void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-05 03:53:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Client & Central Controller updates to support additonal OIDC features (#1848)

Browse source 
Client side:
* Fix compatibility with OneLogin
* Requested scopes vary by OIDC provider. Different providers have different

Controller side:
*Update Postgres queries to latest Central schema
* Added Central Controller support for the different providers
* Base OIDC provider details are still attached to an org. Client ID & group/email lists are now associated with individual networks.
This commit is contained in:
Grant Limberg 2023-01-19 15:39:15 -08:00 committed by GitHub
parent a59f82093a
commit 0ae09577f6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 175 additions and 68 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
controller/DB.hpp
View file

@ -53,6 +53,7 @@ public:
, ssoNonce() , ssoNonce()
, ssoState() , ssoState()
, ssoClientID() , ssoClientID()
, ssoProvider("default")
{} {}
bool enabled; bool enabled;
@ -64,6 +65,7 @@ public:
std::string ssoNonce; std::string ssoNonce;
std::string ssoState; std::string ssoState;
std::string ssoClientID; std::string ssoClientID;
std::string ssoProvider;
}; };
/** /**

50
controller/PostgreSQL.cpp
View file

@ -34,7 +34,7 @@ using json = nlohmann::json;
namespace { namespace {
static const int DB_MINIMUM_VERSION = 20; static const int DB_MINIMUM_VERSION = 38;
static const char *_timestr() static const char *_timestr()
{ {
@ -442,20 +442,29 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
exit(7); exit(7);
} }
r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.issuer, org.sso_impl_version " r = w.exec_params(
"FROM ztc_network AS nw, ztc_org AS org " "SELECT oc.client_id, oc.authorization_endpoint, oc.issuer, oc.provider, oc.sso_impl_version "
"WHERE nw.id = $1 AND nw.sso_enabled = true AND org.owner_id = nw.owner_id", networkId); "FROM ztc_network AS n "
"INNER JOIN ztc_org o "
" ON o.owner_id = n.owner_id "
"LEFT OUTER JOIN ztc_network_oidc_config noc "
" ON noc.network_id = n.id "
"LEFT OUTER JOIN ztc_oidc_config oc "
" ON noc.client_id = oc.client_id AND noc.org_id = o.org_id "
"WHERE n.id = $1 AND n.sso_enabled = true", networkId);
std::string client_id = ""; std::string client_id = "";
std::string authorization_endpoint = ""; std::string authorization_endpoint = "";
std::string issuer = ""; std::string issuer = "";
std::string provider = "";
uint64_t sso_version = 0; uint64_t sso_version = 0;
if (r.size() == 1) { if (r.size() == 1) {
client_id = r.at(0)[0].as<std::string>(); client_id = r.at(0)[0].as<std::string>();
authorization_endpoint = r.at(0)[1].as<std::string>(); authorization_endpoint = r.at(0)[1].as<std::string>();
issuer = r.at(0)[2].as<std::string>(); issuer = r.at(0)[2].as<std::string>();
sso_version = r.at(0)[3].as<uint64_t>(); provider = r.at(0)[3].as<std::string>();
sso_version = r.at(0)[4].as<uint64_t>();
} else if (r.size() > 1) { } else if (r.size() > 1) {
fprintf(stderr, "ERROR: More than one auth endpoint for an organization?!?!? NetworkID: %s\n", networkId.c_str()); fprintf(stderr, "ERROR: More than one auth endpoint for an organization?!?!? NetworkID: %s\n", networkId.c_str());
} else { } else {
@ -485,18 +494,20 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
} else if (info.version == 1) { } else if (info.version == 1) {
info.ssoClientID = client_id; info.ssoClientID = client_id;
info.issuerURL = issuer; info.issuerURL = issuer;
info.ssoProvider = provider;
info.ssoNonce = nonce; info.ssoNonce = nonce;
info.ssoState = std::string(state_hex) + "_" +networkId; info.ssoState = std::string(state_hex) + "_" +networkId;
info.centralAuthURL = redirectURL; info.centralAuthURL = redirectURL;
#ifdef ZT_DEBUG #ifdef ZT_DEBUG
fprintf( fprintf(
stderr, stderr,
"ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s\n", "ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s\nprovider: %s\n",
info.ssoClientID.c_str(), info.ssoClientID.c_str(),
info.issuerURL.c_str(), info.issuerURL.c_str(),
info.ssoNonce.c_str(), info.ssoNonce.c_str(),
info.ssoState.c_str(), info.ssoState.c_str(),
info.centralAuthURL.c_str()); info.centralAuthURL.c_str(),
provider.c_str());
#endif #endif
} }
} else { } else {
@ -535,15 +546,21 @@ void PostgreSQL::initializeNetworks()
std::unordered_set<std::string> networkSet; std::unordered_set<std::string> networkSet;
char qbuf[2048] = {0}; char qbuf[2048] = {0};
