Rename "--oidentd-strict" to "--strict-ident", better representing
what it now does - makes all ident replies strict.
Apply strict ident matching to normal (non-identd-enabled) ident,
too. This allows strict ident to be enforced on IRC networks that do
not check identd responses.
(Yes, some IRC networks behave this way, expecting your shared user
bouncer to enforce ident. ZNC allows this, so Quassel probably
should too. No need to run an ident server for those networks.)
Clean up functions, making them a little more generic. This also
sets the stage for exposing the strict ident mode to the client later
on.
cliParser->addOption("select-authenticator", 0, "Select authentication backend", "authidentifier");
cliParser->addSwitch("add-user", 0, "Starts an interactive session to add a new core user");
cliParser->addOption("change-userpass", 0, "Starts an interactive session to change the password of the user identified by <username>", "username");
cliParser->addOption("select-authenticator", 0, "Select authentication backend", "authidentifier");
cliParser->addSwitch("add-user", 0, "Starts an interactive session to add a new core user");
cliParser->addOption("change-userpass", 0, "Starts an interactive session to change the password of the user identified by <username>", "username");
- cliParser->addSwitch("oidentd", 0, "Enable oidentd integration");
+ cliParser->addSwitch("oidentd", 0, "Enable oidentd integration. In most cases you should also enable --strict-ident");
cliParser->addOption("oidentd-conffile", 0, "Set path to oidentd configuration file", "file");
cliParser->addOption("oidentd-conffile", 0, "Set path to oidentd configuration file", "file");
- cliParser->addSwitch("oidentd-strict", 0, "Use users' quasselcore username as ident reply. Ignores each user's configured ident setting. Only meaningful with --oidentd.");
+ cliParser->addSwitch("strict-ident", 0, "Use users' quasselcore username as ident reply. Ignores each user's configured ident setting.");
#ifdef HAVE_SSL
cliParser->addSwitch("require-ssl", 0, "Require SSL for remote (non-loopback) client connections");
cliParser->addOption("ssl-cert", 0, "Specify the path to the SSL Certificate", "path", "configdir/quasselCert.pem");
#ifdef HAVE_SSL
cliParser->addSwitch("require-ssl", 0, "Require SSL for remote (non-loopback) client connections");
cliParser->addOption("ssl-cert", 0, "Specify the path to the SSL Certificate", "path", "configdir/quasselCert.pem");
connect(&_v6server, SIGNAL(newConnection()), this, SLOT(incomingConnection()));
if (!startListening()) exit(1); // TODO make this less brutal
connect(&_v6server, SIGNAL(newConnection()), this, SLOT(incomingConnection()));
if (!startListening()) exit(1); // TODO make this less brutal
+ _strictIdentEnabled = Quassel::isOptionSet("strict-ident");
+ if (_strictIdentEnabled) {
+ cacheSysIdent();
+ }
+
if (Quassel::isOptionSet("oidentd")) {
if (Quassel::isOptionSet("oidentd")) {
- _oidentdConfigGenerator = new OidentdConfigGenerator(Quassel::isOptionSet("oidentd-strict"), this);
- if (Quassel::isOptionSet("oidentd-strict")) {
- cacheSysIdent();
- }
+ _oidentdConfigGenerator = new OidentdConfigGenerator(this);
if (_sessions.contains(uid))
return _sessions[uid];
if (_sessions.contains(uid))
return _sessions[uid];
- SessionThread *session = new SessionThread(uid, restore, this);
+ SessionThread *session = new SessionThread(uid, restore, strictIdentEnabled(), this);
_sessions[uid] = session;
session->start();
return session;
_sessions[uid] = session;
session->start();
