auth

Dockerfile

@@ -10,9 +10,6 @@ RUN go mod download
 
 FROM golang:alpine AS builder
 
-ARG HOSTNAME=http://localhost
-ARG NAME=local
-
 RUN apk add git
 
 RUN go install github.com/beego/bee/v2@latest

Makefile

@@ -1,22 +1,18 @@
 .DEFAULT_GOAL := all
 
-
 build: clean
 	bee pack
 
-hydra:
-	docker compose -f ./ldap-hydra/docker-compose.yml up -d
-
-keto:
-	docker compose -f ./keto/docker-compose.yml up -d
-
 run:
 	bee run -gendoc=true -downdoc=true
 
-run-dev: 
-	bee generate routers && HTTPPORT=8094 bee run -gendoc=true -downdoc=true
+purge:
+	lsof -t -i:8094 | xargs kill | true
 
-dev: hydra keto run-dev
+run-dev:
+	bee generate routers && bee run -gendoc=true -downdoc=true -runmode=prod
+
+dev: purge run-dev
 
 debug:
 	bee run -downdebug -gendebug
@@ -36,4 +32,4 @@ publish-registry:
 
 all: docker publish-kind publish-registry
 
-.PHONY: build run clean docker publish-kind publish-registry
+.PHONY: build run clean docker publish-kind publish-registry

auth.json

@@ -1,9 +1,7 @@
 {
-    "port": 8080,
     "MONGO_URL":"mongodb://localhost:27017/", 
     "MONGO_DATABASE":"DC_myDC",
-    "natsurl":"http://localhost:4080", 
-    "login":"admin", 
-    "password":"admin",
-    "oidcserver":"http://localhost:8080"
+    "NATS_URL": "nats://localhost:4222",
+    "LDAP_ENDPOINTS": "localhost:390",
+    "port": 8094
 }

conf/app.conf

@@ -1,5 +1,5 @@
 appname = oc-auth
-httpport = 8080
+httpport = 8094
 runmode = dev
 autorender = false
 copyrequestbody = true

conf/config.go

@@ -24,9 +24,12 @@ type Config struct {
 	AuthConnectorPort      int
 	AuthConnectorAdminPort int
 
-	PermissionConnectorHost      string
+	PermissionConnectorWriteHost string
+	PermissionConnectorReadHost  string
 	PermissionConnectorPort      int
 	PermissionConnectorAdminPort int
+
+	Local bool
 }
 
 var instance *Config

controllers/oauth2.go

@@ -8,8 +8,10 @@ import (
 	"oc-auth/conf"
 	"oc-auth/infrastructure"
 	auth_connectors "oc-auth/infrastructure/auth_connector"
+	"oc-auth/infrastructure/claims"
 	"regexp"
 	"strings"
+	"time"
 
 	oclib "cloud.o-forge.io/core/oc-lib"
 	model "cloud.o-forge.io/core/oc-lib/models/peer"
@@ -40,11 +42,15 @@ func (o *OAuthController) LogOut() {
 	var res auth_connectors.Token
 	json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)
 
