Client & Central Controller updates to support additonal OIDC features (#1848)
Client side: * Fix compatibility with OneLogin * Requested scopes vary by OIDC provider. Different providers have different Controller side: *Update Postgres queries to latest Central schema * Added Central Controller support for the different providers * Base OIDC provider details are still attached to an org. Client ID & group/email lists are now associated with individual networks.
This commit is contained in:
Grant Limberg
GitHub
parent
a59f82093a
commit
0ae09577f6
11 changed files with 175 additions and 68 deletions
|
|
@ -34,7 +34,7 @@ using json = nlohmann::json;
|
|||
|
||||
namespace {
|
||||
|
||||
static const int DB_MINIMUM_VERSION = 20;
|
||||
static const int DB_MINIMUM_VERSION = 38;
|
||||
|
||||
static const char *_timestr()
|
||||
{
|
||||
|
|
@ -442,20 +442,29 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
|
|||
exit(7);
|
||||
}
|
||||
|
||||
r = w.exec_params("SELECT org.client_id, org.authorization_endpoint, org.issuer, org.sso_impl_version "
|
||||
"FROM ztc_network AS nw, ztc_org AS org "
|
||||
"WHERE nw.id = $1 AND nw.sso_enabled = true AND org.owner_id = nw.owner_id", networkId);
|
||||
r = w.exec_params(
|
||||
"SELECT oc.client_id, oc.authorization_endpoint, oc.issuer, oc.provider, oc.sso_impl_version "
|
||||
"FROM ztc_network AS n "
|
||||
"INNER JOIN ztc_org o "
|
||||
" ON o.owner_id = n.owner_id "
|
||||
"LEFT OUTER JOIN ztc_network_oidc_config noc "
|
||||
" ON noc.network_id = n.id "
|
||||
"LEFT OUTER JOIN ztc_oidc_config oc "
|
||||
" ON noc.client_id = oc.client_id AND noc.org_id = o.org_id "
|
||||
"WHERE n.id = $1 AND n.sso_enabled = true", networkId);
|
||||
|
||||
std::string client_id = "";
|
||||
std::string authorization_endpoint = "";
|
||||
std::string issuer = "";
|
||||
std::string provider = "";
|
||||
uint64_t sso_version = 0;
|
||||
|
||||
if (r.size() == 1) {
|
||||
client_id = r.at(0)[0].as<std::string>();
|
||||
authorization_endpoint = r.at(0)[1].as<std::string>();
|
||||
issuer = r.at(0)[2].as<std::string>();
|
||||
sso_version = r.at(0)[3].as<uint64_t>();
|
||||
provider = r.at(0)[3].as<std::string>();
|
||||
sso_version = r.at(0)[4].as<uint64_t>();
|
||||
} else if (r.size() > 1) {
|
||||
fprintf(stderr, "ERROR: More than one auth endpoint for an organization?!?!? NetworkID: %s\n", networkId.c_str());
|
||||
} else {
|
||||
|
|
@ -485,18 +494,20 @@ AuthInfo PostgreSQL::getSSOAuthInfo(const nlohmann::json &member, const std::str
|
|||
} else if (info.version == 1) {
|
||||
info.ssoClientID = client_id;
|
||||
info.issuerURL = issuer;
|
||||
info.ssoProvider = provider;
|
||||
info.ssoNonce = nonce;
|
||||
info.ssoState = std::string(state_hex) + "_" +networkId;
|
||||
info.centralAuthURL = redirectURL;
|
||||
#ifdef ZT_DEBUG
|
||||
fprintf(
|
||||
stderr,
|
||||
"ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s\n",
|
||||
"ssoClientID: %s\nissuerURL: %s\nssoNonce: %s\nssoState: %s\ncentralAuthURL: %s\nprovider: %s\n",
|
||||
info.ssoClientID.c_str(),
|
||||
info.issuerURL.c_str(),
|
||||
info.ssoNonce.c_str(),
|
||||
info.ssoState.c_str(),
|
||||
info.centralAuthURL.c_str());
|
||||
info.centralAuthURL.c_str(),
|
||||
provider.c_str());
|
||||
#endif
|
||||
}
|
||||
} else {
|
||||
|
|
@ -535,15 +546,21 @@ void PostgreSQL::initializeNetworks()
|
|||
std::unordered_set<std::string> networkSet;
|
||||
|
||||
char qbuf[2048] = {0};
|
||||
sprintf(qbuf, "SELECT n.id, (EXTRACT(EPOCH FROM n.creation_time AT TIME ZONE 'UTC')*1000)::bigint as creation_time, n.capabilities, "
