void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-06 12:33:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Just some comments

Browse source
This commit is contained in:
Grant Limberg 2021-12-16 22:07:17 -08:00
parent a69e91c541
commit 057356a725
No known key found for this signature in database
GPG key ID: 2BA62CCABBB4095A
3 changed files with 34 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
service/OneService.cpp
View file

@ -261,9 +261,7 @@ public:
// fprintf(stderr, "Client ID: %s\n", _config.ssoClientID); // fprintf(stderr, "Client ID: %s\n", _config.ssoClientID);
// fprintf(stderr, "Central Auth URL: %s\n", _config.centralAuthURL); // fprintf(stderr, "Central Auth URL: %s\n", _config.centralAuthURL);
char buf[17] = {};
_idc = zeroidc::zeroidc_new( _idc = zeroidc::zeroidc_new(
Utils::hex(_config.nwid, buf),
_config.issuerURL, _config.issuerURL,
_config.ssoClientID, _config.ssoClientID,
_config.centralAuthURL, _config.centralAuthURL,

38
zeroidc/src/ext.rs
View file

@ -1,3 +1,15 @@
/*
* Copyright (c)2021 ZeroTier, Inc.
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file in the project's root directory.
*
* Change Date: 2025-01-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2.0 of the Apache License.
*/
use std::ffi::{CStr, CString}; use std::ffi::{CStr, CString};
use std::os::raw::c_char; use std::os::raw::c_char;
use url::{Url}; use url::{Url};
@ -6,17 +18,11 @@ use crate::ZeroIDC;
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_new( pub extern "C" fn zeroidc_new(
network_id: *const c_char,
issuer: *const c_char, issuer: *const c_char,
client_id: *const c_char, client_id: *const c_char,
auth_endpoint: *const c_char, auth_endpoint: *const c_char,
web_listen_port: u16, web_listen_port: u16,
) -> *mut ZeroIDC { ) -> *mut ZeroIDC {
if network_id.is_null() {
println!("network_id is null");
return std::ptr::null_mut();
}
if issuer.is_null() { if issuer.is_null() {
println!("issuer is null"); println!("issuer is null");
return std::ptr::null_mut(); return std::ptr::null_mut();
@ -32,12 +38,10 @@ pub extern "C" fn zeroidc_new(
return std::ptr::null_mut(); return std::ptr::null_mut();
} }
let network_id = unsafe {CStr::from_ptr(network_id) };
let issuer = unsafe { CStr::from_ptr(issuer) }; let issuer = unsafe { CStr::from_ptr(issuer) };
let client_id = unsafe { CStr::from_ptr(client_id) }; let client_id = unsafe { CStr::from_ptr(client_id) };
let auth_endpoint = unsafe { CStr::from_ptr(auth_endpoint) }; let auth_endpoint = unsafe { CStr::from_ptr(auth_endpoint) };
match ZeroIDC::new( match ZeroIDC::new(
network_id.to_str().unwrap(),
issuer.to_str().unwrap(), issuer.to_str().unwrap(),
client_id.to_str().unwrap(), client_id.to_str().unwrap(),
auth_endpoint.to_str().unwrap(), auth_endpoint.to_str().unwrap(),
@ -101,24 +105,6 @@ pub extern "C" fn zeroidc_get_exp_time(ptr: *mut ZeroIDC) -> u64 {
id.get_exp_time() id.get_exp_time()
} }
// #[no_mangle]
// pub extern "C" fn zeroidc_process_form_post(ptr: *mut ZeroIDC, body: *const c_char) -> bool {
// let idc = unsafe {
// assert!(!ptr.is_null());
// &mut *ptr
// };
// if body.is_null() {
// println!("body is null");
// return false
// }
// let body = unsafe { CStr::from_ptr(body) }
// .to_str().unwrap().to_string();
// false
// }
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_set_nonce_and_csrf( pub extern "C" fn zeroidc_set_nonce_and_csrf(
ptr: *mut ZeroIDC, ptr: *mut ZeroIDC,