sprintf(qbuf, "SELECT n.id, (EXTRACT(EPOCH FROM n.creation_time AT TIME ZONE 'UTC')*1000)::bigint as creation_time, n.capabilities, " sprintf(qbuf,
"SELECT n.id, (EXTRACT(EPOCH FROM n.creation_time AT TIME ZONE 'UTC')*1000)::bigint as creation_time, n.capabilities, "
"n.enable_broadcast, (EXTRACT(EPOCH FROM n.last_modified AT TIME ZONE 'UTC')*1000)::bigint AS last_modified, n.mtu, n.multicast_limit, n.name, n.private, n.remote_trace_level, " "n.enable_broadcast, (EXTRACT(EPOCH FROM n.last_modified AT TIME ZONE 'UTC')*1000)::bigint AS last_modified, n.mtu, n.multicast_limit, n.name, n.private, n.remote_trace_level, "
"n.remote_trace_target, n.revision, n.rules, n.tags, n.v4_assign_mode, n.v6_assign_mode, n.sso_enabled, (CASE WHEN n.sso_enabled THEN o.client_id ELSE NULL END) as client_id, " "n.remote_trace_target, n.revision, n.rules, n.tags, n.v4_assign_mode, n.v6_assign_mode, n.sso_enabled, (CASE WHEN n.sso_enabled THEN noc.client_id ELSE NULL END) as client_id, "
"(CASE WHEN n.sso_enabled THEN o.authorization_endpoint ELSE NULL END) as authorization_endpoint, d.domain, d.servers, " "(CASE WHEN n.sso_enabled THEN oc.authorization_endpoint ELSE NULL END) as authorization_endpoint, "
"(CASE WHEN n.sso_enabled THEN oc.provider ELSE NULL END) as provider, d.domain, d.servers, "
"ARRAY(SELECT CONCAT(host(ip_range_start),'|', host(ip_range_end)) FROM ztc_network_assignment_pool WHERE network_id = n.id) AS assignment_pool, " "ARRAY(SELECT CONCAT(host(ip_range_start),'|', host(ip_range_end)) FROM ztc_network_assignment_pool WHERE network_id = n.id) AS assignment_pool, "
"ARRAY(SELECT CONCAT(host(address),'/',bits::text,'|',COALESCE(host(via), 'NULL'))FROM ztc_network_route WHERE network_id = n.id) AS routes " "ARRAY(SELECT CONCAT(host(address),'/',bits::text,'|',COALESCE(host(via), 'NULL'))FROM ztc_network_route WHERE network_id = n.id) AS routes "
"FROM ztc_network n " "FROM ztc_network n "
"LEFT OUTER JOIN ztc_org o " "LEFT OUTER JOIN ztc_org o "
" ON o.owner_id = n.owner_id " " ON o.owner_id = n.owner_id "
"LEFT OUTER JOIN ztc_network_oidc_config noc "
" ON noc.network_id = n.id "
"LEFT OUTER JOIN ztc_oidc_config oc "
" ON noc.client_id = oc.client_id AND oc.org_id = o.org_id "
"LEFT OUTER JOIN ztc_network_dns d " "LEFT OUTER JOIN ztc_network_dns d "
" ON d.network_id = n.id " " ON d.network_id = n.id "
"WHERE deleted = false AND controller_id = '%s'", _myAddressStr.c_str()); "WHERE deleted = false AND controller_id = '%s'", _myAddressStr.c_str());
@ -574,6 +591,7 @@ void PostgreSQL::initializeNetworks()
, std::optional<bool> // ssoEnabled , std::optional<bool> // ssoEnabled
, std::optional<std::string> // clientId , std::optional<std::string> // clientId
, std::optional<std::string> // authorizationEndpoint , std::optional<std::string> // authorizationEndpoint
, std::optional<std::string> // ssoProvider
, std::optional<std::string> // domain , std::optional<std::string> // domain
, std::optional<std::string> // servers , std::optional<std::string> // servers
, std::string // assignmentPoolString , std::string // assignmentPoolString
@ -610,10 +628,11 @@ void PostgreSQL::initializeNetworks()
std::optional<bool> ssoEnabled = std::get<16>(row); std::optional<bool> ssoEnabled = std::get<16>(row);
std::optional<std::string> clientId = std::get<17>(row); std::optional<std::string> clientId = std::get<17>(row);
std::optional<std::string> authorizationEndpoint = std::get<18>(row); std::optional<std::string> authorizationEndpoint = std::get<18>(row);
std::optional<std::string> dnsDomain = std::get<19>(row); std::optional<std::string> ssoProvider = std::get<19>(row);
std::optional<std::string> dnsServers = std::get<20>(row); std::optional<std::string> dnsDomain = std::get<20>(row);
std::string assignmentPoolString = std::get<21>(row); std::optional<std::string> dnsServers = std::get<21>(row);
std::string routesString = std::get<22>(row); std::string assignmentPoolString = std::get<22>(row);
std::string routesString = std::get<23>(row);
config["id"] = nwid; config["id"] = nwid;
config["nwid"] = nwid; config["nwid"] = nwid;
@ -638,6 +657,7 @@ void PostgreSQL::initializeNetworks()
config["routes"] = json::array(); config["routes"] = json::array();
config["clientId"] = clientId.value_or(""); config["clientId"] = clientId.value_or("");
config["authorizationEndpoint"] = authorizationEndpoint.value_or(""); config["authorizationEndpoint"] = authorizationEndpoint.value_or("");
config["provider"] = ssoProvider.value_or("");
networkSet.insert(nwid); networkSet.insert(nwid);

