|
|
|
@@ -1,274 +1,278 @@ |
1 | #include <uuid/uuid.h> |
1 | #include <uuid/uuid.h> |
2 | #include <iostream> |
2 | #include <iostream> |
3 | #include <cassert> |
3 | #include <cassert> |
4 | #include <string> |
4 | #include <string> |
5 | #include <ext/algorithm> |
| |
6 | using namespace std; |
5 | using namespace std; |
7 | #include <kingate/exception.h> |
6 | #include <kingate/exception.h> |
8 | #include <kingate/plaincgi.h> |
7 | #include <kingate/plaincgi.h> |
9 | #include <kingate/cgi_gateway.h> |
8 | #include <kingate/cgi_gateway.h> |
10 | #include <opkele/exception.h> |
9 | #include <opkele/exception.h> |
11 | #include <opkele/util.h> |
10 | #include <opkele/util.h> |
12 | #include <opkele/uris.h> |
11 | #include <opkele/uris.h> |
13 | #include <opkele/extension.h> |
12 | #include <opkele/extension.h> |
14 | #include <opkele/association.h> |
13 | #include <opkele/association.h> |
15 | #include <opkele/debug.h> |
14 | #include <opkele/debug.h> |
16 | #include <opkele/verify_op.h> |
15 | #include <opkele/verify_op.h> |
17 | #include <opkele/sreg.h> |
16 | #include <opkele/sreg.h> |
18 | |
17 | |
| |
18 | #include "config.h" |
| |
19 | #ifdef HAVE_EXT_ALGORITHM_H |
| |
20 | # include <ext/algorithm> |
| |
21 | #endif |
| |
22 | |
19 | #include "sqlite.h" |
23 | #include "sqlite.h" |
20 | #include "kingate_openid_message.h" |
24 | #include "kingate_openid_message.h" |
21 | |
25 | |
22 | static const string get_self_url(const kingate::cgi_gateway& gw) { |
26 | static const string get_self_url(const kingate::cgi_gateway& gw) { |
23 | bool s = gw.has_meta("SSL_PROTOCOL_VERSION"); |
27 | bool s = gw.has_meta("SSL_PROTOCOL_VERSION"); |
24 | string rv = s?"https://":"http://"; |
28 | string rv = s?"https://":"http://"; |
25 | rv += gw.http_request_header("Host"); |
29 | rv += gw.http_request_header("Host"); |
26 | const string& port = gw.get_meta("SERVER_PORT"); |
30 | const string& port = gw.get_meta("SERVER_PORT"); |
27 | if( port!=(s?"443":"80") ) { |
31 | if( port!=(s?"443":"80") ) { |
28 | rv += ':'; rv += port; |
32 | rv += ':'; rv += port; |
29 | } |
33 | } |
30 | rv += gw.get_meta("REQUEST_URI"); |
34 | rv += gw.get_meta("REQUEST_URI"); |
31 | string::size_type q = rv.find('?'); |
35 | string::size_type q = rv.find('?'); |
32 | if(q!=string::npos) |
36 | if(q!=string::npos) |
33 | rv.erase(q); |
37 | rv.erase(q); |
34 | return rv; |
38 | return rv; |
35 | } |
39 | } |
36 | |
40 | |
37 | class opdb_t : public sqlite3_t { |
41 | class opdb_t : public sqlite3_t { |
38 | public: |
42 | public: |
39 | opdb_t() |
43 | opdb_t() |
40 | : sqlite3_t("/tmp/OP.db") { |
44 | : sqlite3_t("/tmp/OP.db") { |
41 | assert(_D); |
45 | assert(_D); |
42 | char **resp; int nr,nc; char *errm; |
46 | char **resp; int nr,nc; char *errm; |
43 | if(sqlite3_get_table( |
47 | if(sqlite3_get_table( |
44 | _D, "SELECT a_op FROM assoc LIMIT 0", |
48 | _D, "SELECT a_op FROM assoc LIMIT 0", |
45 | &resp,&nr,&nc,&errm)!=SQLITE_OK) { |
49 | &resp,&nr,&nc,&errm)!=SQLITE_OK) { |
46 | extern const char *__OP_db_bootstrap; |
