[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnunet] branch master updated (b81feeba2 -> 0f495e52f)
|
From: |
gnunet |
|
Subject: |
[GNUnet-SVN] [gnunet] branch master updated (b81feeba2 -> 0f495e52f) |
|
Date: |
Thu, 01 Mar 2018 17:52:47 +0100 |
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a change to branch master
in repository gnunet.
from b81feeba2 fixed inverted greater-than less-than
new 2363773d8 -token endpoint fix wip
new 699ff34b7 -Merge branch 'master' into identity_oidc
new 5af7ba146 -fix userinfo_endpoint
new 5b57bdd1d Merge branch 'identity_oidc'
new 0f495e52f -fixes
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
src/gns/gnunet-gns-proxy.c | 2 +
src/identity-provider/identity-provider.conf | 6 +
.../plugin_rest_identity_provider.c | 573 ++++++++++++---------
src/rest/gnunet-rest-server.c | 25 +-
src/rest/rest.conf | 1 +
5 files changed, 371 insertions(+), 236 deletions(-)
diff --git a/src/gns/gnunet-gns-proxy.c b/src/gns/gnunet-gns-proxy.c
index 591dff04f..ba162c5e3 100644
--- a/src/gns/gnunet-gns-proxy.c
+++ b/src/gns/gnunet-gns-proxy.c
@@ -2246,6 +2246,8 @@ generate_gns_certificate (const char *name)
sizeof (serial));
etime = time (NULL);
tm_data = localtime (&etime);
+ tm_data->tm_hour--;
+ etime = mktime(tm_data);
gnutls_x509_crt_set_activation_time (request,
etime);
tm_data->tm_year++;
diff --git a/src/identity-provider/identity-provider.conf
b/src/identity-provider/identity-provider.conf
index 7ee5e50d8..b78af3553 100644
--- a/src/identity-provider/identity-provider.conf
+++ b/src/identity-provider/identity-provider.conf
@@ -12,5 +12,11 @@ UNIX_MATCH_GID = YES
TOKEN_EXPIRATION_INTERVAL = 30 m
DATABASE = sqlite
+[identity-rest-plugin]
+#ADDRESS = https://identity.gnu:8000#/login
+ADDRESS = https://identity.gnu/ui/#/login
+PSW = secret
+EXPIRATION_TIME = 3600
+
[identity-provider-sqlite]
FILENAME = $GNUNET_DATA_HOME/identity-provider/sqlite.db
diff --git a/src/identity-provider/plugin_rest_identity_provider.c
b/src/identity-provider/plugin_rest_identity_provider.c
index 033c6e4ba..3f9279d5c 100644
--- a/src/identity-provider/plugin_rest_identity_provider.c
+++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -19,6 +19,7 @@
*/
/**
* @author Martin Schanzenbach
+ * @author Philippe Buschmann
* @file identity/plugin_rest_identity.c
* @brief GNUnet Namestore REST plugin
*
@@ -234,6 +235,7 @@ struct Plugin
{
const struct GNUNET_CONFIGURATION_Handle *cfg;
};
+
/**
* OIDC needed variables
*/
@@ -377,6 +379,11 @@ struct RequestHandle
struct GNUNET_IDENTITY_PROVIDER_TicketIterator *ticket_it;
/**
+ * A ticket
+ */
+ struct GNUNET_IDENTITY_PROVIDER_Ticket ticket;
+
+ /**
* Desired timeout for the lookup (default is no timeout).
*/
struct GNUNET_TIME_Relative timeout;
@@ -546,7 +553,8 @@ do_error (void *cls)
/**
- * Task run on error, sends error message. Cleans up everything.
+ * Task run on error in userinfo endpoint, sends error header. Cleans up
+ * everything
*
* @param cls the `struct RequestHandle`
*/
@@ -569,7 +577,7 @@ do_userinfo_error (void *cls)
/**
- * Task run on error, sends error message. Cleans up everything.
+ * Task run on error, sends error message and redirects. Cleans up everything.
*
* @param cls the `struct RequestHandle`
*/
@@ -673,6 +681,12 @@ return_userinfo_response (void *cls)
cleanup_handle (handle);
}
+/**
+ * Returns base64 encoded string without padding
+ *
+ * @param string the string to encode
+ * @return base64 encoded string
+ */
static char*
base_64_encode(char *string)
{
@@ -1328,13 +1342,13 @@ options_cont (struct GNUNET_REST_RequestHandle
*con_handle,
}
/**
- * Cookie interpretation
+ * Interprets cookie header and pass its identity keystring to handle
*/
static void
cookie_identity_interpretation (struct RequestHandle *handle)
{
struct GNUNET_HashCode cache_key;
- char* cookies;
+ char *cookies;
struct GNUNET_TIME_Absolute current_time, *relog_time;
char delimiter[] = "; ";
@@ -1378,7 +1392,7 @@ cookie_identity_interpretation (struct RequestHandle
*handle)
}
/**
- * Login redirection
+ * Redirects to login page stored in configuration file
*/
static void
login_redirection(void *cls)
@@ -1424,7 +1438,7 @@ login_redirection(void *cls)
}
/**
- * Function called if we had an error in zone-to-name mapping.
+ * Does internal server error when iteration failed.
