Mirrors/overte
3
0
Fork 0
mirror of https://github.com/overte-org/overte.git synced 2025-08-08 20:56:52 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

book-keeping around groups and ranks

Browse source
This commit is contained in:
Seth Alves 2016-07-22 11:40:23 -07:00
parent 97b40ab87d
commit adba4cde0b
8 changed files with 263 additions and 109 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
domain-server/resources/describe-settings.json
View file

@ -526,7 +526,7 @@
"groups": [ "groups": [
{ {
"label": "Group", "label": "Group",
"span": 4 "span": 5
}, },
{ {
"label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in. Group permissions are only granted if the user doesn&rsquo;t have their own row in the previous section.</p>'>?</a>", "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in. Group permissions are only granted if the user doesn&rsquo;t have their own row in the previous section.</p>'>?</a>",
@ -540,8 +540,12 @@
"label": "Group Name" "label": "Group Name"
}, },
{ {
"name": "rank", "name": "rank_id",
"label": "Rank" "label": "Rank ID"
},
{
"name": "rank_order",
"label": "Rank Order"
}, },
{ {
"name": "rank_name", "name": "rank_name",
@ -605,7 +609,7 @@
"groups": [ "groups": [
{ {
"label": "Group", "label": "Group",
"span": 4 "span": 5
}, },
{ {
"label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in. Group permissions are only granted if the user doesn&rsquo;t have their own row in the previous section.</p>'>?</a>", "label": "Permissions <a data-toggle='tooltip' data-html='true' title='<p><strong>Domain-Wide User Permissions</strong></p><ul><li><strong>Connect</strong><br />Sets whether users in specific groups can connect to the domain.</li><li><strong>Lock / Unlock</strong><br />Sets whether users in specific groups can change the &ldquo;locked&rdquo; property of an entity (either from on to off or off to on).</li><li><strong>Rez</strong><br />Sets whether users in specific groups can create new entities.</li><li><strong>Rez Temporary</strong><br />Sets whether users in specific groups can create new entities with a finite lifetime.</li><li><strong>Write Assets</strong><br />Sets whether users in specific groups can make changes to the domain&rsquo;s asset-server assets.</li><li><strong>Ignore Max Capacity</strong><br />Sets whether user in specific groups can connect even if the domain has reached or exceeded its maximum allowed agents.</li></ul><p>Permissions granted to a specific user will be a union of the permissions granted to the groups they are in. Group permissions are only granted if the user doesn&rsquo;t have their own row in the previous section.</p>'>?</a>",
@ -619,8 +623,12 @@
"label": "Group Name" "label": "Group Name"
}, },
{ {
"name": "rank", "name": "rank_id",
"label": "Rank" "label": "Rank ID"
},
{
"name": "rank_order",
"label": "Rank Order"
}, },
{ {
"name": "rank_name", "name": "rank_name",