50 | extern const char *__OP_db_bootstrap; |
47 | DOUT_("Bootstrapping DB"); |
51 | DOUT_("Bootstrapping DB"); |
48 | if(sqlite3_exec(_D,__OP_db_bootstrap,NULL,NULL,&errm)!=SQLITE_OK) |
52 | if(sqlite3_exec(_D,__OP_db_bootstrap,NULL,NULL,&errm)!=SQLITE_OK) |
49 | throw opkele::exception(OPKELE_CP_ string("Failed to boostrap SQLite database: ")+errm); |
53 | throw opkele::exception(OPKELE_CP_ string("Failed to boostrap SQLite database: ")+errm); |
50 | }else |
54 | }else |
51 | sqlite3_free_table(resp); |
55 | sqlite3_free_table(resp); |
52 | } |
56 | } |
53 | }; |
57 | }; |
54 | |
58 | |
55 | class example_op_t : public opkele::verify_OP { |
59 | class example_op_t : public opkele::verify_OP { |
56 | public: |
60 | public: |
57 | kingate::cgi_gateway& gw; |
61 | kingate::cgi_gateway& gw; |
58 | opdb_t db; |
62 | opdb_t db; |
59 | kingate::cookie htc; |
63 | kingate::cookie htc; |
60 | |
64 | |
61 | |
65 | |
62 | example_op_t(kingate::cgi_gateway& g) |
66 | example_op_t(kingate::cgi_gateway& g) |
63 | : gw(g) { |
67 | : gw(g) { |
64 | try { |
68 | try { |
65 | htc = gw.cookies.get_cookie("htop_session"); |
69 | htc = gw.cookies.get_cookie("htop_session"); |
66 | sqlite3_mem_t<char*> S = sqlite3_mprintf( |
70 | sqlite3_mem_t<char*> S = sqlite3_mprintf( |
67 | "SELECT 1 FROM ht_sessions WHERE hts_id=%Q", |
71 | "SELECT 1 FROM ht_sessions WHERE hts_id=%Q", |
68 | htc.get_value().c_str()); |
72 | htc.get_value().c_str()); |
69 | sqlite3_table_t T; int nr,nc; |
73 | sqlite3_table_t T; int nr,nc; |
70 | db.get_table(S,T,&nr,&nc); |
74 | db.get_table(S,T,&nr,&nc); |
71 | if(nr<1) |
75 | if(nr<1) |
72 | throw kingate::exception_notfound(CODEPOINT,"forcing cookie generation"); |
76 | throw kingate::exception_notfound(CODEPOINT,"forcing cookie generation"); |
73 | }catch(kingate::exception_notfound& kenf) { |
77 | }catch(kingate::exception_notfound& kenf) { |
74 | uuid_t uuid; uuid_generate(uuid); |
78 | uuid_t uuid; uuid_generate(uuid); |
75 | htc = kingate::cookie("htop_session",opkele::util::encode_base64(uuid,sizeof(uuid))); |
79 | htc = kingate::cookie("htop_session",opkele::util::encode_base64(uuid,sizeof(uuid))); |
76 | sqlite3_mem_t<char*> S = sqlite3_mprintf( |
80 | sqlite3_mem_t<char*> S = sqlite3_mprintf( |
77 | "INSERT INTO ht_sessions (hts_id) VALUES (%Q)", |
81 | "INSERT INTO ht_sessions (hts_id) VALUES (%Q)", |
78 | htc.get_value().c_str()); |
82 | htc.get_value().c_str()); |
79 | db.exec(S); |
83 | db.exec(S); |
80 | } |
84 | } |
81 | } |
85 | } |
82 | |
86 | |
83 | void set_authorized(bool a) { |
87 | void set_authorized(bool a) { |
84 | sqlite3_mem_t<char*> |
88 | sqlite3_mem_t<char*> |
85 | S = sqlite3_mprintf( |
89 | S = sqlite3_mprintf( |
86 | "UPDATE ht_sessions" |
90 | "UPDATE ht_sessions" |
87 | " SET authorized=%d" |
91 | " SET authorized=%d" |
88 | " WHERE hts_id=%Q", |
92 | " WHERE hts_id=%Q", |
89 | (int)a,htc.get_value().c_str()); |
93 | (int)a,htc.get_value().c_str()); |
90 | db.exec(S); |
94 | db.exec(S); |
91 | } |
95 | } |
92 | bool get_authorized() { |
