From 2ca7f3a4a03db3e7d7fa15504fa3d69e1c6bd217 Mon Sep 17 00:00:00 2001 From: José Bollo Date: Tue, 31 Oct 2017 10:50:24 +0100 Subject: Split in two: agl-identity-service and uds-ble-id-init-service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The binding is splitted in two parts and packeged as widgets. The two parts are: - uds-ble-id-init-service This service provides a UDS (User Data Service) over BLE. It detects writes to the email of the user to initiate the authentication process. - agl-identity-service This service queries the Forgerock's Edge Controller to fill user data and make it available. The actual code is not fully functionnal. Signed-off-by: José Bollo --- agl-identity-service/src/oidc-agent.c | 812 ++++++++++++++++++++++++++++++++++ 1 file changed, 812 insertions(+) create mode 100644 agl-identity-service/src/oidc-agent.c (limited to 'agl-identity-service/src/oidc-agent.c') diff --git a/agl-identity-service/src/oidc-agent.c b/agl-identity-service/src/oidc-agent.c new file mode 100644 index 0000000..1f09e7a --- /dev/null +++ b/agl-identity-service/src/oidc-agent.c @@ -0,0 +1,812 @@ +/* + * Copyright (C) 2017 "IoT.bzh" + * Author: José Bollo + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#define _GNU_SOURCE + +#include +#include +#include +#include +#include + +#include + +#include "oidc-agent.h" +#include "escape.h" +#include "curl-wrap.h" + +/***************** utilities *************************/ + +static const char string_empty[] = ""; +static const char string_authorization_endpoint[] = "authorization_endpoint"; +static const char string_token_endpoint[] = "token_endpoint"; +#if 0 +static const char string_issuer[] = "issuer"; +static const char string_userinfo_endpoint[] = "userinfo_endpoint"; +static const char string_revocation_endpoint[] = "revocation_endpoint"; +static const char string_jwks_uri[] = "jwks_uri"; +#endif + +#define MAX_IDP_COUNT 20 +#define MAX_APPLI_COUNT 100 + +static struct json_object *idps; +static struct json_object *applis; + +static pthread_rwlock_t rwlock = PTHREAD_RWLOCK_INITIALIZER; + +/***************** utilities *************************/ + +/* + * Get the object of 'name' in the 'container' and return it. + * Creates the result if needed and add it to the container. + * When 'maxcount' isn't zero the final count will not exceed 'maxcount'. + */ +static struct json_object *j_container_item(struct json_object *container, const char *name, int maxcount) +{ + struct json_object *result; + + /* ensure object of 'name' exists */ + if (!json_object_object_get_ex(container, name, &result)) { + if (maxcount && json_object_object_length(container) >= maxcount) + return NULL; + result = json_object_new_object(); + if (!result) + return NULL; + json_object_object_add (container, name, result); + } + return result; +} + +/* + * Like 'j_container_item' but also creates the 'container' if needed. + */ +static struct json_object *j_container_item_make(struct json_object **container, const char *name, int maxcount) +{ + struct json_object *cont; + + /* ensure container exists */ + cont = *container; + if (!cont) { + cont = json_object_new_object(); + if (!cont) + return NULL; + *container = cont; + } + return j_container_item(cont, name, maxcount); +} + +/* + * Adds in 'dest' the fields of 'src' + * Also when the value of a field of 'src' is null, delete the field of 'dst' + */ +static void j_merge(struct json_object *dest, struct json_object *src) +{ + struct json_object_iter i; + json_object_object_foreachC(src, i) { + if (json_object_is_type(i.val, json_type_null)) + json_object_object_del(dest, i.key); + else + json_object_object_add(dest, i.key, json_object_get(i.val)); + } +} + +/***************** IDP **************************/ + +/* + * Set the values of 'desc' for the idp of 'name'. + * Return 0 on error or 1 on success. + */ +int