5
include/ZeroTierOne.h
View file

@ -1246,6 +1246,11 @@ typedef struct
* oidc client id * oidc client id
*/ */
char ssoClientID[256]; char ssoClientID[256];
/**
* sso provider
**/
char ssoProvider[64];
} ZT_VirtualNetworkConfig; } ZT_VirtualNetworkConfig;
/** /**

8
node/IncomingPacket.cpp
View file

@ -217,6 +217,7 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
char ssoNonce[64] = { 0 }; char ssoNonce[64] = { 0 };
char ssoState[128] = {0}; char ssoState[128] = {0};
char ssoClientID[256] = { 0 }; char ssoClientID[256] = { 0 };
char ssoProvider[64] = { 0 };
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) { if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
issuerURL[sizeof(issuerURL) - 1] = 0; issuerURL[sizeof(issuerURL) - 1] = 0;
@ -233,8 +234,13 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, ssoClientID, sizeof(ssoClientID)) > 0) { if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, ssoClientID, sizeof(ssoClientID)) > 0) {
ssoClientID[sizeof(ssoClientID) - 1] = 0; ssoClientID[sizeof(ssoClientID) - 1] = 0;
} }
if (authInfo.get(ZT_AUTHINFO_DICT_KEY_SSO_PROVIDER, ssoProvider, sizeof(ssoProvider)) > 0 ) {
ssoProvider[sizeof(ssoProvider) - 1] = 0;
} else {
strncpy(ssoProvider, "default", sizeof(ssoProvider));
}
network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState); network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoProvider, ssoNonce, ssoState);
} }
} }
} else { } else {

