From 576b4f03a5840fb65c65e9dad593032d819fe943 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Wed, 18 Aug 2021 12:17:40 -0400
Subject: [PATCH] Adjust deauth time window and send revocation when SSO members expire.

---
 controller/DB.cpp | 8 ++++++++
 controller/DB.hpp | 2 ++
 controller/DBMirrorSet.cpp | 8 ++++++++
 controller/DBMirrorSet.hpp | 1 +
 controller/EmbeddedNetworkController.cpp | 5 +++++
 make-mac.mk | 6 +++---
 6 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/controller/DB.cpp b/controller/DB.cpp
index 2edcadbbe..27578bf77 100644
--- a/controller/DB.cpp
+++ b/controller/DB.cpp
@@ -196,6 +196,14 @@ void DB::networks(std::set &networks)
 networks.insert(n->first);
 }
 
+void DB::networkMemberSSOHasExpired(uint64_t nwid, int64_t now) {
+ std::lock_guard l(_networks_l);
+ auto nw = _networks.find(nwid);
+ if (nw != _networks.end()) {
+ nw->second->mostRecentDeauthTime = now;
+ }
+}
+
 void DB::_memberChanged(nlohmann::json &old,nlohmann::json &memberConfig,bool notifyListeners)
 {
 uint64_t memberId = 0;
diff --git a/controller/DB.hpp b/controller/DB.hpp
index e0cef2b76..0a5d784c2 100644
--- a/controller/DB.hpp
+++ b/controller/DB.hpp
@@ -107,7 +107,9 @@ public:
 virtual void eraseNetwork(const uint64_t networkId) = 0;
 virtual void eraseMember(const uint64_t networkId,const uint64_t memberId) = 0;
 virtual void nodeIsOnline(const uint64_t networkId,const uint64_t memberId,const InetAddress &physicalAddress) = 0;
+ virtual std::string getSSOAuthURL(const nlohmann::json &member, const std::string &redirectURL) { return ""; }
 
+ virtual void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
 
 inline void addListener(DB::ChangeListener *const listener)
 {
diff --git a/controller/DBMirrorSet.cpp b/controller/DBMirrorSet.cpp
index cf1f02194..de7ebefe1 100644
--- a/controller/DBMirrorSet.cpp
+++ b/controller/DBMirrorSet.cpp
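Review bot: The definition names its second parameter `now` while the declaration added to DB.hpp in this same patch names it `ts`; the two should agree, e.g. `void DB::networkMemberSSOHasExpired(uint64_t nwid, int64_t ts) {` together with `nw->second->mostRecentDeauthTime = ts;`. The function also carries no comment, and two things about it are not obvious from the call site: an `nwid` that is not in `_networks` is silently ignored, and only the network-level `mostRecentDeauthTime` is stamped — the expired member's own record is not touched here. A header comment such as `// Record a deauth on network nwid at time ts (unknown networks are ignored); the expired member record is not modified here.` would make that clear.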
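Review bot: Neither new declaration documents its contract, and the inline default of `getSSOAuthURL` returning `""` is the value callers use to decide that a backend has no SSO support, so it deserves to be stated at the declaration: `// Returns the SSO authorization URL for member, or "" when this backend does not provide SSO.`. For `networkMemberSSOHasExpired`, whose default body lives in DB.cpp, a comment like `// Called when an SSO-authorized member's authentication expired at time ts; records a deauth on nwid (per the commit, this is what drives the revocation push).` would tell overriders what they are expected to preserve. The parameter is named `ts` here but `now` in the DB.cpp definition in this patch; pick one.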
@@ -137,6 +137,14 @@ std::string DBMirrorSet::getSSOAuthURL(const nlohmann::json &member, const std::
 return "";
 }
 
+void DBMirrorSet::networkMemberSSOHasExpired(uint64_t nwid, int64_t ts)
+{
+ std::lock_guard l(_dbs_l);
+ for(auto d=_dbs.begin();d!=_dbs.end();++d) {
+ (*d)->networkMemberSSOHasExpired(nwid, ts);
+ }
+}
+
 void DBMirrorSet::networks(std::set &networks)
 {
 std::lock_guard l(_dbs_l);
diff --git a/controller/DBMirrorSet.hpp b/controller/DBMirrorSet.hpp
index 83dc228aa..4ce962740 100644
--- a/controller/DBMirrorSet.hpp
+++ b/controller/DBMirrorSet.hpp
@@ -52,6 +52,7 @@ public:
 virtual void onNetworkMemberDeauthorize(const void *db,uint64_t networkId,uint64_t memberId);
 
 std::string getSSOAuthURL(const nlohmann::json &member, const std::string &redirectURL);
+ void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
 
 inline void addDB(const std::shared_ptr &db)
 {
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 9a4a09844..da0d7965e 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -1369,11 +1369,16 @@ void EmbeddedNetworkController::_request(
 fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
 if (authenticationExpiryTime < now) {
 if (!authenticationURL.empty()) {
+ _db.networkMemberSSOHasExpired(nwid, now);
+ onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
+
 Dictionary<3072> authInfo;
 authInfo.add("aU", authenticationURL.c_str());
 fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
+ DB::cleanMember(member);
 _db.save(member,true);
+
 _sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 return;
 }
diff --git a/make-mac.mk b/make-mac.mk
index c43661570..ffc8b5c96 100644
--- a/make-mac.mk
+++ b/make-mac.mk
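Review bot: The fan-out loop in the new `DBMirrorSet::networkMemberSSOHasExpired` walks `_dbs` with an explicit iterator where a range-for says the same thing more directly: `for (const auto &d : _dbs) { d->networkMemberSSOHasExpired(nwid, ts); }`. The call is made while `_dbs_l` is held and each `DB` then takes its own `_networks_l` (see the DB.cpp hunk), which appears to be the same nesting the existing `networks()` below already uses, so no new lock-order concern is visible here — worth a one-line comment nonetheless, since nothing documents that the mirror set forwards the expiry to every backend.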
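Review bot: The new `_db.networkMemberSSOHasExpired(nwid, now)` and `onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt())` calls sit inside `if (!authenticationURL.empty())`, so an SSO member whose `authenticationExpiryTime` has passed but whose backend hands back an empty URL — which is exactly what the defaulted `DB::getSSOAuthURL` in this patch returns — records no deauth at all; whatever the else path does with that case is outside the hunk and should be checked, since an expired member silently keeping access is the failure mode this commit is trying to close. `onNetworkMemberDeauthorize` is also fired before `DB::cleanMember(member)` and `_db.save(member,true)`, so a listener that reads the stored record synchronously sees the pre-save state; if that ordering is intentional, a short comment saying so would save the next reader the question. `_request` begins and ends outside the hunk.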
@@ -75,7 +75,7 @@ ifeq ($(ZT_DEBUG),1)
 node/Salsa20.o node/SHA512.o node/C25519.o node/Poly1305.o: CFLAGS = -Wall -O2 -g $(INCLUDES) $(DEFS)
 else
 CFLAGS?=-Ofast -fstack-protector-strong
- CFLAGS+=$(ARCH_FLAGS) -Wall -flto -fPIE -mmacosx-version-min=10.7 -DNDEBUG -Wno-unused-private-field $(INCLUDES) $(DEFS)
+ CFLAGS+=$(ARCH_FLAGS) -Wall -flto -fPIE -mmacosx-version-min=10.13 -DNDEBUG -Wno-unused-private-field $(INCLUDES) $(DEFS)
 STRIP=strip
 endif
 
@@ -93,10 +93,10 @@ CXXFLAGS=$(CFLAGS) -std=c++11 -stdlib=libc++
 all: one
 
 ext/x64-salsa2012-asm/salsa2012.o:
- as -arch x86_64 -mmacosx-version-min=10.7 -o ext/x64-salsa2012-asm/salsa2012.o ext/x64-salsa2012-asm/salsa2012.s
+ as -arch x86_64 -mmacosx-version-min=10.13 -o ext/x64-salsa2012-asm/salsa2012.o ext/x64-salsa2012-asm/salsa2012.s
 
 mac-agent: FORCE
- $(CC) -Ofast $(ARCH_FLAGS) -mmacosx-version-min=10.7 -o MacEthernetTapAgent osdep/MacEthernetTapAgent.c
+ $(CC) -Ofast $(ARCH_FLAGS) -mmacosx-version-min=10.13 -o MacEthernetTapAgent osdep/MacEthernetTapAgent.c
 $(CODESIGN) -f --options=runtime -s $(CODESIGN_APP_CERT) MacEthernetTapAgent
 
 osdep/MacDNSHelper.o: osdep/MacDNSHelper.mm