diff options
author | Phil <phil.buschmann@tum.de> | 2018-01-16 16:58:02 +0100 |
---|---|---|
committer | Phil <phil.buschmann@tum.de> | 2018-01-16 16:58:02 +0100 |
commit | c2077b1c8dd826192e8dc4be0567b2e6a61aa536 (patch) | |
tree | 9ee52e174f3480bdc8764c65e80f30cddaf878c3 /src | |
parent | a49f0792a13322b8445279dab6dafc6d13c83fbc (diff) | |
download | gnunet-c2077b1c8dd826192e8dc4be0567b2e6a61aa536.tar.gz gnunet-c2077b1c8dd826192e8dc4be0567b2e6a61aa536.zip |
-fix GET request
Diffstat (limited to 'src')
-rw-r--r-- | src/identity-provider/plugin_rest_identity_provider.c | 761 |
1 files changed, 405 insertions, 356 deletions
diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index d341abb0d..1c7313aa1 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c | |||
@@ -150,6 +150,7 @@ | |||
150 | * OIDC expected scope part while authorizing | 150 | * OIDC expected scope part while authorizing |
151 | */ | 151 | */ |
152 | #define OIDC_EXPECTED_AUTHORIZATION_SCOPE "openid" | 152 | #define OIDC_EXPECTED_AUTHORIZATION_SCOPE "openid" |
153 | |||
153 | /** | 154 | /** |
154 | * OIDC ignored parameter array | 155 | * OIDC ignored parameter array |
155 | */ | 156 | */ |
@@ -262,7 +263,7 @@ struct RequestHandle | |||
262 | /** | 263 | /** |
263 | * Pointer to ego private key | 264 | * Pointer to ego private key |
264 | */ | 265 | */ |
265 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_key; | 266 | struct GNUNET_CRYPTO_EcdsaPrivateKey priv_key; |
266 | 267 | ||
267 | /** | 268 | /** |
268 | * OIDC variables | 269 | * OIDC variables |
@@ -469,15 +470,19 @@ do_error (void *cls) | |||
469 | struct MHD_Response *resp; | 470 | struct MHD_Response *resp; |
470 | char *json_error; | 471 | char *json_error; |
471 | 472 | ||
472 | GNUNET_asprintf (&json_error, "{error : %s, error_description : %s}", | 473 | GNUNET_asprintf (&json_error, "{ \"error\" : \"%s\", \"error_description\" : \"%s\"%s%s%s}", |
473 | handle->emsg, (NULL != handle->edesc) ? handle->edesc : ""); | 474 | handle->emsg, |
475 | (NULL != handle->edesc) ? handle->edesc : "", | ||
476 | (NULL != handle->oidc->state) ? ", \"state\":\"" : "", | ||
477 | (NULL != handle->oidc->state) ? handle->oidc->state : "", | ||
478 | (NULL != handle->oidc->state) ? "\"" : ""); | ||
474 | if ( 0 == handle->response_code ) | 479 | if ( 0 == handle->response_code ) |
475 | { | 480 | { |
476 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 481 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
477 | } | 482 | } |
478 | resp = GNUNET_REST_create_response (json_error); | 483 | resp = GNUNET_REST_create_response (json_error); |
479 | handle->proc (handle->proc_cls, resp, handle->response_code); | 484 | handle->proc (handle->proc_cls, resp, handle->response_code); |
480 | cleanup_handle (handle); | 485 | GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); |
481 | GNUNET_free (json_error); | 486 | GNUNET_free (json_error); |
482 | } | 487 | } |
483 | 488 | ||
@@ -492,14 +497,15 @@ do_redirect_error (void *cls) | |||
492 | struct RequestHandle *handle = cls; | 497 | struct RequestHandle *handle = cls; |
493 | struct MHD_Response *resp; | 498 | struct MHD_Response *resp; |
494 | char* redirect; | 499 | char* redirect; |
495 | //TODO handle->url is wrong | ||
496 | GNUNET_asprintf (&redirect, | 500 | GNUNET_asprintf (&redirect, |
497 | "%s?error=%s&error_description=%s", | 501 | "%s?error=%s&error_description=%s%s%s", |
498 | handle->oidc->redirect_uri, handle->emsg, handle->edesc ); | 502 | handle->oidc->redirect_uri, handle->emsg, handle->edesc, |
503 | (NULL != handle->oidc->state) ? "&state=" : "", | ||
504 | (NULL != handle->oidc->state) ? handle->oidc->state : ""); | ||
499 | resp = GNUNET_REST_create_response (""); | 505 | resp = GNUNET_REST_create_response (""); |
500 | MHD_add_response_header (resp, "Location", redirect); | 506 | MHD_add_response_header (resp, "Location", redirect); |
501 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | 507 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); |
502 | cleanup_handle (handle); | 508 | GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); |
503 | GNUNET_free (redirect); | 509 | GNUNET_free (redirect); |
504 | } | 510 | } |
505 | 511 | ||
@@ -980,10 +986,10 @@ revoke_ticket_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
980 | strlen (rnd_str), | 986 | strlen (rnd_str), |
981 | &ticket.rnd, | 987 | &ticket.rnd, |
982 | sizeof (uint64_t)); | 988 | sizeof (uint64_t)); |
983 | // GNUNET_STRINGS_string_to_data (identity_str, | 989 | GNUNET_STRINGS_string_to_data (identity_str, |
984 | // strlen (identity_str), | 990 | strlen (identity_str), |
985 | // &ticket.identity,type filter text | 991 | &ticket.identity, |
986 | // sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); | 992 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); |
987 | GNUNET_STRINGS_string_to_data (audience_str, | 993 | GNUNET_STRINGS_string_to_data (audience_str, |
988 | strlen (audience_str), | 994 | strlen (audience_str), |
989 | &ticket.audience, | 995 | &ticket.audience, |
@@ -1206,7 +1212,7 @@ static void | |||
1206 | oidc_iteration_error (void *cls) | 1212 | oidc_iteration_error (void *cls) |
1207 | { | 1213 | { |
1208 | struct RequestHandle *handle = cls; | 1214 | struct RequestHandle *handle = cls; |
1209 | handle->emsg = GNUNET_strdup("unauthorized_client"); | 1215 | handle->emsg = GNUNET_strdup("INTERNAL_SERVER_ERROR"); |
1210 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 1216 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
1211 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1217 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1212 | } | 1218 | } |
@@ -1224,7 +1230,10 @@ oidc_ticket_issue_cb (void* cls, | |||
1224 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket, | 1230 | ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket, |
1225 | sizeof (struct GNUNET_IDENTITY_PROVIDER_Ticket)); | 1231 | sizeof (struct GNUNET_IDENTITY_PROVIDER_Ticket)); |
1226 | //TODO redirect to address | 1232 | //TODO redirect to address |
1227 | GNUNET_asprintf(&redirect_uri, "%s?code=%s&state=", handle->oidc->redirect_uri, ticket_str); | 1233 | GNUNET_asprintf (&redirect_uri, "%s?%s=%s&state=%s", |
1234 | handle->oidc->redirect_uri, | ||
1235 | handle->oidc->response_type, | ||
1236 | ticket_str, handle->oidc->state); | ||
1228 | MHD_add_response_header (resp, "Location", redirect_uri); | 1237 | MHD_add_response_header (resp, "Location", redirect_uri); |
