From a33d7c64fe1932707fda20e7b41d7e2351b3f388 Mon Sep 17 00:00:00 2001 From: Grant Limberg Date: Tue, 30 Nov 2021 17:27:13 -0800 Subject: [PATCH] more fixin --- controller/EmbeddedNetworkController.cpp | 28 +++------------------ controller/PostgreSQL.cpp | 32 +++++++++++++++++++++++- service/OneService.cpp | 7 +++++- 3 files changed, 41 insertions(+), 26 deletions(-) diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp index 4ce48fa26..812fdd606 100644 --- a/controller/EmbeddedNetworkController.cpp +++ b/controller/EmbeddedNetworkController.cpp @@ -63,29 +63,6 @@ namespace ZeroTier { namespace { -std::string url_encode(const std::string &value) { - std::ostringstream escaped; - escaped.fill('0'); - escaped << std::hex; - - for (std::string::const_iterator i = value.begin(), n = value.end(); i != n; ++i) { - std::string::value_type c = (*i); - - // Keep alphanumeric and other accepted characters intact - if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') { - escaped << c; - continue; - } - - // Any other characters are percent-encoded - escaped << std::uppercase; - escaped << '%' << std::setw(2) << int((unsigned char) c); - escaped << std::nouppercase; - } - - return escaped.str(); -} - static json _renderRule(ZT_VirtualNetworkRule &rule) { char tmp[128]; @@ -503,7 +480,7 @@ EmbeddedNetworkController::~EmbeddedNetworkController() } void EmbeddedNetworkController::setSSORedirectURL(const std::string &url) { - _ssoRedirectURL = url_encode(url); + _ssoRedirectURL = url; } void EmbeddedNetworkController::init(const Identity &signingId,Sender *sender) 
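Review bot: `setSSORedirectURL` now stores the redirect URL verbatim, so every consumer that interpolates `_ssoRedirectURL` into a query string must do its own percent-encoding, and that contract is not stated anywhere near the setter. Add a comment on it such as `// Stored unencoded; percent-encode at the point it is embedded in a query string (see PostgreSQL::getSSOAuthInfo).` so the next caller does not assume the value is already safe to concatenate. It may also be worth rejecting an empty or non-absolute URL here instead of discovering it when the authorization URL is built, but whether a validation layer exists upstream is not visible in this hunk.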
@@ -1494,6 +1471,9 @@ void EmbeddedNetworkController::_request( if (!info.centralAuthURL.empty()) { Utils::scopy(nc->centralAuthURL, sizeof(nc->centralAuthURL), info.centralAuthURL.c_str()); } + if (!info.issuerURL.empty()) { + Utils::scopy(nc->issuerURL, sizeof(nc->issuerURL), info.issuerURL.c_str()); + } if (!info.ssoNonce.empty()) { Utils::scopy(nc->ssoNonce, sizeof(nc->ssoNonce), info.ssoNonce.c_str()); } diff --git a/controller/PostgreSQL.cpp b/controller/PostgreSQL.cpp index 14e210540..15d359f82 100644 --- a/controller/PostgreSQL.cpp +++ b/controller/PostgreSQL.cpp @@ -80,6 +80,28 @@ std::vector split(std::string str, char delim){ return tokens; } +std::string url_encode(const std::string &value) { + std::ostringstream escaped; + escaped.fill('0'); + escaped << std::hex; + + for (std::string::const_iterator i = value.begin(), n = value.end(); i != n; ++i) { + std::string::value_type c = (*i); + + // Keep alphanumeric and other accepted characters intact + if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') { + escaped << c; + continue; + } + + // Any other characters are percent-encoded + escaped << std::uppercase; + escaped << '%' << std::setw(2) << int((unsigned char) c); + escaped << std::nouppercase; + } + + return escaped.str(); +} } // anonymous namespace @@ -425,7 +447,7 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str OSUtils::ztsnprintf(url, sizeof(authenticationURL), "%s?response_type=id_token&response_mode=form_post&scope=openid+email+profile&redirect_uri=%s&nonce=%s&state=%s&client_id=%s", authorization_endpoint.c_str(), - redirectURL.c_str(), + url_encode(redirectURL).c_str(), nonce.c_str(), state_hex, client_id.c_str()); 
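Review bot: `isalnum(c)` in the new `url_encode` is called with a plain `char`; on targets where `char` is signed, any byte >= 0x80 in the URL (a UTF-8 path, for instance) is passed as a negative `int`, which is undefined behaviour for the `<cctype>` classification functions. Convert first, matching the `(unsigned char)` cast the hex branch already uses: `if (isalnum(static_cast<unsigned char>(c)) || c == '-' || c == '_' || c == '.' || c == '~') {`. `isalnum` is also locale-sensitive, while the unreserved set being kept here is meant to be ASCII-only, so an explicit `[A-Za-z0-9]` range check would make the encoder independent of the process locale. The function is file-local to PostgreSQL.cpp, so this is a self-contained change.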
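Review bot: Only `redirect_uri` is percent-encoded in the `ztsnprintf` call; `client_id`, which this function reads from the database, and `nonce`/`state_hex` are still interpolated raw into the same query string, so a client ID containing `&`, `+` or `#` would break or alter the request. Encode every interpolated value the same way, e.g. `url_encode(client_id).c_str()`; the nonce and state are presumably hex already, but encoding them too is harmless and keeps the rule uniform. Separately, the context line `OSUtils::ztsnprintf(url, sizeof(authenticationURL), ...)` writes into `url` but sizes the write by a different buffer, and encoding can triple the length of the redirect URL, so if the two buffers differ in size this is either silent truncation or an overrun; the result should be checked for truncation before it is stored in `info`. The declarations of `url` and `authenticationURL` are outside the hunk.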
@@ -436,6 +458,14 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str info.ssoNonce = nonce; info.ssoState = std::string(state_hex); info.centralAuthURL = redirectURL; + fprintf( + stderr, + "ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s", + info.ssoClientID.c_str(), + info.issuerURL.c_str(), + info.ssoNonce.c_str(), + info.ssoState.c_str(), + info.centralAuthURL.c_str()); } } else { fprintf(stderr, "client_id: %s\nauthorization_endpoint: %s\n", client_id.c_str(), authorization_endpoint.c_str()); diff --git a/service/OneService.cpp b/service/OneService.cpp index b30747fb7..274b5b9c7 100644 --- a/service/OneService.cpp +++ b/service/OneService.cpp @@ -253,7 +253,7 @@ public: memcpy(&_config, nwc, sizeof(ZT_VirtualNetworkConfig)); fprintf(stderr, "ssoEnabled: %s, ssoVersion: %d\n", _config.ssoEnabled ? "true" : "false", _config.ssoVersion); - + if (_config.ssoEnabled && _config.ssoVersion == 1) { fprintf(stderr, "ssoEnabled for %s\n", nwid); if (_idc == nullptr) @@ -261,6 +261,11 @@ public: assert(_config.issuerURL != nullptr); assert(_config.ssoClientID != nullptr); assert(_config.centralAuthURL != nullptr); + + fprintf(stderr, "Issuer URL: %s\n", _config.issuerURL); + fprintf(stderr, "Client ID: %s\n", _config.ssoClientID); + fprintf(stderr, "Central Auth URL: %s\n", _config.centralAuthURL); + char buf[17] = {}; _idc = zeroidc::zeroidc_new( Utils::hex(_config.nwid, buf),
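Review bot: The new `fprintf` in `getSSOAuthInfo` writes the OIDC `nonce` and `state` to stderr on every successful lookup; both are single-use values that bind the pending authorization to this member, so they should not land in process logs where anyone with log access can read them. Drop those two fields or gate the block behind a debug flag, e.g. `"ssoClientID: %s\nissuerURL: %s\ncentralAuthURL: %s\n"`; note the current format string also lacks a trailing `\n`, so the next stderr line is glued onto the central auth URL. Whether nonce and state remain sensitive after they are handed to the client in the network config is not settled by this hunk, but logging them here gains nothing.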
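Review bot: The three `assert(_config.X != nullptr)` context lines above the new `fprintf`s in OneService.cpp cannot fail if these fields are fixed-size character arrays (the controller hunk copies into `nc->issuerURL` with `sizeof(nc->issuerURL)`, which suggests they are), and asserts vanish under `NDEBUG` anyway, so an empty issuer URL reaches `zeroidc_new` unchecked and the new log lines would merely print an empty string. Check for content and fail soft instead: `if (_config.issuerURL[0] == '\0' || _config.ssoClientID[0] == '\0' || _config.centralAuthURL[0] == '\0') { fprintf(stderr, "ssoEnabled for %s but issuer/client/central auth URL missing\n", nwid); return; }` — whether returning is the right recovery depends on the enclosing method, which starts and ends outside the hunk. The added `fprintf`s also read as debug output; if they are meant to stay, gating them behind a verbose flag would keep the issuer and central auth URLs out of routine logs.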