return session;
static inline QDateTime startTime() { return instance()->_startTime; }
static inline bool isConfigured() { return instance()->_configured; }
static inline QDateTime startTime() { return instance()->_startTime; }
static inline bool isConfigured() { return instance()->_configured; }
+
+ /**
+ * Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+ *
+ * @return True if strict mode enabled, otherwise false
+ */
+ static inline bool strictIdentEnabled() { return instance()->_strictIdentEnabled; }
+
static bool sslSupported();
/**
static bool sslSupported();
/**
+ /// Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+ bool _strictIdentEnabled;
+
static std::unique_ptr<AbstractSqlMigrationReader> getMigrationReader(Storage *storage);
static std::unique_ptr<AbstractSqlMigrationWriter> getMigrationWriter(Storage *storage);
static void stdInEcho(bool on);
static std::unique_ptr<AbstractSqlMigrationReader> getMigrationReader(Storage *storage);
static std::unique_ptr<AbstractSqlMigrationWriter> getMigrationWriter(Storage *storage);
static void stdInEcho(bool on);
nick = identity->nicks()[0];
}
putRawLine(serverEncode(QString("NICK %1").arg(nick)));
nick = identity->nicks()[0];
}
putRawLine(serverEncode(QString("NICK %1").arg(nick)));
- putRawLine(serverEncode(QString("USER %1 8 * :%2").arg(identity->ident(), identity->realName())));
+ // Only allow strict-compliant idents when strict mode is enabled
+ putRawLine(serverEncode(QString("USER %1 8 * :%2").arg(
+ coreSession()->strictCompliantIdent(identity),
+ identity->realName())));
-CoreSession::CoreSession(UserId uid, bool restoreState, QObject *parent)
+CoreSession::CoreSession(UserId uid, bool restoreState, bool strictIdentEnabled, QObject *parent)
: QObject(parent),
_user(uid),
: QObject(parent),
_user(uid),
+ _strictIdentEnabled(strictIdentEnabled),
_signalProxy(new SignalProxy(SignalProxy::Server, this)),
_aliasManager(this),
_bufferSyncer(new CoreBufferSyncer(this)),
_signalProxy(new SignalProxy(SignalProxy::Server, this)),
_aliasManager(this),
_bufferSyncer(new CoreBufferSyncer(this)),
createIdentity(coreIdentity);
}
createIdentity(coreIdentity);
}
-const QString CoreSession::strictSysident() {
- return Core::instance()->strictSysIdent(_user);
+const QString CoreSession::strictCompliantIdent(const CoreIdentity *identity) {
+ if (_strictIdentEnabled) {
+ // Strict mode enabled: only allow the user's Quassel username as an ident
+ return Core::instance()->strictSysIdent(_user);
+ } else {
+ // Strict mode disabled: allow any identity specified
+ return identity->ident();
+ }
}
void CoreSession::createIdentity(const CoreIdentity &identity)
}
void CoreSession::createIdentity(const CoreIdentity &identity)
- CoreSession(UserId, bool restoreState, QObject *parent = 0);
+ CoreSession(UserId, bool restoreState, bool strictIdentEnabled, QObject *parent = 0);
~CoreSession();
QList<BufferInfo> buffers() const;
inline UserId user() const { return _user; }
CoreNetwork *network(NetworkId) const;
CoreIdentity *identity(IdentityId) const;
~CoreSession();
QList<BufferInfo> buffers() const;
inline UserId user() const { return _user; }
CoreNetwork *network(NetworkId) const;
CoreIdentity *identity(IdentityId) const;
- const QString strictSysident();
+
+ /**
+ * Returns the optionally strict-compliant ident for the given user identity
+ *
+ * If strict mode is enabled, this will return the user's Quassel username for any identity,
+ * otherwise this will return the given identity's ident, whatever it may be.