oidc_idp_set(const char *name, struct json_object *desc) +{ + struct json_object *idp; + int result = 0; + + pthread_rwlock_wrlock(&rwlock); + idp = j_container_item_make(&idps, name, MAX_IDP_COUNT); + if (idp) { + j_merge(idp, desc); + result = 1; + } + pthread_rwlock_unlock(&rwlock); + return result; +} + +/* + * Return 1 if idp of 'name' exists or 0 otherwise. + */ +int oidc_idp_exists(const char *name) +{ + int result; + + pthread_rwlock_rdlock(&rwlock); + result = json_object_object_get_ex(idps, name, NULL); + pthread_rwlock_unlock(&rwlock); + + return result; +} + +/* + * Deletes the idp of 'name'. + */ +void oidc_idp_delete(const char *name) +{ + pthread_rwlock_wrlock(&rwlock); + json_object_object_del(idps, name); + pthread_rwlock_unlock(&rwlock); +} + +/***************** APPLI **************************/ + +/* + * Returns the name of the idp of the 'appli'. + * Returns NULL when appli isn't set or default idp isn't set. + */ +static const char *get_default_idp(const char *appli) +{ + struct json_object *a, *i; + + if (!json_object_object_get_ex(applis, appli, &a)) + return NULL; + if (!json_object_object_get_ex(a, string_empty, &i)) + return NULL; + return json_object_get_string(i); +} + +/* + * Returns the application data related to the 'appli' for the 'idp'. + * If 'ja' isn't null, returns in it the object for the application 'appli'. + * Returns NULL in case of error. + */ +static struct json_object *get_appli_idp(const char *appli, const char *idp, struct json_object **ja) +{ + struct json_object *a, *i; + + if (!json_object_object_get_ex(applis, appli, &a) || !json_object_object_get_ex(a, idp, &i)) + return NULL; + if (ja) + *ja = a; + return i; +} + +/* + * Set the description 'desc' for the application of 'name' and + * the 'idp'. When 'make_default' is set it, make it the default idp + * for the application. + * Return 0 on error or 1 on success. + */ +int oidc_appli_set(const char *name, const char *idp, struct json_object *desc, int make_default) +{ + struct json_object *a, *ai; + int result = 0; + + pthread_rwlock_wrlock(&rwlock); + a = j_container_item_make(&applis, name, MAX_APPLI_COUNT); + if (a) { + ai = j_container_item(a, idp, 0); + if (ai) { + j_merge(ai, desc); + if (make_default || !json_object_object_get_ex(a, string_empty, NULL)) + json_object_object_add(a, string_empty, json_object_new_string(idp)); + result = 1; + } + } + pthread_rwlock_unlock(&rwlock); + return result; +} + +/* + * Is the appli of 'name' defined? + * Return 1 if answer is yes or 0 for no. + */ +int oidc_appli_exists(const char *name) +{ + int result; + + pthread_rwlock_rdlock(&rwlock); + result = json_object_object_get_ex(applis, name, NULL); + pthread_rwlock_unlock(&rwlock); + + return result; +} + +/* + * Does the appli of 'name' has the 'idp' defined? + * Return 1 if answer is yes or 0 for no. + */ +int oidc_appli_has_idp(const char *name, const char *idp) +{ + int result; + + pthread_rwlock_rdlock(&rwlock); + result = !!get_appli_idp(name, idp, NULL); + pthread_rwlock_unlock(&rwlock); + + return result; +} + +/* + * Set 'idp' as default for the application of 'name'. + * Returns 0 on error (appli or idp for appli not existing) + * or 1 in case of success. + */ +int oidc_appli_set_default_idp(const char *name, const char *idp) +{ + struct json_object *a, *i; + + pthread_rwlock_wrlock(&rwlock); + i = get_appli_idp(name, idp, &a); + if (i) + json_object_object_add(a, string_empty, json_object_new_string(idp)); + pthread_rwlock_unlock(&rwlock); + + return !!i; +} + +/* + * Deletes the application of 'name' + */ +void oidc_appli_delete(const char *name) +{ + pthread_rwlock_wrlock(&rwlock); + json_object_object_del(applis, name); + pthread_rwlock_unlock(&rwlock); +} + +/***************** AUTHORISATION **************************/ + +/* parameters */ +enum param +{ + Param_Access_Token, + Param_Acr_Values, + Param_Authorization, + Param_Client_Id, + Param_Client_Secret, + Param_Code, + Param_Display, + Param_Error, + Param_Error_Description, + Param_Error_Uri, + Param_Expires_In, + Param_Grant_Type, + Param_Id_Token, + Param_Id_Token_Hint, + Param_Login_Hint, + Param_Max_Age, + Param_Nonce, + Param_Password, + Param_Prompt, + Param_Redirect_Uri, + Param_Refresh_Token, + Param_Response_Type, + Param_Scope, + Param_State, + Param_Token_Type, + Param_Ui_Locales, + Param_Username, + PARAM_COUNT +}; + +#if PARAM_COUNT > 30 +# error "Too much parameters" +#endif +#define PARAM(p) ((uint32_t)((uint32_t)1 << (Param_##p))) + +/* args of authorization requests */ +struct args +{ + struct json_object *appli; + struct json_object *idp; + struct json_object *args; + struct oidc_grant_cb cb; + int locked; + int refresh; + uint32_t mandatory; + uint32_t all; + struct json_object *header; + struct json_object *query; +}; + +/* Release the lock if needed */ +static void args_unlock(struct args *args) +{ + if (!args->locked) { + pthread_rwlock_unlock(&rwlock); + args->locked = 0; + } +} + +/* Release the memory needed by args */ +static void args_destroy(struct args *args) +{ + json_object_put(args->appli); + json_object_put(args->idp); + json_object_put(args->header); + json_object_put(args->query); + free(args); +} + +/* Send the success event with the gained tokens */ +static void args_send_success(struct args *args, struct json_object *result) +{ + args_unlock(args); + args->cb.success(args->cb.closure, result); + args_destroy(args); +} + +/* Sends the error event with the indice to the client of args */ +static void args_send_error(struct args *args, const char *message, const char *indice) +{ + args_unlock(args); + args->cb.error(args->cb.closure, message, indice); + args_destroy(args); +} + +/* Send the error and also return NULL */ +static inline struct args *args_send_error_null(struct args *args, const char *message, const char *indice) +{ + args_send_error(args, message, indice); + return NULL; +} + +/* creates a struct args from the arguments, returns NULL on error */ +struct args *mkargs(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb) +{ + struct args *result; + struct json_object *obj; + + /* allocates the args */ + result = calloc(1, sizeof *result); + if (!result) { + cb->error(cb->closure, "Out of memory", NULL); + return NULL; + } + + /* init of the structure */ + result->cb = *cb; + result->args = args; + result->header = json_object_new_object(); + result->query = json_object_new_object(); + + /* lock in read */ + pthread_rwlock_rdlock(&rwlock); + result->locked = 1; + + /* check previous allocations */ + if (!result->query || !result->header) { + return args_send_error_null(result, "Out of memory", NULL); + } + + /* check whether default idp */ + if (!idp) { + idp = get_default_idp(appli); + if (!idp) + return args_send_error_null(result, "No default IDP", NULL); + } + + /* get the IDP */ + if (!json_object_object_get_ex(idps, idp, &obj)) + return args_send_error_null(result, "Unknown IDP", idp); + result->idp = json_object_get(obj); + + /* get the appli */ + obj = get_appli_idp(appli, idp, NULL); + if (!obj) + return args_send_error_null(result, "Unknown APPLI for IDP", appli); + result->appli = json_object_get(obj); + + return result; +} + +/* get a value for a struct args */ +static struct json_object *args_object(struct args *args, const char *name) +{ + struct json_object *result; + + if (!json_object_object_get_ex(args->appli, name, &result) + && !json_object_object_get_ex(args->idp, name, &result) + && !json_object_object_get_ex(args->args, name, &result)) + result = NULL; + return result; +} + +/* get a string value for a struct args */ +static const char *args_string(struct args *args, const char *name) +{ + struct json_object *object = args_object(args, name); + return