
Add config support for using file as forwarding secret (#712)

* add config support for using file as forwarding secret

* deprecate forwarding-secret and change default to forwarding-secret-file

* change forwarding-secret-file handling to a versioned system
Dieser Commit ist enthalten in:
logsym 2022-06-09 03:28:14 -04:00 committet von GitHub
Ursprung e45ca5f357
Commit da52d09338
Es konnte kein GPG-Schlüssel zu dieser Signatur gefunden werden
GPG-Schlüssel-ID: 4AEE18F83AFDEB23
2 geänderte Dateien mit 51 neuen und 11 gelöschten Zeilen


@ -422,6 +422,12 @@ public class VelocityConfiguration implements ProxyConfig {
throw new RuntimeException("Default configuration file does not exist."); throw new RuntimeException("Default configuration file does not exist.");
} }
// Create the forwarding-secret file on first-time startup if it doesn't exist
Path defaultForwardingSecretPath = Path.of("forwarding.secret");
if (!path.toFile().exists() && !defaultForwardingSecretPath.toFile().exists()) {
Files.writeString(defaultForwardingSecretPath, generateRandomString(12));
}
boolean mustResave = false; boolean mustResave = false;
CommentedFileConfig config = CommentedFileConfig.builder(path) CommentedFileConfig config = CommentedFileConfig.builder(path)
.defaultData(defaultConfigLocation) .defaultData(defaultConfigLocation)
@ -442,14 +448,39 @@ public class VelocityConfiguration implements ProxyConfig {
CommentedFileConfig defaultConfig = CommentedFileConfig.of(tmpFile, TomlFormat.instance()); CommentedFileConfig defaultConfig = CommentedFileConfig.of(tmpFile, TomlFormat.instance());
defaultConfig.load(); defaultConfig.load();
// Retrieve the forwarding secret. First, from environment variable, then from config. // Whether or not this config is version 1.0 which uses the deprecated "forwarding-secret" parameter
boolean legacyConfig = config.getOrElse("config-version", "").equalsIgnoreCase("1.0");
String forwardingSecretString;
byte[] forwardingSecret; byte[] forwardingSecret;
String forwardingSecretString = System.getenv()
.getOrDefault("VELOCITY_FORWARDING_SECRET", config.get("forwarding-secret")); // Handle the previous (version 1.0) config
if (forwardingSecretString == null || forwardingSecretString.isEmpty()) { // There is duplicate/old code here in effort to make the future commit which abandons legacy config handling
forwardingSecretString = generateRandomString(12); // easier to implement. All that would be required is removing the if statement here and keeping the contents
config.set("forwarding-secret", forwardingSecretString); // of the else block (with slight tidying).
mustResave = true; if (legacyConfig) {
logger.warn("You are currently using a deprecated configuration version. The \"forwarding-secret\""
+ " parameter has been recognized as a security concern and has been removed in config version 2.0."
+ " It's recommended you rename your current \"velocity.toml\" to something else to allow Velocity"
+ " to generate a config file of the new version. You may then configure that file as you normally would."
+ " The only differences are the config-version and \"forwarding-secret\" has been replaced"
+ " by \"forwarding-secret-file\".");
// Default legacy handling
forwardingSecretString = System.getenv()
.getOrDefault("VELOCITY_FORWARDING_SECRET", config.get("forwarding-secret"));
if (forwardingSecretString == null || forwardingSecretString.isEmpty()) {
forwardingSecretString = generateRandomString(12);
config.set("forwarding-secret", forwardingSecretString);
mustResave = true;
}
} else {
// New handling
forwardingSecretString = System.getenv().getOrDefault("VELOCITY_FORWARDING_SECRET", "");
if (forwardingSecretString.isEmpty()) {
String forwardSecretFile = config.getOrElse("forwarding-secret-file", "");
forwardingSecretString = String.join("", Files.readAllLines(Path.of(forwardSecretFile)));
}
} }
forwardingSecret = forwardingSecretString.getBytes(StandardCharsets.UTF_8); forwardingSecret = forwardingSecretString.getBytes(StandardCharsets.UTF_8);
@ -480,6 +511,14 @@ public class VelocityConfiguration implements ProxyConfig {
Boolean kickExisting = config.getOrElse("kick-existing-players", false); Boolean kickExisting = config.getOrElse("kick-existing-players", false);
Boolean enablePlayerAddressLogging = config.getOrElse("enable-player-address-logging", true); Boolean enablePlayerAddressLogging = config.getOrElse("enable-player-address-logging", true);
// Throw an exception if the forwarding-secret file is empty and the proxy is using a
// forwarding mode that requires it.
if (forwardingSecret.length == 0
&& forwardingMode == PlayerInfoForwarding.MODERN
|| forwardingMode == PlayerInfoForwarding.BUNGEEGUARD) {
throw new RuntimeException("The forwarding-secret file must not be empty.");
}
return new VelocityConfiguration( return new VelocityConfiguration(
bind, bind,
motd, motd,
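Review bot: The empty-secret guard in the third hunk (the `if` just before `return new VelocityConfiguration(`) has an operator-precedence defect: `&&` binds tighter than `||`, so the condition reads as `(length == 0 && mode == MODERN) || mode == BUNGEEGUARD` and every BungeeGuard configuration is rejected with "The forwarding-secret file must not be empty." even when the secret is present, while MODERN is checked as intended. Parenthesize the mode test: `if (forwardingSecret.length == 0 && (forwardingMode == PlayerInfoForwarding.MODERN || forwardingMode == PlayerInfoForwarding.BUNGEEGUARD)) {`. In the second hunk, a version-2.0 config with no `forwarding-secret-file` entry falls through to `Files.readAllLines(Path.of(""))`, which fails on the current directory with an unhelpful IOException instead of naming the missing key; checking `forwardSecretFile.isEmpty()` and throwing a RuntimeException with a clear message before the read would match the style of the new guard. The first-start `Files.writeString(defaultForwardingSecretPath, ...)` in the first hunk creates the secret file with default attributes, which on POSIX hosts is typically readable by other local users under a permissive umask, so creating it with owner-only `PosixFilePermissions` where the filesystem supports them is worth considering. The enclosing reading method starts before the first hunk and ends after the third.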


@ -1,5 +1,5 @@
# Config version. Do not change this # Config version. Do not change this
config-version = "1.0" config-version = "2.0"
# What port should the proxy be bound to? By default, we'll bind to all addresses on port 25577. # What port should the proxy be bound to? By default, we'll bind to all addresses on port 25577.
bind = "0.0.0.0:25577" bind = "0.0.0.0:25577"
@ -36,8 +36,9 @@ prevent-client-proxy-connections = false
# Velocity's native forwarding. Only applicable for Minecraft 1.13 or higher. # Velocity's native forwarding. Only applicable for Minecraft 1.13 or higher.
player-info-forwarding-mode = "NONE" player-info-forwarding-mode = "NONE"
# If you are using modern or BungeeGuard IP forwarding, configure a unique secret here. # If you are using modern or BungeeGuard IP forwarding, configure a file that contains a unique secret here.
forwarding-secret = "" # The file is expected to be UTF-8 encoded and not empty.
forwarding-secret-file = "forwarding.secret"
# Announce whether or not your server supports Forge. If you run a modded server, we # Announce whether or not your server supports Forge. If you run a modded server, we
# suggest turning this on. # suggest turning this on.
@ -151,4 +152,4 @@ port = 25577
map = "Velocity" map = "Velocity"
# Whether plugins should be shown in query response by default or not # Whether plugins should be shown in query response by default or not
show-plugins = false show-plugins = false
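Review bot: The new comment above `forwarding-secret-file` does not say how the file is consumed; the loader side of this commit joins all lines with the line breaks removed and uses the result byte-for-byte, so leading or trailing spaces become part of the secret while a trailing newline does not. Extending the comment with `# The whole file contents (line breaks removed) are used as the secret; a forwarding.secret file is generated on first startup if it does not exist.` would likely spare operators a hard-to-diagnose mismatch with their backend servers.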