96 | bool get_authorized() { |
93 | sqlite3_mem_t<char*> |
97 | sqlite3_mem_t<char*> |
94 | S = sqlite3_mprintf( |
98 | S = sqlite3_mprintf( |
95 | "SELECT authorized" |
99 | "SELECT authorized" |
96 | " FROM ht_sessions" |
100 | " FROM ht_sessions" |
97 | " WHERE hts_id=%Q", |
101 | " WHERE hts_id=%Q", |
98 | htc.get_value().c_str()); |
102 | htc.get_value().c_str()); |
99 | sqlite3_table_t T; int nr,nc; |
103 | sqlite3_table_t T; int nr,nc; |
100 | db.get_table(S,T,&nr,&nc); |
104 | db.get_table(S,T,&nr,&nc); |
101 | assert(nr==1); assert(nc=1); |
105 | assert(nr==1); assert(nc=1); |
102 | return opkele::util::string_to_long(T.get(1,0,nc)); |
106 | return opkele::util::string_to_long(T.get(1,0,nc)); |
103 | } |
107 | } |
104 | |
108 | |
105 | ostream& cookie_header(ostream& o) const { |
109 | ostream& cookie_header(ostream& o) const { |
106 | o << "Set-Cookie: " << htc.set_cookie_header() << "\n"; |
110 | o << "Set-Cookie: " << htc.set_cookie_header() << "\n"; |
107 | return o; |
111 | return o; |
108 | } |
112 | } |
109 | |
113 | |
110 | opkele::assoc_t alloc_assoc(const string& type,size_t klength,bool sl) { |
114 | opkele::assoc_t alloc_assoc(const string& type,size_t klength,bool sl) { |
111 | uuid_t uuid; uuid_generate(uuid); |
115 | uuid_t uuid; uuid_generate(uuid); |
112 | string a_handle = opkele::util::encode_base64(uuid,sizeof(uuid)); |
116 | string a_handle = opkele::util::encode_base64(uuid,sizeof(uuid)); |
113 | opkele::secret_t a_secret; |
117 | opkele::secret_t a_secret; |
114 | generate_n( |
118 | generate_n( |
115 | back_insert_iterator<opkele::secret_t>(a_secret),klength, |
119 | back_insert_iterator<opkele::secret_t>(a_secret),klength, |
116 | rand ); |
120 | rand ); |
117 | string ssecret; a_secret.to_base64(ssecret); |
121 | string ssecret; a_secret.to_base64(ssecret); |
118 | time_t now = time(0); |
122 | time_t now = time(0); |
119 | int expires_in = sl?3600*2:3600*24*7*2; |
123 | int expires_in = sl?3600*2:3600*24*7*2; |
120 | sqlite3_mem_t<char*> |
124 | sqlite3_mem_t<char*> |
121 | S = sqlite3_mprintf( |
125 | S = sqlite3_mprintf( |
122 | "INSERT INTO assoc" |
126 | "INSERT INTO assoc" |
123 | " (a_handle,a_type,a_ctime,a_etime,a_secret,a_stateless)" |
127 | " (a_handle,a_type,a_ctime,a_etime,a_secret,a_stateless)" |
124 | " VALUES (" |
128 | " VALUES (" |
125 | " %Q,%Q,datetime('now')," |
129 | " %Q,%Q,datetime('now')," |
126 | " datetime('now','+%d seconds')," |
130 | " datetime('now','+%d seconds')," |
127 | " %Q,%d );", |
131 | " %Q,%d );", |
128 | a_handle.c_str(), type.c_str(), |
132 | a_handle.c_str(), type.c_str(), |
129 | expires_in, |
133 | expires_in, |
130 | ssecret.c_str(), sl ); |
134 | ssecret.c_str(), sl ); |
131 | db.exec(S); |
135 | db.exec(S); |
132 | return opkele::assoc_t(new opkele::association( |
136 | return opkele::assoc_t(new opkele::association( |
133 | "", |
137 | "", |
134 | a_handle, type, a_secret, |
138 | a_handle, type, a_secret, |
135 | now+expires_in, sl )); |
139 | now+expires_in, sl )); |
136 | } |
140 | } |
137 | |
141 | |