object ? json_object_get_string(object) : NULL; +} + +/* add a data */ +static int args_add(struct args *args, uint32_t val, const char *name, int query) +{ + struct json_object *obj, *dest; + + if (val & args->all) { + obj = args_object(args, name); + if (obj) { + dest = query ? args->query : args->header; + json_object_object_add(dest, name, json_object_get(obj)); + } + else if (val & args->mandatory) { + args_send_error(args, "Mandatory field missing", name); + return 0; + } + } + + return 1; +} + +/* + * Makes the CURL object for the given 'url' for either GET or POST depending + * on 'post' with the added 'header' fields and the given query parameters. + * Returns NULL on error. + * Ex: + * + * curl_json("http://iot.bzh/api", 0, {"X-Index": "no"}, {"fast":true,"item":"2345-hellfest"}) + * + * produces the query: + * + * GET /api?fast=true&item=2345-hellfest HTTP/1.1 + * Host: iot.bzh + * X-Index: no + * + * while the same but with post not null produces: + * + * POST /api HTTP/1.1 + * Host: iot.bzh + * X-Index: no + * Content-Type: application/x-www-form-urlencoded + * + * fast=true&item=2345-hellfest + * + */ +static CURL *curl_json(const char *url, int post, struct json_object *header, struct json_object *query) +{ + const char **args, *str; + struct json_object_iter i; + int idx; + CURL *result; + + /* create args array */ + idx = 1 + (json_object_object_length(query) << 1); + args = malloc((unsigned)idx * sizeof *args); + if (!args) + return NULL; + + /* fill the args array */ + args[--idx] = NULL; + json_object_object_foreachC(query, i) { + str = json_object_get_string(i.val); + args[--idx] = str; + args[--idx] = i.key; + } + + /* prepare the query */ + if (post) + result = curl_wrap_prepare_post(url, NULL, args); + else + result = curl_wrap_prepare_get(url, NULL, args); + free(args); + if(!result) + return NULL; + + /* add headers */ + if (header) { + json_object_object_foreachC(header, i) { + str = json_object_get_string(i.val); + if (!curl_wrap_add_header_value(result, i.key, str)) { + curl_easy_cleanup(result); + return NULL; + } + } + } + return result; +} + +/* + * Extract from the answer of 'curl' whose 'content' has 'size' bytes the + * embeded JSON object (if any). + * Returns it or returns NULL if the answer can't be interpreted. + */ +static struct json_object *decode_perform_result(CURL *curl, const char *content, size_t size) +{ + int i; + const char **args; + struct json_object *result; + + /* is it an url encoded answer? */ + if (curl_wrap_content_type_is(curl, "application/x-www-form-urlencoded")) { + /* yes, unescape as an array of strings */ + args = unescape_args(content); + if (!args) + result = NULL; + else { + /* wrap the key=value pairs in an object */ + result = json_object_new_object(); + if (result) { + for (i = 0 ; args[i] ; i += 2) + json_object_object_add(result, args[i], + json_object_new_string(args[i+1])); + } + free(args); + } + } else if (curl_wrap_content_type_is(curl, "application/json")) { + /* interpret the json */ + result = json_tokener_parse (content); + } else { + /* by default, still try to interpret the answer as if json */ + result = json_tokener_parse (content); + } + return result; +} + +/* + * Treats the result of the query 'curl' of 'content' of 'size' bytes for the 'args' + */ +static void perform_result(struct args *args, CURL *curl, const char *content, size_t size) +{ + struct json_object *obj, *at, *tt; + char *txt; + + /* get answer */ + obj = decode_perform_result(curl, content, size); + if (!obj) + return args_send_error(args, "unable to extract answer", content); + + /* process the answer */ + if (json_object_object_get_ex(obj, "access_token", &at) && json_object_object_get_ex(obj, "token_type", &tt)) { + if (!strcmp(json_object_get_string(tt), "bearer")) { + if (asprintf(&txt, "Bearer %s", json_object_get_string(at)) > 