1229 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | 1238 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); |
1230 | GNUNET_free (redirect_uri); | 1239 | GNUNET_free (redirect_uri); |
@@ -1238,11 +1247,18 @@ static void | |||
1238 | oidc_collect_finished_cb (void *cls) | 1247 | oidc_collect_finished_cb (void *cls) |
1239 | { | 1248 | { |
1240 | struct RequestHandle *handle = cls; | 1249 | struct RequestHandle *handle = cls; |
1241 | //Done | ||
1242 | handle->attr_it = NULL; | 1250 | handle->attr_it = NULL; |
1243 | handle->ticket_it = NULL; | 1251 | handle->ticket_it = NULL; |
1252 | if (NULL == handle->attr_list->list_head) | ||
1253 | { | ||
1254 | handle->emsg = GNUNET_strdup("invalid_scope"); | ||
1255 | handle->edesc = GNUNET_strdup("The requested scope is not available."); | ||
1256 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | ||
1257 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
1258 | return; | ||
1259 | } | ||
1244 | handle->idp_op = GNUNET_IDENTITY_PROVIDER_ticket_issue (handle->idp, | 1260 | handle->idp_op = GNUNET_IDENTITY_PROVIDER_ticket_issue (handle->idp, |
1245 | handle->priv_key, | 1261 | &handle->priv_key, |
1246 | &handle->oidc->client_pkey, | 1262 | &handle->oidc->client_pkey, |
1247 | handle->attr_list, | 1263 | handle->attr_list, |
1248 | &oidc_ticket_issue_cb, | 1264 | &oidc_ticket_issue_cb, |
@@ -1261,25 +1277,37 @@ oidc_attr_collect (void *cls, | |||
1261 | { | 1277 | { |
1262 | struct RequestHandle *handle = cls; | 1278 | struct RequestHandle *handle = cls; |
1263 | struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le; | 1279 | struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le; |
1280 | char* scope_variables; | ||
1281 | char delimiter[]=" "; | ||
1264 | 1282 | ||
1265 | if ((NULL == attr->name) || (NULL == attr->data)) | 1283 | if ( (NULL == attr->name) || (NULL == attr->data) ) |
1266 | { | 1284 | { |
1267 | GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it); | 1285 | GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it); |
1268 | return; | 1286 | return; |
1269 | } | 1287 | } |
1270 | 1288 | ||
1271 | if ( NULL == strstr(handle->oidc->scope,attr->name)) | 1289 | scope_variables = GNUNET_strdup(handle->oidc->scope); |
1290 | scope_variables = strtok (scope_variables, delimiter); | ||
1291 | while (NULL != scope_variables) | ||
1292 | { | ||
1293 | if ( 0 == strcmp (attr->name, scope_variables) ) | ||
1294 | { | ||
1295 | break; | ||
1296 | } | ||
1297 | scope_variables = strtok (NULL, delimiter); | ||
1298 | } | ||
1299 | if ( NULL == scope_variables ) | ||
1272 | { | 1300 | { |
1273 | GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it); | 1301 | GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it); |
1274 | return; | 1302 | return; |
1275 | } | 1303 | } |
1304 | GNUNET_free(scope_variables); | ||
1276 | 1305 | ||
1277 | GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Adding attribute: %s\n", | ||
1278 | attr->name); | ||
1279 | le = GNUNET_new(struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry); | 1306 | le = GNUNET_new(struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry); |
1280 | le->claim = GNUNET_IDENTITY_ATTRIBUTE_claim_new (attr->name, attr->type, | 1307 | le->claim = GNUNET_IDENTITY_ATTRIBUTE_claim_new (attr->name, attr->type, |
1281 | attr->data, attr->data_size); | 1308 | attr->data, attr->data_size); |
1282 | GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head, handle->attr_list->list_tail, le); | 1309 | GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head, |
1310 | handle->attr_list->list_tail, le); | ||
1283 | GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it); | 1311 | GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it); |
1284 | } | 1312 | } |
1285 | 1313 | ||
@@ -1308,17 +1336,16 @@ oidc_namestore_iteration_callback ( | |||
1308 | if ( NULL != handle->oidc->login_identity ) | 1336 | if ( NULL != handle->oidc->login_identity ) |
1309 | { | 1337 | { |
1310 | GNUNET_CRYPTO_ecdsa_public_key_from_string ( | 1338 | GNUNET_CRYPTO_ecdsa_public_key_from_string ( |
1311 | handle->oidc->login_identity, strlen (handle->oidc->login_identity), | 1339 | handle->oidc->login_identity, |
1340 | strlen (handle->oidc->login_identity), | ||
1312 | &login_identity_pkey); | 1341 | &login_identity_pkey); |
1313 | GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, | 1342 | GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, |
1314 | ¤t_zone_pkey); | 1343 | ¤t_zone_pkey); |
1315 | 1344 | ||
1316 | if ( 0 | 1345 | if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, |
1317 | == memcmp (rd[i].data, &handle->oidc->client_pkey, | ||
1318 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | 1346 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) |
1319 | { | 1347 | { |
1320 | if ( 0 | 1348 | if ( 0 == memcmp (&login_identity_pkey, ¤t_zone_pkey, |
1321 | == memcmp (&login_identity_pkey, ¤t_zone_pkey, | ||
1322 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | 1349 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) |
1323 | { | 1350 | { |
1324 | handle->oidc->client_trusted = GNUNET_YES; | 1351 | handle->oidc->client_trusted = GNUNET_YES; |
@@ -1327,8 +1354,7 @@ oidc_namestore_iteration_callback ( | |||
1327 | } | 1354 | } |
1328 | else | 1355 | else |
1329 | { | 1356 | { |
1330 | if ( 0 | 1357 | if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, |
1331 | == memcmp (rd[i].data, &handle->oidc->client_pkey, | ||
1332 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) | 1358 | sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) |
1333 | { | 1359 | { |
1334 | handle->oidc->client_trusted = GNUNET_YES; | 1360 | handle->oidc->client_trusted = GNUNET_YES; |
@@ -1354,6 +1380,8 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1354 | struct GNUNET_TIME_Absolute current_time, *relog_time; | 1380 | struct GNUNET_TIME_Absolute current_time, *relog_time; |
1355 | 1381 | ||
1356 | char *expected_redirect_uri; | 1382 | char *expected_redirect_uri; |
1383 | char *expected_scope; | ||
1384 | char delimiter[]=" "; | ||
1357 | char *identity_cookie; | 1385 | char *identity_cookie; |
1358 | char *login_base_url; | 1386 | char *login_base_url; |
1359 | char *new_redirect; | 1387 | char *new_redirect; |
@@ -1363,8 +1391,8 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1363 | handle->ego_entry = handle->ego_entry->next; | 1391 | handle->ego_entry = handle->ego_entry->next; |
1364 | 1392 | ||