93
domain-server/src/DomainGatekeeper.cpp
View file

@ -150,10 +150,12 @@ NodePermissions DomainGatekeeper::applyPermissionsForUser(bool isLocalUser,
// if this user is a known member of a group, give them the implied permissions // if this user is a known member of a group, give them the implied permissions
foreach (QUuid groupID, _server->_settingsManager.getGroupIDs()) { foreach (QUuid groupID, _server->_settingsManager.getGroupIDs()) {
int rank = _server->_settingsManager.isGroupMember(verifiedUsername, groupID); QUuid rankID = _server->_settingsManager.isGroupMember(verifiedUsername, groupID);
if (rank >= 0) { if (rankID != QUuid()) {
userPerms |= _server->_settingsManager.getPermissionsForGroup(groupID, rank); userPerms |= _server->_settingsManager.getPermissionsForGroup(groupID, rankID);
qDebug() << "user-permissions: user is in group:" << groupID << " rank:" << rank << "so:" << userPerms;
GroupRank rank = _server->_settingsManager.getGroupRank(groupID, rankID);
qDebug() << "user-permissions: user is in group:" << groupID << " rank:" << rank.name << "so:" << userPerms;
} }
} }
@ -161,12 +163,14 @@ NodePermissions DomainGatekeeper::applyPermissionsForUser(bool isLocalUser,
qDebug() << "------------------ checking blacklists ----------------------"; qDebug() << "------------------ checking blacklists ----------------------";
qDebug() << _server->_settingsManager.getBlacklistGroupIDs(); qDebug() << _server->_settingsManager.getBlacklistGroupIDs();
foreach (QUuid groupID, _server->_settingsManager.getBlacklistGroupIDs()) { foreach (QUuid groupID, _server->_settingsManager.getBlacklistGroupIDs()) {
if (_server->_settingsManager.isGroupMember(verifiedUsername, groupID)) { QUuid rankID = _server->_settingsManager.isGroupMember(verifiedUsername, groupID);
int rank = _server->_settingsManager.isGroupMember(verifiedUsername, groupID); if (rankID != QUuid()) {
qDebug() << groupID << verifiedUsername << "is member with rank" << rank; QUuid rankID = _server->_settingsManager.isGroupMember(verifiedUsername, groupID);
if (rank >= 0) { if (rankID != QUuid()) {
userPerms &= ~_server->_settingsManager.getForbiddensForGroup(groupID, rank); userPerms &= ~_server->_settingsManager.getForbiddensForGroup(groupID, rankID);
qDebug() << "user-permissions: user is in blacklist group:" << groupID << " rank:" << rank
GroupRank rank = _server->_settingsManager.getGroupRank(groupID, rankID);
qDebug() << "user-permissions: user is in blacklist group:" << groupID << " rank:" << rank.name
<< "so:" << userPerms; << "so:" << userPerms;
} }
} else { } else {
@ -197,6 +201,7 @@ void DomainGatekeeper::updateNodePermissions() {
if (node->getPermissions().isAssignment) { if (node->getPermissions().isAssignment) {
// this node is an assignment-client // this node is an assignment-client
userPerms.isAssignment = true; userPerms.isAssignment = true;
userPerms.permissions |= NodePermissions::Permission::canConnectToDomain;
userPerms.permissions |= NodePermissions::Permission::canAdjustLocks; userPerms.permissions |= NodePermissions::Permission::canAdjustLocks;
userPerms.permissions |= NodePermissions::Permission::canRezPermanentEntities; userPerms.permissions |= NodePermissions::Permission::canRezPermanentEntities;
userPerms.permissions |= NodePermissions::Permission::canRezTemporaryEntities; userPerms.permissions |= NodePermissions::Permission::canRezTemporaryEntities;
@ -263,9 +268,10 @@ SharedNodePointer DomainGatekeeper::processAssignmentConnectRequest(const NodeCo
// cleanup the PendingAssignedNodeData for this assignment now that it's connecting // cleanup the PendingAssignedNodeData for this assignment now that it's connecting
_pendingAssignedNodes.erase(it); _pendingAssignedNodes.erase(it);
// always allow assignment clients to create and destroy entities
NodePermissions userPerms; NodePermissions userPerms;
userPerms.isAssignment = true; userPerms.isAssignment = true;
userPerms.permissions |= NodePermissions::Permission::canConnectToDomain;
// always allow assignment clients to create and destroy entities
userPerms.permissions |= NodePermissions::Permission::canAdjustLocks; userPerms.permissions |= NodePermissions::Permission::canAdjustLocks;
userPerms.permissions |= NodePermissions::Permission::canRezPermanentEntities; userPerms.permissions |= NodePermissions::Permission::canRezPermanentEntities;
userPerms.permissions |= NodePermissions::Permission::canRezTemporaryEntities; userPerms.permissions |= NodePermissions::Permission::canRezTemporaryEntities;
@ -701,33 +707,63 @@ void DomainGatekeeper::processICEPingReplyPacket(QSharedPointer<ReceivedMessage>
} }
} }
// void DomainGatekeeper::getGroupMemberships(const QString& username) {
// // loop through the groups mentioned on the settings page and ask if this user is in each. The replies
// // will be received asynchronously and permissions will be updated as the answers come in.
// QList<QUuid> groupIDs = _server->_settingsManager.getGroupIDs() + _server->_settingsManager.getBlacklistGroupIDs();
