diff options
| author | Phil <phil.buschmann@tum.de> | 2018-02-27 15:58:05 +0100 |
|---|---|---|
| committer | Phil <phil.buschmann@tum.de> | 2018-02-27 15:58:05 +0100 |
| commit | 5af7ba146c11433abd67497ed170a8591948a722 (patch) | |
| tree | 93a5742abdc88427e48c8dd99e6852927967a6dd /src | |
| parent | 699ff34b7203eb99d7ff1a45ff6b8309676c1102 (diff) | |
| download | gnunet-5af7ba146c11433abd67497ed170a8591948a722.tar.gz gnunet-5af7ba146c11433abd67497ed170a8591948a722.zip | |
-fix userinfo_endpoint
Diffstat (limited to 'src')
| -rw-r--r-- | src/identity-provider/plugin_rest_identity_provider.c | 89 |
1 files changed, 64 insertions, 25 deletions
diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index 9ba73ff1c..ef50077f5 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c | |||
| @@ -19,6 +19,7 @@ | |||
| 19 | */ | 19 | */ |
| 20 | /** | 20 | /** |
| 21 | * @author Martin Schanzenbach | 21 | * @author Martin Schanzenbach |
| 22 | * @author Philippe Buschmann | ||
| 22 | * @file identity/plugin_rest_identity.c | 23 | * @file identity/plugin_rest_identity.c |
| 23 | * @brief GNUnet Namestore REST plugin | 24 | * @brief GNUnet Namestore REST plugin |
| 24 | * | 25 | * |
| @@ -234,6 +235,7 @@ struct Plugin | |||
| 234 | { | 235 | { |
| 235 | const struct GNUNET_CONFIGURATION_Handle *cfg; | 236 | const struct GNUNET_CONFIGURATION_Handle *cfg; |
| 236 | }; | 237 | }; |
| 238 | |||
| 237 | /** | 239 | /** |
| 238 | * OIDC needed variables | 240 | * OIDC needed variables |
| 239 | */ | 241 | */ |
| @@ -546,7 +548,8 @@ do_error (void *cls) | |||
| 546 | 548 | ||
| 547 | 549 | ||
| 548 | /** | 550 | /** |
| 549 | * Task run on error, sends error message. Cleans up everything. | 551 | * Task run on error in userinfo endpoint, sends error header. Cleans up |
| 552 | * everything | ||
| 550 | * | 553 | * |
| 551 | * @param cls the `struct RequestHandle` | 554 | * @param cls the `struct RequestHandle` |
| 552 | */ | 555 | */ |
| @@ -569,7 +572,7 @@ do_userinfo_error (void *cls) | |||
| 569 | 572 | ||
| 570 | 573 | ||
| 571 | /** | 574 | /** |
| 572 | * Task run on error, sends error message. Cleans up everything. | 575 | * Task run on error, sends error message and redirects. Cleans up everything. |
| 573 | * | 576 | * |
| 574 | * @param cls the `struct RequestHandle` | 577 | * @param cls the `struct RequestHandle` |
| 575 | */ | 578 | */ |
| @@ -673,6 +676,12 @@ return_userinfo_response (void *cls) | |||
| 673 | cleanup_handle (handle); | 676 | cleanup_handle (handle); |
| 674 | } | 677 | } |
| 675 | 678 | ||
| 679 | /** | ||
| 680 | * Returns base64 encoded string without padding | ||
| 681 | * | ||
| 682 | * @param string the string to encode | ||
| 683 | * @return base64 encoded string | ||
| 684 | */ | ||
| 676 | static char* | 685 | static char* |
| 677 | base_64_encode(char *string) | 686 | base_64_encode(char *string) |
| 678 | { | 687 | { |
| @@ -1328,13 +1337,13 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 1328 | } | 1337 | } |
| 1329 | 1338 | ||
| 1330 | /** | 1339 | /** |
| 1331 | * Cookie interpretation | 1340 | * Interprets cookie header and pass its identity keystring to handle |
| 1332 | */ | 1341 | */ |
| 1333 | static void | 1342 | static void |
| 1334 | cookie_identity_interpretation (struct RequestHandle *handle) | 1343 | cookie_identity_interpretation (struct RequestHandle *handle) |
| 1335 | { | 1344 | { |
| 1336 | struct GNUNET_HashCode cache_key; | 1345 | struct GNUNET_HashCode cache_key; |
| 1337 | char* cookies; | 1346 | char *cookies; |
