-merge

2 files changed, 274 insertions, 77 deletions

diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c
index 4a03221a0..bf0ce9053 100644
--- a/src/identity-provider/plugin_rest_identity_provider.c
+++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -71,6 +71,11 @@
 #define GNUNET_REST_API_NS_AUTHORIZE "/idp/authorize"
 
 /**
+ * Login namespace
+ */
+#define GNUNET_REST_API_NS_LOGIN "/idp/login"
+
+/**
  * Attribute key
  */
 #define GNUNET_REST_JSONAPI_IDENTITY_ATTRIBUTE "attribute"
@@ -127,6 +132,11 @@
 #define OIDC_NONCE_KEY "nonce"
 
 /**
+ * OIDC authorization header key
+ */
+#define OIDC_AUTHORIZATION_HEADER_KEY "Authorization"
+
+/**
  * OIDC expected response_type while authorizing
  */
 #define OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE "code"
@@ -153,6 +163,11 @@ char* OIDC_ignored_parameter_array [] =
 };
 
 /**
+ * OIDC authorized identities and times hashmap
+ */
+struct GNUNET_CONTAINER_MultiHashMap *OIDC_authorized_identities;
+
+/**
  * The configuration handle
  */
 const struct GNUNET_CONFIGURATION_Handle *cfg;
@@ -296,6 +311,16 @@ struct RequestHandle
   char *emsg;
 
   /**
+   * Error response uri
+   */
+  char *eredirect;
+
+  /**
+   * Error response description
+   */
+  char *edesc;
+
+  /**
    * Reponse code
    */
   int response_code;
@@ -377,6 +402,28 @@ do_error (void *cls)
 }
 
 /**
+ * Task run on error, sends error message.  Cleans up everything.
+ *
+ * @param cls the `struct RequestHandle`
+ */
+static void
+do_redirect_error (void *cls)
+{
+  struct RequestHandle *handle = cls;
+  struct MHD_Response *resp;
+  char* redirect;
+  //TODO handle->url is wrong
+  GNUNET_asprintf (&redirect,
+                   "%s?error=%s&error_description=%s",
+                   handle->eredirect, handle->emsg, handle->edesc );
+  resp = GNUNET_REST_create_response ("");
+  MHD_add_response_header (resp, "Location", redirect);
+  handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+  cleanup_handle (handle);
+  GNUNET_free (redirect);
+}
+
+/**
  * Task run on timeout, sends error message.  Cleans up everything.
  *
  * @param cls the `struct RequestHandle`
@@ -1086,21 +1133,18 @@ authorize_cont (struct GNUNET_REST_RequestHandle *con_handle,
 {
   struct MHD_Response *resp;
   struct RequestHandle *handle = cls;
-  char *response_type;
-  char *client_id;
-  char *scope;
-  char *redirect_uri;
-  char *state;
-  char *nonce;
+  char *response_type, *client_id, *scope, *redirect_uri, *state = 0,
+      *nonce = 0;
+  struct timeval now, login_time;
+  OIDC_authorized_identities  = GNUNET_CONTAINER_multihashmap_create( 10, GNUNET_NO );
+  char *login_base_url, *new_redirect;
+  struct GNUNET_HashCode cache_key;
 
   //TODO clean up method
 
   /**   The Authorization Server MUST validate all the OAuth 2.0 parameters
    *    according to the OAuth 2.0 specification.
    */
-  /**   The Authorization Server MUST verify that all the REQUIRED parameters
-   *    are present and their usage conforms to this specification.
-   */
   /**
    *    If the sub (subject) Claim is requested with a specific value for the
    *    ID Token, the Authorization Server MUST only send a positive response
@@ -1115,74 +1159,104 @@ authorize_cont (struct GNUNET_REST_RequestHandle *con_handle,
    */
 
 
-  int size=sizeof(OIDC_ignored_parameter_array)/sizeof(char *);
 
