ExternalVendorCode/ZeroTierOne
1
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-02-20 17:52:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

handle nonce rotation in controller better

Browse Source 
Won't generate new nonces until there are no active ones.
This commit is contained in:
Grant Limberg 2022-01-20 15:14:29 -08:00
parent 801be64ed3
commit c09010c25a
No known key found for this signature in database
GPG Key ID: 2BA62CCABBB4095A
1 changed files with 37 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
controller/PostgreSQL.cpp
View File

@ -386,6 +386,14 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
// check if the member exists first.
pqxx::row count = w.exec_params1("SELECT count(id) FROM ztc_member WHERE id = $1 AND network_id = $2 AND deleted = false", memberId, networkId);
if (count[0].as<int>() == 1) {
// get active nonce, if exists.
pqxx::result r = w.exec_params("SELECT nonce FROM ztc_sso_expiry "
"WHERE network_id = $1 AND member_id = $2 "
"AND ((NOW() AT TIME ZONE 'UTC') <= authentication_expiry_time) AND ((NOW() AT TIME ZONE 'UTC') <= nonce_expiration)",
networkId, memberId);
if (r.size() == 0) {
// no active nonce.
// find an unused nonce, if one exists.
pqxx::result r = w.exec_params("SELECT nonce FROM ztc_sso_expiry "
"WHERE network_id = $1 AND member_id = $2 "
@ -414,6 +422,14 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
fprintf(stderr, "> 1 unused nonce!\n");
exit(6);
}
} else if (r.size() == 1) {
nonce = r.at(0)[0].as<std::string>();
Utils::unhex(nonce.c_str(), nonceBytes, sizeof(nonceBytes));
} else {
// more than 1 nonce in use? Uhhh...
fprintf(stderr, "> 1 nonce in use for network member?!?\n");
exit(7);
}
r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.issuer, org.sso_impl_version "
"FROM ztc_network AS nw, ztc_org AS org "