*/
static void
oidc_iteration_error (void *cls)
@@ -1435,9 +1449,11 @@ oidc_iteration_error (void *cls)
GNUNET_SCHEDULER_add_now (&do_error, handle);
}
-static void
-oidc_ticket_issue_cb (void* cls,
- const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket)
+static void get_client_name_result (void *cls,
+ const struct GNUNET_CRYPTO_EcdsaPrivateKey
*zone,
+ const char *label,
+ unsigned int rd_count,
+ const struct GNUNET_GNSRECORD_Data *rd)
{
struct RequestHandle *handle = cls;
struct MHD_Response *resp;
@@ -1445,29 +1461,67 @@ oidc_ticket_issue_cb (void* cls,
char *redirect_uri;
char *code_json_string;
char *code_base64_final_string;
- handle->idp_op = NULL;
+ char *redirect_path;
+ char *tmp;
+ ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket,
+ sizeof (struct
GNUNET_IDENTITY_PROVIDER_Ticket));
+ //TODO change if more attributes are needed (see max_age)
+ GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}",
+ ticket_str,
+ (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "",
+ (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "",
+ (NULL != handle->oidc->nonce) ? "\"" : "");
+ code_base64_final_string = base_64_encode(code_json_string);
+ tmp = GNUNET_strdup (handle->oidc->redirect_uri);
+ redirect_path = strtok (tmp, "/");
+ redirect_path = strtok (NULL, "/");
+ redirect_path = strtok (NULL, "/");
+ GNUNET_asprintf (&redirect_uri, "https://%s.gnu/%s?%s=%s&state=%s";,
+ label,
+ redirect_path,
+ handle->oidc->response_type,
+ code_base64_final_string, handle->oidc->state);
resp = GNUNET_REST_create_response ("");
+ MHD_add_response_header (resp, "Location", redirect_uri);
+ handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+ GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle);
+ GNUNET_free (tmp);
+ GNUNET_free (redirect_uri);
+ GNUNET_free (ticket_str);
+ GNUNET_free (code_json_string);
+ GNUNET_free (code_base64_final_string);
+ return;
+}
+
+static void
+get_client_name_error (void *cls)
+{
+ struct RequestHandle *handle = cls;
+
+ handle->emsg = GNUNET_strdup("server_error");
+ handle->edesc = GNUNET_strdup("Server cannot generate ticket, no name found
for client.");
+ GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
+}
+
+/**
+ * Issues ticket and redirects to relying party with the authorization code as
+ * parameter. Otherwise redirects with error
+ */
+static void
+oidc_ticket_issue_cb (void* cls,
+ const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket)
+{
+ struct RequestHandle *handle = cls;
+ handle->idp_op = NULL;
+ handle->ticket = *ticket;
if (NULL != ticket) {
- ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket,
- sizeof (struct
GNUNET_IDENTITY_PROVIDER_Ticket));
- //TODO change if more attributes are needed (see max_age)
- GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}",
- ticket_str,
- (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "",
- (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "",
- (NULL != handle->oidc->nonce) ? "\"" : "");
- code_base64_final_string = base_64_encode(code_json_string);
- GNUNET_asprintf (&redirect_uri, "%s?%s=%s&state=%s",
- handle->oidc->redirect_uri,
- handle->oidc->response_type,
- code_base64_final_string, handle->oidc->state);
- MHD_add_response_header (resp, "Location", redirect_uri);
- handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
- GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle);
- GNUNET_free (redirect_uri);
- GNUNET_free (ticket_str);
- GNUNET_free (code_json_string);
- GNUNET_free (code_base64_final_string);
+ GNUNET_NAMESTORE_zone_to_name (handle->namestore_handle,
+ &handle->priv_key,
+ &handle->oidc->client_pkey,
+ &get_client_name_error,
+ handle,
+ &get_client_name_result,
+ handle);
return;
}
handle->emsg = GNUNET_strdup("server_error");
@@ -1489,21 +1543,21 @@ oidc_collect_finished_cb (void *cls)
return;
}
handle->idp_op = GNUNET_IDENTITY_PROVIDER_ticket_issue (handle->idp,
- &handle->priv_key,
- &handle->oidc->client_pkey,
- handle->attr_list,
- &oidc_ticket_issue_cb,
- handle);
+ &handle->priv_key,
+
&handle->oidc->client_pkey,
+ handle->attr_list,
+
&oidc_ticket_issue_cb,
+ handle);
}
/**
- * Collect all attributes for an ego
+ * Collects all attributes for an ego if in scope parameter
*/
static void
oidc_attr_collect (void *cls,
- const struct GNUNET_CRYPTO_EcdsaPublicKey *identity,
- const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr)
+ const struct GNUNET_CRYPTO_EcdsaPublicKey *identity,
+ const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr)
{
struct RequestHandle *handle = cls;
struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le;
@@ -1530,21 +1584,22 @@ oidc_attr_collect (void *cls,
if ( NULL == scope_variable )
{
GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it);
+ GNUNET_free(scope_variables);
return;
}
GNUNET_free(scope_variables);
le = GNUNET_new(struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry);
le->claim = GNUNET_IDENTITY_ATTRIBUTE_claim_new (attr->name, attr->type,
- attr->data, attr->data_size);
+ attr->data,
attr->data_size);
GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head,
- handle->attr_list->list_tail, le);
+ handle->attr_list->list_tail, le);
GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it);
}
/**
- * Cookie and Time check
+ * Checks time and cookie and redirects accordingly
*/
static void
login_check (void *cls)
@@ -1560,50 +1615,50 @@ login_check (void *cls)
GNUNET_free(identity_cookie);
//No login time for identity -> redirect to login
if ( GNUNET_YES
- == GNUNET_CONTAINER_multihashmap_contains (OIDC_identity_login_time,
- &cache_key) )
+ == GNUNET_CONTAINER_multihashmap_contains (OIDC_identity_login_time,
+ &cache_key) )
{
relog_time = GNUNET_CONTAINER_multihashmap_get (OIDC_identity_login_time,
- &cache_key);
+ &cache_key);
current_time = GNUNET_TIME_absolute_get ();
// 30 min after old login -> redirect to login