0) { + json_object_object_add(obj, "authorization", json_object_new_string(txt)); + free(txt); + } + } + } + + /* merge the answer to the token args in case of refresh */ + if (args->refresh) + j_merge(args->args, obj); + + /* send the answer */ + args_send_success(args, obj); +} + +/* + * Treats the redirect answer of the query 'curl' of 'content' of 'size' bytes for the 'args' + */ +static void perform_redirect(struct args *args, CURL *curl, const char *content, size_t size) +{ + /* TODO: handle redirection for the normal flow */ + return args_send_error(args, "unhandled redirection", content); +} + +/* + * Handle the result of the query 'curl' of 'status'. If a data is returned, it is available in + * 'content' of 'size' bytes. + * When 'status' is 0, an error occured. Otherwise, 'statu' isn't zero. + */ +static void perform_callback(void *closure, int status, CURL *curl, const char *content, size_t size) +{ + long code; + struct args *args = closure; + + /* query error ? */ + if (!status + || curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &code) != CURLE_OK) + return args_send_error(args, "query error", NULL); /* TODO: IMPROVE? */ + + /* get the returned code */ + switch (code) { + case 200: + return perform_result(args, curl, content, size); + case 302: + return perform_redirect(args, curl, content, size); + case 400: + case 401: + return args_send_error(args, content ? : "returned code error", content ? "returned code error" : content); + default: + return args_send_error(args, content ? : "unexpected code error", content ? "unexpected code error" : content); + } +} + +/* + * Main function for performing OAuth2/OpenId Connect transactions. + * The structure 'args' is filled with the needed values: + * Application data as json object, IDP data as json object + * Contextual arguments for the transaction. + * 'endpoint' must be the name of an endpoint in the context of 'args'. + * 'operation' is the value that will get either response_type or grant_type, + * depending on the nature of the required parameters 'mandatory'. + * 'mandatory' designates the mandatory parameters. + * 'optional' designate the optional parameters. + */ +static void perform(struct args *args, const char *endpoint, const char *operation, uint32_t mandatory, uint32_t optional) +{ + int post; + const char *url, *type; + CURL *curl; + + /* set the flags */ + args->mandatory = mandatory; + args->all = mandatory | optional; + + /* get the endpoint */ + url = args_string(args, endpoint); + if (!url) + return args_send_error(args, "No endpoint", endpoint); + + /* get the operation type */ + if ((mandatory & PARAM(Response_Type)) == PARAM(Response_Type)) { + type = "response_type"; + post = 0; /* can be 1 sometimes so not risk here */ + } else if ((mandatory & PARAM(Grant_Type)) == PARAM(Grant_Type)) { + type = "grant_type"; + post = 1; /* must be 1 */ + } else + return args_send_error(args, "Unexpected operation Type", NULL); + + json_object_object_add(args->query, type, json_object_new_string(operation)); + + /* get the arguments */ + if (1 + && args_add(args, PARAM(Access_Token), "access_token", 1) + && args_add(args, PARAM(Acr_Values), "acr_values", 1) + && args_add(args, PARAM(Authorization), "authorization", 0) + && args_add(args, PARAM(Client_Id), "client_id", 1) + && args_add(args, PARAM(Client_Secret), "client_secret", 1) + && args_add(args, PARAM(Code), "code", 1) + && args_add(args, PARAM(Display), "display", 1) + && args_add(args, PARAM(Expires_In), "expires_in", 1) + && args_add(args, PARAM(Id_Token_Hint), "id_token_hint", 1) + && args_add(args, PARAM(Login_Hint), "login_hint", 1) + && args_add(args, PARAM(Max_Age), "max_age", 1) + && args_add(args, PARAM(Nonce), "nonce", 1) + && args_add(args, PARAM(Password), "password", 1) + && args_add(args, PARAM(Prompt), "prompt", 