-  GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Size %i = 8\n", size);
-
-  struct GNUNET_HashCode cache_key;
-
-  GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY),
-                      &cache_key);
+  // REQUIRED value: client_id
+  GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY),
+                      &cache_key);
   if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
                                                            &cache_key))
   {
-    //TODO error
-
+    handle->emsg=GNUNET_strdup("invalid_request");
+    handle->edesc=GNUNET_strdup("Missing parameter: client_id");
+    GNUNET_SCHEDULER_add_now (&do_error, handle);
+    return;
   }
-  response_type = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
-                                                    &cache_key);
-
+  client_id = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+                                                &cache_key);
 
-  GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY),
+  // Checks if client_id is valid:
+  // TODO change check (lookup trusted public_key?)
+//  if( strcmp( client_id, "localhost" ) != 0 )
+//  {
+//    handle->emsg=GNUNET_strdup("unauthorized_client");
+//    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+//    GNUNET_SCHEDULER_add_now (&do_error, handle);
+//    return;
+//  }
+
+  // REQUIRED value: redirect_uri
+  GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY),
                       &cache_key);
   if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
                                                            &cache_key))
   {
-    //TODO error
+    handle->emsg=GNUNET_strdup("invalid_request");
+    handle->edesc=GNUNET_strdup("Missing parameter: redirect_uri");
+    GNUNET_SCHEDULER_add_now (&do_error, handle);
+    return;
   }
-  client_id = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+  redirect_uri = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
                                                 &cache_key);
 
-  //TODO verify if client_id is in delegation from selected identity, i.e. use GNUNET_NAMESTORE_zone_to_name() to verify
-  GNUNET_CRYPTO_hash (OIDC_SCOPE_KEY, strlen (OIDC_SCOPE_KEY), &cache_key);
+  // Checks if redirect_uri is valid:
+  // TODO change check (check client_id->public key == address)
+//  if( strcmp( redirect_uri, "https://localhost:8000" ) != 0 )
+//  {
+//    handle->emsg=GNUNET_strdup("invalid_request");
+//    handle->edesc=GNUNET_strdup("Invalid or mismatching redirect_uri");
+//    GNUNET_SCHEDULER_add_now (&do_error, handle);
+//    return;
+//  }
+  handle->eredirect = GNUNET_strdup(redirect_uri);
+
+  // REQUIRED value: response_type
+  GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY),
+                      &cache_key);
   if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
                                                            &cache_key))
   {
-    //TODO error
+    handle->emsg=GNUNET_strdup("invalid_request");
+    handle->edesc=GNUNET_strdup("Missing parameter: response_type");
+    GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
+    return;
   }
-  scope = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
-                                            &cache_key);
+  response_type = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+                                                    &cache_key);
 
-  GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY),
-                      &cache_key);
+  // REQUIRED value: scope
+  GNUNET_CRYPTO_hash (OIDC_SCOPE_KEY, strlen (OIDC_SCOPE_KEY), &cache_key);
   if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
                                                            &cache_key))
   {
-    //TODO error
+    handle->emsg=GNUNET_strdup("invalid_request");
+    handle->edesc=GNUNET_strdup("Missing parameter: scope");
+    GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
+    return;
   }
-  redirect_uri = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
-                                                &cache_key);
+  scope = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+                                            &cache_key);
 
+  //RECOMMENDED value: state
   GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key);
-  if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
+  if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
                                                            &cache_key))
   {
-    //TODO error
+    state = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+                                              &cache_key);
   }
-  state = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
-                                            &cache_key);
 
+  //OPTIONAL value: nonce
   GNUNET_CRYPTO_hash (OIDC_NONCE_KEY, strlen (OIDC_NONCE_KEY), &cache_key);
-  if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
+  if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
                                                            &cache_key))
   {
-    //TODO error
+    nonce = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+                                              &cache_key);
   }
-  nonce = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
-                                            &cache_key);
 