| 1338 | struct GNUNET_TIME_Absolute current_time, *relog_time; | 1347 | struct GNUNET_TIME_Absolute current_time, *relog_time; |
| 1339 | char delimiter[] = "; "; | 1348 | char delimiter[] = "; "; |
| 1340 | 1349 | ||
| @@ -1378,7 +1387,7 @@ cookie_identity_interpretation (struct RequestHandle *handle) | |||
| 1378 | } | 1387 | } |
| 1379 | 1388 | ||
| 1380 | /** | 1389 | /** |
| 1381 | * Login redirection | 1390 | * Redirects to login page stored in configuration file |
| 1382 | */ | 1391 | */ |
| 1383 | static void | 1392 | static void |
| 1384 | login_redirection(void *cls) | 1393 | login_redirection(void *cls) |
| @@ -1424,7 +1433,7 @@ login_redirection(void *cls) | |||
| 1424 | } | 1433 | } |
| 1425 | 1434 | ||
| 1426 | /** | 1435 | /** |
| 1427 | * Function called if we had an error in zone-to-name mapping. | 1436 | * Does internal server error when iteration failed. |
| 1428 | */ | 1437 | */ |
| 1429 | static void | 1438 | static void |
| 1430 | oidc_iteration_error (void *cls) | 1439 | oidc_iteration_error (void *cls) |
| @@ -1435,6 +1444,10 @@ oidc_iteration_error (void *cls) | |||
| 1435 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1444 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
| 1436 | } | 1445 | } |
| 1437 | 1446 | ||
| 1447 | /** | ||
| 1448 | * Issues ticket and redirects to relying party with the authorization code as | ||
| 1449 | * parameter. Otherwise redirects with error | ||
| 1450 | */ | ||
| 1438 | static void | 1451 | static void |
| 1439 | oidc_ticket_issue_cb (void* cls, | 1452 | oidc_ticket_issue_cb (void* cls, |
| 1440 | const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket) | 1453 | const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket) |
| @@ -1498,7 +1511,7 @@ oidc_collect_finished_cb (void *cls) | |||
| 1498 | 1511 | ||
| 1499 | 1512 | ||
| 1500 | /** | 1513 | /** |
| 1501 | * Collect all attributes for an ego | 1514 | * Collects all attributes for an ego if in scope parameter |
| 1502 | */ | 1515 | */ |
| 1503 | static void | 1516 | static void |
| 1504 | oidc_attr_collect (void *cls, | 1517 | oidc_attr_collect (void *cls, |
| @@ -1545,7 +1558,7 @@ oidc_attr_collect (void *cls, | |||
| 1545 | 1558 | ||
| 1546 | 1559 | ||
| 1547 | /** | 1560 | /** |
| 1548 | * Cookie and Time check | 1561 | * Checks time and cookie and redirects accordingly |
| 1549 | */ | 1562 | */ |
| 1550 | static void | 1563 | static void |
| 1551 | login_check (void *cls) | 1564 | login_check (void *cls) |
| @@ -1612,7 +1625,8 @@ login_check (void *cls) | |||
| 1612 | } | 1625 | } |
| 1613 | 1626 | ||
| 1614 | /** | 1627 | /** |
| 1615 | * Create a response with requested records | 1628 | * Searches for client_id in namestore. If found trust status stored in handle |
| 1629 | * Else continues to search | ||
| 1616 | * | 1630 | * |
| 1617 | * @param handle the RequestHandle | 1631 | * @param handle the RequestHandle |
| 1618 | */ | 1632 | */ |
| @@ -1960,14 +1974,19 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 1960 | return; | 1974 | return; |
| 1961 | } | 1975 | } |
| 1962 | 1976 | ||
| 1977 | /** | ||
| 1978 | * Responds to token url-encoded POST request | ||
| 1979 | * | ||
| 1980 | * @param con_handle the connection handle | ||
| 1981 | * @param url the url | ||
| 1982 | * @param cls the RequestHandle | ||
| 1983 | */ | ||
| 1963 | static void | 1984 | static void |
| 1964 | token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | 1985 | token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, |
| 1965 | const char* url, | 1986 | const char* url, |
| 1966 | void *cls) | 1987 | void *cls) |
| 1967 | { | 1988 | { |
