From 364ad87e2b9b7a7a7af2377f29ede5e749e93910 Mon Sep 17 00:00:00 2001
From: Grant Limberg
Date: Sat, 5 Jun 2021 13:44:45 -0700
Subject: [PATCH] add ssoEnabled flag to network config
---
 controller/EmbeddedNetworkController.cpp | 7 ++++---
 controller/PostgreSQL.cpp | 17 ++++++++++++-----
 include/ZeroTierOne.h | 9 +++++++--
 node/Network.cpp | 1 +
 node/NetworkConfig.cpp | 22 +++++++++++++++-------
 node/NetworkConfig.hpp | 16 +++++++++++++---
 one.cpp | 6 +++---
 service/OneService.cpp | 1 +
 8 files changed, 56 insertions(+), 23 deletions(-)
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 490dddc12..e2eaf75b6 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -720,7 +720,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 try {
 if (b.count("activeBridge")) member["activeBridge"] = OSUtils::jsonBool(b["activeBridge"], false);
 if (b.count("noAutoAssignIps")) member["noAutoAssignIps"] = OSUtils::jsonBool(b["noAutoAssignIps"], false);
- if (b.count("authenticationExpiryTime")) member["authenticationExpiryTime"] = (int64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], -1LL);
+ if (b.count("authenticationExpiryTime")) member["authenticationExpiryTime"] = (uint64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], 0ULL);
 if (b.count("authenticationURL")) member["authenticationURL"] = OSUtils::jsonString(b["authenticationURL"], "");
 if (b.count("remoteTraceTarget")) {
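Review bot: `(uint64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], 0ULL)` converts any negative value posted to the control plane into a value near 2^64, and since the check in `_request` (hunk at -1365) is now only `authenticationExpiryTime < now` on a `uint64_t`, such a member would never be pushed back through SSO re-authentication — a caller still sending the old `-1` sentinel ends up authenticated indefinitely, assuming jsonInt returns a signed 64-bit value as the old `-1LL` default suggests. Clamp before storing: `const int64_t t = OSUtils::jsonInt(b["authenticationExpiryTime"], 0LL);` and `member["authenticationExpiryTime"] = (uint64_t)((t < 0) ? 0 : t);`. The same signed-to-unsigned assignment recurs in `_request` itself (an `(int64_t)` cast stored into a `uint64_t`) and in `NetworkConfig::fromDictionary` (`d.getI(..., 0)` into the `uint64_t` member), so the clamp belongs wherever the value is first accepted. `handleControlPlaneHttpPOST` starts before and continues after this hunk.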
@@ -1365,9 +1365,9 @@ void EmbeddedNetworkController::_request(
 if (networkSSOEnabled && !memberSSOExempt) {
 std::string memberId = member["id"];
 fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
- int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
+ uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
 fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
- if ((authenticationExpiryTime == 0) || (authenticationExpiryTime < now)) {
+ if (authenticationExpiryTime < now) {
 std::string authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
 if (!authenticationURL.empty()) {
 Dictionary<3072> authInfo;
@@ -1445,6 +1445,7 @@ void EmbeddedNetworkController::_request(
 nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU);
 nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL);
+ nc->ssoEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
 nc->authenticationExpiryTime = OSUtils::jsonInt(member["authenticationExpiryTime"], 0LL);
diff --git a/controller/PostgreSQL.cpp b/controller/PostgreSQL.cpp
index c9637800b..229f4aa88 100644
--- a/controller/PostgreSQL.cpp
+++ b/controller/PostgreSQL.cpp
@@ -26,6 +26,8 @@
 #include
+#define ZT_TRACE 1
+
 using json = nlohmann::json;
 namespace {
@@ -233,10 +235,13 @@ bool PostgreSQL::save(nlohmann::json &record,bool notifyListeners)
 fprintf(stderr, "PostgreSQL::save\n");
 bool modified = false;
 try {
- if (!record.is_object())
+ if (!record.is_object()) {
+ fprintf(stderr, "record is not an object?!?\n");
 return false;
+ }
 const std::string objtype = record["objtype"];
 if (objtype == "network") {
+ fprintf(stderr, "network save\n");
 const uint64_t nwid = OSUtils::jsonIntHex(record["id"],0ULL);
 if (nwid) {
 nlohmann::json old;
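Review bot: `fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);` now passes a `uint64_t` to a `%lld` conversion, which is undefined behaviour and trips -Wformat, and the line above casts the parsed value to `(int64_t)` only to store it in a `uint64_t`. Suggest `uint64_t authenticationExpiryTime = (uint64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);` and `fprintf(stderr, "authExpiryTime: %llu\n", (unsigned long long)authenticationExpiryTime);`. If `now` is a signed `int64_t` here (its declaration is outside the hunk), the comparison `authenticationExpiryTime < now` converts it to unsigned; that is harmless while `now` is positive but deserves a comment such as `// authenticationExpiryTime is unsigned; now is positive, so the mixed-sign comparison is safe`. `_request` starts before and continues after this hunk.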
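Review bot: `#define ZT_TRACE 1` hard-coded into controller/PostgreSQL.cpp, together with the unconditional `fprintf(stderr, "record is not an object?!?\n");` and `fprintf(stderr, "network save\n");` added to `PostgreSQL::save` in the hunk at -233, reads as debugging output left in rather than part of the ssoEnabled feature the commit describes. The define sits after the `#include` lines, so whether it still affects anything compiled in this translation unit is not visible here; if trace output is wanted it should come from the build configuration, not a per-file define. Suggest dropping the define and either removing the two fprintf calls or guarding them behind a trace condition. `PostgreSQL::save` continues outside the hunk.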
@@ -1114,11 +1119,11 @@ void PostgreSQL::commitThread()
 "INSERT INTO ztc_network (id, creation_time, owner_id, controller_id, capabilities, enable_broadcast, "
 "last_modified, mtu, multicast_limit, name, private, "
 "remote_trace_level, remote_trace_target, rules, rules_source, "
- "tags, v4_assign_mode, v6_assign_mode) VALUES ("
+ "tags, v4_assign_mode, v6_assign_mode, sso_enabled) VALUES ("
 "$1, TO_TIMESTAMP($5::double precision/1000), "
 "(SELECT user_id AS owner_id FROM ztc_global_permissions WHERE authorize = true AND del = true AND modify = true AND read = true LIMIT 1),"
 "$2, $3, $4, TO_TIMESTAMP($5::double precision/1000), "
- "$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16) "
+ "$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, 17) "
 "ON CONFLICT (id) DO UPDATE set controller_id = EXCLUDED.controller_id, "
 "capabilities = EXCLUDED.capabilities, enable_broadcast = EXCLUDED.enable_broadcast, "
 "last_modified = EXCLUDED.last_modified, mtu = EXCLUDED.mtu, "
@@ -1126,7 +1131,8 @@ void PostgreSQL::commitThread()
 "private = EXCLUDED.private, remote_trace_level = EXCLUDED.remote_trace_level, "
 "remote_trace_target = EXCLUDED.remote_trace_target, rules = EXCLUDED.rules, "
 "rules_source = EXCLUDED.rules_source, tags = EXCLUDED.tags, "
- "v4_assign_mode = EXCLUDED.v4_assign_mode, v6_assign_mode = EXCLUDED.v6_assign_mode",
+ "v4_assign_mode = EXCLUDED.v4_assign_mode, v6_assign_mode = EXCLUDED.v6_assign_mode, "
+ "sso_enabled = EXCLUDED.sso_enabled",
 id,
 _myAddressStr,
 OSUtils::jsonDump((*config)["capabilitles"], -1),
@@ -1142,7 +1148,8 @@ void PostgreSQL::commitThread()
 rulesSource,
 OSUtils::jsonDump((*config)["tags"], -1),
 OSUtils::jsonDump((*config)["v4AssignMode"],-1),
- OSUtils::jsonDump((*config)["v6AssignMode"], -1));
+ OSUtils::jsonDump((*config)["v6AssignMode"], -1),
+ OSUtils::jsonBool((*config)["ssoEnabled"], false));
 res = w.exec_params0("DELETE FROM ztc_network_assignment_pool WHERE network_id = $1", 0);
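Review bot: `"$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, 17) "` is missing the `$` on the new placeholder, so the statement inserts the integer literal 17 into `sso_enabled` and never references the seventeenth bound parameter — the `OSUtils::jsonBool((*config)["ssoEnabled"], false)` argument added in the hunk at -1142. Depending on the column type and driver this either makes every network upsert fail (type mismatch or unreferenced parameter) or stores a truthy value for every network regardless of the flag, which would turn SSO enforcement on for networks that never asked for it. The line should read `"$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17) "`. `commitThread` starts before and continues after this hunk.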
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index f59efd5d9..f0a232480 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -1345,15 +1345,20 @@ typedef struct
 */
 ZT_VirtualNetworkDNS dns;
+ /**
+ * sso enabled
+ */
+ bool ssoEnabled;
+
 /**
 * If the status us AUTHENTICATION_REQUIRED, this may contain a URL for authentication.
 */
 char authenticationURL[2048];
 /**
- * Time that current authentication expires or -1 if external authentication is not required.
+ * Time that current authentication expires. only valid if ssoEnabled is true
 */
- int64_t authenticationExpiryTime;
+ uint64_t authenticationExpiryTime;
 } ZT_VirtualNetworkConfig;
 /**
diff --git a/node/Network.cpp b/node/Network.cpp
index f8d204de4..a9007258f 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -1435,6 +1435,7 @@ void Network::_externalConfig(ZT_VirtualNetworkConfig *ec) const
 Utils::scopy(ec->authenticationURL, sizeof(ec->authenticationURL), _authenticationURL.c_str());
 ec->authenticationExpiryTime = _config.authenticationExpiryTime;
+ ec->ssoEnabled = _config.ssoEnabled;
 }
 void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMulticastGroup)
diff --git a/node/NetworkConfig.cpp b/node/NetworkConfig.cpp
index 2673311f7..6d148cc45 100644
--- a/node/NetworkConfig.cpp
+++ b/node/NetworkConfig.cpp
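Review bot: `bool ssoEnabled;` is inserted into `ZT_VirtualNetworkConfig` ahead of `authenticationURL`, which shifts the offsets of the two members after it; `include/ZeroTierOne.h` reads as the public C API header, so anything built against the previous layout would need rebuilding, and appending the field at the end of the struct would avoid that. Changing `authenticationExpiryTime` from `int64_t` to `uint64_t` also silently changes meaning for external callers that still test `>= 0` for "no authentication required" — that test is now always true. The new doc comment `* sso enabled` should say what the flag gates, e.g. `/** Nonzero if this network uses SSO; authenticationURL and authenticationExpiryTime are only meaningful when set. */`. The `typedef struct` begins outside the hunk.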
@@ -182,10 +182,11 @@ bool NetworkConfig::toDictionary(Dictionary &d,b
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_DNS,*tmp)) return false;
 }
- if (this->authenticationURL[0]) {
- if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
- }
- if (this->authenticationExpiryTime >= 0) {
+ if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, this->ssoEnabled)) return false;
+ if (this->ssoEnabled) {
+ if (this->authenticationURL[0]) {
+ if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
+ }
 if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, this->authenticationExpiryTime)) return false;
 }
@@ -373,12 +374,19 @@ bool NetworkConfig::fromDictionary(const DictionaryauthenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
- this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0; // ensure null terminated
+
+ this->ssoEnabled = d.getB(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, false);
+ if (this->ssoEnabled) {
+ if (d.get(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
+ this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0; // ensure null terminated
+ } else {
+ this->authenticationURL[0] = 0;
+ }
+ this->authenticationExpiryTime = d.getI(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, 0);
 } else {
 this->authenticationURL[0] = 0;
+ this->authenticationExpiryTime = 0;
 }
- this->authenticationExpiryTime = d.getI(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, -1);
 }
 //printf("~~~\n%s\n~~~\n",d.data());
diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp
index d022359dd..301852adf 100644
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
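Review bot: The `fromDictionary` hunk header is garbled in this view (`DictionaryauthenticationURL, …`), so it is not visible whether the old `if (d.get(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, …) > 0) {` opener was removed; as rendered, the new `this->ssoEnabled = d.getB(…)` block starts inside it, and the context line `} else {` can only close `if (this->ssoEnabled) {` if that opener is gone, so the brace structure should be confirmed against the full file. The intent that the SSO flag is read unconditionally and the URL and expiry are reset when it is false deserves a comment above the `getB` call, e.g. `// SSO fields are only serialized when ssoEnabled is set (see toDictionary); reset them otherwise so stale values never survive a config update`. Both `toDictionary` and `fromDictionary` start outside their hunks.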
@@ -178,6 +178,8 @@ namespace ZeroTier {
 #define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATES_OF_OWNERSHIP "COO"
 // dns (binary blobs)
 #define ZT_NETWORKCONFIG_DICT_KEY_DNS "DNS"
+// sso enabld
+#define ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED "ssoe"
 // authentication URL
 #define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL "aurl"
 // authentication expiry
@@ -237,7 +239,10 @@ public:
 tags(),
 certificatesOfOwnership(),
 type(ZT_NETWORK_TYPE_PRIVATE),
- dnsCount(0)
+ dnsCount(0),
+ ssoEnabled(false),
+ authenticationURL(),
+ authenticationExpiryTime(0)
 {
 name[0] = 0;
 memset(specialists, 0, sizeof(uint64_t)*ZT_MAX_NETWORK_SPECIALISTS);
@@ -609,15 +614,20 @@ public:
 */
 ZT_VirtualNetworkDNS dns;
+ /**
+ * SSO enabled flag.
+ */
+ bool ssoEnabled;
+
 /**
 * Authentication URL if authentication is required
 */
 char authenticationURL[2048];
 /**
- * Time current authentication expires or -1 if external authentication is disabled
+ * Time current authentication expires or 0 if external authentication is disabled
 */
- int64_t authenticationExpiryTime;
+ uint64_t authenticationExpiryTime;
 };
 } // namespace ZeroTier
diff --git a/one.cpp b/one.cpp
index eb3198e7e..3d09245ba 100644
--- a/one.cpp
+++ b/one.cpp
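Review bot: `// sso enabld` above the new `ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED` define is misspelled; `// sso enabled`. The member doc `SSO enabled flag.` in the hunk at -609 would be more useful stating what it gates, since `toDictionary` only serializes the URL and expiry when it is set: `/** True if this network uses SSO; authenticationURL and authenticationExpiryTime are only populated when set. */`. The constructor hunk at -237 now value-initializes `authenticationURL()`, which zero-fills the 2048-byte array; that is correct, and a short `// zero-filled so the URL is always NUL-terminated` comment would record why the array is in the initializer list. The class body continues outside the hunks.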
@@ -795,12 +795,12 @@ static int cli(int argc,char **argv)
 OSUtils::jsonString(n["type"],"-").c_str(),
 OSUtils::jsonString(n["portDeviceName"],"-").c_str(),
 aa.c_str());
- int64_t authenticationExpiryTime = n["authenticationExpiryTime"];
- if (authenticationExpiryTime >= 0) {
+ if (OSUtils::jsonBool(n["ssoEnabled"], false)) {
+ uint64_t authenticationExpiryTime = n["authenticationExpiryTime"];
 if (status == "AUTHENTICATION_REQUIRED") {
 printf(" AUTH EXPIRED, URL: %s" ZT_EOL_S, OSUtils::jsonString(n["authenticationURL"], "(null)").c_str());
 } else if (status == "OK") {
- printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, (authenticationExpiryTime - OSUtils::now()) / 1000LL);
+ printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL);
 }
 }
 }
diff --git a/service/OneService.cpp b/service/OneService.cpp
index e545a2cc0..60c55a548 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -254,6 +254,7 @@ static void _networkToJson(nlohmann::json &nj,const ZT_VirtualNetworkConfig *nc,
 nj["authenticationURL"] = nc->authenticationURL;
 nj["authenticationExpiryTime"] = nc->authenticationExpiryTime;
+ nj["ssoEnabled"] = nc->ssoEnabled;
 }
 static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer)
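Review bot: `uint64_t authenticationExpiryTime = n["authenticationExpiryTime"];` relies on nlohmann's implicit conversion, which can throw a type error if the field is absent or null (for example when the service reports `ssoEnabled` but no expiry), whereas the surrounding code reads every other field through `OSUtils::jsonBool`/`OSUtils::jsonString` with a default. Keep it consistent: `uint64_t authenticationExpiryTime = (uint64_t)OSUtils::jsonInt(n["authenticationExpiryTime"], 0);`. The `((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL` argument also prints a negative "expires in" when the reported expiry is 0 while status is OK, which a reader may take for a bug; a `// negative when the controller reported an already-passed expiry` comment would help. `cli` starts before and continues after this hunk.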