INTERNAL ASK RULES
		| @@ -12,7 +12,7 @@ type AuthConnector interface { | ||||
| 	Logout(token string, cookies ...*http.Cookie) (*Token, error) | ||||
| 	Introspect(token string, cookie ...*http.Cookie) (bool, error) | ||||
| 	Refresh(token *Token) (*Token, error) | ||||
| 	CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool | ||||
| 	CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool | ||||
| } | ||||
|  | ||||
| type Token struct { | ||||
|   | ||||
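Review bot: The new `external bool` parameter on CheckAuthForward carries no doc comment, yet it is the value that decides whether keys whose method segment contains INTERNAL are accepted (decodeKey rejects them when it is true), so the interface line deserves a sentence saying who sets it; the same gap exists on DecodeClaimsInToken in the ClaimService hunk. The enclosing AuthConnector interface starts before this hunk. A comment of the form `// external marks a caller that must not satisfy INTERNAL_* keys; such keys are rejected in decodeKey.` placed above the method would make the contract visible at the interface rather than only in the implementation.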
| @@ -245,7 +245,7 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string { | ||||
|  | ||||
| } | ||||
|  | ||||
| func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool { | ||||
| func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool { | ||||
| 	if forward == "" || method == "" { | ||||
| 		return false | ||||
| 	} | ||||
| @@ -262,7 +262,7 @@ func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host | ||||
| 		} | ||||
| 	} | ||||
| 	// ask keto for permission is in claims | ||||
| 	ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey) | ||||
| 	ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey, external) | ||||
| 	if err != nil { | ||||
| 		fmt.Println("Failed to decode claims", err) | ||||
| 	} | ||||
|   | ||||
| @@ -5,7 +5,7 @@ import "oc-auth/conf" | ||||
| // Tokenizer interface | ||||
| type ClaimService interface { | ||||
| 	AddClaimsToToken(userId string, host string) Claims | ||||
| 	DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error) | ||||
| 	DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) | ||||
| } | ||||
|  | ||||
| // SessionClaims struct | ||||
|   | ||||
| @@ -16,7 +16,7 @@ import ( | ||||
| type HydraClaims struct{} | ||||
|  | ||||
| func (h HydraClaims) generateKey(relation string, path string) (string, error) { | ||||
| 	method, err := utils.ExtractMethod(relation, false) | ||||
| 	method, err := utils.ExtractMethod(relation, true) | ||||
| 	if err != nil { | ||||
| 		return "", err | ||||
| 	} | ||||
| @@ -25,11 +25,14 @@ func (h HydraClaims) generateKey(relation string, path string) (string, error) { | ||||
| } | ||||
|  | ||||
| // decode key expect to extract method and path from key | ||||
| func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) { | ||||
| func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string, error) { | ||||
| 	s := strings.Split(key, "_") | ||||
| 	if len(s) < 2 { | ||||
| 		return tools.GET, "", errors.New("invalid key") | ||||
| 	} | ||||
| 	if strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external { | ||||
| 		return tools.GET, "", errors.New("external ask for internal key") | ||||
| 	} | ||||
| 	meth, err := utils.ExtractMethod(s[0], false) | ||||
| 	if err != nil { | ||||
| 		return meth, "", err | ||||
| @@ -60,7 +63,7 @@ func (h HydraClaims) encodeSignature(host string) (string, error) { | ||||
| 	return SignDefault(hashed[:], spkiBlock.Bytes) | ||||
| } | ||||
|  | ||||
| func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error) { | ||||
| func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) { | ||||
| 	idTokenClaims := sessionClaims.Session.IDToken | ||||
| 	if idTokenClaims["signature"] == nil { | ||||
| 		return false, errors.New("no signature found") | ||||
| @@ -81,9 +84,9 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str | ||||
| 			if strings.Contains(v, ":") { // is a param | ||||
| 				continue | ||||
| 			} else if v != splittedPath[i] { | ||||
| 				meth, _, err := h.decodeKey(m) | ||||
| 				meth, _, err := h.decodeKey(m, external) | ||||
| 				if err != nil { | ||||
| 					return false, err | ||||
| 					continue | ||||
| 				} | ||||
| 				perm := perms_connectors.Permission{ | ||||
| 					Relation: "permits" + strings.ToLower(meth.String()), | ||||
| @@ -99,14 +102,14 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str | ||||
| // add claims to token method of HydraTokenizer | ||||
| func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims { | ||||
| 	claims := Claims{} | ||||
| 	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false) | ||||
| 	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true) | ||||
| 	if err != nil { | ||||
| 		return claims | ||||
| 	} | ||||
| 	claims.Session.AccessToken = make(map[string]interface{}) | ||||
| 	claims.Session.IDToken = make(map[string]interface{}) | ||||
| 	for _, perm := range perms { | ||||
| 		key, err := h.generateKey(perm.Relation, perm.Object) | ||||
| 		key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Object) | ||||
| 		if err != nil { | ||||
| 			continue | ||||
| 		} | ||||
|   | ||||
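Review bot: The `continue` that replaces `return false, err` in DecodeClaimsInToken (hunk `@@ -81,9 +84,9`) silently drops every decodeKey error, including the new `external ask for internal key` rejection, so an external caller presenting an internal key is no longer denied at that point but merely skipped; whether the request is ultimately refused depends on what the loop returns after the last key, which lies outside this hunk and should be confirmed to be fail-closed. The dropped error is also worth logging before the `continue`, so a malformed key and a rejected internal key remain distinguishable in the audit trail. In AddClaimsToToken, `strings.ReplaceAll(perm.Relation, "permits", "")` strips every occurrence of the substring rather than the leading `permits` that DecodeClaimsInToken prepends to the relation; `strings.TrimPrefix(perm.Relation, "permits")` matches that intent exactly. The flipped boolean arguments to `utils.ExtractMethod` and `GetPermissionByUser` are not explained here; a short comment naming what `true` selects would help the next reader.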