oc-auth/infrastructure/claims/hydra_claims.go

package claims

import (
	"crypto/sha256"
	"encoding/pem"
	"errors"
	"oc-auth/conf"
	"oc-auth/infrastructure/perms_connectors"
	"oc-auth/infrastructure/utils"
	"os"
	"strings"
	"time"

	"cloud.o-forge.io/core/oc-lib/tools"
)

type HydraClaims struct{}

func (h HydraClaims) generateKey(relation string, path string) (string, error) {
	method, err := utils.ExtractMethod(relation, true)
	if err != nil {
		return "", err
	}
	p := strings.ReplaceAll(strings.ToUpper(path), "/", "_")
	return strings.ToLower(method.String()) + "_" + strings.ReplaceAll(p, ":", ""), nil
}

// decode key expect to extract method and path from key
func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string, error) {
	s := strings.Split(key, "_")
	if len(s) < 2 {
		return tools.GET, "", errors.New("invalid key")
	}
	if strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external {
		return tools.GET, "", errors.New("external ask for internal key")
	}
	meth, err := utils.ExtractMethod(s[0], false)
	if err != nil {
		return meth, "", err
	}
	p := strings.ReplaceAll(strings.ToLower(s[1]), "_", "/")
	return meth, p, nil
}

func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
	hashed := sha256.Sum256([]byte(host))
	spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
	err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
	if err != nil {
		return false, err
	}
	return true, nil
}

func (h HydraClaims) encodeSignature(host string) (string, error) {
	hashed := sha256.Sum256([]byte(host))
	// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
	content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
	if err != nil {
		return "", err
	}
	privateKey := string(content)
	spkiBlock, _ := pem.Decode([]byte(privateKey))
	return SignDefault(hashed[:], spkiBlock.Bytes)
}

func (h HydraClaims) clearBlank(path []string) []string {
	// clear blank
	newPath := []string{}
	for _, p := range path {
		if p != "" {
			newPath = append(newPath, p)
		}
	}
	return newPath
}

func (a HydraClaims) CheckExpiry(exp int64) bool {
	now := time.Now().UTC().Unix()
	return now <= exp
}

func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
	idTokenClaims := sessionClaims.Session.IDToken
	if idTokenClaims["signature"] == nil {
		return false, errors.New("no signature found")
	}
	signature := idTokenClaims["signature"].(string)
	if ok, err := h.DecodeSignature(host, signature, publicKey); !ok {
		return false, err
	}
	claims := sessionClaims.Session.AccessToken
	path := strings.ReplaceAll(forward, "http://"+host, "")
	splittedPath := h.clearBlank(strings.Split(path, "/"))
	if _, ok := claims["exp"].(float64); !ok || !h.CheckExpiry(int64(claims["exp"].(float64))) {
		return false, errors.New("token is expired")
	}
	for m, p := range claims {
		match := true
		splittedP := h.clearBlank(strings.Split(p.(string), "/"))
		if len(splittedP) != len(splittedPath) {
			continue
		}
		for i, v := range splittedP {
			if strings.Contains(v, ":") { // is a param
				continue
			} else if v != splittedPath[i] {
				match = false
				break
			}
		}
		if match {
			meth, _, err := h.decodeKey(m, external)
			if err != nil {
				continue
			}
			perm := perms_connectors.Permission{
				Relation: "permits" + strings.ToUpper(meth.String()),
				Object:   p.(string),
			}
			return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
		}
	}
	return false, errors.New("no permission found")
}

// add claims to token method of HydraTokenizer
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
	claims := Claims{}
	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
	if err != nil {
		return claims
	}
	claims.Session.AccessToken = make(map[string]interface{})
	claims.Session.IDToken = make(map[string]interface{})
	for _, perm := range perms {
		key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Subject)
		if err != nil {
			continue
		}
		claims.Session.AccessToken[key] = perm.Subject
	}
	sign, err := h.encodeSignature(host)
	if err != nil {
		return claims
	}
	claims.Session.IDToken["signature"] = sign
	return claims
}

// add signature in the token MISSING
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`package claims`

			`import (`
			`"crypto/sha256"`
			`"encoding/pem"`
			`"errors"`
			`"oc-auth/conf"`
			`"oc-auth/infrastructure/perms_connectors"`
			`"oc-auth/infrastructure/utils"`
			`"os"`
			`"strings"`
after test 2024-11-05 10:11:39 +01:00			`"time"`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00
			`"cloud.o-forge.io/core/oc-lib/tools"`
			`)`

			`type HydraClaims struct{}`

			`func (h HydraClaims) generateKey(relation string, path string) (string, error) {`
INTERNAL ASK RULES 2024-10-30 16:39:52 +01:00			`method, err := utils.ExtractMethod(relation, true)`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`if err != nil {`
			`return "", err`
			`}`
			`p := strings.ReplaceAll(strings.ToUpper(path), "/", "_")`
debugging claims 2024-11-04 09:43:35 +01:00			`return strings.ToLower(method.String()) + "_" + strings.ReplaceAll(p, ":", ""), nil`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`

