From 897825403753d9c93dfb146cb55f1a1d6037660b Mon Sep 17 00:00:00 2001
From: Stephen Birarda
Date: Mon, 27 Nov 2017 18:13:40 -0800
Subject: [PATCH] kick logged in by fingerprint/ip if enabled in DS settings
---
 domain-server/resources/describe-settings.json | 8 ++++++++
 domain-server/src/DomainServerSettingsManager.cpp | 15 +++++++++++----
 libraries/networking/src/NodeList.cpp | 4 ++--
 libraries/networking/src/udt/PacketHeaders.cpp | 2 +-
 libraries/networking/src/udt/PacketHeaders.h | 3 ++-
 5 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/domain-server/resources/describe-settings.json b/domain-server/resources/describe-settings.json
index d55da6c848..31f224667c 100644
--- a/domain-server/resources/describe-settings.json
+++ b/domain-server/resources/describe-settings.json
@@ -916,6 +916,14 @@
 "default": false
 }
 ]
+ },
+ {
+ "name": "multi_kick_logged_in",
+ "type": "checkbox",
+ "label": "Multi-Kick for Logged In Users",
+ "help": "Kick logged in users by machine fingerprint (in addition to the default kick by username)",
+ "default": false,
+ "advanced": true
 }
 ]
 },
diff --git a/domain-server/src/DomainServerSettingsManager.cpp b/domain-server/src/DomainServerSettingsManager.cpp
index b12e2d90f0..a4d3e675aa 100644
--- a/domain-server/src/DomainServerSettingsManager.cpp
+++ b/domain-server/src/DomainServerSettingsManager.cpp
@@ -672,7 +672,7 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointerclear(NodePermissions::Permission::canConnectToDomain); - } else { + } + + // if we didn't have a username, or this domain-server uses the "multi-kick" setting to + // kick logged in users via username AND machine fingerprint (or IP as fallback) + // then we remove connect permissions for the machine fingerprint (or IP as fallback) + const QString MULTI_KICK_SETTINGS_KEYPATH = "security.multi_kick_logged_in"; + + if (verifiedUsername.isEmpty() || valueOrDefaultValueForKeyPath(MULTI_KICK_SETTINGS_KEYPATH).toBool()) { // remove connect permissions for the machine fingerprint DomainServerNodeData* nodeData = static_cast(matchingNode->getLinkedData()); if (nodeData) { @@ -719,8 +726,8 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointergetPublicSockAddr().getAddress() || - kickAddress == limitedNodeList->getLocalSockAddr().getAddress() || - kickAddress.isLoopback() ) { + kickAddress == limitedNodeList->getLocalSockAddr().getAddress() || + kickAddress.isLoopback() ) { qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest"; return; } diff --git a/libraries/networking/src/NodeList.cpp b/libraries/networking/src/NodeList.cpp index 63ec460de8..5a72006a8c 100644 --- a/libraries/networking/src/NodeList.cpp +++ b/libraries/networking/src/NodeList.cpp @@ -385,9 +385,9 @@ void NodeList::sendDomainServerCheckIn() { packetStream << hardwareAddress; - // now add the machine fingerprint - a null UUID if logged in, real one if not logged in + // now add the machine fingerprint auto accountManager = DependencyManager::get(); - packetStream << (accountManager->isLoggedIn() ? QUuid() : FingerprintUtils::getMachineFingerprint()); + packetStream << FingerprintUtils::getMachineFingerprint(); } // pack our data to send to the domain-server including 
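Review bot: In `processNodeKickRequestPacket`, the new `if (verifiedUsername.isEmpty() || valueOrDefaultValueForKeyPath(MULTI_KICK_SETTINGS_KEYPATH).toBool())` branch bans on a machine fingerprint that is presumably the value the client reports about itself in its connect request (see `NodeList::sendDomainServerCheckIn` in this patch), so the ban key is advisory rather than server-verified, and the added comment does not say so. The comment also mentions an IP fallback, which can lock out unrelated users behind the same address, while the `multi_kick_logged_in` help text mentions only the fingerprint. I would extend the comment with `// NOTE: the fingerprint is client-reported, and the IP fallback may match other users behind the same address` and add "(or IP address as fallback)" to the help string. The `if (nodeData)` body continues outside the hunk, so it is worth confirming there that a null fingerprint is never stored as a permissions key.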
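Review bot: In `NodeList::sendDomainServerCheckIn`, the `accountManager` local on the context line is left without a use now that the `isLoggedIn()` ternary is removed, and the block closes on the next `}`; the declaration should be dropped. The shortened comment `// now add the machine fingerprint` also loses the fact that matters here: logged-in clients previously sent a null UUID and now send a stable machine identifier to every domain-server they check in with, whether or not that domain has `multi_kick_logged_in` enabled. I would write `// always send the machine fingerprint, even when logged in, so the domain-server can ban by fingerprint` so the privacy trade-off is visible at the call site. The function starts before the hunk.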
diff --git a/libraries/networking/src/udt/PacketHeaders.cpp b/libraries/networking/src/udt/PacketHeaders.cpp index c2c1d75726..fa5028e1bb 100644 --- a/libraries/networking/src/udt/PacketHeaders.cpp +++ b/libraries/networking/src/udt/PacketHeaders.cpp @@ -57,7 +57,7 @@ PacketVersion versionForPacketType(PacketType packetType) { return static_cast(DomainConnectionDeniedVersion::IncludesExtraInfo); case PacketType::DomainConnectRequest: - return static_cast(DomainConnectRequestVersion::HasMachineFingerprint); + return static_cast(DomainConnectRequestVersion::AlwaysHasMachineFingerprint); case PacketType::DomainServerAddedNode: return static_cast(DomainServerAddedNodeVersion::PermissionsGrid); diff --git a/libraries/networking/src/udt/PacketHeaders.h b/libraries/networking/src/udt/PacketHeaders.h index c4c1758ed2..e5cb87c379 100644 --- a/libraries/networking/src/udt/PacketHeaders.h +++ b/libraries/networking/src/udt/PacketHeaders.h @@ -247,7 +247,8 @@ enum class DomainConnectRequestVersion : PacketVersion { HasHostname, HasProtocolVersions, HasMACAddress, - HasMachineFingerprint + HasMachineFingerprint, + AlwaysHasMachineFingerprint }; enum class DomainConnectionDeniedVersion : PacketVersion {