void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-05 20:13:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

code cleanup

Browse source
This commit is contained in:
Grant Limberg 2022-05-11 22:41:35 -07:00
parent 4151749dc9
commit e7fee4c6ce
No known key found for this signature in database
GPG key ID: 8F2F97D3BE8D7735
3 changed files with 362 additions and 318 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
zeroidc/src/error.rs
View file

@ -13,10 +13,11 @@
use thiserror::Error; use thiserror::Error;
#[derive(Error, Debug)] #[derive(Error, Debug)]
pub enum ZeroIDCError pub enum ZeroIDCError {
{
#[error(transparent)] #[error(transparent)]
DiscoveryError(#[from] openidconnect::DiscoveryError<openidconnect::reqwest::Error<reqwest::Error>>), DiscoveryError(
#[from] openidconnect::DiscoveryError<openidconnect::reqwest::Error<reqwest::Error>>,
),
#[error(transparent)] #[error(transparent)]
ParseError(#[from] url::ParseError), ParseError(#[from] url::ParseError),
@ -30,8 +31,6 @@ pub struct SSOExchangeError {
impl SSOExchangeError { impl SSOExchangeError {
pub fn new(message: String) -> Self { pub fn new(message: String) -> Self {
SSOExchangeError{ SSOExchangeError { message }
message
}
} }
} }

223
zeroidc/src/ext.rs
View file

@ -12,19 +12,17 @@
use std::ffi::{CStr, CString}; use std::ffi::{CStr, CString};
use std::os::raw::c_char; use std::os::raw::c_char;
use url::{Url}; use url::Url;
use crate::ZeroIDC; use crate::ZeroIDC;
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_new( pub extern "C" fn zeroidc_new(
issuer: *const c_char, issuer: *const c_char,
@ -56,25 +54,21 @@ pub extern "C" fn zeroidc_new(
auth_endpoint.to_str().unwrap(), auth_endpoint.to_str().unwrap(),
web_listen_port, web_listen_port,
) { ) {
Ok(idc) => { Ok(idc) => Box::into_raw(Box::new(idc)),
return Box::into_raw(Box::new(idc));
}
Err(s) => { Err(s) => {
println!("Error creating ZeroIDC instance: {}", s); println!("Error creating ZeroIDC instance: {}", s);
return std::ptr::null_mut(); std::ptr::null_mut()
} }
} }
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_delete(ptr: *mut ZeroIDC) { pub extern "C" fn zeroidc_delete(ptr: *mut ZeroIDC) {
if ptr.is_null() { if ptr.is_null() {
@ -85,21 +79,19 @@ pub extern "C" fn zeroidc_delete(ptr: *mut ZeroIDC) {
&mut *ptr &mut *ptr
}; };
idc.stop(); idc.stop();
unsafe { unsafe {
Box::from_raw(ptr); Box::from_raw(ptr);
} }
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_start(ptr: *mut ZeroIDC) { pub extern "C" fn zeroidc_start(ptr: *mut ZeroIDC) {
let idc = unsafe { let idc = unsafe {
@ -109,15 +101,13 @@ pub extern "C" fn zeroidc_start(ptr: *mut ZeroIDC) {
idc.start(); idc.start();
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_stop(ptr: *mut ZeroIDC) { pub extern "C" fn zeroidc_stop(ptr: *mut ZeroIDC) {
let idc = unsafe { let idc = unsafe {
@ -127,15 +117,13 @@ pub extern "C" fn zeroidc_stop(ptr: *mut ZeroIDC) {
idc.stop(); idc.stop();
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_is_running(ptr: *mut ZeroIDC) -> bool { pub extern "C" fn zeroidc_is_running(ptr: *mut ZeroIDC) -> bool {
let idc = unsafe { let idc = unsafe {
@ -156,20 +144,19 @@ pub extern "C" fn zeroidc_get_exp_time(ptr: *mut ZeroIDC) -> u64 {
id.get_exp_time() id.get_exp_time()
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_set_nonce_and_csrf( pub extern "C" fn zeroidc_set_nonce_and_csrf(
ptr: *mut ZeroIDC, ptr: *mut ZeroIDC,
csrf_token: *const c_char, csrf_token: *const c_char,
