From: Shane Synan <digitalcircuit36939@gmail.com>
Date: Tue, 29 May 2018 16:51:35 +0000 (-0500)
Subject: Rename strict-ident, apply to non-identd response
X-Git-Tag: travis-deploy-test~82
X-Git-Url: https://git.quassel-irc.org/?p=quassel.git;a=commitdiff_plain;h=67e4eb295238453c94da41185bcdb20d908859d6

Rename strict-ident, apply to non-identd response

Rename "--oidentd-strict" to "--strict-ident", better representing
what it now does - makes all ident replies strict.

Apply strict ident matching to normal (non-identd-enabled) ident,
too.  This allows strict ident to be enforced on IRC networks that do
not check identd responses.

(Yes, some IRC networks behave this way, expecting your shared user
bouncer to enforce ident.  ZNC allows this, so Quassel probably
should too.  No need to run an ident server for those networks.)

Clean up functions, making them a little more generic.  This also
sets the stage for exposing the strict ident mode to the client later
on.
---

diff --git a/src/common/main.cpp b/src/common/main.cpp
index ee7cd434..accffc60 100644
--- a/src/common/main.cpp
+++ b/src/common/main.cpp
@@ -168,9 +168,9 @@ int main(int argc, char **argv)
     cliParser->addOption("select-authenticator", 0, "Select authentication backend", "authidentifier");
     cliParser->addSwitch("add-user", 0, "Starts an interactive session to add a new core user");
     cliParser->addOption("change-userpass", 0, "Starts an interactive session to change the password of the user identified by <username>", "username");
-    cliParser->addSwitch("oidentd", 0, "Enable oidentd integration");
+    cliParser->addSwitch("oidentd", 0, "Enable oidentd integration.  In most cases you should also enable --strict-ident");
     cliParser->addOption("oidentd-conffile", 0, "Set path to oidentd configuration file", "file");
-    cliParser->addSwitch("oidentd-strict", 0, "Use users' quasselcore username as ident reply. Ignores each user's configured ident setting. Only meaningful with --oidentd.");
+    cliParser->addSwitch("strict-ident", 0, "Use users' quasselcore username as ident reply. Ignores each user's configured ident setting.");
 #ifdef HAVE_SSL
     cliParser->addSwitch("require-ssl", 0, "Require SSL for remote (non-loopback) client connections");
     cliParser->addOption("ssl-cert", 0, "Specify the path to the SSL Certificate", "path", "configdir/quasselCert.pem");
diff --git a/src/core/core.cpp b/src/core/core.cpp
index 4edff846..1e5fe02b 100644
--- a/src/core/core.cpp
+++ b/src/core/core.cpp
@@ -271,11 +271,13 @@ void Core::init()
     connect(&_v6server, SIGNAL(newConnection()), this, SLOT(incomingConnection()));
     if (!startListening()) exit(1);  // TODO make this less brutal
 
+    _strictIdentEnabled = Quassel::isOptionSet("strict-ident");
+    if (_strictIdentEnabled) {
+        cacheSysIdent();
+    }
+
     if (Quassel::isOptionSet("oidentd")) {
-        _oidentdConfigGenerator = new OidentdConfigGenerator(Quassel::isOptionSet("oidentd-strict"), this);
-        if (Quassel::isOptionSet("oidentd-strict")) {
-            cacheSysIdent();
-        }
+        _oidentdConfigGenerator = new OidentdConfigGenerator(this);
     }
 }
 
@@ -825,7 +827,7 @@ SessionThread *Core::sessionForUser(UserId uid, bool restore)
     if (_sessions.contains(uid))
         return _sessions[uid];
 
-    SessionThread *session = new SessionThread(uid, restore, this);
+    SessionThread *session = new SessionThread(uid, restore, strictIdentEnabled(), this);
     _sessions[uid] = session;
     session->start();
     return session;
diff --git a/src/core/core.h b/src/core/core.h
index 45e15966..a9ede2e3 100644
--- a/src/core/core.h
+++ b/src/core/core.h
@@ -672,6 +672,14 @@ public:
 
     static inline QDateTime startTime() { return instance()->_startTime; }
     static inline bool isConfigured() { return instance()->_configured; }
+
+    /**
+     * Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+     *
+     * @return True if strict mode enabled, otherwise false
+     */
+    static inline bool strictIdentEnabled() { return instance()->_strictIdentEnabled; }
+
     static bool sslSupported();
 
