From 663a09b38de3e16b0919e8d7dd992f77c5266724 Mon Sep 17 00:00:00 2001
From: Grant Limberg
Date: Wed, 1 Dec 2021 13:01:32 -0800
Subject: [PATCH] oidc stuff coming across the wire properly and generating a working login URL
---
 controller/PostgreSQL.cpp | 8 +++++---
 node/IncomingPacket.cpp | 2 --
 node/Network.cpp | 1 -
 service/OneService.cpp | 7 +++----
 zeroidc/src/ext.rs | 8 ++++++--
 zeroidc/src/lib.rs | 15 ++++++++++++---
 6 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/controller/PostgreSQL.cpp b/controller/PostgreSQL.cpp
index 86ffe6855..28bd7b844 100644
--- a/controller/PostgreSQL.cpp
+++ b/controller/PostgreSQL.cpp
@@ -415,18 +415,20 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
 exit(6);
 }
- r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.sso_impl_version "
+ r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.issuer, org.sso_impl_version "
 "FROM ztc_network AS nw, ztc_org AS org "
 "WHERE nw.id = $1 AND nw.sso_enabled = true AND org.owner_id = nw.owner_id", networkId);
 std::string client_id = "";
 std::string authorization_endpoint = "";
+ std::string issuer = "";
 uint64_t sso_version = 0;
 if (r.size() == 1) {
 client_id = r.at(0)[0].as();
 authorization_endpoint = r.at(0)[1].as();
- sso_version = r.at(0)[2].as();
+ issuer = r.at(0)[2].as();
+ sso_version = r.at(0)[3].as();
 } else if (r.size() > 1) {
 fprintf(stderr, "ERROR: More than one auth endpoint for an organization?!?!? NetworkID: %s\n", networkId.c_str());
 } else {
@@ -455,7 +457,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
 info.authenticationURL = std::string(url);
 } else if (info.version == 1) {
 info.ssoClientID = client_id;
- info.issuerURL = authorization_endpoint;
+ info.issuerURL = issuer;
 info.ssoNonce = nonce;
 info.ssoState = std::string(state_hex);
 info.centralAuthURL = redirectURL;
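Review bot: The new `issuer` column read at `issuer = r.at(0)[2].as();` is never validated before the second hunk hands it to the node as `info.issuerURL`, which the client then uses as the base for OIDC provider discovery. If `org.issuer` is NULL for an SSO-enabled org, the conversion in `as()` raises instead of yielding an empty string (libpqxx behaviour for a plain `std::string` target; worth confirming against the version in use), and if it is an empty string the member is sent an empty issuer and discovery fails on the client with nothing logged on the controller side. Suggest guarding after the `r.size() == 1` block with `if (issuer.empty()) fprintf(stderr, "ERROR: SSO enabled but org.issuer is not set for NetworkID: %s\n", networkId.c_str());` and reading the column through the default-value overload of `as()` so a NULL degrades to an empty string rather than an exception. getSSOAuthInfo begins before the first hunk and continues past the second.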
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index f875d917b..62320a7d1 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -221,7 +221,6 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 if (authInfo.get(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, issuerURL, sizeof(issuerURL)) > 0) {
 issuerURL[sizeof(issuerURL) - 1] = 0;
- fprintf(stderr, "Issuer URL from info: %s\n", issuerURL);
 }
 if (authInfo.get(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, centralAuthURL, sizeof(centralAuthURL))>0) {
 centralAuthURL[sizeof(centralAuthURL) - 1] = 0;
@@ -236,7 +235,6 @@ bool IncomingPacket::_doERROR(const RuntimeEnvironment *RR,void *tPtr,const Shar
 ssoClientID[sizeof(ssoClientID) - 1] = 0;
 }
- fprintf(stderr, "Setting auth required on network\n");
 network->setAuthenticationRequired(tPtr, issuerURL, centralAuthURL, ssoClientID, ssoNonce, ssoState);
 }
 }
diff --git a/node/Network.cpp b/node/Network.cpp
index a8fa5ebca..c77f94a6d 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -1555,7 +1555,6 @@ void Network::setAuthenticationRequired(void *tPtr, const char* issuerURL, const
 _config.ssoEnabled = true;
 _config.ssoVersion = 1;
- fprintf(stderr, "Network::setAuthenticationRequired issuerURL: %s\n", issuerURL);
 Utils::scopy(_config.issuerURL, sizeof(_config.issuerURL), issuerURL);
 Utils::scopy(_config.centralAuthURL, sizeof(_config.centralAuthURL), centralEndpoint);
 Utils::scopy(_config.ssoClientID, sizeof(_config.ssoClientID), clientID);
diff --git a/service/OneService.cpp b/service/OneService.cpp
index cc579a61a..cd6e524ce 100644
--- a/service/OneService.cpp
+++ b/service/OneService.cpp
@@ -251,9 +251,7 @@ public:
 const char* nwid = Utils::hex(nwc->nwid, nwbuf);
 fprintf(stderr, "NetworkState::setConfig(%s)\n", nwid);
- fprintf(stderr, "issuerUrl before: %s\n", nwc->issuerURL);
 memcpy(&_config, nwc, sizeof(ZT_VirtualNetworkConfig));
- fprintf(stderr, "issuerUrl after: %s\n", _config.issuerURL);
 fprintf(stderr, "ssoEnabled: %s, ssoVersion: %d\n", _config.ssoEnabled ? "true" : "false", _config.ssoVersion);
@@ -443,7 +441,9 @@ static void _networkToJson(nlohmann::json &nj,NetworkState &ns)
 }
 nj["dns"] = m;
 if (ns.config().ssoEnabled) {
- nj["authenticationURL"] = ns.getAuthURL();
+ const char* authURL = ns.getAuthURL();
+ fprintf(stderr, "Auth URL: %s\n", authURL);
+ nj["authenticationURL"] = authURL;
 nj["authenticationExpiryTime"] = ns.config().authenticationExpiryTime;
 nj["ssoEnabled"] = ns.config().ssoEnabled;
 }
@@ -2665,7 +2665,6 @@ public:
 // After setting up tap, fall through to CONFIG_UPDATE since we also want to do this...
 case ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE:
- fprintf(stderr, "conf update issuerURL: %s\n", nwc->issuerURL);
 n.setConfig(nwc);
 if (n.tap()) { // sanity check
diff --git a/zeroidc/src/ext.rs b/zeroidc/src/ext.rs
index ab69829ac..d6f451378 100644
--- a/zeroidc/src/ext.rs
+++ b/zeroidc/src/ext.rs
@@ -156,10 +156,14 @@ pub extern "C" fn zeroidc_auth_info_delete(ptr: *mut AuthInfo) {
 #[no_mangle]
 pub extern "C" fn zeroidc_get_auth_url(ptr: *mut AuthInfo) -> *const c_char {
+ if ptr.is_null() {
+ println!("passed a null object");
+ return std::ptr::null_mut();
+ }
 let ai = unsafe {
- assert!(!ptr.is_null());
 &mut *ptr
 };
+
 let s = CString::new(ai.url.to_string()).unwrap();
- return s.as_ptr();
+ return s.into_raw();
 }
diff --git a/zeroidc/src/lib.rs b/zeroidc/src/lib.rs
index a0dca8892..1a744e45c 100644
--- a/zeroidc/src/lib.rs
+++ b/zeroidc/src/lib.rs
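Review bot: In the `_networkToJson` hunk, `authURL` goes straight into `fprintf("%s")` and into `nj["authenticationURL"]` with no null check, and the ext.rs hunk in this same commit makes `zeroidc_get_auth_url` return a null pointer when it is handed a null `AuthInfo`; if `getAuthURL()` is backed by that function, both lines are undefined behaviour on that path (`%s` with NULL, and nlohmann::json building a std::string from a null `const char*`). The stderr line also prints the complete authorization URL, which carries the per-login `state`, nonce and PKCE challenge, so it should not remain in the normal log path once the feature is verified. Suggest dropping the `fprintf` and writing `nj["authenticationURL"] = authURL ? authURL : "";`. `_networkToJson` begins before the hunk.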
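Review bot: Switching to `s.into_raw()` hands ownership of the CString to the C caller, but the hunk adds no function for giving it back, so every call to `zeroidc_get_auth_url` now leaks one heap string unless the caller releases it through a matching `CString::from_raw` on the Rust side (freeing it with C `free()` would be wrong). The previous `s.as_ptr()` returned a pointer into a CString that was dropped at the end of the function, so the switch is the right fix for that dangling pointer; it just needs the release half. Two smaller points in the same hunk: `std::ptr::null()` matches the declared `*const c_char` return type better than `null_mut()`, and the `.unwrap()` on `CString::new` would panic across the `extern "C"` boundary if the URL ever contained an interior NUL, so returning null on that error is the safer choice. A release function along these lines (name constructed here) would pair with it:
```rust
#[no_mangle]
pub extern "C" fn zeroidc_free_cstr(s: *mut c_char) {
    if s.is_null() {
        return;
    }
    // Re-take ownership of a pointer produced by CString::into_raw and drop it.
    unsafe {
        drop(CString::from_raw(s));
    }
}
```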
@@ -71,7 +71,10 @@ impl ZeroIDC {
 let provider_meta = match CoreProviderMetadata::discover(&iss, http_client) {
 Ok(m) => m,
- Err(e) => return Err(e.to_string()),
+ Err(e) => {
+ println!("Error discovering provider metadata");
+ return Err(e.to_string());
+ },
 };
 let r = format!("http://localhost:{}/sso", local_web_port);
@@ -85,7 +88,10 @@ impl ZeroIDC {
 let redirect = match RedirectUrl::new(redir_url.to_string()) {
 Ok(s) => s,
- Err(e) => return Err(e.to_string()),
+ Err(e) => {
+ println!("Error generating RedirectURL instance from string: {}", redir_url.to_string());
+ return Err(e.to_string());
+ }
 };
 (*idc.inner.lock().unwrap()).oidc_client = Some(
@@ -152,13 +158,16 @@ impl ZeroIDC {
 csrf_func(csrf_token),
 nonce_func(nonce),
 )
- .add_scope(Scope::new("read".to_string()))
+ .add_scope(Scope::new("profile".to_string()))
+ .add_scope(Scope::new("email".to_string()))
 .add_scope(Scope::new("offline_access".to_string()))
 .add_scope(Scope::new("openid".to_string()))
 .set_pkce_challenge(pkce_challenge)
 .add_extra_param("network_id", network_id)
 .url();
+ println!("URL: {}", auth_url);
+
 return AuthInfo {
 url: auth_url,
 csrf_token,
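Review bot: The new error branch in the `CoreProviderMetadata::discover` match reports the failure with `println!`, which sends it to stdout rather than stderr, and the message carries no detail about what went wrong even though `e` is right there; the same pattern appears in the `RedirectUrl::new` hunk below. Suggest `eprintln!("Error discovering provider metadata: {}", e);` here and `eprintln!` in the second hunk as well, so the diagnostics land on stderr with the rest of the service's logging and are not mixed into normal program output. The enclosing method starts before this hunk.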
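Review bot: `println!("URL: {}", auth_url);` in the last hunk writes the complete authorization URL to stdout, and that URL embeds the `state` CSRF token, the nonce and the PKCE challenge that `set_pkce_challenge` just attached, so the one-time values protecting this login flow end up in whatever captures the process output. Those are the same values the callback will later be checked against, so the line should be removed once the feature is verified; if a trace is still wanted, log only the scheme and host of `auth_url`, or gate the line behind a debug flag. The scope change from `read` to `profile` and `email` is a behaviour change for existing identity providers and would be worth a sentence in the commit message. The enclosing method starts before the hunk.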