oc-auth/infrastructure/claims/hydra_claims.go

package claims

import (
	"crypto/sha256"
	"encoding/pem"
	"errors"
	"oc-auth/conf"
	"oc-auth/infrastructure/perms_connectors"
	"oc-auth/infrastructure/utils"
	"os"
	"strings"

	"cloud.o-forge.io/core/oc-lib/tools"
)

type HydraClaims struct{}

func (h HydraClaims) generateKey(relation string, path string) (string, error) {
	method, err := utils.ExtractMethod(relation, false)
	if err != nil {
		return "", err
	}
	p := strings.ReplaceAll(strings.ToUpper(path), "/", "_")
	return strings.ToLower(method.String()) + "_" + p, nil
}

// decode key expect to extract method and path from key
func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
	s := strings.Split(key, "_")
	if len(s) < 2 {
		return tools.GET, "", errors.New("invalid key")
	}
	meth, err := utils.ExtractMethod(s[0], false)
	if err != nil {
		return meth, "", err
	}
	p := strings.ReplaceAll(strings.ToLower(s[1]), "_", "/")
	return meth, p, nil
}

func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
	hashed := sha256.Sum256([]byte(host))
	spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
	err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
	if err != nil {
		return false, err
	}
	return true, nil
}

func (h HydraClaims) encodeSignature(host string) (string, error) {
	hashed := sha256.Sum256([]byte(host))
	// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
	content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
	if err != nil {
		return "", err
	}
	privateKey := string(content)
	spkiBlock, _ := pem.Decode([]byte(privateKey))
	return SignDefault(hashed[:], spkiBlock.Bytes)
}

func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error) {
	idTokenClaims := sessionClaims.Session.IDToken
	if idTokenClaims["signature"] == nil {
		return false, errors.New("no signature found")
	}
	signature := idTokenClaims["signature"].(string)
	if ok, err := h.DecodeSignature(host, signature, publicKey); !ok {
		return false, err
	}
	claims := sessionClaims.Session.AccessToken
	path := strings.ReplaceAll(forward, "http://"+host, "")
	splittedPath := strings.Split(path, "/")
	for m, p := range claims {
		splittedP := strings.Split(p.(string), "/")
		if len(splittedP) != len(splittedPath) {
			return false, errors.New("invalid path")
		}
		for i, v := range splittedP {
			if strings.Contains(v, ":") { // is a param
				continue
			} else if v != splittedPath[i] {
				meth, _, err := h.decodeKey(m)
				if err != nil {
					return false, err
				}
				perm := perms_connectors.Permission{
					Relation: "permits" + strings.ToLower(meth.String()),
					Object:   p.(string),
				}
				return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
			}
		}
	}
	return false, errors.New("no permission found")
}

// add claims to token method of HydraTokenizer
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
	claims := Claims{}
	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
	if err != nil {
		return claims
	}
	claims.Session.AccessToken = make(map[string]interface{})
	claims.Session.IDToken = make(map[string]interface{})
	for _, perm := range perms {
		key, err := h.generateKey(perm.Relation, perm.Object)
		if err != nil {
			continue
		}
		claims.Session.AccessToken[key] = perm.Object
	}
	sign, err := h.encodeSignature(host)
	if err != nil {
		return claims
	}
	claims.Session.IDToken["signature"] = sign
	return claims
}

// add signature in the token MISSING