From 5cd89921f98a67ffc0330e62ef3dad15777663d3 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 28 Jan 2025 09:36:06 +0100
Subject: [PATCH] Fix certificates for proxy communication and optional openid nonce issues (#974)
* fix root certs
* bump version
* remove nonce check on the frontend
* remove nonce
---
Cargo.lock | 2 +-
Cargo.toml | 4 ++--
src/grpc/mod.rs | 2 +-
web/src/pages/allow/OpenidAllowPage.tsx | 7 +++----
4 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 4cd06061d..f65d3c8f9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1048,7 +1048,7 @@ dependencies = [
[[package]]
name = "defguard"
-version = "1.2.1"
+version = "1.2.2"
dependencies = [
"anyhow",
"argon2",
diff --git a/Cargo.toml b/Cargo.toml
index ab341ff6c..e339fca50 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "defguard"
-version = "1.2.1"
+version = "1.2.2"
edition = "2021"
license-file = "LICENSE.md"
homepage = "https://defguard.net/"
@@ -84,7 +84,7 @@ tokio = { version = "1", features = [
] }
tokio-stream = "0.1"
tokio-util = "0.7"
-tonic = { version = "0.12", features = ["gzip", "tls", "tls-roots"] }
+tonic = { version = "0.12", features = ["gzip", "tls", "tls-native-roots"] }
tonic-health = "0.12"
totp-lite = { version = "2.0" }
tower-http = { version = "0.6", features = ["fs", "trace"] }
diff --git a/src/grpc/mod.rs b/src/grpc/mod.rs
index 8ae3d0529..2ecfc79ce 100644
--- a/src/grpc/mod.rs
+++ b/src/grpc/mod.rs
@@ -455,7 +455,7 @@ pub async fn run_grpc_bidi_stream(
let tls = ClientTlsConfig::new().ca_certificate(Certificate::from_pem(ca));
endpoint.tls_config(tls)?
} else {
- endpoint
+ endpoint.tls_config(ClientTlsConfig::new().with_enabled_roots())?
};
loop {
diff --git a/web/src/pages/allow/OpenidAllowPage.tsx b/web/src/pages/allow/OpenidAllowPage.tsx
index 4086a3529..04bdcee7d 100644
--- a/web/src/pages/allow/OpenidAllowPage.tsx
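Review bot: The new fallback `endpoint.tls_config(ClientTlsConfig::new().with_enabled_roots())?` quietly decides which trust anchors verify the proxy's certificate, and nothing in the hunk records that choice; `with_enabled_roots()` loads whatever root store tonic's enabled features compile in, which per this patch's Cargo.toml is the OS store (`tls-native-roots`), so a minimal container image without a `ca-certificates` package would presumably end up with an empty store and every handshake failing with an unhelpful unknown-issuer error rather than a clear configuration error. I would add above the new line: `// No custom CA configured: verify the proxy against the OS root store (tonic "tls-native-roots"); an empty store makes every handshake fail.` and, where feasible, log at startup which of the two branches was taken so an operator can tell a pinned CA from system trust. The explicit-CA branch above does not add system roots, so a configured CA is effectively pinned and presented-chain must chain to it alone — worth stating in the same comment, since the two branches now have different trust semantics. `run_grpc_bidi_stream` starts before this hunk and continues after it.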
+++ b/web/src/pages/allow/OpenidAllowPage.tsx
@@ -27,7 +27,6 @@ export const OpenidAllowPage = () => {
const [scope, setScope] = useState('');
const [responseType, setResponseType] = useState('');
const [clientId, setClientId] = useState('');
- const [nonce, setNonce] = useState('');
const [redirectUri, setRedirectUri] = useState('');
const [state, setState] = useState('');
const [name, setName] = useState('');
@@ -42,7 +41,8 @@ export const OpenidAllowPage = () => {
const { LL } = useI18nContext();
const paramsValid = useMemo(() => {
- const check = [scope, responseType, clientId, nonce, redirectUri, state];
+ // nonce is optional in the auth code flow, just pass it as is further if it's in the params
+ const check = [scope, responseType, clientId, redirectUri, state];
for (const item of check) {
if (typeof item === 'undefined' || item === null) {
toaster.error('OpenID Params invalid.');
@@ -50,7 +50,7 @@ export const OpenidAllowPage = () => {
}
}
return true;
- }, [clientId, nonce, redirectUri, responseType, scope, state, toaster]);
+ }, [clientId, redirectUri, responseType, scope, state, toaster]);
const handleSubmit = useCallback(
(allow: boolean) => {
@@ -68,7 +68,6 @@ export const OpenidAllowPage = () => {
setScope(params.get('scope'));
setResponseType(params.get('response_type'));
setClientId(params.get('client_id'));
- setNonce(params.get('nonce'));
setState(params.get('state'));
setRedirectUri(params.get('redirect_uri'));
}, [params]);
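Review bot: The relaxed check at `const check = [scope, responseType, clientId, redirectUri, state];` drops nonce for every response_type, but OpenID Connect only makes nonce optional in the authorization code flow; when `response_type` contains `id_token` (implicit and hybrid flows, OIDC Core 3.2.2.1 and 3.3.2.11) the parameter is REQUIRED, because it is what binds the ID token to the client session against replay. If the backend enforces that rule this page is only defence in depth, but the server side is not visible here and the comment on the new line overstates the rule as it stands. I would keep the new array and add after it `if (responseType?.split(' ').includes('id_token')) check.push(params.get('nonce'));`, reading the value from `params` since the nonce state is removed in the first hunk (and `params` then belongs in the useMemo dependency list changed in the next hunk), with the comment reworded to `// nonce is optional only in the authorization code flow; required when response_type includes id_token`. The useMemo callback continues past the end of this hunk.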