1365 | if(NULL != handle->ego_entry){ | 1393 | if(NULL != handle->ego_entry){ |
1366 | handle->priv_key = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); | 1394 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); |
1367 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (handle->namestore_handle, handle->priv_key, | 1395 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (handle->namestore_handle, &handle->priv_key, |
1368 | &oidc_iteration_error, handle, &oidc_namestore_iteration_callback, handle, | 1396 | &oidc_iteration_error, handle, &oidc_namestore_iteration_callback, handle, |
1369 | &oidc_namestore_iteration_finished, handle); | 1397 | &oidc_namestore_iteration_finished, handle); |
1370 | return; | 1398 | return; |
@@ -1372,6 +1400,7 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1372 | if (GNUNET_YES != handle->oidc->client_trusted) | 1400 | if (GNUNET_YES != handle->oidc->client_trusted) |
1373 | { | 1401 | { |
1374 | handle->emsg = GNUNET_strdup("unauthorized_client"); | 1402 | handle->emsg = GNUNET_strdup("unauthorized_client"); |
1403 | //TODO rewrite error | ||
1375 | handle->edesc = GNUNET_strdup("Client is not trusted."); | 1404 | handle->edesc = GNUNET_strdup("Client is not trusted."); |
1376 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1405 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1377 | return; | 1406 | return; |
@@ -1433,16 +1462,6 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1433 | &cache_key); | 1462 | &cache_key); |
1434 | handle->oidc->scope = GNUNET_strdup(handle->oidc->scope); | 1463 | handle->oidc->scope = GNUNET_strdup(handle->oidc->scope); |
1435 | 1464 | ||
1436 | //RECOMMENDED value: state | ||
1437 | GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key); | ||
1438 | if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1439 | &cache_key)) | ||
1440 | { | ||
1441 | handle->oidc->state = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1442 | &cache_key); | ||
1443 | handle->oidc->state = GNUNET_strdup (handle->oidc->state); | ||
1444 | } | ||
1445 | |||
1446 | //OPTIONAL value: nonce | 1465 | //OPTIONAL value: nonce |
1447 | GNUNET_CRYPTO_hash (OIDC_NONCE_KEY, strlen (OIDC_NONCE_KEY), &cache_key); | 1466 | GNUNET_CRYPTO_hash (OIDC_NONCE_KEY, strlen (OIDC_NONCE_KEY), &cache_key); |
1448 | if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | 1467 | if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, |
@@ -1450,7 +1469,7 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1450 | { | 1469 | { |
1451 | handle->oidc->nonce = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | 1470 | handle->oidc->nonce = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, |
1452 | &cache_key); | 1471 | &cache_key); |
1453 | //ASK: what do we do with the nonce? | 1472 | //TODO: what do we do with the nonce? |
1454 | handle->oidc->nonce = GNUNET_strdup (handle->oidc->nonce); | 1473 | handle->oidc->nonce = GNUNET_strdup (handle->oidc->nonce); |
1455 | } | 1474 | } |
1456 | 1475 | ||
@@ -1481,16 +1500,29 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1481 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1500 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1482 | return; | 1501 | return; |
1483 | } | 1502 | } |
1503 | |||
1484 | // Checks if scope contains 'openid' | 1504 | // Checks if scope contains 'openid' |
1485 | if( NULL == strstr( handle->oidc->scope, OIDC_EXPECTED_AUTHORIZATION_SCOPE ) ) | 1505 | expected_scope = GNUNET_strdup(handle->oidc->scope); |
1506 | expected_scope = strtok (expected_scope, delimiter); | ||
1507 | while (NULL != expected_scope) | ||
1486 | { | 1508 | { |
1487 | handle->emsg=GNUNET_strdup("invalid_scope"); | 1509 | if ( 0 == strcmp (OIDC_EXPECTED_AUTHORIZATION_SCOPE, expected_scope) ) |
1510 | { | ||
1511 | break; | ||
1512 | } | ||
1513 | expected_scope = strtok (NULL, delimiter); | ||
1514 | } | ||
1515 | if (NULL == expected_scope) | ||
1516 | { | ||
1517 | handle->emsg = GNUNET_strdup("invalid_scope"); | ||
1488 | handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or " | 1518 | handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or " |
1489 | "malformed."); | 1519 | "malformed."); |
1490 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1520 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1491 | return; | 1521 | return; |
1492 | } | 1522 | } |
1493 | 1523 | ||
1524 | GNUNET_free(expected_scope); | ||
1525 | |||
1494 | if( NULL != handle->oidc->login_identity ) | 1526 | if( NULL != handle->oidc->login_identity ) |
1495 | { | 1527 | { |
1496 | GNUNET_asprintf(&identity_cookie,"Identity=%s",handle->oidc->login_identity); | 1528 | GNUNET_asprintf(&identity_cookie,"Identity=%s",handle->oidc->login_identity); |
@@ -1506,20 +1538,19 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1506 | 1538 | ||
1507 | current_time = GNUNET_TIME_absolute_get(); | 1539 | current_time = GNUNET_TIME_absolute_get(); |
1508 | 1540 | ||
1509 | GNUNET_CONTAINER_multihashmap_remove_all(OIDC_authorized_identities, &cache_key); | 1541 | //GNUNET_CONTAINER_multihashmap_remove_all(OIDC_authorized_identities, &cache_key); |
1510 | // 30 min after old login -> redirect to login | 1542 | // 30 min after old login -> redirect to login |
1511 | if ( current_time.abs_value_us <= relog_time->abs_value_us ) | 1543 | if ( current_time.abs_value_us <= relog_time->abs_value_us ) |
1512 | { | 1544 | { |
1513 | if ( GNUNET_OK != GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->login_identity, | 1545 | if ( GNUNET_OK != GNUNET_CRYPTO_ecdsa_public_key_from_string ( |
1514 | strlen (handle->oidc->login_identity), | 1546 | handle->oidc->login_identity, |
1515 | &pubkey)) | 1547 | strlen (handle->oidc->login_identity), &pubkey) ) |
1516 | { | 1548 | { |
1517 | handle->emsg=GNUNET_strdup("invalid_cookie"); | 1549 | handle->emsg=GNUNET_strdup("invalid_cookie"); |
1518 | handle->edesc=GNUNET_strdup("Test"); | 1550 | handle->edesc=GNUNET_strdup("The cookie of a login identity is not valid"); |
1519 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1551 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1520 | return; | 1552 | return; |
1521 | } | 1553 | } |
1522 | handle->priv_key=NULL; | ||
1523 | // iterate over egos and compare their public key | 1554 | // iterate over egos and compare their public key |
1524 | for (handle->ego_entry = handle->ego_head; | 1555 | for (handle->ego_entry = handle->ego_head; |
1525 | NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next) | 1556 | NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next) |
