Add OAuth bearer auth-info support (#1233)

CHANGES.md

@@ -153,6 +153,8 @@ Changes in CUPS v2.5b1 (YYYY-MM-DD)
 - Fixed job cleanup after daemon restart (Issue #1315)
 - Fixed unreachable block in IPP backend (Issue #1351)
 - Fixed memory leak in _cupsConvertOptions (Issue #1354)
+- Added OAuth Bearer auth-info support and OAuth metadata for shared queues
+  (Issue #1233)
 - Fixed missing write check in `cupsFileOpen/Fd` (Issue #1360)
 - Removed hash support for SHA2-512-224 and SHA2-512-256.
 - Removed `mantohtml` script for generating html pages (use

backend/ipp.c

@@ -88,6 +88,7 @@ static char		device_username[256] = "",
 					/* Password for device URI */
 static const char * const pattrs[] =	/* Printer attributes we want */
 {
+  "auth-info-required",
   "compression-supported",
   "copies-supported",
   "cups-version",
@@ -102,6 +103,8 @@ static const char * const pattrs[] =	/* Printer attributes we want */
   "marker-types",
   "media-col-supported",
   "multiple-document-handling-supported",
+  "oauth-authorization-scopes",
+  "oauth-authorization-server-uri",
   "operations-supported",
   "print-color-mode-supported",
   "print-scaling-supported",
@@ -254,7 +257,8 @@ main(int  argc,				/* I - Number of command-line args */
 		copies,			/* Number of copies for job */
 		copies_remaining;	/* Number of copies remaining */
   const char	*auth_info_required,		/* New auth-info-required value */
-    *content_type,		/* CONTENT_TYPE environment variable */
+		*auth_bearer,		/* AUTH_BEARER env variable */
+		*content_type,		/* CONTENT_TYPE environment variable */
 		*final_content_type,	/* FINAL_CONTENT_TYPE environment var */
 		*document_format;	/* document-format value */
   int		fd;			/* File descriptor */
@@ -392,6 +396,8 @@ main(int  argc,				/* I - Number of command-line args */
       final_content_type = "application/vnd.cups-raw";
   }
 
+  auth_bearer = getenv("AUTH_BEARER");
+
  /*
   * Extract the hostname and printer name from the URI...
   */
@@ -661,6 +667,9 @@ main(int  argc,				/* I - Number of command-line args */
                       0, NULL);
   httpSetTimeout(http, 30.0, timeout_cb, NULL);
 
+  if (auth_bearer)
+    httpSetAuthString(http, "Bearer", auth_bearer);
+
  /*
   * See if the printer supports SNMP...
   */
@@ -1000,6 +1009,8 @@ main(int  argc,				/* I - Number of command-line args */
 
 	if (!strncmp(www_auth, "Negotiate", 9))
 	  auth_info_required = "negotiate";
+        else if (!strncmp(www_auth, "Bearer", 6))
+          auth_info_required = "bearer";
         else if (www_auth[0])
           auth_info_required = "username,password";
 
@@ -1567,6 +1578,8 @@ main(int  argc,				/* I - Number of command-line args */
 
       if (!strncmp(www_auth, "Negotiate", 9))
 	auth_info_required = "negotiate";
+      else if (!strncmp(www_auth, "Bearer", 6))
+	auth_info_required = "bearer";
       else if (www_auth[0])
 	auth_info_required = "username,password";
 
@@ -1766,6 +1779,8 @@ main(int  argc,				/* I - Number of command-line args */
 
 	  if (!strncmp(www_auth, "Negotiate", 9))
 	    auth_info_required = "negotiate";
+	  else if (!strncmp(www_auth, "Bearer", 6))
+	    auth_info_required = "bearer";
 	  else if (www_auth[0])
 	    auth_info_required = "username,password";
 	}

cups/cupspm.md

@@ -135,6 +135,25 @@ Historically destinations have been manually maintained by the administrator of
 a system or network, but CUPS also supports dynamic discovery of destinations on
 the current network.
 