nonce: *const c_char) { nonce: *const c_char,
) {
let idc = unsafe { let idc = unsafe {
assert!(!ptr.is_null()); assert!(!ptr.is_null());
&mut *ptr &mut *ptr
@ -193,19 +180,17 @@ pub extern "C" fn zeroidc_set_nonce_and_csrf(
.to_str() .to_str()
.unwrap() .unwrap()
.to_string(); .to_string();
idc.set_nonce_and_csrf(csrf_token, nonce); idc.set_nonce_and_csrf(csrf_token, nonce);
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn free_cstr(s: *mut c_char) { pub extern "C" fn free_cstr(s: *mut c_char) {
if s.is_null() { if s.is_null() {
@ -218,40 +203,34 @@ pub extern "C" fn free_cstr(s: *mut c_char) {
} }
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_get_auth_url(ptr: *mut ZeroIDC) -> *mut c_char { pub extern "C" fn zeroidc_get_auth_url(ptr: *mut ZeroIDC) -> *mut c_char {
if ptr.is_null() { if ptr.is_null() {
println!("passed a null object"); println!("passed a null object");
return std::ptr::null_mut(); return std::ptr::null_mut();
} }
let idc = unsafe { let idc = unsafe { &mut *ptr };
&mut *ptr
};
let s = CString::new(idc.auth_url()).unwrap(); let s = CString::new(idc.auth_url()).unwrap();
return s.into_raw(); return s.into_raw();
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_token_exchange(idc: *mut ZeroIDC, code: *const c_char ) -> *mut c_char { pub extern "C" fn zeroidc_token_exchange(idc: *mut ZeroIDC, code: *const c_char) -> *mut c_char {
if idc.is_null() { if idc.is_null() {
println!("idc is null"); println!("idc is null");
return std::ptr::null_mut(); return std::ptr::null_mut();
@ -261,29 +240,29 @@ pub extern "C" fn zeroidc_token_exchange(idc: *mut ZeroIDC, code: *const c_char
println!("code is null"); println!("code is null");
return std::ptr::null_mut(); return std::ptr::null_mut();
} }
let idc = unsafe { let idc = unsafe { &mut *idc };
&mut *idc
};
let code = unsafe{CStr::from_ptr(code)}.to_str().unwrap(); let code = unsafe { CStr::from_ptr(code) }.to_str().unwrap();
let ret = idc.do_token_exchange(code); let ret = idc.do_token_exchange(code);
match ret { match ret {
Ok(ret) => { Ok(ret) => {
let ret = CString::new(ret).unwrap(); let ret = CString::new(ret).unwrap();
return ret.into_raw(); ret.into_raw()
}
},
Err(e) => { Err(e) => {
let errstr = format!("{{\"errorMessage\":\"{}\"\"}}", e).to_string(); let errstr = format!("{{\"errorMessage\":\"{}\"\"}}", e);
let ret = CString::new(errstr).unwrap(); let ret = CString::new(errstr).unwrap();
return ret.into_raw(); ret.into_raw()
} }
} }
} }
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_get_url_param_value(param: *const c_char, path: *const c_char) -> *mut c_char { pub extern "C" fn zeroidc_get_url_param_value(
param: *const c_char,
path: *const c_char,
) -> *mut c_char {
if param.is_null() { if param.is_null() {
println!("param is null"); println!("param is null");
return std::ptr::null_mut(); return std::ptr::null_mut();
@ -292,21 +271,21 @@ pub extern "C" fn zeroidc_get_url_param_value(param: *const c_char, path: *const
println!("path is null"); println!("path is null");
return std::ptr::null_mut(); return std::ptr::null_mut();
} }
let param = unsafe {CStr::from_ptr(param)}.to_str().unwrap(); let param = unsafe { CStr::from_ptr(param) }.to_str().unwrap();
let path = unsafe {CStr::from_ptr(path)}.to_str().unwrap(); let path = unsafe { CStr::from_ptr(path) }.to_str().unwrap();
let url = "http://localhost:9993".to_string() + path; let url = "http://localhost:9993".to_string() + path;
let url = Url::parse(&url).unwrap(); let url = Url::parse(&url).unwrap();
