[Debian-iot-packaging] [glewlwyd] 01/02: Import Upstream version 1.2.2

Thorsten Alteholz alteholz at moszumanska.debian.org
Fri Oct 13 20:53:45 UTC 2017


This is an automated email from the git hooks/post-receive script.

alteholz pushed a commit to branch master
in repository glewlwyd.

commit d90299815d115e1e4d603245fb7d5680924b1409
Author: Thorsten Alteholz <debian at alteholz.de>
Date:   Fri Oct 13 22:53:14 2017 +0200

    Import Upstream version 1.2.2
---
 INSTALL.md                                         |  34 +++-
 database/README.md                                 |  31 +++
 .../glewlwyd.init-db-only.mariadb.sql              |   0
 .../glewlwyd.init-db-only.sqlite3.sql              |   0
 glewlwyd.mariadb.sql => database/init-mariadb.sql  |  32 ++-
 .../init-sqlite3-md5.sql                           |  27 ++-
 .../init-sqlite3-sha.sql                           |  27 ++-
 .../init-sqlite3-sha256.sql                        |  27 ++-
 .../init-sqlite3-sha512.sql                        |  27 ++-
 webapp/init.sql => database/init-webapp-only.sql   |   0
 src/oauth.c                                        | 214 +++++++++++----------
 src/token.c                                        |  16 +-
 12 files changed, 318 insertions(+), 117 deletions(-)

diff --git a/INSTALL.md b/INSTALL.md
index 378fef2..48e74ca 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -109,6 +109,34 @@ Algorithms available are SHA1, SHA256, SHA512, MD5.
 
 ### Data storage backend initialisation
 
+#### TL;DR
+
+For a Mariadb/Mysql database, you must create a database or use an existing one first, example:
+
+```sql
+-- Create database and user
+CREATE DATABASE `glewlwyd`;
+GRANT ALL PRIVILEGES ON glewlwyd.* TO 'glewlwyd'@'%' identified BY 'glewlwyd';
+GRANT ALL PRIVILEGES ON glewlwyd.* TO 'glewlwyd'@'localhost' identified BY 'glewlwyd';
+FLUSH PRIVILEGES;
+```
+
+Then, use the script that fit your database backend and Digest algorithm in the [database](database) folder:
+
+- `database/init-mariadb.sql`
+- `database/init-sqlite3-md5.sql`
+- `database/init-sqlite3-sha.sql`
+- `database/init-sqlite3-sha256.sql`
+- `database/init-sqlite3-sha512.sql`
+
+##### Secuity warning!
+
+Those scripts create a valid database that allow to use glewlwyd but to avoid huge security issues, you must make 2 changes on your first connection:
+- Change the admin password when you connect to the application
+- Change the redirect_uri for the client `g_admin` with your real redirect_uri
+
+#### Detailed installation
+
 You can use a MySql/MariaDB database or a SQLite3 database file.
 Use the dedicated script, `glewlwyd.mariadb.sql` or `glewlwyd.sqlite3.sql` to initialize your database.
 
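Review bot: the 'Detailed installation' paragraph carried as trailing context in this hunk still says "Use the dedicated script, `glewlwyd.mariadb.sql` or `glewlwyd.sqlite3.sql`", but this same commit renames those files to `database/init-mariadb.sql` and `database/init-sqlite3-sha512.sql` (see the rename headers further down), so anyone following the detailed section gets a missing-file error; update the paths there as well as in the TL;DR. Two smaller points on the added text: the sub-heading reads `Secuity warning!` (Security), and the sample GRANT creates `'glewlwyd'@'%'` with the literal password `glewlwyd`, i.e. a remotely reachable database account with a guessable password; either drop the `'%'` grant from the example or state that both the host wildcard and the password are placeholders to be replaced before the server is exposed.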
@@ -144,16 +172,16 @@ $ sqlite3 /var/cache/glewlwyd/glewlwyd.db < glewlwyd.sqlite3.sql
 
 #### Register management webapp
 
-To be able to connect to the front-end application, you must register it first with the script `webapp/init.sql`. For example, run this command for the MySql/Mariadb database:
+To be able to connect to the front-end application, you must register it first with the script `database/init.sql`. For example, run this command for the MySql/Mariadb database:
 
 ```shell
-$ mysql glewlwyd < webapp/init.sql
+$ mysql glewlwyd < database/init.sql
 ```
 
 For the sqlite3 database backend, use the following command:
 
 ```shell
-$ sqlite3 /var/cache/glewlwyd/glewlwyd.db < webapp/init.sql
+$ sqlite3 /var/cache/glewlwyd/glewlwyd.db < database/init.sql
 ```
 
 ### Authentication backend configuration
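Review bot: `database/init.sql`, introduced on both changed lines of this hunk, does not exist after this commit; the file is renamed from `webapp/init.sql` to `database/init-webapp-only.sql` (last rename header in the diff), so both examples should read `$ mysql glewlwyd < database/init-webapp-only.sql` and `$ sqlite3 /var/cache/glewlwyd/glewlwyd.db < database/init-webapp-only.sql`. The sqlite3 example in this hunk's own header, `sqlite3 /var/cache/glewlwyd/glewlwyd.db < glewlwyd.sqlite3.sql`, names a file the commit also renames. It would also help to say that this registration step is only needed after a `glewlwyd.init-db-only.*.sql` script: the full `init-mariadb.sql` and `init-sqlite3-*.sql` scripts already insert the `g_admin` client and its redirect URI, so running the webapp script on top of them inserts the client twice.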
diff --git a/database/README.md b/database/README.md
new file mode 100644
index 0000000..0b7821e
--- /dev/null
+++ b/database/README.md
@@ -0,0 +1,31 @@
+# Glewlwyd database scripts
+
+This folder contains several scrpts to create or initialize the glewlwyd database.
+
+If you use a MariaDB/Mysql database, you must have a valid access to the database first. The following script shows an example of how to create a database called `glewlwyd` with a user `glewlwyd` and a password `glewlwyd` that can be accessible from remote locations or localhost:
+
+```sql
+-- Create database and user
+CREATE DATABASE `glewlwyd`;
+GRANT ALL PRIVILEGES ON glewlwyd.* TO 'glewlwyd'@'%' identified BY 'glewlwyd';
+GRANT ALL PRIVILEGES ON glewlwyd.* TO 'glewlwyd'@'localhost' identified BY 'glewlwyd';
+FLUSH PRIVILEGES;
+```
+
+## init-[mariadb|sqlite3-md5|sqlite3-sha|sqlite3-sha256|sqlite3-sha512].sql
+
+These files are databse creation and initialization scripts used for the type of database you need. The user 'admin' has the password 'password'. Once the database is set and your glewlwyd.conf file is valid, you can start the glewlwyd service and go to the webpage http[s]://localhost:4593/app/index.html.
+
+### Secuity warning!
+
+Those scripts create a valid database that allow to use glewlwyd but to avoid huge security issues, you must make 2 changes on your first connection:
+- Change the admin password when you connect to the application
+- Change the redirect_uri for the client `g_admin` with your real redirect_uri
+
+## glewlwyd.init-db-only.[mariadb|sqlite3].sql
+
+These files create an empty database with only authorization types and default scopes, but with no client or user.
+
+## init-webapp-only.sql
+
+This file creates the webapp client values to be able to connect to the admin page
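Review bot: spelling in the new README: `scrpts` (scripts), `databse` (database), and `Secuity` (Security) in the heading. On substance, the `init-*` section states the default `admin`/`password` credentials but not what the scripts register for the `g_admin` client: a relative redirect URI (`../app/index.html`) with both the `code` and `token` (implicit) grant types enabled. Since the warning asks the operator to change that URI, say what a correct value is (the absolute URL of the deployed webapp; RFC 6749 section 3.1.2 requires the registered redirection endpoint to be an absolute URI) so that the server can compare it exactly against the `redirect_uri` a client sends. The `'glewlwyd'@'%'` account with password `glewlwyd` should likewise be presented as a placeholder, not as a recommended setup, and "can be accessible from remote locations" reads as a feature where it is the risk.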
diff --git a/glewlwyd.mariadb.sql b/database/glewlwyd.init-db-only.mariadb.sql
similarity index 100%
copy from glewlwyd.mariadb.sql
copy to database/glewlwyd.init-db-only.mariadb.sql
diff --git a/glewlwyd.sqlite3.sql b/database/glewlwyd.init-db-only.sqlite3.sql
similarity index 100%
copy from glewlwyd.sqlite3.sql
copy to database/glewlwyd.init-db-only.sqlite3.sql
diff --git a/glewlwyd.mariadb.sql b/database/init-mariadb.sql
similarity index 84%
rename from glewlwyd.mariadb.sql
rename to database/init-mariadb.sql
index ca25b2c..dce24da 100644
--- a/glewlwyd.mariadb.sql
+++ b/database/init-mariadb.sql
@@ -1,9 +1,9 @@
--- Mysql/MariaDB init script
--- Create database and user
--- CREATE DATABASE `glewlwyd`;
--- GRANT ALL PRIVILEGES ON glewlwyd.* TO 'glewlwyd'@'%' identified BY 'glewlwyd';
--- FLUSH PRIVILEGES;
--- USE `glewlwyd`;
+-- ----------------------------------------------------- --
+--              Mariadb/Mysql Database                   --
+-- Initialize Glewlwyd Database for the backend server   --
+-- The administration client app                         --
+-- And the default user 'admin' with password 'password' --
+-- ----------------------------------------------------- --
 
 DROP TABLE IF EXISTS `g_refresh_token_scope`;
 DROP TABLE IF EXISTS `g_code_scope`;
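Review bot: removing the commented-out `USE `glewlwyd`;` along with the CREATE DATABASE/GRANT lines means the script no longer carries any hint of which database it targets; it is correct only when the caller names it (`mysql glewlwyd < database/init-mariadb.sql`, as INSTALL.md shows). Since the script opens with a series of `DROP TABLE IF EXISTS`, add one line to the new header saying the database must be selected first, so that someone sourcing it from an interactive `mysql` prompt does not drop tables in whatever schema happens to be current.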
@@ -225,6 +225,8 @@ CREATE TABLE `g_refresh_token_scope` (
   FOREIGN KEY(`gs_id`) REFERENCES `g_scope`(`gs_id`) ON DELETE CASCADE
 );
 
+-- Initialize authorization types
+
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('authorization_code', 0, 'Authorization Code Grant - Access token: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('code', 1, 'Authorization Code Grant - Authorization: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('token', 2, 'Implicit Grant: https://tools.ietf.org/html/rfc6749#section-4.2');
@@ -232,3 +234,21 @@ INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('client_credentials', 4, 'Client Credentials Grant: https://tools.ietf.org/html/rfc6749#section-4.4');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create default scopes
+
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create Glewlwyd administration application client connection
+
+INSERT INTO g_client (gc_name, gc_description, gc_client_id) VALUES ('admin app', 'Glewlwyd administration app', 'g_admin');
+INSERT INTO g_redirect_uri (gru_name, gru_uri, gc_id) VALUES ('uri_g_admin', '../app/index.html', (SELECT gc_id from g_client WHERE gc_client_id='g_admin'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='code'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='token'));
+
+-- Create admin user with admin scope
+
+INSERT INTO g_user (gu_login, gu_name, gu_email, gu_password, gu_enabled) VALUES ('admin', 'The Boss', 'boss at glewlwyd.domain', PASSWORD('password'), 1);
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_admin'));
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_profile'));
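Review bot: the two `INSERT INTO g_scope` statements added under `-- Create default scopes` duplicate the two unchanged ones immediately above them (visible as context at the top of this hunk), so `g_admin` and `g_profile` are inserted twice. If `gs_name` carries a unique index the script aborts at that point; if it does not, the scalar subqueries `(SELECT gs_id from g_scope WHERE gs_name='g_admin')` in the `g_user_scope` inserts match two rows, which MariaDB rejects with "Subquery returns more than 1 row", and the admin user ends up with no scopes. Delete one of the two pairs. Two further points on the added lines: `PASSWORD('password')` is deprecated since MySQL 5.7 and removed in MySQL 8.0, so if the server's login query depends on the same function this needs a note for MySQL (as opposed to MariaDB) users; and the default `admin`/`password` credential is only flagged in the README, while the header comment of this file states it without the must-change warning.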
diff --git a/glewlwyd.sqlite3.sql b/database/init-sqlite3-md5.sql
similarity index 85%
copy from glewlwyd.sqlite3.sql
copy to database/init-sqlite3-md5.sql
index 6006730..9121a78 100644
--- a/glewlwyd.sqlite3.sql
+++ b/database/init-sqlite3-md5.sql
@@ -1,4 +1,9 @@
--- SQlite3 init script
+-- ----------------------------------------------------- --
+--          Sqlite3 Database/MD5 encoding                --
+-- Initialize Glewlwyd Database for the backend server   --
+-- The administration client app                         --
+-- And the default user 'admin' with password 'password' --
+-- ----------------------------------------------------- --
 
 DROP TABLE IF EXISTS `g_refresh_token_scope`;
 DROP TABLE IF EXISTS `g_code_scope`;
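Review bot: this file, and its sha/sha256/sha512 siblings, are whole copies of `glewlwyd.sqlite3.sql` that differ only in this header and in the admin-user `INSERT` at the end, so every future schema change has to be replicated across five files (counting `glewlwyd.init-db-only.sqlite3.sql`). Consider one schema script plus a short per-digest admin-user script. Also "MD5 encoding" in the header should read "MD5 digest": the value stored is a hash, not an encoding.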
@@ -239,6 +244,8 @@ CREATE TABLE `g_refresh_token_scope` (
 );
 CREATE INDEX `i_g_refresh_token_scope` ON `g_refresh_token_scope`(`grts_id`);
 
+-- Initialize authorization types
+
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('authorization_code', 0, 'Authorization Code Grant - Access token: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('code', 1, 'Authorization Code Grant - Authorization: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('token', 2, 'Implicit Grant: https://tools.ietf.org/html/rfc6749#section-4.2');
@@ -246,3 +253,21 @@ INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('client_credentials', 4, 'Client Credentials Grant: https://tools.ietf.org/html/rfc6749#section-4.4');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create default scopes
+
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create Glewlwyd administration application client connection
+
+INSERT INTO g_client (gc_name, gc_description, gc_client_id) VALUES ('admin app', 'Glewlwyd administration app', 'g_admin');
+INSERT INTO g_redirect_uri (gru_name, gru_uri, gc_id) VALUES ('uri_g_admin', '../app/index.html', (SELECT gc_id from g_client WHERE gc_client_id='g_admin'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='code'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='token'));
+
+-- Create admin user with admin scope
+
+INSERT INTO g_user (gu_login, gu_name, gu_email, gu_password, gu_enabled) VALUES ('admin', 'The Boss', 'boss at glewlwyd.domain', '{MD5}X03MO1qnZdYdgyfeuILPmQ==', 1);
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_admin'));
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_profile'));
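Review bot: the same duplicated `INSERT INTO g_scope` pair as in `init-mariadb.sql` appears here: the two added lines under `-- Create default scopes` repeat the two unchanged lines above them. SQLite does not reject a scalar subquery that matches several rows; it silently uses the first, so this script appears to work while leaving two `g_admin` and two `g_profile` rows in `g_scope`, which any later "one row per scope name" assumption will trip over. Remove one pair. On the admin row, `{MD5}X03MO1qnZdYdgyfeuILPmQ==` is the base64 of the unsalted MD5 of `password`; anyone who can read the database file recovers the credential from a lookup table, so the README's "change the admin password on first connection" belongs in this file's header as well, and the MD5 variant should be presented as a compatibility option rather than an equal choice.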
diff --git a/glewlwyd.sqlite3.sql b/database/init-sqlite3-sha.sql
similarity index 85%
copy from glewlwyd.sqlite3.sql
copy to database/init-sqlite3-sha.sql
index 6006730..0cbb324 100644
--- a/glewlwyd.sqlite3.sql
+++ b/database/init-sqlite3-sha.sql
@@ -1,4 +1,9 @@
--- SQlite3 init script
+-- ----------------------------------------------------- --
+--          Sqlite3 Database/SHA encoding                --
+-- Initialize Glewlwyd Database for the backend server   --
+-- The administration client app                         --
+-- And the default user 'admin' with password 'password' --
+-- ----------------------------------------------------- --
 
 DROP TABLE IF EXISTS `g_refresh_token_scope`;
 DROP TABLE IF EXISTS `g_code_scope`;
@@ -239,6 +244,8 @@ CREATE TABLE `g_refresh_token_scope` (
 );
 CREATE INDEX `i_g_refresh_token_scope` ON `g_refresh_token_scope`(`grts_id`);
 
+-- Initialize authorization types
+
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('authorization_code', 0, 'Authorization Code Grant - Access token: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('code', 1, 'Authorization Code Grant - Authorization: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('token', 2, 'Implicit Grant: https://tools.ietf.org/html/rfc6749#section-4.2');
@@ -246,3 +253,21 @@ INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('client_credentials', 4, 'Client Credentials Grant: https://tools.ietf.org/html/rfc6749#section-4.4');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create default scopes
+
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create Glewlwyd administration application client connection
+
+INSERT INTO g_client (gc_name, gc_description, gc_client_id) VALUES ('admin app', 'Glewlwyd administration app', 'g_admin');
+INSERT INTO g_redirect_uri (gru_name, gru_uri, gc_id) VALUES ('uri_g_admin', '../app/index.html', (SELECT gc_id from g_client WHERE gc_client_id='g_admin'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='code'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='token'));
+
+-- Create admin user with admin scope
+
+INSERT INTO g_user (gu_login, gu_name, gu_email, gu_password, gu_enabled) VALUES ('admin', 'The Boss', 'boss at glewlwyd.domain', '{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=', 1);
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_admin'));
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_profile'));
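Review bot: same duplicated `g_scope` inserts as in the md5 variant (the added `-- Create default scopes` pair repeats the unchanged pair above it); fix it here too and keep the four sqlite3 variants in sync. `{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=` is the unsalted SHA-1 of `password`, so the same first-login warning applies, and SHA-1 is not a digest a new deployment should be steered to by a TL;DR that lists it alongside sha256/sha512 without comment.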
diff --git a/glewlwyd.sqlite3.sql b/database/init-sqlite3-sha256.sql
similarity index 85%
copy from glewlwyd.sqlite3.sql
copy to database/init-sqlite3-sha256.sql
index 6006730..eb49d78 100644
--- a/glewlwyd.sqlite3.sql
+++ b/database/init-sqlite3-sha256.sql
@@ -1,4 +1,9 @@
--- SQlite3 init script
+-- ----------------------------------------------------- --
+--         Sqlite3 Database/SHA256 encoding              --
+-- Initialize Glewlwyd Database for the backend server   --
+-- The administration client app                         --
+-- And the default user 'admin' with password 'password' --
+-- ----------------------------------------------------- --
 
 DROP TABLE IF EXISTS `g_refresh_token_scope`;
 DROP TABLE IF EXISTS `g_code_scope`;
@@ -239,6 +244,8 @@ CREATE TABLE `g_refresh_token_scope` (
 );
 CREATE INDEX `i_g_refresh_token_scope` ON `g_refresh_token_scope`(`grts_id`);
 
+-- Initialize authorization types
+
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('authorization_code', 0, 'Authorization Code Grant - Access token: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('code', 1, 'Authorization Code Grant - Authorization: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('token', 2, 'Implicit Grant: https://tools.ietf.org/html/rfc6749#section-4.2');
@@ -246,3 +253,21 @@ INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('client_credentials', 4, 'Client Credentials Grant: https://tools.ietf.org/html/rfc6749#section-4.4');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create default scopes
+
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create Glewlwyd administration application client connection
+
+INSERT INTO g_client (gc_name, gc_description, gc_client_id) VALUES ('admin app', 'Glewlwyd administration app', 'g_admin');
+INSERT INTO g_redirect_uri (gru_name, gru_uri, gc_id) VALUES ('uri_g_admin', '../app/index.html', (SELECT gc_id from g_client WHERE gc_client_id='g_admin'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='code'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='token'));
+
+-- Create admin user with admin scope
+
+INSERT INTO g_user (gu_login, gu_name, gu_email, gu_password, gu_enabled) VALUES ('admin', 'The Boss', 'boss at glewlwyd.domain', '{SHA256}XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=', 1);
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_admin'));
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_profile'));
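Review bot: duplicated `g_scope` inserts again, with the same fix. Switching the digest to SHA-256 does not change the exposure of the default account: `{SHA256}XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=` is still the unsalted hash of the dictionary word `password`, so the stronger algorithm buys nothing until the operator changes it; the README should not read as if picking sha256 or sha512 makes the shipped credential acceptable.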
diff --git a/glewlwyd.sqlite3.sql b/database/init-sqlite3-sha512.sql
similarity index 85%
rename from glewlwyd.sqlite3.sql
rename to database/init-sqlite3-sha512.sql
index 6006730..e43128c 100644
--- a/glewlwyd.sqlite3.sql
+++ b/database/init-sqlite3-sha512.sql
@@ -1,4 +1,9 @@
--- SQlite3 init script
+-- ----------------------------------------------------- --
+--         Sqlite3 Database/SHA512 encoding              --
+-- Initialize Glewlwyd Database for the backend server   --
+-- The administration client app                         --
+-- And the default user 'admin' with password 'password' --
+-- ----------------------------------------------------- --
 
 DROP TABLE IF EXISTS `g_refresh_token_scope`;
 DROP TABLE IF EXISTS `g_code_scope`;
@@ -239,6 +244,8 @@ CREATE TABLE `g_refresh_token_scope` (
 );
 CREATE INDEX `i_g_refresh_token_scope` ON `g_refresh_token_scope`(`grts_id`);
 
+-- Initialize authorization types
+
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('authorization_code', 0, 'Authorization Code Grant - Access token: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('code', 1, 'Authorization Code Grant - Authorization: https://tools.ietf.org/html/rfc6749#section-4.1');
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('token', 2, 'Implicit Grant: https://tools.ietf.org/html/rfc6749#section-4.2');
@@ -246,3 +253,21 @@ INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('
 INSERT INTO g_authorization_type (got_name, got_code, got_description) VALUES ('client_credentials', 4, 'Client Credentials Grant: https://tools.ietf.org/html/rfc6749#section-4.4');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
 INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create default scopes
+
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_admin', 'Glewlwyd admin scope');
+INSERT INTO g_scope (gs_name, gs_description) VALUES ('g_profile', 'Glewlwyd profile scope');
+
+-- Create Glewlwyd administration application client connection
+
+INSERT INTO g_client (gc_name, gc_description, gc_client_id) VALUES ('admin app', 'Glewlwyd administration app', 'g_admin');
+INSERT INTO g_redirect_uri (gru_name, gru_uri, gc_id) VALUES ('uri_g_admin', '../app/index.html', (SELECT gc_id from g_client WHERE gc_client_id='g_admin'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='code'));
+INSERT INTO g_client_authorization_type (gc_client_id, got_id) VALUES ('g_admin', (SELECT got_id from g_authorization_type WHERE got_name='token'));
+
+-- Create admin user with admin scope
+
+INSERT INTO g_user (gu_login, gu_name, gu_email, gu_password, gu_enabled) VALUES ('admin', 'The Boss', 'boss at glewlwyd.domain', '{SHA512}sQnzu7wkTrgkQZF+0G1hi5AI3Qmzvv0bXgc5THBqi7mAsdd4Xll27ASbRt9fEyavWi6m0QP9B8lThf+rDKy8hg==', 1);
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_admin'));
+INSERT INTO g_user_scope (gu_id, gs_id) VALUES ((SELECT gu_id from g_user WHERE gu_login='admin'), (SELECT gs_id from g_scope WHERE gs_name='g_profile'));
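Review bot: this variant is a rename of `glewlwyd.sqlite3.sql` rather than a copy, so after this commit that file no longer exists, while INSTALL.md still tells sqlite3 users to run `sqlite3 /var/cache/glewlwyd/glewlwyd.db < glewlwyd.sqlite3.sql` (hunk header of that file's second hunk) and its detailed section still names `glewlwyd.sqlite3.sql`; update those references. The added `-- Create default scopes` pair duplicates the unchanged `g_scope` inserts above it, as in the other three sqlite3 variants.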
diff --git a/webapp/init.sql b/database/init-webapp-only.sql
similarity index 100%
rename from webapp/init.sql
rename to database/init-webapp-only.sql
diff --git a/src/oauth.c b/src/oauth.c
index 6fba57b..a7d9a03 100644
--- a/src/oauth.c
+++ b/src/oauth.c
@@ -452,7 +452,7 @@ int check_auth_type_client_credentials_grant (const struct _u_request * request,
 int get_access_token_from_refresh (const struct _u_request * request, struct _u_response * response, void * user_data) {
   struct config_elements * config = (struct config_elements *)user_data;
   char * access_token, * token_hash, * clause_expired_at, * last_seen_value, * scope, * scope_list_save, * scope_escaped, * scope_list_escaped = NULL, * saveptr = NULL, * clause_scope_list, * new_scope_list = NULL, * tmp;
-  json_t * j_query, * j_result = NULL, * j_result2 = NULL, * j_element, * j_auth = NULL;
+  json_t * j_query, * j_result = NULL, * j_result2 = NULL, * j_element, * j_auth = NULL, * j_user;
   size_t index;
   int res;
   const char * refresh_token = u_map_get(request->map_post_body, "refresh_token");
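Review bot: `j_user` is added to the declaration without an initialiser while the neighbouring `j_result`, `j_result2` and `j_auth` default to NULL; harmless as long as every path that reaches a `json_decref(j_user)` assigns it first, but initialising it to NULL keeps the cleanup at the end of `get_access_token_from_refresh` uniform and safe if a later edit adds an early return.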
@@ -502,122 +502,134 @@ int get_access_token_from_refresh (const struct _u_request * request, struct _u_
       json_decref(j_query);
       if (res == H_OK && json_array_size(j_result) > 0) {
         if (!jwt_decode(&jwt, refresh_token, (const unsigned char *)config->jwt_decode_key, strlen(config->jwt_decode_key)) && jwt_get_alg(jwt) == jwt_get_alg(config->jwt)) {
-          last_seen_value = msprintf(config->conn->type==HOEL_DB_TYPE_MARIADB?"FROM_UNIXTIME(%d)":"%d", now);
-          j_query = json_pack("{sss{s{ss}}s{ss}}",
-                              "table",
-                              GLEWLWYD_TABLE_REFRESH_TOKEN,
-                              "set",
-                                "grt_last_seen",
-                                  "raw",
-                                  last_seen_value,
-                              "where",
-                                "grt_hash",
-                                token_hash);
-          o_free(last_seen_value);
-          res = h_update(config->conn, j_query, NULL);
-          json_decref(j_query);
-          if (res == H_OK) {
-            if (config->use_scope) {
-              // Get scope
-              if (u_map_get(request->map_post_body, "scope") != NULL) {
-                scope_list_save = o_strdup(u_map_get(request->map_post_body, "scope"));
-                scope = strtok_r(scope_list_save, " ", &saveptr);
-                while (scope != NULL) {
-                  scope_escaped = h_escape_string(config->conn, scope);
-                  if (scope_list_escaped == NULL) {
-                    scope_list_escaped = msprintf("'%s'", scope_escaped);
-                  } else {
-                    tmp = msprintf("%s,'%s'", scope_list_escaped, scope_escaped);
-                    o_free(scope_list_escaped);
-                    scope_list_escaped = tmp;
-                  }
-                  o_free(scope_escaped);
-                  scope = strtok_r(NULL, " ", &saveptr);
-                }
-                clause_scope_list = msprintf("IN (SELECT `gs_id` FROM `%s` WHERE `grt_id` = (SELECT `grt_id` FROM `%s` WHERE `grt_hash` = '%s' AND `grt_enabled` = 1) AND `gs_id` IN (SELECT `gs_id` FROM `%s` WHERE `gs_name` IN (%s)))", GLEWLWYD_TABLE_REFRESH_TOKEN_SCOPE, GLEWLWYD_TABLE_REFRESH_TOKEN, token_hash, GLEWLWYD_TABLE_SCOPE, scope_list_escaped);
-                o_free(scope_list_save);
-                o_free(scope_list_escaped);
-              } else {
-                clause_scope_list = msprintf("IN (SELECT `gs_id` FROM `%s` WHERE `grt_id` = (SELECT `grt_id` FROM `%s` WHERE `grt_hash` = '%s' AND `grt_enabled` = 1))", GLEWLWYD_TABLE_REFRESH_TOKEN_SCOPE, GLEWLWYD_TABLE_REFRESH_TOKEN, token_hash);
-              }
-              j_query = json_pack("{sss[s]s{s{ssss}}}",
+          j_user = get_user(config, jwt_get_grant(jwt, "username"), NULL);
+          if (check_result_value(j_user, G_OK)) {
+            if (json_object_get(json_object_get(j_user, "user"), "enabled") == json_true()) {
+              last_seen_value = msprintf(config->conn->type==HOEL_DB_TYPE_MARIADB?"FROM_UNIXTIME(%d)":"%d", now);
+              j_query = json_pack("{sss{s{ss}}s{ss}}",
                                   "table",
-                                  GLEWLWYD_TABLE_SCOPE,
-                                  "columns",
-                                    "gs_name",
-                                  "where",
-                                    "gs_id",
-                                      "operator",
+                                  GLEWLWYD_TABLE_REFRESH_TOKEN,
+                                  "set",
+                                    "grt_last_seen",
                                       "raw",
-                                      "value",
-                                      clause_scope_list);
-              o_free(clause_scope_list);
-              res = h_select(config->conn, j_query, &j_result2, NULL);
+                                      last_seen_value,
+                                  "where",
+                                    "grt_hash",
+                                    token_hash);
+              o_free(last_seen_value);
+              res = h_update(config->conn, j_query, NULL);
               json_decref(j_query);
-              if (res == H_OK && json_array_size(j_result2) > 0) {
-                json_array_foreach(j_result2, index, j_element) {
-                  if (new_scope_list == NULL) {
-                    new_scope_list = o_strdup(json_string_value(json_object_get(j_element, "gs_name")));
+              if (res == H_OK) {
+                if (config->use_scope) {
+                  // Get scope
+                  if (u_map_get(request->map_post_body, "scope") != NULL) {
+                    scope_list_save = o_strdup(u_map_get(request->map_post_body, "scope"));
+                    scope = strtok_r(scope_list_save, " ", &saveptr);
+                    while (scope != NULL) {
+                      scope_escaped = h_escape_string(config->conn, scope);
+                      if (scope_list_escaped == NULL) {
+                        scope_list_escaped = msprintf("'%s'", scope_escaped);
+                      } else {
+                        tmp = msprintf("%s,'%s'", scope_list_escaped, scope_escaped);
+                        o_free(scope_list_escaped);
+                        scope_list_escaped = tmp;
+                      }
+                      o_free(scope_escaped);
+                      scope = strtok_r(NULL, " ", &saveptr);
+                    }
+                    clause_scope_list = msprintf("IN (SELECT `gs_id` FROM `%s` WHERE `grt_id` = (SELECT `grt_id` FROM `%s` WHERE `grt_hash` = '%s' AND `grt_enabled` = 1) AND `gs_id` IN (SELECT `gs_id` FROM `%s` WHERE `gs_name` IN (%s)))", GLEWLWYD_TABLE_REFRESH_TOKEN_SCOPE, GLEWLWYD_TABLE_REFRESH_TOKEN, token_hash, GLEWLWYD_TABLE_SCOPE, scope_list_escaped);
+                    o_free(scope_list_save);
+                    o_free(scope_list_escaped);
                   } else {
-                    tmp = msprintf("%s %s", new_scope_list, json_string_value(json_object_get(j_element, "gs_name")));
+                    clause_scope_list = msprintf("IN (SELECT `gs_id` FROM `%s` WHERE `grt_id` = (SELECT `grt_id` FROM `%s` WHERE `grt_hash` = '%s' AND `grt_enabled` = 1))", GLEWLWYD_TABLE_REFRESH_TOKEN_SCOPE, GLEWLWYD_TABLE_REFRESH_TOKEN, token_hash);
+                  }
+                  j_query = json_pack("{sss[s]s{s{ssss}}}",
+                                      "table",
+                                      GLEWLWYD_TABLE_SCOPE,
+                                      "columns",
+                                        "gs_name",
+                                      "where",
+                                        "gs_id",
+                                          "operator",
+                                          "raw",
+                                          "value",
+                                          clause_scope_list);
+                  o_free(clause_scope_list);
+                  res = h_select(config->conn, j_query, &j_result2, NULL);
+                  json_decref(j_query);
+                  if (res == H_OK && json_array_size(j_result2) > 0) {
+                    json_array_foreach(j_result2, index, j_element) {
+                      if (new_scope_list == NULL) {
+                        new_scope_list = o_strdup(json_string_value(json_object_get(j_element, "gs_name")));
+                      } else {
+                        tmp = msprintf("%s %s", new_scope_list, json_string_value(json_object_get(j_element, "gs_name")));
+                        o_free(new_scope_list);
+                        new_scope_list = tmp;
+                      }
+                    }
+                    access_token = generate_access_token(config, refresh_token, jwt_get_grant(jwt, "username"), GLEWLWYD_AUHORIZATION_TYPE_REFRESH_TOKEN, ip_source, new_scope_list, now);
                     o_free(new_scope_list);
-                    new_scope_list = tmp;
+                    if (access_token != NULL) {
+                      json_body = json_pack("{sssssisi}",
+                                                      "access_token",
+                                                      access_token,
+                                                      "token_type",
+                                                      "bearer",
+                                                      "expires_in",
+                                                      config->access_token_expiration,
+                                                      "iat",
+                                                      now);
+                      ulfius_set_json_body_response(response, 200, json_body);
+                    } else {
+                      y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error generating access_token");
+                      json_body = json_pack("{ss}", "error", "server_error");
+                      ulfius_set_json_body_response(response, 500, json_body);
+                    }
+                    o_free(access_token);
+                  } else if (res != H_OK) {
+                    y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error database while validating refresh_token");
+                    json_body = json_pack("{ss}", "error", "server_error");
+                    ulfius_set_json_body_response(response, 500, json_body);
+                  } else {
+                    json_body = json_pack("{ss}", "error", "invalid_scope");
+                    ulfius_set_json_body_response(response, 400, json_body);
                   }
-                }
-                access_token = generate_access_token(config, refresh_token, jwt_get_grant(jwt, "username"), GLEWLWYD_AUHORIZATION_TYPE_REFRESH_TOKEN, ip_source, new_scope_list, now);
-                o_free(new_scope_list);
-                if (access_token != NULL) {
-                  json_body = json_pack("{sssssisi}",
-                                                  "access_token",
-                                                  access_token,
-                                                  "token_type",
-                                                  "bearer",
-                                                  "expires_in",
-                                                  config->access_token_expiration,
-                                                  "iat",
-                                                  now);
-                  ulfius_set_json_body_response(response, 200, json_body);
+                  json_decref(j_result2);
                 } else {
-                  y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error generating access_token");
-                  json_body = json_pack("{ss}", "error", "server_error");
-                  ulfius_set_json_body_response(response, 500, json_body);
+                  access_token = generate_access_token(config, refresh_token, jwt_get_grant(jwt, "username"), GLEWLWYD_AUHORIZATION_TYPE_REFRESH_TOKEN, ip_source, new_scope_list, now);
+                  o_free(new_scope_list);
+                  if (access_token != NULL) {
+                    json_body = json_pack("{sssssisi}",
+                                                    "access_token",
+                                                    access_token,
+                                                    "token_type",
+                                                    "bearer",
+                                                    "expires_in",
+                                                    config->access_token_expiration,
+                                                    "iat",
+                                                    now);
+                    ulfius_set_json_body_response(response, 200, json_body);
+                  } else {
+                    y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error generating access_token");
+                    json_body = json_pack("{ss}", "error", "server_error");
+                    ulfius_set_json_body_response(response, 500, json_body);
+                  }
+                  o_free(access_token);
                 }
-                o_free(access_token);
-              } else if (res != H_OK) {
-                y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error database while validating refresh_token");
-                json_body = json_pack("{ss}", "error", "server_error");
-                ulfius_set_json_body_response(response, 500, json_body);
-              } else {
-                json_body = json_pack("{ss}", "error", "invalid_scope");
-                ulfius_set_json_body_response(response, 400, json_body);
-              }
-              json_decref(j_result2);
-            } else {
-              access_token = generate_access_token(config, refresh_token, jwt_get_grant(jwt, "username"), GLEWLWYD_AUHORIZATION_TYPE_REFRESH_TOKEN, ip_source, new_scope_list, now);
-              o_free(new_scope_list);
-              if (access_token != NULL) {
-                json_body = json_pack("{sssssisi}",
-                                                "access_token",
-                                                access_token,
-                                                "token_type",
-                                                "bearer",
-                                                "expires_in",
-                                                config->access_token_expiration,
-                                                "iat",
-                                                now);
-                ulfius_set_json_body_response(response, 200, json_body);
               } else {
-                y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error generating access_token");
+                y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error updating grt_last_seen");
                 json_body = json_pack("{ss}", "error", "server_error");
                 ulfius_set_json_body_response(response, 500, json_body);
               }
-              o_free(access_token);
+            } else {
+              json_body = json_pack("{ss}", "error", "access_denied");
+              ulfius_set_json_body_response(response, 401, json_body);
             }
           } else {
-            y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error updating grt_last_seen");
             json_body = json_pack("{ss}", "error", "server_error");
             ulfius_set_json_body_response(response, 500, json_body);
-            }
+          }
+          json_decref(j_user);
         } else {
           y_log_message(Y_LOG_LEVEL_ERROR, "get_access_token_from_refresh - Error decoding refresh_token");
           json_body = json_pack("{ss}", "error", "server_error");
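Review bot: the scope sub-select at the top of the hunk interpolates `token_hash` straight into the SQL text (`... WHERE `grt_hash` = '%s' AND `grt_enabled` = 1`) and then hands it to hoel through the `"operator", "raw"` where clause, so the library's escaping is bypassed for that value. The hash is server-derived from a digest, so it is not attacker-controlled today, but the query's safety then rests on how the hash happens to be encoded rather than on the query itself; pass `token_hash` through hoel's h_escape_string() before the msprintf (or look `grt_id` up with a normal hoel where clause and only put the resulting id list in the raw `IN (...)`) so a later change to the hash encoding cannot turn this into an injection. Two smaller points: the new `access_denied` / 401 branch near the bottom does not follow RFC 6749 §5.2, which has the token endpoint answer a refresh token it will not honour with HTTP 400 and `invalid_grant` (401 is reserved for failed client authentication); and the 200/500 response construction after generate_access_token() is now repeated verbatim in both the scope-list branch and the plain branch, so a small helper would keep the two paths from drifting apart.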
diff --git a/src/token.c b/src/token.c
index f949109..4dfcb25 100644
--- a/src/token.c
+++ b/src/token.c
@@ -501,8 +501,8 @@ char * generate_authorization_code(struct config_elements * config, const char *
  * Validates if a session token is valid
  */
 json_t * session_check(struct config_elements * config, const char * session_value) {
-  json_t * j_query, * j_result, * j_return, * j_grants;
-  char * session_hash, * clause_expired_at, * grants;
+  json_t * j_query, * j_result, * j_return, * j_grants = NULL, * j_user;
+  char * session_hash, * clause_expired_at, * grants = NULL;
   const char * type;
   int res;
   jwt_t * jwt = NULL;
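Review bot: `j_user` is the one new declaration left without an initializer while `j_grants` and `grants` both gain `= NULL` here. In the second hunk it is assigned immediately before its single use, so this is only a consistency point, but giving it `= NULL` as well keeps any later unconditional json_decref() safe if the control flow below is rearranged.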
@@ -558,7 +558,17 @@ json_t * session_check(struct config_elements * config, const char * session_val
               j_grants = json_loads(grants, JSON_DECODE_ANY, NULL);
               o_free(grants);
               if (j_grants != NULL) {
-                j_return = json_pack("{siso}", "result", G_OK, "grants", j_grants);
+                j_user = get_user(config, jwt_get_grant(jwt, "username"), NULL);
+                if (check_result_value(j_user, G_OK)) {
+                  if (json_object_get(json_object_get(j_user, "user"), "enabled") == json_true()) {
+                    j_return = json_pack("{siso}", "result", G_OK, "grants", j_grants);
+                  } else {
+                    j_return = json_pack("{si}", "result", G_ERROR_UNAUTHORIZED);
+                  }
+                } else {
+                  j_return = json_pack("{si}", "result", G_ERROR);
+                }
+                json_decref(j_user);
               } else {
                 j_return = json_pack("{si}", "result", G_ERROR);
               }
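Review bot: the two new failure branches leak `j_grants`. It is created by json_loads() at the top of the hunk, and only the G_OK json_pack with `so` takes ownership of it; the `G_ERROR_UNAUTHORIZED` and `G_ERROR` returns leave it allocated with no json_decref() in sight (if a cleanup outside the hunk does free it, the `so` path would then double-free, so one of the two must give). Either add `json_decref(j_grants);` in those two branches, or pack with `sO` and decref `j_grants` once after the if/else. Separately, `json_object_get(...) == json_true()` works because jansson hands out a singleton for true, but json_is_true() is the idiomatic spelling. The check itself is the right fix: a session stops validating as soon as the account is disabled instead of living on until it expires.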

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-iot/glewlwyd.git



More information about the Debian-iot-packaging mailing list