oc-auth/controllers/oauth2.go

package controllers

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"oc-auth/infrastructure"
	auth_connectors "oc-auth/infrastructure/auth_connector"
	"oc-auth/infrastructure/claims"
	"strings"

	oclib "cloud.o-forge.io/core/oc-lib"
	model "cloud.o-forge.io/core/oc-lib/models/peer"
	"cloud.o-forge.io/core/oc-lib/static"
	beego "github.com/beego/beego/v2/server/web"
)

// Operations about auth
type OAuthController struct {
	beego.Controller
}

// @Title Logout
// @Description unauthenticate user
// @Param	Authorization		header  string	false "auth token"
// @Success 200 {string}
// @router /ldap/logout [delete]
func (o *OAuthController) LogOutLDAP() {
	// authorize user
	reqToken := o.Ctx.Request.Header.Get("Authorization")
	splitToken := strings.Split(reqToken, "Bearer ")
	if len(splitToken) < 2 {
		reqToken = ""
	} else {
		reqToken = splitToken[1]
	}
	var res auth_connectors.Token
	json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)

	token, err := infrastructure.GetAuthConnector().Logout(reqToken)
	if err != nil || token == nil {
		o.Data["json"] = err
	} else {
		o.Data["json"] = token
	}
	o.ServeJSON()
}

// @Title Login
// @Description authenticate user
// @Param	body		body 	models.workflow	true		"The workflow content"
// @Success 200 {string}
// @router /ldap/login [post]
func (o *OAuthController) LoginLDAP() {
	// authorize user
	var res auth_connectors.Token
	json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)
	ldap := auth_connectors.New()
	found, err := ldap.Authenticate(o.Ctx.Request.Context(), res.Username, res.Password)
	if err != nil || !found {
		o.Data["json"] = err
		o.Ctx.ResponseWriter.WriteHeader(401)
		o.ServeJSON()
		return
	}
	token, err := infrastructure.GetAuthConnector().Login(res.Username,
		&http.Cookie{ // open a session
			Name:  "csrf_token",
			Value: o.XSRFToken(),
		})
	if err != nil || token == nil {
		o.Data["json"] = err
		o.Ctx.ResponseWriter.WriteHeader(401)
	} else {
		o.Data["json"] = token
	}
	o.ServeJSON()
}

// @Title Claims
// @Description enrich token with claims
// @Param	body		body 	models.Token	true		"The token info"
// @Success 200 {string}
// @router /claims [post]
func (o *OAuthController) Claims() {
	// enrich token with claims
	var res claims.Claims
	json.Unmarshal(o.Ctx.Input.CopyBody(100000), &res)
	claims := res.Session.IDToken["id_token_claims"].(map[string]interface{})
	userName := claims["sub"].(string)
	_, loc := static.GetMyLocalJsonPeer()
	o.Data["json"] = infrastructure.GetClaims().AddClaimsToToken(userName, loc["url"].(string))
	o.ServeJSON()
}

// @Title Introspection
// @Description introspect token
// @Param	body		body 	models.Token	true		"The token info"
// @Success 200 {string}
// @router /refresh [post]
func (o *OAuthController) Refresh() {
	var token auth_connectors.Token
	json.Unmarshal(o.Ctx.Input.CopyBody(100000), &token)
	// refresh token
	newToken, err := infrastructure.GetAuthConnector().Refresh(&token)
	if err != nil || newToken == nil {
		o.Data["json"] = err
		o.Ctx.ResponseWriter.WriteHeader(401)
	} else {
		o.Data["json"] = newToken
	}
	o.ServeJSON()
}

// @Title Introspection
// @Description introspect token
// @Param	Authorization		header  string	false "auth token"
// @Success 200 {string}
// @router /introspect [get]
func (o *OAuthController) Introspect() {
	reqToken := o.Ctx.Request.Header.Get("Authorization")
	splitToken := strings.Split(reqToken, "Bearer ")
	if len(splitToken) < 2 {
		reqToken = ""
	} else {
		reqToken = splitToken[1]
	}
	token, err := infrastructure.GetAuthConnector().Introspect(reqToken)
	if err != nil || !token {
		o.Data["json"] = err
		o.Ctx.ResponseWriter.WriteHeader(401)
	}
	o.ServeJSON()
}