let pairs = url.query_pairs(); let pairs = url.query_pairs();
for p in pairs { for p in pairs {
if p.0 == param { if p.0 == param {
let s = CString::new(p.1.into_owned()).unwrap(); let s = CString::new(p.1.into_owned()).unwrap();
return s.into_raw() return s.into_raw();
} }
} }
return std::ptr::null_mut(); std::ptr::null_mut()
} }
#[no_mangle] #[no_mangle]
@ -316,36 +295,32 @@ pub extern "C" fn zeroidc_network_id_from_state(state: *const c_char) -> *mut c_
return std::ptr::null_mut(); return std::ptr::null_mut();
} }
let state = unsafe{CStr::from_ptr(state)}.to_str().unwrap(); let state = unsafe { CStr::from_ptr(state) }.to_str().unwrap();
let split = state.split("_"); let split = state.split('_');
let split = split.collect::<Vec<&str>>(); let split = split.collect::<Vec<&str>>();
if split.len() != 2 { if split.len() != 2 {
return std::ptr::null_mut(); return std::ptr::null_mut();
} }
let s = CString::new(split[1]).unwrap(); let s = CString::new(split[1]).unwrap();
return s.into_raw(); s.into_raw()
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
#[no_mangle] #[no_mangle]
pub extern "C" fn zeroidc_kick_refresh_thread(idc: *mut ZeroIDC) { pub extern "C" fn zeroidc_kick_refresh_thread(idc: *mut ZeroIDC) {
if idc.is_null() { if idc.is_null() {
println!("idc is null"); println!("idc is null");
return; return;
} }
let idc = unsafe { let idc = unsafe { &mut *idc };
&mut *idc
};
idc.kick_refresh_thread(); idc.kick_refresh_thread();
} }

446
zeroidc/src/lib.rs
View file

@ -22,42 +22,41 @@ extern crate url;
use crate::error::*; use crate::error::*;
use bytes::Bytes; use bytes::Bytes;
use jwt::{Token}; use jwt::Token;
use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType}; use openidconnect::core::{CoreClient, CoreProviderMetadata, CoreResponseType};
use openidconnect::reqwest::http_client; use openidconnect::reqwest::http_client;
use openidconnect::{AccessToken, AccessTokenHash, AuthorizationCode, AuthenticationFlow, ClientId, CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse}; use openidconnect::{
AccessToken, AccessTokenHash, AuthenticationFlow, AuthorizationCode, ClientId, CsrfToken,
IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl,
RefreshToken, Scope, TokenResponse,
};
use std::error::Error; use std::error::Error;
use std::str::from_utf8; use std::str::from_utf8;
use std::sync::{Arc, Mutex}; use std::sync::{Arc, Mutex};
use std::thread::{sleep, spawn, JoinHandle}; use std::thread::{sleep, spawn, JoinHandle};
use std::time::{SystemTime, UNIX_EPOCH, Duration}; use std::time::{Duration, SystemTime, UNIX_EPOCH};
use time::{OffsetDateTime, format_description}; use time::{format_description, OffsetDateTime};
use url::Url; use url::Url;
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
pub struct ZeroIDC { pub struct ZeroIDC {
inner: Arc<Mutex<Inner>>, inner: Arc<Mutex<Inner>>,
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
struct Inner { struct Inner {
running: bool, running: bool,
auth_endpoint: String, auth_endpoint: String,
@ -82,40 +81,35 @@ impl Inner {
} }
fn csrf_func(csrf_token: String) -> Box<dyn Fn() -> CsrfToken> { fn csrf_func(csrf_token: String) -> Box<dyn Fn() -> CsrfToken> {
return Box::new(move || CsrfToken::new(csrf_token.to_string())); Box::new(move || CsrfToken::new(csrf_token.to_string()))
} }
fn nonce_func(nonce: String) -> Box<dyn Fn() -> Nonce> { fn nonce_func(nonce: String) -> Box<dyn Fn() -> Nonce> {