138 | opkele::assoc_t retrieve_assoc(const string& h) { |
142 | opkele::assoc_t retrieve_assoc(const string& h) { |
139 | sqlite3_mem_t<char*> |
143 | sqlite3_mem_t<char*> |
140 | S = sqlite3_mprintf( |
144 | S = sqlite3_mprintf( |
141 | "SELECT" |
145 | "SELECT" |
142 | " a_handle,a_type,a_secret,a_stateless," |
146 | " a_handle,a_type,a_secret,a_stateless," |
143 | " strftime('%%s',a_etime) AS a_etime," |
147 | " strftime('%%s',a_etime) AS a_etime," |
144 | " a_itime" |
148 | " a_itime" |
145 | " FROM assoc" |
149 | " FROM assoc" |
146 | " WHERE a_handle=%Q AND a_itime IS NULL" |
150 | " WHERE a_handle=%Q AND a_itime IS NULL" |
147 | " AND datetime('now') < a_etime" |
151 | " AND datetime('now') < a_etime" |
148 | " LIMIT 1", |
152 | " LIMIT 1", |
149 | h.c_str() ); |
153 | h.c_str() ); |
150 | sqlite3_table_t T; |
154 | sqlite3_table_t T; |
151 | int nr,nc; |
155 | int nr,nc; |
152 | db.get_table(S,T,&nr,&nc); |
156 | db.get_table(S,T,&nr,&nc); |
153 | if(nr<1) |
157 | if(nr<1) |
154 | throw opkele::failed_lookup(OPKELE_CP_ |
158 | throw opkele::failed_lookup(OPKELE_CP_ |
155 | "couldn't retrieve valid unexpired assoc"); |
159 | "couldn't retrieve valid unexpired assoc"); |
156 | assert(nr==1); assert(nc==6); |
160 | assert(nr==1); assert(nc==6); |
157 | opkele::secret_t secret; opkele::util::decode_base64(T.get(1,2,nc),secret); |
161 | opkele::secret_t secret; opkele::util::decode_base64(T.get(1,2,nc),secret); |
158 | return opkele::assoc_t(new opkele::association( |
162 | return opkele::assoc_t(new opkele::association( |
159 | "", h, T.get(1,1,nc), secret, |
163 | "", h, T.get(1,1,nc), secret, |
160 | strtol(T.get(1,4,nc),0,0), |
164 | strtol(T.get(1,4,nc),0,0), |
161 | strtol(T.get(1,3,nc),0,0) )); |
165 | strtol(T.get(1,3,nc),0,0) )); |
162 | } |
166 | } |
163 | |
167 | |
164 | string& alloc_nonce(string& nonce) { |
168 | string& alloc_nonce(string& nonce) { |
165 | uuid_t uuid; uuid_generate(uuid); |
169 | uuid_t uuid; uuid_generate(uuid); |
166 | nonce += opkele::util::encode_base64(uuid,sizeof(uuid)); |
170 | nonce += opkele::util::encode_base64(uuid,sizeof(uuid)); |
167 | sqlite3_mem_t<char*> |
171 | sqlite3_mem_t<char*> |
168 | S = sqlite3_mprintf( |
172 | S = sqlite3_mprintf( |
169 | "INSERT INTO nonces" |
173 | "INSERT INTO nonces" |
170 | " (n_once) VALUES (%Q)", |
174 | " (n_once) VALUES (%Q)", |
171 | nonce.c_str() ); |
175 | nonce.c_str() ); |
172 | db.exec(S); |
176 | db.exec(S); |
173 | return nonce; |
177 | return nonce; |
174 | } |
178 | } |
175 | bool check_nonce(const string& nonce) { |
179 | bool check_nonce(const string& nonce) { |
176 | sqlite3_mem_t<char*> |
180 | sqlite3_mem_t<char*> |
177 | S = sqlite3_mprintf( |
181 | S = sqlite3_mprintf( |
178 | "SELECT 1" |
182 | "SELECT 1" |
179 | " FROM nonces" |
183 | " FROM nonces" |
180 | " WHERE n_once=%Q AND n_itime IS NULL", |
184 | " WHERE n_once=%Q AND n_itime IS NULL", |
181 | nonce.c_str()); |
185 | nonce.c_str()); |
182 | sqlite3_table_t T; |
186 | sqlite3_table_t T; |
183 | int nr,nc; |
187 | int nr,nc; |
