X-Git-Url: https://diplodocus.org/git/nmh/blobdiff_plain/2e04b8ea0e57e411665aa6a8814ff65db0d4cd2b..2db8ea3cc5e4fb968f1872591cf1ff56fc408ff8:/sbr/oauth.c diff --git a/sbr/oauth.c b/sbr/oauth.c old mode 100644 new mode 100755 index b3e47a93..87ee7791 --- a/sbr/oauth.c +++ b/sbr/oauth.c @@ -26,13 +26,13 @@ #define JSON_TYPE "application/json" -/* We pretend access tokens expire 30 seconds earlier than they actually do to +/* We pretend access tokens expire 60 seconds earlier than they actually do to * allow for separate processes to use and refresh access tokens. The process * that uses the access token (post) has an error if the token is expired; the * process that refreshes the access token (send) must have already refreshed if * the expiration is close. * - * 30s is arbitrary, and hopefully is enough to allow for clock skew. + * 60s is arbitrary, and hopefully is enough to allow for clock skew. * Currently only Gmail supports XOAUTH2, and seems to always use a token * life-time of 3600s, but that is not guaranteed. It is possible for Gmail to * issue an access token with a life-time so short that even after send @@ -44,7 +44,7 @@ * (not counting header and not null-terminated) */ #define RESPONSE_BODY_MAX 8192 -/* Maxium size for URLs and URI-encoded query strings, null-terminated. +/* Maximum size for URLs and URI-encoded query strings, null-terminated. * * Actual maximum we need is based on the size of tokens (limited by * RESPONSE_BODY_MAX), code user copies from a web page (arbitrarily large), and @@ -54,46 +54,6 @@ */ #define URL_MAX 8192 -struct service_info { - /* Name of service, so we can search static SERVICES (below) and for - * determining default credential file name. */ - char *name; - - /* Human-readable name of the service; in mh_oauth_ctx::svc this is not - * another buffer to free, but a pointer to either static SERVICE data - * (below) or to the name field. */ - char *display_name; - - /* [1] 2.2 Client Identifier, 2.3.1 Client Password */ - char *client_id; - /* [1] 2.3.1 Client Password */ - char *client_secret; - /* [1] 3.1 Authorization Endpoint */ - char *auth_endpoint; - /* [1] 3.1.2 Redirection Endpoint */ - char *redirect_uri; - /* [1] 3.2 Token Endpoint */ - char *token_endpoint; - /* [1] 3.3 Access Token Scope */ - char *scope; -}; - -static const struct service_info SERVICES[] = { - /* https://developers.google.com/accounts/docs/OAuth2InstalledApp */ - { - /* name */ "gmail", - /* display_name */ "Gmail", - - /* client_id */ "91584523849-8lv9kgp1rvp8ahta6fa4b125tn2polcg.apps.googleusercontent.com", - /* client_secret */ "Ua8sX34xyv7hVrKM-U70dKI6", - - /* auth_endpoint */ "https://accounts.google.com/o/oauth2/auth", - /* redirect_uri */ "urn:ietf:wg:oauth:2.0:oob", - /* token_endpoint */ "https://accounts.google.com/o/oauth2/token", - /* scope */ "https://mail.google.com/" - } -}; - struct mh_oauth_cred { mh_oauth_ctx *ctx; @@ -114,7 +74,7 @@ struct mh_oauth_cred { }; struct mh_oauth_ctx { - struct service_info svc; + struct mh_oauth_service_info svc; CURL *curl; FILE *log; @@ -167,23 +127,22 @@ static boolean get_json_strings(const char *, size_t, FILE *, ...); static boolean make_query_url(char *, size_t, CURL *, const char *, ...); static boolean post(struct curl_ctx *, const char *, const char *); -char * -mh_oauth_do_xoauth(const char *user, const char *svc, FILE *log) +int +mh_oauth_do_xoauth(const char *user, const char *svc, unsigned char **oauth_res, + size_t *oauth_res_len, FILE *log) { mh_oauth_ctx *ctx; mh_oauth_cred *cred; char *fn; int failed_to_lock = 0; FILE *fp; - size_t client_res_len; char *client_res; - char *client_res_b64; if (!mh_oauth_new (&ctx, svc)) adios(NULL, mh_oauth_get_err_string(ctx)); if (log != NULL) mh_oauth_log_to(stderr, ctx); - fn = getcpy(mh_oauth_cred_fn(ctx)); + fn = mh_xstrdup(mh_oauth_cred_fn(svc)); fp = lkfopendata(fn, "r+", &failed_to_lock); if (fp == NULL) { if (errno == ENOENT) { @@ -223,18 +182,14 @@ mh_oauth_do_xoauth(const