| 1968 | //TODO static strings | 1989 | //TODO static strings |
| 1969 | |||
| 1970 | //TODO WWW-Authenticate 401 | ||
| 1971 | struct RequestHandle *handle = cls; | 1990 | struct RequestHandle *handle = cls; |
| 1972 | struct GNUNET_HashCode cache_key; | 1991 | struct GNUNET_HashCode cache_key; |
| 1973 | char *authorization, *credentials; | 1992 | char *authorization, *credentials; |
| @@ -2291,7 +2310,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2291 | } | 2310 | } |
| 2292 | //TODO OPTIONAL acr,amr,azp | 2311 | //TODO OPTIONAL acr,amr,azp |
| 2293 | 2312 | ||
| 2294 | //TODO lookup client for client == audience of ticket | ||
| 2295 | struct EgoEntry *ego_entry; | 2313 | struct EgoEntry *ego_entry; |
| 2296 | for (ego_entry = handle->ego_head; NULL != ego_entry; ego_entry = ego_entry->next) | 2314 | for (ego_entry = handle->ego_head; NULL != ego_entry; ego_entry = ego_entry->next) |
| 2297 | { | 2315 | { |
| @@ -2351,9 +2369,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2351 | MHD_add_response_header (resp, "Content-Type", "application/json"); | 2369 | MHD_add_response_header (resp, "Content-Type", "application/json"); |
| 2352 | handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); | 2370 | handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); |
| 2353 | 2371 | ||
| 2354 | //TODO one time ticket/code | ||
| 2355 | |||
| 2356 | //TODO free | ||
| 2357 | GNUNET_IDENTITY_ATTRIBUTE_list_destroy(cl); | 2372 | GNUNET_IDENTITY_ATTRIBUTE_list_destroy(cl); |
| 2358 | GNUNET_free(access_token_number); | 2373 | GNUNET_free(access_token_number); |
| 2359 | GNUNET_free(access_token); | 2374 | GNUNET_free(access_token); |
| @@ -2365,7 +2380,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2365 | GNUNET_SCHEDULER_add_now(&cleanup_handle_delayed, handle); | 2380 | GNUNET_SCHEDULER_add_now(&cleanup_handle_delayed, handle); |
| 2366 | } | 2381 | } |
| 2367 | 2382 | ||
| 2368 | 2383 | /** | |
| 2384 | * Collects claims and stores them in handle | ||
| 2385 | */ | ||
| 2369 | static void | 2386 | static void |
| 2370 | consume_ticket (void *cls, | 2387 | consume_ticket (void *cls, |
| 2371 | const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, | 2388 | const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, |
| @@ -2384,16 +2401,24 @@ consume_ticket (void *cls, | |||
| 2384 | json_string(attr->data)); | 2401 | json_string(attr->data)); |
| 2385 | } | 2402 | } |
| 2386 | 2403 | ||
| 2404 | /** | ||
| 2405 | * Responds to userinfo GET and url-encoded POST request | ||
| 2406 | * | ||
| 2407 | * @param con_handle the connection handle | ||
| 2408 | * @param url the url | ||
| 2409 | * @param cls the RequestHandle | ||
| 2410 | */ | ||
| 2387 | static void | 2411 | static void |
| 2388 | userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | 2412 | userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, |
| 2389 | const char* url, void *cls) | 2413 | const char* url, void *cls) |
| 2390 | { | 2414 | { |
| 2415 | //TODO expiration time | ||
| 2391 | struct RequestHandle *handle = cls; | 2416 | struct RequestHandle *handle = cls; |
| 2392 | char delimiter[] = " "; | 2417 | char delimiter[] = " "; |
| 2393 | char delimiter_db[] = ";"; | 2418 | char delimiter_db[] = ";"; |
| 2394 | struct GNUNET_HashCode cache_key; | 2419 | struct GNUNET_HashCode cache_key; |
| 2395 | char *authorization, *authorization_type, *authorization_access_token; | 2420 | char *authorization, *authorization_type, *authorization_access_token; |
| 2396 | char *client_ticket; | 2421 | char *client_ticket, *client, *ticket_str; |