-	token, err := infrastructure.GetAuthConnector().Logout(clientID, reqToken)
-	if err != nil || token == nil {
-		o.Data["json"] = err
+	if !conf.GetConfig().Local {
+		token, err := infrastructure.GetAuthConnector().Logout(clientID, reqToken)
+		if err != nil || token == nil {
+			o.Data["json"] = err
+		} else {
+			o.Data["json"] = token
+		}
 	} else {
-		o.Data["json"] = token
+		o.Data["json"] = reqToken
 	}
 	o.ServeJSON()
 }
@@ -57,14 +63,13 @@ func (o *OAuthController) LogOut() {
 // @router /login [post]
 func (o *OAuthController) Login() {
 	// authorize user
-	fmt.Println("Login", o.Ctx.Input.Query("client_id"), o.Ctx.Input.Param(":client_id"))
 	clientID := o.Ctx.Input.Query("client_id")
 	var res auth_connectors.Token
 	json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)
+
 	if conf.GetConfig().SourceMode == "ldap" {
 		ldap := auth_connectors.New()
 		found, err := ldap.Authenticate(o.Ctx.Request.Context(), res.Username, res.Password)
-		fmt.Println("found", found, "err", err)
 		if err != nil || !found {
 			o.Data["json"] = err
 			o.Ctx.ResponseWriter.WriteHeader(401)
@@ -72,18 +77,44 @@ func (o *OAuthController) Login() {
 			return
 		}
 	}
-	token, err := infrastructure.GetAuthConnector().Login(
-		clientID, res.Username,
-		&http.Cookie{ // open a session
-			Name:  "csrf_token",
-			Value: o.XSRFToken(),
-		})
-	fmt.Println("token", token, "err", err)
-	if err != nil || token == nil {
-		o.Data["json"] = err
-		o.Ctx.ResponseWriter.WriteHeader(401)
+	if !conf.GetConfig().Local {
+		token, err := infrastructure.GetAuthConnector().Login(
+			clientID, res.Username,
+			&http.Cookie{ // open a session
+				Name:  "csrf_token",
+				Value: o.XSRFToken(),
+			})
+		if err != nil || token == nil {
+			o.Data["json"] = err
+			o.Ctx.ResponseWriter.WriteHeader(401)
+		} else {
+			o.Data["json"] = token
+		}
 	} else {
-		o.Data["json"] = token
+		t := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(
+			nil, fmt.Sprintf("%v", model.SELF.EnumIndex()), false)
+		if t.Err == "" && len(t.Data) > 0 {
+			token := &auth_connectors.Token{
+				Username:    res.Username,
+				Password:    res.Password,
+				TokenType:   "Bearer",
+				Active:      true,
+				ExpiresIn:   3600,
+				AccessToken: "localtoken",
+			}
+			now := time.Now().UTC()
+			now = now.Add(time.Duration(token.ExpiresIn) * time.Second)
+			unix := now.Unix()
+			c := claims.GetClaims().AddClaimsToToken(clientID, res.Username, t.Data[0].(*model.Peer))
+			c.Session.AccessToken["exp"] = unix
+			b, _ := json.Marshal(c)
+			token.AccessToken = token.AccessToken + "." + base64.StdEncoding.EncodeToString(b)
+			o.Data["json"] = token
+
+		} else {
+			o.Data["json"] = t.Err
+			o.Ctx.ResponseWriter.WriteHeader(401)
+		}
 	}
 	o.ServeJSON()
 }
@@ -99,12 +130,16 @@ func (o *OAuthController) Refresh() {
 	var token auth_connectors.Token
 	json.Unmarshal(o.Ctx.Input.CopyBody(100000), &token)
 	// refresh token
-	newToken, err := infrastructure.GetAuthConnector().Refresh(clientID, &token)
-	if err != nil || newToken == nil {
-		o.Data["json"] = err
-		o.Ctx.ResponseWriter.WriteHeader(401)
+	if !conf.GetConfig().Local {
+		newToken, err := infrastructure.GetAuthConnector().Refresh(clientID, &token)
+		if err != nil || newToken == nil {
+			o.Data["json"] = err
+			o.Ctx.ResponseWriter.WriteHeader(401)
+		} else {
+			o.Data["json"] = newToken
+		}
 	} else {
-		o.Data["json"] = newToken
+		o.Data["json"] = token
 	}
 	o.ServeJSON()
 }
@@ -122,11 +157,12 @@ func (o *OAuthController) Introspect() {
 	} else {
 		reqToken = splitToken[1]
 	}
-
-	token, err := infrastructure.GetAuthConnector().Introspect(reqToken)
-	if err != nil || !token {
-		o.Data["json"] = err
-		o.Ctx.ResponseWriter.WriteHeader(401)
+	if !conf.GetConfig().Local {
+		token, err := infrastructure.GetAuthConnector().Introspect(reqToken)
+		if err != nil || !token {
+			o.Data["json"] = err
+			o.Ctx.ResponseWriter.WriteHeader(401)
+		}
 	}
 	o.ServeJSON()
 }
@@ -142,7 +178,7 @@ var whitelist = []string{
 // @Param	Authorization		header  string	false "auth token"
 // @Success 200 {string}
 // @router /forward [get]
-func (o *OAuthController) InternaisDraftlAuthForward() {
+func (o *OAuthController) InternalAuthForward() {
 	fmt.Println("InternalAuthForward")
 	reqToken := o.Ctx.Request.Header.Get("Authorization")
 	if reqToken == "" {

