Flesh out domain groups code

domain-server/src/DomainGatekeeper.cpp

@@ -156,10 +156,8 @@ void DomainGatekeeper::processConnectRequestPacket(QSharedPointer<ReceivedMessag
 }
 
 NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QString verifiedUsername,
-                                                        QString verifiedDomainUserName, 
-                                                        QStringList verifiedDomainUserGroups,
-                                                        const QHostAddress& senderAddress, const QString& hardwareAddress,
-                                                        const QUuid& machineFingerprint) {
+                                                        QString verifiedDomainUserName, const QHostAddress& senderAddress, 
+                                                        const QString& hardwareAddress, const QUuid& machineFingerprint) {
     NodePermissions userPerms;
 
     userPerms.setAll(false);
@@ -173,19 +171,20 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
 
     // If this user is a known member of an externally-hosted group, give them the implied permissions.
     // Do before processing verifiedUsername in case user is logged into the metaverse and is a member of a blacklist group.
-    if (!verifiedDomainUserName.isEmpty() && !verifiedDomainUserGroups.isEmpty()) {
-        foreach (QString group, verifiedDomainUserGroups) {
-            if (_server->_settingsManager.getAllKnownGroupNames().contains(group)) {
-                userPerms |= _server->_settingsManager.getPermissionsForGroup(group, QUuid());
+    if (!verifiedDomainUserName.isEmpty()) {
+        auto userGroups = _domainGroupMemberships[verifiedDomainUserName];
+        foreach (QString userGroup, userGroups) {
+            if (_server->_settingsManager.getAllKnownGroupNames().contains(userGroup, Qt::CaseInsensitive)) {
+                userPerms |= _server->_settingsManager.getPermissionsForGroup(userGroup, QUuid()); // No rank for domain groups.
+// ####### Enable ifdef
 //#ifdef WANT_DEBUG
-                qDebug() << "|  user-permissions: domain user " << verifiedDomainUserName << "is in group:" << group << "so:" << userPerms;
+                qDebug() << "|  user-permissions: domain user " << verifiedDomainUserName << "is in group:" << userGroup 
+                    << "so:" << userPerms;
 //#endif
-
             }
         }
 
         userPerms.setVerifiedDomainUserName(verifiedDomainUserName);
-        userPerms.setVerifiedDomainUserGroups(verifiedDomainUserGroups);
     }
 
     if (verifiedUsername.isEmpty()) {
@@ -309,7 +308,6 @@ void DomainGatekeeper::updateNodePermissions() {
         // authentication and verifiedUsername is only set once they user's key has been confirmed.
         QString verifiedUsername = node->getPermissions().getVerifiedUserName();
         QString verifiedDomainUserName = node->getPermissions().getVerifiedDomainUserName();
-        QStringList verifiedDomainUserGroups = node->getPermissions().getVerifiedDomainUserGroups();
         NodePermissions userPerms(NodePermissionsKey(verifiedUsername, 0));
 
         if (node->getPermissions().isAssignment) {
@@ -345,8 +343,7 @@ void DomainGatekeeper::updateNodePermissions() {
             }
 
             userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, verifiedDomainUserName, 
-                                              verifiedDomainUserGroups, connectingAddr.getAddress(), 
-                                              hardwareAddress, machineFingerprint);
+                                              connectingAddr.getAddress(), hardwareAddress, machineFingerprint);
         }
 
         node->setPermissions(userPerms);
@@ -486,31 +483,28 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect
 
             // ####### TODO: OAuth2 corollary of metaverse code, above.
 
+            getDomainGroupMemberships(domainUsernameSignature); // Optimistically get started on group memberships.
+#ifdef WANT_DEBUG
+            qDebug() << "stalling login because we have no domain username-signature:" << domainUsername;
+#endif
             return SharedNodePointer();
         } else if (verifyDomainUserSignature(domainUsername, domainUsernameSignature, nodeConnection.senderSockAddr)) {
             // User's domain identity is confirmed.
-
-            // ####### TODO: Get user's domain group memberships (WordPress roles) from domain.
-            //               This may already be provided at the same time as the "verify" call to the domain API.
-            //               If it isn't, need to initiate getting them then handle their receipt along the lines of the 
-            //               metaverse code, above.
-            verifiedDomainUserGroups = QString("test-group").toLower().split(" ");
-
+            getDomainGroupMemberships(domainUsername);
             verifiedDomainUsername = domainUsername.toLower();
-
         } else {
             // User's identity didn't check out.
 
