Initial auxiliary groups code

2025-03-11 16:13:16 +01:00 · 2020-07-23 16:08:09 +12:00 · 2020-07-23 16:08:09 +12:00 · e4c9657ab9
commit e4c9657ab9
parent 84bee76968
3 changed files with 53 additions and 7 deletions
--- a/domain-server/src/DomainGatekeeper.cpp
+++ b/domain-server/src/DomainGatekeeper.cpp
@ -142,8 +142,11 @@ void DomainGatekeeper::processConnectRequestPacket(QSharedPointer<ReceivedMessag
    }
 }

-NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QString verifiedUsername, const QHostAddress& senderAddress,
-                                                        const QString& hardwareAddress, const QUuid& machineFingerprint) {
+NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QString verifiedUsername,
+                                                        QString verifiedAuxliaryUsername, 
+                                                        QStringList verifiedAuxiliaryUserGroups,
+                                                        const QHostAddress& senderAddress, const QString& hardwareAddress,
+                                                        const QUuid& machineFingerprint) {
    NodePermissions userPerms;

    userPerms.setAll(false);
@ -155,6 +158,23 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
 #endif
    }

+    // If this user is a known member of an externally-hosted group, give them the implied permissions.
+    // Do before processing verifiedUsername in case user is logged into the metaverse and is a member of a blacklist group.
+    if (!verifiedAuxliaryUsername.isEmpty() && !verifiedAuxiliaryUserGroups.isEmpty()) {
+        foreach (QString group, verifiedAuxiliaryUserGroups) {
+            if (_server->_settingsManager.getAllKnownGroupNames().contains(group)) {
+                userPerms |= _server->_settingsManager.getPermissionsForGroup(group, QUuid());
+//#ifdef WANT_DEBUG
+                qDebug() << "|  user-permissions: auxiliary user " << verifiedAuxliaryUsername << "is in group:" << group << "so:" << userPerms;
+//#endif
+
+            }
+        }
+
+        userPerms.setVerifiedAuxiliaryUserName(verifiedAuxliaryUsername);
+        userPerms.setVerifiedAuxiliaryUserGroups(verifiedAuxiliaryUserGroups);
+    }
+
    if (verifiedUsername.isEmpty()) {
        userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameAnonymous);
 #ifdef WANT_DEBUG
@ -275,6 +295,8 @@ void DomainGatekeeper::updateNodePermissions() {
        // the id and the username in NodePermissions will often be the same, but id is set before
        // authentication and verifiedUsername is only set once they user's key has been confirmed.
        QString verifiedUsername = node->getPermissions().getVerifiedUserName();
+        QString verifiedAuxiliaryUsername = node->getPermissions().getVerifiedAuxiliaryUserName();
+        QStringList verifiedAuxiliaryUserGroups = node->getPermissions().getVerifiedAuxiliaryUserGroups();
        NodePermissions userPerms(NodePermissionsKey(verifiedUsername, 0));

        if (node->getPermissions().isAssignment) {
@ -309,7 +331,9 @@ void DomainGatekeeper::updateNodePermissions() {
                               sendingAddress == QHostAddress::LocalHost);
            }

-            userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, connectingAddr.getAddress(), hardwareAddress, machineFingerprint);
+            userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, verifiedAuxiliaryUsername, 
+                                              verifiedAuxiliaryUserGroups,  connectingAddr.getAddress(), 
+                                              hardwareAddress, machineFingerprint);
        }

        node->setPermissions(userPerms);
@ -434,8 +458,22 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect
        }
    }

-    userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, nodeConnection.senderSockAddr.getAddress(),
-                                      nodeConnection.hardwareAddress, nodeConnection.machineFingerprint);
+    // Auxiliary user name and groups may be provided by an external authentication service.
+    // This is enabled in the server settings by ... #######: TODO: What server name or tag to set in the server's settings?
+    QString verifiedAuxiliaryUsername;
+    QStringList verifiedAuxiliaryUserGroups;
+
+    // #######: TODO: Obtain auxiliary login's user name and auxiliary groups if server tags indicate that this is required.
+    //                May already have auxiliary login's user name, in which case groups should probably be re-obtained to 
+    //                ensure that they're up to date.
+
+    // #######: TODO: Delete this development code.
+    verifiedAuxiliaryUsername = "a@b.c";
+    verifiedAuxiliaryUserGroups = QString("test-group").toLower().split(" ");
+
+    userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, verifiedAuxiliaryUsername, verifiedAuxiliaryUserGroups,
+                                      nodeConnection.senderSockAddr.getAddress(), nodeConnection.hardwareAddress,
+                                      nodeConnection.machineFingerprint);

    if (!userPerms.can(NodePermissions::Permission::canConnectToDomain)) {
        sendConnectionDeniedPacket("You lack the required permissions to connect to this domain.",
@ -1029,7 +1067,7 @@ void DomainGatekeeper::refreshGroupsCache() {

    updateNodePermissions();

-#if WANT_DEBUG
+#ifdef WANT_DEBUG
    _server->_settingsManager.debugDumpGroupsState();
 #endif
 }
--- a/domain-server/src/DomainGatekeeper.h
+++ b/domain-server/src/DomainGatekeeper.h
@ -120,7 +120,8 @@ private:
    QSet<QString> _domainOwnerFriends; // keep track of friends of the domain owner
    QSet<QString> _inFlightGroupMembershipsRequests; // keep track of which we've already asked for

-    NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername, const QHostAddress& senderAddress, 
+    NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername, QString verifiedAuxliaryUsername,
+                                          QStringList verifiedAuxiliaryUserGroups, const QHostAddress& senderAddress,
                                          const QString& hardwareAddress, const QUuid& machineFingerprint);

    void getGroupMemberships(const QString& username);
--- a/libraries/networking/src/NodePermissions.h
+++ b/libraries/networking/src/NodePermissions.h
@ -51,6 +51,11 @@ public:
    void setVerifiedUserName(QString userName) { _verifiedUserName = userName.toLower(); }
    const QString& getVerifiedUserName() const { return _verifiedUserName; }

+    void setVerifiedAuxiliaryUserName(QString userName) { _verifiedAuxiliaryUserName = userName.toLower(); }
+    const QString& getVerifiedAuxiliaryUserName() const { return _verifiedAuxiliaryUserName; }
+    void setVerifiedAuxiliaryUserGroups(QStringList userGroups) { _verifiedAuxiliaryUserGroups = userGroups; }
+    const QStringList& getVerifiedAuxiliaryUserGroups() const { return _verifiedAuxiliaryUserGroups; }
+
    void setGroupID(QUuid groupID) { _groupID = groupID; if (!groupID.isNull()) { _groupIDSet = true; }}
    QUuid getGroupID() const { return _groupID; }
    bool isGroup() const { return _groupIDSet; }
@ -99,6 +104,8 @@ protected:
    QString _id;
    QUuid _rankID { QUuid() }; // 0 unless this is for a group
    QString _verifiedUserName;
+    QString _verifiedAuxiliaryUserName;
+    QStringList _verifiedAuxiliaryUserGroups;

    bool _groupIDSet { false };
    QUuid _groupID;