[gnunet] branch master updated: reclaim: do not store access token instead piggyback ticket
From: |
gnunet |
Subject: |
[gnunet] branch master updated: reclaim: do not store access token instead piggyback ticket |
Date: |
Tue, 04 Aug 2020 10:15:56 +0200 |
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository gnunet.
The following commit(s) were added to refs/heads/master by this push:
new 080519e98 reclaim: do not store access token instead piggyback ticket
080519e98 is described below
commit 080519e980d8f8a3b138c733f837417bdb1b6757
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
AuthorDate: Tue Aug 4 10:09:45 2020 +0200
reclaim: do not store access token instead piggyback ticket
---
src/reclaim/oidc_helper.c | 25 +++++++++++----
src/reclaim/oidc_helper.h | 9 ++++--
src/reclaim/plugin_rest_openid_connect.c | 52 +++-----------------------------
3 files changed, 31 insertions(+), 55 deletions(-)
diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index ad2839200..b48738cc4 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -757,15 +757,28 @@ OIDC_build_token_response (const char *access_token,
* Generate a new access token
*/
char *
-OIDC_access_token_new ()
+OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket)
{
char *access_token;
- uint64_t random_number;
- random_number =
- GNUNET_CRYPTO_random_u64 (GNUNET_CRYPTO_QUALITY_NONCE, UINT64_MAX);
- GNUNET_STRINGS_base64_encode (&random_number,
- sizeof(uint64_t),
+ GNUNET_STRINGS_base64_encode (ticket,
+ sizeof(*ticket),
&access_token);
return access_token;
}
+
+
+/**
+ * Parse an access token
+ */
+int
+OIDC_access_token_parse (const char*token,
+ struct GNUNET_RECLAIM_Ticket **ticket)
+{
+ if (sizeof (struct GNUNET_RECLAIM_Ticket) !=
+ GNUNET_STRINGS_base64_decode (token,
+ strlen (token),
+ (void**) ticket))
+ return GNUNET_SYSERR;
+ return GNUNET_OK;
+}
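Review bot: OIDC_access_token_parse leaks the decoded buffer and leaves a dangerous pointer behind when the size check fails: GNUNET_STRINGS_base64_decode writes its output through `ticket` (apparently a heap allocation, since the userinfo caller passes `&ticket`) before the length is compared, so on mismatch the function returns GNUNET_SYSERR with `*ticket` still pointing at a wrong-sized block that nobody frees. Since the token is untrusted client input, a malformed token should leave `*ticket` as NULL rather than as a buffer the caller might later touch. Keep the decoded length in a local, initialise `*ticket` to NULL before decoding, and on mismatch free whatever was allocated and reset the out-pointer.
```c
int
OIDC_access_token_parse (const char*token,
                         struct GNUNET_RECLAIM_Ticket **ticket)
{
  size_t len;

  *ticket = NULL;
  len = GNUNET_STRINGS_base64_decode (token,
                                      strlen (token),
                                      (void**) ticket);
  if (sizeof (struct GNUNET_RECLAIM_Ticket) != len)
  {
    /* Untrusted input did not decode to exactly one ticket; never hand a
       wrong-sized buffer back to the caller. */
    if (NULL != *ticket)
      GNUNET_free (*ticket);
    *ticket = NULL;
    return GNUNET_SYSERR;
  }
  return GNUNET_OK;
}
```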
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h
index 2c533357e..e84087fc3 100644
--- a/src/reclaim/oidc_helper.h
+++ b/src/reclaim/oidc_helper.h
@@ -117,7 +117,12 @@ OIDC_build_token_response (const char *access_token,
* Generate a new access token
*/
char*
-OIDC_access_token_new ();
-
+OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket);
+/**
+ * Parse an access token
+ */
+int
+OIDC_access_token_parse (const char* token,
+ struct GNUNET_RECLAIM_Ticket **ticket);
#endif
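Review bot: The new declarations do not say who owns `*ticket` after OIDC_access_token_parse returns, what it holds on failure, or what the return values are, and the comment on OIDC_access_token_new still reads "Generate a new access token" although the function now returns a deterministic encoding of the ticket it is given (the same ticket yields the same token every time). Suggest documenting OIDC_access_token_new with `@param ticket the ticket to encode into the token` and `@return newly allocated base64 string; the caller must free it`, and OIDC_access_token_parse with `@param[out] ticket set to a newly allocated ticket on GNUNET_OK; the caller must free it` and `@return GNUNET_OK on success, GNUNET_SYSERR if the token does not decode to exactly one ticket`. Since the token is presented by clients, it is worth stating in the header that parsing does not authenticate the token in any way.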
diff --git a/src/reclaim/plugin_rest_openid_connect.c
b/src/reclaim/plugin_rest_openid_connect.c
index 3db881244..eb602a08f 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -238,12 +238,6 @@ static char *OIDC_ignored_parameter_array[] = { "display",
*/
struct GNUNET_CONTAINER_MultiHashMap *OIDC_cookie_jar_map;
-/**
- * Hash map that links the issued access token to the corresponding ticket and
- * ego
- */
-struct GNUNET_CONTAINER_MultiHashMap *OIDC_access_token_map;
-
/**
* The configuration handle
*/
@@ -1980,26 +1974,6 @@ find_ego (struct RequestHandle *handle,
}
-static void
-persist_access_token (const struct RequestHandle *handle,
- const char *access_token,
- const struct GNUNET_RECLAIM_Ticket *ticket)
-{
- struct GNUNET_HashCode hc;
- struct GNUNET_RECLAIM_Ticket *ticketbuf;
-
- GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc);
- ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket);
- *ticketbuf = *ticket;
- GNUNET_assert (GNUNET_SYSERR !=
- GNUNET_CONTAINER_multihashmap_put (
- OIDC_access_token_map,
- &hc,
- ticketbuf,
- GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
-}
-
-
/**
* Responds to token url-encoded POST request
*
@@ -2148,13 +2122,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
&expiration_time,
(NULL != nonce) ? nonce : NULL,
jwt_secret);
- access_token = OIDC_access_token_new ();
+ access_token = OIDC_access_token_new (&ticket);
OIDC_build_token_response (access_token,
id_token,
&expiration_time,
&json_response);
- persist_access_token (handle, access_token, &ticket);
resp = GNUNET_REST_create_response (json_response);
MHD_add_response_header (resp, "Cache-Control", "no-store");
MHD_add_response_header (resp, "Pragma", "no-cache");
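Review bot: The access_token issued at `access_token = OIDC_access_token_new (&ticket);` is now the plain base64 encoding of the ticket with no MAC or signature, and with persist_access_token removed nothing on the server records which tokens were issued, so the userinfo endpoint can no longer tell a token this server minted from one assembled by any party that holds or can construct a ticket struct, and an issued token can no longer be invalidated server-side (the old "token expired" path went away with the map). The `expiration_time` passed to OIDC_build_token_response is still reported to the client, but nothing in the encoded ticket carries or enforces it, so `expires_in` is now purely advisory. If the later reclaim consume step only succeeds for the audience ego's private key this may be acceptable, but that reliance should be stated in a comment here, and a MAC keyed with `jwt_secret` over the encoded ticket, or an expiry field inside the token, would restore a check the server can actually perform. token_endpoint begins and ends outside this hunk.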
@@ -2324,22 +2297,17 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle
*con_handle,
return;
}
- GNUNET_CRYPTO_hash (authorization_access_token,
- strlen (authorization_access_token),
- &cache_key);
- if (GNUNET_NO ==
- GNUNET_CONTAINER_multihashmap_contains (OIDC_access_token_map,
- &cache_key))
+ if (GNUNET_OK != OIDC_access_token_parse (authorization_access_token,
+ &ticket))
{
handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN);
- handle->edesc = GNUNET_strdup ("The access token expired");
+ handle->edesc = GNUNET_strdup ("The access token is invalid");
handle->response_code = MHD_HTTP_UNAUTHORIZED;
GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
GNUNET_free (authorization);
return;
+
}
- ticket =
- GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key);
GNUNET_assert (NULL != ticket);
aud_ego = find_ego (handle, &ticket->audience);
iss_ego = find_ego (handle, &ticket->identity);
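Review bot: `ticket` is now a heap buffer owned by userinfo_endpoint (OIDC_access_token_parse decodes into `&ticket`) rather than a pointer into the removed OIDC_access_token_map, but nothing in this hunk frees it, and the remainder of userinfo_endpoint lies outside the hunk; every exit after the parse, including the error paths taken if `find_ego` fails for `aud_ego` or `iss_ego`, now needs a `GNUNET_free (ticket)`. The `GNUNET_assert (NULL != ticket)` is redundant with the GNUNET_OK check immediately above it and would be better replaced by that free-on-error handling. The blank line added before the closing brace of the error branch looks accidental and should be dropped.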
@@ -2523,9 +2491,6 @@ rest_identity_process_request (struct
GNUNET_REST_RequestHandle *rest_handle,
if (NULL == OIDC_cookie_jar_map)
OIDC_cookie_jar_map = GNUNET_CONTAINER_multihashmap_create (10,
GNUNET_NO);
- if (NULL == OIDC_access_token_map)
- OIDC_access_token_map =
- GNUNET_CONTAINER_multihashmap_create (10, GNUNET_NO);
handle->response_code = 0;
handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL;
handle->proc_cls = proc_cls;
@@ -2606,13 +2571,6 @@ libgnunet_plugin_rest_openid_connect_done (void *cls)
GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);
GNUNET_CONTAINER_multihashmap_destroy (OIDC_cookie_jar_map);
- hashmap_it =
- GNUNET_CONTAINER_multihashmap_iterator_create (OIDC_access_token_map);
- while (GNUNET_YES ==
- GNUNET_CONTAINER_multihashmap_iterator_next (hashmap_it, NULL,
- value))
- GNUNET_free (value);
- GNUNET_CONTAINER_multihashmap_destroy (OIDC_access_token_map);
GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);
GNUNET_free (allow_methods);
GNUNET_free (api);
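Review bot: With the access-token iterator removed, the `GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);` that survives at the end of this hunk now runs on the cookie-jar iterator that was already destroyed two lines earlier, so plugin teardown frees `hashmap_it` twice. The removed lines were the only thing that reassigned `hashmap_it` between the two destroy calls; the second call should be deleted along with them. libgnunet_plugin_rest_openid_connect_done begins and ends outside this hunk.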
--