matrix-org
diff --git a/‎config.sample.yaml‎
Lines changed: 11 additions & 0 deletions b/‎config.sample.yaml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎config.schema.yml‎
Lines changed: 4 additions & 0 deletions b/‎config.schema.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/bridge/AdminRoomHandler.ts‎
Lines changed: 122 additions & 1 deletion b/‎src/bridge/AdminRoomHandler.ts‎
Lines changed: 122 additions & 1 deletion
diff --git a/‎src/datastore/DataStore.ts‎
Lines changed: 8 additions & 0 deletions b/‎src/datastore/DataStore.ts‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/datastore/NedbDataStore.ts‎
Lines changed: 51 additions & 0 deletions b/‎src/datastore/NedbDataStore.ts‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎src/datastore/postgres/PgDataStore.ts‎
Lines changed: 51 additions & 3 deletions b/‎src/datastore/postgres/PgDataStore.ts‎
Lines changed: 51 additions & 3 deletions
diff --git a/‎src/datastore/postgres/schema/v9.ts‎
Lines changed: 9 additions & 0 deletions b/‎src/datastore/postgres/schema/v9.ts‎
Lines changed: 9 additions & 0 deletions
@@ -164,6 +164,17 @@ ircService:
         # real matrix users in them, even if there is a mapping for the channel.
         # Default: true
         joinChannelsIfNoUsers: true
+        #
+        # Explicit key/cert to use when connecting. Optional.
+        # When setting up with https://freenode.net/kb/answer/certfp , you can copy these from the .pem file
+        #sslKey: |
+        #  -----BEGIN PRIVATE KEY-----
+        #  ...
+        #  -----END PRIVATE KEY-----
+        #saslCert: |
+        #  -----BEGIN CERTIFICATE-----
+        #  ...
+        #  -----END CERTIFICATE-----
 
       # Configuration for PMs / private 1:1 communications between users.
       privateMessages:
 
@@ -257,6 +257,10 @@ properties:
                                     type: "string"
                                 joinChannelsIfNoUsers:
                                     type: "boolean"
+                                saslKey:
+                                    type: "string"
+                                saslCert:
+                                    type: "string"
                         privateMessages:
                             type: "object"
                             properties:
 
@@ -91,6 +91,22 @@ const COMMANDS: {[command: string]: Command|Heading} = {
         example: `!username [irc.example.net] username`,
         summary: "Store a username to use for future connections.",
     },
+    "!storecert": {
+        example: `!storecert irc.example.net] -----BEGIN CERTIFICATE-----[...]`,
+        summary: `Store a SASL certificate for CertFP`,
+    },
+    "!storekey": {
+        example: `!storekey [irc.example.net] -----BEGIN PRIVATE KEY-----[...]`,
+        summary: `Store a SASL private key for CertFP`,
+    },
+    "!removecert": {
+        example: `!removecert [irc.example.net]`,
+        summary: `Remove a previously stored SASL certificate`,
+    },
+    "!removekey": {
+        example: `!removekey [irc.example.net]`,
+        summary: `Remove a previously stored SASL private key`,
+    },
     'Info': { heading: true},
     "!bridgeversion": {
         example: `!bridgeversion`,
@@ -176,6 +192,14 @@ export class AdminRoomHandler {
                 return await this.handleStorePass(req, args, event.sender);
             case "!removepass":
                 return await this.handleRemovePass(args, event.sender);
+            case "!storekey":
+                return await this.handleStoreKey(req, args, event.sender);
+            case "!storecert":
+                return await this.handleStoreCert(req, args, event.sender);
+            case "!removekey":
+                return await this.handleRemoveKey(args, event.sender);
+            case "!removecert":
+                return await this.handleRemoveCert(args, event.sender);
             case "!listrooms":
                 return await this.handleListRooms(args, event.sender);
             case "!quit":
@@ -469,7 +493,7 @@ export class AdminRoomHandler {
         let notice;
 
         try {
-            // Allow passwords with spaces
+            // Allow usernames with spaces
             const username = args[0]?.trim();
             if (!username) {
                 notice = new MatrixAction(
@@ -563,6 +587,103 @@ export class AdminRoomHandler {
         }
     }
 