+  int number_of_ignored_parameter = sizeof(OIDC_ignored_parameter_array) / sizeof(char *);
   int iterator;
-  for( iterator = 0; iterator < size; iterator++ )
+  for( iterator = 0; iterator < number_of_ignored_parameter; iterator++ )
   {
     GNUNET_CRYPTO_hash (OIDC_ignored_parameter_array[iterator],
                         strlen(OIDC_ignored_parameter_array[iterator]),
@@ -1190,61 +1264,183 @@ authorize_cont (struct GNUNET_REST_RequestHandle *con_handle,
     if(GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains(handle->rest_handle->url_param_map,
                                                             &cache_key))
     {
-      //TODO error
+      handle->emsg=GNUNET_strdup("access_denied");
+      //TODO rewrite error description
+      handle->edesc=GNUNET_strdup("Server will not handle parameter");
+      GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
+      return;
     }
   }
 
-
-  //response_type = code
+  // Checks if response_type is 'code'
   if( strcmp( response_type, OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE ) != 0 )
   {
-    //TODO error
+    handle->emsg=GNUNET_strdup("unsupported_response_type");
+    handle->edesc=GNUNET_strdup("The authorization server does not support "
+                                "obtaining this authorization code.");
+    GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
+    return;
   }
-  //scope contains openid
+  // Checks if scope contains 'openid'
   if( strstr( scope, OIDC_EXPECTED_AUTHORIZATION_SCOPE ) == NULL )
   {
     handle->emsg=GNUNET_strdup("invalid_scope");
-    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-    GNUNET_SCHEDULER_add_now (&do_error, handle);
+    handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or "
+                                "malformed.");
+    GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
     return;
   }
 
+
   //TODO check other values and use them accordingly
 
 
-  char* login_base_url;
 
-  //    if(){
-  //
-  //    }else{
-  //
-  //    }
-  if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg,
-                                                          "identity-rest-plugin",
-                                                          "address",
-                                                          &login_base_url))
+
+  //if header-authorization == ID
+    //if ID is still logged
+      // ego get Public Key of Identity
+      // return token with public key?
+  // save request
+
+  GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY,
+                      strlen (OIDC_AUTHORIZATION_HEADER_KEY),
+                      &cache_key);
+  //No Authorization Parameter -> redirect to login
+  if(GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains(con_handle->header_param_map,
+                                                          &cache_key))
   {
-    char* new_redirect;
-    GNUNET_asprintf (&new_redirect, "%s?%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s",
-                     login_base_url,
-                     OIDC_RESPONSE_TYPE_KEY, response_type,
-                     OIDC_CLIENT_ID_KEY, client_id,
-                     OIDC_REDIRECT_URI_KEY, redirect_uri,
-                     OIDC_SCOPE_KEY, scope,
-                     OIDC_STATE_KEY, state,
-                     OIDC_NONCE_KEY, nonce
-                    );
+    if ( GNUNET_OK
+        == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin",
+                                                  "address", &login_base_url) )
+    {
+      GNUNET_asprintf (&new_redirect, "%s?%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s",
+                       login_base_url,
+                       OIDC_RESPONSE_TYPE_KEY,
+                       response_type,
+                       OIDC_CLIENT_ID_KEY,
+                       client_id,
+                       OIDC_REDIRECT_URI_KEY,
+                       redirect_uri,
+                       OIDC_SCOPE_KEY,
+                       scope,
+                       OIDC_STATE_KEY,
+                       (state) ? state : "",
+                       OIDC_NONCE_KEY,
+                       (nonce) ? nonce : "");
+      resp = GNUNET_REST_create_response ("");
+      MHD_add_response_header (resp, "Location", new_redirect);
+    }
+    else
+    {
+      handle->emsg = GNUNET_strdup("No server configuration");
+      handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+      GNUNET_SCHEDULER_add_now (&do_error, handle);
+      return;
+    }
+    handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+    cleanup_handle (handle);
+    GNUNET_free(new_redirect);
+    return;
+  }
+  else
+  {
+    char* identity = GNUNET_CONTAINER_multihashmap_get ( con_handle->header_param_map,
+                                                         &cache_key);
+    GNUNET_CRYPTO_hash (identity, strlen (identity), &cache_key);
+    if(GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains(OIDC_authorized_identities,
+                                                           &cache_key))
+    {
+      login_time = *(struct timeval *)GNUNET_CONTAINER_multihashmap_get(OIDC_authorized_identities,
+                                                                    &cache_key);
+      gettimeofday(&now, NULL);
+      //After 30 minutes redirect to login
+      if( now.tv_sec - login_time.tv_sec >= 1800)
+      {
+        //TODO remove redundancy [redirect to login]
+        if ( GNUNET_OK
+            == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin",
+                                                      "address", &login_base_url) )
+        {
+          GNUNET_asprintf (&new_redirect, "%s?%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s",
+                           login_base_url,
+                           OIDC_RESPONSE_TYPE_KEY,
+                           response_type,
+                           OIDC_CLIENT_ID_KEY,
+                           client_id,
+                           OIDC_REDIRECT_URI_KEY,
+                           redirect_uri,
+                           OIDC_SCOPE_KEY,
+                           scope,
+                           OIDC_STATE_KEY,
+                           (state) ? state : "",
+                           OIDC_NONCE_KEY,
+                           (nonce) ? nonce : "");
+          resp = GNUNET_REST_create_response ("");
+          MHD_add_response_header (resp, "Location", new_redirect);
+        }
+        else
+        {
+          handle->emsg = GNUNET_strdup("No server configuration");
+          handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+          GNUNET_SCHEDULER_add_now (&do_error, handle);
+          return;
+        }
+        handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+        cleanup_handle (handle);
+        GNUNET_free(new_redirect);
+        return;
+      }
+    }
+    else
+    {
+      gettimeofday( &now, NULL );
+      GNUNET_CONTAINER_multihashmap_put( OIDC_authorized_identities, &cache_key, &now,
+                                         GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY);
+    }
     resp = GNUNET_REST_create_response ("");
-    MHD_add_response_header (resp, "Location", new_redirect);
-  }else{
-    handle->emsg=GNUNET_strdup("No server on localhost:8000");
-    handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-    GNUNET_SCHEDULER_add_now (&do_error, handle);
+//    MHD_add_response_header (resp, "Access-Control-Allow-Origin", "*");
+    MHD_add_response_header (resp, "Location", redirect_uri);
+    handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+    cleanup_handle (handle);
     return;
   }
+}
 
