oidc stuff coming across the wire properly and generating a working login URL
This commit is contained in:
parent
eaccce743f
commit
663a09b38d
@ -415,18 +415,20 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
|
|||||||
exit(6);
|
exit(6);
|
||||||
}
|
}
|
||||||
|
|
||||||
r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.sso_impl_version "
|
r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.issuer, org.sso_impl_version "
|
||||||
"FROM ztc_network AS nw, ztc_org AS org "
|
"FROM ztc_network AS nw, ztc_org AS org "
|
||||||
"WHERE nw.id = $1 AND nw.sso_enabled = true AND org.owner_id = nw.owner_id", networkId);
|
"WHERE nw.id = $1 AND nw.sso_enabled = true AND org.owner_id = nw.owner_id", networkId);
|
||||||
|
|
||||||
std::string client_id = "";
|
std::string client_id = "";
|
||||||
std::string authorization_endpoint = "";
|
std::string authorization_endpoint = "";
|
||||||
|
std::string issuer = "";
|
||||||
uint64_t sso_version = 0;
|
uint64_t sso_version = 0;
|
||||||
|
|
||||||
if (r.size() == 1) {
|
if (r.size() == 1) {
|
||||||
client_id = r.at(0)[0].as<std::string>();
|
client_id = r.at(0)[0].as<std::string>();
|
||||||
authorization_endpoint = r.at(0)[1].as<std::string>();
|
authorization_endpoint = r.at(0)[1].as<std::string>();
|
||||||
sso_version = r.at(0)[2].as<uint64_t>();
|
issuer = r.at(0)[2].as<std::string>();
|
||||||
|
sso_version = r.at(0)[3].as<uint64_t>();
|
||||||
} else if (r.size() > 1) {
|
} else if (r.size() > 1) {
|
||||||
fprintf(stderr, "ERROR: More than one auth endpoint for an organization?!?!? NetworkID: %s\n", networkId.c_str());
|
fprintf(stderr, "ERROR: More than one auth endpoint for an organization?!?!? NetworkID: %s\n", networkId.c_str());
|
||||||
} else {
|
} else {
|
||||||
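Review bot: The result columns are read by position (`r.at(0)[2]`, `r.at(0)[3]`), which is exactly why adding `org.issuer` to the SELECT forced the `sso_version` read to move from index 2 to 3; reading by column name, `issuer = r.at(0)["issuer"].as<std::string>();` and `sso_version = r.at(0)["sso_impl_version"].as<uint64_t>();`, keeps these reads stable the next time the query grows. If `org.issuer` can be NULL for an organization that has not configured it yet, `as<std::string>()` throws on a null field; pqxx's defaulted overload `as<std::string>("")` would preserve the empty-string fallback the variable is initialised with, unless failing loudly there is the intent. getSSOAuthInfo starts before and ends after this hunk.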
@ -455,7 +457,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
|
|||||||
info.authenticationURL = std::string(url);
|
info.authenticationURL = std::string(url);
|
||||||
} else if (info.version == 1) {
|
} else if (info.version == 1) {
|
||||||
info.ssoClientID = client_id;
|
info.ssoClientID = client_id;
|
||||||
info.issuerURL = authorization_endpoint;
|
info.issuerURL = issuer;
|
||||||
info.ssoNonce = nonce;
|
info.ssoNonce = nonce;
|
||||||
info.ssoState = std::string(state_hex);
|
info.ssoState = std::string(state_hex);
|
||||||
info.centralAuthURL = redirectURL;
|
info.centralAuthURL = redirectURL;
|
||||||
|
@ -221,7 +221,6 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
|
|||||||
|
|
||||||
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
|
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
|
||||||
issuerURL[sizeof(issuerURL) - 1] = 0;
|
issuerURL[sizeof(issuerURL) - 1] = 0;
|
||||||
fprintf(stderr, "Issuer URL from info: %s\n", issuerURL);
|
|
||||||
}
|
}
|
||||||
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
|
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
|
||||||
centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
|
centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
|
||||||
@ -236,7 +235,6 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
|
|||||||
ssoClientID[sizeof(ssoClientID) - 1] = 0;
|
ssoClientID[sizeof(ssoClientID) - 1] = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
fprintf(stderr, "Setting auth required on network\n");
|
|
||||||
network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
|
network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1555,7 +1555,6 @@ void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const
|
|||||||
_config.ssoEnabled = true;
|
_config.ssoEnabled = true;
|
||||||
_config.ssoVersion = 1;
|
_config.ssoVersion = 1;
|
||||||
|
|
||||||
fprintf(stderr, "Network::setAuthenticationRequired issuerURL: %s\n", issuerURL);
|
|
||||||
Utils::scopy(_config.issuerURL, sizeof(_config.issuerURL), issuerURL);
|
Utils::scopy(_config.issuerURL, sizeof(_config.issuerURL), issuerURL);
|
||||||
Utils::scopy(_config.centralAuthURL, sizeof(_config.centralAuthURL), centralEndpoint);
|
Utils::scopy(_config.centralAuthURL, sizeof(_config.centralAuthURL), centralEndpoint);
|
||||||
Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);
|
Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);
|
||||||
|
@ -251,9 +251,7 @@ public:
|
|||||||
const char* nwid = Utils::hex(nwc->nwid, nwbuf);
|
const char* nwid = Utils::hex(nwc->nwid, nwbuf);
|
||||||
fprintf(stderr, "NetworkState::setConfig(%s)\n", nwid);
|
fprintf(stderr, "NetworkState::setConfig(%s)\n", nwid);
|
||||||
|
|
||||||
fprintf(stderr, "issuerUrl before: %s\n", nwc->issuerURL);
|
|
||||||
memcpy(&_config, nwc, sizeof(ZT_VirtualNetworkConfig));
|
memcpy(&_config, nwc, sizeof(ZT_VirtualNetworkConfig));
|
||||||
fprintf(stderr, "issuerUrl after: %s\n", _config.issuerURL);
|
|
||||||
fprintf(stderr, "ssoEnabled: %s, ssoVersion: %d\n",
|
fprintf(stderr, "ssoEnabled: %s, ssoVersion: %d\n",
|
||||||
_config.ssoEnabled ? "true" : "false", _config.ssoVersion);
|
_config.ssoEnabled ? "true" : "false", _config.ssoVersion);
|
||||||
|
|
||||||
@ -443,7 +441,9 @@ static void _networkToJson(nlohmann::json &nj,NetworkState &ns)
|
|||||||
}
|
}
|
||||||
nj["dns"] = m;
|
nj["dns"] = m;
|
||||||
if (ns.config().ssoEnabled) {
|
if (ns.config().ssoEnabled) {
|
||||||
nj["authenticationURL"] = ns.getAuthURL();
|
const char* authURL = ns.getAuthURL();
|
||||||
|
fprintf(stderr, "Auth URL: %s\n", authURL);
|
||||||
|
nj["authenticationURL"] = authURL;
|
||||||
nj["authenticationExpiryTime"] = ns.config().authenticationExpiryTime;
|
nj["authenticationExpiryTime"] = ns.config().authenticationExpiryTime;
|
||||||
nj["ssoEnabled"] = ns.config().ssoEnabled;
|
nj["ssoEnabled"] = ns.config().ssoEnabled;
|
||||||
}
|
}
|
||||||
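Review bot: `authURL` is passed to `fprintf` with `%s` and then assigned into `nj` without a null check; if `ns.getAuthURL()` can yield a null pointer (the Rust `zeroidc_get_auth_url` in this same commit returns null for a null object), both the `%s` and the `nlohmann::json` assignment from a null `const char*` are undefined behaviour, so guard it: `if (authURL) { nj["authenticationURL"] = authURL; }`. The logged URL also carries the `state` and `nonce` query parameters that the login flow relies on, and this commit removes the equivalent debug prints elsewhere, so the `fprintf` is better dropped or kept behind a debug flag. If `getAuthURL()` hands back the `into_raw()` buffer from the Rust side, the string is copied into `nj` but the buffer itself is never released here, which would leak one allocation per status request; confirm who owns that pointer.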
@ -2665,7 +2665,6 @@ public:
|
|||||||
// After setting up tap, fall through to CONFIG_UPDATE since we also want to do this...
|
// After setting up tap, fall through to CONFIG_UPDATE since we also want to do this...
|
||||||
|
|
||||||
case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE:
|
case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE:
|
||||||
fprintf(stderr, "conf update issuerURL: %s\n", nwc->issuerURL);
|
|
||||||
n.setConfig(nwc);
|
n.setConfig(nwc);
|
||||||
|
|
||||||
if (n.tap()) { // sanity check
|
if (n.tap()) { // sanity check
|
||||||
|
@ -156,10 +156,14 @@ pub extern "C" fn zeroidc_auth_info_delete(ptr: *mut AuthInfo) {
|
|||||||
|
|
||||||
#[no_mangle]
|
#[no_mangle]
|
||||||
pub extern "C" fn zeroidc_get_auth_url(ptr: *mut AuthInfo) -> *const c_char {
|
pub extern "C" fn zeroidc_get_auth_url(ptr: *mut AuthInfo) -> *const c_char {
|
||||||
|
if ptr.is_null() {
|
||||||
|
println!("passed a null object");
|
||||||
|
return std::ptr::null_mut();
|
||||||
|
}
|
||||||
let ai = unsafe {
|
let ai = unsafe {
|
||||||
assert!(!ptr.is_null());
|
|
||||||
&mut *ptr
|
&mut *ptr
|
||||||
};
|
};
|
||||||
|
|
||||||
let s = CString::new(ai.url.to_string()).unwrap();
|
let s = CString::new(ai.url.to_string()).unwrap();
|
||||||
return s.as_ptr();
|
return s.into_raw();
|
||||||
}
|
}
|
||||||
|
@ -71,7 +71,10 @@ impl ZeroIDC {
|
|||||||
|
|
||||||
let provider_meta = match CoreProviderMetadata::discover(&iss, http_client) {
|
let provider_meta = match CoreProviderMetadata::discover(&iss, http_client) {
|
||||||
Ok(m) => m,
|
Ok(m) => m,
|
||||||
Err(e) => return Err(e.to_string()),
|
Err(e) => {
|
||||||
|
println!("Error discovering provider metadata");
|
||||||
|
return Err(e.to_string());
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
let r = format!("http://localhost:{}/sso", local_web_port);
|
let r = format!("http://localhost:{}/sso", local_web_port);
|
||||||
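Review bot: The new error branch prints a fixed message with `println!` to stdout and leaves the discovery error `e` out of the message even though it is the one useful diagnostic; `eprintln!("Error discovering provider metadata: {}", e);` keeps it on stderr with the cause. The `RedirectUrl` branch in the next hunk has the same shape and would benefit from the same treatment, where `{}` can format `redir_url` directly without the extra `.to_string()`. The enclosing function starts before and ends after this hunk.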
@ -85,7 +88,10 @@ impl ZeroIDC {
|
|||||||
|
|
||||||
let redirect = match RedirectUrl::new(redir_url.to_string()) {
|
let redirect = match RedirectUrl::new(redir_url.to_string()) {
|
||||||
Ok(s) => s,
|
Ok(s) => s,
|
||||||
Err(e) => return Err(e.to_string()),
|
Err(e) => {
|
||||||
|
println!("Error generating RedirectURL instance from string: {}", redir_url.to_string());
|
||||||
|
return Err(e.to_string());
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
(*idc.inner.lock().unwrap()).oidc_client = Some(
|
(*idc.inner.lock().unwrap()).oidc_client = Some(
|
||||||
@ -152,13 +158,16 @@ impl ZeroIDC {
|
|||||||
csrf_func(csrf_token),
|
csrf_func(csrf_token),
|
||||||
nonce_func(nonce),
|
nonce_func(nonce),
|
||||||
)
|
)
|
||||||
.add_scope(Scope::new("read".to_string()))
|
.add_scope(Scope::new("profile".to_string()))
|
||||||
|
.add_scope(Scope::new("email".to_string()))
|
||||||
.add_scope(Scope::new("offline_access".to_string()))
|
.add_scope(Scope::new("offline_access".to_string()))
|
||||||
.add_scope(Scope::new("openid".to_string()))
|
.add_scope(Scope::new("openid".to_string()))
|
||||||
.set_pkce_challenge(pkce_challenge)
|
.set_pkce_challenge(pkce_challenge)
|
||||||
.add_extra_param("network_id", network_id)
|
.add_extra_param("network_id", network_id)
|
||||||
.url();
|
.url();
|
||||||
|
|
||||||
|
println!("URL: {}", auth_url);
|
||||||
|
|
||||||
return AuthInfo {
|
return AuthInfo {
|
||||||
url: auth_url,
|
url: auth_url,
|
||||||
csrf_token,
|
csrf_token,
|
||||||
|
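Review bot: `println!("URL: {}", auth_url);` writes the complete authorization URL, including the `state` (CSRF token), `nonce` and PKCE challenge query parameters, to stdout on every call; this commit removes the matching C++ debug prints, and this one should go with them or sit behind a debug flag, since `state` and `nonce` are the values the flow relies on to bind the provider's response to this request. The switch from the `read` scope to `profile` plus `email` deserves a one-line comment naming what consumes those claims, so the next reader does not trim them back. The enclosing function starts before this hunk.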