// @Title AuthForward
// @Description auth forward
// @Param	Authorization		header  string	false "auth token"
// @Param	body		body 	models.workflow	true		"The workflow content"
// @Success 200 {string}
// @router /forward [get]
func (o *OAuthController) InternalAuthForward() {
	reqToken := o.Ctx.Request.Header.Get("Authorization")
	splitToken := strings.Split(reqToken, "Bearer ")
	if len(splitToken) < 2 {
		reqToken = ""
	} else {
		reqToken = splitToken[1]
	}
	origin, publicKey, external := o.extractOrigin()
	if reqToken != "" && !o.checkAuthForward(reqToken, publicKey) && origin != "" {
		fmt.Println("Unauthorized", origin, reqToken)
		o.Ctx.ResponseWriter.WriteHeader(401)
		o.ServeJSON()
		return
	}
	token, err := infrastructure.GetAuthConnector().Introspect(reqToken, &http.Cookie{
		Name:  "csrf_token",
		Value: o.XSRFToken(),
	}) // may be a problem... we should check if token is valid on our side
	// prefers a refresh token call
	if err != nil || external {
		fmt.Println("Unauthorized 2", err, external) // error
		o.Ctx.ResponseWriter.WriteHeader(401)
	} else if token && !external { // redirect to login
		o.Data["json"] = token
	}
	o.ServeJSON()
}

func (o *OAuthController) extractOrigin() (string, string, bool) {
	external := true
	publicKey := ""
	origin := o.Ctx.Request.Header.Get("X-Forwarded-Host")
	if origin == "" {
		origin = o.Ctx.Request.Header.Get("Origin")
	}
	idLoc, loc := static.GetMyLocalJsonPeer()
	if origin != "" { // is external
		peer := oclib.Search(nil, origin, oclib.LibDataEnum(oclib.PEER))
		if peer.Code != 200 {
			return "", "", external
		}
		p := peer.Data[0]
		if strings.Contains(origin, "localhost") || strings.Contains(origin, "127.0.0.1") || idLoc == p.GetID() {
			external = false
		}
		publicKey = p.(*model.Peer).PublicKey
	} else {
		external = false
		publicKey = loc["public_key"].(string)
	}
	return origin, publicKey, external
}

func (o *OAuthController) checkAuthForward(reqToken string, publicKey string) bool {
	bytes, err := base64.StdEncoding.DecodeString(reqToken) // Converting data
	if err != nil {
		fmt.Println("Failed to Decode secret", err)
		return false
	}
	var decodedToken map[string]interface{}
	err = json.Unmarshal(bytes, &decodedToken)
	if err != nil {
		fmt.Println("Failed to parse secret", err)
		return false
	} else if decodedToken["session"] != nil {
		host := o.Ctx.Request.Header.Get("X-Forwarded-Host")
		method := o.Ctx.Request.Header.Get("X-Forwarded-Method")
		forward := o.Ctx.Request.Header.Get("X-Forwarded-Uri")
		if forward == "" || method == "" {
			fmt.Println("Forwarded headers are missing")
			return false
		}
		// ask keto for permission is in claims
		ok, err := infrastructure.GetClaims().DecodeClaimsInToken(
			host, method, forward, decodedToken["session"].(map[string]interface{}), publicKey)
		if err != nil {
			fmt.Println("Failed to decode claims", err)
		}
		return ok
	}
	return false
}
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`package controllers`

			`import (`
			`"encoding/base64"`
			`"encoding/json"`
			`"fmt"`
			`"net/http"`
			`"oc-auth/infrastructure"`
			`auth_connectors "oc-auth/infrastructure/auth_connector"`
			`"oc-auth/infrastructure/claims"`
			`"strings"`

			`oclib "cloud.o-forge.io/core/oc-lib"`
			`model "cloud.o-forge.io/core/oc-lib/models/peer"`
			`"cloud.o-forge.io/core/oc-lib/static"`
			`beego "github.com/beego/beego/v2/server/web"`
			`)`

