From: Phil Date: Tue, 27 Feb 2018 14:58:05 +0000 (+0100) Subject: -fix userinfo_endpoint X-Git-Tag: v0.11.0pre66~201^2 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5af7ba146c11433abd67497ed170a8591948a722;p=oweals%2Fgnunet.git -fix userinfo_endpoint --- diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c index 9ba73ff1c..ef50077f5 100644 --- a/src/identity-provider/plugin_rest_identity_provider.c +++ b/src/identity-provider/plugin_rest_identity_provider.c @@ -19,6 +19,7 @@ */ /** * @author Martin Schanzenbach + * @author Philippe Buschmann * @file identity/plugin_rest_identity.c * @brief GNUnet Namestore REST plugin * @@ -234,6 +235,7 @@ struct Plugin { const struct GNUNET_CONFIGURATION_Handle *cfg; }; + /** * OIDC needed variables */ @@ -546,7 +548,8 @@ do_error (void *cls) /** - * Task run on error, sends error message. Cleans up everything. + * Task run on error in userinfo endpoint, sends error header. Cleans up + * everything * * @param cls the `struct RequestHandle` */ @@ -569,7 +572,7 @@ do_userinfo_error (void *cls) /** - * Task run on error, sends error message. Cleans up everything. + * Task run on error, sends error message and redirects. Cleans up everything. * * @param cls the `struct RequestHandle` */ @@ -673,6 +676,12 @@ return_userinfo_response (void *cls) cleanup_handle (handle); } +/** + * Returns base64 encoded string without padding + * + * @param string the string to encode + * @return base64 encoded string + */ static char* base_64_encode(char *string) { @@ -1328,13 +1337,13 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle, } /** - * Cookie interpretation + * Interprets cookie header and pass its identity keystring to handle */ static void cookie_identity_interpretation (struct RequestHandle *handle) { struct GNUNET_HashCode cache_key; - char* cookies; + char *cookies; struct GNUNET_TIME_Absolute current_time, *relog_time; char delimiter[] = "; "; @@ -1378,7 +1387,7 @@ cookie_identity_interpretation (struct RequestHandle *handle) } /** - * Login redirection + * Redirects to login page stored in configuration file */ static void login_redirection(void *cls) @@ -1424,7 +1433,7 @@ login_redirection(void *cls) } /** - * Function called if we had an error in zone-to-name mapping. + * Does internal server error when iteration failed. */ static void oidc_iteration_error (void *cls) @@ -1435,6 +1444,10 @@ oidc_iteration_error (void *cls) GNUNET_SCHEDULER_add_now (&do_error, handle); } +/** + * Issues ticket and redirects to relying party with the authorization code as + * parameter. Otherwise redirects with error + */ static void oidc_ticket_issue_cb (void* cls, const struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket) @@ -1498,7 +1511,7 @@ oidc_collect_finished_cb (void *cls) /** - * Collect all attributes for an ego + * Collects all attributes for an ego if in scope parameter */ static void oidc_attr_collect (void *cls, @@ -1545,7 +1558,7 @@ oidc_attr_collect (void *cls, /** - * Cookie and Time check + * Checks time and cookie and redirects accordingly */ static void login_check (void *cls) @@ -1612,7 +1625,8 @@ login_check (void *cls) } /** - * Create a response with requested records + * Searches for client_id in namestore. If found trust status stored in handle + * Else continues to search * * @param handle the RequestHandle */ @@ -1960,14 +1974,19 @@ login_cont (struct GNUNET_REST_RequestHandle *con_handle, return; } +/** + * Responds to token url-encoded POST request + * + * @param con_handle the connection handle + * @param url the url + * @param cls the RequestHandle + */ static void token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, const char* url, void *cls) { //TODO static strings - - //TODO WWW-Authenticate 401 struct RequestHandle *handle = cls; struct GNUNET_HashCode cache_key; char *authorization, *credentials; @@ -2291,7 +2310,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, } //TODO OPTIONAL acr,amr,azp - //TODO lookup client for client == audience of ticket struct EgoEntry *ego_entry; for (ego_entry = handle->ego_head; NULL != ego_entry; ego_entry = ego_entry->next) { @@ -2351,9 +2369,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, MHD_add_response_header (resp, "Content-Type", "application/json"); handle->proc (handle->proc_cls, resp, MHD_HTTP_OK); - //TODO one time ticket/code - - //TODO free GNUNET_IDENTITY_ATTRIBUTE_list_destroy(cl); GNUNET_free(access_token_number); GNUNET_free(access_token); @@ -2365,7 +2380,9 