// // TODO -- use alternative that allows checking entire group list in one call
// foreach (QUuid groupID, groupIDs) {
// if (groupID.isNull()) {
// continue;
// }
// getIsGroupMember(username, groupID);
// }
// }
// void DomainGatekeeper::getIsGroupMember(const QString& username, const QUuid groupID) {
// JSONCallbackParameters callbackParams;
// callbackParams.jsonCallbackReceiver = this;
// callbackParams.jsonCallbackMethod = "getIsGroupMemberJSONCallback";
// callbackParams.errorCallbackReceiver = this;
// callbackParams.errorCallbackMethod = "getIsGroupMemberErrorCallback";
// const QString GET_IS_GROUP_MEMBER_PATH = "api/v1/groups/%1/members/%2";
// QString groupIDStr = groupID.toString().mid(1,36);
// DependencyManager::get<AccountManager>()->sendRequest(GET_IS_GROUP_MEMBER_PATH.arg(groupIDStr).arg(username),
// AccountManagerAuth::Required,
// QNetworkAccessManager::GetOperation, callbackParams);
// }
void DomainGatekeeper::getGroupMemberships(const QString& username) { void DomainGatekeeper::getGroupMemberships(const QString& username) {
// loop through the groups mentioned on the settings page and ask if this user is in each. The replies // loop through the groups mentioned on the settings page and ask if this user is in each. The replies
// will be received asynchronously and permissions will be updated as the answers come in. // will be received asynchronously and permissions will be updated as the answers come in.
QList<QUuid> groupIDs = _server->_settingsManager.getGroupIDs() + _server->_settingsManager.getBlacklistGroupIDs();
// TODO -- use alternative that allows checking entire group list in one call
foreach (QUuid groupID, groupIDs) {
if (groupID.isNull()) {
continue;
}
getIsGroupMember(username, groupID);
}
}
void DomainGatekeeper::getIsGroupMember(const QString& username, const QUuid groupID) { QJsonObject json;
QSet<QString> groupIDSet;
foreach (QUuid groupID, _server->_settingsManager.getGroupIDs() + _server->_settingsManager.getBlacklistGroupIDs()) {
groupIDSet += groupID.toString().mid(1,36);
}
QJsonArray groupIDs = QJsonArray::fromStringList(groupIDSet.toList());
json["groups"] = groupIDs;
JSONCallbackParameters callbackParams; JSONCallbackParameters callbackParams;
callbackParams.jsonCallbackReceiver = this; callbackParams.jsonCallbackReceiver = this;
callbackParams.jsonCallbackMethod = "getIsGroupMemberJSONCallback"; callbackParams.jsonCallbackMethod = "getIsGroupMemberJSONCallback";
callbackParams.errorCallbackReceiver = this; callbackParams.errorCallbackReceiver = this;
callbackParams.errorCallbackMethod = "getIsGroupMemberErrorCallback"; callbackParams.errorCallbackMethod = "getIsGroupMemberErrorCallback";
const QString GET_IS_GROUP_MEMBER_PATH = "api/v1/groups/%1/members/%2"; const QString GET_IS_GROUP_MEMBER_PATH = "api/v1/groups/members/%2";
QString groupIDStr = groupID.toString().mid(1,36); DependencyManager::get<AccountManager>()->sendRequest(GET_IS_GROUP_MEMBER_PATH.arg(username),
DependencyManager::get<AccountManager>()->sendRequest(GET_IS_GROUP_MEMBER_PATH.arg(groupIDStr).arg(username),
AccountManagerAuth::Required, AccountManagerAuth::Required,
QNetworkAccessManager::GetOperation, callbackParams); QNetworkAccessManager::PostOperation, callbackParams,
QJsonDocument(json).toJson());
} }
void DomainGatekeeper::getIsGroupMemberJSONCallback(QNetworkReply& requestReply) { void DomainGatekeeper::getIsGroupMemberJSONCallback(QNetworkReply& requestReply) {
// { // {
// "data":{ // "data":{
@ -746,8 +782,6 @@ void DomainGatekeeper::getIsGroupMemberJSONCallback(QNetworkReply& requestReply)
// } // }
QJsonObject jsonObject = QJsonDocument::fromJson(requestReply.readAll()).object(); QJsonObject jsonObject = QJsonDocument::fromJson(requestReply.readAll()).object();
qDebug() << "********* getIsGroupMember api call returned:" << QJsonDocument(jsonObject).toJson(QJsonDocument::Compact); qDebug() << "********* getIsGroupMember api call returned:" << QJsonDocument(jsonObject).toJson(QJsonDocument::Compact);
@ -760,8 +794,9 @@ void DomainGatekeeper::getIsGroupMemberJSONCallback(QNetworkReply& requestReply)
_server->_settingsManager.clearGroupMemberships(username); _server->_settingsManager.clearGroupMemberships(username);
foreach (auto groupID, groups.keys()) { foreach (auto groupID, groups.keys()) {
QJsonObject group = groups[groupID].toObject(); QJsonObject group = groups[groupID].toObject();
int order = group["order"].toInt(); QJsonObject rank = group["rank"].toObject();
_server->_settingsManager.recordGroupMembership(username, groupID, order); QUuid rankID = QUuid(rank["id"].toString());
_server->_settingsManager.recordGroupMembership(username, groupID, rankID);
} }
} else { } else {
qDebug() << "getIsGroupMember api call returned:" << QJsonDocument(jsonObject).toJson(QJsonDocument::Compact); qDebug() << "getIsGroupMember api call returned:" << QJsonDocument(jsonObject).toJson(QJsonDocument::Compact);