             // ####### TODO: OAuth2 corollary of metaverse code, above.
 
 #ifdef WANT_DEBUG
-            qDebug() << "stalling login because signature verification failed:" << username;
+            qDebug() << "stalling login because domain signature verification failed:" << domainUsername;
 #endif
             return SharedNodePointer();
         }
     }
 
-    userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, verifiedDomainUsername, verifiedDomainUserGroups,
+    userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, verifiedDomainUsername,
                                       nodeConnection.senderSockAddr.getAddress(), nodeConnection.hardwareAddress,
                                       nodeConnection.machineFingerprint);
 
@@ -1004,7 +998,6 @@ void DomainGatekeeper::getGroupMemberships(const QString& username) {
                                                           AccountManagerAuth::Required,
                                                           QNetworkAccessManager::PostOperation, callbackParams,
                                                           QJsonDocument(json).toJson());
-
 }
 
 QString extractUsernameFromGroupMembershipsReply(QNetworkReply* requestReply) {
@@ -1059,6 +1052,18 @@ void DomainGatekeeper::getIsGroupMemberErrorCallback(QNetworkReply* requestReply
     _inFlightGroupMembershipsRequests.remove(extractUsernameFromGroupMembershipsReply(requestReply));
 }
 
+
+void DomainGatekeeper::getDomainGroupMemberships(const QString& domainUserName) {
+
+    // ####### TODO: Get user's domain group memberships (WordPress roles) from domain.
+    //         This may be able to be provided at the same time as the "authenticate user" call to the domain API, in which case
+    //         a copy of some of the following code can be made there. However, this code is still needed for refreshing groups.
+
+    QStringList wordpressGroupsForUser = QStringList("siLVer");
+    _domainGroupMemberships[domainUserName] = wordpressGroupsForUser;
+}
+
+
 void DomainGatekeeper::getDomainOwnerFriendsList() {
     JSONCallbackParameters callbackParams;
     callbackParams.callbackReceiver = this;
@@ -1107,6 +1112,7 @@ void DomainGatekeeper::getDomainOwnerFriendsListErrorCallback(QNetworkReply* req
     qDebug() << "getDomainOwnerFriendsList api call failed:" << requestReply->error();
 }
 
+// ####### TODO: Domain equivalent or addition
 void DomainGatekeeper::refreshGroupsCache() {
     // if agents are connected to this domain, refresh our cached information about groups and memberships in such.
     getDomainOwnerFriendsList();

domain-server/src/DomainGatekeeper.h

@@ -128,14 +128,17 @@ private:
     QSet<QString> _inFlightGroupMembershipsRequests; // keep track of which we've already asked for
 
     NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername, QString verifiedDomainUsername,
-                                          QStringList verifiedDomainUserGroups, const QHostAddress& senderAddress,
-                                          const QString& hardwareAddress, const QUuid& machineFingerprint);
+                                          const QHostAddress& senderAddress, const QString& hardwareAddress, 
+                                          const QUuid& machineFingerprint);
 
     void getGroupMemberships(const QString& username);
     // void getIsGroupMember(const QString& username, const QUuid groupID);
     void getDomainOwnerFriendsList();
 
+    // Login and groups for domain, separate from metaverse.
     bool domainHasLogin();
+    void getDomainGroupMemberships(const QString& domainUserName);
+    QHash<QString, QStringList> _domainGroupMemberships;  // <domainUserName, [domainGroupName]>
 
     // Local ID management.
     void initLocalIDManagement();

libraries/networking/src/NodePermissions.h

@@ -54,8 +54,6 @@ public:
 
     void setVerifiedDomainUserName(QString userName) { _verifiedDomainUserName = userName.toLower(); }
     const QString& getVerifiedDomainUserName() const { return _verifiedDomainUserName; }
-    void setVerifiedDomainUserGroups(QStringList userGroups) { _verifiedDomainUserGroups = userGroups; }
-    const QStringList& getVerifiedDomainUserGroups() const { return _verifiedDomainUserGroups; }
 
     void setGroupID(QUuid groupID) { _groupID = groupID; if (!groupID.isNull()) { _groupIDSet = true; }}
     QUuid getGroupID() const { return _groupID; }
@@ -106,7 +104,6 @@ protected:
     QUuid _rankID { QUuid() }; // 0 unless this is for a group
     QString _verifiedUserName;
     QString _verifiedDomainUserName;
-    QStringList _verifiedDomainUserGroups;
 
     bool _groupIDSet { false };
     QUuid _groupID;