Merge branch 'prerel' into ci/add-parent-child

.gitlab-ci.yml

@@ -145,5 +145,4 @@ trigger-win-installer:
                     --upstream-pipeline-id ${TRIGGERED_PIPELINE_ID}
   artifacts:
     paths:
-      - "results/*"
-
+      - "results/*"

CHANGELOG.md

@@ -12,11 +12,21 @@
 <!-- ### Dependencies -->
 <!--  -->
 
-## oidc-agent 5.0.2
+## oidc-agent 5.1.0
+
+### Changes
+
+- When an account configuration is generated and the OP returns scopes in the initial token flow, the account
+  configuration is updated with those scopes.
+
+### Features
+
+- Added option to `oidc-add` to load an account config directly into the agent without the agent checking if it works.
 
 ### Bugfixes
 
 - Fixed a problem with the tmp dir path that could occur on some windows systems that prevented oidc-agent to start.
+- Fixed a potential segmentation fault when the oidc-agent dir is empty and account configs are listed.
 
 ## oidc-agent 5.0.1
 

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017 - 2023 Karlsruhe Institute of Technology - Steinbuch Centre for Computing
+Copyright (c) 2017 - 2024 Karlsruhe Institute of Technology - Steinbuch Centre for Computing
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

VERSION

@@ -1 +1 @@
-5.0.2
+5.1.0

src/defines/agent_values.h

@@ -50,6 +50,7 @@
 #define CONFIG_KEY_STATSCOLLECTSHARE "stats_collect_share"
 #define CONFIG_KEY_STATSCOLLECTLOCATION "stats_collect_location"
 #define CONFIG_KEY_LEGACYAUDMODE "legacy_aud_mode"
+#define CONFIG_KEY_PLAINADD "skip-check"
 
 #define ACCOUNTINFO_KEY_HASPUBCLIENT "pubclient"
 

src/defines/ipc_values.h

@@ -36,6 +36,7 @@
 #define IPC_KEY_ONLYAT "only_at"
 #define IPC_KEY_MYTOKEN_OIDC_ISS "oidc_issuer"
 #define IPC_KEY_MYTOKEN_MY_ISS "mytoken_issuer"
+#define IPC_KEY_PLAINADD "plain_add"
 
 // STATUS
 #define STATUS_SUCCESS "success"
@@ -137,11 +138,12 @@
 #define REQUEST_ADD_LIFETIME                                             \
   "{\"" IPC_KEY_REQUEST "\":\"" REQUEST_VALUE_ADD "\",\"" IPC_KEY_CONFIG \
   "\":%s,\"" IPC_KEY_LIFETIME "\":%lu,\"" IPC_KEY_PASSWORDENTRY          \
-  "\":%s,\"" IPC_KEY_CONFIRM "\":%d,\"" IPC_KEY_ALWAYSALLOWID "\":%d}"
+  "\":%s,\"" IPC_KEY_CONFIRM "\":%d,\"" IPC_KEY_ALWAYSALLOWID            \
+  "\":%d,\"" IPC_KEY_PLAINADD "\":%d}"
 #define REQUEST_ADD                                                      \
   "{\"" IPC_KEY_REQUEST "\":\"" REQUEST_VALUE_ADD "\",\"" IPC_KEY_CONFIG \
   "\":%s,\"" IPC_KEY_PASSWORDENTRY "\":%s,\"" IPC_KEY_CONFIRM            \
-  "\":%d,\"" IPC_KEY_ALWAYSALLOWID "\":%d}"
+  "\":%d,\"" IPC_KEY_ALWAYSALLOWID "\":%d,\"" IPC_KEY_PLAINADD "\":%d}"
 #define REQUEST_REMOVE                                                         \
   "{\"" IPC_KEY_REQUEST "\":\"" REQUEST_VALUE_REMOVE "\",\"" IPC_KEY_SHORTNAME \
   "\":\"%s\"}"

src/oidc-add/add_handler.c

@@ -80,14 +80,14 @@ void add_handleAdd(char* account, struct arguments* arguments) {
 
   char* res = NULL;
   if (storePW) {
-    res = ipc_cryptCommunicate(arguments->remote, REQUEST_ADD_LIFETIME, json_p,
-                               arguments->lifetime.lifetime, pw_str,
-                               arguments->confirm,
-                               arguments->always_allow_idtoken);
+    res = ipc_cryptCommunicate(
+        arguments->remote, REQUEST_ADD_LIFETIME, json_p,
+        arguments->lifetime.lifetime, pw_str, arguments->confirm,
+        arguments->always_allow_idtoken, arguments->plainadd);
   } else {
-    res = ipc_cryptCommunicate(arguments->remote, REQUEST_ADD, json_p, pw_str,
-                               arguments->confirm,
-                               arguments->always_allow_idtoken);
+    res = ipc_cryptCommunicate(
+        arguments->remote, REQUEST_ADD, json_p, pw_str, arguments->confirm,
+        arguments->always_allow_idtoken, arguments->plainadd);
   }
   secFree(pw_str);
   secFree(json_p);

src/oidc-add/oidc-add_options.c

@@ -1,5 +1,6 @@
 #include "oidc-add_options.h"
 