			`// Operations about auth`
			`type OAuthController struct {`
			`beego.Controller`
			`}`

			`// @Title Logout`
			`// @Description unauthenticate user`
			`// @Param Authorization header string false "auth token"`
			`// @Success 200 {string}`
			`// @router /ldap/logout [delete]`
			`func (o *OAuthController) LogOutLDAP() {`
			`// authorize user`
			`reqToken := o.Ctx.Request.Header.Get("Authorization")`
			`splitToken := strings.Split(reqToken, "Bearer ")`
			`if len(splitToken) < 2 {`
			`reqToken = ""`
			`} else {`
			`reqToken = splitToken[1]`
			`}`
			`var res auth_connectors.Token`
			`json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)`

			`token, err := infrastructure.GetAuthConnector().Logout(reqToken)`
			`if err != nil \|\| token == nil {`
			`o.Data["json"] = err`
			`} else {`
			`o.Data["json"] = token`
			`}`
			`o.ServeJSON()`
			`}`

			`// @Title Login`
			`// @Description authenticate user`
			`// @Param body body models.workflow true "The workflow content"`
			`// @Success 200 {string}`
			`// @router /ldap/login [post]`
			`func (o *OAuthController) LoginLDAP() {`
			`// authorize user`
			`var res auth_connectors.Token`
			`json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)`
			`ldap := auth_connectors.New()`
			`found, err := ldap.Authenticate(o.Ctx.Request.Context(), res.Username, res.Password)`
			`if err != nil \|\| !found {`
			`o.Data["json"] = err`
			`o.Ctx.ResponseWriter.WriteHeader(401)`
			`o.ServeJSON()`
			`return`
			`}`
			`token, err := infrastructure.GetAuthConnector().Login(res.Username,`
			`&http.Cookie{ // open a session`
			`Name: "csrf_token",`
			`Value: o.XSRFToken(),`
			`})`
			`if err != nil \|\| token == nil {`
			`o.Data["json"] = err`
			`o.Ctx.ResponseWriter.WriteHeader(401)`
			`} else {`
			`o.Data["json"] = token`
			`}`
			`o.ServeJSON()`
			`}`

			`// @Title Claims`
			`// @Description enrich token with claims`
			`// @Param body body models.Token true "The token info"`
			`// @Success 200 {string}`
			`// @router /claims [post]`
			`func (o *OAuthController) Claims() {`
			`// enrich token with claims`
			`var res claims.Claims`
			`json.Unmarshal(o.Ctx.Input.CopyBody(100000), &res)`
			`claims := res.Session.IDToken["id_token_claims"].(map[string]interface{})`
			`userName := claims["sub"].(string)`
			`_, loc := static.GetMyLocalJsonPeer()`
			`o.Data["json"] = infrastructure.GetClaims().AddClaimsToToken(userName, loc["url"].(string))`
			`o.ServeJSON()`
			`}`

			`// @Title Introspection`
			`// @Description introspect token`
			`// @Param body body models.Token true "The token info"`
			`// @Success 200 {string}`
			`// @router /refresh [post]`
			`func (o *OAuthController) Refresh() {`
			`var token auth_connectors.Token`
			`json.Unmarshal(o.Ctx.Input.CopyBody(100000), &token)`
			`// refresh token`
			`newToken, err := infrastructure.GetAuthConnector().Refresh(&token)`
			`if err != nil \|\| newToken == nil {`
			`o.Data["json"] = err`
			`o.Ctx.ResponseWriter.WriteHeader(401)`
			`} else {`
			`o.Data["json"] = newToken`
			`}`
			`o.ServeJSON()`
			`}`

			`// @Title Introspection`
			`// @Description introspect token`
			`// @Param Authorization header string false "auth token"`
			`// @Success 200 {string}`
			`// @router /introspect [get]`
			`func (o *OAuthController) Introspect() {`
			`reqToken := o.Ctx.Request.Header.Get("Authorization")`
			`splitToken := strings.Split(reqToken, "Bearer ")`
			`if len(splitToken) < 2 {`
			`reqToken = ""`
			`} else {`
			`reqToken = splitToken[1]`
			`}`
			`token, err := infrastructure.GetAuthConnector().Introspect(reqToken)`
			`if err != nil \|\| !token {`
			`o.Data["json"] = err`
			`o.Ctx.ResponseWriter.WriteHeader(401)`
			`}`
			`o.ServeJSON()`
			`}`

