diff --git a/controllers/oauth2.go b/controllers/oauth2.go
index a5252b4..04fc5b3 100644
--- a/controllers/oauth2.go
+++ b/controllers/oauth2.go
@@ -149,11 +149,11 @@ func (o *OAuthController) InternalAuthForward() {
 } else {
 reqToken = splitToken[1]
 }
- origin, publicKey, _ := o.extractOrigin()
+ origin, publicKey, external := o.extractOrigin()
 if !infrastructure.GetAuthConnector().CheckAuthForward( //reqToken != "" &&
 reqToken, publicKey, origin,
 o.Ctx.Request.Header.Get("X-Forwarded-Method"),
- o.Ctx.Request.Header.Get("X-Forwarded-Uri")) && origin != "" && publicKey != "" {
+ o.Ctx.Request.Header.Get("X-Forwarded-Uri"), external) && origin != "" && publicKey != "" {
 o.Ctx.ResponseWriter.WriteHeader(401)
 o.ServeJSON()
 return
diff --git a/infrastructure/auth_connector/auth_connector.go b/infrastructure/auth_connector/auth_connector.go
index daf382f..69920d2 100644
--- a/infrastructure/auth_connector/auth_connector.go
+++ b/infrastructure/auth_connector/auth_connector.go
@@ -12,7 +12,7 @@ type AuthConnector interface {
 Logout(token string, cookies ...*http.Cookie) (*Token, error)
 Introspect(token string, cookie ...*http.Cookie) (bool, error)
 Refresh(token *Token) (*Token, error)
- CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool
+ CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool
 }
 
 type Token struct {
diff --git a/infrastructure/auth_connector/hydra_connector.go b/infrastructure/auth_connector/hydra_connector.go
index 0723c38..12a4793 100644
--- a/infrastructure/auth_connector/hydra_connector.go
+++ b/infrastructure/auth_connector/hydra_connector.go
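Review bot: The rewritten condition on the `+` line is fail-open: when `extractOrigin()` yields an empty `origin` or `publicKey`, the trailing `&& origin != "" && publicKey != ""` short-circuits the whole test and the request is forwarded without CheckAuthForward's verdict ever mattering. Unless extractOrigin is guaranteed to populate both for every request (not visible here), I'd invert the guard so that missing identity data denies: `if origin == "" || publicKey == "" || !infrastructure.GetAuthConnector().CheckAuthForward(reqToken, publicKey, origin, o.Ctx.Request.Header.Get("X-Forwarded-Method"), o.Ctx.Request.Header.Get("X-Forwarded-Uri"), external) {`. The same scrutiny applies to the new `external` value: it now decides whether INTERNAL-prefixed claim keys are honoured, so it must not be derivable from a client-controlled header; a comment at the call site stating where extractOrigin takes it from would make that reviewable. InternalAuthForward starts before this hunk.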
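Review bot: The `external` parameter added to CheckAuthForward is undocumented, and this interface is the one place every implementation reads its meaning from. In the Hydra implementation it is forwarded to DecodeClaimsInToken, where it causes claim keys whose method segment contains `INTERNAL` to be rejected, so I'd pin that contract here: `// CheckAuthForward ... external marks a request that arrived from outside; when true, claim keys with an INTERNAL method are not honoured and only non-internal permissions can authorise the call.` The rest of the interface is outside this hunk.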
@@ -245,7 +245,7 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
 }
 
-func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool {
+func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool {
 if forward == "" || method == "" {
 return false
 }
 
@@ -262,7 +262,7 @@ func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host
 }
 }
 // ask keto for permission is in claims
- ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey)
+ ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey, external)
 if err != nil {
 fmt.Println("Failed to decode claims", err)
 }
diff --git a/infrastructure/claims/claims.go b/infrastructure/claims/claims.go
index 5bade17..bca9ee9 100644
--- a/infrastructure/claims/claims.go
+++ b/infrastructure/claims/claims.go
@@ -5,7 +5,7 @@ import "oc-auth/conf"
 // Tokenizer interface
 type ClaimService interface {
 AddClaimsToToken(userId string, host string) Claims
- DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error)
+ DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error)
 }
 
 // SessionClaims struct
diff --git a/infrastructure/claims/hydra_claims.go b/infrastructure/claims/hydra_claims.go
index d6977fc..afd658c 100644
--- a/infrastructure/claims/hydra_claims.go
+++ b/infrastructure/claims/hydra_claims.go
@@ -16,7 +16,7 @@ import (
 type HydraClaims struct{}
 
 func (h HydraClaims) generateKey(relation string, path string) (string, error) {
- method, err := utils.ExtractMethod(relation, false)
+ method, err := utils.ExtractMethod(relation, true)
 if err != nil {
 return "", err
 }
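Review bot: After `fmt.Println("Failed to decode claims", err)` the function keeps going instead of denying explicitly, so the outcome on an error path depends on DecodeClaimsInToken always returning `false` alongside its error; the hydra_claims.go hunk in this same change turns some of those error returns into `continue`, which makes that dependency more fragile. A fail-closed return inside the branch removes it: `if err != nil { fmt.Println("Failed to decode claims", err); return false }`. `fmt.Println` to stdout also carries no request context for what is an authorization failure; the project's logger would be the better sink. The body of CheckAuthForward continues outside this hunk.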
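Review bot: generateKey now calls `utils.ExtractMethod(relation, true)` while decodeKey, in the next hunk of the same file, still calls `utils.ExtractMethod(s[0], false)`; if that second argument changes the method form that is produced or accepted, a key written by generateKey may no longer round-trip through decodeKey. I cannot see ExtractMethod, so this is a question rather than a finding, but the asymmetry deserves a comment naming what the flag selects, e.g. `// true: <meaning> — keep in step with decodeKey`, and a unit test that feeds generateKey's output into decodeKey. generateKey's body continues past the hunk.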
@@ -25,11 +25,14 @@ func (h HydraClaims) generateKey(relation string, path string) (string, error) {
 }
 
 // decode key expect to extract method and path from key
-func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
+func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string, error) {
 s := strings.Split(key, "_")
 if len(s) < 2 {
 return tools.GET, "", errors.New("invalid key")
 }
+ if strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external {
+ return tools.GET, "", errors.New("external ask for internal key")
+ }
 meth, err := utils.ExtractMethod(s[0], false)
 if err != nil {
 return meth, "", err
@@ -60,7 +63,7 @@ func (h HydraClaims) encodeSignature(host string) (string, error) {
 return SignDefault(hashed[:], spkiBlock.Bytes)
 }
 
-func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error) {
+func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
 idTokenClaims := sessionClaims.Session.IDToken
 if idTokenClaims["signature"] == nil {
 return false, errors.New("no signature found")
@@ -81,9 +84,9 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 if strings.Contains(v, ":") { // is a param
 continue
 } else if v != splittedPath[i] {
- meth, _, err := h.decodeKey(m)
+ meth, _, err := h.decodeKey(m, external)
 if err != nil {
- return false, err
+ continue
 }
 perm := perms_connectors.Permission{
 Relation: "permits" + strings.ToLower(meth.String()),
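Review bot: The new gate rejects internal keys for external callers with an ad-hoc `errors.New`, which the only caller in this change (DecodeClaimsInToken, later in this file) cannot tell apart from `"invalid key"` or an ExtractMethod failure. Make it a package-level sentinel so callers can `errors.Is` it: `var errInternalKey = errors.New("external caller requested internal key")` and `return tools.GET, "", errInternalKey`. The match is also a substring test on the upper-cased method segment, so any method token that merely contains INTERNAL is treated as internal; if generateKey emits a fixed prefix, `strings.HasPrefix` is the tighter check. decodeKey's body continues past the hunk.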
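Review bot: Replacing `return false, err` with `continue` makes every decodeKey failure silent, not just the new external-asks-for-internal case: a malformed key in the ID token (`"invalid key"`, or an ExtractMethod error) is now skipped without any log or signal, whereas before it failed the whole check. Skipping is only the right behaviour for the internal-key rejection, so I'd `continue` solely on that error and keep failing closed otherwise, using a sentinel declared next to decodeKey: `if errors.Is(err, errInternalKey) { continue }` followed by `return false, err`. The rest of the loop and the final decision are outside this hunk, so whether a skipped key ends in a deny or an allow is not visible here.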
@@ -99,14 +102,14 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 // add claims to token method of HydraTokenizer
 func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
 claims := Claims{}
- perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
+ perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
 if err != nil {
 return claims
 }
 claims.Session.AccessToken = make(map[string]interface{})
 claims.Session.IDToken = make(map[string]interface{})
 for _, perm := range perms {
- key, err := h.generateKey(perm.Relation, perm.Object)
+ key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Object)
 if err != nil {
 continue
 }
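Review bot: `strings.ReplaceAll(perm.Relation, "permits", "")` strips every occurrence of the substring, not just the leading `permits` that DecodeClaimsInToken prepends when it rebuilds a relation as `"permits" + strings.ToLower(meth.String())`; a relation containing that word anywhere else would be mangled into a key that no longer round-trips. `strings.TrimPrefix(perm.Relation, "permits")` is the exact inverse of that concatenation. The flip of GetPermissionByUser's second argument to `true` is also unexplained, and a Keto error silently yields a token with no claims; a one-line comment on what the flag selects, plus a log line before `return claims`, would make both intentional. The loop body continues past the hunk.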