@@ -1527,25 +1558,25 @@ static void oidc_namestore_iteration_finished (void *cls) | |||
1527 | GNUNET_IDENTITY_ego_get_public_key( handle->ego_entry->ego, &ego_pkey ); | 1558 | GNUNET_IDENTITY_ego_get_public_key( handle->ego_entry->ego, &ego_pkey ); |
1528 | if ( 0 == memcmp(&ego_pkey,&pubkey, sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey))) | 1559 | if ( 0 == memcmp(&ego_pkey,&pubkey, sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey))) |
1529 | { | 1560 | { |
1530 | handle->priv_key = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); | 1561 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key ( |
1531 | break; | 1562 | handle->ego_entry->ego); |
1563 | handle->resp_object = GNUNET_JSONAPI_document_new (); | ||
1564 | handle->idp = GNUNET_IDENTITY_PROVIDER_connect (cfg); | ||
1565 | handle->attr_list = GNUNET_new( | ||
1566 | struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList); | ||
1567 | handle->attr_it = GNUNET_IDENTITY_PROVIDER_get_attributes_start ( | ||
1568 | handle->idp, &handle->priv_key, &oidc_iteration_error, handle, | ||
1569 | &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle); | ||
1570 | return; | ||
1532 | } | 1571 | } |
1533 | } | 1572 | } |
1534 | if ( NULL != handle->priv_key ) | 1573 | handle->emsg=GNUNET_strdup("invalid_cookie"); |
1535 | { | 1574 | handle->edesc = GNUNET_strdup( |
1536 | handle->resp_object = GNUNET_JSONAPI_document_new (); | 1575 | "The cookie of a login identity is not valid"); |
1537 | handle->idp = GNUNET_IDENTITY_PROVIDER_connect (cfg); | 1576 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1538 | handle->attr_list = GNUNET_new (struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList); | ||
1539 | handle->attr_it = GNUNET_IDENTITY_PROVIDER_get_attributes_start ( | ||
1540 | handle->idp, handle->priv_key, &oidc_iteration_error, handle, &oidc_attr_collect, | ||
1541 | handle, &oidc_collect_finished_cb, handle); | ||
1542 | GNUNET_free(relog_time); | ||
1543 | return; | ||
1544 | } | ||
1545 | //TODO add error | ||
1546 | return; | 1577 | return; |
1547 | } | 1578 | } |
1548 | GNUNET_free(relog_time); | 1579 | //GNUNET_free(relog_time); |
1549 | } | 1580 | } |
1550 | } | 1581 | } |
1551 | 1582 | ||
@@ -1620,10 +1651,28 @@ authorize_get_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1620 | } | 1651 | } |
1621 | handle->oidc->login_identity = strtok (NULL, delimiter); | 1652 | handle->oidc->login_identity = strtok (NULL, delimiter); |
1622 | } | 1653 | } |
1623 | handle->oidc->login_identity = strtok(cookies, OIDC_COOKIE_HEADER_INFORMATION_KEY); | 1654 | GNUNET_CRYPTO_hash (handle->oidc->login_identity, strlen (handle->oidc->login_identity), |
1624 | handle->oidc->login_identity = GNUNET_strdup(handle->oidc->login_identity); | 1655 | &cache_key); |
1656 | if ( GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (OIDC_authorized_identities, &cache_key) ) | ||
1657 | { | ||
1658 | handle->oidc->login_identity = strtok(handle->oidc->login_identity, OIDC_COOKIE_HEADER_INFORMATION_KEY); | ||
1659 | handle->oidc->login_identity = GNUNET_strdup(handle->oidc->login_identity); | ||
1660 | } | ||
1661 | else | ||
1662 | { | ||
1663 | handle->oidc->login_identity = NULL; | ||
1664 | } | ||
1625 | } | 1665 | } |
1626 | 1666 | ||
1667 | //RECOMMENDED value: state - REQUIRED for answers | ||
1668 | GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key); | ||
1669 | if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1670 | &cache_key)) | ||
1671 | { | ||
1672 | handle->oidc->state = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1673 | &cache_key); | ||
1674 | handle->oidc->state = GNUNET_strdup (handle->oidc->state); | ||
1675 | } | ||
1627 | 1676 | ||
1628 | // REQUIRED value: client_id | 1677 | // REQUIRED value: client_id |
1629 | GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY), | 1678 | GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY), |
@@ -1646,7 +1695,7 @@ authorize_get_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1646 | strlen (handle->oidc->client_id), | 1695 | strlen (handle->oidc->client_id), |
1647 | &handle->oidc->client_pkey) ) | 1696 | &handle->oidc->client_pkey) ) |
1648 | { | 1697 | { |
1649 | //ASK rewrite error? | 1698 | //TODO rewrite error? |
1650 | handle->emsg = GNUNET_strdup("unauthorized_client"); | 1699 | handle->emsg = GNUNET_strdup("unauthorized_client"); |
1651 | handle->edesc = GNUNET_strdup("The client is not authorized to request an " | 1700 | handle->edesc = GNUNET_strdup("The client is not authorized to request an " |
1652 | "authorization code using this method."); | 1701 | "authorization code using this method."); |
@@ -1658,305 +1707,306 @@ authorize_get_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1658 | 1707 | ||
1659 | if ( NULL == handle->ego_head ) | 1708 | if ( NULL == handle->ego_head ) |
1660 | { | 1709 | { |
1661 | //ASK throw error or ignore if egos are missing? | 1710 | //TODO throw error or ignore if egos are missing? |
1662 | handle->emsg = GNUNET_strdup("Missing egos."); | 1711 | handle->emsg = GNUNET_strdup("server_error"); |
1712 | handle->edesc = GNUNET_strdup ("Egos are missing"); | ||
1663 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 1713 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
1664 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1714 | GNUNET_SCHEDULER_add_now (&do_error, handle); |
1665 | return; | 1715 | return; |
1666 | } | 1716 | } |
1667 | 1717 | ||
1668 | handle->ego_entry = handle->ego_head; | 1718 | handle->ego_entry = handle->ego_head; |
1669 | handle->priv_key = GNUNET_IDENTITY_ego_get_private_key (handle->ego_head->ego); | 1719 | handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_head->ego); |
1670 | handle->oidc->client_trusted = GNUNET_NO; | 1720 | handle->oidc->client_trusted = GNUNET_NO; |
1671 | 1721 | ||
1672 | // Checks if client_id is valid: | 1722 | // Checks if client_id is valid: |
1673 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start ( | 1723 | handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start ( |
1674 | handle->namestore_handle, handle->priv_key, &oidc_iteration_error, | 1724 | handle->namestore_handle, &handle->priv_key, &oidc_iteration_error, |
1675 | handle, &oidc_namestore_iteration_callback, handle, | 1725 | handle, &oidc_namestore_iteration_callback, handle, |
1676 | &oidc_namestore_iteration_finished, handle); | 1726 | &oidc_namestore_iteration_finished, handle); |
