Skip to content

Commit

Permalink
Merge pull request #564 from indigo-dc/fix/scopes-from-op
Browse files Browse the repository at this point in the history
Fix/scopes from op
  • Loading branch information
zachmann authored Jan 18, 2024
2 parents ff54a3c + e9a7796 commit 98bf5bf
Show file tree
Hide file tree
Showing 12 changed files with 81 additions and 45 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,15 @@

## oidc-agent 5.0.2

### Changes

- When an account configuration is generated and the OP returns scopes in the initial token flow, the account
configuration is updated with those scopes.

### Features

- Added option to `oidc-add` to load an account config directly into the agent without the agent checking if it works.

### Bugfixes

- Fixed a problem with the tmp dir path that could occur on some windows systems that prevented oidc-agent to start.
Expand Down
1 change: 1 addition & 0 deletions src/defines/agent_values.h
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@
#define CONFIG_KEY_STATSCOLLECTSHARE "stats_collect_share"
#define CONFIG_KEY_STATSCOLLECTLOCATION "stats_collect_location"
#define CONFIG_KEY_LEGACYAUDMODE "legacy_aud_mode"
#define CONFIG_KEY_PLAINADD "skip-check"

#define ACCOUNTINFO_KEY_HASPUBCLIENT "pubclient"

Expand Down
6 changes: 4 additions & 2 deletions src/defines/ipc_values.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@
#define IPC_KEY_ONLYAT "only_at"
#define IPC_KEY_MYTOKEN_OIDC_ISS "oidc_issuer"
#define IPC_KEY_MYTOKEN_MY_ISS "mytoken_issuer"
#define IPC_KEY_PLAINADD "plain_add"

// STATUS
#define STATUS_SUCCESS "success"
Expand Down Expand Up @@ -137,11 +138,12 @@
#define REQUEST_ADD_LIFETIME \
"{\"" IPC_KEY_REQUEST "\":\"" REQUEST_VALUE_ADD "\",\"" IPC_KEY_CONFIG \
"\":%s,\"" IPC_KEY_LIFETIME "\":%lu,\"" IPC_KEY_PASSWORDENTRY \
"\":%s,\"" IPC_KEY_CONFIRM "\":%d,\"" IPC_KEY_ALWAYSALLOWID "\":%d}"
"\":%s,\"" IPC_KEY_CONFIRM "\":%d,\"" IPC_KEY_ALWAYSALLOWID \
"\":%d,\"" IPC_KEY_PLAINADD "\":%d}"
#define REQUEST_ADD \
"{\"" IPC_KEY_REQUEST "\":\"" REQUEST_VALUE_ADD "\",\"" IPC_KEY_CONFIG \
"\":%s,\"" IPC_KEY_PASSWORDENTRY "\":%s,\"" IPC_KEY_CONFIRM \
"\":%d,\"" IPC_KEY_ALWAYSALLOWID "\":%d}"
"\":%d,\"" IPC_KEY_ALWAYSALLOWID "\":%d,\"" IPC_KEY_PLAINADD "\":%d}"
#define REQUEST_REMOVE \
"{\"" IPC_KEY_REQUEST "\":\"" REQUEST_VALUE_REMOVE "\",\"" IPC_KEY_SHORTNAME \
"\":\"%s\"}"
Expand Down
14 changes: 7 additions & 7 deletions src/oidc-add/add_handler.c
Original file line number Diff line number Diff line change
Expand Up @@ -80,14 +80,14 @@ void add_handleAdd(char* account, struct arguments* arguments) {

char* res = NULL;
if (storePW) {
res = ipc_cryptCommunicate(arguments->remote, REQUEST_ADD_LIFETIME, json_p,
arguments->lifetime.lifetime, pw_str,
arguments->confirm,
arguments->always_allow_idtoken);
res = ipc_cryptCommunicate(
arguments->remote, REQUEST_ADD_LIFETIME, json_p,
arguments->lifetime.lifetime, pw_str, arguments->confirm,
arguments->always_allow_idtoken, arguments->plainadd);
} else {
res = ipc_cryptCommunicate(arguments->remote, REQUEST_ADD, json_p, pw_str,
arguments->confirm,
arguments->always_allow_idtoken);
res = ipc_cryptCommunicate(
arguments->remote, REQUEST_ADD, json_p, pw_str, arguments->confirm,
arguments->always_allow_idtoken, arguments->plainadd);
}
secFree(pw_str);
secFree(json_p);
Expand Down
8 changes: 8 additions & 0 deletions src/oidc-add/oidc-add_options.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
#include "oidc-add_options.h"

