Forward For WS

2026-04-01 17:16:18 +02:00
parent 744caf9a5e
commit 284667e95c
10 changed files with 570 additions and 66 deletions
--- a/infrastructure/claims/claims.go
+++ b/infrastructure/claims/claims.go
@@ -1,10 +1,13 @@
 package claims

 import (
+	"fmt"
 	"oc-auth/conf"
+	"reflect"
 	"strings"

 	"cloud.o-forge.io/core/oc-lib/models/peer"
+	"github.com/google/go-cmp/cmp"
 )

 // ClaimService builds and verifies OAuth2 session claims
@@ -14,7 +17,7 @@ type ClaimService interface {
 	BuildConsentSession(clientID string, userId string, peer *peer.Peer) Claims

 	// DecodeClaimsInToken verifies permissions from claims extracted from a JWT
-	DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error)
+	DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error)
 }

 // SessionClaims contains access_token and id_token claim maps
@@ -32,6 +35,88 @@ var t = map[string]ClaimService{
 	"hydra": HydraClaims{},
 }

+func cleanMap(m map[string]interface{}) map[string]interface{} {
+	if m == nil {
+		return map[string]interface{}{}
+	}
+
+	ignored := map[string]bool{
+		"exp": true,
+		"iat": true,
+		"nbf": true,
+	}
+
+	out := make(map[string]interface{})
+
+	for k, v := range m {
+		if ignored[k] {
+			continue
+		}
+
+		switch val := v.(type) {
+		case map[string]interface{}:
+			out[k] = cleanMap(val)
+		default:
+			out[k] = val
+		}
+	}
+
+	return out
+}
+
+func (c *Claims) EqualExt(ext map[string]interface{}) bool {
+	claims := &Claims{}
+	claims.SessionFromExt(ext)
+
+	return c.EqualClaims(claims)
+}
+
+func (c *Claims) EqualClaims(claims *Claims, permsKey ...string) bool {
+	c.normalizeClaims()
+	claims.normalizeClaims()
+
+	if len(permsKey) > 0 {
+		for _, p := range permsKey {
+			if !(claims.Session.AccessToken[p] != nil && c.Session.AccessToken[p] != nil && claims.Session.AccessToken[p] == c.Session.AccessToken[p]) {
+				return false
+			}
+		}
+		return true
+	}
+	ok := reflect.DeepEqual(c.Session, claims.Session)
+	if !ok {
+		fmt.Println(cmp.Diff(c.Session, claims.Session))
+	}
+	return ok
+}
+
+func (c *Claims) normalizeClaims() {
+	c.Session.AccessToken = cleanMap(c.Session.AccessToken)
+	c.Session.IDToken = cleanMap(c.Session.IDToken)
+}
+
+func (c *Claims) SessionFromExt(ext map[string]interface{}) {
+	var access map[string]interface{}
+	var id map[string]interface{}
+
+	if v, ok := ext["access_token"].(map[string]interface{}); ok && v != nil {
+		access = v
+	} else {
+		access = map[string]interface{}{}
+	}
+
+	if v, ok := ext["id_token"].(map[string]interface{}); ok && v != nil {
+		id = v
+	} else {
+		id = map[string]interface{}{}
+	}
+
+	c.Session = SessionClaims{
+		AccessToken: access,
+		IDToken:     id,
+	}
+}
+
 func GetClaims() ClaimService {
 	for k := range t {
 		if strings.Contains(conf.GetConfig().Auth, k) {
--- a/infrastructure/claims/hydra_claims.go
+++ b/infrastructure/claims/hydra_claims.go
@@ -81,22 +81,21 @@ func (h HydraClaims) clearBlank(path []string) []string {
 }

 // DecodeClaimsInToken verifies permissions from claims in a standard JWT (via introspection)
-func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
+func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error) {
 	logger := oclib.GetLogger()
 	idTokenClaims := sessionClaims.Session.IDToken

 	// Signature verification: skip if signature is empty (internal requests)
 	if sig, ok := idTokenClaims["signature"].(string); ok && sig != "" {
 		if ok, err := h.DecodeSignature(host, sig, publicKey); !ok {
-			return false, err
+			return false, "", err
 		}
 	}

 	claims := sessionClaims.Session.AccessToken
 	if claims == nil {
-		return false, errors.New("no access_token claims found")
+		return false, "", errors.New("no access_token claims found")
 	}
-
 	path := strings.ReplaceAll(forward, "http://"+host, "")
 	splittedPath := h.clearBlank(strings.Split(path, "/"))

@@ -105,11 +104,11 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 		if !ok {
 			continue
 		}
-		match := true
 		splittedP := h.clearBlank(strings.Split(pStr, "/"))
 		if len(splittedP) != len(splittedPath) {
 			continue
 		}
+		match := true
 		for i, v := range splittedP {
 			if strings.Contains(v, ":") { // is a param
 				continue
@@ -127,11 +126,11 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 				Relation: "permits" + strings.ToUpper(meth.String()),
 				Object:   pStr,
 			}
-			return perms_connectors.GetPermissionConnector("").CheckPermission(perm, nil, true), nil
+			return perms_connectors.GetPermissionConnector("").CheckPermission(perm, nil, true), m, nil
 		}
 	}
 	logger.Error().Msg("No permission found for " + method + " " + forward)
-	return false, errors.New("no permission found")
+	return false, "", errors.New("no permission found")
 }

 // BuildConsentSession builds the session payload for Hydra consent accept.
@@ -162,7 +161,9 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 		return c
 	}

-	c.Session.IDToken["username"] = userId
+	c.Session.AccessToken["peer_id"] = p.UUID
+
+	c.Session.IDToken["user_id"] = userId
 	c.Session.IDToken["peer_id"] = p.UUID
 	c.Session.IDToken["client_id"] = clientID

@@ -172,6 +173,13 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 		return c
 	}
 	c.Session.IDToken["groups"] = groups
+
+	roles, err := perms_connectors.KetoConnector{}.GetRoleByUser(userId)
+	if err != nil {
+		logger.Error().Msg("Failed to get roles for user " + userId + ": " + err.Error())
+		return c
+	}
+	c.Session.IDToken["roles"] = roles
 	c.Session.IDToken["signature"] = sign
 	return c
 }