
Merge pull request #31 from KIT-SCC/dev
Changes naming of provider config to account config
zachmann authored Sep 12, 2017
2 parents 6da8f52 + 59bd4ca commit 8dd7c92
Showing 12 changed files with 114 additions and 87 deletions.
38 changes: 19 additions & 19 deletions README.MD
@@ -10,8 +10,8 @@ an X-session or a login session, and all other windows or programs are started a
clients to the oidc-agent program. Through use of environment variables the agent
can be located and automatically used to handle oidc tokens.

The agent initially does not have any providers loaded. You can load a
provider configuration by using oidc-add. Multiple provider configurations may
The agent initially does not have any configurations loaded. You can load a
account configuration by using oidc-add. Multiple accounts configurations may
be loaded in oidc-agent concurrently. oidc-add is also used to remove a loaded
configuration from oidc-agent.

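Review bot: grammar in the new text: "load a account configuration" should read "load an account configuration", and "Multiple accounts configurations" should be "Multiple account configurations".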
@@ -47,15 +47,15 @@ eval `oidc-agent`
```

### oidc-gen
You can use oidc-gen to generate a new oidc provider config.
You can use oidc-gen to generate a new oidc account config.
Most likely you do not have already a client registered and don't want to do it through a web
interface. If the provider supports dynamic registration (iam does), you can let the agent
register a new client for you. This is the default option. You can run ```oidc-gen``` to start this flow. Using iam
password grant type is not supported using dynamic registration. The client is registered
and you have to contact the provider to update the client config manually. After that is
done, you can specify the saved client config file to oidc-gen using ```oidc-gen -f <filepath>```
and finish the provider configuration. Afterwards the config is added to oidc-agent
and can be used by oidc-add normally to add and remove the provider from the agent.
and finish the account configuration. Afterwards the config is added to oidc-agent
and can be used by oidc-add normally to add and remove the account configuration from the agent.

If you have already a registered client (e.g. because the provider does not support dynamic registration) you can run
```oidc-gen -m``` for manual configuration. oidc-gen will prompt you for the relevant
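Review bot: the terminology is still mixed within this hunk: the first changed line says "account config" while the later one says "account configuration"; pick one form (the oidc-add section and the new help text use "account configuration") so users and grep both find it. Also "add and remove the account configuration from the agent" reads better as "add the account configuration to, and remove it from, the agent".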
@@ -71,7 +71,7 @@ configuration oidc-add is your friend.

### oidc-add
oidc-add will add an existing configuration to the oidc-agent, making it useable. You
have to provide the short name of the provider configuration via command line
have to provide the short name of the account configuration via command line
argument.
```
oidc-add <shortname>
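Review bot: the usage block still shows `oidc-add <shortname>` while oidc-add's own help text in this PR names the argument `ACCOUNT_SHORTNAME`; aligning the README placeholder with the help output avoids two names for the same thing.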
@@ -81,30 +81,30 @@ oidc-add <shortname>
clients can use the provided api to communicate with oidc-agent. An example client is
oidc-token.

The api provides functions for getting a list of currently loaded providers and access token. They can be easily used. Alternative a client can directly communicate with the oidc-agent through UNIX domain sockets. The socket address can be get from the environment variable which is set by the agent. The request has to be sent json encoded. We use a UNIX domain socket of type ```SOCK_SEQPACKET```.
The api provides functions for getting a list of currently loaded account configs and access token. They can be easily used. Alternative a client can directly communicate with the oidc-agent through UNIX domain sockets. The socket address can be get from the environment variable which is set by the agent. The request has to be sent json encoded. We use a UNIX domain socket of type ```SOCK_SEQPACKET```.
The following fields and values have to be present for the different calls:

#### List of Providers:
#### List of Accounts:

##### Request
| field | value |
|---------|---------------|
| request | provider_list |
| request | account_list |

example:
```
{"request":"provider_list"}
{"request":"account_list"}
```

##### Response
| field | value |
|---------------|-----------------------|
| status | success |
| provider_list | JSON Array of strings |
| account_list | JSON Array of strings |

example:
```
{"status":"success", "provider_list":["iam", "test"]}
{"status":"success", "account_list":["iam", "test"]}
```

##### Error Response
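Review bot: renaming the request value and the response key from `provider_list` to `account_list` is a wire-protocol change for anyone talking to the socket directly, which this very section invites clients to do, and nothing in the hunk records it or keeps the old name accepted; either document it as breaking (with a version bump) or accept `provider_list` for a transition period. While this paragraph is being edited: "Alternative a client can directly communicate" should be "Alternatively, a client can communicate directly", "can be get from" should be "can be obtained from", and "access token" should be plural.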
@@ -123,12 +123,12 @@ example:
| field | value |
|------------------|------------------------|
| request | access_token |
| provider | <provider_shortname> |
| account | <account_shortname> |
| min_valid_period | <min_valid_period> [s] |

example:
```
{"request":"access_token", "provider":"iam", "min_valid_period":60}
{"request":"access_token", "account":"iam", "min_valid_period":60}
```

##### Response
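Review bot: the table documents `min_valid_period` as `<min_valid_period> [s]` and the example sends it as a JSON number, but the agent side in this PR appears to take the value as a string and convert it with `atoi`; state explicitly which JSON type is expected, otherwise the documented example and the parser will keep drifting apart.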
@@ -150,20 +150,20 @@ example:

example:
```
{"status":"failure", "error":"Provider not loaded"}
{"status":"failure", "error":"Account not loaded"}
```

#### oidc-token
oidc-token is n example client using the provided C-api and can be used to easily get an oidc access token from the command line.

oidc-token can list the currently loaded providers and get an access token.
oidc-token can list the currently loaded accounts and get an access token.

For displaying a list of loaded providers run
For displaying a list of loaded accounts run
```
oidc-token -l
```

To get an access token for one provider you have to specify the short name and
To get an access token for one account config you have to specify the short name and
how long the access token should be valid at least. The time is given in
seconds. If no minimum period of validity is specified, the default value 0 will
be used. This means that the access token might not be valid anymore even when
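Review bot: the error example `"Account not loaded"` does not match what the agent sends in this PR, which is `"Account not loaded."` with a trailing period from the token handler and lower-case `"account not loaded"` from the remove handler; a client that matches on the message string will miss one of them, so unify the three strings. Also "oidc-token is n example client" is missing the "a".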
@@ -172,7 +172,7 @@ access token is issued and returned. We guarantee that the token will be valid
the specific time, if it is below the server's maximum, otherwise it will be the
provider's maximum.

The following call will get an access token for the provider with the short name
The following call will get an access token for the account with the short name
'iam'. The access token will be valid at least for 60 seconds.
```
oidc-token iam -t 60
28 changes: 14 additions & 14 deletions src/api.c
@@ -9,13 +9,13 @@
#include "oidc_error.h"


char* getProviderRequest() {
char* fmt = "{\"request\":\"provider_list\"}";
char* getAccountRequest() {
char* fmt = "{\"request\":\"account_list\"}";
return fmt;
}

char* getAccessTokenRequest(const char* providername, unsigned long min_valid_period) {
char* fmt = "{\"request\":\"access_token\", \"provider\":\"%s\", \"min_valid_period\":%lu}";
char* fmt = "{\"request\":\"access_token\", \"account\":\"%s\", \"min_valid_period\":%lu}";
char* request = calloc(sizeof(char), snprintf(NULL, 0, fmt, providername, min_valid_period)+1);
sprintf(request, fmt, providername, min_valid_period);
return request;
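Review bot: `getAccessTokenRequest` still takes `providername` while the format string it fills now uses the `account` key; rename the parameter to `accountname` to match `getAccessToken` below. Two pre-existing issues in the same lines are worth fixing while here: the name is interpolated into the JSON request with `sprintf` and no escaping, so a short name containing a double quote or backslash yields a malformed request, and `calloc(sizeof(char), n)` swaps the nmemb/size arguments and ignores a negative return from `snprintf`. Check `n >= 0`, allocate with `calloc(n + 1, 1)`, and reject or escape names that are not plain identifiers.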
@@ -39,17 +39,17 @@ char* communicate(char* json_request) {
return response;
}

/** @fn char* getAccessToken(const char* providername, unsigned long min_valid_period)
* @brief gets an valid access token for a provider
* @param providername the short name of the provider for whom an access token
/** @fn char* getAccessToken(const char* accountname, unsigned long min_valid_period)
* @brief gets an valid access token for a account config
* @param accountname the short name of the account config for which an access token
* should be returned
* @param min_valid_period the minium period of time the access token has to be valid
* in seconds
* @return a pointer to the access token. Has to be freed after usage. On
* failure NULL is returned and oidc_errno is set.
*/
char* getAccessToken(const char* providername, unsigned long min_valid_period) {
char* request = getAccessTokenRequest(providername, min_valid_period);
char* getAccessToken(const char* accountname, unsigned long min_valid_period) {
char* request = getAccessTokenRequest(accountname, min_valid_period);
char* response = communicate(request);
if(response==NULL) {
return NULL;
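Review bot: the updated doc comment reads "gets an valid access token for a account config"; it should be "gets a valid access token for an account config". Also, when `communicate(request)` returns NULL the function returns without freeing `request`, which `getAccessTokenRequest` allocated with `calloc`; unless `communicate` takes ownership of its argument, this path leaks.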
@@ -79,22 +79,22 @@ char* getAccessToken(const char* providername, unsigned long min_valid_period) {
}
}

/** @fn char* getLoadedProvider()
* @brief gets a a list of currently loaded providers
/** @fn char* getLoadedAccount()
* @brief gets a a list of currently loaded accounts
* @return a pointer to the JSON Array String containing all the short names
* of the currently loaded providers. Has to be freed after usage.
* of the currently loaded accounts. Has to be freed after usage.
* On failure NULL is returned and oidc_errno is set.
*/
char* getLoadedProvider() {
char* request = getProviderRequest();
char* getLoadedAccounts() {
char* request = getAccountRequest();
char* response = communicate(request);
if(response==NULL) {
return NULL;
}
struct key_value pairs[3];
pairs[0].key = "status";
pairs[1].key = "error";
pairs[2].key = "provider_list";
pairs[2].key = "account_list";
if(getJSONValues(response, pairs, sizeof(pairs)/sizeof(*pairs))<0) {
fprintf(stderr, "Read malformed data. Please hand in bug report.\n");
clearFreeString(response);
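Review bot: the doc comment names the function `getLoadedAccount()` but the definition below is `getLoadedAccounts()`; make the `@fn` line match, and drop the doubled "a a" in "gets a a list". Since `getLoadedProvider()` was exported through api.h, removing it without a compatibility wrapper breaks existing library clients; consider keeping a deprecated `getLoadedProvider()` that forwards to the new name for one release.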
4 changes: 2 additions & 2 deletions src/api.h
@@ -5,7 +5,7 @@

#define OIDC_SOCK_ENV_NAME "OIDC_SOCK"

char* getAccessToken(const char* providername, unsigned long min_valid_period) ;
char* getLoadedProvider() ;
char* getAccessToken(const char* accountname, unsigned long min_valid_period) ;
char* getLoadedAccounts() ;
extern char* oidc_perror();
#endif // OIDC_API_H
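Review bot: both exported prototypes change names and the old ones are gone, so this header is an API break for every program linked against the library; bump the library version or keep the old names as deprecated aliases. Unrelated but cheap: `extern char* oidc_perror();` is an old-style declaration; `extern char* oidc_perror(void);` lets the compiler reject calls that pass arguments.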
2 changes: 1 addition & 1 deletion src/ipc.c
@@ -286,7 +286,7 @@ oidc_error_t ipc_write(int _sock, char* fmt, ...) {
vsprintf(msg, fmt, original);
syslog(LOG_AUTHPRIV|LOG_DEBUG, "ipc writing to socket %d\n",_sock);
syslog(LOG_AUTHPRIV|LOG_DEBUG, "ipc write %s\n",msg);
if(write(_sock, msg, strlen(msg)+1) < 0) {
if(write(_sock, msg, strlen(msg)) < 0) {
syslog(LOG_AUTHPRIV|LOG_ALERT, "writing on stream socket: %m");
clearFreeString(msg);
oidc_errno = OIDC_EWRITE;
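Review bot: this hunk silently changes the IPC framing: `write(_sock, msg, strlen(msg)+1)` becomes `write(_sock, msg, strlen(msg))`, so the terminating NUL is no longer sent. That is not a naming change and the commit message does not mention it; it also means every reader of this socket must now add its own terminator before treating the received buffer as a C string, or it reads past the bytes it got. Split it into its own commit together with the matching reader change. While here: `vsprintf(msg, fmt, original)` is unbounded (use `vsnprintf` with the size that was allocated for `msg`), and a short write, `write` returning fewer than `strlen(msg)` bytes, is currently treated as success.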
2 changes: 1 addition & 1 deletion src/ipc.h
@@ -16,7 +16,7 @@
#define RESPONSE_ERROR_ENDPOINT "{\"status\":\"failure\", \"error\":\"%s\", \"token_endpoint\":\"%s\", \"authorization_endpoint\":\"%s\", \"registration_endpoint\":\"%s\", \"revocation_endpoint\":\"%s\"}"
#define RESPONSE_STATUS_ENDPOINT_REFRESH "{\"status\":\"%s\", \"token_endpoint\":\"%s\", \"authorization_endpoint\":\"%s\", \"registration_endpoint\":\"%s\", \"revocation_endpoint\":\"%s\", \"refresh_token\":\"%s\"}"
#define RESPONSE_STATUS_ACCESS "{\"status\":\"%s\", \"access_token\":\"%s\"}"
#define RESPONSE_STATUS_PROVIDER "{\"status\":\"%s\", \"provider_list\":%s}"
#define RESPONSE_STATUS_ACCOUNT "{\"status\":\"%s\", \"account_list\":%s}"
#define RESPONSE_STATUS_REGISTER "{\"status\":\"%s\", \"response\":%s}"
#define RESPONSE_ERROR "{\"status\":\"failure\", \"error\":\"%s\"}"

10 changes: 5 additions & 5 deletions src/oidc-add.c
@@ -31,7 +31,7 @@ struct arguments {
Order of fields: {NAME, KEY, ARG, FLAGS, DOC}.
*/
static struct argp_option options[] = {
{"remove", 'r', 0, 0, "the provider is removed, not added", 0},
{"remove", 'r', 0, 0, "the account config is removed, not added", 0},
{"debug", 'g', 0, 0, "sets the log level to DEBUG", 0},
{"verbose", 'v', 0, 0, "enables verbose mode. The send data will be printed.", 0},
{0}
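Review bot: the context line for the `verbose` option says "The send data will be printed."; since the option strings in this hunk are being edited anyway, correct it to "The sent data will be printed."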
@@ -77,13 +77,13 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
A description of the non-option command-line arguments
that we accept.
*/
static char args_doc[] = "PROVIDER_SHORTNAME";
static char args_doc[] = "ACCOUNT_SHORTNAME";

/*
DOC. Field 4 in ARGP.
Program documentation.
*/
static char doc[] = "oidc-add -- A client for adding and removing providers to the oidc-agent";
static char doc[] = "oidc-add -- A client for adding and removing accounts to the oidc-agent";

/*
The ARGP structure itself.
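Review bot: in the new `doc` string, "adding and removing accounts to the oidc-agent" should be "adding accounts to and removing them from the oidc-agent".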
@@ -114,12 +114,12 @@ int main(int argc, char** argv) {
char* provider = arguments.args[0];

if(!providerConfigExists(provider)) {
printf("No provider configured with that short name\n");
printf("No account configured with that short name\n");
exit(EXIT_FAILURE);
}
struct oidc_provider* p = NULL;
while(NULL==p) {
char* password = promptPassword("Enter encrpytion password for provider %s: ", provider);
char* password = promptPassword("Enter encrpytion password for account config %s: ", provider);
p = decryptProvider(provider, password);
clearFreeString(password);
}
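Review bot: the changed prompt still carries the pre-existing typo "encrpytion"; fix it to "encryption" while the string is being edited. The rename is also only skin deep here: the user-facing text says "account config" but `provider`, `providerConfigExists`, `decryptProvider` and `struct oidc_provider` keep the old name, which will confuse the next reader; either rename the identifiers in a follow-up or state in the commit message that only user-visible strings are in scope. Separately, `while(NULL==p)` re-prompts forever whenever `decryptProvider` returns NULL, for a wrong password or any other failure; a bounded number of attempts with a clear failure exit would serve scripts and users better.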
16 changes: 8 additions & 8 deletions src/oidc-agent.c
@@ -168,7 +168,7 @@ void handleAdd(int sock, struct oidc_provider** loaded_p, size_t* loaded_p_count
}
if(NULL!=findProvider(*loaded_p, *loaded_p_count, *provider)) {
freeProvider(provider);
ipc_write(sock, RESPONSE_ERROR, "provider already loaded");
ipc_write(sock, RESPONSE_ERROR, "account already loaded");
return;
}
if(retrieveAccessTokenRefreshFlowOnly(provider, FORCE_NEW_TOKEN)!=OIDC_SUCCESS) {
@@ -205,7 +205,7 @@ void handleRm(int sock, struct oidc_provider** loaded_p, size_t* loaded_p_count,
}
if(NULL==findProvider(*loaded_p, *loaded_p_count, *provider)) {
freeProvider(provider);
ipc_write(sock, RESPONSE_ERROR, revoke ? "Could not revoke token: provider not loaded" : "provider not loaded");
ipc_write(sock, RESPONSE_ERROR, revoke ? "Could not revoke token: account not loaded" : "account not loaded");
return;
}
if(revoke && revokeToken(provider)!=OIDC_SUCCESS) {
@@ -221,14 +221,14 @@ void handleRm(int sock, struct oidc_provider** loaded_p, size_t* loaded_p_count,
void handleToken(int sock, struct oidc_provider* loaded_p, size_t loaded_p_count, char* short_name, char* min_valid_period_str) {
syslog(LOG_AUTHPRIV|LOG_DEBUG, "Handle Token request");
if(short_name==NULL || min_valid_period_str== NULL) {
ipc_write(sock, RESPONSE_ERROR, "Bad request. Need provider name and min_valid_period for getting access token.");
ipc_write(sock, RESPONSE_ERROR, "Bad request. Need account name and min_valid_period for getting access token.");
return;
}
struct oidc_provider key = {0, short_name, 0};
time_t min_valid_period = atoi(min_valid_period_str);
struct oidc_provider* provider = findProvider(loaded_p, loaded_p_count, key);
if(provider==NULL) {
ipc_write(sock, RESPONSE_ERROR, "Provider not loaded.");
ipc_write(sock, RESPONSE_ERROR, "Account not loaded.");
return;
}
if(retrieveAccessTokenRefreshFlowOnly(provider, min_valid_period)!=0) {
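Review bot: the error strings are now inconsistent across handlers: `handleRm` sends "account not loaded", `handleToken` sends "Account not loaded." and the README documents "Account not loaded"; pick one spelling, as a client matching on the message cannot know which it will get. Also in this hunk, `atoi(min_valid_period_str)` accepts anything: non-numeric input silently becomes 0 (so no validity guarantee at all) and negative values are passed straight into `retrieveAccessTokenRefreshFlowOnly`; parse with `strtol`, check `errno` and the end pointer, and answer with RESPONSE_ERROR for negative or unparsable values.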
@@ -241,7 +241,7 @@ void handleToken(int sock, struct oidc_provider* loaded_p, size_t loaded_p_count
void handleList(int sock, struct oidc_provider* loaded_p, size_t loaded_p_count) {
syslog(LOG_AUTHPRIV|LOG_DEBUG, "Handle list request");
char* providerList = getProviderNameList(loaded_p, loaded_p_count);
ipc_write(sock, RESPONSE_STATUS_PROVIDER, "success", oidc_errno==OIDC_EARGNULL ? "[]" : providerList);
ipc_write(sock, RESPONSE_STATUS_ACCOUNT, "success", oidc_errno==OIDC_EARGNULL ? "[]" : providerList);
clearFreeString(providerList);
}

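Review bot: the response macro is renamed to `RESPONSE_STATUS_ACCOUNT` but `providerList` and `getProviderNameList` keep the old name on the same two lines; rename them together or leave both as they were, a half-renamed function body is harder to read than either.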
@@ -254,7 +254,7 @@ void handleRegister(int sock, struct oidc_provider* loaded_p, size_t loaded_p_co
}
if(NULL!=findProvider(loaded_p, loaded_p_count, *provider)) {
freeProvider(provider);
ipc_write(sock, RESPONSE_ERROR, "A provider with this shortname is already loaded. I will not register a new one.");
ipc_write(sock, RESPONSE_ERROR, "A account with this shortname is already loaded. I will not register a new one.");
return;
}
if(getEndpoints(provider)!=OIDC_SUCCESS) {
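Review bot: "A account with this shortname is already loaded" should be "An account with this shortname is already loaded".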
@@ -369,7 +369,7 @@ int main(int argc, char** argv) {
if(NULL!=q) {
struct key_value pairs[4];
pairs[0].key = "request"; pairs[0].value = NULL;
pairs[1].key = "provider"; pairs[1].value = NULL;
pairs[1].key = "account"; pairs[1].value = NULL;
pairs[2].key = "min_valid_period"; pairs[2].value = NULL;
pairs[3].key = "config"; pairs[3].value = NULL;
if(getJSONValues(q, pairs, sizeof(pairs)/sizeof(*pairs))<0) {
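Review bot: changing the expected request key from `provider` to `account` means a client built against the previous protocol now ends up with `pairs[1].value == NULL` and receives "Bad request" from `handleToken`, with no hint that the key name changed; either accept both keys for a transition period (look up `account` first, fall back to `provider`) or name the expected keys in the error text so the failure is diagnosable from the client side.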
@@ -386,7 +386,7 @@ int main(int argc, char** argv) {
handleRm(*(con->msgsock), loaded_p_addr, &loaded_p_count, pairs[3].value, 1);
} else if(strcmp(pairs[0].value, "access_token")==0) {
handleToken(*(con->msgsock), *loaded_p_addr, loaded_p_count, pairs[1].value, pairs[2].value);
} else if(strcmp(pairs[0].value, "provider_list")==0) {
} else if(strcmp(pairs[0].value, "account_list")==0) {
handleList(*(con->msgsock), *loaded_p_addr, loaded_p_count);
} else if(strcmp(pairs[0].value, "register")==0) {
handleRegister(*(con->msgsock), *loaded_p_addr, loaded_p_count, pairs[3].value);
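Review bot: the dispatch chain calls `strcmp(pairs[0].value, ...)` and the only guard visible above is the `getJSONValues(...) < 0` check for malformed JSON, so a well-formed request without a `request` key leaves `pairs[0].value` NULL and `strcmp` dereferences it; add an explicit NULL check that answers with RESPONSE_ERROR. The renamed `account_list` branch also means an older client sending `provider_list` now falls through to whatever follows this chain; make sure that is an explicit "unknown request" error rather than silence on the socket, so the client does not block waiting for a reply.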