commit d09dacf70f2ff28a7730dd770ad3ceff0b94caa1
parent a982cab1748401f96d714430dbbe7711818d3258
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Mon, 16 Jun 2025 21:24:52 +0200
Make AuthZ for APIs backwards-compatible
Diffstat:
6 files changed, 64 insertions(+), 18 deletions(-)
diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
@@ -203,7 +203,7 @@ static const struct GNUNET_CONFIGURATION_Handle *cfg;
/**
* Initial authorization token.
*/
-char *TMH_default_auth;
+char *TMH_default_pass;
enum GNUNET_GenericReturnValue
@@ -1649,17 +1649,17 @@ url_handler (void *cls,
hc->instance = TMH_lookup_instance (NULL);
if ( (0 == strcmp ("admin",
instance_id)) &&
- (NULL != TMH_default_auth) &&
+ (NULL != TMH_default_pass) &&
(NULL != hc->instance) )
{
/* Override default instance access control */
GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Command-line override of access control\n");
- TMH_compute_auth (TMH_default_auth,
+ TMH_compute_auth (TMH_default_pass,
&hc->instance->auth.auth_salt,
&hc->instance->auth.auth_hash);
hc->instance->auth_override = true;
- GNUNET_free (TMH_default_auth);
+ GNUNET_free (TMH_default_pass);
}
GNUNET_free (instance_id);
if (NULL == slash)
@@ -1672,17 +1672,17 @@ url_handler (void *cls,
/* use 'default' */
use_default = true;
hc->instance = TMH_lookup_instance (NULL);
- if ( (NULL != TMH_default_auth) &&
+ if ( (NULL != TMH_default_pass) &&
(NULL != hc->instance) )
{
/* Override default instance access control */
GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Command-line override of access control\n");
- TMH_compute_auth (TMH_default_auth,
+ TMH_compute_auth (TMH_default_pass,
&hc->instance->auth.auth_salt,
&hc->instance->auth.auth_hash);
hc->instance->auth_override = true;
- GNUNET_free (TMH_default_auth);
+ GNUNET_free (TMH_default_pass);
}
}
if (NULL != hc->instance)
@@ -1924,7 +1924,7 @@ url_handler (void *cls,
control), as we then also have no data to protect. */
// FIXME this must somehow carry over to tokens
if ( (0 == GNUNET_CONTAINER_multihashmap_size (TMH_by_id_map)) &&
- (NULL == TMH_default_auth) )
+ (NULL == TMH_default_pass) )
{
hc->auth_scope = TMH_AS_ALL;
}
@@ -1975,9 +1975,35 @@ url_handler (void *cls,
hc->instance->settings.id,
&hc->auth_scope);
if (TALER_EC_NONE != ec)
- return TALER_MHD_reply_with_ec (connection,
- ec,
- NULL);
+ {
+ // FIXME: Deprecated, remove after 1.1
+ if (0 == strncasecmp (auth,
+ RFC_8959_PREFIX,
+ strlen (RFC_8959_PREFIX)))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "Trying deprecated secret-token:password API authN\n")
+ ;
+ if (GNUNET_OK != TMH_check_auth (auth + strlen (RFC_8959_PREFIX),
+ &hc->instance->auth.auth_salt,
+ &hc->instance->auth.auth_hash))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "Login failed\n");
+ hc->auth_scope = TMH_AS_NONE;
+ }
+ else
+ {
+ hc->auth_scope = TMH_AS_ALL;
+ }
+ }
+ else
+ {
+ return TALER_MHD_reply_with_ec (connection,
+ ec,
+ NULL);
+ }
+ }
}
}
else
@@ -2297,10 +2323,10 @@ run (void *cls,
(void) cls;
(void) args;
(void) cfgfile;
- tok = getenv ("TALER_MERCHANT_TOKEN");
+ tok = getenv ("TALER_MERCHANT_PASSWORD");
if ( (NULL != tok) &&
- (NULL == TMH_default_auth) )
- TMH_default_auth = GNUNET_strdup (tok);
+ (NULL == TMH_default_pass) )
+ TMH_default_pass = GNUNET_strdup (tok);
cfg = config;
GNUNET_log (GNUNET_ERROR_TYPE_INFO,
"Starting taler-merchant-httpd\n");
@@ -2505,7 +2531,7 @@ main (int argc,
"auth",
"TOKEN",
"use TOKEN to initially authenticate access to the default instance (you can also set the TALER_MERCHANT_TOKEN environment variable instead)",
- &TMH_default_auth),
+ &TMH_default_pass),
GNUNET_GETOPT_option_version (PACKAGE_VERSION "-" VCS_VERSION),
GNUNET_GETOPT_OPTION_END
};
diff --git a/src/backend/taler-merchant-httpd.h b/src/backend/taler-merchant-httpd.h
@@ -726,7 +726,7 @@ extern struct GNUNET_TIME_Relative TMH_legal_expiration;
/**
* Initial authorization token.
*/
-extern char *TMH_default_auth;
+extern char *TMH_default_pass;
/**
diff --git a/src/backend/taler-merchant-httpd_helper.c b/src/backend/taler-merchant-httpd_helper.c
@@ -626,6 +626,24 @@ TMH_check_auth_config (struct MHD_Connection *connection,
auth_wellformed = true;
}
}
+ else if (0 == strcmp (auth_method,
+ "token"))
+ {
+ const char *token = json_string_value (json_object_get (jauth,
+ "token"));
+ if ((NULL == token) ||
+ (0 != strncasecmp (RFC_8959_PREFIX,
+ token,
+ strlen (RFC_8959_PREFIX))))
+ {
+ GNUNET_break_op (0);
+ }
+ else
+ {
+ *auth_password = token + strlen (RFC_8959_PREFIX);
+ auth_wellformed = true;
+ }
+ }
if (! auth_wellformed)
{
diff --git a/src/backend/taler-merchant-httpd_private-post-instances-ID-auth.c b/src/backend/taler-merchant-httpd_private-post-instances-ID-auth.c
@@ -193,7 +193,7 @@ retry:
/* The default auth string should've been
cleared with the first request
for the default instance. */
- GNUNET_assert (NULL == TMH_default_auth);
+ GNUNET_assert (NULL == TMH_default_pass);
}
TMH_reload_instances (mi->settings.id);
return TALER_MHD_reply_static (connection,
diff --git a/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c b/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c
@@ -134,6 +134,8 @@ TMH_private_post_instances_ID_token (const struct TMH_RequestHandler *rh,
MHD_HTTP_OK,
GNUNET_JSON_pack_string ("access_token",
tok),
+ GNUNET_JSON_pack_string ("token",
+ tok),
GNUNET_JSON_pack_string ("scope",
scope),
GNUNET_JSON_pack_bool ("refreshable",
diff --git a/src/backend/taler-merchant-httpd_private-post-instances.c b/src/backend/taler-merchant-httpd_private-post-instances.c
@@ -367,7 +367,7 @@ retry:
if (0 == strcmp (is.id,
"admin"))
{
- GNUNET_free (TMH_default_auth); /* clear it if the default instance was
+ GNUNET_free (TMH_default_pass); /* clear it if the default instance was
created */
}