| 2397 | struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket; | 2422 | struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket; |
| 2398 | 2423 | ||
| 2399 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, | 2424 | GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, |
| @@ -2413,6 +2438,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2413 | handle->rest_handle->header_param_map, &cache_key); | 2438 | handle->rest_handle->header_param_map, &cache_key); |
| 2414 | 2439 | ||
| 2415 | //split header in "Bearer" and access_token | 2440 | //split header in "Bearer" and access_token |
| 2441 | authorization = GNUNET_strdup(authorization); | ||
| 2416 | authorization_type = strtok (authorization, delimiter); | 2442 | authorization_type = strtok (authorization, delimiter); |
| 2417 | if ( 0 != strcmp ("Bearer", authorization_type) ) | 2443 | if ( 0 != strcmp ("Bearer", authorization_type) ) |
| 2418 | { | 2444 | { |
| @@ -2420,6 +2446,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2420 | handle->edesc = GNUNET_strdup("No Access Token"); | 2446 | handle->edesc = GNUNET_strdup("No Access Token"); |
| 2421 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2447 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2422 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2448 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2449 | GNUNET_free(authorization); | ||
| 2423 | return; | 2450 | return; |
| 2424 | } | 2451 | } |
| 2425 | authorization_access_token = strtok (NULL, delimiter); | 2452 | authorization_access_token = strtok (NULL, delimiter); |
| @@ -2429,6 +2456,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2429 | handle->edesc = GNUNET_strdup("No Access Token"); | 2456 | handle->edesc = GNUNET_strdup("No Access Token"); |
| 2430 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2457 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2431 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2458 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2459 | GNUNET_free(authorization); | ||
| 2432 | return; | 2460 | return; |
| 2433 | } | 2461 | } |
| 2434 | 2462 | ||
| @@ -2442,25 +2470,28 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2442 | handle->edesc = GNUNET_strdup("The Access Token expired"); | 2470 | handle->edesc = GNUNET_strdup("The Access Token expired"); |
| 2443 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2471 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2444 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2472 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2473 | GNUNET_free(authorization); | ||
| 2445 | return; | 2474 | return; |
| 2446 | } | 2475 | } |
| 2447 | 2476 | ||
| 2448 | client_ticket = GNUNET_CONTAINER_multihashmap_get(OIDC_interpret_access_token, | 2477 | client_ticket = GNUNET_CONTAINER_multihashmap_get(OIDC_interpret_access_token, |
| 2449 | &cache_key); | 2478 | &cache_key); |
| 2450 | 2479 | client_ticket = GNUNET_strdup(client_ticket); | |
| 2451 | client_ticket = strtok(client_ticket,delimiter_db); | 2480 | client = strtok(client_ticket,delimiter_db); |
| 2452 | if (NULL == client_ticket) | 2481 | if (NULL == client) |
| 2453 | { | 2482 | { |
| 2454 | handle->emsg = GNUNET_strdup("invalid_token"); | 2483 | handle->emsg = GNUNET_strdup("invalid_token"); |
| 2455 | handle->edesc = GNUNET_strdup("The Access Token expired"); | 2484 | handle->edesc = GNUNET_strdup("The Access Token expired"); |
| 2456 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2485 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2457 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2486 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2487 | GNUNET_free(authorization); | ||