1677 | } | 1727 | } |
1678 | 1728 | ||
1679 | /** | 1729 | ///** |
1680 | * Respond to authorization POST request | 1730 | // * Respond to authorization POST request |
1681 | * | 1731 | // * |
1682 | * @param con_handle the connection handle | 1732 | // * @param con_handle the connection handle |
1683 | * @param url the url | 1733 | // * @param url the url |
1684 | * @param cls the RequestHandle | 1734 | // * @param cls the RequestHandle |
1685 | */ | 1735 | // */ |
1686 | static void | 1736 | //static void |
1687 | authorize_post_cont (struct GNUNET_REST_RequestHandle *con_handle, | 1737 | //authorize_post_cont (struct GNUNET_REST_RequestHandle *con_handle, |
1688 | const char* url, | 1738 | // const char* url, |
1689 | void *cls) | 1739 | // void *cls) |
1690 | { | 1740 | //{ |
1691 | /** The Authorization Server MUST validate all the OAuth 2.0 parameters | 1741 | // /** The Authorization Server MUST validate all the OAuth 2.0 parameters |
1692 | * according to the OAuth 2.0 specification. | 1742 | // * according to the OAuth 2.0 specification. |
1693 | */ | 1743 | // */ |
1694 | /** | 1744 | // /** |
1695 | * If the sub (subject) Claim is requested with a specific value for the | 1745 | // * If the sub (subject) Claim is requested with a specific value for the |
1696 | * ID Token, the Authorization Server MUST only send a positive response | 1746 | // * ID Token, the Authorization Server MUST only send a positive response |
1697 | * if the End-User identified by that sub value has an active session with | 1747 | // * if the End-User identified by that sub value has an active session with |
1698 | * the Authorization Server or has been Authenticated as a result of the | 1748 | // * the Authorization Server or has been Authenticated as a result of the |
1699 | * request. The Authorization Server MUST NOT reply with an ID Token or | 1749 | // * request. The Authorization Server MUST NOT reply with an ID Token or |
1700 | * Access Token for a different user, even if they have an active session | 1750 | // * Access Token for a different user, even if they have an active session |
1701 | * with the Authorization Server. Such a request can be made either using | 1751 | // * with the Authorization Server. Such a request can be made either using |
1702 | * an id_token_hint parameter or by requesting a specific Claim Value as | 1752 | // * an id_token_hint parameter or by requesting a specific Claim Value as |
1703 | * described in Section 5.5.1, if the claims parameter is supported by | 1753 | // * described in Section 5.5.1, if the claims parameter is supported by |
1704 | * the implementation. | 1754 | // * the implementation. |
1705 | */ | 1755 | // */ |
1706 | 1756 | // | |
1707 | struct MHD_Response *resp; | 1757 | // struct MHD_Response *resp; |
1708 | struct RequestHandle *handle = cls; | 1758 | // struct RequestHandle *handle = cls; |
1709 | const char *response_type; | 1759 | // const char *response_type; |
1710 | const char *client_id; | 1760 | // const char *client_id; |
1711 | char *scope; | 1761 | // char *scope; |
1712 | const char *redirect_uri; | 1762 | // const char *redirect_uri; |
1713 | const char *state = NULL; | 1763 | // const char *state = NULL; |
1714 | const char *nonce = NULL; | 1764 | // const char *nonce = NULL; |
1715 | struct GNUNET_TIME_Absolute current_time, *relog_time; | 1765 | // struct GNUNET_TIME_Absolute current_time, *relog_time; |
1716 | char *login_base_url; | 1766 | // char *login_base_url; |
1717 | char *new_redirect; | 1767 | // char *new_redirect; |
1718 | char *expected_redirect_uri; | 1768 | // char *expected_redirect_uri; |
1719 | json_t *cache_object; | 1769 | // json_t *cache_object; |
1720 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_pkey; | 1770 | // const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_pkey; |
1721 | struct GNUNET_CRYPTO_EcdsaPublicKey pubkey; | 1771 | // struct GNUNET_CRYPTO_EcdsaPublicKey pubkey; |
1722 | struct GNUNET_HashCode cache_key; | 1772 | // struct GNUNET_HashCode cache_key; |
1723 | int number_of_ignored_parameter, iterator; | 1773 | // int number_of_ignored_parameter, iterator; |
1724 | 1774 | // | |
1725 | json_t *root; | 1775 | // json_t *root; |
1726 | json_error_t error; | 1776 | // json_error_t error; |
1727 | root = json_loads (handle->rest_handle->data, 0, &error); | 1777 | // root = json_loads (handle->rest_handle->data, 0, &error); |
1728 | 1778 | // | |
1729 | // REQUIRED value: client_id | 1779 | // // REQUIRED value: client_id |
1730 | cache_object = json_object_get (root, OIDC_CLIENT_ID_KEY); | 1780 | // cache_object = json_object_get (root, OIDC_CLIENT_ID_KEY); |
1731 | if( NULL==cache_object || !json_is_string(cache_object)) | 1781 | // if( NULL==cache_object || !json_is_string(cache_object)) |
1732 | { | 1782 | // { |
1733 | handle->emsg=GNUNET_strdup("invalid_request"); | 1783 | // handle->emsg=GNUNET_strdup("invalid_request"); |
1734 | handle->edesc=GNUNET_strdup("Missing parameter: client_id"); | 1784 | // handle->edesc=GNUNET_strdup("Missing parameter: client_id"); |
1735 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1785 | // GNUNET_SCHEDULER_add_now (&do_error, handle); |
1736 | return; | 1786 | // return; |
1737 | } | 1787 | // } |
1738 | client_id = json_string_value(cache_object); | 1788 | // client_id = json_string_value(cache_object); |
1739 | if ( GNUNET_OK | 1789 | // if ( GNUNET_OK |
1740 | != GNUNET_CRYPTO_ecdsa_public_key_from_string (client_id, | 1790 | // != GNUNET_CRYPTO_ecdsa_public_key_from_string (client_id, |
1741 | strlen (client_id), | 1791 | // strlen (client_id), |
1742 | &pubkey) ) | 1792 | // &pubkey) ) |
1743 | { | 1793 | // { |
1744 | handle->emsg=GNUNET_strdup("unauthorized_client"); | 1794 | // handle->emsg=GNUNET_strdup("unauthorized_client"); |
1745 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 1795 | // handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
1746 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1796 | // GNUNET_SCHEDULER_add_now (&do_error, handle); |
1747 | } | 1797 | // } |
1748 | 1798 | // | |
1749 | // Checks if client_id is valid: | 1799 | // // Checks if client_id is valid: |
1750 | handle->namestore_handle = GNUNET_NAMESTORE_connect(cfg); | 1800 | // handle->namestore_handle = GNUNET_NAMESTORE_connect(cfg); |
1751 | zone_pkey = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); | 1801 | // zone_pkey = GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); |