2
domain-server/src/DomainGatekeeper.h
View file

@ -107,7 +107,7 @@ private:
NodePermissions applyPermissionsForUser(bool isLocalUser, NodePermissions userPerms, QString verifiedUsername); NodePermissions applyPermissionsForUser(bool isLocalUser, NodePermissions userPerms, QString verifiedUsername);
void getGroupMemberships(const QString& username); void getGroupMemberships(const QString& username);
void getIsGroupMember(const QString& username, const QUuid groupID); // void getIsGroupMember(const QString& username, const QUuid groupID);
void getDomainOwnerFriendsList(); void getDomainOwnerFriendsList();
}; };

153
domain-server/src/DomainServerSettingsManager.cpp
View file

@ -347,11 +347,31 @@ void DomainServerSettingsManager::packPermissionsForMap(QString mapName,
// convert details for each member of the subsection // convert details for each member of the subsection
QVariantList* permissionsList = reinterpret_cast<QVariantList*>(permissions); QVariantList* permissionsList = reinterpret_cast<QVariantList*>(permissions);
(*permissionsList).clear(); (*permissionsList).clear();
foreach (NodePermissionsKey userKey, agentPermissions.keys()) { QList<NodePermissionsKey> permissionsKeys = agentPermissions.keys();
// when a group is added from the domain-server settings page, the config map has a group-name with
// no ID or rank. We need to leave that there until we get a valid response back from the api.
// once we have the ranks and IDs, we need to delete the original entry so that it doesn't show
// up in the settings-page with undefined's after it.
QHash<QString, bool> groupNamesWithRanks;
// note which groups have rank/ID information
foreach (NodePermissionsKey userKey, permissionsKeys) {
NodePermissionsPointer perms = agentPermissions[userKey];
if (perms->getRankID() != QUuid()) {
groupNamesWithRanks[userKey.first] = true;
}
}
// convert each group-name / rank-id pair to a variant-map
foreach (NodePermissionsKey userKey, permissionsKeys) {
NodePermissionsPointer perms = agentPermissions[userKey]; NodePermissionsPointer perms = agentPermissions[userKey];
if (perms->isGroup()) { if (perms->isGroup()) {
QVector<QString> rankNames = _groupRanks[perms->getGroupID()]; if (perms->getRankID() == QUuid() && groupNamesWithRanks.contains(userKey.first)) {
*permissionsList += perms->toVariant(rankNames); // skip over the entry that was created when the user added the group.
continue;
}
QHash<QUuid, GroupRank>& groupRanks = _groupRanks[perms->getGroupID()];
*permissionsList += perms->toVariant(groupRanks);
} else { } else {
*permissionsList += perms->toVariant(); *permissionsList += perms->toVariant();
} }
@ -462,7 +482,7 @@ void DomainServerSettingsManager::unpackPermissions() {
} }
if (perms->isGroup()) { if (perms->isGroup()) {
// the group-id was cached. hook-up the uuid in the uuid->group hash // the group-id was cached. hook-up the uuid in the uuid->group hash
_groupPermissionsByUUID[GroupByUUIDKey(perms->getGroupID(), perms->getRank())] = _groupPermissions[idKey]; _groupPermissionsByUUID[GroupByUUIDKey(perms->getGroupID(), perms->getRankID())] = _groupPermissions[idKey];
needPack |= setGroupID(perms->getID(), perms->getGroupID()); needPack |= setGroupID(perms->getID(), perms->getGroupID());
} }
} }
@ -481,7 +501,7 @@ void DomainServerSettingsManager::unpackPermissions() {
} }
if (perms->isGroup()) { if (perms->isGroup()) {
// the group-id was cached. hook-up the uuid in the uuid->group hash // the group-id was cached. hook-up the uuid in the uuid->group hash
_groupForbiddensByUUID[GroupByUUIDKey(perms->getGroupID(), perms->getRank())] = _groupForbiddens[idKey]; _groupForbiddensByUUID[GroupByUUIDKey(perms->getGroupID(), perms->getRankID())] = _groupForbiddens[idKey];
needPack |= setGroupID(perms->getID(), perms->getGroupID()); needPack |= setGroupID(perms->getID(), perms->getGroupID());
} }
} }
@ -541,10 +561,10 @@ bool DomainServerSettingsManager::ensurePermissionsForGroupRanks() {
QList<QUuid> permissionGroupIDs = getGroupIDs(); QList<QUuid> permissionGroupIDs = getGroupIDs();
foreach (QUuid groupID, permissionGroupIDs) { foreach (QUuid groupID, permissionGroupIDs) {
QString groupName = _groupNames[groupID]; QString groupName = _groupNames[groupID];
int rankCountForGroup = _groupRanks[groupID].size(); QHash<QUuid, GroupRank>& ranksForGroup = _groupRanks[groupID];
for (int rank = 0; rank < rankCountForGroup; rank++) { foreach (QUuid rankID, ranksForGroup.keys()) {
NodePermissionsKey nameKey = NodePermissionsKey(groupName, rank); NodePermissionsKey nameKey = NodePermissionsKey(groupName, rankID);
GroupByUUIDKey idKey = GroupByUUIDKey(groupID, rank); GroupByUUIDKey idKey = GroupByUUIDKey(groupID, rankID);
NodePermissionsPointer perms; NodePermissionsPointer perms;
if (_groupPermissions.contains(nameKey)) { if (_groupPermissions.contains(nameKey)) {
perms = _groupPermissions[nameKey]; perms = _groupPermissions[nameKey];
@ -561,10 +581,10 @@ bool DomainServerSettingsManager::ensurePermissionsForGroupRanks() {
QList<QUuid> forbiddenGroupIDs = getBlacklistGroupIDs(); QList<QUuid> forbiddenGroupIDs = getBlacklistGroupIDs();
foreach (QUuid groupID, forbiddenGroupIDs) { foreach (QUuid groupID, forbiddenGroupIDs) {
QString groupName = _groupNames[groupID]; QString groupName = _groupNames[groupID];
int rankCountForGroup = _groupRanks[groupID].size(); QHash<QUuid, GroupRank>& ranksForGroup = _groupRanks[groupID];
for (int rank = 0; rank < rankCountForGroup; rank++) { foreach (QUuid rankID, ranksForGroup.keys()) {
NodePermissionsKey nameKey = NodePermissionsKey(groupName, rank); NodePermissionsKey nameKey = NodePermissionsKey(groupName, rankID);
