kick logged in by fingerprint/ip if enabled in DS settings

2025-04-08 06:32:35 +02:00 · 2017-11-27 18:13:40 -08:00 · 2017-11-27 18:13:40 -08:00 · 8978254037
commit 8978254037
parent 83d13717fe
5 changed files with 24 additions and 8 deletions
--- a/domain-server/resources/describe-settings.json
+++ b/domain-server/resources/describe-settings.json
@ -916,6 +916,14 @@
              "default": false
            }
          ]
+        },
+        {
+          "name": "multi_kick_logged_in",
+          "type": "checkbox",
+          "label": "Multi-Kick for Logged In Users",
+          "help": "Kick logged in users by machine fingerprint (in addition to the default kick by username)",
+          "default": false,
+          "advanced": true
        }
      ]
    },
--- a/domain-server/src/DomainServerSettingsManager.cpp
+++ b/domain-server/src/DomainServerSettingsManager.cpp
@ -672,7 +672,7 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
                bool newPermissions = false;

                if (!verifiedUsername.isEmpty()) {
-                    // if we have a verified user name for this user, we apply the kick to the username
+                    // if we have a verified user name for this user, we first apply the kick to the username

                    // check if there were already permissions
                    bool hadPermissions = havePermissionsForName(verifiedUsername);
@ -684,7 +684,14 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re

                    // ensure that the connect permission is clear
                    userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
-                } else {
+                }
+
+                // if we didn't have a username, or this domain-server uses the "multi-kick" setting to
+                // kick logged in users via username AND machine fingerprint (or IP as fallback)
+                // then we remove connect permissions for the machine fingerprint (or IP as fallback)
+                const QString MULTI_KICK_SETTINGS_KEYPATH = "security.multi_kick_logged_in";
+
+                if (verifiedUsername.isEmpty() || valueOrDefaultValueForKeyPath(MULTI_KICK_SETTINGS_KEYPATH).toBool()) {
                    // remove connect permissions for the machine fingerprint
                    DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
                    if (nodeData) {
@ -719,8 +726,8 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
                        // TODO: soon we will have feedback (in the form of a message to the client) after we kick.  When we
                        // do, we will have a success flag, and perhaps a reason for failure.  For now, just don't do it.
                        if (kickAddress == limitedNodeList->getPublicSockAddr().getAddress() ||
-                                kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
-                                kickAddress.isLoopback() ) {
+                            kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
+                            kickAddress.isLoopback() ) {
                            qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
                            return;
                        }
--- a/libraries/networking/src/NodeList.cpp
+++ b/libraries/networking/src/NodeList.cpp
@ -385,9 +385,9 @@ void NodeList::sendDomainServerCheckIn() {

            packetStream << hardwareAddress;

-            // now add the machine fingerprint - a null UUID if logged in, real one if not logged in
+            // now add the machine fingerprint
            auto accountManager = DependencyManager::get<AccountManager>();
-            packetStream << (accountManager->isLoggedIn() ? QUuid() : FingerprintUtils::getMachineFingerprint());
+            packetStream << FingerprintUtils::getMachineFingerprint();
        }

        // pack our data to send to the domain-server including
--- a/libraries/networking/src/udt/PacketHeaders.cpp
+++ b/libraries/networking/src/udt/PacketHeaders.cpp
@ -57,7 +57,7 @@ PacketVersion versionForPacketType(PacketType packetType) {
            return static_cast<PacketVersion>(DomainConnectionDeniedVersion::IncludesExtraInfo);

        case PacketType::DomainConnectRequest:
-            return static_cast<PacketVersion>(DomainConnectRequestVersion::HasMachineFingerprint);
+            return static_cast<PacketVersion>(DomainConnectRequestVersion::AlwaysHasMachineFingerprint);

        case PacketType::DomainServerAddedNode:
            return static_cast<PacketVersion>(DomainServerAddedNodeVersion::PermissionsGrid);
--- a/libraries/networking/src/udt/PacketHeaders.h
+++ b/libraries/networking/src/udt/PacketHeaders.h
@ -247,7 +247,8 @@ enum class DomainConnectRequestVersion : PacketVersion {
    HasHostname,
    HasProtocolVersions,
    HasMACAddress,
-    HasMachineFingerprint
+    HasMachineFingerprint,
+    AlwaysHasMachineFingerprint
 };

 enum class DomainConnectionDeniedVersion : PacketVersion {