return Box::new(move || Nonce::new(nonce.to_string())); Box::new(move || Nonce::new(nonce.to_string()))
} }
#[cfg(debug_assertions)] #[cfg(debug_assertions)]
fn systemtime_strftime<T>(dt: T, format: &str) -> String fn systemtime_strftime<T>(dt: T, format: &str) -> String
where T: Into<OffsetDateTime> where
T: Into<OffsetDateTime>,
{ {
let f = format_description::parse(format); let f = format_description::parse(format);
match f { match f {
Ok(f) => { Ok(f) => match dt.into().format(&f) {
match dt.into().format(&f) { Ok(s) => s,
Ok(s) => s, Err(_e) => "".to_string(),
Err(_e) => "".to_string(),
}
},
Err(_e) => {
"".to_string()
}, },
Err(_e) => "".to_string(),
} }
} }
#[cfg( #[cfg(any(
any( all(target_os = "linux", target_arch = "x86"),
all(target_os = "linux", target_arch = "x86"), all(target_os = "linux", target_arch = "x86_64"),
all(target_os = "linux", target_arch = "x86_64"), all(target_os = "linux", target_arch = "aarch64"),
all(target_os = "linux", target_arch = "aarch64"), target_os = "windows",
target_os = "windows", target_os = "macos",
target_os = "macos", ))]
)
)]
impl ZeroIDC { impl ZeroIDC {
pub fn new( pub fn new(
issuer: &str, issuer: &str,
@ -137,12 +131,14 @@ impl ZeroIDC {
url: None, url: None,
csrf_token: None, csrf_token: None,
nonce: None, nonce: None,
pkce_verifier: None, pkce_verifier: None,
})), })),
}; };
println!("issuer: {}, client_id: {}, auth_endopint: {}, local_web_port: {}", println!(
issuer, client_id, auth_ep, local_web_port); "issuer: {}, client_id: {}, auth_endopint: {}, local_web_port: {}",
issuer, client_id, auth_ep, local_web_port
);
let iss = IssuerUrl::new(issuer.to_string())?; let iss = IssuerUrl::new(issuer.to_string())?;
let provider_meta = CoreProviderMetadata::discover(&iss, http_client)?; let provider_meta = CoreProviderMetadata::discover(&iss, http_client)?;
@ -184,35 +180,53 @@ impl ZeroIDC {
let nonce = (*inner_local.lock().unwrap()).nonce.clone(); let nonce = (*inner_local.lock().unwrap()).nonce.clone();
while running { while running {
let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time); let exp =
UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time);
let now = SystemTime::now(); let now = SystemTime::now();
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
println!("refresh token thread tick, now: {}, exp: {}", systemtime_strftime(now, "[year]-[month]-[day] [hour]:[minute]:[second]"), systemtime_strftime(exp, "[year]-[month]-[day] [hour]:[minute]:[second]")); {
println!(
"refresh token thread tick, now: {}, exp: {}",
systemtime_strftime(
now,
"[year]-[month]-[day] [hour]:[minute]:[second]"
),
systemtime_strftime(
exp,
"[year]-[month]-[day] [hour]:[minute]:[second]"
)
);
} }
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone(); let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
if let Some(refresh_token) = refresh_token { if let Some(refresh_token) = refresh_token {
let should_kick = (*inner_local.lock().unwrap()).kick; let should_kick = (*inner_local.lock().unwrap()).kick;
if now >= (exp - Duration::from_secs(30)) || should_kick { if now >= (exp - Duration::from_secs(30)) || should_kick {
if should_kick { if should_kick {
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
{
println!("refresh thread kicked"); println!("refresh thread kicked");
} }
(*inner_local.lock().unwrap()).kick = false; (*inner_local.lock().unwrap()).kick = false;
} }
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
{
