author | Vivien Kraus <vivien@planete-kraus.eu> | 2021-10-17 14:52:14 +0200 |
---|---|---|
committer | Vivien Kraus <vivien@planete-kraus.eu> | 2021-10-21 09:45:14 +0200 |
commit | 1dc4802d231bf4083d387a6db0765730075cc752 (patch) | |
tree | 1dde8889f49ebeb7652d89bd1af8428480532201 | |
parent | 7debf052567f50d2c2510d80405069e53b0971bf (diff) |
Use the endpoint API
25 files changed, 1631 insertions, 3599 deletions
diff --git a/doc/disfluid.texi b/doc/disfluid.texi index 7e47022..3e6c91c 100644 --- a/doc/disfluid.texi +++ b/doc/disfluid.texi @@ -74,8 +74,7 @@ A PDF version of this manual is available at * The HTTP Link header:: * Content negociation:: * Server endpoints:: -* Running an Identity Provider:: -* Running a Resource Server:: +* Resources stored on the server:: * Running a client:: * Serialization to (S)XML:: * Exceptional conditions:: @@ -127,31 +126,12 @@ web browser. @node Invoking disfluid @chapter Invoking disfluid -The @samp{disfluid} program provides different modes of operations: - -@table @samp -@item reverse-proxy -Run an authenticating reverse proxy. With this command, you specify a -backend server. When an authenticated user makes a request, you -receive an additional header containing the user’s identity. -@item identity-provider -Run the identity provider only. -@item client-service -The client applications must serve some resources: namely, the client -manifest and the redirect URI. -@item server -Run both an identity provider and a resource server. -@end table - -The server is configured with command-line arguments, and environment -variables. +The @samp{disfluid} program runs a server, if the user specifies a +configuration file, or the graphical browser otherwise. @menu * General options:: -* General server configuration:: -* Configuration for the resource server:: -* Configuration for the identity provider:: -* Configuration for the client service:: +* Running a server:: @end menu @node General options 
@@ -164,22 +144,23 @@ administrator. You can control it with the @samp{LANG} environment variable. So if your locale is not English, you can have the same commands as in this manual by running with @code{LANG=C}. -The programs respect the @samp{XDG_DATA_HOME} and -@samp{XDG_CACHE_HOME} to store persistent data and disposable -data. The cache directory can be deleted at any time. If one of these -variables is not set, its value is computed from the @samp{HOME} -environment variable. - -@node General server configuration -@section General server configuration -All servers are published under the Affero GPL, which means that the -service provider needs to publish all changes made to the program to -users over the network. The @samp{disfluid} command provides a +The programs respect the @samp{XDG_DATA_HOME} (if not overriden by the +server configuration) and @samp{XDG_CACHE_HOME} to store persistent +data and disposable data. The cache directory can be deleted at any +time. If one of these variables is not set, its value is computed from +the @samp{HOME} environment variable. + +@node Running a server +@section Running a server +The disfluid code is published under the Affero GPL, which means that +the service provider needs to publish all changes made to the program +to users over the network. The @samp{disfluid} command provides a @samp{--complete-corresponding-source} option so that the system administrator can specify a means to download the source. The servers will add a @samp{Source:} header in each response, -containing the value of this configuration option. +containing the value of this configuration option. It can be, for +instance, an URI where to download the modified source code. The servers can be configured to redirect output and errors to a log file and an error file, with the @samp{--log-file} and 
@@ -190,8 +171,55 @@ configured with @samp{--port}. Since the servers do not support TLS, and they only support HTTP/1.1, they are intended to run behind a reverse proxy (even for the authenticating reverse proxy). -Finally, the servers are required to know their public name. This is -configured with the @samp{--server-name} option. +Finally, you configure the server by passing the +@samp{--configuration} parameter pointing to a configuration file. The +configuration file is plain guile code, that must evaluate to an +@code{<endpoint>}. + +Here is an example configuration that runs a resource server with an +identity provider: + +@lisp +(use-modules (webid-oidc server endpoint) + (webid-oidc server endpoint resource-server) + (webid-oidc server endpoint identity-provider) + (webid-oidc server endpoint authentication) + (webid-oidc oidc-configuration) + (oop goops)) + +(make <identity-provider> + #:host "example.com" + #:oidc-discovery + (make <oidc-discovery> + #:path "/.well-known/openid-configuration" + #:configuration + (make <oidc-configuration> + #:jwks-uri "https://example.com/keys" + #:authorization-endpoint "https://example.com/authorize" + #:token-endpoint "https://example.com/token")) + #:authorization-endpoint + (make <authorization-endpoint> + #:path "/authorize" + #:subject "https://example.com/profile/card#me" + #:encrypted-password (crypt "secretpassword123" "$6$secret.salt") + #:key-file "/var/lib/disfluid/key-file.jwk") + #:token-endpoint + (make <token-endpoint> + #:path "/token" + #:issuer "https://example.com" + #:key-file "/var/lib/disfluid/key-file.jwk") + #:jwks-endpoint + (make <jwks-endpoint> + #:path "/keys" + #:key-file "/var/lib/disfluid/key-file.jwk") + #:default + (make <authenticator> + #:backend + (make <resource-server> + #:server-name "https://example.com" + #:owner "https://example.com/profile/card#me") + #:server-uri "https://example.com")) +@end lisp The server will make requests on the world-wide web, for instance to download 
client manifests. The requests can be redirected with XML 
@@ -199,64 +227,6 @@ Catalog, by setting the @samp{XML_CATALOG_FILES} to a space-separated list of URIs (can be @code{file:} URIs). The requests cannot be directed to the file system. -@node Configuration for the resource server -@section Configuration for the resource server -The reverse proxy sets an identity header to authenticated -requests. By default, it is @samp{XXX-Agent}, but it can be configured -with @samp{--header}. - -The reverse proxy is configured to contact a backend URI with -@samp{--backend-uri}. This backend URI should not be directly exposed, -because a malicious user could set the identity header. - -@node Configuration for the identity provider -@section Configuration for the identity provider -The identity provider can only handle one user. If you want to handle -multiple users, it is highly advised to use a different host name for -each user, in case the server is accessed from a web browser. You can -set the identity of the user with @samp{--subject}, and write the -user’s password in a file. Pass the file name with -@samp{--encrypted-password-file}. You can pass the encrypted password -directly with @samp{--encrypted-password}, but the encrypted password -will be public. - -The encrypted password format is defined by the crypt function in the -C library. For glibc, it looks like this: -@code{$@var{N}$@var{salt}$@var{hash}}, where @var{N} is the algorithm -identifier, @var{salt} is the password salt annd @var{hash} is its -hash. - -The server uses a key, which is not the same thing as the TLS -certificate of the server (remember, the servers don’t support -TLS). It is in the JWK format. You set its file name with -@samp{--key-file}. If the key file does not exist, it will be -generated. - -Finally, the public openid configuration requires you to set the JWKS -URI (@samp{--jwks-uri}), authorization endpoint URI -(@samp{--authorization-endpoint-uri}) and token endpoint URI -(@samp{--token-endpoint-uri}). 
The identity provider will publish the -full URIs, but will respond to their path, regardless of the host. - -@node Configuration for the client service -@section Configuration for the client service -The client will serve a stupid page for the redirect URI that will -only display the authorization code. The redirect URI is set with -@samp{--redirect-uri}. - -The client ID is set with @samp{--client-id}. This is the URI under -which the client registrationn is served. - -Finally, you can set some cosmetic options, but since it can confuse -the user, they are hidden by default by the identity provider. - -@table @samp -@item --client-name -set the name of the application. -@item --client-uri -set an URI where to find more information about the client. -@end table - @node Running disfluid with GNU Guix @chapter Running disfluid with GNU Guix 
@@ -266,30 +236,17 @@ with guix. It defines the package at the latest commit, and a service definition in @emph{(vkraus services disfluid)}. @defvr {service type} disfluid-service-type -This service runs a bunch of disfluid servers with the @emph{disfluid} -system user, each with a unique name. The value it takes is an alist -of service configurations: the keys are unique names (to differenciate -the generated shepherd services), and the values are configuration -records for an issuer, reverse proxy, server, or client service. +This service runs a disfluid server with the @emph{disfluid} system +user. The value it takes is a service configuration. @end defvr -@deftp {configuration record} <disfluid-issuer-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{issuer} @var{key-file} @var{subject} @var{encrypted-password-file} @var{jwks-uri} @var{authorization-endpoint-uri} @var{token-endpoint-uri} @var{port} [@var{extra-options}] +@deftp {configuration record} <disfluid-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{port} @var{configuration-file} [@var{extra-options}] The configuration for the identity provider. The optional @var{disfluid} argument is the package containing the binary to run, if you want to apply some patches, and @var{extra-options} is an empty list by default. -@end deftp - -@deftp {configuration record} <disfluid-reverse-proxy-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{port} @var{inbound-uri} @var{outbound-uri} @var{header} [@var{extra-options}] -This record configures an authenticating reverse proxy. -@end deftp -@deftp {configuration record} <disfluid-client-service-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{client-id} @var{redirect-uri} [@var{client-name}] [@var{client-uri}] @var{port} [@var{extra-options}] -This record configures a server to serve public application pages. 
-@end deftp - -@deftp {configuration record} <disfluid-server-configuration> [@var{disfluid}] @var{complete-corresponding-source} @var{server-name} @var{key-file} @var{subject} @var{encrypted-password-file} @var{jwks-uri} @var{authorization-endpoint-uri} @var{token-endpoint-uri} @var{port} [@var{extra-options}] -The configuration for the full server. +@var{configuration-file} is a file-like object or a file name. @end deftp @node Common parameters 
@@ -1881,137 +1838,8 @@ Return the directory where @var{resource-server} stores persistent data. @end deffn -@node Running an Identity Provider -@chapter Running an Identity Provider - -This project is packaged with a barebones identity provider. It has an -authorization endpoint and a token endpoint (and it serves its public -keys), but it is only intended for one specific person. - -You can start it by invoking the @code{webid-oidc} program with the -@code{issuer} command, with the following options: - -@table @asis -@item @code{-h}, or @code{--help} -prints a summary of options and exit. -@item @code{-v}, or @code{--version} -prints the version of the program and exits. -@item @code{-n @var{URI}}, or @code{--server-name=@var{URI}} -sets the global server name of the identity provider. It should have -an empty path. -@item @code{-k @var{FILE.jwk}}, or @code{--key-file=@var{FILE.jwk}} -sets the file name where to read or generate a key for the identity -provider. This file should be JSON, containing the representation of a -JWK key pair. -@item @code{-s @var{WEBID}}, or @code{--subject=@var{WEBID}} -sets the webid of the only user of the identity provider. This is an -URI, pointing to a RDF node corresponding to the user’s profile. -@item @code{-w @var{PASSWORD}}, or @code{--password=@var{PASSWORD}} -sets the password that the user must enter to authorize an -application. -@item @code{-j @var{URI}}, or @code{--jwks-uri=@var{URI}} -tells the server that requests to @var{URI} should be responded with -the public key used to sign the tokens. -@item @code{-a @var{URI}}, or @code{--authorization-endpoint-uri=@var{URI}} -tells the server that requests to @var{URI} should be treated as -authorization requests. -@item @code{-t @var{URI}}, or @code{--token-endpoint-uri=@var{URI}} -tells the server that requests to @var{URI} should be treated as token -negociation requests. -@item @code{-p @var{PORT}}, or @code{--port=@var{PORT}} -change the port number used by the server. 
By default, it is set to -8080. -@item @code{-l @var{FILE.log}}, or @code{--log-file=@var{FILE.log}} -let the server dump all its output to @var{FILE.log}. Since I don’t -know how to deal with syslog, this is the only way to keep logs with a -shepherd service. -@item @code{-e @var{FILE.err}}, or @code{--error-file=@var{FILE.err}} -let the server dump all its errors to @var{FILE.err}. -@end table - -The program is sensitive to the environment variables. The most -important one is @emph{LANG}, which influences how the program is -internationalized to the server administrator (the pages served to the -user use the user agent’s locale). This changes the long form of the -options, and the language in the log files. - -The @emph{XDG_DATA_HOME} should point to some place where the program -will store refresh tokens, under the @code{webid-oidc} directory. For -a system service, you might want to define that environment to -@code{/var/lib}, for instance. - -The @emph{XDG_CACHE_HOME} should point to a directory where to store -the seed of the random number generator (under a @code{webid-oidc} -directory, again). Changing the seed only happens when a program -starts to require the random number generator. You can safely delete -this directory, but you need to restart the program to actually change -the seed. - -@node Running a Resource Server -@chapter Running a Resource Server - -@menu -* The authenticator:: -* The full server:: -* Resources stored on the server:: -@end menu - -A Solid server is the server that manages your data. It needs to check -that the proofs of possession are correct, and the possessed key is -signed by the identity provider. - -@node The authenticator -@section The authenticator - -In @emph{(webid-oidc resource-server)}, the following function gives a -simple API for a web server: - -@deffn function make-authenticator @var{jti-list} @var{[#server-uri]} @var{[#current-time]} @var{[#http-get]} -Create an authenticator, i.e. 
a function that takes a request and -request body and returns the webid of the authenticated user, or -@code{#f} if it is not authenticated. - -To prevent replay attacks, each request is signed by the client with a -different unique padding value. If such a value has already been seen, -then the request must fail. - -The authenticator expects the client to demonstrate the possession of -a key that the identity provider knows. So the client creates a DPoP -proof, targetted to a specific URI. In order to check that the URI is -correct, the authenticator needs the public URI of the service. - -The JTIs are checked within a small time frame. By default, the system -time will be used. Otherwise, you can customize the -@code{current-time} optional keyword argument, to pass a thunk -returning a time from @emph{(srfi srfi-19)}. - -You may want to customize the @var{http-get} optional keyword argument -to pass a function to replace @code{http-get} from @emph{(http -client)}. This function takes an URI and optional @code{#:headers} -arguments, makes the request, and return two values: the response, and -the response body. - -This function, in @emph{(webid-oidc resource-server)}, returns a web -request handler, taking the request and request body, and returning -the subject of the access token. If an error happens, it is thrown; -the function always returns a valid URI. -@end deffn - -@node The full server -@section The full server - -@deffn {function from @emph{(webid-oidc resource-server)}} make-server @var{[#:server-uri]} @var{[#:owner]} @var{[#:authenticator]} @var{[#:current-time]} @var{[#:http-get]} -Return a server handler, a function taking 2 values, a request and a -request body, and returning 2 values, the response and response body. - -The optional @var{[#:authenticator]} argument defaults to the -webid-oidc authenticator, @var{[#:current-time]} defaults to a thunk -returning the system time and @var{[#:http-get]} to the web client -from @emph{(web client)}. 
-@end deffn - @node Resources stored on the server -@section Resources stored on the server +@chapter Resources stored on the server To store and serve resources, the server has two distinct mechanisms. A @dfn{content} is a read-only possible value for a diff --git a/guix/vkraus/services/disfluid.scm b/guix/vkraus/services/disfluid.scm index 21adca2..66a13fe 100644 --- a/guix/vkraus/services/disfluid.scm +++ b/guix/vkraus/services/disfluid.scm 
@@ -28,382 +28,71 @@ #:use-module (ice-9 match) #:use-module (ice-9 optargs)) -(define-record-type* <disfluid-issuer-configuration> - disfluid-issuer-configuration - make-disfluid-issuer-configuration - disfluid-issuer-configuration? - (disfluid disfluid-issuer-configuration-disfluid - (default disfluid)) +(define-record-type* <disfluid-configuration> + disfluid-configuration + make-disfluid-configuration + disfluid-configuration? + (disfluid disfluid-configuration-disfluid + (default disfluid)) (complete-corresponding-source - disfluid-issuer-configuration-complete-corresponding-source) - (issuer disfluid-issuer-configuration-issuer) - (key-file disfluid-issuer-configuration-key-file) - (subject disfluid-issuer-configuration-subject) - (encrypted-password-file disfluid-issuer-configuration-encrypted-password-file) - (jwks-uri disfluid-issuer-configuration-jwks-uri) - (authorization-endpoint-uri - disfluid-issuer-configuration-authorization-endpoint-uri) - (token-endpoint-uri - disfluid-issuer-configuration-token-endpoint-uri) + disfluid-configuration-complete-corresponding-source) + (configuration disfluid-configuration-configuration) (port disfluid-issuer-configuration-port (default 8088)) (extra-options disfluid-issuer-configuration-extra-options (default '()))) -(define-record-type* <disfluid-reverse-proxy-configuration> - disfluid-reverse-proxy-configuration - make-disfluid-reverse-proxy-configuration - disfluid-reverse-proxy-configuration? 
- (disfluid disfluid-reverse-proxy-configuration-disfluid - (default disfluid)) - (complete-corresponding-source - disfluid-reverse-proxy-configuration-complete-corresponding-source) - (port disfluid-reverse-proxy-port (default 8090)) - (inbound-uri disfluid-reverse-proxy-configuration-inbound-uri) - (outbound-uri disfluid-reverse-proxy-configuration-outbound-uri) - (header disfluid-reverse-proxy-configuration-header - (default "XXX-Agent")) - (extra-options - disfluid-reverse-proxy-extra-options - (default '()))) - -(define-record-type* <disfluid-hello-configuration> - disfluid-hello-configuration - make-disfluid-hello-configuration - disfluid-hello-configuration? - (disfluid disfluid-hello-configuration-disfluid - (default disfluid)) - (complete-corresponding-source - disfluid-hello-configuration-complete-corresponding-source) - (port disfluid-hello-configuration-port (default 8089)) - (extra-options - disfluid-hello-configuration-extra-options - (default '()))) - -(define-record-type* <disfluid-client-service-configuration> - disfluid-client-service-configuration - make-disfluid-client-service-configuration - disfluid-client-service-configuration? 
- (disfluid disfluid-client-service-configuration-disfluid - (default disfluid)) - (complete-corresponding-source - disfluid-client-service-configuration-complete-corresponding-source) - (client-id disfluid-client-service-configuration-client-id) - (redirect-uri disfluid-client-service-configuration-redirect-uri) - (client-name disfluid-client-service-configuration-client-name (default "Example Solid App")) - (client-uri disfluid-client-service-configuration-client-uri (default "https://webid-oidc.planete-kraus.eu/Running-a-client.html#Running-a-client")) - (port disfluid-client-service-configuration-port (default 8088)) - (extra-options - disfluid-client-service-configuration-extra-options - (default '()))) - -(define-record-type* <disfluid-server-configuration> - disfluid-server-configuration - make-disfluid-server-configuration - disfluid-server-configuration? - (disfluid disfluid-server-configuration-disfluid - (default disfluid)) - (complete-corresponding-source - disfluid-server-configuration-complete-corresponding-source) - (server-name disfluid-server-configuration-server-name) - (key-file disfluid-server-configuration-key-file) - (subject disfluid-server-configuration-subject) - (encrypted-password-file disfluid-server-configuration-encrypted-password-file) - (jwks-uri disfluid-server-configuration-jwks-uri) - (authorization-endpoint-uri - disfluid-server-configuration-authorization-endpoint-uri) - (token-endpoint-uri - disfluid-server-configuration-token-endpoint-uri) - (port disfluid-server-configuration-port (default 8088)) - (extra-options - disfluid-issuer-configuration-extra-options - (default '()))) - -(export <disfluid-issuer-configuration> - disfluid-issuer-configuration - make-disfluid-issuer-configuration - disfluid-issuer-configuration? 
- disfluid-issuer-configuration-disfluid - disfluid-issuer-configuration-complete-corresponding-source - disfluid-issuer-configuration-issuer - disfluid-issuer-configuration-key-file - disfluid-issuer-configuration-subject - disfluid-issuer-configuration-encrypted-password-file - disfluid-issuer-configuration-jwks-uri - disfluid-issuer-configuration-authorization-endpoint-uri - disfluid-issuer-configuration-token-endpoint-uri +(export <disfluid-configuration> + disfluid-configuration + make-disfluid-configuration + disfluid-configuration? + disfluid-configuration-disfluid + disfluid-configuration-complete-corresponding-source + disfluid-configuration-configuration disfluid-issuer-configuration-port - disfluid-issuer-configuration-extra-options - <disfluid-reverse-proxy-configuration> - disfluid-reverse-proxy-configuration - make-disfluid-reverse-proxy-configuration - disfluid-reverse-proxy-configuration? - disfluid-reverse-proxy-configuration-disfluid - disfluid-reverse-proxy-configuration-complete-corresponding-source - disfluid-reverse-proxy-configuration-port - disfluid-reverse-proxy-configuration-inbound-uri - disfluid-reverse-proxy-configuration-outbound-uri - disfluid-reverse-proxy-configuration-header - disfluid-reverse-proxy-configuration-extra-options - <disfluid-hello-configuration> - disfluid-hello-configuration - make-disfluid-hello-configuration - disfluid-hello-configuration? - disfluid-hello-configuration-disfluid - disfluid-hello-configuration-complete-corresponding-source - disfluid-hello-configuration-port - disfluid-hello-configuration-extra-options - <disfluid-client-service-configuration> - disfluid-client-service-configuration - make-disfluid-client-service-configuration - disfluid-client-service-configuration? 
- disfluid-client-service-configuration-disfluid - disfluid-client-service-configuration-complete-corresponding-source - disfluid-client-service-configuration-client-id - disfluid-client-service-configuration-redirect-uri - disfluid-client-service-configuration-client-name - disfluid-client-service-configuration-client-uri - disfluid-client-service-configuration-port - disfluid-client-service-configuration-extra-options - <disfluid-server-configuration> - disfluid-server-configuration - make-disfluid-server-configuration - disfluid-server-configuration? - disfluid-server-configuration-disfluid - disfluid-server-configuration-complete-corresponding-source - disfluid-server-configuration-server-name - disfluid-server-configuration-key-file - disfluid-server-configuration-subject - disfluid-server-configuration-encrypted-password-file - disfluid-server-configuration-jwks-uri - disfluid-server-configuration-authorization-endpoint-uri - disfluid-server-configuration-token-endpoint-uri - disfluid-server-configuration-port - disfluid-server-configuration-extra-options) + disfluid-issuer-configuration-extra-options) (define configuration->shepherd-service (match-lambda - ((id . 
($ <disfluid-issuer-configuration> - disfluid ccs issuer key-file subject encrypted-password-file jwks-uri - authorization-endpoint-uri token-endpoint-uri port extra-options)) - `(,(shepherd-service - (provision (list (string->symbol (format #f "disfluid-~a" id)))) - (documentation (format #f "Run a Solid identity provider (~a)" id)) - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - #~(begin - (let* ((user (getpwnam "disfluid")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/disfluid") - (prepare-directory #$(format #f "/var/lib/disfluid/~a" id)) - (prepare-directory #$(format #f "/var/cache/disfluid/~a" id))) - (make-forkexec-constructor - (list - (string-append #$disfluid "/bin/disfluid") - "identity-provider" - "-S" #$ccs - "-n" #$issuer - "-k" #$key-file - "-s" #$subject - "-W" #$encrypted-password-file - "-j" #$jwks-uri - "-a" #$authorization-endpoint-uri - "-t" #$token-endpoint-uri - "-p" (with-output-to-string (lambda () (display #$port))) - "-l" #$(format #f "issuer-~a.log" id) - "-e" #$(format #f "issuer-~a.err" id) - #$@extra-options) - #:user "disfluid" - #:group "disfluid" - #:directory "/var/log/disfluid" - #:environment-variables - '(#$(format #f "XDG_DATA_HOME=/var/lib/disfluid/~a" id) - #$(format #f "XDG_CACHE_HOME=/var/cache/disfluid/~a" id)))))) - (stop #~(make-kill-destructor))))) - ((id . 
($ <disfluid-reverse-proxy-configuration> - disfluid ccs port inbound-uri outbound-uri header extra-options)) + (($ <disfluid-configuration> + disfluid ccs configuration port extra-options) `(,(shepherd-service - (provision (list (string->symbol (format #f "disfluid-~a" id)))) - (documentation (format #f "Run a Solid reverse proxy (~a)" id)) + (provision (list 'disfluid)) + (documentation (format #f "Run disfluid")) (requirement '(user-processes)) (modules '((gnu build shepherd) (gnu system file-systems))) (start (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - #~(begin - (let* ((user (getpwnam "disfluid")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/disfluid") - (prepare-directory #$(format #f "/var/lib/disfluid/~a" id)) - (prepare-directory #$(format #f "/var/cache/disfluid/~a" id))) - (make-forkexec-constructor - (list - (string-append #$disfluid "/bin/disfluid") - "reverse-proxy" - "-S" #$ccs - "-p" (with-output-to-string (lambda () (display #$port))) - "-n" #$inbound-uri - "-b" #$outbound-uri - "-H" #$header - "-l" #$(format #f "reverse-proxy-~a.log" id) - "-e" #$(format #f "reverse-proxy-~a.err" id) - #$@extra-options) - #:user "disfluid" - #:group "disfluid" - #:directory "/var/log/disfluid" - #:environment-variables - '(#$(format #f "XDG_DATA_HOME=/var/lib/disfluid/~a" id) - #$(format #f "XDG_CACHE_HOME=/var/cache/disfluid/~a" id)))))) - (stop #~(make-kill-destructor))))) - ((id . 
($ <disfluid-hello-configuration> - disfluid ccs port extra-options)) - `(,(shepherd-service - (provision (list (string->symbol (format #f "disfluid-~a" id)))) - (documentation (format #f "Run a demonstration Solid server (~a)" id)) - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - #~(begin - (let* ((user (getpwnam "disfluid")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/disfluid") - (prepare-directory #$(format #f "/var/lib/disfluid/~a" id)) - (prepare-directory #$(format #f "/var/cache/disfluid/~a" id))) - (make-forkexec-constructor - (list - (string-append #$disfluid "/bin/disfluid-hello") - "-S" #$ccs - "-p" (with-output-to-string (lambda () (display #$port))) - "-l" #$(format #f "hello-~a.log" id) - "-e" #$(format #f "hello-~a.err" id) - #$@extra-options) - #:user "disfluid" - #:group "disfluid" - #:directory "/var/log/disfluid" - #:environment-variables - '(#$(format #f "XDG_DATA_HOME=/var/lib/disfluid/~a" id) - #$(format #f "XDG_CACHE_HOME=/var/cache/disfluid/~a" id)))))) - (stop #~(make-kill-destructor))))) - ((id . 
($ <disfluid-client-service-configuration> - disfluid ccs client-id redirect-uri client-name client-uri port - extra-options)) - `(,(shepherd-service - (provision (list (string->symbol (format #f "disfluid-~a" id)))) - (documentation (format #f "Serve the public page for an application (~a)" id)) - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - #~(begin - (let* ((user (getpwnam "disfluid")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/disfluid") - (prepare-directory #$(format #f "/var/lib/disfluid/~a" id)) - (prepare-directory #$(format #f "/var/cache/disfluid/~a" id))) - (make-forkexec-constructor - (list - (string-append #$disfluid "/bin/disfluid") - "client-service" - "-S" #$ccs - "-c" #$client-id - "-r" #$redirect-uri - "-C" #$client-name - "-u" #$client-uri - "-p" (with-output-to-string (lambda () (display #$port))) - "-l" #$(format #f "client-service-~a.log" id) - "-e" #$(format #f "client-service-~a.err" id) - #$@extra-options) - #:user "disfluid" - #:group "disfluid" - #:directory "/var/log/disfluid" - #:environment-variables - '(#$(format #f "XDG_DATA_HOME=/var/lib/disfluid/~a" id) - #$(format #f "XDG_CACHE_HOME=/var/cache/disfluid/~a" id)))))) - (stop #~(make-kill-destructor))))) - ((id . 
($ <disfluid-server-configuration> - disfluid ccs server-name key-file subject encrypted-password-file jwks-uri - authorization-endpoint-uri token-endpoint-uri port - extra-options)) - `(,(shepherd-service - (provision (list (string->symbol (format #f "disfluid-~a" id)))) - (documentation (format #f "Run a full server (~a)" id)) - (requirement '(user-processes)) - (modules '((gnu build shepherd) - (gnu system file-systems))) - (start - (with-imported-modules - (source-module-closure - '((gnu build shepherd) - (gnu system file-systems))) - #~(begin - (let* ((user (getpwnam "disfluid")) - (prepare-directory - (lambda (dir) - (mkdir-p dir) - (chown dir (passwd:uid user) (passwd:gid user)) - (chmod dir #o700)))) - (prepare-directory "/var/log/disfluid") - (prepare-directory #$(format #f "/var/lib/disfluid/~a" id)) - (prepare-directory #$(format #f "/var/cache/disfluid/~a" id))) - (make-forkexec-constructor - (list - (string-append #$disfluid "/bin/disfluid") - "server" - "-S" #$ccs - "-n" #$server-name - "-k" #$key-file - "-s" #$subject - "-W" #$encrypted-password-file - "-j" #$jwks-uri - "-a" #$authorization-endpoint-uri - "-t" #$token-endpoint-uri - "-p" (with-output-to-string (lambda () (display #$port))) - "-l" #$(format #f "server-~a.log" id) - "-e" #$(format #f "server-~a.err" id) - #$@extra-options) - #:user "disfluid" - #:group "disfluid" - #:directory "/var/log/disfluid" - #:environment-variables - '(#$(format #f "XDG_DATA_HOME=/var/lib/disfluid/~a" id) - #$(format #f "XDG_CACHE_HOME=/var/cache/disfluid/~a" id)))))) - (stop #~(make-kill-destructor))))) - ((items ...) 
- (apply append (map configuration->shepherd-service items))))) + (source-module-closure + '((gnu build shepherd) + (gnu system file-systems))) + #~(begin + (let* ((user (getpwnam "disfluid")) + (prepare-directory + (lambda (dir) + (mkdir-p dir) + (chown dir (passwd:uid user) (passwd:gid user)) + (chmod dir #o700)))) + (prepare-directory "/var/log/disfluid") + (prepare-directory "/var/lib/disfluid") + (prepare-directory "/var/cache/disfluid")) + (make-forkexec-constructor + (list + (string-append #$disfluid "/bin/disfluid") + "-S" #$ccs + "-c" #$configuration + "-p" (with-output-to-string (lambda () (display #$port))) + "-l" "server.log" + "-e" "server.err" + #$@extra-options) + #:user "disfluid" + #:group "disfluid" + #:directory "/var/log/disfluid" + #:environment-variables + '("XDG_DATA_HOME=/var/lib/disfluid" + "XDG_CACHE_HOME=/var/cache/disfluid"))))) + (stop #~(make-kill-destructor))))))) (define %disfluid-accounts (list (user-group (name "disfluid") 
@@ -418,48 +107,15 @@ (define configuration->log-rotation (match-lambda - ((id . ($ <disfluid-issuer-configuration>)) - `(,(log-rotation - (frequency 'daily) - (files - (map (lambda (ext) - (format #f "/var/log/disfluid/issuer-~a.~a" id ext)) - '("log err"))) - (options '("sharedscripts" "storedir /var/log/disfluid"))))) - ((id . ($ <disfluid-reverse-proxy-configuration>)) - `(,(log-rotation - (frequency 'daily) - (files - (map (lambda (ext) - (format #f "/var/log/disfluid/reverse-proxy-~a.~a" id ext)) - '("log err"))) - (options '("sharedscripts" "storedir /var/log/disfluid"))))) - ((id . ($ <disfluid-hello-configuration>)) - `(,(log-rotation - (frequency 'daily) - (files - (map (lambda (ext) - (format #f "/var/log/disfluid/hello-~a.~a" id ext)) - '("log err"))) - (options '("sharedscripts" "storedir /var/log/disfluid"))))) - ((id . ($ <disfluid-client-service-configuration>)) - `(,(log-rotation - (frequency 'daily) - (files - (map (lambda (ext) - (format #f "/var/log/disfluid/client-service-~a.~a" id ext)) - '("log err"))) - (options '("sharedscripts" "storedir /var/log/disfluid"))))) - ((id . ($ <disfluid-server-configuration>)) + (($ <disfluid-configuration> + disfluid ccs configuration port extra-options) `(,(log-rotation (frequency 'daily) (files (map (lambda (ext) - (format #f "/var/log/disfluid/server-~a.~a" id ext)) + (format #f "/var/log/disfluid/server.~a" ext)) '("log err"))) - (options '("sharedscripts" "storedir /var/log/disfluid"))))) - ((items ...) - (apply append (map configuration->log-rotation items))))) + (options '("sharedscripts" "storedir /var/log/disfluid"))))))) (define-public disfluid-service-type (service-type diff --git a/guix/vkraus/systems/test.scm b/guix/vkraus/systems/test.scm index 1bfc2b8..128ffee 100644 --- a/guix/vkraus/systems/test.scm +++ b/guix/vkraus/systems/test.scm 
@@ -21,12 +21,95 @@ #:use-module (vkraus packages disfluid) #:use-module (vkraus services disfluid)) +(define full-configuration + `((use-modules (webid-oidc server endpoint) + (webid-oidc server endpoint resource-server) + (webid-oidc server endpoint identity-provider) + (webid-oidc server endpoint client) + (webid-oidc oidc-configuration) + (oop goops)) + (make <router> + #:routed + (list + (make <identity-provider> + #:host "alice.localhost" + #:oidc-discovery + (make <oidc-discovery> + #:path "/.well-known/openid-configuration" + #:configuration + (make <oidc-configuration> + #:jwks-uri "http://alice.localhost/keys" + #:authorization-endpoint "http://alice.localhost/authorize" + #:token-endpoint "http://alice.localhost/token")) + #:authorization-endpoint + (make <authorization-endpoint> + #:path "/authorize" + #:subject "http://alice.localhost/profile/card#me" + #:encrypted-password ,(crypt "alice" "$6$.salt.for.Alice.") + #:key-file "/var/lib/disfluid/alice/key.jwk") + #:token-endpoint + (make <token-endpoint> + #:path "/token" + #:issuer "http://alice.localhost" + #:key-file "/var/lib/disfluid/alice/key.jwk") + #:jwks-endpoint + (make <jwks-endpoint> + #:path "/keys" + #:key-file "/var/lib/disfluid/alice/key.jwk") + #:default + (make <authenticator> + #:backend + (make <resource-server> + #:server-name "http://alice.localhost" + #:owner "http://alice.localhost/profile/card#me") + #:server-uri "http://alice.localhost")) + (make <identity-provider> + #:host "bob.localhost" + #:oidc-discovery + (make <oidc-discovery> + #:path "/.well-known/openid-configuration" + #:configuration + (make <oidc-configuration> + #:jwks-uri "http://bob.localhost/keys" + #:authorization-endpoint "http://bob.localhost/authorize" + #:token-endpoint "http://bob.localhost/token")) + #:authorization-endpoint + (make <authorization-endpoint> + #:path "/authorize" + #:subject "http://bob.localhost/profile/card#me" + #:encrypted-password ,(crypt "bob" "$6$And.salt.for.Bob") + #:key-file 
"/var/lib/disfluid/bob/key.jwk") + #:token-endpoint + (make <token-endpoint> + #:path "/token" + #:issuer "http://bob.localhost" + #:key-file "/var/lib/disfluid/bob/key.jwk") + #:jwks-endpoint + (make <jwks-endpoint> + #:path "/keys" + #:key-file "/var/lib/disfluid/bob/key.jwk") + #:default + (make <authenticator> + #:backend + (make <resource-server> + #:server-name "http://bob.localhost" + #:owner "http://bob.localhost/profile/card#me") + #:server-uri "http://bob.localhost")) + (make <client-id> + #:host "client.localhost" + #:client-id "https://client.localhost/id" + #:redirect-uris '("https://client.localhost/authorized") + #:client-name "Local Client Application" + #:client-uri "https://client.localhost/about" + #:grant-types '(authorization_code refresh_token) + #:response-types '(code)))))) + (operating-system (host-name "disfluid-test-system") (hosts-file (plain-file "hosts" - "127.0.0.1 localhost -::1 localhost + "127.0.0.1 localhost alice.localhost bob.localhost +::1 localhost alice.localhost bob.localhost ")) (users %base-user-accounts) (packages 
@@ -37,48 +120,18 @@ (append (list (service disfluid-service-type - `(("alice" - . ,(disfluid-server-configuration - (complete-corresponding-source "https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz") - (server-name "http://localhost:8081") - (subject "http://localhost:8081/alice#me") - (encrypted-password-file - (computed-file "alice-password" - #~(let ((salt "$6$.salt.for.Alice.") - (password "alice")) - (call-with-output-file #$output - (lambda (port) - (format port "~a\n" - (crypt password salt))))))) - (key-file "/var/lib/disfluid/alice/key.jwk") - (jwks-uri "http://localhost:8081/keys") - (authorization-endpoint-uri "http://localhost:8081/authorize") - (token-endpoint-uri "http://localhost:8081/token") - (port 8081))) - ("bob" - . ,(disfluid-server-configuration - (complete-corresponding-source "https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz") - (server-name "http://localhost:8082") - (subject "http://localhost:8082/bob#me") - (encrypted-password-file - (computed-file "bob-password" - #~(let ((salt "$6$And.salt.for.Bob") - (password "bob")) - (call-with-output-file #$output - (lambda (port) - (format port "~a\n" - (crypt password salt))))))) - (key-file "/var/lib/disfluid/bob/key.jwk") - (jwks-uri "http://localhost:8082/keys") - (authorization-endpoint-uri "http://localhost:8082/authorize") - (token-endpoint-uri "http://localhost:8082/token") - (port 8082)))))) + (disfluid-configuration + (complete-corresponding-source "http://ccs.local/disfluid.tar.gz") + (configuration + (scheme-file "disfluid-configuration.scm" + full-configuration)) + (port 8080)))) %base-services)) (timezone "Europe/Paris") (bootloader (bootloader-configuration (bootloader grub-efi-bootloader) - (target "/boot/efi"))) + (targets '("/boot/efi")))) (mapped-devices '()) (file-systems `(,(file-system diff --git a/po/POTFILES.in b/po/POTFILES.in index 23f2693..5834688 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in 
@@ -27,7 +27,6 @@ src/scm/webid-oidc/ChangeLog src/scm/webid-oidc/Makefile.am src/scm/webid-oidc/access-token.scm src/scm/webid-oidc/authorization-code.scm -src/scm/webid-oidc/authorization-endpoint.scm src/scm/webid-oidc/cache.scm src/scm/webid-oidc/catalog.scm src/scm/webid-oidc/client-manifest.scm @@ -58,7 +57,6 @@ src/scm/webid-oidc/example-app.scm src/scm/webid-oidc/fetch.scm src/scm/webid-oidc/hello-world.scm src/scm/webid-oidc/http-link.scm -src/scm/webid-oidc/identity-provider.scm src/scm/webid-oidc/jti.scm src/scm/webid-oidc/jwk.scm src/scm/webid-oidc/jws.scm @@ -70,8 +68,6 @@ src/scm/webid-oidc/program.scm src/scm/webid-oidc/provider-confirmation.scm src/scm/webid-oidc/rdf-index.scm src/scm/webid-oidc/refresh-token.scm -src/scm/webid-oidc/resource-server.scm -src/scm/webid-oidc/reverse-proxy.scm src/scm/webid-oidc/serializable.scm src/scm/webid-oidc/serve.scm src/scm/webid-oidc/server/create.scm @@ -90,7 +86,6 @@ src/scm/webid-oidc/server/update.scm src/scm/webid-oidc/simulation.scm src/scm/webid-oidc/stubs.scm src/scm/webid-oidc/testing.scm -src/scm/webid-oidc/token-endpoint.scm src/scm/webid-oidc/web-i18n.scm src/ui/account-widget.glade src/ui/authorization-prompt.glade diff --git a/po/disfluid.pot b/po/disfluid.pot index 872407d..542e896 100644 --- a/po/disfluid.pot +++ b/po/disfluid.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: disfluid SNAPSHOT\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-10-20 18:03+0200\n" +"POT-Creation-Date: 2021-10-20 18:13+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" 
@@ -276,31 +276,6 @@ msgid "" "client-id) or (#:jwt-header and #:jwt-payload) should be passed" msgstr "" -#: src/scm/webid-oidc/authorization-endpoint.scm:70 -#: src/scm/webid-oidc/client.scm:193 src/scm/webid-oidc/hello-world.scm:147 -#: src/scm/webid-oidc/identity-provider.scm:120 -#: src/scm/webid-oidc/resource-server.scm:124 -#: src/scm/webid-oidc/server/endpoint/client.scm:153 -#: src/scm/webid-oidc/server/endpoint/hello.scm:63 -#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:389 -#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:403 -#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:125 -#: src/scm/webid-oidc/token-endpoint.scm:68 -msgid "xml-lang|en" -msgstr "" - -#: src/scm/webid-oidc/authorization-endpoint.scm:73 -msgid "<h1>The authorization request failed</h1>" -msgstr "" - -#: src/scm/webid-oidc/authorization-endpoint.scm:78 -#: src/scm/webid-oidc/client.scm:201 src/scm/webid-oidc/hello-world.scm:155 -#: src/scm/webid-oidc/identity-provider.scm:128 -#: src/scm/webid-oidc/resource-server.scm:132 -#: src/scm/webid-oidc/token-endpoint.scm:76 -msgid "<p>No more information.</p>" -msgstr "" - #: src/scm/webid-oidc/cache.scm:94 #, scheme-format msgid "Dropping cache item ~a.~%" @@ -408,14 +383,10 @@ msgstr "" msgid "cannot serve the public manifest" msgstr "" -#: src/scm/webid-oidc/client.scm:137 +#: src/scm/webid-oidc/client.scm:133 msgid "accept-language-header|en-us" msgstr "" -#: src/scm/webid-oidc/client.scm:196 -msgid "<h1>The request failed</h1>" -msgstr "" - #: src/scm/webid-oidc/client/accounts.scm:118 #, scheme-format msgid "an authorization code is required: ~s, it can be obtained at ~s" 
@@ -885,31 +856,31 @@ msgstr "" msgid "cannot negociate a recognized RFD content type, got ~s" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:49 src/scm/webid-oidc/program.scm:240 +#: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/program.scm:239 msgid "command-line|version" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:51 src/scm/webid-oidc/program.scm:244 +#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:243 msgid "command-line|complete-corresponding-source" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:53 src/scm/webid-oidc/program.scm:246 +#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:245 msgid "command-line|help" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:55 +#: src/scm/webid-oidc/hello-world.scm:54 msgid "command-line|port" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:57 src/scm/webid-oidc/program.scm:278 +#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:251 msgid "command-line|log-file" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:59 src/scm/webid-oidc/program.scm:280 +#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:253 msgid "command-line|error-file" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:71 +#: src/scm/webid-oidc/hello-world.scm:70 #, scheme-format msgid "" "~a [OPTIONS]...\n" 
@@ -938,24 +909,38 @@ msgid "" " redirect the program errors to FILE.err.\n" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:104 +#: src/scm/webid-oidc/hello-world.scm:103 #, scheme-format msgid "~a version ~a\n" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:113 src/scm/webid-oidc/program.scm:642 +#: src/scm/webid-oidc/hello-world.scm:112 msgid "" "You are legally required to link to the complete corresponding source code.\n" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:123 +#: src/scm/webid-oidc/hello-world.scm:122 msgid "The port should be a number between 0 and 65535.\n" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:150 +#: src/scm/webid-oidc/hello-world.scm:146 src/scm/webid-oidc/program.scm:145 +#: src/scm/webid-oidc/server/endpoint/client.scm:153 +#: src/scm/webid-oidc/server/endpoint/hello.scm:63 +#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:389 +#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:403 +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:125 +#: src/scm/webid-oidc/simulation.scm:90 +msgid "xml-lang|en" +msgstr "" + +#: src/scm/webid-oidc/hello-world.scm:149 msgid "<h1>Please authenticate</h1>" msgstr "" +#: src/scm/webid-oidc/hello-world.scm:154 +msgid "<p>No more information.</p>" +msgstr "" + #: src/scm/webid-oidc/http-link.scm:148 msgid "the #:anchor parameter should be a string or an URI reference" msgstr "" @@ -1000,18 +985,6 @@ msgstr "" msgid "the #:attribute-value parameter should be a string or URI" msgstr "" -#: src/scm/webid-oidc/identity-provider.scm:61 -msgid "reason-phrase|Not Found" -msgstr "" - -#: src/scm/webid-oidc/identity-provider.scm:64 -msgid "<p>Your request cannot be handled by the identity provider.</p>" -msgstr "" - -#: src/scm/webid-oidc/identity-provider.scm:123 -msgid "<h1>The identity provider request failed</h1>" -msgstr "" - #: src/scm/webid-oidc/jti.scm:59 #, scheme-format msgid "a replay has been detected with JTI ~s" 
@@ -1270,41 +1243,32 @@ msgid "" "passed" msgstr "" -#: src/scm/webid-oidc/program.scm:64 +#: src/scm/webid-oidc/program.scm:65 #, scheme-format msgid "~a: Warning: XML_CATALOG_FILES is set to ~s.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:67 +#: src/scm/webid-oidc/program.scm:68 #, scheme-format msgid "~a: ~s ~a ~s...\n" msgstr "" -#: src/scm/webid-oidc/program.scm:73 +#: src/scm/webid-oidc/program.scm:74 #, scheme-format msgid "~a: ~s ~a ~s: ~s ~a bytes\n" msgstr "" -#: src/scm/webid-oidc/program.scm:90 +#: src/scm/webid-oidc/program.scm:93 #, scheme-format msgid "~a: connecting to ~s\n" msgstr "" -#: src/scm/webid-oidc/program.scm:135 -msgid "really bad internal server error" +#: src/scm/webid-oidc/program.scm:147 src/scm/webid-oidc/simulation.scm:92 +msgid "An error happened…" msgstr "" -#: src/scm/webid-oidc/program.scm:142 -#, scheme-format -msgid "~a: ~a: Internal server error: ~a\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:148 -msgid "Internal Server Error" -msgstr "" - -#: src/scm/webid-oidc/program.scm:151 -msgid "Sorry, there was an error." +#: src/scm/webid-oidc/program.scm:150 src/scm/webid-oidc/simulation.scm:95 +msgid "<p>Sorry, an error happened.</p>" msgstr "" #: src/scm/webid-oidc/program.scm:172 
@@ -1327,82 +1291,30 @@ msgstr "" msgid "(there was an error: ~a)" msgstr "" -#: src/scm/webid-oidc/program.scm:242 +#: src/scm/webid-oidc/program.scm:241 msgid "command-line|describe-project" msgstr "" -#: src/scm/webid-oidc/program.scm:248 +#: src/scm/webid-oidc/program.scm:247 msgid "command-line|server|port" msgstr "" -#: src/scm/webid-oidc/program.scm:250 -msgid "command-line|server|server-name" -msgstr "" - -#: src/scm/webid-oidc/program.scm:252 -msgid "command-line|server|reverse-proxy|backend-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:254 -msgid "command-line|server|reverse-proxy|header" -msgstr "" - -#: src/scm/webid-oidc/program.scm:256 -msgid "command-line|server|issuer|key-file" -msgstr "" - -#: src/scm/webid-oidc/program.scm:258 -msgid "command-line|server|issuer|subject" -msgstr "" - -#: src/scm/webid-oidc/program.scm:260 -msgid "command-line|server|issuer|encrypted-password" -msgstr "" - -#: src/scm/webid-oidc/program.scm:262 -msgid "command-line|server|issuer|encrypted-password-from-file" -msgstr "" - -#: src/scm/webid-oidc/program.scm:264 -msgid "command-line|server|issuer|jwks-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:266 -msgid "command-line|server|issuer|authorization-endpoint-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:268 -msgid "command-line|server|issuer|token-endpoint-uri" +#: src/scm/webid-oidc/program.scm:249 +msgid "command-line|server|configuration" msgstr "" #: src/scm/webid-oidc/program.scm:270 -msgid "command-line|server|client-id" -msgstr "" - -#: src/scm/webid-oidc/program.scm:272 -msgid "command-line|server|redirect-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:274 -msgid "command-line|server|client-name" -msgstr "" - -#: src/scm/webid-oidc/program.scm:276 -msgid "command-line|server|client-uri" -msgstr "" - -#: src/scm/webid-oidc/program.scm:310 #, scheme-format -msgid "Usage: ~a COMMAND [OPTIONS]...\n" +msgid "Usage: ~a [OPTIONS]...\n" msgstr "" -#: src/scm/webid-oidc/program.scm:314 +#: 
src/scm/webid-oidc/program.scm:274 msgid "" "\n" -"Run the disfluid COMMAND." +"Run disfluid." msgstr "" -#: src/scm/webid-oidc/program.scm:317 +#: src/scm/webid-oidc/program.scm:277 msgid "" "\n" "This program is covered by the GNU Affero GPL, version 3 or\n" 
@@ -1412,87 +1324,13 @@ msgid "" "to all responses." msgstr "" -#: src/scm/webid-oidc/program.scm:324 -msgid "" -"\n" -"Available commands:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:326 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run an authenticating reverse proxy." -msgstr "" - -#: src/scm/webid-oidc/program.scm:329 src/scm/webid-oidc/program.scm:524 -#: src/scm/webid-oidc/program.scm:724 -msgid "command-line|command|reverse-proxy" -msgstr "" - -#: src/scm/webid-oidc/program.scm:330 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run an identity provider." -msgstr "" - -#: src/scm/webid-oidc/program.scm:333 src/scm/webid-oidc/program.scm:549 -#: src/scm/webid-oidc/program.scm:745 -msgid "command-line|command|identity-provider" -msgstr "" - -#: src/scm/webid-oidc/program.scm:334 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" serve the pages for a public application." -msgstr "" - -#: src/scm/webid-oidc/program.scm:337 src/scm/webid-oidc/program.scm:570 -#: src/scm/webid-oidc/program.scm:786 -msgid "command-line|command|client-service" -msgstr "" - -#: src/scm/webid-oidc/program.scm:338 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run a full server, with identity provider and resource storage\n" -" facility." -msgstr "" - -#: src/scm/webid-oidc/program.scm:342 src/scm/webid-oidc/program.scm:596 -#: src/scm/webid-oidc/program.scm:815 -msgid "command-line|command|server" -msgstr "" - -#: src/scm/webid-oidc/program.scm:344 -msgid "" -"\n" -"If no command is specified, run the browser." -msgstr "" - -#: src/scm/webid-oidc/program.scm:347 +#: src/scm/webid-oidc/program.scm:285 msgid "" "\n" "General options:" msgstr "" -#: src/scm/webid-oidc/program.scm:349 -#, scheme-format -msgid "" -"\n" -" -S MEANS, --~a=MEANS:\n" -" specify a way to download the complete corresponding source\n" -" code. For instance, this would be an URI pointing to a tarball." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:354 +#: src/scm/webid-oidc/program.scm:287 #, scheme-format msgid "" "\n" @@ -1500,7 +1338,7 @@ msgid "" " display a short help message and exit." msgstr "" -#: src/scm/webid-oidc/program.scm:358 +#: src/scm/webid-oidc/program.scm:291 #, scheme-format msgid "" "\n" @@ -1508,7 +1346,7 @@ msgid "" " display the version information (~a, released ~a) and exit." msgstr "" -#: src/scm/webid-oidc/program.scm:364 +#: src/scm/webid-oidc/program.scm:297 #, scheme-format msgid "" "\n" @@ -1516,7 +1354,7 @@ msgid "" " describe the project in the DOAP vocabulary and exit." msgstr "" -#: src/scm/webid-oidc/program.scm:368 +#: src/scm/webid-oidc/program.scm:301 #, scheme-format msgid "" "\n" @@ -1524,7 +1362,7 @@ msgid "" " redirect the program standard output to FILE.log." msgstr "" -#: src/scm/webid-oidc/program.scm:372 +#: src/scm/webid-oidc/program.scm:305 #, scheme-format msgid "" "\n" 
@@ -1532,164 +1370,45 @@ msgid "" " redirect the program errors to FILE.err." msgstr "" -#: src/scm/webid-oidc/program.scm:377 -msgid "" -"\n" -"General server-side options:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:379 -#, scheme-format -msgid "" -"\n" -" -p PORT, --~a=PORT:\n" -" set the server port to bind, 8080 by default." -msgstr "" - -#: src/scm/webid-oidc/program.scm:383 -#, scheme-format -msgid "" -"\n" -" -n URI, --~a=URI:\n" -" set the public server URI (scheme, userinfo, host, and port)." -msgstr "" - -#: src/scm/webid-oidc/program.scm:388 -msgid "" -"\n" -"Options for the resource server:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:390 -#, scheme-format -msgid "" -"\n" -" -H HEADER, --~a=HEADER:\n" -" the HEADER field contains the webid of the authenticated user,\n" -" XXX-Agent by default. For the full server, disable Solid-OIDC\n" -" authentication." -msgstr "" - -#: src/scm/webid-oidc/program.scm:396 -#, scheme-format -msgid "" -"\n" -" -b URI, --~a=URI:\n" -" set the backend URI for the reverse proxy, only for the\n" -" reverse-proxy command." -msgstr "" - -#: src/scm/webid-oidc/program.scm:402 -msgid "" -"\n" -"Options for the identity provider:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:404 -#, scheme-format -msgid "" -"\n" -" -k FILE, --~a=FILE.jwk:\n" -" set the file name of the key file. If it does not exist, a new\n" -" key is generated. The server does not offer an HTTPS service." -msgstr "" - -#: src/scm/webid-oidc/program.scm:409 -#, scheme-format -msgid "" -"\n" -" -s WEBID, --~a=WEBID:\n" -" set the identity of the subject." -msgstr "" - -#: src/scm/webid-oidc/program.scm:413 -#, scheme-format -msgid "" -"\n" -" -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n" -" set the encrypted password to recognize the user." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:417 -#, scheme-format -msgid "" -"\n" -" -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE:\n" -" load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE." -msgstr "" - -#: src/scm/webid-oidc/program.scm:421 -#, scheme-format -msgid "" -"\n" -" -j URI, --~a=URI:\n" -" set the URI to query the key of the server." -msgstr "" - -#: src/scm/webid-oidc/program.scm:425 -#, scheme-format -msgid "" -"\n" -" -a URI, --~a=URI:\n" -" set the authorization endpoint of the issuer." -msgstr "" - -#: src/scm/webid-oidc/program.scm:429 -#, scheme-format -msgid "" -"\n" -" -t URI, --~a=URI:\n" -" set the token endpoint of the issuer." -msgstr "" - -#: src/scm/webid-oidc/program.scm:434 -msgid "" -"\n" -"Options for the client service:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:436 -#, scheme-format +#: src/scm/webid-oidc/program.scm:310 msgid "" "\n" -" -c URI, --~a=URI:\n" -" set the web identifier of the client application, which is\n" -" dereferenced to a semantic resource." +"Running a server:" msgstr "" -#: src/scm/webid-oidc/program.scm:441 +#: src/scm/webid-oidc/program.scm:312 #, scheme-format msgid "" "\n" -" -r URI, --~a=URI:\n" -" set the redirection URI to get the authorization code back. The\n" -" page is presented with the code to paste in the application." +" -S MEANS, --~a=MEANS:\n" +" specify a way to download the complete corresponding source\n" +" code. For instance, this would be an URI pointing to a\n" +" tarball. This option is required if a server is implemented." msgstr "" -#: src/scm/webid-oidc/program.scm:446 +#: src/scm/webid-oidc/program.scm:318 #, scheme-format msgid "" "\n" -" -C NAME, --~a=NAME:\n" -" set the user-visible application name (may be misleading...)." +" -p PORT, --~a=PORT:\n" +" set the server port to bind, 8080 by default." 
msgstr "" -#: src/scm/webid-oidc/program.scm:450 +#: src/scm/webid-oidc/program.scm:322 #, scheme-format msgid "" "\n" -" -u URI, --~a=URI:\n" -" set an URI where someone would find more information about the\n" -" application (again, may be misleading)." +" -c FILE, --~a=FILE:\n" +" set up a server with configuration from FILE." msgstr "" -#: src/scm/webid-oidc/program.scm:456 +#: src/scm/webid-oidc/program.scm:327 msgid "" "\n" "Environment variables:" msgstr "" -#: src/scm/webid-oidc/program.scm:458 +#: src/scm/webid-oidc/program.scm:329 msgid "" "\n" " XML_CATALOG_FILES: the server will fetch resources on the web. By\n" @@ -1700,23 +1419,23 @@ msgid "" " content-type." msgstr "" -#: src/scm/webid-oidc/program.scm:466 src/scm/webid-oidc/program.scm:473 -#: src/scm/webid-oidc/program.scm:482 src/scm/webid-oidc/program.scm:490 -#: src/scm/webid-oidc/program.scm:498 +#: src/scm/webid-oidc/program.scm:337 src/scm/webid-oidc/program.scm:344 +#: src/scm/webid-oidc/program.scm:353 src/scm/webid-oidc/program.scm:361 +#: src/scm/webid-oidc/program.scm:369 #, scheme-format msgid "" "the-environment-variable|\n" " It is currently set to ~s." msgstr "" -#: src/scm/webid-oidc/program.scm:469 +#: src/scm/webid-oidc/program.scm:340 msgid "" "\n" " LANG: set the locale of the user interface (for the server commands,\n" " the user is the system administrator)." msgstr "" -#: src/scm/webid-oidc/program.scm:476 +#: src/scm/webid-oidc/program.scm:347 msgid "" "\n" " XDG_DATA_HOME: where the program stores persistent data. The\n" @@ -1725,7 +1444,7 @@ msgid "" " recommended to set it to /var/lib." msgstr "" -#: src/scm/webid-oidc/program.scm:485 +#: src/scm/webid-oidc/program.scm:356 msgid "" "\n" " XDG_CACHE_HOME: where the program stores and updates the seed file,\n" 
@@ -1733,7 +1452,7 @@ msgid "" " time. The seed file will be initialized from /dev/random." msgstr "" -#: src/scm/webid-oidc/program.scm:493 +#: src/scm/webid-oidc/program.scm:364 msgid "" "\n" " HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n" 
@@ -1741,141 +1460,14 @@ msgid "" " not used otherwise." msgstr "" -#: src/scm/webid-oidc/program.scm:502 -msgid "" -"\n" -"Running a reverse proxy" -msgstr "" - -#: src/scm/webid-oidc/program.scm:504 -msgid "" -"\n" -"Suppose that you operate data.provider.com. You want to run an\n" -"authenticating reverse proxy, that will receive incoming requests\n" -"through http://localhost:8080, and forward them to\n" -"https://private.data.provider.com. The backend will look for the\n" -"XXX-Agent header, and if it is found, then its value will be\n" -"considered the webid of the authenticated\n" -"user. https://private.data.provider.com should only accept requests\n" -"from this reverse proxy." -msgstr "" - -#: src/scm/webid-oidc/program.scm:514 -#, scheme-format -msgid "" -"\n" -" ~a ~a \\\n" -" --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n" -" --~a 8080 \\\n" -" --~a 'https://data.provider.com' \\\n" -" --~a 'https://private.data.provider.com' \\\n" -" --~a 'XXX-Agent' \\\n" -" --~a '/var/log/proxy.log' \\\n" -" --~a '/var/log/proxy.err'" -msgstr "" - -#: src/scm/webid-oidc/program.scm:529 -msgid "" -"\n" -"Running an identity provider" -msgstr "" - -#: src/scm/webid-oidc/program.scm:531 -msgid "" -"\n" -"The identity provider running at webid-oidc-demo.planete-kraus.eu is\n" -"invoked with the following options:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:535 -#, scheme-format -msgid "" -"\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" -" --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" 
-" --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" -" --~a $PORT" -msgstr "" - -#: src/scm/webid-oidc/program.scm:555 -msgid "" -"\n" -"Running the public pages for an application" -msgstr "" - -#: src/scm/webid-oidc/program.scm:557 -msgid "" -"\n" -"The example client application pages for\n" -"webid-oidc-demo.planete-kraus.eu are served this way:" -msgstr "" - -#: src/scm/webid-oidc/program.scm:561 -#, scheme-format -msgid "" -"\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' " -"\\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n" -" --~a 'Example Solid Application' \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client." -"html#Running-a-client' \\\n" -" --~a $PORT" -msgstr "" - -#: src/scm/webid-oidc/program.scm:575 -msgid "" -"\n" -"Running a full server" -msgstr "" - -#: src/scm/webid-oidc/program.scm:578 -msgid "" -"\n" -"To run the server with identity provider and\n" -"resource server for one particular user, you need to combine the\n" -"options for the parts." 
-msgstr "" - -#: src/scm/webid-oidc/program.scm:582 -#, scheme-format -msgid "" -"\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://data.planete-kraus.eu' \\\n" -" --~a '/var/lib/disfluid/server/key.jwk' \\\n" -" --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" -" --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" -" --~a 'https://data.planete-kraus.eu/keys' \\\n" -" --~a 'https://data.planete-kraus.eu/authorize' \\\n" -" --~a 'https://data.planete-kraus.eu/token' \\\n" -" --~a '...port...'" -msgstr "" - -#: src/scm/webid-oidc/program.scm:607 +#: src/scm/webid-oidc/program.scm:374 #, scheme-format msgid "" "\n" "If you find a bug, then please send a report to ~a." msgstr "" -#: src/scm/webid-oidc/program.scm:612 +#: src/scm/webid-oidc/program.scm:379 #, scheme-format msgid "" "~a version ~a\n" 
@@ -1883,103 +1475,29 @@ msgid "" "Rreleased ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:649 +#: src/scm/webid-oidc/program.scm:414 #, scheme-format msgid "The --~a argument must be a number, not ~s.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:655 +#: src/scm/webid-oidc/program.scm:420 #, scheme-format msgid "The --~a argument must be an integer, not ~s.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:661 +#: src/scm/webid-oidc/program.scm:426 #, scheme-format msgid "The --~a argument must be positive, ~s is invalid.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:666 +#: src/scm/webid-oidc/program.scm:431 #, scheme-format msgid "The --~a argument must be less than 65536, ~s is invalid.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:694 -msgid "" -"You specified two different passwords: one directly, and one from a file. " -"Please set only one password.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:727 src/scm/webid-oidc/program.scm:748 -#: src/scm/webid-oidc/program.scm:817 -#, scheme-format -msgid "You must pass --~a to set the server name.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:731 -#, scheme-format -msgid "You must pass --~a to set the backend URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:752 src/scm/webid-oidc/program.scm:821 -#, scheme-format -msgid "" -"You must pass --~a to set the file where to store the identity provider " -"key.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:756 src/scm/webid-oidc/program.scm:825 -#, scheme-format -msgid "You must pass --~a to set the subject of the identity provider.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:760 -#, scheme-format -msgid "You must pass --~a or --~a to set the subject’s encrypted password.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:764 src/scm/webid-oidc/program.scm:833 -#, scheme-format -msgid "You must pass --~a to set the JWKS URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:768 src/scm/webid-oidc/program.scm:837 +#: 
src/scm/webid-oidc/program.scm:443 #, scheme-format -msgid "You must pass --~a to set the authorization endpoint URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:772 src/scm/webid-oidc/program.scm:841 -#, scheme-format -msgid "You must pass --~a to set the token endpoint URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:789 -#, scheme-format -msgid "You must pass --~a to set the application web ID.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:793 -#, scheme-format -msgid "You must pass --~a to set the redirection URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:797 -#, scheme-format -msgid "You must pass --~a to set the informative client name.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:801 -#, scheme-format -msgid "You must pass --~a to set the informative client URI.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:829 -#, scheme-format -msgid "You must pass --~a to set the subject’s encrypted password.\n" -msgstr "" - -#: src/scm/webid-oidc/program.scm:881 -#, scheme-format -msgid "Unknown command ~s\n" +msgid "--~a is required when running a server.\n" msgstr "" #: src/scm/webid-oidc/refresh-token.scm:171 @@ -1991,24 +1509,6 @@ msgstr "" msgid "the refresh token is bound to key ~s, which is not that one" msgstr "" -#: src/scm/webid-oidc/resource-server.scm:75 -msgid "" -"You need to pass #:server-uri URI where URI is the public URI of the server, " -"as a (web uri)." -msgstr "" - -#: src/scm/webid-oidc/resource-server.scm:97 -msgid "The owner is not defined." -msgstr "" - -#: src/scm/webid-oidc/resource-server.scm:127 -msgid "<h1>The resource server request failed</h1>" -msgstr "" - -#: src/scm/webid-oidc/reverse-proxy.scm:60 -msgid "#:endpoint argument is not present or not an URI." -msgstr "" - #: src/scm/webid-oidc/serializable.scm:58 msgid "a plugin class should have an explicit #:name and #:module-name" msgstr "" 
@@ -2439,7 +1939,7 @@ msgstr "" msgid "the auxiliary resource of type ~s at ~s is absent" msgstr "" -#: src/scm/webid-oidc/simulation.scm:130 +#: src/scm/webid-oidc/simulation.scm:135 #, scheme-format msgid "invalid credentials: response ~s ~s" msgstr "" @@ -2487,10 +1987,6 @@ msgstr "" msgid "an error happened while updating file ~s" msgstr "" -#: src/scm/webid-oidc/token-endpoint.scm:71 -msgid "<h1>The token request failed</h1>" -msgstr "" - #: src/ui/account-widget.glade:19 msgid "Identity:" msgstr "" @@ -2,8 +2,8 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc 0.0.0\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-10-20 18:03+0200\n" -"PO-Revision-Date: 2021-10-19 11:36+0200\n" +"POT-Creation-Date: 2021-10-20 18:13+0200\n" +"PO-Revision-Date: 2021-10-20 18:19+0200\n" "Last-Translator: Vivien Kraus <vivien@planete-kraus.eu>\n" "Language-Team: French <vivien@planete-kraus.eu>\n" "Language: fr\n" 
@@ -307,31 +307,6 @@ msgstr "" "lors de la création d’un code d’autorisation, il faut soit passer les champs " "requis (#:webid et #:client-id), soit (#:jwt-header et #:jwt-payload)" -#: src/scm/webid-oidc/authorization-endpoint.scm:70 -#: src/scm/webid-oidc/client.scm:193 src/scm/webid-oidc/hello-world.scm:147 -#: src/scm/webid-oidc/identity-provider.scm:120 -#: src/scm/webid-oidc/resource-server.scm:124 -#: src/scm/webid-oidc/server/endpoint/client.scm:153 -#: src/scm/webid-oidc/server/endpoint/hello.scm:63 -#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:389 -#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:403 -#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:125 -#: src/scm/webid-oidc/token-endpoint.scm:68 -msgid "xml-lang|en" -msgstr "fr" - -#: src/scm/webid-oidc/authorization-endpoint.scm:73 -msgid "<h1>The authorization request failed</h1>" -msgstr "<h1>La requête d’autorisation a échoué</h1>" - -#: src/scm/webid-oidc/authorization-endpoint.scm:78 -#: src/scm/webid-oidc/client.scm:201 src/scm/webid-oidc/hello-world.scm:155 -#: src/scm/webid-oidc/identity-provider.scm:128 -#: src/scm/webid-oidc/resource-server.scm:132 -#: src/scm/webid-oidc/token-endpoint.scm:76 -msgid "<p>No more information.</p>" -msgstr "<p>Pas plus d’information.</p>" - #: src/scm/webid-oidc/cache.scm:94 #, scheme-format msgid "Dropping cache item ~a.~%" @@ -448,14 +423,10 @@ msgstr "" msgid "cannot serve the public manifest" msgstr "impossible de servir le manifeste public" -#: src/scm/webid-oidc/client.scm:137 +#: src/scm/webid-oidc/client.scm:133 msgid "accept-language-header|en-us" msgstr "fr-fr" -#: src/scm/webid-oidc/client.scm:196 -msgid "<h1>The request failed</h1>" -msgstr "<h1>La requête a échoué</h1>" - #: src/scm/webid-oidc/client/accounts.scm:118 #, scheme-format msgid "an authorization code is required: ~s, it can be obtained at ~s" 
@@ -970,31 +941,31 @@ msgstr "la requête a échoué de façon inattendue avec ~s ~s" msgid "cannot negociate a recognized RFD content type, got ~s" msgstr "impossible de négocier un type de contenu RDF reconnu, ayant obtenu ~s" -#: src/scm/webid-oidc/hello-world.scm:49 src/scm/webid-oidc/program.scm:240 +#: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/program.scm:239 msgid "command-line|version" msgstr "version" -#: src/scm/webid-oidc/hello-world.scm:51 src/scm/webid-oidc/program.scm:244 +#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:243 msgid "command-line|complete-corresponding-source" msgstr "code-source-correspondant-complet" -#: src/scm/webid-oidc/hello-world.scm:53 src/scm/webid-oidc/program.scm:246 +#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:245 msgid "command-line|help" msgstr "aide" -#: src/scm/webid-oidc/hello-world.scm:55 +#: src/scm/webid-oidc/hello-world.scm:54 msgid "command-line|port" msgstr "port" -#: src/scm/webid-oidc/hello-world.scm:57 src/scm/webid-oidc/program.scm:278 +#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:251 msgid "command-line|log-file" msgstr "fichier-journal" -#: src/scm/webid-oidc/hello-world.scm:59 src/scm/webid-oidc/program.scm:280 +#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:253 msgid "command-line|error-file" msgstr "fichier-erreur" -#: src/scm/webid-oidc/hello-world.scm:71 +#: src/scm/webid-oidc/hello-world.scm:70 #, scheme-format msgid "" "~a [OPTIONS]...\n" 
@@ -1048,26 +1019,40 @@ msgstr "" " -e FICHIER.err, --~a=FICHIER.err :\n" " redirige la sortie d’erreur du programme vers ce fichier.\n" -#: src/scm/webid-oidc/hello-world.scm:104 +#: src/scm/webid-oidc/hello-world.scm:103 #, scheme-format msgid "~a version ~a\n" msgstr "~a version ~a\n" -#: src/scm/webid-oidc/hello-world.scm:113 src/scm/webid-oidc/program.scm:642 +#: src/scm/webid-oidc/hello-world.scm:112 msgid "" "You are legally required to link to the complete corresponding source code.\n" msgstr "" "Vous êtes légalement tenu de fournir un lien vers le code source " "correspondant.\n" -#: src/scm/webid-oidc/hello-world.scm:123 +#: src/scm/webid-oidc/hello-world.scm:122 msgid "The port should be a number between 0 and 65535.\n" msgstr "Le port doit être un nombre entre 0 et 65535.\n" -#: src/scm/webid-oidc/hello-world.scm:150 +#: src/scm/webid-oidc/hello-world.scm:146 src/scm/webid-oidc/program.scm:145 +#: src/scm/webid-oidc/server/endpoint/client.scm:153 +#: src/scm/webid-oidc/server/endpoint/hello.scm:63 +#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:389 +#: src/scm/webid-oidc/server/endpoint/identity-provider.scm:403 +#: src/scm/webid-oidc/server/endpoint/reverse-proxy.scm:125 +#: src/scm/webid-oidc/simulation.scm:90 +msgid "xml-lang|en" +msgstr "fr" + +#: src/scm/webid-oidc/hello-world.scm:149 msgid "<h1>Please authenticate</h1>" msgstr "<h1>Veuillez vous authentifier</h1>" +#: src/scm/webid-oidc/hello-world.scm:154 +msgid "<p>No more information.</p>" +msgstr "<p>Pas plus d’information.</p>" + #: src/scm/webid-oidc/http-link.scm:148 msgid "the #:anchor parameter should be a string or an URI reference" msgstr "" 
@@ -1116,19 +1101,6 @@ msgid "the #:attribute-value parameter should be a string or URI" msgstr "" "le paramètre #:attribute-value doit être une chaîne de caractères ou une URI" -#: src/scm/webid-oidc/identity-provider.scm:61 -msgid "reason-phrase|Not Found" -msgstr "Non Trouvé" - -#: src/scm/webid-oidc/identity-provider.scm:64 -msgid "<p>Your request cannot be handled by the identity provider.</p>" -msgstr "" -"<p>Votre requête n’a pas pu être traitée par le fournisseur d’identité.</p>" - -#: src/scm/webid-oidc/identity-provider.scm:123 -msgid "<h1>The identity provider request failed</h1>" -msgstr "<h1>La requête du fournisseur d’identité a échoué</h1>" - #: src/scm/webid-oidc/jti.scm:59 #, scheme-format msgid "a replay has been detected with JTI ~s" 
@@ -1414,42 +1386,33 @@ msgstr "" "requis (#:alg, #:webid, #:iss, #:sub, #:aud, #:iat et #:exp) soit (#:jwt-" "header et #:jwt-payload)" -#: src/scm/webid-oidc/program.scm:64 +#: src/scm/webid-oidc/program.scm:65 #, scheme-format msgid "~a: Warning: XML_CATALOG_FILES is set to ~s.\n" msgstr "~a : Attention : XML_CATALOG_FILES vaut ~s.\n" -#: src/scm/webid-oidc/program.scm:67 +#: src/scm/webid-oidc/program.scm:68 #, scheme-format msgid "~a: ~s ~a ~s...\n" msgstr "~a : ~s ~a ~s…\n" -#: src/scm/webid-oidc/program.scm:73 +#: src/scm/webid-oidc/program.scm:74 #, scheme-format msgid "~a: ~s ~a ~s: ~s ~a bytes\n" msgstr "~a : ~s ~a ~s : ~s ~a octets\n" -#: src/scm/webid-oidc/program.scm:90 +#: src/scm/webid-oidc/program.scm:93 #, scheme-format msgid "~a: connecting to ~s\n" msgstr "~a : connexion à ~s\n" -#: src/scm/webid-oidc/program.scm:135 -msgid "really bad internal server error" -msgstr "erreur interne du serveur vraiment grave" - -#: src/scm/webid-oidc/program.scm:142 -#, scheme-format -msgid "~a: ~a: Internal server error: ~a\n" -msgstr "~a : ~a : Erreur interne du serveur : ~a\n" +#: src/scm/webid-oidc/program.scm:147 src/scm/webid-oidc/simulation.scm:92 +msgid "An error happened…" +msgstr "Une erreur est survenue…" -#: src/scm/webid-oidc/program.scm:148 -msgid "Internal Server Error" -msgstr "Erreur Interne du Serveur" - -#: src/scm/webid-oidc/program.scm:151 -msgid "Sorry, there was an error." -msgstr "Toutes nos excuses, il y a eu une erreurr." +#: src/scm/webid-oidc/program.scm:150 src/scm/webid-oidc/simulation.scm:95 +msgid "<p>Sorry, an error happened.</p>" +msgstr "<p>Désolé, une erreur est survenue.</p>" #: src/scm/webid-oidc/program.scm:172 #, scheme-format 
@@ -1471,84 +1434,32 @@ msgstr "~a : ~a" msgid "(there was an error: ~a)" msgstr "(il y a eu une erreur : ~a)" -#: src/scm/webid-oidc/program.scm:242 +#: src/scm/webid-oidc/program.scm:241 msgid "command-line|describe-project" msgstr "décrire-projet" -#: src/scm/webid-oidc/program.scm:248 +#: src/scm/webid-oidc/program.scm:247 msgid "command-line|server|port" msgstr "port" -#: src/scm/webid-oidc/program.scm:250 -msgid "command-line|server|server-name" -msgstr "nom-du-serveur" - -#: src/scm/webid-oidc/program.scm:252 -msgid "command-line|server|reverse-proxy|backend-uri" -msgstr "uri-arrière-plan" - -#: src/scm/webid-oidc/program.scm:254 -msgid "command-line|server|reverse-proxy|header" -msgstr "en-tête" - -#: src/scm/webid-oidc/program.scm:256 -msgid "command-line|server|issuer|key-file" -msgstr "fichier-clé" - -#: src/scm/webid-oidc/program.scm:258 -msgid "command-line|server|issuer|subject" -msgstr "sujet" - -#: src/scm/webid-oidc/program.scm:260 -msgid "command-line|server|issuer|encrypted-password" -msgstr "mot-de-passe-chiffré" - -#: src/scm/webid-oidc/program.scm:262 -msgid "command-line|server|issuer|encrypted-password-from-file" -msgstr "fichier-de-mot-de-passe-chiffré" - -#: src/scm/webid-oidc/program.scm:264 -msgid "command-line|server|issuer|jwks-uri" -msgstr "uri-jwks" - -#: src/scm/webid-oidc/program.scm:266 -msgid "command-line|server|issuer|authorization-endpoint-uri" -msgstr "uri-terminal-autorisation" - -#: src/scm/webid-oidc/program.scm:268 -msgid "command-line|server|issuer|token-endpoint-uri" -msgstr "uri-terminal-jeton" +#: src/scm/webid-oidc/program.scm:249 +msgid "command-line|server|configuration" +msgstr "configuration" #: src/scm/webid-oidc/program.scm:270 -msgid "command-line|server|client-id" -msgstr "id-client" - -#: src/scm/webid-oidc/program.scm:272 -msgid "command-line|server|redirect-uri" -msgstr "uri-redirection" - -#: src/scm/webid-oidc/program.scm:274 -msgid "command-line|server|client-name" -msgstr "nom-client" - -#: 
src/scm/webid-oidc/program.scm:276 -msgid "command-line|server|client-uri" -msgstr "uri-client" - -#: src/scm/webid-oidc/program.scm:310 #, scheme-format -msgid "Usage: ~a COMMAND [OPTIONS]...\n" -msgstr "Utilisation : ~a COMMANDE [OPTIONS]...\n" +msgid "Usage: ~a [OPTIONS]...\n" +msgstr "Utilisation : ~a [OPTIONS]...\n" -#: src/scm/webid-oidc/program.scm:314 +#: src/scm/webid-oidc/program.scm:274 msgid "" "\n" -"Run the disfluid COMMAND." +"Run disfluid." msgstr "" "\n" -"Exécute la COMMANDE disfluid." +"Exécute disfluid." -#: src/scm/webid-oidc/program.scm:317 +#: src/scm/webid-oidc/program.scm:277 msgid "" "\n" "This program is covered by the GNU Affero GPL, version 3 or\n" 
@@ -1564,89 +1475,7 @@ msgstr "" "code source complet correspondant (avec vos modifications) sans\n" "frais. Le serveur ajoute un en-tête « Source: » à toutes les réponses." -#: src/scm/webid-oidc/program.scm:324 -msgid "" -"\n" -"Available commands:" -msgstr "" -"\n" -"Commandes disponibles :" - -#: src/scm/webid-oidc/program.scm:326 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run an authenticating reverse proxy." -msgstr "" -"\n" -" ~a :\n" -" exécute le proxy inverse authentifiant." - -#: src/scm/webid-oidc/program.scm:329 src/scm/webid-oidc/program.scm:524 -#: src/scm/webid-oidc/program.scm:724 -msgid "command-line|command|reverse-proxy" -msgstr "proxy-inversé" - -#: src/scm/webid-oidc/program.scm:330 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run an identity provider." -msgstr "" -"\n" -" ~a :\n" -" exécute un fournisseur d’identité." - -#: src/scm/webid-oidc/program.scm:333 src/scm/webid-oidc/program.scm:549 -#: src/scm/webid-oidc/program.scm:745 -msgid "command-line|command|identity-provider" -msgstr "fournisseur-identité" - -#: src/scm/webid-oidc/program.scm:334 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" serve the pages for a public application." -msgstr "" -"\n" -" ~a :\n" -" sert les pages d’une application publique." - -#: src/scm/webid-oidc/program.scm:337 src/scm/webid-oidc/program.scm:570 -#: src/scm/webid-oidc/program.scm:786 -msgid "command-line|command|client-service" -msgstr "service-client" - -#: src/scm/webid-oidc/program.scm:338 -#, scheme-format -msgid "" -"\n" -" ~a:\n" -" run a full server, with identity provider and resource storage\n" -" facility." -msgstr "" -"\n" -" ~a :\n" -" exécute un serveur complet, avec un fournisseur d’identité et\n" -" une fonction de stockage de ressources." 
- -#: src/scm/webid-oidc/program.scm:342 src/scm/webid-oidc/program.scm:596 -#: src/scm/webid-oidc/program.scm:815 -msgid "command-line|command|server" -msgstr "serveur" - -#: src/scm/webid-oidc/program.scm:344 -msgid "" -"\n" -"If no command is specified, run the browser." -msgstr "" -"\n" -"Si aucune commande n’est spécifiée, exécute le navigateur." - -#: src/scm/webid-oidc/program.scm:347 +#: src/scm/webid-oidc/program.scm:285 msgid "" "\n" "General options:" @@ -1654,21 +1483,7 @@ msgstr "" "\n" "Options générales :" -#: src/scm/webid-oidc/program.scm:349 -#, scheme-format -msgid "" -"\n" -" -S MEANS, --~a=MEANS:\n" -" specify a way to download the complete corresponding source\n" -" code. For instance, this would be an URI pointing to a tarball." -msgstr "" -"\n" -" -S MOYEN, --~a=MOYEN :\n" -" spécifie un moyen de télécharger le code source complet\n" -" correspondant. Par exemple, MOYEN serait une URI pointant vers\n" -" l’archive de code." - -#: src/scm/webid-oidc/program.scm:354 +#: src/scm/webid-oidc/program.scm:287 #, scheme-format msgid "" "\n" @@ -1679,7 +1494,7 @@ msgstr "" " -h, --~a :\n" " affiche un court message d’aide et quitte." -#: src/scm/webid-oidc/program.scm:358 +#: src/scm/webid-oidc/program.scm:291 #, scheme-format msgid "" "\n" @@ -1690,7 +1505,7 @@ msgstr "" " -v, --~a :\n" " affiche le numéro de version (~a, publiée le ~a) et quitte." -#: src/scm/webid-oidc/program.scm:364 +#: src/scm/webid-oidc/program.scm:297 #, scheme-format msgid "" "\n" @@ -1701,7 +1516,7 @@ msgstr "" " --~a :\n" " décrit le projet dans le vocabulaire DOAP et quitte." -#: src/scm/webid-oidc/program.scm:368 +#: src/scm/webid-oidc/program.scm:301 #, scheme-format msgid "" "\n" @@ -1712,7 +1527,7 @@ msgstr "" " -l FICHIER.journal, --~a=FICHIER.journal :\n" " redirige la sortie standard du programme vers FICHIER.journal." -#: src/scm/webid-oidc/program.scm:372 +#: src/scm/webid-oidc/program.scm:305 #, scheme-format msgid "" "\n" 
@@ -1723,225 +1538,53 @@ msgstr "" " -e FICHIER.erreurs, --~a=FICHIER.erreurs :\n" " redirige les erreurs du programme vers FICHIER.erreurs." -#: src/scm/webid-oidc/program.scm:377 -msgid "" -"\n" -"General server-side options:" -msgstr "" -"\n" -"Options générales pour un serveur :" - -#: src/scm/webid-oidc/program.scm:379 -#, scheme-format -msgid "" -"\n" -" -p PORT, --~a=PORT:\n" -" set the server port to bind, 8080 by default." -msgstr "" -"\n" -" -p PORT, --~a=PORT :\n" -" définit le port à lier, 8080 par défaut." - -#: src/scm/webid-oidc/program.scm:383 -#, scheme-format -msgid "" -"\n" -" -n URI, --~a=URI:\n" -" set the public server URI (scheme, userinfo, host, and port)." -msgstr "" -"\n" -" -n URI, --~a=URI :\n" -" définit l’URI publique du serveur (schéma, identifiant de\n" -" l’utilisateur, hôte et port)." - -#: src/scm/webid-oidc/program.scm:388 -msgid "" -"\n" -"Options for the resource server:" -msgstr "" -"\n" -"Options pour le serveur de ressources :" - -#: src/scm/webid-oidc/program.scm:390 -#, scheme-format -msgid "" -"\n" -" -H HEADER, --~a=HEADER:\n" -" the HEADER field contains the webid of the authenticated user,\n" -" XXX-Agent by default. For the full server, disable Solid-OIDC\n" -" authentication." -msgstr "" -"\n" -" -H EN-TÊTE, --~a=EN-TÊTE :\n" -" le champ EN-TÊTE contiendra l’identifiant webid de l’utilisateur\n" -" authentifié, XXX-Agent par défaut. Pour un serveur complet, ceci\n" -" désactive l’authentification par Solid-OIDC." - -#: src/scm/webid-oidc/program.scm:396 -#, scheme-format -msgid "" -"\n" -" -b URI, --~a=URI:\n" -" set the backend URI for the reverse proxy, only for the\n" -" reverse-proxy command." -msgstr "" -"\n" -" -b URI, --~a=URI :\n" -" définit l’URI sortante du proxy inversé, seulement pour la\n" -" commande proxy-inversé." 
- -#: src/scm/webid-oidc/program.scm:402 -msgid "" -"\n" -"Options for the identity provider:" -msgstr "" -"\n" -"Options du fournisseur d’identité :" - -#: src/scm/webid-oidc/program.scm:404 -#, scheme-format -msgid "" -"\n" -" -k FILE, --~a=FILE.jwk:\n" -" set the file name of the key file. If it does not exist, a new\n" -" key is generated. The server does not offer an HTTPS service." -msgstr "" -"\n" -" -k FICHIER.jwk, --~a=FICHIER.jwk :\n" -" définit le nom du fichier de clé. S’il n’existe pas, une\n" -" nouvelle clé sera générée. Le serveur n’offre pas de service\n" -" HTTPS." - -#: src/scm/webid-oidc/program.scm:409 -#, scheme-format -msgid "" -"\n" -" -s WEBID, --~a=WEBID:\n" -" set the identity of the subject." -msgstr "" -"\n" -" -s WEBID, --~a=WEBID :\n" -" définit l'identité du sujet." - -#: src/scm/webid-oidc/program.scm:413 -#, scheme-format -msgid "" -"\n" -" -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n" -" set the encrypted password to recognize the user." -msgstr "" -"\n" -" -w MOT_DE_PASSE_CHIFFRÉ, --~a=MOT_DE_PASSE_CHIFFRÉ :\n" -" définit le mot de passe chiffré pour reconnaître l’utilisateur." - -#: src/scm/webid-oidc/program.scm:417 -#, scheme-format -msgid "" -"\n" -" -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE:\n" -" load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE." -msgstr "" -"\n" -" -w FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ, --" -"~a=FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ :\n" -" lit le mot de passe chiffré de l’utilisateur dans " -"FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ." - -#: src/scm/webid-oidc/program.scm:421 -#, scheme-format -msgid "" -"\n" -" -j URI, --~a=URI:\n" -" set the URI to query the key of the server." -msgstr "" -"\n" -" -j URI, --~a=URI :\n" -" définit l’URI pour requêter les clés du serveur." - -#: src/scm/webid-oidc/program.scm:425 -#, scheme-format -msgid "" -"\n" -" -a URI, --~a=URI:\n" -" set the authorization endpoint of the issuer." 
-msgstr "" -"\n" -" -a URI, --~a=URI :\n" -" définit l'URI du terminal d'autorisation de l’émetteur\n" -" d’identité." - -#: src/scm/webid-oidc/program.scm:429 -#, scheme-format -msgid "" -"\n" -" -t URI, --~a=URI:\n" -" set the token endpoint of the issuer." -msgstr "" -"\n" -" -t URI, --~a=URI :\n" -" définit le terminal de jeton de l’émetteur d’identité." - -#: src/scm/webid-oidc/program.scm:434 -msgid "" -"\n" -"Options for the client service:" -msgstr "" -"\n" -"Options pour le service associé à un client :" - -#: src/scm/webid-oidc/program.scm:436 -#, scheme-format +#: src/scm/webid-oidc/program.scm:310 msgid "" "\n" -" -c URI, --~a=URI:\n" -" set the web identifier of the client application, which is\n" -" dereferenced to a semantic resource." +"Running a server:" msgstr "" "\n" -" -c URI, --~a=URI :\n" -" définit l’identifiant web de l’application client, qui est\n" -" déréférencé pour une ressource sémantique." +"Exécution d’un serveur :" -#: src/scm/webid-oidc/program.scm:441 +#: src/scm/webid-oidc/program.scm:312 #, scheme-format msgid "" "\n" -" -r URI, --~a=URI:\n" -" set the redirection URI to get the authorization code back. The\n" -" page is presented with the code to paste in the application." +" -S MEANS, --~a=MEANS:\n" +" specify a way to download the complete corresponding source\n" +" code. For instance, this would be an URI pointing to a\n" +" tarball. This option is required if a server is implemented." msgstr "" "\n" -" -r URI, --~a=URI :\n" -" définit l’URI de redirection pour récupérer le code\n" -" d’autorisation. La page de redirection affiche le code à coller\n" -" dans l’application." +" -S MOYEN, --~a=MOYEN :\n" +" spécifie un moyen de télécharger le code source complet\n" +" correspondant. Par exemple, MOYEN serait une URI pointant vers\n" +" l’archive de code. Cette option est requise si un serveur est\n" +" exécuté." 
-#: src/scm/webid-oidc/program.scm:446 +#: src/scm/webid-oidc/program.scm:318 #, scheme-format msgid "" "\n" -" -C NAME, --~a=NAME:\n" -" set the user-visible application name (may be misleading...)." +" -p PORT, --~a=PORT:\n" +" set the server port to bind, 8080 by default." msgstr "" "\n" -" -C NOM, --~a=NOM :\n" -" définit le nom de l’application visible par l’utilisateur (peut\n" -" être trompeur…)." +" -p PORT, --~a=PORT :\n" +" définit le port à lier, 8080 par défaut." -#: src/scm/webid-oidc/program.scm:450 +#: src/scm/webid-oidc/program.scm:322 #, scheme-format msgid "" "\n" -" -u URI, --~a=URI:\n" -" set an URI where someone would find more information about the\n" -" application (again, may be misleading)." +" -c FILE, --~a=FILE:\n" +" set up a server with configuration from FILE." msgstr "" "\n" -" -u URI, --~a=URI :\n" -" définit l’URI présentant plus d’informations à propos de\n" -" l’application (peut aussi être trompeur)." +" -c FICHIER, --~a=FICHIER :\n" +" met en place un serveur dont la configuration vient de FICHIER." -#: src/scm/webid-oidc/program.scm:456 +#: src/scm/webid-oidc/program.scm:327 msgid "" "\n" "Environment variables:" @@ -1949,7 +1592,7 @@ msgstr "" "\n" "Variables d’environnement :" -#: src/scm/webid-oidc/program.scm:458 +#: src/scm/webid-oidc/program.scm:329 msgid "" "\n" " XML_CATALOG_FILES: the server will fetch resources on the web. By\n" @@ -1968,9 +1611,9 @@ msgstr "" " fichiers depuis le système de fichiers, parce qu’il n’y a pas de\n" " moyen de spécifier le type de contenu." -#: src/scm/webid-oidc/program.scm:466 src/scm/webid-oidc/program.scm:473 -#: src/scm/webid-oidc/program.scm:482 src/scm/webid-oidc/program.scm:490 -#: src/scm/webid-oidc/program.scm:498 +#: src/scm/webid-oidc/program.scm:337 src/scm/webid-oidc/program.scm:344 +#: src/scm/webid-oidc/program.scm:353 src/scm/webid-oidc/program.scm:361 +#: src/scm/webid-oidc/program.scm:369 #, scheme-format msgid "" "the-environment-variable|\n" 
@@ -1979,7 +1622,7 @@ msgstr "" " \n" " Elle vaut actuellement ~s." -#: src/scm/webid-oidc/program.scm:469 +#: src/scm/webid-oidc/program.scm:340 msgid "" "\n" " LANG: set the locale of the user interface (for the server commands,\n" @@ -1989,7 +1632,7 @@ msgstr "" " LANG : définit la locale de l’interface utilisateur (pour les\n" " commandes serveur, l’utilisateur est l’administrateur système)." -#: src/scm/webid-oidc/program.scm:476 +#: src/scm/webid-oidc/program.scm:347 msgid "" "\n" " XDG_DATA_HOME: where the program stores persistent data. The\n" @@ -2004,7 +1647,7 @@ msgstr "" " ici. Pour un service système, il est recommandé d’utiliser\n" " /var/lib." -#: src/scm/webid-oidc/program.scm:485 +#: src/scm/webid-oidc/program.scm:356 msgid "" "\n" " XDG_CACHE_HOME: where the program stores and updates the seed file,\n" @@ -2017,7 +1660,7 @@ msgstr "" " supprimer ce dossier n’importe quand. Le fichier de graine sera\n" " initialisé à partir de /dev/random." -#: src/scm/webid-oidc/program.scm:493 +#: src/scm/webid-oidc/program.scm:364 msgid "" "\n" " HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n" 
@@ -2029,214 +1672,7 @@ msgstr "" " valeur est calculée à partir de la variable d’environnement\n" " HOME. Elle n’est pas utilisée autrement." -#: src/scm/webid-oidc/program.scm:502 -msgid "" -"\n" -"Running a reverse proxy" -msgstr "" -"\n" -"Exécution d’un proxy inversé" - -#: src/scm/webid-oidc/program.scm:504 -msgid "" -"\n" -"Suppose that you operate data.provider.com. You want to run an\n" -"authenticating reverse proxy, that will receive incoming requests\n" -"through http://localhost:8080, and forward them to\n" -"https://private.data.provider.com. The backend will look for the\n" -"XXX-Agent header, and if it is found, then its value will be\n" -"considered the webid of the authenticated\n" -"user. https://private.data.provider.com should only accept requests\n" -"from this reverse proxy." -msgstr "" -"\n" -"Supposons que vous opériez data.provider.com. Vous voulez exécuter un\n" -"proxy inversé authentifiant, qui recevra les requêtes entrantes à\n" -"travers http://localhost:8080, et les redirigera vers\n" -"https://private.data.provider.com. L’arrière-boutique recherchera\n" -"l’en-tête XXX-Agent, et s’il est trouvé, alors sa valeur sera\n" -"considérée comme le webid de l’utilisateur\n" -"authentifié. https://private.data.provider.com ne doit accepter que\n" -"les requêtes depuis ce proxy inversé." 
- -#: src/scm/webid-oidc/program.scm:514 -#, scheme-format -msgid "" -"\n" -" ~a ~a \\\n" -" --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n" -" --~a 8080 \\\n" -" --~a 'https://data.provider.com' \\\n" -" --~a 'https://private.data.provider.com' \\\n" -" --~a 'XXX-Agent' \\\n" -" --~a '/var/log/proxy.log' \\\n" -" --~a '/var/log/proxy.err'" -msgstr "" -"\n" -" export LANG=fr_FR.UTF-8\n" -" ~a ~a \\\n" -" --~a 'https://data.provider.com/code-source-serveur.tar.gz \\\n" -" --~a 8080 \\\n" -" --~a 'https://data.provider.com \\\n" -" --~a 'https://private.data.provider.com \\\n" -" --~a 'XXX-Agent' \\\n" -" --~a '/var/log/proxy.log' \\\n" -" --~a '/var/log/proxy.err'" - -#: src/scm/webid-oidc/program.scm:529 -msgid "" -"\n" -"Running an identity provider" -msgstr "" -"\n" -"Exécution d’un fournisseur d’identité" - -#: src/scm/webid-oidc/program.scm:531 -msgid "" -"\n" -"The identity provider running at webid-oidc-demo.planete-kraus.eu is\n" -"invoked with the following options:" -msgstr "" -"\n" -"Le fournisseur d’identité qui tourne sur\n" -"webid-oidc-demo.planete-kraus.eu est invoqué avec les options\n" -"suivantes :" - -#: src/scm/webid-oidc/program.scm:535 -#, scheme-format -msgid "" -"\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" -" --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" -" --~a $PORT" -msgstr "" -"\n" -" export LANG=fr_FR.UTF-8\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a 
~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" -" --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" -" --~a $PORT" - -#: src/scm/webid-oidc/program.scm:555 -msgid "" -"\n" -"Running the public pages for an application" -msgstr "" -"\n" -"Service des pages publiques pour une application" - -#: src/scm/webid-oidc/program.scm:557 -msgid "" -"\n" -"The example client application pages for\n" -"webid-oidc-demo.planete-kraus.eu are served this way:" -msgstr "" -"\n" -"Les pages de l’application client d’exemple pour\n" -"webid-oidc-demo.planete-kraus.eu sont servies de cette façon :" - -#: src/scm/webid-oidc/program.scm:561 -#, scheme-format -msgid "" -"\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' " -"\\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n" -" --~a 'Example Solid Application' \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client." -"html#Running-a-client' \\\n" -" --~a $PORT" -msgstr "" -"\n" -" export LANG=fr_FR.UTF-8\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' " -"\\\n" -" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n" -" --~a 'Example Solid Application' \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client." 
-"html#Running-a-client' \\\n" -" --~a $PORT" - -#: src/scm/webid-oidc/program.scm:575 -msgid "" -"\n" -"Running a full server" -msgstr "" -"\n" -"Exécution d’un serveur complet" - -#: src/scm/webid-oidc/program.scm:578 -msgid "" -"\n" -"To run the server with identity provider and\n" -"resource server for one particular user, you need to combine the\n" -"options for the parts." -msgstr "" -"\n" -"Pour exécuter un serveur avec à la fois un fournisseur d’identité et\n" -"un serveur de ressources pour un utilisateur particulier, vous devez\n" -"combiner les options des parties." - -#: src/scm/webid-oidc/program.scm:582 -#, scheme-format -msgid "" -"\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://data.planete-kraus.eu' \\\n" -" --~a '/var/lib/disfluid/server/key.jwk' \\\n" -" --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" -" --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" -" --~a 'https://data.planete-kraus.eu/keys' \\\n" -" --~a 'https://data.planete-kraus.eu/authorize' \\\n" -" --~a 'https://data.planete-kraus.eu/token' \\\n" -" --~a '...port...'" -msgstr "" -"\n" -" export LANG=fr_FR.UTF-8\n" -" export XDG_DATA_HOME=/var/lib\n" -" export XDG_CACHE_HOME=/var/cache\n" -" ~a ~a \\\n" -" --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" -"source.tar.gz' \\\n" -" --~a 'https://data.planete-kraus.eu' \\\n" -" --~a '/var/lib/disfluid/server/key.jwk' \\\n" -" --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" -" --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" -" --~a 'https://data.planete-kraus.eu/keys' \\\n" -" --~a 'https://data.planete-kraus.eu/authorize' \\\n" -" --~a 'https://data.planete-kraus.eu/token' \\\n" -" --~a '...port...'" - -#: src/scm/webid-oidc/program.scm:607 +#: src/scm/webid-oidc/program.scm:374 #, scheme-format msgid "" "\n" 
@@ -2245,7 +1681,7 @@ msgstr "" "\n" "Si vous trouvez une erreur, veuillez en envoyer un rapport à ~a." -#: src/scm/webid-oidc/program.scm:612 +#: src/scm/webid-oidc/program.scm:379 #, scheme-format msgid "" "~a version ~a\n" 
@@ -2256,117 +1692,30 @@ msgstr "" "\n" "Publiée le ~a\n" -#: src/scm/webid-oidc/program.scm:649 +#: src/scm/webid-oidc/program.scm:414 #, scheme-format msgid "The --~a argument must be a number, not ~s.\n" msgstr "L’argument de --~a doit être un nombre, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:655 +#: src/scm/webid-oidc/program.scm:420 #, scheme-format msgid "The --~a argument must be an integer, not ~s.\n" msgstr "L’argument de --~a doit être un entier, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:661 +#: src/scm/webid-oidc/program.scm:426 #, scheme-format msgid "The --~a argument must be positive, ~s is invalid.\n" msgstr "L’argument de --~a doit être positif, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:666 +#: src/scm/webid-oidc/program.scm:431 #, scheme-format msgid "The --~a argument must be less than 65536, ~s is invalid.\n" msgstr "L’argument de --~a doit être inférieur à 65536, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:694 -msgid "" -"You specified two different passwords: one directly, and one from a file. " -"Please set only one password.\n" -msgstr "" -"Vous avez spécifié deux mots de passe différents : l’un directement,\n" -"et un autre depuis un fichier. 
Veuillez n’en spécifier qu’un.\n" - -#: src/scm/webid-oidc/program.scm:727 src/scm/webid-oidc/program.scm:748 -#: src/scm/webid-oidc/program.scm:817 -#, scheme-format -msgid "You must pass --~a to set the server name.\n" -msgstr "Vous devez passer --~a pour définir le nom du serveur.\n" - -#: src/scm/webid-oidc/program.scm:731 -#, scheme-format -msgid "You must pass --~a to set the backend URI.\n" -msgstr "Vous devez passer --~a pour définir l'URI du service d’arrière-plan.\n" - -#: src/scm/webid-oidc/program.scm:752 src/scm/webid-oidc/program.scm:821 -#, scheme-format -msgid "" -"You must pass --~a to set the file where to store the identity provider " -"key.\n" -msgstr "" -"Vous devez passer --~a pour définir le nom du fichier pour sauvegarder\n" -"la clé du fournisseur d’identité.\n" - -#: src/scm/webid-oidc/program.scm:756 src/scm/webid-oidc/program.scm:825 -#, scheme-format -msgid "You must pass --~a to set the subject of the identity provider.\n" -msgstr "" -"Vous devez passer --~a pour définir le sujet du fournisseur d’identité.\n" - -#: src/scm/webid-oidc/program.scm:760 -#, scheme-format -msgid "You must pass --~a or --~a to set the subject’s encrypted password.\n" -msgstr "" -"Vous devez passer --~a ou --~a pour définir le mot de passe chiffré du " -"sujet.\n" - -#: src/scm/webid-oidc/program.scm:764 src/scm/webid-oidc/program.scm:833 -#, scheme-format -msgid "You must pass --~a to set the JWKS URI.\n" -msgstr "Vous devez passer --~a pour définir l'URI du JWKS.\n" - -#: src/scm/webid-oidc/program.scm:768 src/scm/webid-oidc/program.scm:837 -#, scheme-format -msgid "You must pass --~a to set the authorization endpoint URI.\n" -msgstr "" -"Vous devez passer --~a pour définir l'URI du terminal d'autorisation.\n" - -#: src/scm/webid-oidc/program.scm:772 src/scm/webid-oidc/program.scm:841 -#, scheme-format -msgid "You must pass --~a to set the token endpoint URI.\n" -msgstr "Vous devez passer --~a pour définir l'URI du terminal de jeton.\n" - -#: 
src/scm/webid-oidc/program.scm:789 -#, scheme-format -msgid "You must pass --~a to set the application web ID.\n" -msgstr "" -"Vous devez passer --~a pour définir l'identifiant web de l’application.\n" - -#: src/scm/webid-oidc/program.scm:793 -#, scheme-format -msgid "You must pass --~a to set the redirection URI.\n" -msgstr "Vous devez passer --~a pour définir l'URI de redirection.\n" - -#: src/scm/webid-oidc/program.scm:797 -#, scheme-format -msgid "You must pass --~a to set the informative client name.\n" -msgstr "" -"Vous devez passer --~a pour donner un nom pour l’application à titre " -"informatif.\n" - -#: src/scm/webid-oidc/program.scm:801 -#, scheme-format -msgid "You must pass --~a to set the informative client URI.\n" -msgstr "" -"Vous devez passer --~a pour définir l'URI du client, à titre informatif.\n" - -#: src/scm/webid-oidc/program.scm:829 +#: src/scm/webid-oidc/program.scm:443 #, scheme-format -msgid "You must pass --~a to set the subject’s encrypted password.\n" -msgstr "" -"Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n" - -#: src/scm/webid-oidc/program.scm:881 -#, scheme-format -msgid "Unknown command ~s\n" -msgstr "Commande inconnue ~s\n" +msgid "--~a is required when running a server.\n" +msgstr "--~a est requis pour exécuter un serveur.\n" #: src/scm/webid-oidc/refresh-token.scm:171 msgid "the refresh token does not exist" 
@@ -2378,26 +1727,6 @@ msgid "the refresh token is bound to key ~s, which is not that one" msgstr "" "le jeton de rafraîchissement est lié à la clé ~s, ce n’est pas celle utilisée" -#: src/scm/webid-oidc/resource-server.scm:75 -msgid "" -"You need to pass #:server-uri URI where URI is the public URI of the server, " -"as a (web uri)." -msgstr "" -"Vous devez passer #:server-uri URI où URI est l’URI publique du serveur, " -"comme dans (web uri)." - -#: src/scm/webid-oidc/resource-server.scm:97 -msgid "The owner is not defined." -msgstr "Le propriétaire n’est pas défini." - -#: src/scm/webid-oidc/resource-server.scm:127 -msgid "<h1>The resource server request failed</h1>" -msgstr "<h1>La requête du serveur de ressource a échoué</h1>" - -#: src/scm/webid-oidc/reverse-proxy.scm:60 -msgid "#:endpoint argument is not present or not an URI." -msgstr "l’argument de #:endpoint n’est pas présent, ou pas une URI." - #: src/scm/webid-oidc/serializable.scm:58 msgid "a plugin class should have an explicit #:name and #:module-name" msgstr "" @@ -2848,7 +2177,7 @@ msgstr "Le serveur de sortie n’a pas pu être contacté." msgid "the auxiliary resource of type ~s at ~s is absent" msgstr "la ressource auxiliaire de type ~s à ~s est absente" -#: src/scm/webid-oidc/simulation.scm:130 +#: src/scm/webid-oidc/simulation.scm:135 #, scheme-format msgid "invalid credentials: response ~s ~s" msgstr "identifiants invalides : réponse ~s ~s" @@ -2896,10 +2225,6 @@ msgstr "pendant la mise à jour du fichier ~s : ~a" msgid "an error happened while updating file ~s" msgstr "une erreur est survenue pendant la mise à jour du fichier ~s" -#: src/scm/webid-oidc/token-endpoint.scm:71 -msgid "<h1>The token request failed</h1>" -msgstr "<h1>La requête de jeton a échoué</h1>" - #: src/ui/account-widget.glade:19 msgid "Identity:" msgstr "Identité :" 
@@ -3032,6 +2357,617 @@ msgstr "Contenu :" msgid "Discard edits" msgstr "Rejeter les modifications" +#~ msgid "<h1>The authorization request failed</h1>" +#~ msgstr "<h1>La requête d’autorisation a échoué</h1>" + +#~ msgid "really bad internal server error" +#~ msgstr "erreur interne du serveur vraiment grave" + +#~ msgid "<p>Your request cannot be handled by the identity provider.</p>" +#~ msgstr "" +#~ "<p>Votre requête n’a pas pu être traitée par le fournisseur d’identité.</" +#~ "p>" + +#~ msgid "<h1>The request failed</h1>" +#~ msgstr "<h1>La requête a échoué</h1>" + +#~ msgid "<h1>The identity provider request failed</h1>" +#~ msgstr "<h1>La requête du fournisseur d’identité a échoué</h1>" + +#, scheme-format +#~ msgid "~a: ~a: Internal server error: ~a\n" +#~ msgstr "~a : ~a : Erreur interne du serveur : ~a\n" + +#~ msgid "Internal Server Error" +#~ msgstr "Erreur Interne du Serveur" + +#~ msgid "Sorry, there was an error." +#~ msgstr "Toutes nos excuses, il y a eu une erreurr." + +#~ msgid "command-line|server|server-name" +#~ msgstr "nom-du-serveur" + +#~ msgid "command-line|server|reverse-proxy|backend-uri" +#~ msgstr "uri-arrière-plan" + +#~ msgid "command-line|server|reverse-proxy|header" +#~ msgstr "en-tête" + +#~ msgid "command-line|server|issuer|key-file" +#~ msgstr "fichier-clé" + +#~ msgid "command-line|server|issuer|subject" +#~ msgstr "sujet" + +#~ msgid "command-line|server|issuer|encrypted-password" +#~ msgstr "mot-de-passe-chiffré" + +#~ msgid "command-line|server|issuer|encrypted-password-from-file" +#~ msgstr "fichier-de-mot-de-passe-chiffré" + +#~ msgid "command-line|server|issuer|jwks-uri" +#~ msgstr "uri-jwks" + +#~ msgid "command-line|server|issuer|authorization-endpoint-uri" +#~ msgstr "uri-terminal-autorisation" + +#~ msgid "command-line|server|issuer|token-endpoint-uri" +#~ msgstr "uri-terminal-jeton" + +#~ msgid "command-line|server|client-id" +#~ msgstr "id-client" + +#~ msgid "command-line|server|redirect-uri" +#~ msgstr 
"uri-redirection" + +#~ msgid "command-line|server|client-name" +#~ msgstr "nom-client" + +#~ msgid "command-line|server|client-uri" +#~ msgstr "uri-client" + +#~ msgid "" +#~ "\n" +#~ "Available commands:" +#~ msgstr "" +#~ "\n" +#~ "Commandes disponibles :" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " ~a:\n" +#~ " run an authenticating reverse proxy." +#~ msgstr "" +#~ "\n" +#~ " ~a :\n" +#~ " exécute le proxy inverse authentifiant." + +#~ msgid "command-line|command|reverse-proxy" +#~ msgstr "proxy-inversé" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " ~a:\n" +#~ " run an identity provider." +#~ msgstr "" +#~ "\n" +#~ " ~a :\n" +#~ " exécute un fournisseur d’identité." + +#~ msgid "command-line|command|identity-provider" +#~ msgstr "fournisseur-identité" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " ~a:\n" +#~ " serve the pages for a public application." +#~ msgstr "" +#~ "\n" +#~ " ~a :\n" +#~ " sert les pages d’une application publique." + +#~ msgid "command-line|command|client-service" +#~ msgstr "service-client" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " ~a:\n" +#~ " run a full server, with identity provider and resource storage\n" +#~ " facility." +#~ msgstr "" +#~ "\n" +#~ " ~a :\n" +#~ " exécute un serveur complet, avec un fournisseur d’identité et\n" +#~ " une fonction de stockage de ressources." + +#~ msgid "command-line|command|server" +#~ msgstr "serveur" + +#~ msgid "" +#~ "\n" +#~ "If no command is specified, run the browser." +#~ msgstr "" +#~ "\n" +#~ "Si aucune commande n’est spécifiée, exécute le navigateur." + +#~ msgid "" +#~ "\n" +#~ "General server-side options:" +#~ msgstr "" +#~ "\n" +#~ "Options générales pour un serveur :" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -n URI, --~a=URI:\n" +#~ " set the public server URI (scheme, userinfo, host, and port)." +#~ msgstr "" +#~ "\n" +#~ " -n URI, --~a=URI :\n" +#~ " définit l’URI publique du serveur (schéma, identifiant de\n" +#~ " l’utilisateur, hôte et port)." 
+ +#~ msgid "" +#~ "\n" +#~ "Options for the resource server:" +#~ msgstr "" +#~ "\n" +#~ "Options pour le serveur de ressources :" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -H HEADER, --~a=HEADER:\n" +#~ " the HEADER field contains the webid of the authenticated user,\n" +#~ " XXX-Agent by default. For the full server, disable Solid-OIDC\n" +#~ " authentication." +#~ msgstr "" +#~ "\n" +#~ " -H EN-TÊTE, --~a=EN-TÊTE :\n" +#~ " le champ EN-TÊTE contiendra l’identifiant webid de l’utilisateur\n" +#~ " authentifié, XXX-Agent par défaut. Pour un serveur complet, ceci\n" +#~ " désactive l’authentification par Solid-OIDC." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -b URI, --~a=URI:\n" +#~ " set the backend URI for the reverse proxy, only for the\n" +#~ " reverse-proxy command." +#~ msgstr "" +#~ "\n" +#~ " -b URI, --~a=URI :\n" +#~ " définit l’URI sortante du proxy inversé, seulement pour la\n" +#~ " commande proxy-inversé." + +#~ msgid "" +#~ "\n" +#~ "Options for the identity provider:" +#~ msgstr "" +#~ "\n" +#~ "Options du fournisseur d’identité :" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -k FILE, --~a=FILE.jwk:\n" +#~ " set the file name of the key file. If it does not exist, a new\n" +#~ " key is generated. The server does not offer an HTTPS service." +#~ msgstr "" +#~ "\n" +#~ " -k FICHIER.jwk, --~a=FICHIER.jwk :\n" +#~ " définit le nom du fichier de clé. S’il n’existe pas, une\n" +#~ " nouvelle clé sera générée. Le serveur n’offre pas de service\n" +#~ " HTTPS." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -s WEBID, --~a=WEBID:\n" +#~ " set the identity of the subject." +#~ msgstr "" +#~ "\n" +#~ " -s WEBID, --~a=WEBID :\n" +#~ " définit l'identité du sujet." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n" +#~ " set the encrypted password to recognize the user." 
+#~ msgstr "" +#~ "\n" +#~ " -w MOT_DE_PASSE_CHIFFRÉ, --~a=MOT_DE_PASSE_CHIFFRÉ :\n" +#~ " définit le mot de passe chiffré pour reconnaître l’utilisateur." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE:\n" +#~ " load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE." +#~ msgstr "" +#~ "\n" +#~ " -w FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ, --" +#~ "~a=FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ :\n" +#~ " lit le mot de passe chiffré de l’utilisateur dans " +#~ "FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -j URI, --~a=URI:\n" +#~ " set the URI to query the key of the server." +#~ msgstr "" +#~ "\n" +#~ " -j URI, --~a=URI :\n" +#~ " définit l’URI pour requêter les clés du serveur." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -a URI, --~a=URI:\n" +#~ " set the authorization endpoint of the issuer." +#~ msgstr "" +#~ "\n" +#~ " -a URI, --~a=URI :\n" +#~ " définit l'URI du terminal d'autorisation de l’émetteur\n" +#~ " d’identité." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -t URI, --~a=URI:\n" +#~ " set the token endpoint of the issuer." +#~ msgstr "" +#~ "\n" +#~ " -t URI, --~a=URI :\n" +#~ " définit le terminal de jeton de l’émetteur d’identité." + +#~ msgid "" +#~ "\n" +#~ "Options for the client service:" +#~ msgstr "" +#~ "\n" +#~ "Options pour le service associé à un client :" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -c URI, --~a=URI:\n" +#~ " set the web identifier of the client application, which is\n" +#~ " dereferenced to a semantic resource." +#~ msgstr "" +#~ "\n" +#~ " -c URI, --~a=URI :\n" +#~ " définit l’identifiant web de l’application client, qui est\n" +#~ " déréférencé pour une ressource sémantique." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -r URI, --~a=URI:\n" +#~ " set the redirection URI to get the authorization code back. The\n" +#~ " page is presented with the code to paste in the application." 
+#~ msgstr "" +#~ "\n" +#~ " -r URI, --~a=URI :\n" +#~ " définit l’URI de redirection pour récupérer le code\n" +#~ " d’autorisation. La page de redirection affiche le code à coller\n" +#~ " dans l’application." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -C NAME, --~a=NAME:\n" +#~ " set the user-visible application name (may be misleading...)." +#~ msgstr "" +#~ "\n" +#~ " -C NOM, --~a=NOM :\n" +#~ " définit le nom de l’application visible par l’utilisateur (peut\n" +#~ " être trompeur…)." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " -u URI, --~a=URI:\n" +#~ " set an URI where someone would find more information about the\n" +#~ " application (again, may be misleading)." +#~ msgstr "" +#~ "\n" +#~ " -u URI, --~a=URI :\n" +#~ " définit l’URI présentant plus d’informations à propos de\n" +#~ " l’application (peut aussi être trompeur)." + +#~ msgid "" +#~ "\n" +#~ "Running a reverse proxy" +#~ msgstr "" +#~ "\n" +#~ "Exécution d’un proxy inversé" + +#~ msgid "" +#~ "\n" +#~ "Suppose that you operate data.provider.com. You want to run an\n" +#~ "authenticating reverse proxy, that will receive incoming requests\n" +#~ "through http://localhost:8080, and forward them to\n" +#~ "https://private.data.provider.com. The backend will look for the\n" +#~ "XXX-Agent header, and if it is found, then its value will be\n" +#~ "considered the webid of the authenticated\n" +#~ "user. https://private.data.provider.com should only accept requests\n" +#~ "from this reverse proxy." +#~ msgstr "" +#~ "\n" +#~ "Supposons que vous opériez data.provider.com. Vous voulez exécuter un\n" +#~ "proxy inversé authentifiant, qui recevra les requêtes entrantes à\n" +#~ "travers http://localhost:8080, et les redirigera vers\n" +#~ "https://private.data.provider.com. L’arrière-boutique recherchera\n" +#~ "l’en-tête XXX-Agent, et s’il est trouvé, alors sa valeur sera\n" +#~ "considérée comme le webid de l’utilisateur\n" +#~ "authentifié. 
https://private.data.provider.com ne doit accepter que\n" +#~ "les requêtes depuis ce proxy inversé." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n" +#~ " --~a 8080 \\\n" +#~ " --~a 'https://data.provider.com' \\\n" +#~ " --~a 'https://private.data.provider.com' \\\n" +#~ " --~a 'XXX-Agent' \\\n" +#~ " --~a '/var/log/proxy.log' \\\n" +#~ " --~a '/var/log/proxy.err'" +#~ msgstr "" +#~ "\n" +#~ " export LANG=fr_FR.UTF-8\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://data.provider.com/code-source-serveur.tar.gz \\\n" +#~ " --~a 8080 \\\n" +#~ " --~a 'https://data.provider.com \\\n" +#~ " --~a 'https://private.data.provider.com \\\n" +#~ " --~a 'XXX-Agent' \\\n" +#~ " --~a '/var/log/proxy.log' \\\n" +#~ " --~a '/var/log/proxy.err'" + +#~ msgid "" +#~ "\n" +#~ "Running an identity provider" +#~ msgstr "" +#~ "\n" +#~ "Exécution d’un fournisseur d’identité" + +#~ msgid "" +#~ "\n" +#~ "The identity provider running at webid-oidc-demo.planete-kraus.eu is\n" +#~ "invoked with the following options:" +#~ msgstr "" +#~ "\n" +#~ "Le fournisseur d’identité qui tourne sur\n" +#~ "webid-oidc-demo.planete-kraus.eu est invoqué avec les options\n" +#~ "suivantes :" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " export XDG_DATA_HOME=/var/lib\n" +#~ " export XDG_CACHE_HOME=/var/cache\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +#~ "source.tar.gz' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" +#~ " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" +#~ " --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" +#~ " --~a $PORT" +#~ msgstr "" +#~ "\n" +#~ " 
export LANG=fr_FR.UTF-8\n" +#~ " export XDG_DATA_HOME=/var/lib\n" +#~ " export XDG_CACHE_HOME=/var/cache\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +#~ "source.tar.gz' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" +#~ " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" +#~ " --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" +#~ " --~a $PORT" + +#~ msgid "" +#~ "\n" +#~ "Running the public pages for an application" +#~ msgstr "" +#~ "\n" +#~ "Service des pages publiques pour une application" + +#~ msgid "" +#~ "\n" +#~ "The example client application pages for\n" +#~ "webid-oidc-demo.planete-kraus.eu are served this way:" +#~ msgstr "" +#~ "\n" +#~ "Les pages de l’application client d’exemple pour\n" +#~ "webid-oidc-demo.planete-kraus.eu sont servies de cette façon :" + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +#~ "source.tar.gz' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/example-" +#~ "application#id' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n" +#~ " --~a 'Example Solid Application' \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client." 
+#~ "html#Running-a-client' \\\n" +#~ " --~a $PORT" +#~ msgstr "" +#~ "\n" +#~ " export LANG=fr_FR.UTF-8\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +#~ "source.tar.gz' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/example-" +#~ "application#id' \\\n" +#~ " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n" +#~ " --~a 'Example Solid Application' \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client." +#~ "html#Running-a-client' \\\n" +#~ " --~a $PORT" + +#~ msgid "" +#~ "\n" +#~ "To run the server with identity provider and\n" +#~ "resource server for one particular user, you need to combine the\n" +#~ "options for the parts." +#~ msgstr "" +#~ "\n" +#~ "Pour exécuter un serveur avec à la fois un fournisseur d’identité et\n" +#~ "un serveur de ressources pour un utilisateur particulier, vous devez\n" +#~ "combiner les options des parties." + +#, scheme-format +#~ msgid "" +#~ "\n" +#~ " export XDG_DATA_HOME=/var/lib\n" +#~ " export XDG_CACHE_HOME=/var/cache\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +#~ "source.tar.gz' \\\n" +#~ " --~a 'https://data.planete-kraus.eu' \\\n" +#~ " --~a '/var/lib/disfluid/server/key.jwk' \\\n" +#~ " --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" +#~ " --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" +#~ " --~a 'https://data.planete-kraus.eu/keys' \\\n" +#~ " --~a 'https://data.planete-kraus.eu/authorize' \\\n" +#~ " --~a 'https://data.planete-kraus.eu/token' \\\n" +#~ " --~a '...port...'" +#~ msgstr "" +#~ "\n" +#~ " export LANG=fr_FR.UTF-8\n" +#~ " export XDG_DATA_HOME=/var/lib\n" +#~ " export XDG_CACHE_HOME=/var/cache\n" +#~ " ~a ~a \\\n" +#~ " --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-" +#~ "source.tar.gz' \\\n" +#~ " --~a 'https://data.planete-kraus.eu' \\\n" +#~ " --~a '/var/lib/disfluid/server/key.jwk' \\\n" +#~ " --~a 
'https://data.planete-kraus.eu/vivien#me' \\\n" +#~ " --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" +#~ " --~a 'https://data.planete-kraus.eu/keys' \\\n" +#~ " --~a 'https://data.planete-kraus.eu/authorize' \\\n" +#~ " --~a 'https://data.planete-kraus.eu/token' \\\n" +#~ " --~a '...port...'" + +#~ msgid "" +#~ "You specified two different passwords: one directly, and one from a file. " +#~ "Please set only one password.\n" +#~ msgstr "" +#~ "Vous avez spécifié deux mots de passe différents : l’un directement,\n" +#~ "et un autre depuis un fichier. Veuillez n’en spécifier qu’un.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the server name.\n" +#~ msgstr "Vous devez passer --~a pour définir le nom du serveur.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the backend URI.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour définir l'URI du service d’arrière-plan.\n" + +#, scheme-format +#~ msgid "" +#~ "You must pass --~a to set the file where to store the identity provider " +#~ "key.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour définir le nom du fichier pour sauvegarder\n" +#~ "la clé du fournisseur d’identité.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the subject of the identity provider.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour définir le sujet du fournisseur d’identité.\n" + +#, scheme-format +#~ msgid "" +#~ "You must pass --~a or --~a to set the subject’s encrypted password.\n" +#~ msgstr "" +#~ "Vous devez passer --~a ou --~a pour définir le mot de passe chiffré du " +#~ "sujet.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the JWKS URI.\n" +#~ msgstr "Vous devez passer --~a pour définir l'URI du JWKS.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the authorization endpoint URI.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour définir l'URI du terminal d'autorisation.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the token endpoint URI.\n" +#~ 
msgstr "Vous devez passer --~a pour définir l'URI du terminal de jeton.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the application web ID.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour définir l'identifiant web de l’application.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the redirection URI.\n" +#~ msgstr "Vous devez passer --~a pour définir l'URI de redirection.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the informative client name.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour donner un nom pour l’application à titre " +#~ "informatif.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the informative client URI.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour définir l'URI du client, à titre informatif.\n" + +#, scheme-format +#~ msgid "You must pass --~a to set the subject’s encrypted password.\n" +#~ msgstr "" +#~ "Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n" + +#, scheme-format +#~ msgid "Unknown command ~s\n" +#~ msgstr "Commande inconnue ~s\n" + +#~ msgid "" +#~ "You need to pass #:server-uri URI where URI is the public URI of the " +#~ "server, as a (web uri)." +#~ msgstr "" +#~ "Vous devez passer #:server-uri URI où URI est l’URI publique du serveur, " +#~ "comme dans (web uri)." + +#~ msgid "The owner is not defined." +#~ msgstr "Le propriétaire n’est pas défini." + +#~ msgid "<h1>The resource server request failed</h1>" +#~ msgstr "<h1>La requête du serveur de ressource a échoué</h1>" + +#~ msgid "#:endpoint argument is not present or not an URI." +#~ msgstr "l’argument de #:endpoint n’est pas présent, ou pas une URI." + +#~ msgid "<h1>The token request failed</h1>" +#~ msgstr "<h1>La requête de jeton a échoué</h1>" + #~ msgid "Bad Request" #~ msgstr "Requête invalide" 
@@ -4055,9 +3991,6 @@ msgstr "Rejeter les modifications" #~ msgid "Sending a request: ~s\n" #~ msgstr "Envoi d’une requête : ~s\n" -#~ msgid "comand-line|help" -#~ msgstr "aide" - #, scheme-format #~ msgid "" #~ "Usage: ~a [OPTIONS]...\n" diff --git a/src/scm/webid-oidc/Makefile.am b/src/scm/webid-oidc/Makefile.am index 1d5066b..fe6b458 100644 --- a/src/scm/webid-oidc/Makefile.am +++ b/src/scm/webid-oidc/Makefile.am @@ -31,14 +31,9 @@ dist_webidoidcmod_DATA += \ %reldir%/authorization-code.scm \ %reldir%/refresh-token.scm \ %reldir%/oidc-id-token.scm \ - %reldir%/authorization-endpoint.scm \ - %reldir%/token-endpoint.scm \ - %reldir%/identity-provider.scm \ %reldir%/provider-confirmation.scm \ - %reldir%/resource-server.scm \ %reldir%/hello-world.scm \ %reldir%/program.scm \ - %reldir%/reverse-proxy.scm \ %reldir%/client.scm \ %reldir%/example-app.scm \ %reldir%/rdf-index.scm \ @@ -67,14 +62,9 @@ webidoidcgo_DATA += \ %reldir%/authorization-code.go \ %reldir%/refresh-token.go \ %reldir%/oidc-id-token.go \ - %reldir%/authorization-endpoint.go \ - %reldir%/token-endpoint.go \ - %reldir%/identity-provider.go \ %reldir%/provider-confirmation.go \ - %reldir%/resource-server.go \ %reldir%/hello-world.go \ %reldir%/program.go \ - %reldir%/reverse-proxy.go \ %reldir%/client.go \ %reldir%/example-app.go \ %reldir%/rdf-index.go \ diff --git a/src/scm/webid-oidc/authorization-endpoint.scm b/src/scm/webid-oidc/authorization-endpoint.scm deleted file mode 100644 index 74417aa..0000000 --- a/src/scm/webid-oidc/authorization-endpoint.scm +++ /dev/null 
@@ -1,85 +0,0 @@ -;; disfluid, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see <https://www.gnu.org/licenses/>. - -(define-module (webid-oidc authorization-endpoint) - #:use-module (webid-oidc errors) - #:use-module (webid-oidc server endpoint) - #:use-module (webid-oidc server endpoint identity-provider) - #:use-module (webid-oidc jwk) - #:use-module (webid-oidc authorization-code) - #:use-module (webid-oidc client-manifest) - #:use-module (webid-oidc web-i18n) - #:use-module ((webid-oidc parameters) #:prefix p:) - #:use-module (web uri) - #:use-module (web request) - #:use-module (web response) - #:use-module (rnrs bytevectors) - #:use-module (srfi srfi-19) - #:use-module (srfi srfi-26) - #:use-module (ice-9 receive) - #:use-module (ice-9 optargs) - #:use-module (ice-9 match) - #:use-module (sxml simple) - #:use-module (oop goops) - #:declarative? #t - #:duplicates (merge-generics) - #:export - ( - - make-authorization-endpoint - - )) - -(define (make-authorization-endpoint subject encrypted-password jwk-file) - (define endpoint - (make <authorization-endpoint> - #:subject subject - #:encrypted-password encrypted-password - #:key-file jwk-file)) - (lambda (request request-body) - (when (bytevector? request-body) - (set! 
request-body (utf8->string request-body))) - (parameterize ((web-locale request)) - (with-exception-handler - (lambda (exn) - (unless (web-exception? exn) - (raise-exception exn)) - (values - (build-response - #:code (web-exception-code exn) - #:reason-phrase (web-exception-reason-phrase exn) - #:headers `((content-type application/xhtml+xml))) - (call-with-output-string - (cute sxml->xml - `(*TOP* - (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") - (html (@ (xmlns "http://www.w3.org/1999/xhtml") - (xml:lang ,(W_ "xml-lang|en"))) - (body - ,(call-with-input-string - (format #f (W_ "<h1>The authorization request failed</h1>")) - xml->sxml) - ,(if (user-message? exn) - (user-message-sxml exn) - (call-with-input-string - (format #f (W_ "<p>No more information.</p>")) - xml->sxml))))) - <>)))) - (lambda () - (receive (response response-body response-meta) - (handle endpoint request request-body) - (values response response-body))) - #:unwind? #t)))) diff --git a/src/scm/webid-oidc/client.scm b/src/scm/webid-oidc/client.scm index ee0b72c..1948d86 100644 --- a/src/scm/webid-oidc/client.scm +++ b/src/scm/webid-oidc/client.scm @@ -62,10 +62,6 @@ #:export ( request - - serve-application - - <extended-client-manifest> ) #:declarative? #t) 
@@ -169,40 +165,3 @@ (scan-arguments args (or headers new-headers) non-header-args method)) ((kw value args ...) (scan-arguments args headers `(,value ,kw ,@non-header-args) method))))) - -(define* (serve-application id redirect-uri . args) - (let ((endpoint (apply make <client-id> - #:client-id id - #:redirect-uris (list redirect-uri) - args))) - (lambda (request request-body) - (with-exception-handler - (lambda (exn) - (unless (web-exception? exn) - (raise-exception exn)) - (values - (build-response - #:code (web-exception-code exn) - #:reason-phrase (web-exception-reason-phrase exn) - #:headers `((content-type application/xhtml+xml))) - (call-with-output-string - (cute sxml->xml - `(*TOP* - (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") - (html (@ (xmlns "http://www.w3.org/1999/xhtml") - (xml:lang ,(W_ "xml-lang|en"))) - (body - ,(call-with-input-string - (format #f (W_ "<h1>The request failed</h1>")) - xml->sxml) - ,(if (user-message? exn) - (user-message-sxml exn) - (call-with-input-string - (format #f (W_ "<p>No more information.</p>")) - xml->sxml))))) - <>)))) - (lambda () - (receive (response response-body response-meta) - (handle endpoint request request-body) - (values response response-body))) - #:unwind? #t)))) diff --git a/src/scm/webid-oidc/hello-world.scm b/src/scm/webid-oidc/hello-world.scm index 4d97657..68d7644 100644 --- a/src/scm/webid-oidc/hello-world.scm +++ b/src/scm/webid-oidc/hello-world.scm @@ -17,7 +17,6 @@ (define-module (webid-oidc hello-world) #:use-module (webid-oidc server endpoint) #:use-module (webid-oidc server endpoint hello) - #:use-module (webid-oidc resource-server) #:use-module (webid-oidc server log) #:use-module (webid-oidc web-i18n) #:use-module ((webid-oidc config) #:prefix cfg:) diff --git a/src/scm/webid-oidc/identity-provider.scm b/src/scm/webid-oidc/identity-provider.scm deleted file mode 100644 index 5970574..0000000 --- a/src/scm/webid-oidc/identity-provider.scm +++ /dev/null 
@@ -1,135 +0,0 @@ -;; disfluid, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see <https://www.gnu.org/licenses/>. - -(define-module (webid-oidc identity-provider) - #:use-module (webid-oidc errors) - #:use-module (webid-oidc authorization-endpoint) - #:use-module (webid-oidc token-endpoint) - #:use-module (webid-oidc server endpoint) - #:use-module (webid-oidc server endpoint identity-provider) - #:use-module (webid-oidc oidc-configuration) - #:use-module (webid-oidc jwk) - #:use-module ((webid-oidc config) #:prefix cfg:) - #:use-module ((webid-oidc stubs) #:prefix stubs:) - #:use-module ((webid-oidc parameters) #:prefix p:) - #:use-module (webid-oidc jti) - #:use-module (web request) - #:use-module (web response) - #:use-module (web uri) - #:use-module (web server) - #:use-module (webid-oidc cache) - #:use-module (ice-9 optargs) - #:use-module (ice-9 receive) - #:use-module (webid-oidc web-i18n) - #:use-module (ice-9 getopt-long) - #:use-module (ice-9 suspendable-ports) - #:use-module (ice-9 match) - #:use-module (ice-9 exceptions) - #:use-module (sxml simple) - #:use-module (sxml match) - #:use-module (srfi srfi-19) - #:use-module (srfi srfi-26) - #:use-module (rnrs bytevectors) - #:use-module (oop goops) - #:duplicates (merge-generics) - #:declarative? 
#t - #:export - ( - - make-identity-provider - - )) - -(define-class <default> (<endpoint>)) - -(define-method (handle (endpoint <default>) request request-body) - (raise-exception - (make-exception - (make-web-exception 404 (W_ "reason-phrase|Not Found")) - (make-user-message - (call-with-input-string - (format #f (W_ "<p>Your request cannot be handled by the identity provider.</p>")) - xml->sxml))))) - -(define* (make-identity-provider - issuer - key-file - subject - encrypted-password - jwks-uri - authorization-endpoint-uri - token-endpoint-uri) - (let ((discovery - (make <oidc-discovery> - #:path "/.well-known/openid-configuration" - #:configuration - (make <oidc-configuration> - #:jwks-uri jwks-uri - #:authorization-endpoint authorization-endpoint-uri - #:token-endpoint token-endpoint-uri))) - (authz - (make <authorization-endpoint> - #:subject subject - #:encrypted-password encrypted-password - #:key-file key-file - #:path (uri-path authorization-endpoint-uri))) - (token - (make <token-endpoint> - #:path (uri-path token-endpoint-uri) - #:issuer issuer - #:key-file key-file)) - (jwks - (make <jwks-endpoint> - #:path (uri-path jwks-uri) - #:key-file key-file))) - (let ((idp (make <identity-provider> - #:oidc-discovery discovery - #:authorization-endpoint authz - #:token-endpoint token - #:jwks-endpoint jwks - #:default (make <default>)))) - (lambda (request request-body) - (parameterize ((web-locale request)) - (with-exception-handler - (lambda (exn) - (unless (web-exception? 
exn) - (raise-exception exn)) - (values - (build-response - #:code (web-exception-code exn) - #:reason-phrase (web-exception-reason-phrase exn) - #:headers `((content-type application/xhtml+xml))) - (call-with-output-string - (cute sxml->xml - `(*TOP* - (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") - (html (@ (xmlns "http://www.w3.org/1999/xhtml") - (xml:lang ,(W_ "xml-lang|en"))) - (body - ,(call-with-input-string - (format #f (W_ "<h1>The identity provider request failed</h1>")) - xml->sxml) - ,(if (user-message? exn) - (user-message-sxml exn) - (call-with-input-string - (format #f (W_ "<p>No more information.</p>")) - xml->sxml))))) - <>)))) - (lambda () - (receive (response response-body response-meta) - (handle idp request request-body) - (values response response-body))) - #:unwind? #t)))))) diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm index 6a70cdc..319dd43 100644 --- a/src/scm/webid-oidc/program.scm +++ b/src/scm/webid-oidc/program.scm @@ -17,11 +17,9 @@ (define-module (webid-oidc program) #:use-module (webid-oidc errors) #:use-module (webid-oidc server log) - #:use-module (webid-oidc reverse-proxy) - #:use-module (webid-oidc identity-provider) #:use-module (webid-oidc client) - #:use-module (webid-oidc resource-server) #:use-module (webid-oidc server create) + #:use-module (webid-oidc server endpoint) #:use-module (webid-oidc jti) #:use-module (webid-oidc offloading) #:use-module (webid-oidc catalog) @@ -39,12 +37,15 @@ #:use-module (ice-9 textual-ports) #:use-module (ice-9 exceptions) #:use-module (srfi srfi-19) + #:use-module (srfi srfi-26) #:use-module (rnrs bytevectors) #:use-module (web uri) #:use-module (web request) #:use-module (web response) #:use-module (webid-oidc cache) - #:use-module (web server)) + #:use-module (web server) + #:use-module (sxml simple) + #:declarative? #f) (define logging-mutex (make-mutex)) 
@@ -82,20 +83,20 @@ (f)))) (define (setup-http-request f) - (let ((base-http-request (p:anonymous-http-request))) - (parameterize ((p:anonymous-http-request - (lambda* (uri . args) - (with-mutex logging-mutex - (format (current-output-port) - (G_ "~a: connecting to ~s\n") - (date->string (time-utc->date (current-time))) - (uri-host uri))) - (apply base-http-request uri args)))) - (use-cache - (lambda () - (use-catalog + (use-logging-request + (lambda () + (let ((base-http-request (p:anonymous-http-request))) + (parameterize ((p:anonymous-http-request + (lambda* (uri . args) + (with-mutex logging-mutex + (format (current-output-port) + (G_ "~a: connecting to ~s\n") + (date->string (time-utc->date (current-time))) + (uri-host uri))) + (apply base-http-request uri args)))) + (use-cache (lambda () - (use-logging-request + (use-catalog (lambda () (f)))))))))) @@ -107,8 +108,8 @@ (address (sockaddr:addr peer))) (inet-ntop family address))))) -(define (handler-with-log log-file error-file complete-corresponding-source handler) - (lambda (request request-body) +(define (handler-with-log endpoint log-file error-file complete-corresponding-source) + (lambda (request request-body . _) (when log-file (prepare-log-file log-file)) (when error-file 
@@ -126,80 +127,78 @@ ;; Fix the date (p:current-date ((p:current-date))) (web-locale request)) - (call/ec - (lambda (return) - (with-exception-handler - (lambda (error) - (unless (exception-with-message? error) - (let ((final-message - (format #f (G_ "really bad internal server error")))) - (raise-exception - (make-exception - (make-exception-with-message final-message) - error)))) - (with-mutex logging-mutex - (format (current-error-port) - (G_ "~a: ~a: Internal server error: ~a\n") - (date->string ((p:current-date))) - (request-ip-address request) - (exception-message error))) - (return - (build-response #:code 500 - #:reason-phrase (W_ "Internal Server Error") - #:headers `((source . ,complete-corresponding-source) - (date . ,((p:current-date))))) - (W_ "Sorry, there was an error."))) - (lambda () - (receive (response response-body user cause) - (call-with-values - (lambda () - (handler request request-body)) - (case-lambda - ((response response-body) - (values response response-body #f #f)) - ((response response-body user) - (values response response-body user #f)) - ((response response-body user cause) - (values response response-body user cause)))) - (let ((logging-port - (let ((response-code (response-code response))) - (if (>= response-code 400) - ;; That’s an error - (current-error-port) - (current-output-port))))) - (with-mutex logging-mutex - (format logging-port - (G_ "~a: ~s ~a ~s ~a\n") - (if user - (format #f (G_ "~a: ~a (~a)") - (date->string (time-utc->date (current-time))) - (uri->string user) - (request-ip-address request)) - (format #f (G_ "~a: ~a") - (date->string (time-utc->date (current-time))) - (request-ip-address request))) - (request-method request) - (uri-path (request-uri request)) - (response-code response) - (if (and cause (exception-with-message? 
cause)) - (string-append - (response-reason-phrase response) - " " - (format #f (G_ "(there was an error: ~a)") - (exception-message cause))) - (response-reason-phrase response))))) - (return - (build-response - #:version (response-version response) - #:code (response-code response) - #:reason-phrase (response-reason-phrase response) - #:headers `((source . ,complete-corresponding-source) - (date . ,((p:current-date))) - ,@(response-headers response)) - #:port (response-port response) - #:validate-headers? #t) - response-body))) - #:unwind? #t)))))) + (receive (response response-body user cause) + (call/ec + (lambda (return) + (with-exception-handler + (lambda (error) + (if (web-exception? error) + (return + (build-response #:code (web-exception-code error) + #:reason-phrase (web-exception-reason-phrase error) + #:headers `((content-type application/xhtml-xml))) + (call-with-output-string + (cute sxml->xml + `(*TOP* + (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") + (html (@ (xmlns "http://www.w3.org/1999/xhtml") + (xml:lang ,(W_ "xml-lang|en"))) + (head + (title ,(W_ "An error happened…"))) + (body + ,(call-with-input-string + (format #f (W_ "<p>Sorry, an error happened.</p>")) + xml->sxml) + ,(user-message-sxml error)))) + <>)) + (and (caused-by-user? error) + (caused-by-user-webid error)) + error) + ;; Other kind of exception + (raise-exception error))) + (lambda () + (receive (response response-body response-meta) + (handle endpoint request request-body) + (values response response-body (assq-ref response-meta 'user) #f))) + #:unwind? 
#t))) + (let ((logging-port + (let ((response-code (response-code response))) + (if (>= response-code 400) + ;; That’s an error + (current-error-port) + (current-output-port))))) + (with-mutex logging-mutex + (format logging-port + (G_ "~a: ~s ~a ~s ~a\n") + (if user + (format #f (G_ "~a: ~a (~a)") + (date->string (time-utc->date (current-time))) + (uri->string user) + (request-ip-address request)) + (format #f (G_ "~a: ~a") + (date->string (time-utc->date (current-time))) + (request-ip-address request))) + (request-method request) + (uri-path (request-uri request)) + (response-code response) + (if (and cause (exception-with-message? cause)) + (string-append + (response-reason-phrase response) + " " + (format #f (G_ "(there was an error: ~a)") + (exception-message cause))) + (response-reason-phrase response))))) + (values + (build-response + #:version (response-version response) + #:code (response-code response) + #:reason-phrase (response-reason-phrase response) + #:headers `((source . ,complete-corresponding-source) + (date . ,((p:current-date))) + ,@(response-headers response)) + #:port (response-port response) + #:validate-headers? #t) + response-body))))) (define (serve-one-client* handler implementation server state) ;; Same as serve-one-client, except it is served in a promise. @@ -218,7 +217,7 @@ (define* (run-server* handler - #:optional + #:key (implementation 'http) (open-params '()) . state) 
@@ -246,34 +245,8 @@ (string->symbol (G_ "command-line|help"))) (port-sym (string->symbol (G_ "command-line|server|port"))) - (server-name-sym - (string->symbol (G_ "command-line|server|server-name"))) - (backend-uri-sym - (string->symbol (G_ "command-line|server|reverse-proxy|backend-uri"))) - (header-sym - (string->symbol (G_ "command-line|server|reverse-proxy|header"))) - (key-file-sym - (string->symbol (G_ "command-line|server|issuer|key-file"))) - (subject-sym - (string->symbol (G_ "command-line|server|issuer|subject"))) - (encrypted-password-sym - (string->symbol (G_ "command-line|server|issuer|encrypted-password"))) - (encrypted-password-from-file-sym - (string->symbol (G_ "command-line|server|issuer|encrypted-password-from-file"))) - (jwks-uri-sym - (string->symbol (G_ "command-line|server|issuer|jwks-uri"))) - (authorization-endpoint-uri-sym - (string->symbol (G_ "command-line|server|issuer|authorization-endpoint-uri"))) - (token-endpoint-uri-sym - (string->symbol (G_ "command-line|server|issuer|token-endpoint-uri"))) - (client-id-sym - (string->symbol (G_ "command-line|server|client-id"))) - (redirect-uri-sym - (string->symbol (G_ "command-line|server|redirect-uri"))) - (client-name-sym - (string->symbol (G_ "command-line|server|client-name"))) - (client-uri-sym - (string->symbol (G_ "command-line|server|client-uri"))) + (configuration-sym + (string->symbol (G_ "command-line|server|configuration"))) (log-file-sym (string->symbol (G_ "command-line|log-file"))) (error-file-sym 
@@ -289,30 +262,17 @@ (,help-sym (single-char #\h) (value #f)) (,log-file-sym (single-char #\l) (value #t)) (,error-file-sym (single-char #\e) (value #t)) - (,key-file-sym (single-char #\k) (value #t)) - (,subject-sym (single-char #\s) (value #t)) - (,encrypted-password-sym (single-char #\w) (value #t)) - (,encrypted-password-from-file-sym (single-char #\W) (value #t)) - (,jwks-uri-sym (single-char #\j) (value #t)) - (,authorization-endpoint-uri-sym (single-char #\a) (value #t)) - (,token-endpoint-uri-sym (single-char #\t) (value #t)) - (,client-id-sym (single-char #\c) (value #t)) - (,redirect-uri-sym (single-char #\r) (value #t)) - (,client-name-sym (single-char #\C) (value #t)) - (,client-uri-sym (single-char #\u) (value #t)) - (,port-sym (single-char #\p) (value #t)) - (,server-name-sym (single-char #\n) (value #t)) - (,header-sym (single-char #\H) (value #t)) - (,backend-uri-sym (single-char #\b) (value #t))))) + (,configuration-sym (single-char #\c) (value #t)) + (,port-sym (single-char #\p) (value #t))))) (getopt-long (command-line) spec)))) (cond ((option-ref options help-sym #f) - (format #t (G_ "Usage: ~a COMMAND [OPTIONS]... + (format #t (G_ "Usage: ~a [OPTIONS]... ") (car (command-line))) (format #t (G_ " -Run the disfluid COMMAND.")) +Run disfluid.")) (format #t "\n") (format #t (G_ " This program is covered by the GNU Affero GPL, version 3 or 
@@ -321,37 +281,10 @@ the network to download the complete corresponding source code (with your modifications) at no cost. The server adds a \"Source:\" header to all responses.")) (format #t "\n") - (format #t (G_ " -Available commands:")) - (format #t (G_ " - ~a: - run an authenticating reverse proxy.") - (G_ "command-line|command|reverse-proxy")) - (format #t (G_ " - ~a: - run an identity provider.") - (G_ "command-line|command|identity-provider")) - (format #t (G_ " - ~a: - serve the pages for a public application.") - (G_ "command-line|command|client-service")) - (format #t (G_ " - ~a: - run a full server, with identity provider and resource storage - facility.") - (G_ "command-line|command|server")) - (format #t "\n") - (format #t (G_ " -If no command is specified, run the browser.")) (format #t "\n") (format #t (G_ " General options:")) (format #t (G_ " - -S MEANS, --~a=MEANS: - specify a way to download the complete corresponding source - code. For instance, this would be an URI pointing to a tarball.") - complete-corresponding-source-sym) - (format #t (G_ " -h, --~a: display a short help message and exit.") help-sym) 
@@ -375,83 +308,21 @@ General options:")) error-file-sym) (format #t "\n") (format #t (G_ " -General server-side options:")) +Running a server:")) + (format #t (G_ " + -S MEANS, --~a=MEANS: + specify a way to download the complete corresponding source + code. For instance, this would be an URI pointing to a + tarball. This option is required if a server is implemented.") + complete-corresponding-source-sym) (format #t (G_ " -p PORT, --~a=PORT: set the server port to bind, 8080 by default.") port-sym) (format #t (G_ " - -n URI, --~a=URI: - set the public server URI (scheme, userinfo, host, and port).") - server-name-sym) - (format #t "\n") - (format #t (G_ " -Options for the resource server:")) - (format #t (G_ " - -H HEADER, --~a=HEADER: - the HEADER field contains the webid of the authenticated user, - XXX-Agent by default. For the full server, disable Solid-OIDC - authentication.") - header-sym) - (format #t (G_ " - -b URI, --~a=URI: - set the backend URI for the reverse proxy, only for the - reverse-proxy command.") - backend-uri-sym) - (format #t "\n") - (format #t (G_ " -Options for the identity provider:")) - (format #t (G_ " - -k FILE, --~a=FILE.jwk: - set the file name of the key file. If it does not exist, a new - key is generated. 
The server does not offer an HTTPS service.") - key-file-sym) - (format #t (G_ " - -s WEBID, --~a=WEBID: - set the identity of the subject.") - subject-sym) - (format #t (G_ " - -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD: - set the encrypted password to recognize the user.") - encrypted-password-sym) - (format #t (G_ " - -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE: - load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE.") - encrypted-password-from-file-sym) - (format #t (G_ " - -j URI, --~a=URI: - set the URI to query the key of the server.") - jwks-uri-sym) - (format #t (G_ " - -a URI, --~a=URI: - set the authorization endpoint of the issuer.") - authorization-endpoint-uri-sym) - (format #t (G_ " - -t URI, --~a=URI: - set the token endpoint of the issuer.") - token-endpoint-uri-sym) - (format #t "\n") - (format #t (G_ " -Options for the client service:")) - (format #t (G_ " - -c URI, --~a=URI: - set the web identifier of the client application, which is - dereferenced to a semantic resource.") - client-id-sym) - (format #t (G_ " - -r URI, --~a=URI: - set the redirection URI to get the authorization code back. The - page is presented with the code to paste in the application.") - redirect-uri-sym) - (format #t (G_ " - -C NAME, --~a=NAME: - set the user-visible application name (may be misleading...).") - client-name-sym) - (format #t (G_ " - -u URI, --~a=URI: - set an URI where someone would find more information about the - application (again, may be misleading).") - client-uri-sym) + -c FILE, --~a=FILE: + set up a server with configuration from FILE.") + configuration-sym) (format #t "\n") (format #t (G_ " Environment variables:")) 
@@ -499,110 +370,6 @@ Environment variables:")) It is currently set to ~s.") (getenv "HOME"))) (format #t "\n") - (format #t (G_ " -Running a reverse proxy")) - (format #t (G_ " -Suppose that you operate data.provider.com. You want to run an -authenticating reverse proxy, that will receive incoming requests -through http://localhost:8080, and forward them to -https://private.data.provider.com. The backend will look for the -XXX-Agent header, and if it is found, then its value will be -considered the webid of the authenticated -user. https://private.data.provider.com should only accept requests -from this reverse proxy.")) - (format #t "\n") - (format #t (G_ " - ~a ~a \\ - --~a 'https://data.provider.com/server-source-code.tar.gz' \\ - --~a 8080 \\ - --~a 'https://data.provider.com' \\ - --~a 'https://private.data.provider.com' \\ - --~a 'XXX-Agent' \\ - --~a '/var/log/proxy.log' \\ - --~a '/var/log/proxy.err'") - (car (command-line)) - (G_ "command-line|command|reverse-proxy") - complete-corresponding-source-sym - port-sym server-name-sym backend-uri-sym header-sym - log-file-sym error-file-sym) - (format #t "\n") - (format #t (G_ " -Running an identity provider")) - (format #t (G_ " -The identity provider running at webid-oidc-demo.planete-kraus.eu is -invoked with the following options:")) - (format #t "\n") - (format #t (G_ " - export XDG_DATA_HOME=/var/lib - export XDG_CACHE_HOME=/var/cache - ~a ~a \\ - --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz' \\ - --~a 'https://webid-oidc-demo.planete-kraus.eu' \\ - --~a '/var/lib/webid-oidc/issuer/key.jwk' \\ - --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\ - --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\ - --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\ - --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\ - --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\ - --~a $PORT") - (car (command-line)) - (G_ 
"command-line|command|identity-provider") - complete-corresponding-source-sym - server-name-sym key-file-sym subject-sym encrypted-password-from-file-sym - jwks-uri-sym authorization-endpoint-uri-sym - token-endpoint-uri-sym port-sym) - (format #t "\n") - (format #t (G_ " -Running the public pages for an application")) - (format #t (G_ " -The example client application pages for -webid-oidc-demo.planete-kraus.eu are served this way:")) - (format #t "\n") - (format #t (G_ " - ~a ~a \\ - --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz' \\ - --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' \\ - --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\ - --~a 'Example Solid Application' \\ - --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client.html#Running-a-client' \\ - --~a $PORT") - (car (command-line)) - (G_ "command-line|command|client-service") - complete-corresponding-source-sym - client-id-sym redirect-uri-sym client-name-sym client-uri-sym - port-sym) - (format #t "\n") - (format #t (G_ " -Running a full server")) - (format #t "\n") - (format #t (G_ " -To run the server with identity provider and -resource server for one particular user, you need to combine the -options for the parts.")) - (format #t (G_ " - export XDG_DATA_HOME=/var/lib - export XDG_CACHE_HOME=/var/cache - ~a ~a \\ - --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz' \\ - --~a 'https://data.planete-kraus.eu' \\ - --~a '/var/lib/disfluid/server/key.jwk' \\ - --~a 'https://data.planete-kraus.eu/vivien#me' \\ - --~a '/etc/disfluid/data.planete-kraus.eu/password' \\ - --~a 'https://data.planete-kraus.eu/keys' \\ - --~a 'https://data.planete-kraus.eu/authorize' \\ - --~a 'https://data.planete-kraus.eu/token' \\ - --~a '...port...'") - (car (command-line)) - (G_ "command-line|command|server") - complete-corresponding-source-sym - server-name-sym - key-file-sym - subject-sym - encrypted-password-from-file-sym 
- jwks-uri-sym - authorization-endpoint-uri-sym - token-endpoint-uri-sym - port-sym) (format #t "\n") (format #t (G_ " If you find a bug, then please send a report to ~a.") @@ -634,14 +401,12 @@ Rreleased ~a\n") cfg:version (date->string cfg:release-date "~1"))) (else - (let ((rest (option-ref options '() '())) - (complete-corresponding-source - (let ((str (option-ref options complete-corresponding-source-sym #f))) - (unless (or (null? (option-ref options '() '())) str) - (format (current-error-port) - (G_ "You are legally required to link to the complete corresponding source code.\n")) - (exit 1)) - str)) + (let ((complete-corresponding-source + (option-ref options complete-corresponding-source-sym #f)) + (log-file-name + (option-ref options log-file-sym #f)) + (error-file-name + (option-ref options error-file-sym #f)) (port (let ((port (string->number (option-ref options port-sym "8080")))) (unless port 
@@ -667,220 +432,27 @@ Rreleased ~a\n") port-sym port) (exit 1)) port)) - (server-name - (let ((str (option-ref options server-name-sym #f))) - (and str - (string->uri str)))) - (backend-uri - (let ((str (option-ref options backend-uri-sym #f))) - (and str - (string->uri str)))) - (header - (let ((str (option-ref options header-sym #f))) - (and str - (string->symbol str)))) - (key-file (option-ref options key-file-sym #f)) - (subject - (let ((str (option-ref options subject-sym #f))) - (and str (string->uri str)))) - (encrypted-password - (let ((direct (option-ref options encrypted-password-sym #f)) - (from-file - (let ((filename (option-ref options encrypted-password-from-file-sym #f))) - (and filename - (call-with-input-file filename get-line))))) - (when (and direct from-file (not (equal? direct from-file))) - (format (current-error-port) - (G_ "You specified two different passwords: one directly, and one from a file. Please set only one password.\n")) - (exit 1)) - (or direct from-file))) - (jwks-uri - (let ((str (option-ref options jwks-uri-sym #f))) - (and str (string->uri str)))) - (authorization-endpoint-uri - (let ((str (option-ref options authorization-endpoint-uri-sym #f))) - (and str (string->uri str)))) - (token-endpoint-uri - (let ((str (option-ref options token-endpoint-uri-sym #f))) - (and str (string->uri str)))) - (client-id - (let ((str (option-ref options client-id-sym #f))) - (and str (string->uri str)))) - (redirect-uri - (let ((str (option-ref options redirect-uri-sym #f))) - (and str (string->uri str)))) - (client-name - (option-ref options client-name-sym #f)) - (client-uri - (option-ref options client-uri-sym #f))) - (when (null? rest) - (eval - '(main) - (resolve-module '(webid-oidc client gui))) - (exit 0)) - (let ((command (car rest)) - (non-options (cdr rest))) - (cond - ((equal? 
command (G_ "command-line|command|reverse-proxy")) - (begin - (unless server-name - (format (current-error-port) (G_ "You must pass --~a to set the server name.\n") - server-name-sym) - (exit 1)) - (unless backend-uri - (format (current-error-port) (G_ "You must pass --~a to set the backend URI.\n") - backend-uri-sym) - (exit 1)) - (run-server* - (handler-with-log - (option-ref options log-file-sym #f) - (option-ref options error-file-sym #f) - complete-corresponding-source - (make-reverse-proxy - #:server-uri server-name - #:endpoint backend-uri - #:auth-header header)) - 'http - (list #:port port)))) - ((equal? command (G_ "command-line|command|identity-provider")) + (configuration + (let ((file-name (option-ref options configuration-sym #f))) + (and file-name + (load file-name))))) + (if configuration (begin - (unless server-name - (format (current-error-port) (G_ "You must pass --~a to set the server name.\n") - server-name-sym) - (exit 1)) - (unless key-file - (format (current-error-port) (G_ "You must pass --~a to set the file where to store the identity provider key.\n") - key-file-sym) - (exit 1)) - (unless subject - (format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n") - subject-sym) - (exit 1)) - (unless encrypted-password - (format (current-error-port) (G_ "You must pass --~a or --~a to set the subject’s encrypted password.\n") - encrypted-password-sym encrypted-password-from-file-sym) - (exit 1)) - (unless jwks-uri - (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n") - jwks-uri-sym) - (exit 1)) - (unless authorization-endpoint-uri - (format (current-error-port) (G_ "You must pass --~a to set the authorization endpoint URI.\n") - authorization-endpoint-uri-sym) - (exit 1)) - (unless token-endpoint-uri - (format (current-error-port) (G_ "You must pass --~a to set the token endpoint URI.\n") - token-endpoint-uri-sym) - (exit 1)) - (let ((handler - (make-identity-provider - 
server-name key-file subject encrypted-password jwks-uri - authorization-endpoint-uri token-endpoint-uri))) - (run-server* - (handler-with-log - (option-ref options log-file-sym #f) - (option-ref options error-file-sym #f) - complete-corresponding-source handler) - 'http - (list #:port port))))) - ((equal? command (G_ "command-line|command|client-service")) - (begin - (unless client-id - (format (current-error-port) (G_ "You must pass --~a to set the application web ID.\n") - client-id-sym) - (exit 1)) - (unless redirect-uri - (format (current-error-port) (G_ "You must pass --~a to set the redirection URI.\n") - redirect-uri-sym) - (exit 1)) - (unless client-name - (format (current-error-port) (G_ "You must pass --~a to set the informative client name.\n") - client-name-sym) - (exit 1)) - (unless client-uri - (format (current-error-port) (G_ "You must pass --~a to set the informative client URI.\n") - client-uri-sym) + (unless complete-corresponding-source + (format (current-error-port) + (G_ "--~a is required when running a server.\n") + complete-corresponding-source-sym) (exit 1)) - (let ((handler - (serve-application client-id redirect-uri - #:client-name client-name - #:client-uri client-uri))) - (run-server* - (handler-with-log - (option-ref options log-file-sym #f) - (option-ref options error-file-sym #f) - complete-corresponding-source handler) - 'http - (list #:port port))))) - ((equal? 
command (G_ "command-line|command|server")) - (unless server-name - (format (current-error-port) (G_ "You must pass --~a to set the server name.\n") - server-name-sym) - (exit 1)) - (unless key-file - (format (current-error-port) (G_ "You must pass --~a to set the file where to store the identity provider key.\n") - key-file-sym) - (exit 1)) - (unless subject - (format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n") - subject-sym) - (exit 1)) - (unless encrypted-password - (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n") - encrypted-password-sym) - (exit 1)) - (unless jwks-uri - (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n") - jwks-uri-sym) - (exit 1)) - (unless authorization-endpoint-uri - (format (current-error-port) (G_ "You must pass --~a to set the authorization endpoint URI.\n") - authorization-endpoint-uri-sym) - (exit 1)) - (unless token-endpoint-uri - (format (current-error-port) (G_ "You must pass --~a to set the token endpoint URI.\n") - token-endpoint-uri-sym) - (exit 1)) - (let ((resource-handler - (make-resource-server - #:server-uri server-name - #:owner subject - #:authenticator - (if header - (begin - (set! header - (string->symbol - (string-downcase - (symbol->string header)))) - (lambda (request request-body) - (let ((value (assq-ref (request-headers request) header))) - (and value (string->uri value))))) - (make-authenticator - #:server-uri server-name)))) - (identity-provider-handler - (make-identity-provider - server-name key-file subject encrypted-password jwks-uri - authorization-endpoint-uri token-endpoint-uri))) - (create-root server-name subject) (run-server* - (handler-with-log - (option-ref options log-file-sym #f) - (option-ref options error-file-sym #f) - complete-corresponding-source - (lambda (request request-body) - (let ((path (uri-path (request-uri request)))) - (if (or (equal? 
path "/.well-known/openid-configuration") - (equal? path (uri-path jwks-uri)) - (equal? path (uri-path authorization-endpoint-uri)) - (equal? path (uri-path token-endpoint-uri))) - (identity-provider-handler request request-body) - (resource-handler request request-body))))) - 'http - (list #:port port)))) - (else - (format (current-error-port) (G_ "Unknown command ~s\n") - command) - (exit 1)))))))))) + (handler-with-log configuration + log-file-name + error-file-name + complete-corresponding-source) + #:implementation 'http + #:open-params (list #:port port))) + (eval + '(main) + (resolve-module '(webid-oidc client gui)))))))))) (define-public (main) (setup-http-request inner-main)) diff --git a/src/scm/webid-oidc/resource-server.scm b/src/scm/webid-oidc/resource-server.scm deleted file mode 100644 index 95fa78a..0000000 --- a/src/scm/webid-oidc/resource-server.scm +++ /dev/null 
@@ -1,139 +0,0 @@ -;; disfluid, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see <https://www.gnu.org/licenses/>. - -(define-module (webid-oidc resource-server) - #:use-module (webid-oidc errors) - #:use-module (webid-oidc provider-confirmation) - #:use-module (webid-oidc jwk) - #:use-module (webid-oidc dpop-proof) - #:use-module (webid-oidc serve) - #:use-module (webid-oidc server endpoint) - #:use-module (webid-oidc server endpoint authentication) - #:use-module (webid-oidc server endpoint resource-server) - #:use-module ((webid-oidc server create) #:prefix ldp:) - #:use-module ((webid-oidc server read) #:prefix ldp:) - #:use-module ((webid-oidc server update) #:prefix ldp:) - #:use-module ((webid-oidc server delete) #:prefix ldp:) - #:use-module ((webid-oidc server resource wac) #:prefix wac:) - #:use-module ((webid-oidc server resource path) #:prefix ldp:) - #:use-module ((webid-oidc server resource content) #:prefix ldp:) - #:use-module (webid-oidc server precondition) - #:use-module (webid-oidc server endpoint) - #:use-module (webid-oidc server endpoint authentication) - #:use-module (webid-oidc http-link) - #:use-module ((webid-oidc parameters) #:prefix p:) - #:use-module ((webid-oidc config) #:prefix cfg:) - #:use-module (webid-oidc jti) - #:use-module (webid-oidc access-token) - #:use-module 
(web request) - #:use-module (web response) - #:use-module (web uri) - #:use-module (web server) - #:use-module (ice-9 optargs) - #:use-module (ice-9 receive) - #:use-module (webid-oidc web-i18n) - #:use-module (ice-9 getopt-long) - #:use-module (ice-9 suspendable-ports) - #:use-module (ice-9 control) - #:use-module (ice-9 match) - #:use-module (ice-9 exceptions) - #:use-module (sxml simple) - #:use-module (srfi srfi-19) - #:use-module (srfi srfi-26) - #:use-module (oop goops) - #:duplicates (merge-generics) - #:declarative? #t - #:export - ( - make-authenticator - make-resource-server - )) - -(define-class <stub-endpoint> (<endpoint>)) - -(define return - (make-parameter #f)) - -(define-method (handle (endpoint <stub-endpoint>) request request-body) - ((return) (assq-ref (request-meta request) 'user))) - -(define* (make-authenticator #:key (server-uri #f)) - (unless (and server-uri (uri? server-uri)) - (fail (G_ "You need to pass #:server-uri URI where URI is the public URI of the server, as a (web uri)."))) - (let* ((backend (make <stub-endpoint>)) - (endpoint (make <authenticator> - #:backend backend - #:server-uri server-uri))) - (lambda (request request-body) - (parameterize ((web-locale request)) - (with-exception-handler - (lambda (error) - #f) - (lambda () - (let/ec ret - (parameterize ((return ret)) - (handle endpoint request request-body)))) - #:unwind? #t))))) - -(define* (make-resource-server - #:key - (server-uri #f) - (owner #f) - (authenticator #f)) - (unless owner - (fail (G_ "The owner is not defined."))) - (declare-link-header!) - (define resource-server - (make <resource-server> - #:server-name server-uri - #:owner owner)) - (define authenticator - (make <authenticator> - #:backend resource-server - #:server-uri server-uri)) - (lambda (request request-body) - (let/ec return - (parameterize ((web-locale request)) - (with-exception-handler - (lambda (exn) - (unless (web-exception? 
exn) - (raise-exception exn)) - (return - (build-response - #:code (web-exception-code exn) - #:reason-phrase (web-exception-reason-phrase exn) - #:headers `((content-type application/xhtml+xml))) - (call-with-output-string - (cute sxml->xml - `(*TOP* - (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") - (html (@ (xmlns "http://www.w3.org/1999/xhtml") - (xml:lang ,(W_ "xml-lang|en"))) - (body - ,(call-with-input-string - (format #f (W_ "<h1>The resource server request failed</h1>")) - xml->sxml) - ,(if (user-message? exn) - (user-message-sxml exn) - (call-with-input-string - (format #f (W_ "<p>No more information.</p>")) - xml->sxml))))) - <>)))) - (lambda () - (receive (response response-body response-meta) - (handle authenticator request request-body) - (return response response-body))) - #:unwind? #t))))) diff --git a/src/scm/webid-oidc/reverse-proxy.scm b/src/scm/webid-oidc/reverse-proxy.scm deleted file mode 100644 index 4221fa5..0000000 --- a/src/scm/webid-oidc/reverse-proxy.scm +++ /dev/null 
@@ -1,90 +0,0 @@ -;; disfluid, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see <https://www.gnu.org/licenses/>. - -(define-module (webid-oidc reverse-proxy) - #:use-module (webid-oidc errors) - #:use-module ((webid-oidc stubs) #:prefix stubs:) - #:use-module (webid-oidc resource-server) - #:use-module ((webid-oidc config) #:prefix cfg:) - #:use-module ((webid-oidc parameters) #:prefix p:) - #:use-module (ice-9 optargs) - #:use-module (ice-9 receive) - #:use-module (ice-9 i18n) - #:use-module (ice-9 getopt-long) - #:use-module (ice-9 suspendable-ports) - #:use-module (srfi srfi-19) - #:use-module (rnrs bytevectors) - #:use-module (web uri) - #:use-module (web client) ;; required to pass the request along - #:use-module (web request) - #:use-module (web response) - #:use-module (webid-oidc cache) - #:use-module (webid-oidc web-i18n) - #:use-module (web server) - #:use-module (webid-oidc server endpoint) - #:use-module (webid-oidc server endpoint reverse-proxy) - #:declarative? #t - #:export - ( - make-reverse-proxy - )) - -(define* (make-reverse-proxy - #:key - (server-uri #f) - (endpoint #f) - (auth-header 'XXX-Agent)) - (set! auth-header - ;; We need to remove the lowercase version of auth-header from - ;; all incoming requests! 
- (string->symbol - (string-downcase - (symbol->string auth-header)))) - (define authenticate - (make-authenticator - #:server-uri server-uri)) - (unless (and endpoint (uri? endpoint)) - (fail (G_ "#:endpoint argument is not present or not an URI."))) - (define backend - (make <reverse-proxy> - #:backend-uri endpoint - #:authentication-header auth-header)) - (lambda (request request-body) - (let ((agent - (catch #t - (lambda () - (authenticate request request-body)) - (lambda (key . args) - (case key - ((invalid-access-token - invalid-proof - unconfirmed-issuer) - #f) - (else - (apply throw key args)))))) - (request-time ((p:current-date)))) - (parameterize ((p:current-date request-time) - (web-locale request)) - (set! request - (build-request (request-uri request) - #:method (request-method request) - #:version (request-version request) - #:headers (request-headers request) - #:port (request-port request) - #:meta `((user . ,agent) ,@(request-meta request)))) - (receive (response response-body response-meta) - (handle backend request request-body) - (values response response-body)))))) diff --git a/src/scm/webid-oidc/simulation.scm b/src/scm/webid-oidc/simulation.scm index 0accdc4..38c22ae 100644 --- a/src/scm/webid-oidc/simulation.scm +++ b/src/scm/webid-oidc/simulation.scm @@ -16,8 +16,7 @@ (define-module (webid-oidc simulation) #:use-module ((webid-oidc client) #:prefix client:) - #:use-module (webid-oidc identity-provider) - #:use-module (webid-oidc resource-server) + #:use-module (webid-oidc server endpoint) #:use-module (webid-oidc web-i18n) #:use-module (webid-oidc errors) #:use-module ((webid-oidc parameters) #:prefix p:) 
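Review bot: the header-stripping guarantee is lost with src/scm/webid-oidc/reverse-proxy.scm and nothing in this diff shows where it went. The deleted make-reverse-proxy lowercased the configured auth-header and carried the comment "We need to remove the lowercase version of auth-header from all incoming requests!", because a backend that trusts that header is only safe if a client cannot supply it. The replacement `<reverse-proxy>` class in (webid-oidc server endpoint reverse-proxy) is not part of this change, so please confirm in the commit message (or a test) that it still drops any incoming header named by #:authentication-header before forwarding. The same file also distinguished `invalid-access-token`, `invalid-proof` and `unconfirmed-issuer` (treated as anonymous) from every other key (rethrown), whereas the deleted make-authenticator in resource-server.scm returned #f for any exception; the endpoint-based authenticator should keep the narrower behaviour, otherwise a programming error in token validation silently degrades to an anonymous request.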
@@ -29,36 +28,37 @@ #:use-module (ice-9 receive) #:use-module (ice-9 optargs) #:use-module (ice-9 match) + #:use-module (ice-9 control) + #:use-module (srfi srfi-26) + #:use-module (sxml simple) + #:use-module (oop goops) #:export ( <simulation> - make-simulation - simulation? - simulation-scroll-log! + endpoint + log + + scroll-log! request get post grant-authorization - add-server! - add-client! ) #:declarative? #t) -(define-record-type <simulation> - (make-full-simulation handlers-rev log-rev) - simulation? - (handlers-rev simulation-handlers-rev simulation-handlers-rev-set!) - (log-rev simulation-log-rev simulation-log-rev-set!)) +(define-class <simulation> () + (endpoint #:init-keyword #:endpoint #:getter endpoint) + (log-rev #:getter log-rev #:init-value '())) -(define (make-simulation) - (make-full-simulation '() '())) +(define-method (log (simulation <simulation>)) + (reverse (log-rev simulation))) -(define (simulation-scroll-log! simulation) - (let ((log (reverse (simulation-log-rev simulation)))) - (simulation-log-rev-set! simulation '()) - log)) +(define-method (scroll-log! (simulation <simulation>)) + (let ((the-log (log simulation))) + (slot-set! simulation 'log-rev '()) + the-log)) (define* (request simulation uri #:key @@ -66,12 +66,7 @@ (body #f) (version '(1 . 1)) (headers '())) - (let ((server-uri - (build-uri (uri-scheme uri) - #:userinfo (uri-userinfo uri) - #:host (uri-host uri) - #:port (uri-port uri))) - (rq + (let ((rq (build-request uri #:method method #:version version 
@@ -79,23 +74,34 @@ #:port (open-output-string))) (rq-body body)) (receive (response response-body) - (let find-handler ((handlers - (reverse - (simulation-handlers-rev simulation)))) - (match handlers - (() - (values - (build-response #:code 404 - #:reason-phrase "Not Found") - "Resource not found.")) - (((server . handler) tl ...) - (if (equal? server server-uri) - (receive (response response-body . _) - (handler rq rq-body) - (if (eqv? (response-code response) 404) - (find-handler tl) - (values response response-body))) - (find-handler tl))))) + (let/ec return + (with-exception-handler + (lambda (error) + (when (web-exception? error) + (return + (build-response #:code (web-exception-code error) + #:reason-phrase (web-exception-reason-phrase error) + #:headers `((content-type application/xhtml-xml))) + (call-with-output-string + (cute sxml->xml + `(*TOP* + (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") + (html (@ (xmlns "http://www.w3.org/1999/xhtml") + (xml:lang ,(W_ "xml-lang|en"))) + (head + (title ,(W_ "An error happened…"))) + (body + ,(call-with-input-string + (format #f (W_ "<p>Sorry, an error happened.</p>")) + xml->sxml) + ,(user-message-sxml error)))) + <>)))) + ;; Other kind of exception + (raise-exception error)) + (lambda () + (receive (response response-body response-meta) + (handle (endpoint simulation) rq rq-body) + (values response response-body))))) (unless (response-date response) ;; We need to set a date. (set! response @@ -105,10 +111,9 @@ #:headers `((date . ,((p:current-date))) ,@(response-headers response)) #:port (response-port response)))) - (simulation-log-rev-set! - simulation - `((,rq ,rq-body ,response ,response-body) - ,@(simulation-log-rev simulation))) + (slot-set! simulation 'log-rev + `((,rq ,rq-body ,response ,response-body) + ,@(slot-ref simulation 'log-rev))) (values response response-body)))) (define* (get simulation uri . args) 
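Review bot: the error response built in the simulation's new with-exception-handler (hunk @@ -79,23 +74,34 @@) declares `content-type application/xhtml-xml`; the deleted handlers in resource-server.scm and token-endpoint.scm used `application/xhtml+xml`, which is the registered type, so this looks like a typo that will make any content-type assertion in the tests fail. In the same handler `(user-message-sxml error)` is called for every `web-exception?`, but the deleted code guarded it with `(if (user-message? exn) (user-message-sxml exn) ...)` and fell back to "No more information."; if a web exception without a user message reaches the simulation the harness will now raise from inside its own error handler instead of returning the 4xx/5xx the test was checking for. Suggest restoring the guard and the fallback paragraph here.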
@@ -134,51 +139,3 @@ (query (uri-query uri)) (code (substring query (string-length "code=")))) code))) - -(define (add-server! simulation server-uri owner) - (define (with-path uri path) - (build-uri (uri-scheme uri) - #:userinfo (uri-userinfo uri) - #:host (uri-host uri) - #:port (uri-port uri) - #:path path)) - (let ((identity-provider - (make-identity-provider - server-uri - (string-append (p:data-home) - "/" - (uri-encode (uri->string server-uri)) - "/key.jwk") - owner - (crypt "password" "xxx") - (with-path server-uri "/keys") - (with-path server-uri "/authorize") - (with-path server-uri "/token"))) - (server - (make-resource-server - #:server-uri server-uri - #:owner owner))) - (define (handle request body) - (let ((path (uri-path (request-uri request)))) - (if (member path - '("/.well-known/openid-configuration" - "/keys" - "/authorize" - "/token")) - (identity-provider request body) - (server request body)))) - ;; Ensure that the profile exists - (server:create-root server-uri owner) - (simulation-handlers-rev-set! - simulation - `((,server-uri . ,handle) - ,@(simulation-handlers-rev simulation))))) - -(define (add-client! simulation server-uri client-id redirect-uri name uri) - (simulation-handlers-rev-set! - simulation - `((,server-uri - . ,(client:serve-application client-id redirect-uri - #:client-name name - #:client-uri uri)) - ,@(simulation-handlers-rev simulation)))) diff --git a/src/scm/webid-oidc/testing.scm b/src/scm/webid-oidc/testing.scm index c26ab5e..f594b6d 100644 --- a/src/scm/webid-oidc/testing.scm +++ b/src/scm/webid-oidc/testing.scm @@ -20,7 +20,6 @@ #:use-module (srfi srfi-9) #:use-module (ice-9 optargs) #:use-module (webid-oidc parameters) - #:use-module (webid-oidc resource-server) #:use-module (webid-oidc refresh-token) #:use-module (webid-oidc client)) diff --git a/src/scm/webid-oidc/token-endpoint.scm b/src/scm/webid-oidc/token-endpoint.scm deleted file mode 100644 index f96e768..0000000 
--- a/src/scm/webid-oidc/token-endpoint.scm +++ /dev/null 
@@ -1,94 +0,0 @@ -;; disfluid, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see <https://www.gnu.org/licenses/>. - -(define-module (webid-oidc token-endpoint) - #:use-module (webid-oidc server endpoint identity-provider) - #:use-module (webid-oidc errors) - #:use-module (webid-oidc server endpoint) - #:use-module (webid-oidc authorization-code) - #:use-module (webid-oidc dpop-proof) - #:use-module (webid-oidc jws) - #:use-module (webid-oidc jwk) - #:use-module (webid-oidc oidc-id-token) - #:use-module (webid-oidc access-token) - #:use-module (webid-oidc web-i18n) - #:use-module ((webid-oidc parameters) #:prefix p:) - #:use-module ((webid-oidc stubs) #:prefix stubs:) - #:use-module ((webid-oidc refresh-token) #:prefix refresh:) - #:use-module (web request) - #:use-module (web response) - #:use-module (web uri) - #:use-module (ice-9 optargs) - #:use-module (ice-9 receive) - #:use-module (ice-9 control) - #:use-module (ice-9 exceptions) - #:use-module (srfi srfi-19) - #:use-module (srfi srfi-26) - #:use-module (rnrs bytevectors) - #:use-module (sxml simple) - #:use-module (sxml match) - #:use-module (oop goops) - #:duplicates (merge-generics) - #:declarative? 
#t - #:export - ( - make-token-endpoint - )) - -(define (try-handle-web-failure thunk) - (call/ec - (lambda (return) - (with-exception-handler - (lambda (error) - (unless (web-exception? error) - (raise-exception error)) - (return - (build-response - #:code (web-exception-code error) - #:reason-phrase (web-exception-reason-phrase error) - #:headers `((content-type application/xhtml+xml))) - (call-with-output-string - (cute sxml->xml - `(*TOP* - (*PI* xml "version=\"1.0\" encoding=\"utf-8\"") - (html (@ (xmlns "http://www.w3.org/1999/xhtml") - (xml:lang ,(W_ "xml-lang|en"))) - (body - ,(call-with-input-string - (format #f (W_ "<h1>The token request failed</h1>")) - xml->sxml) - ,(if (user-message? error) - (user-message-sxml error) - (call-with-input-string - (format #f (W_ "<p>No more information.</p>")) - xml->sxml))))) - <>)))) - thunk)))) - -(define (make-token-endpoint token-endpoint-uri iss issuer-key-file) - (define endpoint - (make <token-endpoint> - #:issuer iss - #:key-file issuer-key-file)) - (lambda (request request-body) - (when (bytevector? request-body) - (set! request-body (utf8->string request-body))) - (try-handle-web-failure - (lambda () - (parameterize ((web-locale request)) - (receive (response response-body response-meta) - (handle endpoint request request-body) - (values response response-body))))))) diff --git a/tests/authorization-endpoint-get-form.scm b/tests/authorization-endpoint-get-form.scm index 25b7128..a3cbf2b 100644 --- a/tests/authorization-endpoint-get-form.scm +++ b/tests/authorization-endpoint-get-form.scm @@ -1,4 +1,4 @@ -;; webid-oidc, implementation of the Solid specification +;; disfluid, implementation of the Solid specification ;; Copyright (C) 2020, 2021 Vivien Kraus ;; This program is free software: you can redistribute it and/or modify 
@@ -14,17 +14,22 @@ ;; You should have received a copy of the GNU Affero General Public License ;; along with this program. If not, see <https://www.gnu.org/licenses/>. -(use-modules (webid-oidc authorization-endpoint) - (webid-oidc jwk) - (webid-oidc testing) - ((webid-oidc parameters) #:prefix p:) - (web uri) - (web request) - (web response) - (srfi srfi-19) - (web response) - (ice-9 optargs) - (ice-9 receive)) +(define-module (tests authorization-endpoint-get-form) + #:use-module (webid-oidc jwk) + #:use-module (webid-oidc testing) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module (web uri) + #:use-module (web request) + #:use-module (web response) + #:use-module (srfi srfi-19) + #:use-module (web response) + #:use-module (ice-9 optargs) + #:use-module (ice-9 receive) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint identity-provider) + #:use-module (oop goops) + #:duplicates (merge-generics) + #:declarative? #t) (with-test-environment "authorization-endpoint-get-form" 
@@ -32,16 +37,18 @@ (define subject (string->uri "https://authorization-endpoint-get-form.scm/profile/card#me")) (define password "p4ssw0rd") (define endpoint - (make-authorization-endpoint - subject password "key-file.jwk")) - (receive (response response-body) + (make <authorization-endpoint> + #:subject subject + #:encrypted-password (crypt password "$6$some.salt.data") + #:key-file "key-file.jwk")) + (receive (response response-body response-meta) (parameterize ((p:current-date 0)) - (endpoint - (build-request (string->uri - (format #f "https://authorization-endpoint-get-form.scm/authorize?client_id=~a&redirect_uri=~a" - (uri-encode "https://authorization-endpoint-get-form.scm/client/card#app") - (uri-encode "https://authorization-endpoint-get-form.scm/client/redirect")))) - "")) + (handle endpoint + (build-request (string->uri + (format #f "https://authorization-endpoint-get-form.scm/authorize?client_id=~a&redirect_uri=~a" + (uri-encode "https://authorization-endpoint-get-form.scm/client/card#app") + (uri-encode "https://authorization-endpoint-get-form.scm/client/redirect")))) + "")) (unless (eq? (response-code response) 200) (exit 3)) (unless (response-content-type response) diff --git a/tests/authorization-endpoint-no-args.scm b/tests/authorization-endpoint-no-args.scm index 7976d9d..0cc2fab 100644 --- a/tests/authorization-endpoint-no-args.scm +++ b/tests/authorization-endpoint-no-args.scm @@ -1,4 +1,4 @@ -;; webid-oidc, implementation of the Solid specification +;; disfluid, implementation of the Solid specification ;; Copyright (C) 2020, 2021 Vivien Kraus ;; This program is free software: you can redistribute it and/or modify 
@@ -14,17 +14,22 @@ ;; You should have received a copy of the GNU Affero General Public License ;; along with this program. If not, see <https://www.gnu.org/licenses/>. -(use-modules (webid-oidc authorization-endpoint) - (webid-oidc jwk) - (webid-oidc testing) - ((webid-oidc parameters) #:prefix p:) - (web uri) - (web request) - (web response) - (srfi srfi-19) - (web response) - (ice-9 optargs) - (ice-9 receive)) +(define-module (tests authorization-endpoint-no-args) + #:use-module (webid-oidc jwk) + #:use-module (webid-oidc testing) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module (web uri) + #:use-module (web request) + #:use-module (web response) + #:use-module (srfi srfi-19) + #:use-module (web response) + #:use-module (ice-9 optargs) + #:use-module (ice-9 receive) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint identity-provider) + #:use-module (oop goops) + #:duplicates (merge-generics) + #:declarative? #t) (with-test-environment "authorization-endpoint-no-args" 
@@ -32,12 +37,25 @@ (define subject (string->uri "https://authorization-endpoint-get-form.scm/profile/card#me")) (define password "p4ssw0rd") (define endpoint - (make-authorization-endpoint subject password "./key-file.jwk")) - (receive (response response-body) + (make <authorization-endpoint> + #:subject subject + #:encrypted-password (crypt password "$6$some.salt.data") + #:key-file "key-file.jwk")) + (with-exception-handler + (lambda (exn) + (unless (and (web-exception? exn) + (eqv? (web-exception-code exn) 400)) + (raise-exception + (make-exception + (make-exception-with-message + "I was expected a 400 response.") + exn)))) + (lambda () (parameterize ((p:current-date 0)) - (endpoint - (build-request (string->uri - "https://authorization-endpoint-get-form.scm/authorize")) - "")) - (unless (eq? (response-code response) 400) - (exit 3))))) + (handle endpoint + (build-request (string->uri + "https://authorization-endpoint-get-form.scm/authorize")) + "") + (exit 3))) + #:unwind? #t + #:unwind-for-type &web-exception))) diff --git a/tests/authorization-endpoint-submit-form.scm b/tests/authorization-endpoint-submit-form.scm index 78216a9..de5c76c 100644 --- a/tests/authorization-endpoint-submit-form.scm +++ b/tests/authorization-endpoint-submit-form.scm @@ -15,13 +15,15 @@ ;; along with this program. If not, see <https://www.gnu.org/licenses/>. (define-module (tests authorization-endpoint-submit-form) - #:use-module (webid-oidc authorization-endpoint) #:use-module (webid-oidc authorization-code) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint identity-provider) #:use-module (webid-oidc client-manifest) #:use-module (webid-oidc jwk) #:use-module (webid-oidc cache) #:use-module (webid-oidc jti) #:use-module (webid-oidc testing) + #:use-module (webid-oidc errors) #:use-module ((webid-oidc parameters) #:prefix p:) #:use-module ((webid-oidc stubs) #:prefix stubs:) #:use-module (web uri) 
@@ -31,6 +33,7 @@ #:use-module (web response) #:use-module (ice-9 optargs) #:use-module (ice-9 receive) + #:use-module (ice-9 exceptions) #:use-module (oop goops) #:declarative? #t #:duplicates (merge-generics)) @@ -54,8 +57,10 @@ (define the-response (car served)) (define the-response-body (cdr served)) (define endpoint - (make-authorization-endpoint - subject encrypted-password "key-file.jwk")) + (make <authorization-endpoint> + #:subject subject + #:encrypted-password encrypted-password + #:key-file "key-file.jwk")) (parameterize ((p:anonymous-http-request (lambda* (uri #:key (headers '()) #:allow-other-keys) (unless (equal? uri what-uri-to-expect) 
@@ -63,30 +68,43 @@ (values the-response the-response-body)))) (use-cache (lambda () - (receive (response response-body) + (with-exception-handler + (lambda (exn) + (unless (and (web-exception? exn) + (eqv? (web-exception-code exn) 401)) + (raise-exception + (make-exception + (make-exception-with-message + (if (web-exception? exn) + (format #f "the error code should be 401, not ~a" + (web-exception-code exn)) + (format #f "there should be a web error"))) + exn)))) + (lambda () ;; The password is fake! (parameterize ((p:current-date 0)) - (endpoint - (build-request (string->uri - (format #f "https://authorization-endpoint-submit-form.scm/authorize?client_id=~a&redirect_uri=~a" - (uri-encode (uri->string client)) - (uri-encode (uri->string redirect)))) - #:headers '((content-type application/x-www-form-urlencoded)) - #:method 'POST - #:port #t) - "password=fake")) - (when (eq? (response-code response) 302) - (exit 3))) - (receive (response response-body) + (handle endpoint + (build-request (string->uri + (format #f "https://authorization-endpoint-submit-form.scm/authorize?client_id=~a&redirect_uri=~a" + (uri-encode (uri->string client)) + (uri-encode (uri->string redirect)))) + #:headers '((content-type application/x-www-form-urlencoded)) + #:method 'POST + #:port #t) + "password=fake") + (exit 3))) + #:unwind? 
#t + #:unwind-for-type &web-exception) + (receive (response response-body response-meta) (parameterize ((p:current-date 0)) - (endpoint - (build-request (string->uri - (format #f "https://authorization-endpoint-submit-form.scm/authorize?client_id=~a&redirect_uri=~a" - (uri-encode (uri->string client)) - (uri-encode (uri->string redirect)))) - #:headers '((content-type application/x-www-form-urlencoded)) - #:method 'POST - #:port #t) + (handle endpoint + (build-request (string->uri + (format #f "https://authorization-endpoint-submit-form.scm/authorize?client_id=~a&redirect_uri=~a" + (uri-encode (uri->string client)) + (uri-encode (uri->string redirect)))) + #:headers '((content-type application/x-www-form-urlencoded)) + #:method 'POST + #:port #t) "password=p4ssw0rd")) (unless (eq? (response-code response) 302) (exit 4)) diff --git a/tests/client-manifest-not-modified.scm b/tests/client-manifest-not-modified.scm index 26f4852..9026c87 100644 --- a/tests/client-manifest-not-modified.scm +++ b/tests/client-manifest-not-modified.scm @@ -1,4 +1,4 @@ -;; webid-oidc, implementation of the Solid specification +;; disfluid, implementation of the Solid specification ;; Copyright (C) 2020, 2021 Vivien Kraus ;; This program is free software: you can redistribute it and/or modify 
@@ -14,31 +14,40 @@ ;; You should have received a copy of the GNU Affero General Public License ;; along with this program. If not, see <https://www.gnu.org/licenses/>. -(use-modules (webid-oidc client) - (webid-oidc testing) - (webid-oidc errors) - (web uri) - (srfi srfi-19) - (web request) - (web response) - (ice-9 optargs) - (ice-9 receive)) +(define-module (tests client-manifest-not-modified) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint client) + #:use-module (webid-oidc client) + #:use-module (webid-oidc testing) + #:use-module (webid-oidc errors) + #:use-module (web uri) + #:use-module (srfi srfi-19) + #:use-module (web request) + #:use-module (web response) + #:use-module (ice-9 optargs) + #:use-module (ice-9 receive) + #:use-module (oop goops) + #:declarative? #t + #:duplicates (merge-generics)) (with-test-environment "client-manifest-not-modified" (lambda () - (let ((handler (serve-application - (string->uri "https://example.com/manifest") - (string->uri "https://example.com/authorized")))) - (receive (response response-body) - (handler (build-request (string->uri "https://example.com/manifest")) - "") - (let ((etag (response-etag response))) - (unless etag - (exit 1)) - (receive (second-response second-response-body) - (handler (build-request (string->uri "https://example.com/manifest") - #:headers `((if-none-match . (,etag)))) - "") - (unless (eqv? 
(response-code second-response) 304) - (exit 2)))))))) + (define endpoint + (make <client-id> + #:client-id (string->uri "https://example.com/manifest") + #:redirect-uris (list (string->uri "https://example.com/authorized")))) + (receive (response response-body response-meta) + (handle endpoint + (build-request (string->uri "https://example.com/manifest")) + #f) + (let ((etag (response-etag response))) + (unless etag + (exit 1)) + (receive (second-response second-response-body second-response-meta) + (handle endpoint + (build-request (string->uri "https://example.com/manifest") + #:headers `((if-none-match . (,etag)))) + #f) + (unless (eqv? (response-code second-response) 304) + (exit 2))))))) diff --git a/tests/client-workflow.scm b/tests/client-workflow.scm index ed1c1b4..63d505a 100644 --- a/tests/client-workflow.scm +++ b/tests/client-workflow.scm @@ -19,9 +19,15 @@ #:use-module ((webid-oidc client accounts) #:prefix client:) #:use-module ((webid-oidc jwk) #:prefix jwk:) #:use-module (webid-oidc testing) + #:use-module (webid-oidc oidc-configuration) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint resource-server) + #:use-module (webid-oidc server endpoint identity-provider) + #:use-module (webid-oidc server endpoint client) + #:use-module (webid-oidc server endpoint authentication) #:use-module ((webid-oidc stubs) #:prefix stubs:) #:use-module ((webid-oidc refresh-token) #:prefix refresh:) - #:use-module ((webid-oidc simulation) #:prefix sim:) + #:use-module (webid-oidc simulation) #:use-module ((webid-oidc parameters) #:prefix p:) #:use-module (web uri) #:use-module (web request) @@ -33,6 +39,7 @@ #:use-module (ice-9 hash-table) #:use-module (ice-9 match) #:use-module (oop goops) + #:declarative? #t #:duplicates (merge-generics)) ;; In this example, a user firsts requests an account, then logs in 
@@ -59,39 +66,75 @@ (with-test-environment "client-workflow" (lambda () - (let ((simulation (sim:make-simulation)) + (let ((simulation + (make <simulation> + #:endpoint + (make <router> + #:routed + (list + (make <identity-provider> + #:host "server.client-workflow.scm" + #:oidc-discovery + (make <oidc-discovery> + #:path "/.well-known/openid-configuration" + #:configuration + (make <oidc-configuration> + #:jwks-uri "https://server.client-workflow.scm/keys" + #:authorization-endpoint "https://server.client-workflow.scm/authorize" + #:token-endpoint "https://server.client-workflow.scm/token")) + #:authorization-endpoint + (make <authorization-endpoint> + #:path "/authorize" + #:subject "https://server.client-workflow.scm/alice#me" + #:encrypted-password (crypt "password" "$6$password") + #:key-file "key-file.jwk") + #:token-endpoint + (make <token-endpoint> + #:path "/token" + #:issuer "https://server.client-workflow.scm" + #:key-file "key-file.jwk") + #:jwks-endpoint + (make <jwks-endpoint> + #:path "/keys" + #:key-file "key-file.jwk") + #:default + (make <authenticator> + #:backend + (make <resource-server> + #:server-name "https://server.client-workflow.scm" + #:owner "https://server.client-workflow.scm/alice#me") + #:server-uri "https://server.client-workflow.scm")) + (make <client-id> + #:host "client.client-workflow.scm" + #:client-id "https://client.client-workflow.scm/id" + #:redirect-uris '("https://client.client-workflow.scm/authorized") + #:client-name "Client workflow test" + #:client-uri "https://client.client-workflow.scm/about" + #:grant-types '(authorization_code refresh_token) + #:response-types '(code)))))) (account #f)) - (sim:add-server! simulation - (string->uri "https://server@client-workflow.scm") - (string->uri "https://server@client-workflow.scm/alice#me")) - (sim:add-client! 
simulation - (string->uri "https://client@client-workflow.scm") - (string->uri "https://client@client-workflow.scm/id") - (string->uri "https://client@client-workflow.scm/authorized") - "Client workflow test" - (string->uri "https://client@client-workflow.scm/about")) (parameterize ((client:client (make <client:client> - #:client-id "https://client@client-workflow.scm/id" + #:client-id "https://client.client-workflow.scm/id" #:redirect-uri - (string->uri "https://client@client-workflow.scm/authorized"))) + (string->uri "https://client.client-workflow.scm/authorized"))) (p:anonymous-http-request - (cute sim:request simulation <...>))) + (cute (@ (webid-oidc simulation) request) simulation <...>))) (parameterize ((p:current-date 0) (client:authorization-process (lambda* (uri #:key reason) - (sim:grant-authorization simulation uri)))) + (grant-authorization simulation uri)))) (receive (new-account response response-body) (begin (set! account - (make <client:account> #:issuer "https://server@client-workflow.scm")) + (make <client:account> #:issuer "https://server.client-workflow.scm")) (client:request account - (string->uri "https://server@client-workflow.scm/"))) + (string->uri "https://server.client-workflow.scm/"))) (set! account new-account) (unless (eqv? (response-code response) 200) ;; Only Alice can read that resource. (exit 3))) - (match (sim:simulation-scroll-log! simulation) + (match (scroll-log! simulation) ;; 1. The client gets the oidc configuration of the ;; server. 
@@ -124,39 +167,39 @@ (and ;; 1. Get the authorization endpoint. (equal? (request-uri get-oidc-config-request) - (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration")) + (string->uri "https://server.client-workflow.scm/.well-known/openid-configuration")) (eqv? (response-code get-oidc-config-response) 200) ;; 2. The server checks the client ID. (equal? (request-uri get-client-id-request) - (string->uri "https://client@client-workflow.scm/id")) + (string->uri "https://client.client-workflow.scm/id")) (eqv? (response-code get-client-id-response) 200) ;; 3. The authorization request completes. (string-prefix? - "https://server@client-workflow.scm/authorize?" + "https://server.client-workflow.scm/authorize?" (uri->string (request-uri authorization-request))) (eq? (request-method authorization-request) 'POST) (eqv? (response-code authorization-response) 302) (string-prefix? - "https://client@client-workflow.scm/authorized?" + "https://client.client-workflow.scm/authorized?" (uri->string (response-location authorization-response))) ;; 4. Token negociation. (equal? (request-uri token-request) - (string->uri "https://server@client-workflow.scm/token")) + (string->uri "https://server.client-workflow.scm/token")) (eqv? (response-code token-response) 200) ;; 5. The final request. (equal? (request-uri final-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code final-response) 200)) (exit 4))))) ;; 1 hour later, the access token should have expired. (parameterize ((p:current-date 3600)) (receive (new-account response response-body) - (client:request account (string->uri "https://server@client-workflow.scm/")) + (client:request account (string->uri "https://server.client-workflow.scm/")) (set! account new-account) (unless (eqv? (response-code response) 200) ;; Only Alice can read that resource. (exit 5))) - (match (sim:simulation-scroll-log! 
simulation) + (match (scroll-log! simulation) ;; 1. and 2. The client starts sending the request, the server ;; querries the identity provider and keys. 
@@ -187,39 +230,39 @@ ;; 3. The client realizes that the access token is ;; expired. (equal? (request-uri naively-try-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code naively-try-response) 401) (eqv? (time-second (date->time-utc (response-date naively-try-response))) 3600) ;; 4. The client discovers the token endpoint. (equal? (request-uri get-token-endpoint-request) - (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration")) + (string->uri "https://server.client-workflow.scm/.well-known/openid-configuration")) (eqv? (response-code get-token-endpoint-response) 200) ;; 5. Refresh the access token. (equal? (request-uri refresh-request) - (string->uri "https://server@client-workflow.scm/token")) + (string->uri "https://server.client-workflow.scm/token")) (eqv? (response-code refresh-response) 200) ;; 10. Send again. (equal? (request-uri with-new-refresh-token-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code with-new-refresh-token-response) 200)) (exit 6))))) ;; Wait another hour, and we’ll need to update the refresh ;; token again, but this time it’s not there anymore. (parameterize ((p:current-date 7200)) (refresh:remove-refresh-token - (string->uri "https://server@client-workflow.scm/alice#me") - (string->uri "https://client@client-workflow.scm/id")) + (string->uri "https://server.client-workflow.scm/alice#me") + (string->uri "https://client.client-workflow.scm/id")) (with-exception-handler (lambda (error) (unless (client:refresh-token-expired? error) (exit 7))) (lambda () - (client:request account (string->uri "https://server@client-workflow.scm/")) + (client:request account (string->uri "https://server.client-workflow.scm/")) (exit 8)) #:unwind? #t #:unwind-for-type client:&refresh-token-expired) - (match (sim:simulation-scroll-log! 
simulation) + (match (scroll-log! simulation) ;; 1. and 2. The client starts sending the request, the server ;; querries the identity provider and keys. @@ -239,15 +282,15 @@ ;; 3. The client realizes that the access token is ;; expired. (equal? (request-uri naively-try-request) - (string->uri "https://server@client-workflow.scm/")) + (string->uri "https://server.client-workflow.scm/")) (eqv? (response-code naively-try-response) 401) (eqv? (time-second (date->time-utc (response-date naively-try-response))) 7200) ;; 4. The client discovers the token endpoint. (equal? (request-uri get-token-endpoint-request) - (string->uri "https://server@client-workflow.scm/.well-known/openid-configuration")) + (string->uri "https://server.client-workflow.scm/.well-known/openid-configuration")) (eqv? (response-code get-token-endpoint-response) 200) ;; 5. The client tries to refresh. (equal? (request-uri refresh-request) - (string->uri "https://server@client-workflow.scm/token")) + (string->uri "https://server.client-workflow.scm/token")) (eqv? (response-code refresh-response) 403)))))))) diff --git a/tests/resource-server.scm b/tests/resource-server.scm index 767088d..94f2816 100644 --- a/tests/resource-server.scm +++ b/tests/resource-server.scm @@ -16,13 +16,14 @@ (define-module (tests resource-server) #:use-module (webid-oidc provider-confirmation) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint authentication) #:use-module (webid-oidc jti) #:use-module (webid-oidc jwk) #:use-module (webid-oidc jws) #:use-module (webid-oidc oidc-configuration) #:use-module (webid-oidc access-token) #:use-module (webid-oidc dpop-proof) - #:use-module (webid-oidc resource-server) #:use-module (webid-oidc testing) #:use-module ((webid-oidc parameters) #:prefix p:) #:use-module (web uri) 
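Review bot: in the client-workflow hunks the simulation's `request` is reached through a raw module reference, `(cute (@ (webid-oidc simulation) request) simulation <...>)`, while `grant-authorization` and `scroll-log!` from the same module are now used as plain imported names. If `request` is being dodged because it collides with `(web request)`, import it under a prefix or with `#:renamer` in the module header instead, so a later rename of the binding is caught at load time rather than when the `@` lookup fails at run time. Unrelated to that, the refresh-expiry scenario checks that `refresh-response` is 403 after `refresh:remove-refresh-token`; since the client-side assertion is `client:refresh-token-expired?`, a one-line comment on why the server answers 403 rather than 400 here (the other token-endpoint tests expect 400 for a bad token) would save the next reader a trip into the endpoint code.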
@@ -30,10 +31,18 @@ #:use-module (srfi srfi-19) #:use-module (web response) #:use-module (ice-9 optargs) + #:use-module (ice-9 control) #:use-module (ice-9 receive) #:use-module (oop goops) #:duplicates (merge-generics)) +(define-class <backend> (<endpoint>)) + +(define return (make-parameter values)) + +(define-method (handle (backend <backend>) request request-body) + ((return) (assq-ref (request-meta request) 'user))) + (with-test-environment "resource-server" (lambda () @@ -91,12 +100,15 @@ DPoP: ~a\r\n\r\n" read-request)) (define rq-body "") (define authenticator - (make-authenticator - #:server-uri server-uri)) + (make <authenticator> + #:backend (make <backend>) + #:server-uri server-uri)) (define parsed - (parameterize ((p:current-date 20) - (p:anonymous-http-request http-get)) - (authenticator rq rq-body))) + (let/ec ret + (parameterize ((p:current-date 20) + (p:anonymous-http-request http-get) + (return ret)) + (handle authenticator rq rq-body)))) (unless (uri? parsed) (exit 2)) (unless (equal? parsed subject) diff --git a/tests/token-endpoint-issue.scm b/tests/token-endpoint-issue.scm index f986e8e..757e650 100644 --- a/tests/token-endpoint-issue.scm +++ b/tests/token-endpoint-issue.scm 
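Review bot: the `<backend>` in tests/resource-server.scm escapes through a `return` parameter whose default is `values`, so any call of `handle` on the authenticator that is not wrapped in `let/ec` will hand the bare user object back as the HTTP response. The test as shown only exercises the accepted path (`parsed` must be a URI equal to `subject`); it would be worth a second case, with a DPoP proof or access token the authenticator must reject, asserting that `(return)` is never invoked, so that a regression which lets an unauthenticated request reach the backend is caught rather than silently passing through as a successful `handle`.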
@@ -14,23 +14,29 @@ ;; You should have received a copy of the GNU Affero General Public License ;; along with this program. If not, see <https://www.gnu.org/licenses/>. -(use-modules (webid-oidc token-endpoint) - (webid-oidc authorization-code) - (webid-oidc dpop-proof) - (webid-oidc access-token) - (webid-oidc jwk) - (webid-oidc jws) - (webid-oidc jti) - (webid-oidc testing) - ((webid-oidc stubs) #:prefix stubs:) - ((webid-oidc parameters) #:prefix p:) - (web uri) - (web request) - (web response) - (srfi srfi-19) - (web response) - (ice-9 optargs) - (ice-9 receive)) +(define-module (tests token-endpoint-refresh) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint identity-provider) + #:use-module (webid-oidc authorization-code) + #:use-module (webid-oidc refresh-token) + #:use-module (webid-oidc dpop-proof) + #:use-module (webid-oidc jwk) + #:use-module (webid-oidc access-token) + #:use-module (webid-oidc jws) + #:use-module (webid-oidc jti) + #:use-module (webid-oidc testing) + #:use-module ((webid-oidc stubs) #:prefix stubs:) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module (web uri) + #:use-module (web request) + #:use-module (web response) + #:use-module (srfi srfi-19) + #:use-module (web response) + #:use-module (ice-9 optargs) + #:use-module (ice-9 receive) + #:use-module (oop goops) + #:duplicates (merge-generics) + #:declarative? #t) (with-test-environment "token-endpoint-issue" 
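Review bot: the module header in tests/token-endpoint-issue.scm declares `(define-module (tests token-endpoint-refresh) ...)`, which is the name of the other test file; it should read `(tests token-endpoint-issue)`, otherwise both test files define the same module and whichever loads second clobbers the first. In the same header `#:use-module (web response)` appears twice (once after `(web request)` and again after `(srfi srfi-19)`); drop one.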
@@ -46,18 +52,27 @@ (define subject (string->uri "https://token-endpoint-issue.scm/profile/card#me")) (define client (string->uri "https://token-endpoint-issue.scm/client/card#app")) (define issuer (string->uri "https://issuer.token-endpoint-issue.scm")) + (define endpoint + (make <token-endpoint> + #:issuer "https://issuer.token-endpoint-issue.scm" + #:key-file "key-file.jwk")) (define authz (parameterize ((p:current-date 0)) (issue <authorization-code> key #:webid subject #:client-id client))) - (define endpoint - (make-token-endpoint - (string->uri "https://token-endpoint-issue.scm/token") - issuer "key-file.jwk")) - (receive (response response-body . _) - ;; The code is fake! + (with-exception-handler + (lambda (exn) + (unless (and (web-exception? exn) + (eqv? (web-exception-code exn) 400)) + (raise-exception + (make-exception + (make-exception-with-message + (format #f "the error code should be 400")) + exn)))) + (lambda () + ;; The refresh token is fake! (let ((dpop (parameterize ((p:current-date 0)) (issue <dpop-proof> 
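Review bot: `(define issuer (string->uri "https://issuer.token-endpoint-issue.scm"))` is now dead in this hunk, since the new `<token-endpoint>` is built with the literal `#:issuer "https://issuer.token-endpoint-issue.scm"`; either pass `(uri->string issuer)` (or the URI itself, if `#:issuer` accepts one) or remove the define so the two values cannot drift apart. The comment `;; The refresh token is fake!` was copied from the refresh test: the body sent is `grant_type=authorization_code&code=fake`, so keep the old `;; The code is fake!`. Minor: with `#:unwind-for-type &web-exception`, the handler is only ever called for web exceptions, so the `(web-exception? exn)` test inside it is redundant.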
@@ -67,69 +82,70 @@ #:htu (string->uri "https://token-endpoint-issue.scm/token"))))) (parameterize ((p:current-date 0)) - (endpoint - (build-request (string->uri - "http://localhost:8080/token") - #:headers `((content-type application/x-www-form-urlencoded) - (dpop . ,dpop)) - #:method 'POST - #:port #t) - "grant_type=authorization_code&code=fake"))) - (unless (eq? (response-code response) 400) + (handle endpoint + (build-request (string->uri + "http://localhost:8080/token") + #:headers `((content-type application/x-www-form-urlencoded) + (dpop . ,dpop)) + #:method 'POST + #:port #t) + "grant_type=authorization_code&code=fake"))) (exit 3)) - (receive (response response-body . _) - (let ((dpop - (parameterize ((p:current-date 10)) - (issue <dpop-proof> - client-key - #:jwk (public-key client-key) - #:htm 'POST - #:htu (string->uri - "https://token-endpoint-issue.scm/token"))))) - (parameterize ((p:current-date 10)) - (endpoint - (build-request (string->uri - "http://localhost:8080/token") - #:headers `((content-type application/x-www-form-urlencoded) - (dpop . ,dpop)) - #:method 'POST - #:port #t) - (string-append "grant_type=authorization_code&code=" authz)))) - (unless (eq? (response-code response) 200) - (exit 4)) - (unless (eq? (car (response-content-type response)) 'application/json) - (exit 5)) - (let ((response (stubs:json-string->scm response-body))) - (let ((access-token-enc (assq-ref response 'access_token)) - (refresh-token-enc (assq-ref response 'refresh_token))) - (unless access-token-enc - (exit 6)) - (unless refresh-token-enc - (exit 7)) - (let ((access-token - (parameterize ((p:current-date 20) - (p:anonymous-http-request - (lambda* (uri . args) - (cond - ((equal? uri (string->uri "https://issuer.token-endpoint-issue.scm/.well-known/openid-configuration")) - (values (build-response #:headers '((content-type application/json))) - "{ + #:unwind? #t + #:unwind-for-type &web-exception) + (receive (response response-body . 
_) + (let ((dpop + (parameterize ((p:current-date 10)) + (issue <dpop-proof> + client-key + #:jwk (public-key client-key) + #:htm 'POST + #:htu (string->uri + "https://token-endpoint-issue.scm/token"))))) + (parameterize ((p:current-date 10)) + (handle endpoint + (build-request (string->uri + "http://localhost:8080/token") + #:headers `((content-type application/x-www-form-urlencoded) + (dpop . ,dpop)) + #:method 'POST + #:port #t) + (string-append "grant_type=authorization_code&code=" authz)))) + (unless (eq? (response-code response) 200) + (exit 4)) + (unless (eq? (car (response-content-type response)) 'application/json) + (exit 5)) + (let ((response (stubs:json-string->scm response-body))) + (let ((access-token-enc (assq-ref response 'access_token)) + (refresh-token-enc (assq-ref response 'refresh_token))) + (unless access-token-enc + (exit 6)) + (unless refresh-token-enc + (exit 7)) + (let ((access-token + (parameterize ((p:current-date 20) + (p:anonymous-http-request + (lambda* (uri . args) + (cond + ((equal? uri (string->uri "https://issuer.token-endpoint-issue.scm/.well-known/openid-configuration")) + (values (build-response #:headers '((content-type application/json))) + "{ \"jwks_uri\": \"https://token-endpoint-issue.scm/keys\", \"token_endpoint\": \"https://token-endpoint-issue.scm/token\", \"authorization_endpoint\": \"https://token-endpoint-issue.scm/authorize\", \"solid_oidc_supported\": \"https://solidproject.org/TR/solid-oidc\" }")) - ((equal? uri (string->uri "https://token-endpoint-issue.scm/keys")) - (values (build-response #:headers '((content-type application/json))) - (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key)))))))) - (else - (format (current-error-port) "Unknown URI: ~s\n" (uri->string uri)) - (exit 11)))))) - (decode <access-token> access-token-enc)))) - (unless access-token - (exit 8)) - (let ((access-token-cnf/jkt (cnf/jkt access-token))) - (unless access-token-cnf/jkt - (exit 9)) - (unless (string=? 
access-token-cnf/jkt (jkt client-key)) - (exit 10)))))))))) + ((equal? uri (string->uri "https://token-endpoint-issue.scm/keys")) + (values (build-response #:headers '((content-type application/json))) + (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key)))))))) + (else + (format (current-error-port) "Unknown URI: ~s\n" (uri->string uri)) + (exit 11)))))) + (decode <access-token> access-token-enc)))) + (unless access-token + (exit 8)) + (let ((access-token-cnf/jkt (cnf/jkt access-token))) + (unless access-token-cnf/jkt + (exit 9)) + (unless (string=? access-token-cnf/jkt (jkt client-key)) + (exit 10))))))))) diff --git a/tests/token-endpoint-refresh.scm b/tests/token-endpoint-refresh.scm index 91effe0..d338f2f 100644 --- a/tests/token-endpoint-refresh.scm +++ b/tests/token-endpoint-refresh.scm 
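Review bot: the removed `make-token-endpoint` call received the public token URI `https://token-endpoint-issue.scm/token`, and the new `(make <token-endpoint> #:issuer ... #:key-file ...)` does not. The DPoP proof is still issued with `#:htu "https://token-endpoint-issue.scm/token"` while the request is built for `http://localhost:8080/token`, and the test expects 200. Please state in the hunk (or a test comment) how the endpoint now validates the proof's `htu` claim: if it is derived from the request URI, the test should send the request to the same URI the proof names; if the check was relaxed or moved elsewhere, that deserves its own negative test with a mismatching `htu` expecting 400, since the `htu` binding is what stops a proof captured for one endpoint being replayed against another.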
@@ -14,24 +14,29 @@ ;; You should have received a copy of the GNU Affero General Public License ;; along with this program. If not, see <https://www.gnu.org/licenses/>. -(use-modules (webid-oidc token-endpoint) - (webid-oidc authorization-code) - (webid-oidc refresh-token) - (webid-oidc dpop-proof) - (webid-oidc jwk) - (webid-oidc access-token) - (webid-oidc jws) - (webid-oidc jti) - (webid-oidc testing) - ((webid-oidc stubs) #:prefix stubs:) - ((webid-oidc parameters) #:prefix p:) - (web uri) - (web request) - (web response) - (srfi srfi-19) - (web response) - (ice-9 optargs) - (ice-9 receive)) +(define-module (tests token-endpoint-refresh) + #:use-module (webid-oidc server endpoint) + #:use-module (webid-oidc server endpoint identity-provider) + #:use-module (webid-oidc authorization-code) + #:use-module (webid-oidc refresh-token) + #:use-module (webid-oidc dpop-proof) + #:use-module (webid-oidc jwk) + #:use-module (webid-oidc access-token) + #:use-module (webid-oidc jws) + #:use-module (webid-oidc jti) + #:use-module (webid-oidc testing) + #:use-module ((webid-oidc stubs) #:prefix stubs:) + #:use-module ((webid-oidc parameters) #:prefix p:) + #:use-module (web uri) + #:use-module (web request) + #:use-module (web response) + #:use-module (srfi srfi-19) + #:use-module (web response) + #:use-module (ice-9 optargs) + #:use-module (ice-9 receive) + #:use-module (oop goops) + #:duplicates (merge-generics) + #:declarative? #t) (with-test-environment "token-endpoint-refresh" 
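Review bot: same duplicate import as in the issue test: `#:use-module (web response)` is listed twice in the new header of tests/token-endpoint-refresh.scm; remove one of them.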
@@ -44,16 +49,25 @@ port #:pretty #t))) (define client-key (generate-key #:n-size 2048)) - (define subject (string->uri "https://token-endpoint-issue.scm/profile/card#me")) - (define client (string->uri "https://token-endpoint-issue.scm/client/card#app")) - (define issuer (string->uri "https://issuer.token-endpoint-issue.scm")) + (define subject (string->uri "https://token-endpoint-refresh.scm/profile/card#me")) + (define client (string->uri "https://token-endpoint-refresh.scm/client/card#app")) + (define issuer (string->uri "https://issuer.token-endpoint-refresh.scm")) (define refresh-code (issue-refresh-token subject client (jkt client-key))) (define endpoint - (make-token-endpoint - (string->uri "https://token-endpoint-issue.scm/token") - issuer "key-file.jwk")) - (receive (response response-body . _) + (make <token-endpoint> + #:issuer "https://issuer.token-endpoint-refresh.scm" + #:key-file "key-file.jwk")) + (with-exception-handler + (lambda (exn) + (unless (and (web-exception? exn) + (eqv? (web-exception-code exn) 400)) + (raise-exception + (make-exception + (make-exception-with-message + (format #f "the error code should be 400")) + exn)))) + (lambda () ;; The refresh token is fake! (let ((dpop (parameterize ((p:current-date 0)) 
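Review bot: as in the issue test, `(define issuer (string->uri "https://issuer.token-endpoint-refresh.scm"))` is left unused now that the endpoint takes `#:issuer` as a string literal; derive one from the other or drop the define. Fixing the copy-pasted `token-endpoint-issue.scm` hostnames to `token-endpoint-refresh.scm` is a good catch, but `refresh-code` is still issued with `(issue-refresh-token subject client (jkt client-key))` before the endpoint exists; a short comment noting that the refresh-token store is shared state under `with-test-environment` would explain why the endpoint can later find it.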
@@ -62,72 +76,73 @@ #:jwk (public-key client-key) #:htm 'POST #:htu (string->uri - "https://token-endpoint-issue.scm/token"))))) + "https://token-endpoint-refresh.scm/token"))))) (parameterize ((p:current-date 0)) - (endpoint - (build-request (string->uri - "http://localhost:8080/token") - #:headers `((content-type application/x-www-form-urlencoded) - (dpop . ,dpop)) - #:method 'POST - #:port #t) - "refresh_token=fake"))) - (unless (eq? (response-code response) 400) + (handle endpoint + (build-request (string->uri + "http://localhost:8080/token") + #:headers `((content-type application/x-www-form-urlencoded) + (dpop . ,dpop)) + #:method 'POST + #:port #t) + "refresh_token=fake"))) (exit 3)) - (receive (response response-body) - (let ((dpop - (parameterize ((p:current-date 10)) - (issue <dpop-proof> - client-key - #:jwk (public-key client-key) - #:htm 'POST - #:htu (string->uri - "https://token-endpoint-issue.scm/token"))))) - (parameterize ((p:current-date 10)) - (endpoint - (build-request (string->uri - "http://localhost:8080/token") - #:headers `((content-type application/x-www-form-urlencoded) - (dpop . ,dpop)) - #:method 'POST - #:port #t) - (string-append "grant_type=refresh_token&refresh_token=" refresh-code)))) - (unless (eq? (response-code response) 200) - (exit 4)) - (unless (eq? (car (response-content-type response)) 'application/json) - (exit 5)) - (let ((response (stubs:json-string->scm response-body))) - (let ((access-token-enc (assq-ref response 'access_token)) - (refresh-token-enc (assq-ref response 'refresh_token))) - (unless access-token-enc - (exit 6)) - (unless refresh-token-enc - (exit 7)) - (let ((access-token - (parameterize ((p:current-date 20) - (p:anonymous-http-request - (lambda* (uri . args) - (cond - ((equal? 
uri (string->uri "https://issuer.token-endpoint-issue.scm/.well-known/openid-configuration")) - (values (build-response #:headers '((content-type application/json))) - "{ - \"jwks_uri\": \"https://token-endpoint-issue.scm/keys\", - \"token_endpoint\": \"https://token-endpoint-issue.scm/token\", - \"authorization_endpoint\": \"https://token-endpoint-issue.scm/authorize\", + #:unwind? #t + #:unwind-for-type &web-exception) + (receive (response response-body response-meta) + (let ((dpop + (parameterize ((p:current-date 10)) + (issue <dpop-proof> + client-key + #:jwk (public-key client-key) + #:htm 'POST + #:htu (string->uri + "https://token-endpoint-refresh.scm/token"))))) + (parameterize ((p:current-date 10)) + (handle endpoint + (build-request (string->uri + "http://localhost:8080/token") + #:headers `((content-type application/x-www-form-urlencoded) + (dpop . ,dpop)) + #:method 'POST + #:port #t) + (string-append "grant_type=refresh_token&refresh_token=" refresh-code)))) + (unless (eq? (response-code response) 200) + (exit 4)) + (unless (eq? (car (response-content-type response)) 'application/json) + (exit 5)) + (let ((response (stubs:json-string->scm response-body))) + (let ((access-token-enc (assq-ref response 'access_token)) + (refresh-token-enc (assq-ref response 'refresh_token))) + (unless access-token-enc + (exit 6)) + (unless refresh-token-enc + (exit 7)) + (let ((access-token + (parameterize ((p:current-date 20) + (p:anonymous-http-request + (lambda* (uri . args) + (cond + ((equal? uri (string->uri "https://issuer.token-endpoint-refresh.scm/.well-known/openid-configuration")) + (values (build-response #:headers '((content-type application/json))) + "{ + \"jwks_uri\": \"https://token-endpoint-refresh.scm/keys\", + \"token_endpoint\": \"https://token-endpoint-refresh.scm/token\", + \"authorization_endpoint\": \"https://token-endpoint-refresh.scm/authorize\", \"solid_oidc_supported\": \"https://solidproject.org/TR/solid-oidc\" }")) - ((equal? 
uri (string->uri "https://token-endpoint-issue.scm/keys")) - (values (build-response #:headers '((content-type application/json))) - (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key)))))))) - (else - (exit 8)))))) - (decode <access-token> access-token-enc)))) - (unless access-token - (exit 9)) - (let ((access-token-cnf/jkt (cnf/jkt access-token))) - (unless access-token-cnf/jkt - (exit 10)) - (unless (string=? access-token-cnf/jkt (jkt client-key)) - (exit 11)))) - (unless (string=? refresh-token-enc refresh-code) - (exit 12)))))))) + ((equal? uri (string->uri "https://token-endpoint-refresh.scm/keys")) + (values (build-response #:headers '((content-type application/json))) + (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key)))))))) + (else + (exit 8)))))) + (decode <access-token> access-token-enc)))) + (unless access-token + (exit 9)) + (let ((access-token-cnf/jkt (cnf/jkt access-token))) + (unless access-token-cnf/jkt + (exit 10)) + (unless (string=? access-token-cnf/jkt (jkt client-key)) + (exit 11)))) + (unless (string=? refresh-token-enc refresh-code) + (exit 12))))))) |
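Review bot: the final assertion `(unless (string=? refresh-token-enc refresh-code) (exit 12))` pins the behaviour that a refresh returns the same refresh token it was given, i.e. no rotation. If that is intended it should be said in a comment, because the client-workflow test names its follow-up request `with-new-refresh-token-request`, which reads as if a new token were expected; if rotation is planned, this assertion will have to be inverted and the old token additionally checked as rejected. Two smaller points in the same hunk: `response-meta` is bound by `receive` but never used, and the stub's `(else (exit 8))` branch would be easier to debug with the `"Unknown URI: ~s\n"` diagnostic the issue test prints before exiting.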