diff options
| author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-04 10:09:45 +0200 |
|---|---|---|
| committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-04 10:09:45 +0200 |
| commit | 080519e980d8f8a3b138c733f837417bdb1b6757 (patch) | |
| tree | 992d8e5deac776df3b2710b98054041a6d2f23fb | |
| parent | ba2050750fcb0b5c7919fda98bca4f7c13a36d14 (diff) | |
| download | gnunet-080519e980d8f8a3b138c733f837417bdb1b6757.tar.gz gnunet-080519e980d8f8a3b138c733f837417bdb1b6757.zip | |
reclaim: do not store access token instead piggyback ticket
| -rw-r--r-- | src/reclaim/oidc_helper.c | 25 | ||||
| -rw-r--r-- | src/reclaim/oidc_helper.h | 9 | ||||
| -rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 52 |
3 files changed, 31 insertions, 55 deletions
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c index ad2839200..b48738cc4 100644 --- a/src/reclaim/oidc_helper.c +++ b/src/reclaim/oidc_helper.c | |||
| @@ -757,15 +757,28 @@ OIDC_build_token_response (const char *access_token, | |||
| 757 | * Generate a new access token | 757 | * Generate a new access token |
| 758 | */ | 758 | */ |
| 759 | char * | 759 | char * |
| 760 | OIDC_access_token_new () | 760 | OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket) |
| 761 | { | 761 | { |
| 762 | char *access_token; | 762 | char *access_token; |
| 763 | uint64_t random_number; | ||
| 764 | 763 | ||
| 765 | random_number = | 764 | GNUNET_STRINGS_base64_encode (ticket, |
| 766 | GNUNET_CRYPTO_random_u64 (GNUNET_CRYPTO_QUALITY_NONCE, UINT64_MAX); | 765 | sizeof(*ticket), |
| 767 | GNUNET_STRINGS_base64_encode (&random_number, | ||
| 768 | sizeof(uint64_t), | ||
| 769 | &access_token); | 766 | &access_token); |
| 770 | return access_token; | 767 | return access_token; |
| 771 | } | 768 | } |
| 769 | |||
| 770 | |||
| 771 | /** | ||
| 772 | * Parse an access token | ||
| 773 | */ | ||
| 774 | int | ||
| 775 | OIDC_access_token_parse (const char*token, | ||
| 776 | struct GNUNET_RECLAIM_Ticket **ticket) | ||
| 777 | { | ||
| 778 | if (sizeof (struct GNUNET_RECLAIM_Ticket) != | ||
| 779 | GNUNET_STRINGS_base64_decode (token, | ||
| 780 | strlen (token), | ||
| 781 | (void**) ticket)) | ||
| 782 | return GNUNET_SYSERR; | ||
| 783 | return GNUNET_OK; | ||
| 784 | } | ||
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h index 2c533357e..e84087fc3 100644 --- a/src/reclaim/oidc_helper.h +++ b/src/reclaim/oidc_helper.h | |||
| @@ -117,7 +117,12 @@ OIDC_build_token_response (const char *access_token, | |||
| 117 | * Generate a new access token | 117 | * Generate a new access token |
| 118 | */ | 118 | */ |
| 119 | char* | 119 | char* |
| 120 | OIDC_access_token_new (); | 120 | OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket); |
| 121 | |||
| 122 | 121 | ||
| 122 | /** | ||
| 123 | * Parse an access token | ||
| 124 | */ | ||
| 125 | int | ||
| 126 | OIDC_access_token_parse (const char* token, | ||
| 127 | struct GNUNET_RECLAIM_Ticket **ticket); | ||
| 123 | #endif | 128 | #endif |
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 3db881244..eb602a08f 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
| @@ -239,12 +239,6 @@ static char *OIDC_ignored_parameter_array[] = { "display", | |||
| 239 | struct GNUNET_CONTAINER_MultiHashMap *OIDC_cookie_jar_map; | 239 | struct GNUNET_CONTAINER_MultiHashMap *OIDC_cookie_jar_map; |
| 240 | 240 | ||
| 241 | /** | 241 | /** |
| 242 | * Hash map that links the issued access token to the corresponding ticket and | ||
| 243 | * ego | ||
| 244 | */ | ||
| 245 | struct GNUNET_CONTAINER_MultiHashMap *OIDC_access_token_map; | ||
| 246 | |||
| 247 | /** | ||
| 248 | * The configuration handle | 242 | * The configuration handle |
| 249 | */ | 243 | */ |
| 250 | const struct GNUNET_CONFIGURATION_Handle *cfg; | 244 | const struct GNUNET_CONFIGURATION_Handle *cfg; |
| @@ -1980,26 +1974,6 @@ find_ego (struct RequestHandle *handle, | |||
| 1980 | } | 1974 | } |
| 1981 | 1975 | ||
| 1982 | 1976 | ||
| 1983 | static void | ||
| 1984 | persist_access_token (const struct RequestHandle *handle, | ||
| 1985 | const char *access_token, | ||
| 1986 | const struct GNUNET_RECLAIM_Ticket *ticket) | ||
| 1987 | { | ||
| 1988 | struct GNUNET_HashCode hc; | ||
| 1989 | struct GNUNET_RECLAIM_Ticket *ticketbuf; | ||
| 1990 | |||
| 1991 | GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc); | ||
| 1992 | ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket); | ||
| 1993 | *ticketbuf = *ticket; | ||
| 1994 | GNUNET_assert (GNUNET_SYSERR != | ||
| 1995 | GNUNET_CONTAINER_multihashmap_put ( | ||
| 1996 | OIDC_access_token_map, | ||
| 1997 | &hc, | ||
| 1998 | ticketbuf, | ||
| 1999 | GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); | ||
