author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-04 10:09:45 +0200 |
---|---|---|
committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2020-08-04 10:09:45 +0200 |
commit | 080519e980d8f8a3b138c733f837417bdb1b6757 (patch) | |
tree | 992d8e5deac776df3b2710b98054041a6d2f23fb /src | |
parent | ba2050750fcb0b5c7919fda98bca4f7c13a36d14 (diff) | |
download | gnunet-080519e980d8f8a3b138c733f837417bdb1b6757.tar.gz gnunet-080519e980d8f8a3b138c733f837417bdb1b6757.zip |
reclaim: do not store access token instead piggyback ticket
Diffstat (limited to 'src')
-rw-r--r-- | src/reclaim/oidc_helper.c | 25 | ||||
-rw-r--r-- | src/reclaim/oidc_helper.h | 9 | ||||
-rw-r--r-- | src/reclaim/plugin_rest_openid_connect.c | 52 |
3 files changed, 31 insertions, 55 deletions
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c index ad2839200..b48738cc4 100644 --- a/src/reclaim/oidc_helper.c +++ b/src/reclaim/oidc_helper.c | |||
@@ -757,15 +757,28 @@ OIDC_build_token_response (const char *access_token, | |||
757 | * Generate a new access token | 757 | * Generate a new access token |
758 | */ | 758 | */ |
759 | char * | 759 | char * |
760 | OIDC_access_token_new () | 760 | OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket) |
761 | { | 761 | { |
762 | char *access_token; | 762 | char *access_token; |
763 | uint64_t random_number; | ||
764 | 763 | ||
765 | random_number = | 764 | GNUNET_STRINGS_base64_encode (ticket, |
766 | GNUNET_CRYPTO_random_u64 (GNUNET_CRYPTO_QUALITY_NONCE, UINT64_MAX); | 765 | sizeof(*ticket), |
767 | GNUNET_STRINGS_base64_encode (&random_number, | ||
768 | sizeof(uint64_t), | ||
769 | &access_token); | 766 | &access_token); |
770 | return access_token; | 767 | return access_token; |
771 | } | 768 | } |
769 | |||
770 | |||
771 | /** | ||
772 | * Parse an access token | ||
773 | */ | ||
774 | int | ||
775 | OIDC_access_token_parse (const char*token, | ||
776 | struct GNUNET_RECLAIM_Ticket **ticket) | ||
777 | { | ||
778 | if (sizeof (struct GNUNET_RECLAIM_Ticket) != | ||
779 | GNUNET_STRINGS_base64_decode (token, | ||
780 | strlen (token), | ||
781 | (void**) ticket)) | ||
782 | return GNUNET_SYSERR; | ||
783 | return GNUNET_OK; | ||
784 | } | ||
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h index 2c533357e..e84087fc3 100644 --- a/src/reclaim/oidc_helper.h +++ b/src/reclaim/oidc_helper.h | |||
@@ -117,7 +117,12 @@ OIDC_build_token_response (const char *access_token, | |||
117 | * Generate a new access token | 117 | * Generate a new access token |
118 | */ | 118 | */ |
119 | char* | 119 | char* |
120 | OIDC_access_token_new (); | 120 | OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket); |
121 | |||
122 | 121 | ||
122 | /** | ||
123 | * Parse an access token | ||
124 | */ | ||
125 | int | ||
126 | OIDC_access_token_parse (const char* token, | ||
127 | struct GNUNET_RECLAIM_Ticket **ticket); | ||
123 | #endif | 128 | #endif |
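Review bot: Neither new declaration in oidc_helper.h documents ownership, yet both hand back heap memory: OIDC_access_token_new returns the string produced by base64_encode and OIDC_access_token_parse writes a decoded buffer into *ticket, and nothing tells the caller to GNUNET_free either. Add `@param ticket the ticket to encode into the token` and `@return newly allocated base64 token, caller must free` to the first, and `@param token the base64 token to decode`, `@param[out] ticket set to a newly allocated ticket on GNUNET_OK, caller must free` and `@return GNUNET_OK, or GNUNET_SYSERR if the token does not decode to exactly one ticket` to the second. Stating that the token is now a plain encoding of the ticket rather than an opaque random value would also warn callers that may have relied on the previous unguessable token.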
diff --git a/src/reclaim/plugin_rest_openid_connect.c b/src/reclaim/plugin_rest_openid_connect.c index 3db881244..eb602a08f 100644 --- a/src/reclaim/plugin_rest_openid_connect.c +++ b/src/reclaim/plugin_rest_openid_connect.c | |||
@@ -239,12 +239,6 @@ static char *OIDC_ignored_parameter_array[] = { "display", | |||
239 | struct GNUNET_CONTAINER_MultiHashMap *OIDC_cookie_jar_map; | 239 | struct GNUNET_CONTAINER_MultiHashMap *OIDC_cookie_jar_map; |
240 | 240 | ||
241 | /** | 241 | /** |
242 | * Hash map that links the issued access token to the corresponding ticket and | ||
243 | * ego | ||
244 | */ | ||
245 | struct GNUNET_CONTAINER_MultiHashMap *OIDC_access_token_map; | ||
246 | |||
247 | /** | ||
248 | * The configuration handle | 242 | * The configuration handle |
249 | */ | 243 | */ |
250 | const struct GNUNET_CONFIGURATION_Handle *cfg; | 244 | const struct GNUNET_CONFIGURATION_Handle *cfg; |
@@ -1980,26 +1974,6 @@ find_ego (struct RequestHandle *handle, | |||
1980 | } | 1974 | } |
1981 | 1975 | ||
1982 | 1976 | ||
1983 | static void | ||
1984 | persist_access_token (const struct RequestHandle *handle, | ||
1985 | const char *access_token, | ||
1986 | const struct GNUNET_RECLAIM_Ticket *ticket) | ||
1987 | { | ||
1988 | struct GNUNET_HashCode hc; | ||
1989 | struct GNUNET_RECLAIM_Ticket *ticketbuf; | ||
1990 | |||
1991 | GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc); | ||
1992 | ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket); | ||
1993 | *ticketbuf = *ticket; | ||
1994 | GNUNET_assert (GNUNET_SYSERR != | ||
1995 | GNUNET_CONTAINER_multihashmap_put ( | ||
1996 | OIDC_access_token_map, | ||
1997 | &hc, | ||
1998 | ticketbuf, | ||
1999 | GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); | ||
2000 | } | ||
2001 | |||
2002 | |||
2003 | /** | 1977 | /** |
2004 | * Responds to token url-encoded POST request | 1978 | * Responds to token url-encoded POST request |
2005 | * | 1979 | * |
@@ -2148,13 +2122,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2148 | &expiration_time, | 2122 | &expiration_time, |
2149 | (NULL != nonce) ? nonce : NULL, | 2123 | (NULL != nonce) ? nonce : NULL, |
2150 | jwt_secret); | 2124 | jwt_secret); |
2151 | access_token = OIDC_access_token_new (); | 2125 | access_token = OIDC_access_token_new (&ticket); |
2152 | OIDC_build_token_response (access_token, | 2126 | OIDC_build_token_response (access_token, |
2153 | id_token, | 2127 | id_token, |
2154 | &expiration_time, | 2128 | &expiration_time, |
2155 | &json_response); | 2129 | &json_response); |
2156 | 2130 | ||
2157 | persist_access_token (handle, access_token, &ticket); | ||
2158 | resp = GNUNET_REST_create_response (json_response); | 2131 | resp = GNUNET_REST_create_response (json_response); |
2159 | MHD_add_response_header (resp, "Cache-Control", "no-store"); | 2132 | MHD_add_response_header (resp, "Cache-Control", "no-store"); |
2160 | MHD_add_response_header (resp, "Pragma", "no-cache"); | 2133 | MHD_add_response_header (resp, "Pragma", "no-cache"); |
@@ -2324,22 +2297,17 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
2324 | return; | 2297 | return; |
2325 | } | 2298 | } |
2326 | 2299 | ||
2327 | GNUNET_CRYPTO_hash (authorization_access_token, | 2300 | if (GNUNET_OK != OIDC_access_token_parse (authorization_access_token, |
2328 | strlen (authorization_access_token), | 2301 | &ticket)) |
2329 | &cache_key); | ||
2330 | if (GNUNET_NO == | ||
2331 | GNUNET_CONTAINER_multihashmap_contains (OIDC_access_token_map, | ||
2332 | &cache_key)) | ||
2333 | { | 2302 | { |
2334 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); | 2303 | handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN); |
2335 | handle->edesc = GNUNET_strdup ("The access token expired"); | 2304 | handle->edesc = GNUNET_strdup ("The access token is invalid"); |
2336 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2305 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
2337 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2306 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
2338 | GNUNET_free (authorization); | 2307 | GNUNET_free (authorization); |
2339 | return; | 2308 | return; |
2309 | |||
2340 | } | 2310 | } |
2341 | ticket = | ||
2342 | GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key); | ||
2343 | GNUNET_assert (NULL != ticket); | 2311 | GNUNET_assert (NULL != ticket); |
2344 | aud_ego = find_ego (handle, &ticket->audience); | 2312 | aud_ego = find_ego (handle, &ticket->audience); |
2345 | iss_ego = find_ego (handle, &ticket->identity); | 2313 | iss_ego = find_ego (handle, &ticket->identity); |
@@ -2523,9 +2491,6 @@ rest_identity_process_request (struct GNUNET_REST_RequestHandle *rest_handle, | |||
2523 | if (NULL == OIDC_cookie_jar_map) | 2491 | if (NULL == OIDC_cookie_jar_map) |
2524 | OIDC_cookie_jar_map = GNUNET_CONTAINER_multihashmap_create (10, | 2492 | OIDC_cookie_jar_map = GNUNET_CONTAINER_multihashmap_create (10, |
2525 | GNUNET_NO); | 2493 | GNUNET_NO); |
2526 | if (NULL == OIDC_access_token_map) | ||
2527 | OIDC_access_token_map = | ||
2528 | GNUNET_CONTAINER_multihashmap_create (10, GNUNET_NO); | ||
2529 | handle->response_code = 0; | 2494 | handle->response_code = 0; |
2530 | handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL; | 2495 | handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL; |
2531 | handle->proc_cls = proc_cls; | 2496 | handle->proc_cls = proc_cls; |
@@ -2606,13 +2571,6 @@ libgnunet_plugin_rest_openid_connect_done (void *cls) | |||
2606 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); | 2571 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); |
2607 | GNUNET_CONTAINER_multihashmap_destroy (OIDC_cookie_jar_map); | 2572 | GNUNET_CONTAINER_multihashmap_destroy (OIDC_cookie_jar_map); |
2608 | 2573 | ||
2609 | hashmap_it = | ||
2610 | GNUNET_CONTAINER_multihashmap_iterator_create (OIDC_access_token_map); | ||
2611 | while (GNUNET_YES == | ||
2612 | GNUNET_CONTAINER_multihashmap_iterator_next (hashmap_it, NULL, | ||
2613 | value)) | ||
2614 | GNUNET_free (value); | ||
2615 | GNUNET_CONTAINER_multihashmap_destroy (OIDC_access_token_map); | ||
2616 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); | 2574 | GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it); |
2617 | GNUNET_free (allow_methods); | 2575 | GNUNET_free (allow_methods); |
2618 | GNUNET_free (api); | 2576 | GNUNET_free (api); |
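Review bot: libgnunet_plugin_rest_openid_connect_done now destroys the same iterator twice: hashmap_it is released at new line 2571 and again at 2574, where the second call survived the removal of the access-token map loop, so plugin unload double-frees the cookie-jar iterator; drop the line `GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);` at 2574. In userinfo_endpoint the ticket is now heap memory returned by OIDC_access_token_parse rather than a borrowed map entry, so every path after new line 2311 (the function continues outside this hunk) has to free it or the endpoint leaks one ticket per request. The removed map was also the only server-side state for tokens; with a token that is just the encoded ticket there is no longer any way to revoke or expire one, which is worth documenting alongside the changed "The access token is invalid" message.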