+### Authentication Attributes
+
+Destinations that proxy jobs to remote printers sometimes need additional
+authentication information. In addition to the standard options, CUPS can expose
+the following authentication-related attributes in `cups_dest_t.options`:
+
+- `"auth-info-required"`: Lists the authentication fields that are required for
+  the destination. Values include `"none"`, `"username,password"`,
+  `"domain,username,password"`, `"bearer"` (OAuth/OpenID HTTP Bearer token), and
+  `"negotiate"` (Kerberos).
+- `"oauth-authorization-server-uri"`: Provides the OAuth/OpenID authorization
+  server URI that clients should use when obtaining Bearer tokens.
+- `"oauth-authorization-scopes"`: Lists the OAuth/OpenID scopes that should be
+  requested when obtaining Bearer tokens.
+
+Applications that present destination details to users SHOULD display these
+attributes so that clients know when additional credentials or tokens are
+required.
+
 
 ## Finding Available Destinations
 

cups/dest.c

@@ -1293,6 +1293,8 @@ _cupsGetDests(http_t       *http,	/* I  - Connection to server or
 #ifdef __APPLE__
 		  "media-supported",
 #endif // __APPLE__
+		  "oauth-authorization-scopes",
+		  "oauth-authorization-server-uri",
 		  "printer-commands",
 		  "printer-defaults",
 		  "printer-info",
@@ -1395,7 +1397,7 @@ _cupsGetDests(http_t       *http,	/* I  - Connection to server or
 	    attr->value_tag != IPP_TAG_URI)
           continue;
 
-        if (!strcmp(attr->name, "auth-info-required") ||
+	if (!strcmp(attr->name, "auth-info-required") ||
 	    !strcmp(attr->name, "device-uri") ||
 	    !strcmp(attr->name, "marker-change-time") ||
 	    !strcmp(attr->name, "marker-colors") ||
@@ -1405,6 +1407,8 @@ _cupsGetDests(http_t       *http,	/* I  - Connection to server or
 	    !strcmp(attr->name, "marker-message") ||
 	    !strcmp(attr->name, "marker-names") ||
 	    !strcmp(attr->name, "marker-types") ||
+	    !strcmp(attr->name, "oauth-authorization-scopes") ||
+	    !strcmp(attr->name, "oauth-authorization-server-uri") ||
 	    !strcmp(attr->name, "printer-commands") ||
 	    !strcmp(attr->name, "printer-info") ||
             !strcmp(attr->name, "printer-is-shared") ||

cups/ipp-support.c

@@ -1607,6 +1607,8 @@ ippCreateRequestedArray(ipp_t *request)	// I - IPP request
   static const char * const printer_description[] =
   {					// printer-description group
     "auth-info-required",		// CUPS extension
+    "oauth-authorization-scopes",	// CUPS extension
+    "oauth-authorization-server-uri",	// CUPS extension
     "chamber-humidity-current",		// IPP 3D
     "chamber-temperature-current",	// IPP 3D
     "charset-configured",

doc/help/cupspm.html

@@ -1180,7 +1180,9 @@ <h3 class="title" id="finding-available-destinations">Finding Available Destinat
 <h3 class="title" id="basic-destination-information">Basic Destination Information</h3>
 <p>The <code>num_options</code> and <code>options</code> members of the <code>cups_dest_t</code> structure provide basic attributes about the destination in addition to the user default options and values for that destination. The following names are predefined for various destination attributes:</p>
 <ul>
-<li><p>&quot;auth-info-required&quot;: The type of authentication required for printing to this destination: &quot;none&quot;, &quot;username,password&quot;, &quot;domain,username,password&quot;, or &quot;negotiate&quot; (Kerberos).</p>
+<li><p>&quot;auth-info-required&quot;: The type of authentication required for printing to this destination: &quot;none&quot;, &quot;username,password&quot;, &quot;domain,username,password&quot;, &quot;bearer&quot; (OAuth/OpenID HTTP Bearer token), or &quot;negotiate&quot; (Kerberos).</p>
+<li><p>&quot;oauth-authorization-server-uri&quot;: The OAuth/OpenID authorization server URI to use when obtaining Bearer tokens for this destination.</p>
+<li><p>&quot;oauth-authorization-scopes&quot;: The OAuth/OpenID scope or scopes to request when obtaining Bearer tokens for this destination.</p>
 </li>
 <li><p>&quot;printer-info&quot;: The human-readable description of the destination such as &quot;My Laser Printer&quot;.</p>
 </li>

