Merge and lots of bug fixes for async

Merge branch 'master' of https://github.com/scitokens/scitokens-cpp into scitokens_async

Author: djw8605

.github/workflows/ccpp.yml

@@ -15,13 +15,13 @@ env:
 jobs:
   build:
 
-    runs-on: ubuntu-latest
-
     strategy:
       matrix:
         external-gtest: [ YES, NO ]
+        os: [ ubuntu-latest, ubuntu-22.04 ]
 
-    name: Build with external_gtest=${{ matrix.external-gtest }}
+    runs-on: ${{ matrix.os }}
+    name: Build with external_gtest=${{ matrix.external-gtest }} on ${{ matrix.os }}
 
     steps:
     - uses: actions/checkout@v1

CMakeLists.txt

@@ -8,7 +8,6 @@ project( scitokens-cpp
 
 option( SCITOKENS_BUILD_UNITTESTS "Build the scitokens-cpp unit tests" OFF )
 option( SCITOKENS_EXTERNAL_GTEST "Use an external/pre-installed copy of GTest" OFF )
-option( SCITOKENS_WARNINGS_ARE_ERRORS "Turn compiler warnings into build errors" OFF)
 
 set( CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake;${CMAKE_MODULE_PATH}" )
 
@@ -39,7 +38,6 @@ endif()
 
 add_library(SciTokens SHARED src/scitokens.cpp src/scitokens_internal.cpp src/scitokens_cache.cpp)
 target_compile_features(SciTokens PUBLIC cxx_std_11) # Use at least C++11 for building and when linking to scitokens
-target_compile_options(SciTokens PRIVATE $<$<CXX_COMPILER_ID:GNU>:-Wall $<$<BOOL:${SCITOKENS_WARNINGS_ARE_ERRORS}>:-Werror>>)
 target_include_directories(SciTokens PUBLIC ${JWT_CPP_INCLUDES} "${PROJECT_SOURCE_DIR}/src" PRIVATE ${CURL_INCLUDES} ${OPENSSL_INCLUDE_DIRS} ${LIBCRYPTO_INCLUDE_DIRS} ${SQLITE_INCLUDE_DIRS}  ${UUID_INCLUDE_DIRS})
 
 target_link_libraries(SciTokens PUBLIC ${OPENSSL_LIBRARIES} ${LIBCRYPTO_LIBRARIES} ${CURL_LIBRARIES} ${SQLITE_LIBRARIES} ${UUID_LIBRARIES})
@@ -57,23 +55,18 @@ add_executable(scitokens-test src/test.cpp)
 #target_include_directories(scitokens-test PRIVATE "${PROJECT_SOURCE_DIR}" ${JWT_CPP_INCLUDES} ${CURL_INCLUDES} ${OPENSSL_INCLUDE_DIRS} ${LIBCRYPTO_INCLUDE_DIRS} ${SQLITE_INCLUDE_DIRS}  ${UUID_INCLUDE_DIRS})
 target_include_directories(scitokens-test PRIVATE "${PROJECT_SOURCE_DIR}" ${JWT_CPP_INCLUDES} ${LIBCRYPTO_INCLUDE_DIRS})
 target_link_libraries(scitokens-test SciTokens)
-target_compile_options(scitokens-test PRIVATE $<$<CXX_COMPILER_ID:GNU>:-Wall $<$<BOOL:${SCITOKENS_WARNINGS_ARE_ERRORS}>:-Werror>>)
 
 add_executable(scitokens-verify src/verify.cpp)
 target_link_libraries(scitokens-verify SciTokens)
-target_compile_options(scitokens-verify PRIVATE $<$<CXX_COMPILER_ID:GNU>:-Wall $<$<BOOL:${SCITOKENS_WARNINGS_ARE_ERRORS}>:-Werror>>)
 
 add_executable(scitokens-test-access src/test_access.cpp)
 target_link_libraries(scitokens-test-access SciTokens)
-target_compile_options(scitokens-test-access PRIVATE $<$<CXX_COMPILER_ID:GNU>:-Wall $<$<BOOL:${SCITOKENS_WARNINGS_ARE_ERRORS}>:-Werror>>)
 
 add_executable(scitokens-list-access src/list_access.cpp)
 target_link_libraries(scitokens-list-access SciTokens)
-target_compile_options(scitokens-list-access PRIVATE $<$<CXX_COMPILER_ID:GNU>:-Wall $<$<BOOL:${SCITOKENS_WARNINGS_ARE_ERRORS}>:-Werror>>)
 
 add_executable(scitokens-create src/create.cpp)
 target_link_libraries(scitokens-create SciTokens)
-target_compile_options(scitokens-create PRIVATE $<$<CXX_COMPILER_ID:GNU>:-Wall $<$<BOOL:${SCITOKENS_WARNINGS_ARE_ERRORS}>:-Werror>>)
 
 get_directory_property(TARGETS BUILDSYSTEM_TARGETS)
 install(

README.md

@@ -15,7 +15,7 @@ Building
 
 To build the `scitokens-cpp` library, the following dependencies are needed:
 
