Add SASL CertFP support for both bot and users

* Users can manage key and cert via ![store,remove][cert,key]` commands
* Bot configured under botConfig

Author: 3nprob

config.sample.yaml

@@ -164,6 +164,17 @@ ircService:
         # real matrix users in them, even if there is a mapping for the channel.
         # Default: true
         joinChannelsIfNoUsers: true
+        #
+        # Explicit key/cert to use when connecting. Optional.
+        # When setting up with https://freenode.net/kb/answer/certfp , you can copy these from the .pem file
+        #sslKey: |
+        #  -----BEGIN PRIVATE KEY-----
+        #  ...
+        #  -----END PRIVATE KEY-----
+        #saslCert: |
+        #  -----BEGIN CERTIFICATE-----
+        #  ...
+        #  -----END CERTIFICATE-----
 
       # Configuration for PMs / private 1:1 communications between users.
       privateMessages:

config.schema.yml

@@ -228,6 +228,10 @@ properties:
                                     type: "string"
                                 joinChannelsIfNoUsers:
                                     type: "boolean"
+                                saslKey:
+                                    type: "string"
+                                saslCert:
+                                    type: "string"
                         privateMessages:
                             type: "object"
                             properties:

src/bridge/AdminRoomHandler.ts

@@ -86,6 +86,22 @@ const COMMANDS: {[command: string]: Command|Heading} = {
         example: `!username [irc.example.net] username`,
         summary: "Store a username to use for future connections.",
     },
+    "!storecert": {
+        example: `!storecert irc.example.net] -----BEGIN CERTIFICATE-----[...]`,
+        summary: `Store a SASL certificate for CertFP`,
+    },
+    "!storekey": {
+        example: `!storekey [irc.example.net] -----BEGIN PRIVATE KEY-----[...]`,
+        summary: `Store a SASL private key for CertFP`,
+    },
+    "!removecert": {
+        example: `!removecert [irc.example.net]`,
+        summary: `Remove a previously stored SASL certificate`,
+    },
+    "!removekey": {
+        example: `!removekey [irc.example.net]`,
+        summary: `Remove a previously stored SASL private key`,
+    },
     'Info': { heading: true},
     "!bridgeversion": {
         example: `!bridgeversion`,
@@ -166,6 +182,14 @@ export class AdminRoomHandler {
                 return await this.handleStorePass(req, args, event.sender);
             case "!removepass":
                 return await this.handleRemovePass(args, event.sender);
+            case "!storekey":
+                return await this.handleStoreKey(req, args, event.sender);
+            case "!storecert":
+                return await this.handleStoreCert(req, args, event.sender);
+            case "!removekey":
+                return await this.handleRemoveKey(args, event.sender);
+            case "!removecert":
+                return await this.handleRemoveCert(args, event.sender);
             case "!listrooms":
                 return await this.handleListRooms(args, event.sender);
             case "!quit":
@@ -463,7 +487,7 @@ export class AdminRoomHandler {
         let notice;
 
         try {
-            // Allow passwords with spaces
+            // Allow usernames with spaces
             const username = args[0]?.trim();
             if (!username) {
                 notice = new MatrixAction(
@@ -557,6 +581,96 @@ export class AdminRoomHandler {
         }
     }
 
