From e4c9657ab991d8289c694638bed40ad85d80da9d Mon Sep 17 00:00:00 2001
From: David Rowe
Date: Thu, 23 Jul 2020 16:08:09 +1200
Subject: [PATCH] Initial auxiliary groups code

---
 domain-server/src/DomainGatekeeper.cpp | 50 +++++++++++++++++++---
 domain-server/src/DomainGatekeeper.h | 3 +-
 libraries/networking/src/NodePermissions.h | 7 +++
 3 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/domain-server/src/DomainGatekeeper.cpp b/domain-server/src/DomainGatekeeper.cpp
index 09a0446468..59a17d3ba9 100644
--- a/domain-server/src/DomainGatekeeper.cpp
+++ b/domain-server/src/DomainGatekeeper.cpp
@@ -142,8 +142,11 @@ void DomainGatekeeper::processConnectRequestPacket(QSharedPointer_settingsManager.getAllKnownGroupNames().contains(group)) {
+ userPerms |= _server->_settingsManager.getPermissionsForGroup(group, QUuid());
+//#ifdef WANT_DEBUG
+ qDebug() << "| user-permissions: auxiliary user " << verifiedAuxliaryUsername << "is in group:" << group << "so:" << userPerms;
+//#endif
+
+ }
+ }
+
+ userPerms.setVerifiedAuxiliaryUserName(verifiedAuxliaryUsername);
+ userPerms.setVerifiedAuxiliaryUserGroups(verifiedAuxiliaryUserGroups);
+ }
+ if (verifiedUsername.isEmpty()) {
 userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameAnonymous);
 #ifdef WANT_DEBUG
@@ -275,6 +295,8 @@ void DomainGatekeeper::updateNodePermissions() {
 // the id and the username in NodePermissions will often be the same, but id is set before
 // authentication and verifiedUsername is only set once they user's key has been confirmed.
 QString verifiedUsername = node->getPermissions().getVerifiedUserName();
+ QString verifiedAuxiliaryUsername = node->getPermissions().getVerifiedAuxiliaryUserName();
+ QStringList verifiedAuxiliaryUserGroups = node->getPermissions().getVerifiedAuxiliaryUserGroups();
 NodePermissions userPerms(NodePermissionsKey(verifiedUsername, 0));
 if (node->getPermissions().isAssignment) {
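Review bot: The `qDebug()` added inside the auxiliary-group loop is unguarded, because its `#ifdef WANT_DEBUG` and `#endif` are commented out (`//#ifdef WANT_DEBUG`), unlike the real `#ifdef WANT_DEBUG` guards used elsewhere in this file, so whenever debug output is enabled every connection logs the auxiliary user name, each group and the accumulated `userPerms`; restore the two directives before merge. The loop also calls `_server->_settingsManager.getAllKnownGroupNames()` once per group, so hoisting it — `const auto knownGroups = _server->_settingsManager.getAllKnownGroupNames();` before the loop and `if (knownGroups.contains(group))` inside — avoids repeating that lookup (assuming it returns by value, which is not visible here). The parameter is spelled `verifiedAuxliaryUsername` in this hunk while the callers use `verifiedAuxiliaryUsername`. The enclosing function starts outside the hunk, and the hunk header line appears garbled in this copy of the patch.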
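Review bot: The two added lines read the auxiliary user name and groups back from `node->getPermissions()`, so on a permissions refresh the groups stored at connect time are reused rather than re-fetched; a membership the external service has since revoked keeps granting that group's permissions until the client reconnects. The TODO in processAgentConnectRequest already says the groups should be re-obtained, and this refresh path needs the same treatment. Until then a comment on the added lines would make the limitation visible: `// Carried over from connect time; not re-verified on refresh`. The rest of updateNodePermissions lies outside the hunk.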
@@ -309,7 +331,9 @@ void DomainGatekeeper::updateNodePermissions() {
 sendingAddress == QHostAddress::LocalHost);
 }
- userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, connectingAddr.getAddress(), hardwareAddress, machineFingerprint);
+ userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, verifiedAuxiliaryUsername,
+ verifiedAuxiliaryUserGroups, connectingAddr.getAddress(),
+ hardwareAddress, machineFingerprint);
 }
 node->setPermissions(userPerms);
@@ -434,8 +458,22 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect
 }
 }
- userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, nodeConnection.senderSockAddr.getAddress(),
- nodeConnection.hardwareAddress, nodeConnection.machineFingerprint);
+ // Auxiliary user name and groups may be provided by an external authentication service.
+ // This is enabled in the server settings by ... #######: TODO: What server name or tag to set in the server's settings?
+ QString verifiedAuxiliaryUsername;
+ QStringList verifiedAuxiliaryUserGroups;
+
+ // #######: TODO: Obtain auxiliary login's user name and auxiliary groups if server tags indicate that this is required.
+ // May already have auxiliary login's user name, in which case groups should probably be re-obtained to
+ // ensure that they're up to date.
+
+ // #######: TODO: Delete this development code.
+ verifiedAuxiliaryUsername = "a@b.c";
+ verifiedAuxiliaryUserGroups = QString("test-group").toLower().split(" ");
+
+ userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, verifiedAuxiliaryUsername, verifiedAuxiliaryUserGroups,
+ nodeConnection.senderSockAddr.getAddress(), nodeConnection.hardwareAddress,
+ nodeConnection.machineFingerprint);
 if (!userPerms.can(NodePermissions::Permission::canConnectToDomain)) {
 sendConnectionDeniedPacket("You lack the required permissions to connect to this domain.",
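Review bot: The stub at `verifiedAuxiliaryUsername = "a@b.c";` and `verifiedAuxiliaryUserGroups = QString("test-group").toLower().split(" ");` assigns the same auxiliary identity to every agent that connects, and setPermissionsForUser then ORs in the permissions of any known group named `test-group` for all of them; nothing on this path verifies the values despite the `verified` prefix. If this lands with the TODOs open, keep both variables empty by default and wrap the two assignments in `#ifdef DEV_AUXILIARY_STUB` … `#endif` (placeholder name; choose a flag that is off in normal builds) so a shipped build cannot grant group permissions on the strength of hard-coded data. The comment `// This is enabled in the server settings by ...` should name the setting once it exists, since an operator needs to see that this is opt-in. The enclosing function begins outside the hunk.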
@@ -1029,7 +1067,7 @@ void DomainGatekeeper::refreshGroupsCache() {
 updateNodePermissions();
-#if WANT_DEBUG
+#ifdef WANT_DEBUG
 _server->_settingsManager.debugDumpGroupsState();
 #endif
 }
diff --git a/domain-server/src/DomainGatekeeper.h b/domain-server/src/DomainGatekeeper.h
index 92b400882e..0fb9a8e36a 100644
--- a/domain-server/src/DomainGatekeeper.h
+++ b/domain-server/src/DomainGatekeeper.h
@@ -120,7 +120,8 @@ private:
 QSet _domainOwnerFriends; // keep track of friends of the domain owner
 QSet _inFlightGroupMembershipsRequests; // keep track of which we've already asked for
- NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername, const QHostAddress& senderAddress,
+ NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername, QString verifiedAuxliaryUsername,
+ QStringList verifiedAuxiliaryUserGroups, const QHostAddress& senderAddress,
 const QString& hardwareAddress, const QUuid& machineFingerprint);
 void getGroupMemberships(const QString& username);
diff --git a/libraries/networking/src/NodePermissions.h b/libraries/networking/src/NodePermissions.h
index 583c1b29ac..ebbe2104c7 100644
--- a/libraries/networking/src/NodePermissions.h
+++ b/libraries/networking/src/NodePermissions.h
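Review bot: The new parameter is declared `QString verifiedAuxliaryUsername` (missing an i), while the callers in DomainGatekeeper.cpp use `verifiedAuxiliaryUsername`; it compiles, but the mismatch makes the declaration hard to grep for. Both new parameters are passed by value next to `const QHostAddress& senderAddress` and `const QString& hardwareAddress`; `const QString& verifiedAuxiliaryUsername, const QStringList& verifiedAuxiliaryUserGroups` would match the neighbouring style. A one-line comment on the declaration would help a reader who has not seen the .cpp, e.g. `// auxiliary name/groups are supplied by an external authentication service and matched against the server's known group names`.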
@@ -51,6 +51,11 @@ public:
 void setVerifiedUserName(QString userName) { _verifiedUserName = userName.toLower(); }
 const QString& getVerifiedUserName() const { return _verifiedUserName; }
+ void setVerifiedAuxiliaryUserName(QString userName) { _verifiedAuxiliaryUserName = userName.toLower(); }
+ const QString& getVerifiedAuxiliaryUserName() const { return _verifiedAuxiliaryUserName; }
+ void setVerifiedAuxiliaryUserGroups(QStringList userGroups) { _verifiedAuxiliaryUserGroups = userGroups; }
+ const QStringList& getVerifiedAuxiliaryUserGroups() const { return _verifiedAuxiliaryUserGroups; }
+
 void setGroupID(QUuid groupID) { _groupID = groupID; if (!groupID.isNull()) { _groupIDSet = true; }}
 QUuid getGroupID() const { return _groupID; }
 bool isGroup() const { return _groupIDSet; }
@@ -99,6 +104,8 @@ protected:
 QString _id;
 QUuid _rankID { QUuid() }; // 0 unless this is for a group
 QString _verifiedUserName;
+ QString _verifiedAuxiliaryUserName;
+ QStringList _verifiedAuxiliaryUserGroups;
 bool _groupIDSet { false };
 QUuid _groupID;
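Review bot: `setVerifiedAuxiliaryUserName` lowercases its argument like `setVerifiedUserName` does, but `setVerifiedAuxiliaryUserGroups` stores the list exactly as given, so case normalisation of the group names is left to each caller (DomainGatekeeper currently calls `.toLower()` before the split and then compares with `contains(group)` against the known group names). Normalising in the setter keeps both fields consistent: `void setVerifiedAuxiliaryUserGroups(QStringList userGroups) { for (auto& group : userGroups) { group = group.toLower(); } _verifiedAuxiliaryUserGroups = userGroups; }` — or document on the setter that callers must pass lowercased names. Whether the two new members also need to take part in NodePermissions' `|=` merge or any serialisation is not visible from this hunk and is worth checking.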