#include "defines/agent_values.h"
#include "defines/settings.h"
#include "utils/commonFeatures.h"
#include "utils/config/add_config.h"
Expand All @@ -13,6 +14,7 @@
#define OPT_PW_FILE 7
#define OPT_REMOTE 8
#define OPT_PW_ENV 9
#define OPT_PLAINADD 10

static struct argp_option options[] = {
{0, 0, 0, 0, "General:", 1},
Expand Down Expand Up @@ -53,6 +55,10 @@ static struct argp_option options[] = {
"Always allow id-token requests without manual approval by the user for "
"this account configuration.",
1},
{CONFIG_KEY_PLAINADD, OPT_PLAINADD, 0, 0,
"Indicates that the agent should load the account configuration without "
"checking it, i.e. no access token is obtained on load.",
1},
{"remote", OPT_REMOTE, 0, 0,
"Use a remote central oidc-agent, instead of a local one.", 1},
{"force", 'f', 0, 0,
Expand Down Expand Up @@ -107,6 +113,7 @@ static error_t parse_opt(int key, char* arg, struct argp_state* state) {
arguments->pw_lifetime.argProvided = 1;
break;
case OPT_ALWAYS_ALLOW_IDTOKEN: arguments->always_allow_idtoken = 1; break;
case OPT_PLAINADD: arguments->plainadd = 1; break;
case 't':
if (!isdigit(*arg)) {
return ARGP_ERR_UNKNOWN;
Expand Down Expand Up @@ -169,6 +176,7 @@ void initArguments(struct arguments* arguments) {
arguments->always_allow_idtoken = 0;
arguments->remote = 0;
arguments->force = 0;
arguments->plainadd = getAddConfig()->plain_add;
arguments->pw_prompt_mode = getAddConfig()->pw_prompt_mode;
set_pw_prompt_mode(arguments->pw_prompt_mode);
}
29 changes: 15 additions & 14 deletions src/oidc-add/oidc-add_options.h
Original file line number Diff line number Diff line change
Expand Up @@ -13,20 +13,21 @@ struct arguments {
char* pw_file;
char* pw_env;

unsigned char remove;
unsigned char removeAll;
unsigned char debug;
unsigned char verbose;
unsigned char listConfigured;
unsigned char listLoaded;
unsigned char print;
unsigned char lock;
unsigned char unlock;
unsigned char confirm;
unsigned char always_allow_idtoken;
unsigned char pw_prompt_mode;
unsigned char remote;
unsigned char force;
unsigned char remove : 1;
unsigned char removeAll : 1;
unsigned char debug : 1;
unsigned char verbose : 1;
unsigned char listConfigured : 1;
unsigned char listLoaded : 1;
unsigned char print : 1;
unsigned char lock : 1;
unsigned char unlock : 1;
unsigned char confirm : 1;
unsigned char always_allow_idtoken : 1;
unsigned char pw_prompt_mode : 2;
unsigned char remote : 1;
unsigned char force : 1;
unsigned char plainadd : 1;

struct lifetimeArg pw_lifetime;
struct lifetimeArg lifetime;
Expand Down
14 changes: 11 additions & 3 deletions src/oidc-agent/oidc/flows/oidc.c
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ char* parseTokenResponseCallbacks(
oidc_setInternalError("cannot return AT and ID token");
return NULL;
}
INIT_KEY_VALUE(OIDC_KEY_ACCESSTOKEN, OIDC_KEY_REFRESHTOKEN,
INIT_KEY_VALUE(OIDC_KEY_ACCESSTOKEN, OIDC_KEY_SCOPE, OIDC_KEY_REFRESHTOKEN,
MYTOKEN_KEY_MYTOKEN, OIDC_KEY_IDTOKEN, OIDC_KEY_EXPIRESIN,
OIDC_KEY_ERROR, OIDC_KEY_ERROR_DESCRIPTION);
if (CALL_GETJSONVALUES(res) < 0) {
Expand All @@ -90,8 +90,8 @@ char* parseTokenResponseCallbacks(
}
return NULL;
}
KEY_VALUE_VARS(access_token, refresh_token, mytoken, id_token, expires_in,
error, error_description);
KEY_VALUE_VARS(access_token, scope, refresh_token, mytoken, id_token,
expires_in, error, error_description);
if (_error || _error_description) {
errorHandling(_error, _error_description);
SEC_FREE_KEY_VALUES();
Expand All @@ -105,6 +105,14 @@ char* parseTokenResponseCallbacks(
}
secFree(_expires_in);
}
if (NULL != _scope && refreshFlow) {
// if we get a scope value back from the OP when the initial AT is obtained,
// we update the config, because it might be possible that the OP made
// changes to the scopes.
account_setScopeExact(a, _scope);
} else {
secFree(_scope);
}