+    private async handleStoreKey(req: BridgeRequest, args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+        const domain = server.domain;
+        let notice;
+
+        try {
+            const key = args.join('\n');
+            if (key.length === 0) {
+                notice = new MatrixAction(
+                    "notice",
+                    "Format: '!storekey key' or '!storepass irc.server.name key'\n"
+                );
+            }
+            else {
+                await this.ircBridge.getStore().storeKey(userId, domain, key);
+                notice = new MatrixAction(
+                    "notice", `Successfully stored SASL key for ${domain}. Use !reconnect to reauthenticate.`
+                );
+            }
+        }
+        catch (err) {
+            req.log.error(err.stack);
+            return new MatrixAction(
+                "notice", `Failed to store SASL key: ${err.message}`
+            );
+        }
+        return notice;
+    }
+
+    private async handleRemoveKey(args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+
+        try {
+            await this.ircBridge.getStore().removeKey(userId, server.domain);
+            return new MatrixAction(
+                "notice", `Successfully removed SASL key.`
+            );
+        }
+        catch (err) {
+            return new MatrixAction(
+                "notice", `Failed to remove SASL key: ${err.message}`
+            );
+        }
+    }
+
+    private async handleStoreCert(req: BridgeRequest, args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+        const domain = server.domain;
+        let notice;
+
+        try {
+            const cert = args.join('\n');
+            if (cert.length === 0) {
+                notice = new MatrixAction(
+                    "notice",
+                    "Format: '!storecert cert' or '!storecert irc.server.name cert'\n"
+                );
+            }
+            else {
+                await this.ircBridge.getStore().storeCert(userId, domain, cert);
+                notice = new MatrixAction(
+                    "notice", `Successfully stored SASL cert for ${domain}. Use !reconnect to reauthenticate.`
+                );
+            }
+        }
+        catch (err) {
+            req.log.error(err.stack);
+            return new MatrixAction(
+                "notice", `Failed to store SASL cert: ${err.message}`
+            );
+        }
+        return notice;
+    }
+
+    private async handleRemoveCert(args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+
+        try {
+            await this.ircBridge.getStore().removeCert(userId, server.domain);
+            return new MatrixAction(
+                "notice", `Successfully removed SASL cert.`
+            );
+        }
+        catch (err) {
+            return new MatrixAction(
+                "notice", `Failed to remove SASL cert: ${err.message}`
+            );
+        }
+    }
+
     private async handleListRooms(args: string[], sender: string) {
         const server = this.extractServerFromArgs(args);
 

src/datastore/DataStore.ts

@@ -162,6 +162,14 @@ export interface DataStore {
 
     removePass(userId: string, domain: string): Promise<void>;
 
+    storeKey(userId: string, domain: string, key: string): Promise<void>;
+
+    removeKey(userId: string, domain: string): Promise<void>;
+
+    storeCert(userId: string, domain: string, cert: string): Promise<void>;
+
+    removeCert(userId: string, domain: string): Promise<void>;
+
     getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined>;
 
     getCountForUsernamePrefix(domain: string, usernamePrefix: string): Promise<number>;

src/datastore/NedbDataStore.ts

@@ -542,6 +542,14 @@ export class NeDBDataStore implements DataStore {
             const decryptedPass = this.cryptoStore.decrypt(encryptedPass);
             clientConfig.setPassword(decryptedPass);
         }
+        const encryptedKey = clientConfig.getSASLKey();
+        if (encryptedKey) {
+            if (!this.cryptoStore) {
+                throw new Error(`Cannot decrypt SASL key of ${userId} - no private key`);
+            }
+            const decryptedKey = this.cryptoStore.decrypt(encryptedKey);
+            clientConfig.setPassword(decryptedKey);
+        }
         return clientConfig;
     }
 
@@ -571,6 +579,16 @@ export class NeDBDataStore implements DataStore {
             // Store the encrypted password, ready for the db
             config.setPassword(encryptedPass);
         }
+        const saslKey = config.getSASLKey();
+        if (saslKey) {
+            if (!this.cryptoStore) {
+                throw new Error(
+                    'Cannot store plaintext private keys'
+                );
+            }
+            const encryptedKey = this.cryptoStore.encrypt(saslKey);
+            config.setSASLKey(encryptedKey);
+        }
         userConfig[config.getDomain().replace(/\./g, "_")] = config.serialize();
         user.set("client_config", userConfig);
         await this.userStore.setMatrixUser(user);
@@ -607,6 +625,39 @@ export class NeDBDataStore implements DataStore {
         }
     }
 
+    public async storeKey(userId: string, domain: string, key: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (!config) {
+            throw new Error(`${userId} does not have an IRC client configured for ${domain}`);
+        }
+        config.setSASLKey(key);
+        await this.storeIrcClientConfig(config);
+    }
+
+    public async removeKey(userId: string, domain: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (config) {
+            config.setSASLKey();
+            await this.storeIrcClientConfig(config);
+        }
+    }
+
+    public async storeCert(userId: string, domain: string, cert: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (!config) {
+            throw new Error(`${userId} does not have an IRC client configured for ${domain}`);
+        }
+        config.setSASLCert(cert);
+        await this.storeIrcClientConfig(config);
+    }
+
+    public async removeCert(userId: string, domain: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (config) {
+            config.setSASLCert();
+            await this.storeIrcClientConfig(config);
+        }
+    }
     public async getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined> {
         const domainKey = domain.replace(/\./g, "_");
         const matrixUsers = await this.userStore.getByMatrixData({

src/datastore/postgres/PgDataStore.ts

@@ -52,7 +52,7 @@ interface RoomRecord {
 export class PgDataStore implements DataStore {
     private serverMappings: {[domain: string]: IrcServer} = {};
 
