From: Schanzenbach, Martin Date: Thu, 1 Mar 2018 16:52:45 +0000 (+0100) Subject: -fixes X-Git-Tag: v0.11.0pre66~200 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0f495e52f9d0011d95658f22e4f403653ba94230;p=oweals%2Fgnunet.git -fixes --- diff --git a/src/gns/gnunet-gns-proxy.c b/src/gns/gnunet-gns-proxy.c index 591dff04f..ba162c5e3 100644 --- a/src/gns/gnunet-gns-proxy.c +++ b/src/gns/gnunet-gns-proxy.c @@ -2246,6 +2246,8 @@ generate_gns_certificate (const char *name) sizeof (serial)); etime = time (NULL); tm_data = localtime (&etime); + tm_data->tm_hour--; + etime = mktime(tm_data); gnutls_x509_crt_set_activation_time (request, etime); tm_data->tm_year++; diff --git a/src/identity-provider/identity-provider.conf b/src/identity-provider/identity-provider.conf index 7ee5e50d8..b78af3553 100644 --- a/src/identity-provider/identity-provider.conf +++ b/src/identity-provider/identity-provider.conf @@ -12,5 +12,11 @@ UNIX_MATCH_GID = YES TOKEN_EXPIRATION_INTERVAL = 30 m DATABASE = sqlite +[identity-rest-plugin] +#ADDRESS = https://identity.gnu:8000#/login +ADDRESS = https://identity.gnu/ui/#/login +PSW = secret +EXPIRATION_TIME = 3600 + [identity-provider-sqlite] FILENAME = $GNUNET_DATA_HOME/identity-provider/sqlite.db diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index ef50077f5..3f9279d5c 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c @@ -378,6 +378,11 @@ struct RequestHandle */ struct GNUNET_IDENTITY_PROVIDER_TicketIterator *ticket_it; + /** + * A ticket + */ + struct GNUNET_IDENTITY_PROVIDER_Ticket ticket; + /** * Desired timeout for the lookup (default is no timeout). */ @@ -1444,43 +1449,79 @@ oidc_iteration_error (void *cls) GNUNET_SCHEDULER_add_now (&do_error, handle); } +static void get_client_name_result (void *cls, + const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone, + const char *label, + unsigned int rd_count, + const struct GNUNET_GNSRECORD_Data *rd) +{ + struct RequestHandle *handle = cls; + struct MHD_Response *resp; + char *ticket_str; + char *redirect_uri; + char *code_json_string; + char *code_base64_final_string; + char *redirect_path; + char *tmp; + ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket, + sizeof (struct GNUNET_IDENTITY_PROVIDER_Ticket)); + //TODO change if more attributes are needed (see max_age) + GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}", + ticket_str, + (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "", + (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "", + (NULL != handle->oidc->nonce) ? "\"" : ""); + code_base64_final_string = base_64_encode(code_json_string); + tmp = GNUNET_strdup (handle->oidc->redirect_uri); + redirect_path = strtok (tmp, "/"); + redirect_path = strtok (NULL, "/"); + redirect_path = strtok (NULL, "/"); + GNUNET_asprintf (&redirect_uri, "https://%s.gnu/%s?%s=%s&state=%s", + label, + redirect_path, + handle->oidc->response_type, + code_base64_final_string, handle->oidc->state); + resp = GNUNET_REST_create_response (""); + MHD_add_response_header (resp, "Location", redirect_uri); + handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); + GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); + GNUNET_free (tmp); + GNUNET_free (redirect_uri); + GNUNET_free (ticket_str); + GNUNET_free (code_json_string); + GNUNET_free (code_base64_final_string); + return; +} + +static void +get_client_name_error (void *cls) +{ + struct RequestHandle *handle = cls; + + handle->emsg = GNUNET_strdup("server_error"); + handle->edesc = GNUNET_strdup("Server cannot generate ticket, no name found for client."); + GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); +} + /** * Issues ticket and redirects to relying party with the authorization code as * parameter. Otherwise redirects with error */ static void oidc_ticket_issue_cb (void* cls, - const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket) + const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket) { struct RequestHandle *handle = cls; - struct