Mirrors/overte-AleziaKurdis
3
0
Fork 0
mirror of https://github.com/AleziaKurdis/overte.git synced 2025-04-07 06:14:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add improved functionality for Users.kick API.

Browse source 
Add banByUsername, banByFingerprint, and banByIP parameters.
This commit is contained in:
Kalila L 2021-03-11 01:03:54 -05:00
parent bab76f777d
commit 78cc98bc7b
7 changed files with 90 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

103
domain-server/src/DomainServerSettingsManager.cpp
View file

@ -863,6 +863,18 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
// pull the UUID being kicked from the packet
QUuid nodeUUID = QUuid::fromRfc4122(message->readWithoutCopy(NUM_BYTES_RFC4122_UUID));
bool hasOptionalBanParameters = false;
bool banByUsername = false;
bool banByFingerprint = false;
bool banByIP = false;
// pull optional ban parameters from the packet
if (message.data()->getSize() > NUM_BYTES_RFC4122_UUID) {
hasOptionalBanParameters = true;
message->readPrimitive(&banByUsername);
message->readPrimitive(&banByFingerprint);
message->readPrimitive(&banByIP);
}
if (!nodeUUID.isNull() && nodeUUID != sendingNode->getUUID()) {
// make sure we actually have a node with this UUID
auto limitedNodeList = DependencyManager::get<LimitedNodeList>();
@ -881,24 +893,40 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
if (!verifiedUsername.isEmpty()) {
// if we have a verified user name for this user, we first apply the kick to the username
// check if there were already permissions
bool hadPermissions = havePermissionsForName(verifiedUsername);
// grab or create permissions for the given username
auto userPermissions = _agentPermissions[matchingNode->getPermissions().getKey()];
newPermissions = !hadPermissions || userPermissions->can(NodePermissions::Permission::canConnectToDomain);
// ensure that the connect permission is clear
userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
// if we have optional ban parameters, we should ban the username based on the parameter
if (hasOptionalBanParameters) {
if (banByUsername) {
// check if there were already permissions
bool hadPermissions = havePermissionsForName(verifiedUsername);
// grab or create permissions for the given username
auto userPermissions = _agentPermissions[matchingNode->getPermissions().getKey()];
newPermissions = !hadPermissions || userPermissions->can(NodePermissions::Permission::canConnectToDomain);
// ensure that the connect permission is clear
userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
} else {
// check if there were already permissions
bool hadPermissions = havePermissionsForName(verifiedUsername);
// grab or create permissions for the given username
auto userPermissions = _agentPermissions[matchingNode->getPermissions().getKey()];
newPermissions = !hadPermissions || userPermissions->can(NodePermissions::Permission::canConnectToDomain);
// ensure that the connect permission is clear
userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
}
// if we didn't have a username, or this domain-server uses the "multi-kick" setting to
// kick logged in users via username AND machine fingerprint (or IP as fallback)
// then we remove connect permissions for the machine fingerprint (or IP as fallback)
const QString MULTI_KICK_SETTINGS_KEYPATH = "security.multi_kick_logged_in";
if (verifiedUsername.isEmpty() || valueOrDefaultValueForKeyPath(MULTI_KICK_SETTINGS_KEYPATH).toBool()) {
qDebug() << "verifiedUsername.isEmpty()" << verifiedUsername.isEmpty();
if (banByFingerprint || verifiedUsername.isEmpty() || valueOrDefaultValueForKeyPath(MULTI_KICK_SETTINGS_KEYPATH).toBool()) {
// remove connect permissions for the machine fingerprint
DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
if (nodeData) {
@ -923,36 +951,39 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
fingerprintPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
} else {
// if no node data, all we can do is IP address
auto& kickAddress = matchingNode->getActiveSocket()
? matchingNode->getActiveSocket()->getAddress()
: matchingNode->getPublicSocket().getAddress();
// if no node data, all we can do is ban by IP address
banByIP = true;
}
}
if (banByIP) {
auto& kickAddress = matchingNode->getActiveSocket()
? matchingNode->getActiveSocket()->getAddress()
: matchingNode->getPublicSocket().getAddress();
// probably isLoopback covers it, as whenever I try to ban an agent on same machine as the domain-server
// it is always 127.0.0.1, but looking at the public and local addresses just to be sure
// TODO: soon we will have feedback (in the form of a message to the client) after we kick. When we
// do, we will have a success flag, and perhaps a reason for failure. For now, just don't do it.
if (kickAddress == limitedNodeList->getPublicSockAddr().getAddress() ||
kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
kickAddress.isLoopback() ) {
qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
return;
}
// probably isLoopback covers it, as whenever I try to ban an agent on same machine as the domain-server
// it is always 127.0.0.1, but looking at the public and local addresses just to be sure
// TODO: soon we will have feedback (in the form of a message to the client) after we kick. When we
// do, we will have a success flag, and perhaps a reason for failure. For now, just don't do it.
if (kickAddress == limitedNodeList->getPublicSockAddr().getAddress() ||
kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
kickAddress.isLoopback() ) {
qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
return;
}
NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid());
NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid());
// check if there were already permissions for the IP
bool hadIPPermissions = hasPermissionsForIP(kickAddress);
// check if there were already permissions for the IP
bool hadIPPermissions = hasPermissionsForIP(kickAddress);
// grab or create permissions for the given IP address
auto ipPermissions = _ipPermissions[ipAddressKey];
// grab or create permissions for the given IP address
auto ipPermissions = _ipPermissions[ipAddressKey];
if (!hadIPPermissions || ipPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
if (!hadIPPermissions || ipPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
ipPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
ipPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
}