controllers/version.go

@@ -14,7 +14,10 @@ type VersionController struct {
 // @Success 200
 // @router / [get]
 func (c *VersionController) GetAll() {
-	c.Data["json"] = map[string]string{"version": "1"}
+	c.Data["json"] = map[string]string{
+		"service": "oc-auth",
+		"version": "1",
+	}
 	c.ServeJSON()
 }
 
@@ -23,6 +26,9 @@ func (c *VersionController) GetAll() {
 // @Success 200
 // @router /discovery [get]
 func (c *VersionController) Get() {
-	c.Data["json"] = map[string]string{"version": "1"}
+	c.Data["json"] = map[string]string{
+		"service": "oc-auth",
+		"version": "1",
+	}
 	c.ServeJSON()
 }

docker-compose-2.yml

@@ -1,21 +0,0 @@
-version: '3.4'
-
-services:
-  oc-auth-2:
-    image: 'oc-auth-2:latest'
-    ports:
-      - 8095:8080
-    container_name: oc-auth-2
-    environment:
-          LDAP_ENDPOINTS: ldap-2:389
-          LDAP_BINDDN: cn=admin,dc=example,dc=com
-          LDAP_BINDPW: password
-          LDAP_BASEDN: "dc=example,dc=com"
-          LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
-    networks: 
-      - catalog
-    volumes:
-      - ./pem:/etc/oc/pem
-networks: 
-  catalog:
-    external: true

docker-compose.yml

@@ -1,20 +1,6 @@
 version: '3.4'
 
 services:
-  traefik:
-    image: traefik:v2.10.4
-    container_name: traefik
-    restart: unless-stopped
-    networks:
-      - catalog
-    command:
-      - "--api.insecure=true"
-      - "--providers.docker=true"
-      - "--entrypoints.web.address=:8000"
-    ports:
-      - "8000:8000"  # Expose Traefik on port 8000    
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
   oc-auth:
     image: 'oc-auth:latest'
     ports:
@@ -36,9 +22,10 @@ services:
           LDAP_BASEDN: "dc=example,dc=com"
           LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
     networks: 
-      - catalog
+      - oc
     volumes:
-      - ./pem:/etc/oc/pem
+      - ./pem/private.pem:/keys/private/private.pem
+      - ./pem/public.pem:/keys/public/public.pem
 networks: 
-  catalog:
+  oc:
     external: true

docker_auth.json

@@ -2,10 +2,10 @@
     "MONGO_URL":"mongodb://mongo:27017/", 
     "MONGO_DATABASE":"DC_myDC",
     "NATS_URL": "nats://nats:4222",
-    "PORT" : 8080,
     "AUTH_CONNECTOR_HOST": "hydra",
     "AUTH_CONNECTOR_PUBLIC_HOST": "hydra",
-    "PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
-    "PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
-    "LDAP_ENDPOINTS": "ldap:389"
+    "PRIVATE_KEY_PATH": "/keys/private/private.pem",
+    "PUBLIC_KEY_PATH": "/keys/public/public.pem",
+    "LDAP_ENDPOINTS": "ldap:389",
+    "LOCAL": false
 }

infrastructure/auth_connector/auth_connector.go

@@ -3,6 +3,7 @@ package auth_connectors
 import (
 	"net/http"
 	"oc-auth/conf"
+	"strings"
 
