From 15c6e2ec70b4c43e04e1d79d9743c535c6a530a0 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Tue, 15 Nov 2016 14:06:25 -0800
Subject: Fix member deauthorization time threshold bug.
---
 controller/EmbeddedNetworkController.cpp | 50 +++++++++++++++++---------------
 controller/EmbeddedNetworkController.hpp | 2 ++
 2 files changed, 28 insertions(+), 24 deletions(-)
diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 7f885b4e..b2ca732a 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -697,6 +697,8 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 const bool newAuth = _jB(b["authorized"],false);
 if (newAuth != _jB(member["authorized"],false)) {
 member["authorized"] = newAuth;
+ member[((newAuth) ? "lastAuthorizedTime" : "lastDeauthorizedTime")] = now;
+
 json ah;
 ah["a"] = newAuth;
 ah["by"] = "api";
@@ -1278,23 +1280,14 @@ void EmbeddedNetworkController::_request(
 // Determine whether and how member is authorized
 const char *authorizedBy = (const char *)0;
+ bool autoAuthorized = false;
+ json autoAuthCredentialType,autoAuthCredential;
 if (_jB(member["authorized"],false)) {
 authorizedBy = "memberIsAuthorized";
 } else if (!_jB(network["private"],true)) {
 authorizedBy = "networkIsPublic";
- if (!member.count("authorized")) {
- member["authorized"] = true;
- json ah;
- ah["a"] = true;
- ah["by"] = authorizedBy;
- ah["ts"] = now;
- ah["ct"] = json();
- ah["c"] = json();
- member["authHistory"].push_back(ah);
- member["lastModified"] = now;
- json &revj = member["revision"];
- member["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
- }
+ if (!member.count("authorized"))
+ autoAuthorized = true;
 } else {
 char presentedAuth[512];
 if (metaData.get(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_AUTH,presentedAuth,sizeof(presentedAuth)) > 0) {
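Review bot: In the `_request` hunk at `@@ -1278,23 +1280,14 @@`, the new `json autoAuthCredentialType,autoAuthCredential;` declaration relies on a default-constructed `json` being null to reproduce the `ah["ct"] = json(); ah["c"] = json();` values that the removed public-network code wrote, and nothing on the line says so. I would add a comment such as `// both stay null unless a presented credential (e.g. a token) granted access`, so a later edit does not initialise them to something that then lands in `authHistory`. The added `if (!member.count("authorized"))` is also the only brace-less `if` visible in this hunk; bracing it keeps the one-statement body from being extended by accident. `_request` starts and ends outside the hunk.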
@@ -1329,17 +1322,9 @@ void EmbeddedNetworkController::_request(
 }
 if (usable) {
 authorizedBy = "token";
- member["authorized"] = true;
- json ah;
- ah["a"] = true;
- ah["by"] = authorizedBy;
- ah["ts"] = now;
- ah["ct"] = "token";
- ah["c"] = tstr;
- member["authHistory"].push_back(ah);
- member["lastModified"] = now;
- json &revj = member["revision"];
- member["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
+ autoAuthorized = true;
+ autoAuthCredentialType = "token";
+ autoAuthCredential = tstr;
 }
 }
 }
@@ -1349,6 +1334,23 @@ void EmbeddedNetworkController::_request(
 }
 }
+ // If we auto-authorized, update member record
+ if ((autoAuthorized)&&(authorizedBy)) {
+ member["authorized"] = true;
+ member["lastAuthorizedTime"] = now;
+
+ json ah;
+ ah["a"] = true;
+ ah["by"] = authorizedBy;
+ ah["ts"] = now;
+ ah["ct"] = autoAuthCredentialType;
+ ah["c"] = autoAuthCredential;
+ member["authHistory"].push_back(ah);
+
+ json &revj = member["revision"];
+ member["revision"] = (revj.is_number() ? ((uint64_t)revj + 1ULL) : 1ULL);
+ }
+
 // Log this request
 if (requestPacketId) { // only log if this is a request, not for generated pushes
 json rlEntry = json::object();
diff --git a/controller/EmbeddedNetworkController.hpp b/controller/EmbeddedNetworkController.hpp
index 0169b1d3..cde6522d 100644
--- a/controller/EmbeddedNetworkController.hpp
+++ b/controller/EmbeddedNetworkController.hpp
@@ -145,6 +145,8 @@ private:
 if (!member.count("creationTime")) member["creationTime"] = OSUtils::now();
 if (!member.count("noAutoAssignIps")) member["noAutoAssignIps"] = false;
 if (!member.count("revision")) member["revision"] = 0ULL;
+ if (!member.count("lastDeauthorizedTime")) member["lastDeauthorizedTime"] = 0ULL;
+ if (!member.count("lastAuthorizedTime")) member["lastAuthorizedTime"] = 0ULL;
 member["objtype"] = "member";
 }
 inline void _initNetwork(nlohmann::json &network)
--
cgit v1.2.3
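Review bot: In the `_request` hunk at `@@ -1349,6 +1334,23 @@`, the consolidated auto-authorization block no longer sets `member["lastModified"] = now;`, which both removed inline copies (the public-network branch and the token branch) did next to the revision bump. Unless something later in `_request` or the write path refreshes it, an auto-authorized member would carry a bumped `revision` and a fresh `lastAuthorizedTime` next to a stale `lastModified`. If the drop is deliberate, a one-line comment should say so; otherwise add `member["lastModified"] = now;` before the `revision` update. `_request` starts and ends outside this hunk, so where the record is persisted is not visible here.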
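Review bot: In the `EmbeddedNetworkController.hpp` hunk, defaulting `lastDeauthorizedTime` to `0ULL` means a member record that was deauthorized before this field existed gets no threshold at all. If the value is used as a cut-off for rejecting older credentials, as the commit subject suggests, those members stay uncovered until they are deauthorized again. The `authHistory` entries written elsewhere in this commit carry `a` and `ts`, so the default could instead be backfilled from the newest entry with `a == false`. Failing that, a comment such as `// 0 = no deauthorization recorded since this field was introduced` would document the gap. The enclosing member-initialization function begins above the hunk.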