|
||||
sprintf(qbuf,
|
||||
"SELECT n.id, (EXTRACT(EPOCH FROM n.creation_time AT TIME ZONE 'UTC')*1000)::bigint as creation_time, n.capabilities, "
|
||||
"n.enable_broadcast, (EXTRACT(EPOCH FROM n.last_modified AT TIME ZONE 'UTC')*1000)::bigint AS last_modified, n.mtu, n.multicast_limit, n.name, n.private, n.remote_trace_level, "
|
||||
"n.remote_trace_target, n.revision, n.rules, n.tags, n.v4_assign_mode, n.v6_assign_mode, n.sso_enabled, (CASE WHEN n.sso_enabled THEN o.client_id ELSE NULL END) as client_id, "
|
||||
"(CASE WHEN n.sso_enabled THEN o.authorization_endpoint ELSE NULL END) as authorization_endpoint, d.domain, d.servers, "
|
||||
"n.remote_trace_target, n.revision, n.rules, n.tags, n.v4_assign_mode, n.v6_assign_mode, n.sso_enabled, (CASE WHEN n.sso_enabled THEN noc.client_id ELSE NULL END) as client_id, "
|
||||
"(CASE WHEN n.sso_enabled THEN oc.authorization_endpoint ELSE NULL END) as authorization_endpoint, "
|
||||
"(CASE WHEN n.sso_enabled THEN oc.provider ELSE NULL END) as provider, d.domain, d.servers, "
|
||||
"ARRAY(SELECT CONCAT(host(ip_range_start),'|', host(ip_range_end)) FROM ztc_network_assignment_pool WHERE network_id = n.id) AS assignment_pool, "
|
||||
"ARRAY(SELECT CONCAT(host(address),'/',bits::text,'|',COALESCE(host(via), 'NULL'))FROM ztc_network_route WHERE network_id = n.id) AS routes "
|
||||
"FROM ztc_network n "
|
||||
"LEFT OUTER JOIN ztc_org o "
|
||||
" ON o.owner_id = n.owner_id "
|
||||
" ON o.owner_id = n.owner_id "
|
||||
"LEFT OUTER JOIN ztc_network_oidc_config noc "
|
||||
" ON noc.network_id = n.id "
|
||||
"LEFT OUTER JOIN ztc_oidc_config oc "
|
||||
" ON noc.client_id = oc.client_id AND oc.org_id = o.org_id "
|
||||
"LEFT OUTER JOIN ztc_network_dns d "
|
||||
" ON d.network_id = n.id "
|
||||
"WHERE deleted = false AND controller_id = '%s'", _myAddressStr.c_str());
|
||||
|
|
@ -574,6 +591,7 @@ void PostgreSQL::initializeNetworks()
|
|||
, std::optional<bool> // ssoEnabled
|
||||
, std::optional<std::string> // clientId
|
||||
, std::optional<std::string> // authorizationEndpoint
|
||||
, std::optional<std::string> // ssoProvider
|
||||
, std::optional<std::string> // domain
|
||||
, std::optional<std::string> // servers
|
||||
, std::string // assignmentPoolString
|
||||
|
|
@ -610,10 +628,11 @@ void PostgreSQL::initializeNetworks()
|
|||
std::optional<bool> ssoEnabled = std::get<16>(row);
|
||||
std::optional<std::string> clientId = std::get<17>(row);
|
||||
std::optional<std::string> authorizationEndpoint = std::get<18>(row);
|
||||
std::optional<std::string> dnsDomain = std::get<19>(row);
|
||||
std::optional<std::string> dnsServers = std::get<20>(row);
|
||||
std::string assignmentPoolString = std::get<21>(row);
|
||||
std::string routesString = std::get<22>(row);
|
||||
std::optional<std::string> ssoProvider = std::get<19>(row);
|
||||
std::optional<std::string> dnsDomain = std::get<20>(row);
|
||||
std::optional<std::string> dnsServers = std::get<21>(row);
|
||||
std::string assignmentPoolString = std::get<22>(row);
|
||||
std::string routesString = std::get<23>(row);
|
||||
|
||||
config["id"] = nwid;
|
||||
config["nwid"] = nwid;
|
||||
|
|
@ -638,6 +657,7 @@ void PostgreSQL::initializeNetworks()
|
|||
config["routes"] = json::array();
|
||||
config["clientId"] = clientId.value_or("");
|
||||
config["authorizationEndpoint"] = authorizationEndpoint.value_or("");
|
||||
config["provider"] = ssoProvider.value_or("");
|
||||
|
||||
networkSet.insert(nwid);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue