diff options
| author | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2018-11-28 08:46:36 +0100 |
|---|---|---|
| committer | Schanzenbach, Martin <mschanzenbach@posteo.de> | 2018-11-28 08:46:36 +0100 |
| commit | 6af0c6d7c6b7f915b832df2bbb907e688deaa452 (patch) | |
| tree | 5abe642047628b6b021a1638245a2bd73d9be447 /src | |
| parent | 1eaf5ebe2fd89dfeaad71f9f511e919b72a715f0 (diff) | |
| download | gnunet-6af0c6d7c6b7f915b832df2bbb907e688deaa452.tar.gz gnunet-6af0c6d7c6b7f915b832df2bbb907e688deaa452.zip | |
REST: refactor OIDC plugin, towards cancel logic
Diffstat (limited to 'src')
| -rw-r--r-- | src/rest-plugins/plugin_rest_openid_connect.c | 385 |
1 files changed, 215 insertions, 170 deletions
diff --git a/src/rest-plugins/plugin_rest_openid_connect.c b/src/rest-plugins/plugin_rest_openid_connect.c index 3a0106c10..9325d5825 100644 --- a/src/rest-plugins/plugin_rest_openid_connect.c +++ b/src/rest-plugins/plugin_rest_openid_connect.c | |||
| @@ -136,6 +136,11 @@ | |||
| 136 | #define OIDC_COOKIE_HEADER_INFORMATION_KEY "Identity=" | 136 | #define OIDC_COOKIE_HEADER_INFORMATION_KEY "Identity=" |
| 137 | 137 | ||
| 138 | /** | 138 | /** |
| 139 | * OIDC cookie header if user cancelled | ||
| 140 | */ | ||
| 141 | #define OIDC_COOKIE_HEADER_ACCESS_DENIED "Identity=Denied" | ||
| 142 | |||
| 143 | /** | ||
| 139 | * OIDC expected response_type while authorizing | 144 | * OIDC expected response_type while authorizing |
| 140 | */ | 145 | */ |
| 141 | #define OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE "code" | 146 | #define OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE "code" |
| @@ -243,6 +248,11 @@ struct OIDC_Variables | |||
| 243 | char *login_identity; | 248 | char *login_identity; |
| 244 | 249 | ||
| 245 | /** | 250 | /** |
| 251 | * User cancelled authorization/login | ||
| 252 | */ | ||
| 253 | int user_cancelled; | ||
| 254 | |||
| 255 | /** | ||
| 246 | * The response JSON | 256 | * The response JSON |
| 247 | */ | 257 | */ |
| 248 | json_t *response; | 258 | json_t *response; |
| @@ -705,6 +715,7 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 705 | return; | 715 | return; |
| 706 | } | 716 | } |
| 707 | 717 | ||
| 718 | |||
| 708 | /** | 719 | /** |
| 709 | * Interprets cookie header and pass its identity keystring to handle | 720 | * Interprets cookie header and pass its identity keystring to handle |
| 710 | */ | 721 | */ |
| @@ -719,49 +730,70 @@ cookie_identity_interpretation (struct RequestHandle *handle) | |||
| 719 | //gets identity of login try with cookie | 730 | //gets identity of login try with cookie |
| 720 | GNUNET_CRYPTO_hash (OIDC_COOKIE_HEADER_KEY, strlen (OIDC_COOKIE_HEADER_KEY), | 731 | GNUNET_CRYPTO_hash (OIDC_COOKIE_HEADER_KEY, strlen (OIDC_COOKIE_HEADER_KEY), |
| 721 | &cache_key); | 732 | &cache_key); |
| 722 | if ( GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->header_param_map, | 733 | if ( GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->header_param_map, |
| 723 | &cache_key) ) | 734 | &cache_key) ) |
| 724 | { | 735 | { |
| 725 | //splits cookies and find 'Identity' cookie | 736 | GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, |
| 726 | cookies = GNUNET_CONTAINER_multihashmap_get ( handle->rest_handle->header_param_map, &cache_key); | 737 | "No cookie found\n"); |
| 727 | handle->oidc->login_identity = strtok(cookies, delimiter); | 738 | return; |
| 739 | } | ||
| 740 | //splits cookies and find 'Identity' cookie | ||
