From efe0e8aa7bf5acbc604bff0906f5c212a2c4d81d Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Fri, 23 Jul 2021 19:05:59 -0400
Subject: [PATCH] Notification of about-to-expire status... almost there.
---
 controller/DB.hpp | 2 ++
 controller/DBMirrorSet.cpp | 10 ++++-----
 controller/DBMirrorSet.hpp | 4 ++--
 controller/EmbeddedNetworkController.cpp | 26 ++++++++++++++----------
 4 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/controller/DB.hpp b/controller/DB.hpp
index 67017f855..d7336bb81 100644
--- a/controller/DB.hpp
+++ b/controller/DB.hpp
@@ -35,6 +35,8 @@
 #include "../ext/json/json.hpp"
+#define ZT_MEMBER_AUTH_TIMEOUT_NOTIFY_BEFORE 10000
+
 namespace ZeroTier {
diff --git a/controller/DBMirrorSet.cpp b/controller/DBMirrorSet.cpp
index fd508342d..0bc16ce04 100644
--- a/controller/DBMirrorSet.cpp
+++ b/controller/DBMirrorSet.cpp
@@ -240,9 +240,9 @@ void DBMirrorSet::onNetworkMemberDeauthorize(const void *db,uint64_t networkId,u
 _listener->onNetworkMemberDeauthorize(this,networkId,memberId);
 }
-std::vector> DBMirrorSet::membersExpiringSoon()
+std::set< std::pair > DBMirrorSet::membersExpiringSoon()
 {
- std::vector> soon;
+ std::set< std::pair > soon;
 std::unique_lock l(_membersExpiringSoon_l);
 int64_t now = OSUtils::now();
 for(auto next=_membersExpiringSoon.begin();next!=_membersExpiringSoon.end();) {
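Review bot: The new `ZT_MEMBER_AUTH_TIMEOUT_NOTIFY_BEFORE` in DB.hpp carries no comment giving its unit or purpose; the only hint is the comment it replaces in DBMirrorSet.cpp ("more than 10s in the future", compared against a difference from `OSUtils::now()`), which makes it a millisecond window. Suggest a line directly above the define such as `// Notify listeners this many milliseconds before a member's SSO authentication expires (consumed by DBMirrorSet::membersExpiringSoon)`. Since this is a C++ header, a typed `static constexpr int64_t` would also match the `int64_t` arithmetic it is compared with, instead of an untyped integer macro.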
@@ -259,11 +259,11 @@ std::vector> DBMirrorSet::membersExpiringSoon()
 const bool ssoExempt = member["ssoExempt"];
 const int64_t authenticationExpiryTime = member["authenticationExpiryTime"];
 if ((authenticationExpiryTime == next->first)&&(authorized)&&(!ssoExempt)) {
- if ((authenticationExpiryTime - now) > 10000) {
- // Stop when we get to entries more than 10s in the future.
+ if ((authenticationExpiryTime - now) > ZT_MEMBER_AUTH_TIMEOUT_NOTIFY_BEFORE) {
+ // Stop when we get to entries too far in the future.
 break;
 } else {
- soon.push_back(std::pair(nwid, memberId));
+ soon.insert(std::pair(nwid, memberId));
 }
 } else {
 // Obsolete entry, no longer authorized, or SSO exempt.
diff --git a/controller/DBMirrorSet.hpp b/controller/DBMirrorSet.hpp
index 0a9996eda..ebb39b5d8 100644
--- a/controller/DBMirrorSet.hpp
+++ b/controller/DBMirrorSet.hpp
@@ -60,7 +60,7 @@ public:
 _dbs.push_back(db);
 }
- std::vector> membersExpiringSoon();
+ std::set< std::pair > membersExpiringSoon();
 void memberExpiring(int64_t expTime, uint64_t nwid, uint64_t memberId);
 private:
@@ -69,7 +69,7 @@ private:
 std::thread _syncCheckerThread;
 std::vector< std::shared_ptr< DB > > _dbs;
 mutable std::mutex _dbs_l;
- std::multimap< int64_t, std::pair > _membersExpiringSoon;
+ std::set< std::pair< int64_t, std::pair > > _membersExpiringSoon;
 mutable std::mutex _membersExpiringSoon_l;
 };
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 971cc1b73..5709878c0 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
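Review bot: The loop still reads `member["ssoExempt"]` and `member["authenticationExpiryTime"]` by bare implicit conversion, while the EmbeddedNetworkController hunk in this same commit reads the expiry field defensively as `OSUtils::jsonInt(member["authenticationExpiryTime"], 0)`. With nlohmann::json (the `../ext/json/json.hpp` include visible in DB.hpp), a member record that lacks one of these keys or stores it with another type makes the conversion throw out of `membersExpiringSoon()`, so a single malformed record aborts the whole scan and no later member is reported. These two lines are context rather than new code, but since the commit reworks this loop it could switch them to `OSUtils::jsonBool(member["ssoExempt"], false)` and `OSUtils::jsonInt(member["authenticationExpiryTime"], 0)` to match the other call site. The enclosing for-loop and function both begin before this hunk.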
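Review bot: `std::set` now appears in the public signature of `membersExpiringSoon()` here and in the `_membersExpiringSoon` member in the -69 hunk, but neither hunk adds `#include <set>` and the header's include list is outside this diff; unless `<set>` is already included (or arrives transitively through DB.hpp), DBMirrorSet.hpp compiles only by accident of include order, so please confirm and add `#include <set>` alongside the header's other standard includes if it is missing. The switch from `std::multimap` to a set keyed on the full (expiry, nwid, member) triple also changes semantics — equal triples now collapse into one entry, which presumably is the intent for repeated `memberExpiring()` calls from the same member — and that deserves a one-line comment on the member, e.g. `// Ordered by expiry time; a set so repeated registrations of the same (expiry, network, member) do not accumulate`.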
@@ -1366,17 +1366,21 @@ void EmbeddedNetworkController::_request(
 std::string memberId = member["id"];
 fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
 uint64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
- fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
- if (authenticationExpiryTime < now) {
- std::string authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
- if (!authenticationURL.empty()) {
- Dictionary<3072> authInfo;
- authInfo.add("aU", authenticationURL.c_str());
- fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
- DB::cleanMember(member);
- _db.save(member,true);
- _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
- return;
+ if (authenticationExpiryTime > 0) {
+ fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
+ if (authenticationExpiryTime < now) {
+ std::string authenticationURL = _db.getSSOAuthURL(member, _ssoRedirectURL);
+ if (!authenticationURL.empty()) {
+ Dictionary<3072> authInfo;
+ authInfo.add("aU", authenticationURL.c_str());
+ fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
+ DB::cleanMember(member);
+ _db.save(member,true);
+ _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
+ return;
+ }
+ } else {
+ _db.memberExpiring(authenticationExpiryTime, nwid, identity.address().toInt());
 }
 }
 }
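Review bot: The new `if (authenticationExpiryTime > 0)` guard and the `_db.memberExpiring(authenticationExpiryTime, ...)` call operate on a variable declared `uint64_t` on the context line just above, even though it is assigned from a value cast to `int64_t`, printed with `%lld`, and passed to `memberExpiring(int64_t expTime, ...)` as declared in the DBMirrorSet.hpp hunk. A negative value stored in the JSON field therefore passes the `> 0` check as a huge unsigned number, the `%lld` format does not match the argument type, and the implicit conversion back to `int64_t` silently restores the sign; `const int64_t authenticationExpiryTime = OSUtils::jsonInt(member["authenticationExpiryTime"], 0);` removes all three. Separately, the re-added `fprintf(stderr, "sending auth URL: %s\n", ...)` writes each member's SSO authentication URL to stderr; if that URL embeds a state or nonce parameter, controller logs become a place it can be read back from, so the debug prints in this block should be removed before this work-in-progress lands. `_request()` starts before and ends after this hunk.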