-  handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+
+/**
+ * Respond to LOGIN request
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
+static void
+login_cont (struct GNUNET_REST_RequestHandle *con_handle,
+                const char* url,
+                void *cls)
+{
+  struct MHD_Response *resp = GNUNET_REST_create_response ("");
+  struct RequestHandle *handle = cls;
+  char* cookie;
+  json_t *root;
+  json_error_t error;
+  json_t *identity;
+  root = json_loads( handle->rest_handle->data, 0, &error );
+  identity = json_object_get(root, "identity");
+  if(json_is_string(identity))
+  {
+    GNUNET_asprintf(&cookie,"Identity=%s",json_string_value(identity));
+    MHD_add_response_header (resp, "Set-Cookie", cookie);
+    handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
+  }
+  else
+  {
+    handle->proc (handle->proc_cls, resp, MHD_HTTP_BAD_REQUEST);
+  }
+  json_decref(root);
   cleanup_handle (handle);
+  GNUNET_free(cookie);
   return;
 }
 
@@ -1262,6 +1458,7 @@ init_cont (struct RequestHandle *handle)
     {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont},
     {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont},
     {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
+    {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont},
     {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
     {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont},
     {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont},
diff --git a/src/rest/rest.conf b/src/rest/rest.conf
index b86e6c1a0..f74d772e8 100644
--- a/src/rest/rest.conf
+++ b/src/rest/rest.conf
@@ -3,4 +3,4 @@ UNIXPATH = $GNUNET_USER_RUNTIME_DIR/gnunet-service-rest.sock
 BINARY=gnunet-rest-server
 REST_PORT=7776
 REST_ALLOW_HEADERS=Authorization,Accept,Content-Type
-REST_ALLOW_ORIGIN=*
+REST_ALLOW_ORIGIN=http://localhost:8000