| 741 | cookies = GNUNET_CONTAINER_multihashmap_get ( handle->rest_handle->header_param_map, &cache_key); | ||
| 742 | handle->oidc->login_identity = strtok (cookies, delimiter); | ||
| 743 | handle->oidc->user_cancelled = GNUNET_NO; | ||
| 728 | 744 | ||
| 729 | while ( NULL != handle->oidc->login_identity ) | 745 | if (NULL == handle->oidc->login_identity) |
| 730 | { | 746 | { |
| 731 | if ( NULL != strstr (handle->oidc->login_identity, OIDC_COOKIE_HEADER_INFORMATION_KEY) ) | 747 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, |
| 732 | { | 748 | "Unable to parse cookie: %s\n", |
| 733 | break; | 749 | cookies); |
| 734 | } | 750 | return; |
| 735 | handle->oidc->login_identity = strtok (NULL, delimiter); | 751 | } |
| 736 | } | 752 | |
| 737 | GNUNET_CRYPTO_hash (handle->oidc->login_identity, strlen (handle->oidc->login_identity), | 753 | while ( NULL != handle->oidc->login_identity ) |
| 738 | &cache_key); | 754 | { |
| 739 | if ( GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (OIDC_identity_login_time, &cache_key) ) | 755 | if ( 0 == strcmp (handle->oidc->login_identity, |
| 740 | { | 756 | OIDC_COOKIE_HEADER_ACCESS_DENIED)) |
| 741 | relog_time = GNUNET_CONTAINER_multihashmap_get (OIDC_identity_login_time, | ||
| 742 | &cache_key); | ||
| 743 | current_time = GNUNET_TIME_absolute_get (); | ||
| 744 | // 30 min after old login -> redirect to login | ||
| 745 | if ( current_time.abs_value_us <= relog_time->abs_value_us ) | ||
| 746 | { | ||
| 747 | handle->oidc->login_identity = strtok(handle->oidc->login_identity, OIDC_COOKIE_HEADER_INFORMATION_KEY); | ||
| 748 | handle->oidc->login_identity = GNUNET_strdup(handle->oidc->login_identity); | ||
| 749 | } else { | ||
| 750 | handle->oidc->login_identity = NULL; | ||
| 751 | } | ||
| 752 | } | ||
| 753 | else | ||
| 754 | { | 757 | { |
| 758 | handle->oidc->user_cancelled = GNUNET_YES; | ||
| 755 | handle->oidc->login_identity = NULL; | 759 | handle->oidc->login_identity = NULL; |
| 760 | return; | ||
| 756 | } | 761 | } |
| 762 | if ( NULL != strstr (handle->oidc->login_identity, OIDC_COOKIE_HEADER_INFORMATION_KEY) ) | ||
| 763 | break; | ||
| 764 | handle->oidc->login_identity = strtok (NULL, delimiter); | ||
| 757 | } | 765 | } |
| 766 | GNUNET_CRYPTO_hash (handle->oidc->login_identity, strlen (handle->oidc->login_identity), | ||
| 767 | &cache_key); | ||
| 768 | if ( GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (OIDC_identity_login_time, &cache_key) ) | ||
| 769 | { | ||
| 770 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
| 771 | "Found cookie `%s', but no corresponding expiration entry present...\n", | ||
| 772 | handle->oidc->login_identity); | ||
| 773 | handle->oidc->login_identity = NULL; | ||
| 774 | return; | ||
| 775 | } | ||
| 776 | relog_time = GNUNET_CONTAINER_multihashmap_get (OIDC_identity_login_time, | ||
| 777 | &cache_key); | ||
| 778 | current_time = GNUNET_TIME_absolute_get (); | ||
| 779 | // 30 min after old login -> redirect to login | ||
| 780 | if ( current_time.abs_value_us > relog_time->abs_value_us ) | ||
| 781 | { | ||
| 782 | GNUNET_log (GNUNET_ERROR_TYPE_WARNING, | ||
| 783 | "Found cookie `%s', but it is expired.\n", | ||
| 784 | handle->oidc->login_identity); | ||
| 785 | handle->oidc->login_identity = NULL; | ||
| 786 | return; | ||
| 787 | } | ||
| 788 | handle->oidc->login_identity = strtok(handle->oidc->login_identity, OIDC_COOKIE_HEADER_INFORMATION_KEY); | ||
| 789 | handle->oidc->login_identity = GNUNET_strdup(handle->oidc->login_identity); | ||
| 758 | } | 790 | } |
| 759 | 791 | ||
