mirror of
https://github.com/zerotier/ZeroTierOne.git
synced 2025-04-13 22:12:56 +00:00
Restore sending of rejections but move it exclusively to a thread, widen netconf window to 30 minutes.
This commit is contained in:
Adam Ierymenko
parent
c492bf7eea
commit
a4e8847664
@ -1262,6 +1262,7 @@ void EmbeddedNetworkController::_request(
|
||||
}
|
||||
const bool newMember = ((!member.is_object())||(member.empty()));
|
||||
DB::initMember(member);
|
||||
_MemberStatusKey msk(nwid,identity.address().toInt());
|
||||
|
||||
{
|
||||
const std::string haveIdStr(OSUtils::jsonString(member["identity"],""));
|
||||
@ -1343,6 +1344,10 @@ void EmbeddedNetworkController::_request(
|
||||
authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
|
||||
info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
|
||||
assert(info.enabled == networkSSOEnabled);
|
||||
|
||||
std::lock_guard<std::mutex> l(_expiringSoon_l);
|
||||
_expiringSoon.insert(std::pair<int64_t, _MemberStatusKey>(authenticationExpiryTime, msk));
|
||||
|
||||
if (authenticationExpiryTime <= now) {
|
||||
if (info.version == 0) {
|
||||
Dictionary<4096> authInfo;
|
||||
@ -1363,63 +1368,6 @@ void EmbeddedNetworkController::_request(
|
||||
_db.save(member,true);
|
||||
return;
|
||||
}
|
||||
#if 0
|
||||
// TODO: Get expiry time if auth is still valid
|
||||
|
||||
// else get new auth info & stuff
|
||||
info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
|
||||
assert(info.enabled == networkSSOEnabled);
|
||||
|
||||
std::string memberId = member["id"];
|
||||
//fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
|
||||
authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
|
||||
fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
|
||||
if (authenticationExpiryTime < now) {
|
||||
fprintf(stderr, "Handling expired member\n");
|
||||
if (info.version == 0) {
|
||||
if (!info.authenticationURL.empty()) {
|
||||
_db.networkMemberSSOHasExpired(nwid, now);
|
||||
onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
|
||||
|
||||
Dictionary<4096> authInfo;
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, (uint64_t)0ULL);
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());
|
||||
//fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
|
||||
|
||||
DB::cleanMember(member);
|
||||
_db.save(member,true);
|
||||
|
||||
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
|
||||
return;
|
||||
}
|
||||
}
|
||||
else if (info.version == 1) {
|
||||
_db.networkMemberSSOHasExpired(nwid, now);
|
||||
onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
|
||||
|
||||
Dictionary<8192> authInfo;
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
|
||||
authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
|
||||
|
||||
DB::cleanMember(member);
|
||||
_db.save(member, true);
|
||||
|
||||
fprintf(stderr, "Sending NC_ERROR_AUTHENTICATION_REQUIRED\n");
|
||||
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
|
||||
return;
|
||||
}
|
||||
else {
|
||||
fprintf(stderr, "invalid sso info.version %llu\n", info.version);
|
||||
}
|
||||
} else if (authorized) {
|
||||
fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);
|
||||
//_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (authorized) {
|
||||
@ -1435,8 +1383,6 @@ void EmbeddedNetworkController::_request(
|
||||
member["vRev"] = vRev;
|
||||
member["vProto"] = vProto;
|
||||
|
||||
_MemberStatusKey msk(nwid,identity.address().toInt());
|
||||
|
||||
{
|
||||
std::lock_guard<std::mutex> l(_memberStatus_l);
|
||||
_MemberStatus &ms = _memberStatus[msk];
|
||||
@ -1448,13 +1394,6 @@ void EmbeddedNetworkController::_request(
|
||||
ms.lastRequestMetaData = metaData;
|
||||
ms.identity = identity;
|
||||
}
|
||||
|
||||
/*
|
||||
if (authenticationExpiryTime > 0) {
|
||||
std::lock_guard<std::mutex> l(_expiringSoon_l);
|
||||
_expiringSoon.insert(std::pair<int64_t, _MemberStatusKey>(authenticationExpiryTime, msk));
|
||||
}
|
||||
*/
|
||||
}
|
||||
} else {
|
||||
// If they are not authorized, STOP!
