diff options
author | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2017-12-07 11:13:32 +0100 |
---|---|---|
committer | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2017-12-07 11:13:32 +0100 |
commit | c68eae71c8474e27725acec4e6b2194e20626042 (patch) | |
tree | bdd8237318ed55926e5fbd8a2fa5cd8213983f63 /src/identity-provider/plugin_rest_identity_provider.c | |
parent | e4a65af290c4fd85718b8497445ca16e0719bf5e (diff) | |
download | gnunet-c68eae71c8474e27725acec4e6b2194e20626042.tar.gz gnunet-c68eae71c8474e27725acec4e6b2194e20626042.zip |
-commit broken
Diffstat (limited to 'src/identity-provider/plugin_rest_identity_provider.c')
-rw-r--r-- | src/identity-provider/plugin_rest_identity_provider.c | 316 |
1 files changed, 166 insertions, 150 deletions
diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index d5e453a0e..1bef87ace 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c | |||
@@ -1027,156 +1027,172 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1027 | */ | 1027 | */ |
1028 | static void | 1028 | static void |
1029 | authorize_cont (struct GNUNET_REST_RequestHandle *con_handle, | 1029 | authorize_cont (struct GNUNET_REST_RequestHandle *con_handle, |
1030 | const char* url, | 1030 | const char* url, |
1031 | void *cls) | 1031 | void *cls) |
1032 | { | 1032 | { |
1033 | 1033 | ||
1034 | //TODO clean up method | 1034 | //TODO clean up method |
1035 | 1035 | ||
1036 | 1036 | ||
1037 | // The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification. | 1037 | // The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification. |
1038 | // The Authorization Server MUST verify that all the REQUIRED parameters are present and their usage conforms to this specification. | 1038 | // The Authorization Server MUST verify that all the REQUIRED parameters are present and their usage conforms to this specification. |
1039 | // If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request. The Authorization Server MUST NOT reply with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server. Such a request can be made either using an id_token_hint parameter or by requesting a specific Claim Value as described in Section 5.5.1, if the claims parameter is supported by the implementation. | 1039 | // If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request. The Authorization Server MUST NOT reply with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server. Such a request can be made either using an id_token_hint parameter or by requesting a specific Claim Value as described in Section 5.5.1, if the claims parameter is supported by the implementation. |
1040 | 1040 | ||
1041 | 1041 | ||
1042 | 1042 | ||
1043 | struct MHD_Response *resp; | 1043 | struct MHD_Response *resp; |
1044 | struct RequestHandle *handle = cls; | 1044 | struct RequestHandle *handle = cls; |
1045 | 1045 | ||
1046 | /* | 1046 | /* |
1047 | * response_type 0 | 1047 | * response_type 0 |
1048 | * client_id 1 | 1048 | * client_id 1 |
1049 | * scope 2 | 1049 | * scope 2 |
1050 | * redirect_uri 3 | 1050 | * redirect_uri 3 |
1051 | * state 4 | 1051 | * state 4 |
1052 | * nonce 5 | 1052 | * nonce 5 |
1053 | * display 6 | 1053 | * display 6 |
1054 | * prompt 7 | 1054 | * prompt 7 |
1055 | * max_age 8 | 1055 | * max_age 8 |
1056 | * ui_locales 9 | 1056 | * ui_locales 9 |
1057 | * response_mode 10 | 1057 | * response_mode 10 |
1058 | * id_token_hint 11 | 1058 | * id_token_hint 11 |
1059 | * login_hint 12 | 1059 | * login_hint 12 |
1060 | * acr_values 13 | 1060 | * acr_values 13 |
1061 | */ | 1061 | */ |
1062 | char* array[] = { "response_type", "client_id", "scope", "redirect_uri", | 1062 | char* array[] = { "response_type", "client_id", "scope", "redirect_uri", |
1063 | "state", "nonce", "display", "prompt", "max_age", "ui_locales", | 1063 | "state", "nonce", "display", "prompt", "max_age", "ui_locales", |
