From b3fbbd3124970308b52f82c9ccede12780e24703 Mon Sep 17 00:00:00 2001
From: Grant Limberg
Date: Tue, 7 Dec 2021 16:29:50 -0800
Subject: [PATCH] refresh tokens now working
Still investigating the best way to do a couple things, but we have something working
---
 controller/EmbeddedNetworkController.cpp | 13 ++++++++++---
 controller/PostgreSQL.cpp | 2 +-
 ext/central-controller-docker/Dockerfile.builder | 2 +-
 make-linux.mk | 2 +-
 zeroidc/src/lib.rs | 3 ++-
 5 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 6a8c9dd4b..054bcddc5 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1339,14 +1339,18 @@ void EmbeddedNetworkController::_request(
 bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false);
 AuthInfo info;
 if (networkSSOEnabled && !memberSSOExempt) {
+ // TODO: Get expiry time if auth is still valid
+
+ // else get new auth info & stuff
 info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
 assert(info.enabled == networkSSOEnabled);
 std::string memberId = member["id"];
 //fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
 uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
- //fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
+ fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
 if (authenticationExpiryTime < now) {
+ fprintf(stderr, "Handling expired member\n");
 if (info.version == 0) {
 if (!info.authenticationURL.empty()) {
 _db.networkMemberSSOHasExpired(nwid, now);
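Review bot: The re-enabled `fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);` passes a `uint64_t` to a `%lld` conversion, which is a signed/unsigned format mismatch that `-Wformat` flags; the `Setting member will expire to: %lld` line added in the -1381 hunk has the same problem. Use `fprintf(stderr, "authExpiryTime: %llu\n", (unsigned long long)authenticationExpiryTime);` (or the `<cinttypes>` `PRIu64` macro) in both places. Both prints, plus the added `Handling expired member` line, now fire unconditionally on every request that reaches this branch, so if they are meant to outlive the investigation they belong behind a debug flag rather than at default verbosity. The two added TODO comments describe a branch (reuse a still-valid expiry vs. fetch new auth info) that the code below does not yet take; a single `// TODO: skip getSSOAuthInfo() when the member's existing auth is still valid` above the call would state the intent more clearly. _request's body continues outside the hunk.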
@@ -1363,7 +1367,8 @@ void EmbeddedNetworkController::_request(
 _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 return;
 }
- } else if (info.version == 1) {
+ }
+ else if (info.version == 1) {
 _db.networkMemberSSOHasExpired(nwid, now);
 onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
@@ -1381,10 +1386,12 @@ void EmbeddedNetworkController::_request(
 fprintf(stderr, "Sending NC_ERROR_AUTHENTICATION_REQUIRED\n");
 _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 return;
- } else {
+ }
+ else {
 fprintf(stderr, "invalid sso info.version %llu\n", info.version);
 }
 } else if (authorized) {
+ fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);
 _db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
 }
 }
diff --git a/controller/PostgreSQL.cpp b/controller/PostgreSQL.cpp
index 66075fd1e..e199f05bb 100644
--- a/controller/PostgreSQL.cpp
+++ b/controller/PostgreSQL.cpp
@@ -463,7 +463,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
 info.centralAuthURL = redirectURL;
 fprintf(
 stderr,
- "ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s",
+ "ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s\n",
 info.ssoClientID.c_str(),
 info.issuerURL.c_str(),
 info.ssoNonce.c_str(),
diff --git a/ext/central-controller-docker/Dockerfile.builder b/ext/central-controller-docker/Dockerfile.builder
index 573b1ef69..5c2787570 100644
--- a/ext/central-controller-docker/Dockerfile.builder
+++ b/ext/central-controller-docker/Dockerfile.builder
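Review bot: Splitting `} else if (info.version == 1) {` into `}` and `else if (info.version == 1) {` on separate lines is a brace-style change only, and the surrounding code keeps the cuddled form — the ` } else if (authorized) {` context line left untouched in the -1381 hunk is the same construct two branches later. The -1381 hunk makes the identical split for `} else {`. Either keep the file's existing `} else` style or reformat consistently in a separate commit, so the functional changes (the added fprintf calls) are not mixed with whitespace-only edits that obscure the diff. _request's body starts and ends outside both hunks.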
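Review bot: The fprintf whose format string the hunk edits still writes `info.ssoNonce` and `info.ssoState` to stderr on every call, and from their names these are the per-authorization OIDC nonce and state values, which are meant to be unpredictable to anyone but the client; the controller's stderr typically ends up in persistent logs. Consider dropping those two fields from the message, e.g. `"ssoClientID: %s\nissuerURL: %s\ncentralAuthURL: %s\n"` with the matching three-argument list, or gating the print behind a debug flag. The same concern applies more strongly to the `println!("New ID token: {}", id_token.to_string());` added in the zeroidc/src/lib.rs -167 hunk, which writes a complete bearer-grade ID token to stdout. getSSOAuthInfo's body continues outside the hunk.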
@@ -9,5 +9,5 @@ RUN yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x
 RUN dnf -qy module disable postgresql
 RUN yum -y install epel-release && yum -y update && yum clean all
 RUN yum groupinstall -y "Development Tools" && yum clean all
-RUN yum install -y bash cmake postgresql10 postgresql10-devel clang jemalloc jemalloc-devel libpqxx libpqxx-devel && yum clean all
+RUN yum install -y bash cmake postgresql10 postgresql10-devel clang jemalloc jemalloc-devel libpqxx libpqxx-devel openssl-devel && yum clean all
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
diff --git a/make-linux.mk b/make-linux.mk
index 95567f2ea..b001d4ce2 100644
--- a/make-linux.mk
+++ b/make-linux.mk
@@ -274,7 +274,7 @@ endif
 ifeq ($(ZT_CONTROLLER),1)
 override CXXFLAGS+=-Wall -Wno-deprecated -std=c++17 -pthread $(INCLUDES) -DNDEBUG $(DEFS)
- override LDLIBS+=-L/usr/pgsql-10/lib/ -lpqxx -lpq ext/hiredis-0.14.1/lib/centos8/libhiredis.a ext/redis-plus-plus-1.1.1/install/centos8/lib/libredis++.a
+ override LDLIBS+=-L/usr/pgsql-10/lib/ -lpqxx -lpq ext/hiredis-0.14.1/lib/centos8/libhiredis.a ext/redis-plus-plus-1.1.1/install/centos8/lib/libredis++.a -lssl -lcrypto
 override DEFS+=-DZT_CONTROLLER_USE_LIBPQ
 override INCLUDES+=-I/usr/pgsql-10/include -Iext/hiredis-0.14.1/include/ -Iext/redis-plus-plus-1.1.1/install/centos8/include/sw/
 endif
diff --git a/zeroidc/src/lib.rs b/zeroidc/src/lib.rs
index c9251950b..bd9f96f3c 100644
--- a/zeroidc/src/lib.rs
+++ b/zeroidc/src/lib.rs
@@ -152,7 +152,7 @@ impl ZeroIDC {
 println!("refresh token thread tick, now: {}, exp: {}", systemtime_strftime(now, "[year]-[month]-[day] [hour]:[minute]:[second]"), systemtime_strftime(exp, "[year]-[month]-[day] [hour]:[minute]:[second]"));
 let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
 if let Some(refresh_token) = refresh_token {
- if now >= (exp - Duration::from_secs(15)) {
+ if now >= (exp - Duration::from_secs(30)) {
 let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
 let res = c.exchange_refresh_token(&refresh_token)
 .request(http_client);
@@ -167,6 +167,7 @@ impl ZeroIDC {
 Some(id_token) => {
 let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
+ println!("New ID token: {}", id_token.to_string());
 let client = reqwest::blocking::Client::new();
 let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
 .form(¶ms)
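Review bot: The refresh lead time changed from 15 to 30 seconds on the `if now >= (exp - Duration::from_secs(30)) {` line is a bare literal, with nothing recording why 30 was chosen or how it relates to the tick interval of the surrounding thread loop (not visible in the hunk). Hoisting it into a named constant, e.g. `const REFRESH_LEAD_TIME: Duration = Duration::from_secs(30);` and `if now >= (exp - REFRESH_LEAD_TIME) {`, documents the intent and keeps the value in one place. Presumably the lead time has to exceed the tick interval for the refresh to land before `exp`; a one-line comment on the constant stating that relationship would let the next person tune either value safely. The enclosing closure starts and ends outside the hunk.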