+ *
+ * @return The user's ident, compliant with strict mode (when enabled)
+ */
+ const QString strictCompliantIdent(const CoreIdentity *identity);
+
inline CoreNetworkConfig *networkConfig() const { return _networkConfig; }
NetworkConnection *networkConnection(NetworkId) const;
inline CoreNetworkConfig *networkConfig() const { return _networkConfig; }
NetworkConnection *networkConnection(NetworkId) const;
+ /// Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+ bool _strictIdentEnabled;
+
SignalProxy *_signalProxy;
CoreAliasManager _aliasManager;
// QHash<NetworkId, NetworkConnection *> _connections;
SignalProxy *_signalProxy;
CoreAliasManager _aliasManager;
// QHash<NetworkId, NetworkConnection *> _connections;
#include "corenetwork.h"
#include "oidentdconfiggenerator.h"
#include "corenetwork.h"
#include "oidentdconfiggenerator.h"
-OidentdConfigGenerator::OidentdConfigGenerator(bool strict, QObject *parent) :
+OidentdConfigGenerator::OidentdConfigGenerator(QObject *parent) :
- _initialized(false),
- _strict(strict)
{
if (!_initialized)
init();
{
if (!_initialized)
init();
QString OidentdConfigGenerator::sysIdentForIdentity(const CoreIdentity *identity) const {
QString OidentdConfigGenerator::sysIdentForIdentity(const CoreIdentity *identity) const {
- if (!_strict) {
- return identity->ident();
- }
+ // Make sure the identity's ident complies with strict mode if enabled
const CoreNetwork *network = qobject_cast<CoreNetwork *>(sender());
const CoreNetwork *network = qobject_cast<CoreNetwork *>(sender());
- return network->coreSession()->strictSysident();
+ return network->coreSession()->strictCompliantIdent(identity);
- /**
- * @param strict If false, any identity a user chooses is reported to servers as authoritative.
- * If true, the user's quassel username is always reported.
- */
- explicit OidentdConfigGenerator(bool strict = false, QObject *parent = 0);
+ explicit OidentdConfigGenerator(QObject *parent = 0);
~OidentdConfigGenerator();
public slots:
~OidentdConfigGenerator();
public slots:
#include "sessionthread.h"
#include "signalproxy.h"
#include "sessionthread.h"
#include "signalproxy.h"
-SessionThread::SessionThread(UserId uid, bool restoreState, QObject *parent)
+SessionThread::SessionThread(UserId uid, bool restoreState, bool strictIdentEnabled, QObject *parent)
: QThread(parent),
_session(0),
_user(uid),
_sessionInitialized(false),
: QThread(parent),
_session(0),
_user(uid),
_sessionInitialized(false),
- _restoreState(restoreState)
+ _restoreState(restoreState),
+ _strictIdentEnabled(strictIdentEnabled)
{
connect(this, SIGNAL(initialized()), this, SLOT(setSessionInitialized()));
}
{
connect(this, SIGNAL(initialized()), this, SLOT(setSessionInitialized()));
}
void SessionThread::run()
{
void SessionThread::run()
{
- _session = new CoreSession(user(), _restoreState);
+ _session = new CoreSession(user(), _restoreState, _strictIdentEnabled);
connect(this, SIGNAL(addRemoteClient(RemotePeer*)), _session, SLOT(addClient(RemotePeer*)));
connect(this, SIGNAL(addInternalClient(InternalPeer*)), _session, SLOT(addClient(InternalPeer*)));
connect(_session, SIGNAL(sessionState(Protocol::SessionState)), Core::instance(), SIGNAL(sessionState(Protocol::SessionState)));
connect(this, SIGNAL(addRemoteClient(RemotePeer*)), _session, SLOT(addClient(RemotePeer*)));
connect(this, SIGNAL(addInternalClient(InternalPeer*)), _session, SLOT(addClient(InternalPeer*)));
connect(_session, SIGNAL(sessionState(Protocol::SessionState)), Core::instance(), SIGNAL(sessionState(Protocol::SessionState)));
- SessionThread(UserId user, bool restoreState, QObject *parent = 0);
+ SessionThread(UserId user, bool restoreState, bool strictIdentEnabled, QObject *parent = 0);
~SessionThread();
void run();
~SessionThread();
void run();
bool _sessionInitialized;
bool _restoreState;
bool _sessionInitialized;
bool _restoreState;
+ /// Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+ bool _strictIdentEnabled;
+
bool isSessionInitialized();
void addClientToSession(QObject *peer);
void addRemoteClientToSession(RemotePeer *remotePeer);
bool isSessionInitialized();
void addClientToSession(QObject *peer);
void addRemoteClientToSession(RemotePeer *remotePeer);