4
node/Network.cpp
View file

@ -1450,6 +1450,7 @@ void Network::_externalConfig(ZT_VirtualNetworkConfig *ec) const
Utils::scopy(ec->ssoNonce, sizeof(ec->ssoNonce), _config.ssoNonce); Utils::scopy(ec->ssoNonce, sizeof(ec->ssoNonce), _config.ssoNonce);
Utils::scopy(ec->ssoState, sizeof(ec->ssoState), _config.ssoState); Utils::scopy(ec->ssoState, sizeof(ec->ssoState), _config.ssoState);
Utils::scopy(ec->ssoClientID, sizeof(ec->ssoClientID), _config.ssoClientID); Utils::scopy(ec->ssoClientID, sizeof(ec->ssoClientID), _config.ssoClientID);
Utils::scopy(ec->ssoProvider, sizeof(ec->ssoProvider), _config.ssoProvider);
} }
void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMulticastGroup) void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMulticastGroup)
@ -1556,7 +1557,7 @@ Membership &Network::_membership(const Address &a)
return _memberships[a]; return _memberships[a];
} }
void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state) void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char *ssoProvider, const char* nonce, const char* state)
{ {
Mutex::Lock _l(_lock); Mutex::Lock _l(_lock);
_netconfFailure = NETCONF_FAILURE_AUTHENTICATION_REQUIRED; _netconfFailure = NETCONF_FAILURE_AUTHENTICATION_REQUIRED;
@ -1568,6 +1569,7 @@ void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const
Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID); Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);
Utils::scopy(_config.ssoNonce, sizeof(_config.ssoNonce), nonce); Utils::scopy(_config.ssoNonce, sizeof(_config.ssoNonce), nonce);
Utils::scopy(_config.ssoState, sizeof(_config.ssoState), state); Utils::scopy(_config.ssoState, sizeof(_config.ssoState), state);
Utils::scopy(_config.ssoProvider, sizeof(_config.ssoProvider), ssoProvider);
_sendUpdateEvent(tPtr); _sendUpdateEvent(tPtr);
} }

2
node/Network.hpp
View file

@ -241,7 +241,7 @@ public:
* set netconf failure to 'authentication required' along with info needed * set netconf failure to 'authentication required' along with info needed
* for sso full flow authentication. * for sso full flow authentication.
*/ */
void setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char* nonce, const char* state); void setAuthenticationRequired(void *tPtr, const char* issuerURL, const char* centralEndpoint, const char* clientID, const char *ssoProvider, const char* nonce, const char* state);
/** /**
* Causes this network to request an updated configuration from its master node now * Causes this network to request an updated configuration from its master node now

8
node/NetworkConfig.cpp
View file

@ -201,6 +201,7 @@ bool NetworkConfig::toDictionary(Dictionary<ZT_NETWORKCONFIG_DICT_CAPACITY> &d,b
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NONCE, this->ssoNonce)) return false; if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_NONCE, this->ssoNonce)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_STATE, this->ssoState)) return false; if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_STATE, this->ssoState)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID)) return false; if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID)) return false;
if (!d.add(ZT_NETWORKCONFIG_DICT_KEY_SSO_PROVIDER, this->ssoProvider)) return false;
} }
delete tmp; delete tmp;
@ -424,6 +425,12 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID, (unsigned int)sizeof(this->ssoClientID)) > 0) { if (d.get(ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID, this->ssoClientID, (unsigned int)sizeof(this->ssoClientID)) > 0) {
this->ssoClientID[sizeof(this->ssoClientID) - 1] = 0; this->ssoClientID[sizeof(this->ssoClientID) - 1] = 0;
} }
if (d.get(ZT_NETWORKCONFIG_DICT_KEY_SSO_PROVIDER, this->ssoProvider, (unsigned int)(sizeof(this->ssoProvider))) > 0) {
this->ssoProvider[sizeof(this->ssoProvider) - 1] = 0;
} else {
strncpy(this->ssoProvider, "default", sizeof(this->ssoProvider));
this->ssoProvider[sizeof(this->ssoProvider) - 1] = 0;
}
} else { } else {
this->authenticationURL[0] = 0; this->authenticationURL[0] = 0;
this->authenticationExpiryTime = 0; this->authenticationExpiryTime = 0;
@ -432,6 +439,7 @@ bool NetworkConfig::fromDictionary(const Dictionary<ZT_NETWORKCONFIG_DICT_CAPACI
this->ssoState[0] = 0; this->ssoState[0] = 0;
this->ssoClientID[0] = 0; this->ssoClientID[0] = 0;
this->issuerURL[0] = 0; this->issuerURL[0] = 0;
this->ssoProvider[0] = 0;
} }
} }
} }