|
||||
@ -1887,7 +1826,8 @@ void EmbeddedNetworkController::_startThreads()
|
||||
const long hwc = std::max((long)std::thread::hardware_concurrency(),(long)1);
|
||||
for(long t=0;t<hwc;++t) {
|
||||
_threads.emplace_back([this]() {
|
||||
std::vector< std::pair<uint64_t, uint64_t> > expired;
|
||||
std::vector<_MemberStatusKey> expired;
|
||||
nlohmann::json network, member;
|
||||
for(;;) {
|
||||
_RQEntry *qe = (_RQEntry *)0;
|
||||
auto timedWaitResult = _queue.get(qe, 1000);
|
||||
@ -1906,7 +1846,6 @@ void EmbeddedNetworkController::_startThreads()
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
expired.clear();
|
||||
int64_t now = OSUtils::now();
|
||||
{
|
||||
@ -1914,27 +1853,24 @@ void EmbeddedNetworkController::_startThreads()
|
||||
for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
|
||||
const int64_t when = s->first;
|
||||
if (when <= now) {
|
||||
// Remove expired entries and if they are still correct as per the network status, deauth them.
|
||||
std::lock_guard<std::mutex> l(_memberStatus_l);
|
||||
_MemberStatus &ms = _memberStatus[s->second];
|
||||
if ((ms.authenticationExpiryTime > 0)&&(ms.authenticationExpiryTime <= now)) {
|
||||
expired.push_back(std::pair<uint64_t, uint64_t>(s->second.networkId, s->second.nodeId));
|
||||
network.clear();
|
||||
member.clear();
|
||||
if (_db.get(s->second.networkId, network, s->second.nodeId, member)) {
|
||||
int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
|
||||
if (authenticationExpiryTime <= now) {
|
||||
expired.push_back(s->second);
|
||||
}
|
||||
}
|
||||
_expiringSoon.erase(s++);
|
||||
} else if ((when - now) > 500) {
|
||||
} else {
|
||||
// Don't bother going further into the future than necessary.
|
||||
break;
|
||||
} else {
|
||||
// Skip not yet expired entries.
|
||||
++s;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for(auto e=expired.begin();e!=expired.end();++e) {
|
||||
onNetworkMemberDeauthorize(nullptr, e->first, e->second);
|
||||
onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
|
||||
}
|
||||
*/
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@ -154,8 +154,8 @@ private:
|
||||
std::unordered_map< _MemberStatusKey,_MemberStatus,_MemberStatusHash > _memberStatus;
|
||||
std::mutex _memberStatus_l;
|
||||
|
||||
//std::multimap< int64_t, _MemberStatusKey > _expiringSoon;
|
||||
//std::mutex _expiringSoon_l;
|
||||
std::multimap< int64_t, _MemberStatusKey > _expiringSoon;
|
||||
std::mutex _expiringSoon_l;
|
||||
|
||||
RedisConfig *_rc;
|
||||
std::string _ssoRedirectURL;
|
||||
|
||||
@ -41,9 +41,9 @@
|
||||
#include "Trace.hpp"
|
||||
|
||||
/**
|
||||
* Default maximum time delta for COMs, tags, and capabilities
|
||||
* Default time delta for COMs, tags, and capabilities
|
||||
*/
|
||||
#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_DFL_MAX_DELTA ((int64_t)(1000 * 60 * 15))
|
||||
#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_DFL_MAX_DELTA ((int64_t)(1000 * 60 * 30))
|
||||
|
||||
/**
|
||||
* Maximum time delta for COMs, tags, and capabilities
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user