1) + && args_add(args, PARAM(Redirect_Uri), "redirect_uri", 1) + && args_add(args, PARAM(Refresh_Token), "refresh_token", 1) + && args_add(args, PARAM(Scope), "scope", 1) + && args_add(args, PARAM(State), "state", 1) + && args_add(args, PARAM(Token_Type), "token_type", 1) + && args_add(args, PARAM(Ui_Locales), "ui_locales", 1) + && args_add(args, PARAM(Username), "username", 1) + ) { + /* creates the curl query */ + curl = curl_json(url, post, args->header, args->query); + if (!curl) + return args_send_error(args, "out of memory", NULL); + + /* release data */ + args_unlock(args); + + /* perform the request to the server */ + curl_wrap_do(curl, perform_callback, args); + } +} + +/* perform a grant of flow Flow_Resource_Owner_Password_Credentials_Grant */ +static void grant_owner_password(struct args *args) +{ + perform(args, string_token_endpoint, "password", + PARAM(Grant_Type) | PARAM(Username) | PARAM(Password), + PARAM(Scope) | PARAM(Authorization) + ); +} + +/* perform a grant of flow Flow_Client_Credentials_Grant */ +static void grant_client_credentials(struct args *args) +{ + perform(args, string_token_endpoint, "client_credentials", + PARAM(Grant_Type), + PARAM(Scope) | PARAM(Authorization) + ); +} + +/* switches the requests depending on 'flow' */ +static void grant(struct args *args, enum oidc_grant_flow flow) +{ + /* ensure args is valid */ + if (!args) + return; + + /* process for flow */ + switch(flow) { + + case Flow_Resource_Owner_Password_Credentials_Grant: + grant_owner_password(args); + break; + + case Flow_Client_Credentials_Grant: + grant_client_credentials(args); + break; + + case Flow_Authorization_Code_Grant: + case Flow_Implicit_Grant: + case Flow_Extension_Grant: + args_send_error(args, "Unsupported flow", NULL); + break; + + case Flow_Invalid: + default: + args_send_error(args, "Invalid flow", NULL); + break; + } +} + +/* + * Initiates a grant with the given 'flow'. + * 'appli' and 'idp' designates the appli and the idp that have been recorded. + * when idp == NULL or idp == "", the default idp of 'appli' is used. + * 'args' contains parameters expected in plus for the grant transaction. + * 'cb' describes the callback actions that are called before + * the function returns. + */ +void oidc_grant(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb, enum oidc_grant_flow flow) +{ + grant(mkargs(appli, idp, args, cb), flow); +} + +/* + * Like oidc_grant for flow Flow_Resource_Owner_Password_Credentials_Grant + */ +void oidc_grant_owner_password(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb) +{ + grant(mkargs(appli, idp, args, cb), Flow_Resource_Owner_Password_Credentials_Grant); +} + +/* + * Like oidc_grant for flow Flow_Client_Credentials_Grant + */ +void oidc_grant_client_credentials(const char *appli, const char *idp, struct json_object *args, const struct oidc_grant_cb *cb) +{ + grant(mkargs(appli, idp, args, cb), Flow_Client_Credentials_Grant); +} + +/* + * Refreshes the 'token' for the 'appli' and the 'idp'. + * 'cb' describes the callback actions that are called before + * the function returns. + */ +void oidc_token_refresh(const char *appli, const char *idp, struct json_object *token, const struct oidc_grant_cb *cb) +{ + struct args *args; + + args = mkargs(appli, idp, token, cb); + if (!args) + return; + args->refresh = 1; + perform(args, string_token_endpoint, "refresh_token", + PARAM(Grant_Type) | PARAM(Refresh_Token), + PARAM(Scope) | PARAM(Authorization) + ); +} + +/* + * Adds the header "authorisation" with the bearer access_token of 'token'. + * Return 1 on case of success or 0 otherwise. + */ +int oidc_add_bearer(CURL *curl, struct json_object *token) +{ + struct json_object *bearer; + + return json_object_object_get_ex(token, "authorization", &bearer) + && curl_wrap_add_header_value(curl, "authorization", json_object_get_string(bearer)); +} + + -- cgit 1.2.3-korg