14
node/NetworkConfig.hpp
View file

@ -195,6 +195,8 @@ namespace ZeroTier {
#define ZT_NETWORKCONFIG_DICT_KEY_STATE "ssos" #define ZT_NETWORKCONFIG_DICT_KEY_STATE "ssos"
// client ID // client ID
#define ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID "ssocid" #define ZT_NETWORKCONFIG_DICT_KEY_CLIENT_ID "ssocid"
// SSO Provider
#define ZT_NETWORKCONFIG_DICT_KEY_SSO_PROVIDER "ssop"
// AuthInfo fields -- used by ncSendError for sso // AuthInfo fields -- used by ncSendError for sso
@ -212,6 +214,8 @@ namespace ZeroTier {
#define ZT_AUTHINFO_DICT_KEY_STATE "aS" #define ZT_AUTHINFO_DICT_KEY_STATE "aS"
// Client ID // Client ID
#define ZT_AUTHINFO_DICT_KEY_CLIENT_ID "aCID" #define ZT_AUTHINFO_DICT_KEY_CLIENT_ID "aCID"
// SSO Provider
#define ZT_AUTHINFO_DICT_KEY_SSO_PROVIDER "aSSOp"
// Legacy fields -- these are obsoleted but are included when older clients query // Legacy fields -- these are obsoleted but are included when older clients query
@ -289,6 +293,7 @@ public:
memset(ssoNonce, 0, sizeof(ssoNonce)); memset(ssoNonce, 0, sizeof(ssoNonce));
memset(ssoState, 0, sizeof(ssoState)); memset(ssoState, 0, sizeof(ssoState));
memset(ssoClientID, 0, sizeof(ssoClientID)); memset(ssoClientID, 0, sizeof(ssoClientID));
strncpy(ssoProvider, "default", sizeof(ssoProvider));
} }
/** /**
@ -699,6 +704,15 @@ public:
* oidc client id * oidc client id
*/ */
char ssoClientID[256]; char ssoClientID[256];
/**
* oidc provider
*
* because certain providers require specific scopes to be requested
* and others to be not requested in order to make everything work
* correctly
**/
char ssoProvider[64];
}; };
} // namespace ZeroTier } // namespace ZeroTier

2
service/OneService.cpp
View file

@ -303,11 +303,13 @@ public:
assert(_config.issuerURL != nullptr); assert(_config.issuerURL != nullptr);
assert(_config.ssoClientID != nullptr); assert(_config.ssoClientID != nullptr);
assert(_config.centralAuthURL != nullptr); assert(_config.centralAuthURL != nullptr);
assert(_config.ssoProvider != nullptr);
_idc = zeroidc::zeroidc_new( _idc = zeroidc::zeroidc_new(
_config.issuerURL, _config.issuerURL,
_config.ssoClientID, _config.ssoClientID,
_config.centralAuthURL, _config.centralAuthURL,
_config.ssoProvider,
_webPort _webPort
); );

8
zeroidc/src/ext.rs
View file

@ -28,6 +28,7 @@ pub extern "C" fn zeroidc_new(
issuer: *const c_char, issuer: *const c_char,
client_id: *const c_char, client_id: *const c_char,
auth_endpoint: *const c_char, auth_endpoint: *const c_char,
provider: *const c_char,
web_listen_port: u16, web_listen_port: u16,
) -> *mut ZeroIDC { ) -> *mut ZeroIDC {
if issuer.is_null() { if issuer.is_null() {
@ -40,6 +41,11 @@ pub extern "C" fn zeroidc_new(
return std::ptr::null_mut(); return std::ptr::null_mut();
} }
if provider.is_null() {
println!("provider is null");
return std::ptr::null_mut();
}
if auth_endpoint.is_null() { if auth_endpoint.is_null() {
println!("auth_endpoint is null"); println!("auth_endpoint is null");
return std::ptr::null_mut(); return std::ptr::null_mut();
@ -47,10 +53,12 @@ pub extern "C" fn zeroidc_new(
let issuer = unsafe { CStr::from_ptr(issuer) }; let issuer = unsafe { CStr::from_ptr(issuer) };
let client_id = unsafe { CStr::from_ptr(client_id) }; let client_id = unsafe { CStr::from_ptr(client_id) };
let provider = unsafe { CStr::from_ptr(provider) };
let auth_endpoint = unsafe { CStr::from_ptr(auth_endpoint) }; let auth_endpoint = unsafe { CStr::from_ptr(auth_endpoint) };
match ZeroIDC::new( match ZeroIDC::new(
issuer.to_str().unwrap(), issuer.to_str().unwrap(),
client_id.to_str().unwrap(), client_id.to_str().unwrap(),
provider.to_str().unwrap(),
auth_endpoint.to_str().unwrap(), auth_endpoint.to_str().unwrap(),
web_listen_port, web_listen_port,
) { ) {