1752 | //TODO: fix | 1802 | // //TODO: fix |
1753 | // GNUNET_NAMESTORE_zone_to_name (handle->namestore_handle, zone_pkey, &pubkey, | 1803 | //// GNUNET_NAMESTORE_zone_to_name (handle->namestore_handle, zone_pkey, &pubkey, |
1754 | // zone_to_name_error, handle, zone_to_name_cb, | 1804 | //// zone_to_name_error, handle, zone_to_name_cb, |
1755 | // handle); | 1805 | //// handle); |
1756 | 1806 | // | |
1757 | // REQUIRED value: redirect_uri | 1807 | // // REQUIRED value: redirect_uri |
1758 | cache_object = json_object_get (root, OIDC_REDIRECT_URI_KEY); | 1808 | // cache_object = json_object_get (root, OIDC_REDIRECT_URI_KEY); |
1759 | if( NULL==cache_object || !json_is_string(cache_object)) | 1809 | // if( NULL==cache_object || !json_is_string(cache_object)) |
1760 | { | 1810 | // { |
1761 | handle->emsg=GNUNET_strdup("invalid_request"); | 1811 | // handle->emsg=GNUNET_strdup("invalid_request"); |
1762 | handle->edesc=GNUNET_strdup("Missing parameter: redirect_uri"); | 1812 | // handle->edesc=GNUNET_strdup("Missing parameter: redirect_uri"); |
1763 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1813 | // GNUNET_SCHEDULER_add_now (&do_error, handle); |
1764 | return; | 1814 | // return; |
1765 | } | 1815 | // } |
1766 | redirect_uri = json_string_value(cache_object); | 1816 | // redirect_uri = json_string_value(cache_object); |
1767 | 1817 | // | |
1768 | GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey", client_id); | 1818 | // GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey", client_id); |
1769 | 1819 | // | |
1770 | // verify the redirect uri matches https://<client_id>.zkey[/xyz] | 1820 | // // verify the redirect uri matches https://<client_id>.zkey[/xyz] |
1771 | if( 0 != strncmp( expected_redirect_uri, redirect_uri, strlen(expected_redirect_uri)) ) | 1821 | // if( 0 != strncmp( expected_redirect_uri, redirect_uri, strlen(expected_redirect_uri)) ) |
1772 | { | 1822 | // { |
1773 | handle->emsg=GNUNET_strdup("invalid_request"); | 1823 | // handle->emsg=GNUNET_strdup("invalid_request"); |
1774 | handle->edesc=GNUNET_strdup("Invalid redirect_uri"); | 1824 | // handle->edesc=GNUNET_strdup("Invalid redirect_uri"); |
1775 | GNUNET_free(expected_redirect_uri); | 1825 | // GNUNET_free(expected_redirect_uri); |
1776 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 1826 | // GNUNET_SCHEDULER_add_now (&do_error, handle); |
1777 | return; | 1827 | // return; |
1778 | } | 1828 | // } |
1779 | handle->oidc->redirect_uri = GNUNET_strdup(redirect_uri); | 1829 | // handle->oidc->redirect_uri = GNUNET_strdup(redirect_uri); |
1780 | 1830 | // | |
1781 | // REQUIRED value: response_type | 1831 | // // REQUIRED value: response_type |
1782 | cache_object = json_object_get (root, OIDC_RESPONSE_TYPE_KEY); | 1832 | // cache_object = json_object_get (root, OIDC_RESPONSE_TYPE_KEY); |
1783 | if( NULL==cache_object || !json_is_string(cache_object)) | 1833 | // if( NULL==cache_object || !json_is_string(cache_object)) |
1784 | { | 1834 | // { |
1785 | handle->emsg=GNUNET_strdup("invalid_request"); | 1835 | // handle->emsg=GNUNET_strdup("invalid_request"); |
1786 | handle->edesc=GNUNET_strdup("Missing parameter: response_type"); | 1836 | // handle->edesc=GNUNET_strdup("Missing parameter: response_type"); |
1787 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1837 | // GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1788 | return; | 1838 | // return; |
1789 | } | 1839 | // } |
1790 | response_type = json_string_value(cache_object); | 1840 | // response_type = json_string_value(cache_object); |
1791 | 1841 | // | |
1792 | // REQUIRED value: scope | 1842 | // // REQUIRED value: scope |
1793 | cache_object = json_object_get (root, OIDC_SCOPE_KEY); | 1843 | // cache_object = json_object_get (root, OIDC_SCOPE_KEY); |
1794 | if( NULL==cache_object || !json_is_string(cache_object)) | 1844 | // if( NULL==cache_object || !json_is_string(cache_object)) |
1795 | { | 1845 | // { |
1796 | handle->emsg=GNUNET_strdup("invalid_request"); | 1846 | // handle->emsg=GNUNET_strdup("invalid_request"); |
1797 | handle->edesc=GNUNET_strdup("Missing parameter: scope"); | 1847 | // handle->edesc=GNUNET_strdup("Missing parameter: scope"); |
1798 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1848 | // GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1799 | return; | 1849 | // return; |
1800 | } | 1850 | // } |
1801 | scope = json_string_value(cache_object); | 1851 | // scope = json_string_value(cache_object); |
1802 | 1852 | // | |
1803 | //RECOMMENDED value: state | 1853 | // //RECOMMENDED value: state |
1804 | cache_object = json_object_get (root, OIDC_STATE_KEY); | 1854 | // cache_object = json_object_get (root, OIDC_STATE_KEY); |
1805 | if( NULL!=cache_object || json_is_string(cache_object)) | 1855 | // if( NULL!=cache_object || json_is_string(cache_object)) |
1806 | { | 1856 | // { |
1807 | state = json_string_value(cache_object); | 1857 | // state = json_string_value(cache_object); |
1808 | } | 1858 | // } |
1809 | 1859 | // | |
1810 | //OPTIONAL value: nonce | 1860 | // //OPTIONAL value: nonce |
1811 | cache_object = json_object_get (root, OIDC_NONCE_KEY); | 1861 | // cache_object = json_object_get (root, OIDC_NONCE_KEY); |
1812 | if( NULL!=cache_object || json_is_string(cache_object)) | 1862 | // if( NULL!=cache_object || json_is_string(cache_object)) |
1813 | { | 1863 | // { |
1814 | nonce = json_string_value(cache_object); | 1864 | // nonce = json_string_value(cache_object); |
1815 | } | 1865 | // } |
1816 | 1866 | // | |
1817 | //TODO check other values and use them accordingly | 1867 | // //TODO check other values and use them accordingly |
1818 | number_of_ignored_parameter = sizeof(OIDC_ignored_parameter_array) / sizeof(char *); | 1868 | // number_of_ignored_parameter = sizeof(OIDC_ignored_parameter_array) / sizeof(char *); |
1819 | for( iterator = 0; iterator < number_of_ignored_parameter; iterator++ ) | 1869 | // for( iterator = 0; iterator < number_of_ignored_parameter; iterator++ ) |
1820 | { | 1870 | // { |
1821 | cache_object = json_object_get (root, OIDC_ignored_parameter_array[iterator]); | 1871 | // cache_object = json_object_get (root, OIDC_ignored_parameter_array[iterator]); |
1822 | if(json_is_string(cache_object)) | 1872 | // if(json_is_string(cache_object)) |
1823 | { | 1873 | // { |
1824 | handle->emsg=GNUNET_strdup("access_denied"); | 1874 | // handle->emsg=GNUNET_strdup("access_denied"); |
