Merge branch 'master' of https://github.com/highfidelity/hifi into metavoxels

2025-08-08 12:37:51 +02:00 · 2014-10-17 11:41:01 -07:00 · 2014-10-17 11:41:01 -07:00 · f115416a5d
commit f115416a5d
parent 1fdfb51600 8e047f2f9f
2 changed files with 53 additions and 50 deletions
--- a/domain-server/resources/describe-settings.json
+++ b/domain-server/resources/describe-settings.json
@ -64,7 +64,7 @@
        "name": "allowed_users",
        "type": "table",
        "label": "Allowed Users",
-        "help": "List the High Fidelity names for people you want to be able to connect to this domain.<br/>An empty list means everyone.<br/>You can always connect from this machine.",
+        "help": "List the High Fidelity names for people you want to be able to connect to this domain.<br/>An empty list means everyone.<br/>You can always connect from the domain-server machine.",
        "numbered": false,
        "columns": [
          {
--- a/domain-server/src/DomainServer.cpp
+++ b/domain-server/src/DomainServer.cpp
@ -11,6 +11,7 @@

 #include <openssl/err.h>
 #include <openssl/rsa.h>
+#include <openssl/x509.h>

 #include <QtCore/QDir>
 #include <QtCore/QJsonDocument>
@ -615,16 +616,17 @@ const QString ALLOWED_USERS_SETTINGS_KEYPATH = "security.allowed_users";
 bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
                                                 const QByteArray& usernameSignature,
                                                 const HifiSockAddr& senderSockAddr) {
-    static const QVariant* allowedUsersVariant = valueForKeyPath(_settingsManager.getSettingsMap(),
+    const QVariant* allowedUsersVariant = valueForKeyPath(_settingsManager.getSettingsMap(),
                                                                 ALLOWED_USERS_SETTINGS_KEYPATH);
-    static QStringList allowedUsers = allowedUsersVariant ? allowedUsersVariant->toStringList() : QStringList();
+    QStringList allowedUsers = allowedUsersVariant ? allowedUsersVariant->toStringList() : QStringList();
+    
+    // we always let in a user who is sending a packet from our local socket or from the localhost address
+    if (senderSockAddr.getAddress() == LimitedNodeList::getInstance()->getLocalSockAddr().getAddress()
+        || senderSockAddr.getAddress() == QHostAddress::LocalHost) {
+        return true;
+    }
    
    if (allowedUsers.count() > 0) {
-        // this is an agent, we need to ask them to provide us with their signed username to see if they are allowed in
-        // we always let in a user who is sending a packet from our local socket or from the localhost address
-        
-        if (senderSockAddr.getAddress() != LimitedNodeList::getInstance()->getLocalSockAddr().getAddress()
-            && senderSockAddr.getAddress() != QHostAddress::LocalHost) {
        if (allowedUsers.contains(username)) {
            // it's possible this user can be allowed to connect, but we need to check their username signature
            
@ -635,7 +637,7 @@ bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
                const unsigned char* publicKeyData = reinterpret_cast<const unsigned char*>(publicKeyArray.constData());
                
                // first load up the public key into an RSA struct
-                    RSA* rsaPublicKey = d2i_RSAPublicKey(NULL, &publicKeyData, publicKeyArray.size());
+                RSA* rsaPublicKey = d2i_RSA_PUBKEY(NULL, &publicKeyData, publicKeyArray.size());
                
                if (rsaPublicKey) {
                    QByteArray decryptedArray(RSA_size(rsaPublicKey), 0);
@ -668,7 +670,8 @@ bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
            }
        
            requestUserPublicKey(username);
-            }
+        } else {
+            qDebug() << "Connect request denied for user" << username << "not in allowed users list.";
        }
    } else {
        // since we have no allowed user list, let them all in