184 | db.get_table(S,T,&nr,&nc); |
188 | db.get_table(S,T,&nr,&nc); |
185 | return nr>=1; |
189 | return nr>=1; |
186 | } |
190 | } |
187 | void invalidate_nonce(const string& nonce) { |
191 | void invalidate_nonce(const string& nonce) { |
188 | sqlite3_mem_t<char*> |
192 | sqlite3_mem_t<char*> |
189 | S = sqlite3_mprintf( |
193 | S = sqlite3_mprintf( |
190 | "UPDATE nonces" |
194 | "UPDATE nonces" |
191 | " SET n_itime=datetime('now')" |
195 | " SET n_itime=datetime('now')" |
192 | " WHERE n_once=%Q", |
196 | " WHERE n_once=%Q", |
193 | nonce.c_str()); |
197 | nonce.c_str()); |
194 | db.exec(S); |
198 | db.exec(S); |
195 | } |
199 | } |
196 | |
200 | |
197 | const string get_op_endpoint() const { |
201 | const string get_op_endpoint() const { |
198 | return get_self_url(gw); |
202 | return get_self_url(gw); |
199 | } |
203 | } |
200 | |
204 | |
201 | }; |
205 | }; |
202 | |
206 | |
203 | int main(int,char **) { |
207 | int main(int,char **) { |
204 | try { |
208 | try { |
205 | kingate::plaincgi_interface ci; |
209 | kingate::plaincgi_interface ci; |
206 | kingate::cgi_gateway gw(ci); |
210 | kingate::cgi_gateway gw(ci); |
207 | string op; |
211 | string op; |
208 | try { op = gw.get_param("op"); }catch(kingate::exception_notfound&) { } |
212 | try { op = gw.get_param("op"); }catch(kingate::exception_notfound&) { } |
209 | string message; |
213 | string message; |
210 | if(op=="set_password") { |
214 | if(op=="set_password") { |
211 | example_op_t OP(gw); |
215 | example_op_t OP(gw); |
212 | string password = gw.get_param("password"); |
216 | string password = gw.get_param("password"); |
213 | sqlite3_mem_t<char*> |
217 | sqlite3_mem_t<char*> |
214 | Sget = sqlite3_mprintf("SELECT s_password FROM setup LIMIT 1"); |
218 | Sget = sqlite3_mprintf("SELECT s_password FROM setup LIMIT 1"); |
215 | sqlite3_table_t T; int nr,nc; |
219 | sqlite3_table_t T; int nr,nc; |
216 | OP.db.get_table(Sget,T,&nr,&nc); |
220 | OP.db.get_table(Sget,T,&nr,&nc); |
217 | if(nr>=1) |
221 | if(nr>=1) |
218 | throw opkele::exception(OPKELE_CP_ "Password already set"); |
222 | throw opkele::exception(OPKELE_CP_ "Password already set"); |
219 | sqlite3_mem_t<char*> |
223 | sqlite3_mem_t<char*> |
220 | Sset = sqlite3_mprintf( |
224 | Sset = sqlite3_mprintf( |
221 | "INSERT INTO setup (s_password) VALUES (%Q)", |
225 | "INSERT INTO setup (s_password) VALUES (%Q)", |
222 | password.c_str()); |
226 | password.c_str()); |
223 | OP.db.exec(Sset); |
227 | OP.db.exec(Sset); |
224 | op.clear(); |
228 | op.clear(); |
225 | message = "password set"; |
229 | message = "password set"; |
226 | }else if(op=="login") { |
230 | }else if(op=="login") { |
227 | example_op_t OP(gw); |
231 | example_op_t OP(gw); |
228 | string password = gw.get_param("password"); |
232 | string password = gw.get_param("password"); |
229 | sqlite3_mem_t<char*> |
233 | sqlite3_mem_t<char*> |
230 | Sget = sqlite3_mprintf("SELECT s_password FROM setup LIMIT 1"); |
234 | Sget = sqlite3_mprintf("SELECT s_password FROM setup LIMIT 1"); |
231 | sqlite3_table_t T; int nr,nc; |
