Diffstat (limited to 'src/identity-provider')
-rw-r--r-- | src/identity-provider/logfile.txt | 73 | ||||
-rw-r--r-- | src/identity-provider/plugin_rest_identity_provider.c | 453 | ||||
-rw-r--r-- | src/identity-provider/test_idp.conf | 5 | ||||
-rw-r--r-- | src/identity-provider/vgcore.2692 | bin | 0 -> 72450048 bytes |
4 files changed, 524 insertions, 7 deletions
diff --git a/src/identity-provider/logfile.txt b/src/identity-provider/logfile.txt new file mode 100644 index 000000000..a59f2478a --- /dev/null +++ b/src/identity-provider/logfile.txt | |||
@@ -0,0 +1,73 @@ | |||
1 | *** Error in `/usr/local/lib//gnunet/libexec/gnunet-rest-server': free(): invalid pointer: 0x00007f9c415c9275 *** | ||
2 | *** Error in `/usr/local/lib//gnunet/libexec/gnunet-rest-server': free(): invalid pointer: 0x00007f0888c25275 *** | ||
3 | *** Error in `/usr/local/lib//gnunet/libexec/gnunet-rest-server': free(): invalid pointer: 0x00007f7dee65b275 *** | ||
4 | Nov 23 13:58:28-246065 gnunet-rest-server-26879 ERROR Error: (null) | ||
5 | Nov 23 13:58:46-677968 gnunet-rest-server-26879 ERROR Error: Missing openid scope | ||
6 | Nov 23 13:59:34-165447 gnunet-rest-server-26901 ERROR Error: Missing openid scope | ||
7 | Nov 23 14:04:07-545573 gnunet-rest-server-28097 ERROR Error: Response type is not code | ||
8 | Nov 23 14:53:06-102430 gnunet-rest-server-30299 ERROR Error: Missing openid scope | ||
9 | Nov 23 14:54:04-248567 gnunet-rest-server-30798 ERROR Error: Missing openid scope | ||
10 | Nov 23 14:56:12-809322 gnunet-rest-server-31914 ERROR Error: Missing openid scope | ||
11 | Nov 23 14:56:39-819194 gnunet-rest-server-31914 ERROR Error: Missing openid scope | ||
12 | Nov 23 14:58:38-889573 gnunet-rest-server-601 ERROR Error: Missing openid scope | ||
13 | Nov 30 11:59:42-727619 gnunet-rest-server-9307 ERROR (null)Nov 30 12:00:28-889186 gnunet-rest-server-9307 ERROR (null)Nov 30 12:01:56-950658 gnunet-rest-server-10445 ERROR con_handle: /idp/authorize | ||
14 | Nov 30 12:01:56-982304 gnunet-rest-server-10445 ERROR url: /idp/authorize | ||
15 | Nov 30 12:08:22-749785 gnunet-rest-server-11652 ERROR con_handle: /idp/authorize | ||
16 | Nov 30 12:08:22-782042 gnunet-rest-server-11652 ERROR url: /idp/authorize | ||
17 | Nov 30 12:39:51-816632 gnunet-rest-server-14500 ERROR url: /idp/authorize | ||
18 | Dec 04 09:51:02-313753 gnunet-rest-server-1974 ERROR No default ego configured in identity service | ||
19 | Dec 04 09:51:09-311601 gnunet-rest-server-1974 ERROR No default ego configured in identity service | ||
20 | Failed to send data in request for `/idp/attributes/testego'. | ||
21 | Dec 04 11:58:11-490711 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
22 | Failed to send data in request for `/idp/tickets/testego'. | ||
23 | Dec 04 11:58:11-508689 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
24 | Failed to send data in request for `/names/'. | ||
25 | Dec 04 11:58:11-511015 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
26 | Failed to send data in request for `/idp/tickets/testego'. | ||
27 | Dec 04 12:38:15-960444 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
28 | Failed to send data in request for `/names/'. | ||
29 | Dec 04 12:38:16-003695 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
30 | Failed to send data in request for `/idp/attributes/testego'. | ||
31 | Dec 04 12:38:16-021887 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
32 | Failed to send data in request for `/idp/tickets/testego'. | ||
33 | Dec 04 12:38:29-977580 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
34 | Failed to send data in request for `/names/'. | ||
35 | Dec 04 12:38:30-008002 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
36 | Failed to send data in request for `/idp/attributes/testego'. | ||
37 | Dec 04 12:38:30-036167 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
38 | Failed to send data in request for `/idp/attributes/testego'. | ||
39 | Dec 04 12:43:23-654462 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
40 | Failed to send data in request for `/idp/tickets/testego'. | ||
41 | Dec 04 12:43:23-655070 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
42 | Failed to send data in request for `/names/'. | ||
43 | Dec 04 12:43:23-665165 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1 | ||
44 | Failed to send data in request for `/idp/tickets/testego'. | ||
45 | Dec 04 13:06:56-306701 gnunet-rest-server-9599 ERROR MHD encountered error handling request: 1 | ||
46 | Failed to send data in request for `/idp/attributes/testego'. | ||
47 | Dec 04 13:06:56-326200 gnunet-rest-server-9599 ERROR MHD encountered error handling request: 1 | ||
48 | Failed to send data in request for `/names/'. | ||
49 | Dec 04 13:06:56-331741 gnunet-rest-server-9599 ERROR MHD encountered error handling request: 1 | ||
50 | Dec 04 13:09:56-080335 gnunet-rest-server-10794 ERROR URL (response_type=code) | ||
51 | Dec 04 13:12:49-565164 gnunet-rest-server-11931 ERROR URL (response_type=code) | ||
52 | Failed to send data in request for `/idp/tickets/testego'. | ||
53 | Dec 04 13:12:49-586734 gnunet-rest-server-11931 ERROR MHD encountered error handling request: 1 | ||
54 | Failed to send data in request for `/idp/attributes/testego'. | ||
55 | Dec 04 13:12:49-592627 gnunet-rest-server-11931 ERROR MHD encountered error handling request: 1 | ||
56 | Failed to send data in request for `/names/'. | ||
57 | Dec 04 13:12:49-601007 gnunet-rest-server-11931 ERROR MHD encountered error handling request: 1 | ||
58 | Dec 04 13:15:25-370395 gnunet-rest-server-13261 ERROR URL (acr_values=true) | ||
59 | Failed to send data in request for `/idp/tickets/testego'. | ||
60 | Dec 04 13:15:25-395382 gnunet-rest-server-13261 ERROR MHD encountered error handling request: 1 | ||
61 | Failed to send data in request for `/idp/attributes/testego'. | ||
62 | Dec 04 13:15:25-399622 gnunet-rest-server-13261 ERROR MHD encountered error handling request: 1 | ||
63 | Failed to send data in request for `/names/'. | ||
64 | Dec 04 13:15:25-408151 gnunet-rest-server-13261 ERROR MHD encountered error handling request: 1 | ||
65 | Dec 04 13:36:24-427812 gnunet-rest-server-15336 ERROR URL (?response_type=code&client_id=test&scope=openid email&redirect_uri=https://google.com&nonce=11111&ui_locales=test&) | ||
66 | Failed to send data in request for `/idp/tickets/testego'. | ||
67 | Dec 04 13:36:24-450636 gnunet-rest-server-15336 ERROR MHD encountered error handling request: 1 | ||
68 | Failed to send data in request for `/idp/attributes/testego'. | ||
69 | Dec 04 13:36:24-456164 gnunet-rest-server-15336 ERROR MHD encountered error handling request: 1 | ||
70 | Failed to send data in request for `/names/'. | ||
71 | Dec 04 13:36:24-461431 gnunet-rest-server-15336 ERROR MHD encountered error handling request: 1 | ||
72 | Dec 04 13:39:02-052691 gnunet-rest-server-16482 ERROR URL (?response_type=code&client_id=test&scope=openid email&redirect_uri=https://google.com&nonce=1111&ui_locales=test&acr_values=true) | ||
73 | Dec 04 15:27:43-226881 gnunet-rest-server-16482 ERROR URL (?response_type=code&client_id=test&scope=openid email&redirect_uri=https://google.com&nonce=11111&ui_locales=test&acr_values=true) | ||
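Review bot: `logfile.txt` and the 72 MB `vgcore.2692` core dump (the last file section on this page) are committed alongside the code change and look like local debugging leftovers rather than part of the feature. A core dump is a full memory image of the running gnunet-rest-server process and can contain request bodies, cookies and whatever private data the process had loaded, so it should not live in the repository at all, and the log file carries nothing a reader of the code needs. Drop both files from the commit and add `vgcore.*` and the log file name to the ignore list so they do not come back.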
diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index 6eb856435..1aa1f818d 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c | |||
@@ -66,6 +66,16 @@ | |||
66 | #define GNUNET_REST_API_NS_IDENTITY_CONSUME "/idp/consume" | 66 | #define GNUNET_REST_API_NS_IDENTITY_CONSUME "/idp/consume" |
67 | 67 | ||
68 | /** | 68 | /** |
69 | * Authorize namespace | ||
70 | */ | ||
71 | #define GNUNET_REST_API_NS_AUTHORIZE "/idp/authorize" | ||
72 | |||
73 | /** | ||
74 | * Login namespace | ||
75 | */ | ||
76 | #define GNUNET_REST_API_NS_LOGIN "/idp/login" | ||
77 | |||
78 | /** | ||
69 | * Attribute key | 79 | * Attribute key |
70 | */ | 80 | */ |
71 | #define GNUNET_REST_JSONAPI_IDENTITY_ATTRIBUTE "attribute" | 81 | #define GNUNET_REST_JSONAPI_IDENTITY_ATTRIBUTE "attribute" |
@@ -91,6 +101,76 @@ | |||
91 | */ | 101 | */ |
92 | #define ID_REST_STATE_POST_INIT 1 | 102 | #define ID_REST_STATE_POST_INIT 1 |
93 | 103 | ||
104 | /** | ||
105 | * OIDC response_type key | ||
106 | */ | ||
107 | #define OIDC_RESPONSE_TYPE_KEY "response_type" | ||
108 | |||
109 | /** | ||
110 | * OIDC client_id key | ||
111 | */ | ||
112 | #define OIDC_CLIENT_ID_KEY "client_id" | ||
113 | |||
114 | /** | ||
115 | * OIDC scope key | ||
116 | */ | ||
117 | #define OIDC_SCOPE_KEY "scope" | ||
118 | |||
119 | /** | ||
120 | * OIDC redirect_uri key | ||
121 | */ | ||
122 | #define OIDC_REDIRECT_URI_KEY "redirect_uri" | ||
123 | |||
124 | /** | ||
125 | * OIDC state key | ||
126 | */ | ||
127 | #define OIDC_STATE_KEY "state" | ||
128 | |||
129 | /** | ||
130 | * OIDC nonce key | ||
131 | */ | ||
132 | #define OIDC_NONCE_KEY "nonce" | ||
133 | |||
134 | /** | ||
135 | * OIDC cookie header key | ||
136 | */ | ||
137 | #define OIDC_COOKIE_HEADER_KEY "Cookie" | ||
138 | |||
139 | /** | ||
140 | * OIDC cookie header information key | ||
141 | */ | ||
142 | #define OIDC_COOKIE_HEADER_INFORMATION_KEY "Identity=" | ||
143 | |||
144 | /** | ||
145 | * OIDC expected response_type while authorizing | ||
146 | */ | ||
147 | #define OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE "code" | ||
148 | |||
149 | /** | ||
150 | * OIDC expected scope part while authorizing | ||
151 | */ | ||
152 | #define OIDC_EXPECTED_AUTHORIZATION_SCOPE "openid" | ||
153 | |||
154 | |||
155 | /** | ||
156 | * OIDC ignored parameter array | ||
157 | */ | ||
158 | char* OIDC_ignored_parameter_array [] = | ||
159 | { | ||
160 | "display", | ||
161 | "prompt", | ||
162 | "max_age", | ||
163 | "ui_locales", | ||
164 | "response_mode", | ||
165 | "id_token_hint", | ||
166 | "login_hint", | ||
167 | "acr_values" | ||
168 | }; | ||
169 | |||
170 | /** | ||
171 | * OIDC authorized identities and times hashmap | ||
172 | */ | ||
173 | struct GNUNET_CONTAINER_MultiHashMap *OIDC_authorized_identities; | ||
94 | 174 | ||
95 | /** | 175 | /** |
96 | * The configuration handle | 176 | * The configuration handle |
@@ -236,6 +316,16 @@ struct RequestHandle | |||
236 | char *emsg; | 316 | char *emsg; |
237 | 317 | ||
238 | /** | 318 | /** |
319 | * Error response uri | ||
320 | */ | ||
321 | char *eredirect; | ||
322 | |||
323 | /** | ||
324 | * Error response description | ||
325 | */ | ||
326 | char *edesc; | ||
327 | |||
328 | /** | ||
239 | * Reponse code | 329 | * Reponse code |
240 | */ | 330 | */ |
241 | int response_code; | 331 | int response_code; |
@@ -308,7 +398,7 @@ do_error (void *cls) | |||
308 | char *json_error; | 398 | char *json_error; |
309 | 399 | ||
310 | GNUNET_asprintf (&json_error, | 400 | GNUNET_asprintf (&json_error, |
311 | "{Error while processing request: %s}", | 401 | "{error : %s}", |
312 | handle->emsg); | 402 | handle->emsg); |
313 | resp = GNUNET_REST_create_response (json_error); | 403 | resp = GNUNET_REST_create_response (json_error); |
314 | handle->proc (handle->proc_cls, resp, handle->response_code); | 404 | handle->proc (handle->proc_cls, resp, handle->response_code); |
@@ -317,6 +407,28 @@ do_error (void *cls) | |||
317 | } | 407 | } |
318 | 408 | ||
319 | /** | 409 | /** |
410 | * Task run on error, sends error message. Cleans up everything. | ||
411 | * | ||
412 | * @param cls the `struct RequestHandle` | ||
413 | */ | ||
414 | static void | ||
415 | do_redirect_error (void *cls) | ||
416 | { | ||
417 | struct RequestHandle *handle = cls; | ||
418 | struct MHD_Response *resp; | ||
419 | char* redirect; | ||
420 | //TODO handle->url is wrong | ||
421 | GNUNET_asprintf (&redirect, | ||
422 | "%s?error=%s&error_description=%s", | ||
423 | handle->eredirect, handle->emsg, handle->edesc ); | ||
424 | resp = GNUNET_REST_create_response (""); | ||
425 | MHD_add_response_header (resp, "Location", redirect); | ||
426 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | ||
427 | cleanup_handle (handle); | ||
428 | GNUNET_free (redirect); | ||
429 | } | ||
430 | |||
431 | /** | ||
320 | * Task run on timeout, sends error message. Cleans up everything. | 432 | * Task run on timeout, sends error message. Cleans up everything. |
321 | * | 433 | * |
322 | * @param cls the `struct RequestHandle` | 434 | * @param cls the `struct RequestHandle` |
@@ -793,10 +905,10 @@ revoke_ticket_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
793 | strlen (rnd_str), | 905 | strlen (rnd_str), |
794 | &ticket.rnd, | 906 | &ticket.rnd, |
795 | sizeof (uint64_t)); | 907 | sizeof (uint64_t)); |
796 | GNUNET_STRINGS_string_to_data (identity_str, | 908 | // GNUNET_STRINGS_string_to_data (identity_str, |
797 | strlen (identity_str), | 909 | // strlen (identity_str), |
798 | &ticket.identity, | 910 | // &ticket.identity,type filter text |
799 | sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); | 911 | // sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); |
800 | GNUNET_STRINGS_string_to_data (audience_str, | 912 | GNUNET_STRINGS_string_to_data (audience_str, |
801 | strlen (audience_str), | 913 | strlen (audience_str), |
802 | &ticket.audience, | 914 | &ticket.audience, |
@@ -1013,6 +1125,328 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle, | |||
1013 | } | 1125 | } |
1014 | 1126 | ||
1015 | /** | 1127 | /** |
1128 | * Respond to OPTIONS request | ||
1129 | * | ||
1130 | * @param con_handle the connection handle | ||
1131 | * @param url the url | ||
1132 | * @param cls the RequestHandle | ||
1133 | */ | ||
1134 | static void | ||
1135 | authorize_cont (struct GNUNET_REST_RequestHandle *con_handle, | ||
1136 | const char* url, | ||
1137 | void *cls) | ||
1138 | { | ||
1139 | struct MHD_Response *resp; | ||
1140 | struct RequestHandle *handle = cls; | ||
1141 | char *response_type; | ||
1142 | char *client_id; | ||
1143 | char *scope; | ||
1144 | char *redirect_uri; | ||
1145 | char *state = NULL; | ||
1146 | char *nonce = NULL; | ||
1147 | struct GNUNET_TIME_Absolute current_time, *relog_time; | ||
1148 | char *login_base_url, *new_redirect; | ||
1149 | struct GNUNET_HashCode cache_key; | ||
1150 | |||
1151 | //TODO clean up method | ||
1152 | |||
1153 | /** The Authorization Server MUST validate all the OAuth 2.0 parameters | ||
1154 | * according to the OAuth 2.0 specification. | ||
1155 | */ | ||
1156 | /** | ||
1157 | * If the sub (subject) Claim is requested with a specific value for the | ||
1158 | * ID Token, the Authorization Server MUST only send a positive response | ||
1159 | * if the End-User identified by that sub value has an active session with | ||
1160 | * the Authorization Server or has been Authenticated as a result of the | ||
1161 | * request. The Authorization Server MUST NOT reply with an ID Token or | ||
1162 | * Access Token for a different user, even if they have an active session | ||
1163 | * with the Authorization Server. Such a request can be made either using | ||
1164 | * an id_token_hint parameter or by requesting a specific Claim Value as | ||
1165 | * described in Section 5.5.1, if the claims parameter is supported by | ||
1166 | * the implementation. | ||
1167 | */ | ||
1168 | |||
1169 | |||
1170 | |||
1171 | // REQUIRED value: client_id | ||
1172 | GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY), | ||
1173 | &cache_key); | ||
1174 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1175 | &cache_key)) | ||
1176 | { | ||
1177 | handle->emsg=GNUNET_strdup("invalid_request"); | ||
1178 | handle->edesc=GNUNET_strdup("Missing parameter: client_id"); | ||
1179 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1180 | return; | ||
1181 | } | ||
1182 | client_id = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1183 | &cache_key); | ||
1184 | struct GNUNET_CRYPTO_EcdsaPublicKey pubkey; | ||
1185 | GNUNET_CRYPTO_ecdsa_public_key_from_string(client_id, | ||
1186 | strlen (client_id), | ||
1187 | &pubkey); | ||
1188 | // GNUNET_NAMESTORE_zone_to_name(); | ||
1189 | // Checks if client_id is valid: | ||
1190 | // TODO use GNUNET_NAMESTORE_zone_to_name() function to verify that a delegation to the client_id exists | ||
1191 | // TODO change check (lookup trusted public_key?) | ||
1192 | // if( strcmp( client_id, "localhost" ) != 0 ) | ||
1193 | // { | ||
1194 | // handle->emsg=GNUNET_strdup("unauthorized_client"); | ||
1195 | // handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | ||
1196 | // GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1197 | // return; | ||
1198 | // } | ||
1199 | |||
1200 | // REQUIRED value: redirect_uri | ||
1201 | // TODO verify the redirect uri matches https://<client_id>.zkey[/xyz] | ||
1202 | GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), | ||
1203 | &cache_key); | ||
1204 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1205 | &cache_key)) | ||
1206 | { | ||
1207 | handle->emsg=GNUNET_strdup("invalid_request"); | ||
1208 | handle->edesc=GNUNET_strdup("Missing parameter: redirect_uri"); | ||
1209 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1210 | return; | ||
1211 | } | ||
1212 | redirect_uri = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1213 | &cache_key); | ||
1214 | |||
1215 | // verify the redirect uri matches https://<client_id>.zkey[/xyz] | ||
1216 | // TODO change check (check client_id->public key == address) | ||
1217 | // if( strcmp( redirect_uri, "https://localhost:8000" ) != 0 ) | ||
1218 | // { | ||
1219 | // handle->emsg=GNUNET_strdup("invalid_request"); | ||
1220 | // handle->edesc=GNUNET_strdup("Invalid or mismatching redirect_uri"); | ||
1221 | // GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1222 | // return; | ||
1223 | // } | ||
1224 | handle->eredirect = GNUNET_strdup(redirect_uri); | ||
1225 | |||
1226 | // REQUIRED value: response_type | ||
1227 | GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY), | ||
1228 | &cache_key); | ||
1229 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1230 | &cache_key)) | ||
1231 | { | ||
1232 | handle->emsg=GNUNET_strdup("invalid_request"); | ||
1233 | handle->edesc=GNUNET_strdup("Missing parameter: response_type"); | ||
1234 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
1235 | return; | ||
1236 | } | ||
1237 | response_type = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1238 | &cache_key); | ||
1239 | |||
1240 | // REQUIRED value: scope | ||
1241 | GNUNET_CRYPTO_hash (OIDC_SCOPE_KEY, strlen (OIDC_SCOPE_KEY), &cache_key); | ||
1242 | if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1243 | &cache_key)) | ||
1244 | { | ||
1245 | handle->emsg=GNUNET_strdup("invalid_request"); | ||
1246 | handle->edesc=GNUNET_strdup("Missing parameter: scope"); | ||
1247 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
1248 | return; | ||
1249 | } | ||
1250 | scope = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1251 | &cache_key); | ||
1252 | |||
1253 | //RECOMMENDED value: state | ||
1254 | GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key); | ||
1255 | if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1256 | &cache_key)) | ||
1257 | { | ||
1258 | state = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1259 | &cache_key); | ||
1260 | } | ||
1261 | |||
1262 | //OPTIONAL value: nonce | ||
1263 | GNUNET_CRYPTO_hash (OIDC_NONCE_KEY, strlen (OIDC_NONCE_KEY), &cache_key); | ||
1264 | if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, | ||
1265 | &cache_key)) | ||
1266 | { | ||
1267 | nonce = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, | ||
1268 | &cache_key); | ||
1269 | } | ||
1270 | |||
1271 | int number_of_ignored_parameter = sizeof(OIDC_ignored_parameter_array) / sizeof(char *); | ||
1272 | int iterator; | ||
1273 | for( iterator = 0; iterator < number_of_ignored_parameter; iterator++ ) | ||
1274 | { | ||
1275 | GNUNET_CRYPTO_hash (OIDC_ignored_parameter_array[iterator], | ||
1276 | strlen(OIDC_ignored_parameter_array[iterator]), | ||
1277 | &cache_key); | ||
1278 | if(GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains(handle->rest_handle->url_param_map, | ||
1279 | &cache_key)) | ||
1280 | { | ||
1281 | handle->emsg=GNUNET_strdup("access_denied"); | ||
1282 | //TODO rewrite error description | ||
1283 | handle->edesc=GNUNET_strdup("Server will not handle parameter"); | ||
1284 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
1285 | return; | ||
1286 | } | ||
1287 | } | ||
1288 | |||
1289 | // Checks if response_type is 'code' | ||
1290 | if( strcmp( response_type, OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE ) != 0 ) | ||
1291 | { | ||
1292 | handle->emsg=GNUNET_strdup("unsupported_response_type"); | ||
1293 | handle->edesc=GNUNET_strdup("The authorization server does not support " | ||
1294 | "obtaining this authorization code."); | ||
1295 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
1296 | return; | ||
1297 | } | ||
1298 | // Checks if scope contains 'openid' | ||
1299 | if( strstr( scope, OIDC_EXPECTED_AUTHORIZATION_SCOPE ) == NULL ) | ||
1300 | { | ||
1301 | handle->emsg=GNUNET_strdup("invalid_scope"); | ||
1302 | handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or " | ||
1303 | "malformed."); | ||
1304 | GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); | ||
1305 | return; | ||
1306 | } | ||
1307 | |||
1308 | |||
1309 | //TODO check other values and use them accordingly | ||
1310 | |||
1311 | |||
1312 | GNUNET_CRYPTO_hash (OIDC_COOKIE_HEADER_KEY, strlen (OIDC_COOKIE_HEADER_KEY), | ||
1313 | &cache_key); | ||
1314 | //No identity-cookie -> redirect to login | ||
1315 | if ( GNUNET_YES | ||
1316 | == GNUNET_CONTAINER_multihashmap_contains (con_handle->header_param_map, | ||
1317 | &cache_key) ) | ||
1318 | { | ||
1319 | //split cookies and find 'Identity' cookie | ||
1320 | char* cookies = GNUNET_CONTAINER_multihashmap_get ( | ||
1321 | con_handle->header_param_map, &cache_key); | ||
1322 | char delimiter[] = "; "; | ||
1323 | char *identity_cookie; | ||
1324 | identity_cookie = strtok(cookies, delimiter); | ||
1325 | |||
1326 | while(identity_cookie != NULL) | ||
1327 | { | ||
1328 | if(strstr( identity_cookie, OIDC_COOKIE_HEADER_INFORMATION_KEY ) != NULL) | ||
1329 | { | ||
1330 | break; | ||
1331 | } | ||
1332 | identity_cookie = strtok(NULL, delimiter); | ||
1333 | } | ||
1334 | GNUNET_CRYPTO_hash (identity_cookie, strlen (identity_cookie), &cache_key); | ||
1335 | |||
1336 | //No login time for identity -> redirect to login | ||
1337 | if ( GNUNET_YES | ||
1338 | == GNUNET_CONTAINER_multihashmap_contains (OIDC_authorized_identities, | ||
1339 | &cache_key) ) | ||
1340 | { | ||
1341 | relog_time = GNUNET_CONTAINER_multihashmap_get ( | ||
1342 | OIDC_authorized_identities, &cache_key); | ||
1343 | |||
1344 | current_time = GNUNET_TIME_absolute_get(); | ||
1345 | |||
1346 | GNUNET_CONTAINER_multihashmap_remove_all(OIDC_authorized_identities, &cache_key); | ||
1347 | // 30 min after old login -> redirect to login | ||
1348 | if ( current_time.abs_value_us <= relog_time->abs_value_us ) | ||
1349 | { | ||
1350 | resp = GNUNET_REST_create_response (""); | ||
1351 | // code = struct GNUNET_IDENTITY_PROVIDER_Ticket | ||
1352 | GNUNET_IDENTITY_PROVIDER_t | ||
1353 | MHD_add_response_header (resp, "Location", redirect_uri); | ||
1354 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | ||
1355 | cleanup_handle (handle); | ||
1356 | GNUNET_free(relog_time); | ||
1357 | return; | ||
1358 | } | ||
1359 | GNUNET_free(relog_time); | ||
1360 | } | ||
1361 | } | ||
1362 | |||
1363 | |||
1364 | // login redirection | ||
1365 | if ( GNUNET_OK | ||
1366 | == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin", | ||
1367 | "address", &login_base_url) ) | ||
1368 | { | ||
1369 | GNUNET_asprintf (&new_redirect, "%s?%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s", | ||
1370 | login_base_url, | ||
1371 | OIDC_RESPONSE_TYPE_KEY, | ||
1372 | response_type, | ||
1373 | OIDC_CLIENT_ID_KEY, | ||
1374 | client_id, | ||
1375 | OIDC_REDIRECT_URI_KEY, | ||
1376 | redirect_uri, | ||
1377 | OIDC_SCOPE_KEY, | ||
1378 | scope, | ||
1379 | OIDC_STATE_KEY, | ||
1380 | (NULL == state) ? state : "", | ||
1381 | OIDC_NONCE_KEY, | ||
1382 | (NULL == nonce) ? nonce : ""); | ||
1383 | resp = GNUNET_REST_create_response (""); | ||
1384 | MHD_add_response_header (resp, "Location", new_redirect); | ||
1385 | } | ||
1386 | else | ||
1387 | { | ||
1388 | handle->emsg = GNUNET_strdup("No server configuration"); | ||
1389 | handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; | ||
1390 | GNUNET_SCHEDULER_add_now (&do_error, handle); | ||
1391 | return; | ||
1392 | } | ||
1393 | handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); | ||
1394 | cleanup_handle (handle); | ||
1395 | GNUNET_free(new_redirect); | ||
1396 | return; | ||
1397 | } | ||
1398 | |||
1399 | |||
1400 | /** | ||
1401 | * Combines an identity with a login time and responds OK to login request | ||
1402 | * | ||
1403 | * @param con_handle the connection handle | ||
1404 | * @param url the url | ||
1405 | * @param cls the RequestHandle | ||
1406 | */ | ||
1407 | static void | ||
1408 | login_cont (struct GNUNET_REST_RequestHandle *con_handle, | ||
1409 | const char* url, | ||
1410 | void *cls) | ||
1411 | { | ||
1412 | |||
1413 | |||
1414 | struct MHD_Response *resp = GNUNET_REST_create_response (""); | ||
1415 | struct RequestHandle *handle = cls; | ||
1416 | struct GNUNET_HashCode cache_key; | ||
1417 | struct GNUNET_TIME_Absolute *current_time; | ||
1418 | char* cookie; | ||
1419 | json_t *root; | ||
1420 | json_error_t error; | ||
1421 | json_t *identity; | ||
1422 | root = json_loads (handle->rest_handle->data, 0, &error); | ||
1423 | identity = json_object_get (root, "identity"); | ||
1424 | if ( json_is_string(identity) ) | ||
1425 | { | ||
1426 | GNUNET_asprintf (&cookie, "Identity=%s", json_string_value (identity)); | ||
1427 | |||
1428 | GNUNET_CRYPTO_hash (cookie, strlen (cookie), &cache_key); | ||
1429 | current_time = GNUNET_new(struct GNUNET_TIME_Absolute); | ||
1430 | *current_time = GNUNET_TIME_relative_to_absolute ( | ||
1431 | GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_minute_ (), | ||
1432 | 30)); | ||
1433 | GNUNET_CONTAINER_multihashmap_put ( | ||
1434 | OIDC_authorized_identities, &cache_key, current_time, | ||
1435 | GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE); | ||
1436 | |||
1437 | handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); | ||
1438 | } | ||
1439 | else | ||
1440 | { | ||
1441 | handle->proc (handle->proc_cls, resp, MHD_HTTP_BAD_REQUEST); | ||
1442 | } | ||
1443 | GNUNET_free(cookie); | ||
1444 | json_decref (root); | ||
1445 | cleanup_handle (handle); | ||
1446 | return; | ||
1447 | } | ||
1448 | |||
1449 | /** | ||
1016 | * Handle rest request | 1450 | * Handle rest request |
1017 | * | 1451 | * |
1018 | * @param handle the request handle | 1452 | * @param handle the request handle |
@@ -1025,6 +1459,9 @@ init_cont (struct RequestHandle *handle) | |||
1025 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont}, | 1459 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont}, |
1026 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont}, | 1460 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont}, |
1027 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont}, | 1461 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont}, |
1462 | {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont}, | ||
1463 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont}, | ||
1464 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont}, | ||
1028 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont}, | 1465 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont}, |
1029 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont}, | 1466 | {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont}, |
1030 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER, | 1467 | {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER, |
@@ -1109,7 +1546,11 @@ rest_identity_process_request(struct GNUNET_REST_RequestHandle *rest_handle, | |||
1109 | void *proc_cls) | 1546 | void *proc_cls) |
1110 | { | 1547 | { |
1111 | struct RequestHandle *handle = GNUNET_new (struct RequestHandle); | 1548 | struct RequestHandle *handle = GNUNET_new (struct RequestHandle); |
1112 | 1549 | if ( NULL == OIDC_authorized_identities ) | |
1550 | { | ||
1551 | OIDC_authorized_identities = GNUNET_CONTAINER_multihashmap_create (10, | ||
1552 | GNUNET_NO); | ||
1553 | } | ||
1113 | handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL; | 1554 | handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL; |
1114 | handle->proc_cls = proc_cls; | 1555 | handle->proc_cls = proc_cls; |
1115 | handle->proc = proc; | 1556 | handle->proc = proc; |
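Review bot: `handle->eredirect = GNUNET_strdup(redirect_uri);` at new line 1224 stores the client-supplied redirect_uri before anything has validated it (the comparison that would, 1215–1223, is commented out), and every later `do_redirect_error` then answers 302 with a Location built from that value and with `emsg`/`edesc` pasted in without URL-encoding, so until the client_id/redirect_uri binding is implemented the error path is an open redirect; while that check is still a TODO the missing-parameter and unsupported_response_type branches should fall back to `do_error`, and the two strings need encoding once the redirect is enabled. The ternaries at 1380 and 1382 are inverted — `(NULL == state) ? state : ""` hands NULL to `%s` exactly when state is absent — and should read `(NULL == state) ? "" : state` and `(NULL == nonce) ? "" : nonce`; the stray `GNUNET_IDENTITY_PROVIDER_t` token at 1352 will not compile as written. In the cookie branch `identity_cookie` is NULL after the `strtok` loop when no `Identity=` cookie is present, so `GNUNET_CRYPTO_hash (identity_cookie, strlen (identity_cookie), &cache_key);` at 1334 dereferences NULL; guard with `if (NULL == identity_cookie)` before hashing, and note that `strtok` also writes into the header value stored in `header_param_map`. In `login_cont`, `cookie` is assigned only inside the `json_is_string` branch yet `GNUNET_free(cookie)` at 1443 runs unconditionally, so the bad-request path frees an uninitialised pointer (the `free(): invalid pointer` lines in the committed logfile look consistent with this); initialise `char* cookie = NULL;`, and check `root` for NULL after `json_loads` before calling `json_object_get`. `login_cont` also marks an identity as logged in on the strength of nothing but a string in the POST body, so whatever is meant to authenticate the End-User must run before `OIDC_authorized_identities` is updated, otherwise the cookie check in `authorize_cont` grants access to any name a caller chooses.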
diff --git a/src/identity-provider/test_idp.conf b/src/identity-provider/test_idp.conf index 2b76c7bf2..95111df3e 100644 --- a/src/identity-provider/test_idp.conf +++ b/src/identity-provider/test_idp.conf | |||
@@ -8,7 +8,7 @@ AUTOSTART = YES | |||
8 | 8 | ||
9 | [rest] | 9 | [rest] |
10 | AUTOSTART = YES | 10 | AUTOSTART = YES |
11 | #PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=/tmp/restlog | 11 | PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=/tmp/restlog |
12 | 12 | ||
13 | [transport] | 13 | [transport] |
14 | PLUGINS = | 14 | PLUGINS = |
@@ -26,3 +26,6 @@ DEFAULT_LOOKUP_TIMEOUT = 15 s | |||
26 | RECORD_PUT_INTERVAL = 1 h | 26 | RECORD_PUT_INTERVAL = 1 h |
27 | ZONE_PUBLISH_TIME_WINDOW = 1 h | 27 | ZONE_PUBLISH_TIME_WINDOW = 1 h |
28 | DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0 | 28 | DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0 |
29 | |||
30 | [identity-rest-plugin] | ||
31 | address = http://localhost:8000/#/identities \ No newline at end of file | ||
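Review bot: Uncommenting `PREFIX = valgrind --leak-check=full --track-origins=yes --log-file=/tmp/restlog` at line 11 makes every run of the rest service in this test configuration go through valgrind and write to a fixed path in /tmp, which reads as local debugging state rather than an intended change (the committed vgcore.2692 points the same way); keep it commented out in the shared config. The new `[identity-rest-plugin] address` value is read by `authorize_cont` as the base of the login redirect and the OIDC query string is appended directly to it, so a one-line comment above it such as `# base URL of the login page; authorize_cont appends the OIDC parameters as a query string` would spare the next reader a trip into the plugin source.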
diff --git a/src/identity-provider/vgcore.2692 b/src/identity-provider/vgcore.2692 new file mode 100644 index 000000000..d5691a6f6 --- /dev/null +++ b/src/identity-provider/vgcore.2692 | |||
Binary files differ | |||