if ( current_time.abs_value_us <= relog_time->abs_value_us )
{
if ( GNUNET_OK
- != GNUNET_CRYPTO_ecdsa_public_key_from_string (
- handle->oidc->login_identity,
- strlen (handle->oidc->login_identity), &pubkey) )
+ != GNUNET_CRYPTO_ecdsa_public_key_from_string (
+
handle->oidc->login_identity,
+ strlen
(handle->oidc->login_identity), &pubkey) )
{
- handle->emsg = GNUNET_strdup("invalid_cookie");
- handle->edesc = GNUNET_strdup(
- "The cookie of a login identity is not valid");
- GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
- return;
+ handle->emsg = GNUNET_strdup("invalid_cookie");
+ handle->edesc = GNUNET_strdup(
+ "The cookie of a login identity is not
valid");
+ GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
+ return;
}
// iterate over egos and compare their public key
for (handle->ego_entry = handle->ego_head;
- NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next)
+ NULL != handle->ego_entry; handle->ego_entry =
handle->ego_entry->next)
{
- GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &ego_pkey);
- if ( 0
- == memcmp (&ego_pkey, &pubkey,
- sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
- {
- handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (
- handle->ego_entry->ego);
- handle->resp_object = GNUNET_JSONAPI_document_new ();
- handle->idp = GNUNET_IDENTITY_PROVIDER_connect (cfg);
- handle->attr_list = GNUNET_new(
- struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList);
- handle->attr_it = GNUNET_IDENTITY_PROVIDER_get_attributes_start (
- handle->idp, &handle->priv_key, &oidc_iteration_error, handle,
- &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle);
- return;
- }
+ GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &ego_pkey);
+ if ( 0
+ == memcmp (&ego_pkey, &pubkey,
+ sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
+ {
+ handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (
+
handle->ego_entry->ego);
+ handle->resp_object = GNUNET_JSONAPI_document_new ();
+ handle->idp = GNUNET_IDENTITY_PROVIDER_connect (cfg);
+ handle->attr_list = GNUNET_new(
+ struct
GNUNET_IDENTITY_ATTRIBUTE_ClaimList);
+ handle->attr_it = GNUNET_IDENTITY_PROVIDER_get_attributes_start (
+
handle->idp, &handle->priv_key, &oidc_iteration_error, handle,
+
&oidc_attr_collect, handle, &oidc_collect_finished_cb, handle);
+ return;
+ }
}
handle->emsg = GNUNET_strdup("invalid_cookie");
handle->edesc = GNUNET_strdup(
- "The cookie of the login identity is not valid");
+ "The cookie of the login identity is not
valid");
GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
return;
}
@@ -1611,15 +1666,16 @@ login_check (void *cls)
}
/**
- * Create a response with requested records
+ * Searches for client_id in namestore. If found trust status stored in handle
+ * Else continues to search
*
* @param handle the RequestHandle
*/
static void
namestore_iteration_callback (
- void *cls, const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_key,
- const char *rname, unsigned int rd_len,
- const struct GNUNET_GNSRECORD_Data *rd)
+ void *cls, const struct
GNUNET_CRYPTO_EcdsaPrivateKey *zone_key,
+ const char *rname, unsigned int rd_len,
+ const struct GNUNET_GNSRECORD_Data *rd)
{
struct RequestHandle *handle = cls;
struct GNUNET_CRYPTO_EcdsaPublicKey login_identity_pkey;
@@ -1634,28 +1690,28 @@ namestore_iteration_callback (
if ( NULL != handle->oidc->login_identity )
{
GNUNET_CRYPTO_ecdsa_public_key_from_string (
- handle->oidc->login_identity,
- strlen (handle->oidc->login_identity),
- &login_identity_pkey);
+ handle->oidc->login_identity,
+ strlen
(handle->oidc->login_identity),
+ &login_identity_pkey);
GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego,
- ¤t_zone_pkey);
+ ¤t_zone_pkey);
if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey,
- sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
+ sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
{
- if ( 0 == memcmp (&login_identity_pkey, ¤t_zone_pkey,
- sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
- {
- handle->oidc->is_client_trusted = GNUNET_YES;
- }
+ if ( 0 == memcmp (&login_identity_pkey, ¤t_zone_pkey,
+ sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
+ {
+ handle->oidc->is_client_trusted = GNUNET_YES;
+ }
}
}
else
{
if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey,
- sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
+ sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
{
- handle->oidc->is_client_trusted = GNUNET_YES;
+ handle->oidc->is_client_trusted = GNUNET_YES;
}
}
}
@@ -1686,24 +1742,24 @@ static void namestore_iteration_finished (void *cls)
{
handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key
(handle->ego_entry->ego);
handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start
(handle->namestore_handle, &handle->priv_key,
- &oidc_iteration_error, handle,
&namestore_iteration_callback, handle,
- &namestore_iteration_finished,
handle);
+
&oidc_iteration_error, handle, &namestore_iteration_callback, handle,
+
&namestore_iteration_finished, handle);
return;
}
if (GNUNET_NO == handle->oidc->is_client_trusted)
{
handle->emsg = GNUNET_strdup("unauthorized_client");
handle->edesc = GNUNET_strdup("The client is not authorized to request an "
- "authorization code using this method.");
+ "authorization code using this method.");
GNUNET_SCHEDULER_add_now (&do_error, handle);
return;
}
// REQUIRED value: redirect_uri
GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY),
- &cache_key);
+ &cache_key);
if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->url_param_map,
- &cache_key))
+ &cache_key))
{
handle->emsg=GNUNET_strdup("invalid_request");
handle->edesc=GNUNET_strdup("missing parameter redirect_uri");
@@ -1711,12 +1767,13 @@ static void namestore_iteration_finished (void *cls)
return;
}
handle->oidc->redirect_uri =
GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
