diff --git a/service/OneService.cpp b/service/OneService.cpp index 418921536..78dc65bd3 100644 --- a/service/OneService.cpp +++ b/service/OneService.cpp @@ -261,9 +261,7 @@ public: // fprintf(stderr, "Client ID: %s\n", _config.ssoClientID); // fprintf(stderr, "Central Auth URL: %s\n", _config.centralAuthURL); - char buf[17] = {}; _idc = zeroidc::zeroidc_new( - Utils::hex(_config.nwid, buf), _config.issuerURL, _config.ssoClientID, _config.centralAuthURL, diff --git a/zeroidc/src/ext.rs b/zeroidc/src/ext.rs index d39f82452..9bf0181bc 100644 --- a/zeroidc/src/ext.rs +++ b/zeroidc/src/ext.rs @@ -1,3 +1,15 @@ +/* + * Copyright (c)2021 ZeroTier, Inc. + * + * Use of this software is governed by the Business Source License included + * in the LICENSE.TXT file in the project's root directory. + * + * Change Date: 2025-01-01 + * + * On the date above, in accordance with the Business Source License, use + * of this software will be governed by version 2.0 of the Apache License. + */ + use std::ffi::{CStr, CString}; use std::os::raw::c_char; use url::{Url}; @@ -6,17 +18,11 @@ use crate::ZeroIDC; #[no_mangle] pub extern "C" fn zeroidc_new( - network_id: *const c_char, issuer: *const c_char, client_id: *const c_char, auth_endpoint: *const c_char, web_listen_port: u16, ) -> *mut ZeroIDC { - if network_id.is_null() { - println!("network_id is null"); - return std::ptr::null_mut(); - - } if issuer.is_null() { println!("issuer is null"); return std::ptr::null_mut(); @@ -32,12 +38,10 @@ pub extern "C" fn zeroidc_new( return std::ptr::null_mut(); } - let network_id = unsafe {CStr::from_ptr(network_id) }; let issuer = unsafe { CStr::from_ptr(issuer) }; let client_id = unsafe { CStr::from_ptr(client_id) }; let auth_endpoint = unsafe { CStr::from_ptr(auth_endpoint) }; match ZeroIDC::new( - network_id.to_str().unwrap(), issuer.to_str().unwrap(), client_id.to_str().unwrap(), auth_endpoint.to_str().unwrap(), @@ -101,24 +105,6 @@ pub extern "C" fn zeroidc_get_exp_time(ptr: *mut ZeroIDC) -> u64 { id.get_exp_time() } -// #[no_mangle] -// pub extern "C" fn zeroidc_process_form_post(ptr: *mut ZeroIDC, body: *const c_char) -> bool { -// let idc = unsafe { -// assert!(!ptr.is_null()); -// &mut *ptr -// }; - -// if body.is_null() { -// println!("body is null"); -// return false -// } - -// let body = unsafe { CStr::from_ptr(body) } -// .to_str().unwrap().to_string(); - -// false -// } - #[no_mangle] pub extern "C" fn zeroidc_set_nonce_and_csrf( ptr: *mut ZeroIDC, diff --git a/zeroidc/src/lib.rs b/zeroidc/src/lib.rs index 188064312..cedaf90c1 100644 --- a/zeroidc/src/lib.rs +++ b/zeroidc/src/lib.rs @@ -1,3 +1,15 @@ +/* + * Copyright (c)2021 ZeroTier, Inc. + * + * Use of this software is governed by the Business Source License included + * in the LICENSE.TXT file in the project's root directory. + * + * Change Date: 2025-01-01 + * + * On the date above, in accordance with the Business Source License, use + * of this software will be governed by version 2.0 of the Apache License. + */ + pub mod ext; extern crate base64; @@ -27,7 +39,6 @@ pub struct ZeroIDC { struct Inner { running: bool, - network_id: String, auth_endpoint: String, oidc_thread: Option>, oidc_client: Option, @@ -80,7 +91,6 @@ fn systemtime_strftime(dt: T, format: &str) -> String impl ZeroIDC { fn new( - network_id: &str, issuer: &str, client_id: &str, auth_ep: &str, @@ -89,7 +99,6 @@ impl ZeroIDC { let idc = ZeroIDC { inner: Arc::new(Mutex::new(Inner { running: false, - network_id: network_id.to_string(), auth_endpoint: auth_ep.to_string(), oidc_thread: None, oidc_client: None, @@ -162,7 +171,7 @@ impl ZeroIDC { // Keep a copy of the initial nonce used to get the tokens // Will be needed later when verifying the responses from refresh tokens let nonce = (*inner_local.lock().unwrap()).nonce.clone(); - + while running { let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time); let now = SystemTime::now(); @@ -200,6 +209,7 @@ impl ZeroIDC { } }; + // verify & validate claims let verified = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| { let claims = match id.claims(&c.id_token_verifier(), &n) { Ok(c) => c, @@ -271,6 +281,10 @@ impl ZeroIDC { let access_token = res.access_token(); let at = access_token.secret(); + // yes this function is called `dangerous_insecure_decode` + // and it doesn't validate the jwt token signature, + // but if we've gotten this far, our claims have already + // been validated up above let exp = dangerous_insecure_decode::(&at); if let Ok(e) = exp { @@ -350,10 +364,6 @@ impl ZeroIDC { } } - fn get_network_id(&mut self) -> String { - return (*self.inner.lock().unwrap()).network_id.clone(); - } - fn get_exp_time(&mut self) -> u64 { return (*self.inner.lock().unwrap()).exp_time; } @@ -438,6 +448,8 @@ impl ZeroIDC { let r = c.exchange_code(AuthorizationCode::new(code.to_string())) .set_pkce_verifier(verifier) .request(http_client); + + // validate the token hashes match r { Ok(res) =>{ let n = match i.nonce.clone() { @@ -525,6 +537,8 @@ impl ZeroIDC { } let at = tok.access_token().secret(); + + // see previous note about this function's use let exp = dangerous_insecure_decode::(&at); if let Ok(e) = exp { i.exp_time = e.claims.exp