
[gnunet] branch master updated: reclaim: do not store access token inste


From: gnunet
Subject: [gnunet] branch master updated: reclaim: do not store access token instead piggyback ticket
Date: Tue, 04 Aug 2020 10:15:56 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository gnunet.

The following commit(s) were added to refs/heads/master by this push:
     new 080519e98 reclaim: do not store access token instead piggyback ticket
080519e98 is described below

commit 080519e980d8f8a3b138c733f837417bdb1b6757
Author: Martin Schanzenbach <mschanzenbach@posteo.de>
AuthorDate: Tue Aug 4 10:09:45 2020 +0200

    reclaim: do not store access token instead piggyback ticket
---
 src/reclaim/oidc_helper.c                | 25 +++++++++++----
 src/reclaim/oidc_helper.h                |  9 ++++--
 src/reclaim/plugin_rest_openid_connect.c | 52 +++-----------------------------
 3 files changed, 31 insertions(+), 55 deletions(-)

diff --git a/src/reclaim/oidc_helper.c b/src/reclaim/oidc_helper.c
index ad2839200..b48738cc4 100644
--- a/src/reclaim/oidc_helper.c
+++ b/src/reclaim/oidc_helper.c
@@ -757,15 +757,28 @@ OIDC_build_token_response (const char *access_token,
  * Generate a new access token
  */
 char *
-OIDC_access_token_new ()
+OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket)
 {
   char *access_token;
-  uint64_t random_number;
 
-  random_number =
-    GNUNET_CRYPTO_random_u64 (GNUNET_CRYPTO_QUALITY_NONCE, UINT64_MAX);
-  GNUNET_STRINGS_base64_encode (&random_number,
-                                sizeof(uint64_t),
+  GNUNET_STRINGS_base64_encode (ticket,
+                                sizeof(*ticket),
                                 &access_token);
   return access_token;
 }
+
+
+/**
+ * Parse an access token
+ */
+int
+OIDC_access_token_parse (const char*token,
+                         struct GNUNET_RECLAIM_Ticket **ticket)
+{
+  if (sizeof (struct GNUNET_RECLAIM_Ticket) !=
+      GNUNET_STRINGS_base64_decode (token,
+                                    strlen (token),
+                                    (void**) ticket))
+    return GNUNET_SYSERR;
+  return GNUNET_OK;
+}
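Review bot: OIDC_access_token_parse returns GNUNET_SYSERR on a length mismatch without releasing the buffer that GNUNET_STRINGS_base64_decode appears to allocate into `*ticket`, so a malformed or wrong-sized token leaks an allocation per call and leaves the out-parameter pointing at a wrong-sized object; free it and reset `*ticket` to NULL before returning. Note also that the token is now a bare base64 encoding of the ticket with no integrity protection, so a successful parse only proves the blob has the right size — the caller must still rely on the reclaim service's own validation of the ticket, and the ticket's fields are now readable by whoever holds the token; a short comment on the function stating both facts would help the next reader. `strlen (token)` assumes a non-NULL token; presumably the caller guarantees that, but a `NULL == token` guard is cheap.
```c
int
OIDC_access_token_parse (const char*token,
                         struct GNUNET_RECLAIM_Ticket **ticket)
{
  /* The token is an unauthenticated base64 encoding of the ticket: a
   * size match here is a format check only, not proof of validity. */
  if (sizeof (struct GNUNET_RECLAIM_Ticket) !=
      GNUNET_STRINGS_base64_decode (token,
                                    strlen (token),
                                    (void**) ticket))
  {
    if (NULL != *ticket)
      GNUNET_free (*ticket);
    *ticket = NULL;
    return GNUNET_SYSERR;
  }
  return GNUNET_OK;
}
```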
diff --git a/src/reclaim/oidc_helper.h b/src/reclaim/oidc_helper.h
index 2c533357e..e84087fc3 100644
--- a/src/reclaim/oidc_helper.h
+++ b/src/reclaim/oidc_helper.h
@@ -117,7 +117,12 @@ OIDC_build_token_response (const char *access_token,
  * Generate a new access token
  */
 char*
-OIDC_access_token_new ();
-
+OIDC_access_token_new (const struct GNUNET_RECLAIM_Ticket *ticket);
 
+/**
+ * Parse an access token
+ */
+int
+OIDC_access_token_parse (const char* token,
+                         struct GNUNET_RECLAIM_Ticket **ticket);
 #endif
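Review bot: The new declarations document neither the return values nor the ownership of what they hand back, which matters now that OIDC_access_token_parse allocates. Suggested for OIDC_access_token_new: `Generate a new access token: the base64 encoding of @a ticket (unsigned, not encrypted). @return the token string, to be freed by the caller`. Suggested for OIDC_access_token_parse: `Decode an access token into a freshly allocated ticket. @param ticket set to the decoded ticket on success, caller frees; @return GNUNET_OK on success, GNUNET_SYSERR if the token does not decode to exactly one ticket (the result is not authenticated).` The "caller frees" part is inferred from base64 decode allocating the output; confirm against its contract.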
diff --git a/src/reclaim/plugin_rest_openid_connect.c 
b/src/reclaim/plugin_rest_openid_connect.c
index 3db881244..eb602a08f 100644
--- a/src/reclaim/plugin_rest_openid_connect.c
+++ b/src/reclaim/plugin_rest_openid_connect.c
@@ -238,12 +238,6 @@ static char *OIDC_ignored_parameter_array[] = { "display",
  */
 struct GNUNET_CONTAINER_MultiHashMap *OIDC_cookie_jar_map;
 
-/**
- * Hash map that links the issued access token to the corresponding ticket and
- * ego
- */
-struct GNUNET_CONTAINER_MultiHashMap *OIDC_access_token_map;
-
 /**
  * The configuration handle
  */
@@ -1980,26 +1974,6 @@ find_ego (struct RequestHandle *handle,
 }
 
 
-static void
-persist_access_token (const struct RequestHandle *handle,
-                      const char *access_token,
-                      const struct GNUNET_RECLAIM_Ticket *ticket)
-{
-  struct GNUNET_HashCode hc;
-  struct GNUNET_RECLAIM_Ticket *ticketbuf;
-
-  GNUNET_CRYPTO_hash (access_token, strlen (access_token), &hc);
-  ticketbuf = GNUNET_new (struct GNUNET_RECLAIM_Ticket);
-  *ticketbuf = *ticket;
-  GNUNET_assert (GNUNET_SYSERR !=
-                 GNUNET_CONTAINER_multihashmap_put (
-                   OIDC_access_token_map,
-                   &hc,
-                   ticketbuf,
-                   GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY));
-}
-
-
 /**
  * Responds to token url-encoded POST request
  *
@@ -2148,13 +2122,12 @@ token_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
                                 &expiration_time,
                                 (NULL != nonce) ? nonce : NULL,
                                 jwt_secret);
-  access_token = OIDC_access_token_new ();
+  access_token = OIDC_access_token_new (&ticket);
   OIDC_build_token_response (access_token,
                              id_token,
                              &expiration_time,
                              &json_response);
 
-  persist_access_token (handle, access_token, &ticket);
   resp = GNUNET_REST_create_response (json_response);
   MHD_add_response_header (resp, "Cache-Control", "no-store");
   MHD_add_response_header (resp, "Pragma", "no-cache");
@@ -2324,22 +2297,17 @@ userinfo_endpoint (struct GNUNET_REST_RequestHandle 
*con_handle,
     return;
   }
 
-  GNUNET_CRYPTO_hash (authorization_access_token,
-                      strlen (authorization_access_token),
-                      &cache_key);
-  if (GNUNET_NO ==
-      GNUNET_CONTAINER_multihashmap_contains (OIDC_access_token_map,
-                                              &cache_key))
+  if (GNUNET_OK != OIDC_access_token_parse (authorization_access_token,
+                                            &ticket))
   {
     handle->emsg = GNUNET_strdup (OIDC_ERROR_KEY_INVALID_TOKEN);
-    handle->edesc = GNUNET_strdup ("The access token expired");
+    handle->edesc = GNUNET_strdup ("The access token is invalid");
     handle->response_code = MHD_HTTP_UNAUTHORIZED;
     GNUNET_SCHEDULER_add_now (&do_userinfo_error, handle);
     GNUNET_free (authorization);
     return;
+
   }
-  ticket =
-    GNUNET_CONTAINER_multihashmap_get (OIDC_access_token_map, &cache_key);
   GNUNET_assert (NULL != ticket);
   aud_ego = find_ego (handle, &ticket->audience);
   iss_ego = find_ego (handle, &ticket->identity);
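Review bot: The ticket handed to `find_ego` at the end of the hunk is now a per-request heap object produced by OIDC_access_token_parse rather than a pointer owned by the removed OIDC_access_token_map, so every path of userinfo_endpoint after this point (including its error exits) must now free `ticket`, or the endpoint leaks one ticket per request; the rest of the function is outside the hunk, so this needs checking there. The `GNUNET_assert (NULL != ticket);` left in place is redundant once the parse result is checked and could be dropped or turned into a comment, and the added blank line before the closing brace of the error block is stray. As a style point, a one-line comment such as `/* parse only validates the encoding; the reclaim service validates the ticket itself */` above the parse call would record why the endpoint can accept this without the old lookup.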
@@ -2523,9 +2491,6 @@ rest_identity_process_request (struct 
GNUNET_REST_RequestHandle *rest_handle,
   if (NULL == OIDC_cookie_jar_map)
     OIDC_cookie_jar_map = GNUNET_CONTAINER_multihashmap_create (10,
                                                                 GNUNET_NO);
-  if (NULL == OIDC_access_token_map)
-    OIDC_access_token_map =
-      GNUNET_CONTAINER_multihashmap_create (10, GNUNET_NO);
   handle->response_code = 0;
   handle->timeout = GNUNET_TIME_UNIT_FOREVER_REL;
   handle->proc_cls = proc_cls;
@@ -2606,13 +2571,6 @@ libgnunet_plugin_rest_openid_connect_done (void *cls)
   GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);
   GNUNET_CONTAINER_multihashmap_destroy (OIDC_cookie_jar_map);
 
-  hashmap_it =
-    GNUNET_CONTAINER_multihashmap_iterator_create (OIDC_access_token_map);
-  while (GNUNET_YES ==
-         GNUNET_CONTAINER_multihashmap_iterator_next (hashmap_it, NULL,
-                                                      value))
-    GNUNET_free (value);
-  GNUNET_CONTAINER_multihashmap_destroy (OIDC_access_token_map);
   GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);
   GNUNET_free (allow_methods);
   GNUNET_free (api);
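Review bot: `hashmap_it` is now destroyed twice in libgnunet_plugin_rest_openid_connect_done: the first `GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);` at the top of the hunk frees it, the removed lines were what re-created it for the access-token map, and the surviving `GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);` after the removed block now operates on the freed iterator (use-after-free / double free on plugin unload). Delete the second destroy call, i.e. remove the line `GNUNET_CONTAINER_multihashmap_iterator_destroy (hashmap_it);` that follows the deleted access-token-map teardown. If `value` is no longer used elsewhere in the function after this removal, its declaration above the hunk may now be unused as well.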



