author | Vivien Kraus <vivien@planete-kraus.eu> | 2020-12-05 13:11:49 +0100 |
---|---|---|
committer | Vivien Kraus <vivien@planete-kraus.eu> | 2021-05-11 00:38:50 +0200 |
commit | e3cc9e6df0cc987637e7d83891ad981f33e98024 (patch) | |
tree | d3a1c4eb483d9dfd42a72b050f056495f59d53dc | |
parent | 80e8e02c7e691f499da0fa19f58802fbfdae921f (diff) |
Run the identity provider as a script
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | NEWS | 23 | ||||
-rwxr-xr-x | bootstrap | 1 | ||||
-rw-r--r-- | doc/manual.html | 106 | ||||
-rw-r--r-- | man/Makefile.am | 6 | ||||
-rw-r--r-- | po/fr.po | 101 | ||||
-rw-r--r-- | po/webid-oidc.pot | 16 | ||||
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/inst/webid-oidc/Makefile.am | 12 | ||||
-rw-r--r-- | src/pre-inst/webid-oidc/Makefile.am | 12 | ||||
-rw-r--r-- | src/scm/webid-oidc/identity-provider.scm | 26 | ||||
-rw-r--r-- | src/scm/webid-oidc/stubs.scm | 4 | ||||
-rwxr-xr-x | src/webid-oidc-issuer | 7 |
13 files changed, 193 insertions, 125 deletions
diff --git a/Makefile.am b/Makefile.am index 73af906..8e8a295 100644 --- a/Makefile.am +++ b/Makefile.am @@ -11,6 +11,8 @@ ACLOCAL_AMFLAGS = -I m4 AM_CPPFLAGS = -DLOCALEDIR=\"$(localedir)\" -I. -I$(srcdir) AM_CFLAGS = $(GUILE_CFLAGS) $(NETTLE_CFLAGS) nodist_noinst_SCRIPTS = pre-inst-env +dist_bin_SCRIPTS = +libexec_SCRIPTS = INDENTED = include_HEADERS = @@ -4,28 +4,7 @@ #+email: vivien@planete-kraus.eu * Initial features -** Add base64 encoding and decoding -** A random number generator -The code provides a thread-safe, parallel, random number generator. -** Generating a key pair -There is a function to generate a RSA or ECC key pair. -** Strip a public key -In order to avoid leaking the private components of a key, the -=strip-key= function keeps only the required parts. -** Hash some data -The function =hash= takes a string, and hashes its UTF-8 encoding. -** Hash a key -In DPoP, the identity provider hashes the client's key in the access -token so that resource servers can verify that the client uses the -correct key. -** Sign and verify signatures -The function =sign= creates a signature with a known JWA, and =verify= -verifies the signature. -** Encode and decode a JWS -The decoding function lets you fetch a key for validation. -** Web cache -Since DPoP and OIDC fetch a lot of things from the internet, it is in -our interest to add a web cache. +** The identity provider server is operational. # Local Variables: # mode: org # End: @@ -11,6 +11,7 @@ sed -i 's|SHELL = /bin/sh|SHELL = @SHELL@|g' po/Makefile.in.in || exit 1 mkdir -p .native || exit 1 cd .native || exit 1 bash ../configure SHELL=$(which sh) || exit 1 +sed -i "s|/usr/local/bin/guile|$(which guile)|g" ../src/webid-oidc-issuer || exit 1 make -j V=1 || exit 1 make -j dist || exit 1 cd .. || exit 1 diff --git a/doc/manual.html b/doc/manual.html index cd39115..14d5bd1 100644 --- a/doc/manual.html +++ b/doc/manual.html 
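Review bot: The sed line added to bootstrap rewrites the tracked file src/webid-oidc-issuer in place, and an empty `$(which guile)` is not an error, so on a host without guile the shebang silently becomes `#! \` while `|| exit 1` still passes because sed itself succeeded. Resolve the interpreter first, `guile=$(command -v guile) || exit 1`, and substitute `$guile`, or better turn the script into a configure-time template (`webid-oidc-issuer.in` with the path found by `AC_PATH_PROG`) so that the hard-coded `/usr/local/bin/guile` in the new file src/webid-oidc-issuer, the last hunk of this commit, never has to be committed at all. Patching the source tree from bootstrap also leaves the checkout modified after every run.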
@@ -870,6 +870,112 @@ </p> </info:deftp> + <h1>Running an Identity Provider</h1> + <p> + This project is packaged with a barebones identity provider. It + has an authorization endpoint and a token endpoint (and it + serves its public keys), but it is only intended for one + specific person. + </p> + <p> + You can start it by invoking the <pre>webid-oidc-issuer</pre> + program, with the following options: + </p> + <ul> + <li> + <pre>-h</pre>, or <pre>--help</pre> prints a summary of + options and exit. + </li> + <li> + <pre>-v</pre>, or <pre>--version</pre> prints the version of + the program and exits. + </li> + <li> + <pre>-i <info:var>URI</info:var></pre>, or + <pre>--issuer=<info:var>URI</info:var></pre> sets the global + server name of the identity provider. It should have an empty + path. + </li> + <li> + <pre>-k <info:var>FILE.jwk</info:var></pre>, or + <pre>--key-file=<info:var>FILE.jwk</info:var></pre> sets the + file name where to read or generate a key for the identity + provider. This file should be JSON, containing the + representation of a JWK key pair. + </li> + <li> + <pre>-s <info:var>WEBID</info:var></pre>, or + <pre>--subject=<info:var>WEBID</info:var></pre> sets the webid + of the only user of the identity provider. This is an URI, + pointing to a RDF node corresponding to the user’s profile. + </li> + <li> + <pre>-w <info:var>PASSWORD</info:var></pre>, or + <pre>--password=<info:var>PASSWORD</info:var></pre>, sets the + password that the user must enter to authorize an + application. + </li> + <li> + <pre>-j <info:var>URI</info:var></pre>, or + <pre>--jwks-uri=<info:var>URI</info:var></pre> tells the + server that requests to <info:var>URI</info:var> should be + responded with the public key used to sign the tokens. 
+ </li> + <li> + <pre>-a <info:var>URI</info:var></pre>, or + <pre>--authorization-endpoint-uri=<info:var>URI</info:var></pre> + tells the server that requests to <info:var>URI</info:var> + should be treated as authorization requests. + </li> + <li> + <pre>-t <info:var>URI</info:var></pre>, or + <pre>--token-endpoint-uri=<info:var>URI</info:var></pre> tells + the server that requests to <info:var>URI</info:var> should be + treated as token negociation requests. + </li> + <li> + <pre>-p <info:var>PORT</info:var></pre>, or + <pre>--port=<info:var>PORT</info:var></pre>, change the port + number used by the server. By default, it is set to 8080. + </li> + <li> + <pre>-l <info:var>FILE.log</info:var></pre>, or + <pre>--log-file=<info:var>FILE.log</info:var></pre> let the + server dump all its output to + <info:var>FILE.log</info:var>. Since I don’t know how to deal + with syslog, this is the only way to keep logs with a shepherd + service. + </li> + <li> + <pre>-e <info:var>FILE.err</info:var></pre>, or + <pre>--error-file=<info:var>FILE.err</info:var></pre> let the + server dump all its errors to <info:var>FILE.err</info:var>. + </li> + </ul> + <p> + The program is sensitive to the environment variables. The most + important one is <emph>LANG</emph>, which influences how the + program is internationalized to the server administrator (the + pages served to the user use the user agent’s locale). This + changes the long form of the options, and the language in the + log files. + </p> + <p> + The <emph>XDG_DATA_HOME</emph> should point to some place where + the program will store refresh tokens, under the + <pre>webid-oidc</pre> directory. For a system service, you might + want to define that environment to <pre>/var/lib</pre>, for + instance. + </p> + <p> + The <emph>XDG_CACHE_HOME</emph> should point to a directory + where to store the seed of the random number generator (under a + <pre>webid-oidc</pre> directory, again). 
Changing the seed only + happens when a program starts to require the random number + generator. You can safely delete this directory, but you need to + restart the program to actually change the seed. + </p> + <h1 type="appendix">GNU Free Documentation License</h1> <info:gfdl /> diff --git a/man/Makefile.am b/man/Makefile.am index 4008ab9..ac01459 100644 --- a/man/Makefile.am +++ b/man/Makefile.am @@ -1,3 +1,7 @@ -dist_man8_MANS = +dist_man8_MANS = webid-oidc-issuer.man EXTRA_DIST = ./reset-env + +webid-oidc-issuer.man: ../src/scm/webid-oidc/identity-provider.scm ../configure.ac + $(AM_V_GEN) ../pre-inst-env ./reset-env $(HELP2MAN) $(srcdir)/../src/webid-oidc-issuer > $@-t + mv $@-t $(srcdir)/$@ @@ -2,7 +2,7 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc 0.0.0\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-05-10 22:55+0200\n" +"POT-Creation-Date: 2021-05-10 22:56+0200\n" "PO-Revision-Date: 2021-05-10 14:31+0200\n" "Last-Translator: Vivien Kraus <vivien@planete-kraus.eu>\n" "Language-Team: French <vivien@planete-kraus.eu>\n" 
@@ -748,77 +748,7 @@ msgid "comand-line|error-file" msgstr "fichier-erreur" #: src/scm/webid-oidc/identity-provider.scm:187 -#, fuzzy, scheme-format -#| msgid "" -#| "Usage: ~a [OPTIONS]...\n" -#| "\n" -#| "Run the Solid identity provider for a specific user.\n" -#| "\n" -#| "Options:\n" -#| " -h, --help:\n" -#| " display this help message and exit.\n" -#| " -v, --version:\n" -#| " display the version information (~a) and exit.\n" -#| " -i URI, --issuer=URI:\n" -#| " set the public server host name.\n" -#| " -k FILE, --key-file=FILE.jwk:\n" -#| " set the file name of the key file. If it does not exist, a new\n" -#| " key is generated.\n" -#| " -s WEBID, --subject=WEBID:\n" -#| " set the identity of the subject.\n" -#| " -w PASSWORD, --password=PASSWORD:\n" -#| " set the password to recognize the user.\n" -#| " -j URI, --jwks-uri=URI:\n" -#| " set the URI to query the key of the server.\n" -#| " -a URI, --authorization-endpoint-uri=URI:\n" -#| " set the authorization endpoint of the issuer.\n" -#| " -t URI, --token-endpoint-uri=URI:\n" -#| " set the token endpoint of the issuer.\n" -#| " -p PORT, --port=PORT:\n" -#| " set the port to bind (instead of 8080).\n" -#| " -l FILE.log, --log-file=FILE.log:\n" -#| " dump the standard output to that file.\n" -#| " -e FILE.err, --error-file=FILE.err:\n" -#| " dump the standard error to that file.\n" -#| "\n" -#| "Environment variables:\n" -#| "\n" -#| " LANG: set the locale of the sysadmin-facing interface (the user\n" -#| "pages are translated according to the user agent’s Accept-language\n" -#| "header), for log files and command-line interface. It is currently ~a.\n" -#| "\n" -#| " XDG_DATA_HOME: where to store the refresh tokens (under the\n" -#| "webid-oidc directory). For a system service, it is recommended to set\n" -#| "it to /var/lib. Currently set to ~a.\n" -#| "\n" -#| " XDG_CACHE_HOME: where to store and update the seed file for the\n" -#| "random number generator. 
If you remove it, you need to restart the\n" -#| "program to use a different seed. Currently set to ~a.\n" -#| "\n" -#| " HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n" -#| "computed from the value of the HOME environment variable. It is not\n" -#| "used otherwise. Currently set to ~a.\n" -#| "\n" -#| "Example used in webid-oidc-demo.planete-kraus.eu (except it’s managed\n" -#| "by shepherd in reality):\n" -#| "\n" -#| " export LANG=C\n" -#| " export XDG_DATA_HOME=/var/lib\n" -#| " export XDG_CACHE_HOME=/var/cache\n" -#| " webid-oidc-issuer \\\n" -#| " --issuer https://webid-oidc-demo.planete-kraus.eu \\\n" -#| " --key-file /var/lib/webid-oidc/issuer/key.jwk \\\n" -#| " --subject https://webid-oidc-demo.planete-kraus.eu/profile/card#me " -#| "\\\n" -#| " --password \"$PASSWORD\" \\\n" -#| " --jwks-uri https://webid-oidc-demo.planete-kraus.eu/keys \\\n" -#| " --authorization-endpoint-uri https://webid-oidc-demo.planete-kraus." -#| "eu/authorize \\\n" -#| " --token-endpoint-uri https://webid-oidc-demo.planete-kraus.eu/token " -#| "\\\n" -#| " --port $PORT\n" -#| "\n" -#| "If you find a bug, send a report to ~a.\n" +#, scheme-format msgid "" "Usage: ~a [OPTIONS]...\n" "\n" @@ -881,9 +811,10 @@ msgid "" " --subject https://webid-oidc-demo.planete-kraus.eu/profile/card#me \\\n" " --password \"$PASSWORD\" \\\n" " --jwks-uri https://webid-oidc-demo.planete-kraus.eu/keys \\\n" -" --authorization-endpoint https://webid-oidc-demo.planete-kraus.eu/" +" --authorization-endpoint-uri https://webid-oidc-demo.planete-kraus.eu/" "authorize \\\n" -" --token-endpoint https://webid-oidc-demo.planete-kraus.eu/token \\\n" +" --token-endpoint-uri https://webid-oidc-demo.planete-kraus.eu/token " +"\\\n" " --port $PORT\n" "\n" "If you find a bug, send a report to ~a.\n" 
@@ -1000,11 +931,19 @@ msgid "The port should be a number between 0 and 65535.\n" msgstr "Le port doit être un nombre entre 0 et 65535.\n" #: src/scm/webid-oidc/identity-provider.scm:341 -#, fuzzy, scheme-format -#| msgid "~a: Internal server error: ~a\n" -msgid "Internal server error: ~a\n" +#, scheme-format +msgid "~a: Internal server error: ~a\n" msgstr "~a : Erreur interne du serveur : ~a\n" +#: src/scm/webid-oidc/identity-provider.scm:352 +#, scheme-format +msgid "" +"The client locale ~s can’t be approximated by system locale ~s (because ~a), " +"using C.\n" +msgstr "" +"La locale du client ~s ne peut pas être approchée par la locale système ~s " +"(parce que ~a), on utilise C.\n" + #: src/scm/webid-oidc/authorization-page-unsafe.scm:29 msgid "xml-lang|en" msgstr "fr" @@ -1177,14 +1116,6 @@ msgstr "" #~ msgstr ", " #, scheme-format -#~ msgid "" -#~ "The client locale ~s can’t be approximated by system locale ~s (because " -#~ "~a), using C.\n" -#~ msgstr "" -#~ "La locale du client ~s ne peut pas être approchée par la locale système " -#~ "~s (parce que ~a), on utilise C.\n" - -#, scheme-format #~ msgid "~a: authentication failure: ~a\n" #~ msgstr "~a : échec d’authentificationn : ~a\n" diff --git a/po/webid-oidc.pot b/po/webid-oidc.pot index e80fad2..a50d88b 100644 --- a/po/webid-oidc.pot +++ b/po/webid-oidc.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc SNAPSHOT\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-05-10 22:55+0200\n" +"POT-Creation-Date: 2021-05-10 22:56+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" 
@@ -796,9 +796,10 @@ msgid "" " --subject https://webid-oidc-demo.planete-kraus.eu/profile/card#me \\\n" " --password \"$PASSWORD\" \\\n" " --jwks-uri https://webid-oidc-demo.planete-kraus.eu/keys \\\n" -" --authorization-endpoint https://webid-oidc-demo.planete-kraus.eu/" +" --authorization-endpoint-uri https://webid-oidc-demo.planete-kraus.eu/" "authorize \\\n" -" --token-endpoint https://webid-oidc-demo.planete-kraus.eu/token \\\n" +" --token-endpoint-uri https://webid-oidc-demo.planete-kraus.eu/token " +"\\\n" " --port $PORT\n" "\n" "If you find a bug, send a report to ~a.\n" @@ -843,7 +844,14 @@ msgstr "" #: src/scm/webid-oidc/identity-provider.scm:341 #, scheme-format -msgid "Internal server error: ~a\n" +msgid "~a: Internal server error: ~a\n" +msgstr "" + +#: src/scm/webid-oidc/identity-provider.scm:352 +#, scheme-format +msgid "" +"The client locale ~s can’t be approximated by system locale ~s (because ~a), " +"using C.\n" msgstr "" #: src/scm/webid-oidc/authorization-page-unsafe.scm:29 diff --git a/src/Makefile.am b/src/Makefile.am index 72181cb..83d4a04 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,5 +1,7 @@ lib_LTLIBRARIES += %reldir%/libwebidoidc.la +dist_bin_SCRIPTS += %reldir%/webid-oidc-issuer + AM_CPPFLAGS += -I %reldir% -I $(srcdir)/%reldir% GUILD_OPTIONS = diff --git a/src/inst/webid-oidc/Makefile.am b/src/inst/webid-oidc/Makefile.am index ac2778b..c6edc5c 100644 --- a/src/inst/webid-oidc/Makefile.am +++ b/src/inst/webid-oidc/Makefile.am 
@@ -2,6 +2,12 @@ webidoidcmod_DATA += %reldir%/config.scm webidoidcgo_DATA += %reldir%/config.go %reldir%/config.scm: $(top_builddir)/config.status - $(AM_V_GEN) mkdir -p %reldir% && (echo "(define-module (webid-oidc config))" ; \ - echo "(define-public libdir \"$(libdir)\")") \ - > $@-t && mv $@-t $@ + $(AM_V_GEN) mkdir -p %reldir% \ + && (echo "(define-module (webid-oidc config))" ; \ + echo "(define-public libdir \"$(libdir)\")" ; \ + echo "(define-public localedir \"$(localedir)\")" ; \ + echo "(define-public version \"$(VERSION)\")" ; \ + echo "(define-public package \"$(PACKAGE)\")" ; \ + echo "(define-public package-bugreport \"$(PACKAGE_BUGREPORT)\")") \ + > $@-t \ + && mv $@-t $@ diff --git a/src/pre-inst/webid-oidc/Makefile.am b/src/pre-inst/webid-oidc/Makefile.am index fa8c4e1..0503c8d 100644 --- a/src/pre-inst/webid-oidc/Makefile.am +++ b/src/pre-inst/webid-oidc/Makefile.am @@ -5,6 +5,12 @@ CLEANFILES += %reldir%/config.go %reldir%/config.scm BUILT_SOURCES += %reldir%/config.scm %reldir%/config.scm: $(top_builddir)/config.status - $(AM_V_GEN) mkdir -p %reldir% && (echo "(define-module (webid-oidc config))" ; \ - echo "(define-public libdir \"$(abs_top_builddir)/src/.libs\")") \ - > $@-t && mv $@-t $@ + $(AM_V_GEN) mkdir -p %reldir% \ + && (echo "(define-module (webid-oidc config))" ; \ + echo "(define-public libdir \"$(abs_top_builddir)/src/.libs\")" ; \ + echo "(define-public localedir \"$(localedir)\")" ; \ + echo "(define-public version \"$(VERSION)\")" ; \ + echo "(define-public package \"$(PACKAGE)\")" ; \ + echo "(define-public package-bugreport \"$(PACKAGE_BUGREPORT)\")") \ + > $@-t \ + && mv $@-t $@ diff --git a/src/scm/webid-oidc/identity-provider.scm b/src/scm/webid-oidc/identity-provider.scm index b4efd91..09c80ba 100644 --- a/src/scm/webid-oidc/identity-provider.scm +++ b/src/scm/webid-oidc/identity-provider.scm 
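Review bot: The values newly echoed into config.scm in src/inst/webid-oidc/Makefile.am (and identically in the src/pre-inst/webid-oidc/Makefile.am hunk) are spliced into Scheme string literals without escaping, so a `"` or `\` in `$(localedir)`, `$(VERSION)`, `$(PACKAGE)` or `$(PACKAGE_BUGREPORT)` would yield a config.scm that does not read. This was already true of `libdir` and such characters are unlikely in configure values, so it is mostly a robustness note; if it matters, filter each value through something like `sed 's/[\\"]/\\&/g'` before echoing it. The two recipes are now six near-identical lines that must be kept in step by hand; a shared make variable holding the generated lines, or one small generator script, would stop them drifting apart.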
@@ -243,8 +243,8 @@ by shepherd in reality): --subject https://webid-oidc-demo.planete-kraus.eu/profile/card#me \\ --password \"$PASSWORD\" \\ --jwks-uri https://webid-oidc-demo.planete-kraus.eu/keys \\ - --authorization-endpoint https://webid-oidc-demo.planete-kraus.eu/authorize \\ - --token-endpoint https://webid-oidc-demo.planete-kraus.eu/token \\ + --authorization-endpoint-uri https://webid-oidc-demo.planete-kraus.eu/authorize \\ + --token-endpoint-uri https://webid-oidc-demo.planete-kraus.eu/token \\ --port $PORT If you find a bug, send a report to ~a. @@ -277,10 +277,10 @@ If you find a bug, send a report to ~a. (option-ref options error-file-sym #f)) (jti-list (make-jti-list))) (when log-file-string - (set-current-output-port (open-output-file* log-file-string)) + (set-current-output-port (stubs:open-output-file* log-file-string)) (setvbuf (current-output-port) 'none)) (when error-file-string - (set-current-error-port (open-output-file* error-file-string)) + (set-current-error-port (stubs:open-output-file* error-file-string)) (setvbuf (current-error-port) 'none)) (unless (and issuer (string->uri issuer)) (format (current-error-port) 
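Review bot: `stubs:open-output-file*` ends up in `open-output-file`, which truncates the target, so the log and error files named by `--log-file` and `--error-file` are wiped on every restart of the service — and the manual text in this commit says the program is meant to run under shepherd, where restarts are exactly when the previous log is needed to understand a crash or a burst of bad token requests. Opening the files in append mode keeps the history: have the helper (defined in the stubs.scm hunk of this commit) open log targets with `(open-file filename "a")`, or add a mode parameter to it, rather than the truncating `open-output-file`. Unbuffered output via `setvbuf 'none` is a good choice for this use and can stay. The procedure enclosing these `when` forms starts before the hunk.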
@@ -336,13 +336,25 @@ If you find a bug, send a report to ~a. (with-exception-handler (lambda (error) (format (current-error-port) - (G_ "Internal server error: ~a\n") + (G_ "~a: Internal server error: ~a\n") + (date->string (time-utc->date (current-time))) (error->str error)) (values (build-response #:code 500 #:reason-phrase "Internal Server Error") "Sorry, there was an error.")) (lambda () - (handler request request-body)))))) + (with-exception-handler + (lambda (error) + (format (current-error-port) + (G_ "The client locale ~s can’t be approximated by system locale ~s (because ~a), using C.\n") + ((record-accessor &unknown-client-locale 'web-locale) error) + ((record-accessor &unknown-client-locale 'c-locale) error) + (error->str error))) + (lambda () + (handler request request-body)) + #:unwind? #t + #:unwind-for-type &unknown-client-locale)) + #:unwind? #t)))) (install-suspendable-ports!) - (run-server handler 'http (list #:port (string->number port-string))))))))))) + (run-server handler-with-log 'http (list #:port (string->number port-string))))))))))) diff --git a/src/scm/webid-oidc/stubs.scm b/src/scm/webid-oidc/stubs.scm index ee24724..b750e7d 100644 --- a/src/scm/webid-oidc/stubs.scm +++ b/src/scm/webid-oidc/stubs.scm @@ -137,6 +137,10 @@ (else (throw key subr message args rest)))))) +(define-public (open-output-file* filename . args) + (mkdir-p (dirname filename)) + (apply open-output-file filename args)) + (define-public (call-with-output-file* filename . args) (mkdir-p (dirname filename)) (apply call-with-output-file filename args)) diff --git a/src/webid-oidc-issuer b/src/webid-oidc-issuer new file mode 100755 index 0000000..6dd2960 --- /dev/null +++ b/src/webid-oidc-issuer @@ -0,0 +1,7 @@ +#!/usr/local/bin/guile \ +--no-auto-compile -s +!# + +(use-modules (webid-oidc identity-provider)) + +(main) |
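Review bot: The new inner handler for `&unknown-client-locale` only logs the "using C" message, and because it is installed with `#:unwind? #t` the value of that `format` call becomes the result of the inner `with-exception-handler` form — the request is never re-run in the C locale and `handler-with-log` does not return the response and body that `run-server` expects, so the client gets the outer 500 path or a failure deeper in the server loop, unless the raise site performs the fallback itself, which this hunk does not show. If a retry is intended, the inner handler should call `(handler request request-body)` again after forcing the C locale; if the intent is merely to log and continue, the raise site should use `raise-continuable` and the handler should be installed without `#:unwind? #t` so that its return value goes back to the raise point. The message text suggests the first reading. The timestamped outer handler is an improvement, and it rightly keeps `(error->str error)` in the error log while sending only the generic body to the client. The definition enclosing this lambda starts before the hunk.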