Ban only by machine fingerprint, when possible

2025-07-13 01:18:47 +02:00 · 2017-02-16 09:50:56 -07:00 · 2017-02-16 09:50:56 -07:00 · a8831e89ff
commit a8831e89ff
parent a3c123818d
1 changed files with 51 additions and 53 deletions
--- a/domain-server/src/DomainServerSettingsManager.cpp
+++ b/domain-server/src/DomainServerSettingsManager.cpp
@ -30,6 +30,7 @@
 #include <NumericalConstants.h>
 #include <SettingHandle.h>
 #include <AvatarData.h> //for KillAvatarReason
+#include <FingerprintUtils.h>
 #include "DomainServerNodeData.h"

 const QString SETTINGS_DESCRIPTION_RELATIVE_PATH = "/resources/describe-settings.json";
@ -668,9 +669,31 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
                    // ensure that the connect permission is clear
                    userPermissions->clear(NodePermissions::Permission::canConnectToDomain);
                } else {
-                    // otherwise we apply the kick to the IP from active socket for this node and the MAC address
+                    // remove connect permissions for the machine fingerprint
+                    DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
+                    if (nodeData) {
+                        // get this machine's fingerprint
+                        auto domainServerFingerprint = FingerprintUtils::getMachineFingerprint();

-                    // remove connect permissions for the IP (falling back to the public socket if not yet active)
+                        if (nodeData->getMachineFingerprint() == domainServerFingerprint) {
+                            qWarning() << "attempt to kick node running on same machine as domain server (by fingerprint), ignoring KickRequest";
+                            return;
+                        }
+                        NodePermissionsKey machineFingerprintKey(nodeData->getMachineFingerprint().toString(), 0);
+
+                        // check if there were already permissions for the fingerprint
+                        bool hadFingerprintPermissions = hasPermissionsForMachineFingerprint(nodeData->getMachineFingerprint());
+
+                        // grab or create permissions for the given fingerprint
+                        auto fingerprintPermissions = _machineFingerprintPermissions[machineFingerprintKey];
+
+                        // write them
+                        if (!hadFingerprintPermissions || fingerprintPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
+                            newPermissions = true;
+                            fingerprintPermissions->clear(NodePermissions::Permission::canConnectToDomain);
+                        }
+                    } else {
+                        // if no node data, all we can do is IP address
                        auto& kickAddress = matchingNode->getActiveSocket()
                            ? matchingNode->getActiveSocket()->getAddress()
                            : matchingNode->getPublicSocket().getAddress();
@ -685,6 +708,8 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re
                            qWarning() << "attempt to kick node running on same machine as domain server, ignoring KickRequest";
                            return;
                        }
+
+
                        NodePermissionsKey ipAddressKey(kickAddress.toString(), QUuid());

                        // check if there were already permissions for the IP
@ -698,37 +723,10 @@ void DomainServerSettingsManager::processNodeKickRequestPacket(QSharedPointer<Re

                            ipPermissions->clear(NodePermissions::Permission::canConnectToDomain);
                        }
-
-                    // potentially remove connect permissions for the MAC address and machine fingerprint
-                    DomainServerNodeData* nodeData = static_cast<DomainServerNodeData*>(matchingNode->getLinkedData());
-                    if (nodeData) {
-                        // mac address first
-                        NodePermissionsKey macAddressKey(nodeData->getHardwareAddress(), 0);
-
-                        bool hadMACPermissions = hasPermissionsForMAC(nodeData->getHardwareAddress());
-
-                        auto macPermissions = _macPermissions[macAddressKey];
-
-                        if (!hadMACPermissions || macPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
-                            newPermissions = true;
-
-                            macPermissions->clear(NodePermissions::Permission::canConnectToDomain);
-                        }
-
-                        // now for machine fingerprint
-                        NodePermissionsKey machineFingerprintKey(nodeData->getMachineFingerprint().toString(), 0);
-                        
-                        bool hadFingerprintPermissions = hasPermissionsForMachineFingerprint(nodeData->getMachineFingerprint());
-                        
-                        auto fingerprintPermissions = _machineFingerprintPermissions[machineFingerprintKey];
-                        
-                        if (!hadFingerprintPermissions || fingerprintPermissions->can(NodePermissions::Permission::canConnectToDomain)) {
-                            newPermissions = true;
-                            fingerprintPermissions->clear(NodePermissions::Permission::canConnectToDomain);
                    }
                }
-                }
-                // if we are here, then we kicked them, so send the KillAvatar message to everyone
+
+                // if we are here, then we kicked them, so send the KillAvatar message
                auto packet = NLPacket::create(PacketType::KillAvatar, NUM_BYTES_RFC4122_UUID + sizeof(KillAvatarReason), true);
                packet->write(nodeUUID.toRfc4122());
                packet->writePrimitive(KillAvatarReason::NoReason);