From e8580686431ce586fc04025085f865be405313be Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Mon, 24 May 2021 18:51:42 +0000
Subject: [PATCH] Switch the IRC access check to OFTC
Make some adjustments to the IRC access check script so that it works in the OFTC network now. Also update the channel config to reflect the new ACL paradigms there. Remove our volunteer operators temporarily until we can confirm their nicks there. Also rip out the channel forwarding for unregistered nicks, we can work on readding it there later if we determine it's necessary after all, but it will need implementing differently anyway if so.
Change-Id: Ib3c43ef5ba22191d869629cd01d3800f3e235ea4
---
 accessbot/channels.yaml | 78 +++++++++++-----------------------------
 tools/check_irc_access.py | 33 ++++-------------
 tox.ini | 2 +-
 3 files changed, 29 insertions(+), 84 deletions(-)
diff --git a/accessbot/channels.yaml b/accessbot/channels.yaml
index 29c6a5cffe..07d8e1f166 100755
--- a/accessbot/channels.yaml
+++ b/accessbot/channels.yaml
@@ -14,9 +14,8 @@
 # In general, to add a new channel for an official OpenStack project
 # to this file, just add the name to the list in "channels" without
-# anything else. Projects who wish to maintain full permissions
-# outside the "official" infra list can optionally set "mask" to
-# "full_mask".
+# anything else. Additional admins or ops can be added as keys under the
+# channel name.
 # Each channel is a dictionary with a keys as follows
 #
@@ -24,16 +23,12 @@
 # (str) unique channel name (no #)
 # alumni:
 # (list) list of nicks that should be removed from ChanServ access
-# mask:
-# (str) default mask for users with chanserv access but not
-# otherwise listed in the channel or global config. Access is
-# limited to the mask but otherwise left alone.
 # mode:
 # (str) mode mask for mlock. Note that flags here are enforced, but
 # flags outside the list are left alone.
 # *:
 # (list) every other key is assumed to be a key in the "access:"
-# list. The provided list of nicks will have the flags for that
+# list. The provided list of nicks will have the levels for that
 # key applied.
 #
 # NOTE each channel looks up these values in the "global:" list first.
@@ -43,20 +38,10 @@
 # Global definitions
 #
-# To forward unregistered users to a channel with +f you need to be an
-# op in that channel. This pre-joins and ops (via chanserv) in the
-# given channels.
-op_channels:
- - openstack-unregistered
-
-# Access levels (map names in this file to chanserv flags):
+# Access levels (map names in this file to chanserv access levels):
 access:
- masters: +AFRefiorstv
- status: +Vt
- meetbots: +O
- operators: +Aeforstv
- channel_op_mask: +AOVefortv
- full_mask: +AFORVefiorstv
+ admins: MASTER
+ ops: CHANOP
 # Define configuration that should apply to all channels.
 global:
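Review bot: With the `mask:` entry deleted from the key reference in the `@@ -24,16 +23,12 @@` hunk, the header no longer says what happens to nicks that already hold ChanServ access on a channel but are listed neither under that channel nor under `global:`. The removed text was the only place that described this case (access limited to the mask, otherwise left alone), and whether the OFTC handling removes such entries or leaves them in place is not visible in this diff. A sentence after the `*:` description stating which of the two applies would let a reader tell whether stale access survives a run. The comment block starts and ends outside the hunk.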
@@ -74,51 +59,38 @@ global:
 - Shrews
 - dmsimard
 - pabelanger
- mask:
- channel_op_mask
- # This sets the following
- # c : no colors
- # n : message can not be sent from outside channel
- # r : registered users only
- # t : op to modify topic
- # f : forward unregistered users to #openstack-unregistered
- mode: '+cnrtf #openstack-unregistered'
- masters:
- - openstackinfra
- operators:
- - AJaeger
+ # https://www.oftc.net/ChannelModes/
+ # c - no color messages allowed
+ # n - no external messages (from clients that are not on the channels)
+ # t - only chanops may change Topic
+ # z - messages that would otherwise be blocked go to channel operators
+ # M - client may speak only when registered and identified to NickServ
+ # R - client may join only when registered and identified to NickServ
+ # S - client may join only when using SSL Connection
+ mode: '+cnt'
+ admins:
 - clarkb
- - diablo_rojo
 - frickler
 - fungi
 - ianw
 - jeblair
- - jhesketh
- - mnaser
- - mtaylor
- - ttx
- status:
- - openstackstatus
- meetbots:
- - open_stack
+ - mordred
+ - opendevaccess
+ ops:
+ - opendevmeet
+ - opendevstatus
 # Individual channel configuration:
 channels:
 - name: airshipit
- mask: full_mask
 - name: airshipit-gerritbot
- mask: full_mask
 - name: cloudkitty
 - name: edge-computing-group
 - name: git-upstream
- mask: full_mask
 - name: heat
 - name: kata-dev
- mask: full_mask
 - name: kata-general
- mask: full_mask
 - name: midonet
- mask: full_mask
 - name: oooq
 - name: opendev
 - name: opendev-meeting
@@ -163,7 +135,6 @@ channels:
 - name: openstack-golang
 - name: openstack-ha
 - name: openstack-helm
- mask: full_mask
 - name: openstack-horizon
 - name: openstack-hyper-v
 - name: openstack-i18n
@@ -177,7 +148,6 @@ channels:
 - name: openstack-kolla
 - name: openstack-kuryr
 - name: openstack-lbaas
- mask: full_mask
 - name: openstack-loci
 - name: openstack-manila
 - name: openstack-masakari
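Review bot: In the `global:` block of the `@@ -74,51 +59,38 @@` hunk the new comment documents `z`, `M`, `R` and `S`, but the value is `mode: '+cnt'`, so none of those four flags is enforced. The old mode string carried `r` (registered users only); the commit message explains dropping the forward but not dropping the registered-only restriction, so if that is intentional the comment should say so, for example `# Enforced below: c, n, t. z/M/R/S are listed for reference only and are not set.` If the restriction is still wanted, `R` or `M` as described in the comment would be the flags to add to the mode string, after checking them against the linked OFTC page.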
@@ -203,7 +173,6 @@ channels:
 - name: openstack-oslo
 - name: openstack-pandaman
 - name: openstack-placement
- mask: full_mask
 - name: openstack-poppy
 - name: openstack-qa
 - name: openstack-quota
@@ -219,7 +188,6 @@ channels:
 - name: openstack-snaps
 - name: openstack-solar
 - name: openstack-spaceport
- mask: full_mask
 - name: openstack-stable
 - name: openstack-state-management
 - name: openstack-steth
@@ -228,7 +196,6 @@ channels:
 - name: openstack-tc
 - name: openstack-telemetry
 - name: openstack-third-party-ci
- mask: full_mask
 - name: openstack-trove
 - name: openstack-upstream-institute
 - name: openstack-vahana
@@ -240,7 +207,6 @@ channels:
 - name: openstack-zaqar
 - name: openstack-zun
 - name: osism
- mask: full_mask
 - name: refstack
 - name: senlin
 - name: solum
@@ -251,9 +217,7 @@ channels:
 - name: swiftonhpss
 - name: swift3
 - name: syscompass
- mask: full_mask
 - name: tacker
- mask: full_mask
 - name: tripleo
 - name: wsme
 - name: zuul
diff --git a/tools/check_irc_access.py b/tools/check_irc_access.py
index a538d967e3..7d90b89129 100755
--- a/tools/check_irc_access.py
+++ b/tools/check_irc_access.py
@@ -34,7 +34,6 @@ class CheckAccess(irc.client.SimpleIRCClient):
 def __init__(self, channels, nick, flags):
 irc.client.SimpleIRCClient.__init__(self)
- self.identify_msg_cap = False
 self.channels = channels
 self.nick = nick
 self.flags = flags
@@ -49,30 +48,10 @@ class CheckAccess(irc.client.SimpleIRCClient):
 sys.exit(0)
 def on_welcome(self, c, e):
- self.identify_msg_cap = False
- self.log.debug("Requesting identify-msg capability")
- c.cap('REQ', 'identify-msg')
- c.cap('END')
-
- def on_cap(self, c, e):
- self.log.debug("Received cap response %s" % repr(e.arguments))
- if e.arguments[0] == 'ACK' and 'identify-msg' in e.arguments[1]:
- self.log.debug("identify-msg cap acked")
- self.identify_msg_cap = True
- self.advance()
+ self.advance()
 def on_privnotice(self, c, e):
- if not self.identify_msg_cap:
- self.log.debug("Ignoring message because identify-msg "
- "cap not enabled")
- return
- nick = e.source.split('!')[0]
- auth = e.arguments[0][0]
- msg = e.arguments[0][1:]
- if auth != '+' or nick != 'ChanServ':
- self.log.debug("Ignoring message from unauthenticated "
- "user %s" % nick)
- return
+ msg = e.arguments[0]
 self.advance(msg)
 def advance(self, msg=None):
@@ -82,11 +61,13 @@ class CheckAccess(irc.client.SimpleIRCClient):
 return
 self.current_channel = self.channels.pop()
 self.current_list = []
- self.connection.privmsg('chanserv', 'access list %s' %
+ self.connection.privmsg('chanserv', 'access %s list' %
 self.current_channel)
 time.sleep(1)
 return
- if msg.endswith('is not registered.'):
+ if not msg:
+ return
+ if msg.endswith('is not registered with channel services.'):
 self.failed = True
 print("%s is not registered with ChanServ." %
 self.current_channel)
@@ -133,7 +114,7 @@ def main():
 default='/etc/accessbot/channels.yaml',
 help='path to the config file')
 parser.add_argument('-s', dest='server',
- default='chat.freenode.net',
+ default='irc.oftc.net',
 help='IRC server')
 parser.add_argument('-p', dest='port',
 default=6697,
diff --git a/tox.ini b/tox.ini
index 5b52749eb0..8fe1080bae 100644
--- a/tox.ini
+++ b/tox.ini
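Review bot: `on_privnotice` in the `@@ -49,30 +48,10 @@` hunk of tools/check_irc_access.py now hands every private NOTICE to `advance()` without looking at who sent it, so a server notice or a notice from any other client is parsed as ChanServ access-list output and can change the result of the check. Dropping the identify-msg handling presumably fits a network that lacks that capability, but the sender test did not depend on it and can stay: `nick = e.source.split('!')[0]` followed by `if nick != 'ChanServ': return`, placed ahead of `msg = e.arguments[0]`. A nick comparison is only as strong as the network's reservation of service nicks, so matching the full services source mask would be stricter where operators know it.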
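Review bot: The `access %s list` command and the `'is not registered with channel services.'` suffix in the `@@ -82,11 +61,13 @@` hunk of tools/check_irc_access.py are tied to one network's services wording, while `-s` in `main()` still accepts any server, and nothing in the code records that coupling. A comment above the `privmsg` call such as `# OFTC ChanServ syntax: "access <channel> list"; the reply strings matched below are OFTC wording` would make the dependency visible. Because the match is an `endswith` on free text, a change in the services wording would stop this branch from firing without any error. How `advance()` treats lines that match nothing is outside the hunk, as are the start and end of the function.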
@@ -71,7 +71,7 @@ deps =
 ruamel.yaml
 irc
 commands =
- {toxinidir}/tools/check_irc_access.py -l accessbot/channels.yaml openstackinfra
+ {toxinidir}/tools/check_irc_access.py -l accessbot/channels.yaml opendevaccess
 {toxinidir}/tools/irc_tests.py
 {toxinidir}/tools/check-channels-yaml.sh