-rw-r--r-- | guix/vkraus/services/webid-oidc.scm | 16 | ||||
-rw-r--r-- | po/fr.po | 25 | ||||
-rw-r--r-- | po/webid-oidc.pot | 12 | ||||
-rw-r--r-- | src/scm/webid-oidc/authorization-endpoint.scm | 10 | ||||
-rw-r--r-- | src/scm/webid-oidc/identity-provider.scm | 4 | ||||
-rw-r--r-- | src/scm/webid-oidc/program.scm | 34 | ||||
-rw-r--r-- | tests/authorization-endpoint-submit-form.scm | 3 |
7 files changed, 55 insertions, 49 deletions
diff --git a/guix/vkraus/services/webid-oidc.scm b/guix/vkraus/services/webid-oidc.scm index 23f0da3..8160b04 100644 --- a/guix/vkraus/services/webid-oidc.scm +++ b/guix/vkraus/services/webid-oidc.scm @@ -39,7 +39,7 @@ (key-file webid-oidc-issuer-configuration-key-file (default "/var/lib/webid-oidc/issuer/key.jwk")) (subject webid-oidc-issuer-configuration-subject) - (password webid-oidc-issuer-configuration-password) + (encrypted-password webid-oidc-issuer-configuration-encrypted-password) (jwks-uri webid-oidc-issuer-configuration-jwks-uri) (authorization-endpoint-uri webid-oidc-issuer-configuration-authorization-endpoint-uri) @@ -109,7 +109,7 @@ (key-file webid-oidc-server-configuration-key-file (default "/var/lib/webid-oidc/server/key.jwk")) (subject webid-oidc-server-configuration-subject) - (password webid-oidc-server-configuration-password) + (encrypted-password webid-oidc-server-configuration-encrypted-password) (jwks-uri webid-oidc-server-configuration-jwks-uri) (authorization-endpoint-uri webid-oidc-server-configuration-authorization-endpoint-uri) @@ -129,7 +129,7 @@ webid-oidc-issuer-configuration-issuer webid-oidc-issuer-configuration-key-file webid-oidc-issuer-configuration-subject - webid-oidc-issuer-configuration-password + webid-oidc-issuer-configuration-encrypted-password webid-oidc-issuer-configuration-jwks-uri webid-oidc-issuer-configuration-authorization-endpoint-uri webid-oidc-issuer-configuration-token-endpoint-uri @@ -175,7 +175,7 @@ webid-oidc-server-configuration-server-name webid-oidc-server-configuration-key-file webid-oidc-server-configuration-subject - webid-oidc-server-configuration-password + webid-oidc-server-configuration-encrypted-password webid-oidc-server-configuration-jwks-uri webid-oidc-server-configuration-authorization-endpoint-uri webid-oidc-server-configuration-token-endpoint-uri 
@@ -185,7 +185,7 @@ (define webid-oidc-issuer-shepherd-service (match-lambda (($ <webid-oidc-issuer-configuration> - webid-oidc ccs issuer key-file subject password jwks-uri + webid-oidc ccs issuer key-file subject encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri port extra-options) (with-imported-modules @@ -217,7 +217,7 @@ "--server-name" #$issuer "--key-file" #$key-file "--subject" #$subject - "--password" #$password + "--encrypted-password" #$encrypted-password "--jwks-uri" #$jwks-uri "--authorization-endpoint-uri" #$authorization-endpoint-uri "--token-endpoint-uri" #$token-endpoint-uri @@ -370,7 +370,7 @@ (define webid-oidc-server-shepherd-service (match-lambda (($ <webid-oidc-server-configuration> - webid-oidc ccs server-name key-file subject password jwks-uri + webid-oidc ccs server-name key-file subject encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri port extra-options) (with-imported-modules @@ -402,7 +402,7 @@ "--server-name" #$server-name "--key-file" #$key-file "--subject" #$subject - "--password" #$password + "--encrypted-password" #$encrypted-password "--jwks-uri" #$jwks-uri "--authorization-endpoint-uri" #$authorization-endpoint-uri "--token-endpoint-uri" #$token-endpoint-uri @@ -2,8 +2,8 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc 0.0.0\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-07-02 17:36+0200\n" -"PO-Revision-Date: 2021-07-02 16:26+0200\n" +"POT-Creation-Date: 2021-07-03 11:07+0200\n" +"PO-Revision-Date: 2021-07-03 11:08+0200\n" "Last-Translator: Vivien Kraus <vivien@planete-kraus.eu>\n" "Language-Team: French <vivien@planete-kraus.eu>\n" "Language: fr\n" 
@@ -1277,8 +1277,8 @@ msgid "command-line|server|issuer|subject" msgstr "sujet" #: src/scm/webid-oidc/program.scm:157 -msgid "command-line|server|issuer|password" -msgstr "mot-de-passe" +msgid "command-line|server|issuer|encrypted-password" +msgstr "mot-de-passe-chiffré" #: src/scm/webid-oidc/program.scm:159 msgid "command-line|server|issuer|jwks-uri" @@ -1366,8 +1366,8 @@ msgid "" " key is generated.\n" " -s WEBID, --~a=WEBID:\n" " set the identity of the subject.\n" -" -w PASSWORD, --~a=PASSWORD:\n" -" set the password to recognize the user.\n" +" -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n" +" set the encrypted password to recognize the user.\n" " -j URI, --~a=URI:\n" " set the URI to query the key of the server.\n" " -a URI, --~a=URI:\n" @@ -1439,7 +1439,7 @@ msgid "" " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a \"$PASSWORD\" \\\n" +" --~a \"$ENCRYPTED_PASSWORD\" \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" @@ -1518,8 +1518,8 @@ msgstr "" " nouvelle clé sera générée.\n" " -s WEBID, --~a=WEBID :\n" " définit l’identité du sujet.\n" -" -w MOTDEPASSE, --~a=MOTDEPASSE :\n" -" définit le mot de passe pour reconnaître l’utilisateur.\n" +" -w MOT_DE_PASSE_CHIFFRÉ, --~a=MOT_DE_PASSE_CHIFFRÉ :\n" +" définit le mot de passe chiffré pour reconnaître l’utilisateur.\n" " -j URI, --~a=URI :\n" " définit l’URI à requêter pour obtenir la clé du serveur.\n" " -a URI, --~a=URI :\n" 
@@ -1596,7 +1596,7 @@ msgstr "" " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a \"$MOTDEPASSE\" \\\n" +" --~a \"$MOT_DE_PASSE_CHIFFRÉ\" \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" @@ -1707,8 +1707,9 @@ msgstr "" #: src/scm/webid-oidc/program.scm:548 src/scm/webid-oidc/program.scm:620 #, scheme-format -msgid "You must pass --~a to set the subject’s password.\n" -msgstr "Vous devez passer --~a pour définir le mot de passe du sujet.\n" +msgid "You must pass --~a to set the subject’s encrypted password.\n" +msgstr "" +"Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n" #: src/scm/webid-oidc/program.scm:552 src/scm/webid-oidc/program.scm:624 #, scheme-format diff --git a/po/webid-oidc.pot b/po/webid-oidc.pot index 5b1bdbf..1090ce1 100644 --- a/po/webid-oidc.pot +++ b/po/webid-oidc.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc SNAPSHOT\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-07-02 17:36+0200\n" +"POT-Creation-Date: 2021-07-03 11:07+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL@li.org>\n" @@ -1165,7 +1165,7 @@ msgid "command-line|server|issuer|subject" msgstr "" #: src/scm/webid-oidc/program.scm:157 -msgid "command-line|server|issuer|password" +msgid "command-line|server|issuer|encrypted-password" msgstr "" #: src/scm/webid-oidc/program.scm:159 
@@ -1254,8 +1254,8 @@ msgid "" " key is generated.\n" " -s WEBID, --~a=WEBID:\n" " set the identity of the subject.\n" -" -w PASSWORD, --~a=PASSWORD:\n" -" set the password to recognize the user.\n" +" -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n" +" set the encrypted password to recognize the user.\n" " -j URI, --~a=URI:\n" " set the URI to query the key of the server.\n" " -a URI, --~a=URI:\n" @@ -1327,7 +1327,7 @@ msgid "" " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a \"$PASSWORD\" \\\n" +" --~a \"$ENCRYPTED_PASSWORD\" \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" @@ -1433,7 +1433,7 @@ msgstr "" #: src/scm/webid-oidc/program.scm:548 src/scm/webid-oidc/program.scm:620 #, scheme-format -msgid "You must pass --~a to set the subject’s password.\n" +msgid "You must pass --~a to set the subject’s encrypted password.\n" msgstr "" #: src/scm/webid-oidc/program.scm:552 src/scm/webid-oidc/program.scm:624 diff --git a/src/scm/webid-oidc/authorization-endpoint.scm b/src/scm/webid-oidc/authorization-endpoint.scm index 3c4a730..9ff994c 100644 --- a/src/scm/webid-oidc/authorization-endpoint.scm +++ b/src/scm/webid-oidc/authorization-endpoint.scm @@ -29,7 +29,11 @@ #:use-module (ice-9 receive) #:use-module (ice-9 optargs)) -(define*-public (make-authorization-endpoint subject the-password alg jwk validity +(define (verify-password encrypted-password password) + (let ((c (crypt password encrypted-password))) + (string=? c encrypted-password))) + +(define*-public (make-authorization-endpoint subject encrypted-password alg jwk validity #:key (http-get http-get) (current-time current-time)) 
@@ -81,7 +85,7 @@ (error-no-redirect-uri locale)) ((and (eq? method 'POST) (string? password) - (string=? password the-password)) + (verify-password encrypted-password password)) (with-exception-handler (lambda (error) (error-application locale error)) @@ -123,7 +127,7 @@ (else (authorization-page locale (not (and password - (string=? password the-password))) + (verify-password encrypted-password password))) client-id uri))))))) diff --git a/src/scm/webid-oidc/identity-provider.scm b/src/scm/webid-oidc/identity-provider.scm index 37a01be..8bd3e5b 100644 --- a/src/scm/webid-oidc/identity-provider.scm +++ b/src/scm/webid-oidc/identity-provider.scm @@ -53,7 +53,7 @@ issuer key-file subject - password + encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri @@ -79,7 +79,7 @@ 'RS256 'ES256))) (let ((authorization-endpoint - (make-authorization-endpoint subject password alg key 120 + (make-authorization-endpoint subject encrypted-password alg key 120 #:current-time current-time #:http-get http-get)) (token-endpoint diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm index 7e47c2b..f083700 100644 --- a/src/scm/webid-oidc/program.scm +++ b/src/scm/webid-oidc/program.scm @@ -153,8 +153,8 @@ (string->symbol (G_ "command-line|server|issuer|key-file"))) (subject-sym (string->symbol (G_ "command-line|server|issuer|subject"))) - (password-sym - (string->symbol (G_ "command-line|server|issuer|password"))) + (encrypted-password-sym + (string->symbol (G_ "command-line|server|issuer|encrypted-password"))) (jwks-uri-sym (string->symbol (G_ "command-line|server|issuer|jwks-uri"))) (authorization-endpoint-uri-sym 
@@ -182,7 +182,7 @@ (,error-file-sym (single-char #\e) (value #t)) (,key-file-sym (single-char #\k) (value #t)) (,subject-sym (single-char #\s) (value #t)) - (,password-sym (single-char #\w) (value #t)) + (,encrypted-password-sym (single-char #\w) (value #t)) (,jwks-uri-sym (single-char #\j) (value #t)) (,authorization-endpoint-uri-sym (single-char #\a) (value #t)) (,token-endpoint-uri-sym (single-char #\t) (value #t)) @@ -252,8 +252,8 @@ Options for the identity provider: key is generated. -s WEBID, --~a=WEBID: set the identity of the subject. - -w PASSWORD, --~a=PASSWORD: - set the password to recognize the user. + -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD: + set the encrypted password to recognize the user. -j URI, --~a=URI: set the URI to query the key of the server. -a URI, --~a=URI: @@ -324,7 +324,7 @@ invoked with the following options: --~a 'https://webid-oidc-demo.planete-kraus.eu' \\ --~a '/var/lib/webid-oidc/issuer/key.jwk' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\ - --~a \"$PASSWORD\" \\ + --~a \"$ENCRYPTED_PASSWORD\" \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\ @@ -375,7 +375,7 @@ If you find a bug, then please send a report to ~a. ;; Options for the identity provider key-file-sym subject-sym - password-sym + encrypted-password-sym jwks-uri-sym authorization-endpoint-uri-sym token-endpoint-uri-sym @@ -414,7 +414,7 @@ If you find a bug, then please send a report to ~a. (car (command-line)) (G_ "command-line|command|identity-provider") complete-corresponding-source-sym - server-name-sym key-file-sym subject-sym password-sym + server-name-sym key-file-sym subject-sym encrypted-password-sym jwks-uri-sym authorization-endpoint-uri-sym token-endpoint-uri-sym port-sym ;; Running the public pages for an application 
@@ -478,7 +478,7 @@ If you find a bug, then please send a report to ~a. (subject (let ((str (option-ref options subject-sym #f))) (and str (string->uri str)))) - (password (option-ref options password-sym #f)) + (encrypted-password (option-ref options encrypted-password-sym #f)) (jwks-uri (let ((str (option-ref options jwks-uri-sym #f))) (and str (string->uri str)))) @@ -544,9 +544,9 @@ If you find a bug, then please send a report to ~a. (format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n") subject-sym) (exit 1)) - (unless password - (format (current-error-port) (G_ "You must pass --~a to set the subject’s password.\n") - password-sym) + (unless encrypted-password + (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n") + encrypted-password-sym) (exit 1)) (unless jwks-uri (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n") @@ -562,7 +562,7 @@ If you find a bug, then please send a report to ~a. (exit 1)) (let ((handler (make-identity-provider - server-name key-file subject password jwks-uri + server-name key-file subject encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri (make-jti-list) #:current-time current-time @@ -616,9 +616,9 @@ If you find a bug, then please send a report to ~a. (format (current-error-port) (G_ "You must pass --~a to set the subject of the identity provider.\n") subject-sym) (exit 1)) - (unless password - (format (current-error-port) (G_ "You must pass --~a to set the subject’s password.\n") - password-sym) + (unless encrypted-password + (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n") + encrypted-password-sym) (exit 1)) (unless jwks-uri (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n") 
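Review bot: The presence check `(unless encrypted-password …)` in the `@@ -544` hunk (duplicated in `@@ -616`) accepts any string, so an `--encrypted-password` value that is not a valid crypt(3) setting string — for instance a plaintext password carried over from the old `--password` option — is only noticed at the first login attempt, where `crypt` will either signal an error or simply never match. A startup self-check catches that early, e.g. `(unless (false-if-exception (crypt "" encrypted-password)) (format (current-error-port) (G_ "--~a is not a valid crypt(3) hash.\n") encrypted-password-sym) (exit 1))`; whether Guile's `crypt` raises or returns a non-matching string on a malformed setting should be confirmed for the Guile version in use. Any such new message is a new msgid and needs the matching po/pot entries as this commit already does for the reworded ones.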
@@ -654,7 +654,7 @@ If you find a bug, then please send a report to ~a. #:http-get cache-http-get)) (identity-provider-handler (make-identity-provider - server-name key-file subject password jwks-uri + server-name key-file subject encrypted-password jwks-uri authorization-endpoint-uri token-endpoint-uri jti-list #:current-time current-time diff --git a/tests/authorization-endpoint-submit-form.scm b/tests/authorization-endpoint-submit-form.scm index 90de696..f379e38 100644 --- a/tests/authorization-endpoint-submit-form.scm +++ b/tests/authorization-endpoint-submit-form.scm @@ -38,6 +38,7 @@ (define client (string->uri "https://authorization-endpoint-submit-form.scm/client/card#app")) (define redirect (string->uri "https://authorization-endpoint-submit-form.scm/client/redirect")) (define password "p4ssw0rd") + (define encrypted-password (crypt password "$6$this.is.the.salt")) (define validity 120) (define the-time 0) (define (current-time) @@ -61,7 +62,7 @@ (define jti-list (make-jti-list)) (define endpoint (make-authorization-endpoint - subject password alg key validity + subject encrypted-password alg key validity #:http-get cached-http-get #:current-time current-time)) (receive (response response-body) |