From: Michael R Sweet
Date: Fri, 16 May 2025 22:35:15 +0000 (-0400)
Subject: More OAuth/OpenID changes for the scheduler:
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f214077c436236df7ceac9247ed48ddff58a2f4c;p=thirdparty%2Fcups.git

More OAuth/OpenID changes for the scheduler:

- Instead of treating the bearer token as a JWT, use the userinfo endpoint (via cupsOAuthGetUserId) to get the user information and (as a side-effect) validate the bearer token.
- Set the verified AuthType when get have a valid token.
- Support OAuth group files relative to the cupsd.conf file.
---
diff --git a/scheduler/auth.c b/scheduler/auth.c
index 08252844c1..a3ca5ef6b0 100644
--- a/scheduler/auth.c
+++ b/scheduler/auth.c
@@ -710,7 +710,7 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
 else if (!strncmp(authorization, "Bearer ", 7))
 {
 // OAuth/OpenID authorization using JWT bearer tokens...
- cups_jwt_t *jwt; // JWT decoded from bearer token...
+ cups_jwt_t *jwt; // JWT user information
 const char *sub, // Subject/user ID
 *name, // Real name
 *email; // Email address
@@ -724,35 +724,22 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
 authorization = bearer; // Use the cookie value for authorization
 // Decode and validate the JWT...
- if ((jwt = cupsJWTImportString(authorization, CUPS_JWS_FORMAT_COMPACT)) == NULL)
+ if ((jwt = cupsOAuthGetUserId(OAuthServer, OAuthMetadata, authorization)) == NULL)
 {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to import JWT Bearer token: %s", cupsGetErrorString());
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get user information from bearer token: %s", cupsGetErrorString());
 cupsCopyString(con->autherror, cupsGetErrorString(), sizeof(con->autherror));
 return;
 }
- else if (!cupsJWTHasValidSignature(jwt, OAuthJWKS))
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "JWT Bearer token signature is bad.");
- cupsCopyString(con->autherror, "Invalid JWT signature.", sizeof(con->autherror));
- cupsJWTDelete(jwt);
- return;
- }
- else if (cupsJWTGetClaimNumber(jwt, CUPS_JWT_EXP) < time(NULL))
- {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "JWT Bearer token is expired.");
- cupsCopyString(con->autherror, "Expired JWT.", sizeof(con->autherror));
- cupsJWTDelete(jwt);
- return;
- }
 else if ((sub = cupsJWTGetClaimString(jwt, CUPS_JWT_SUB)) == NULL)
 {
- cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing subject name in JWT Bearer token.");
+ cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing subject name in user information.");
 cupsCopyString(con->autherror, "Missing subject name.", sizeof(con->autherror));
 cupsJWTDelete(jwt);
 return;
 }
 // Good JWT, grab information from it and return...
+ con->type = CUPSD_AUTH_BEARER;
 con->autherror[0] = '\0';
 con->password[0] = '\0';
diff --git a/scheduler/auth.h b/scheduler/auth.h
index adc0ccdea4..37f458b581 100644
--- a/scheduler/auth.h
+++ b/scheduler/auth.h
@@ -10,7 +10,7 @@
 */
 #include
-#include
+#include
 /*
diff --git a/scheduler/conf.c b/scheduler/conf.c
index aec274448c..73c34bc93c 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
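Review bot: The only local check left after the userinfo lookup is that `sub` is present, so this hunk accepts any access token the provider's userinfo endpoint answers for; if cupsOAuthGetUserId does not itself confirm the token was issued for this scheduler (audience/scope), a token obtained for some other application at the same issuer would authenticate here, which deserves either an explicit check or a comment stating where that binding is enforced. The two surviving context comments, `// Decode and validate the JWT...` and `// Good JWT, grab information from it and return...`, now describe the removed flow; suggest `// Look up the user information for the bearer token (this also validates the token with the OAuth server)...` for the first. Every failed lookup is now a network round-trip plus a CUPSD_LOG_ERROR entry, so a comment noting that this path is reached before any rate limiting would help the next maintainer. cupsdAuthorize starts and ends outside the hunk.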
@@ -3698,7 +3698,8 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */
 * OAuthGroup NAME FILENAME
 */
- char *filename; /* Filename on line */
+ char temp[1024], /* Temporary filename */
+ *filename; /* Filename on line */
 for (filename = value; *filename; filename ++)
 {
@@ -3709,6 +3710,13 @@ read_cups_files_conf(cups_file_t *fp) /* I - File to read from */
 while (*filename && isspace(*filename & 255))
 *filename++ = '\0';
+ if (*filename != '/')
+ {
+ // Convert relative filename to CUPS_SERVERROOT/filename
+ snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, filename);
+ filename = temp;
+ }
+
 if (*filename && !access(filename, R_OK))
 {
 if (!cupsdAddOAuthGroup(value, filename) && (FatalErrors & CUPSD_FATAL_CONFIG))
diff --git a/scheduler/env.c b/scheduler/env.c
index 03fa0b1bca..0d6468b3d0 100644
--- a/scheduler/env.c
+++ b/scheduler/env.c
@@ -1,7 +1,7 @@
 /*
 * Environment management routines for the CUPS scheduler.
 *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2025 by OpenPrinting.
 * Copyright © 2007-2016 by Apple Inc.
 * Copyright © 1997-2006 by Easy Software Products, all rights reserved.
 *
@@ -9,10 +9,6 @@
 * information.
 */
-/*
- * Include necessary headers...
- */
-
 #include "cupsd.h"
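Review bot: The `snprintf` into `temp[1024]` on the added lines is unchecked, so a relative OAuthGroup path longer than the buffer is silently truncated and the truncated name is then handed to `access()` and `cupsdAddOAuthGroup()`, which can quietly bind the group to a different file than the administrator configured. Check the return value and reject the entry on overflow, e.g. `if (snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, filename) >= (int)sizeof(temp))` followed by the same error handling the `FatalErrors & CUPSD_FATAL_CONFIG` branch below uses. The comment `// Convert relative filename to CUPS_SERVERROOT/filename` names the compile-time default while the code uses the runtime `ServerRoot`; `// Resolve a relative filename against ServerRoot` matches what the line does. read_cups_files_conf starts and ends outside the hunk, and `temp` is declared in the preceding hunk of this file.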