GroupByUUIDKey idKey = GroupByUUIDKey(groupID, rank); GroupByUUIDKey idKey = GroupByUUIDKey(groupID, rankID);
NodePermissionsPointer perms; NodePermissionsPointer perms;
if (_groupForbiddens.contains(nameKey)) { if (_groupForbiddens.contains(nameKey)) {
perms = _groupForbiddens[nameKey]; perms = _groupForbiddens[nameKey];
@ -610,8 +630,8 @@ NodePermissions DomainServerSettingsManager::getPermissionsForName(const QString
return nullPermissions; return nullPermissions;
} }
NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QString& groupName, int rank) const { NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QString& groupName, QUuid rankID) const {
NodePermissionsKey groupRankKey = NodePermissionsKey(groupName, rank); NodePermissionsKey groupRankKey = NodePermissionsKey(groupName, rankID);
if (_groupPermissions.contains(groupRankKey)) { if (_groupPermissions.contains(groupRankKey)) {
return *(_groupPermissions[groupRankKey].get()); return *(_groupPermissions[groupRankKey].get());
} }
@ -620,8 +640,8 @@ NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QStrin
return nullPermissions; return nullPermissions;
} }
NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QUuid& groupID, int rank) const { NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QUuid& groupID, QUuid rankID) const {
GroupByUUIDKey byUUIDKey = GroupByUUIDKey(groupID, rank); GroupByUUIDKey byUUIDKey = GroupByUUIDKey(groupID, rankID);
if (!_groupPermissionsByUUID.contains(byUUIDKey)) { if (!_groupPermissionsByUUID.contains(byUUIDKey)) {
NodePermissions nullPermissions; NodePermissions nullPermissions;
nullPermissions.setAll(false); nullPermissions.setAll(false);
@ -631,8 +651,8 @@ NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QUuid&
return getPermissionsForGroup(groupKey.first, groupKey.second); return getPermissionsForGroup(groupKey.first, groupKey.second);
} }
NodePermissions DomainServerSettingsManager::getForbiddensForGroup(const QString& groupName, int rank) const { NodePermissions DomainServerSettingsManager::getForbiddensForGroup(const QString& groupName, QUuid rankID) const {
NodePermissionsKey groupRankKey = NodePermissionsKey(groupName, rank); NodePermissionsKey groupRankKey = NodePermissionsKey(groupName, rankID);
if (_groupForbiddens.contains(groupRankKey)) { if (_groupForbiddens.contains(groupRankKey)) {
return *(_groupForbiddens[groupRankKey].get()); return *(_groupForbiddens[groupRankKey].get());
} }
@ -642,8 +662,8 @@ NodePermissions DomainServerSettingsManager::getForbiddensForGroup(const QString
return nullForbiddens; return nullForbiddens;
} }
NodePermissions DomainServerSettingsManager::getForbiddensForGroup(const QUuid& groupID, int rank) const { NodePermissions DomainServerSettingsManager::getForbiddensForGroup(const QUuid& groupID, QUuid rankID) const {
GroupByUUIDKey byUUIDKey = GroupByUUIDKey(groupID, rank); GroupByUUIDKey byUUIDKey = GroupByUUIDKey(groupID, rankID);
if (!_groupForbiddensByUUID.contains(byUUIDKey)) { if (!_groupForbiddensByUUID.contains(byUUIDKey)) {
NodePermissions nullForbiddens; NodePermissions nullForbiddens;
// XXX should this be setAll(true) ? // XXX should this be setAll(true) ?
@ -1042,9 +1062,14 @@ bool permissionVariantLessThan(const QVariant &v1, const QVariant &v2) {
return v1.toString() < v2.toString(); return v1.toString() < v2.toString();
} }
if (m1.contains("rank_name") && m2.contains("rank_name") && // if (m1.contains("rank_name") && m2.contains("rank_name") &&
// m1["permissions_id"].toString() == m2["permissions_id"].toString()) {
// return m1["rank_name"].toString() < m2["rank_name"].toString();
// }
if (m1.contains("rank_order") && m2.contains("rank_order") &&
m1["permissions_id"].toString() == m2["permissions_id"].toString()) { m1["permissions_id"].toString() == m2["permissions_id"].toString()) {
return m1["rank_name"].toString() < m2["rank_name"].toString(); return m1["rank_order"].toInt() < m2["rank_order"].toInt();
} }
return m1["permissions_id"].toString() < m2["permissions_id"].toString(); return m1["permissions_id"].toString() < m2["permissions_id"].toString();
@ -1062,6 +1087,16 @@ void DomainServerSettingsManager::sortPermissions() {
QList<QVariant>* permissionsList = reinterpret_cast<QVariantList*>(permissions); QList<QVariant>* permissionsList = reinterpret_cast<QVariantList*>(permissions);
std::sort((*permissionsList).begin(), (*permissionsList).end(), permissionVariantLessThan); std::sort((*permissionsList).begin(), (*permissionsList).end(), permissionVariantLessThan);
} }
QVariant* groupPermissions = valueForKeyPath(_configMap.getUserConfig(), GROUP_PERMISSIONS_KEYPATH);
if (groupPermissions && groupPermissions->canConvert(QMetaType::QVariantList)) {
QList<QVariant>* permissionsList = reinterpret_cast<QVariantList*>(groupPermissions);
std::sort((*permissionsList).begin(), (*permissionsList).end(), permissionVariantLessThan);
}
QVariant* forbiddenPermissions = valueForKeyPath(_configMap.getUserConfig(), GROUP_FORBIDDENS_KEYPATH);
if (forbiddenPermissions && forbiddenPermissions->canConvert(QMetaType::QVariantList)) {
QList<QVariant>* permissionsList = reinterpret_cast<QVariantList*>(forbiddenPermissions);
std::sort((*permissionsList).begin(), (*permissionsList).end(), permissionVariantLessThan);
}
} }
void DomainServerSettingsManager::persistToFile() { void DomainServerSettingsManager::persistToFile() {
@ -1138,10 +1173,15 @@ void DomainServerSettingsManager::apiRefreshGroupInformation() {
return; return;
} }
bool changed = false;
QStringList groupNames = getAllKnownGroupNames(); QStringList groupNames = getAllKnownGroupNames();