-   - [jwt-cpp](https://github.com/Thalhammer/jwt-cpp): A header-only C++ library for manipulating
+   - [jwt-cpp] v0.5.0 or later (https://github.com/Thalhammer/jwt-cpp): A header-only C++ library for manipulating
      JWTs.
    - OpenSSL 1.0 or later.
    - `sqlite3`

configs/export-symbols

@@ -3,6 +3,7 @@ global:
   scitoken*;
   validator*;
   enforcer*;
+  keycache*;
 
 local:
   *;

src/scitokens.cpp

@@ -284,21 +284,37 @@ int scitoken_deserialize_start(const char *value, SciToken *token, char const* c
             *err_msg = strdup(exc.what());
         }
         delete real_token;
+        *status_out = nullptr;
         return -1;
     }
+
+    // Check if we're done
+    if (status->m_status->m_done) {
+        *token = real_token;
+        *status_out = nullptr;
+        return 0;
+    }
+
     *token = real_token;
     *status_out = status.release();
     return 0;
 }
 
-int scitoken_deserialize_continue(SciToken token, SciTokenStatus *status, char **err_msg) {
+int scitoken_deserialize_continue(SciToken *token, SciTokenStatus *status, char **err_msg) {
     if (token == nullptr) {
         if (err_msg) {*err_msg = strdup("Output token not provided");}
         return -1;
     }
+
+    
     scitokens::SciToken *real_token = reinterpret_cast<scitokens::SciToken*>(token);
     std::unique_ptr<scitokens::SciTokenAsyncStatus> real_status(reinterpret_cast<scitokens::SciTokenAsyncStatus*>(*status));
 
+    if (*status == nullptr || real_status->m_status->m_done) {
+        *status = nullptr;
+        return 0;
+    }
+
     try {
         real_status = real_token->deserialize_continue(std::move(real_status));
     } catch (std::exception &exc) {
@@ -409,6 +425,18 @@ int validator_validate(Validator validator, SciToken scitoken, char **err_msg) {
 }
 
 
+int validator_set_time(Validator validator, time_t now, char **err_msg) {
+    if (validator == nullptr) {
+        if (err_msg) {*err_msg = strdup("Validator may not be a null pointer");}
+        return -1;
+    }
+    auto real_validator = reinterpret_cast<scitokens::Validator*>(validator);
+
+    real_validator->set_now(std::chrono::system_clock::from_time_t(now));
+
+    return 0;
+}
+
 Enforcer enforcer_create(const char *issuer, const char **audience_list, char **err_msg) {
     if (issuer == nullptr) {
         if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
@@ -478,6 +506,18 @@ Acl *convert_acls(scitokens::Enforcer::AclsList &acls_list, char **err_msg)
 
 }
 
+int enforcer_set_time(Enforcer enf, time_t now, char **err_msg) {
+    if (enf == nullptr) {
+        if (err_msg) {*err_msg = strdup("Enforcer may not be a null pointer");}
+        return -1;
+    }
+    auto real_enf = reinterpret_cast<scitokens::Enforcer*>(enf);
+
+    real_enf->set_now(std::chrono::system_clock::from_time_t(now));
+
+    return 0;
+}
+
 
 int enforcer_generate_acls(const Enforcer enf, const SciToken scitoken, Acl **acls, char **err_msg) {
     if (enf == nullptr) {
@@ -621,7 +661,6 @@ int scitoken_status_get_timeout_val(const SciTokenStatus *status, time_t expiry_
     struct timeval timeout_internal = real_status->get_timeout_val(expiry_time);
     timeout->tv_sec = timeout_internal.tv_sec;
     timeout->tv_usec = timeout_internal.tv_usec;
-
     return 0;
 }
 