| 2488 | GNUNET_free(client_ticket); | ||
| 2458 | return; | 2489 | return; |
| 2459 | } | 2490 | } |
| 2460 | handle->ego_entry = handle->ego_head; | 2491 | handle->ego_entry = handle->ego_head; |
| 2461 | for(; NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next) | 2492 | for(; NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next) |
| 2462 | { | 2493 | { |
| 2463 | if (0 == strcmp(handle->ego_entry->keystring,client_ticket)) | 2494 | if (0 == strcmp(handle->ego_entry->keystring,client)) |
| 2464 | { | 2495 | { |
| 2465 | break; | 2496 | break; |
| 2466 | } | 2497 | } |
| @@ -2471,21 +2502,25 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2471 | handle->edesc = GNUNET_strdup("The Access Token expired"); | 2502 | handle->edesc = GNUNET_strdup("The Access Token expired"); |
| 2472 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2503 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2473 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2504 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2505 | GNUNET_free(authorization); | ||
| 2506 | GNUNET_free(client_ticket); | ||
| 2474 | return; | 2507 | return; |
| 2475 | } | 2508 | } |
| 2476 | client_ticket = strtok(NULL, delimiter_db); | 2509 | ticket_str = strtok(NULL, delimiter_db); |
| 2477 | if (NULL == client_ticket) | 2510 | if (NULL == ticket_str) |
| 2478 | { | 2511 | { |
| 2479 | handle->emsg = GNUNET_strdup("invalid_token"); | 2512 | handle->emsg = GNUNET_strdup("invalid_token"); |
| 2480 | handle->edesc = GNUNET_strdup("The Access Token expired"); | 2513 | handle->edesc = GNUNET_strdup("The Access Token expired"); |
| 2481 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2514 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2482 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2515 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2516 | GNUNET_free(authorization); | ||
| 2517 | GNUNET_free(client_ticket); | ||
| 2483 | return; | 2518 | return; |
| 2484 | } | 2519 | } |
| 2485 | ticket = GNUNET_new(struct GNUNET_IDENTITY_PROVIDER_Ticket); | 2520 | ticket = GNUNET_new(struct GNUNET_IDENTITY_PROVIDER_Ticket); |
| 2486 | if ( GNUNET_OK | 2521 | if ( GNUNET_OK |
| 2487 | != GNUNET_STRINGS_string_to_data (client_ticket, | 2522 | != GNUNET_STRINGS_string_to_data (ticket_str, |
| 2488 | strlen (client_ticket), | 2523 | strlen (ticket_str), |
| 2489 | ticket, | 2524 | ticket, |
| 2490 | sizeof(struct GNUNET_IDENTITY_PROVIDER_Ticket))) | 2525 | sizeof(struct GNUNET_IDENTITY_PROVIDER_Ticket))) |
| 2491 | { | 2526 | { |
| @@ -2494,6 +2529,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2494 | handle->response_code = MHD_HTTP_UNAUTHORIZED; | 2529 | handle->response_code = MHD_HTTP_UNAUTHORIZED; |
| 2495 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); | 2530 | GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); |
| 2496 | GNUNET_free(ticket); | 2531 | GNUNET_free(ticket); |
| 2532 | GNUNET_free(authorization); | ||
| 2533 | GNUNET_free(client_ticket); | ||
| 2497 | return; | 2534 | return; |
| 2498 | } | 2535 | } |
| 2499 | 2536 | ||
| @@ -2507,6 +2544,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 2507 | consume_ticket, | 2544 | consume_ticket, |
| 2508 | handle); | 2545 | handle); |
| 2509 | GNUNET_free(ticket); | 2546 | GNUNET_free(ticket); |
| 2547 | GNUNET_free(authorization); | ||
| 2548 | GNUNET_free(client_ticket); | ||
| 2510 | 2549 | ||
| 2511 | } | 2550 | } |
| 2512 | 2551 | ||