+#include "defines/agent_values.h"
 #include "defines/settings.h"
 #include "utils/commonFeatures.h"
 #include "utils/config/add_config.h"
@@ -13,6 +14,7 @@
 #define OPT_PW_FILE 7
 #define OPT_REMOTE 8
 #define OPT_PW_ENV 9
+#define OPT_PLAINADD 10
 
 static struct argp_option options[] = {
     {0, 0, 0, 0, "General:", 1},
@@ -53,6 +55,10 @@ static struct argp_option options[] = {
      "Always allow id-token requests without manual approval by the user for "
      "this account configuration.",
      1},
+    {CONFIG_KEY_PLAINADD, OPT_PLAINADD, 0, 0,
+     "Indicates that the agent should load the account configuration without "
+     "checking it, i.e. no access token is obtained on load.",
+     1},
     {"remote", OPT_REMOTE, 0, 0,
      "Use a remote central oidc-agent, instead of a local one.", 1},
     {"force", 'f', 0, 0,
@@ -107,6 +113,7 @@ static error_t parse_opt(int key, char* arg, struct argp_state* state) {
       arguments->pw_lifetime.argProvided = 1;
       break;
     case OPT_ALWAYS_ALLOW_IDTOKEN: arguments->always_allow_idtoken = 1; break;
+    case OPT_PLAINADD: arguments->plainadd = 1; break;
     case 't':
       if (!isdigit(*arg)) {
         return ARGP_ERR_UNKNOWN;
@@ -169,6 +176,7 @@ void initArguments(struct arguments* arguments) {
   arguments->always_allow_idtoken    = 0;
   arguments->remote                  = 0;
   arguments->force                   = 0;
+  arguments->plainadd                = getAddConfig()->plain_add;
   arguments->pw_prompt_mode          = getAddConfig()->pw_prompt_mode;
   set_pw_prompt_mode(arguments->pw_prompt_mode);
 }

src/oidc-add/oidc-add_options.h

@@ -13,20 +13,21 @@ struct arguments {
   char* pw_file;
   char* pw_env;
 
-  unsigned char remove;
-  unsigned char removeAll;
-  unsigned char debug;
-  unsigned char verbose;
-  unsigned char listConfigured;
-  unsigned char listLoaded;
-  unsigned char print;
-  unsigned char lock;
-  unsigned char unlock;
-  unsigned char confirm;
-  unsigned char always_allow_idtoken;
-  unsigned char pw_prompt_mode;
-  unsigned char remote;
-  unsigned char force;
+  unsigned char remove : 1;
+  unsigned char removeAll : 1;
+  unsigned char debug : 1;
+  unsigned char verbose : 1;
+  unsigned char listConfigured : 1;
+  unsigned char listLoaded : 1;
+  unsigned char print : 1;
+  unsigned char lock : 1;
+  unsigned char unlock : 1;
+  unsigned char confirm : 1;
+  unsigned char always_allow_idtoken : 1;
+  unsigned char pw_prompt_mode : 2;
+  unsigned char remote : 1;
+  unsigned char force : 1;
+  unsigned char plainadd : 1;
 
   struct lifetimeArg pw_lifetime;
   struct lifetimeArg lifetime;

src/oidc-agent/oidc/flows/oidc.c

@@ -79,7 +79,7 @@ char* parseTokenResponseCallbacks(
     oidc_setInternalError("cannot return AT and ID token");
     return NULL;
   }
-  INIT_KEY_VALUE(OIDC_KEY_ACCESSTOKEN, OIDC_KEY_REFRESHTOKEN,
+  INIT_KEY_VALUE(OIDC_KEY_ACCESSTOKEN, OIDC_KEY_SCOPE, OIDC_KEY_REFRESHTOKEN,
                  MYTOKEN_KEY_MYTOKEN, OIDC_KEY_IDTOKEN, OIDC_KEY_EXPIRESIN,
                  OIDC_KEY_ERROR, OIDC_KEY_ERROR_DESCRIPTION);
   if (CALL_GETJSONVALUES(res) < 0) {
@@ -90,8 +90,8 @@ char* parseTokenResponseCallbacks(
     }
     return NULL;
   }
-  KEY_VALUE_VARS(access_token, refresh_token, mytoken, id_token, expires_in,
-                 error, error_description);
+  KEY_VALUE_VARS(access_token, scope, refresh_token, mytoken, id_token,
+                 expires_in, error, error_description);
   if (_error || _error_description) {
     errorHandling(_error, _error_description);
     SEC_FREE_KEY_VALUES();
@@ -105,6 +105,14 @@ char* parseTokenResponseCallbacks(
     }
     secFree(_expires_in);
   }
+  if (NULL != _scope && refreshFlow) {
+    // if we get a scope value back from the OP when the initial AT is obtained,
+    // we update the config, because it might be possible that the OP made
+    // changes to the scopes.
+    account_setScopeExact(a, _scope);
+  } else {
+    secFree(_scope);
+  }
 