			`// decode key expect to extract method and path from key`
INTERNAL ASK RULES 2024-10-30 16:39:52 +01:00			`func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string, error) {`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`s := strings.Split(key, "_")`
			`if len(s) < 2 {`
			`return tools.GET, "", errors.New("invalid key")`
			`}`
INTERNAL ASK RULES 2024-10-30 16:39:52 +01:00			`if strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external {`
			`return tools.GET, "", errors.New("external ask for internal key")`
			`}`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`meth, err := utils.ExtractMethod(s[0], false)`
			`if err != nil {`
			`return meth, "", err`
			`}`
			`p := strings.ReplaceAll(strings.ToLower(s[1]), "_", "/")`
			`return meth, p, nil`
			`}`

			`func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {`
			`hashed := sha256.Sum256([]byte(host))`
BAHAMAS 2024-10-30 12:38:25 +01:00			`spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable`
			`err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`if err != nil {`
			`return false, err`
			`}`
			`return true, nil`
			`}`

			`func (h HydraClaims) encodeSignature(host string) (string, error) {`
			`hashed := sha256.Sum256([]byte(host))`
			`// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH`
BAHAMAS 2024-10-30 12:38:25 +01:00			`content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`if err != nil {`
			`return "", err`
			`}`
			`privateKey := string(content)`
			`spkiBlock, _ := pem.Decode([]byte(privateKey))`
BAHAMAS 2024-10-30 12:38:25 +01:00			`return SignDefault(hashed[:], spkiBlock.Bytes)`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`

debugging claims 2024-11-04 09:43:35 +01:00			`func (h HydraClaims) clearBlank(path []string) []string {`
			`// clear blank`
			`newPath := []string{}`
			`for _, p := range path {`
			`if p != "" {`
			`newPath = append(newPath, p)`
			`}`
			`}`
			`return newPath`
			`}`

after test 2024-11-05 10:11:39 +01:00			`func (a HydraClaims) CheckExpiry(exp int64) bool {`
			`now := time.Now().UTC().Unix()`
			`return now <= exp`
			`}`

INTERNAL ASK RULES 2024-10-30 16:39:52 +01:00			`func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {`
BAHAMAS 2024-10-30 12:38:25 +01:00			`idTokenClaims := sessionClaims.Session.IDToken`
			`if idTokenClaims["signature"] == nil {`
			`return false, errors.New("no signature found")`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`
			`signature := idTokenClaims["signature"].(string)`
			`if ok, err := h.DecodeSignature(host, signature, publicKey); !ok {`
			`return false, err`
			`}`
BAHAMAS 2024-10-30 12:38:25 +01:00			`claims := sessionClaims.Session.AccessToken`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`path := strings.ReplaceAll(forward, "http://"+host, "")`
debugging claims 2024-11-04 09:43:35 +01:00			`splittedPath := h.clearBlank(strings.Split(path, "/"))`
after test 2024-11-05 10:11:39 +01:00			`if _, ok := claims["exp"].(float64); !ok \|\| !h.CheckExpiry(int64(claims["exp"].(float64))) {`
			`return false, errors.New("token is expired")`
			`}`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`for m, p := range claims {`
debugging claims 2024-11-04 09:43:35 +01:00			`match := true`
			`splittedP := h.clearBlank(strings.Split(p.(string), "/"))`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`if len(splittedP) != len(splittedPath) {`
casual debug for claims 2024-10-30 17:05:12 +01:00			`continue`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`
			`for i, v := range splittedP {`
			`if strings.Contains(v, ":") { // is a param`
			`continue`
			`} else if v != splittedPath[i] {`
debugging claims 2024-11-04 09:43:35 +01:00			`match = false`
			`break`
			`}`
			`}`
			`if match {`
			`meth, _, err := h.decodeKey(m, external)`
			`if err != nil {`
			`continue`
			`}`
			`perm := perms_connectors.Permission{`
			`Relation: "permits" + strings.ToUpper(meth.String()),`
			`Object: p.(string),`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`
debugging claims 2024-11-04 09:43:35 +01:00			`return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`
			`}`
			`return false, errors.New("no permission found")`
			`}`

			`// add claims to token method of HydraTokenizer`
			`func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {`
			`claims := Claims{}`
INTERNAL ASK RULES 2024-10-30 16:39:52 +01:00			`perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`if err != nil {`
			`return claims`
			`}`
BAHAMAS 2024-10-30 12:38:25 +01:00			`claims.Session.AccessToken = make(map[string]interface{})`
			`claims.Session.IDToken = make(map[string]interface{})`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`for _, perm := range perms {`
debugging claims 2024-11-04 09:43:35 +01:00			`key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Subject)`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`if err != nil {`
			`continue`
			`}`
debugging claims 2024-11-04 09:43:35 +01:00			`claims.Session.AccessToken[key] = perm.Subject`
Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding 2024-10-28 14:58:11 +01:00			`}`
			`sign, err := h.encodeSignature(host)`
			`if err != nil {`
			`return claims`
			`}`
			`claims.Session.IDToken["signature"] = sign`
			`return claims`
			`}`

			`// add signature in the token MISSING`