From: Phil
Date: Thu, 7 Dec 2017 13:03:56 +0000 (+0000)
Subject: --commit still broken
X-Git-Tag: v0.11.0pre66~201^2~31^2
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=089a4f09b10e80dc5443f7be66eb07a6b8f76b3a;p=oweals%2Fgnunet.git
--commit still broken
---
diff --git a/src/identity-provider/logfile.txt b/src/identity-provider/logfile.txt
new file mode 100644
index 000000000..a59f2478a
--- /dev/null
+++ b/src/identity-provider/logfile.txt
@@ -0,0 +1,73 @@
+*** Error in `/usr/local/lib//gnunet/libexec/gnunet-rest-server': free(): invalid pointer: 0x00007f9c415c9275 ***
+*** Error in `/usr/local/lib//gnunet/libexec/gnunet-rest-server': free(): invalid pointer: 0x00007f0888c25275 ***
+*** Error in `/usr/local/lib//gnunet/libexec/gnunet-rest-server': free(): invalid pointer: 0x00007f7dee65b275 ***
+Nov 23 13:58:28-246065 gnunet-rest-server-26879 ERROR Error: (null)
+Nov 23 13:58:46-677968 gnunet-rest-server-26879 ERROR Error: Missing openid scope
+Nov 23 13:59:34-165447 gnunet-rest-server-26901 ERROR Error: Missing openid scope
+Nov 23 14:04:07-545573 gnunet-rest-server-28097 ERROR Error: Response type is not code
+Nov 23 14:53:06-102430 gnunet-rest-server-30299 ERROR Error: Missing openid scope
+Nov 23 14:54:04-248567 gnunet-rest-server-30798 ERROR Error: Missing openid scope
+Nov 23 14:56:12-809322 gnunet-rest-server-31914 ERROR Error: Missing openid scope
+Nov 23 14:56:39-819194 gnunet-rest-server-31914 ERROR Error: Missing openid scope
+Nov 23 14:58:38-889573 gnunet-rest-server-601 ERROR Error: Missing openid scope
+Nov 30 11:59:42-727619 gnunet-rest-server-9307 ERROR (null)Nov 30 12:00:28-889186 gnunet-rest-server-9307 ERROR (null)Nov 30 12:01:56-950658 gnunet-rest-server-10445 ERROR con_handle: /idp/authorize
+Nov 30 12:01:56-982304 gnunet-rest-server-10445 ERROR url: /idp/authorize
+Nov 30 12:08:22-749785 gnunet-rest-server-11652 ERROR con_handle: /idp/authorize
+Nov 30 12:08:22-782042 gnunet-rest-server-11652 ERROR url: /idp/authorize
+Nov 30 12:39:51-816632 gnunet-rest-server-14500 ERROR url: /idp/authorize
+Dec 04 09:51:02-313753 gnunet-rest-server-1974 ERROR No default ego configured in identity service
+Dec 04 09:51:09-311601 gnunet-rest-server-1974 ERROR No default ego configured in identity service
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 11:58:11-490711 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 11:58:11-508689 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 11:58:11-511015 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 12:38:15-960444 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 12:38:16-003695 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 12:38:16-021887 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 12:38:29-977580 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 12:38:30-008002 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 12:38:30-036167 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 12:43:23-654462 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 12:43:23-655070 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 12:43:23-665165 gnunet-rest-server-6760 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 13:06:56-306701 gnunet-rest-server-9599 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 13:06:56-326200 gnunet-rest-server-9599 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 13:06:56-331741 gnunet-rest-server-9599 ERROR MHD encountered error handling request: 1
+Dec 04 13:09:56-080335 gnunet-rest-server-10794 ERROR URL (response_type=code)
+Dec 04 13:12:49-565164 gnunet-rest-server-11931 ERROR URL (response_type=code)
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 13:12:49-586734 gnunet-rest-server-11931 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 13:12:49-592627 gnunet-rest-server-11931 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 13:12:49-601007 gnunet-rest-server-11931 ERROR MHD encountered error handling request: 1
+Dec 04 13:15:25-370395 gnunet-rest-server-13261 ERROR URL (acr_values=true)
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 13:15:25-395382 gnunet-rest-server-13261 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 13:15:25-399622 gnunet-rest-server-13261 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 13:15:25-408151 gnunet-rest-server-13261 ERROR MHD encountered error handling request: 1
+Dec 04 13:36:24-427812 gnunet-rest-server-15336 ERROR URL (?response_type=code&client_id=test&scope=openid email&redirect_uri=https://google.com&nonce=11111&ui_locales=test&)
+Failed to send data in request for `/idp/tickets/testego'.
+Dec 04 13:36:24-450636 gnunet-rest-server-15336 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/idp/attributes/testego'.
+Dec 04 13:36:24-456164 gnunet-rest-server-15336 ERROR MHD encountered error handling request: 1
+Failed to send data in request for `/names/'.
+Dec 04 13:36:24-461431 gnunet-rest-server-15336 ERROR MHD encountered error handling request: 1 +Dec 04 13:39:02-052691 gnunet-rest-server-16482 ERROR URL (?response_type=code&client_id=test&scope=openid email&redirect_uri=https://google.com&nonce=1111&ui_locales=test&acr_values=true) +Dec 04 15:27:43-226881 gnunet-rest-server-16482 ERROR URL (?response_type=code&client_id=test&scope=openid email&redirect_uri=https://google.com&nonce=11111&ui_locales=test&acr_values=true) diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index 1bef87ace..1ad0aef42 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c @@ -70,7 +70,6 @@ */ #define GNUNET_REST_API_NS_AUTHORIZE "/idp/authorize" - /** * Attribute key */ @@ -97,6 +96,55 @@ */ #define ID_REST_STATE_POST_INIT 1 +/** + * OIDC response_type key + */ +#define OIDC_RESPONSE_TYPE_KEY "response_type" + +/** + * OIDC client_id key + */ +#define OIDC_CLIENT_ID_KEY "client_id" + +/** + * OIDC scope key + */ +#define OIDC_SCOPE_KEY "scope" + +/** + * OIDC redirect_uri key + */ +#define OIDC_REDIRECT_URI_KEY "redirect_uri" + +/** + * OIDC state key + */ +#define OIDC_STATE_KEY "state" + +/** + * OIDC nonce key + */ +#define OIDC_NONCE_KEY "nonce" + +/** + * OIDC expected response_type while authorizing + */ +#define OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE "code" + +/** + * OIDC expected scope part while authorizing + */ +#define OIDC_EXPECTED_AUTHORIZATION_SCOPE "openid" + + +/** + * OIDC ignored parameter array + */ +char* OIDC_ignored_parameter_array [] = +{ + "display", "prompt", "max_age", "ui_locales", "response_mode", + "id_token_hint", "login_hint", "acr_values" +}; /** * The configuration handle 
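Review bot: src/identity-provider/logfile.txt is a runtime log captured from gnunet-rest-server, not a source file, and adding it to the tree is almost certainly unintended. The three `free(): invalid pointer` lines at its top record a memory-corruption crash in gnunet-rest-server; that evidence belongs in a bug report with a backtrace, not in a committed artifact where it will go stale. If the log is still useful for the "--commit still broken" debugging, keep it out of the repository and add the file name to the ignore list so it does not come back with the next `git add`.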
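Review bot: `char* OIDC_ignored_parameter_array [] = { ... }` defines a writable global with external linkage inside a loadable plugin, so the symbol can collide with another plugin's and any code in the process can rewrite the parameter names the authorize path matches against. Declare it file-local and read-only, `static const char *const OIDC_ignored_parameter_array[] = { ... };`, which is also what the surrounding `#define` constants imply. The Doxygen block above it would help more if it stated what "ignored" means in this plugin, e.g. `OIDC request parameters this implementation does not support and therefore does not honour`, since the name alone does not say whether their presence is tolerated or rejected.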
@@ -799,10 +847,10 @@ revoke_ticket_cont (struct GNUNET_REST_RequestHandle *con_handle, strlen (rnd_str), &ticket.rnd, sizeof (uint64_t)); - GNUNET_STRINGS_string_to_data (identity_str, - strlen (identity_str), - &ticket.identity, - sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); +// GNUNET_STRINGS_string_to_data (identity_str, +// strlen (identity_str), +// &ticket.identity,type filter text +// sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)); GNUNET_STRINGS_string_to_data (audience_str, strlen (audience_str), &ticket.audience, 
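Review bot: Commenting out the `GNUNET_STRINGS_string_to_data (identity_str, ...)` call leaves `ticket.identity` without the value decoded from the request while `ticket.rnd` and `ticket.audience` are still filled in; unless the ticket is zeroed or the identity is assigned elsewhere (its declaration and the code that uses the ticket are outside this hunk), the rest of revoke_ticket_cont works on an indeterminate identity. The commented line `&ticket.identity,type filter text` also carries a pasted editor artifact. Either keep the decode or delete the four dead lines and add a comment stating where the identity now comes from, e.g. `/* identity is taken from the caller's ego, not from the URL */` if that is the intent. Independently, none of the `GNUNET_STRINGS_string_to_data` results in this hunk are checked, so a malformed `rnd` or `audience` string from the URL silently yields a partially filled ticket; testing each for `GNUNET_OK` and returning an error would close that.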
@@ -1030,88 +1078,120 @@ authorize_cont (struct GNUNET_REST_RequestHandle *con_handle, const char* url, void *cls) { + struct MHD_Response *resp; + struct RequestHandle *handle = cls; + char *response_type, *client_id, *scope, *redirect_uri, *state, *nonce; //TODO clean up method + /** The Authorization Server MUST validate all the OAuth 2.0 parameters + * according to the OAuth 2.0 specification. + */ + /** The Authorization Server MUST verify that all the REQUIRED parameters + * are present and their usage conforms to this specification. + */ + /** + * If the sub (subject) Claim is requested with a specific value for the + * ID Token, the Authorization Server MUST only send a positive response + * if the End-User identified by that sub value has an active session with + * the Authorization Server or has been Authenticated as a result of the + * request. The Authorization Server MUST NOT reply with an ID Token or + * Access Token for a different user, even if they have an active session + * with the Authorization Server. Such a request can be made either using + * an id_token_hint parameter or by requesting a specific Claim Value as + * described in Section 5.5.1, if the claims parameter is supported by + * the implementation. + */ - // The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification. - // The Authorization Server MUST verify that all the REQUIRED parameters are present and their usage conforms to this specification. - // If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request. The Authorization Server MUST NOT reply with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server. 
Such a request can be made either using an id_token_hint parameter or by requesting a specific Claim Value as described in Section 5.5.1, if the claims parameter is supported by the implementation. + int size=sizeof(OIDC_ignored_parameter_array)/sizeof(char *); + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Size %i = 8\n", size); - struct MHD_Response *resp; - struct RequestHandle *handle = cls; + struct GNUNET_HashCode cache_key; - /* - * response_type 0 - * client_id 1 - * scope 2 - * redirect_uri 3 - * state 4 - * nonce 5 - * display 6 - * prompt 7 - * max_age 8 - * ui_locales 9 - * response_mode 10 - * id_token_hint 11 - * login_hint 12 - * acr_values 13 - */ - char* array[] = { "response_type", "client_id", "scope", "redirect_uri", - "state", "nonce", "display", "prompt", "max_age", "ui_locales", - "response_mode", "id_token_hint","login_hint", "acr_values" }; - int array_size=14; - int bool_array[array_size]; + GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY), + &cache_key); + if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, + &cache_key)) + { + //TODO error - struct GNUNET_HashCode cache_key; + } + response_type = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, + &cache_key); - //iterates over each parameter and store used values in array array[] - int iterator; - for( iterator = 0; iteratorrest_handle->url_param_map, &cache_key); - bool_array[iterator]=0; - if(cache!=0){ - size_t size=strlen(cache)+1; - array[iterator]=(char*)malloc(size*sizeof(char)); - strncpy(array[iterator],cache,size); - bool_array[iterator]=1; - } + + GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY), + &cache_key); + if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, + &cache_key)) + { + //TODO error } + client_id = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, + &cache_key); - /* MUST validate all the OAuth 2.0 
parameters & that all the - * REQUIRED parameters are present and their usage conforms to this specification - */ - GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (array[iterator]), &cache_key); + + GNUNET_CRYPTO_hash (OIDC_SCOPE_KEY, strlen (OIDC_SCOPE_KEY), &cache_key); if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, - &key)) + &cache_key)) { - handle->emsg=GNUNET_strdup("invalid_request"); - handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; - GNUNET_SCHEDULER_add_now (&do_error, handle); - return; + //TODO error } - response_type = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, - &key); + scope = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, + &cache_key); - //required values: response_type, client_id, scope, redirect_uri - if(!bool_array[0] || !bool_array[1] || !bool_array[2] || !bool_array[3]){ - handle->emsg=GNUNET_strdup("invalid_request"); - handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; - GNUNET_SCHEDULER_add_now (&do_error, handle); - return; + GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), + &cache_key); + if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, + &cache_key)) + { + //TODO error + } + redirect_uri = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, + &cache_key); + + GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key); + if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, + &cache_key)) + { + //TODO error } + state = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, + &cache_key); + + GNUNET_CRYPTO_hash (OIDC_NONCE_KEY, strlen (OIDC_NONCE_KEY), &cache_key); + if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, + &cache_key)) + { + //TODO error + } + nonce = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, 
+ &cache_key); + + int iterator; + for( iterator = 0; iterator < size; iterator++ ) + { + GNUNET_CRYPTO_hash (OIDC_ignored_parameter_array[iterator], + strlen(OIDC_ignored_parameter_array[iterator]), + &cache_key); + if(GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains(handle->rest_handle->url_param_map, + &cache_key)) + { + //TODO error + } + } + + //response_type = code - if(strcmp(array[0],"code")!=0){ - handle->emsg=GNUNET_strdup("invalid_response_type"); - handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; - GNUNET_SCHEDULER_add_now (&do_error, handle); - return; + if( strcmp( response_type, OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE ) != 0 ) + { + //TODO error } //scope contains openid - if(strstr(array[2],"openid")==NULL){ + if( strstr( scope, OIDC_EXPECTED_AUTHORIZATION_SCOPE ) == NULL ) + { handle->emsg=GNUNET_strdup("invalid_scope"); handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; GNUNET_SCHEDULER_add_now (&do_error, handle); @@ -1121,7 +1201,7 @@ authorize_cont (struct GNUNET_REST_RequestHandle *con_handle, //TODO check other values and use them accordingly - char* redirect_url_to_login; + char* login_base_url; // if(){ // 
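Review bot: Every presence check for the OIDC parameters in this hunk ends in an empty `//TODO error` branch, so when `response_type` or `scope` is absent `GNUNET_CONTAINER_multihashmap_get` returns NULL and `strcmp (response_type, ...)` / `strstr (scope, ...)` dereference it; the removed lines returned `invalid_request` through `do_error` here, and that exit should be restored for the required parameters (`response_type`, `client_id`, `scope`, `redirect_uri`) before any of them is used, as sketched below (a 400 `MHD_HTTP_BAD_REQUEST` fits a client error better than the 500 kept for `invalid_scope`). `state` and `nonce` are not required for the code flow in the OIDC Core text the hunk itself quotes, and the loop over `OIDC_ignored_parameter_array` would turn requests carrying parameters the array's name says are ignored into errors, so those branches should not become `do_error` exits. Only the presence of `redirect_uri` is checked; its value is never compared with what is registered for `client_id`, which the authorization endpoint must do before it redirects there — if that check lives later in authorize_cont (the function continues past the hunk), a comment here saying so would help. `GNUNET_log (GNUNET_ERROR_TYPE_ERROR, "Size %i = 8\n", size);` is a leftover debug print at ERROR level and should be dropped.
```c
  GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY),
                      &cache_key);
  if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map,
                                                           &cache_key))
  {
    /* OAuth 2.0: a missing required parameter is invalid_request */
    handle->emsg = GNUNET_strdup ("invalid_request");
    handle->response_code = MHD_HTTP_BAD_REQUEST;
    GNUNET_SCHEDULER_add_now (&do_error, handle);
    return;
  }
  response_type = GNUNET_CONTAINER_multihashmap_get (handle->rest_handle->url_param_map,
                                                     &cache_key);
  /* … same lookup and error return for client_id, scope and redirect_uri … */
  /* … state and nonce: lookup only, left NULL when absent … */
  /* … unchanged: response_type and scope value checks … */
```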
@@ -1131,67 +1211,29 @@ authorize_cont (struct GNUNET_REST_RequestHandle *con_handle, if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin", "address", - &redirect_url_to_login)){ - - char* build_array[] = { "response_type", "client_id", "scope", "redirect_uri", - "state", "nonce", "display", "prompt", "max_age", "ui_locales", - "response_mode", "id_token_hint","login_hint", "acr_values" }; - GNUNET_asprintf (new_redirect, "%s=%s&...", + &login_base_url)) + { + char* new_redirect; + GNUNET_asprintf (&new_redirect, "%s?%s=%s&%s=%s&%s=%s&%s=%s&%s=%s&%s=%s", + login_base_url, + OIDC_RESPONSE_TYPE_KEY, response_type, + OIDC_CLIENT_ID_KEY, client_id, OIDC_REDIRECT_URI_KEY, redirect_uri, - OIDC_CLIENT_ID_KEY, client_id, - ...); - size_t redirect_parameter_size= strlen("?"); - for(iterator=0;iteratoremsg=GNUNET_strdup("No server on localhost:8000"); handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; GNUNET_SCHEDULER_add_now (&do_error, handle); return; - // resp = GNUNET_REST_create_response (""); - // MHD_add_response_header (resp, "Location", array[3]); } handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); cleanup_handle (handle); - for(iterator=0; iterator