+    private async handleStoreKey(req: BridgeRequest, args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+        const domain = server.domain;
+        let notice;
+
+        try {
+            const key = args.join(' ').replace(/(-----([A-Z ]*)-----)\s*/g, '\n$1\n').trim().replace('\n\n', '\n');
+            if (key.length === 0) {
+                notice = new MatrixAction(
+                    "notice",
+                    "Format: '!storekey key' or '!storepass irc.server.name key'\n"
+                );
+            }
+            else {
+                await this.ircBridge.getStore().storeKey(userId, domain, key);
+                notice = new MatrixAction(
+                    "notice", `Successfully stored SASL key for ${domain}. Use !reconnect to reauthenticate.`
+                );
+            }
+        }
+        catch (err) {
+            req.log.error(err.stack);
+            return new MatrixAction(
+                "notice", `Failed to store SASL key: ${err.message}`
+            );
+        }
+        return notice;
+    }
+
+    private async handleRemoveKey(args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+
+        try {
+            await this.ircBridge.getStore().removeKey(userId, server.domain);
+            return new MatrixAction(
+                "notice", `Successfully removed SASL key.`
+            );
+        }
+        catch (err) {
+            return new MatrixAction(
+                "notice", `Failed to remove SASL key: ${err.message}`
+            );
+        }
+    }
+
+    private async handleStoreCert(req: BridgeRequest, args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+        const domain = server.domain;
+        let notice;
+
+        try {
+            const cert = args.join(' ').replace(/(-----([A-Z ]*)-----)\s*/g, '\n$1\n').trim().replace('\n\n', '\n');
+            if (cert.length === 0) {
+                notice = new MatrixAction(
+                    "notice",
+                    "Format: '!storecert cert' or '!storecert irc.server.name cert'\n"
+                );
+            }
+            else {
+                let config = await this.ircBridge.getStore().getIrcClientConfig(userId, server.domain);
+                if (!config) {
+                    config = IrcClientConfig.newConfig(
+                        new MatrixUser(userId), server.domain
+                    );
+                }
+                config.setSASLCert(cert);
+                await this.ircBridge.getStore().storeIrcClientConfig(config);
+                notice = new MatrixAction(
+                    "notice", `Successfully stored SASL cert for ${domain}. Use !reconnect to reauthenticate.`
+                );
+            }
+        }
+        catch (err) {
+            req.log.error(err.stack);
+            return new MatrixAction(
+                "notice", `Failed to store SASL cert: ${err.message}`
+            );
+        }
+        return notice;
+    }
+
+    private async handleRemoveCert(args: string[], userId: string) {
+        const server = this.extractServerFromArgs(args);
+
+        try {
+            await this.ircBridge.getStore().removeCert(userId, server.domain);
+            return new MatrixAction(
+                "notice", `Successfully removed SASL cert.`
+            );
+        }
+        catch (err) {
+            return new MatrixAction(
+                "notice", `Failed to remove SASL cert: ${err.message}`
+            );
+        }
+    }
+
     private async handleListRooms(args: string[], sender: string) {
         const server = this.extractServerFromArgs(args);
 
 
@@ -169,6 +169,14 @@ export interface DataStore {
 
     removePass(userId: string, domain: string): Promise<void>;
 
+    storeKey(userId: string, domain: string, key: string): Promise<void>;
+
+    removeKey(userId: string, domain: string): Promise<void>;
+
+    storeCert(userId: string, domain: string, cert: string): Promise<void>;
+
+    removeCert(userId: string, domain: string): Promise<void>;
+
     getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined>;
 
     getCountForUsernamePrefix(domain: string, usernamePrefix: string): Promise<number>;
 
@@ -575,6 +575,14 @@ export class NeDBDataStore implements DataStore {
             const decryptedPass = this.cryptoStore.decrypt(encryptedPass);
             clientConfig.setPassword(decryptedPass);
         }
+        const encryptedKey = clientConfig.getSASLKey();
+        if (encryptedKey) {
+            if (!this.cryptoStore) {
+                throw new Error(`Cannot decrypt SASL key of ${userId} - no private key`);
+            }
+            const decryptedKey = this.cryptoStore.decrypt(encryptedKey);
+            clientConfig.setPassword(decryptedKey);
+        }
         return clientConfig;
     }
 
@@ -604,6 +612,16 @@ export class NeDBDataStore implements DataStore {
             // Store the encrypted password, ready for the db
             config.setPassword(encryptedPass);
         }
+        const saslKey = config.getSASLKey();
+        if (saslKey) {
+            if (!this.cryptoStore) {
+                throw new Error(
+                    'Cannot store plaintext private keys'
+                );
+            }
+            const encryptedKey = this.cryptoStore.encrypt(saslKey);
+            config.setSASLKey(encryptedKey);
+        }
         userConfig[config.getDomain().replace(/\./g, "_")] = config.serialize();
         user.set("client_config", userConfig);
         await this.userStore.setMatrixUser(user);
@@ -648,6 +666,39 @@ export class NeDBDataStore implements DataStore {
         }
     }
 