+ &cache_key);
GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey";,
handle->oidc->client_id);
// verify the redirect uri matches https://<client_id>.zkey[/xyz]
if( 0 != strncmp( expected_redirect_uri, handle->oidc->redirect_uri,
strlen(expected_redirect_uri)) )
{
+ handle->oidc->redirect_uri = NULL;
handle->emsg=GNUNET_strdup("invalid_request");
handle->edesc=GNUNET_strdup("Invalid redirect_uri");
GNUNET_SCHEDULER_add_now (&do_error, handle);
@@ -1728,9 +1785,9 @@ static void namestore_iteration_finished (void *cls)
GNUNET_free(expected_redirect_uri);
// REQUIRED value: response_type
GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY),
- &cache_key);
+ &cache_key);
if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->url_param_map,
- &cache_key))
+ &cache_key))
{
handle->emsg=GNUNET_strdup("invalid_request");
handle->edesc=GNUNET_strdup("missing parameter response_type");
@@ -1738,13 +1795,13 @@ static void namestore_iteration_finished (void *cls)
return;
}
handle->oidc->response_type =
GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
+ &cache_key);
handle->oidc->response_type = GNUNET_strdup (handle->oidc->response_type);
// REQUIRED value: scope
GNUNET_CRYPTO_hash (OIDC_SCOPE_KEY, strlen (OIDC_SCOPE_KEY), &cache_key);
if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->url_param_map,
- &cache_key))
+ &cache_key))
{
handle->emsg=GNUNET_strdup("invalid_request");
handle->edesc=GNUNET_strdup("missing parameter scope");
@@ -1752,16 +1809,16 @@ static void namestore_iteration_finished (void *cls)
return;
}
handle->oidc->scope =
GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
+ &cache_key);
handle->oidc->scope = GNUNET_strdup(handle->oidc->scope);
//OPTIONAL value: nonce
GNUNET_CRYPTO_hash (OIDC_NONCE_KEY, strlen (OIDC_NONCE_KEY), &cache_key);
if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->url_param_map,
- &cache_key))
+ &cache_key))
{
handle->oidc->nonce =
GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
+ &cache_key);
handle->oidc->nonce = GNUNET_strdup (handle->oidc->nonce);
}
@@ -1770,14 +1827,14 @@ static void namestore_iteration_finished (void *cls)
for( iterator = 0; iterator < number_of_ignored_parameter; iterator++ )
{
GNUNET_CRYPTO_hash (OIDC_ignored_parameter_array[iterator],
- strlen(OIDC_ignored_parameter_array[iterator]),
- &cache_key);
+ strlen(OIDC_ignored_parameter_array[iterator]),
+ &cache_key);
if(GNUNET_YES ==
GNUNET_CONTAINER_multihashmap_contains(handle->rest_handle->url_param_map,
- &cache_key))
+ &cache_key))
{
handle->emsg=GNUNET_strdup("access_denied");
GNUNET_asprintf (&handle->edesc, "Server will not handle parameter: %s",
- OIDC_ignored_parameter_array[iterator]);
+ OIDC_ignored_parameter_array[iterator]);
GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
return;
}
@@ -1788,28 +1845,30 @@ static void namestore_iteration_finished (void *cls)
{
handle->emsg=GNUNET_strdup("unsupported_response_type");
handle->edesc=GNUNET_strdup("The authorization server does not support "
- "obtaining this authorization code.");
+ "obtaining this authorization code.");
GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
return;
}
// Checks if scope contains 'openid'
expected_scope = GNUNET_strdup(handle->oidc->scope);
- expected_scope = strtok (expected_scope, delimiter);
- while (NULL != expected_scope)
+ char* test;
+ test = strtok (expected_scope, delimiter);
+ while (NULL != test)
{
if ( 0 == strcmp (OIDC_EXPECTED_AUTHORIZATION_SCOPE, expected_scope) )
{
break;
}
- expected_scope = strtok (NULL, delimiter);
+ test = strtok (NULL, delimiter);
}
- if (NULL == expected_scope)
+ if (NULL == test)
{
handle->emsg = GNUNET_strdup("invalid_scope");
handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or "
- "malformed.");
+ "malformed.");
GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
+ GNUNET_free(expected_scope);
return;
}
@@ -1833,8 +1892,8 @@ static void namestore_iteration_finished (void *cls)
*/
static void
authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
- const char* url,
- void *cls)
+ const char* url,
+ void *cls)
{
struct RequestHandle *handle = cls;
struct GNUNET_HashCode cache_key;
@@ -1844,18 +1903,18 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
//RECOMMENDED value: state - REQUIRED for answers
GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key);
if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->url_param_map,
- &cache_key))
+ &cache_key))
{
handle->oidc->state =
GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
+ &cache_key);
handle->oidc->state = GNUNET_strdup (handle->oidc->state);
}
// REQUIRED value: client_id
GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY),
- &cache_key);
+ &cache_key);
if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->url_param_map,
- &cache_key))
+ &cache_key))
{
handle->emsg=GNUNET_strdup("invalid_request");
handle->edesc=GNUNET_strdup("missing parameter client_id");
@@ -1864,17 +1923,17 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
handle->oidc->client_id =
GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
+ &cache_key);
handle->oidc->client_id = GNUNET_strdup (handle->oidc->client_id);
if ( GNUNET_OK
- != GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id,
- strlen
(handle->oidc->client_id),
-
&handle->oidc->client_pkey) )
+ != GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id,
+ strlen
(handle->oidc->client_id),
+
&handle->oidc->client_pkey) )
{
handle->emsg = GNUNET_strdup("unauthorized_client");
handle->edesc = GNUNET_strdup("The client is not authorized to request an "
- "authorization code using this method.");
+ "authorization code using this method.");
handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
GNUNET_SCHEDULER_add_now (&do_error, handle);
return;
@@ -1896,9 +1955,9 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
// Checks if client_id is valid:
handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (
- handle->namestore_handle, &handle->priv_key, &oidc_iteration_error,
- handle, &namestore_iteration_callback, handle,
- &namestore_iteration_finished, handle);
+
handle->namestore_handle, &handle->priv_key, &oidc_iteration_error,
+ handle,
&namestore_iteration_callback, handle,
+
&namestore_iteration_finished, handle);
}
/**
@@ -1922,46 +1981,56 @@ login_cont (struct GNUNET_REST_RequestHandle
*con_handle,
json_t *root;
json_error_t error;
json_t *identity;
- root = json_loads (handle->rest_handle->data, 0, &error);
+ char term_data[handle->rest_handle->data_size+1];
+ term_data[handle->rest_handle->data_size] = '\0';
+ GNUNET_memcpy (term_data, handle->rest_handle->data,
handle->rest_handle->data_size);
+ root = json_loads (term_data, JSON_DECODE_ANY, &error);
identity = json_object_get (root, "identity");
if ( json_is_string(identity) )
{
GNUNET_asprintf (&cookie, "Identity=%s", json_string_value (identity));
-
+ MHD_add_response_header (resp, "Set-Cookie", cookie);
+ MHD_add_response_header (resp, "Access-Control-Allow-Methods", "POST");
GNUNET_CRYPTO_hash (cookie, strlen (cookie), &cache_key);
current_time = GNUNET_new(struct GNUNET_TIME_Absolute);
*current_time = GNUNET_TIME_relative_to_absolute (
- GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_minute_ (),
- 30));
+
GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_minute_ (),
+
30));
last_time = GNUNET_CONTAINER_multihashmap_get(OIDC_identity_login_time,
&cache_key);
if (NULL != last_time)
{
GNUNET_free(last_time);
}
GNUNET_CONTAINER_multihashmap_put (
- OIDC_identity_login_time, &cache_key, current_time,
- GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE);
+ OIDC_identity_login_time, &cache_key,
current_time,
+
GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE);
handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
+ GNUNET_free(cookie);
}
else
{
handle->proc (handle->proc_cls, resp, MHD_HTTP_BAD_REQUEST);
}
- GNUNET_free(cookie);
json_decref (root);
GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle);
return;
}
+/**
+ * Responds to token url-encoded POST request
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
static void
token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
const char* url,
void *cls)
{
//TODO static strings
-
struct RequestHandle *handle = cls;
struct GNUNET_HashCode cache_key;
char *authorization, *credentials;
@@ -1981,10 +2050,10 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
* Check Authorization
*/
GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY,
- strlen (OIDC_AUTHORIZATION_HEADER_KEY),
- &cache_key);
+ strlen (OIDC_AUTHORIZATION_HEADER_KEY),
+ &cache_key);
if ( GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->header_param_map,
- &cache_key) )
+ &cache_key) )
{
handle->emsg=GNUNET_strdup("invalid_client");
handle->edesc=GNUNET_strdup("missing authorization");
@@ -1994,7 +2063,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
}
authorization = GNUNET_CONTAINER_multihashmap_get (
handle->rest_handle->header_param_map, &cache_key);
- //TODO authorization pointer will be moved as well
//split header in "Basic" and [content]
credentials = strtok (authorization, delimiter);
if (0 != strcmp ("Basic",credentials))
@@ -2039,13 +2107,16 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
GNUNET_SCHEDULER_add_now (&do_error, handle);
return;
}
+
//check client password
if ( GNUNET_OK
- == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin",
- "psw", &expected_psw) )
+ == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin",
+ "psw", &expected_psw) )
{
if (0 != strcmp (expected_psw, psw))
{
+ GNUNET_free_non_null(user_psw);
+ GNUNET_free(expected_psw);
handle->emsg=GNUNET_strdup("invalid_client");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_error, handle);
@@ -2055,12 +2126,14 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
}
else
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("server_error");
handle->edesc = GNUNET_strdup ("gnunet configuration failed");
handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
GNUNET_SCHEDULER_add_now (&do_error, handle);
return;
}
+
//check client_id
for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry->next; )
{
@@ -2073,6 +2146,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
}
if (GNUNET_NO == client_exists)
{
+ GNUNET_free_non_null(user_psw);
handle->emsg=GNUNET_strdup("invalid_client");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_error, handle);
@@ -2087,9 +2161,10 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
//REQUIRED grant_type
GNUNET_CRYPTO_hash (OIDC_GRANT_TYPE_KEY, strlen (OIDC_GRANT_TYPE_KEY),
&cache_key);
if ( GNUNET_NO
- == GNUNET_CONTAINER_multihashmap_contains (
- handle->rest_handle->url_param_map, &cache_key) )
+ == GNUNET_CONTAINER_multihashmap_contains (
+
handle->rest_handle->url_param_map, &cache_key) )
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("missing parameter grant_type");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2097,14 +2172,15 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
grant_type = GNUNET_CONTAINER_multihashmap_get (
- handle->rest_handle->url_param_map, &cache_key);
+
handle->rest_handle->url_param_map, &cache_key);
//REQUIRED code
GNUNET_CRYPTO_hash (OIDC_CODE_KEY, strlen (OIDC_CODE_KEY), &cache_key);
if ( GNUNET_NO
- == GNUNET_CONTAINER_multihashmap_contains (
- handle->rest_handle->url_param_map, &cache_key) )
+ == GNUNET_CONTAINER_multihashmap_contains (
+
handle->rest_handle->url_param_map, &cache_key) )
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("missing parameter code");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2112,15 +2188,16 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
code = GNUNET_CONTAINER_multihashmap_get (handle->rest_handle->url_param_map,
- &cache_key);