6
interface/src/Application.cpp
View file

@ -2493,7 +2493,7 @@ Application::Application(int& argc, char** argv, QElapsedTimer& startupTimer, bo
return viewFrustum.getPosition();
});
DependencyManager::get<UsersScriptingInterface>()->setKickConfirmationOperator([this] (const QUuid& nodeID) { userKickConfirmation(nodeID); });
DependencyManager::get<UsersScriptingInterface>()->setKickConfirmationOperator([this] (const QUuid& nodeID, bool banByUsername, bool banByFingerprint, bool banByIP) { userKickConfirmation(nodeID, banByUsername, banByFingerprint, banByIP); });
render::entities::WebEntityRenderer::setAcquireWebSurfaceOperator([=](const QString& url, bool htmlContent, QSharedPointer<OffscreenQmlSurface>& webSurface, bool& cachedWebSurface) {
bool isTablet = url == TabletScriptingInterface::QML;
@ -3575,7 +3575,7 @@ void Application::onDesktopRootItemCreated(QQuickItem* rootItem) {
_desktopRootItemCreated = true;
}
void Application::userKickConfirmation(const QUuid& nodeID) {
void Application::userKickConfirmation(const QUuid& nodeID, bool banByUsername, bool banByFingerprint, bool banByIP) {
auto avatarHashMap = DependencyManager::get<AvatarHashMap>();
auto avatar = avatarHashMap->getAvatarBySessionID(nodeID);
@ -3600,7 +3600,7 @@ void Application::userKickConfirmation(const QUuid& nodeID) {
// ask the NodeList to kick the user with the given session ID
if (yes) {
DependencyManager::get<NodeList>()->kickNodeBySessionID(nodeID);
DependencyManager::get<NodeList>()->kickNodeBySessionID(nodeID, banByUsername, banByFingerprint, banByIP);
}
DependencyManager::get<UsersScriptingInterface>()->setWaitForKickResponse(false);

2
interface/src/Application.h
View file

@ -608,7 +608,7 @@ private:
void toggleTabletUI(bool shouldOpen = false) const;
bool shouldCaptureMouse() const;
void userKickConfirmation(const QUuid& nodeID);
void userKickConfirmation(const QUuid& nodeID, bool banByUsername, bool banByFingerprint, bool banByIP);
MainWindow* _window;
QElapsedTimer& _sessionRunTimer;

8
libraries/networking/src/NodeList.cpp
View file

@ -1263,17 +1263,21 @@ float NodeList::getInjectorGain() {
return _injectorGain;
}
void NodeList::kickNodeBySessionID(const QUuid& nodeID) {
void NodeList::kickNodeBySessionID(const QUuid& nodeID, bool banByUsername, bool banByFingerprint, bool banByIP) {
// send a request to domain-server to kick the node with the given session ID
// the domain-server will handle the persistence of the kick (via username or IP)
if (!nodeID.isNull() && getSessionUUID() != nodeID ) {
if (getThisNodeCanKick()) {
// setup the packet
auto kickPacket = NLPacket::create(PacketType::NodeKickRequest, NUM_BYTES_RFC4122_UUID, true);
auto kickPacket = NLPacket::create(PacketType::NodeKickRequest, NUM_BYTES_RFC4122_UUID + (sizeof(bool) * 3), true);
// write the node ID to the packet
kickPacket->write(nodeID.toRfc4122());
// write the ban parameters to the packet
kickPacket->writePrimitive(banByUsername);
kickPacket->writePrimitive(banByFingerprint);
kickPacket->writePrimitive(banByIP);
qCDebug(networking) << "Sending packet to kick node" << uuidStringWithoutCurlyBraces(nodeID);