30
zeroidc/src/lib.rs
View file

@ -1,3 +1,15 @@
/*
* Copyright (c)2021 ZeroTier, Inc.
*
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file in the project's root directory.
*
* Change Date: 2025-01-01
*
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2.0 of the Apache License.
*/
pub mod ext; pub mod ext;
extern crate base64; extern crate base64;
@ -27,7 +39,6 @@ pub struct ZeroIDC {
struct Inner { struct Inner {
running: bool, running: bool,
network_id: String,
auth_endpoint: String, auth_endpoint: String,
oidc_thread: Option<JoinHandle<()>>, oidc_thread: Option<JoinHandle<()>>,
oidc_client: Option<openidconnect::core::CoreClient>, oidc_client: Option<openidconnect::core::CoreClient>,
@ -80,7 +91,6 @@ fn systemtime_strftime<T>(dt: T, format: &str) -> String
impl ZeroIDC { impl ZeroIDC {
fn new( fn new(
network_id: &str,
issuer: &str, issuer: &str,
client_id: &str, client_id: &str,
auth_ep: &str, auth_ep: &str,
@ -89,7 +99,6 @@ impl ZeroIDC {
let idc = ZeroIDC { let idc = ZeroIDC {
inner: Arc::new(Mutex::new(Inner { inner: Arc::new(Mutex::new(Inner {
running: false, running: false,
network_id: network_id.to_string(),
auth_endpoint: auth_ep.to_string(), auth_endpoint: auth_ep.to_string(),
oidc_thread: None, oidc_thread: None,
oidc_client: None, oidc_client: None,
@ -162,7 +171,7 @@ impl ZeroIDC {
// Keep a copy of the initial nonce used to get the tokens // Keep a copy of the initial nonce used to get the tokens
// Will be needed later when verifying the responses from refresh tokens // Will be needed later when verifying the responses from refresh tokens
let nonce = (*inner_local.lock().unwrap()).nonce.clone(); let nonce = (*inner_local.lock().unwrap()).nonce.clone();
while running { while running {
let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time); let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time);
let now = SystemTime::now(); let now = SystemTime::now();
@ -200,6 +209,7 @@ impl ZeroIDC {
} }
}; };
// verify & validate claims
let verified = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| { let verified = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
let claims = match id.claims(&c.id_token_verifier(), &n) { let claims = match id.claims(&c.id_token_verifier(), &n) {
Ok(c) => c, Ok(c) => c,
@ -271,6 +281,10 @@ impl ZeroIDC {
let access_token = res.access_token(); let access_token = res.access_token();
let at = access_token.secret(); let at = access_token.secret();
// yes this function is called `dangerous_insecure_decode`
// and it doesn't validate the jwt token signature,
// but if we've gotten this far, our claims have already
// been validated up above
let exp = dangerous_insecure_decode::<Exp>(&at); let exp = dangerous_insecure_decode::<Exp>(&at);
if let Ok(e) = exp { if let Ok(e) = exp {
@ -350,10 +364,6 @@ impl ZeroIDC {
} }
} }
fn get_network_id(&mut self) -> String {
return (*self.inner.lock().unwrap()).network_id.clone();
}
fn get_exp_time(&mut self) -> u64 { fn get_exp_time(&mut self) -> u64 {
return (*self.inner.lock().unwrap()).exp_time; return (*self.inner.lock().unwrap()).exp_time;
} }
@ -438,6 +448,8 @@ impl ZeroIDC {
let r = c.exchange_code(AuthorizationCode::new(code.to_string())) let r = c.exchange_code(AuthorizationCode::new(code.to_string()))
.set_pkce_verifier(verifier) .set_pkce_verifier(verifier)
.request(http_client); .request(http_client);
// validate the token hashes
match r { match r {
Ok(res) =>{ Ok(res) =>{
let n = match i.nonce.clone() { let n = match i.nonce.clone() {
@ -525,6 +537,8 @@ impl ZeroIDC {
} }
let at = tok.access_token().secret(); let at = tok.access_token().secret();
// see previous note about this function's use
let exp = dangerous_insecure_decode::<Exp>(&at); let exp = dangerous_insecure_decode::<Exp>(&at);
if let Ok(e) = exp { if let Ok(e) = exp {
i.exp_time = e.claims.exp i.exp_time = e.claims.exp