+ &cache_key);
//REQUIRED redirect_uri
GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY),
- &cache_key);
+ &cache_key);
if ( GNUNET_NO
- == GNUNET_CONTAINER_multihashmap_contains (
- handle->rest_handle->url_param_map, &cache_key) )
+ == GNUNET_CONTAINER_multihashmap_contains (
+
handle->rest_handle->url_param_map, &cache_key) )
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("missing parameter redirect_uri");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2128,12 +2205,13 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
redirect_uri = GNUNET_CONTAINER_multihashmap_get (
- handle->rest_handle->url_param_map, &cache_key);
+
handle->rest_handle->url_param_map, &cache_key);
//Check parameter grant_type == "authorization_code"
if (0 != strcmp(OIDC_GRANT_TYPE_VALUE, grant_type))
{
+ GNUNET_free_non_null(user_psw);
handle->emsg=GNUNET_strdup("unsupported_grant_type");
handle->response_code = MHD_HTTP_BAD_REQUEST;
GNUNET_SCHEDULER_add_now (&do_error, handle);
@@ -2144,6 +2222,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
// verify the redirect uri matches https://<client_id>.zkey[/xyz]
if( 0 != strncmp( expected_redirect_uri, redirect_uri,
strlen(expected_redirect_uri)) )
{
+ GNUNET_free_non_null(user_psw);
handle->emsg=GNUNET_strdup("invalid_request");
handle->edesc=GNUNET_strdup("Invalid redirect_uri");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2152,17 +2231,21 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
GNUNET_free(expected_redirect_uri);
- GNUNET_CRYPTO_hash(code, strlen(code), &cache_key);
- if ( GNUNET_YES ==
GNUNET_CONTAINER_multihashmap_contains(OIDC_ticket_once,&cache_key))
+ GNUNET_CRYPTO_hash (code, strlen (code), &cache_key);
+ int i = 1;
+ if ( GNUNET_SYSERR
+ == GNUNET_CONTAINER_multihashmap_put (OIDC_ticket_once,
+ &cache_key,
+ &i,
+
GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY) )
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("Cannot use the same code more than once");
handle->response_code = MHD_HTTP_BAD_REQUEST;
GNUNET_SCHEDULER_add_now (&do_error, handle);
return;
}
- int i=1;
-
GNUNET_CONTAINER_multihashmap_put(OIDC_ticket_once,&cache_key,&i,GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE);
//decode code
GNUNET_STRINGS_base64_decode(code,strlen(code),&code_output);
@@ -2174,6 +2257,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
if(ticket_string == NULL && !json_is_string(ticket_string))
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("invalid code");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2183,11 +2267,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket = GNUNET_new(struct
GNUNET_IDENTITY_PROVIDER_Ticket);
if ( GNUNET_OK
- != GNUNET_STRINGS_string_to_data (json_string_value(ticket_string),
- strlen
(json_string_value(ticket_string)),
- ticket,
- sizeof(struct
GNUNET_IDENTITY_PROVIDER_Ticket)))
+ != GNUNET_STRINGS_string_to_data (json_string_value(ticket_string),
+ strlen
(json_string_value(ticket_string)),
+ ticket,
+ sizeof(struct
GNUNET_IDENTITY_PROVIDER_Ticket)))
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("invalid code");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2200,6 +2285,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
GNUNET_IDENTITY_ego_get_public_key(handle->ego_entry->ego,&pub_key);
if (0 != memcmp(&pub_key,&ticket->audience,sizeof(struct
GNUNET_CRYPTO_EcdsaPublicKey)))
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("invalid code");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2211,9 +2297,10 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
//create jwt
unsigned long long int expiration_time;
if ( GNUNET_OK
- != GNUNET_CONFIGURATION_get_value_number(cfg, "identity-rest-plugin",
- "expiration_time",
&expiration_time) )
+ != GNUNET_CONFIGURATION_get_value_number(cfg, "identity-rest-plugin",
+ "expiration_time",
&expiration_time) )
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("server_error");
handle->edesc = GNUNET_strdup ("gnunet configuration failed");
handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
@@ -2225,51 +2312,48 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct
GNUNET_IDENTITY_ATTRIBUTE_ClaimList);
//aud REQUIRED public key client_id must be there
GNUNET_IDENTITY_ATTRIBUTE_list_add(cl,
- "aud",
- GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
- client_id,
- strlen(client_id));
+ "aud",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ client_id,
+ strlen(client_id));
//exp REQUIRED time expired from config
- //TODO time as seconds
struct GNUNET_TIME_Absolute exp_time = GNUNET_TIME_relative_to_absolute (
- GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (),
- expiration_time));
+
GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (),
+
expiration_time));
const char* exp_time_string =
GNUNET_STRINGS_absolute_time_to_string(exp_time);
GNUNET_IDENTITY_ATTRIBUTE_list_add (cl,
- "exp",
- GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
- exp_time_string,
- strlen(exp_time_string));
+ "exp",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ exp_time_string,
+ strlen(exp_time_string));
//iat REQUIRED time now
- //TODO time as seconds
struct GNUNET_TIME_Absolute time_now = GNUNET_TIME_absolute_get();
const char* time_now_string =
GNUNET_STRINGS_absolute_time_to_string(time_now);
GNUNET_IDENTITY_ATTRIBUTE_list_add (cl,
- "iat",
- GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
- time_now_string,
- strlen(time_now_string));
+ "iat",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ time_now_string,
+ strlen(time_now_string));
//nonce only if nonce is provided
if ( NULL != nonce && json_is_string(nonce) )
{
GNUNET_IDENTITY_ATTRIBUTE_list_add (cl,
- "nonce",
- GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
- json_string_value(nonce),
- strlen(json_string_value(nonce)));
+ "nonce",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ json_string_value(nonce),