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
@@ -37,5 +38,10 @@ var a = map[string]AuthConnector{
 }
 
 func GetAuthConnector() AuthConnector {
-	return a[conf.GetConfig().Auth]
+	for k := range a {
+		if strings.Contains(conf.GetConfig().Auth, k) {
+			return a[k]
+		}
+	}
+	return nil
 }

infrastructure/auth_connector/hydra_connector.go

@@ -32,6 +32,9 @@ func (a HydraConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
 	host := conf.GetConfig().AuthConnectorHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
@@ -68,6 +71,7 @@ func (a HydraConnector) challenge(username string, url string, challenge string,
 	resp, err := a.Caller.CallRaw(http.MethodPut,
 		a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1],
 		body, "application/json", true, cookies...) // "remember": true, "subject": username
+	fmt.Println(a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1], resp, err)
 	if err != nil {
 		return nil, s[1], cookies, err
 	}
@@ -138,11 +142,11 @@ func (a HydraConnector) getClient(clientID string) string {
 }
 
 func (a HydraConnector) Login(clientID string, username string, cookies ...*http.Cookie) (t *Token, err error) {
-	fmt.Println("login", clientID, username)
 	clientID = a.getClient(clientID)
 	redirect, _, cookies, err := a.tryLog(username, a.getPath(false, true),
 		"/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State,
 		"login", cookies...)
+	fmt.Println("login", clientID, username, a.getPath(false, true), redirect, err)
 	if err != nil || redirect == nil {
 		return nil, err
 	}
@@ -190,7 +194,6 @@ func (a HydraConnector) Login(clientID string, username string, cookies ...*http
 	unix := now.Unix()
 
 	c := claims.GetClaims().AddClaimsToToken(clientID, username, pp.Data[0].(*peer.Peer))
-	fmt.Println("claims", c.Session.AccessToken)
 	c.Session.AccessToken["exp"] = unix
 
 	b, _ = json.Marshal(c)
@@ -250,6 +253,9 @@ func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool,
 
 func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
 	host := conf.GetConfig().AuthConnectorHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	if isAdmin {
 		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"

infrastructure/auth_connector/ldap.go

@@ -228,7 +228,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPC
 		// It's sufficient to compare the DN's suffix with the base DN.
 		n, k := len(roleDN), len(cli.RoleBaseDN)
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
-			panic("You should never see that")
+			return nil, errors.New("You should never see that")
 		}
 		// The DN without the role's base DN must contain a CN and OU
 		// where the CN is for uniqueness only, and the OU is an application id.
@@ -322,7 +322,7 @@ func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, er
 		// It's sufficient to compare the DN's suffix with the base DN.
 		n, k := len(roleDN), len(cli.RoleBaseDN)
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
-			panic("You should never see that")
+			return nil, errors.New("You should never see that")
 		}
 		// The DN without the role's base DN must contain a CN and OU
 		// where the CN is for uniqueness only, and the OU is an application id.

infrastructure/claims/claims.go

@@ -2,6 +2,7 @@ package claims
 
 import (
 	"oc-auth/conf"
+	"strings"
 
 	"cloud.o-forge.io/core/oc-lib/models/peer"
 )
@@ -28,5 +29,10 @@ var t = map[string]ClaimService{
 }
 
 func GetClaims() ClaimService {
-	return t[conf.GetConfig().Auth]
+	for k := range t {
+		if strings.Contains(conf.GetConfig().Auth, k) {
+			return t[k]
+		}
+	}
+	return nil
 }

infrastructure/perms_connectors/keto_connector.go

@@ -56,7 +56,10 @@ func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission
 func (k KetoConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorReadHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
@@ -217,7 +220,10 @@ func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Perm
 func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
 	t := []Permission{}
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorReadHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery(
 		Permission{Object: object, Relation: relation, Subject: subject}, nil))
@@ -344,7 +350,10 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 		}
 		body["subject_set"] = map[string]interface{}{"namespace": k.namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject}
 	}
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorWriteHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
 	b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
 	if err != nil {
@@ -355,6 +364,7 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 	var data map[string]interface{}
 	err = json.Unmarshal(b, &data)
 	if err != nil {
+		fmt.Println(string(b), err)
 		log := oclib.GetLogger()
 		log.Error().Msg("createRelationShip2" + err.Error())
 		return nil, 500, err
@@ -382,7 +392,10 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
 	}
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorWriteHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
 	b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
 	if err != nil {

infrastructure/perms_connectors/perms_connector.go

@@ -2,6 +2,7 @@ package perms_connectors
 
 import (
 	"oc-auth/conf"
+	"strings"
 
