Merge pull request #11883 from birarda/feat/kick-on-fingerprint

add option to kick logged in users by fingerprint too

domain-server/resources/describe-settings.json

@@ -916,6 +916,14 @@
               "default": false
             }
           ]
+        },
+        {
+          "name": "multi_kick_logged_in",
+          "type": "checkbox",
+          "label": "Multi-Kick for Logged In Users",
+          "help": "Kick logged in users by machine fingerprint (in addition to the default kick by username)",
+          "default": false,
+          "advanced": true
         }
       ]
     },

domain-server/src/DomainGatekeeper.cpp

@@ -183,6 +183,11 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
 
 #ifdef WANT_DEBUG
             qDebug() << "|  user-permissions: specific MAC matches, so:" << userPerms;
+#endif
+        } else if (_server->_settingsManager.hasPermissionsForMachineFingerprint(machineFingerprint)) {
+            userPerms = _server->_settingsManager.getPermissionsForMachineFingerprint(machineFingerprint);
+#ifdef WANT_DEBUG
+            qDebug(() << "| user-permissions: specific Machine Fingerprint matches, so: " << userPerms;
 #endif
         } else if (_server->_settingsManager.hasPermissionsForIP(senderAddress)) {
             // this user comes from an IP we have in our permissions table, apply those permissions

domain-server/src/DomainServerSettingsManager.cpp

@@ -672,7 +672,7 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
                 bool newPermissions = false;
 
                 if (!verifiedUsername.isEmpty()) {
-                    // if we have a verified user name for this user, we apply the kick to the username
+                    // if we have a verified user name for this user, we first apply the kick to the username
 
                     // check if there were already permissions
                     bool hadPermissions = havePermissionsForName(verifiedUsername);
@@ -684,7 +684,14 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
 
                     // ensure that the connect permission is clear
                     userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
-                } else {
+                }
+
+                // if we didn't have a username, or this domain-server uses the "multi-kick" setting to
+                // kick logged in users via username AND machine fingerprint (or IP as fallback)
+                // then we remove connect permissions for the machine fingerprint (or IP as fallback)
+                const QString MULTI_KICK_SETTINGS_KEYPATH = "security.multi_kick_logged_in";
+
+                if (verifiedUsername.isEmpty() || valueOrDefaultValueForKeyPath(MULTI_KICK_SETTINGS_KEYPATH).toBool()) {
                     // remove connect permissions for the machine fingerprint
                     DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
                     if (nodeData) {
@@ -719,8 +726,8 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
                         // TODO: soon we will have feedback (in the form of a message to the client) after we kick.  When we
                         // do, we will have a success flag, and perhaps a reason for failure.  For now, just don't do it.
                         if (kickAddress == limitedNodeList->getPublicSockAddr().getAddress() ||
-                                kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
+                            kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
-                                kickAddress.isLoopback() ) {
+                            kickAddress.isLoopback() ) {
                             qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
                             return;
                         }

libraries/networking/src/NodeList.cpp

@@ -385,9 +385,9 @@ void NodeList::sendDomainServerCheckIn() {
 
             packetStream << hardwareAddress;
 
-            // now add the machine fingerprint - a null UUID if logged in, real one if not logged in
+            // now add the machine fingerprint
             auto accountManager = DependencyManager::get<AccountManager>();
-            packetStream << (accountManager->isLoggedIn() ? QUuid() : FingerprintUtils::getMachineFingerprint());
+            packetStream << FingerprintUtils::getMachineFingerprint();
         }
 
         // pack our data to send to the domain-server including

libraries/networking/src/udt/PacketHeaders.cpp

@@ -57,7 +57,7 @@ PacketVersion versionForPacketType(PacketType packetType) {
             return static_cast<PacketVersion>(DomainConnectionDeniedVersion::IncludesExtraInfo);
 
         case PacketType::DomainConnectRequest:
-            return static_cast<PacketVersion>(DomainConnectRequestVersion::HasMachineFingerprint);
+            return static_cast<PacketVersion>(DomainConnectRequestVersion::AlwaysHasMachineFingerprint);
 
         case PacketType::DomainServerAddedNode:
             return static_cast<PacketVersion>(DomainServerAddedNodeVersion::PermissionsGrid);

libraries/networking/src/udt/PacketHeaders.h

@@ -247,7 +247,8 @@ enum class DomainConnectRequestVersion : PacketVersion {
     HasHostname,
     HasProtocolVersions,
     HasMACAddress,
-    HasMachineFingerprint
+    HasMachineFingerprint,
+    AlwaysHasMachineFingerprint
 };
 
 enum class DomainConnectionDeniedVersion : PacketVersion {