     /**
@@ -787,6 +795,9 @@ private:
 
     bool _configured;
 
+    /// Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+    bool _strictIdentEnabled;
+
     static std::unique_ptr<AbstractSqlMigrationReader> getMigrationReader(Storage *storage);
     static std::unique_ptr<AbstractSqlMigrationWriter> getMigrationWriter(Storage *storage);
     static void stdInEcho(bool on);
diff --git a/src/core/corenetwork.cpp b/src/core/corenetwork.cpp
index 51c61888..7d1dea91 100644
--- a/src/core/corenetwork.cpp
+++ b/src/core/corenetwork.cpp
@@ -583,7 +583,10 @@ void CoreNetwork::socketInitialized()
         nick = identity->nicks()[0];
     }
     putRawLine(serverEncode(QString("NICK %1").arg(nick)));
-    putRawLine(serverEncode(QString("USER %1 8 * :%2").arg(identity->ident(), identity->realName())));
+    // Only allow strict-compliant idents when strict mode is enabled
+    putRawLine(serverEncode(QString("USER %1 8 * :%2").arg(
+                                coreSession()->strictCompliantIdent(identity),
+                                identity->realName())));
 }
 
 
diff --git a/src/core/coresession.cpp b/src/core/coresession.cpp
index afaf48de..929895ae 100644
--- a/src/core/coresession.cpp
+++ b/src/core/coresession.cpp
@@ -58,9 +58,10 @@ public:
 };
 
 
-CoreSession::CoreSession(UserId uid, bool restoreState, QObject *parent)
+CoreSession::CoreSession(UserId uid, bool restoreState, bool strictIdentEnabled, QObject *parent)
     : QObject(parent),
     _user(uid),
+    _strictIdentEnabled(strictIdentEnabled),
     _signalProxy(new SignalProxy(SignalProxy::Server, this)),
     _aliasManager(this),
     _bufferSyncer(new CoreBufferSyncer(this)),
@@ -563,8 +564,14 @@ void CoreSession::createIdentity(const Identity &identity, const QVariantMap &ad
         createIdentity(coreIdentity);
 }
 
-const QString CoreSession::strictSysident() {
-    return Core::instance()->strictSysIdent(_user);
+const QString CoreSession::strictCompliantIdent(const CoreIdentity *identity) {
+    if (_strictIdentEnabled) {
+        // Strict mode enabled: only allow the user's Quassel username as an ident
+        return Core::instance()->strictSysIdent(_user);
+    } else {
+        // Strict mode disabled: allow any identity specified
+        return identity->ident();
+    }
 }
 
 void CoreSession::createIdentity(const CoreIdentity &identity)
diff --git a/src/core/coresession.h b/src/core/coresession.h
index e13ff64f..fe81a2b4 100644
--- a/src/core/coresession.h
+++ b/src/core/coresession.h
@@ -62,14 +62,24 @@ class CoreSession : public QObject
     Q_OBJECT
 
 public:
-    CoreSession(UserId, bool restoreState, QObject *parent = 0);
+    CoreSession(UserId, bool restoreState, bool strictIdentEnabled, QObject *parent = 0);
     ~CoreSession();
 
     QList<BufferInfo> buffers() const;
     inline UserId user() const { return _user; }
     CoreNetwork *network(NetworkId) const;
     CoreIdentity *identity(IdentityId) const;
-    const QString strictSysident();
+
+    /**
+     * Returns the optionally strict-compliant ident for the given user identity
+     *
+     * If strict mode is enabled, this will return the user's Quassel username for any identity,
+     * otherwise this will return the given identity's ident, whatever it may be.
+     *
+     * @return The user's ident, compliant with strict mode (when enabled)
+     */
+    const QString strictCompliantIdent(const CoreIdentity *identity);
+
     inline CoreNetworkConfig *networkConfig() const { return _networkConfig; }
     NetworkConnection *networkConnection(NetworkId) const;
 
@@ -210,6 +220,9 @@ private:
 
     UserId _user;
 
+    /// Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+    bool _strictIdentEnabled;
+
     SignalProxy *_signalProxy;
     CoreAliasManager _aliasManager;
     // QHash<NetworkId, NetworkConnection *> _connections;
diff --git a/src/core/oidentdconfiggenerator.cpp b/src/core/oidentdconfiggenerator.cpp
index bd4350da..c1bd71ab 100644
--- a/src/core/oidentdconfiggenerator.cpp
+++ b/src/core/oidentdconfiggenerator.cpp
@@ -23,10 +23,9 @@
 #include "corenetwork.h"
 #include "oidentdconfiggenerator.h"
 