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
@@ -55,5 +56,10 @@ var c = map[string]PermConnector{
 }
 
 func GetPermissionConnector(scope string) PermConnector {
-	return c[conf.GetConfig().PermissionConnectorHost]
+	for k := range c {
+		if strings.Contains(conf.GetConfig().PermissionConnectorReadHost, k) {
+			return c[k]
+		}
+	}
+	return nil
 }

keto/docker-compose.yml

@@ -1,21 +0,0 @@
-version: '3.4'
-
-services:
-  keto:
-    image: oryd/keto:v0.7.0-alpha.1-sqlite
-    ports:
-      - "4466:4466"
-      - "4467:4467"
-    command: serve -c /home/ory/keto.yml
-    restart: on-failure
-    volumes:
-      - type: bind
-        source: .
-        target: /home/ory
-    container_name: keto
-    networks: 
-      - catalog
-
-networks: 
-  catalog:
-    external: true

keto/keto.yml

@@ -1,18 +0,0 @@
-version: v0.6.0-alpha.1
-
-log:
-  level: debug
-
-namespaces:
-  - id: 0
-    name: open-cloud
-
-dsn: memory
-
-serve:
-  read:
-    host: 0.0.0.0
-    port: 4466
-  write:
-    host: 0.0.0.0
-    port: 4467

ldap-hydra/docker-compose-2.yml

@@ -1,78 +0,0 @@
-version: "3"
-services:   
-    hydra-client-2: 
-        image: oryd/hydra:v2.2.0
-        container_name: hydra-client-2
-        environment:
-            HYDRA_ADMIN_URL: http://hydra-2:4445
-            ORY_SDK_URL: http://hydra-2:4445
-        command:
-            - create
-            - oauth2-client
-            - --skip-tls-verify
-            - --name
-            - test-client
-            - --secret
-            - oc-auth-got-secret
-            - --response-type
-            - id_token,token,code
-            - --grant-type
-            - implicit,refresh_token,authorization_code,client_credentials
-            - --scope
-            - openid,profile,email,roles
-            - --token-endpoint-auth-method
-            - client_secret_post
-            - --redirect-uri
-            - http://localhost:3000
-
-        networks:
-            - hydra-net
-            - catalog
-        deploy:
-            restart_policy:
-                condition: none
-        depends_on:
-            - hydra-2
-        healthcheck:
-            test: ["CMD", "curl", "-f", "http://hydra-2:4445"]
-            interval: 10s
-            timeout: 10s
-            retries: 10
-    hydra-2:
-        container_name: hydra-2
-        image: oryd/hydra:v2.2.0
-        environment:
-            SECRETS_SYSTEM: oc-auth-got-secret
-            LOG_LEAK_SENSITIVE_VALUES: true
-            URLS_SELF_ISSUER: http://hydra-2:4444
-            URLS_SELF_PUBLIC: http://hydra-2:4444
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
-            DSN: memory
-        command: serve all --dev
-        networks:
-            - hydra-net
-            - catalog
-        ports:
-            - "4446:4444"
-            - "4447:4445"
-        deploy:
-            restart_policy:
-                condition: on-failure
-    ldap-2:
-        image: pgarrett/ldap-alpine
-        container_name: ldap-2
-        volumes:  
-            - "./ldap-2.ldif:/ldif/ldap.ldif"
-        networks:
-            - hydra-net
-            - catalog
-        ports:
-            - "389:389"
-        deploy:
-            restart_policy:
-                condition: on-failure
-networks:    
-    hydra-net:
-    catalog:
-        external: true