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle, GNUNET_SCHEDULER_add_now(&cleanup_handle_delayed, handle); } - +/** + * Collects claims and stores them in handle + */ static void consume_ticket (void *cls, const struct GNUNET_CRYPTO_EcdsaPublicKey *identity, @@ -2384,16 +2401,24 @@ consume_ticket (void *cls, json_string(attr->data)); } +/** + * Responds to userinfo GET and url-encoded POST request + * + * @param con_handle the connection handle + * @param url the url + * @param cls the RequestHandle + */ static void userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, const char* url, void *cls) { + //TODO expiration time struct RequestHandle *handle = cls; char delimiter[] = " "; char delimiter_db[] = ";"; struct GNUNET_HashCode cache_key; char *authorization, *authorization_type, *authorization_access_token; - char *client_ticket; + char *client_ticket, *client, *ticket_str; struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket; GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, @@ -2413,6 +2438,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, handle->rest_handle->header_param_map, &cache_key); //split header in "Bearer" and access_token + authorization = GNUNET_strdup(authorization); authorization_type = strtok (authorization, delimiter); if ( 0 != strcmp ("Bearer", authorization_type) ) { @@ -2420,6 +2446,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, handle->edesc = GNUNET_strdup("No Access Token"); handle->response_code = MHD_HTTP_UNAUTHORIZED; GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); + GNUNET_free(authorization); return; } authorization_access_token = strtok (NULL, delimiter); @@ -2429,6 +2456,7 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, handle->edesc = GNUNET_strdup("No Access Token"); handle->response_code = MHD_HTTP_UNAUTHORIZED; GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); + GNUNET_free(authorization); return; } @@ -2442,25 +2470,28 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, handle->edesc = GNUNET_strdup("The Access Token expired"); handle->response_code = MHD_HTTP_UNAUTHORIZED; GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); + GNUNET_free(authorization); return; } client_ticket = GNUNET_CONTAINER_multihashmap_get(OIDC_interpret_access_token, &cache_key); - - client_ticket = strtok(client_ticket,delimiter_db); - if (NULL == client_ticket) + client_ticket = GNUNET_strdup(client_ticket); + client = strtok(client_ticket,delimiter_db); + if (NULL == client) { handle->emsg = GNUNET_strdup("invalid_token"); handle->edesc = GNUNET_strdup("The Access Token expired"); handle->response_code = MHD_HTTP_UNAUTHORIZED; GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); + GNUNET_free(authorization); + GNUNET_free(client_ticket); return; } handle->ego_entry = handle->ego_head; for(; NULL != handle->ego_entry; handle->ego_entry = handle->ego_entry->next) { - if (0 == strcmp(handle->ego_entry->keystring,client_ticket)) + if (0 == strcmp(handle->ego_entry->keystring,client)) { break; } @@ -2471,21 +2502,25 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, handle->edesc = GNUNET_strdup("The Access Token expired"); handle->response_code = MHD_HTTP_UNAUTHORIZED; GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); + GNUNET_free(authorization); + GNUNET_free(client_ticket); return; } - client_ticket = strtok(NULL, delimiter_db); - if (NULL == client_ticket) + ticket_str = strtok(NULL, delimiter_db); + if (NULL == ticket_str) { handle->emsg = GNUNET_strdup("invalid_token"); handle->edesc = GNUNET_strdup("The Access Token expired"); handle->response_code = MHD_HTTP_UNAUTHORIZED; GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); + GNUNET_free(authorization); + GNUNET_free(client_ticket); return; } ticket = GNUNET_new(struct GNUNET_IDENTITY_PROVIDER_Ticket); if ( GNUNET_OK - != GNUNET_STRINGS_string_to_data (client_ticket, - strlen (client_ticket), + != GNUNET_STRINGS_string_to_data (ticket_str, + strlen (ticket_str), ticket, sizeof(struct GNUNET_IDENTITY_PROVIDER_Ticket))) { @@ -2494,6 +2529,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, handle->response_code = MHD_HTTP_UNAUTHORIZED; GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle); GNUNET_free(ticket); + GNUNET_free(authorization); + GNUNET_free(client_ticket); return; } @@ -2507,6 +2544,8 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle *con_handle, consume_ticket, handle); GNUNET_free(ticket); + GNUNET_free(authorization); + GNUNET_free(client_ticket); }