   char* refresh_token = account_getRefreshToken(a);
   char* obtainedRTMT  = _refresh_token ?: _mytoken;

src/oidc-agent/oidcd/oidcd.c

@@ -72,7 +72,8 @@ int oidcd_main(struct ipcPipe pipes, const struct arguments* arguments) {
         IPC_KEY_NOSCHEME, IPC_KEY_CERTPATH, IPC_KEY_AUDIENCE,
         IPC_KEY_ALWAYSALLOWID, IPC_KEY_FILENAME, IPC_KEY_DATA,
         OIDC_KEY_REGISTRATION_CLIENT_URI, OIDC_KEY_REGISTRATION_ACCESS_TOKEN,
-        IPC_KEY_ONLYAT, AGENT_KEY_CONFIG_ENDPOINT, AGENT_KEY_MYTOKENPROFILE);
+        IPC_KEY_ONLYAT, AGENT_KEY_CONFIG_ENDPOINT, AGENT_KEY_MYTOKENPROFILE,
+        IPC_KEY_PLAINADD);
     if (getJSONValuesFromString(q, pairs, sizeof(pairs) / sizeof(*pairs)) < 0) {
       ipc_writeToPipe(pipes, RESPONSE_BADREQUEST, oidc_serror());
       secFreeKeyValuePairs(pairs, sizeof(pairs) / sizeof(*pairs));
@@ -85,9 +86,9 @@ int oidcd_main(struct ipcPipe pipes, const struct arguments* arguments) {
                    lifetime, password, applicationHint, confirm, issuer,
                    noscheme, cert_path, audience, alwaysallowid, filename, data,
                    registration_client_uri, registration_access_token, only_at,
-                   config_endpoint,
-                   profile);  // Gives variables for key_value values;
-                              // e.g. _request=pairs[0].value
+                   config_endpoint, profile,
+                   plainadd);  // Gives variables for key_value values;
+                               // e.g. _request=pairs[0].value
     if (_request == NULL) {
       ipc_writeToPipe(pipes, RESPONSE_BADREQUEST, "No request type.");
       secFreeKeyValuePairs(pairs, sizeof(pairs) / sizeof(*pairs));
@@ -121,7 +122,8 @@ int oidcd_main(struct ipcPipe pipes, const struct arguments* arguments) {
     } else if (strequal(_request, REQUEST_VALUE_DEVICELOOKUP)) {
       oidcd_handleDeviceLookup(pipes, _device, _only_at);
     } else if (strequal(_request, REQUEST_VALUE_ADD)) {
-      oidcd_handleAdd(pipes, _config, _lifetime, _confirm, _alwaysallowid);
+      oidcd_handleAdd(pipes, _config, _lifetime, _confirm, _alwaysallowid,
+                      _plainadd);
     } else if (strequal(_request, REQUEST_VALUE_REMOVE)) {
       oidcd_handleRm(pipes, _shortname);
     } else if (strequal(_request, REQUEST_VALUE_REMOVEALL)) {

src/oidc-agent/oidcd/oidcd_handler.c

@@ -261,7 +261,8 @@ void oidcd_handleGen(struct ipcPipe pipes, const char* account_json,
  * checks if an account is feasible (issuer config / AT retrievable) and adds it
  * to the loaded list; does not check if account already loaded.
  */
-oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account) {
+oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account,
+                        unsigned char plain_load) {
   if (account == NULL) {
     oidc_setArgNullFuncError(__func__);
     return oidc_errno;
@@ -272,13 +273,15 @@ oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account) {
   if (!strValid(account_getTokenEndpoint(account))) {
     return oidc_errno;
   }
-  if (getAccessTokenUsingRefreshFlow(account, FORCE_NEW_TOKEN, NULL, NULL,
-                                     pipes) == NULL) {
-    account_setDeath(account,
-                     time(NULL) + 10);  // with short timeout so no password
-                                        // required for re-authentication
-    db_addAccountEncrypted(account);
-    return oidc_errno;
+  if (!plain_load) {
+    if (getAccessTokenUsingRefreshFlow(account, FORCE_NEW_TOKEN, NULL, NULL,
+                                       pipes) == NULL) {
+      account_setDeath(account,
+                       time(NULL) + 10);  // with short timeout so no password
+                                          // required for re-authentication
+      db_addAccountEncrypted(account);
+      return oidc_errno;
+    }
   }
   db_addAccountEncrypted(account);
   oidcd_handleUpdateIssuer(pipes, account_getIssuerUrl(account),
@@ -288,7 +291,7 @@ oidc_error_t addAccount(struct ipcPipe pipes, struct oidc_account* account) {
 