@@ -692,3 +731,66 @@ int scitoken_status_get_max_fd(const SciTokenStatus *status, int *max_fd, char *
     *max_fd = real_status->get_max_fd();
     return 0;
 }
+
+
+int keycache_refresh_jwks(const char *issuer, char **err_msg)
+{
+    if (!issuer) {
+        if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
+        return -1;
+    }
+    try {
+        if (!scitokens::Validator::refresh_jwks(issuer)) {
+            if (err_msg) {*err_msg = strdup("Failed to refresh JWKS cache for issuer.");}
+            return -1;
+        }
+    } catch (std::exception &exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}
+
+
+int keycache_get_cached_jwks(const char *issuer, char **jwks, char **err_msg)
+{
+    if (!issuer) {
+        if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
+        return -1;
+    }
+    if (!jwks) {
+        if (err_msg) {*err_msg = strdup("JWKS output pointer may not be null.");}
+        return -1;
+    }
+    try {
+        *jwks = strdup(scitokens::Validator::get_jwks(issuer).c_str());
+    } catch(std::exception &exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}
+
+
+int keycache_set_jwks(const char *issuer, const char *jwks, char **err_msg)
+{
+    if (!issuer) {
+        if (err_msg) {*err_msg = strdup("Issuer may not be a null pointer");}
+        return -1;
+    }
+    if (!jwks) {
+        if (err_msg) {*err_msg = strdup("JWKS pointer may not be null.");}
+        return -1;
+    }
+    try {
+        if (!scitokens::Validator::store_jwks(issuer, jwks)) {
+            if (err_msg) {*err_msg = strdup("Failed to set the JWKS cache for issuer.");}
+            return -1;
+        }
+    } catch(std::exception &exc) {
+        if (err_msg) {*err_msg = strdup(exc.what());}
+        return -1;
+    }
+    return 0;
+}
+

src/scitokens.h

@@ -8,7 +8,10 @@
 #include <sys/select.h>
 
 #ifdef __cplusplus
+#include <ctime>
 extern "C" {
+#else
+#include <time.h>
 #endif
 
 typedef void * SciTokenKey;
@@ -106,6 +109,17 @@ int scitoken_deserialize(const char *value, SciToken *token, char const* const*
 int scitoken_deserialize_start(const char *value, SciToken *token, char const* const* allowed_issuers,
     SciTokenStatus *status, char **err_msg);
 
+/**
+ * @brief Continue the deserialization process for a token, updating the status object.
+ * 
+ * If the status object indicates that the token is complete, the token object will be
+ * populated and the status object will be nullptr.
+ * 
+ * @param token The token object, returned from scitoken_deserialize_start.
+ * @param status Status object for the deserialize.
+ * @param err_msg Destination for error message.
+ * @return int 0 on success, -1 on error.
+ */
 
 int scitoken_deserialize_continue(SciToken *token, SciTokenStatus *status, char **err_msg);
 
@@ -121,6 +135,12 @@ Validator validator_create();
  */
 void validator_set_token_profile(Validator, SciTokenProfile profile);
 
+/**
+ * Set the time to use with the validator.  Useful if you want to see if the token would
+ * have been valid at some time in the past.
+ */
+int validator_set_time(Validator validator, time_t now, char **err_msg);
+
 int validator_add(Validator validator, const char *claim, StringValidatorFunction validator_func, char **err_msg);
 
 int validator_add_critical_claims(Validator validator, const char **claims, char **err_msg);
@@ -142,6 +162,12 @@ void enforcer_destroy(Enforcer);
  */
 void enforcer_set_validate_profile(Enforcer, SciTokenProfile profile);
 
+/**
+ * Set the time to use with the enforcer.  Useful if you want to see if the token would
+ * have been valid at some time in the past.
+ */
+int enforcer_set_time(Enforcer enf, time_t now, char **err_msg);
+
 int enforcer_generate_acls(const Enforcer enf, const SciToken scitokens, Acl **acls, char **err_msg);
 
 /**
@@ -196,6 +222,38 @@ int scitoken_status_get_exc_fd_set(SciTokenStatus *status, fd_set **exc_fd_set,
  */
 int scitoken_status_get_max_fd(const SciTokenStatus *status, int *max_fd, char **err_msg);
 
+/**
+ * API for explicity managing the key cache.
+ *
+ * This manipulates the keycache for the current eUID.
+ */
+
+
+/**
+ * Refresh the JWKS in the keycache for a given issuer; the refresh will occur
+ * even if the JWKS is not otherwise due for updates.
+ * - Returns 0 on success, nonzero on failure.
+ */
+int keycache_refresh_jwks(const char *issuer, char **err_msg);
+
+/**
+ * Retrieve the JWKS from the keycache for a given issuer.
+ * - Returns 0 if successful, nonzero on failure.
+ * - If the existing JWKS has expired - or does not exist - this does not trigger a new
+ *   download of the JWKS from the issuer.  Instead, it will return a JWKS object with
+ *   an empty set of keys.
+ * - `jwks` is an output variable set to the contents of the JWKS in the key cache.
+ */
+int keycache_get_cached_jwks(const char *issuer, char **jwks, char **err_msg);
+
+/**
+ * Replace any existing key cache entry with one provided by the user.
+ * The expiration and next update time of the user-provided JWKS will utilize
+ * the same rules as a download from an issuer with no explicit cache lifetime directives.
+ * - `jwks` is value that will be set in the cache.
+ */
+int keycache_set_jwks(const char *issuer, const char *jwks, char **err_msg);
+
 #ifdef __cplusplus
 }
 #endif