235 | sqlite3_table_t T; int nr,nc; |
232 | OP.db.get_table(Sget,T,&nr,&nc); |
236 | OP.db.get_table(Sget,T,&nr,&nc); |
233 | if(nr<1) |
237 | if(nr<1) |
234 | throw opkele::exception(OPKELE_CP_ "no password set"); |
238 | throw opkele::exception(OPKELE_CP_ "no password set"); |
235 | if(password!=T.get(1,0,nc)) |
239 | if(password!=T.get(1,0,nc)) |
236 | throw opkele::exception(OPKELE_CP_ "wrong password"); |
240 | throw opkele::exception(OPKELE_CP_ "wrong password"); |
237 | OP.set_authorized(true); |
241 | OP.set_authorized(true); |
238 | op.clear(); |
242 | op.clear(); |
239 | message = "logged in"; |
243 | message = "logged in"; |
240 | OP.cookie_header(cout); |
244 | OP.cookie_header(cout); |
241 | }else if(op=="logout") { |
245 | }else if(op=="logout") { |
242 | example_op_t OP(gw); |
246 | example_op_t OP(gw); |
243 | OP.set_authorized(false); |
247 | OP.set_authorized(false); |
244 | op.clear(); |
248 | op.clear(); |
245 | message = "logged out"; |
249 | message = "logged out"; |
246 | } |
250 | } |
247 | string omode; |
251 | string omode; |
248 | try { omode = gw.get_param("openid.mode"); }catch(kingate::exception_notfound&) { } |
252 | try { omode = gw.get_param("openid.mode"); }catch(kingate::exception_notfound&) { } |
249 | if(op=="xrds") { |
253 | if(op=="xrds") { |
250 | cout << |
254 | cout << |
251 | "Content-type: application/xrds+xml\n\n" |
255 | "Content-type: application/xrds+xml\n\n" |
252 | "<?xml version='1.0' encoding='utf-8'?>" |
256 | "<?xml version='1.0' encoding='utf-8'?>" |
253 | "<xrds:XRDS xmlns:xrds='xri://$xrds' xmlns='xri://$xrd*($v*2.0)'>" |
257 | "<xrds:XRDS xmlns:xrds='xri://$xrds' xmlns='xri://$xrd*($v*2.0)'>" |
254 | "<XRD>" |
258 | "<XRD>" |
255 | "<Service>" |
259 | "<Service>" |
256 | "<Type>" STURI_OPENID20 "</Type>" |
260 | "<Type>" STURI_OPENID20 "</Type>" |
257 | "<URI>" << get_self_url(gw) << "</URI>" |
261 | "<URI>" << get_self_url(gw) << "</URI>" |
258 | "</Service>"; |
262 | "</Service>"; |
259 | if(gw.has_param("idsel")){ |
263 | if(gw.has_param("idsel")){ |
260 | cout << |
264 | cout << |
261 | "<Service>" |
265 | "<Service>" |
262 | "<Type>" STURI_OPENID20_OP "</Type>" |
266 | "<Type>" STURI_OPENID20_OP "</Type>" |
263 | "<URI>" << get_self_url(gw) << "</URI>"; |
267 | "<URI>" << get_self_url(gw) << "</URI>"; |
264 | } |
268 | } |
265 | cout << |
269 | cout << |
266 | "</XRD>" |
270 | "</XRD>" |
267 | "</xrds:XRDS>"; |
271 | "</xrds:XRDS>"; |
268 | }else if(op=="id_res" || op=="cancel") { |
272 | }else if(op=="id_res" || op=="cancel") { |
269 | kingate_openid_message_t inm(gw); |
273 | kingate_openid_message_t inm(gw); |
270 | example_op_t OP(gw); |
274 | example_op_t OP(gw); |
271 | if(gw.get_param("hts_id")!=OP.htc.get_value()) |
275 | if(gw.get_param("hts_id")!=OP.htc.get_value()) |
272 | throw opkele::exception(OPKELE_CP_ "toying around, huh?"); |
276 | throw opkele::exception(OPKELE_CP_ "toying around, huh?"); |
273 | opkele::sreg_t sreg; |
277 | opkele::sreg_t sreg; |
274 | OP.checkid_(inm,sreg); |
278 | OP.checkid_(inm,sreg); |
|