println!("Refresh Token: {}", refresh_token.secret()); println!("Refresh Token: {}", refresh_token.secret());
} }
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| { let token_response = (*inner_local.lock().unwrap())
let res = c.exchange_refresh_token(&refresh_token) .oidc_client
.request(http_client); .as_ref()
.map(|c| {
res let res = c
}); .exchange_refresh_token(&refresh_token)
.request(http_client);
res
});
if let Some(res) = token_response { if let Some(res) = token_response {
match res { match res {
Ok(res) => { Ok(res) => {
@ -223,78 +237,126 @@ impl ZeroIDC {
None => "".to_string(), None => "".to_string(),
}; };
let params = [("id_token", id_token.to_string()),("state", "refresh".to_string()),("extra_nonce", n)]; let params = [
#[cfg(debug_assertions)] { ("id_token", id_token.to_string()),
println!("New ID token: {}", id_token.to_string()); ("state", "refresh".to_string()),
("extra_nonce", n),
];
#[cfg(debug_assertions)]
{
println!(
"New ID token: {}",
id_token.to_string()
);
} }
let client = reqwest::blocking::Client::new(); let client = reqwest::blocking::Client::new();
let r = client.post((*inner_local.lock().unwrap()).auth_endpoint.clone()) let r = client
.post(
(*inner_local.lock().unwrap())
.auth_endpoint
.clone(),
)
.form(&params) .form(&params)
.send(); .send();
match r { match r {
Ok(r) => { Ok(r) => {
if r.status().is_success() { if r.status().is_success() {
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
println!("hit url: {}", r.url().as_str()); {
println!(
"hit url: {}",
r.url().as_str()
);
println!("status: {}", r.status()); println!("status: {}", r.status());
} }
let access_token = res.access_token(); let access_token = res.access_token();
let idt = &id_token.to_string(); let idt = &id_token.to_string();
let t: Result<Token<jwt::Header, jwt::Claims, jwt::Unverified<'_>>, jwt::Error> = let t: Result<
Token::parse_unverified(idt); Token<
jwt::Header,
jwt::Claims,
jwt::Unverified<'_>,
>,
jwt::Error,
> = Token::parse_unverified(idt);
if let Ok(t) = t { if let Ok(t) = t {
let claims = t.claims().registered.clone(); let claims =
t.claims().registered.clone();
match claims.expiration { match claims.expiration {
Some(exp) => { Some(exp) => {
(*inner_local.lock().unwrap()).exp_time = exp; (*inner_local
}, .lock()
.unwrap())
.exp_time = exp;
}
None => { None => {
panic!("expiration is None. This shouldn't happen") panic!("expiration is None. This shouldn't happen")
} }
} }
} }
(*inner_local.lock().unwrap()).access_token = Some(access_token.clone()); (*inner_local.lock().unwrap())
.access_token =
Some(access_token.clone());
if let Some(t) = res.refresh_token() { if let Some(t) = res.refresh_token() {
// println!("New Refresh Token: {}", t.secret()); // println!("New Refresh Token: {}", t.secret());
(*inner_local.lock().unwrap()).refresh_token = Some(t.clone()); (*inner_local.lock().unwrap())
.refresh_token =
Some(t.clone());
} }
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
{
println!("Central post succeeded"); println!("Central post succeeded");
} }
} else { } else {
println!("Central post failed: {}", r.status().to_string()); println!(
println!("hit url: {}", r.url().as_str()); "Central post failed: {}",
r.status()
);
println!(
"hit url: {}",
r.url().as_str()
);
println!("Status: {}", r.status()); println!("Status: {}", r.status());
if let Ok(body) = r.bytes() { if let Ok(body) = r.bytes() {
if let Ok(body) = std::str::from_utf8(&body) { if let Ok(body) =
std::str::from_utf8(&body)
{
println!("Body: {}", body); println!("Body: {}", body);
