author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-06 08:45:40 +0200 |
---|---|---|
committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-06 08:45:40 +0200 |
commit | 1d4f5263ae72c12a42ec166ec8b1769620baaeda (patch) | |
tree | 4c5c6051b4ae968c4b3a5c82f1d51da452e9f1d3 /src/reclaim/plugin_rest_openid_connect.c | |
parent | 6e764f4abd8a3f14f03a5a167af7d5cb703fd1d5 (diff) | |
reclaim: Refactoring and more standards compliance with respect to scopes
Diffstat (limited to 'src/reclaim/plugin_rest_openid_connect.c')
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 198 |
1 files changed, 67 insertions, 131 deletions
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 238cffb85..b294ba166 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -357,10 +357,6 @@ struct OIDC_Variables | |||
357 | */ | 357 | */ |
358 | char *code_verifier; | 358 | char *code_verifier; |
359 | 359 | ||
360 | /** | ||
361 | * The response JSON | ||
362 | */ | ||
363 | json_t *response; | ||
364 | }; | 360 | }; |
365 | 361 | ||
366 | /** | 362 | /** |
@@ -569,7 +565,6 @@ cleanup_handle (struct RequestHandle *handle) | |||
569 | GNUNET_free (handle->oidc->response_type); | 565 | GNUNET_free (handle->oidc->response_type); |
570 | GNUNET_free (handle->oidc->scope); | 566 | GNUNET_free (handle->oidc->scope); |
571 | GNUNET_free (handle->oidc->state); | 567 | GNUNET_free (handle->oidc->state); |
572 | json_decref (handle->oidc->response); | ||
573 | GNUNET_free (handle->oidc); | 568 | GNUNET_free (handle->oidc); |
574 | } | 569 | } |
575 | if (NULL!=handle->attr_idtoken_list) | 570 | if (NULL!=handle->attr_idtoken_list) |
@@ -691,27 +686,6 @@ do_timeout (void *cls) | |||
691 | 686 | ||
692 | 687 | ||
693 | /** | 688 | /** |
694 | * Return attributes for claim | ||
695 | * | ||
696 | * @param cls the request handle | ||
697 | */ | ||
698 | static void | ||
699 | return_userinfo_response (void *cls) | ||
700 | { | ||
701 | char *result_str; | ||
702 | struct RequestHandle *handle = cls; | ||
703 | struct MHD_Response *resp; | ||
704 | |||
705 | result_str = json_dumps (handle->oidc->response, 0); | ||
706 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR,"ID-Token: %s\n",result_str); | ||
707 | resp = GNUNET_REST_create_response (result_str); | ||
708 | handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); | ||
709 | GNUNET_free (result_str); | ||
710 | cleanup_handle (handle); | ||
711 | } | ||
712 | |||
713 | |||
714 | /** | ||
715 | * Respond to OPTIONS request | 689 | * Respond to OPTIONS request |
716 | * | 690 | * |
717 | * @param con_handle the connection handle | 691 | * @param con_handle the connection handle |
@@ -1153,9 +1127,6 @@ attr_in_claims_request (struct RequestHandle *handle, | |||
1153 | const char *attr_name, | 1127 | const char *attr_name, |
1154 | const char *claims_parameter) | 1128 | const char *claims_parameter) |
1155 | { | 1129 | { |
1156 | char *scope_variables; | ||
1157 | char *scope_variable; | ||
1158 | char delimiter[] = " "; | ||
1159 | int ret = GNUNET_NO; | 1130 | int ret = GNUNET_NO; |
1160 | json_t *root; | 1131 | json_t *root; |
1161 | json_error_t error; | 1132 | json_error_t error; |
@@ -1163,19 +1134,12 @@ attr_in_claims_request (struct RequestHandle *handle, | |||
1163 | const char *key; | 1134 | const char *key; |
1164 | json_t *value; | 1135 | json_t *value; |
1165 | 1136 | ||
1166 | scope_variables = GNUNET_strdup (handle->oidc->scope); | 1137 | /** Check if attribute is requested through standard scope **/ |
1167 | scope_variable = strtok (scope_variables, delimiter); | 1138 | if (GNUNET_YES == OIDC_check_scopes_for_claim_request (handle->oidc->scope, |
1168 | while (NULL != scope_variable) | 1139 | attr_name)) |
1169 | { | 1140 | return GNUNET_YES; |
1170 | if (0 == strcmp (attr_name, scope_variable)) | ||
1171 | break; | ||
1172 | scope_variable = strtok (NULL, delimiter); | ||
1173 | } | ||
1174 | if (NULL != scope_variable) | ||
1175 | ret = GNUNET_YES; | ||
1176 | GNUNET_free (scope_variables); | ||
1177 | 1141 | ||
1178 | /** Try claims parameter if no in scope */ | 1142 | /** Try claims parameter if not in scope */ |
1179 | if ((NULL != handle->oidc->claims) && | 1143 | if ((NULL != handle->oidc->claims) && |
1180 | (GNUNET_YES != ret)) | 1144 | (GNUNET_YES != ret)) |
1181 | { | 1145 | { |
@@ -2122,13 +2086,13 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2122 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 2086 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
2123 | return; | 2087 | return; |
2124 | } | 2088 | } |
2125 | id_token = OIDC_id_token_new (&ticket.audience, | 2089 | id_token = OIDC_generate_id_token (&ticket.audience, |
2126 | &ticket.identity, | 2090 | &ticket.identity, |
2127 | cl, | 2091 | cl, |
2128 | al, | 2092 | al, |
2129 | &expiration_time, | 2093 | &expiration_time, |
2130 | (NULL != nonce) ? nonce : NULL, | 2094 | (NULL != nonce) ? nonce : NULL, |
2131 | jwt_secret); | 2095 | jwt_secret); |
2132 | access_token = OIDC_access_token_new (&ticket); | 2096 | access_token = OIDC_access_token_new (&ticket); |
2133 | OIDC_build_token_response (access_token, | 2097 | OIDC_build_token_response (access_token, |
2134 | id_token, | 2098 | id_token, |
@@ -2159,83 +2123,55 @@ consume_ticket (void *cls, | |||
2159 | const struct GNUNET_RECLAIM_Attestation *attest) | 2123 | const struct GNUNET_RECLAIM_Attestation *attest) |
2160 | { | 2124 | { |
2161 | struct RequestHandle *handle = cls; | 2125 | struct RequestHandle *handle = cls; |
2126 | struct GNUNET_RECLAIM_AttributeListEntry *ale; | ||
2127 | struct GNUNET_RECLAIM_AttestationListEntry *atle; | ||
2128 | struct MHD_Response *resp; | ||
2129 | char *result_str; | ||
2162 | handle->idp_op = NULL; | 2130 | handle->idp_op = NULL; |
2163 | 2131 | ||
2164 | if (NULL == identity) | 2132 | if (NULL == identity) |
2165 | { | 2133 | { |
2166 | GNUNET_SCHEDULER_add_now (&return_userinfo_response, handle); | 2134 | result_str = OIDC_generate_userinfo (&handle->ticket.identity, |
2135 | handle->attr_userinfo_list, | ||
2136 | handle->attests_list); | ||
2137 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Userinfo: %s\n", result_str); | ||
2138 | resp = GNUNET_REST_create_response (result_str); | ||
2139 | handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); | ||
2140 | GNUNET_free (result_str); | ||
2141 | cleanup_handle (handle); | ||
2167 | return; | 2142 | return; |
2168 | } | 2143 | } |
2169 | if (GNUNET_YES == GNUNET_RECLAIM_id_is_zero (&attr->attestation)) | 2144 | ale = GNUNET_new (struct GNUNET_RECLAIM_AttributeListEntry); |
2145 | ale->attribute = GNUNET_RECLAIM_attribute_new (attr->name, | ||
2146 | &attr->attestation, | ||
2147 | attr->type, | ||
2148 | attr->data, | ||
2149 | attr->data_size); | ||
2150 | ale->attribute->id = attr->id; | ||
2151 | ale->attribute->flag = attr->flag; | ||
2152 | ale->attribute->attestation = attr->attestation; | ||
2153 | GNUNET_CONTAINER_DLL_insert (handle->attr_userinfo_list->list_head, | ||
2154 | handle->attr_userinfo_list->list_tail, | ||
2155 | ale); | ||
2156 | for (atle = handle->attests_list->list_head; NULL != atle; atle = atle->next) | ||
2157 | { | ||
2158 | if (GNUNET_NO == GNUNET_RECLAIM_id_is_equal (&atle->attestation->id, | ||
2159 | &attest->id)) | ||
2160 | continue; | ||
2161 | break; /** already in list **/ | ||
2162 | } | ||
2163 | if (NULL == atle) | ||
2170 | { | 2164 | { |
2171 | char *tmp_value; | 2165 | /** Attestation matches for attribute, add **/ |
2172 | json_t *value; | 2166 | atle = GNUNET_new (struct GNUNET_RECLAIM_AttestationListEntry); |
2173 | tmp_value = GNUNET_RECLAIM_attribute_value_to_string (attr->type, | 2167 | atle->attestation = GNUNET_RECLAIM_attestation_new (attest->name, |
2174 | attr->data, | 2168 | attest->type, |
2175 | attr->data_size); | 2169 | attest->data, |
2176 | value = json_string (tmp_value); | 2170 | attest->data_size); |
2177 | json_object_set_new (handle->oidc->response, attr->name, value); | 2171 | GNUNET_CONTAINER_DLL_insert (handle->attests_list->list_head, |
2178 | GNUNET_free (tmp_value); | 2172 | handle->attests_list->list_tail, |
2179 | return; | 2173 | atle); |
2180 | } | 2174 | } |
2181 | json_t *claim_sources; | ||
2182 | json_t *claim_sources_jwt; | ||
2183 | json_t *claim_names; | ||
2184 | char *attest_val_str; | ||
2185 | claim_sources = json_object_get (handle->oidc->response,"_claim_sources"); | ||
2186 | claim_names = json_object_get (handle->oidc->response,"_claim_names"); | ||
2187 | attest_val_str = | ||
2188 | GNUNET_RECLAIM_attestation_value_to_string (attest->type, | ||
2189 | attest->data, | ||
2190 | attest->data_size); | ||
2191 | if ((NULL == claim_sources) && (NULL == claim_names) ) | ||
2192 | { | ||
2193 | claim_sources = json_object (); | ||
2194 | claim_names = json_object (); | ||
2195 | } | ||
2196 | char *source_name; | ||
2197 | int i = 0; | ||
2198 | GNUNET_asprintf (&source_name, "src%d", i); | ||
2199 | while (NULL != (claim_sources_jwt = json_object_get (claim_sources, | ||
2200 | source_name))) | ||
2201 | { | ||
2202 | if (0 == strcmp (json_string_value (json_object_get (claim_sources_jwt, | ||
2203 | "JWT")), | ||
2204 | attest_val_str)) | ||
2205 | { | ||
2206 | // Adapt only the claim names | ||
2207 | json_object_set_new (claim_names, attr->data, | ||
2208 | json_string (source_name)); | ||
2209 | json_object_set (handle->oidc->response, | ||
2210 | "_claim_names", claim_names); | ||
2211 | break; | ||
2212 | } | ||
2213 | i++; | ||
2214 | GNUNET_free (source_name); | ||
2215 | GNUNET_asprintf (&source_name, "src%d", i); | ||
2216 | } | ||
2217 | |||
2218 | // Create new one | ||
2219 | if (NULL == claim_sources_jwt) | ||
2220 | { | ||
2221 | claim_sources_jwt = json_object (); | ||
2222 | // Set the JWT for names | ||
2223 | json_object_set_new (claim_names, attr->data, | ||
2224 | json_string (source_name)); | ||
2225 | // Set the JWT for the inner source | ||
2226 | json_object_set_new (claim_sources_jwt, "JWT", | ||
2227 | json_string (attest_val_str)); | ||
2228 | // Set the JWT for the source | ||
2229 | json_object_set_new (claim_sources, source_name, claim_sources_jwt); | ||
2230 | // Set as claims | ||
2231 | json_object_set (handle->oidc->response, "_claim_names", claim_names); | ||
2232 | json_object_set (handle->oidc->response, "_claim_sources",claim_sources); | ||
2233 | } | ||
2234 | |||
2235 | json_decref (claim_sources); | ||
2236 | json_decref (claim_names); | ||
2237 | json_decref (claim_sources_jwt); | ||
2238 | GNUNET_free (attest_val_str); | ||
2239 | } | 2175 | } |
2240 | 2176 | ||
2241 | 2177 | ||
@@ -2253,14 +2189,13 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2253 | { | 2189 | { |
2254 | // TODO expiration time | 2190 | // TODO expiration time |
2255 | struct RequestHandle *handle = cls; | 2191 | struct RequestHandle *handle = cls; |
2192 | struct GNUNET_RECLAIM_Ticket *ticket; | ||
2256 | char delimiter[] = " "; | 2193 | char delimiter[] = " "; |
2257 | struct GNUNET_HashCode cache_key; | 2194 | struct GNUNET_HashCode cache_key; |
2258 | char *authorization; | 2195 | char *authorization; |
2259 | char *authorization_type; | 2196 | char *authorization_type; |
2260 | char *authorization_access_token; | 2197 | char *authorization_access_token; |
2261 | struct GNUNET_RECLAIM_Ticket *ticket; | ||
2262 | const struct EgoEntry *aud_ego; | 2198 | const struct EgoEntry *aud_ego; |
2263 | const struct EgoEntry *iss_ego; | ||
2264 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; | 2199 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *privkey; |
2265 | 2200 | ||
2266 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, | 2201 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, |
@@ -2316,9 +2251,10 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2316 | 2251 | ||
2317 | } | 2252 | } |
2318 | GNUNET_assert (NULL != ticket); | 2253 | GNUNET_assert (NULL != ticket); |
2319 | aud_ego = find_ego (handle, &ticket->audience); | 2254 | handle->ticket = *ticket; |
2320 | iss_ego = find_ego (handle, &ticket->identity); | 2255 | GNUNET_free (ticket); |
2321 | if ((NULL == aud_ego) || (NULL == iss_ego)) | 2256 | aud_ego = find_ego (handle, &handle->ticket.audience); |
2257 | if (NULL == aud_ego) | ||
2322 | { | 2258 | { |
2323 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); | 2259 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); |
2324 | handle->edesc = GNUNET_strdup ("The access token expired"); | 2260 | handle->edesc = GNUNET_strdup ("The access token expired"); |
@@ -2328,16 +2264,16 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2328 | return; | 2264 | return; |
2329 | } | 2265 | } |
2330 | 2266 | ||
2331 | handle->oidc->response = json_object (); | ||
2332 | json_object_set_new (handle->oidc->response, | ||
2333 | "sub", | ||
2334 | json_string (iss_ego->keystring)); | ||
2335 | privkey = GNUNET_IDENTITY_ego_get_private_key (aud_ego->ego); | 2267 | privkey = GNUNET_IDENTITY_ego_get_private_key (aud_ego->ego); |
2268 | handle->attr_userinfo_list = | ||
2269 | GNUNET_new (struct GNUNET_RECLAIM_AttributeList); | ||
2270 | handle->attests_list = | ||
2271 | GNUNET_new (struct GNUNET_RECLAIM_AttestationList); | ||
2336 | 2272 | ||
2337 | handle->idp_op = GNUNET_RECLAIM_ticket_consume (idp, | 2273 | handle->idp_op = GNUNET_RECLAIM_ticket_consume (idp, |
2338 | privkey, | 2274 | privkey, |
2339 | ticket, | 2275 | &handle->ticket, |
2340 | consume_ticket, | 2276 | &consume_ticket, |
2341 | handle); | 2277 | handle); |
2342 | GNUNET_free (authorization); | 2278 | GNUNET_free (authorization); |
2343 | } | 2279 | } |
@@ -2535,6 +2471,7 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2535 | cleanup_handle (handle); | 2471 | cleanup_handle (handle); |
2536 | } | 2472 | } |
2537 | 2473 | ||
2474 | |||
2538 | /** | 2475 | /** |
2539 | * Respond to OPTIONS request | 2476 | * Respond to OPTIONS request |
2540 | * | 2477 | * |
@@ -2544,8 +2481,8 @@ oidc_config_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2544 | */ | 2481 | */ |
2545 | static void | 2482 | static void |
2546 | oidc_config_cors (struct GNUNET_REST_RequestHandle *con_handle, | 2483 | oidc_config_cors (struct GNUNET_REST_RequestHandle *con_handle, |
2547 | const char *url, | 2484 | const char *url, |
2548 | void *cls) | 2485 | void *cls) |
2549 | { | 2486 | { |
2550 | struct MHD_Response *resp; | 2487 | struct MHD_Response *resp; |
2551 | struct RequestHandle *handle = cls; | 2488 | struct RequestHandle *handle = cls; |
@@ -2560,7 +2497,6 @@ oidc_config_cors (struct GNUNET_REST_RequestHandle *con_handle, | |||
2560 | } | 2497 | } |
2561 | 2498 | ||
2562 | 2499 | ||
2563 | |||
2564 | static enum GNUNET_GenericReturnValue | 2500 | static enum GNUNET_GenericReturnValue |
2565 | rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle, | 2501 | rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle, |
2566 | GNUNET_REST_ResultProcessor proc, | 2502 | GNUNET_REST_ResultProcessor proc, |
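Review bot: In the consume_ticket hunk the rewritten body dereferences attest unconditionally — the for loop reads &attest->id on every iteration and the NULL == atle branch reads attest->name, attest->type, attest->data — whereas the removed code first checked GNUNET_RECLAIM_id_is_zero (&attr->attestation) before touching any attestation data; if the consume callback can still deliver an attribute that has no attestation (attest == NULL), this is a null dereference on the userinfo path, so the lookup and insertion should be guarded by `if ((NULL != attest) && (GNUNET_NO == GNUNET_RECLAIM_id_is_zero (&attr->attestation)))`. Separately, the new attestation entry never receives the id the dedup loop keys on: the attribute gets `ale->attribute->id = attr->id;`, but atle->attestation is built from name/type/data only, so unless GNUNET_RECLAIM_attestation_new derives the id from its arguments, `atle->attestation->id = attest->id;` is needed after it or every later attribute carrying the same attestation appends a duplicate to attests_list. consume_ticket's parameter list begins before the hunk. In userinfo_endpoint, `handle->ticket = *ticket; GNUNET_free (ticket);` frees a pointer whose allocation is above the hunk; confirm that the lookup there hands out an owned copy rather than a cache-owned entry, otherwise this introduces a double free.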