| 760 | /** | 792 | /** |
| 761 | * Redirects to login page stored in configuration file | 793 | * Redirects to login page stored in configuration file |
| 762 | */ | 794 | */ |
| 763 | static void | 795 | static void |
| 764 | login_redirection(void *cls) | 796 | login_redirect (void *cls) |
| 765 | { | 797 | { |
| 766 | char *login_base_url; | 798 | char *login_base_url; |
| 767 | char *new_redirect; | 799 | char *new_redirect; |
| @@ -815,12 +847,14 @@ oidc_iteration_error (void *cls) | |||
| 815 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 847 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
| 816 | } | 848 | } |
| 817 | 849 | ||
| 850 | |||
| 851 | /** | ||
| 852 | * Issues ticket and redirects to relying party with the authorization code as | ||
| 853 | * parameter. Otherwise redirects with error | ||
| 854 | */ | ||
| 818 | static void | 855 | static void |
| 819 | get_client_name_result (void *cls, | 856 | oidc_ticket_issue_cb (void* cls, |
| 820 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone, | 857 | const struct GNUNET_RECLAIM_Ticket *ticket) |
| 821 | const char *label, | ||
| 822 | unsigned int rd_count, | ||
| 823 | const struct GNUNET_GNSRECORD_Data *rd) | ||
| 824 | { | 858 | { |
| 825 | struct RequestHandle *handle = cls; | 859 | struct RequestHandle *handle = cls; |
| 826 | struct MHD_Response *resp; | 860 | struct MHD_Response *resp; |
| @@ -829,6 +863,15 @@ get_client_name_result (void *cls, | |||
| 829 | char *code_json_string; | 863 | char *code_json_string; |
| 830 | char *code_base64_final_string; | 864 | char *code_base64_final_string; |
| 831 | 865 | ||
| 866 | handle->idp_op = NULL; | ||
| 867 | handle->ticket = *ticket; | ||
| 868 | if (NULL == ticket) | ||
| 869 | { | ||
| 870 | handle->emsg = GNUNET_strdup("server_error"); | ||
| 871 | handle->edesc = GNUNET_strdup("Server cannot generate ticket."); | ||
| 872 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 873 | return; | ||
| 874 | } | ||
| 832 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket, | 875 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket, |
| 833 | sizeof (struct GNUNET_RECLAIM_Ticket)); | 876 | sizeof (struct GNUNET_RECLAIM_Ticket)); |
| 834 | //TODO change if more attributes are needed (see max_age) | 877 | //TODO change if more attributes are needed (see max_age) |
| @@ -850,106 +893,6 @@ get_client_name_result (void *cls, | |||
| 850 | GNUNET_free (ticket_str); | 893 | GNUNET_free (ticket_str); |
| 851 | GNUNET_free (code_json_string); | 894 | GNUNET_free (code_json_string); |
| 852 | GNUNET_free (code_base64_final_string); | 895 | GNUNET_free (code_base64_final_string); |
| 853 | return; | ||
| 854 | |||
| 855 | } | ||
| 856 | |||
| 857 | |||
| 858 | static void | ||
| 859 | get_client_name_error (void *cls) | ||
| 860 | { | ||
| 861 | struct RequestHandle *handle = cls; | ||
| 862 | |||
| 863 | handle->emsg = GNUNET_strdup("server_error"); | ||
| 864 | handle->edesc = GNUNET_strdup("Server cannot generate ticket, no name found for client."); | ||
| 865 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 866 | } | ||
| 867 | |||
| 868 | |||
| 869 | static void | ||
| 870 | lookup_redirect_uri_result (void *cls, | ||
| 871 | uint32_t rd_count, | ||
| 872 | const struct GNUNET_GNSRECORD_Data *rd) | ||
| 873 | { | ||
| 874 | struct RequestHandle *handle = cls; | ||
| 875 | char *tmp; | ||
| 876 | char *tmp_key_str; | ||
| 877 | char *pos; | ||
| 878 | struct GNUNET_CRYPTO_EcdsaPublicKey redirect_zone; | ||
| 879 | |||
| 880 | handle->gns_op = NULL; | ||