doc/help/man-filter.html

@@ -103,6 +103,7 @@ <h2 id="filter-7.log-messages">Log Messages</h2>
 Sets the named job or printer attribute(s). The following job attributes can be set: &quot;job-media-progress&quot;. The following printer attributes can be set:
 &quot;auth-info-required&quot;, &quot;marker-colors&quot;, &quot;marker-high-levels&quot;, &quot;marker-levels&quot;,
 &quot;marker-low-levels&quot;, &quot;marker-message&quot;, &quot;marker-names&quot;, &quot;marker-types&quot;,
+&quot;oauth-authorization-scopes&quot;, &quot;oauth-authorization-server-uri&quot;,
 &quot;printer-alert&quot;, and &quot;printer-alert-description&quot;.
 </p>
     <p style="margin-left: 2.5em; text-indent: -2.5em;"><strong>CRIT: </strong><em>message</em><br>

doc/help/spec-ipp.html

@@ -1022,11 +1022,17 @@ <h4 id='auth-info-required'><span class="info">Deprecated</span>auth-info-requir
       <li>'domain': A domain name is required.</li>
       <li>'negotiate': Kerberos is required - this keyword can only appear by itself and causes cupsd to collect the UID of the printing user.</li>
       <li>'none': No authentication is required - this keyword can only appear by itself.</li>
-      <li>'oauth': An OAuth/OpenID access token is required - this keyword can only appear by itself.</li>
+      <li>'bearer': An OAuth/OpenID access token (HTTP "Bearer" token from RFC 6750) is required - this keyword can only appear by itself.</li>
       <li>'password': A password is required.</li>
       <li>'username': A username is required. Some protocols (like SMB) prefix the username with the domain, for example "DOMAIN\user".</li>
     </ul>
 
+    <h4 id='oauth-authorization-server-uri'><span class="info">Extension</span>oauth-authorization-server-uri (uri)</h4>
+    <p>The "oauth-authorization-server-uri" attribute specifies the OAuth 2.0/OpenID Connect authorization server URI that clients SHOULD use when retrieving Bearer tokens for this destination.</p>
+
+    <h4 id='oauth-authorization-scopes'><span class="info">Extension</span>oauth-authorization-scopes (1setOf name(MAX))</h4>
+    <p>The "oauth-authorization-scopes" attribute specifies the OAuth/OpenID scopes that MUST be requested when obtaining Bearer tokens for this destination.</p>
+
     <h4 id='job-k-limit'><span class="info">Deprecated</span>job-k-limit (integer)</h4>
     <p>The "job-k-limit" attribute specifies the maximum number of kilobytes that may be printed by a user, including banner files. The default value of 0 specifies that there is no limit.
 

man/filter.7

@@ -99,6 +99,7 @@ Sets the "printer-state-message" attribute and adds the specified message to the
 Sets the named job or printer attribute(s). The following job attributes can be set: "job-media-progress". The following printer attributes can be set:
 "auth-info-required", "marker-colors", "marker-high-levels", "marker-levels",
 "marker-low-levels", "marker-message", "marker-names", "marker-types",
+"oauth-authorization-scopes", "oauth-authorization-server-uri",
 "printer-alert", and "printer-alert-description".
 .TP 5
 \fBCRIT: \fImessage\fR

scheduler/conf.c

@@ -3589,6 +3589,7 @@ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
   static const char * const prohibited_env[] =
   {					/* Prohibited environment variables */
     "APPLE_LANGUAGE",
+    "AUTH_BEARER",
     "AUTH_DOMAIN",
     "AUTH_INFO_REQUIRED",
     "AUTH_NEGOTIATE",

scheduler/dirsvc.c

@@ -259,7 +259,8 @@ dnssdBuildTxtRecord(
                 *ptr;                   /* Pointer in string */
   cupsd_listener_t *lis;                /* Current listener */
   const char    *admin_scheme = "http"; /* Admin page URL scheme */
-  ipp_attribute_t *urf_supported;	/* urf-supported attribute */
+  ipp_attribute_t *urf_supported,	/* urf-supported attribute */
+		*attr;			/* Generic attribute */
 
