13
0
geforkt von Mirrors/Velocity

Add config support for using file as forwarding secret (#712)

* add config support for using file as forwarding secret

* deprecate forwarding-secret and change default to forwarding-secret-file

* change forwarding-secret-file handling to a versioned system
Dieser Commit ist enthalten in:
logsym 2022-06-09 03:28:14 -04:00 committet von GitHub
Ursprung e45ca5f357
Commit da52d09338
Es konnte kein GPG-Schlüssel zu dieser Signatur gefunden werden
GPG-Schlüssel-ID: 4AEE18F83AFDEB23
2 geänderte Dateien mit 51 neuen und 11 gelöschten Zeilen

Datei anzeigen

@ -422,6 +422,12 @@ public class VelocityConfiguration implements ProxyConfig {
throw new RuntimeException("Default configuration file does not exist.");
}
// Create the forwarding-secret file on first-time startup if it doesn't exist
Path defaultForwardingSecretPath = Path.of("forwarding.secret");
if (!path.toFile().exists() && !defaultForwardingSecretPath.toFile().exists()) {
Files.writeString(defaultForwardingSecretPath, generateRandomString(12));
}
boolean mustResave = false;
CommentedFileConfig config = CommentedFileConfig.builder(path)
.defaultData(defaultConfigLocation)
@ -442,14 +448,39 @@ public class VelocityConfiguration implements ProxyConfig {
CommentedFileConfig defaultConfig = CommentedFileConfig.of(tmpFile, TomlFormat.instance());
defaultConfig.load();
// Retrieve the forwarding secret. First, from environment variable, then from config.
// Whether or not this config is version 1.0 which uses the deprecated "forwarding-secret" parameter
boolean legacyConfig = config.getOrElse("config-version", "").equalsIgnoreCase("1.0");
String forwardingSecretString;
byte[] forwardingSecret;
String forwardingSecretString = System.getenv()
.getOrDefault("VELOCITY_FORWARDING_SECRET", config.get("forwarding-secret"));
if (forwardingSecretString == null || forwardingSecretString.isEmpty()) {
forwardingSecretString = generateRandomString(12);
config.set("forwarding-secret", forwardingSecretString);
mustResave = true;
// Handle the previous (version 1.0) config
// There is duplicate/old code here in effort to make the future commit which abandons legacy config handling
// easier to implement. All that would be required is removing the if statement here and keeping the contents
// of the else block (with slight tidying).
if (legacyConfig) {
logger.warn("You are currently using a deprecated configuration version. The \"forwarding-secret\""
+ " parameter has been recognized as a security concern and has been removed in config version 2.0."
+ " It's recommended you rename your current \"velocity.toml\" to something else to allow Velocity"
+ " to generate a config file of the new version. You may then configure that file as you normally would."
+ " The only differences are the config-version and \"forwarding-secret\" has been replaced"
+ " by \"forwarding-secret-file\".");
// Default legacy handling
forwardingSecretString = System.getenv()
.getOrDefault("VELOCITY_FORWARDING_SECRET", config.get("forwarding-secret"));
if (forwardingSecretString == null || forwardingSecretString.isEmpty()) {
forwardingSecretString = generateRandomString(12);
config.set("forwarding-secret", forwardingSecretString);
mustResave = true;
}
} else {
// New handling
forwardingSecretString = System.getenv().getOrDefault("VELOCITY_FORWARDING_SECRET", "");
if (forwardingSecretString.isEmpty()) {
String forwardSecretFile = config.getOrElse("forwarding-secret-file", "");
forwardingSecretString = String.join("", Files.readAllLines(Path.of(forwardSecretFile)));
}
}
forwardingSecret = forwardingSecretString.getBytes(StandardCharsets.UTF_8);
@ -480,6 +511,14 @@ public class VelocityConfiguration implements ProxyConfig {
Boolean kickExisting = config.getOrElse("kick-existing-players", false);
Boolean enablePlayerAddressLogging = config.getOrElse("enable-player-address-logging", true);
// Throw an exception if the forwarding-secret file is empty and the proxy is using a
// forwarding mode that requires it.
if (forwardingSecret.length == 0
&& forwardingMode == PlayerInfoForwarding.MODERN
|| forwardingMode == PlayerInfoForwarding.BUNGEEGUARD) {
throw new RuntimeException("The forwarding-secret file must not be empty.");
}
return new VelocityConfiguration(
bind,
motd,

Datei anzeigen

@ -1,5 +1,5 @@
# Config version. Do not change this
config-version = "1.0"
config-version = "2.0"
# What port should the proxy be bound to? By default, we'll bind to all addresses on port 25577.
bind = "0.0.0.0:25577"
@ -36,8 +36,9 @@ prevent-client-proxy-connections = false
# Velocity's native forwarding. Only applicable for Minecraft 1.13 or higher.
player-info-forwarding-mode = "NONE"
# If you are using modern or BungeeGuard IP forwarding, configure a unique secret here.
forwarding-secret = ""
# If you are using modern or BungeeGuard IP forwarding, configure a file that contains a unique secret here.
# The file is expected to be UTF-8 encoded and not empty.
forwarding-secret-file = "forwarding.secret"
# Announce whether or not your server supports Forge. If you run a modded server, we
# suggest turning this on.