| 2000 | } | ||
| 2001 | |||
| 2002 | |||
| 2003 | /** | 1977 | /** |
| 2004 | * Responds to token url-encoded POST request | 1978 | * Responds to token url-encoded POST request |
| 2005 | * | 1979 | * |
| @@ -2148,13 +2122,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2148 | &expiration_time, | 2122 | &expiration_time, |
| 2149 | (NULL != nonce) ? nonce : NULL, | 2123 | (NULL != nonce) ? nonce : NULL, |
| 2150 | jwt_secret); | 2124 | jwt_secret); |
| 2151 | access_token = OIDC_access_token_new (); | 2125 | access_token = OIDC_access_token_new (&ticket); |
| 2152 | OIDC_build_token_response (access_token, | 2126 | OIDC_build_token_response (access_token, |
| 2153 | id_token, | 2127 | id_token, |
| 2154 | &expiration_time, | 2128 | &expiration_time, |
| 2155 | &json_response); | 2129 | &json_response); |
| 2156 | 2130 | ||
| 2157 | persist_access_token (handle, access_token, &ticket); | ||
| 2158 | resp = GNUNET_REST_create_response (json_response); | 2131 | resp = GNUNET_REST_create_response (json_response); |
| 2159 | MHD_add_response_header (resp, "Cache-Control", "no-store"); | 2132 | MHD_add_response_header (resp, "Cache-Control", "no-store"); |
| 2160 | MHD_add_response_header (resp, "Pragma", "no-cache"); | 2133 | MHD_add_response_header (resp, "Pragma", "no-cache"); |
| @@ -2324,22 +2297,17 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2324 | return; | 2297 | return; |
| 2325 | } | 2298 | } |
| 2326 | 2299 | ||
| 2327 | GNUNET_CRYPTO_hash (authorization_access_token, | 2300 | if (GNUNET_OK != OIDC_access_token_parse (authorization_access_token, |
| 2328 | strlen (authorization_access_token), | 2301 | &ticket)) |
| 2329 | &cache_key); | ||
| 2330 | if (GNUNET_NO == | ||
| 2331 | GNUNET_CONTAINER_multihashmap_contains (OIDC_access_token_map, | ||
| 2332 | &cache_key)) | ||
| 2333 | { | 2302 | { |
| 2334 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); | 2303 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); |
| 2335 | handle->edesc = GNUNET_strdup ("The access token expired"); | 2304 | handle->edesc = GNUNET_strdup ("The access token is invalid"); |
| 2336 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2305 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2337 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2306 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2338 | GNUNET_free (authorization); | 2307 | GNUNET_free (authorization); |
| 2339 | return; | 2308 | return; |
| 2309 | |||
| 2340 | } | 2310 | } |
| 2341 | ticket = | ||
| 2342 | GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key); | ||
| 2343 | GNUNET_assert (NULL != ticket); | 2311 | GNUNET_assert (NULL != ticket); |
| 2344 | aud_ego = find_ego (handle, &ticket->audience); | 2312 | aud_ego = find_ego (handle, &ticket->audience); |
| 2345 | iss_ego = find_ego (handle, &ticket->identity); | 2313 | iss_ego = find_ego (handle, &ticket->identity); |
| @@ -2523,9 +2491,6 @@ rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle, | |||
| 2523 | if (NULL == OIDC_cookie_jar_map) | 2491 | if (NULL == OIDC_cookie_jar_map) |
| 2524 | OIDC_cookie_jar_map = GNUNET_CONTAINER_multihashmap_create (10, | 2492 | OIDC_cookie_jar_map = GNUNET_CONTAINER_multihashmap_create (10, |
| 2525 | GNUNET_NO); | 2493 | GNUNET_NO); |
| 2526 | if (NULL == OIDC_access_token_map) | ||
| 2527 | OIDC_access_token_map = | ||
| 2528 | GNUNET_CONTAINER_multihashmap_create (10, GNUNET_NO); | ||
| 2529 | handle->response_code = 0; | 2494 | handle->response_code = 0; |
| 2530 | handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL; | 2495 | handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL; |
| 2531 | handle->proc_cls = proc_cls; | 2496 | handle->proc_cls = proc_cls; |
| @@ -2606,13 +2571,6 @@ libgnunet_plugin_rest_openid_connect_done (void *cls) | |||
| 2606 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); | 2571 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); |
| 2607 | GNUNET_CONTAINER_multihashmap_destroy (OIDC_cookie_jar_map); | 2572 | GNUNET_CONTAINER_multihashmap_destroy (OIDC_cookie_jar_map); |
| 2608 | 2573 | ||
| 2609 | hashmap_it = | ||
| 2610 | GNUNET_CONTAINER_multihashmap_iterator_create (OIDC_access_token_map); | ||
| 2611 | while (GNUNET_YES == | ||
| 2612 | GNUNET_CONTAINER_multihashmap_iterator_next (hashmap_it, NULL, | ||
| 2613 | value)) | ||
| 2614 | GNUNET_free (value); | ||
| 2615 | GNUNET_CONTAINER_multihashmap_destroy (OIDC_access_token_map); | ||
| 2616 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); | 2574 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); |
| 2617 | GNUNET_free (allow_methods); | 2575 | GNUNET_free (allow_methods); |
| 2618 | GNUNET_free (api); | 2576 | GNUNET_free (api); |