140
zeroidc/src/lib.rs
View file

@ -59,7 +59,9 @@ pub struct ZeroIDC {
))] ))]
struct Inner { struct Inner {
running: bool, running: bool,
issuer: String,
auth_endpoint: String, auth_endpoint: String,
provider: String,
oidc_thread: Option<JoinHandle<()>>, oidc_thread: Option<JoinHandle<()>>,
oidc_client: Option<openidconnect::core::CoreClient>, oidc_client: Option<openidconnect::core::CoreClient>,
access_token: Option<AccessToken>, access_token: Option<AccessToken>,
@ -114,12 +116,15 @@ impl ZeroIDC {
pub fn new( pub fn new(
issuer: &str, issuer: &str,
client_id: &str, client_id: &str,
provider: &str,
auth_ep: &str, auth_ep: &str,
local_web_port: u16, local_web_port: u16,
) -> Result<ZeroIDC, ZeroIDCError> { ) -> Result<ZeroIDC, ZeroIDCError> {
let idc = ZeroIDC { let idc = ZeroIDC {
inner: Arc::new(Mutex::new(Inner { inner: Arc::new(Mutex::new(Inner {
running: false, running: false,
issuer: issuer.to_string(),
provider: provider.to_string(),
auth_endpoint: auth_ep.to_string(), auth_endpoint: auth_ep.to_string(),
oidc_thread: None, oidc_thread: None,
oidc_client: None, oidc_client: None,
@ -148,7 +153,7 @@ impl ZeroIDC {
let redirect = RedirectUrl::new(redir_url.to_string())?; let redirect = RedirectUrl::new(redir_url.to_string())?;
(*idc.inner.lock().unwrap()).oidc_client = Some( idc.inner.lock().unwrap().oidc_client = Some(
CoreClient::from_provider_metadata( CoreClient::from_provider_metadata(
provider_meta, provider_meta,
ClientId::new(client_id.to_string()), ClientId::new(client_id.to_string()),
@ -163,25 +168,25 @@ impl ZeroIDC {
fn kick_refresh_thread(&mut self) { fn kick_refresh_thread(&mut self) {
let local = Arc::clone(&self.inner); let local = Arc::clone(&self.inner);
(*local.lock().unwrap()).kick = true; local.lock().unwrap().kick = true;
} }
fn start(&mut self) { fn start(&mut self) {
let local = Arc::clone(&self.inner); let local = Arc::clone(&self.inner);
if !(*local.lock().unwrap()).running { if !local.lock().unwrap().running {
let inner_local = Arc::clone(&self.inner); let inner_local = Arc::clone(&self.inner);
(*local.lock().unwrap()).oidc_thread = Some(spawn(move || { local.lock().unwrap().oidc_thread = Some(spawn(move || {
(*inner_local.lock().unwrap()).running = true; inner_local.lock().unwrap().running = true;
let mut running = true; let mut running = true;
// Keep a copy of the initial nonce used to get the tokens // Keep a copy of the initial nonce used to get the tokens
// Will be needed later when verifying the responses from refresh tokens // Will be needed later when verifying the responses from refresh tokens
let nonce = (*inner_local.lock().unwrap()).nonce.clone(); let nonce = inner_local.lock().unwrap().nonce.clone();
while running { while running {
let exp = let exp =
UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time); UNIX_EPOCH + Duration::from_secs(inner_local.lock().unwrap().exp_time);
let now = SystemTime::now(); let now = SystemTime::now();
#[cfg(debug_assertions)] #[cfg(debug_assertions)]
@ -198,17 +203,17 @@ impl ZeroIDC {
) )
); );
} }
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone(); let refresh_token = inner_local.lock().unwrap().refresh_token.clone();
if let Some(refresh_token) = refresh_token { if let Some(refresh_token) = refresh_token {
let should_kick = (*inner_local.lock().unwrap()).kick; let should_kick = inner_local.lock().unwrap().kick;
if now >= (exp - Duration::from_secs(30)) || should_kick { if now >= (exp - Duration::from_secs(30)) || should_kick {
if should_kick { if should_kick {
#[cfg(debug_assertions)] #[cfg(debug_assertions)]
{ {
println!("refresh thread kicked"); println!("refresh thread kicked");