foreach (QString groupName, groupNames) { foreach (QString groupName, groupNames) {
if (_groupIDs.contains(groupName.toLower())) { QString lowerGroupName = groupName.toLower();
// we already know about this one if (_groupIDs.contains(lowerGroupName)) {
// we already know about this one. recall setGroupID in case the group has been
// added to another section (the same group is found in both groups and blacklists).
changed = setGroupID(groupName, _groupIDs[lowerGroupName]);
continue; continue;
} }
apiGetGroupID(groupName); apiGetGroupID(groupName);
@ -1151,6 +1191,12 @@ void DomainServerSettingsManager::apiRefreshGroupInformation() {
apiGetGroupRanks(groupID); apiGetGroupRanks(groupID);
} }
changed |= ensurePermissionsForGroupRanks();
if (changed) {
packPermissions();
}
unpackPermissions(); unpackPermissions();
} }
@ -1222,8 +1268,6 @@ void DomainServerSettingsManager::apiGetGroupIDErrorCallback(QNetworkReply& requ
} }
void DomainServerSettingsManager::apiGetGroupRanks(const QUuid& groupID) { void DomainServerSettingsManager::apiGetGroupRanks(const QUuid& groupID) {
_groupRanksLastFetched[groupID] = usecTimestampNow();
JSONCallbackParameters callbackParams; JSONCallbackParameters callbackParams;
callbackParams.jsonCallbackReceiver = this; callbackParams.jsonCallbackReceiver = this;
callbackParams.jsonCallbackMethod = "apiGetGroupRanksJSONCallback"; callbackParams.jsonCallbackMethod = "apiGetGroupRanksJSONCallback";
@ -1278,18 +1322,32 @@ void DomainServerSettingsManager::apiGetGroupRanksJSONCallback(QNetworkReply& re
foreach (auto groupID, groups.keys()) { foreach (auto groupID, groups.keys()) {
QJsonObject group = groups[groupID].toObject(); QJsonObject group = groups[groupID].toObject();
QJsonArray ranks = group["ranks"].toArray(); QJsonArray ranks = group["ranks"].toArray();
QHash<QUuid, GroupRank>& ranksForGroup = _groupRanks[groupID];
QHash<QUuid, bool> idsFromThisUpdate;
for (int rankIndex = 0; rankIndex < ranks.size(); rankIndex++) { for (int rankIndex = 0; rankIndex < ranks.size(); rankIndex++) {
QJsonObject rank = ranks.at(rankIndex).toObject(); QJsonObject rank = ranks.at(rankIndex).toObject();
QString rankName = rank["name"].toString();
QUuid rankID = QUuid(rank["id"].toString());
int rankOrder = rank["order"].toInt(); int rankOrder = rank["order"].toInt();
QVector<QString>& ranksForGroup = _groupRanks[groupID]; QString rankName = rank["name"].toString();
if (ranksForGroup.size() < rankOrder + 1) { int rankMembersCount = rank["members_count"].toInt();
ranksForGroup.resize(rankOrder + 1);
GroupRank groupRank(rankID, rankOrder, rankName, rankMembersCount);
if (ranksForGroup[rankID] != groupRank) {
ranksForGroup[rankID] = groupRank;
changed = true; changed = true;
} }
if (ranksForGroup[rankOrder] != rankName) {
ranksForGroup[rankOrder] = rankName; idsFromThisUpdate[rankID] = true;
changed = true; }
// clean up any that went away
foreach (QUuid rankID, ranksForGroup.keys()) {
if (!idsFromThisUpdate.contains(rankID)) {
ranksForGroup.remove(rankID);
} }
} }
} }
@ -1307,20 +1365,20 @@ void DomainServerSettingsManager::apiGetGroupRanksErrorCallback(QNetworkReply& r
qDebug() << "******************** getGroupRanks api call failed:" << requestReply.error(); qDebug() << "******************** getGroupRanks api call failed:" << requestReply.error();
} }
void DomainServerSettingsManager::recordGroupMembership(const QString& name, const QUuid groupID, int rank) { void DomainServerSettingsManager::recordGroupMembership(const QString& name, const QUuid groupID, QUuid rankID) {
if (rank >= 0) { if (rankID != QUuid()) {
_groupMembership[name][groupID] = rank; _groupMembership[name][groupID] = rankID;
} else { } else {
_groupMembership[name].remove(groupID); _groupMembership[name].remove(groupID);
} }
} }
int DomainServerSettingsManager::isGroupMember(const QString& name, const QUuid& groupID) { QUuid DomainServerSettingsManager::isGroupMember(const QString& name, const QUuid& groupID) {
const QHash<QUuid, int>& groupsForName = _groupMembership[name]; const QHash<QUuid, QUuid>& groupsForName = _groupMembership[name];
if (groupsForName.contains(groupID)) { if (groupsForName.contains(groupID)) {
return groupsForName[groupID]; return groupsForName[groupID];
} }
return -1; return QUuid();
} }
QList<QUuid> DomainServerSettingsManager::getGroupIDs() { QList<QUuid> DomainServerSettingsManager::getGroupIDs() {
@ -1370,9 +1428,10 @@ void DomainServerSettingsManager::debugDumpGroupsState() {
qDebug() << "_groupRanks:"; qDebug() << "_groupRanks:";
foreach (QUuid groupID, _groupRanks.keys()) { foreach (QUuid groupID, _groupRanks.keys()) {
QVector<QString>& ranksForGroup = _groupRanks[groupID]; QHash<QUuid, GroupRank>& ranksForGroup = _groupRanks[groupID];
QString readableRanks; QString readableRanks;
foreach (QString rankName, ranksForGroup) { foreach (QUuid rankID, ranksForGroup.keys()) {
QString rankName = ranksForGroup[rankID].name;
if (readableRanks == "") { if (readableRanks == "") {
readableRanks = rankName; readableRanks = rankName;
} else { } else {
@ -1381,4 +1440,14 @@ void DomainServerSettingsManager::debugDumpGroupsState() {
} }
qDebug() << "| " << groupID << "==>" << readableRanks; qDebug() << "| " << groupID << "==>" << readableRanks;
} }
qDebug() << "_groupMembership";
foreach (QString userName, _groupMembership.keys()) {
QHash<QUuid, QUuid>& groupsForUser = _groupMembership[userName];
QString line = "";
foreach (QUuid groupID, groupsForUser.keys()) {
line += " g=" + groupID.toString() + ",r=" + groupsForUser[groupID].toString();
}
qDebug() << "| " << userName << line;
}
} }