1825 | GNUNET_asprintf (&handle->edesc, "Server will not handle parameter: %s", | 1875 | // GNUNET_asprintf (&handle->edesc, "Server will not handle parameter: %s", |
1826 | OIDC_ignored_parameter_array[iterator]); | 1876 | // OIDC_ignored_parameter_array[iterator]); |
1827 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1877 | // GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1828 | return; | 1878 | // return; |
1829 | } | 1879 | // } |
1830 | } | 1880 | // } |
1831 | 1881 | // | |
1832 | // Checks if response_type is 'code' | 1882 | // // Checks if response_type is 'code' |
1833 | if( 0 != strcmp( response_type, OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE ) ) | 1883 | // if( 0 != strcmp( response_type, OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE ) ) |
1834 | { | 1884 | // { |
1835 | handle->emsg=GNUNET_strdup("unsupported_response_type"); | 1885 | // handle->emsg=GNUNET_strdup("unsupported_response_type"); |
1836 | handle->edesc=GNUNET_strdup("The authorization server does not support " | 1886 | // handle->edesc=GNUNET_strdup("The authorization server does not support " |
1837 | "obtaining this authorization code."); | 1887 | // "obtaining this authorization code."); |
1838 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1888 | // GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1839 | return; | 1889 | // return; |
1840 | } | 1890 | // } |
1841 | // Checks if scope contains 'openid' | 1891 | // // Checks if scope contains 'openid' |
1842 | if( NULL == strstr( scope, OIDC_EXPECTED_AUTHORIZATION_SCOPE ) ) | 1892 | // if( NULL == strstr( scope, OIDC_EXPECTED_AUTHORIZATION_SCOPE ) ) |
1843 | { | 1893 | // { |
1844 | handle->emsg=GNUNET_strdup("invalid_scope"); | 1894 | // handle->emsg=GNUNET_strdup("invalid_scope"); |
1845 | handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or " | 1895 | // handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or " |
1846 | "malformed."); | 1896 | // "malformed."); |
1847 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | 1897 | // GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); |
1848 | return; | 1898 | // return; |
1849 | } | 1899 | // } |
1850 | 1900 | // | |
1851 | 1901 | // | |
1852 | GNUNET_CRYPTO_hash (OIDC_COOKIE_HEADER_KEY, strlen (OIDC_COOKIE_HEADER_KEY), | 1902 | // GNUNET_CRYPTO_hash (OIDC_COOKIE_HEADER_KEY, strlen (OIDC_COOKIE_HEADER_KEY), |
1853 | &cache_key); | 1903 | // &cache_key); |
1854 | //No identity-cookie -> redirect to login | 1904 | // //No identity-cookie -> redirect to login |
1855 | if ( GNUNET_YES | 1905 | // if ( GNUNET_YES |
1856 | == GNUNET_CONTAINER_multihashmap_contains (con_handle->header_param_map, | 1906 | // == GNUNET_CONTAINER_multihashmap_contains (con_handle->header_param_map, |
1857 | &cache_key) ) | 1907 | // &cache_key) ) |
1858 | { | 1908 | // { |
1859 | //split cookies and find 'Identity' cookie | 1909 | // //split cookies and find 'Identity' cookie |
1860 | char* cookies = GNUNET_CONTAINER_multihashmap_get ( | 1910 | // char* cookies = GNUNET_CONTAINER_multihashmap_get ( |
1861 | con_handle->header_param_map, &cache_key); | 1911 | // con_handle->header_param_map, &cache_key); |
1862 | char delimiter[] = "; "; | 1912 | // char delimiter[] = "; "; |
1863 | char *identity_cookie; | 1913 | // char *identity_cookie; |
1864 | identity_cookie = strtok(cookies, delimiter); | 1914 | // identity_cookie = strtok(cookies, delimiter); |
1865 | 1915 | // | |
1866 | while ( NULL != identity_cookie ) | 1916 | // while ( NULL != identity_cookie ) |
1867 | { | 1917 | // { |
1868 | if ( NULL != strstr (identity_cookie, OIDC_COOKIE_HEADER_INFORMATION_KEY) ) | 1918 | // if ( NULL != strstr (identity_cookie, OIDC_COOKIE_HEADER_INFORMATION_KEY) ) |
1869 | { | 1919 | // { |
1870 | break; | 1920 | // break; |
1871 | } | 1921 | // } |
1872 | identity_cookie = strtok (NULL, delimiter); | 1922 | // identity_cookie = strtok (NULL, delimiter); |
1873 | } | 1923 | // } |
1874 | GNUNET_CRYPTO_hash (identity_cookie, strlen (identity_cookie), &cache_key); | 1924 | // GNUNET_CRYPTO_hash (identity_cookie, strlen (identity_cookie), &cache_key); |
1875 | 1925 | // | |
1876 | //No login time for identity -> redirect to login | 1926 | // //No login time for identity -> redirect to login |
1877 | if ( GNUNET_YES | 1927 | // if ( GNUNET_YES |
1878 | == GNUNET_CONTAINER_multihashmap_contains (OIDC_authorized_identities, | 1928 | // == GNUNET_CONTAINER_multihashmap_contains (OIDC_authorized_identities, |
1879 | &cache_key) ) | 1929 | // &cache_key) ) |
1880 | { | 1930 | // { |
1881 | relog_time = GNUNET_CONTAINER_multihashmap_get ( | 1931 | // relog_time = GNUNET_CONTAINER_multihashmap_get ( |
1882 | OIDC_authorized_identities, &cache_key); | 1932 | // OIDC_authorized_identities, &cache_key); |
1883 | 1933 | // | |
1884 | current_time = GNUNET_TIME_absolute_get(); | 1934 | // current_time = GNUNET_TIME_absolute_get(); |
1885 | 1935 | // | |
1886 | GNUNET_CONTAINER_multihashmap_remove_all(OIDC_authorized_identities, &cache_key); | 1936 | // GNUNET_CONTAINER_multihashmap_remove_all(OIDC_authorized_identities, &cache_key); |
1887 | // 30 min after old login -> redirect to login | 1937 | // // 30 min after old login -> redirect to login |
1888 | if ( current_time.abs_value_us <= relog_time->abs_value_us ) | 1938 | // if ( current_time.abs_value_us <= relog_time->abs_value_us ) |
1889 | { | 1939 | // { |
1890 | resp = GNUNET_REST_create_response (""); | 1940 | // resp = GNUNET_REST_create_response (""); |
1891 | 1941 | // | |
1892 | GNUNET_CRYPTO_ecdsa_public_key_from_string (identity_cookie, | 1942 | // GNUNET_CRYPTO_ecdsa_public_key_from_string (identity_cookie, |
1893 | strlen (identity_cookie), | 1943 | // strlen (identity_cookie), |
1894 | &pubkey); | 1944 | // &pubkey); |
1895 | 1945 | // | |
1896 | // iterate over egos and compare their public key | 1946 | // // iterate over egos and compare their public key |
1897 | // GNUNET_IDENTITY_PROVIDER_get_attributes_start | 1947 | //// GNUNET_IDENTITY_PROVIDER_get_attributes_start |
1898 | // iterate over scope variables | 1948 | // // iterate over scope variables |
1899 | char delimiter[] = " "; | 1949 | // char delimiter[] = " "; |
1900 | char *scope_attribute; | 1950 | // char *scope_attribute; |
1901 | scope_attribute = strtok(scope, delimiter); | 1951 | // scope_attribute = strtok(scope, delimiter); |
1902 | 1952 | // | |
1903 | while ( NULL != scope_attribute ) | 1953 | // while ( NULL != scope_attribute ) |
1904 | { | 1954 | // { |