1064 | "response_mode", "id_token_hint","login_hint", "acr_values" }; | 1064 | "response_mode", "id_token_hint","login_hint", "acr_values" }; |
1065 | int array_size=14; | 1065 | int array_size=14; |
1066 | int bool_array[array_size]; | 1066 | int bool_array[array_size]; |
1067 | 1067 | ||
1068 | struct GNUNET_HashCode cache_key; | 1068 | struct GNUNET_HashCode cache_key; |
1069 | 1069 | ||
1070 | //iterates over each parameter and store used values in array array[] | 1070 | //iterates over each parameter and store used values in array array[] |
1071 | int iterator; | 1071 | int iterator; |
1072 | for( iterator = 0; iterator<array_size; iterator++){ | 1072 | for( iterator = 0; iterator<array_size; iterator++){ |
1073 | GNUNET_CRYPTO_hash (array[iterator], strlen (array[iterator]), &cache_key); | 1073 | GNUNET_CRYPTO_hash (array[iterator], strlen (array[iterator]), &cache_key); |
1074 | char* cache=GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, &cache_key); | 1074 | char* cache=GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, &cache_key); |
1075 | bool_array[iterator]=0; | 1075 | bool_array[iterator]=0; |
1076 | if(cache!=0){ | 1076 | if(cache!=0){ |
1077 | size_t size=strlen(cache)+1; | 1077 | size_t size=strlen(cache)+1; |
1078 | array[iterator]=(char*)malloc(size*sizeof(char)); | 1078 | array[iterator]=(char*)malloc(size*sizeof(char)); |
1079 | strncpy(array[iterator],cache,size); | 1079 | strncpy(array[iterator],cache,size); |
1080 | bool_array[iterator]=1; | 1080 | bool_array[iterator]=1; |
1081 | } | 1081 | } |
1082 | } | 1082 | } |
1083 | 1083 | ||
1084 | //MUST validate all the OAuth 2.0 parameters & that all the REQUIRED parameters are present and their usage conforms to this specification | 1084 | /* MUST validate all the OAuth 2.0 parameters & that all the |
1085 | 1085 | * REQUIRED parameters are present and their usage conforms to this specification | |
1086 | //required values: response_type, client_id, scope, redirect_uri | 1086 | */ |
1087 | if(!bool_array[0] || !bool_array[1] || !bool_array[2] || !bool_array[3]){ | 1087 | GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (array[iterator]), &cache_key); |
1088 | handle->emsg=GNUNET_strdup("invalid_request"); | 1088 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, |
1089 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 1089 | &key)) |
1090 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1090 | { |
1091 | return; | 1091 | handle->emsg=GNUNET_strdup("invalid_request"); |
1092 | } | 1092 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
1093 | //response_type = code | 1093 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1094 | if(strcmp(array[0],"code")!=0){ | 1094 | return; |
1095 | handle->emsg=GNUNET_strdup("invalid_response_type"); | 1095 | } |
1096 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 1096 | response_type = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, |
1097 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1097 | &key); |
1098 | return; | 1098 | |
1099 | } | 1099 | //required values: response_type, client_id, scope, redirect_uri |
1100 | //scope contains openid | 1100 | if(!bool_array[0] || !bool_array[1] || !bool_array[2] || !bool_array[3]){ |
1101 | if(strstr(array[2],"openid")==NULL){ | 1101 | handle->emsg=GNUNET_strdup("invalid_request"); |
1102 | handle->emsg=GNUNET_strdup("invalid_scope"); | 1102 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
1103 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 1103 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1104 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1104 | return; |
1105 | return; | 1105 | } |
1106 | } | 1106 | //response_type = code |
1107 | 1107 | if(strcmp(array[0],"code")!=0){ | |
