oc-auth/infrastructure/claims/hydra_claims.go

134 lines
3.8 KiB
Go
Raw Normal View History

package claims
import (
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/pem"
"errors"
"oc-auth/conf"
"oc-auth/infrastructure/perms_connectors"
"oc-auth/infrastructure/utils"
"os"
"strings"
"cloud.o-forge.io/core/oc-lib/tools"
)
type HydraClaims struct{}
func (h HydraClaims) generateKey(relation string, path string) (string, error) {
method, err := utils.ExtractMethod(relation, false)
if err != nil {
return "", err
}
p := strings.ReplaceAll(strings.ToUpper(path), "/", "_")
return strings.ToLower(method.String()) + "_" + p, nil
}
// decode key expect to extract method and path from key
func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
s := strings.Split(key, "_")
if len(s) < 2 {
return tools.GET, "", errors.New("invalid key")
}
meth, err := utils.ExtractMethod(s[0], false)
if err != nil {
return meth, "", err
}
p := strings.ReplaceAll(strings.ToLower(s[1]), "_", "/")
return meth, p, nil
}
func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
hashed := sha256.Sum256([]byte(host))
// get public key into a variable
spkiBlock, _ := pem.Decode([]byte(publicKey))
key, _ := x509.ParsePKCS1PublicKey(spkiBlock.Bytes)
err := rsa.VerifyPKCS1v15(key, crypto.SHA256, hashed[:], []byte(signature))
if err != nil {
return false, err
}
return true, nil
}
func (h HydraClaims) encodeSignature(host string) (string, error) {
hashed := sha256.Sum256([]byte(host))
// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
content, err := os.ReadFile(conf.GetConfig().PVKPath)
if err != nil {
return "", err
}
privateKey := string(content)
spkiBlock, _ := pem.Decode([]byte(privateKey))
key, _ := x509.ParsePKCS1PrivateKey(spkiBlock.Bytes)
signature, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hashed[:])
if err != nil {
return "", err
}
return string(signature), nil
}
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims map[string]interface{}, publicKey string) (bool, error) {
if sessionClaims["id_token"] == nil || sessionClaims["access_token"] == nil {
return false, errors.New("invalid session claims")
}
idTokenClaims := sessionClaims["id_token"].(map[string]interface{})
signature := idTokenClaims["signature"].(string)
if ok, err := h.DecodeSignature(host, signature, publicKey); !ok {
return false, err
}
claims := sessionClaims["access_token"].(map[string]interface{})
path := strings.ReplaceAll(forward, "http://"+host, "")
splittedPath := strings.Split(path, "/")
for m, p := range claims {
splittedP := strings.Split(p.(string), "/")
if len(splittedP) != len(splittedPath) {
return false, errors.New("invalid path")
}
for i, v := range splittedP {
if strings.Contains(v, ":") { // is a param
continue
} else if v != splittedPath[i] {
meth, _, err := h.decodeKey(m)
if err != nil {
return false, err
}
perm := perms_connectors.Permission{
Relation: "permits" + strings.ToLower(meth.String()),
Object: p.(string),
}
return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
}
}
}
return false, errors.New("no permission found")
}
// add claims to token method of HydraTokenizer
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
claims := Claims{}
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId)
if err != nil {
return claims
}
for _, perm := range perms {
key, err := h.generateKey(perm.Relation, perm.Object)
if err != nil {
continue
}
claims.Session.AccessToken[key] = perm.Object
}
sign, err := h.encodeSignature(host)
if err != nil {
return claims
}
claims.Session.IDToken["signature"] = sign
return claims
}
// add signature in the token MISSING