From a4e8847664199f9131b2f2c4a7c1878d82e82fcf Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Tue, 19 Apr 2022 10:37:58 -0400
Subject: [PATCH] Restore sending of rejections but move it exclusively to a thread, widen netconf window to 30 minutes.
---
 controller/EmbeddedNetworkController.cpp | 96 ++++--------------------
 controller/EmbeddedNetworkController.hpp | 4 +-
 node/NetworkConfig.hpp | 4 +-
 3 files changed, 20 insertions(+), 84 deletions(-)
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 7fed2a647..f7a2e01ed 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1262,6 +1262,7 @@ void EmbeddedNetworkController::_request(
 }
 const bool newMember = ((!member.is_object())||(member.empty()));
 DB::initMember(member);
+ _MemberStatusKey msk(nwid,identity.address().toInt());
 {
 const std::string haveIdStr(OSUtils::jsonString(member["identity"],""));
@@ -1343,6 +1344,10 @@ void EmbeddedNetworkController::_request(
 authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
 info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
 assert(info.enabled == networkSSOEnabled);
+
+ std::lock_guard l(_expiringSoon_l);
+ _expiringSoon.insert(std::pair(authenticationExpiryTime, msk));
+
 if (authenticationExpiryTime <= now) {
 if (info.version == 0) {
 Dictionary<4096> authInfo;
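Review bot: The `std::lock_guard l(_expiringSoon_l)` added in the second hunk is a plain block-scope local, so as far as the hunks show `_expiringSoon_l` stays held through the whole `authenticationExpiryTime <= now` branch, including the `_db.save(member,true)` / `return` path visible at the top of the next hunk, while the sweep in `_startThreads` presumably takes the same mutex on every pass. Narrowing the guard to the single multimap operation keeps the critical section tiny: `{ std::lock_guard l(_expiringSoon_l); _expiringSoon.insert(std::pair(authenticationExpiryTime, msk)); }`. The insert also runs on every request, so repeated requests from one member add duplicate `(expiry, msk)` pairs that stay in the map until that timestamp passes; if memory growth turns out to matter, an `equal_range` lookup for an identical entry before inserting would bound it. `_request` begins and ends outside these hunks.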
@@ -1363,63 +1368,6 @@ void EmbeddedNetworkController::_request(
 _db.save(member,true);
 return;
 }
-#if 0
- // TODO: Get expiry time if auth is still valid
-
- // else get new auth info & stuff
- info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
- assert(info.enabled == networkSSOEnabled);
-
- std::string memberId = member["id"];
- //fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
- authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
- fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
- if (authenticationExpiryTime < now) {
- fprintf(stderr, "Handling expired member\n");
- if (info.version == 0) {
- if (!info.authenticationURL.empty()) {
- _db.networkMemberSSOHasExpired(nwid, now);
- onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
-
- Dictionary<4096> authInfo;
- authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, (uint64_t)0ULL);
- authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());
- //fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
-
- DB::cleanMember(member);
- _db.save(member,true);
-
- _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
- return;
- }
- }
- else if (info.version == 1) {
- _db.networkMemberSSOHasExpired(nwid, now);
- onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
-
- Dictionary<8192> authInfo;
- authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
- authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
- authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
- authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
- authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
- authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
-
- DB::cleanMember(member);
- _db.save(member, true);
- - fprintf(stderr, "Sending NC_ERROR_AUTHENTICATION_REQUIRED\n"); - _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes()); - return; - } - else { - fprintf(stderr, "invalid sso info.version %llu\n", info.version); - } - } else if (authorized) { - fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime); - //_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt()); - } -#endif } if (authorized) { @@ -1435,8 +1383,6 @@ void EmbeddedNetworkController::_request( member["vRev"] = vRev; member["vProto"] = vProto; - _MemberStatusKey msk(nwid,identity.address().toInt()); - { std::lock_guard l(_memberStatus_l); _MemberStatus &ms = _memberStatus[msk]; @@ -1448,13 +1394,6 @@ void EmbeddedNetworkController::_request( ms.lastRequestMetaData = metaData; ms.identity = identity; } - - /* - if (authenticationExpiryTime > 0) { - std::lock_guard l(_expiringSoon_l); - _expiringSoon.insert(std::pair(authenticationExpiryTime, msk)); - } - */ } } else { // If they are not authorized, STOP! @@ -1887,7 +1826,8 @@ void EmbeddedNetworkController::_startThreads() const long hwc = std::max((long)std::thread::hardware_concurrency(),(long)1); for(long t=0;t > expired; + std::vector<_MemberStatusKey> expired; + nlohmann::json network, member; for(;;) { _RQEntry *qe = (_RQEntry *)0; auto timedWaitResult = _queue.get(qe, 1000); @@ -1906,7 +1846,6 @@ void EmbeddedNetworkController::_startThreads() } } - /* expired.clear(); int64_t now = OSUtils::now(); { 
@@ -1914,27 +1853,24 @@ void EmbeddedNetworkController::_startThreads()
 for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
 const int64_t when = s->first;
 if (when <= now) {
- // Remove expired entries and if they are still correct as per the network status, deauth them.
- std::lock_guard l(_memberStatus_l);
- _MemberStatus &ms = _memberStatus[s->second];
- if ((ms.authenticationExpiryTime > 0)&&(ms.authenticationExpiryTime <= now)) {
- expired.push_back(std::pair(s->second.networkId, s->second.nodeId));
+ network.clear();
+ member.clear();
+ if (_db.get(s->second.networkId, network, s->second.nodeId, member)) {
+ int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
+ if (authenticationExpiryTime <= now) {
+ expired.push_back(s->second);
+ }
 }
 _expiringSoon.erase(s++);
- } else if ((when - now) > 500) {
+ } else {
 // Don't bother going further into the future than necessary.
 break;
- } else {
- // Skip not yet expired entries.
- ++s;
 }
 }
 }
-
 for(auto e=expired.begin();e!=expired.end();++e) {
- onNetworkMemberDeauthorize(nullptr, e->first, e->second);
+ onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
 }
- */
 }
 });
 }
diff --git a/controller/EmbeddedNetworkController.hpp b/controller/EmbeddedNetworkController.hpp
index 0a5cc2f3e..6a6c919cd 100644
--- a/controller/EmbeddedNetworkController.hpp
+++ b/controller/EmbeddedNetworkController.hpp
@@ -154,8 +154,8 @@ private:
 std::unordered_map< _MemberStatusKey,_MemberStatus,_MemberStatusHash > _memberStatus;
 std::mutex _memberStatus_l;
- //std::multimap< int64_t, _MemberStatusKey > _expiringSoon;
- //std::mutex _expiringSoon_l;
+ std::multimap< int64_t, _MemberStatusKey > _expiringSoon;
+ std::mutex _expiringSoon_l;
 RedisConfig *_rc;
 std::string _ssoRedirectURL;
diff --git a/node/NetworkConfig.hpp b/node/NetworkConfig.hpp
index c8ffe2bf5..846f922da 100644
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
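Review bot: The sweep now does a `_db.get` and a JSON parse for every due entry while the scope opened on the line just before this hunk (presumably the `_expiringSoon_l` guard) is still held, so each `_request` that inserts into `_expiringSoon` waits behind the slowest database lookup of the pass, whereas the removed code only touched in-memory `_memberStatus` here. Since `expired` is already a vector of `_MemberStatusKey`, the due entries can be collected and erased under the lock and the stored-expiry re-check moved into the deauthorize loop that runs after the scope closes, as sketched below; the `else { break; }` change itself is correct because the multimap is ordered by expiry time. The enclosing lambda and `_startThreads` begin outside the hunk.
```cpp
for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
	const int64_t when = s->first;
	if (when <= now) {
		// Only collect candidates under the lock; the DB check runs after it is released.
		expired.push_back(s->second);
		_expiringSoon.erase(s++);
	} else {
		// Don't bother going further into the future than necessary.
		break;
	}
}
// … unchanged: closing brace of the lock scope …
for(auto e=expired.begin();e!=expired.end();++e) {
	network.clear();
	member.clear();
	if (_db.get(e->networkId, network, e->nodeId, member)) {
		const int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
		// Skip entries whose stored expiry has since moved into the future (member re-authenticated).
		if (authenticationExpiryTime <= now) {
			onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
		}
	}
}
```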
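Review bot: `_expiringSoon` and `_expiringSoon_l` are re-enabled in the header hunk without a comment saying what the map holds or which lock protects it, and the other member declarations around them give no hint either. A two-line comment above the multimap would spare the next reader a trip through `_request` and the sweep thread: `// Members whose SSO authentication lapses at the key time (same clock as OSUtils::now()); inserted by _request, drained by the sweep in _startThreads.` and `// Guarded by _expiringSoon_l.` The class body continues outside the hunk.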
@@ -41,9 +41,9 @@
 #include "Trace.hpp"
 /**
- * Default maximum time delta for COMs, tags, and capabilities
+ * Default time delta for COMs, tags, and capabilities
 */
-#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_DFL_MAX_DELTA ((int64_t)(1000 * 60 * 15))
+#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_DFL_MAX_DELTA ((int64_t)(1000 * 60 * 30))
 /**
 * Maximum time delta for COMs, tags, and capabilities
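Review bot: The reworded comment drops "maximum" even though the macro is still named `..._DFL_MAX_DELTA` and the sibling comment two lines below still reads "Maximum time delta", so the two descriptions now disagree about what the value is. Keep the original wording and record the unit and the reason for the new value instead, e.g. ` * Default maximum time delta for COMs, tags, and capabilities, in ms (30 minutes, widened together with the netconf window per the commit message)`. Doubling this delta presumably also doubles how far apart two credential timestamps may be and still be accepted, so a superseded COM, tag or capability would stay honored for up to 30 minutes rather than 15; stating that in the comment makes the trade-off a deliberate one for whoever tunes it next.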