configurable ca_certs, simplify network list sent to clients

revspace · Oct 8, 2024 · 85cbb72 · 85cbb72
1 parent fa60ba2
commit 85cbb72
Show file tree

Hide file tree

Showing 8 changed files with 72 additions and 31 deletions.
diff --git a/client/components/NetworkForm.vue b/client/components/NetworkForm.vue
@@ -187,10 +187,10 @@
 					>
 						<option
 							v-for="network in store.state.serverConfiguration?.networks"
-							:key="network.name"
-							:value="network.name"
+							:key="network"
+							:value="network"
 						>
-							{{ network.name }}
+							{{ network }}
 						</option>
 					</select>
 				</div>

diff --git a/package.json b/package.json
@@ -64,7 +64,7 @@
     "file-type": "16.5.4",
     "filenamify": "4.3.0",
     "got": "11.8.5",
-    "irc-framework": "4.13.1",
+    "irc-framework": "https://github.com/revspace/nodejs-irc-framework",
     "is-utf8": "0.2.1",
     "ldapjs": "2.3.1",
     "linkify-it": "3.0.3",

diff --git a/server/client.ts b/server/client.ts
@@ -313,6 +313,7 @@ class Client {
 			host: String(args.host || ""),
 			port: parseInt(String(args.port), 10),
 			tls: !!args.tls,
+			caCert: args.caCert,
 			userDisconnected: !!args.userDisconnected,
 			rejectUnauthorized: !!args.rejectUnauthorized,
 			password: String(args.password || ""),

diff --git a/server/config.ts b/server/config.ts
@@ -80,11 +80,22 @@ type StoragePolicy = {
 	deletionPolicy: "statusOnly" | "everything";
 };
 
-type NetworkTemplate = {
+type TemplateNetwork = {
+	name: string,
 	host: string,
 	port: number,
 	tls: boolean,
-	rejectUnauthorized: boolean // if TLS certificates are validated 
+	rejectUnauthorized: boolean,
+	caCert?: Buffer
+};
+
+type NetworkInConfig = {
+	name: string,
+	host: string,
+	port: number,
+	tls: boolean,
+	rejectUnauthorized?: boolean,
+	caCert?: string
 };
 
 export type ConfigType = {
@@ -107,7 +118,7 @@ export type ConfigType = {
 	leaveMessage: string;
 	defaults: Defaults;
 	lockNetwork: boolean;
-	networks: {[name: string]: NetworkTemplate};
+	networks: {[name: string]: NetworkInConfig};
 	messageStorage: string[];
 	storagePolicy: StoragePolicy;
 	useHexIp: boolean;
@@ -124,9 +135,7 @@ class Config {
 		path.join(__dirname, "..", "defaults", "config.js")
 	)) as ConfigType;
 	#homePath = "";
-	networks = Object.fromEntries(Object.entries(this.values.networks).map(([name, network]) => {
-		return [name, {...network, name}];
-	}));
+	networks: {[name: string]: TemplateNetwork} = this.parseNetworks();
 
 	getHomePath() {
 		return this.#homePath;
@@ -179,8 +188,30 @@ class Config {
 		);
 	}
 
+	getNetworks() {
+		return this.networks;
+	}
+
+	getNetworkNames() {
+		return Object.keys(this.networks);
+	}
+
+	parseNetworks() {
+		return Object.fromEntries(Object.entries(this.values.networks).map(([name, network]) => {
+			return [name, <TemplateNetwork>{
+				name,
+				host: network.host,
+				port: network.port,
+				tls: network.tls !== undefined ? network.tls : true,
+				rejectUnauthorized: network.rejectUnauthorized !== undefined ? network.rejectUnauthorized : true,
+				caCert: network.caCert ? fs.readFileSync(network.caCert) : undefined
+			}];
+		}));
+	}
+
 	merge(newConfig: ConfigType) {
 		this._merge_config_objects(this.values, newConfig);
+		this.networks = this.parseNetworks();
 	}
 
