void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-06 12:33:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Simplify SSO logic. SSO should just normally expire when it expires. No full deauth needed. Deauth is for really giving someone the boot.

Browse source
This commit is contained in:
Adam Ierymenko 2022-04-18 16:32:05 -04:00
parent 7e4da53c0b
commit cb086ff97f
No known key found for this signature in database
GPG key ID: C8877CF2D7A5D7F3
5 changed files with 25 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
controller/DB.cpp
View file

@ -196,14 +196,6 @@ void DB::networks(std::set<uint64_t> &networks)
networks.insert(n->first); networks.insert(n->first);
} }
void DB::networkMemberSSOHasExpired(uint64_t nwid, int64_t now) {
std::lock_guard<std::mutex> l(_networks_l);
auto nw = _networks.find(nwid);
if (nw != _networks.end()) {
nw->second->mostRecentDeauthTime = now;
}
}
void DB::_memberChanged(nlohmann::json &old,nlohmann::json &memberConfig,bool notifyListeners) void DB::_memberChanged(nlohmann::json &old,nlohmann::json &memberConfig,bool notifyListeners)
{ {
uint64_t memberId = 0; uint64_t memberId = 0;

1
controller/DB.hpp
View file

@ -135,7 +135,6 @@ public:
virtual void nodeIsOnline(const uint64_t networkId,const uint64_t memberId,const InetAddress &physicalAddress) = 0; virtual void nodeIsOnline(const uint64_t networkId,const uint64_t memberId,const InetAddress &physicalAddress) = 0;
virtual AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL) { return AuthInfo(); } virtual AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL) { return AuthInfo(); }
virtual void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
inline void addListener(DB::ChangeListener *const listener) inline void addListener(DB::ChangeListener *const listener)
{ {

8
controller/DBMirrorSet.cpp
View file

@ -137,14 +137,6 @@ AuthInfo DBMirrorSet::getSSOAuthInfo(const nlohmann::json &member, const std::st
return AuthInfo(); return AuthInfo();
} }
void DBMirrorSet::networkMemberSSOHasExpired(uint64_t nwid, int64_t ts)
{
std::lock_guard<std::mutex> l(_dbs_l);
for(auto d=_dbs.begin();d!=_dbs.end();++d) {
(*d)->networkMemberSSOHasExpired(nwid, ts);
}
}
void DBMirrorSet::networks(std::set<uint64_t> &networks) void DBMirrorSet::networks(std::set<uint64_t> &networks)
{ {
std::lock_guard<std::mutex> l(_dbs_l); std::lock_guard<std::mutex> l(_dbs_l);

1
controller/DBMirrorSet.hpp
View file

@ -52,7 +52,6 @@ public:
virtual void onNetworkMemberDeauthorize(const void *db,uint64_t networkId,uint64_t memberId); virtual void onNetworkMemberDeauthorize(const void *db,uint64_t networkId,uint64_t memberId);
AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL); AuthInfo getSSOAuthInfo(const nlohmann::json &member, const std::string &redirectURL);
void networkMemberSSOHasExpired(uint64_t nwid, int64_t ts);
inline void addDB(const std::shared_ptr<DB> &db) inline void addDB(const std::shared_ptr<DB> &db)
{ {

26
controller/EmbeddedNetworkController.cpp
View file

@ -1340,6 +1340,29 @@ void EmbeddedNetworkController::_request(
bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false); bool networkSSOEnabled = OSUtils::jsonBool(network["ssoEnabled"], false);
bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false); bool memberSSOExempt = OSUtils::jsonBool(member["ssoExempt"], false);
if (networkSSOEnabled && !memberSSOExempt) { if (networkSSOEnabled && !memberSSOExempt) {
authenticationExpiryTime = (int64_t)OSUtils::jsonInt(member["authenticationExpiryTime"], 0);
info = _db.getSSOAuthInfo(member, _ssoRedirectURL);
assert(info.enabled == networkSSOEnabled);
if (authenticationExpiryTime <= now) {
if (info.version == 0) {
Dictionary<4096> authInfo;
authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, (uint64_t)0ULL);
authInfo.add(ZT_AUTHINFO_DICT_KEY_AUTHENTICATION_URL, info.authenticationURL.c_str());
} else if (info.version == 1) {
Dictionary<8192> authInfo;
authInfo.add(ZT_AUTHINFO_DICT_KEY_VERSION, info.version);
authInfo.add(ZT_AUTHINFO_DICT_KEY_ISSUER_URL, info.issuerURL.c_str());
authInfo.add(ZT_AUTHINFO_DICT_KEY_CENTRAL_ENDPOINT_URL, info.centralAuthURL.c_str());
authInfo.add(ZT_AUTHINFO_DICT_KEY_NONCE, info.ssoNonce.c_str());
authInfo.add(ZT_AUTHINFO_DICT_KEY_STATE, info.ssoState.c_str());
authInfo.add(ZT_AUTHINFO_DICT_KEY_CLIENT_ID, info.ssoClientID.c_str());
_sender->ncSendError(nwid,requestPacketId,identity.address(),NetworkController::NC_ERROR_AUTHENTICATION_REQUIRED, authInfo.data(), authInfo.sizeBytes());
}
DB::cleanMember(member);
_db.save(member,true);
return;
}
#if 0
// TODO: Get expiry time if auth is still valid // TODO: Get expiry time if auth is still valid
// else get new auth info & stuff // else get new auth info & stuff
@ -1395,6 +1418,7 @@ void EmbeddedNetworkController::_request(
fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime); fprintf(stderr, "Setting member will expire to: %lld\n", authenticationExpiryTime);
//_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt()); //_db.memberWillExpire(authenticationExpiryTime, nwid, identity.address().toInt());
} }
#endif
} }
if (authorized) { if (authorized) {
@ -1464,7 +1488,7 @@ void EmbeddedNetworkController::_request(
nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU); nc->mtu = std::max(std::min((unsigned int)OSUtils::jsonInt(network["mtu"],ZT_DEFAULT_MTU),(unsigned int)ZT_MAX_MTU),(unsigned int)ZT_MIN_MTU);
nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL); nc->multicastLimit = (unsigned int)OSUtils::jsonInt(network["multicastLimit"],32ULL);
nc->ssoEnabled = OSUtils::jsonBool(network["ssoEnabled"], false); nc->ssoEnabled = networkSSOEnabled; //OSUtils::jsonBool(network["ssoEnabled"], false);
nc->ssoVersion = info.version; nc->ssoVersion = info.version;
if (info.version == 0) { if (info.version == 0) {