} }
} }
(*inner_local.lock().unwrap()).exp_time = 0; (*inner_local.lock().unwrap())
(*inner_local.lock().unwrap()).running = false; .exp_time = 0;
(*inner_local.lock().unwrap())
.running = false;
} }
}, }
Err(e) => { Err(e) => {
println!("Central post failed: {}", e.to_string()); println!(
println!("hit url: {}", e.url().unwrap().as_str()); "Central post failed: {}",
e.to_string()
);
println!(
"hit url: {}",
e.url().unwrap().as_str()
);
println!("Status: {}", e.status().unwrap()); println!("Status: {}", e.status().unwrap());
(*inner_local.lock().unwrap()).exp_time = 0; (*inner_local.lock().unwrap()).exp_time = 0;
(*inner_local.lock().unwrap()).running = false; (*inner_local.lock().unwrap()).running =
false;
} }
} }
}, }
None => { None => {
println!("no id token?!?"); println!("no id token?!?");
} }
} }
}, }
Err(e) => { Err(e) => {
println!("token error: {}", e); println!("token error: {}", e);
} }
@ -323,7 +385,7 @@ impl ZeroIDC {
pub fn stop(&mut self) { pub fn stop(&mut self) {
let local = self.inner.clone(); let local = self.inner.clone();
if self.is_running(){ if self.is_running() {
(*local.lock().unwrap()).running = false; (*local.lock().unwrap()).running = false;
} }
} }
@ -341,73 +403,75 @@ impl ZeroIDC {
pub fn set_nonce_and_csrf(&mut self, csrf_token: String, nonce: String) { pub fn set_nonce_and_csrf(&mut self, csrf_token: String, nonce: String) {
let local = Arc::clone(&self.inner); let local = Arc::clone(&self.inner);
(*local.lock().expect("can't lock inner")).as_opt().map(|i| { (*local.lock().expect("can't lock inner"))
if i.running { .as_opt()
println!("refresh thread running. not setting new nonce or csrf"); .map(|i| {
return if i.running {
} println!("refresh thread running. not setting new nonce or csrf");
return;
}
let need_verifier = match i.pkce_verifier { let need_verifier = match i.pkce_verifier {
None => true, None => true,
_ => false, _ => false,
}; };
let csrf_diff = if let Some(csrf) = i.csrf_token.clone() { let csrf_diff = if let Some(csrf) = i.csrf_token.clone() {
if *csrf.secret() != csrf_token { if *csrf.secret() != csrf_token {
true true
} else {
false
}
} else { } else {
false false
} };
} else {
false
};
let nonce_diff = if let Some(n) = i.nonce.clone() { let nonce_diff = if let Some(n) = i.nonce.clone() {
if *n.secret() != nonce { if *n.secret() != nonce {
true true
} else {
false
}
} else { } else {
false false
};
if need_verifier || csrf_diff || nonce_diff {
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
let r = i.oidc_client.as_ref().map(|c| {
let (auth_url, csrf_token, nonce) = c
.authorize_url(
AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
csrf_func(csrf_token),
nonce_func(nonce),
)
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("offline_access".to_string()))
.add_scope(Scope::new("openid".to_string()))
.set_pkce_challenge(pkce_challenge)
.url();
(auth_url, csrf_token, nonce)
});
if let Some(r) = r {
i.url = Some(r.0);
i.csrf_token = Some(r.1);
i.nonce = Some(r.2);
i.pkce_verifier = Some(pkce_verifier);
}
} }
} else { });
false
};
if need_verifier || csrf_diff || nonce_diff {
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
let r = i.oidc_client.as_ref().map(|c| {
let (auth_url, csrf_token, nonce) = c
.authorize_url(
AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
csrf_func(csrf_token),
nonce_func(nonce),
)
.add_scope(Scope::new("profile".to_string()))
.add_scope(Scope::new("email".to_string()))