2
libraries/networking/src/NodeList.h
View file

@ -86,7 +86,7 @@ public:
void setInjectorGain(float gain);
float getInjectorGain();
void kickNodeBySessionID(const QUuid& nodeID);
void kickNodeBySessionID(const QUuid& nodeID, bool banByUsername = true, bool banByFingerprint = true, bool banByIP = false);
void muteNodeBySessionID(const QUuid& nodeID);
void requestUsernameFromSessionID(const QUuid& nodeID);
bool getRequestsDomainListData() { return _requestsDomainListData; }

7
libraries/script-engine/src/UsersScriptingInterface.cpp
View file

@ -4,6 +4,7 @@
//
// Created by Stephen Birarda on 2016-07-11.
// Copyright 2016 High Fidelity, Inc.
// Copyright 2021 Vircadia contributors.
//
// Distributed under the Apache License, Version 2.0.
// See the accompanying file LICENSE or http://www.apache.org/licenses/LICENSE-2.0.html
@ -51,15 +52,15 @@ float UsersScriptingInterface::getAvatarGain(const QUuid& nodeID) {
return DependencyManager::get<NodeList>()->getAvatarGain(nodeID);
}
void UsersScriptingInterface::kick(const QUuid& nodeID) {
void UsersScriptingInterface::kick(const QUuid& nodeID, bool banByUsername, bool banByFingerprint, bool banByIP) {
if (_kickConfirmationOperator) {
bool waitingForKickResponse = _kickResponseLock.resultWithReadLock<bool>([&] { return _waitingForKickResponse; });
if (getCanKick() && !waitingForKickResponse) {
_kickConfirmationOperator(nodeID);
_kickConfirmationOperator(nodeID, banByUsername, banByFingerprint, banByIP);
}
} else {
DependencyManager::get<NodeList>()->kickNodeBySessionID(nodeID);
DependencyManager::get<NodeList>()->kickNodeBySessionID(nodeID, banByUsername, banByFingerprint, banByIP);
}
}

12
libraries/script-engine/src/UsersScriptingInterface.h
View file

@ -4,6 +4,7 @@
//
// Created by Stephen Birarda on 2016-07-11.
// Copyright 2016 High Fidelity, Inc.
// Copyright 2021 Vircadia contributors.
//
// Distributed under the Apache License, Version 2.0.
// See the accompanying file LICENSE or http://www.apache.org/licenses/LICENSE-2.0.html
@ -41,7 +42,7 @@ class UsersScriptingInterface : public QObject, public Dependency {
public:
UsersScriptingInterface();
void setKickConfirmationOperator(std::function<void(const QUuid& nodeID)> kickConfirmationOperator) {
void setKickConfirmationOperator(std::function<void(const QUuid& nodeID, bool banByUsername, bool banByFingerprint, bool banByIP)> kickConfirmationOperator) {
_kickConfirmationOperator = kickConfirmationOperator;
}
@ -112,12 +113,15 @@ public slots:
/**jsdoc
* Kicks and bans a user. This removes them from the server and prevents them from returning. The ban is by user name if
* available, or machine fingerprint otherwise.
* available and by machine fingerprint.
* <p>This function only works if you're an administrator of the domain you're in.</p>
* @function Users.kick
* @param {Uuid} sessionID - The session ID of the user to kick and ban.
* @param {boolean} [banByUsername=true] - Should ban the user's username.
* @param {boolean} [banByFingerprint=true] - Should ban the user's machine fingerprint.
* @param {boolean} [banByIP=false] - Should ban the user's IP address.
*/
void kick(const QUuid& nodeID);
void kick(const QUuid& nodeID, bool banByUsername = true, bool banByFingerprint = true, bool banByIP = false);
/**jsdoc
* Mutes a user's microphone for everyone. The mute is not permanent: the user can unmute themselves.
@ -237,7 +241,7 @@ private:
bool getRequestsDomainListData();
void setRequestsDomainListData(bool requests);
std::function<void(const QUuid& nodeID)> _kickConfirmationOperator;
std::function<void(const QUuid& nodeID, bool banByUsername, bool banByFingerprint, bool banByIP)> _kickConfirmationOperator;
ReadWriteLockable _kickResponseLock;
bool _waitingForKickResponse { false };