ldap-hydra/docker-compose.yml

@@ -1,79 +0,0 @@
-version: "3"
-services:   
-    hydra-client: 
-        image: oryd/hydra:v2.2.0
-        container_name: hydra-client
-        environment:
-            HYDRA_ADMIN_URL: http://hydra:4445
-            ORY_SDK_URL: http://hydra:4445
-        command:
-            - create
-            - oauth2-client
-            - --skip-tls-verify
-            - --name
-            - test-client
-            - --secret
-            - oc-auth-got-secret
-            - --response-type
-            - id_token,token,code
-            - --grant-type
-            - implicit,refresh_token,authorization_code,client_credentials
-            - --scope
-            - openid,profile,email,roles
-            - --token-endpoint-auth-method
-            - client_secret_post
-            - --redirect-uri
-            - http://localhost:3000
-
-        networks:
-            - hydra-net
-            - catalog
-        deploy:
-            restart_policy:
-                condition: none
-        depends_on:
-            - hydra
-        healthcheck:
-            test: ["CMD", "curl", "-f", "http://hydra:4445"]
-            interval: 10s
-            timeout: 10s
-            retries: 10
-    hydra:
-        container_name: hydra
-        image: oryd/hydra:v2.2.0
-        environment:
-            SECRETS_SYSTEM: oc-auth-got-secret
-            LOG_LEAK_SENSITIVE_VALUES: true
-            # OAUTH2_TOKEN_HOOK_URL: http://oc-auth:8080/oc/claims
-            URLS_SELF_ISSUER: http://hydra:4444
-            URLS_SELF_PUBLIC: http://hydra:4444
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
-            DSN: memory
-        command: serve all --dev
-        networks:
-            - hydra-net
-            - catalog
-        ports:
-            - "4444:4444"
-            - "4445:4445"
-        deploy:
-            restart_policy:
-                condition: on-failure
-    ldap:
-        image: pgarrett/ldap-alpine
-        container_name: ldap
-        volumes:  
-            - "./ldap.ldif:/ldif/ldap.ldif"
-        networks:
-            - hydra-net
-            - catalog
-        ports:
-            - "390:389"
-        deploy:
-            restart_policy:
-                condition: on-failure
-networks:    
-    hydra-net:
-    catalog:
-        external: true

ldap-hydra/ldap-2.ldif

@@ -1,24 +0,0 @@
-dn: uid=admin2,ou=Users,dc=example,dc=com
-objectClass: inetOrgPerson
-cn: Admin2
-sn: Istrator
-uid: admin2
-userPassword: admin2
-mail: admin2@example.com
-ou: Users
-
-dn: ou=AppRoles,dc=example,dc=com
-objectClass: organizationalunit
-ou: AppRoles
-description: AppRoles
-
-dn: ou=App1,ou=AppRoles,dc=example,dc=com
-objectClass: organizationalunit
-ou: App1
-description: App1
-
-dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com
-objectClass: groupofnames
-cn: traveler
-description: traveler
-member: uid=admin2,ou=Users,dc=example,dc=com

ldap-hydra/ldap.ldif

@@ -1,24 +0,0 @@
-dn: uid=admin,ou=Users,dc=example,dc=com
-objectClass: inetOrgPerson
-cn: Admin
-sn: Istrator
-uid: admin
-userPassword: admin
-mail: admin@example.com
-ou: Users
-
-dn: ou=AppRoles,dc=example,dc=com
-objectClass: organizationalunit
-ou: AppRoles
-description: AppRoles
-
-dn: ou=App1,ou=AppRoles,dc=example,dc=com
-objectClass: organizationalunit
-ou: App1
-description: App1
-
-dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com
-objectClass: groupofnames
-cn: traveler
-description: traveler
-member: uid=admin,ou=Users,dc=example,dc=com

main.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"time"
 
 	oclib "cloud.o-forge.io/core/oc-lib"
 	peer "cloud.o-forge.io/core/oc-lib/models/peer"
@@ -43,9 +44,11 @@ func main() {
 	conf.GetConfig().AuthConnectPublicHost = o.GetStringDefault("AUTH_CONNECTOR_PUBLIC_HOST", "localhost")
 	conf.GetConfig().AuthConnectorPort = o.GetIntDefault("AUTH_CONNECTOR_PORT", 4444)
 	conf.GetConfig().AuthConnectorAdminPort = o.GetIntDefault("AUTH_CONNECTOR_ADMIN_PORT", 4445)
-	conf.GetConfig().PermissionConnectorHost = o.GetStringDefault("PERMISSION_CONNECTOR_HOST", "keto")
+	conf.GetConfig().PermissionConnectorWriteHost = o.GetStringDefault("PERMISSION_CONNECTOR_WRITE_HOST", "keto")
+	conf.GetConfig().PermissionConnectorReadHost = o.GetStringDefault("PERMISSION_CONNECTOR_READ_HOST", "keto")
 	conf.GetConfig().PermissionConnectorPort = o.GetIntDefault("PERMISSION_CONNECTOR_PORT", 4466)
 	conf.GetConfig().PermissionConnectorAdminPort = o.GetIntDefault("PERMISSION_CONNECTOR_ADMIN_PORT", 4467)
+	conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)
 