 void oidcd_handleAdd(struct ipcPipe pipes, const char* account_json,
                      const char* timeout_str, const char* confirm_str,
-                     const char* alwaysallowid) {
+                     const char* alwaysallowid, const char* plain_load_str) {
   agent_log(DEBUG, "Handle Add request");
   struct oidc_account* account = getAccountFromJSON(account_json);
   if (account == NULL) {
@@ -319,7 +322,7 @@ void oidcd_handleAdd(struct ipcPipe pipes, const char* account_json,
     secFreeAccount(account);
     return;
   }
-  if (addAccount(pipes, account) != OIDC_SUCCESS) {
+  if (addAccount(pipes, account, strToBit(plain_load_str)) != OIDC_SUCCESS) {
     char* help = getHelpWithAccountInfo(account);
     if (help != NULL) {
       ipc_writeToPipe(pipes, RESPONSE_ERROR_INFO, oidc_serror(), help);
@@ -423,7 +426,7 @@ oidc_error_t oidcd_autoload(struct ipcPipe pipes, const char* short_name,
   account_setDeath(account, agent_state.defaultTimeout
                                 ? time(NULL) + agent_state.defaultTimeout
                                 : 0);
-  return addAccount(pipes, account);
+  return addAccount(pipes, account, 0);
 }
 
 #define CONFIRMATION_MODE_AT 0

src/oidc-agent/oidcd/oidcd_handler.h

@@ -13,7 +13,7 @@ void oidcd_handleReauthenticate(struct ipcPipe pipes, char* short_name,
                                 const struct arguments* arguments);
 void oidcd_handleAdd(struct ipcPipe, const char* account_json,
                      const char* timeout_str, const char* confirm_str,
-                     const char* alwaysallowid);
+                     const char* alwaysallowid, const char* plain_load_str);
 void oidcd_handleDelete(struct ipcPipe, const char* account_json);
 void oidcd_handleDeleteClient(struct ipcPipe pipes, const char* client_uri,
                               const char* registration_access_token,

src/utils/commonFeatures.c

@@ -11,8 +11,9 @@
 #include "utils/system_runner.h"
 
 void common_handleListConfiguredAccountConfigs() {
+  oidc_errno   = OIDC_SUCCESS;
   list_t* list = getAccountConfigFileList();
-  if (list == NULL) {
+  if (list == NULL || list->len == 0) {
     if (oidc_errno != OIDC_SUCCESS) {
       oidc_perror();
       exit(EXIT_FAILURE);

src/utils/config/add_config.c

@@ -25,18 +25,19 @@ static add_config_t* _getAddConfig(const char* json) {
   }
 
   INIT_KEY_VALUE(CONFIG_KEY_STOREPW, CONFIG_KEY_PWPROMPTMODE,
-                 CONFIG_KEY_DEBUGLOGGING);
+                 CONFIG_KEY_DEBUGLOGGING, CONFIG_KEY_PLAINADD);
   if (getJSONValuesFromString(json, pairs, sizeof(pairs) / sizeof(*pairs)) <
       0) {
     SEC_FREE_KEY_VALUES();
     oidc_perror();
     exit(oidc_errno);
   }
-  KEY_VALUE_VARS(store_pw, pw_prompt, debug);
+  KEY_VALUE_VARS(store_pw, pw_prompt, debug, plainadd);
   add_config_t* c   = secAlloc(sizeof(add_config_t));
   c->store_pw       = strToBit(_store_pw);
   c->pw_prompt_mode = parse_prompt_mode(_pw_prompt);
   c->debug          = strToBit(_debug);
+  c->plain_add      = strToBit(_plainadd);
   SEC_FREE_KEY_VALUES();
   return c;
 }

src/utils/config/add_config.h

@@ -5,6 +5,7 @@ struct add_config {
   unsigned char store_pw : 1;
   unsigned char pw_prompt_mode : 2;
   unsigned char debug : 1;
+  unsigned char plain_add : 1;
 };
 
 typedef struct add_config add_config_t;