mirror of
https://github.com/zerotier/ZeroTierOne.git
synced 2025-06-07 04:53:44 +02:00
Fix hash verification on refresh
This commit is contained in:
parent
8fccf3136c
commit
a69e91c541
1 changed files with 115 additions and 85 deletions
|
@ -159,6 +159,10 @@ impl ZeroIDC {
|
||||||
(*inner_local.lock().unwrap()).running = true;
|
(*inner_local.lock().unwrap()).running = true;
|
||||||
let mut running = true;
|
let mut running = true;
|
||||||
|
|
||||||
|
// Keep a copy of the initial nonce used to get the tokens
|
||||||
|
// Will be needed later when verifying the responses from refresh tokens
|
||||||
|
let nonce = (*inner_local.lock().unwrap()).nonce.clone();
|
||||||
|
|
||||||
while running {
|
while running {
|
||||||
let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time);
|
let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time);
|
||||||
let now = SystemTime::now();
|
let now = SystemTime::now();
|
||||||
|
@ -169,121 +173,147 @@ impl ZeroIDC {
|
||||||
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
|
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
|
||||||
if let Some(refresh_token) = refresh_token {
|
if let Some(refresh_token) = refresh_token {
|
||||||
if now >= (exp - Duration::from_secs(30)) {
|
if now >= (exp - Duration::from_secs(30)) {
|
||||||
let nonce = (*inner_local.lock().unwrap()).nonce.clone();
|
|
||||||
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
|
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
|
||||||
let res = c.exchange_refresh_token(&refresh_token)
|
let res = c.exchange_refresh_token(&refresh_token)
|
||||||
.request(http_client);
|
.request(http_client);
|
||||||
|
|
||||||
|
res
|
||||||
|
});
|
||||||
|
|
||||||
|
if let Some(res) = token_response {
|
||||||
match res {
|
match res {
|
||||||
Ok(res) => {
|
Ok(res) => {
|
||||||
let n = match nonce {
|
|
||||||
|
let n = match nonce.clone() {
|
||||||
Some(n) => n,
|
Some(n) => n,
|
||||||
None => {
|
None => {
|
||||||
return None;
|
println!("err: no nonce");
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
let id = match res.id_token() {
|
let id = match res.id_token() {
|
||||||
Some(t) => t,
|
Some(t) => t,
|
||||||
None => {
|
None => {
|
||||||
return None;
|
println!("err: no id_token");
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
let claims = match id.claims(&c.id_token_verifier(), &n) {
|
let verified = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
|
||||||
Ok(c) => c,
|
let claims = match id.claims(&c.id_token_verifier(), &n) {
|
||||||
Err(_e) => {
|
Ok(c) => c,
|
||||||
return None;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
let signing_algo = match id.signing_alg() {
|
|
||||||
Ok(s) => s,
|
|
||||||
Err(_) => {
|
|
||||||
return None;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
if let Some(expected_hash) = claims.access_token_hash() {
|
|
||||||
let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
|
|
||||||
Ok(h) => h,
|
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
println!("Error hashing access token: {}", e);
|
println!("claims err: {}", e);
|
||||||
return None;
|
return false;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
if actual_hash != *expected_hash {
|
let signing_algo = match id.signing_alg() {
|
||||||
println!("token hash error");
|
Ok(s) => s,
|
||||||
return None;
|
Err(e) => {
|
||||||
|
println!("alg err: {}", e);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
if let Some(expected_hash) = claims.access_token_hash() {
|
||||||
|
let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) {
|
||||||
|
Ok(h) => h,
|
||||||
|
Err(e) => {
|
||||||
|
println!("Error hashing access token: {}", e);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
if actual_hash != *expected_hash {
|
||||||
|
println!("token hash error");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
return true;
|
||||||
return Some(res);
|
});
|
||||||
},
|
|
||||||
Err(_e) => {
|
match verified {
|
||||||
return None;
|
Some(verified) => {
|
||||||
}
|
if !verified {
|
||||||
};
|
println!("not verified.");
|
||||||
});
|
|
||||||
|
|
||||||
if let Some(Some(res)) = token_response{
|
|
||||||
match res.id_token() {
|
|
||||||
Some(id_token) => {
|
|
||||||
let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
|
|
||||||
#[cfg(debug_assertions)] {
|
|
||||||
println!("New ID token: {}", id_token.to_string());
|
|
||||||
}
|
|
||||||
let client = reqwest::blocking::Client::new();
|
|
||||||
let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
|
|
||||||
.form(¶ms)
|
|
||||||
.send();
|
|
||||||
|
|
||||||
match r {
|
|
||||||
Ok(r) => {
|
|
||||||
if r.status().is_success() {
|
|
||||||
#[cfg(debug_assertions)] {
|
|
||||||
println!("hit url: {}", r.url().as_str());
|
|
||||||
println!("status: {}", r.status());
|
|
||||||
}
|
|
||||||
|
|
||||||
let access_token = res.access_token();
|
|
||||||
let at = access_token.secret();
|
|
||||||
let exp = dangerous_insecure_decode::<Exp>(&at);
|
|
||||||
|
|
||||||
if let Ok(e) = exp {
|
|
||||||
(*inner_local.lock().unwrap()).exp_time = e.claims.exp
|
|
||||||
}
|
|
||||||
|
|
||||||
(*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
|
|
||||||
if let Some(t) = res.refresh_token() {
|
|
||||||
// println!("New Refresh Token: {}", t.secret());
|
|
||||||
(*inner_local.lock().unwrap()).refresh_token = Some(t.clone());
|
|
||||||
}
|
|
||||||
#[cfg(debug_assertions)] {
|
|
||||||
println!("Central post succeeded");
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
println!("Central post failed: {}", r.status().to_string());
|
|
||||||
println!("hit url: {}", r.url().as_str());
|
|
||||||
println!("Status: {}", r.status());
|
|
||||||
(*inner_local.lock().unwrap()).exp_time = 0;
|
|
||||||
(*inner_local.lock().unwrap()).running = false;
|
(*inner_local.lock().unwrap()).running = false;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
Err(e) => {
|
None => {
|
||||||
|
println!("no verification performed?");
|
||||||
println!("Central post failed: {}", e.to_string());
|
|
||||||
println!("hit url: {}", e.url().unwrap().as_str());
|
|
||||||
println!("Status: {}", e.status().unwrap());
|
|
||||||
(*inner_local.lock().unwrap()).exp_time = 0;
|
|
||||||
(*inner_local.lock().unwrap()).running = false;
|
(*inner_local.lock().unwrap()).running = false;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
match res.id_token() {
|
||||||
|
Some(id_token) => {
|
||||||
|
let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
|
||||||
|
#[cfg(debug_assertions)] {
|
||||||
|
println!("New ID token: {}", id_token.to_string());
|
||||||
|
}
|
||||||
|
let client = reqwest::blocking::Client::new();
|
||||||
|
let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone())
|
||||||
|
.form(¶ms)
|
||||||
|
.send();
|
||||||
|
|
||||||
|
match r {
|
||||||
|
Ok(r) => {
|
||||||
|
if r.status().is_success() {
|
||||||
|
#[cfg(debug_assertions)] {
|
||||||
|
println!("hit url: {}", r.url().as_str());
|
||||||
|
println!("status: {}", r.status());
|
||||||
|
}
|
||||||
|
|
||||||
|
let access_token = res.access_token();
|
||||||
|
let at = access_token.secret();
|
||||||
|
let exp = dangerous_insecure_decode::<Exp>(&at);
|
||||||
|
|
||||||
|
if let Ok(e) = exp {
|
||||||
|
(*inner_local.lock().unwrap()).exp_time = e.claims.exp
|
||||||
|
}
|
||||||
|
|
||||||
|
(*inner_local.lock().unwrap()).access_token = Some(access_token.clone());
|
||||||
|
if let Some(t) = res.refresh_token() {
|
||||||
|
// println!("New Refresh Token: {}", t.secret());
|
||||||
|
(*inner_local.lock().unwrap()).refresh_token = Some(t.clone());
|
||||||
|
}
|
||||||
|
#[cfg(debug_assertions)] {
|
||||||
|
println!("Central post succeeded");
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
println!("Central post failed: {}", r.status().to_string());
|
||||||
|
println!("hit url: {}", r.url().as_str());
|
||||||
|
println!("Status: {}", r.status());
|
||||||
|
(*inner_local.lock().unwrap()).exp_time = 0;
|
||||||
|
(*inner_local.lock().unwrap()).running = false;
|
||||||
|
}
|
||||||
|
},
|
||||||
|
Err(e) => {
|
||||||
|
|
||||||
|
println!("Central post failed: {}", e.to_string());
|
||||||
|
println!("hit url: {}", e.url().unwrap().as_str());
|
||||||
|
println!("Status: {}", e.status().unwrap());
|
||||||
|
(*inner_local.lock().unwrap()).exp_time = 0;
|
||||||
|
(*inner_local.lock().unwrap()).running = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
None => {
|
||||||
|
println!("no id token?!?");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
None => {
|
Err(e) => {
|
||||||
println!("no id token?!?");
|
println!("token error: {}", e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
println!("token response??");
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
println!("waiting to refresh");
|
println!("waiting to refresh");
|
||||||
|
|
Loading…
Add table
Reference in a new issue