Restore sending of rejections but move it exclusively to a thread, widen netconf window to 30 minutes.

2025-06-05 20:13:44 +02:00 · 2022-04-19 10:37:58 -04:00 · 2022-04-19 10:37:58 -04:00 · a4e8847664
commit a4e8847664
parent c492bf7eea
3 changed files with 20 additions and 84 deletions
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@ -1262,6 +1262,7 @@ void EmbeddedNetworkController::_request(
 	}
 	const bool newMember = ((!member.is_object())||(member.empty()));
 	DB::initMember(member);
 	_MemberStatusKey msk(nwid,identity.address().toInt());
 	{
 		const std::string haveIdStr(OSUtils::jsonString(member["identity"],""));
@ -1343,6 +1344,10 @@ void EmbeddedNetworkController::_request(
 		authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
 		info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
 		assert(info.enabled == networkSSOEnabled);
 		std::lock_guard<std::mutex> l(_expiringSoon_l);
 		_expiringSoon.insert(std::pair<int64_t, _MemberStatusKey>(authenticationExpiryTime, msk));
 		if (authenticationExpiryTime <= now) {
 			if (info.version == 0) {
 				Dictionary<4096> authInfo;
@ -1363,63 +1368,6 @@ void EmbeddedNetworkController::_request(
 			_db.save(member,true);
 			return;
 		}
 #if 0
 		// TODO:  Get expiry time if auth is still valid
 		// else get new auth info & stuff
 		info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
 		assert(info.enabled == networkSSOEnabled);
 		std::string memberId = member["id"];
 		//fprintf(stderr, "ssoEnabled && !ssoExempt %s-%s\n", nwids, memberId.c_str());
 		authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
 		fprintf(stderr, "authExpiryTime: %lld\n", authenticationExpiryTime);
 		if (authenticationExpiryTime < now) {
 			fprintf(stderr, "Handling expired member\n");
 			if (info.version == 0) {
 				if (!info.authenticationURL.empty()) {
 					_db.networkMemberSSOHasExpired(nwid, now);
 					onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
 					Dictionary<4096> authInfo;
 					authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, (uint64_t)0ULL);
 					authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());
 					//fprintf(stderr, "sending auth URL: %s\n", authenticationURL.c_str());
 					DB::cleanMember(member);
 					_db.save(member,true);
 					_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 					return;
 				}
 			}
 			else if (info.version == 1) {
 				_db.networkMemberSSOHasExpired(nwid, now);
 				onNetworkMemberDeauthorize(&_db, nwid, identity.address().toInt());
 				Dictionary<8192> authInfo;
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
 				authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
 				DB::cleanMember(member);
 				_db.save(member, true);
 				fprintf(stderr, "Sending NC_ERROR_AUTHENTICATION_REQUIRED\n");
 				_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
 				return;
 			}
 			else {
 				fprintf(stderr, "invalid sso info.version %llu\n", info.version);
 			}
 		} else if (authorized) {
 			fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);
 			//_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
 		}
 #endif
 	}
 	if (authorized) {
@ -1435,8 +1383,6 @@ void EmbeddedNetworkController::_request(
 			member["vRev"] = vRev;
 			member["vProto"] = vProto;
 			_MemberStatusKey msk(nwid,identity.address().toInt());
 			{
 				std::lock_guard<std::mutex> l(_memberStatus_l);
 				_MemberStatus &ms = _memberStatus[msk];
@ -1448,13 +1394,6 @@ void EmbeddedNetworkController::_request(
 				ms.lastRequestMetaData = metaData;
 				ms.identity = identity;
 			}
 			/*
 			if (authenticationExpiryTime > 0) {
 				std::lock_guard<std::mutex> l(_expiringSoon_l);
 				_expiringSoon.insert(std::pair<int64_t, _MemberStatusKey>(authenticationExpiryTime, msk));
 			}
 			*/
 		}
 	} else {
 		// If they are not authorized, STOP!
@ -1887,7 +1826,8 @@ void EmbeddedNetworkController::_startThreads()
 	const long hwc = std::max((long)std::thread::hardware_concurrency(),(long)1);
 	for(long t=0;t<hwc;++t) {
 		_threads.emplace_back([this]() {
-			std::vector< std::pair<uint64_t, uint64_t> > expired;
+			std::vector<_MemberStatusKey> expired;
 			nlohmann::json network, member;
 			for(;;) {
 				_RQEntry *qe = (_RQEntry *)0;
 				auto timedWaitResult = _queue.get(qe, 1000);
@ -1906,7 +1846,6 @@ void EmbeddedNetworkController::_startThreads()
 					}
 				}
 				/*
 				expired.clear();
 				int64_t now = OSUtils::now();
 				{
@ -1914,27 +1853,24 @@ void EmbeddedNetworkController::_startThreads()
 					for(auto s=_expiringSoon.begin();s!=_expiringSoon.end();) {
 						const int64_t when = s->first;
 						if (when <= now) {
-							// Remove expired entries and if they are still correct as per the network status, deauth them.
+							network.clear();
-							std::lock_guard<std::mutex> l(_memberStatus_l);
+							member.clear();
-							_MemberStatus &ms = _memberStatus[s->second];
+							if (_db.get(s->second.networkId, network, s->second.nodeId, member)) {
-							if ((ms.authenticationExpiryTime > 0)&&(ms.authenticationExpiryTime <= now)) {
+								int64_t authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
-								expired.push_back(std::pair<uint64_t, uint64_t>(s->second.networkId, s->second.nodeId));
+								if (authenticationExpiryTime <= now) {
 									expired.push_back(s->second);
 								}
 							}
 							_expiringSoon.erase(s++);
-						} else if ((when - now) > 500) {
+						} else {
 							// Don't bother going further into the future than necessary.
 							break;
 						} else {
 							// Skip not yet expired entries.
 							++s;
 						}
 					}
 				}
 				for(auto e=expired.begin();e!=expired.end();++e) {
-					onNetworkMemberDeauthorize(nullptr, e->first, e->second);
+					onNetworkMemberDeauthorize(nullptr, e->networkId, e->nodeId);
 				}
 				*/
 			}
 		});
 	}
--- a/controller/EmbeddedNetworkController.hpp
+++ b/controller/EmbeddedNetworkController.hpp
@ -154,8 +154,8 @@ private:
 	std::unordered_map< _MemberStatusKey,_MemberStatus,_MemberStatusHash > _memberStatus;
 	std::mutex _memberStatus_l;
-	//std::multimap< int64_t, _MemberStatusKey > _expiringSoon;
+	std::multimap< int64_t, _MemberStatusKey > _expiringSoon;
-	//std::mutex _expiringSoon_l;
+	std::mutex _expiringSoon_l;
 	RedisConfig *_rc;
 	std::string _ssoRedirectURL;
--- a/node/NetworkConfig.hpp
+++ b/node/NetworkConfig.hpp
@ -41,9 +41,9 @@
 #include "Trace.hpp"
 /**
- * Default maximum time delta for COMs, tags, and capabilities
+ * Default time delta for COMs, tags, and capabilities
 */
-#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_DFL_MAX_DELTA ((int64_t)(1000 * 60 * 15))
+#define ZT_NETWORKCONFIG_DEFAULT_CREDENTIAL_TIME_DFL_MAX_DELTA ((int64_t)(1000 * 60 * 30))
 /**
 * Maximum time delta for COMs, tags, and capabilities