ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-02-20 09:46:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add ssoEnabled flag to network config

Browse Source
This commit is contained in:
Grant Limberg 2021-06-05 13:44:45 -07:00
parent 9380ef708a
commit 364ad87e2b
No known key found for this signature in database
GPG Key ID: 2BA62CCABBB4095A
8 changed files with 56 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
controller/EmbeddedNetworkController.cpp
View File

@ -720,7 +720,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
try {
if (b.count("activeBridge")) member["activeBridge"] = OSUtils::jsonBool(b["activeBridge"], false);
if (b.count("noAutoAssignIps")) member["noAutoAssignIps"] = OSUtils::jsonBool(b["noAutoAssignIps"], false);
if (b.count("authenticationExpiryTime")) member["authenticationExpiryTime"] = (int64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], -1LL);
if (b.count("authenticationExpiryTime")) member["authenticationExpiryTime"] = (uint64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], 0ULL);
if (b.count("authenticationURL")) member["authenticationURL"] = OSUtils::jsonString(b["authenticationURL"], "");
if (b.count("remoteTraceTarget")) {
@ -1365,9 +1365,9 @@ void EmbeddedNetworkController::_request(
if (networkSSOEnabled && !memberSSOExempt) {
std::string memberId = member["id"];
fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
if ((authenticationExpiryTime == 0) || (authenticationExpiryTime < now)) {
if (authenticationExpiryTime < now) {
std::string authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
if (!authenticationURL.empty()) {
Dictionary<3072> authInfo;
@ -1445,6 +1445,7 @@ void EmbeddedNetworkController::_request(
nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU);
nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL);
nc->ssoEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
nc->authenticationExpiryTime = OSUtils::jsonInt(member["authenticationExpiryTime"], 0LL);

17
controller/PostgreSQL.cpp
View File

@ -26,6 +26,8 @@
#include <climits>
#define ZT_TRACE 1
using json = nlohmann::json;
namespace {
@ -233,10 +235,13 @@ bool PostgreSQL::save(nlohmann::json &record,bool notifyListeners)
fprintf(stderr, "PostgreSQL::save\n");
bool modified = false;
try {
if (!record.is_object())
if (!record.is_object()) {
fprintf(stderr, "record is not an object?!?\n");
return false;
}
const std::string objtype = record["objtype"];
if (objtype == "network") {
fprintf(stderr, "network save\n");
const uint64_t nwid = OSUtils::jsonIntHex(record["id"],0ULL);
if (nwid) {
nlohmann::json old;
@ -1114,11 +1119,11 @@ void PostgreSQL::commitThread()
"INSERT INTO ztc_network (id, creation_time, owner_id, controller_id, capabilities, enable_broadcast, "
"last_modified, mtu, multicast_limit, name, private, "
"remote_trace_level, remote_trace_target, rules, rules_source, "
"tags, v4_assign_mode, v6_assign_mode) VALUES ("
"tags, v4_assign_mode, v6_assign_mode, sso_enabled) VALUES ("
"$1, TO_TIMESTAMP($5::double precision/1000), "
"(SELECT user_id AS owner_id FROM ztc_global_permissions WHERE authorize = true AND del = true AND modify = true AND read = true LIMIT 1),"
"$2, $3, $4, TO_TIMESTAMP($5::double precision/1000), "
"$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16) "
"$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, 17) "
"ON CONFLICT (id) DO UPDATE set controller_id = EXCLUDED.controller_id, "
"capabilities = EXCLUDED.capabilities, enable_broadcast = EXCLUDED.enable_broadcast, "
"last_modified = EXCLUDED.last_modified, mtu = EXCLUDED.mtu, "
@ -1126,7 +1131,8 @@ void PostgreSQL::commitThread()
"private = EXCLUDED.private, remote_trace_level = EXCLUDED.remote_trace_level, "
"remote_trace_target = EXCLUDED.remote_trace_target, rules = EXCLUDED.rules, "
"rules_source = EXCLUDED.rules_source, tags = EXCLUDED.tags, "
"v4_assign_mode = EXCLUDED.v4_assign_mode, v6_assign_mode = EXCLUDED.v6_assign_mode",
"v4_assign_mode = EXCLUDED.v4_assign_mode, v6_assign_mode = EXCLUDED.v6_assign_mode, "
"sso_enabled = EXCLUDED.sso_enabled",
id,
_myAddressStr,
OSUtils::jsonDump((*config)["capabilitles"], -1),
@ -1142,7 +1148,8 @@ void PostgreSQL::commitThread()
rulesSource,
OSUtils::jsonDump((*config)["tags"], -1),
OSUtils::jsonDump((*config)["v4AssignMode"],-1),
OSUtils::jsonDump((*config)["v6AssignMode"], -1));
OSUtils::jsonDump((*config)["v6AssignMode"], -1),
OSUtils::jsonBool((*config)["ssoEnabled"], false));
res = w.exec_params0("DELETE FROM ztc_network_assignment_pool WHERE network_id = $1", 0);

