Mirrors/overte
3
0
Fork 0
mirror of https://github.com/overte-org/overte.git synced 2025-07-12 21:58:54 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Ban only by machine fingerprint, when possible

Browse source
This commit is contained in:
David Kelly 2017-02-16 09:50:56 -07:00
parent a3c123818d
commit a8831e89ff
1 changed files with 51 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
domain-server/src/DomainServerSettingsManager.cpp
View file

@ -30,6 +30,7 @@
#include <NumericalConstants.h> #include <NumericalConstants.h>
#include <SettingHandle.h> #include <SettingHandle.h>
#include <AvatarData.h> //for KillAvatarReason #include <AvatarData.h> //for KillAvatarReason
#include <FingerprintUtils.h>
#include "DomainServerNodeData.h" #include "DomainServerNodeData.h"
const QString SETTINGS_DESCRIPTION_RELATIVE_PATH = "/resources/describe-settings.json"; const QString SETTINGS_DESCRIPTION_RELATIVE_PATH = "/resources/describe-settings.json";
@ -668,9 +669,31 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
// ensure that the connect permission is clear // ensure that the connect permission is clear
userPermissions->clear(NodePermissions::Permission::canConnectToDomain); userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
} else { } else {
// otherwise we apply the kick to the IP from active socket for this node and the MAC address // remove connect permissions for the machine fingerprint
DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
if (nodeData) {
// get this machine's fingerprint
auto domainServerFingerprint = FingerprintUtils::getMachineFingerprint();
// remove connect permissions for the IP (falling back to the public socket if not yet active) if (nodeData->getMachineFingerprint() == domainServerFingerprint) {
qWarning() << "attempt to kick node running on same machine as domain server (by fingerprint), ignoring KickRequest";
return;
}
NodePermissionsKey machineFingerprintKey(nodeData->getMachineFingerprint().toString(), 0);
// check if there were already permissions for the fingerprint
bool hadFingerprintPermissions = hasPermissionsForMachineFingerprint(nodeData->getMachineFingerprint());
// grab or create permissions for the given fingerprint
auto fingerprintPermissions = _machineFingerprintPermissions[machineFingerprintKey];
// write them
if (!hadFingerprintPermissions || fingerprintPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
fingerprintPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
} else {
// if no node data, all we can do is IP address
auto& kickAddress = matchingNode->getActiveSocket() auto& kickAddress = matchingNode->getActiveSocket()
? matchingNode->getActiveSocket()->getAddress() ? matchingNode->getActiveSocket()->getAddress()
: matchingNode->getPublicSocket().getAddress(); : matchingNode->getPublicSocket().getAddress();
@ -685,6 +708,8 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest"; qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
return; return;
} }
NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid()); NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid());
// check if there were already permissions for the IP // check if there were already permissions for the IP
@ -698,37 +723,10 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
ipPermissions->clear(NodePermissions::Permission::canConnectToDomain); ipPermissions->clear(NodePermissions::Permission::canConnectToDomain);
} }
// potentially remove connect permissions for the MAC address and machine fingerprint
DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
if (nodeData) {
// mac address first
NodePermissionsKey macAddressKey(nodeData->getHardwareAddress(), 0);
bool hadMACPermissions = hasPermissionsForMAC(nodeData->getHardwareAddress());
auto macPermissions = _macPermissions[macAddressKey];
if (!hadMACPermissions || macPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
macPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
// now for machine fingerprint
NodePermissionsKey machineFingerprintKey(nodeData->getMachineFingerprint().toString(), 0);
bool hadFingerprintPermissions = hasPermissionsForMachineFingerprint(nodeData->getMachineFingerprint());
auto fingerprintPermissions = _machineFingerprintPermissions[machineFingerprintKey];
if (!hadFingerprintPermissions || fingerprintPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
fingerprintPermissions->clear(NodePermissions::Permission::canConnectToDomain);
} }
} }
}
// if we are here, then we kicked them, so send the KillAvatar message to everyone // if we are here, then we kicked them, so send the KillAvatar message
auto packet = NLPacket::create(PacketType::KillAvatar, NUM_BYTES_RFC4122_UUID + sizeof(KillAvatarReason), true); auto packet = NLPacket::create(PacketType::KillAvatar, NUM_BYTES_RFC4122_UUID + sizeof(KillAvatarReason), true);
packet->write(nodeUUID.toRfc4122()); packet->write(nodeUUID.toRfc4122());
packet->writePrimitive(KillAvatarReason::NoReason); packet->writePrimitive(KillAvatarReason::NoReason);