Adjust deauth time window and send revocation when SSO members expire.

controller/DB.cpp

@@ -196,6 +196,14 @@ void DB::networks(std::set<uint64_t> &networks)
 		networks.insert(n->first);
 }
 
+void DB::networkMemberSSOHasExpired(uint64_t nwid, int64_t now) {
+	std::lock_guard<std::mutex> l(_networks_l);
+	auto nw = _networks.find(nwid);
+	if (nw != _networks.end()) {
+		nw->second->mostRecentDeauthTime = now;
+	}
+}
+
 void DB::_memberChanged(nlohmann::json &old,nlohmann::json &memberConfig,bool notifyListeners)
 {
 	uint64_t memberId = 0;

controller/DB.hpp

@@ -107,7 +107,9 @@ public:
 	virtual void eraseNetwork(const uint64_t networkId) = 0;
 	virtual void eraseMember(const uint64_t networkId,const uint64_t memberId) = 0;
 	virtual void nodeIsOnline(const uint64_t networkId,const uint64_t memberId,const InetAddress &physicalAddress) = 0;
+
 	virtual std::string getSSOAuthURL(const nlohmann::json &member, const std::string &redirectURL) { return ""; }
+	virtual void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
 
 	inline void addListener(DB::ChangeListener *const listener)
 	{

controller/DBMirrorSet.cpp

@@ -137,6 +137,14 @@ std::string DBMirrorSet::getSSOAuthURL(const nlohmann::json &member, const std::
 	return "";
 }
 
+void DBMirrorSet::networkMemberSSOHasExpired(uint64_t nwid, int64_t ts)
+{
+	std::lock_guard<std::mutex> l(_dbs_l);
+	for(auto d=_dbs.begin();d!=_dbs.end();++d) { 
+		(*d)->networkMemberSSOHasExpired(nwid, ts);
+	}
+}
+
 void DBMirrorSet::networks(std::set<uint64_t> &networks)
 {
 	std::lock_guard<std::mutex> l(_dbs_l);

controller/DBMirrorSet.hpp

@@ -52,6 +52,7 @@ public:
 	virtual void onNetworkMemberDeauthorize(const void *db,uint64_t networkId,uint64_t memberId);
 
 	std::string getSSOAuthURL(const nlohmann::json &member, const std::string &redirectURL);
+	void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
 
 	inline void addDB(const std::shared_ptr<DB> &db)
 	{

controller/EmbeddedNetworkController.cpp

@@ -1369,11 +1369,16 @@ void EmbeddedNetworkController::_request(
 		fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
 		if (authenticationExpiryTime < now) {
 			if (!authenticationURL.empty()) {
+				_db.networkMemberSSOHasExpired(nwid, now);
+				onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
+
 				Dictionary<3072> authInfo;
 				authInfo.add("aU", authenticationURL.c_str());
 				fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
+
 				DB::cleanMember(member);
 				_db.save(member,true);
+
 				_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 				return;
 			}

make-mac.mk

@@ -75,7 +75,7 @@ ifeq ($(ZT_DEBUG),1)
 node/Salsa20.o node/SHA512.o node/C25519.o node/Poly1305.o: CFLAGS = -Wall -O2 -g $(INCLUDES) $(DEFS)
 else
 	CFLAGS?=-Ofast -fstack-protector-strong
-	CFLAGS+=$(ARCH_FLAGS) -Wall -flto -fPIE -mmacosx-version-min=10.7 -DNDEBUG -Wno-unused-private-field $(INCLUDES) $(DEFS)
+	CFLAGS+=$(ARCH_FLAGS) -Wall -flto -fPIE -mmacosx-version-min=10.13 -DNDEBUG -Wno-unused-private-field $(INCLUDES) $(DEFS)
 	STRIP=strip
 endif
 
@@ -93,10 +93,10 @@ CXXFLAGS=$(CFLAGS) -std=c++11 -stdlib=libc++
 all: one
 
 ext/x64-salsa2012-asm/salsa2012.o:
-	as -arch x86_64 -mmacosx-version-min=10.7 -o ext/x64-salsa2012-asm/salsa2012.o ext/x64-salsa2012-asm/salsa2012.s
+	as -arch x86_64 -mmacosx-version-min=10.13 -o ext/x64-salsa2012-asm/salsa2012.o ext/x64-salsa2012-asm/salsa2012.s
 
 mac-agent: FORCE
-	$(CC) -Ofast $(ARCH_FLAGS) -mmacosx-version-min=10.7 -o MacEthernetTapAgent osdep/MacEthernetTapAgent.c
+	$(CC) -Ofast $(ARCH_FLAGS) -mmacosx-version-min=10.13 -o MacEthernetTapAgent osdep/MacEthernetTapAgent.c
 	$(CODESIGN) -f --options=runtime -s $(CODESIGN_APP_CERT) MacEthernetTapAgent
 
 osdep/MacDNSHelper.o: osdep/MacDNSHelper.mm