From b1e0e6d7081ccc356ef04d5274af91387e4003bf Mon Sep 17 00:00:00 2001 From: Stephen Birarda Date: Mon, 25 Jul 2016 17:35:22 -0700 Subject: [PATCH] use replacement for IP address perms, not additive --- .../resources/describe-settings.json | 67 +------------------ domain-server/src/DomainGatekeeper.cpp | 33 +++++++-- domain-server/src/DomainGatekeeper.h | 3 +- .../src/DomainServerSettingsManager.cpp | 17 +++-- .../src/DomainServerSettingsManager.h | 7 +- 5 files changed, 44 insertions(+), 83 deletions(-) diff --git a/domain-server/resources/describe-settings.json b/domain-server/resources/describe-settings.json index 11d21b3ab0..cfba2ae4f3 100644 --- a/domain-server/resources/describe-settings.json +++ b/domain-server/resources/describe-settings.json @@ -649,72 +649,7 @@ "span": 1 }, { - "label": "Permissions ?", - "span": 6 - } - ], - - "columns": [ - { - "name": "permissions_id", - "label": "" - }, - { - "name": "id_can_connect", - "label": "Connect", - "type": "checkbox", - "editable": true, - "default": false - }, - { - "name": "id_can_adjust_locks", - "label": "Lock / Unlock", - "type": "checkbox", - "editable": true, - "default": false - }, - { - "name": "id_can_rez", - "label": "Rez", - "type": "checkbox", - "editable": true, - "default": false - }, - { - "name": "id_can_rez_tmp", - "label": "Rez Temporary", - "type": "checkbox", - "editable": true, - "default": false - }, - { - "name": "id_can_write_to_asset_server", - "label": "Write Assets", - "type": "checkbox", - "editable": true, - "default": false - }, - { - "name": "id_can_connect_past_max_capacity", - "label": "Ignore Max Capacity", - "type": "checkbox", - "editable": true, - "default": false - } - ] - }, - { - "name": "ip_forbiddens", - "type": "table", - "caption": "Permissions denied to Users from IP Addresses", - "can_add_new_rows": true, - "groups": [ - { - "label": "IP", - "span": 1 - }, - { - "label": "Permissions ?", + "label": "Permissions ?", "span": 6 } ], 
diff --git a/domain-server/src/DomainGatekeeper.cpp b/domain-server/src/DomainGatekeeper.cpp index 5b2e5a2bb0..0abbf38c72 100644 --- a/domain-server/src/DomainGatekeeper.cpp +++ b/domain-server/src/DomainGatekeeper.cpp @@ -120,8 +120,9 @@ void DomainGatekeeper::processConnectRequestPacket(QSharedPointer_settingsManager.hasPermissionsForIP(senderAddress)) { + // this user comes from an IP we have in our permissions table, apply those permissions + userPerms = _server->_settingsManager.getPermissionsForIP(senderAddress); + +#ifdef WANT_DEBUG + qDebug() << "| user-permissions: specific IP matches, so:" << userPerms; +#endif + } } else { userPerms.setID(verifiedUsername); if (_server->_settingsManager.havePermissionsForName(verifiedUsername)) { userPerms = _server->_settingsManager.getPermissionsForName(verifiedUsername); - userPerms.setVerifiedUserName(verifiedUsername); #ifdef WANT_DEBUG qDebug() << "| user-permissions: specific user matches, so:" << userPerms; +#endif + } else if (_server->_settingsManager.hasPermissionsForIP(senderAddress)) { + // this user comes from an IP we have in our permissions table, apply those permissions + userPerms = _server->_settingsManager.getPermissionsForIP(senderAddress); + +#ifdef WANT_DEBUG + qDebug() << "| user-permissions: specific IP matches, so:" << userPerms; #endif } else { - userPerms.setVerifiedUserName(verifiedUsername); + // they are logged into metaverse, but we don't have specific permissions for them. userPerms |= _server->_settingsManager.getStandardPermissionsForName(NodePermissions::standardNameLoggedIn); #ifdef WANT_DEBUG @@ -191,6 +207,8 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin } } } + + userPerms.setVerifiedUserName(verifiedUsername); } #ifdef WANT_DEBUG 
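Review bot: In the verified-user branch of setPermissionsForUser, the IP row is only consulted in the `else if` after `havePermissionsForName(verifiedUsername)`, so a per-name row always wins over a per-IP row, and a matched IP row also skips the standard logged-in grant in the final `else`. With replacement semantics and the ip_forbiddens table removed by this commit, an ip_permissions row with everything unchecked is the only way left to restrict an address, and it will not apply to any account that has its own row. If that precedence is intended, it deserves a comment above the chain such as `// precedence: per-name row, then per-IP row, then standard logged-in permissions; the first match replaces userPerms`; if IP rows are meant to restrict, the IP check should come first. Rows previously stored under `security.ip_forbiddens` are no longer loaded either, and whether a settings migration covers them is not visible here. The start of this hunk, including the unverified-user branch, is not fully visible, so the same ordering question may apply there.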
@@ -225,7 +243,12 @@ void DomainGatekeeper::updateNodePermissions() { const QHostAddress& addr = node->getLocalSocket().getAddress(); bool isLocalUser = (addr == limitedNodeList->getLocalSockAddr().getAddress() || addr == QHostAddress::LocalHost); - userPerms = setPermissionsForUser(isLocalUser, verifiedUsername); + + // at this point we don't have a sending socket for packets from this node - assume it is the active socket + // or the public socket if we haven't activated a socket for the node yet + HifiSockAddr connectingAddr = node->getActiveSocket() ? node->getPublicSocket() : *node->getActiveSocket(); + + userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, connectingAddr.getAddress()); } node->setPermissions(userPerms); @@ -337,7 +360,7 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect } } - userPerms = setPermissionsForUser(isLocalUser, verifiedUsername); + userPerms = setPermissionsForUser(isLocalUser, verifiedUsername, nodeConnection.senderSockAddr.getAddress()); if (!userPerms.can(NodePermissions::Permission::canConnectToDomain)) { sendConnectionDeniedPacket("You lack the required permissions to connect to this domain.", diff --git a/domain-server/src/DomainGatekeeper.h b/domain-server/src/DomainGatekeeper.h index 12697b8f3b..06ecfcf285 100644 --- a/domain-server/src/DomainGatekeeper.h +++ b/domain-server/src/DomainGatekeeper.h @@ -106,7 +106,8 @@ private: QSet _domainOwnerFriends; // keep track of friends of the domain owner QSet _inFlightGroupMembershipsRequests; // keep track of which we've already asked for - NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername); + NodePermissions setPermissionsForUser(bool isLocalUser, QString verifiedUsername, const QHostAddress& senderAddress); + void getGroupMemberships(const QString& username); // void getIsGroupMember(const QString& username, const QUuid groupID); void getDomainOwnerFriendsList(); 
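Review bot: The ternary that picks `connectingAddr` in updateNodePermissions is inverted: when `node->getActiveSocket()` is non-null it takes the public socket, and when it is null it dereferences a null pointer (undefined behaviour, most likely a domain-server crash), which contradicts the comment directly above it. It should read `HifiSockAddr connectingAddr = node->getActiveSocket() ? *node->getActiveSocket() : node->getPublicSocket();`. Separately, processAgentConnectRequest keys the IP lookup on `nodeConnection.senderSockAddr`, the address the server observed, while this path uses sockets stored on the node; if the public socket can be reported by the client (not visible here), re-evaluation could select a different IP row than the one applied at connect time, so keeping the observed sender address on the node would be safer. The function body extends outside the hunk.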
diff --git a/domain-server/src/DomainServerSettingsManager.cpp b/domain-server/src/DomainServerSettingsManager.cpp index d5bc732c13..81794b2899 100644 --- a/domain-server/src/DomainServerSettingsManager.cpp +++ b/domain-server/src/DomainServerSettingsManager.cpp @@ -421,9 +421,6 @@ void DomainServerSettingsManager::packPermissions() { // save settings for IP addresses packPermissionsForMap("permissions", _ipPermissions, IP_PERMISSIONS_KEYPATH); - // save settings for IP address blacklist - packPermissionsForMap("permissions", _ipForbiddens, IP_FORBIDDENS_KEYPATH); - // save settings for groups packPermissionsForMap("permissions", _groupPermissions, GROUP_PERMISSIONS_KEYPATH); @@ -457,7 +454,7 @@ bool DomainServerSettingsManager::unpackPermissionsForKeypath(const QString& key if (mapPointer->contains(idKey)) { qDebug() << "Duplicate name in permissions table for" << keyPath << " - " << id; - (*mapPointer)[idKey] |= perms; + *((*mapPointer)[idKey]) |= *perms; needPack = true; } else { (*mapPointer)[idKey] = perms; @@ -480,8 +477,8 @@ void DomainServerSettingsManager::unpackPermissions() { needPack |= unpackPermissionsForKeypath(AGENT_STANDARD_PERMISSIONS_KEYPATH, &_standardAgentPermissions); needPack |= unpackPermissionsForKeypath(AGENT_PERMISSIONS_KEYPATH, &_agentPermissions); + needPack |= unpackPermissionsForKeypath(IP_PERMISSIONS_KEYPATH, &_ipPermissions); - needPack |= unpackPermissionsForKeypath(IP_FORBIDDENS_KEYPATH, &_ipForbiddens); needPack |= unpackPermissionsForKeypath(GROUP_PERMISSIONS_KEYPATH, &_groupPermissions, [&](NodePermissionsPointer perms){ 
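Review bot: Duplicate keys in unpackPermissionsForKeypath are still merged with `*((*mapPointer)[idKey]) |= *perms;`, which presumably ORs the permission sets, so two rows for the same IP load as the union of their permissions while this commit makes a matched IP row replace the user's permissions outright. A restrictive IP row can therefore be widened by a stray duplicate row, and the only trace is a qDebug line. For the IP table it would be safer to keep the more restrictive result or reject the duplicate; at minimum the branch should carry a comment such as `// duplicates are OR-ed together: the most permissive row wins`. The function starts and ends outside the hunk.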
@@ -634,6 +631,16 @@ NodePermissions DomainServerSettingsManager::getPermissionsForName(const QString return nullPermissions; } +NodePermissions DomainServerSettingsManager::getPermissionsForIP(const QHostAddress& address) const { + NodePermissionsKey ipKey = NodePermissionsKey(address.toString(), 0); + if (_ipPermissions.contains(ipKey)) { + return *(_ipPermissions[ipKey].get()); + } + NodePermissions nullPermissions; + nullPermissions.setAll(false); + return nullPermissions; +} + NodePermissions DomainServerSettingsManager::getPermissionsForGroup(const QString& groupName, QUuid rankID) const { NodePermissionsKey groupRankKey = NodePermissionsKey(groupName, rankID); if (_groupPermissions.contains(groupRankKey)) { diff --git a/domain-server/src/DomainServerSettingsManager.h b/domain-server/src/DomainServerSettingsManager.h index 754b62a72b..440cd8fe24 100644 --- a/domain-server/src/DomainServerSettingsManager.h +++ b/domain-server/src/DomainServerSettingsManager.h @@ -28,7 +28,6 @@ const QString SETTINGS_PATH_JSON = SETTINGS_PATH + ".json"; const QString AGENT_STANDARD_PERMISSIONS_KEYPATH = "security.standard_permissions"; const QString AGENT_PERMISSIONS_KEYPATH = "security.permissions"; const QString IP_PERMISSIONS_KEYPATH = "security.ip_permissions"; -const QString IP_FORBIDDENS_KEYPATH = "security.ip_forbiddens"; const QString GROUP_PERMISSIONS_KEYPATH = "security.group_permissions"; const QString GROUP_FORBIDDENS_KEYPATH = "security.group_forbiddens"; 
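Review bot: getPermissionsForIP matches on `address.toString()`, so a row only applies when the text stored in settings is identical to the form Qt prints for the peer address. An IPv4 peer seen through a dual-stack socket may be reported in IPv4-mapped IPv6 form (constructed example: `::ffff:192.0.2.10` against a row for `192.0.2.10`), and IPv6 text can carry a scope id or differ in spelling from what the operator typed; in those cases the row is silently skipped and the user falls through to the other permission sources. Normalising both the settings key at unpack time and the lookup address to one canonical form before building the `NodePermissionsKey` would close that gap. `hasPermissionsForIP` in DomainServerSettingsManager.h uses the same string key and needs the same treatment.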
@@ -61,13 +60,9 @@ public: QStringList getAllNames() const; // these give access to permissions for specific IPs from the domain-server settings page - bool havePermissionsForIP(const QHostAddress& address) const { return _ipPermissions.contains(address.toString(), 0); } + bool hasPermissionsForIP(const QHostAddress& address) const { return _ipPermissions.contains(address.toString(), 0); } NodePermissions getPermissionsForIP(const QHostAddress& address) const; - // these remove permissions from users connecting from specific IPs - bool haveForbiddensForIP(const QHostAddress& address) const { return _ipForbiddens.contains(address.toString(), 0); } - NodePermissions getForbiddensForIP(const QHostAddress& address) const; - // these give access to permissions for specific groups from the domain-server settings page bool havePermissionsForGroup(const QString& groupName, QUuid rankID) const { return _groupPermissions.contains(groupName, rankID);