 	// config LDAP
 	conf.GetConfig().SourceMode = o.GetStringDefault("SOURCE_MODE", "ldap")
@@ -54,12 +57,10 @@ func main() {
 	conf.GetConfig().LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password")
 	conf.GetConfig().LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com")
 	conf.GetConfig().LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com")
-	err := generateSelfPeer()
-	if err != nil {
-		panic(err)
-	}
-	generateRole()
-	discovery()
+	go generateSelfPeer()
+	go generateRole()
+	go discovery()
+	beego.BConfig.Listen.HTTPPort = o.GetIntDefault("port", 8080)
 	beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
 		AllowAllOrigins:  true,
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
@@ -80,22 +81,29 @@ func generateRole() {
 	if conf.GetConfig().SourceMode == "ldap" {
 		ldap := auth_connectors.New()
 		roles, err := ldap.GetRoles(context.Background())
-		if err != nil {
-			panic(err)
-		}
-		fmt.Println("ROLE", roles)
-		for _, role := range roles {
-			for r, m := range role.Members {
-				infrastructure.GetPermissionConnector("").CreateRole(r)
-				for _, p := range m {
-					infrastructure.GetPermissionConnector("").BindRole(r, p)
+		if err == nil {
+			fmt.Println("ROLE", roles)
+			for _, role := range roles {
+				for r, m := range role.Members {
+					infrastructure.GetPermissionConnector("").CreateRole(r)
+					for _, p := range m {
+						infrastructure.GetPermissionConnector("").BindRole(r, p)
+					}
 				}
 			}
+		} else {
+			time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+			generateRole()
 		}
 	}
 }
 
 func generateSelfPeer() error {
+	defer func() {
+		if r := recover(); r != nil {
+			fmt.Println("Recovered in f", r)
+		}
+	}()
 	// TODO check if files at private & public path are set
 	// check if files at private & public path are set
 	if _, err := os.Stat(conf.GetConfig().PrivateKeyPath); errors.Is(err, os.ErrNotExist) {
@@ -127,21 +135,34 @@ func generateSelfPeer() error {
 		AbstractObject: utils.AbstractObject{
 			Name: o.GetStringDefault("NAME", "local"),
 		},
-		PublicKey: file,
-		State:     peer.SELF,
+		PublicKey:     file,
+		State:         peer.SELF,
+		WalletAddress: "my-wallet",
 	}
 	data := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).StoreOne(peer.Serialize(peer))
 	if data.Err != "" {
+		time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+		generateSelfPeer()
 		return errors.New(data.Err)
 	}
 	return nil
 }
 
 func discovery() {
+	defer func() {
+		if r := recover(); r != nil {
+			fmt.Println("Recovered in f", r)
+		}
+	}()
 	api := tools.API{}
 	conn := infrastructure.GetPermissionConnector("")
-
-	conn.CreateRole(conf.GetConfig().AdminRole)
+	fmt.Println("AdminRole", conn, conf.GetConfig().PermissionConnectorWriteHost)
+	_, _, err := conn.CreateRole(conf.GetConfig().AdminRole)
+	if err != nil {
+		time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+		discovery()
+		return
+	}
 	conn.BindRole(conf.GetConfig().AdminRole, "admin")
 	addPermissions := func(m map[string]interface{}) {
 		for k, v := range m {

routers/commentsRouter.go

@@ -81,7 +81,7 @@ func init() {
 
     beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
         beego.ControllerComments{
-            Method: "InternaisDraftlAuthForward",
+            Method: "InternalAuthForward",
             Router: `/forward`,
             AllowHTTPMethods: []string{"get"},
             MethodParams: param.Make(),