+    public async storeKey(userId: string, domain: string, key: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (!config) {
+            throw new Error(`${userId} does not have an IRC client configured for ${domain}`);
+        }
+        config.setSASLKey(key);
+        await this.storeIrcClientConfig(config);
+    }
+
+    public async removeKey(userId: string, domain: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (config) {
+            config.setSASLKey();
+            await this.storeIrcClientConfig(config);
+        }
+    }
+
+    public async storeCert(userId: string, domain: string, cert: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (!config) {
+            throw new Error(`${userId} does not have an IRC client configured for ${domain}`);
+        }
+        config.setSASLCert(cert);
+        await this.storeIrcClientConfig(config);
+    }
+
+    public async removeCert(userId: string, domain: string) {
+        const config = await this.getIrcClientConfig(userId, domain);
+        if (config) {
+            config.setSASLCert();
+            await this.storeIrcClientConfig(config);
+        }
+    }
     public async getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined> {
         const domainKey = domain.replace(/\./g, "_");
         const matrixUsers = await this.userStore.getByMatrixData({
 
@@ -54,7 +54,7 @@ interface RoomRecord {
 export class PgDataStore implements DataStore {
     private serverMappings: {[domain: string]: IrcServer} = {};
 
-    public static readonly LATEST_SCHEMA = 8;
+    public static readonly LATEST_SCHEMA = 9;
     private pgPool: Pool;
     private hasEnded = false;
     private cryptoStore?: StringCrypto;
@@ -502,7 +502,7 @@ export class PgDataStore implements DataStore {
 
     public async getIrcClientConfig(userId: string, domain: string): Promise<IrcClientConfig | null> {
         const res = await this.pgPool.query(
-            "SELECT config, password FROM client_config WHERE user_id = $1 and domain = $2",
+            "SELECT config, password, sasl_cert, sasl_key FROM client_config WHERE user_id = $1 and domain = $2",
             [
                 userId,
                 domain
@@ -515,6 +515,10 @@ export class PgDataStore implements DataStore {
         if (row.password && this.cryptoStore) {
             config.password = this.cryptoStore.decrypt(row.password);
         }
+        if (row.sasl_key && this.cryptoStore) {
+            config.saslKey = this.cryptoStore.decrypt(row.sasl_key);
+        }
+        config.saslCert = row.sasl_cert;
         return new IrcClientConfig(userId, domain, config);
     }
 
@@ -530,11 +534,16 @@ export class PgDataStore implements DataStore {
         if (password && this.cryptoStore) {
             password = this.cryptoStore.encrypt(password);
         }
+        let saslKey = config.getSASLKey();
+        if (saslKey && this.cryptoStore) {
+            saslKey = this.cryptoStore.encrypt(saslKey);
+        }
         const parameters = {
             user_id: userId,
             domain: config.getDomain(),
-            // either use the decrypted password, or whatever is stored already.
             password,
+            sasl_key: saslKey,
+            sasl_cert: config.getSASLCert(),
             config: JSON.stringify(config.serialize(true)),
         };
         const statement = PgDataStore.BuildUpsertStatement(
@@ -613,6 +622,45 @@ export class PgDataStore implements DataStore {
             [userId, domain]);
     }
 
+    public async storeKey(userId: string, domain: string, key: string, encrypt = true): Promise<void> {
+        let sasl_key = key;
+        if (encrypt) {
+            if (!this.cryptoStore) {
+                throw Error("Password encryption is not configured.")
+            }
+            sasl_key = this.cryptoStore.encrypt(sasl_key);
+        }
+        const parameters = {
+            user_id: userId,
+            domain,
+            sasl_key,
+        };
+        const statement = PgDataStore.BuildUpsertStatement("client_config",
+            "ON CONSTRAINT cons_client_config_unique", Object.keys(parameters));
+        await this.pgPool.query(statement, Object.values(parameters));
+    }
+
+    public async removeKey(userId: string, domain: string): Promise<void> {
+        await this.pgPool.query("UPDATE client_config SET sasl_key = NULL WHERE user_id = $1 AND domain = $2",
+            [userId, domain]);
+    }
+
+    public async storeCert(userId: string, domain: string, cert: string): Promise<void> {
+        const parameters = {
+            user_id: userId,
+            domain,
+            sasl_cert: cert,
+        };
+        const statement = PgDataStore.BuildUpsertStatement("client_config",
+            "ON CONSTRAINT cons_client_config_unique", Object.keys(parameters));
+        await this.pgPool.query(statement, Object.values(parameters));
+    }
+
+    public async removeCert(userId: string, domain: string): Promise<void> {
+        await this.pgPool.query("UPDATE client_config SET sasl_cert = NULL WHERE user_id = $1 AND domain = $2",
+            [userId, domain]);
+    }
+
     public async getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined> {
         // This will need a join
         const res = await this.pgPool.query(
 
@@ -0,0 +1,9 @@
+import { PoolClient } from "pg";
+
+export async function runSchema(connection: PoolClient) {
+    await connection.query(`
+        ALTER TABLE client_config ADD COLUMN sasl_cert TEXT;
+        ALTER TABLE client_config ADD COLUMN sasl_key TEXT;
+    `);
+}
+