1108 | //TODO check other values and use them accordingly | 1108 | handle->emsg=GNUNET_strdup("invalid_response_type"); |
1109 | 1109 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | |
1110 | 1110 | GNUNET_SCHEDULER_add_now (&do_error, handle); | |
1111 | char* redirect_url_to_login; | 1111 | return; |
1112 | 1112 | } | |
1113 | // if(){ | 1113 | //scope contains openid |
1114 | // | 1114 | if(strstr(array[2],"openid")==NULL){ |
1115 | // }else{ | 1115 | handle->emsg=GNUNET_strdup("invalid_scope"); |
1116 | // | 1116 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
1117 | // } | 1117 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1118 | if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg, | 1118 | return; |
1119 | "identity-rest-plugin", | 1119 | } |
1120 | "address", | 1120 | |
1121 | &redirect_url_to_login)){ | 1121 | //TODO check other values and use them accordingly |
1122 | 1122 | ||
1123 | char* build_array[] = { "response_type", "client_id", "scope", "redirect_uri", | 1123 | |
1124 | "state", "nonce", "display", "prompt", "max_age", "ui_locales", | 1124 | char* redirect_url_to_login; |
1125 | "response_mode", "id_token_hint","login_hint", "acr_values" }; | 1125 | |
1126 | 1126 | // if(){ | |
1127 | size_t redirect_parameter_size= strlen("?"); | 1127 | // |
1128 | for(iterator=0;iterator<array_size;iterator++){ | 1128 | // }else{ |
1129 | if(bool_array[iterator]){ | 1129 | // |
1130 | redirect_parameter_size += strlen(array[iterator]); | 1130 | // } |
1131 | redirect_parameter_size += strlen(build_array[iterator]); | 1131 | if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg, |
1132 | if(iterator==array_size-1) | 1132 | "identity-rest-plugin", |
1133 | { | 1133 | "address", |
1134 | redirect_parameter_size += strlen("="); | 1134 | &redirect_url_to_login)){ |
1135 | }else{ | 1135 | |
1136 | redirect_parameter_size += strlen("=&"); | 1136 | char* build_array[] = { "response_type", "client_id", "scope", "redirect_uri", |
1137 | } | 1137 | "state", "nonce", "display", "prompt", "max_age", "ui_locales", |
1138 | } | 1138 | "response_mode", "id_token_hint","login_hint", "acr_values" }; |
1139 | } | 1139 | GNUNET_asprintf (new_redirect, "%s=%s&...", |
1140 | 1140 | OIDC_REDIRECT_URI_KEY, redirect_uri, | |
1141 | char redirect_parameter[redirect_parameter_size+1]; | 1141 | OIDC_CLIENT_ID_KEY, client_id, |
1142 | redirect_parameter_size = 0; | 1142 | ...); |
1143 | redirect_parameter[redirect_parameter_size]='?'; | 1143 | size_t redirect_parameter_size= strlen("?"); |
1144 | for(iterator=0;iterator<array_size;iterator++){ | 1144 | for(iterator=0;iterator<array_size;iterator++){ |
1145 | if(bool_array[iterator]){ | 1145 | if(bool_array[iterator]){ |
1146 | //If not last parameter | 1146 | redirect_parameter_size += strlen(array[iterator]); |
1147 | if(iterator!=array_size-1) | 1147 | redirect_parameter_size += strlen(build_array[iterator]); |
1148 | { | 1148 | if(iterator==array_size-1) |
1149 | char cache[strlen(array[iterator])+strlen(build_array[iterator])+2+1]; | 1149 | { |
1150 | snprintf(cache,sizeof(cache),"%s=%s&", build_array[iterator], array[iterator]); | 1150 | redirect_parameter_size += strlen("="); |
1151 | strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+2 ); | 1151 | }else{ |
1152 | }else{ | 1152 | redirect_parameter_size += strlen("=&"); |
1153 | char cache[strlen(array[iterator])+strlen(build_array[iterator])+1+1]; | 1153 | } |
1154 | snprintf(cache,sizeof(cache),"%s=%s", build_array[iterator], array[iterator]); | 1154 | } |
1155 | strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+1 ); | 1155 | } |
1156 | } | 1156 | |
1157 | } | 1157 | char redirect_parameter[redirect_parameter_size+1]; |
1158 | } | 1158 | redirect_parameter_size = 0; |
