ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-02-21 02:01:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

oidc stuff coming across the wire properly and generating a working login URL

Browse Source
This commit is contained in:
Grant Limberg 2021-12-01 13:01:32 -08:00
parent eaccce743f
commit 663a09b38d
No known key found for this signature in database
GPG Key ID: 2BA62CCABBB4095A
6 changed files with 26 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
controller/PostgreSQL.cpp
View File

@ -415,18 +415,20 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
exit(6);
}
r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.sso_impl_version "
r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.issuer, org.sso_impl_version "
"FROM ztc_network AS nw, ztc_org AS org "
"WHERE nw.id = $1 AND nw.sso_enabled = true AND org.owner_id = nw.owner_id", networkId);
std::string client_id = "";
std::string authorization_endpoint = "";
std::string issuer = "";
uint64_t sso_version = 0;
if (r.size() == 1) {
client_id = r.at(0)[0].as<std::string>();
authorization_endpoint = r.at(0)[1].as<std::string>();
sso_version = r.at(0)[2].as<uint64_t>();
issuer = r.at(0)[2].as<std::string>();
sso_version = r.at(0)[3].as<uint64_t>();
} else if (r.size() > 1) {
fprintf(stderr, "ERROR: More than one auth endpoint for an organization?!?!? NetworkID: %s\n", networkId.c_str());
} else {
@ -455,7 +457,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
info.authenticationURL = std::string(url);
} else if (info.version == 1) {
info.ssoClientID = client_id;
info.issuerURL = authorization_endpoint;
info.issuerURL = issuer;
info.ssoNonce = nonce;
info.ssoState = std::string(state_hex);
info.centralAuthURL = redirectURL;

2
node/IncomingPacket.cpp
View File

@ -221,7 +221,6 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
issuerURL[sizeof(issuerURL) - 1] = 0;
fprintf(stderr, "Issuer URL from info: %s\n", issuerURL);
}
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
@ -236,7 +235,6 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
ssoClientID[sizeof(ssoClientID) - 1] = 0;
}
fprintf(stderr, "Setting auth required on network\n");
network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
}
}

1
node/Network.cpp
View File

@ -1555,7 +1555,6 @@ void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const
_config.ssoEnabled = true;
_config.ssoVersion = 1;
fprintf(stderr, "Network::setAuthenticationRequired issuerURL: %s\n", issuerURL);
Utils::scopy(_config.issuerURL, sizeof(_config.issuerURL), issuerURL);
Utils::scopy(_config.centralAuthURL, sizeof(_config.centralAuthURL), centralEndpoint);
Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);

7
service/OneService.cpp
View File

@ -251,9 +251,7 @@ public:
const char* nwid = Utils::hex(nwc->nwid, nwbuf);
fprintf(stderr, "NetworkState::setConfig(%s)\n", nwid);
fprintf(stderr, "issuerUrl before: %s\n", nwc->issuerURL);
memcpy(&_config, nwc, sizeof(ZT_VirtualNetworkConfig));
fprintf(stderr, "issuerUrl after: %s\n", _config.issuerURL);
fprintf(stderr, "ssoEnabled: %s, ssoVersion: %d\n",
_config.ssoEnabled ? "true" : "false", _config.ssoVersion);
@ -443,7 +441,9 @@ static void _networkToJson(nlohmann::json &nj,NetworkState &ns)
}
nj["dns"] = m;
if (ns.config().ssoEnabled) {
nj["authenticationURL"] = ns.getAuthURL();
const char* authURL = ns.getAuthURL();
fprintf(stderr, "Auth URL: %s\n", authURL);
nj["authenticationURL"] = authURL;
nj["authenticationExpiryTime"] = ns.config().authenticationExpiryTime;
nj["ssoEnabled"] = ns.config().ssoEnabled;
}
@ -2665,7 +2665,6 @@ public:
// After setting up tap, fall through to CONFIG_UPDATE since we also want to do this...
case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE:
fprintf(stderr, "conf update issuerURL: %s\n", nwc->issuerURL);
n.setConfig(nwc);
if (n.tap()) { // sanity check

8
zeroidc/src/ext.rs
View File

@ -156,10 +156,14 @@ pub extern "C" fn zeroidc_auth_info_delete(ptr: *mut AuthInfo) {
#[no_mangle]
pub extern "C" fn zeroidc_get_auth_url(ptr: *mut AuthInfo) -> *const c_char {
if ptr.is_null() {
println!("passed a null object");
return std::ptr::null_mut();
}
let ai = unsafe {
assert!(!ptr.is_null());
&mut *ptr
};
let s = CString::new(ai.url.to_string()).unwrap();
return s.as_ptr();
return s.into_raw();
}

15
zeroidc/src/lib.rs
View File

@ -71,7 +71,10 @@ impl ZeroIDC {
let provider_meta = match CoreProviderMetadata::discover(&iss, http_client) {
Ok(m) => m,
Err(e) => return Err(e.to_string()),
Err(e) => {
println!("Error discovering provider metadata");
return Err(e.to_string());
},
};
let r = format!("http://localhost:{}/sso", local_web_port);
@ -85,7 +88,10 @@ impl ZeroIDC {
let redirect = match RedirectUrl::new(redir_url.to_string()) {
Ok(s) => s,
Err(e) => return Err(e.to_string()),
Err(e) => {
println!("Error generating RedirectURL instance from string: {}", redir_url.to_string());
return Err(e.to_string());
}
};
(*idc.inner.lock().unwrap()).oidc_client = Some(
@ -152,13 +158,16 @@ impl ZeroIDC {
csrf_func(csrf_token),
nonce_func(nonce),
)
.add_scope(Scope::new("read".to_string()))
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("offline_access".to_string()))
.add_scope(Scope::new("openid".to_string()))
.set_pkce_challenge(pkce_challenge)
.add_extra_param("network_id", network_id)
.url();
println!("URL: {}", auth_url);
return AuthInfo {
url: auth_url,
csrf_token,