts b/server/server.ts
index 6961aa110..364c5846a 100644
--- a/server/server.ts
+++ b/server/server.ts
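Review bot: On a locked network (`Config.values.lockNetwork`), the new block only overwrites `this.caCert` when the admin's entry has a `caCert`; when it does not, the value that arrived from the client in `args.caCert` survives next to the admin-forced `tls` and `rejectUnauthorized`, so a user-supplied CA is still honoured on a connection whose TLS settings the admin meant to pin. Assign unconditionally, `this.caCert = allowedNetwork.caCert;`, and make the field optional (`caCert?: Buffer`) to match `ca_certificate?: Buffer` in `NetworkIrcOptions` and `caCert?` on `TemplateNetwork`; the `!` definite-assignment marker is misleading on a field nothing sets on the unlocked path. Whether the forked irc-framework reads the option under the name `ca_certificate` cannot be confirmed from this diff, so a one-line comment next to the assignment in the last hunk citing the fork's option would help the next reader. The methods these hunks touch start and end outside the hunks.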
@@ -873,7 +873,7 @@ function getClientConfiguration(data: AuthPerformData): SharedConfiguration | Lo
 		useHexIp: Config.values.useHexIp,
 		prefetch: Config.values.prefetch,
 		fileUploadMaxFileSize: Uploader ? Uploader.getMaxFileSize() : undefined, // TODO can't be undefined?
-		networks: Config.networks
+		networks: Config.getNetworkNames()
 	};
 
 	const defaultsOverride = {
@@ -891,9 +891,17 @@ function getClientConfiguration(data: AuthPerformData): SharedConfiguration | Lo
 
 	if (!Config.values.lockNetwork) {
 		const defaultNetwork = Config.values.networks[Config.values.defaults.name];
+
+		if (defaultNetwork.rejectUnauthorized === undefined) {
+			defaultNetwork.rejectUnauthorized = true;
+		}
+
 		const defaults: ConfigNetDefaults = {
 			..._.clone(Config.values.defaults),
-			..._.clone(defaultNetwork),
+			host: defaultNetwork.host,
+			port: defaultNetwork.port,
+			tls: defaultNetwork.tls,
+			rejectUnauthorized: defaultNetwork.rejectUnauthorized,
 			...defaultsOverride,
 		};
 		const result: SharedConfiguration = {
diff --git a/shared/types/config.ts b/shared/types/config.ts
index 6f9d53ff0..a7486a498 100644
--- a/shared/types/config.ts
+++ b/shared/types/config.ts
@@ -24,7 +24,7 @@ type SharedConfigurationBase = {
 	themes: ConfigTheme[];
 	defaultTheme: string;
 	fileUploadMaxFileSize?: number;
-	networks: {[name: string]: NetworkTemplate};
+	networks: string[];
 };
 
 export type ConfigNetDefaults = {
diff --git a/yarn.lock b/yarn.lock
index 33a05e5b9..6a1b8f94d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3151,7 +3151,7 @@ core-js-compat@^3.21.0, core-js-compat@^3.22.1:
   dependencies:
     browserslist "^4.23.3"
 
-core-js@^3.27.2:
+core-js@^3.38.1:
   version "3.38.1"
   resolved "https://registry.yarnpkg.com/core-js/-/core-js-3.38.1.tgz#aa375b79a286a670388a1a363363d53677c0383e"
   integrity sha512-OP35aUorbU3Zvlx7pjsFdu1rGNnD4pgw/CWoYzRY3t2EzoVT7shKHY1dlAy3f41cGIO7ZDPQimhGFTlEYkG/Hw==
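Review bot: `defaultNetwork.rejectUnauthorized = true` in the second server.ts hunk writes into `Config.values.networks` from inside `getClientConfiguration`, which runs for each connecting client, so the loaded configuration is mutated as a side effect of serving a request; and `Config.values.networks[Config.values.defaults.name]` is `undefined` when `defaults.name` names no configured network, so the new property access throws a TypeError where the old `_.clone(undefined)` spread did not. `Config.getNetworks()` already applies the `rejectUnauthorized` and `tls` defaults in `parseNetworks()`, so `const defaultNetwork = Config.getNetworks()[Config.values.defaults.name];` makes the four added lines unnecessary and keeps server.ts consistent with config.ts (this hunk currently omits the `tls: true` default that config.ts applies). Keep the explicit `host`/`port`/`tls`/`rejectUnauthorized` picks rather than a spread, since the parsed entry also carries the `caCert` Buffer, which has no business in the payload sent to the browser, and add a guard such as `if (defaultNetwork === undefined) throw new Error(...)` naming the bad `defaults.name` so the failure reads as a configuration error. getClientConfiguration starts and continues outside the hunk.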
@@ -4022,7 +4022,7 @@ eventemitter3@^4.0.4: resolved "https://registry.yarnpkg.com/eventemitter3/-/eventemitter3-4.0.7.tgz#2de9b68f6528d5644ef5c59526a1b4a07306169f" integrity sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw== -eventemitter3@^5.0.0: +eventemitter3@^5.0.1: version "5.0.1" resolved "https://registry.yarnpkg.com/eventemitter3/-/eventemitter3-5.0.1.tgz#53f5ffd0a492ac800721bb42c66b841de96423c4" integrity sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA== @@ -4943,21 +4943,20 @@ ipaddr.js@1.9.1: resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz#bff38543eeb8984825079ff3a2a8e6cbd46781b3" integrity sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g== -irc-framework@4.13.1: - version "4.13.1" - resolved "https://registry.yarnpkg.com/irc-framework/-/irc-framework-4.13.1.tgz#9850ffd220c6ddded960f8b95d0612d646f9a1b7" - integrity sha512-oUdNyc5CLwYjsp5AP479EgdMMTepwYK9kury7sWzMV6IeMyKc6fExk6tnhN/jTWpiDKsYtbPAb01wE7yVtLcsQ== +"irc-framework@https://github.com/revspace/nodejs-irc-framework": + version "4.14.0" + resolved "https://github.com/revspace/nodejs-irc-framework#7444a1f3e7509342a26b909b2bfd5a9e955db6c8" dependencies: buffer "^6.0.3" - core-js "^3.27.2" - eventemitter3 "^5.0.0" + core-js "^3.38.1" + eventemitter3 "^5.0.1" grapheme-splitter "^1.0.4" iconv-lite "^0.6.3" isomorphic-textencoder "^1.0.1" lodash "^4.17.21" middleware-handler "^0.2.0" - regenerator-runtime "^0.13.11" - socks "^2.7.1" + regenerator-runtime "^0.14.1" + socks "^2.8.3" stream-browserify "^3.0.0" util "^0.12.5" 
@@ -7336,12 +7335,7 @@ regenerate@^1.4.2: resolved "https://registry.yarnpkg.com/regenerate/-/regenerate-1.4.2.tgz#b9346d8827e8f5a32f7ba29637d398b69014848a" integrity sha512-zrceR/XhGYU/d/opr2EKO7aRHUeiBI8qjtfHqADTwZd6Szfy16la6kqD0MIUs5z5hx6AaKa+PixpPrR289+I0A== -regenerator-runtime@^0.13.11: - version "0.13.11" - resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.13.11.tgz#f6dca3e7ceec20590d07ada785636a90cdca17f9" - integrity sha512-kY1AZVr2Ra+t+piVaJ4gxaFaReZVH40AKNo7UCX6W+dEwBo/2oZJzqfuN1qLq1oL45o56cPaTXELwrTh8Fpggg== - -regenerator-runtime@^0.14.0: +regenerator-runtime@^0.14.0, regenerator-runtime@^0.14.1: version "0.14.1" resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.14.1.tgz#356ade10263f685dda125100cd862c1db895327f" integrity sha512-dYnhHh0nJoMfnkZs6GmmhFknAGRrLznOu5nc9ML+EJxGvrx6H7teuevqVqCuPcPK//3eDrrjQhehXVx9cnkGdw== @@ -7877,7 +7871,7 @@ socks-proxy-agent@^6.0.0: debug "^4.3.3" socks "^2.6.2" -socks@^2.6.2, socks@^2.7.1: +socks@^2.6.2, socks@^2.8.3: version "2.8.3" resolved "https://registry.yarnpkg.com/socks/-/socks-2.8.3.tgz#1ebd0f09c52ba95a09750afe3f3f9f724a800cb5" integrity sha512-l5x7VUUWbjVFbafGLxPWkYsHIhEvmF85tbIeFZWc8ZPtoMyybuEhL7Jye/ooC4/d48FgOjSJXgsF/AJPYCW8Zw==