char* refresh_token = account_getRefreshToken(a);
char* obtainedRTMT = _refresh_token ?: _mytoken;
Expand Down
12 changes: 7 additions & 5 deletions src/oidc-agent/oidcd/oidcd.c
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,8 @@ int oidcd_main(struct ipcPipe pipes, const struct arguments* arguments) {
IPC_KEY_NOSCHEME, IPC_KEY_CERTPATH, IPC_KEY_AUDIENCE,
IPC_KEY_ALWAYSALLOWID, IPC_KEY_FILENAME, IPC_KEY_DATA,
OIDC_KEY_REGISTRATION_CLIENT_URI, OIDC_KEY_REGISTRATION_ACCESS_TOKEN,
IPC_KEY_ONLYAT, AGENT_KEY_CONFIG_ENDPOINT, AGENT_KEY_MYTOKENPROFILE);
IPC_KEY_ONLYAT, AGENT_KEY_CONFIG_ENDPOINT, AGENT_KEY_MYTOKENPROFILE,
IPC_KEY_PLAINADD);
if (getJSONValuesFromString(q, pairs, sizeof(pairs) / sizeof(*pairs)) < 0) {
ipc_writeToPipe(pipes, RESPONSE_BADREQUEST, oidc_serror());
secFreeKeyValuePairs(pairs, sizeof(pairs) / sizeof(*pairs));
Expand All @@ -85,9 +86,9 @@ int oidcd_main(struct ipcPipe pipes, const struct arguments* arguments) {
lifetime, password, applicationHint, confirm, issuer,
noscheme, cert_path, audience, alwaysallowid, filename, data,
registration_client_uri, registration_access_token, only_at,
config_endpoint,
profile); // Gives variables for key_value values;
// e.g. _request=pairs[0].value
config_endpoint, profile,
plainadd); // Gives variables for key_value values;
// e.g. _request=pairs[0].value
if (_request == NULL) {
ipc_writeToPipe(pipes, RESPONSE_BADREQUEST, "No request type.");
secFreeKeyValuePairs(pairs, sizeof(pairs) / sizeof(*pairs));
Expand Down Expand Up @@ -121,7 +122,8 @@ int oidcd_main(struct ipcPipe pipes, const struct arguments* arguments) {
} else if (strequal(_request, REQUEST_VALUE_DEVICELOOKUP)) {
oidcd_handleDeviceLookup(pipes, _device, _only_at);
} else if (strequal(_request, REQUEST_VALUE_ADD)) {
oidcd_handleAdd(pipes, _config, _lifetime, _confirm, _alwaysallowid);
oidcd_handleAdd(pipes, _config, _lifetime, _confirm, _alwaysallowid,
_plainadd);
} else if (strequal(_request, REQUEST_VALUE_REMOVE)) {
oidcd_handleRm(pipes, _shortname);
} else if (strequal(_request, REQUEST_VALUE_REMOVEALL)) {
Expand Down
25 changes: 14 additions & 11 deletions src/oidc-agent/oidcd/oidcd_handler.c
Original file line number Diff line number Diff line change
Expand Up @@ -261,7 +261,8 @@ void oidcd_handleGen(struct ipcPipe pipes, const char* account_json,
* checks if an account is feasible (issuer config / AT retrievable) and adds it
* to the loaded list; does not check if account already loaded.
*/
oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account) {
oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account,
unsigned char plain_load) {
if (account == NULL) {
oidc_setArgNullFuncError(__func__);
return oidc_errno;
Expand All @@ -272,13 +273,15 @@ oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account) {
if (!strValid(account_getTokenEndpoint(account))) {
return oidc_errno;
}
if (getAccessTokenUsingRefreshFlow(account, FORCE_NEW_TOKEN, NULL, NULL,
pipes) == NULL) {
account_setDeath(account,
time(NULL) + 10); // with short timeout so no password
// required for re-authentication
db_addAccountEncrypted(account);
return oidc_errno;
if (!plain_load) {
if (getAccessTokenUsingRefreshFlow(account, FORCE_NEW_TOKEN, NULL, NULL,
pipes) == NULL) {
account_setDeath(account,
time(NULL) + 10); // with short timeout so no password
// required for re-authentication
db_addAccountEncrypted(account);
return oidc_errno;
}
}
db_addAccountEncrypted(account);
oidcd_handleUpdateIssuer(pipes, account_getIssuerUrl(account),
Expand All @@ -288,7 +291,7 @@ oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account) {