 
  /*
@@ -330,6 +331,32 @@ dnssdBuildTxtRecord(
   if (get_auth_info_required(p, value, sizeof(value)))
     num_txt = cupsAddOption("air", value, num_txt, txt);
 
+  if ((attr = ippFindAttribute(p->attrs, "oauth-authorization-server-uri",
+                               IPP_TAG_URI)) != NULL)
+    num_txt = cupsAddOption("oauth-uri", attr->values[0].string.text,
+                            num_txt, txt);
+
+  if ((attr = ippFindAttribute(p->attrs, "oauth-authorization-scopes",
+                               IPP_TAG_NAME)) != NULL)
+  {
+    value[0] = '\0';
+    for (i = 0, ptr = value; i < attr->num_values; i ++)
+    {
+      const char *scope = attr->values[i].string.text;
+
+      if (ptr > value && ptr < (value + sizeof(value) - 1))
+        *ptr++ = ' ';
+
+      cupsCopyString(ptr, scope, sizeof(value) - (size_t)(ptr - value));
+      ptr += strlen(ptr);
+
+      if (ptr >= (value + sizeof(value) - 1))
+        break;
+    }
+
+    num_txt = cupsAddOption("oauth-scope", value, num_txt, txt);
+  }
+
   num_txt = cupsAddOption("UUID", p->uuid + 9, num_txt, txt);
 
   num_txt = cupsAddOption("TLS", "1.3", num_txt, txt);

scheduler/ipp.c

@@ -9495,6 +9495,9 @@ save_auth_info(
       else if (!strcmp(dest->auth_info_required[i], "negotiate"))
         cupsdSetStringf(job->auth_env + i, "AUTH_NEGOTIATE=%s",
 	                auth_info->values[i].string.text);
+      else if (!strcmp(dest->auth_info_required[i], "bearer"))
+        cupsdSetStringf(job->auth_env + i, "AUTH_BEARER=%s",
+	                auth_info->values[i].string.text);
       else
         i --;
     }

scheduler/job.c

@@ -2051,6 +2051,8 @@ cupsdLoadJob(cupsd_job_t *job)		/* I - Job */
 	    cupsdSetStringf(job->auth_env + i, "AUTH_PASSWORD=%s", data);
 	  else if (!strcmp(line, "negotiate"))
 	    cupsdSetStringf(job->auth_env + i, "AUTH_NEGOTIATE=%s", value);
+	  else if (!strcmp(line, "bearer"))
+	    cupsdSetStringf(job->auth_env + i, "AUTH_BEARER=%s", data);
 	  else
 	    continue;
 
@@ -5414,6 +5416,22 @@ update_job(cupsd_job_t *job)		/* I - Job to check */
         cupsdMarkDirty(CUPSD_DIRTY_PRINTERS);
       }
 
+      if ((attr = cupsGetOption("oauth-authorization-server-uri", num_attrs,
+                                attrs)) != NULL)
+      {
+        cupsdSetPrinterAttr(job->printer, "oauth-authorization-server-uri",
+                            (char *)attr);
+        cupsdMarkDirty(CUPSD_DIRTY_PRINTERS);
+      }
+
+      if ((attr = cupsGetOption("oauth-authorization-scopes", num_attrs,
+                                attrs)) != NULL)
+      {
+        cupsdSetPrinterAttr(job->printer, "oauth-authorization-scopes",
+                            (char *)attr);
+        cupsdMarkDirty(CUPSD_DIRTY_PRINTERS);
+      }
+
       cupsFreeOptions(num_attrs, attrs);
     }
     else if (loglevel == CUPSD_LOG_PPD)