.add_scope(Scope::new("offline_access".to_string()))
.add_scope(Scope::new("openid".to_string()))
.set_pkce_challenge(pkce_challenge)
.url();
(auth_url, csrf_token, nonce)
});
if let Some(r) = r {
i.url = Some(r.0);
i.csrf_token = Some(r.1);
i.nonce = Some(r.2);
i.pkce_verifier = Some(pkce_verifier);
}
}
});
} }
pub fn auth_url(&self) -> String { pub fn auth_url(&self) -> String {
let url = (*self.inner.lock().expect("can't lock inner")).as_opt().map(|i| { let url = (*self.inner.lock().expect("can't lock inner"))
match i.url.clone() { .as_opt()
.map(|i| match i.url.clone() {
Some(u) => u.to_string(), Some(u) => u.to_string(),
_ => "".to_string(), _ => "".to_string(),
} });
});
match url { match url {
Some(url) => url.to_string(), Some(url) => url.to_string(),
@ -423,13 +487,14 @@ impl ZeroIDC {
let token_response = i.oidc_client.as_ref().map(|c| { let token_response = i.oidc_client.as_ref().map(|c| {
println!("auth code: {}", code); println!("auth code: {}", code);
let r = c.exchange_code(AuthorizationCode::new(code.to_string())) let r = c
.exchange_code(AuthorizationCode::new(code.to_string()))
.set_pkce_verifier(verifier) .set_pkce_verifier(verifier)
.request(http_client); .request(http_client);
// validate the token hashes // validate the token hashes
match r { match r {
Ok(res) =>{ Ok(res) => {
let n = match i.nonce.clone() { let n = match i.nonce.clone() {
Some(n) => n, Some(n) => n,
None => { None => {
@ -437,7 +502,7 @@ impl ZeroIDC {
return None; return None;
} }
}; };
let id = match res.id_token() { let id = match res.id_token() {
Some(t) => t, Some(t) => t,
None => { None => {
@ -463,7 +528,10 @@ impl ZeroIDC {
}; };
if let Some(expected_hash) = claims.access_token_hash() { if let Some(expected_hash) = claims.access_token_hash() {
let actual_hash = match AccessTokenHash::from_token(res.access_token(), &signing_algo) { let actual_hash = match AccessTokenHash::from_token(
res.access_token(),
&signing_algo,
) {
Ok(h) => h, Ok(h) => h,
Err(e) => { Err(e) => {
println!("Error hashing access token: {}", e); println!("Error hashing access token: {}", e);
@ -477,77 +545,80 @@ impl ZeroIDC {
} }
} }
Some(res) Some(res)
}, }
Err(e) => { Err(e) => {
println!("token response error: {:?}", e.to_string()); println!("token response error: {:?}", e.to_string());
println!("\t {:?}", e.source()); println!("\t {:?}", e.source());
return None; None
}, }
} }
}); });
if let Some(Some(tok)) = token_response { if let Some(Some(tok)) = token_response {
let id_token = tok.id_token().unwrap(); let id_token = tok.id_token().unwrap();
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
{
println!("ID token: {}", id_token.to_string()); println!("ID token: {}", id_token.to_string());
} }
let mut split = "".to_string(); let mut split = "".to_string();
match i.csrf_token.clone() { if let Some(tok) = i.csrf_token.clone() {
Some(csrf_token) => { split = tok.secret().to_owned();
split = csrf_token.secret().to_owned();
},
_ => (),
} }
let split = split.split("_").collect::<Vec<&str>>(); let split = split.split('_').collect::<Vec<&str>>();
if split.len() == 2 { if split.len() == 2 {
let params = [("id_token", id_token.to_string()),("state", split[0].to_string())]; let params = [
("id_token", id_token.to_string()),
("state", split[0].to_string()),
];
let client = reqwest::blocking::Client::new(); let client = reqwest::blocking::Client::new();
let res = client.post(i.auth_endpoint.clone()) let res = client.post(i.auth_endpoint.clone()).form(&params).send();
