Switch the IRC access check to OFTC

Make some adjustments to the IRC access check script so that it
works in the OFTC network now. Also update the channel config to
reflect the new ACL paradigms there. Remove our volunteer operators
temporarily until we can confirm their nicks there. Also rip out the
channel forwarding for unregistered nicks, we can work on readding
it there later if we determine it's necessary after all, but it will
need implementing differently anyway if so.

Change-Id: Ib3c43ef5ba22191d869629cd01d3800f3e235ea4
Jeremy Stanley 2021-05-24 18:51:42 +00:00
parent 9e35441f1a
commit e858068643
3 changed files with 29 additions and 84 deletions


@ -14,9 +14,8 @@
# In general, to add a new channel for an official OpenStack project
# to this file, just add the name to the list in "channels" without
# anything else. Projects who wish to maintain full permissions
# outside the "official" infra list can optionally set "mask" to
# "full_mask".
# anything else. Additional admins or ops can be added as keys under the
# channel name.
# Each channel is a dictionary with a keys as follows
#
@ -24,16 +23,12 @@
# (str) unique channel name (no #)
# alumni:
# (list) list of nicks that should be removed from ChanServ access
# mask:
# (str) default mask for users with chanserv access but not
# otherwise listed in the channel or global config. Access is
# limited to the mask but otherwise left alone.
# mode:
# (str) mode mask for mlock. Note that flags here are enforced, but
# flags outside the list are left alone.
# *:
# (list) every other key is assumed to be a key in the "access:"
# list. The provided list of nicks will have the flags for that
# list. The provided list of nicks will have the levels for that
# key applied.
#
# NOTE each channel looks up these values in the "global:" list first.
@ -43,20 +38,10 @@
# Global definitions
#
# To forward unregistered users to a channel with +f you need to be an
# op in that channel. This pre-joins and ops (via chanserv) in the
# given channels.
op_channels:
- openstack-unregistered
# Access levels (map names in this file to chanserv flags):
# Access levels (map names in this file to chanserv access levels):
access:
masters: +AFRefiorstv
status: +Vt
meetbots: +O
operators: +Aeforstv
channel_op_mask: +AOVefortv
full_mask: +AFORVefiorstv
admins: MASTER
ops: CHANOP
# Define configuration that should apply to all channels.
global:
@ -74,51 +59,38 @@ global:
- Shrews
- dmsimard
- pabelanger
mask:
channel_op_mask
# This sets the following
# c : no colors
# n : message can not be sent from outside channel
# r : registered users only
# t : op to modify topic
# f : forward unregistered users to #openstack-unregistered
mode: '+cnrtf #openstack-unregistered'
masters:
- openstackinfra
operators:
- AJaeger
# https://www.oftc.net/ChannelModes/
# c - no color messages allowed
# n - no external messages (from clients that are not on the channels)
# t - only chanops may change Topic
# z - messages that would otherwise be blocked go to channel operators
# M - client may speak only when registered and identified to NickServ
# R - client may join only when registered and identified to NickServ
# S - client may join only when using SSL Connection
mode: '+cnt'
admins:
- clarkb
- diablo_rojo
- frickler
- fungi
- ianw
- jeblair
- jhesketh
- mnaser
- mtaylor
- ttx
status:
- openstackstatus
meetbots:
- open_stack
- mordred
- opendevaccess
ops:
- opendevmeet
- opendevstatus
# Individual channel configuration:
channels:
- name: airshipit
mask: full_mask
- name: airshipit-gerritbot
mask: full_mask
- name: cloudkitty
- name: edge-computing-group
- name: git-upstream
mask: full_mask
- name: heat
- name: kata-dev
mask: full_mask
- name: kata-general
mask: full_mask
- name: midonet
mask: full_mask
- name: oooq
- name: opendev
- name: opendev-meeting
@ -163,7 +135,6 @@ channels:
- name: openstack-golang
- name: openstack-ha
- name: openstack-helm
mask: full_mask
- name: openstack-horizon
- name: openstack-hyper-v
- name: openstack-i18n
@ -177,7 +148,6 @@ channels:
- name: openstack-kolla
- name: openstack-kuryr
- name: openstack-lbaas
mask: full_mask
- name: openstack-loci
- name: openstack-manila
- name: openstack-masakari
@ -203,7 +173,6 @@ channels:
- name: openstack-oslo
- name: openstack-pandaman
- name: openstack-placement
mask: full_mask
- name: openstack-poppy
- name: openstack-qa
- name: openstack-quota
@ -219,7 +188,6 @@ channels:
- name: openstack-snaps
- name: openstack-solar
- name: openstack-spaceport
mask: full_mask
- name: openstack-stable
- name: openstack-state-management
- name: openstack-steth
@ -228,7 +196,6 @@ channels:
- name: openstack-tc
- name: openstack-telemetry
- name: openstack-third-party-ci
mask: full_mask
- name: openstack-trove
- name: openstack-upstream-institute
- name: openstack-vahana
@ -240,7 +207,6 @@ channels:
- name: openstack-zaqar
- name: openstack-zun
- name: osism
mask: full_mask
- name: refstack
- name: senlin
- name: solum
@ -251,9 +217,7 @@ channels:
- name: swiftonhpss
- name: swift3
- name: syscompass
mask: full_mask
- name: tacker
mask: full_mask
- name: tripleo
- name: wsme
- name: zuul
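Review bot: The new mode comment under `global:` lists `z`, `M`, `R` and `S`, but the enforced value is `mode: '+cnt'`, so the comment reads as if seven modes were applied when only three are. The old `r` (registered users only) has no counterpart in the new value, so as far as this config shows, channels are no longer limited to identified clients. The commit message explains the forwarding removal but not this. I would head the list with `# Modes available on OFTC; only c, n and t are enforced below.` and add a line saying whether `M` or `R` is meant to be enabled later, so the gap reads as a decision rather than an omission.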


@ -34,7 +34,6 @@ class CheckAccess(irc.client.SimpleIRCClient):
def __init__(self, channels, nick, flags):
irc.client.SimpleIRCClient.__init__(self)
self.identify_msg_cap = False
self.channels = channels
self.nick = nick
self.flags = flags
@ -49,30 +48,10 @@ class CheckAccess(irc.client.SimpleIRCClient):
sys.exit(0)
def on_welcome(self, c, e):
self.identify_msg_cap = False
self.log.debug("Requesting identify-msg capability")
c.cap('REQ', 'identify-msg')
c.cap('END')
def on_cap(self, c, e):
self.log.debug("Received cap response %s" % repr(e.arguments))
if e.arguments[0] == 'ACK' and 'identify-msg' in e.arguments[1]:
self.log.debug("identify-msg cap acked")
self.identify_msg_cap = True
self.advance()
def on_privnotice(self, c, e):
if not self.identify_msg_cap:
self.log.debug("Ignoring message because identify-msg "
"cap not enabled")
return
nick = e.source.split('!')[0]
auth = e.arguments[0][0]
msg = e.arguments[0][1:]
if auth != '+' or nick != 'ChanServ':
self.log.debug("Ignoring message from unauthenticated "
"user %s" % nick)
return
msg = e.arguments[0]
self.advance(msg)
def advance(self, msg=None):
@ -82,11 +61,13 @@ class CheckAccess(irc.client.SimpleIRCClient):
return
self.current_channel = self.channels.pop()
self.current_list = []
self.connection.privmsg('chanserv', 'access list %s' %
self.connection.privmsg('chanserv', 'access %s list' %
self.current_channel)
time.sleep(1)
return
if msg.endswith('is not registered.'):
if not msg:
return
if msg.endswith('is not registered with channel services.'):
self.failed = True
print("%s is not registered with ChanServ." %
self.current_channel)
@ -133,7 +114,7 @@ def main():
default='/etc/accessbot/channels.yaml',
help='path to the config file')
parser.add_argument('-s', dest='server',
default='chat.freenode.net',
default='irc.oftc.net',
help='IRC server')
parser.add_argument('-p', dest='port',
default=6697,
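Review bot: `on_privnotice` now passes every private notice straight to `advance()` without checking who sent it; the removed lines required both the identify-msg `+` prefix and a source nick of `ChanServ`. With identify-msg gone, a notice from any other client that arrives while the script is waiting would be parsed as part of the access list or could hit the "not registered" branch, so the check result can be skewed. The nick test can stay without the capability, for example `if e.source.split('!')[0] != 'ChanServ': return` ahead of `msg = e.arguments[0]`; whether OFTC reserves that nick for services should be confirmed. The bodies of `on_privnotice` and `advance` continue outside the hunks shown.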


@ -71,7 +71,7 @@ deps =
ruamel.yaml
irc
commands =
{toxinidir}/tools/check_irc_access.py -l accessbot/channels.yaml openstackinfra
{toxinidir}/tools/check_irc_access.py -l accessbot/channels.yaml opendevaccess
{toxinidir}/tools/irc_tests.py
{toxinidir}/tools/check-channels-yaml.sh