} }
(*inner_local.lock().unwrap()).kick = false; inner_local.lock().unwrap().kick = false;
} }
#[cfg(debug_assertions)] #[cfg(debug_assertions)]
@ -216,10 +221,8 @@ impl ZeroIDC {
println!("Refresh Token: {}", refresh_token.secret()); println!("Refresh Token: {}", refresh_token.secret());
} }
let token_response = (*inner_local.lock().unwrap()) let token_response =
.oidc_client inner_local.lock().unwrap().oidc_client.as_ref().map(|c| {
.as_ref()
.map(|c| {
let res = c let res = c
.exchange_refresh_token(&refresh_token) .exchange_refresh_token(&refresh_token)
.request(http_client); .request(http_client);
@ -252,7 +255,9 @@ impl ZeroIDC {
let client = reqwest::blocking::Client::new(); let client = reqwest::blocking::Client::new();
let r = client let r = client
.post( .post(
(*inner_local.lock().unwrap()) inner_local
.lock()
.unwrap()
.auth_endpoint .auth_endpoint
.clone(), .clone(),
) )
@ -289,10 +294,10 @@ impl ZeroIDC {
match claims.expiration { match claims.expiration {
Some(exp) => { Some(exp) => {
println!("exp: {}", exp); println!("exp: {}", exp);
(*inner_local inner_local
.lock() .lock()
.unwrap()) .unwrap()
.exp_time = exp; .exp_time = exp;
} }
None => { None => {
panic!("expiration is None. This shouldn't happen") panic!("expiration is None. This shouldn't happen")
@ -302,12 +307,16 @@ impl ZeroIDC {
panic!("error parsing claims"); panic!("error parsing claims");
} }
(*inner_local.lock().unwrap()) inner_local
.lock()
.unwrap()
.access_token = .access_token =
Some(access_token.clone()); Some(access_token.clone());
if let Some(t) = res.refresh_token() { if let Some(t) = res.refresh_token() {
// println!("New Refresh Token: {}", t.secret()); // println!("New Refresh Token: {}", t.secret());
(*inner_local.lock().unwrap()) inner_local
.lock()
.unwrap()
.refresh_token = .refresh_token =
Some(t.clone()); Some(t.clone());
} }
@ -333,10 +342,10 @@ impl ZeroIDC {
} }
} }
(*inner_local.lock().unwrap()) inner_local.lock().unwrap().exp_time =
.exp_time = 0; 0;
(*inner_local.lock().unwrap()) inner_local.lock().unwrap().running =
.running = false; false;
} }
} }
Err(e) => { Err(e) => {
@ -346,29 +355,28 @@ impl ZeroIDC {
e.url().unwrap().as_str() e.url().unwrap().as_str()
); );
println!("Status: {}", e.status().unwrap()); println!("Status: {}", e.status().unwrap());
(*inner_local.lock().unwrap()).exp_time = 0; inner_local.lock().unwrap().exp_time = 0;
(*inner_local.lock().unwrap()).running = inner_local.lock().unwrap().running = false;
false;
} }
} }
} }
None => { None => {
println!("no id token?!?"); println!("no id token?!?");
(*inner_local.lock().unwrap()).exp_time = 0; inner_local.lock().unwrap().exp_time = 0;
(*inner_local.lock().unwrap()).running = false; inner_local.lock().unwrap().running = false;
} }
} }
} }
Err(e) => { Err(e) => {
println!("token error: {}", e); println!("token error: {}", e);
(*inner_local.lock().unwrap()).exp_time = 0; inner_local.lock().unwrap().exp_time = 0;
(*inner_local.lock().unwrap()).running = false; inner_local.lock().unwrap().running = false;
} }
} }
} else { } else {
println!("token response??"); println!("token response??");
(*inner_local.lock().unwrap()).exp_time = 0; inner_local.lock().unwrap().exp_time = 0;
(*inner_local.lock().unwrap()).running = false; inner_local.lock().unwrap().running = false;
} }
} else { } else {
#[cfg(debug_assertions)] #[cfg(debug_assertions)]
@ -376,19 +384,19 @@ impl ZeroIDC {
} }
} else { } else {
println!("no refresh token?"); println!("no refresh token?");
(*inner_local.lock().unwrap()).exp_time = 0; inner_local.lock().unwrap().exp_time = 0;
(*inner_local.lock().unwrap()).running = false; inner_local.lock().unwrap().running = false;