.form(&params)
.send();
match res { match res {
Ok(res) => { Ok(res) => {
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
{
println!("hit url: {}", res.url().as_str()); println!("hit url: {}", res.url().as_str());
println!("Status: {}", res.status()); println!("Status: {}", res.status());
} }
let idt = &id_token.to_string(); let idt = &id_token.to_string();
let t: Result<Token<jwt::Header, jwt::Claims, jwt::Unverified<'_>>, jwt::Error>= let t: Result<
Token::parse_unverified(idt); Token<jwt::Header, jwt::Claims, jwt::Unverified<'_>>,
jwt::Error,
> = Token::parse_unverified(idt);
if let Ok(t) = t { if let Ok(t) = t {
let claims = t.claims().registered.clone(); let claims = t.claims().registered.clone();
match claims.expiration { match claims.expiration {
Some(exp) => { Some(exp) => {
i.exp_time = exp; i.exp_time = exp;
println!("Set exp time to: {:?}", i.exp_time); println!("Set exp time to: {:?}", i.exp_time);
}, }
None => { None => {
panic!("expiration is None. This shouldn't happen"); panic!("expiration is None. This shouldn't happen");
} }
} }
} }
i.access_token = Some(tok.access_token().clone()); i.access_token = Some(tok.access_token().clone());
if let Some(t) = tok.refresh_token() { if let Some(t) = tok.refresh_token() {
i.refresh_token = Some(t.clone()); i.refresh_token = Some(t.clone());
should_start = true; should_start = true;
} }
#[cfg(debug_assertions)] { #[cfg(debug_assertions)]
{
let access_token = tok.access_token(); let access_token = tok.access_token();
println!("Access Token: {}", access_token.secret()); println!("Access Token: {}", access_token.secret());
let refresh_token = tok.refresh_token(); let refresh_token = tok.refresh_token();
println!("Refresh Token: {}", refresh_token.unwrap().secret()); println!("Refresh Token: {}", refresh_token.unwrap().secret());
} }
let bytes = match res.bytes() { let bytes = match res.bytes() {
Ok(bytes) => bytes, Ok(bytes) => bytes,
Err(_) => Bytes::from(""), Err(_) => Bytes::from(""),
@ -558,38 +629,37 @@ impl ZeroIDC {
Err(_) => "".to_string(), Err(_) => "".to_string(),
}; };
return Ok(bytes); Ok(bytes)
}, }
Err(res) => { Err(res) => {
println!("error result: {}", res); println!("error result: {}", res);
println!("hit url: {}", res.url().unwrap().as_str()); println!("hit url: {}", res.url().unwrap().as_str());
println!("Status: {}", res.status().unwrap()); println!("Status: {}", res.status().unwrap());
println!("Post error: {}", res.to_string()); println!("Post error: {}", res);
i.exp_time = 0; i.exp_time = 0;
return Err(SSOExchangeError::new("error from central endpoint".to_string())); Err(SSOExchangeError::new(
"error from central endpoint".to_string(),
))
} }
} }
} else { } else {
return Err(SSOExchangeError::new("error splitting state token".to_string())); Err(SSOExchangeError::new(
"error splitting state token".to_string(),
))
} }
} else { } else {
return Err(SSOExchangeError::new("invalid token response".to_string())); Err(SSOExchangeError::new("invalid token response".to_string()))
} }
} else { } else {
return Err(SSOExchangeError::new("invalid pkce verifier".to_string())); Err(SSOExchangeError::new("invalid pkce verifier".to_string()))
} }
}); });
if should_start { if should_start {
self.start(); self.start();
} }
match res { match res {
Some(res) => { Some(res) => res,
return res; _ => Err(SSOExchangeError::new("invalid result".to_string())),
}, }
_ => {
return Err(SSOExchangeError::new("invalid result".to_string()));
},
};
} }
} }