MHD_Response *resp; - char *ticket_str; - char *redirect_uri; - char *code_json_string; - char *code_base64_final_string; handle->idp_op = NULL; - resp = GNUNET_REST_create_response (""); + handle->ticket = *ticket; if (NULL != ticket) { - ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket, - sizeof (struct GNUNET_IDENTITY_PROVIDER_Ticket)); - //TODO change if more attributes are needed (see max_age) - GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}", - ticket_str, - (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "", - (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "", - (NULL != handle->oidc->nonce) ? "\"" : ""); - code_base64_final_string = base_64_encode(code_json_string); - GNUNET_asprintf (&redirect_uri, "%s?%s=%s&state=%s", - handle->oidc->redirect_uri, - handle->oidc->response_type, - code_base64_final_string, handle->oidc->state); - MHD_add_response_header (resp, "Location", redirect_uri); - handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND); - GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle); - GNUNET_free (redirect_uri); - GNUNET_free (ticket_str); - GNUNET_free (code_json_string); - GNUNET_free (code_base64_final_string); + GNUNET_NAMESTORE_zone_to_name (handle->namestore_handle, + &handle->priv_key, + &handle->oidc->client_pkey, + &get_client_name_error, + handle, + &get_client_name_result, + handle); return; } handle->emsg = GNUNET_strdup("server_error"); @@ -1502,11 +1543,11 @@ oidc_collect_finished_cb (void *cls) return; } handle->idp_op = GNUNET_IDENTITY_PROVIDER_ticket_issue (handle->idp, - &handle->priv_key, - &handle->oidc->client_pkey, - handle->attr_list, - &oidc_ticket_issue_cb, - handle); + &handle->priv_key, + &handle->oidc->client_pkey, + handle->attr_list, + &oidc_ticket_issue_cb, + handle); } @@ -1515,8 +1556,8 @@ oidc_collect_finished_cb (void *cls) */ static void oidc_attr_collect (void *cls, - const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, - const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr) + const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, + const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr) { struct RequestHandle *handle = cls; struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le; @@ -1550,9 +1591,9 @@ oidc_attr_collect (void *cls, le = GNUNET_new(struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry); le->claim = GNUNET_IDENTITY_ATTRIBUTE_claim_new (attr->name, attr->type, - attr->data, attr->data_size); + attr->data, attr->data_size); GNUNET_CONTAINER_DLL_insert(handle->attr_list->list_head, - handle->attr_list->list_tail, le); + handle->attr_list->list_tail, le); GNUNET_IDENTITY_PROVIDER_get_attributes_next (handle->attr_it); } @@ -1574,50 +1615,50 @@ login_check (void *cls) GNUNET_free(identity_cookie); //No login time for identity -> redirect to login if ( GNUNET_YES - == GNUNET_CONTAINER_multihashmap_contains (OIDC_identity_login_time, - &cache_key) ) + == GNUNET_CONTAINER_multihashmap_contains (OIDC_identity_login_time, + &cache_key) ) { relog_time = GNUNET_CONTAINER_multihashmap_get (OIDC_identity_login_time, - &cache_key); + &cache_key); current_time = GNUNET_TIME_absolute_get (); // 30 min after old login -> redirect to login if ( current_time.abs_value_us <= relog_time->abs_value_us ) { if ( GNUNET_OK - != GNUNET_CRYPTO_ecdsa_public_key_from_string ( - handle->oidc->login_identity, - strlen (handle->oidc->login_identity), &pubkey) ) + != GNUNET_CRYPTO_ecdsa_public_key_from_string ( + handle->oidc->login_identity, + strlen (handle->oidc->login_identity), &pubkey) ) { - handle->emsg = GNUNET_strdup("invalid_cookie"); - handle->edesc = GNUNET_strdup( - "The cookie of a login identity is not valid"); - GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); - return; + handle->emsg = GNUNET_strdup("invalid_cookie"); + handle->edesc = GNUNET_strdup( + "The cookie of a login identity is not valid"); + GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); + return; } // iterate over