INTERNAL ASK RULES
This commit is contained in:
parent
d33d2eb343
commit
2ca16c07b3
@ -149,11 +149,11 @@ func (o *OAuthController) InternalAuthForward() {
|
|||||||
} else {
|
} else {
|
||||||
reqToken = splitToken[1]
|
reqToken = splitToken[1]
|
||||||
}
|
}
|
||||||
origin, publicKey, _ := o.extractOrigin()
|
origin, publicKey, external := o.extractOrigin()
|
||||||
if !infrastructure.GetAuthConnector().CheckAuthForward( //reqToken != "" &&
|
if !infrastructure.GetAuthConnector().CheckAuthForward( //reqToken != "" &&
|
||||||
reqToken, publicKey, origin,
|
reqToken, publicKey, origin,
|
||||||
o.Ctx.Request.Header.Get("X-Forwarded-Method"),
|
o.Ctx.Request.Header.Get("X-Forwarded-Method"),
|
||||||
o.Ctx.Request.Header.Get("X-Forwarded-Uri")) && origin != "" && publicKey != "" {
|
o.Ctx.Request.Header.Get("X-Forwarded-Uri"), external) && origin != "" && publicKey != "" {
|
||||||
o.Ctx.ResponseWriter.WriteHeader(401)
|
o.Ctx.ResponseWriter.WriteHeader(401)
|
||||||
o.ServeJSON()
|
o.ServeJSON()
|
||||||
return
|
return
|
||||||
|
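Review bot: The guard on the new `if` still fails open when `origin` or `publicKey` is empty: `!CheckAuthForward(...) && origin != "" && publicKey != ""` only reaches the 401 when both are set, so a request that supplies neither skips the rejection and continues past the hunk (the rest of InternalAuthForward is outside the hunk, so whatever follows decides whether that matters). Deny-by-default reads `if origin == "" || publicKey == "" || !infrastructure.GetAuthConnector().CheckAuthForward(...) {`. The new `external` flag now steers the INTERNAL-key rejection in decodeKey, yet it is taken from `o.extractOrigin()`, which is not visible here; if it is derived from request headers such as Origin or Host, the caller controls it and the internal/external boundary is only as strong as that derivation. The stale `//reqToken != "" &&` fragment in the condition should either be restored as a real check or dropped.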
@ -12,7 +12,7 @@ type AuthConnector interface {
|
|||||||
Logout(token string, cookies ...*http.Cookie) (*Token, error)
|
Logout(token string, cookies ...*http.Cookie) (*Token, error)
|
||||||
Introspect(token string, cookie ...*http.Cookie) (bool, error)
|
Introspect(token string, cookie ...*http.Cookie) (bool, error)
|
||||||
Refresh(token *Token) (*Token, error)
|
Refresh(token *Token) (*Token, error)
|
||||||
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool
|
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool
|
||||||
}
|
}
|
||||||
|
|
||||||
type Token struct {
|
type Token struct {
|
||||||
|
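Review bot: The new `external bool` parameter on `CheckAuthForward` has no doc comment, and neither do the matching additions on `ClaimService.DecodeClaimsInToken` and `HydraClaims.DecodeClaimsInToken` further down, so the only place its meaning is stated is the `INTERNAL` check in `decodeKey`. A one-line comment above the method would carry it: `// CheckAuthForward reports whether reqToken may be forwarded to host/method/forward; external marks a request treated as coming from outside, for which keys tagged INTERNAL are refused (see HydraClaims.decodeKey).` The same sentence fits the two DecodeClaimsInToken signatures. Because the flag is a trailing positional bool, any call site that passes a `true`/`false` literal rather than a named variable should carry an inline name comment.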
@ -245,7 +245,7 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool {
|
func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool {
|
||||||
if forward == "" || method == "" {
|
if forward == "" || method == "" {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
@ -262,7 +262,7 @@ func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// ask keto for permission is in claims
|
// ask keto for permission is in claims
|
||||||
ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey)
|
ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey, external)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
fmt.Println("Failed to decode claims", err)
|
fmt.Println("Failed to decode claims", err)
|
||||||
}
|
}
|
||||||
|
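Review bot: The error from `DecodeClaimsInToken` is only printed with `fmt.Println("Failed to decode claims", err)` and execution continues with `ok`, whose value on the error path is not visible in this hunk, so the outcome of a failed decode depends on code outside it. An authorization decision that errors or is denied should be logged with the attributes a responder needs — host, method, forward and the new `external` flag — and never the token itself; `fmt.Printf("decode claims host=%q method=%q forward=%q external=%t: %v\n", host, method, forward, external, err)` keeps that without new imports. Note that after this commit `DecodeClaimsInToken` skips per-key decode errors with `continue` (later hunk), so this line no longer sees those; only top-level failures such as a missing signature reach it.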
@ -5,7 +5,7 @@ import "oc-auth/conf"
|
|||||||
// Tokenizer interface
|
// Tokenizer interface
|
||||||
type ClaimService interface {
|
type ClaimService interface {
|
||||||
AddClaimsToToken(userId string, host string) Claims
|
AddClaimsToToken(userId string, host string) Claims
|
||||||
DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error)
|
DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error)
|
||||||
}
|
}
|
||||||
|
|
||||||
// SessionClaims struct
|
// SessionClaims struct
|
||||||
|
@ -16,7 +16,7 @@ import (
|
|||||||
type HydraClaims struct{}
|
type HydraClaims struct{}
|
||||||
|
|
||||||
func (h HydraClaims) generateKey(relation string, path string) (string, error) {
|
func (h HydraClaims) generateKey(relation string, path string) (string, error) {
|
||||||
method, err := utils.ExtractMethod(relation, false)
|
method, err := utils.ExtractMethod(relation, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
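Review bot: The second argument to `utils.ExtractMethod` flips to `true` in `generateKey` while `decodeKey` still calls it with `false` (`meth, err := utils.ExtractMethod(s[0], false)` in a later hunk), and nothing in the diff says what the boolean selects. If it changes how the method string is normalised, the encoder and decoder of the same key now disagree and keys written by `AddClaimsToToken` may no longer decode; if the two directions are meant to differ, that deserves a comment. Proposed above the call: `// ExtractMethod(relation, true): <what true selects> — must stay consistent with decodeKey's ExtractMethod(s[0], false)`, with the placeholder filled in by the author.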
@ -25,11 +25,14 @@ func (h HydraClaims) generateKey(relation string, path string) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// decode key expect to extract method and path from key
|
// decode key expect to extract method and path from key
|
||||||
func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
|
func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string, error) {
|
||||||
s := strings.Split(key, "_")
|
s := strings.Split(key, "_")
|
||||||
if len(s) < 2 {
|
if len(s) < 2 {
|
||||||
return tools.GET, "", errors.New("invalid key")
|
return tools.GET, "", errors.New("invalid key")
|
||||||
}
|
}
|
||||||
|
if strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external {
|
||||||
|
return tools.GET, "", errors.New("external ask for internal key")
|
||||||
|
}
|
||||||
meth, err := utils.ExtractMethod(s[0], false)
|
meth, err := utils.ExtractMethod(s[0], false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return meth, "", err
|
return meth, "", err
|
||||||
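Review bot: The new gate `strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external` is a substring test, so any method token that merely contains "internal" is refused for external callers, while only `s[0]` is inspected. If the internal marker is a fixed token, `strings.EqualFold(s[0], "INTERNAL")` or `strings.HasPrefix(strings.ToUpper(s[0]), "INTERNAL")` states the rule precisely and documents which form is expected. This check is now the only enforcement of the internal/external boundary in the claim path and it is keyed entirely on the `external` bool handed down from the controller, so a short comment stating where that flag must come from would help the next reader. Returning `tools.GET` alongside the error is harmless only as long as every caller checks `err` first, as the `DecodeClaimsInToken` hunk does.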
@ -60,7 +63,7 @@ func (h HydraClaims) encodeSignature(host string) (string, error) {
|
|||||||
return SignDefault(hashed[:], spkiBlock.Bytes)
|
return SignDefault(hashed[:], spkiBlock.Bytes)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error) {
|
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
|
||||||
idTokenClaims := sessionClaims.Session.IDToken
|
idTokenClaims := sessionClaims.Session.IDToken
|
||||||
if idTokenClaims["signature"] == nil {
|
if idTokenClaims["signature"] == nil {
|
||||||
return false, errors.New("no signature found")
|
return false, errors.New("no signature found")
|
||||||
@ -81,9 +84,9 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
|
|||||||
if strings.Contains(v, ":") { // is a param
|
if strings.Contains(v, ":") { // is a param
|
||||||
continue
|
continue
|
||||||
} else if v != splittedPath[i] {
|
} else if v != splittedPath[i] {
|
||||||
meth, _, err := h.decodeKey(m)
|
meth, _, err := h.decodeKey(m, external)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, err
|
continue
|
||||||
}
|
}
|
||||||
perm := perms_connectors.Permission{
|
perm := perms_connectors.Permission{
|
||||||
Relation: "permits" + strings.ToLower(meth.String()),
|
Relation: "permits" + strings.ToLower(meth.String()),
|
||||||
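Review bot: Replacing `return false, err` with `continue` on the `h.decodeKey(m, external)` error turns every decode failure — including the new "external ask for internal key" rejection — into a silent skip, and `continue` here advances the inner segment loop (its `for` header is outside the hunk), so the same key is decoded and skipped again on each further mismatching segment. The caller only logs errors that are returned (`fmt.Println("Failed to decode claims", err)` in CheckAuthForward), so an external request that names an internal-only key now leaves no trace. If skipping is the intended semantics, keep the signal: `if err != nil { fmt.Printf("skip claim %q: %v\n", m, err); continue }`, or `break` out of the segment loop instead of re-decoding the same key. A comment on the `continue` naming the rule (`// an undecodable or internal-only key simply grants nothing`) would also stop the next reader from restoring the return.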
@ -99,14 +102,14 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
|
|||||||
// add claims to token method of HydraTokenizer
|
// add claims to token method of HydraTokenizer
|
||||||
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
|
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
|
||||||
claims := Claims{}
|
claims := Claims{}
|
||||||
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
|
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return claims
|
return claims
|
||||||
}
|
}
|
||||||
claims.Session.AccessToken = make(map[string]interface{})
|
claims.Session.AccessToken = make(map[string]interface{})
|
||||||
claims.Session.IDToken = make(map[string]interface{})
|
claims.Session.IDToken = make(map[string]interface{})
|
||||||
for _, perm := range perms {
|
for _, perm := range perms {
|
||||||
key, err := h.generateKey(perm.Relation, perm.Object)
|
key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Object)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
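Review bot: `strings.ReplaceAll(perm.Relation, "permits", "")` removes the word anywhere in the relation, not just the leading `permits` that `DecodeClaimsInToken` builds with `"permits" + strings.ToLower(meth.String())`; `strings.TrimPrefix(perm.Relation, "permits")` is the exact inverse of that construction and cannot alter a method name that happens to contain the substring. The `GetPermissionByUser(userId, true)` flag flip is unexplained in the diff; a trailing `// true: <what it selects>` comment would help. Separately, a failed `GetPermissionByUser` still returns an empty `Claims` with the error discarded, so a permission-store outage yields a token with no permissions rather than a visible failure — at minimum log the error before `return claims`.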