Mirrors/overte
3
0
Fork 0
mirror of https://github.com/overte-org/overte.git synced 2025-07-12 22:19:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Ban only by machine fingerprint, when possible

Browse source
This commit is contained in:
David Kelly 2017-02-16 09:50:56 -07:00
parent a3c123818d
commit a8831e89ff
1 changed files with 51 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

88
domain-server/src/DomainServerSettingsManager.cpp
View file

@ -30,6 +30,7 @@
#include <NumericalConstants.h> #include <NumericalConstants.h>
#include <SettingHandle.h> #include <SettingHandle.h>
#include <AvatarData.h> //for KillAvatarReason #include <AvatarData.h> //for KillAvatarReason
#include <FingerprintUtils.h>
#include "DomainServerNodeData.h" #include "DomainServerNodeData.h"
const QString SETTINGS_DESCRIPTION_RELATIVE_PATH = "/resources/describe-settings.json"; const QString SETTINGS_DESCRIPTION_RELATIVE_PATH = "/resources/describe-settings.json";
@ -668,67 +669,64 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
// ensure that the connect permission is clear // ensure that the connect permission is clear
userPermissions->clear(NodePermissions::Permission::canConnectToDomain); userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
} else { } else {
// otherwise we apply the kick to the IP from active socket for this node and the MAC address // remove connect permissions for the machine fingerprint
// remove connect permissions for the IP (falling back to the public socket if not yet active)
auto& kickAddress = matchingNode->getActiveSocket()
? matchingNode->getActiveSocket()->getAddress()
: matchingNode->getPublicSocket().getAddress();
// probably isLoopback covers it, as whenever I try to ban an agent on same machine as the domain-server
// it is always 127.0.0.1, but looking at the public and local addresses just to be sure
// TODO: soon we will have feedback (in the form of a message to the client) after we kick. When we
// do, we will have a success flag, and perhaps a reason for failure. For now, just don't do it.
if (kickAddress == limitedNodeList->getPublicSockAddr().getAddress() ||
kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
kickAddress.isLoopback() ) {
qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
return;
}
NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid());
// check if there were already permissions for the IP
bool hadIPPermissions = hasPermissionsForIP(kickAddress);
// grab or create permissions for the given IP address
auto ipPermissions = _ipPermissions[ipAddressKey];
if (!hadIPPermissions || ipPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
ipPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
// potentially remove connect permissions for the MAC address and machine fingerprint
DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData()); DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
if (nodeData) { if (nodeData) {
// mac address first // get this machine's fingerprint
NodePermissionsKey macAddressKey(nodeData->getHardwareAddress(), 0); auto domainServerFingerprint = FingerprintUtils::getMachineFingerprint();
bool hadMACPermissions = hasPermissionsForMAC(nodeData->getHardwareAddress()); if (nodeData->getMachineFingerprint() == domainServerFingerprint) {
qWarning() << "attempt to kick node running on same machine as domain server (by fingerprint), ignoring KickRequest";
auto macPermissions = _macPermissions[macAddressKey]; return;
if (!hadMACPermissions || macPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
macPermissions->clear(NodePermissions::Permission::canConnectToDomain);
} }
// now for machine fingerprint
NodePermissionsKey machineFingerprintKey(nodeData->getMachineFingerprint().toString(), 0); NodePermissionsKey machineFingerprintKey(nodeData->getMachineFingerprint().toString(), 0);
// check if there were already permissions for the fingerprint
bool hadFingerprintPermissions = hasPermissionsForMachineFingerprint(nodeData->getMachineFingerprint()); bool hadFingerprintPermissions = hasPermissionsForMachineFingerprint(nodeData->getMachineFingerprint());
// grab or create permissions for the given fingerprint
auto fingerprintPermissions = _machineFingerprintPermissions[machineFingerprintKey]; auto fingerprintPermissions = _machineFingerprintPermissions[machineFingerprintKey];
// write them
if (!hadFingerprintPermissions || fingerprintPermissions->can(NodePermissions::Permission::canConnectToDomain)) { if (!hadFingerprintPermissions || fingerprintPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true; newPermissions = true;
fingerprintPermissions->clear(NodePermissions::Permission::canConnectToDomain); fingerprintPermissions->clear(NodePermissions::Permission::canConnectToDomain);
} }
} else {
// if no node data, all we can do is IP address
auto& kickAddress = matchingNode->getActiveSocket()
? matchingNode->getActiveSocket()->getAddress()
: matchingNode->getPublicSocket().getAddress();
// probably isLoopback covers it, as whenever I try to ban an agent on same machine as the domain-server
// it is always 127.0.0.1, but looking at the public and local addresses just to be sure
// TODO: soon we will have feedback (in the form of a message to the client) after we kick. When we
// do, we will have a success flag, and perhaps a reason for failure. For now, just don't do it.
if (kickAddress == limitedNodeList->getPublicSockAddr().getAddress() ||
kickAddress == limitedNodeList->getLocalSockAddr().getAddress() ||
kickAddress.isLoopback() ) {
qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
return;
}
NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid());
// check if there were already permissions for the IP
bool hadIPPermissions = hasPermissionsForIP(kickAddress);
// grab or create permissions for the given IP address
auto ipPermissions = _ipPermissions[ipAddressKey];
if (!hadIPPermissions || ipPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
newPermissions = true;
ipPermissions->clear(NodePermissions::Permission::canConnectToDomain);
}
} }
} }
// if we are here, then we kicked them, so send the KillAvatar message to everyone
// if we are here, then we kicked them, so send the KillAvatar message
auto packet = NLPacket::create(PacketType::KillAvatar, NUM_BYTES_RFC4122_UUID + sizeof(KillAvatarReason), true); auto packet = NLPacket::create(PacketType::KillAvatar, NUM_BYTES_RFC4122_UUID + sizeof(KillAvatarReason), true);
packet->write(nodeUUID.toRfc4122()); packet->write(nodeUUID.toRfc4122());
packet->writePrimitive(KillAvatarReason::NoReason); packet->writePrimitive(KillAvatarReason::NoReason);