diff --git a/Dockerfile b/Dockerfile index 32f9371..6f23bfc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,9 +10,6 @@ RUN go mod download FROM golang:alpine AS builder -ARG HOSTNAME=http://localhost -ARG NAME=local - RUN apk add git RUN go install github.com/beego/bee/v2@latest diff --git a/Makefile b/Makefile index 48918e0..5639c37 100644 --- a/Makefile +++ b/Makefile @@ -1,22 +1,18 @@ .DEFAULT_GOAL := all - build: clean bee pack -hydra: - docker compose -f ./ldap-hydra/docker-compose.yml up -d - -keto: - docker compose -f ./keto/docker-compose.yml up -d - run: bee run -gendoc=true -downdoc=true -run-dev: - bee generate routers && HTTPPORT=8094 bee run -gendoc=true -downdoc=true +purge: + lsof -t -i:8094 | xargs kill | true -dev: hydra keto run-dev +run-dev: + bee generate routers && bee run -gendoc=true -downdoc=true -runmode=prod + +dev: purge run-dev debug: bee run -downdebug -gendebug @@ -36,4 +32,4 @@ publish-registry: all: docker publish-kind publish-registry -.PHONY: build run clean docker publish-kind publish-registry \ No newline at end of file +.PHONY: build run clean docker publish-kind publish-registry diff --git a/auth.json b/auth.json index 3ef7e97..72a7bba 100644 --- a/auth.json +++ b/auth.json @@ -1,9 +1,7 @@ { - "port": 8080, "MONGO_URL":"mongodb://localhost:27017/", "MONGO_DATABASE":"DC_myDC", - "natsurl":"http://localhost:4080", - "login":"admin", - "password":"admin", - "oidcserver":"http://localhost:8080" + "NATS_URL": "nats://localhost:4222", + "LDAP_ENDPOINTS": "localhost:390", + "port": 8094 } \ No newline at end of file diff --git a/conf/app.conf b/conf/app.conf index 3f1686b..4dbb489 100644 --- a/conf/app.conf +++ b/conf/app.conf @@ -1,5 +1,5 @@ appname = oc-auth -httpport = 8080 +httpport = 8094 runmode = dev autorender = false copyrequestbody = true diff --git a/conf/config.go b/conf/config.go index d3f5285..b1d87c2 100644 --- a/conf/config.go +++ b/conf/config.go 
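Review bot: The new `purge` target hides every failure of its pipeline: `lsof -t -i:8094 | xargs kill | true` pipes kill's output into `true`, so the target succeeds whether or not anything was killed, and on an empty `lsof` result GNU `xargs` still runs `kill` with no arguments. If the intent is "kill whatever listens, tolerate nothing-to-kill", `lsof -t -i:8094 | xargs -r kill || true` says that explicitly (the `-r` is GNU-specific; BSD xargs already skips an empty input). The sibling `run-dev` target now passes `-runmode=prod` while `conf/app.conf` in the same diff sets `runmode = dev` and `dev: purge run-dev` wires it as the development entry point; a one-line comment on `run-dev` explaining why the dev flow overrides runmode to prod would prevent someone "fixing" it back.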
@@ -24,9 +24,12 @@ type Config struct { AuthConnectorPort int AuthConnectorAdminPort int - PermissionConnectorHost string + PermissionConnectorWriteHost string + PermissionConnectorReadHost string PermissionConnectorPort int PermissionConnectorAdminPort int + + Local bool } var instance *Config diff --git a/controllers/oauth2.go b/controllers/oauth2.go index 1acc7fb..28db564 100644 --- a/controllers/oauth2.go +++ b/controllers/oauth2.go @@ -8,8 +8,10 @@ import ( "oc-auth/conf" "oc-auth/infrastructure" auth_connectors "oc-auth/infrastructure/auth_connector" + "oc-auth/infrastructure/claims" "regexp" "strings" + "time" oclib "cloud.o-forge.io/core/oc-lib" model "cloud.o-forge.io/core/oc-lib/models/peer" @@ -40,11 +42,15 @@ func (o *OAuthController) LogOut() { var res auth_connectors.Token json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res) - token, err := infrastructure.GetAuthConnector().Logout(clientID, reqToken) - if err != nil || token == nil { - o.Data["json"] = err + if !conf.GetConfig().Local { + token, err := infrastructure.GetAuthConnector().Logout(clientID, reqToken) + if err != nil || token == nil { + o.Data["json"] = err + } else { + o.Data["json"] = token + } } else { - o.Data["json"] = token + o.Data["json"] = reqToken } o.ServeJSON() } @@ -57,14 +63,13 @@ func (o *OAuthController) LogOut() { // @router /login [post] func (o *OAuthController) Login() { // authorize user - fmt.Println("Login", o.Ctx.Input.Query("client_id"), o.Ctx.Input.Param(":client_id")) clientID := o.Ctx.Input.Query("client_id") var res auth_connectors.Token json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res) + if conf.GetConfig().SourceMode == "ldap" { ldap := auth_connectors.New() found, err := ldap.Authenticate(o.Ctx.Request.Context(), res.Username, res.Password) - fmt.Println("found", found, "err", err) if err != nil || !found { o.Data["json"] = err o.Ctx.ResponseWriter.WriteHeader(401) 
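Review bot: In the new `Local` branch of `LogOut`, `o.Data["json"] = reqToken` reflects the caller's bearer token back in the response body and nothing is invalidated, so a local-mode logout is a no-op that additionally echoes the credential. Return a neutral acknowledgment instead (for example `o.Data["json"] = map[string]bool{"active": false}`) and comment that local mode keeps no server-side session to revoke. `reqToken` is derived above the hunk, presumably from the Authorization header, and `json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)` still discards its error, so a malformed body silently yields a zero `Token`. `LogOut`'s signature lies above the hunk.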
@@ -72,18 +77,44 @@ func (o *OAuthController) Login() { return } } - token, err := infrastructure.GetAuthConnector().Login( - clientID, res.Username, - &http.Cookie{ // open a session - Name: "csrf_token", - Value: o.XSRFToken(), - }) - fmt.Println("token", token, "err", err) - if err != nil || token == nil { - o.Data["json"] = err - o.Ctx.ResponseWriter.WriteHeader(401) + if !conf.GetConfig().Local { + token, err := infrastructure.GetAuthConnector().Login( + clientID, res.Username, + &http.Cookie{ // open a session + Name: "csrf_token", + Value: o.XSRFToken(), + }) + if err != nil || token == nil { + o.Data["json"] = err + o.Ctx.ResponseWriter.WriteHeader(401) + } else { + o.Data["json"] = token + } } else { - o.Data["json"] = token + t := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search( + nil, fmt.Sprintf("%v", model.SELF.EnumIndex()), false) + if t.Err == "" && len(t.Data) > 0 { + token := &auth_connectors.Token{ + Username: res.Username, + Password: res.Password, + TokenType: "Bearer", + Active: true, + ExpiresIn: 3600, + AccessToken: "localtoken", + } + now := time.Now().UTC() + now = now.Add(time.Duration(token.ExpiresIn) * time.Second) + unix := now.Unix() + c := claims.GetClaims().AddClaimsToToken(clientID, res.Username, t.Data[0].(*model.Peer)) + c.Session.AccessToken["exp"] = unix + b, _ := json.Marshal(c) + token.AccessToken = token.AccessToken + "." + base64.StdEncoding.EncodeToString(b) + o.Data["json"] = token + + } else { + o.Data["json"] = t.Err + o.Ctx.ResponseWriter.WriteHeader(401) + } } o.ServeJSON() } 
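Review bot: The local-mode token minted at the end of `Login` is forgeable: `token.AccessToken = token.AccessToken + "." + base64.StdEncoding.EncodeToString(b)` glues a fixed `"localtoken"` prefix to unsigned base64 claims, and nothing in this diff verifies that value (the `Local` branch of `Introspect` in the following hunk accepts anything), so a client can craft claims for any user and peer. If local mode must mint tokens, sign the claims — the service already provisions a key at `PrivateKeyPath` for the self peer — and make `Introspect` check the signature and `exp`. Separately, `Password: res.Password` copies the submitted password into the returned `Token`, which is then serialized to the client unless that field is tagged `json:"-"` (not shown here); drop the field. Note also that `claims.GetClaims()` can now return `nil` (see the `strings.Contains` lookup in claims.go), which panics on `.AddClaimsToToken` here, and the LDAP check above only runs when `SourceMode == "ldap"`, so with any other source mode and `Local` set this branch issues a token with no credential check at all. `Login`'s signature lies above the hunk.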
@@ -99,12 +130,16 @@ func (o *OAuthController) Refresh() { var token auth_connectors.Token json.Unmarshal(o.Ctx.Input.CopyBody(100000), &token) // refresh token - newToken, err := infrastructure.GetAuthConnector().Refresh(clientID, &token) - if err != nil || newToken == nil { - o.Data["json"] = err - o.Ctx.ResponseWriter.WriteHeader(401) + if !conf.GetConfig().Local { + newToken, err := infrastructure.GetAuthConnector().Refresh(clientID, &token) + if err != nil || newToken == nil { + o.Data["json"] = err + o.Ctx.ResponseWriter.WriteHeader(401) + } else { + o.Data["json"] = newToken + } } else { - o.Data["json"] = newToken + o.Data["json"] = token } o.ServeJSON() } @@ -122,11 +157,12 @@ func (o *OAuthController) Introspect() { } else { reqToken = splitToken[1] } - - token, err := infrastructure.GetAuthConnector().Introspect(reqToken) - if err != nil || !token { - o.Data["json"] = err - o.Ctx.ResponseWriter.WriteHeader(401) + if !conf.GetConfig().Local { + token, err := infrastructure.GetAuthConnector().Introspect(reqToken) + if err != nil || !token { + o.Data["json"] = err + o.Ctx.ResponseWriter.WriteHeader(401) + } } o.ServeJSON() } @@ -142,7 +178,7 @@ var whitelist = []string{ // @Param Authorization header string false "auth token" // @Success 200 {string} // @router /forward [get] -func (o *OAuthController) InternaisDraftlAuthForward() { +func (o *OAuthController) InternalAuthForward() { fmt.Println("InternalAuthForward") reqToken := o.Ctx.Request.Header.Get("Authorization") if reqToken == "" { diff --git a/controllers/version.go b/controllers/version.go index 04b6a99..b1344f9 100644 --- a/controllers/version.go +++ b/controllers/version.go @@ -14,7 +14,10 @@ type VersionController struct { // @Success 200 // @router / [get] func (c *VersionController) GetAll() { - c.Data["json"] = map[string]string{"version": "1"} + c.Data["json"] = map[string]string{ + "service": "oc-auth", + "version": "1", + } c.ServeJSON() } 
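Review bot: In the `Local` branch `Introspect` falls straight through to `o.ServeJSON()` with no validation, so every request carrying any `Authorization` value gets a 200 and anything gating on introspection (including the `/forward` route renamed in this diff) is effectively open in local mode. It should at least split the `localtoken.<base64>` value produced by `Login`, decode the claims, reject when `exp` has passed and, once the token is signed, verify the signature; until then defaulting the local branch to `o.Ctx.ResponseWriter.WriteHeader(401)` is safer than silently succeeding. `Refresh` has the same shape: its local branch returns the request body unchanged (`o.Data["json"] = token`), so an expired token refreshes itself indefinitely and a client-supplied `exp` is trusted as-is. Both functions' signatures lie above their hunks.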
@@ -23,6 +26,9 @@ func (c *VersionController) GetAll() { // @Success 200 // @router /discovery [get] func (c *VersionController) Get() { - c.Data["json"] = map[string]string{"version": "1"} + c.Data["json"] = map[string]string{ + "service": "oc-auth", + "version": "1", + } c.ServeJSON() } diff --git a/docker-compose-2.yml b/docker-compose-2.yml deleted file mode 100644 index c72e378..0000000 --- a/docker-compose-2.yml +++ /dev/null @@ -1,21 +0,0 @@ -version: '3.4' - -services: - oc-auth-2: - image: 'oc-auth-2:latest' - ports: - - 8095:8080 - container_name: oc-auth-2 - environment: - LDAP_ENDPOINTS: ldap-2:389 - LDAP_BINDDN: cn=admin,dc=example,dc=com - LDAP_BINDPW: password - LDAP_BASEDN: "dc=example,dc=com" - LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com" - networks: - - catalog - volumes: - - ./pem:/etc/oc/pem -networks: - catalog: - external: true \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 5771726..5badea0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,20 +1,6 @@ version: '3.4' services: - traefik: - image: traefik:v2.10.4 - container_name: traefik - restart: unless-stopped - networks: - - catalog - command: - - "--api.insecure=true" - - "--providers.docker=true" - - "--entrypoints.web.address=:8000" - ports: - - "8000:8000" # Expose Traefik on port 8000 - volumes: - - /var/run/docker.sock:/var/run/docker.sock oc-auth: image: 'oc-auth:latest' ports: @@ -36,9 +22,10 @@ services: LDAP_BASEDN: "dc=example,dc=com" LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com" networks: - - catalog + - oc volumes: - - ./pem:/etc/oc/pem + - ./pem/private.pem:/keys/private/private.pem + - ./pem/public.pem:/keys/public/public.pem networks: - catalog: + oc: external: true \ No newline at end of file diff --git a/docker_auth.json b/docker_auth.json index ad9079d..b96487b 100644 --- a/docker_auth.json +++ b/docker_auth.json 
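Review bot: The new bind mounts hand the signing key to the container read-write: `- ./pem/private.pem:/keys/private/private.pem`. Nothing shown needs to write it, so mount both files read-only — `- ./pem/private.pem:/keys/private/private.pem:ro` and `- ./pem/public.pem:/keys/public/public.pem:ro` — so a compromised process cannot overwrite or truncate the key. These paths must stay in lock-step with `PRIVATE_KEY_PATH`/`PUBLIC_KEY_PATH` in docker_auth.json (changed in the same diff); a short comment next to the volume lines pointing at that config would save the next reader a debugging round.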
@@ -2,10 +2,10 @@ "MONGO_URL":"mongodb://mongo:27017/", "MONGO_DATABASE":"DC_myDC", "NATS_URL": "nats://nats:4222", - "PORT" : 8080, "AUTH_CONNECTOR_HOST": "hydra", "AUTH_CONNECTOR_PUBLIC_HOST": "hydra", - "PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem", - "PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem", - "LDAP_ENDPOINTS": "ldap:389" + "PRIVATE_KEY_PATH": "/keys/private/private.pem", + "PUBLIC_KEY_PATH": "/keys/public/public.pem", + "LDAP_ENDPOINTS": "ldap:389", + "LOCAL": false } \ No newline at end of file diff --git a/infrastructure/auth_connector/auth_connector.go b/infrastructure/auth_connector/auth_connector.go index 39a23ab..9572752 100644 --- a/infrastructure/auth_connector/auth_connector.go +++ b/infrastructure/auth_connector/auth_connector.go @@ -3,6 +3,7 @@ package auth_connectors import ( "net/http" "oc-auth/conf" + "strings" "cloud.o-forge.io/core/oc-lib/tools" ) @@ -37,5 +38,10 @@ var a = map[string]AuthConnector{ } func GetAuthConnector() AuthConnector { - return a[conf.GetConfig().Auth] + for k := range a { + if strings.Contains(conf.GetConfig().Auth, k) { + return a[k] + } + } + return nil } diff --git a/infrastructure/auth_connector/hydra_connector.go b/infrastructure/auth_connector/hydra_connector.go index f89ee77..baa3b37 100644 --- a/infrastructure/auth_connector/hydra_connector.go +++ b/infrastructure/auth_connector/hydra_connector.go @@ -32,6 +32,9 @@ func (a HydraConnector) Status() tools.State { caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}) var responseBody map[string]interface{} host := conf.GetConfig().AuthConnectorHost + if conf.GetConfig().Local { + host = "localhost" + } port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort) resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready") if err != nil { 
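Review bot: `GetAuthConnector` now returns `nil` when no key of `a` is a substring of `conf.GetConfig().Auth`, and every caller in controllers/oauth2.go (`Login`, `LogOut`, `Refresh`, `Introspect`) invokes a method on the result without a nil check, so a misconfigured `Auth` value becomes a nil-interface panic per request instead of a clear startup failure. Substring matching over a map is also order-dependent: should two keys ever match, Go's randomized map iteration picks one arbitrarily. Prefer an exact lookup first, `if c, ok := a[conf.GetConfig().Auth]; ok { return c }`, then the `strings.Contains` fallback, and either fail fast at startup when the result is nil or make callers return 500 explicitly.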
@@ -68,6 +71,7 @@ func (a HydraConnector) challenge(username string, url string, challenge string, resp, err := a.Caller.CallRaw(http.MethodPut, a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1], body, "application/json", true, cookies...) // "remember": true, "subject": username + fmt.Println(a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1], resp, err) if err != nil { return nil, s[1], cookies, err } @@ -138,11 +142,11 @@ func (a HydraConnector) getClient(clientID string) string { } func (a HydraConnector) Login(clientID string, username string, cookies ...*http.Cookie) (t *Token, err error) { - fmt.Println("login", clientID, username) clientID = a.getClient(clientID) redirect, _, cookies, err := a.tryLog(username, a.getPath(false, true), "/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State, "login", cookies...) + fmt.Println("login", clientID, username, a.getPath(false, true), redirect, err) if err != nil || redirect == nil { return nil, err } @@ -190,7 +194,6 @@ func (a HydraConnector) Login(clientID string, username string, cookies ...*http unix := now.Unix() c := claims.GetClaims().AddClaimsToToken(clientID, username, pp.Data[0].(*peer.Peer)) - fmt.Println("claims", c.Session.AccessToken) c.Session.AccessToken["exp"] = unix b, _ = json.Marshal(c) @@ -250,6 +253,9 @@ func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool, func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string { host := conf.GetConfig().AuthConnectorHost + if conf.GetConfig().Local { + host = "localhost" + } port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort) if isAdmin { port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin" 
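Review bot: The new `fmt.Println(a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1], resp, err)` in `challenge` writes the raw Hydra admin response to stdout on every login and consent step. That response presumably includes the `redirect_to` URL Hydra returns from its accept endpoints, i.e. a one-time verifier, alongside the challenge already present in the URL, so auth material lands in container logs. The added `fmt.Println("login", clientID, username, a.getPath(false, true), redirect, err)` in `Login` logs the redirect and username as well. Route these through the oclib logger at debug level and log only the status and error, never bodies or redirect targets. `challenge`'s signature lies above the hunk.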
diff --git a/infrastructure/auth_connector/ldap.go b/infrastructure/auth_connector/ldap.go index 0d0c57d..32bec74 100644 --- a/infrastructure/auth_connector/ldap.go +++ b/infrastructure/auth_connector/ldap.go @@ -228,7 +228,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPC // It's sufficient to compare the DN's suffix with the base DN. n, k := len(roleDN), len(cli.RoleBaseDN) if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) { - panic("You should never see that") + return nil, errors.New("You should never see that") } // The DN without the role's base DN must contain a CN and OU // where the CN is for uniqueness only, and the OU is an application id. @@ -322,7 +322,7 @@ func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, er // It's sufficient to compare the DN's suffix with the base DN. n, k := len(roleDN), len(cli.RoleBaseDN) if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) { - panic("You should never see that") + return nil, errors.New("You should never see that") } // The DN without the role's base DN must contain a CN and OU // where the CN is for uniqueness only, and the OU is an application id. diff --git a/infrastructure/claims/claims.go b/infrastructure/claims/claims.go index 7281a65..8b6fb3c 100644 --- a/infrastructure/claims/claims.go +++ b/infrastructure/claims/claims.go @@ -2,6 +2,7 @@ package claims import ( "oc-auth/conf" + "strings" "cloud.o-forge.io/core/oc-lib/models/peer" ) @@ -28,5 +29,10 @@ var t = map[string]ClaimService{ } func GetClaims() ClaimService { - return t[conf.GetConfig().Auth] + for k := range t { + if strings.Contains(conf.GetConfig().Auth, k) { + return t[k] + } + } + return nil } diff --git a/infrastructure/perms_connectors/keto_connector.go b/infrastructure/perms_connectors/keto_connector.go index e65b432..408c023 100644 --- a/infrastructure/perms_connectors/keto_connector.go +++ b/infrastructure/perms_connectors/keto_connector.go 
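Review bot: Replacing the `panic` with `errors.New("You should never see that")` is the right move for a server, but the message now reaches callers and logs without saying what was rejected. Return a descriptive error in both spots, e.g. `return nil, fmt.Errorf("role DN %q is outside role base DN %q", roleDN, cli.RoleBaseDN)` (needs `fmt` in ldap.go's imports, which this hunk does not show). The guard itself, `strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN)`, is a plain textual suffix match with no requirement that a `,` precede the base, so I would additionally require `n == k || roleDN[n-k-1] == ','` to be sure the DN really is a descendant of the role base rather than a sibling whose tail happens to coincide. Both `FindOIDCClaims` and `findRoles` extend beyond their hunks.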
@@ -56,7 +56,10 @@ func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission func (k KetoConnector) Status() tools.State { caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}) var responseBody map[string]interface{} - host := conf.GetConfig().PermissionConnectorHost + host := conf.GetConfig().PermissionConnectorReadHost + if conf.GetConfig().Local { + host = "localhost" + } port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort) resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready") if err != nil { @@ -217,7 +220,10 @@ func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Perm func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) { t := []Permission{} caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}) - host := conf.GetConfig().PermissionConnectorHost + host := conf.GetConfig().PermissionConnectorReadHost + if conf.GetConfig().Local { + host = "localhost" + } port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort) resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery( Permission{Object: object, Relation: relation, Subject: subject}, nil)) @@ -344,7 +350,10 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec } body["subject_set"] = map[string]interface{}{"namespace": k.namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject} } - host := conf.GetConfig().PermissionConnectorHost + host := conf.GetConfig().PermissionConnectorWriteHost + if conf.GetConfig().Local { + host = "localhost" + } port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort) b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body) if err != nil { 
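Review bot: The `if conf.GetConfig().Local { host = "localhost" }` override is now pasted into `Status`, `get` and `createRelationShip` here, into `deleteRelationShip` in the next hunk, and twice more in hydra_connector.go, so the read/write host split introduced with `PermissionConnectorReadHost`/`PermissionConnectorWriteHost` must be kept consistent in six places by hand. Move it into the config, e.g. `func (c *Config) PermsReadHost() string { if c.Local { return "localhost" }; return c.PermissionConnectorReadHost }` with a write-side twin, and call those here. Note too that `GetPermissionConnector` in perms_connector.go selects the connector from the read host only, so a write host naming a different backend is silently ignored. All three functions in this hunk extend beyond it.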
@@ -355,6 +364,7 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec var data map[string]interface{} err = json.Unmarshal(b, &data) if err != nil { + fmt.Println(string(b), err) log := oclib.GetLogger() log.Error().Msg("createRelationShip2" + err.Error()) return nil, 500, err @@ -382,7 +392,10 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec } caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}) n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm) - host := conf.GetConfig().PermissionConnectorHost + host := conf.GetConfig().PermissionConnectorWriteHost + if conf.GetConfig().Local { + host = "localhost" + } port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort) b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n) if err != nil { diff --git a/infrastructure/perms_connectors/perms_connector.go b/infrastructure/perms_connectors/perms_connector.go index 9560725..8a6e27e 100644 --- a/infrastructure/perms_connectors/perms_connector.go +++ b/infrastructure/perms_connectors/perms_connector.go @@ -2,6 +2,7 @@ package perms_connectors import ( "oc-auth/conf" + "strings" "cloud.o-forge.io/core/oc-lib/tools" ) @@ -55,5 +56,10 @@ var c = map[string]PermConnector{ } func GetPermissionConnector(scope string) PermConnector { - return c[conf.GetConfig().PermissionConnectorHost] + for k := range c { + if strings.Contains(conf.GetConfig().PermissionConnectorReadHost, k) { + return c[k] + } + } + return nil } diff --git a/keto/docker-compose.yml b/keto/docker-compose.yml deleted file mode 100644 index 34f2f1a..0000000 --- a/keto/docker-compose.yml +++ /dev/null 
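Review bot: `GetPermissionConnector` now returns `nil` when no key of `c` is contained in `PermissionConnectorReadHost`; `discovery()` in main.go calls `conn.CreateRole(...)` on that result without a check and its new `recover()` swallows the resulting panic, so a misnamed host silently skips creation of the admin role and every permission. Fail loudly instead, either here (`panic("no permission connector matches " + conf.GetConfig().PermissionConnectorReadHost)`) or at the call site before the connector is used; the `scope` parameter also remains unused. The `fmt.Println(string(b), err)` added to `createRelationShip` in the hunk above dumps the raw Keto response to stdout right before the oclib logger call that already reports the error — fold it into that `log.Error()` rather than printing the body.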
@@ -1,21 +0,0 @@ -version: '3.4' - -services: - keto: - image: oryd/keto:v0.7.0-alpha.1-sqlite - ports: - - "4466:4466" - - "4467:4467" - command: serve -c /home/ory/keto.yml - restart: on-failure - volumes: - - type: bind - source: . - target: /home/ory - container_name: keto - networks: - - catalog - -networks: - catalog: - external: true diff --git a/keto/keto.yml b/keto/keto.yml deleted file mode 100644 index 1074ac8..0000000 --- a/keto/keto.yml +++ /dev/null @@ -1,18 +0,0 @@ -version: v0.6.0-alpha.1 - -log: - level: debug - -namespaces: - - id: 0 - name: open-cloud - -dsn: memory - -serve: - read: - host: 0.0.0.0 - port: 4466 - write: - host: 0.0.0.0 - port: 4467 diff --git a/ldap-hydra/docker-compose-2.yml b/ldap-hydra/docker-compose-2.yml deleted file mode 100644 index 2fe27d0..0000000 --- a/ldap-hydra/docker-compose-2.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -version: "3" -services: - hydra-client-2: - image: oryd/hydra:v2.2.0 - container_name: hydra-client-2 - environment: - HYDRA_ADMIN_URL: http://hydra-2:4445 - ORY_SDK_URL: http://hydra-2:4445 - command: - - create - - oauth2-client - - --skip-tls-verify - - --name - - test-client - - --secret - - oc-auth-got-secret - - --response-type - - id_token,token,code - - --grant-type - - implicit,refresh_token,authorization_code,client_credentials - - --scope - - openid,profile,email,roles - - --token-endpoint-auth-method - - client_secret_post - - --redirect-uri - - http://localhost:3000 - - networks: - - hydra-net - - catalog - deploy: - restart_policy: - condition: none - depends_on: - - hydra-2 - healthcheck: - test: ["CMD", "curl", "-f", "http://hydra-2:4445"] - interval: 10s - timeout: 10s - retries: 10 - hydra-2: - container_name: hydra-2 - image: oryd/hydra:v2.2.0 - environment: - SECRETS_SYSTEM: oc-auth-got-secret - LOG_LEAK_SENSITIVE_VALUES: true - URLS_SELF_ISSUER: http://hydra-2:4444 - URLS_SELF_PUBLIC: http://hydra-2:4444 - WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles - WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number - DSN: memory - command: serve all --dev - networks: - - hydra-net - - catalog - ports: - - "4446:4444" - - "4447:4445" - deploy: - restart_policy: - condition: on-failure - ldap-2: - image: pgarrett/ldap-alpine - container_name: ldap-2 - volumes: - - "./ldap-2.ldif:/ldif/ldap.ldif" - networks: - - hydra-net - - catalog - ports: - - "389:389" - deploy: - restart_policy: - condition: on-failure -networks: - hydra-net: - catalog: - external: true diff --git a/ldap-hydra/docker-compose.yml b/ldap-hydra/docker-compose.yml deleted file mode 100644 index 225fd91..0000000 --- a/ldap-hydra/docker-compose.yml +++ /dev/null 
@@ -1,79 +0,0 @@ -version: "3" -services: - hydra-client: - image: oryd/hydra:v2.2.0 - container_name: hydra-client - environment: - HYDRA_ADMIN_URL: http://hydra:4445 - ORY_SDK_URL: http://hydra:4445 - command: - - create - - oauth2-client - - --skip-tls-verify - - --name - - test-client - - --secret - - oc-auth-got-secret - - --response-type - - id_token,token,code - - --grant-type - - implicit,refresh_token,authorization_code,client_credentials - - --scope - - openid,profile,email,roles - - --token-endpoint-auth-method - - client_secret_post - - --redirect-uri - - http://localhost:3000 - - networks: - - hydra-net - - catalog - deploy: - restart_policy: - condition: none - depends_on: - - hydra - healthcheck: - test: ["CMD", "curl", "-f", "http://hydra:4445"] - interval: 10s - timeout: 10s - retries: 10 - hydra: - container_name: hydra - image: oryd/hydra:v2.2.0 - environment: - SECRETS_SYSTEM: oc-auth-got-secret - LOG_LEAK_SENSITIVE_VALUES: true - # OAUTH2_TOKEN_HOOK_URL: http://oc-auth:8080/oc/claims - URLS_SELF_ISSUER: http://hydra:4444 - URLS_SELF_PUBLIC: http://hydra:4444 - WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles - WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number - DSN: memory - command: serve all --dev - networks: - - hydra-net - - catalog - ports: - - "4444:4444" - - "4445:4445" - deploy: - restart_policy: - condition: on-failure - ldap: - image: pgarrett/ldap-alpine - container_name: ldap - volumes: - - "./ldap.ldif:/ldif/ldap.ldif" - networks: - - hydra-net - - catalog - ports: - - "390:389" - deploy: - restart_policy: - condition: on-failure -networks: - hydra-net: - catalog: - external: true diff --git a/ldap-hydra/ldap-2.ldif b/ldap-hydra/ldap-2.ldif deleted file mode 100644 index 79ac6b6..0000000 --- a/ldap-hydra/ldap-2.ldif +++ /dev/null 
@@ -1,24 +0,0 @@ -dn: uid=admin2,ou=Users,dc=example,dc=com -objectClass: inetOrgPerson -cn: Admin2 -sn: Istrator -uid: admin2 -userPassword: admin2 -mail: admin2@example.com -ou: Users - -dn: ou=AppRoles,dc=example,dc=com -objectClass: organizationalunit -ou: AppRoles -description: AppRoles - -dn: ou=App1,ou=AppRoles,dc=example,dc=com -objectClass: organizationalunit -ou: App1 -description: App1 - -dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com -objectClass: groupofnames -cn: traveler -description: traveler -member: uid=admin2,ou=Users,dc=example,dc=com \ No newline at end of file diff --git a/ldap-hydra/ldap.ldif b/ldap-hydra/ldap.ldif deleted file mode 100644 index 135cb79..0000000 --- a/ldap-hydra/ldap.ldif +++ /dev/null @@ -1,24 +0,0 @@ -dn: uid=admin,ou=Users,dc=example,dc=com -objectClass: inetOrgPerson -cn: Admin -sn: Istrator -uid: admin -userPassword: admin -mail: admin@example.com -ou: Users - -dn: ou=AppRoles,dc=example,dc=com -objectClass: organizationalunit -ou: AppRoles -description: AppRoles - -dn: ou=App1,ou=AppRoles,dc=example,dc=com -objectClass: organizationalunit -ou: App1 -description: App1 - -dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com -objectClass: groupofnames -cn: traveler -description: traveler -member: uid=admin,ou=Users,dc=example,dc=com \ No newline at end of file diff --git a/main.go b/main.go index f134847..7eda6cb 100644 --- a/main.go +++ b/main.go @@ -11,6 +11,7 @@ import ( "os" "strconv" "strings" + "time" oclib "cloud.o-forge.io/core/oc-lib" peer "cloud.o-forge.io/core/oc-lib/models/peer" 
@@ -43,9 +44,11 @@ func main() { conf.GetConfig().AuthConnectPublicHost = o.GetStringDefault("AUTH_CONNECTOR_PUBLIC_HOST", "localhost") conf.GetConfig().AuthConnectorPort = o.GetIntDefault("AUTH_CONNECTOR_PORT", 4444) conf.GetConfig().AuthConnectorAdminPort = o.GetIntDefault("AUTH_CONNECTOR_ADMIN_PORT", 4445) - conf.GetConfig().PermissionConnectorHost = o.GetStringDefault("PERMISSION_CONNECTOR_HOST", "keto") + conf.GetConfig().PermissionConnectorWriteHost = o.GetStringDefault("PERMISSION_CONNECTOR_WRITE_HOST", "keto") + conf.GetConfig().PermissionConnectorReadHost = o.GetStringDefault("PERMISSION_CONNECTOR_READ_HOST", "keto") conf.GetConfig().PermissionConnectorPort = o.GetIntDefault("PERMISSION_CONNECTOR_PORT", 4466) conf.GetConfig().PermissionConnectorAdminPort = o.GetIntDefault("PERMISSION_CONNECTOR_ADMIN_PORT", 4467) + conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true) // config LDAP conf.GetConfig().SourceMode = o.GetStringDefault("SOURCE_MODE", "ldap") @@ -54,12 +57,10 @@ func main() { conf.GetConfig().LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password") conf.GetConfig().LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com") conf.GetConfig().LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com") - err := generateSelfPeer() - if err != nil { - panic(err) - } - generateRole() - discovery() + go generateSelfPeer() + go generateRole() + go discovery() + beego.BConfig.Listen.HTTPPort = o.GetIntDefault("port", 8080) beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{ AllowAllOrigins: true, AllowMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}, 
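Review bot: `conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)` makes the unsigned local-token path (the `Local` branches of `Login`, `Refresh` and `Introspect` in controllers/oauth2.go) the default for every deployment whose config omits `LOCAL`; the repo's own `auth.json` in this diff does not set it, only `docker_auth.json` sets `false`. A bypass mode must be opt-in: `conf.GetConfig().Local = o.GetBoolDefault("LOCAL", false)`, ideally with a prominent startup warning when it is enabled. Replacing `err := generateSelfPeer(); if err != nil { panic(err) }` with `go generateSelfPeer()` also discards the returned error, so the service now serves requests with no self peer registered and no record of why; at least log the error inside the goroutine. `main` extends beyond this hunk.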
@@ -80,22 +81,29 @@ func generateRole() { if conf.GetConfig().SourceMode == "ldap" { ldap := auth_connectors.New() roles, err := ldap.GetRoles(context.Background()) - if err != nil { - panic(err) - } - fmt.Println("ROLE", roles) - for _, role := range roles { - for r, m := range role.Members { - infrastructure.GetPermissionConnector("").CreateRole(r) - for _, p := range m { - infrastructure.GetPermissionConnector("").BindRole(r, p) + if err == nil { + fmt.Println("ROLE", roles) + for _, role := range roles { + for r, m := range role.Members { + infrastructure.GetPermissionConnector("").CreateRole(r) + for _, p := range m { + infrastructure.GetPermissionConnector("").BindRole(r, p) + } } } + } else { + time.Sleep(10 * time.Second) // Pause execution for 10 seconds + generateRole() } } } func generateSelfPeer() error { + defer func() { + if r := recover(); r != nil { + fmt.Println("Recovered in f", r) + } + }() // TODO check if files at private & public path are set // check if files at private & public path are set if _, err := os.Stat(conf.GetConfig().PrivateKeyPath); errors.Is(err, os.ErrNotExist) { 
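Review bot: On an LDAP error `generateRole` now sleeps and calls itself (`time.Sleep(10 * time.Second); generateRole()`) with no attempt cap, no backoff and without ever logging `err`, so a permanently misconfigured LDAP yields a silent, unbounded retry with a growing stack. A bounded loop that logs each failure through `oclib.GetLogger()` replaces both the recursion and the silence; a sketch follows. The `recover()` added to `generateSelfPeer` in the same hunk prints `"Recovered in f"` and returns, which also masks the nil-connector panics made possible by the new substring lookups in `GetPermissionConnector`/`GetAuthConnector`. `generateSelfPeer` continues past this hunk.
```go
func generateRole() {
	if conf.GetConfig().SourceMode != "ldap" {
		return
	}
	ldap := auth_connectors.New()
	for attempt := 1; attempt <= 10; attempt++ {
		roles, err := ldap.GetRoles(context.Background())
		if err == nil {
			// … unchanged: CreateRole / BindRole loop over roles …
			return
		}
		oclib.GetLogger().Error().Msg("generateRole attempt " + strconv.Itoa(attempt) + ": " + err.Error())
		time.Sleep(10 * time.Second)
	}
}
```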
@@ -127,21 +135,34 @@ func generateSelfPeer() error { AbstractObject: utils.AbstractObject{ Name: o.GetStringDefault("NAME", "local"), }, - PublicKey: file, - State: peer.SELF, + PublicKey: file, + State: peer.SELF, + WalletAddress: "my-wallet", } data := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).StoreOne(peer.Serialize(peer)) if data.Err != "" { + time.Sleep(10 * time.Second) // Pause execution for 10 seconds + generateSelfPeer() return errors.New(data.Err) } return nil } func discovery() { + defer func() { + if r := recover(); r != nil { + fmt.Println("Recovered in f", r) + } + }() api := tools.API{} conn := infrastructure.GetPermissionConnector("") - - conn.CreateRole(conf.GetConfig().AdminRole) + fmt.Println("AdminRole", conn, conf.GetConfig().PermissionConnectorWriteHost) + _, _, err := conn.CreateRole(conf.GetConfig().AdminRole) + if err != nil { + time.Sleep(10 * time.Second) // Pause execution for 10 seconds + discovery() + return + } conn.BindRole(conf.GetConfig().AdminRole, "admin") addPermissions := func(m map[string]interface{}) { for k, v := range m { diff --git a/oc-auth b/oc-auth index d502e11..6a94890 100755 Binary files a/oc-auth and b/oc-auth differ diff --git a/routers/commentsRouter.go b/routers/commentsRouter.go index 2c3767f..47c3c11 100644 --- a/routers/commentsRouter.go +++ b/routers/commentsRouter.go @@ -81,7 +81,7 @@ func init() { beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"], beego.ControllerComments{ - Method: "InternaisDraftlAuthForward", + Method: "InternalAuthForward", Router: `/forward`, AllowHTTPMethods: []string{"get"}, MethodParams: param.Make(),
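Review bot: `generateSelfPeer` now retries by recursion on a store failure (`time.Sleep(10 * time.Second); generateSelfPeer()`) and then returns `errors.New(data.Err)` from the outer frame whether or not the retry succeeded, so the error value is meaningless and the retries are unbounded; `discovery` repeats the pattern around `conn.CreateRole`. A bounded loop with the error logged each round around `StoreOne` (and around `CreateRole`) would replace both the recursion and the swallowing `recover()` above. `WalletAddress: "my-wallet"` also persists a placeholder into the self-peer record; read it from config the way `NAME` is read (`o.GetStringDefault("WALLET_ADDRESS", "")`) or leave it empty until a real value exists. Both functions extend beyond the hunk.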