+ strlen(json_string_value(nonce)));
}
//auth_time only if max_age is provided
if ( NULL != max_age && json_is_string(max_age) )
{
GNUNET_IDENTITY_ATTRIBUTE_list_add (cl,
- "auth_time",
- GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
- json_string_value(max_age),
- strlen(json_string_value(max_age)));
+ "auth_time",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ json_string_value(max_age),
+ strlen(json_string_value(max_age)));
}
//TODO OPTIONAL acr,amr,azp
- //TODO lookup client for client == audience of ticket
struct EgoEntry *ego_entry;
for (ego_entry = handle->ego_head; NULL != ego_entry; ego_entry =
ego_entry->next)
{
@@ -2281,6 +2365,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
}
if ( NULL == ego_entry )
{
+ GNUNET_free_non_null(user_psw);
handle->emsg = GNUNET_strdup("invalid_request");
handle->edesc = GNUNET_strdup("invalid code....");
handle->response_code = MHD_HTTP_BAD_REQUEST;
@@ -2289,8 +2374,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
char *id_token = jwt_create_from_list(&ticket->audience,
- cl,
-
GNUNET_IDENTITY_ego_get_private_key(ego_entry->ego));
+ cl,
+
GNUNET_IDENTITY_ego_get_private_key(ego_entry->ego));
//Create random access_token
char* access_token_number;
@@ -2301,26 +2386,26 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
GNUNET_STRINGS_base64_encode(access_token_number,strlen(access_token_number),&access_token);
-
+
//TODO OPTIONAL add refresh_token and scope
GNUNET_asprintf (&json_response,
- "{ \"access_token\" : \"%s\", "
- "\"token_type\" : \"Bearer\", "
- "\"expires_in\" : %d, "
- "\"id_token\" : \"%s\"}",
- access_token,
- expiration_time,
- id_token);
+ "{ \"access_token\" : \"%s\", "
+ "\"token_type\" : \"Bearer\", "
+ "\"expires_in\" : %d, "
+ "\"id_token\" : \"%s\"}",
+ access_token,
+ expiration_time,
+ id_token);
GNUNET_CRYPTO_hash(access_token, strlen(access_token), &cache_key);
char *id_ticket_combination;
GNUNET_asprintf(&id_ticket_combination,
- "%s;%s",
- client_id,
- json_string_value(ticket_string));
+ "%s;%s",
+ client_id,
+ json_string_value(ticket_string));
GNUNET_CONTAINER_multihashmap_put(OIDC_interpret_access_token,
- &cache_key,
- id_ticket_combination,
-
GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE);
+ &cache_key,
+ id_ticket_combination,
+
GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE);
resp = GNUNET_REST_create_response (json_response);
MHD_add_response_header (resp, "Cache-Control", "no-store");
@@ -2328,9 +2413,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
MHD_add_response_header (resp, "Content-Type", "application/json");
handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
- //TODO one time ticket/code
-
- //TODO free
GNUNET_IDENTITY_ATTRIBUTE_list_destroy(cl);
GNUNET_free(access_token_number);
GNUNET_free(access_token);
@@ -2342,11 +2424,13 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
GNUNET_SCHEDULER_add_now(&cleanup_handle_delayed, handle);
}
-
+/**
+ * Collects claims and stores them in handle
+ */
static void
consume_ticket (void *cls,
- const struct GNUNET_CRYPTO_EcdsaPublicKey *identity,
- const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr)
+ const struct GNUNET_CRYPTO_EcdsaPublicKey *identity,
+ const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr)
{
struct RequestHandle *handle = cls;
@@ -2357,28 +2441,36 @@ consume_ticket (void *cls,
}
json_object_set_new (handle->oidc->response,
- attr->name,
- json_string(attr->data));
+ attr->name,
+ json_string(attr->data));
}
+/**
+ * Responds to userinfo GET and url-encoded POST request
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
static void
userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
- const char* url, void *cls)
+ const char* url, void *cls)
{
+ //TODO expiration time
struct RequestHandle *handle = cls;
char delimiter[] = " ";
char delimiter_db[] = ";";
struct GNUNET_HashCode cache_key;
char *authorization, *authorization_type, *authorization_access_token;
- char *client_ticket;
+ char *client_ticket, *client, *ticket_str;
struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket;
GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY,
- strlen (OIDC_AUTHORIZATION_HEADER_KEY),
- &cache_key);
+ strlen (OIDC_AUTHORIZATION_HEADER_KEY),
+ &cache_key);
if ( GNUNET_NO
- == GNUNET_CONTAINER_multihashmap_contains (
- handle->rest_handle->header_param_map, &cache_key) )
+ == GNUNET_CONTAINER_multihashmap_contains (
+
handle->rest_handle->header_param_map, &cache_key) )
{
handle->emsg = GNUNET_strdup("invalid_token");
handle->edesc = GNUNET_strdup("No Access Token");
@@ -2387,10 +2479,10 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
authorization = GNUNET_CONTAINER_multihashmap_get (
- handle->rest_handle->header_param_map, &cache_key);
+
handle->rest_handle->header_param_map, &cache_key);
- //TODO authorization pointer will be moved as well
//split header in "Bearer" and access_token
+ authorization = GNUNET_strdup(authorization);
authorization_type = strtok (authorization, delimiter);
if ( 0 != strcmp ("Bearer", authorization_type) )
{
@@ -2398,6 +2490,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
handle->edesc = GNUNET_strdup("No Access Token");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
+ GNUNET_free(authorization);
return;
}
authorization_access_token = strtok (NULL, delimiter);
@@ -2407,38 +2500,42 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
handle->edesc = GNUNET_strdup("No Access Token");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
+ GNUNET_free(authorization);
return;
}
GNUNET_CRYPTO_hash (authorization_access_token,
- strlen (authorization_access_token),
- &cache_key);
+ strlen (authorization_access_token),
+ &cache_key);
if ( GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains
(OIDC_interpret_access_token,
- &cache_key) )