| 881 | if (0 == rd_count) | ||
| 882 | { | ||
| 883 | handle->emsg = GNUNET_strdup("server_error"); | ||
| 884 | handle->edesc = GNUNET_strdup("Server cannot generate ticket, redirect uri not found."); | ||
| 885 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 886 | return; | ||
| 887 | } | ||
| 888 | for (int i = 0; i < rd_count; i++) | ||
| 889 | { | ||
| 890 | if (GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_REDIRECT != rd[i].record_type) | ||
| 891 | continue; | ||
| 892 | if (0 != strcmp (rd[i].data, | ||
| 893 | handle->oidc->redirect_uri)) | ||
| 894 | continue; | ||
| 895 | tmp = GNUNET_strdup (rd[i].data); | ||
| 896 | pos = strrchr (tmp, | ||
| 897 | (unsigned char) '.'); | ||
| 898 | *pos = '\0'; | ||
| 899 | handle->redirect_prefix = GNUNET_strdup (tmp); | ||
| 900 | tmp_key_str = pos + 1; | ||
| 901 | pos = strchr (tmp_key_str, | ||
| 902 | (unsigned char) '/'); | ||
| 903 | *pos = '\0'; | ||
| 904 | handle->redirect_suffix = GNUNET_strdup (pos + 1); | ||
| 905 | |||
| 906 | GNUNET_STRINGS_string_to_data (tmp_key_str, | ||
| 907 | strlen (tmp_key_str), | ||
| 908 | &redirect_zone, | ||
| 909 | sizeof (redirect_zone)); | ||
| 910 | |||
| 911 | GNUNET_NAMESTORE_zone_to_name (handle->namestore_handle, | ||
| 912 | &handle->priv_key, | ||
| 913 | &redirect_zone, | ||
| 914 | &get_client_name_error, | ||
| 915 | handle, | ||
| 916 | &get_client_name_result, | ||
| 917 | handle); | ||
| 918 | GNUNET_free (tmp); | ||
| 919 | return; | ||
| 920 | } | ||
| 921 | handle->emsg = GNUNET_strdup("server_error"); | ||
| 922 | handle->edesc = GNUNET_strdup("Server cannot generate ticket, redirect uri not found."); | ||
| 923 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 924 | } | ||
| 925 | |||
| 926 | /** | ||
| 927 | * Issues ticket and redirects to relying party with the authorization code as | ||
| 928 | * parameter. Otherwise redirects with error | ||
| 929 | */ | ||
| 930 | static void | ||
| 931 | oidc_ticket_issue_cb (void* cls, | ||
| 932 | const struct GNUNET_RECLAIM_Ticket *ticket) | ||
| 933 | { | ||
| 934 | struct RequestHandle *handle = cls; | ||
| 935 | |||
| 936 | handle->idp_op = NULL; | ||
| 937 | handle->ticket = *ticket; | ||
| 938 | if (NULL == ticket) | ||
| 939 | { | ||
| 940 | handle->emsg = GNUNET_strdup("server_error"); | ||
| 941 | handle->edesc = GNUNET_strdup("Server cannot generate ticket."); | ||
| 942 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 943 | return; | ||
| 944 | } | ||
| 945 | handle->gns_op = GNUNET_GNS_lookup (handle->gns_handle, | ||
| 946 | "+", | ||
| 947 | &handle->oidc->client_pkey, | ||
| 948 | GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_REDIRECT, | ||
| 949 | GNUNET_GNS_LO_DEFAULT, | ||
| 950 | &lookup_redirect_uri_result, | ||
| 951 | handle); | ||
| 952 | |||
| 953 | } | 896 | } |
| 954 | 897 | ||
| 955 | static void | 898 | static void |
| @@ -1025,7 +968,7 @@ oidc_attr_collect (void *cls, | |||
| 1025 | * Checks time and cookie and redirects accordingly | 968 | * Checks time and cookie and redirects accordingly |
| 1026 | */ | 969 | */ |
| 1027 | static void | 970 | static void |
| 1028 | login_check (void *cls) | 971 | code_redirect (void *cls) |
| 1029 | { | 972 | { |
| 1030 | struct RequestHandle *handle = cls; | 973 | struct RequestHandle *handle = cls; |
| 1031 | struct GNUNET_TIME_Absolute current_time, *relog_time; | 974 | struct GNUNET_TIME_Absolute current_time, *relog_time; |
| @@ -1067,27 +1010,126 @@ login_check (void *cls) | |||