30
domain-server/src/DomainServerSettingsManager.h
View file

@ -30,7 +30,8 @@ const QString AGENT_PERMISSIONS_KEYPATH = "security.permissions";
const QString GROUP_PERMISSIONS_KEYPATH = "security.group_permissions"; const QString GROUP_PERMISSIONS_KEYPATH = "security.group_permissions";
const QString GROUP_FORBIDDENS_KEYPATH = "security.group_forbiddens"; const QString GROUP_FORBIDDENS_KEYPATH = "security.group_forbiddens";
using GroupByUUIDKey = QPair<QUuid, int>; using GroupByUUIDKey = QPair<QUuid, QUuid>; // groupID, rankID
class DomainServerSettingsManager : public QObject { class DomainServerSettingsManager : public QObject {
Q_OBJECT Q_OBJECT
@ -58,32 +59,34 @@ public:
QStringList getAllNames() const; QStringList getAllNames() const;
// these give access to permissions for specific groups from the domain-server settings page // these give access to permissions for specific groups from the domain-server settings page
bool havePermissionsForGroup(const QString& groupName, int rank) const { bool havePermissionsForGroup(const QString& groupName, QUuid rankID) const {
return _groupPermissions.contains(groupName, rank); return _groupPermissions.contains(groupName, rankID);
} }
NodePermissions getPermissionsForGroup(const QString& groupName, int rank) const; NodePermissions getPermissionsForGroup(const QString& groupName, QUuid rankID) const;
NodePermissions getPermissionsForGroup(const QUuid& groupID, int rank) const; NodePermissions getPermissionsForGroup(const QUuid& groupID, QUuid rankID) const;
// these remove permissions from users in certain groups // these remove permissions from users in certain groups
bool haveForbiddensForGroup(const QString& groupName, int rank) const { return _groupForbiddens.contains(groupName, rank); } bool haveForbiddensForGroup(const QString& groupName, QUuid rankID) const {
NodePermissions getForbiddensForGroup(const QString& groupName, int rank) const; return _groupForbiddens.contains(groupName, rankID);
NodePermissions getForbiddensForGroup(const QUuid& groupID, int rank) const; }
NodePermissions getForbiddensForGroup(const QString& groupName, QUuid rankID) const;
NodePermissions getForbiddensForGroup(const QUuid& groupID, QUuid rankID) const;
QStringList getAllKnownGroupNames(); QStringList getAllKnownGroupNames();
bool setGroupID(const QString& groupName, const QUuid& groupID); bool setGroupID(const QString& groupName, const QUuid& groupID);
GroupRank getGroupRank(QUuid groupID, QUuid rankID) { return _groupRanks[groupID][rankID]; }
QList<QUuid> getGroupIDs(); QList<QUuid> getGroupIDs();
QList<QUuid> getBlacklistGroupIDs(); QList<QUuid> getBlacklistGroupIDs();
// these are used to locally cache the result of calling "api/v1/groups/.../is_member/..." on metaverse's api // these are used to locally cache the result of calling "api/v1/groups/.../is_member/..." on metaverse's api
void clearGroupMemberships(const QString& name) { _groupMembership[name].clear(); } void clearGroupMemberships(const QString& name) { _groupMembership[name].clear(); }
void recordGroupMembership(const QString& name, const QUuid groupID, int rank); void recordGroupMembership(const QString& name, const QUuid groupID, QUuid rankID);
int isGroupMember(const QString& name, const QUuid& groupID); // returns rank or -1 if not a member QUuid isGroupMember(const QString& name, const QUuid& groupID); // returns rank or -1 if not a member
// calls http api to refresh group information // calls http api to refresh group information
void apiRefreshGroupInformation(); void apiRefreshGroupInformation();
signals: signals:
void updateNodePermissions(); void updateNodePermissions();
@ -138,11 +141,10 @@ private:
QHash<QUuid, QString> _groupNames; // keep track of group-id to group-name mappings QHash<QUuid, QString> _groupNames; // keep track of group-id to group-name mappings
// remember the responses to api/v1/groups/%1/ranks // remember the responses to api/v1/groups/%1/ranks
QHash<QUuid, QVector<QString>> _groupRanks; // QHash<group-id, QVector<rank-name>> QHash<QUuid, QHash<QUuid, GroupRank>> _groupRanks; // QHash<group-id, QHash<rankID, rank>>
QHash<QUuid, quint64> _groupRanksLastFetched; // when did we last update _groupRanks
// keep track of answers to api queries about which users are in which groups // keep track of answers to api queries about which users are in which groups
QHash<QString, QHash<QUuid, int>> _groupMembership; // QHash<user-name, QHash<group-id, rank>> QHash<QString, QHash<QUuid, QUuid>> _groupMembership; // QHash<user-name, QHash<group-id, rank-id>>
void debugDumpGroupsState(); void debugDumpGroupsState();

36
libraries/networking/src/GroupRank.h Normal file
View file

@ -0,0 +1,36 @@
//
// GroupRank.h
// libraries/networking/src/
//
// Created by Seth Alves on 2016-7-21.
// Copyright 2016 High Fidelity, Inc.
//
// Distributed under the Apache License, Version 2.0.
// See the accompanying file LICENSE or http://www.apache.org/licenses/LICENSE-2.0.html
//
#ifndef hifi_GroupRank_h
#define hifi_GroupRank_h
class GroupRank {
public:
GroupRank() : id(QUuid()), order(-1), name(""), membersCount(-1) {}
GroupRank(QUuid id, unsigned int order, QString name, unsigned int membersCount) :
id(id), order(order), name(name), membersCount(membersCount) {}
QUuid id;
int order;
QString name;
int membersCount;
};
inline bool operator==(const GroupRank& lhs, const GroupRank& rhs) {
return
lhs.id == rhs.id &&
lhs.order == rhs.order &&
lhs.name == rhs.name &&
lhs.membersCount == rhs.membersCount;
}
inline bool operator!=(const GroupRank& lhs, const GroupRank& rhs) { return !(lhs == rhs); }
#endif // hifi_GroupRank_h

