Mirrors/overte
3
0
Fork 0
mirror of https://github.com/overte-org/overte.git synced 2025-08-08 12:57:59 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

debugging

Browse source
This commit is contained in:
bwent 2015-08-05 10:29:30 -07:00
parent b9364a47a1
commit fc385d9bc1
3 changed files with 59 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

93
domain-server/src/DomainServer.cpp
View file

@ -636,33 +636,51 @@ void DomainServer::processConnectRequestPacket(QSharedPointer<NLPacket> packet)
packetStream >> nodeInterestList; packetStream >> nodeInterestList;
if (packet->bytesLeftToRead() > 0) { if (packet->bytesLeftToRead() > 0) {
// try to verify username and usernameSignature // try to verify username
packetStream >> username >> usernameSignature; packetStream >> username;
} else {
// if user didn't include username and usernameSignature in connect request, send a connectionToken packet
QUuid& connectionToken = _connectionTokenHash[username.toLower()];
if(connectionToken.isNull()) {
// set up the connection token packet
connectionToken = QUuid::createUuid();
}
static auto connectionTokenPacket = NLPacket::create(PacketType::DomainServerConnectionToken, NUM_BYTES_RFC4122_UUID);
connectionTokenPacket->reset();
connectionTokenPacket->write(connectionToken.toRfc4122());
limitedNodeList->sendUnreliablePacket(*connectionTokenPacket, packet->getSenderSockAddr());
qDebug() << "Sending connection token. " << _connectionTokenHash[username.toLower()];
return;
} }
bool isRestrictingAccess =
_settingsManager.valueOrDefaultValueForKeyPath(RESTRICTED_ACCESS_SETTINGS_KEYPATH).toBool();
// //we always let in a user who is sending a packet from our local socket or from the localhost address
// bool isLocalUser = (senderSockAddr.getAddress() == DependencyManager::get<LimitedNodeList>()->getLocalSockAddr().getAddress()
// || senderSockAddr.getAddress() == QHostAddress::LocalHost);
// if username is empty, don't attempt to unpack username signature
if(isRestrictingAccess) {
if (!username.isEmpty()) {
qDebug() << "Reading username signature.";
packetStream >> usernameSignature;
if(usernameSignature.isEmpty()) {
// if user didn't include username and usernameSignature in connect request, send a connectionToken packet
QUuid& connectionToken = _connectionTokenHash[username.toLower()];
if(connectionToken.isNull()) {
connectionToken = QUuid::createUuid();
}
static auto connectionTokenPacket = NLPacket::create(PacketType::DomainServerConnectionToken, NUM_BYTES_RFC4122_UUID);
connectionTokenPacket->reset();
connectionTokenPacket->write(connectionToken.toRfc4122());
limitedNodeList->sendUnreliablePacket(*connectionTokenPacket, packet->getSenderSockAddr());
qDebug() << "Sending connection token. " << _connectionTokenHash[username.toLower()];
return;
}
}
}
QString reason; QString reason;
if (!isAssignment && !shouldAllowConnectionFromNode(username, usernameSignature, senderSockAddr, reason)) { if (!isAssignment && !shouldAllowConnectionFromNode(username, usernameSignature, senderSockAddr, reason)) {
// this is an agent and we've decided we won't let them connect - send them a packet to deny connection // this is an agent and we've decided we won't let them connect - send them a packet to deny connection
QByteArray utfString = reason.toUtf8(); QByteArray utfString = reason.toUtf8();
quint16 payloadSize = utfString.size(); quint16 payloadSize = utfString.size();
@ -812,6 +830,8 @@ bool DomainServer::verifyUserSignature(const QString& username,
// first load up the public key into an RSA struct // first load up the public key into an RSA struct
RSA* rsaPublicKey = d2i_RSA_PUBKEY(NULL, &publicKeyData, publicKeyArray.size()); RSA* rsaPublicKey = d2i_RSA_PUBKEY(NULL, &publicKeyData, publicKeyArray.size());
qDebug() << "Signature: " << usernameSignature.toHex();
if (rsaPublicKey) { if (rsaPublicKey) {
QByteArray decryptedArray(RSA_size(rsaPublicKey), 0); QByteArray decryptedArray(RSA_size(rsaPublicKey), 0);
int decryptResult = int decryptResult =
@ -827,7 +847,6 @@ bool DomainServer::verifyUserSignature(const QString& username,
qDebug() << "Error: " << err; qDebug() << "Error: " << err;
if (decryptResult != -1) { if (decryptResult != -1) {
if (usernameWithToken == decryptedArray) { if (usernameWithToken == decryptedArray) {
qDebug() << "Username signature matches for" << username << "- allowing connection."; qDebug() << "Username signature matches for" << username << "- allowing connection.";
@ -871,38 +890,34 @@ bool DomainServer::shouldAllowConnectionFromNode(const QString& username,
const QByteArray& usernameSignature, const QByteArray& usernameSignature,
const HifiSockAddr& senderSockAddr, const HifiSockAddr& senderSockAddr,
QString& reasonReturn) { QString& reasonReturn) {
bool isRestrictingAccess = bool isRestrictingAccess =
_settingsManager.valueOrDefaultValueForKeyPath(RESTRICTED_ACCESS_SETTINGS_KEYPATH).toBool(); _settingsManager.valueOrDefaultValueForKeyPath(RESTRICTED_ACCESS_SETTINGS_KEYPATH).toBool();
// we always let in a user who is sending a packet from our local socket or from the localhost address
// if (senderSockAddr.getAddress() == DependencyManager::get<LimitedNodeList>()->getLocalSockAddr().getAddress()
// || senderSockAddr.getAddress() == QHostAddress::LocalHost) {
// return true;
// }
if (isRestrictingAccess) {
if(isRestrictingAccess) {
QStringList allowedUsers = QStringList allowedUsers =
_settingsManager.valueOrDefaultValueForKeyPath(ALLOWED_USERS_SETTINGS_KEYPATH).toStringList(); _settingsManager.valueOrDefaultValueForKeyPath(ALLOWED_USERS_SETTINGS_KEYPATH).toStringList();
if (allowedUsers.contains(username, Qt::CaseInsensitive)) { if (allowedUsers.contains(username, Qt::CaseInsensitive)) {
if(username.isEmpty()) {
qDebug() << "Connect request denied - no username provided.";
reasonReturn = "No username provided";
return false;
}
if (!verifyUserSignature(username, usernameSignature, reasonReturn)) { if (!verifyUserSignature(username, usernameSignature, reasonReturn)) {
return false; return false;
} }
} else { } else {
qDebug() << "Connect request denied for user" << username << "not in allowed users list."; qDebug() << "Connect request denied for user" << username << "not in allowed users list.";
reasonReturn = "User not on whitelist."; reasonReturn = "User not on whitelist.";
return false; return false;
} }
} }
// either we aren't restricting users, or this user is in the allowed list // either we aren't restricting users, or this user is in the allowed list
// if this user is in the editors list, exempt them from the max-capacity check // if this user is in the editors list, exempt them from the max-capacity check
const QVariant* allowedEditorsVariant = const QVariant* allowedEditorsVariant =
valueForKeyPath(_settingsManager.getSettingsMap(), ALLOWED_EDITORS_SETTINGS_KEYPATH); valueForKeyPath(_settingsManager.getSettingsMap(), ALLOWED_EDITORS_SETTINGS_KEYPATH);
QStringList allowedEditors = allowedEditorsVariant ? allowedEditorsVariant->toStringList() : QStringList(); QStringList allowedEditors = allowedEditorsVariant ? allowedEditorsVariant->toStringList() : QStringList();
if (allowedEditors.contains(username)) { if (allowedEditors.contains(username)) {
if (verifyUserSignature(username, usernameSignature, reasonReturn)) { if (verifyUserSignature(username, usernameSignature, reasonReturn)) {