char *user, const char *svc, FILE *log) free(fn); /* XXX writeBase64raw modifies the source buffer! make a copy */ - client_res = getcpy(mh_oauth_sasl_client_response(&client_res_len, user, + client_res = mh_xstrdup(mh_oauth_sasl_client_response(oauth_res_len, user, cred)); mh_oauth_cred_free(cred); mh_oauth_free(ctx); - client_res_b64 = mh_xmalloc(((((client_res_len) + 2) / 3 ) * 4) + 1); - if (writeBase64raw((unsigned char *)client_res, client_res_len, - (unsigned char *)client_res_b64) != OK) { - adios(NULL, "base64 encoding of XOAUTH2 client response failed"); - } - free(client_res); - return client_res_b64; + *oauth_res = (unsigned char *) client_res; + + return OK; } static boolean @@ -283,116 +238,28 @@ set_err_http(mh_oauth_ctx *ctx, const struct curl_ctx *curl_ctx) free(error); } -/* Copy service info so we don't have to free it only sometimes. */ -static void -copy_svc(struct service_info *to, const struct service_info *from) -{ - to->display_name = from->display_name; -#define copy(_field_) to->_field_ = getcpy(from->_field_) - copy(name); - copy(scope); - copy(client_id); - copy(client_secret); - copy(auth_endpoint); - copy(token_endpoint); - copy(redirect_uri); -#undef copy -} - -/* Return profile component node name for a service parameter. */ -static char * -node_name_for_svc(const char *base_name, const char *svc) -{ - char *result = mh_xmalloc(sizeof "oauth-" - 1 - + strlen(svc) - + 1 /* '-' */ - + strlen(base_name) - + 1 /* '\0' */); - sprintf(result, "oauth-%s-%s", svc, base_name); - /* TODO: s/_/-/g ? */ - return result; -} - -/* Update one service_info field if overridden in profile. */ -static void -update_svc_field(char **field, const char *base_name, const char *svc) -{ - char *name = node_name_for_svc(base_name, svc); - const char *value = context_find(name); - if (value != NULL) { - free(*field); - *field = getcpy(value); - } - free(name); -} - -/* Update all service_info fields that are overridden in profile. */ -static boolean -update_svc(struct service_info *svc, const char *svc_name, mh_oauth_ctx *ctx) -{ -#define update(name) \ - update_svc_field(&svc->name, #name, svc_name); \ - if (svc->name == NULL) { \ - set_err_details(ctx, MH_OAUTH_BAD_PROFILE, #name " is missing"); \ - return FALSE; \ - } - update(scope); - update(client_id); - update(client_secret); - update(auth_endpoint); - update(token_endpoint); - update(redirect_uri); -#undef update - - if (svc->name == NULL) { - svc->name = getcpy(svc_name); - } - - if (svc->display_name == NULL) { - svc->display_name = svc->name; - } - - return TRUE; -} - static char * make_user_agent() { const char *curl = curl_version_info(CURLVERSION_NOW)->version; - char *s = mh_xmalloc(strlen(user_agent) - + 1 - + sizeof "libcurl" - + 1 - + strlen(curl) - + 1); - sprintf(s, "%s libcurl/%s", user_agent, curl); - return s; + return concat(user_agent, " libcurl/", curl, NULL); } boolean mh_oauth_new(mh_oauth_ctx **result, const char *svc_name) { - mh_oauth_ctx *ctx = *result = mh_xmalloc(sizeof *ctx); - size_t i; + mh_oauth_ctx *ctx; + NEW(ctx); + *result = ctx; ctx->curl = NULL; ctx->log = NULL; ctx->cred_fn = ctx->sasl_client_res = ctx->err_formatted = NULL; - ctx->svc.name = ctx->svc.display_name = NULL; - ctx->svc.scope = ctx->svc.client_id = NULL; - ctx->svc.client_secret = ctx->svc.auth_endpoint = NULL; - ctx->svc.token_endpoint = ctx->svc.redirect_uri = NULL; - - for (i = 0; i < sizeof SERVICES / sizeof SERVICES[0]; i++) { - if (strcmp(SERVICES[i].name, svc_name) == 0) { - copy_svc(&ctx->svc, &SERVICES[i]); - break; - } - } - - if (!update_svc(&ctx->svc, svc_name, ctx)) { + if (!mh_oauth_get_service_info(svc_name, &ctx->svc, ctx->err_buf, + sizeof(ctx->err_buf))) { + set_err_details(ctx, MH_OAUTH_BAD_PROFILE, ctx->err_buf); return FALSE; } @@ -456,7 +323,6 @@ mh_oauth_get_err_code(const mh_oauth_ctx *ctx) const char * mh_oauth_get_err_string(mh_oauth_ctx *ctx) { - char *result; const char *base; free(ctx->err_formatted); @@ -500,12 +366,11 @@ mh_oauth_get_err_string(mh_oauth_ctx *ctx) base = "unknown error"; } if (ctx->err_details == NULL) { - return ctx->err_formatted = getcpy(base); + return ctx->err_formatted = mh_xstrdup(base); } - /* length of the two strings plus ": " and '\0' */ - result = mh_xmalloc(strlen(base) + strlen(ctx->err_details) + 3); - sprintf(result, "%s: %s", base, ctx->err_details); - return ctx->err_formatted = result; + + ctx->err_formatted = concat(base, ": ", ctx->err_details, NULL); + return ctx->err_formatted; } const char * @@ -635,7 +500,7 @@ mh_oauth_authorize(const char *code, mh_oauth_ctx *ctx) return NULL; } - result = mh_xmalloc(sizeof *result); + NEW(result); result->ctx = ctx; result->access_token = result->refresh_token = NULL; @@ -692,36 +557,6 @@ mh_oauth_cred_free(mh_oauth_cred *cred) free(cred); } -const char * -mh_oauth_cred_fn(mh_oauth_ctx *ctx) -{ - char *result, *result_if_allocated; - const char *svc = ctx->svc.name; - - char *component = node_name_for_svc("credential-file", svc); - result = context_find(component); - free(component); - - if (result == NULL) { - result = mh_xmalloc(sizeof "oauth-" - 1 - + strlen(svc) - + 1 /* '\0' */); - sprintf(result, "oauth-%s", svc); - result_if_allocated = result; - } else { - result_if_allocated = NULL; - } - - if (result[0] != '/') { - const char *tmp = m_maildir(result); - free(result_if_allocated); - result = getcpy(tmp); - } - - free(ctx->cred_fn); - return ctx->cred_fn = result; -} - /* for loading multi-user cred files */ struct user_creds { mh_oauth_cred *creds; @@ -780,7 +615,8 @@ load_creds(struct user_creds **result, FILE *fp, mh_oauth_ctx *ctx) int state; m_getfld_state_t getfld_ctx = 0; - struct user_creds *user_creds = mh_xmalloc(sizeof *user_creds); + struct user_creds *user_creds; + NEW(user_creds); user_creds->alloc = 4; user_creds->len = 0; user_creds->creds = mh_xmalloc(user_creds->alloc * sizeof *user_creds->creds); @@ -972,17 +808,13 @@ const char * mh_oauth_sasl_client_response(size_t *res_len, const char *user, const mh_oauth_cred *cred) { - size_t len = sizeof "user=" - 1 - + strlen(user) - + sizeof "\1auth=Bearer " - 1 - + strlen(cred->access_token) - + sizeof "\1\1" - 1; - free(cred->ctx->sasl_client_res); - cred->ctx->sasl_client_res = mh_xmalloc(len + 1); - *res_len = len; - sprintf(cred->ctx->sasl_client_res, "user=%s\1auth=Bearer %s\1\1", - user, cred->access_token); - return cred->ctx->sasl_client_res; + char **p; + + p = &cred->ctx->sasl_client_res; + free(*p); + *p = concat("user=", user, "\1auth=Bearer ", cred->access_token, "\1\1", NULL); + *res_len = strlen(*p); + return *p; } /******************************************************************************* @@ -1008,7 +840,10 @@ make_query_url(char *s, size_t size, CURL *curl, const char *base_url, ...) len = 0; prefix = ""; } else { - len = sprintf(s, "%s", base_url); + len = strlen(base_url); + if (len > size - 1) /* Less one for NUL. */ + return FALSE; + strcpy(s, base_url); prefix = "?"; } @@ -1062,7 +897,7 @@ debug_callback(const CURL *handle, curl_infotype type, const char *data, } fwrite(data, 1, size, fp); if (data[size - 1] != '\n') { - fputs("\n", fp); + putc('\n', fp); } fflush(fp); return 0; @@ -1114,6 +949,14 @@ post(struct curl_ctx *ctx, const char *url, const char *req_body) curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback); curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx); + if (strncmp(url, "http://127.0.0.1:", 17) == 0) { + /* Hack: on Cygwin, curl doesn't fail to connect with ECONNREFUSED. + Instead, it waits to timeout. So set a really short timeout, but + just on localhost (for convenience of the user, and the test + suite). */ + curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 2L); + } + status = curl_easy_perform(curl); /* first check for error from callback */ if (ctx->too_big) { @@ -1288,5 +1131,4 @@ get_json_strings(const char *input, size_t input_len, FILE *log, ...) free(tokens); return result; } - #endif