
refresh tokens now working

Still investigating the best way to do a couple of things, but we have something working
Grant Limberg 3 gadi atpakaļ
vecāks
revīzija
b3fbbd3124

+ 10 - 3
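--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1339,14 +1339,18 @@ void EmbeddedNetworkController::_request(
 	bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false);
 	AuthInfo info;
 	if (networkSSOEnabled && !memberSSOExempt) {
+		// TODO:  Get expiry time if auth is still valid
+
+		// else get new auth info & stuff
 		info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
 		assert(info.enabled == networkSSOEnabled);
 
 		std::string memberId = member["id"];
 		//fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
 		uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
-		//fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
+		fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
 		if (authenticationExpiryTime < now) {
+			fprintf(stderr, "Handling expired member\n");
 			if (info.version == 0) {
 				if (!info.authenticationURL.empty()) {
 					_db.networkMemberSSOHasExpired(nwid, now);
@@ -1363,7 +1367,8 @@ void EmbeddedNetworkController::_request(
 					_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 					return;
 				}
-			} else if (info.version == 1) {
+			}
+			else if (info.version == 1) {
 				_db.networkMemberSSOHasExpired(nwid, now);
 				onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
 
@@ -1381,10 +1386,12 @@ void EmbeddedNetworkController::_request(
 				fprintf(stderr, "Sending NC_ERROR_AUTHENTICATION_REQUIRED\n");
 				_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 				return;
-			} else {
+			}
+			else {
 				fprintf(stderr, "invalid sso info.version %llu\n", info.version);
 			}
 		} else if (authorized) {
+			fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);
 			_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
 		}
 	}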
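Review bot: The two new diagnostics `fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);` and `fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);` hand a `uint64_t` to `%lld`, a signed `long long` conversion that does not match the variable's type; cast to `unsigned long long` and use `%llu`, or use `PRIu64` from `<cinttypes>`, as the existing `%llu` line for `info.version` already does. These prints, together with the added `"Handling expired member\n"` line, now run unconditionally on every network config request from an SSO-governed member and will flood stderr in production, so they should be gated on a debug switch or removed before this lands, which the commit message itself suggests is still pending. Separately, the `assert(info.enabled == networkSSOEnabled)` just below the new TODO is compiled out in the controller build, since make-linux.mk adds `-DNDEBUG` under `ZT_CONTROLLER`, so a mismatch between the member's auth info and the network's SSO setting would go unreported there; a runtime check that logs and falls through to the deny path would be the durable form. `_request` begins and ends outside this section.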

+ 1 - 1
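--- a/controller/PostgreSQL.cpp
+++ b/controller/PostgreSQL.cpp
@@ -463,7 +463,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
 					info.centralAuthURL = redirectURL;
 					fprintf(
 						stderr,
-						"ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s",
+						"ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s\n",
 						info.ssoClientID.c_str(),
 						info.issuerURL.c_str(),
 						info.ssoNonce.c_str(),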

+ 1 - 1
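--- a/ext/central-controller-docker/Dockerfile.builder
+++ b/ext/central-controller-docker/Dockerfile.builder
@@ -9,5 +9,5 @@ RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x
 RUN dnf -qy module disable postgresql
 RUN yum -y install epel-release && yum -y update && yum clean all
 RUN yum groupinstall -y "Development Tools" && yum clean all
-RUN yum install -y bash cmake postgresql10 postgresql10-devel clang jemalloc jemalloc-devel libpqxx libpqxx-devel && yum clean all
+RUN yum install -y bash cmake postgresql10 postgresql10-devel clang jemalloc jemalloc-devel libpqxx libpqxx-devel openssl-devel && yum clean all
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y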

+ 1 - 1
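--- a/make-linux.mk
+++ b/make-linux.mk
@@ -274,7 +274,7 @@ endif
 
 ifeq ($(ZT_CONTROLLER),1)
 	override CXXFLAGS+=-Wall -Wno-deprecated -std=c++17 -pthread $(INCLUDES) -DNDEBUG $(DEFS)
-	override LDLIBS+=-L/usr/pgsql-10/lib/ -lpqxx -lpq ext/hiredis-0.14.1/lib/centos8/libhiredis.a ext/redis-plus-plus-1.1.1/install/centos8/lib/libredis++.a
+	override LDLIBS+=-L/usr/pgsql-10/lib/ -lpqxx -lpq ext/hiredis-0.14.1/lib/centos8/libhiredis.a ext/redis-plus-plus-1.1.1/install/centos8/lib/libredis++.a -lssl -lcrypto
 	override DEFS+=-DZT_CONTROLLER_USE_LIBPQ
 	override INCLUDES+=-I/usr/pgsql-10/include -Iext/hiredis-0.14.1/include/ -Iext/redis-plus-plus-1.1.1/install/centos8/include/sw/
 endif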

+ 2 - 1
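--- a/zeroidc/src/lib.rs
+++ b/zeroidc/src/lib.rs
@@ -152,7 +152,7 @@ impl ZeroIDC {
                     println!("refresh token thread tick, now: {}, exp: {}", systemtime_strftime(now, "[year]-[month]-[day] [hour]:[minute]:[second]"), systemtime_strftime(exp, "[year]-[month]-[day] [hour]:[minute]:[second]"));
                     let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
                     if let Some(refresh_token) =  refresh_token {
-                        if now >= (exp - Duration::from_secs(15)) {
+                        if now >= (exp - Duration::from_secs(30)) {
                             let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
                                 let res = c.exchange_refresh_token(&refresh_token)
                                     .request(http_client);
@@ -167,6 +167,7 @@ impl ZeroIDC {
                                             Some(id_token) => {
 
                                                 let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
+                                                println!("New ID token: {}", id_token.to_string());
                                                 let client = reqwest::blocking::Client::new();
                                                 let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
                                                     .form(&params)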
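Review bot: The added `println!("New ID token: {}", id_token.to_string());` writes the complete OIDC ID token to stdout; the line above it puts that same serialized token into `params` and the lines below POST it to `auth_endpoint` as the proof used to re-authorize the member, so whatever captures the process output (a journal, container logs, a terminal scrollback) now holds a replayable credential for as long as the token is valid. Log a non-sensitive marker instead, e.g. `println!("Refreshed ID token ({} bytes)", id_token.to_string().len());`, or drop the line; the pre-existing stderr dump of `ssoNonce` and `ssoState` in PostgreSQL::getSSOAuthInfo, touched elsewhere in this commit, presumably deserves the same treatment. The refresh lead-time change from 15 to 30 seconds is reasonable but carries no explanation; a comment such as `// refresh well before expiry so a slow token endpoint does not leave the member deauthorized` would record the reasoning. The enclosing refresh-thread closure starts and ends outside these hunks.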