3
libraries/networking/src/DataServerAccountInfo.cpp
View file

@ -153,7 +153,8 @@ QByteArray DataServerAccountInfo::getUsernameSignature(const QUuid& connectionTo
qCDebug(networking) << "Error encrypting username signature."; qCDebug(networking) << "Error encrypting username signature.";
qCDebug(networking) << "Will re-attempt on next domain-server check in."; qCDebug(networking) << "Will re-attempt on next domain-server check in.";
} else { } else {
qDebug(networking) << "Signing username with connectionUUID"; qDebug(networking) << "Signing username with connectionUUID " << connectionToken;
qDebug() << "Signature: " << usernameSignature.toHex();
return usernameSignature; return usernameSignature;
} }

4
libraries/networking/src/NodeList.cpp
View file

@ -279,6 +279,7 @@ void NodeList::sendDomainServerCheckIn() {
if (!_domainHandler.isConnected() ) { if (!_domainHandler.isConnected() ) {
DataServerAccountInfo& accountInfo = AccountManager::getInstance().getAccountInfo(); DataServerAccountInfo& accountInfo = AccountManager::getInstance().getAccountInfo();
packetStream << accountInfo.getUsername();
// get connection token from the domain-server // get connection token from the domain-server
const QUuid& connectionToken = _domainHandler.getConnectionToken(); const QUuid& connectionToken = _domainHandler.getConnectionToken();
@ -287,8 +288,9 @@ void NodeList::sendDomainServerCheckIn() {
const QByteArray& usernameSignature = AccountManager::getInstance().getAccountInfo().getUsernameSignature(connectionToken); const QByteArray& usernameSignature = AccountManager::getInstance().getAccountInfo().getUsernameSignature(connectionToken);
if (!usernameSignature.isEmpty()) { if (!usernameSignature.isEmpty()) {
packetStream << accountInfo.getUsername() << usernameSignature; packetStream << usernameSignature;
} }
} }