More OAuth/OpenID changes for the scheduler:
authorMichael R Sweet <msweet@msweet.org>
Fri, 16 May 2025 22:35:15 +0000 (18:35 -0400)
committerMichael R Sweet <msweet@msweet.org>
Fri, 16 May 2025 22:35:15 +0000 (18:35 -0400)
- Instead of treating the bearer token as a JWT, use the userinfo endpoint
  (via cupsOAuthGetUserId) to get the user information and (as a side-effect)
  validate the bearer token.
- Set the verified AuthType when we have a valid token.
- Support OAuth group files relative to the cupsd.conf file.

scheduler/auth.c
scheduler/auth.h
scheduler/conf.c
scheduler/env.c

index 08252844c15a99692a1a2ecb94b932e1cd03aaf8..a3ca5ef6b038e7f0836f1bf0ee1b11c01ffceb8d 100644 (file)
@@ -710,7 +710,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
   else if (!strncmp(authorization, "Bearer ", 7))
   {
     // OAuth/OpenID authorization using JWT bearer tokens...
-    cups_jwt_t *jwt;                   // JWT decoded from bearer token...
+    cups_jwt_t *jwt;                   // JWT user information
     const char *sub,                   // Subject/user ID
                *name,                  // Real name
                *email;                 // Email address
@@ -724,35 +724,22 @@ cupsdAuthorize(cupsd_client_t *con)       /* I - Client connection */
       authorization = bearer;          // Use the cookie value for authorization
 
     // Decode and validate the JWT...
-    if ((jwt = cupsJWTImportString(authorization, CUPS_JWS_FORMAT_COMPACT)) == NULL)
+    if ((jwt = cupsOAuthGetUserId(OAuthServer, OAuthMetadata, authorization)) == NULL)
     {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to import JWT Bearer token: %s", cupsGetErrorString());
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get user information from bearer token: %s", cupsGetErrorString());
       cupsCopyString(con->autherror, cupsGetErrorString(), sizeof(con->autherror));
       return;
     }
-    else if (!cupsJWTHasValidSignature(jwt, OAuthJWKS))
-    {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "JWT Bearer token signature is bad.");
-      cupsCopyString(con->autherror, "Invalid JWT signature.", sizeof(con->autherror));
-      cupsJWTDelete(jwt);
-      return;
-    }
-    else if (cupsJWTGetClaimNumber(jwt, CUPS_JWT_EXP) < time(NULL))
-    {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "JWT Bearer token is expired.");
-      cupsCopyString(con->autherror, "Expired JWT.", sizeof(con->autherror));
-      cupsJWTDelete(jwt);
-      return;
-    }
     else if ((sub = cupsJWTGetClaimString(jwt, CUPS_JWT_SUB)) == NULL)
     {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing subject name in JWT Bearer token.");
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing subject name in user information.");
       cupsCopyString(con->autherror, "Missing subject name.", sizeof(con->autherror));
       cupsJWTDelete(jwt);
       return;
     }
 
     // Good JWT, grab information from it and return...
+    con->type         = CUPSD_AUTH_BEARER;
     con->autherror[0] = '\0';
     con->password[0]  = '\0';
 
index adc0ccdea43ef580e91c1a500fc1f54ed321a6e5..37f458b581f01a9753db36209c24f85163af9f44 100644 (file)
@@ -10,7 +10,7 @@
  */
 
 #include <pwd.h>
-#include <cups/jwt.h>
+#include <cups/oauth.h>
 
 
 /*
index aec274448c3778ba6d16bb48985c7b105491b5b8..73c34bc93ca337547a7850fa15f97f7f61534581 100644 (file)
@@ -3698,7 +3698,8 @@ read_cups_files_conf(cups_file_t *fp)     /* I - File to read from */
       * OAuthGroup NAME FILENAME
       */
 
-      char *filename;                  /* Filename on line */
+      char     temp[1024],                     /* Temporary filename */
+               *filename;                      /* Filename on line */
 
       for (filename = value; *filename; filename ++)
       {
@@ -3709,6 +3710,13 @@ read_cups_files_conf(cups_file_t *fp)    /* I - File to read from */
       while (*filename && isspace(*filename & 255))
         *filename++ = '\0';
 
+      if (*filename != '/')
+      {
+        // Convert relative filename to CUPS_SERVERROOT/filename
+        snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, filename);
+        filename = temp;
+      }
+
       if (*filename && !access(filename, R_OK))
       {
         if (!cupsdAddOAuthGroup(value, filename) && (FatalErrors & CUPSD_FATAL_CONFIG))
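Review bot: An `OAuthGroup NAME` line with no filename now passes the access check: when `*filename` is `'\0'` the new `if (*filename != '/')` branch still fires, `temp` becomes `ServerRoot/`, and `access()` on that directory succeeds, so cupsdAddOAuthGroup is handed a directory path instead of reaching the error path that an empty filename took before this change. Guard the empty case first, e.g. `if (*filename && *filename != '/')`. The `snprintf` result is also unchecked, so a path longer than `sizeof(temp)` would be silently truncated and a different file opened; check the return value and treat `>= sizeof(temp)` as a configuration error. Whether cupsdAddOAuthGroup copies the string or keeps the `temp` pointer is not visible here; if it keeps the pointer, it would dangle once this block exits, so confirm it duplicates its argument. read_cups_files_conf continues outside the hunk.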
index 03fa0b1bca7f5c9e2729b6980a24143781dc4df0..0d6468b3d0aa6db39cd4ac83bb91ff26213ee525 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * Environment management routines for the CUPS scheduler.
  *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2025 by OpenPrinting.
  * Copyright © 2007-2016 by Apple Inc.
  * Copyright © 1997-2006 by Easy Software Products, all rights reserved.
  *
@@ -9,10 +9,6 @@
  * information.
  */
 
-/*
- * Include necessary headers...
- */
-
 #include "cupsd.h"