void oidcd_handleAdd(struct ipcPipe pipes, const char* account_json,
const char* timeout_str, const char* confirm_str,
const char* alwaysallowid) {
const char* alwaysallowid, const char* plain_load_str) {
agent_log(DEBUG, "Handle Add request");
struct oidc_account* account = getAccountFromJSON(account_json);
if (account == NULL) {
Expand Down Expand Up @@ -319,7 +322,7 @@ void oidcd_handleAdd(struct ipcPipe pipes, const char* account_json,
secFreeAccount(account);
return;
}
if (addAccount(pipes, account) != OIDC_SUCCESS) {
if (addAccount(pipes, account, strToBit(plain_load_str)) != OIDC_SUCCESS) {
char* help = getHelpWithAccountInfo(account);
if (help != NULL) {
ipc_writeToPipe(pipes, RESPONSE_ERROR_INFO, oidc_serror(), help);
Expand Down Expand Up @@ -423,7 +426,7 @@ oidc_error_t oidcd_autoload(struct ipcPipe pipes, const char* short_name,
account_setDeath(account, agent_state.defaultTimeout
? time(NULL) + agent_state.defaultTimeout
: 0);
return addAccount(pipes, account);
return addAccount(pipes, account, 0);
}

#define CONFIRMATION_MODE_AT 0
Expand Down
2 changes: 1 addition & 1 deletion src/oidc-agent/oidcd/oidcd_handler.h
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ void oidcd_handleReauthenticate(struct ipcPipe pipes, char* short_name,
const struct arguments* arguments);
void oidcd_handleAdd(struct ipcPipe, const char* account_json,
const char* timeout_str, const char* confirm_str,
const char* alwaysallowid);
const char* alwaysallowid, const char* plain_load_str);
void oidcd_handleDelete(struct ipcPipe, const char* account_json);
void oidcd_handleDeleteClient(struct ipcPipe pipes, const char* client_uri,
const char* registration_access_token,
Expand Down
5 changes: 3 additions & 2 deletions src/utils/config/add_config.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,18 +25,19 @@ static add_config_t* _getAddConfig(const char* json) {
}

INIT_KEY_VALUE(CONFIG_KEY_STOREPW, CONFIG_KEY_PWPROMPTMODE,
CONFIG_KEY_DEBUGLOGGING);
CONFIG_KEY_DEBUGLOGGING, CONFIG_KEY_PLAINADD);
if (getJSONValuesFromString(json, pairs, sizeof(pairs) / sizeof(*pairs)) <
0) {
SEC_FREE_KEY_VALUES();
oidc_perror();
exit(oidc_errno);
}
KEY_VALUE_VARS(store_pw, pw_prompt, debug);
KEY_VALUE_VARS(store_pw, pw_prompt, debug, plainadd);
add_config_t* c = secAlloc(sizeof(add_config_t));
c->store_pw = strToBit(_store_pw);
c->pw_prompt_mode = parse_prompt_mode(_pw_prompt);
c->debug = strToBit(_debug);
c->plain_add = strToBit(_plainadd);
SEC_FREE_KEY_VALUES();
return c;
}
Expand Down
1 change: 1 addition & 0 deletions src/utils/config/add_config.h
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ struct add_config {
unsigned char store_pw : 1;
unsigned char pw_prompt_mode : 2;
unsigned char debug : 1;
unsigned char plain_add : 1;
};

typedef struct add_config add_config_t;
Expand Down

0 comments on commit 98bf5bf

Please sign in to comment.