-OidentdConfigGenerator::OidentdConfigGenerator(bool strict, QObject *parent) :
+OidentdConfigGenerator::OidentdConfigGenerator(QObject *parent) :
     QObject(parent),
-    _initialized(false),
-    _strict(strict)
+    _initialized(false)
 {
     if (!_initialized)
         init();
@@ -71,11 +70,9 @@ bool OidentdConfigGenerator::init()
 
 
 QString OidentdConfigGenerator::sysIdentForIdentity(const CoreIdentity *identity) const {
-    if (!_strict) {
-        return identity->ident();
-    }
+    // Make sure the identity's ident complies with strict mode if enabled
     const CoreNetwork *network = qobject_cast<CoreNetwork *>(sender());
-    return network->coreSession()->strictSysident();
+    return network->coreSession()->strictCompliantIdent(identity);
 }
 
 
diff --git a/src/core/oidentdconfiggenerator.h b/src/core/oidentdconfiggenerator.h
index 375636ce..bfd351fe 100644
--- a/src/core/oidentdconfiggenerator.h
+++ b/src/core/oidentdconfiggenerator.h
@@ -59,11 +59,7 @@ class OidentdConfigGenerator : public QObject
 {
     Q_OBJECT
 public:
-    /**
-     * @param strict If false, any identity a user chooses is reported to servers as authoritative.
-     *               If true, the user's quassel username is always reported.
-     */
-    explicit OidentdConfigGenerator(bool strict = false, QObject *parent = 0);
+    explicit OidentdConfigGenerator(QObject *parent = 0);
     ~OidentdConfigGenerator();
 
 public slots:
diff --git a/src/core/sessionthread.cpp b/src/core/sessionthread.cpp
index e7dab9a9..7b8bc105 100644
--- a/src/core/sessionthread.cpp
+++ b/src/core/sessionthread.cpp
@@ -25,12 +25,13 @@
 #include "sessionthread.h"
 #include "signalproxy.h"
 
-SessionThread::SessionThread(UserId uid, bool restoreState, QObject *parent)
+SessionThread::SessionThread(UserId uid, bool restoreState, bool strictIdentEnabled, QObject *parent)
     : QThread(parent),
     _session(0),
     _user(uid),
     _sessionInitialized(false),
-    _restoreState(restoreState)
+    _restoreState(restoreState),
+    _strictIdentEnabled(strictIdentEnabled)
 {
     connect(this, SIGNAL(initialized()), this, SLOT(setSessionInitialized()));
 }
@@ -120,7 +121,7 @@ void SessionThread::addInternalClientToSession(InternalPeer *internalPeer)
 
 void SessionThread::run()
 {
-    _session = new CoreSession(user(), _restoreState);
+    _session = new CoreSession(user(), _restoreState, _strictIdentEnabled);
     connect(this, SIGNAL(addRemoteClient(RemotePeer*)), _session, SLOT(addClient(RemotePeer*)));
     connect(this, SIGNAL(addInternalClient(InternalPeer*)), _session, SLOT(addClient(InternalPeer*)));
     connect(_session, SIGNAL(sessionState(Protocol::SessionState)), Core::instance(), SIGNAL(sessionState(Protocol::SessionState)));
diff --git a/src/core/sessionthread.h b/src/core/sessionthread.h
index 097bd245..c215590f 100644
--- a/src/core/sessionthread.h
+++ b/src/core/sessionthread.h
@@ -36,7 +36,7 @@ class SessionThread : public QThread
     Q_OBJECT
 
 public:
-    SessionThread(UserId user, bool restoreState, QObject *parent = 0);
+    SessionThread(UserId user, bool restoreState, bool strictIdentEnabled, QObject *parent = 0);
     ~SessionThread();
 
     void run();
@@ -64,6 +64,9 @@ private:
     bool _sessionInitialized;
     bool _restoreState;
 
+    /// Whether or not strict ident mode is enabled, locking users' idents to Quassel username
+    bool _strictIdentEnabled;
+
     bool isSessionInitialized();
     void addClientToSession(QObject *peer);
     void addRemoteClientToSession(RemotePeer *remotePeer);