diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 812fdd606..6a8c9dd4b 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1338,7 +1338,7 @@ void EmbeddedNetworkController::_request(
 			bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
 			bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false);
 			AuthInfo info;
-			if (networkSSOEnabled && ! memberSSOExempt) {
+			if (networkSSOEnabled && !memberSSOExempt) {
 				info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
 				assert(info.enabled == networkSSOEnabled);
@@ -1364,24 +1364,23 @@ void EmbeddedNetworkController::_request(
 						return;
 					}
 				} else if (info.version == 1) {
-					if (!info.authenticationURL.empty()) {
-						_db.networkMemberSSOHasExpired(nwid, now);
-						onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
+					_db.networkMemberSSOHasExpired(nwid, now);
+					onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
-						Dictionary<8192> authInfo;
-						authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
-						authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
-						authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
-						authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
-						authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
-						authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
+					Dictionary<8192> authInfo;
+					authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
+					authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
+					authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
+					authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
+					authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
+					authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
-						DB::cleanMember(member);
-						_db.save(member, true);
+					DB::cleanMember(member);
+					_db.save(member, true);
-						_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
-						return;
-					}
+					fprintf(stderr, "Sending NC_ERROR_AUTHENTICATION_REQUIRED\n");
+					_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
+					return;
 				} else {
 					fprintf(stderr, "invalid sso info.version %llu\n", info.version);
 				}
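Review bot: Dropping the `authenticationURL.empty()` guard means the version-1 branch now expires and deauthorizes the member and sends NC_ERROR_AUTHENTICATION_REQUIRED even when the SSO fields it packs (`issuerURL`, `centralAuthURL`, `ssoClientID`) are empty, so a partially populated AuthInfo produces a deauth plus an unusable auth-info dictionary where it previously produced nothing. If the old guard was merely checking the wrong (v0) field, the intent is preserved by guarding on the v1 fields instead: `if (!info.issuerURL.empty() && !info.centralAuthURL.empty() && !info.ssoClientID.empty()) {` around the same body. The added `fprintf(stderr, "Sending NC_ERROR_AUTHENTICATION_REQUIRED\n")` reads as debug output left in the request path and should be removed or gated behind a trace condition. The enclosing `_request` body starts and ends outside the hunk.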
@@ -1472,6 +1471,7 @@ void EmbeddedNetworkController::_request(
 					Utils::scopy(nc->centralAuthURL, sizeof(nc->centralAuthURL), info.centralAuthURL.c_str());
 				}
 				if (!info.issuerURL.empty()) {
+					fprintf(stderr, "copying issuerURL to nc: %s\n", info.issuerURL.c_str());
 					Utils::scopy(nc->issuerURL, sizeof(nc->issuerURL), info.issuerURL.c_str());
 				}
 				if (!info.ssoNonce.empty()) {
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index 15003b4eb..fbf3dd029 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -191,9 +191,9 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 			}
 			break;
 		case Packet::ERROR_NETWORK_AUTHENTICATION_REQUIRED: {
+			fprintf(stderr, "\nPacket::ERROR_NETWORK_AUTHENTICATION_REQUIRED\n\n");
 			const SharedPtr network(RR->node->network(at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD)));
 			if ((network)&&(network->controller() == peer->address())) {
-				bool noUrl = true;
 				int s = (int)size() - (ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 8);
 				if (s > 2) {
 					const uint16_t errorDataSize = at(ZT_PROTO_VERB_ERROR_IDX_PAYLOAD + 8);
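Review bot: The added `fprintf(stderr, "copying issuerURL to nc: %s\n", ...)` is unconditional debug output on the controller's network-config build path and will write the issuer URL to stderr for every request on an SSO-enabled network; remove it or gate it behind whatever trace facility the controller already uses. The enclosing `_request` body starts and ends outside the hunk.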
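Review bot: The new `fprintf(stderr, "\nPacket::ERROR_NETWORK_AUTHENTICATION_REQUIRED\n\n")` runs before the `network->controller() == peer->address()` check, so any peer that sends this ERROR verb naming a joined network now causes a stderr write, not only the controller; if the trace is kept it belongs inside that `if`, and it should not ship as-is. Removing `bool noUrl = true;` here is only consistent with the rewritten handling further down in `_doERROR`, which this hunk does not show. The enclosing case block continues past the hunk.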
@@ -204,55 +204,43 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 						uint64_t authVer = authInfo.getUI(ZT_AUTHINFO_DICT_KEY_VERSION, 0ULL);
 						if (authVer == 0) {
+							fprintf(stderr, "authVer == 1\n");
 							char authenticationURL[2048];
-
+
 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, authenticationURL, sizeof(authenticationURL)) > 0) {
 								authenticationURL[sizeof(authenticationURL) - 1] = 0; // ensure always zero terminated
 								network->setAuthenticationRequired(authenticationURL);
-								noUrl = false;
 							}
 						} else if (authVer == 1) {
-							bool haveIssuerURL = false;
+							fprintf(stderr, "authVer == 2\n");
 							char issuerURL[2048] = { 0 };
-							bool haveCentralURL = false;
 							char centralAuthURL[2048] = { 0 };
-							bool haveNonce = false;
 							char ssoNonce[64] = { 0 };
-							bool haveState = false;
 							char ssoState[128] = {0};
-							bool haveClientID = false;
 							char ssoClientID[256] = { 0 };
 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
 								issuerURL[sizeof(issuerURL) - 1] = 0;
-								haveIssuerURL = true;
 							}
 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
 								centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
-								haveCentralURL = true;
 							}
 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_NONCE, ssoNonce, sizeof(ssoNonce)) > 0) {
 								ssoNonce[sizeof(ssoNonce) - 1] = 0;
-								haveNonce = true;
 							}
 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_STATE, ssoState, sizeof(ssoState)) > 0) {
 								ssoState[sizeof(ssoState) - 1] = 0;
-								haveState = true;
 							}
 							if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, ssoClientID, sizeof(ssoClientID)) > 0) {
 								ssoClientID[sizeof(ssoClientID) - 1] = 0;
-								haveClientID = true;
 							}
-							noUrl = !(haveIssuerURL && haveCentralURL && haveNonce && haveState && haveClientID);
-
-							if (!noUrl) {
-								network->setAuthenticationRequired(issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
-							}
+							fprintf(stderr, "Setting auth required on network\n");
+							network->setAuthenticationRequired(issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
 						}
 					}
-				}
-				if (noUrl) {
+				} else {
+					fprintf(stderr, "authinfo??????\n");
 					network->setAuthenticationRequired("");
 				}
 			}
diff --git a/node/NetworkConfig.cpp b/node/NetworkConfig.cpp
index 2b76b6730..4615b66a7 100644
--- a/node/NetworkConfig.cpp
+++ b/node/NetworkConfig.cpp
@@ -412,6 +412,7 @@ bool NetworkConfig::fromDictionary(const DictionaryissuerURL, (unsigned int)sizeof(this->issuerURL)) > 0) {
 		this->issuerURL[sizeof(this->issuerURL) - 1] = 0;
+		fprintf(stderr, "Loaded issuer url: %s\n", this->issuerURL);
 	}
 	if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CENTRAL_ENDPOINT_URL, this->centralAuthURL, (unsigned int)sizeof(this->centralAuthURL)) > 0) {
 		this->centralAuthURL[sizeof(this->centralAuthURL) - 1] = 0;
@@ -432,6 +433,7 @@ bool NetworkConfig::fromDictionary(const DictionaryssoNonce[0] = 0;
 			this->ssoState[0] = 0;
 			this->ssoClientID[0] = 0;
+			this->issuerURL[0] = 0;
 		}
 	}
 }
diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp
index 8c08838c5..b09b8aa19 100644
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
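Review bot: In the `authVer == 1` branch, `network->setAuthenticationRequired(issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState)` is now called even when some or all of the dictionary keys were absent, so a controller-originated ERROR with a partial auth-info dictionary puts the network into an authentication-required state with an empty issuer URL, client ID, nonce or state — exactly what the removed `haveIssuerURL && … && haveClientID` check rejected, and values the OIDC flow downstream presumably cannot use. Keep the presence check on the zero-initialised buffers, e.g. `if (issuerURL[0] && centralAuthURL[0] && ssoNonce[0] && ssoState[0] && ssoClientID[0]) { network->setAuthenticationRequired(issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState); }`. Turning the trailing `if (noUrl)` into an `else` on `if (s > 2)` also changes behaviour: a version-0 payload without an `AUTHENTICATION_URL` key, or an unknown version, no longer reaches `setAuthenticationRequired("")` and silently keeps the previous state, which may or may not be intended. The stderr traces are mislabeled (`"authVer == 1\n"` is printed when `authVer == 0`, `"authVer == 2\n"` when it is 1) and `"authinfo??????\n"` should not ship. The enclosing `_doERROR` case starts before the hunk.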
@@ -94,7 +94,7 @@ namespace ZeroTier {
 // Dictionary capacity needed for max size network config
-#define ZT_NETWORKCONFIG_DICT_CAPACITY (4096 + (sizeof(ZT_VirtualNetworkRule) * ZT_MAX_NETWORK_RULES) + (sizeof(Capability) * ZT_MAX_NETWORK_CAPABILITIES) + (sizeof(Tag) * ZT_MAX_NETWORK_TAGS) + (sizeof(CertificateOfOwnership) * ZT_MAX_CERTIFICATES_OF_OWNERSHIP))
+#define ZT_NETWORKCONFIG_DICT_CAPACITY (4096 + (sizeof(ZT_VirtualNetworkConfig)) + (sizeof(ZT_VirtualNetworkRule) * ZT_MAX_NETWORK_RULES) + (sizeof(Capability) * ZT_MAX_NETWORK_CAPABILITIES) + (sizeof(Tag) * ZT_MAX_NETWORK_TAGS) + (sizeof(CertificateOfOwnership) * ZT_MAX_CERTIFICATES_OF_OWNERSHIP))
 // Dictionary capacity needed for max size network meta-data
 #define ZT_NETWORKCONFIG_METADATA_DICT_CAPACITY 1024
diff --git a/node/Node.cpp b/node/Node.cpp
index 5b0fa8cc5..75acc35de 100644
--- a/node/Node.cpp
+++ b/node/Node.cpp
@@ -741,8 +741,10 @@ void Node::ncSendError(uint64_t nwid,uint64_t requestPacketId,const Address &des
 				n->setAccessDenied();
 				break;
 			case NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED: {
-			}
+				fprintf(stderr, "\n\nGot auth required\n\n");
+				break;
+			}
 			default:
 				break;
 		}
diff --git a/service/OneService.cpp b/service/OneService.cpp
index 274b5b9c7..89734a690 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -275,6 +275,11 @@ public:
 			_webPort
 		);
+		if (_idc == nullptr) {
+			fprintf(stderr, "idc is null\n");
+			return;
+		}
+		fprintf(stderr, "idc created (%s, %s, %s)\n", _config.issuerURL, _config.ssoClientID, _config.centralAuthURL);
 	}
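Review bot: The new `sizeof(ZT_VirtualNetworkConfig)` term in `ZT_NETWORKCONFIG_DICT_CAPACITY` has no comment saying what it is headroom for; presumably the fixed-size SSO string fields now serialised into the config dictionary, but a reader cannot tell that from the macro, and the old comment line above it still only says "max size network config". Add a line above the define such as `// sizeof(ZT_VirtualNetworkConfig) is added as headroom for the fixed-size string fields (issuer/central auth URLs, SSO nonce/state/client ID) that are now serialised into the dictionary` so the next person who resizes those arrays knows this bound moves with them.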
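Review bot: The added `if (_idc == nullptr) { … return; }` bails out of the enclosing function after only a stderr message, so whatever that function does after this point (its body continues past the hunk) is silently skipped and the caller gets no signal beyond the log line; if a null `_idc` is a hard failure it should surface as an error state or exception rather than a bare `return`. The success trace also prints `_config.ssoClientID` and both URLs to stderr on every construction; keep it behind a debug condition or drop it before merging.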