 	_merge_config_objects(oldConfig: ConfigType, newConfig: ConfigType) {

diff --git a/server/models/network.ts b/server/models/network.ts
@@ -21,6 +21,7 @@ type NetworkIrcOptions = {
 	username: string;
 	gecos: string;
 	tls: boolean;
+	ca_certificate?: Buffer;
 	rejectUnauthorized: boolean;
 	webirc: WebIRC | null;
 	client_certificate: ClientCertificateType | null;
@@ -94,6 +95,7 @@ class Network {
 	host!: string;
 	port!: number;
 	tls!: boolean;
+	caCert!: Buffer;
 	userDisconnected!: boolean;
 	rejectUnauthorized!: boolean;
 	password!: string;
@@ -247,7 +249,7 @@ class Network {
 		if (Config.values.lockNetwork) {
 			// This check is needed to prevent invalid user configurations
 
-			const allowedNetwork = Object.values(Config.networks).find((network) => {
+			const allowedNetwork = Object.values(Config.getNetworks()).find((network) => {
 				return (this.name === network.name || this.host === network.host);
 			});
 
@@ -261,6 +263,10 @@ class Network {
 			this.port = allowedNetwork.port;
 			this.tls = allowedNetwork.tls;
 			this.rejectUnauthorized = allowedNetwork.rejectUnauthorized;
+
+			if (allowedNetwork.caCert !== undefined) {
+				this.caCert = allowedNetwork.caCert;
+			}
 		}
 
 		if (this.host.length === 0) {
@@ -319,6 +325,7 @@ class Network {
 		this.irc.options.gecos = this.realname;
 		this.irc.options.tls = this.tls;
 		this.irc.options.rejectUnauthorized = this.rejectUnauthorized;
+		this.irc.options.ca_certificate = this.caCert;
 		this.irc.options.webirc = this.createWebIrc(client);
 		this.irc.options.client_certificate = null;
 

diff --git a/server/server.ts b/server/server.ts
@@ -873,7 +873,7 @@ function getClientConfiguration(data: AuthPerformData): SharedConfiguration | Lo
 		useHexIp: Config.values.useHexIp,
 		prefetch: Config.values.prefetch,
 		fileUploadMaxFileSize: Uploader ? Uploader.getMaxFileSize() : undefined, // TODO can't be undefined?
-		networks: Config.networks
+		networks: Config.getNetworkNames()
 	};
 
 	const defaultsOverride = {
@@ -891,9 +891,17 @@ function getClientConfiguration(data: AuthPerformData): SharedConfiguration | Lo
 
 	if (!Config.values.lockNetwork) {
 		const defaultNetwork = Config.values.networks[Config.values.defaults.name];
+
+		if (defaultNetwork.rejectUnauthorized === undefined) {
+			defaultNetwork.rejectUnauthorized = true;
+		}
+
 		const defaults: ConfigNetDefaults = {
 			..._.clone(Config.values.defaults),
-			..._.clone(defaultNetwork),
+			host: defaultNetwork.host,
+			port: defaultNetwork.port,
+			tls: defaultNetwork.tls,
+			rejectUnauthorized: defaultNetwork.rejectUnauthorized,
 			...defaultsOverride,
 		};
 		const result: SharedConfiguration = {

diff --git a/shared/types/config.ts b/shared/types/config.ts
@@ -24,7 +24,7 @@ type SharedConfigurationBase = {
 	themes: ConfigTheme[];
 	defaultTheme: string;
 	fileUploadMaxFileSize?: number;
-	networks: {[name: string]: NetworkTemplate};
+	networks: string[];
 };
 
 export type ConfigNetDefaults = {

diff --git a/yarn.lock b/yarn.lock
@@ -3151,7 +3151,7 @@ core-js-compat@^3.21.0, core-js-compat@^3.22.1:
   dependencies:
     browserslist "^4.23.3"
 
-core-js@^3.27.2:
+core-js@^3.38.1:
   version "3.38.1"
   resolved "https://registry.yarnpkg.com/core-js/-/core-js-3.38.1.tgz#aa375b79a286a670388a1a363363d53677c0383e"
   integrity sha512-OP35aUorbU3Zvlx7pjsFdu1rGNnD4pgw/CWoYzRY3t2EzoVT7shKHY1dlAy3f41cGIO7ZDPQimhGFTlEYkG/Hw==
@@ -4022,7 +4022,7 @@ eventemitter3@^4.0.4:
   resolved "https://registry.yarnpkg.com/eventemitter3/-/eventemitter3-4.0.7.tgz#2de9b68f6528d5644ef5c59526a1b4a07306169f"
   integrity sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==
 