egos and compare their public key for (handle->ego_entry = handle->ego_head; - NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next) + NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next) { - GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &ego_pkey); - if ( 0 - == memcmp (&ego_pkey, &pubkey, - sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) - { - handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key ( - handle->ego_entry->ego); - handle->resp_object = GNUNET_JSONAPI_document_new (); - handle->idp = GNUNET_IDENTITY_PROVIDER_connect (cfg); - handle->attr_list = GNUNET_new( - struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList); - handle->attr_it = GNUNET_IDENTITY_PROVIDER_get_attributes_start ( - handle->idp, &handle->priv_key, &oidc_iteration_error, handle, - &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle); - return; - } + GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, &ego_pkey); + if ( 0 + == memcmp (&ego_pkey, &pubkey, + sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) + { + handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key ( + handle->ego_entry->ego); + handle->resp_object = GNUNET_JSONAPI_document_new (); + handle->idp = GNUNET_IDENTITY_PROVIDER_connect (cfg); + handle->attr_list = GNUNET_new( + struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList); + handle->attr_it = GNUNET_IDENTITY_PROVIDER_get_attributes_start ( + handle->idp, &handle->priv_key, &oidc_iteration_error, handle, + &oidc_attr_collect, handle, &oidc_collect_finished_cb, handle); + return; + } } handle->emsg = GNUNET_strdup("invalid_cookie"); handle->edesc = GNUNET_strdup( - "The cookie of the login identity is not valid"); + "The cookie of the login identity is not valid"); GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); return; } @@ -1632,9 +1673,9 @@ login_check (void *cls) */ static void namestore_iteration_callback ( - void *cls, const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_key, - const char *rname, unsigned int rd_len, - const struct GNUNET_GNSRECORD_Data *rd) + void *cls, const struct GNUNET_CRYPTO_EcdsaPrivateKey *zone_key, + const char *rname, unsigned int rd_len, + const struct GNUNET_GNSRECORD_Data *rd) { struct RequestHandle *handle = cls; struct GNUNET_CRYPTO_EcdsaPublicKey login_identity_pkey; @@ -1649,28 +1690,28 @@ namestore_iteration_callback ( if ( NULL != handle->oidc->login_identity ) { GNUNET_CRYPTO_ecdsa_public_key_from_string ( - handle->oidc->login_identity, - strlen (handle->oidc->login_identity), - &login_identity_pkey); + handle->oidc->login_identity, + strlen (handle->oidc->login_identity), + &login_identity_pkey); GNUNET_IDENTITY_ego_get_public_key (handle->ego_entry->ego, - ¤t_zone_pkey); + ¤t_zone_pkey); if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, - sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) + sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) { - if ( 0 == memcmp (&login_identity_pkey, ¤t_zone_pkey, - sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) - { - handle->oidc->is_client_trusted = GNUNET_YES; - } + if ( 0 == memcmp (&login_identity_pkey, ¤t_zone_pkey, + sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) + { + handle->oidc->is_client_trusted = GNUNET_YES; + } } } else { if ( 0 == memcmp (rd[i].data, &handle->oidc->client_pkey, - sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) + sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) ) { - handle->oidc->is_client_trusted = GNUNET_YES; + handle->oidc->is_client_trusted = GNUNET_YES; } } } @@ -1701,24 +1742,24 @@ static void namestore_iteration_finished (void *cls) { handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego); handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (handle->namestore_handle, &handle->priv_key, - &oidc_iteration_error, handle, &namestore_iteration_callback, handle, - &namestore_iteration_finished, handle); + &oidc_iteration_error, handle, &namestore_iteration_callback, handle, + &namestore_iteration_finished, handle); return; } if (GNUNET_NO == handle->oidc->is_client_trusted) { handle->emsg = GNUNET_strdup("unauthorized_client"); handle->edesc = GNUNET_strdup("The client is not authorized to request an " - "authorization code using this method."); + "authorization code using this method."); GNUNET_SCHEDULER_add_now (&do_error, handle); return; } // REQUIRED value: redirect_uri GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), - &cache_key); + &cache_key); if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, - &cache_key)) + &cache_key)) { handle->emsg=GNUNET_strdup("invalid_request"); handle->edesc=GNUNET_strdup("missing parameter redirect_uri"); @@ -1726,7 +1767,7 @@ static void namestore_iteration_finished (void *cls) return; } handle->oidc->redirect_uri = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, - &cache_key); + &cache_key); GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey", handle->oidc->client_id); // verify the redirect uri matches https://.zkey[/xyz] @@ -1744,9 +1785,9 @@ static void namestore_iteration_finished (void *cls) GNUNET_free(expected_redirect_uri); // REQUIRED value: response_type GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY), - &cache_key); + &cache_key); if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, - &cache_key)) + &cache_key)) { handle->emsg=GNUNET_strdup("invalid_request"); handle->edesc=GNUNET_strdup("missing parameter response_type"); @@ -1754,13 +1795,13 @@ static void namestore_iteration_finished (void *cls) return; } handle->oidc->response_type = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, - &cache_key); + &cache_key); handle->oidc->response_type = GNUNET_strdup (handle->oidc->response_type); // REQUIRED value: scope GNUNET_CRYPTO_hash (OIDC_SCOPE_KEY, strlen (OIDC_SCOPE_KEY), &cache_key); if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, - &cache_key)) + &cache_key)) { handle->emsg=GNUNET_strdup("invalid_request"); handle->edesc=GNUNET_strdup("missing parameter scope"); @@ -1768,16 +1809,16 @@ static void namestore_iteration_finished (void *cls) return; } handle->oidc->scope = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, - &cache_key); + &cache_key); handle->oidc->scope = GNUNET_strdup(handle->oidc->scope); //OPTIONAL value: nonce GNUNET_CRYPTO_hash (OIDC_NONCE_KEY, strlen (OIDC_NONCE_KEY), &cache_key); if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, - &cache_key)) + &cache_key)) { handle->oidc->nonce = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, - &cache_key); + &cache_key); handle->oidc->nonce = GNUNET_strdup (handle->oidc->nonce); } @@ -1786,14 +1827,14 @@ static void namestore_iteration_finished (void *cls) for( iterator = 0; iterator < number_of_ignored_parameter; iterator++ ) { GNUNET_CRYPTO_hash (OIDC_ignored_parameter_array[iterator], - strlen(OIDC_ignored_parameter_array[iterator]), - &cache_key); + strlen(OIDC_ignored_parameter_array[iterator]), + &cache_key); if(GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains(handle->rest_handle->url_param_map, - &cache_key)) + &cache_key)) { handle->emsg=GNUNET_strdup("access_denied"); GNUNET_asprintf (&handle->edesc, "Server will not handle parameter: %s", - OIDC_ignored_parameter_array[iterator]); + OIDC_ignored_parameter_array[iterator]); GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); return; } @@ -1804,7 +1845,7 @@ static void namestore_iteration_finished (void *cls) { handle->emsg=GNUNET_strdup("unsupported_response_type"); handle->edesc=GNUNET_strdup("The authorization server does not support " - "obtaining this authorization code."); + "obtaining this authorization code."); GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); return; } @@ -1825,7 +1866,7 @@ static void namestore_iteration_finished (void *cls) { handle->emsg = GNUNET_strdup("invalid_scope"); handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or " - "malformed."); + "malformed."); GNUNET_SCHEDULER_add_now (&do_redirect_error, handle); GNUNET_free(expected_scope); return; @@ -1851,8 +1892,8 @@ static void namestore_iteration_finished (void *cls) */ static void authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, - const char* url, - void *cls) + const char* url, + void *cls) { struct RequestHandle *handle = cls; struct GNUNET_HashCode cache_key; @@ -1862,18 +1903,18 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, //RECOMMENDED value: state - REQUIRED for answers GNUNET_CRYPTO_hash (OIDC_STATE_KEY, strlen (OIDC_STATE_KEY), &cache_key); if (GNUNET_YES == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, - &cache_key)) + &cache_key)) { handle->oidc->state = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, - &cache_key); + &cache_key); handle->oidc->state = GNUNET_strdup (handle->oidc->state); } // REQUIRED value: client_id GNUNET_CRYPTO_hash (OIDC_CLIENT_ID_KEY, strlen (OIDC_CLIENT_ID_KEY), - &cache_key); + &cache_key); if (GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->url_param_map, - &cache_key)) + &cache_key)) { handle->emsg=GNUNET_strdup("invalid_request"); handle->edesc=GNUNET_strdup("missing parameter client_id"); @@ -1882,17 +1923,17 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } handle->oidc->client_id = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, - &cache_key); + &cache_key); handle->oidc->client_id = GNUNET_strdup (handle->oidc->client_id); if ( GNUNET_OK - != GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id, - strlen (handle->oidc->client_id), - &handle->oidc->client_pkey) ) + != GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id, + strlen (handle->oidc->client_id), + &handle->oidc->client_pkey) ) { handle->emsg = GNUNET_strdup("unauthorized_client"); handle->edesc = GNUNET_strdup("The client is not authorized to request an " - "authorization code using this method."); + "authorization code using this method."); handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR; GNUNET_SCHEDULER_add_now (&do_error, handle); return; @@ -1914,9 +1955,9 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle, // Checks if client_id is valid: handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start ( - handle->namestore_handle, &handle->priv_key, &oidc_iteration_error, - handle, &namestore_iteration_callback, handle, - &namestore_iteration_finished, handle); + handle->namestore_handle, &handle->priv_key, &oidc_iteration_error, + handle, &namestore_iteration_callback, handle, + &namestore_iteration_finished, handle); } /** @@ -1940,7 +1981,10 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, json_t *root; json_error_t error; json_t *identity; - root = json_loads (handle->rest_handle->data, 0, &error); + char term_data[handle->rest_handle->data_size+1]; + term_data[handle->rest_handle->data_size] = '\0'; + GNUNET_memcpy (term_data, handle->rest_handle->data, handle->rest_handle->data_size); + root = json_loads (term_data, JSON_DECODE_ANY, &error); identity = json_object_get (root, "identity"); if ( json_is_string(identity) ) { @@ -1951,16 +1995,16 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, current_time = GNUNET_new(struct GNUNET_TIME_Absolute); *current_time = GNUNET_TIME_relative_to_absolute ( - GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_minute_ (), - 30)); + GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_minute_ (), + 30)); last_time = GNUNET_CONTAINER_multihashmap_get(OIDC_identity_login_time, &cache_key); if (NULL != last_time) { GNUNET_free(last_time); } GNUNET_CONTAINER_multihashmap_put ( - OIDC_identity_login_time, &cache_key, current_time, - GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE); + OIDC_identity_login_time, &cache_key, current_time, + GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE); handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); GNUNET_free(cookie); @@ -2006,10 +2050,10 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, * Check Authorization */ GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, - strlen (OIDC_AUTHORIZATION_HEADER_KEY), - &cache_key); + strlen (OIDC_AUTHORIZATION_HEADER_KEY), + &cache_key); if ( GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (handle->rest_handle->header_param_map, - &cache_key) ) + &cache_key) ) { handle->emsg=GNUNET_strdup("invalid_client"); handle->edesc=GNUNET_strdup("missing authorization"); @@ -2066,8 +2110,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, //check client password if ( GNUNET_OK - == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin", - "psw", &expected_psw) ) + == GNUNET_CONFIGURATION_get_value_string (cfg, "identity-rest-plugin", + "psw", &expected_psw) ) { if (0 != strcmp (expected_psw, psw)) { @@ -2117,8 +2161,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, //REQUIRED grant_type GNUNET_CRYPTO_hash (OIDC_GRANT_TYPE_KEY, strlen (OIDC_GRANT_TYPE_KEY), &cache_key); if ( GNUNET_NO - == GNUNET_CONTAINER_multihashmap_contains ( - handle->rest_handle->url_param_map, &cache_key) ) + == GNUNET_CONTAINER_multihashmap_contains ( + handle->rest_handle->url_param_map, &cache_key) ) { GNUNET_free_non_null(user_psw); handle->emsg = GNUNET_strdup("invalid_request"); @@ -2128,13 +2172,13 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } grant_type = GNUNET_CONTAINER_multihashmap_get ( - handle->rest_handle->url_param_map, &cache_key); + handle->rest_handle->url_param_map, &cache_key); //REQUIRED code GNUNET_CRYPTO_hash (OIDC_CODE_KEY, strlen (OIDC_CODE_KEY), &cache_key); if ( GNUNET_NO - == GNUNET_CONTAINER_multihashmap_contains ( - handle->rest_handle->url_param_map, &cache_key) ) + == GNUNET_CONTAINER_multihashmap_contains ( + handle->rest_handle->url_param_map, &cache_key) ) { GNUNET_free_non_null(user_psw); handle->emsg = GNUNET_strdup("invalid_request"); @@ -2144,14 +2188,14 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } code = GNUNET_CONTAINER_multihashmap_get (handle->rest_handle->url_param_map, - &cache_key); + &cache_key); //REQUIRED redirect_uri GNUNET_CRYPTO_hash (OIDC_REDIRECT_URI_KEY, strlen (OIDC_REDIRECT_URI_KEY), - &cache_key); + &cache_key); if ( GNUNET_NO - == GNUNET_CONTAINER_multihashmap_contains ( - handle->rest_handle->url_param_map, &cache_key) ) + == GNUNET_CONTAINER_multihashmap_contains ( + handle->rest_handle->url_param_map, &cache_key) ) { GNUNET_free_non_null(user_psw); handle->emsg = GNUNET_strdup("invalid_request"); @@ -2161,7 +2205,7 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } redirect_uri = GNUNET_CONTAINER_multihashmap_get ( - handle->rest_handle->url_param_map, &cache_key); + handle->rest_handle->url_param_map, &cache_key); //Check parameter grant_type == "authorization_code" @@ -2190,10 +2234,10 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, GNUNET_CRYPTO_hash (code, strlen (code), &cache_key); int i = 1; if ( GNUNET_SYSERR - == GNUNET_CONTAINER_multihashmap_put (OIDC_ticket_once, - &cache_key, - &i, - GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY) ) + == GNUNET_CONTAINER_multihashmap_put (OIDC_ticket_once, + &cache_key, + &i, + GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY) ) { GNUNET_free_non_null(user_psw); handle->emsg = GNUNET_strdup("invalid_request"); @@ -2223,10 +2267,10 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket = GNUNET_new(struct GNUNET_IDENTITY_PROVIDER_Ticket); if ( GNUNET_OK - != GNUNET_STRINGS_string_to_data (json_string_value(ticket_string), - strlen (json_string_value(ticket_string)), - ticket, - sizeof(struct GNUNET_IDENTITY_PROVIDER_Ticket))) + != GNUNET_STRINGS_string_to_data (json_string_value(ticket_string), + strlen (json_string_value(ticket_string)), + ticket, + sizeof(struct GNUNET_IDENTITY_PROVIDER_Ticket))) { GNUNET_free_non_null(user_psw); handle->emsg = GNUNET_strdup("invalid_request"); @@ -2253,8 +2297,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, //create jwt unsigned long long int expiration_time; if ( GNUNET_OK - != GNUNET_CONFIGURATION_get_value_number(cfg, "identity-rest-plugin", - "expiration_time", &expiration_time) ) + != GNUNET_CONFIGURATION_get_value_number(cfg, "identity-rest-plugin", + "expiration_time", &expiration_time) ) { GNUNET_free_non_null(user_psw); handle->emsg = GNUNET_strdup("server_error"); @@ -2268,45 +2312,45 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList); //aud REQUIRED public key client_id must be there GNUNET_IDENTITY_ATTRIBUTE_list_add(cl, - "aud", - GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, - client_id, - strlen(client_id)); + "aud", + GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, + client_id, + strlen(client_id)); //exp REQUIRED time expired from config struct GNUNET_TIME_Absolute exp_time = GNUNET_TIME_relative_to_absolute ( - GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), - expiration_time)); + GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (), + expiration_time)); const char* exp_time_string = GNUNET_STRINGS_absolute_time_to_string(exp_time); GNUNET_IDENTITY_ATTRIBUTE_list_add (cl, - "exp", - GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, - exp_time_string, - strlen(exp_time_string)); + "exp", + GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, + exp_time_string, + strlen(exp_time_string)); //iat REQUIRED time now struct GNUNET_TIME_Absolute time_now = GNUNET_TIME_absolute_get(); const char* time_now_string = GNUNET_STRINGS_absolute_time_to_string(time_now); GNUNET_IDENTITY_ATTRIBUTE_list_add (cl, - "iat", - GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, - time_now_string, - strlen(time_now_string)); + "iat", + GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, + time_now_string, + strlen(time_now_string)); //nonce only if nonce is provided if ( NULL != nonce && json_is_string(nonce) ) { GNUNET_IDENTITY_ATTRIBUTE_list_add (cl, - "nonce", - GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, - json_string_value(nonce), - strlen(json_string_value(nonce))); + "nonce", + GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, + json_string_value(nonce), + strlen(json_string_value(nonce))); } //auth_time only if max_age is provided if ( NULL != max_age && json_is_string(max_age) ) { GNUNET_IDENTITY_ATTRIBUTE_list_add (cl, - "auth_time", - GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, - json_string_value(max_age), - strlen(json_string_value(max_age))); + "auth_time", + GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING, + json_string_value(max_age), + strlen(json_string_value(max_age))); } //TODO OPTIONAL acr,amr,azp @@ -2330,8 +2374,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } char *id_token = jwt_create_from_list(&ticket->audience, - cl, - GNUNET_IDENTITY_ego_get_private_key(ego_entry->ego)); + cl, + GNUNET_IDENTITY_ego_get_private_key(ego_entry->ego)); //Create random access_token char* access_token_number; @@ -2342,26 +2386,26 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, GNUNET_STRINGS_base64_encode(access_token_number,strlen(access_token_number),&access_token); - + //TODO OPTIONAL add refresh_token and scope GNUNET_asprintf (&json_response, - "{ \"access_token\" : \"%s\", " - "\"token_type\" : \"Bearer\", " - "\"expires_in\" : %d, " - "\"id_token\" : \"%s\"}", - access_token, - expiration_time, - id_token); + "{ \"access_token\" : \"%s\", " + "\"token_type\" : \"Bearer\", " + "\"expires_in\" : %d, " + "\"id_token\" : \"%s\"}", + access_token, + expiration_time, + id_token); GNUNET_CRYPTO_hash(access_token, strlen(access_token), &cache_key); char *id_ticket_combination; GNUNET_asprintf(&id_ticket_combination, - "%s;%s", - client_id, - json_string_value(ticket_string)); + "%s;%s", + client_id, + json_string_value(ticket_string)); GNUNET_CONTAINER_multihashmap_put(OIDC_interpret_access_token, - &cache_key, - id_ticket_combination, - GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE); + &cache_key, + id_ticket_combination, + GNUNET_CONTAINER_MULTIHASHMAPOPTION_REPLACE); resp = GNUNET_REST_create_response (json_response); MHD_add_response_header (resp, "Cache-Control", "no-store"); @@ -2385,8 +2429,8 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, */ static void consume_ticket (void *cls, - const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, - const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr) + const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, + const struct GNUNET_IDENTITY_ATTRIBUTE_Claim *attr) { struct RequestHandle *handle = cls; @@ -2397,8 +2441,8 @@ consume_ticket (void *cls, } json_object_set_new (handle->oidc->response, - attr->name, - json_string(attr->data)); + attr->name, + json_string(attr->data)); } /** @@ -2410,7 +2454,7 @@ consume_ticket (void *cls, */ static void userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, - const char* url, void *cls) + const char* url, void *cls) { //TODO expiration time struct RequestHandle *handle = cls; @@ -2422,11 +2466,11 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket; GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, - strlen (OIDC_AUTHORIZATION_HEADER_KEY), - &cache_key); + strlen (OIDC_AUTHORIZATION_HEADER_KEY), + &cache_key); if ( GNUNET_NO - == GNUNET_CONTAINER_multihashmap_contains ( - handle->rest_handle->header_param_map, &cache_key) ) + == GNUNET_CONTAINER_multihashmap_contains ( + handle->rest_handle->header_param_map, &cache_key) ) { handle->emsg = GNUNET_strdup("invalid_token"); handle->edesc = GNUNET_strdup("No Access Token"); @@ -2435,7 +2479,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, return; } authorization = GNUNET_CONTAINER_multihashmap_get ( - handle->rest_handle->header_param_map, &cache_key); + handle->rest_handle->header_param_map, &cache_key); //split header in "Bearer" and access_token authorization = GNUNET_strdup(authorization); @@ -2461,10 +2505,10 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, } GNUNET_CRYPTO_hash (authorization_access_token, - strlen (authorization_access_token), - &cache_key); + strlen (authorization_access_token), + &cache_key); if ( GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains (OIDC_interpret_access_token, - &cache_key) ) + &cache_key) ) { handle->emsg = GNUNET_strdup("invalid_token"); handle->edesc = GNUNET_strdup("The Access Token expired"); @@ -2475,7 +2519,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, } client_ticket = GNUNET_CONTAINER_multihashmap_get(OIDC_interpret_access_token, - &cache_key); + &cache_key); client_ticket = GNUNET_strdup(client_ticket); client = strtok(client_ticket,delimiter_db); if (NULL == client) @@ -2519,10 +2563,10 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, } ticket = GNUNET_new(struct GNUNET_IDENTITY_PROVIDER_Ticket); if ( GNUNET_OK - != GNUNET_STRINGS_string_to_data (ticket_str, - strlen (ticket_str), - ticket, - sizeof(struct GNUNET_IDENTITY_PROVIDER_Ticket))) + != GNUNET_STRINGS_string_to_data (ticket_str, + strlen (ticket_str), + ticket, + sizeof(struct GNUNET_IDENTITY_PROVIDER_Ticket))) { handle->emsg = GNUNET_strdup("invalid_token"); handle->edesc = GNUNET_strdup("The Access Token expired"); @@ -2538,11 +2582,11 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, handle->oidc->response = json_object(); json_object_set_new( handle->oidc->response, "sub", json_string( handle->ego_entry->keystring)); handle->idp_op = GNUNET_IDENTITY_PROVIDER_ticket_consume ( - handle->idp, - GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego), - ticket, - consume_ticket, - handle); + handle->idp, + GNUNET_IDENTITY_ego_get_private_key (handle->ego_entry->ego), + ticket, + consume_ticket, + handle); GNUNET_free(ticket); GNUNET_free(authorization); GNUNET_free(client_ticket); @@ -2737,7 +2781,7 @@ libgnunet_plugin_rest_identity_provider_done (void *cls) struct GNUNET_CONTAINER_MultiHashMapIterator *hashmap_it; void *value = NULL; hashmap_it = GNUNET_CONTAINER_multihashmap_iterator_create ( - OIDC_identity_login_time); + OIDC_identity_login_time); while (GNUNET_YES == GNUNET_CONTAINER_multihashmap_iterator_next (hashmap_it, NULL, value)) {