| 1067 | == memcmp (&ego_pkey, &pubkey, | 1010 | == memcmp (&ego_pkey, &pubkey, |
| 1068 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | 1011 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) |
| 1069 | { | 1012 | { |
| 1070 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key ( | 1013 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); |
| 1071 | handle->ego_entry->ego); | ||
| 1072 | handle->idp = GNUNET_RECLAIM_connect (cfg); | 1014 | handle->idp = GNUNET_RECLAIM_connect (cfg); |
| 1073 | handle->attr_list = GNUNET_new( | 1015 | handle->attr_list = GNUNET_new(struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); |
| 1074 | struct GNUNET_RECLAIM_ATTRIBUTE_ClaimList); | 1016 | handle->attr_it = GNUNET_RECLAIM_get_attributes_start (handle->idp, |
| 1075 | handle->attr_it = GNUNET_RECLAIM_get_attributes_start ( | 1017 | &handle->priv_key, |
| 1076 | handle->idp, &handle->priv_key, &oidc_iteration_error, handle, | 1018 | &oidc_iteration_error, |
| 1077 | &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle); | 1019 | handle, |
| 1020 | &oidc_attr_collect, | ||
| 1021 | handle, | ||
| 1022 | &oidc_collect_finished_cb, | ||
| 1023 | handle); | ||
| 1078 | return; | 1024 | return; |
| 1079 | } | 1025 | } |
| 1080 | } | 1026 | } |
| 1081 | //handle->emsg = GNUNET_strdup("invalid_cookie"); | 1027 | GNUNET_SCHEDULER_add_now (&login_redirect, handle); |
| 1082 | //handle->edesc = GNUNET_strdup( | ||
| 1083 | // "The cookie of the login identity is not valid"); | ||
| 1084 | //GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 1085 | GNUNET_SCHEDULER_add_now (&login_redirection,handle); | ||
| 1086 | return; | 1028 | return; |
| 1087 | } | 1029 | } |
| 1088 | } | 1030 | } |
| 1089 | } | 1031 | } |
| 1090 | 1032 | ||
| 1033 | |||
| 1034 | static void | ||
| 1035 | build_redirect (void *cls) | ||
| 1036 | { | ||
| 1037 | struct RequestHandle *handle = cls; | ||
| 1038 | struct MHD_Response *resp; | ||
| 1039 | char* redirect_uri; | ||
| 1040 | |||
| 1041 | if (GNUNET_YES == handle->oidc->user_cancelled) | ||
| 1042 | { | ||
| 1043 | GNUNET_asprintf (&redirect_uri, "%s.%s/%s?error=%s&error_description=%s&state=%s", | ||
| 1044 | handle->redirect_prefix, | ||
| 1045 | handle->tld, | ||
| 1046 | handle->redirect_suffix, | ||
| 1047 | "access_denied", | ||
| 1048 | "User denied access", | ||
| 1049 | handle->oidc->state); | ||
| 1050 | resp = GNUNET_REST_create_response (""); | ||
| 1051 | MHD_add_response_header (resp, "Location", redirect_uri); | ||
| 1052 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | ||
| 1053 | GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); | ||
| 1054 | GNUNET_free (redirect_uri); | ||
| 1055 | return; | ||
| 1056 | } | ||
| 1057 | GNUNET_SCHEDULER_add_now (&code_redirect, handle); | ||
| 1058 | } | ||
| 1059 | |||
| 1060 | |||
| 1061 | static void | ||
| 1062 | lookup_redirect_uri_result (void *cls, | ||
| 1063 | uint32_t rd_count, | ||
| 1064 | const struct GNUNET_GNSRECORD_Data *rd) | ||
| 1065 | { | ||
| 1066 | struct RequestHandle *handle = cls; | ||
| 1067 | char *tmp; | ||
| 1068 | char *tmp_key_str; | ||
| 1069 | char *pos; | ||
| 1070 | struct GNUNET_CRYPTO_EcdsaPublicKey redirect_zone; | ||
| 1071 | |||
| 1072 | handle->gns_op = NULL; | ||
| 1073 | if (0 == rd_count) | ||
| 1074 | { | ||
| 1075 | handle->emsg = GNUNET_strdup("server_error"); | ||
| 1076 | handle->edesc = GNUNET_strdup("Server cannot generate ticket, redirect uri not found."); | ||
| 1077 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 1078 | return; | ||