15
libraries/networking/src/NodePermissions.cpp
View file

@ -32,8 +32,8 @@ NodePermissions::NodePermissions(QMap<QString, QVariant> perms) {
_groupIDSet = true; _groupIDSet = true;
} }
} }
if (perms.contains("rank")) { if (perms.contains("rank_id")) {
_rank = perms["rank"].toInt(); _rankID = QUuid(perms["rank_id"].toString());
} }
permissions = NodePermissions::Permissions(); permissions = NodePermissions::Permissions();
@ -46,14 +46,15 @@ NodePermissions::NodePermissions(QMap<QString, QVariant> perms) {
Permission::canConnectPastMaxCapacity : Permission::none; Permission::canConnectPastMaxCapacity : Permission::none;
} }
QVariant NodePermissions::toVariant(QVector<QString> rankNames) { QVariant NodePermissions::toVariant(QHash<QUuid, GroupRank> groupRanks) {
QMap<QString, QVariant> values; QMap<QString, QVariant> values;
values["permissions_id"] = _id; values["permissions_id"] = _id;
if (_groupIDSet) { if (_groupIDSet) {
values["group_id"] = _groupID; values["group_id"] = _groupID;
values["rank"] = _rank; if (groupRanks.contains(_rankID)) {
if (rankNames.size() > _rank) { values["rank_id"] = _rankID;
values["rank_name"] = rankNames[_rank]; values["rank_name"] = groupRanks[_rankID].name;
values["rank_order"] = groupRanks[_rankID].order;
} }
} }
values["id_can_connect"] = can(Permission::canConnectToDomain); values["id_can_connect"] = can(Permission::canConnectToDomain);
@ -147,7 +148,7 @@ QDataStream& operator>>(QDataStream& in, NodePermissions& perms) {
QDebug operator<<(QDebug debug, const NodePermissions& perms) { QDebug operator<<(QDebug debug, const NodePermissions& perms) {
debug.nospace() << "[permissions: " << perms.getID() << "/" << perms.getVerifiedUserName() << " -- "; debug.nospace() << "[permissions: " << perms.getID() << "/" << perms.getVerifiedUserName() << " -- ";
debug.nospace() << "rank=" << perms.getRank() debug.nospace() << "rank=" << perms.getRankID()
<< ", groupID=" << perms.getGroupID() << "/" << (perms.isGroup() ? "y" : "n"); << ", groupID=" << perms.getGroupID() << "/" << (perms.isGroup() ? "y" : "n");
if (perms.can(NodePermissions::Permission::canConnectToDomain)) { if (perms.can(NodePermissions::Permission::canConnectToDomain)) {
debug << " connect"; debug << " connect";

23
libraries/networking/src/NodePermissions.h
View file

@ -18,21 +18,24 @@
#include <QVariant> #include <QVariant>
#include <QUuid> #include <QUuid>
#include "GroupRank.h"
class NodePermissions; class NodePermissions;
using NodePermissionsPointer = std::shared_ptr<NodePermissions>; using NodePermissionsPointer = std::shared_ptr<NodePermissions>;
using NodePermissionsKey = QPair<QString, int>; using NodePermissionsKey = QPair<QString, QUuid>; // name, rankID
using NodePermissionsKeyList = QList<QPair<QString, int>>; using NodePermissionsKeyList = QList<QPair<QString, QUuid>>;
class NodePermissions { class NodePermissions {
public: public:
NodePermissions() { _id = QUuid::createUuid().toString(); _rank = 0; } NodePermissions() { _id = QUuid::createUuid().toString(); _rankID = QUuid(); }
NodePermissions(const QString& name) { _id = name.toLower(); _rank = 0; } NodePermissions(const QString& name) { _id = name.toLower(); _rankID = QUuid(); }
NodePermissions(const NodePermissionsKey& key) { _id = key.first.toLower(); _rank = key.second; } NodePermissions(const NodePermissionsKey& key) { _id = key.first.toLower(); _rankID = key.second; }
NodePermissions(QMap<QString, QVariant> perms); NodePermissions(QMap<QString, QVariant> perms);
QString getID() const { return _id; } // a user-name or a group-name, not verified QString getID() const { return _id; } // a user-name or a group-name, not verified
int getRank() const { return _rank; } QUuid getRankID() const { return _rankID; }
NodePermissionsKey getKey() const { return NodePermissionsKey(_id, _rank); } NodePermissionsKey getKey() const { return NodePermissionsKey(_id, _rankID); }
// the _id member isn't authenticated/verified and _username is. // the _id member isn't authenticated/verified and _username is.
void setVerifiedUserName(QString userName) { _verifiedUserName = userName.toLower(); } void setVerifiedUserName(QString userName) { _verifiedUserName = userName.toLower(); }
@ -63,7 +66,7 @@ public:
Q_DECLARE_FLAGS(Permissions, Permission) Q_DECLARE_FLAGS(Permissions, Permission)
Permissions permissions; Permissions permissions;
QVariant toVariant(QVector<QString> rankNames = QVector<QString>()); QVariant toVariant(QHash<QUuid, GroupRank> groupRanks = QHash<QUuid, GroupRank>());
void setAll(bool value); void setAll(bool value);
@ -81,7 +84,7 @@ public:
protected: protected:
QString _id; QString _id;
int _rank { 0 }; // 0 unless this is for a group QUuid _rankID { QUuid() }; // 0 unless this is for a group
QString _verifiedUserName; QString _verifiedUserName;
bool _groupIDSet { false }; bool _groupIDSet { false };
@ -107,7 +110,7 @@ public:
bool contains(const NodePermissionsKey& key) const { bool contains(const NodePermissionsKey& key) const {
return _data.contains(NodePermissionsKey(key.first.toLower(), key.second)); return _data.contains(NodePermissionsKey(key.first.toLower(), key.second));
} }
bool contains(const QString& keyFirst, int keySecond) const { bool contains(const QString& keyFirst, QUuid keySecond) const {
return _data.contains(NodePermissionsKey(keyFirst.toLower(), keySecond)); return _data.contains(NodePermissionsKey(keyFirst.toLower(), keySecond));
} }
QList<NodePermissionsKey> keys() const { return _data.keys(); } QList<NodePermissionsKey> keys() const { return _data.keys(); }