9
include/ZeroTierOne.h
View File

@ -1345,15 +1345,20 @@ typedef struct
*/
ZT_VirtualNetworkDNS dns;
/**
* sso enabled
*/
bool ssoEnabled;
/**
* If the status us AUTHENTICATION_REQUIRED, this may contain a URL for authentication.
*/
char authenticationURL[2048];
/**
* Time that current authentication expires or -1 if external authentication is not required.
* Time that current authentication expires. only valid if ssoEnabled is true
*/
int64_t authenticationExpiryTime;
uint64_t authenticationExpiryTime;
} ZT_VirtualNetworkConfig;
/**

1
node/Network.cpp
View File

@ -1435,6 +1435,7 @@ void Network::_externalConfig(ZT_VirtualNetworkConfig *ec) const
Utils::scopy(ec->authenticationURL, sizeof(ec->authenticationURL), _authenticationURL.c_str());
ec->authenticationExpiryTime = _config.authenticationExpiryTime;
ec->ssoEnabled = _config.ssoEnabled;
}
void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMulticastGroup)

22
node/NetworkConfig.cpp
View File

@ -182,10 +182,11 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_DNS,*tmp)) return false;
}
if (this->authenticationURL[0]) {
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
}
if (this->authenticationExpiryTime >= 0) {
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, this->ssoEnabled)) return false;
if (this->ssoEnabled) {
if (this->authenticationURL[0]) {
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
}
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, this->authenticationExpiryTime)) return false;
}
@ -373,12 +374,19 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
DNS::deserializeDNS(*tmp, p, &dns);
}
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0; // ensure null terminated
this->ssoEnabled = d.getB(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, false);
if (this->ssoEnabled) {
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0; // ensure null terminated
} else {
this->authenticationURL[0] = 0;
}
this->authenticationExpiryTime = d.getI(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, 0);
} else {
this->authenticationURL[0] = 0;
this->authenticationExpiryTime = 0;
}
this->authenticationExpiryTime = d.getI(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, -1);
}
//printf("~~~\n%s\n~~~\n",d.data());

16
node/NetworkConfig.hpp
View File

@ -178,6 +178,8 @@ namespace ZeroTier {
#define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATES_OF_OWNERSHIP "COO"
// dns (binary blobs)
#define ZT_NETWORKCONFIG_DICT_KEY_DNS "DNS"
// sso enabld
#define ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED "ssoe"
// authentication URL
#define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL "aurl"
// authentication expiry
@ -237,7 +239,10 @@ public:
tags(),
certificatesOfOwnership(),
type(ZT_NETWORK_TYPE_PRIVATE),
dnsCount(0)
dnsCount(0),
ssoEnabled(false),
authenticationURL(),
authenticationExpiryTime(0)
{
name[0] = 0;
memset(specialists, 0, sizeof(uint64_t)*ZT_MAX_NETWORK_SPECIALISTS);
@ -609,15 +614,20 @@ public:
*/
ZT_VirtualNetworkDNS dns;
/**
* SSO enabled flag.
*/
bool ssoEnabled;
/**
* Authentication URL if authentication is required
*/
char authenticationURL[2048];
/**
* Time current authentication expires or -1 if external authentication is disabled
* Time current authentication expires or 0 if external authentication is disabled
*/
int64_t authenticationExpiryTime;
uint64_t authenticationExpiryTime;
};
} // namespace ZeroTier

6
one.cpp
View File

@ -795,12 +795,12 @@ static int cli(int argc,char **argv)
OSUtils::jsonString(n["type"],"-").c_str(),
OSUtils::jsonString(n["portDeviceName"],"-").c_str(),
aa.c_str());
int64_t authenticationExpiryTime = n["authenticationExpiryTime"];
if (authenticationExpiryTime >= 0) {
if (OSUtils::jsonBool(n["ssoEnabled"], false)) {
uint64_t authenticationExpiryTime = n["authenticationExpiryTime"];
if (status == "AUTHENTICATION_REQUIRED") {
printf(" AUTH EXPIRED, URL: %s" ZT_EOL_S, OSUtils::jsonString(n["authenticationURL"], "(null)").c_str());
} else if (status == "OK") {
printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, (authenticationExpiryTime - OSUtils::now()) / 1000LL);
printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL);
}
}
}

1
service/OneService.cpp
View File

@ -254,6 +254,7 @@ static void _networkToJson(nlohmann::json &nj,const ZT_VirtualNetworkConfig *nc,
nj["authenticationURL"] = nc->authenticationURL;
nj["authenticationExpiryTime"] = nc->authenticationExpiryTime;
nj["ssoEnabled"] = nc->ssoEnabled;
}
static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer)