Simplify SSO logic. SSO should just normally expire when it expires. No full deauth needed. Deauth is for really giving someone the boot.
This commit is contained in:
parent
7e4da53c0b
commit
cb086ff97f
5 changed files with 25 additions and 19 deletions
|
@ -196,14 +196,6 @@ void DB::networks(std::set<uint64_t> &networks)
|
||||||
networks.insert(n->first);
|
networks.insert(n->first);
|
||||||
}
|
}
|
||||||
|
|
||||||
void DB::networkMemberSSOHasExpired(uint64_t nwid, int64_t now) {
|
|
||||||
std::lock_guard<std::mutex> l(_networks_l);
|
|
||||||
auto nw = _networks.find(nwid);
|
|
||||||
if (nw != _networks.end()) {
|
|
||||||
nw->second->mostRecentDeauthTime = now;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
void DB::_memberChanged(nlohmann::json &old,nlohmann::json &memberConfig,bool notifyListeners)
|
void DB::_memberChanged(nlohmann::json &old,nlohmann::json &memberConfig,bool notifyListeners)
|
||||||
{
|
{
|
||||||
uint64_t memberId = 0;
|
uint64_t memberId = 0;
|
||||||
|
|
|
@ -135,7 +135,6 @@ public:
|
||||||
virtual void nodeIsOnline(const uint64_t networkId,const uint64_t memberId,const InetAddress &physicalAddress) = 0;
|
virtual void nodeIsOnline(const uint64_t networkId,const uint64_t memberId,const InetAddress &physicalAddress) = 0;
|
||||||
|
|
||||||
virtual AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL) { return AuthInfo(); }
|
virtual AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL) { return AuthInfo(); }
|
||||||
virtual void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
|
|
||||||
|
|
||||||
inline void addListener(DB::ChangeListener *const listener)
|
inline void addListener(DB::ChangeListener *const listener)
|
||||||
{
|
{
|
||||||
|
|
|
@ -137,14 +137,6 @@ AuthInfo DBMirrorSet::getSSOAuthInfo(const nlohmann::json &member, const std::st
|
||||||
return AuthInfo();
|
return AuthInfo();
|
||||||
}
|
}
|
||||||
|
|
||||||
void DBMirrorSet::networkMemberSSOHasExpired(uint64_t nwid, int64_t ts)
|
|
||||||
{
|
|
||||||
std::lock_guard<std::mutex> l(_dbs_l);
|
|
||||||
for(auto d=_dbs.begin();d!=_dbs.end();++d) {
|
|
||||||
(*d)->networkMemberSSOHasExpired(nwid, ts);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
void DBMirrorSet::networks(std::set<uint64_t> &networks)
|
void DBMirrorSet::networks(std::set<uint64_t> &networks)
|
||||||
{
|
{
|
||||||
std::lock_guard<std::mutex> l(_dbs_l);
|
std::lock_guard<std::mutex> l(_dbs_l);
|
||||||
|
|
|
@ -52,7 +52,6 @@ public:
|
||||||
virtual void onNetworkMemberDeauthorize(const void *db,uint64_t networkId,uint64_t memberId);
|
virtual void onNetworkMemberDeauthorize(const void *db,uint64_t networkId,uint64_t memberId);
|
||||||
|
|
||||||
AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL);
|
AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL);
|
||||||
void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
|
|
||||||
|
|
||||||
inline void addDB(const std::shared_ptr<DB> &db)
|
inline void addDB(const std::shared_ptr<DB> &db)
|
||||||
{
|
{
|
||||||
|
|
|
@ -1340,6 +1340,29 @@ void EmbeddedNetworkController::_request(
|
||||||
bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
|
bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
|
||||||
bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false);
|
bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false);
|
||||||
if (networkSSOEnabled && !memberSSOExempt) {
|
if (networkSSOEnabled && !memberSSOExempt) {
|
||||||
|
authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
|
||||||
|
info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
|
||||||
|
assert(info.enabled == networkSSOEnabled);
|
||||||
|
if (authenticationExpiryTime <= now) {
|
||||||
|
if (info.version == 0) {
|
||||||
|
Dictionary<4096> authInfo;
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, (uint64_t)0ULL);
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());
|
||||||
|
} else if (info.version == 1) {
|
||||||
|
Dictionary<8192> authInfo;
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
|
||||||
|
authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
|
||||||
|
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
|
||||||
|
}
|
||||||
|
DB::cleanMember(member);
|
||||||
|
_db.save(member,true);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
#if 0
|
||||||
// TODO: Get expiry time if auth is still valid
|
// TODO: Get expiry time if auth is still valid
|
||||||
|
|
||||||
// else get new auth info & stuff
|
// else get new auth info & stuff
|
||||||
|
@ -1395,6 +1418,7 @@ void EmbeddedNetworkController::_request(
|
||||||
fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);
|
fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);
|
||||||
//_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
|
//_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
if (authorized) {
|
if (authorized) {
|
||||||
|
@ -1464,7 +1488,7 @@ void EmbeddedNetworkController::_request(
|
||||||
nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU);
|
nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU);
|
||||||
nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL);
|
nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL);
|
||||||
|
|
||||||
nc->ssoEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
|
nc->ssoEnabled = networkSSOEnabled; //OSUtils::jsonBool(network["ssoEnabled"], false);
|
||||||
nc->ssoVersion = info.version;
|
nc->ssoVersion = info.version;
|
||||||
|
|
||||||
if (info.version == 0) {
|
if (info.version == 0) {
|
||||||
|
|
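Review bot: In the first hunk of this section the `info.version == 0` branch builds `authInfo` but never sends it — `_sender->ncSendError(...)` is called only inside the `info.version == 1` branch, so an expired version-0 member is cleaned, saved and returned from without NC_ERROR_AUTHENTICATION_REQUIRED ever reaching the node, and the same silent return happens for any other `info.version`. Unless version-0 clients are deliberately left unanswered, add `_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());` after the `ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL` add in the version-0 branch too. `assert(info.enabled == networkSSOEnabled)` also deserves a second look: it compiles out in release builds, and in debug builds a disagreement between the DB's SSO info and the network's `ssoEnabled` flag aborts the controller while it is handling a peer's request, so an explicit logged error path would be safer than an assert in a request handler. The enclosing `_request` starts and ends outside the hunk.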