-    public static readonly LATEST_SCHEMA = 6;
+    public static readonly LATEST_SCHEMA = 7;
     private pgPool: Pool;
     private hasEnded = false;
     private cryptoStore?: StringCrypto;
@@ -485,7 +485,7 @@ export class PgDataStore implements DataStore {
 
     public async getIrcClientConfig(userId: string, domain: string): Promise<IrcClientConfig | null> {
         const res = await this.pgPool.query(
-            "SELECT config, password FROM client_config WHERE user_id = $1 and domain = $2",
+            "SELECT config, password, sasl_key FROM client_config WHERE user_id = $1 and domain = $2",
             [
                 userId,
                 domain
@@ -498,6 +498,9 @@ export class PgDataStore implements DataStore {
         if (row.password && this.cryptoStore) {
             config.password = this.cryptoStore.decrypt(row.password);
         }
+        if (row.sasl_key && this.cryptoStore) {
+            config.saslKey = this.cryptoStore.decrypt(row.sasl_key);
+        }
         return new IrcClientConfig(userId, domain, config);
     }
 
@@ -513,11 +516,17 @@ export class PgDataStore implements DataStore {
         if (password && this.cryptoStore) {
             password = this.cryptoStore.encrypt(password);
         }
+        let saslKey = config.getSASLKey();
+        if (saslKey && this.cryptoStore) {
+            saslKey = this.cryptoStore.encrypt(saslKey);
+        }
         const parameters = {
             user_id: userId,
             domain: config.getDomain(),
             // either use the decrypted password, or whatever is stored already.
             password,
+            sasl_key: saslKey,
+            sasl_cert: config.getSASLCert(),
             config: JSON.stringify(config.serialize(true)),
         };
         const statement = PgDataStore.BuildUpsertStatement(
@@ -578,6 +587,45 @@ export class PgDataStore implements DataStore {
             [userId, domain]);
     }
 
+    public async storeKey(userId: string, domain: string, key: string, encrypt = true): Promise<void> {
+        let sasl_key = key;
+        if (encrypt) {
+            if (!this.cryptoStore) {
+                throw Error("Password encryption is not configured.")
+            }
+            sasl_key = this.cryptoStore.encrypt(sasl_key);
+        }
+        const parameters = {
+            user_id: userId,
+            domain,
+            sasl_key,
+        };
+        const statement = PgDataStore.BuildUpsertStatement("client_config",
+            "ON CONSTRAINT cons_client_config_unique", Object.keys(parameters));
+        await this.pgPool.query(statement, Object.values(parameters));
+    }
+
+    public async removeKey(userId: string, domain: string): Promise<void> {
+        await this.pgPool.query("UPDATE client_config SET sasl_key = NULL WHERE user_id = $1 AND domain = $2",
+            [userId, domain]);
+    }
+
+    public async storeCert(userId: string, domain: string, cert: string): Promise<void> {
+        const parameters = {
+            user_id: userId,
+            domain,
+            sasl_cert: cert,
+        };
+        const statement = PgDataStore.BuildUpsertStatement("client_config",
+            "ON CONSTRAINT cons_client_config_unique", Object.keys(parameters));
+        await this.pgPool.query(statement, Object.values(parameters));
+    }
+
+    public async removeCert(userId: string, domain: string): Promise<void> {
+        await this.pgPool.query("UPDATE client_config SET sasl_cert = NULL WHERE user_id = $1 AND domain = $2",
+            [userId, domain]);
+    }
+
     public async getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined> {
         // This will need a join
         const res = await this.pgPool.query(

src/datastore/postgres/schema/v7.ts

@@ -0,0 +1,8 @@
+import { PoolClient } from "pg";
+
+export async function runSchema(connection: PoolClient) {
+    await connection.query(`
+ALTER TABLE client_config ADD COLUMN sasl_cert TEXT;
+ALTER TABLE client_config ADD COLUMN sasl_key TEXT;
+    `);
+}