+ &cache_key) )
{
handle->emsg = GNUNET_strdup("invalid_token");
handle->edesc = GNUNET_strdup("The Access Token expired");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
+ GNUNET_free(authorization);
return;
}
client_ticket =
GNUNET_CONTAINER_multihashmap_get(OIDC_interpret_access_token,
- &cache_key);
-
- client_ticket = strtok(client_ticket,delimiter_db);
- if (NULL == client_ticket)
+ &cache_key);
+ client_ticket = GNUNET_strdup(client_ticket);
+ client = strtok(client_ticket,delimiter_db);
+ if (NULL == client)
{
handle->emsg = GNUNET_strdup("invalid_token");
handle->edesc = GNUNET_strdup("The Access Token expired");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
+ GNUNET_free(authorization);
+ GNUNET_free(client_ticket);
return;
}
handle->ego_entry = handle->ego_head;
for(; NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next)
{
- if (0 == strcmp(handle->ego_entry->keystring,client_ticket))
+ if (0 == strcmp(handle->ego_entry->keystring,client))
{
break;
}
@@ -2449,29 +2546,35 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
handle->edesc = GNUNET_strdup("The Access Token expired");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
+ GNUNET_free(authorization);
+ GNUNET_free(client_ticket);
return;
}
- client_ticket = strtok(NULL, delimiter_db);
- if (NULL == client_ticket)
+ ticket_str = strtok(NULL, delimiter_db);
+ if (NULL == ticket_str)
{
handle->emsg = GNUNET_strdup("invalid_token");
handle->edesc = GNUNET_strdup("The Access Token expired");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
+ GNUNET_free(authorization);
+ GNUNET_free(client_ticket);
return;
}
ticket = GNUNET_new(struct GNUNET_IDENTITY_PROVIDER_Ticket);
if ( GNUNET_OK
- != GNUNET_STRINGS_string_to_data (client_ticket,
- strlen (client_ticket),
- ticket,
- sizeof(struct
GNUNET_IDENTITY_PROVIDER_Ticket)))
+ != GNUNET_STRINGS_string_to_data (ticket_str,
+ strlen (ticket_str),
+ ticket,
+ sizeof(struct
GNUNET_IDENTITY_PROVIDER_Ticket)))
{
handle->emsg = GNUNET_strdup("invalid_token");
handle->edesc = GNUNET_strdup("The Access Token expired");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
GNUNET_free(ticket);
+ GNUNET_free(authorization);
+ GNUNET_free(client_ticket);
return;
}
@@ -2479,12 +2582,14 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
handle->oidc->response = json_object();
json_object_set_new( handle->oidc->response, "sub", json_string(
handle->ego_entry->keystring));
handle->idp_op = GNUNET_IDENTITY_PROVIDER_ticket_consume (
- handle->idp,
- GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego),
- ticket,
- consume_ticket,
- handle);
+ handle->idp,
+
GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego),
+ ticket,
+ consume_ticket,
+ handle);
GNUNET_free(ticket);
+ GNUNET_free(authorization);
+ GNUNET_free(client_ticket);
}
@@ -2676,7 +2781,7 @@ libgnunet_plugin_rest_identity_provider_done (void *cls)
struct GNUNET_CONTAINER_MultiHashMapIterator *hashmap_it;
void *value = NULL;
hashmap_it = GNUNET_CONTAINER_multihashmap_iterator_create (
- OIDC_identity_login_time);
+
OIDC_identity_login_time);
while (GNUNET_YES ==
GNUNET_CONTAINER_multihashmap_iterator_next (hashmap_it, NULL, value))
{
diff --git a/src/rest/gnunet-rest-server.c b/src/rest/gnunet-rest-server.c
index fdcd4f9c5..2f840be8b 100644
--- a/src/rest/gnunet-rest-server.c
+++ b/src/rest/gnunet-rest-server.c
@@ -119,6 +119,11 @@ static char* allow_origin;
static char* allow_headers;
/**
+ * Allowed Credentials (CORS)
+ */
+static char* allow_credentials;
+
+/**
* MHD Connection handle
*/
struct MhdConnectionHandle
@@ -301,7 +306,7 @@ post_data_iter (void *cls,
GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
- "Could not load add url param `%s'=%s\n",
+ "Could not load add url param '%s'=%s\n",
key, data);
GNUNET_free(val);
}
@@ -404,7 +409,7 @@ create_response (void *cls,
&header_iterator,
rest_conndata_handle);
con_handle->pp = MHD_create_post_processor(con,
- 4000,
+ 65536,
post_data_iter,
rest_conndata_handle);
if (*upload_data_size)
@@ -430,6 +435,12 @@ create_response (void *cls,
MHD_HTTP_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN,
allow_origin);
}
+ if (NULL != allow_credentials)
+ {
+ MHD_add_response_header (con_handle->response,
+ "Access-Control-Allow-Credentials",
+ allow_credentials);
+ }
if (NULL != allow_headers)
{
MHD_add_response_header (con_handle->response,
@@ -660,6 +671,7 @@ do_shutdown (void *cls)
"Shutting down...\n");
kill_httpd ();
GNUNET_free_non_null (allow_origin);
+ GNUNET_free_non_null (allow_credentials);
GNUNET_free_non_null (allow_headers);
}
@@ -804,6 +816,15 @@ run (void *cls,
}
if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "rest",
+
"REST_ALLOW_CREDENTIALS",
+ &allow_credentials))
+ {
+ //No origin specified
+ GNUNET_log (GNUNET_ERROR_TYPE_INFO,
+ "No CORS Access-Control-Allow-Origin Header will be
sent...\n");
+ }
+
+ if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_string (cfg, "rest",
"REST_ALLOW_HEADERS",
&allow_headers))
{
diff --git a/src/rest/rest.conf b/src/rest/rest.conf
index f74d772e8..0a919df20 100644
--- a/src/rest/rest.conf
+++ b/src/rest/rest.conf
@@ -4,3 +4,4 @@ BINARY=gnunet-rest-server
REST_PORT=7776
REST_ALLOW_HEADERS=Authorization,Accept,Content-Type
REST_ALLOW_ORIGIN=http://localhost:8000
+REST_ALLOW_CREDENTIALS=true
\ No newline at end of file
--
To stop receiving notification emails like this one, please contact
address@hidden
- [GNUnet-SVN] [gnunet] branch master updated (b81feeba2 -> 0f495e52f),
gnunet <=
- [GNUnet-SVN] [gnunet] 04/05: Merge branch 'identity_oidc', gnunet, 2018/03/01
- [GNUnet-SVN] [gnunet] 02/05: -Merge branch 'master' into identity_oidc, gnunet, 2018/03/01
- [GNUnet-SVN] [gnunet] 01/05: -token endpoint fix wip, gnunet, 2018/03/01
- [GNUnet-SVN] [gnunet] 03/05: -fix userinfo_endpoint, gnunet, 2018/03/01
- [GNUnet-SVN] [gnunet] 05/05: -fixes, gnunet, 2018/03/01