add ssoEnabled flag to network config
This commit is contained in:
parent
9380ef708a
commit
364ad87e2b
@ -720,7 +720,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
|
|||||||
try {
|
try {
|
||||||
if (b.count("activeBridge")) member["activeBridge"] = OSUtils::jsonBool(b["activeBridge"], false);
|
if (b.count("activeBridge")) member["activeBridge"] = OSUtils::jsonBool(b["activeBridge"], false);
|
||||||
if (b.count("noAutoAssignIps")) member["noAutoAssignIps"] = OSUtils::jsonBool(b["noAutoAssignIps"], false);
|
if (b.count("noAutoAssignIps")) member["noAutoAssignIps"] = OSUtils::jsonBool(b["noAutoAssignIps"], false);
|
||||||
if (b.count("authenticationExpiryTime")) member["authenticationExpiryTime"] = (int64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], -1LL);
|
if (b.count("authenticationExpiryTime")) member["authenticationExpiryTime"] = (uint64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], 0ULL);
|
||||||
if (b.count("authenticationURL")) member["authenticationURL"] = OSUtils::jsonString(b["authenticationURL"], "");
|
if (b.count("authenticationURL")) member["authenticationURL"] = OSUtils::jsonString(b["authenticationURL"], "");
|
||||||
|
|
||||||
if (b.count("remoteTraceTarget")) {
|
if (b.count("remoteTraceTarget")) {
|
||||||
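Review bot: The new cast on the `authenticationExpiryTime` line, `(uint64_t)OSUtils::jsonInt(b["authenticationExpiryTime"], 0ULL)`, stores whatever the API caller posts with no range check, so if jsonInt yields a signed 64-bit value (the previous version cast it to int64_t with a -1 default, which suggests it does) a negative value such as the old `-1` sentinel wraps to about 2^64 and, under the new `authenticationExpiryTime < now` test in _request, becomes "never expires". Because this field alone decides whether a member must re-authenticate through SSO, I would clamp before persisting: `const int64_t t = OSUtils::jsonInt(b["authenticationExpiryTime"], 0LL); member["authenticationExpiryTime"] = (uint64_t)((t > 0) ? t : 0);`. handleControlPlaneHttpPOST continues before and after this hunk, so any earlier validation of the body is not visible here.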
@ -1365,9 +1365,9 @@ void EmbeddedNetworkController::_request(
|
|||||||
if (networkSSOEnabled && !memberSSOExempt) {
|
if (networkSSOEnabled && !memberSSOExempt) {
|
||||||
std::string memberId = member["id"];
|
std::string memberId = member["id"];
|
||||||
fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
|
fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
|
||||||
int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
|
uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
|
||||||
fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
|
fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
|
||||||
if ((authenticationExpiryTime == 0) || (authenticationExpiryTime < now)) {
|
if (authenticationExpiryTime < now) {
|
||||||
std::string authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
|
std::string authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
|
||||||
if (!authenticationURL.empty()) {
|
if (!authenticationURL.empty()) {
|
||||||
Dictionary<3072> authInfo;
|
Dictionary<3072> authInfo;
|
||||||
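Review bot: The debug line `fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);` now passes a `uint64_t` to `%lld`, which is a format/argument mismatch (undefined behavior, and a -Wformat warning), and the line above it casts to `int64_t` only to store the result in a `uint64_t`. I would make the two consistent, e.g. `const uint64_t authenticationExpiryTime = (uint64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);` and `fprintf(stderr, "authExpiryTime: %llu\n", (unsigned long long)authenticationExpiryTime);`. Note also that the comparison `authenticationExpiryTime < now` mixes signedness if `now` is the int64_t timestamp ZeroTier normally uses; it works for positive times but a negative or wrapped expiry silently reads as "valid forever". Both stderr lines print the network and member IDs on every config request for an SSO network; consider gating them under the trace macro or removing them before merge. _request starts and ends outside this hunk.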
@ -1445,6 +1445,7 @@ void EmbeddedNetworkController::_request(
|
|||||||
nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU);
|
nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU);
|
||||||
nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL);
|
nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL);
|
||||||
|
|
||||||
|
nc->ssoEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
|
||||||
nc->authenticationExpiryTime = OSUtils::jsonInt(member["authenticationExpiryTime"], 0LL);
|
nc->authenticationExpiryTime = OSUtils::jsonInt(member["authenticationExpiryTime"], 0LL);
|
||||||
|
|
||||||
|
|
||||||
|
@ -26,6 +26,8 @@
|
|||||||
#include <climits>
|
#include <climits>
|
||||||
|
|
||||||
|
|
||||||
|
#define ZT_TRACE 1
|
||||||
|
|
||||||
using json = nlohmann::json;
|
using json = nlohmann::json;
|
||||||
|
|
||||||
namespace {
|
namespace {
|
||||||
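Review bot: The unconditional `#define ZT_TRACE 1` added after the includes turns trace output on for every build of this translation unit regardless of build configuration, which looks like a leftover from debugging rather than an intended default. If trace logging is wanted here, guard it (`#ifndef ZT_TRACE` / `#define ZT_TRACE 1` / `#endif`) so the build system can override it, or better, drop it and pass `-DZT_TRACE` when debugging. I cannot see what ZT_TRACE controls from this hunk, so the exact impact is presumably additional stderr logging elsewhere in the file.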
@ -233,10 +235,13 @@ bool PostgreSQL::save(nlohmann::json &record,bool notifyListeners)
|
|||||||
fprintf(stderr, "PostgreSQL::save\n");
|
fprintf(stderr, "PostgreSQL::save\n");
|
||||||
bool modified = false;
|
bool modified = false;
|
||||||
try {
|
try {
|
||||||
if (!record.is_object())
|
if (!record.is_object()) {
|
||||||
|
fprintf(stderr, "record is not an object?!?\n");
|
||||||
return false;
|
return false;
|
||||||
|
}
|
||||||
const std::string objtype = record["objtype"];
|
const std::string objtype = record["objtype"];
|
||||||
if (objtype == "network") {
|
if (objtype == "network") {
|
||||||
|
fprintf(stderr, "network save\n");
|
||||||
const uint64_t nwid = OSUtils::jsonIntHex(record["id"],0ULL);
|
const uint64_t nwid = OSUtils::jsonIntHex(record["id"],0ULL);
|
||||||
if (nwid) {
|
if (nwid) {
|
||||||
nlohmann::json old;
|
nlohmann::json old;
|
||||||
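Review bot: The new `fprintf(stderr, "PostgreSQL::save\n");` and `fprintf(stderr, "network save\n");` lines fire on every save, are not conditioned on any trace setting, and carry no identifying detail, so they add stderr noise without aiding diagnosis. I would remove them or fold them into the existing tracing with the network ID, e.g. `fprintf(stderr, "PostgreSQL::save network %.16llx\n", (unsigned long long)nwid);` after nwid is computed. The `"record is not an object?!?"` message is fine as a guard but reads as a debug string; a plain `"PostgreSQL::save: record is not a JSON object"` is clearer in logs. PostgreSQL::save continues past this hunk.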
@ -1114,11 +1119,11 @@ void PostgreSQL::commitThread()
|
|||||||
"INSERT INTO ztc_network (id, creation_time, owner_id, controller_id, capabilities, enable_broadcast, "
|
"INSERT INTO ztc_network (id, creation_time, owner_id, controller_id, capabilities, enable_broadcast, "
|
||||||
"last_modified, mtu, multicast_limit, name, private, "
|
"last_modified, mtu, multicast_limit, name, private, "
|
||||||
"remote_trace_level, remote_trace_target, rules, rules_source, "
|
"remote_trace_level, remote_trace_target, rules, rules_source, "
|
||||||
"tags, v4_assign_mode, v6_assign_mode) VALUES ("
|
"tags, v4_assign_mode, v6_assign_mode, sso_enabled) VALUES ("
|
||||||
"$1, TO_TIMESTAMP($5::double precision/1000), "
|
"$1, TO_TIMESTAMP($5::double precision/1000), "
|
||||||
"(SELECT user_id AS owner_id FROM ztc_global_permissions WHERE authorize = true AND del = true AND modify = true AND read = true LIMIT 1),"
|
"(SELECT user_id AS owner_id FROM ztc_global_permissions WHERE authorize = true AND del = true AND modify = true AND read = true LIMIT 1),"
|
||||||
"$2, $3, $4, TO_TIMESTAMP($5::double precision/1000), "
|
"$2, $3, $4, TO_TIMESTAMP($5::double precision/1000), "
|
||||||
"$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16) "
|
"$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, 17) "
|
||||||
"ON CONFLICT (id) DO UPDATE set controller_id = EXCLUDED.controller_id, "
|
"ON CONFLICT (id) DO UPDATE set controller_id = EXCLUDED.controller_id, "
|
||||||
"capabilities = EXCLUDED.capabilities, enable_broadcast = EXCLUDED.enable_broadcast, "
|
"capabilities = EXCLUDED.capabilities, enable_broadcast = EXCLUDED.enable_broadcast, "
|
||||||
"last_modified = EXCLUDED.last_modified, mtu = EXCLUDED.mtu, "
|
"last_modified = EXCLUDED.last_modified, mtu = EXCLUDED.mtu, "
|
||||||
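Review bot: The VALUES list now ends with `$16, 17)` instead of `$16, $17)`, so the 17th bound argument (the `ssoEnabled` bool added to exec_params0 later in this commit) is never referenced and the literal integer 17 is supplied for the `sso_enabled` column. I expect PostgreSQL to reject the bind because more parameters are supplied than the statement uses, which would make every network upsert fail; if it did execute, the column would be set from a constant rather than from the network record. The fix is the one character: `"$6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17) "`. PostgreSQL::commitThread starts and ends outside this hunk.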
@ -1126,7 +1131,8 @@ void PostgreSQL::commitThread()
|
|||||||
"private = EXCLUDED.private, remote_trace_level = EXCLUDED.remote_trace_level, "
|
"private = EXCLUDED.private, remote_trace_level = EXCLUDED.remote_trace_level, "
|
||||||
"remote_trace_target = EXCLUDED.remote_trace_target, rules = EXCLUDED.rules, "
|
"remote_trace_target = EXCLUDED.remote_trace_target, rules = EXCLUDED.rules, "
|
||||||
"rules_source = EXCLUDED.rules_source, tags = EXCLUDED.tags, "
|
"rules_source = EXCLUDED.rules_source, tags = EXCLUDED.tags, "
|
||||||
"v4_assign_mode = EXCLUDED.v4_assign_mode, v6_assign_mode = EXCLUDED.v6_assign_mode",
|
"v4_assign_mode = EXCLUDED.v4_assign_mode, v6_assign_mode = EXCLUDED.v6_assign_mode, "
|
||||||
|
"sso_enabled = EXCLUDED.sso_enabled",
|
||||||
id,
|
id,
|
||||||
_myAddressStr,
|
_myAddressStr,
|
||||||
OSUtils::jsonDump((*config)["capabilitles"], -1),
|
OSUtils::jsonDump((*config)["capabilitles"], -1),
|
||||||
@ -1142,7 +1148,8 @@ void PostgreSQL::commitThread()
|
|||||||
rulesSource,
|
rulesSource,
|
||||||
OSUtils::jsonDump((*config)["tags"], -1),
|
OSUtils::jsonDump((*config)["tags"], -1),
|
||||||
OSUtils::jsonDump((*config)["v4AssignMode"],-1),
|
OSUtils::jsonDump((*config)["v4AssignMode"],-1),
|
||||||
OSUtils::jsonDump((*config)["v6AssignMode"], -1));
|
OSUtils::jsonDump((*config)["v6AssignMode"], -1),
|
||||||
|
OSUtils::jsonBool((*config)["ssoEnabled"], false));
|
||||||
|
|
||||||
res = w.exec_params0("DELETE FROM ztc_network_assignment_pool WHERE network_id = $1", 0);
|
res = w.exec_params0("DELETE FROM ztc_network_assignment_pool WHERE network_id = $1", 0);
|
||||||
|
|
||||||
|
@ -1345,15 +1345,20 @@ typedef struct
|
|||||||
*/
|
*/
|
||||||
ZT_VirtualNetworkDNS dns;
|
ZT_VirtualNetworkDNS dns;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* sso enabled
|
||||||
|
*/
|
||||||
|
bool ssoEnabled;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* If the status us AUTHENTICATION_REQUIRED, this may contain a URL for authentication.
|
* If the status us AUTHENTICATION_REQUIRED, this may contain a URL for authentication.
|
||||||
*/
|
*/
|
||||||
char authenticationURL[2048];
|
char authenticationURL[2048];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Time that current authentication expires or -1 if external authentication is not required.
|
* Time that current authentication expires. only valid if ssoEnabled is true
|
||||||
*/
|
*/
|
||||||
int64_t authenticationExpiryTime;
|
uint64_t authenticationExpiryTime;
|
||||||
} ZT_VirtualNetworkConfig;
|
} ZT_VirtualNetworkConfig;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -1435,6 +1435,7 @@ void Network::_externalConfig(ZT_VirtualNetworkConfig *ec) const
|
|||||||
|
|
||||||
Utils::scopy(ec->authenticationURL, sizeof(ec->authenticationURL), _authenticationURL.c_str());
|
Utils::scopy(ec->authenticationURL, sizeof(ec->authenticationURL), _authenticationURL.c_str());
|
||||||
ec->authenticationExpiryTime = _config.authenticationExpiryTime;
|
ec->authenticationExpiryTime = _config.authenticationExpiryTime;
|
||||||
|
ec->ssoEnabled = _config.ssoEnabled;
|
||||||
}
|
}
|
||||||
|
|
||||||
void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMulticastGroup)
|
void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMulticastGroup)
|
||||||
|
@ -182,10 +182,11 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
|
|||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_DNS,*tmp)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_DNS,*tmp)) return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (this->authenticationURL[0]) {
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, this->ssoEnabled)) return false;
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
|
if (this->ssoEnabled) {
|
||||||
}
|
if (this->authenticationURL[0]) {
|
||||||
if (this->authenticationExpiryTime >= 0) {
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL)) return false;
|
||||||
|
}
|
||||||
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, this->authenticationExpiryTime)) return false;
|
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, this->authenticationExpiryTime)) return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -373,12 +374,19 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
|
|||||||
DNS::deserializeDNS(*tmp, p, &dns);
|
DNS::deserializeDNS(*tmp, p, &dns);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
|
|
||||||
this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0; // ensure null terminated
|
this->ssoEnabled = d.getB(ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED, false);
|
||||||
|
if (this->ssoEnabled) {
|
||||||
|
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL, this->authenticationURL, (unsigned int)sizeof(this->authenticationURL)) > 0) {
|
||||||
|
this->authenticationURL[sizeof(this->authenticationURL) - 1] = 0; // ensure null terminated
|
||||||
|
} else {
|
||||||
|
this->authenticationURL[0] = 0;
|
||||||
|
}
|
||||||
|
this->authenticationExpiryTime = d.getI(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, 0);
|
||||||
} else {
|
} else {
|
||||||
this->authenticationURL[0] = 0;
|
this->authenticationURL[0] = 0;
|
||||||
|
this->authenticationExpiryTime = 0;
|
||||||
}
|
}
|
||||||
this->authenticationExpiryTime = d.getI(ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_EXPIRY_TIME, -1);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//printf("~~~\n%s\n~~~\n",d.data());
|
//printf("~~~\n%s\n~~~\n",d.data());
|
||||||
|
@ -178,6 +178,8 @@ namespace ZeroTier {
|
|||||||
#define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATES_OF_OWNERSHIP "COO"
|
#define ZT_NETWORKCONFIG_DICT_KEY_CERTIFICATES_OF_OWNERSHIP "COO"
|
||||||
// dns (binary blobs)
|
// dns (binary blobs)
|
||||||
#define ZT_NETWORKCONFIG_DICT_KEY_DNS "DNS"
|
#define ZT_NETWORKCONFIG_DICT_KEY_DNS "DNS"
|
||||||
|
// sso enabld
|
||||||
|
#define ZT_NETWORKCONFIG_DICT_KEY_SSO_ENABLED "ssoe"
|
||||||
// authentication URL
|
// authentication URL
|
||||||
#define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL "aurl"
|
#define ZT_NETWORKCONFIG_DICT_KEY_AUTHENTICATION_URL "aurl"
|
||||||
// authentication expiry
|
// authentication expiry
|
||||||
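Review bot: The comment on the new key has a typo, `// sso enabld`; since the neighbouring keys document their value type it should read `// SSO enabled (boolean)`. The short key `"ssoe"` itself follows the existing `"aurl"` convention and is fine.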
@ -237,7 +239,10 @@ public:
|
|||||||
tags(),
|
tags(),
|
||||||
certificatesOfOwnership(),
|
certificatesOfOwnership(),
|
||||||
type(ZT_NETWORK_TYPE_PRIVATE),
|
type(ZT_NETWORK_TYPE_PRIVATE),
|
||||||
dnsCount(0)
|
dnsCount(0),
|
||||||
|
ssoEnabled(false),
|
||||||
|
authenticationURL(),
|
||||||
|
authenticationExpiryTime(0)
|
||||||
{
|
{
|
||||||
name[0] = 0;
|
name[0] = 0;
|
||||||
memset(specialists, 0, sizeof(uint64_t)*ZT_MAX_NETWORK_SPECIALISTS);
|
memset(specialists, 0, sizeof(uint64_t)*ZT_MAX_NETWORK_SPECIALISTS);
|
||||||
@ -609,15 +614,20 @@ public:
|
|||||||
*/
|
*/
|
||||||
ZT_VirtualNetworkDNS dns;
|
ZT_VirtualNetworkDNS dns;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* SSO enabled flag.
|
||||||
|
*/
|
||||||
|
bool ssoEnabled;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Authentication URL if authentication is required
|
* Authentication URL if authentication is required
|
||||||
*/
|
*/
|
||||||
char authenticationURL[2048];
|
char authenticationURL[2048];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Time current authentication expires or -1 if external authentication is disabled
|
* Time current authentication expires or 0 if external authentication is disabled
|
||||||
*/
|
*/
|
||||||
int64_t authenticationExpiryTime;
|
uint64_t authenticationExpiryTime;
|
||||||
};
|
};
|
||||||
|
|
||||||
} // namespace ZeroTier
|
} // namespace ZeroTier
|
||||||
|
6
one.cpp
6
one.cpp
@ -795,12 +795,12 @@ static int cli(int argc,char **argv)
|
|||||||
OSUtils::jsonString(n["type"],"-").c_str(),
|
OSUtils::jsonString(n["type"],"-").c_str(),
|
||||||
OSUtils::jsonString(n["portDeviceName"],"-").c_str(),
|
OSUtils::jsonString(n["portDeviceName"],"-").c_str(),
|
||||||
aa.c_str());
|
aa.c_str());
|
||||||
int64_t authenticationExpiryTime = n["authenticationExpiryTime"];
|
if (OSUtils::jsonBool(n["ssoEnabled"], false)) {
|
||||||
if (authenticationExpiryTime >= 0) {
|
uint64_t authenticationExpiryTime = n["authenticationExpiryTime"];
|
||||||
if (status == "AUTHENTICATION_REQUIRED") {
|
if (status == "AUTHENTICATION_REQUIRED") {
|
||||||
printf(" AUTH EXPIRED, URL: %s" ZT_EOL_S, OSUtils::jsonString(n["authenticationURL"], "(null)").c_str());
|
printf(" AUTH EXPIRED, URL: %s" ZT_EOL_S, OSUtils::jsonString(n["authenticationURL"], "(null)").c_str());
|
||||||
} else if (status == "OK") {
|
} else if (status == "OK") {
|
||||||
printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, (authenticationExpiryTime - OSUtils::now()) / 1000LL);
|
printf(" AUTH OK, expires in: %lld seconds" ZT_EOL_S, ((int64_t)authenticationExpiryTime - OSUtils::now()) / 1000LL);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -254,6 +254,7 @@ static void _networkToJson(nlohmann::json &nj,const ZT_VirtualNetworkConfig *nc,
|
|||||||
|
|
||||||
nj["authenticationURL"] = nc->authenticationURL;
|
nj["authenticationURL"] = nc->authenticationURL;
|
||||||
nj["authenticationExpiryTime"] = nc->authenticationExpiryTime;
|
nj["authenticationExpiryTime"] = nc->authenticationExpiryTime;
|
||||||
|
nj["ssoEnabled"] = nc->ssoEnabled;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer)
|
static void _peerToJson(nlohmann::json &pj,const ZT_Peer *peer)
|
||||||
|