| 1079 | } | ||
| 1080 | for (int i = 0; i < rd_count; i++) | ||
| 1081 | { | ||
| 1082 | if (GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_REDIRECT != rd[i].record_type) | ||
| 1083 | continue; | ||
| 1084 | if (0 != strcmp (rd[i].data, | ||
| 1085 | handle->oidc->redirect_uri)) | ||
| 1086 | continue; | ||
| 1087 | tmp = GNUNET_strdup (rd[i].data); | ||
| 1088 | pos = strrchr (tmp, | ||
| 1089 | (unsigned char) '.'); | ||
| 1090 | *pos = '\0'; | ||
| 1091 | handle->redirect_prefix = GNUNET_strdup (tmp); | ||
| 1092 | tmp_key_str = pos + 1; | ||
| 1093 | pos = strchr (tmp_key_str, | ||
| 1094 | (unsigned char) '/'); | ||
| 1095 | *pos = '\0'; | ||
| 1096 | handle->redirect_suffix = GNUNET_strdup (pos + 1); | ||
| 1097 | |||
| 1098 | GNUNET_STRINGS_string_to_data (tmp_key_str, | ||
| 1099 | strlen (tmp_key_str), | ||
| 1100 | &redirect_zone, | ||
| 1101 | sizeof (redirect_zone)); | ||
| 1102 | GNUNET_SCHEDULER_add_now (&build_redirect, handle); | ||
| 1103 | GNUNET_free (tmp); | ||
| 1104 | return; | ||
| 1105 | } | ||
| 1106 | handle->emsg = GNUNET_strdup("server_error"); | ||
| 1107 | handle->edesc = GNUNET_strdup("Server cannot generate ticket, redirect uri not found."); | ||
| 1108 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
| 1109 | } | ||
| 1110 | |||
| 1111 | |||
| 1112 | |||
| 1113 | /** | ||
| 1114 | * Initiate redirect back to client. | ||
| 1115 | */ | ||
| 1116 | static void | ||
| 1117 | client_redirect (void *cls) | ||
| 1118 | { | ||
| 1119 | struct RequestHandle *handle = cls; | ||
| 1120 | |||
| 1121 | /* Lookup client redirect uri to verify request */ | ||
| 1122 | handle->gns_op = GNUNET_GNS_lookup (handle->gns_handle, | ||
| 1123 | "+", | ||
| 1124 | &handle->oidc->client_pkey, | ||
| 1125 | GNUNET_GNSRECORD_TYPE_RECLAIM_OIDC_REDIRECT, | ||
| 1126 | GNUNET_GNS_LO_DEFAULT, | ||
| 1127 | &lookup_redirect_uri_result, | ||
| 1128 | handle); | ||
| 1129 | |||
| 1130 | } | ||
| 1131 | |||
| 1132 | |||
| 1091 | /** | 1133 | /** |
| 1092 | * Iteration over all results finished, build final | 1134 | * Iteration over all results finished, build final |
| 1093 | * response. | 1135 | * response. |
| @@ -1210,13 +1252,11 @@ build_authz_response (void *cls) | |||
| 1210 | 1252 | ||
| 1211 | GNUNET_free(expected_scope); | 1253 | GNUNET_free(expected_scope); |
| 1212 | 1254 | ||
| 1213 | if( NULL != handle->oidc->login_identity ) | 1255 | if ( (NULL == handle->oidc->login_identity) && |
| 1214 | { | 1256 | (GNUNET_NO == handle->oidc->user_cancelled)) |
| 1215 | GNUNET_SCHEDULER_add_now(&login_check,handle); | 1257 | GNUNET_SCHEDULER_add_now (&login_redirect, handle); |
| 1216 | return; | 1258 | else |
| 1217 | } | 1259 | GNUNET_SCHEDULER_add_now (&client_redirect, handle); |
| 1218 | |||
| 1219 | GNUNET_SCHEDULER_add_now(&login_redirection,handle); | ||
| 1220 | } | 1260 | } |
| 1221 | 1261 | ||
| 1222 | /** | 1262 | /** |
| @@ -1264,7 +1304,7 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 1264 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_key; | 1304 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_key; |
| 1265 | struct GNUNET_CRYPTO_EcdsaPublicKey pkey; | 1305 | struct GNUNET_CRYPTO_EcdsaPublicKey pkey; |
| 1266 | 1306 | ||
| 1267 | cookie_identity_interpretation(handle); | 1307 | cookie_identity_interpretation (handle); |
| 1268 | 1308 | ||
| 1269 | //RECOMMENDED value: state - REQUIRED for answers | 1309 | //RECOMMENDED value: state - REQUIRED for answers |
| 1270 | GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key); | 1310 | GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key); |
| @@ -1366,13 +1406,24 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 1366 | GNUNET_memcpy (term_data, handle->rest_handle->data, handle->rest_handle->data_size); | 1406 | GNUNET_memcpy (term_data, handle->rest_handle->data, handle->rest_handle->data_size); |
| 1367 | root = json_loads (term_data, JSON_DECODE_ANY, &error); | 1407 | root = json_loads (term_data, JSON_DECODE_ANY, &error); |
| 1368 | identity = json_object_get (root, "identity"); | 1408 | identity = json_object_get (root, "identity"); |
| 1369 | if ( json_is_string(identity) ) | 1409 | if ( !json_is_string(identity) ) |
| 1370 | { | 1410 | { |
| 1371 | GNUNET_asprintf (&cookie, "Identity=%s", json_string_value (identity)); | 1411 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, |
| 1372 | MHD_add_response_header (resp, "Set-Cookie", cookie); | 1412 | "Error parsing json string from %s\n", |
| 1373 | MHD_add_response_header (resp, "Access-Control-Allow-Methods", "POST"); | 1413 | term_data); |
| 1374 | GNUNET_CRYPTO_hash (cookie, strlen (cookie), &cache_key); | 1414 | handle->proc (handle->proc_cls, resp, MHD_HTTP_BAD_REQUEST); |
| 1415 | json_decref (root); | ||
| 1416 | GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); | ||
| 1417 | return; | ||
| 1418 | } | ||
| 1419 | GNUNET_asprintf (&cookie, "Identity=%s", json_string_value (identity)); | ||
| 1420 | MHD_add_response_header (resp, "Set-Cookie", cookie); | ||
| 1421 | MHD_add_response_header (resp, "Access-Control-Allow-Methods", "POST"); | ||
| 1422 | GNUNET_CRYPTO_hash (cookie, strlen (cookie), &cache_key); | ||
| 1375 | 1423 | ||
| 1424 | if (0 != strcmp (json_string_value (identity), | ||
| 1425 | "Denied")) | ||
| 1426 | { | ||
| 1376 | current_time = GNUNET_new(struct GNUNET_TIME_Absolute); | 1427 | current_time = GNUNET_new(struct GNUNET_TIME_Absolute); |
| 1377 | *current_time = GNUNET_TIME_relative_to_absolute ( | 1428 | *current_time = GNUNET_TIME_relative_to_absolute ( |
| 1378 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), | 1429 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), |
| @@ -1385,20 +1436,14 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
| 1385 | GNUNET_CONTAINER_multihashmap_put ( | 1436 | GNUNET_CONTAINER_multihashmap_put ( |
| 1386 | OIDC_identity_login_time, &cache_key, current_time, | 1437 | OIDC_identity_login_time, &cache_key, current_time, |
| 1387 | GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE); | 1438 | GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE); |
| 1388 | |||
| 1389 | handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); | ||
| 1390 | GNUNET_free(cookie); | ||
| 1391 | } | ||
| 1392 | else | ||
| 1393 | { | ||
| 1394 | handle->proc (handle->proc_cls, resp, MHD_HTTP_BAD_REQUEST); | ||
| 1395 | } | 1439 | } |
| 1440 | handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); | ||
| 1441 | GNUNET_free(cookie); | ||
| 1396 | json_decref (root); | 1442 | json_decref (root); |
| 1397 | GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); | 1443 | GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); |
| 1398 | return; | ||
| 1399 | } | 1444 | } |
| 1400 | 1445 | ||
| 1401 | static int | 1446 | static int |
| 1402 | check_authorization (struct RequestHandle *handle, | 1447 | check_authorization (struct RequestHandle *handle, |
| 1403 | struct GNUNET_CRYPTO_EcdsaPublicKey *cid) | 1448 | struct GNUNET_CRYPTO_EcdsaPublicKey *cid) |
| 1404 | { | 1449 | { |