INTERNAL ASK RULES

This commit is contained in:
mr 2024-10-30 16:39:52 +01:00
parent d33d2eb343
commit 2ca16c07b3
5 changed files with 16 additions and 13 deletions


@ -149,11 +149,11 @@ func (o *OAuthController) InternalAuthForward() {
} else {
reqToken = splitToken[1]
}
origin, publicKey, _ := o.extractOrigin()
origin, publicKey, external := o.extractOrigin()
if !infrastructure.GetAuthConnector().CheckAuthForward( //reqToken != "" &&
reqToken, publicKey, origin,
o.Ctx.Request.Header.Get("X-Forwarded-Method"),
o.Ctx.Request.Header.Get("X-Forwarded-Uri")) && origin != "" && publicKey != "" {
o.Ctx.Request.Header.Get("X-Forwarded-Uri"), external) && origin != "" && publicKey != "" {
o.Ctx.ResponseWriter.WriteHeader(401)
o.ServeJSON()
return
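Review bot: The deny branch on the new line `o.Ctx.Request.Header.Get("X-Forwarded-Uri"), external) && origin != "" && publicKey != ""` still only fires when both origin and publicKey are non-empty, so a request for which extractOrigin() yields an empty origin or key skips the 401 here; unless a later check outside this hunk rejects that case, the condition should fail closed, e.g. `if origin == "" || publicKey == "" || !infrastructure.GetAuthConnector().CheckAuthForward(...)`. The `external` flag now decides whether INTERNAL-prefixed claim keys are honoured downstream, and extractOrigin() is outside the hunk, so it is worth stating in a comment that the flag is derived from something the client cannot set rather than from a request header. The leftover `//reqToken != "" &&` fragment should be deleted or turned back into a real condition. InternalAuthForward starts and ends outside the hunk.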


@ -12,7 +12,7 @@ type AuthConnector interface {
Logout(token string, cookies ...*http.Cookie) (*Token, error)
Introspect(token string, cookie ...*http.Cookie) (bool, error)
Refresh(token *Token) (*Token, error)
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool
}
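Review bot: The new `external bool` parameter on CheckAuthForward is undocumented, and the same applies to the parallel signatures of HydraConnector.CheckAuthForward, ClaimService.DecodeClaimsInToken and HydraClaims.DecodeClaimsInToken; the interface is the place to state its contract. A doc comment above the method such as `// CheckAuthForward reports whether reqToken permits method on forward for host; external marks a request from outside the platform, for which INTERNAL-prefixed claim keys are rejected.` would make the fail-closed behaviour visible to every implementer.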
type Token struct {


@ -245,7 +245,7 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
}
func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool {
func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool {
if forward == "" || method == "" {
return false
}
@ -262,7 +262,7 @@ func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host
}
}
// ask keto for permission is in claims
ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey)
ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey, external)
if err != nil {
fmt.Println("Failed to decode claims", err)
}
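Review bot: On the new line `ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey, external)` a non-nil error, which now includes the `external ask for internal key` rejection, is only printed with fmt.Println and execution falls through; the function continues outside the hunk, so if `ok` is used afterwards the deny depends on DecodeClaimsInToken returning false alongside the error. Returning explicitly, `if err != nil { fmt.Println("Failed to decode claims", err); return false }`, makes the fail-closed path independent of the callee's return convention. Including host, method and forward in that log line would also make rejected external-to-internal requests traceable.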


@ -5,7 +5,7 @@ import "oc-auth/conf"
// Tokenizer interface
type ClaimService interface {
AddClaimsToToken(userId string, host string) Claims
DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error)
DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error)
}
// SessionClaims struct


@ -16,7 +16,7 @@ import (
type HydraClaims struct{}
func (h HydraClaims) generateKey(relation string, path string) (string, error) {
method, err := utils.ExtractMethod(relation, false)
method, err := utils.ExtractMethod(relation, true)
if err != nil {
return "", err
}
@ -25,11 +25,14 @@ func (h HydraClaims) generateKey(relation string, path string) (string, error) {
}
// decode key expect to extract method and path from key
func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string, error) {
s := strings.Split(key, "_")
if len(s) < 2 {
return tools.GET, "", errors.New("invalid key")
}
if strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external {
return tools.GET, "", errors.New("external ask for internal key")
}
meth, err := utils.ExtractMethod(s[0], false)
if err != nil {
return meth, "", err
@ -60,7 +63,7 @@ func (h HydraClaims) encodeSignature(host string) (string, error) {
return SignDefault(hashed[:], spkiBlock.Bytes)
}
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error) {
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
idTokenClaims := sessionClaims.Session.IDToken
if idTokenClaims["signature"] == nil {
return false, errors.New("no signature found")
@ -81,9 +84,9 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
if strings.Contains(v, ":") { // is a param
continue
} else if v != splittedPath[i] {
meth, _, err := h.decodeKey(m)
meth, _, err := h.decodeKey(m, external)
if err != nil {
return false, err
continue
}
perm := perms_connectors.Permission{
Relation: "permits" + strings.ToLower(meth.String()),
@ -99,14 +102,14 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
// add claims to token method of HydraTokenizer
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
claims := Claims{}
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
if err != nil {
return claims
}
claims.Session.AccessToken = make(map[string]interface{})
claims.Session.IDToken = make(map[string]interface{})
for _, perm := range perms {
key, err := h.generateKey(perm.Relation, perm.Object)
key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Object)
if err != nil {
continue
}
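Review bot: In decodeKey the new guard `if strings.Contains(strings.ToUpper(s[0]), "INTERNAL") && external` returns an error, and at the call site `meth, _, err := h.decodeKey(m, external)` DecodeClaimsInToken answers with `return false, err`, so a single INTERNAL-prefixed key in the session appears to deny the whole external request even when another key would permit it; if that fail-closed behaviour is intended, a comment saying so belongs on the guard, otherwise the call site should skip the key instead of returning. The `continue` immediately after `return false, err` is unreachable and should either be removed or become the skip. The guard matches `INTERNAL` as a substring of the first `_` segment, so a comment describing the expected key format (`<method>_<path>`, with internal methods carrying an INTERNAL prefix, if that is the convention) would pin down what it is meant to catch. generateKey now calls `utils.ExtractMethod(relation, true)` while decodeKey still calls `utils.ExtractMethod(s[0], false)`; the meaning of that flag is not visible here, so a short comment on why the two sides differ would help the next reader. The loop in DecodeClaimsInToken that contains the call site starts and ends outside the hunk.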