authorVivien Kraus <vivien@planete-kraus.eu>2021-06-28 11:58:35 +0200
committerVivien Kraus <vivien@planete-kraus.eu>2021-06-29 05:42:52 +0200
commitf4571f49b8bb5de20fd05e0fadb6d4f24ee7eac2 (patch)
treec916c6a772f018137ba824b286debc32ffb9e709
parent44b1c28accd296a8ac5cf9e2edd564e23e3c7c65 (diff)
Add a full server.
-rw-r--r--doc/webid-oidc.texi23
-rw-r--r--po/fr.po141
-rw-r--r--po/webid-oidc.pot128
-rw-r--r--src/scm/webid-oidc/program.scm92
-rw-r--r--src/scm/webid-oidc/resource-server.scm175
5 files changed, 432 insertions, 127 deletions
diff --git a/doc/webid-oidc.texi b/doc/webid-oidc.texi
index c58597a..ba23010 100644
--- a/doc/webid-oidc.texi
+++ b/doc/webid-oidc.texi
@@ -441,6 +441,7 @@ the seed.
@menu
* Running webid-oidc reverse-proxy::
* The authenticator::
+* The full server::
* Resources stored on the server::
@end menu
@@ -483,8 +484,8 @@ variable.
@node The authenticator
@section The authenticator
-In @emph{(webid-oidc jws)}, the following function gives a simple API
-for a web server:
+In @emph{(webid-oidc resource-server)}, the following function gives a
+simple API for a web server:
@deffn function make-authenticator @var{jti-list} @var{[#server-uri]} @var{[#current-time]} @var{[#http-get]}
Create an authenticator, i.e. a function that takes a request and
@@ -517,6 +518,19 @@ the subject of the access token. If an error happens, it is thrown;
the function always returns a valid URI.
@end deffn
+@node The full server
+@section The full server
+
+@deffn {function from @emph{(webid-oidc resource-server)}} make-server @var{[#:server-uri]} @var{[#:owner]} @var{[#:authenticator]} @var{[#:current-time]} @var{[#:http-get]}
+Return a server handler, a function taking 2 values, a request and a
+request body, and returning 2 values, the response and response body.
+
+The optional @var{[#:authenticator]} argument defaults to the
+webid-oidc authenticator, @var{[#:current-time]} defaults to a thunk
+returning the system time and @var{[#:http-get]} to the web client
+from @emph{(web client)}.
+@end deffn
+
@node Resources stored on the server
@section Resources stored on the server
@@ -1252,11 +1266,6 @@ There was a request to delete the root storage, which is an error.
There was a request to delete a non-empty container.
@end deftp
-@deftp {exception type} &not-a-container @var{path} @var{content-type}
-There was a request to create a resource in something that is not a
-container.
-@end deftp
-
@deftp {exception type} &cannot-fetch-group @var{group-uri} @var{cause}
The access control could not fetch the group @var{group-uri} (with a
known @var{cause}). This warning is continuable every time it is
diff --git a/po/fr.po b/po/fr.po
index 0b11818..42103d9 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -2,8 +2,8 @@ msgid ""
msgstr ""
"Project-Id-Version: webid-oidc 0.0.0\n"
"Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n"
-"POT-Creation-Date: 2021-06-27 23:23+0200\n"
-"PO-Revision-Date: 2021-06-27 23:40+0200\n"
+"POT-Creation-Date: 2021-06-28 22:58+0200\n"
+"PO-Revision-Date: 2021-06-28 19:18+0200\n"
"Last-Translator: Vivien Kraus <vivien@planete-kraus.eu>\n"
"Language-Team: French <vivien@planete-kraus.eu>\n"
"Language: fr\n"
@@ -965,13 +965,23 @@ msgstr ""
"<a href=~s>~a</a> peut maintenant s'identifier en votre nom. Vous devez "
"toujours ajuster ses permissions."
-#: src/scm/webid-oidc/resource-server.scm:68
+#: src/scm/webid-oidc/resource-server.scm:75
#, scheme-format
msgid "~a: authentication failure: ~a\n"
msgstr "~a : échec d’authentificationn : ~a\n"
+#: src/scm/webid-oidc/resource-server.scm:204
+#, scheme-format
+msgid "Warning: ~a\n"
+msgstr "Avertissement : ~a\n"
+
+#: src/scm/webid-oidc/resource-server.scm:207
+#, scheme-format
+msgid "Error: ~a\n"
+msgstr "Erreur : ~a\n"
+
#: src/scm/webid-oidc/hello-world.scm:31 src/scm/webid-oidc/example-app.scm:100
-#: src/scm/webid-oidc/program.scm:79
+#: src/scm/webid-oidc/program.scm:81
msgid "command-line|version"
msgstr "version"
@@ -1011,7 +1021,7 @@ msgstr ""
" définit le port à lier.\n"
#: src/scm/webid-oidc/hello-world.scm:61 src/scm/webid-oidc/example-app.scm:143
-#: src/scm/webid-oidc/program.scm:344
+#: src/scm/webid-oidc/program.scm:352
#, scheme-format
msgid "~a version ~a\n"
msgstr "~a version ~a\n"
@@ -1167,12 +1177,12 @@ msgstr ""
msgid "There was an error: ~a\n"
msgstr "Il y a eu une erreur : ~a\n"
-#: src/scm/webid-oidc/program.scm:51
+#: src/scm/webid-oidc/program.scm:53
#, scheme-format
msgid "~a: Internal server error: ~a\n"
msgstr "~a : Erreur interne du serveur : ~a\n"
-#: src/scm/webid-oidc/program.scm:62
+#: src/scm/webid-oidc/program.scm:64
#, scheme-format
msgid ""
"The client locale ~s can’t be approximated by system locale ~s (because ~a), "
@@ -1181,75 +1191,75 @@ msgstr ""
"La locale du client ~s ne peut pas être approchée par la locale système ~s "
"(parce que ~a), on utilise C.\n"
-#: src/scm/webid-oidc/program.scm:81
+#: src/scm/webid-oidc/program.scm:83
msgid "command-line|help"
msgstr "aide"
-#: src/scm/webid-oidc/program.scm:83
+#: src/scm/webid-oidc/program.scm:85
msgid "command-line|server|port"
msgstr "port"
-#: src/scm/webid-oidc/program.scm:85
+#: src/scm/webid-oidc/program.scm:87
msgid "command-line|server|server-name"
msgstr "nom-du-serveur"
-#: src/scm/webid-oidc/program.scm:87
+#: src/scm/webid-oidc/program.scm:89
msgid "command-line|server|reverse-proxy|backend-uri"
msgstr "uri-arrière-plan"
-#: src/scm/webid-oidc/program.scm:89
+#: src/scm/webid-oidc/program.scm:91
msgid "command-line|server|reverse-proxy|header"
msgstr "en-tête"
-#: src/scm/webid-oidc/program.scm:91
+#: src/scm/webid-oidc/program.scm:93
msgid "command-line|server|issuer|key-file"
msgstr "fichier-clé"
-#: src/scm/webid-oidc/program.scm:93
+#: src/scm/webid-oidc/program.scm:95
msgid "command-line|server|issuer|subject"
msgstr "sujet"
-#: src/scm/webid-oidc/program.scm:95
+#: src/scm/webid-oidc/program.scm:97
msgid "command-line|server|issuer|password"
msgstr "mot-de-passe"
-#: src/scm/webid-oidc/program.scm:97
+#: src/scm/webid-oidc/program.scm:99
msgid "command-line|server|issuer|jwks-uri"
msgstr "uri-jwks"
-#: src/scm/webid-oidc/program.scm:99
+#: src/scm/webid-oidc/program.scm:101
msgid "command-line|server|issuer|authorization-endpoint-uri"
msgstr "uri-terminal-autorisation"
-#: src/scm/webid-oidc/program.scm:101
+#: src/scm/webid-oidc/program.scm:103
msgid "command-line|server|issuer|token-endpoint-uri"
msgstr "uri-terminal-jeton"
-#: src/scm/webid-oidc/program.scm:103
+#: src/scm/webid-oidc/program.scm:105
msgid "command-line|server|client-id"
msgstr "id-client"
-#: src/scm/webid-oidc/program.scm:105
+#: src/scm/webid-oidc/program.scm:107
msgid "command-line|server|redirect-uri"
msgstr "uri-redirection"
-#: src/scm/webid-oidc/program.scm:107
+#: src/scm/webid-oidc/program.scm:109
msgid "command-line|server|client-name"
msgstr "nom-client"
-#: src/scm/webid-oidc/program.scm:109
+#: src/scm/webid-oidc/program.scm:111
msgid "command-line|server|client-uri"
msgstr "uri-client"
-#: src/scm/webid-oidc/program.scm:111
+#: src/scm/webid-oidc/program.scm:113
msgid "command-line|log-file"
msgstr "fichier-journal"
-#: src/scm/webid-oidc/program.scm:113
+#: src/scm/webid-oidc/program.scm:115
msgid "command-line|error-file"
msgstr "fichier-erreur"
-#: src/scm/webid-oidc/program.scm:137
+#: src/scm/webid-oidc/program.scm:139
#, scheme-format
msgid ""
"Usage: ~a COMMAND [OPTIONS]...\n"
@@ -1263,6 +1273,9 @@ msgid ""
" run an identity provider.\n"
" ~a:\n"
" serve the pages for a public application.\n"
+" ~a:\n"
+" run a full server, with identity provider and resource storage\n"
+" facility.\n"
"\n"
"General options:\n"
" -h, --~a:\n"
@@ -1280,10 +1293,11 @@ msgid ""
" -n URI, --~a=URI:\n"
" set the public server URI (scheme, userinfo, host, and port).\n"
"\n"
-"Options for the reverse proxy:\n"
+"Options for the resource server:\n"
" -H HEADER, --~a=HEADER:\n"
" the HEADER field contains the webid of the authenticated user,\n"
-" XXX-Agent by default.\n"
+" XXX-Agent by default. For the full server, disable webid-oidc\n"
+" authentication.\n"
" -b URI, --~a=URI:\n"
" set the backend URI for the reverse proxy, only for the\n"
" reverse-proxy command.\n"
@@ -1322,8 +1336,9 @@ msgid ""
"the user is the system administrator).~a\n"
"\n"
" XDG_DATA_HOME: where the program stores persistent data. The\n"
-"identity provider stores the refresh tokens. For a system service, it\n"
-"is recommended to set it to /var/lib.~a\n"
+"identity provider stores the refresh tokens. The full server stores\n"
+"the resources there. For a system service, it is recommended to set it\n"
+"to /var/lib.~a\n"
"\n"
" XDG_CACHE_HOME: where the program stores and updates the seed file,\n"
"and the web client cache. You can remove this directory at any\n"
@@ -1395,6 +1410,9 @@ msgstr ""
" exécute le fournisseur d’identité.\n"
" ~a :\n"
" sert les pages d’une application publique.\n"
+" ~a :\n"
+" exécute un serveur complet, avec un fournisseur d’identité et un\n"
+" système de stockage des ressources.\n"
"\n"
"Options générales :\n"
" -h, --~a :\n"
@@ -1412,10 +1430,11 @@ msgstr ""
" -n URI, --~a=URI :\n"
" définit le nom public du serveur (schéma, userinfo, hôte, et port).\n"
"\n"
-"Options pour le proxy inverse :\n"
+"Options pour le serveur de ressources :\n"
" -H ENTÊTE, --~a=ENTÊTE :\n"
" passe les requêtes avec un ENTÊTE optionnel défini par la valeur\n"
-" du webid, XXX-Agent par défaut.\n"
+" du webid, XXX-Agent par défaut. Pour le serveur complet,\n"
+" désactive l’authentification par webid-oidc.\n"
" -b URI, --~a=URI :\n"
" définit l’URI d’arrière-plan pour le proxy inverse, uniquement\n"
" pour la commande proxy-inversé.\n"
@@ -1513,7 +1532,8 @@ msgstr ""
"\n"
" export LANG=fr_FR.UTF-8\n"
" ~a ~a \\\n"
-" --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' \\\n"
+" --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' "
+"\\\n"
" --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n"
" --~a \"Example Solid Application\" \\\n"
" --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client' \\\n"
@@ -1522,53 +1542,57 @@ msgstr ""
"Si vous trouvez une erreur dans le programme, envoyez-en un rapport à\n"
"~a.\n"
-#: src/scm/webid-oidc/program.scm:270 src/scm/webid-oidc/program.scm:326
-#: src/scm/webid-oidc/program.scm:427
+#: src/scm/webid-oidc/program.scm:277 src/scm/webid-oidc/program.scm:334
+#: src/scm/webid-oidc/program.scm:435
msgid "command-line|command|reverse-proxy"
msgstr "proxy-inversé"
-#: src/scm/webid-oidc/program.scm:271 src/scm/webid-oidc/program.scm:332
-#: src/scm/webid-oidc/program.scm:445
+#: src/scm/webid-oidc/program.scm:278 src/scm/webid-oidc/program.scm:340
+#: src/scm/webid-oidc/program.scm:453
msgid "command-line|command|identity-provider"
msgstr "fournisseur-identité"
-#: src/scm/webid-oidc/program.scm:272 src/scm/webid-oidc/program.scm:338
-#: src/scm/webid-oidc/program.scm:486
+#: src/scm/webid-oidc/program.scm:279 src/scm/webid-oidc/program.scm:346
+#: src/scm/webid-oidc/program.scm:494
msgid "command-line|command|client-service"
msgstr "service-client"
-#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:311
+#: src/scm/webid-oidc/program.scm:280 src/scm/webid-oidc/program.scm:520
+msgid "command-line|command|server"
+msgstr "serveur"
+
#: src/scm/webid-oidc/program.scm:315 src/scm/webid-oidc/program.scm:319
+#: src/scm/webid-oidc/program.scm:323 src/scm/webid-oidc/program.scm:327
#, scheme-format
msgid "an environment variable| It is currently set to ~s."
msgstr " Elle vaut actuellement ~s."
-#: src/scm/webid-oidc/program.scm:309 src/scm/webid-oidc/program.scm:313
#: src/scm/webid-oidc/program.scm:317 src/scm/webid-oidc/program.scm:321
+#: src/scm/webid-oidc/program.scm:325 src/scm/webid-oidc/program.scm:329
msgid "an environment variable| It is currently unset."
msgstr " Elle n’est actuellement pas définie."
-#: src/scm/webid-oidc/program.scm:352
+#: src/scm/webid-oidc/program.scm:360
#, scheme-format
msgid "The --~a argument must be a number, not ~s.\n"
msgstr "L’argument de --~a doit être un nombre, pas ~s.\n"
-#: src/scm/webid-oidc/program.scm:358
+#: src/scm/webid-oidc/program.scm:366
#, scheme-format
msgid "The --~a argument must be an integer, not ~s.\n"
msgstr "L’argument de --~a doit être un entier, pas ~s.\n"
-#: src/scm/webid-oidc/program.scm:364
+#: src/scm/webid-oidc/program.scm:372
#, scheme-format
msgid "The --~a argument must be positive, ~s is invalid.\n"
msgstr "L’argument de --~a doit être positif, ~s est invalide.\n"
-#: src/scm/webid-oidc/program.scm:369
+#: src/scm/webid-oidc/program.scm:377
#, scheme-format
msgid "The --~a argument must be less than 65536, ~s is invalid.\n"
msgstr "L’argument de --~a doit être inférieur à 65536, ~s est invalide.\n"
-#: src/scm/webid-oidc/program.scm:411
+#: src/scm/webid-oidc/program.scm:419
#, scheme-format
msgid ""
"Usage: ~a COMMAND [OPTIONS]...\n"
@@ -1577,17 +1601,18 @@ msgstr ""
"Utilisation : ~a COMMANDE [OPTIONS]...\n"
"Voir --~a (-h).\n"
-#: src/scm/webid-oidc/program.scm:430 src/scm/webid-oidc/program.scm:448
+#: src/scm/webid-oidc/program.scm:438 src/scm/webid-oidc/program.scm:456
+#: src/scm/webid-oidc/program.scm:522
#, scheme-format
msgid "You must pass --~a to set the server name.\n"
msgstr "Vous devez passer --~a pour définir le nom du serveur.\n"
-#: src/scm/webid-oidc/program.scm:434
+#: src/scm/webid-oidc/program.scm:442
#, scheme-format
msgid "You must pass --~a to set the backend URI.\n"
msgstr "Vous devez passer --~a pour définir l'URI du service d’arrière-plan.\n"
-#: src/scm/webid-oidc/program.scm:452
+#: src/scm/webid-oidc/program.scm:460 src/scm/webid-oidc/program.scm:526
#, scheme-format
msgid ""
"You must pass --~a to set the file where to store the identity provider "
@@ -1596,58 +1621,58 @@ msgstr ""
"Vous devez passer --~a pour définir le nom du fichier pour sauvegarder\n"
"la clé du fournisseur d’identité.\n"
-#: src/scm/webid-oidc/program.scm:456
+#: src/scm/webid-oidc/program.scm:464 src/scm/webid-oidc/program.scm:530
#, scheme-format
msgid "You must pass --~a to set the subject of the identity provider.\n"
msgstr ""
"Vous devez passer --~a pour définir le sujet du fournisseur d’identité.\n"
-#: src/scm/webid-oidc/program.scm:460
+#: src/scm/webid-oidc/program.scm:468 src/scm/webid-oidc/program.scm:534
#, scheme-format
msgid "You must pass --~a to set the subject’s password.\n"
msgstr "Vous devez passer --~a pour définir le mot de passe du sujet.\n"
-#: src/scm/webid-oidc/program.scm:464
+#: src/scm/webid-oidc/program.scm:472 src/scm/webid-oidc/program.scm:538
#, scheme-format
msgid "You must pass --~a to set the JWKS URI.\n"
msgstr "Vous devez passer --~a pour définir l'URI du JWKS.\n"
-#: src/scm/webid-oidc/program.scm:468
+#: src/scm/webid-oidc/program.scm:476 src/scm/webid-oidc/program.scm:542
#, scheme-format
msgid "You must pass --~a to set the authorization endpoint URI.\n"
msgstr ""
"Vous devez passer --~a pour définir l'URI du terminal d'autorisation.\n"
-#: src/scm/webid-oidc/program.scm:472
+#: src/scm/webid-oidc/program.scm:480 src/scm/webid-oidc/program.scm:546
#, scheme-format
msgid "You must pass --~a to set the token endpoint URI.\n"
msgstr "Vous devez passer --~a pour définir l'URI du terminal de jeton.\n"
-#: src/scm/webid-oidc/program.scm:489
+#: src/scm/webid-oidc/program.scm:497
#, scheme-format
msgid "You must pass --~a to set the application web ID.\n"
msgstr ""
"Vous devez passer --~a pour définir l'identifiant web de l’application.\n"
-#: src/scm/webid-oidc/program.scm:493
+#: src/scm/webid-oidc/program.scm:501
#, scheme-format
msgid "You must pass --~a to set the redirection URI.\n"
msgstr "Vous devez passer --~a pour définir l'URI de redirection.\n"
-#: src/scm/webid-oidc/program.scm:497
+#: src/scm/webid-oidc/program.scm:505
#, scheme-format
msgid "You must pass --~a to set the informative client name.\n"
msgstr ""
"Vous devez passer --~a pour donner un nom pour l’application à titre "
"informatif.\n"
-#: src/scm/webid-oidc/program.scm:501
+#: src/scm/webid-oidc/program.scm:509
#, scheme-format
msgid "You must pass --~a to set the informative client URI.\n"
msgstr ""
"Vous devez passer --~a pour définir l'URI du client, à titre informatif.\n"
-#: src/scm/webid-oidc/program.scm:513
+#: src/scm/webid-oidc/program.scm:589
#, scheme-format
msgid "Unknown command ~s\n"
msgstr "Commande inconnue ~s\n"
diff --git a/po/webid-oidc.pot b/po/webid-oidc.pot
index 74b3c31..800e63c 100644
--- a/po/webid-oidc.pot
+++ b/po/webid-oidc.pot
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: webid-oidc SNAPSHOT\n"
"Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n"
-"POT-Creation-Date: 2021-06-27 23:23+0200\n"
+"POT-Creation-Date: 2021-06-28 22:58+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
@@ -926,13 +926,23 @@ msgid ""
"permissions."
msgstr ""
-#: src/scm/webid-oidc/resource-server.scm:68
+#: src/scm/webid-oidc/resource-server.scm:75
#, scheme-format
msgid "~a: authentication failure: ~a\n"
msgstr ""
+#: src/scm/webid-oidc/resource-server.scm:204
+#, scheme-format
+msgid "Warning: ~a\n"
+msgstr ""
+
+#: src/scm/webid-oidc/resource-server.scm:207
+#, scheme-format
+msgid "Error: ~a\n"
+msgstr ""
+
#: src/scm/webid-oidc/hello-world.scm:31 src/scm/webid-oidc/example-app.scm:100
-#: src/scm/webid-oidc/program.scm:79
+#: src/scm/webid-oidc/program.scm:81
msgid "command-line|version"
msgstr ""
@@ -961,7 +971,7 @@ msgid ""
msgstr ""
#: src/scm/webid-oidc/hello-world.scm:61 src/scm/webid-oidc/example-app.scm:143
-#: src/scm/webid-oidc/program.scm:344
+#: src/scm/webid-oidc/program.scm:352
#, scheme-format
msgid "~a version ~a\n"
msgstr ""
@@ -1076,87 +1086,87 @@ msgstr ""
msgid "There was an error: ~a\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:51
+#: src/scm/webid-oidc/program.scm:53
#, scheme-format
msgid "~a: Internal server error: ~a\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:62
+#: src/scm/webid-oidc/program.scm:64
#, scheme-format
msgid ""
"The client locale ~s can’t be approximated by system locale ~s (because ~a), "
"using C.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:81
+#: src/scm/webid-oidc/program.scm:83
msgid "command-line|help"
msgstr ""
-#: src/scm/webid-oidc/program.scm:83
+#: src/scm/webid-oidc/program.scm:85
msgid "command-line|server|port"
msgstr ""
-#: src/scm/webid-oidc/program.scm:85
+#: src/scm/webid-oidc/program.scm:87
msgid "command-line|server|server-name"
msgstr ""
-#: src/scm/webid-oidc/program.scm:87
+#: src/scm/webid-oidc/program.scm:89
msgid "command-line|server|reverse-proxy|backend-uri"
msgstr ""
-#: src/scm/webid-oidc/program.scm:89
+#: src/scm/webid-oidc/program.scm:91
msgid "command-line|server|reverse-proxy|header"
msgstr ""
-#: src/scm/webid-oidc/program.scm:91
+#: src/scm/webid-oidc/program.scm:93
msgid "command-line|server|issuer|key-file"
msgstr ""
-#: src/scm/webid-oidc/program.scm:93
+#: src/scm/webid-oidc/program.scm:95
msgid "command-line|server|issuer|subject"
msgstr ""
-#: src/scm/webid-oidc/program.scm:95
+#: src/scm/webid-oidc/program.scm:97
msgid "command-line|server|issuer|password"
msgstr ""
-#: src/scm/webid-oidc/program.scm:97
+#: src/scm/webid-oidc/program.scm:99
msgid "command-line|server|issuer|jwks-uri"
msgstr ""
-#: src/scm/webid-oidc/program.scm:99
+#: src/scm/webid-oidc/program.scm:101
msgid "command-line|server|issuer|authorization-endpoint-uri"
msgstr ""
-#: src/scm/webid-oidc/program.scm:101
+#: src/scm/webid-oidc/program.scm:103
msgid "command-line|server|issuer|token-endpoint-uri"
msgstr ""
-#: src/scm/webid-oidc/program.scm:103
+#: src/scm/webid-oidc/program.scm:105
msgid "command-line|server|client-id"
msgstr ""
-#: src/scm/webid-oidc/program.scm:105
+#: src/scm/webid-oidc/program.scm:107
msgid "command-line|server|redirect-uri"
msgstr ""
-#: src/scm/webid-oidc/program.scm:107
+#: src/scm/webid-oidc/program.scm:109
msgid "command-line|server|client-name"
msgstr ""
-#: src/scm/webid-oidc/program.scm:109
+#: src/scm/webid-oidc/program.scm:111
msgid "command-line|server|client-uri"
msgstr ""
-#: src/scm/webid-oidc/program.scm:111
+#: src/scm/webid-oidc/program.scm:113
msgid "command-line|log-file"
msgstr ""
-#: src/scm/webid-oidc/program.scm:113
+#: src/scm/webid-oidc/program.scm:115
msgid "command-line|error-file"
msgstr ""
-#: src/scm/webid-oidc/program.scm:137
+#: src/scm/webid-oidc/program.scm:139
#, scheme-format
msgid ""
"Usage: ~a COMMAND [OPTIONS]...\n"
@@ -1170,6 +1180,9 @@ msgid ""
" run an identity provider.\n"
" ~a:\n"
" serve the pages for a public application.\n"
+" ~a:\n"
+" run a full server, with identity provider and resource storage\n"
+" facility.\n"
"\n"
"General options:\n"
" -h, --~a:\n"
@@ -1187,10 +1200,11 @@ msgid ""
" -n URI, --~a=URI:\n"
" set the public server URI (scheme, userinfo, host, and port).\n"
"\n"
-"Options for the reverse proxy:\n"
+"Options for the resource server:\n"
" -H HEADER, --~a=HEADER:\n"
" the HEADER field contains the webid of the authenticated user,\n"
-" XXX-Agent by default.\n"
+" XXX-Agent by default. For the full server, disable webid-oidc\n"
+" authentication.\n"
" -b URI, --~a=URI:\n"
" set the backend URI for the reverse proxy, only for the\n"
" reverse-proxy command.\n"
@@ -1229,8 +1243,9 @@ msgid ""
"the user is the system administrator).~a\n"
"\n"
" XDG_DATA_HOME: where the program stores persistent data. The\n"
-"identity provider stores the refresh tokens. For a system service, it\n"
-"is recommended to set it to /var/lib.~a\n"
+"identity provider stores the refresh tokens. The full server stores\n"
+"the resources there. For a system service, it is recommended to set it\n"
+"to /var/lib.~a\n"
"\n"
" XDG_CACHE_HOME: where the program stores and updates the seed file,\n"
"and the web client cache. You can remove this directory at any\n"
@@ -1292,122 +1307,127 @@ msgid ""
"If you find a bug, then please send a report to ~a.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:270 src/scm/webid-oidc/program.scm:326
-#: src/scm/webid-oidc/program.scm:427
+#: src/scm/webid-oidc/program.scm:277 src/scm/webid-oidc/program.scm:334
+#: src/scm/webid-oidc/program.scm:435
msgid "command-line|command|reverse-proxy"
msgstr ""
-#: src/scm/webid-oidc/program.scm:271 src/scm/webid-oidc/program.scm:332
-#: src/scm/webid-oidc/program.scm:445
+#: src/scm/webid-oidc/program.scm:278 src/scm/webid-oidc/program.scm:340
+#: src/scm/webid-oidc/program.scm:453
msgid "command-line|command|identity-provider"
msgstr ""
-#: src/scm/webid-oidc/program.scm:272 src/scm/webid-oidc/program.scm:338
-#: src/scm/webid-oidc/program.scm:486
+#: src/scm/webid-oidc/program.scm:279 src/scm/webid-oidc/program.scm:346
+#: src/scm/webid-oidc/program.scm:494
msgid "command-line|command|client-service"
msgstr ""
-#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:311
+#: src/scm/webid-oidc/program.scm:280 src/scm/webid-oidc/program.scm:520
+msgid "command-line|command|server"
+msgstr ""
+
#: src/scm/webid-oidc/program.scm:315 src/scm/webid-oidc/program.scm:319
+#: src/scm/webid-oidc/program.scm:323 src/scm/webid-oidc/program.scm:327
#, scheme-format
msgid "an environment variable| It is currently set to ~s."
msgstr ""
-#: src/scm/webid-oidc/program.scm:309 src/scm/webid-oidc/program.scm:313
#: src/scm/webid-oidc/program.scm:317 src/scm/webid-oidc/program.scm:321
+#: src/scm/webid-oidc/program.scm:325 src/scm/webid-oidc/program.scm:329
msgid "an environment variable| It is currently unset."
msgstr ""
-#: src/scm/webid-oidc/program.scm:352
+#: src/scm/webid-oidc/program.scm:360
#, scheme-format
msgid "The --~a argument must be a number, not ~s.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:358
+#: src/scm/webid-oidc/program.scm:366
#, scheme-format
msgid "The --~a argument must be an integer, not ~s.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:364
+#: src/scm/webid-oidc/program.scm:372
#, scheme-format
msgid "The --~a argument must be positive, ~s is invalid.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:369
+#: src/scm/webid-oidc/program.scm:377
#, scheme-format
msgid "The --~a argument must be less than 65536, ~s is invalid.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:411
+#: src/scm/webid-oidc/program.scm:419
#, scheme-format
msgid ""
"Usage: ~a COMMAND [OPTIONS]...\n"
"See --~a (-h).\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:430 src/scm/webid-oidc/program.scm:448
+#: src/scm/webid-oidc/program.scm:438 src/scm/webid-oidc/program.scm:456
+#: src/scm/webid-oidc/program.scm:522
#, scheme-format
msgid "You must pass --~a to set the server name.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:434
+#: src/scm/webid-oidc/program.scm:442
#, scheme-format
msgid "You must pass --~a to set the backend URI.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:452
+#: src/scm/webid-oidc/program.scm:460 src/scm/webid-oidc/program.scm:526
#, scheme-format
msgid ""
"You must pass --~a to set the file where to store the identity provider "
"key.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:456
+#: src/scm/webid-oidc/program.scm:464 src/scm/webid-oidc/program.scm:530
#, scheme-format
msgid "You must pass --~a to set the subject of the identity provider.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:460
+#: src/scm/webid-oidc/program.scm:468 src/scm/webid-oidc/program.scm:534
#, scheme-format
msgid "You must pass --~a to set the subject’s password.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:464
+#: src/scm/webid-oidc/program.scm:472 src/scm/webid-oidc/program.scm:538
#, scheme-format
msgid "You must pass --~a to set the JWKS URI.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:468
+#: src/scm/webid-oidc/program.scm:476 src/scm/webid-oidc/program.scm:542
#, scheme-format
msgid "You must pass --~a to set the authorization endpoint URI.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:472
+#: src/scm/webid-oidc/program.scm:480 src/scm/webid-oidc/program.scm:546
#, scheme-format
msgid "You must pass --~a to set the token endpoint URI.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:489
+#: src/scm/webid-oidc/program.scm:497
#, scheme-format
msgid "You must pass --~a to set the application web ID.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:493
+#: src/scm/webid-oidc/program.scm:501
#, scheme-format
msgid "You must pass --~a to set the redirection URI.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:497
+#: src/scm/webid-oidc/program.scm:505
#, scheme-format
msgid "You must pass --~a to set the informative client name.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:501
+#: src/scm/webid-oidc/program.scm:509
#, scheme-format
msgid "You must pass --~a to set the informative client URI.\n"
msgstr ""
-#: src/scm/webid-oidc/program.scm:513
+#: src/scm/webid-oidc/program.scm:589
#, scheme-format
msgid "Unknown command ~s\n"
msgstr ""
diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm
index c53be5d..2ab1cbe 100644
--- a/src/scm/webid-oidc/program.scm
+++ b/src/scm/webid-oidc/program.scm
@@ -3,6 +3,8 @@
#:use-module (webid-oidc reverse-proxy)
#:use-module (webid-oidc identity-provider)
#:use-module (webid-oidc client)
+ #:use-module (webid-oidc resource-server)
+ #:use-module (webid-oidc server create)
#:use-module (webid-oidc jti)
#:use-module ((webid-oidc stubs) #:prefix stubs:)
#:use-module ((webid-oidc config) #:prefix cfg:)
@@ -145,6 +147,9 @@ Available commands:
run an identity provider.
~a:
serve the pages for a public application.
+ ~a:
+ run a full server, with identity provider and resource storage
+ facility.
General options:
-h, --~a:
@@ -162,10 +167,11 @@ General server-side options:
-n URI, --~a=URI:
set the public server URI (scheme, userinfo, host, and port).
-Options for the reverse proxy:
+Options for the resource server:
-H HEADER, --~a=HEADER:
the HEADER field contains the webid of the authenticated user,
- XXX-Agent by default.
+ XXX-Agent by default. For the full server, disable webid-oidc
+ authentication.
-b URI, --~a=URI:
set the backend URI for the reverse proxy, only for the
reverse-proxy command.
@@ -204,8 +210,9 @@ Environment variables:
the user is the system administrator).~a
XDG_DATA_HOME: where the program stores persistent data. The
-identity provider stores the refresh tokens. For a system service, it
-is recommended to set it to /var/lib.~a
+identity provider stores the refresh tokens. The full server stores
+the resources there. For a system service, it is recommended to set it
+to /var/lib.~a
XDG_CACHE_HOME: where the program stores and updates the seed file,
and the web client cache. You can remove this directory at any
@@ -270,6 +277,7 @@ If you find a bug, then please send a report to ~a.
(G_ "command-line|command|reverse-proxy")
(G_ "command-line|command|identity-provider")
(G_ "command-line|command|client-service")
+ (G_ "command-line|command|server")
;; General options
;; help
help-sym
@@ -509,7 +517,75 @@ If you find a bug, then please send a report to ~a.
(handler-with-log handler)
'http
(list #:port port)))))
- (else
- (format (current-error-port) (G_ "Unknown command ~s\n")
- command)
- (exit 1))))))))))
+ ((equal? command (G_ "command-line|command|server"))
+ (unless server-name
+ (format (current-error-port) (G_ "You must pass --~a to set the server name.\n")
+ server-name-sym)
+ (exit 1))
+ (unless key-file
+ (format (current-error-port) (G_ "You must pass --~a to set the file where to store the identity provider key.\n")
+ key-file-sym)
+ (exit 1))
+ (unless subject
+ (format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n")
+ subject-sym)
+ (exit 1))
+ (unless password
+ (format (current-error-port) (G_ "You must pass --~a to set the subject’s password.\n")
+ password-sym)
+ (exit 1))
+ (unless jwks-uri
+ (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n")
+ jwks-uri-sym)
+ (exit 1))
+ (unless authorization-endpoint-uri
+ (format (current-error-port) (G_ "You must pass --~a to set the authorization endpoint URI.\n")
+ authorization-endpoint-uri-sym)
+ (exit 1))
+ (unless token-endpoint-uri
+ (format (current-error-port) (G_ "You must pass --~a to set the token endpoint URI.\n")
+ token-endpoint-uri-sym)
+ (exit 1))
+ (let ((jti-list (make-jti-list)))
+ (let ((resource-handler
+ (make-resource-server
+ #:server-uri server-name
+ #:owner subject
+ #:authenticator
+ (if header
+ (begin
+ (set! header
+ (string->symbol
+ (string-downcase
+ (symbol->string header))))
+ (lambda (request request-body)
+ (let ((value (assq-ref (request-headers request) header)))
+ (and value (string->uri value)))))
+ (make-authenticator
+ jti-list
+ #:server-uri server-name
+ #:http-get cache-http-get))
+ #:http-get cache-http-get))
+ (identity-provider-handler
+ (make-identity-provider
+ server-name key-file subject password jwks-uri
+ authorization-endpoint-uri token-endpoint-uri
+ jti-list
+ #:current-time current-time
+ #:http-get cache-http-get)))
+ (create-root server-name subject)
+ (run-server
+ (lambda (request request-body)
+ (let ((path (uri-path (request-uri request))))
+ (if (or (equal? path "/.well-known/openid-configuration")
+ (equal? path (uri-path jwks-uri))
+ (equal? path (uri-path authorization-endpoint-uri))
+ (equal? path (uri-path token-endpoint-uri)))
+ (identity-provider-handler request request-body)
+ (resource-handler request request-body))))
+ 'http
+ (list #:port port)))))
+ (else
+ (format (current-error-port) (G_ "Unknown command ~s\n")
+ command)
+ (exit 1))))))))))
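Review bot: In the new `server` clause, the `(if header ...)` branch of `#:authenticator` returns whatever URI the client put in the configured request header as the authenticated user, so the full server then accepts any HTTP client that sets that header (`XXX-Agent` by default) as that webid, with nothing checking that the request arrived through a front proxy that sets the header and strips client-supplied copies. The help text added earlier in this commit says the option "disables webid-oidc authentication", but that consequence is easy to miss at the call site; I would add `;; Trusts HEADER verbatim as the webid: only sound behind a proxy that sets it and drops any client-sent copy.` above the `(if header` form. Separately, the `(set! header (string->symbol ...))` mutates the outer `header` binding as a side effect of evaluating a keyword argument; binding the lower-cased symbol with a `let` inside the branch and closing the lambda over that local would keep the argument expression pure. The `cond` this clause belongs to, and the command-dispatch function around it, start outside the hunk.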
diff --git a/src/scm/webid-oidc/resource-server.scm b/src/scm/webid-oidc/resource-server.scm
index cef6a0c..c69bc51 100644
--- a/src/scm/webid-oidc/resource-server.scm
+++ b/src/scm/webid-oidc/resource-server.scm
@@ -4,6 +4,12 @@
#:use-module (webid-oidc provider-confirmation)
#:use-module (webid-oidc jwk)
#:use-module (webid-oidc dpop-proof)
+ #:use-module (webid-oidc server create)
+ #:use-module (webid-oidc server read)
+ #:use-module (webid-oidc server update)
+ #:use-module (webid-oidc server delete)
+ #:use-module (webid-oidc server precondition)
+ #:use-module (webid-oidc http-link)
#:use-module ((webid-oidc config) #:prefix cfg:)
#:use-module (webid-oidc jti)
#:use-module (webid-oidc access-token)
@@ -17,6 +23,7 @@
#:use-module (ice-9 i18n)
#:use-module (ice-9 getopt-long)
#:use-module (ice-9 suspendable-ports)
+ #:use-module (ice-9 control)
#:use-module (sxml simple)
#:use-module (srfi srfi-19))
@@ -84,3 +91,171 @@
(confirm-provider subject issuer #:http-get http-get)
subject)))
#:unwind? #t))))))
+
+(define (handle-errors f g)
+ (call/ec
+ (lambda (do-return)
+ (define (return . args)
+ (apply do-return args))
+ (with-exception-handler
+ (lambda (error)
+ (g return error))
+ (lambda ()
+ (f return))))))
+
+(define*-public (make-resource-server
+ #:key
+ (server-uri #f)
+ (owner #f)
+ (authenticator #f)
+ (current-time current-time)
+ (http-get http-get))
+ (unless owner
+ (error "The owner is not defined."))
+ (declare-link-header!)
+ (unless authenticator
+ (set! authenticator
+ (make-authenticator (make-jti-list)
+ #:server-uri server-uri
+ #:current-time current-time
+ #:http-get http-get)))
+ (lambda (request request-body)
+ (let ((user (authenticator request request-body)))
+ (handle-errors
+ (lambda (return)
+ (let ((method (request-method request)))
+ (case method
+ ((GET HEAD OPTIONS)
+ (receive (headers content)
+ (read server-uri owner user
+ (uri-path (request-uri request))
+ #:http-get http-get)
+ (with-exception-handler
+ (lambda (error)
+ (return
+ (build-response
+ #:headers headers)
+ (if (eq? method 'GET)
+ content
+ "")))
+ (lambda ()
+ (unless (or (request-if-match request)
+ (request-if-none-match request))
+ ;; Act as if the precondition failed
+ (raise-exception
+ (make-precondition-failed
+ (uri-path (request-uri request))
+ (request-if-match request)
+ (request-if-none-match request)
+ (car (assq-ref headers 'etag)))))
+ (check-precondition
+ (uri-path (request-uri request))
+ (request-if-match request)
+ (request-if-none-match request)
+ (car (assq-ref headers 'etag)))
+ (return
+ (build-response
+ #:code 304
+ #:reason-phrase "Not Modified"
+ #:headers headers)
+ "")))))
+ ((PUT)
+ (return
+ (build-response
+ #:headers
+ `((etag . (,(update server-uri owner user
+ (uri-path (request-uri request))
+ (request-if-match request)
+ (request-if-none-match request)
+ (request-content-type request)
+ request-body
+ #:http-get http-get)
+ . #f))))
+ ""))
+ ((POST)
+ (let ((types
+ (map car
+ (filter
+ (lambda (link)
+ (equal? (assq-ref link 'rel) "type"))
+ (request-links request)))))
+ (return
+ (build-response
+ #:headers
+ `((location . ,(create server-uri owner user
+ (uri-path (request-uri request))
+ types
+ (assq-ref (request-headers request) 'slug)
+ (request-content-type request)
+ request-body
+ #:http-get http-get))))
+ "")))
+ ((DELETE)
+ (delete server-uri owner user
+ (uri-path (request-uri request))
+ (request-if-match request)
+ (request-if-none-match request)
+ #:http-get http-get)
+ (return
+ (build-response)
+ "")))))
+ (lambda (return error)
+ (if (cannot-fetch-group? error)
+ (format (current-error-port) (G_ "Warning: ~a\n")
+ (error->str error))
+ (begin
+ (format (current-error-port) (G_ "Error: ~a\n")
+ (error->str error))
+ (cond
+ ((uri-slash-semantics-error? error)
+ (return
+ (build-response
+ #:code 301
+ #:reason-phrase "Found"
+ #:headers
+ `((location
+ . ,(build-uri
+ (uri-scheme server-uri)
+ #:userinfo (uri-userinfo server-uri)
+ #:host (uri-host server-uri)
+ #:port (uri-port server-uri)
+ #:path (uri-slash-semantics-error-expected-path error)))))
+ ""))
+ ((or (path-not-found? error)
+ (auxiliary-resource-absent? error)
+ (forbidden? error))
+ (if user
+ ;; That’s a forbidden
+ (return
+ (build-response #:code 403 #:reason-phrase "Forbidden")
+ "")
+ (return
+ (build-response #:code 401 #:reason-phrase "Unauthorized"
+ #:headers `((www-authenticate . ((DPoP)))))
+ "")))
+ ((or (cannot-delete-root? error))
+ (return
+ (build-response
+ #:code 405
+ #:reason-phrase "Method Not Allowed")
+ ""))
+ ((or (container-not-empty? error)
+ (incorrect-containment-triples? error)
+ (path-is-auxiliary? error))
+ (return
+ (build-response
+ #:code 409
+ #:reason-phrase "Conflict")
+ ""))
+ ((unsupported-media-type? error)
+ (return
+ (build-response
+ #:code 415
+ #:reason-phrase "Unsupported Media Type")
+ ""))
+ ((precondition-failed? error)
+ (return
+ (build-response
+ #:code 412
+ #:reason-phrase "Precondition Failed")
+ ""))))))))))
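Review bot: The error handler's `cond` (from `(uri-slash-semantics-error? error)` down to `(precondition-failed? error)`) has no fallback clause, so an exception matching none of the predicates is neither answered nor re-raised, and since `handle-errors` installs the handler without `#:unwind? #t`, returning from it on a non-continuable raise produces a secondary error whose fate then depends on what `run-server` does with it. The authenticator call `(let ((user (authenticator request request-body)))` also sits outside `handle-errors`, so whatever `make-authenticator` throws for a bad token (the manual says errors are thrown rather than returned) escapes the same way instead of becoming the 401 with `www-authenticate` that the `forbidden?` branch already builds; routing that call through the same handler and adding `(else (return (build-response #:code 500 #:reason-phrase "Internal Server Error") ""))` would close both gaps without leaking the error text, which is only written to the error port. Two smaller points: `#:code 301 #:reason-phrase "Found"` pairs the 301 code with the 302 phrase (either `"Moved Permanently"` or `#:code 302` would be consistent), and the inner `with-exception-handler` around the GET precondition check catches every exception, so a missing `etag` entry failing in `car` would be served as an ordinary 200 — it should test `(precondition-failed? error)` and re-raise anything else. I cannot see `check-precondition`; if it raises when a precondition evaluates false as RFC 7232 describes, the GET branch looks inverted, because a matching `If-None-Match` would then fall into the handler and return the full content while a non-matching one would reach the 304 — please confirm against `(webid-oidc server precondition)`.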