-eventemitter3@^5.0.0:
+eventemitter3@^5.0.1:
   version "5.0.1"
   resolved "https://registry.yarnpkg.com/eventemitter3/-/eventemitter3-5.0.1.tgz#53f5ffd0a492ac800721bb42c66b841de96423c4"
   integrity sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==
@@ -4943,21 +4943,20 @@ [email protected]:
   resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz#bff38543eeb8984825079ff3a2a8e6cbd46781b3"
   integrity sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==
 
-[email protected]:
-  version "4.13.1"
-  resolved "https://registry.yarnpkg.com/irc-framework/-/irc-framework-4.13.1.tgz#9850ffd220c6ddded960f8b95d0612d646f9a1b7"
-  integrity sha512-oUdNyc5CLwYjsp5AP479EgdMMTepwYK9kury7sWzMV6IeMyKc6fExk6tnhN/jTWpiDKsYtbPAb01wE7yVtLcsQ==
+"irc-framework@https://github.com/revspace/nodejs-irc-framework":
+  version "4.14.0"
+  resolved "https://github.com/revspace/nodejs-irc-framework#7444a1f3e7509342a26b909b2bfd5a9e955db6c8"
   dependencies:
     buffer "^6.0.3"
-    core-js "^3.27.2"
-    eventemitter3 "^5.0.0"
+    core-js "^3.38.1"
+    eventemitter3 "^5.0.1"
     grapheme-splitter "^1.0.4"
     iconv-lite "^0.6.3"
     isomorphic-textencoder "^1.0.1"
     lodash "^4.17.21"
     middleware-handler "^0.2.0"
-    regenerator-runtime "^0.13.11"
-    socks "^2.7.1"
+    regenerator-runtime "^0.14.1"
+    socks "^2.8.3"
     stream-browserify "^3.0.0"
     util "^0.12.5"
 
@@ -7336,12 +7335,7 @@ regenerate@^1.4.2:
   resolved "https://registry.yarnpkg.com/regenerate/-/regenerate-1.4.2.tgz#b9346d8827e8f5a32f7ba29637d398b69014848a"
   integrity sha512-zrceR/XhGYU/d/opr2EKO7aRHUeiBI8qjtfHqADTwZd6Szfy16la6kqD0MIUs5z5hx6AaKa+PixpPrR289+I0A==
 
-regenerator-runtime@^0.13.11:
-  version "0.13.11"
-  resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.13.11.tgz#f6dca3e7ceec20590d07ada785636a90cdca17f9"
-  integrity sha512-kY1AZVr2Ra+t+piVaJ4gxaFaReZVH40AKNo7UCX6W+dEwBo/2oZJzqfuN1qLq1oL45o56cPaTXELwrTh8Fpggg==
-
-regenerator-runtime@^0.14.0:
+regenerator-runtime@^0.14.0, regenerator-runtime@^0.14.1:
   version "0.14.1"
   resolved "https://registry.yarnpkg.com/regenerator-runtime/-/regenerator-runtime-0.14.1.tgz#356ade10263f685dda125100cd862c1db895327f"
   integrity sha512-dYnhHh0nJoMfnkZs6GmmhFknAGRrLznOu5nc9ML+EJxGvrx6H7teuevqVqCuPcPK//3eDrrjQhehXVx9cnkGdw==
@@ -7877,7 +7871,7 @@ socks-proxy-agent@^6.0.0:
     debug "^4.3.3"
     socks "^2.6.2"
 
-socks@^2.6.2, socks@^2.7.1:
+socks@^2.6.2, socks@^2.8.3:
   version "2.8.3"
   resolved "https://registry.yarnpkg.com/socks/-/socks-2.8.3.tgz#1ebd0f09c52ba95a09750afe3f3f9f724a800cb5"
   integrity sha512-l5x7VUUWbjVFbafGLxPWkYsHIhEvmF85tbIeFZWc8ZPtoMyybuEhL7Jye/ooC4/d48FgOjSJXgsF/AJPYCW8Zw==