			`// @Title AuthForward`
			`// @Description auth forward`
			`// @Param Authorization header string false "auth token"`
			`// @Param body body models.workflow true "The workflow content"`
			`// @Success 200 {string}`
			`// @router /forward [get]`
			`func (o *OAuthController) InternalAuthForward() {`
			`reqToken := o.Ctx.Request.Header.Get("Authorization")`
			`splitToken := strings.Split(reqToken, "Bearer ")`
			`if len(splitToken) < 2 {`
			`reqToken = ""`
			`} else {`
			`reqToken = splitToken[1]`
			`}`
			`origin, publicKey, external := o.extractOrigin()`
			`if reqToken != "" && !o.checkAuthForward(reqToken, publicKey) && origin != "" {`
			`fmt.Println("Unauthorized", origin, reqToken)`
			`o.Ctx.ResponseWriter.WriteHeader(401)`
			`o.ServeJSON()`
			`return`
			`}`
			`token, err := infrastructure.GetAuthConnector().Introspect(reqToken, &http.Cookie{`
			`Name: "csrf_token",`
			`Value: o.XSRFToken(),`
			`}) // may be a problem... we should check if token is valid on our side`
			`// prefers a refresh token call`
			`if err != nil \|\| external {`
			`fmt.Println("Unauthorized 2", err, external) // error`
			`o.Ctx.ResponseWriter.WriteHeader(401)`
			`} else if token && !external { // redirect to login`
			`o.Data["json"] = token`
			`}`
			`o.ServeJSON()`
			`}`

			`func (o *OAuthController) extractOrigin() (string, string, bool) {`
			`external := true`
			`publicKey := ""`
			`origin := o.Ctx.Request.Header.Get("X-Forwarded-Host")`
			`if origin == "" {`
			`origin = o.Ctx.Request.Header.Get("Origin")`
			`}`
			`idLoc, loc := static.GetMyLocalJsonPeer()`
			`if origin != "" { // is external`
			`peer := oclib.Search(nil, origin, oclib.LibDataEnum(oclib.PEER))`
			`if peer.Code != 200 {`
			`return "", "", external`
			`}`
			`p := peer.Data[0]`
			`if strings.Contains(origin, "localhost") \|\| strings.Contains(origin, "127.0.0.1") \|\| idLoc == p.GetID() {`
			`external = false`
			`}`
			`publicKey = p.(*model.Peer).PublicKey`
			`} else {`
			`external = false`
			`publicKey = loc["public_key"].(string)`
			`}`
			`return origin, publicKey, external`
			`}`

			`func (o *OAuthController) checkAuthForward(reqToken string, publicKey string) bool {`
			`bytes, err := base64.StdEncoding.DecodeString(reqToken) // Converting data`
			`if err != nil {`
			`fmt.Println("Failed to Decode secret", err)`
			`return false`
			`}`
			`var decodedToken map[string]interface{}`
			`err = json.Unmarshal(bytes, &decodedToken)`
			`if err != nil {`
			`fmt.Println("Failed to parse secret", err)`
			`return false`
			`} else if decodedToken["session"] != nil {`
			`host := o.Ctx.Request.Header.Get("X-Forwarded-Host")`
			`method := o.Ctx.Request.Header.Get("X-Forwarded-Method")`
			`forward := o.Ctx.Request.Header.Get("X-Forwarded-Uri")`
			`if forward == "" \|\| method == "" {`
			`fmt.Println("Forwarded headers are missing")`
			`return false`
			`}`
			`// ask keto for permission is in claims`
			`ok, err := infrastructure.GetClaims().DecodeClaimsInToken(`
			`host, method, forward, decodedToken["session"].(map[string]interface{}), publicKey)`
			`if err != nil {`
			`fmt.Println("Failed to decode claims", err)`
			`}`
			`return ok`
			`}`
			`return false`
			`}`