} }
sleep(Duration::from_secs(1)); sleep(Duration::from_secs(1));
{ {
running = (*inner_local.lock().unwrap()).running; running = inner_local.lock().unwrap().running;
} }
} }
// end run loop // end run loop
println!("thread done!"); println!("thread done!");
(*inner_local.lock().unwrap()).running = false; inner_local.lock().unwrap().running = false;
println!("set idc thread running flag to false"); println!("set idc thread running flag to false");
})); }));
} }
@ -397,19 +405,19 @@ impl ZeroIDC {
pub fn stop(&mut self) { pub fn stop(&mut self) {
let local = self.inner.clone(); let local = self.inner.clone();
if self.is_running() { if self.is_running() {
(*local.lock().unwrap()).running = false; local.lock().unwrap().running = false;
} }
} }
pub fn is_running(&mut self) -> bool { pub fn is_running(&mut self) -> bool {
let local = Arc::clone(&self.inner); let local = Arc::clone(&self.inner);
let running = (*local.lock().unwrap()).running; let running = local.lock().unwrap().running;
running running
} }
pub fn get_exp_time(&mut self) -> u64 { pub fn get_exp_time(&mut self) -> u64 {
return (*self.inner.lock().unwrap()).exp_time; return self.inner.lock().unwrap().exp_time;
} }
pub fn set_nonce_and_csrf(&mut self, csrf_token: String, nonce: String) { pub fn set_nonce_and_csrf(&mut self, csrf_token: String, nonce: String) {
@ -439,20 +447,53 @@ impl ZeroIDC {
if need_verifier || csrf_diff || nonce_diff { if need_verifier || csrf_diff || nonce_diff {
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256(); let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
let r = i.oidc_client.as_ref().map(|c| { let r = i.oidc_client.as_ref().map(|c| {
let (auth_url, csrf_token, nonce) = c let mut auth_builder = c
.authorize_url( .authorize_url(
AuthenticationFlow::<CoreResponseType>::AuthorizationCode, AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
csrf_func(csrf_token), csrf_func(csrf_token),
nonce_func(nonce), nonce_func(nonce),
) )
.add_scope(Scope::new("profile".to_string())) .set_pkce_challenge(pkce_challenge);
.add_scope(Scope::new("email".to_string())) match i.provider.as_str() {
.add_scope(Scope::new("offline_access".to_string())) "auth0" => {
.add_scope(Scope::new("openid".to_string())) auth_builder = auth_builder
.set_pkce_challenge(pkce_challenge) .add_scope(Scope::new("profile".to_string()))
.url(); .add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("offline_access".to_string()));
}
"okta" => {
auth_builder = auth_builder
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("groups".to_string()))
.add_scope(Scope::new("offline_access".to_string()));
}
"keycloak" => {
auth_builder = auth_builder
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()));
}
"onelogin" => {
auth_builder = auth_builder
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("groups".to_string()))
}
"default" => {
auth_builder = auth_builder
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("offline_access".to_string()));
}
_ => {
auth_builder = auth_builder
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("offline_access".to_string()));
}
}
(auth_url, csrf_token, nonce) auth_builder.url()
}); });
if let Some(r) = r { if let Some(r) = r {
@ -653,8 +694,7 @@ impl ZeroIDC {
} }
Err(res) => { Err(res) => {
println!("error result: {}", res); println!("error result: {}", res);
println!("hit url: {}", res.url().unwrap().as_str()); println!("hit url: {}", i.auth_endpoint.clone());
println!("Status: {}", res.status().unwrap());
println!("Post error: {}", res); println!("Post error: {}", res);
i.exp_time = 0; i.exp_time = 0;
i.running = false; i.running = false;