1905 | if ( NULL == strstr (scope_attribute, OIDC_EXPECTED_AUTHORIZATION_SCOPE) ) | 1955 | // if ( NULL == strstr (scope_attribute, OIDC_EXPECTED_AUTHORIZATION_SCOPE) ) |
1906 | { | 1956 | // { |
1907 | // claim attribute from ego | 1957 | // // claim attribute from ego |
1908 | scope_attribute = strtok (NULL, delimiter); | 1958 | // scope_attribute = strtok (NULL, delimiter); |
1909 | } | 1959 | // } |
1910 | } | 1960 | // } |
1911 | // create an authorization code | 1961 | // // create an authorization code |
1912 | 1962 | // | |
1913 | // GNUNET_IDENTITY_PROVIDER_t | 1963 | //// GNUNET_IDENTITY_PROVIDER_t |
1914 | 1964 | // | |
1915 | MHD_add_response_header (resp, "Location", redirect_uri); | 1965 | // MHD_add_response_header (resp, "Location", redirect_uri); |
1916 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | 1966 | // handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); |
1917 | cleanup_handle (handle); | 1967 | // cleanup_handle (handle); |
1918 | GNUNET_free(relog_time); | 1968 | // GNUNET_free(relog_time); |
1919 | return; | 1969 | // return; |
1920 | } | 1970 | // } |
1921 | GNUNET_free(relog_time); | 1971 | // GNUNET_free(relog_time); |
1922 | } | 1972 | // } |
1923 | } | 1973 | // } |
1924 | 1974 | // | |
1925 | 1975 | // | |
1926 | // login redirection | 1976 | // // login redirection |
1927 | if ( GNUNET_OK | 1977 | // if ( GNUNET_OK |
1928 | == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin", | 1978 | // == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin", |
1929 | "address", &login_base_url) ) | 1979 | // "address", &login_base_url) ) |
1930 | { | 1980 | // { |
1931 | GNUNET_asprintf (&new_redirect, "%s?%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s", | 1981 | // GNUNET_asprintf (&new_redirect, "%s?%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s", |
1932 | login_base_url, | 1982 | // login_base_url, |
1933 | OIDC_RESPONSE_TYPE_KEY, | 1983 | // OIDC_RESPONSE_TYPE_KEY, |
1934 | response_type, | 1984 | // response_type, |
1935 | OIDC_CLIENT_ID_KEY, | 1985 | // OIDC_CLIENT_ID_KEY, |
1936 | client_id, | 1986 | // client_id, |
1937 | OIDC_REDIRECT_URI_KEY, | 1987 | // OIDC_REDIRECT_URI_KEY, |
1938 | redirect_uri, | 1988 | // redirect_uri, |
1939 | OIDC_SCOPE_KEY, | 1989 | // OIDC_SCOPE_KEY, |
1940 | scope, | 1990 | // scope, |
1941 | OIDC_STATE_KEY, | 1991 | // OIDC_STATE_KEY, |
1942 | (NULL == state) ? state : "", | 1992 | // (NULL == state) ? state : "", |
1943 | OIDC_NONCE_KEY, | 1993 | // OIDC_NONCE_KEY, |
1944 | (NULL == nonce) ? nonce : ""); | 1994 | // (NULL == nonce) ? nonce : ""); |
1945 | resp = GNUNET_REST_create_response (""); | 1995 | // resp = GNUNET_REST_create_response (""); |
1946 | MHD_add_response_header (resp, "Location", new_redirect); | 1996 | // MHD_add_response_header (resp, "Location", new_redirect); |
1947 | } | 1997 | // } |
1948 | else | 1998 | // else |
1949 | { | 1999 | // { |
1950 | handle->emsg = GNUNET_strdup("No server configuration"); | 2000 | // handle->emsg = GNUNET_strdup("No server configuration"); |
1951 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | 2001 | // handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; |
1952 | GNUNET_SCHEDULER_add_now (&do_error, handle); | 2002 | // GNUNET_SCHEDULER_add_now (&do_error, handle); |
1953 | return; | 2003 | // return; |
1954 | } | 2004 | // } |
1955 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | 2005 | // handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); |
1956 | cleanup_handle (handle); | 2006 | // cleanup_handle (handle); |
1957 | GNUNET_free(new_redirect); | 2007 | // GNUNET_free(new_redirect); |
1958 | return; | 2008 | // return; |
1959 | } | 2009 | //} |
1960 | 2010 | ||
1961 | 2011 | ||
1962 | /** | 2012 | /** |
@@ -1971,8 +2021,6 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1971 | const char* url, | 2021 | const char* url, |
1972 | void *cls) | 2022 | void *cls) |
1973 | { | 2023 | { |
1974 | |||
1975 | |||
1976 | struct MHD_Response *resp = GNUNET_REST_create_response (""); | 2024 | struct MHD_Response *resp = GNUNET_REST_create_response (""); |
1977 | struct RequestHandle *handle = cls; | 2025 | struct RequestHandle *handle = cls; |
1978 | struct GNUNET_HashCode cache_key; | 2026 | struct GNUNET_HashCode cache_key; |
@@ -1988,6 +2036,7 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1988 | GNUNET_asprintf (&cookie, "Identity=%s", json_string_value (identity)); | 2036 | GNUNET_asprintf (&cookie, "Identity=%s", json_string_value (identity)); |
1989 | 2037 | ||
1990 | GNUNET_CRYPTO_hash (cookie, strlen (cookie), &cache_key); | 2038 | GNUNET_CRYPTO_hash (cookie, strlen (cookie), &cache_key); |
2039 | |||
1991 | current_time = GNUNET_new(struct GNUNET_TIME_Absolute); | 2040 | current_time = GNUNET_new(struct GNUNET_TIME_Absolute); |
1992 | *current_time = GNUNET_TIME_relative_to_absolute ( | 2041 | *current_time = GNUNET_TIME_relative_to_absolute ( |
1993 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_minute_ (), | 2042 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_minute_ (), |
@@ -2004,7 +2053,7 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
2004 | } | 2053 | } |
2005 | GNUNET_free(cookie); | 2054 | GNUNET_free(cookie); |
2006 | json_decref (root); | 2055 | json_decref (root); |
2007 | cleanup_handle (handle); | 2056 | GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); |
2008 | return; | 2057 | return; |
2009 | } | 2058 | } |
2010 | 2059 | ||
@@ -2023,7 +2072,7 @@ init_cont (struct RequestHandle *handle) | |||
2023 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont}, | 2072 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont}, |
2024 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_get_cont}, | 2073 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_get_cont}, |
2025 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont}, | 2074 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont}, |
2026 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_post_cont}, | 2075 | // {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_post_cont}, |
2027 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont}, | 2076 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont}, |
2028 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont}, | 2077 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont}, |
2029 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER, | 2078 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER, |