1159 | char redirect_component[strlen(redirect_url_to_login)+strlen(redirect_parameter)+1]; | 1159 | redirect_parameter[redirect_parameter_size]='?'; |
1160 | snprintf(redirect_component, sizeof(redirect_component), "%s%s", redirect_url_to_login, redirect_parameter); | 1160 | for(iterator=0;iterator<array_size;iterator++){ |
1161 | resp = GNUNET_REST_create_response (""); | 1161 | if(bool_array[iterator]){ |
1162 | MHD_add_response_header (resp, "Location", redirect_component); | 1162 | //If not last parameter |
1163 | }else{ | 1163 | if(iterator!=array_size-1) |
1164 | handle->emsg=GNUNET_strdup("No server on localhost:8000"); | 1164 | { |
1165 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 1165 | char cache[strlen(array[iterator])+strlen(build_array[iterator])+2+1]; |
1166 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1166 | snprintf(cache,sizeof(cache),"%s=%s&", build_array[iterator], array[iterator]); |
1167 | return; | 1167 | strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+2 ); |
1168 | // resp = GNUNET_REST_create_response (""); | 1168 | }else{ |
1169 | // MHD_add_response_header (resp, "Location", array[3]); | 1169 | char cache[strlen(array[iterator])+strlen(build_array[iterator])+1+1]; |
1170 | } | 1170 | snprintf(cache,sizeof(cache),"%s=%s", build_array[iterator], array[iterator]); |
1171 | 1171 | strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+1 ); | |
1172 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | 1172 | } |
1173 | cleanup_handle (handle); | 1173 | } |
1174 | for(iterator=0; iterator<array_size; iterator++){ | 1174 | } |
1175 | if(bool_array[iterator]){ | 1175 | char redirect_component[strlen(redirect_url_to_login)+strlen(redirect_parameter)+1]; |
1176 | free(array[iterator]); | 1176 | snprintf(redirect_component, sizeof(redirect_component), "%s%s", redirect_url_to_login, redirect_parameter); |
1177 | } | 1177 | resp = GNUNET_REST_create_response (""); |
1178 | } | 1178 | MHD_add_response_header (resp, "Location", redirect_component); |
1179 | return; | 1179 | }else{ |
1180 | handle->emsg=GNUNET_strdup("No server on localhost:8000"); | ||
1181 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | ||
1182 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1183 | return; | ||
1184 | // resp = GNUNET_REST_create_response (""); | ||
1185 | // MHD_add_response_header (resp, "Location", array[3]); | ||
1186 | } | ||
1187 | |||
1188 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | ||
1189 | cleanup_handle (handle); | ||
1190 | for(iterator=0; iterator<array_size; iterator++){ | ||
1191 | if(bool_array[iterator]){ | ||
1192 | free(array[iterator]); | ||
1193 | } | ||
1194 | } | ||
1195 | return; | ||
1180 | } | 1196 | } |
1181 | 1197 | ||
1182 | /** | 1198 | /** |
@@ -1192,8 +1208,8 @@ init_cont (struct RequestHandle *handle) | |||
1192 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont}, | 1208 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont}, |
1193 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont}, | 1209 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont}, |
1194 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont}, | 1210 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont}, |
1195 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont}, | 1211 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont}, |
1196 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont}, | 1212 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont}, |
1197 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont}, | 1213 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont}, |
1198 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont}, | 1214 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont}, |
1199 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER, | 1215 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER, |