author | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-03-05 19:39:56 +0100 |
---|---|---|
committer | Schanzenbach, Martin <martin.schanzenbach@aisec.fraunhofer.de> | 2018-03-05 19:39:56 +0100 |
commit | bb5a41d072ab7964006cb68a45e043d856cb630e (patch) | |
tree | fd2fbf5bd6fdace3892a1ba2bdb712c81a485232 /src/identity-provider | |
parent | d036b626b8eea15f99d91faf309843936289fde7 (diff) |
start fixing gns
Diffstat (limited to 'src/identity-provider')
-rw-r--r-- | src/identity-provider/gnunet-service-identity-provider.c | 19 | ||||
-rw-r--r-- | src/identity-provider/identity-provider.conf | 2 | ||||
-rw-r--r-- | src/identity-provider/plugin_rest_identity_provider.c | 76 |
3 files changed, 46 insertions, 51 deletions
diff --git a/src/identity-provider/gnunet-service-identity-provider.c b/src/identity-provider/gnunet-service-identity-provider.c
index 265719d582..523eebf393 100644
--- a/src/identity-provider/gnunet-service-identity-provider.c
+++ b/src/identity-provider/gnunet-service-identity-provider.c
@@ -1668,7 +1668,6 @@ process_consume_abe_key (void *cls, uint32_t rd_count,
 size_t size;
 char *buf;
 char *scope;
- char *lookup_query;
 handle->lookup_request = NULL;
 if (1 != rd_count)
@@ -1720,18 +1719,15 @@ process_consume_abe_key (void *cls, uint32_t rd_count,
 for (scope = strtok (scopes, ","); NULL != scope; scope = strtok (NULL, ","))
 {
- GNUNET_asprintf (&lookup_query,
- "%s.gnu",
- scope);
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Looking up %s\n", lookup_query);
+ "Looking up %s\n", scope);
 parallel_lookup = GNUNET_new (struct ParallelLookup);
 parallel_lookup->handle = handle;
 parallel_lookup->label = GNUNET_strdup (scope);
 parallel_lookup->lookup_start_time = GNUNET_TIME_absolute_get();
 parallel_lookup->lookup_request = GNUNET_GNS_lookup (gns_handle,
- lookup_query,
+ scope,
 &handle->ticket.identity, GNUNET_GNSRECORD_TYPE_ID_ATTR, GNUNET_GNS_LO_DEFAULT,
@@ -1740,7 +1736,7 @@ process_consume_abe_key (void *cls, uint32_t rd_count,
 GNUNET_CONTAINER_DLL_insert (handle->parallel_lookups_head, handle->parallel_lookups_tail, parallel_lookup);
- GNUNET_free (lookup_query);
+ GNUNET_free (scope);
 }
 GNUNET_free (scopes);
 GNUNET_free (buf);
@@ -1756,7 +1752,6 @@ handle_consume_ticket_message (void *cls,
 {
 struct ConsumeTicketHandle *ch;
 struct IdpClient *idp = cls;
- char* lookup_query;
 char* rnd_label;
 ch = GNUNET_new (struct ConsumeTicketHandle);
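Review bot: `GNUNET_free (scope)` in the @@ -1740 hunk frees a pointer that strtok returned into the `scopes` buffer rather than a separate allocation, so it is an invalid free for every token after the first and a double free for the first token once `GNUNET_free (scopes)` runs after the loop. The line replaced `GNUNET_free (lookup_query)`, whose allocation the @@ -1720 hunk removed; nothing inside the loop needs releasing any more, since the lookup keeps its own copy in `parallel_lookup->label = GNUNET_strdup (scope)`. Remove the `GNUNET_free (scope);` line and leave `GNUNET_free (scopes);` after the loop as the only release. process_consume_abe_key begins and ends outside these hunks.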
@@ -1769,22 +1764,18 @@ handle_consume_ticket_message (void *cls,
 ch->ticket = *((struct GNUNET_IDENTITY_PROVIDER_Ticket*)&cm[1]);
 rnd_label = GNUNET_STRINGS_data_to_string_alloc (&ch->ticket.rnd, sizeof (uint64_t));
- GNUNET_asprintf (&lookup_query,
- "%s.gnu",
- rnd_label);
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
- "Looking for ABE key under %s\n", lookup_query);
+ "Looking for ABE key under %s\n", rnd_label);
 ch->lookup_start_time = GNUNET_TIME_absolute_get ();
 ch->lookup_request = GNUNET_GNS_lookup (gns_handle,
- lookup_query,
+ rnd_label,
 &ch->ticket.identity, GNUNET_GNSRECORD_TYPE_ABE_KEY, GNUNET_GNS_LO_DEFAULT, &process_consume_abe_key, ch);
 GNUNET_free (rnd_label);
- GNUNET_free (lookup_query);
 GNUNET_SERVICE_client_continue (idp->client);
 }
diff --git a/src/identity-provider/identity-provider.conf b/src/identity-provider/identity-provider.conf
index b78af35531..ea00289335 100644
--- a/src/identity-provider/identity-provider.conf
+++ b/src/identity-provider/identity-provider.conf
@@ -14,7 +14,7 @@ DATABASE = sqlite
 [identity-rest-plugin]
 #ADDRESS = https://identity.gnu:8000#/login
-ADDRESS = https://identity.gnu/ui/#/login
+ADDRESS = https://reclaim.id/ui/#/login
 PSW = secret
 EXPIRATION_TIME = 3600
diff --git a/src/identity-provider/plugin_rest_identity_provider.c b/src/identity-provider/plugin_rest_identity_provider.c
index 3f9279d5c3..7b4ebf2fcc 100644
--- a/src/identity-provider/plugin_rest_identity_provider.c
+++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -409,6 +409,11 @@ struct RequestHandle
 char *url;
 /**
+ * The tld for redirect
+ */
+ char *tld;
+
+ /**
 * Error response message
 */
 char *emsg;
@@ -457,6 +462,8 @@ cleanup_handle (struct RequestHandle *handle)
 GNUNET_IDENTITY_PROVIDER_disconnect (handle->idp);
 if (NULL != handle->url)
 GNUNET_free (handle->url);
+ if (NULL != handle->tld)
+ GNUNET_free (handle->tld);
 if (NULL != handle->emsg)
 GNUNET_free (handle->emsg);
 if (NULL != handle->edesc)
@@ -1463,6 +1470,8 @@ static void get_client_name_result (void *cls,
 char *code_base64_final_string;
 char *redirect_path;
 char *tmp;
+ char *tmp_prefix;
+ char *prefix;
 ticket_str = GNUNET_STRINGS_data_to_string_alloc (&handle->ticket, sizeof (struct GNUNET_IDENTITY_PROVIDER_Ticket));
 //TODO change if more attributes are needed (see max_age)
@@ -1476,8 +1485,13 @@ static void get_client_name_result (void *cls,
 redirect_path = strtok (tmp, "/");
 redirect_path = strtok (NULL, "/");
 redirect_path = strtok (NULL, "/");
- GNUNET_asprintf (&redirect_uri, "https://%s.gnu/%s?%s=%s&state=%s",
- label,
+ tmp_prefix = GNUNET_strdup (handle->oidc->redirect_uri);
+ prefix = strrchr (tmp_prefix,
+ (unsigned char) '.');
+ *prefix = '\0';
+ GNUNET_asprintf (&redirect_uri, "%s.%s/%s?%s=%s&state=%s",
+ tmp_prefix,
+ handle->tld,
 redirect_path, handle->oidc->response_type, code_base64_final_string, handle->oidc->state);
@@ -1486,6 +1500,7 @@ static void get_client_name_result (void *cls,
 handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
 GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle);
 GNUNET_free (tmp);
+ GNUNET_free (tmp_prefix);
 GNUNET_free (redirect_uri);
 GNUNET_free (ticket_str);
 GNUNET_free (code_json_string);
@@ -1730,7 +1745,6 @@ static void namestore_iteration_finished (void *cls)
 struct RequestHandle *handle = cls;
 struct GNUNET_HashCode cache_key;
- char *expected_redirect_uri;
 char *expected_scope;
 char delimiter[]=" ";
 int number_of_ignored_parameter, iterator;
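Review bot: `*prefix = '\0'` in the @@ -1476 hunk dereferences the result of `strrchr (tmp_prefix, '.')` without a NULL check, and `tmp_prefix` is a copy of `handle->oidc->redirect_uri`, which this commit now takes verbatim from the request's url_param_map, so a redirect_uri without a '.' crashes the plugin. Because strrchr scans the whole string, a '.' in a path or query component (a constructed example: `.../cb.html`) would also become the cut point instead of the host's last label. Guard it before the write, `if (NULL == prefix) { /* treat as invalid redirect_uri via this function's error path */ }`, and consider cutting only within the host portion. Separately, `handle->tld` is passed to `%s` here but is only assigned inside the ego-matching loop in authorize_endpoint, so if this path is reachable without a matching ego it would be NULL — worth confirming. get_client_name_result starts and ends outside the hunk.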
@@ -1766,23 +1780,9 @@ static void namestore_iteration_finished (void *cls)
 GNUNET_SCHEDULER_add_now (&do_error, handle);
 return;
 }
- handle->oidc->redirect_uri = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
+ handle->oidc->redirect_uri = GNUNET_strdup (GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+ &cache_key));
- GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey", handle->oidc->client_id);
- // verify the redirect uri matches https://<client_id>.zkey[/xyz]
- if( 0 != strncmp( expected_redirect_uri, handle->oidc->redirect_uri, strlen(expected_redirect_uri)) )
- {
- handle->oidc->redirect_uri = NULL;
- handle->emsg=GNUNET_strdup("invalid_request");
- handle->edesc=GNUNET_strdup("Invalid redirect_uri");
- GNUNET_SCHEDULER_add_now (&do_error, handle);
- GNUNET_free(expected_redirect_uri);
- return;
- }
- handle->oidc->redirect_uri = GNUNET_strdup(handle->oidc->redirect_uri);
-
- GNUNET_free(expected_redirect_uri);
 // REQUIRED value: response_type
 GNUNET_CRYPTO_hash (OIDC_RESPONSE_TYPE_KEY, strlen (OIDC_RESPONSE_TYPE_KEY), &cache_key);
@@ -1897,6 +1897,9 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
 {
 struct RequestHandle *handle = cls;
 struct GNUNET_HashCode cache_key;
+ struct EgoEntry *tmp_ego;
+ struct GNUNET_CRYPTO_EcdsaPublicKey pkey;
+ const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv_key;
 cookie_identity_interpretation(handle);
@@ -1922,9 +1925,8 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
 GNUNET_SCHEDULER_add_now (&do_error, handle);
 return;
 }
- handle->oidc->client_id = GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
- &cache_key);
- handle->oidc->client_id = GNUNET_strdup (handle->oidc->client_id);
+ handle->oidc->client_id = GNUNET_strdup (GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map,
+ &cache_key));
 if ( GNUNET_OK != GNUNET_CRYPTO_ecdsa_public_key_from_string (handle->oidc->client_id,
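Review bot: The strncmp against `https://<client_id>.zkey` removed in the @@ -1766 hunk was the only check binding `redirect_uri` to `client_id`, and nothing replaces it: the new line stores the url_param value as-is, and get_client_name_result later uses it as the base of the 302 redirect that carries the authorization code. Any redirect_uri a request supplies is therefore accepted, which is exactly what the removed comment was guarding against; the ego-matching loop added in authorize_endpoint sets is_client_trusted and tld but places no constraint on the URI. The same check is removed from token_endpoint in the @@ -2217 hunk. Until the intended replacement exists, keep a validation step here that compares the redirect_uri host against the value expected for this client (or a registered one) and routes to `do_error` with the previous `invalid_request` / `Invalid redirect_uri` messages. namestore_iteration_finished starts and ends outside the hunk.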
@@ -1952,6 +1954,22 @@ authorize_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
 handle->ego_entry = handle->ego_head;
 handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key (handle->ego_head->ego);
 handle->oidc->is_client_trusted = GNUNET_NO;
+
+ //First check if client_id is one of our egos; TODO: handle other TLD cases: Delegation, from config
+ for (tmp_ego = handle->ego_head; NULL != tmp_ego; tmp_ego = tmp_ego->next)
+ {
+ priv_key = GNUNET_IDENTITY_ego_get_private_key (tmp_ego->ego);
+ GNUNET_CRYPTO_ecdsa_key_get_public (priv_key,
+ &pkey);
+ if ( 0 == memcmp (&pkey, &handle->oidc->client_pkey,
+ sizeof(struct GNUNET_CRYPTO_EcdsaPublicKey)) )
+ {
+ handle->tld = GNUNET_strdup (tmp_ego->identifier);
+ handle->oidc->is_client_trusted = GNUNET_YES;
+ handle->ego_entry = handle->ego_tail;
+ }
+ }
+
 // Checks if client_id is valid:
 handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (
@@ -2217,20 +2235,6 @@ token_endpoint (struct GNUNET_REST_RequestHandle *con_handle,
 GNUNET_SCHEDULER_add_now (&do_error, handle);
 return;
 }
- // check redirect_uri
- GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey", client_id);
- // verify the redirect uri matches https://<client_id>.zkey[/xyz]
- if( 0 != strncmp( expected_redirect_uri, redirect_uri, strlen(expected_redirect_uri)) )
- {
- GNUNET_free_non_null(user_psw);
- handle->emsg=GNUNET_strdup("invalid_request");
- handle->edesc=GNUNET_strdup("Invalid redirect_uri");
- handle->response_code = MHD_HTTP_BAD_REQUEST;
- GNUNET_SCHEDULER_add_now (&do_error, handle);
- GNUNET_free(expected_redirect_uri);
- return;
- }
- GNUNET_free(expected_redirect_uri);
 GNUNET_CRYPTO_hash (code, strlen (code), &cache_key);
 int i = 1;
 if ( GNUNET_SYSERR |
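Review bot: The ego-matching loop in the @@ -1952 hunk keeps iterating after a match, so `handle->tld = GNUNET_strdup (tmp_ego->identifier)` can be assigned again (leaking the earlier copy) should more than one ego compare equal, and `handle->ego_entry = handle->ego_tail` is set with no comment on why the entry jumps to the tail — presumably to end the subsequent ego iteration, which is worth stating. Add `break;` after `handle->ego_entry = handle->ego_tail;` and a one-line comment such as `/* client is one of our egos: trust it and skip the remaining ego iteration */`, confirming that intent. The TODO on the comment line leaves non-ego clients unhandled, so `handle->tld` stays NULL for them and every later consumer of it must tolerate that. authorize_endpoint starts and ends outside the hunk.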