auth

2025-04-01 10:16:26 +02:00
parent 5ca9a10d14
commit 3d42ce6820
25 changed files with 185 additions and 369 deletions
--- a/infrastructure/auth_connector/auth_connector.go
+++ b/infrastructure/auth_connector/auth_connector.go
@@ -3,6 +3,7 @@ package auth_connectors
 import (
 	"net/http"
 	"oc-auth/conf"
+	"strings"

 	"cloud.o-forge.io/core/oc-lib/tools"
 )
@@ -37,5 +38,10 @@ var a = map[string]AuthConnector{
 }

 func GetAuthConnector() AuthConnector {
-	return a[conf.GetConfig().Auth]
+	for k := range a {
+		if strings.Contains(conf.GetConfig().Auth, k) {
+			return a[k]
+		}
+	}
+	return nil
 }
--- a/infrastructure/auth_connector/hydra_connector.go
+++ b/infrastructure/auth_connector/hydra_connector.go
@@ -32,6 +32,9 @@ func (a HydraConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
 	host := conf.GetConfig().AuthConnectorHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
@@ -68,6 +71,7 @@ func (a HydraConnector) challenge(username string, url string, challenge string,
 	resp, err := a.Caller.CallRaw(http.MethodPut,
 		a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1],
 		body, "application/json", true, cookies...) // "remember": true, "subject": username
+	fmt.Println(a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1], resp, err)
 	if err != nil {
 		return nil, s[1], cookies, err
 	}
@@ -138,11 +142,11 @@ func (a HydraConnector) getClient(clientID string) string {
 }

 func (a HydraConnector) Login(clientID string, username string, cookies ...*http.Cookie) (t *Token, err error) {
-	fmt.Println("login", clientID, username)
 	clientID = a.getClient(clientID)
 	redirect, _, cookies, err := a.tryLog(username, a.getPath(false, true),
 		"/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State,
 		"login", cookies...)
+	fmt.Println("login", clientID, username, a.getPath(false, true), redirect, err)
 	if err != nil || redirect == nil {
 		return nil, err
 	}
@@ -190,7 +194,6 @@ func (a HydraConnector) Login(clientID string, username string, cookies ...*http
 	unix := now.Unix()

 	c := claims.GetClaims().AddClaimsToToken(clientID, username, pp.Data[0].(*peer.Peer))
-	fmt.Println("claims", c.Session.AccessToken)
 	c.Session.AccessToken["exp"] = unix

 	b, _ = json.Marshal(c)
@@ -250,6 +253,9 @@ func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool,

 func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
 	host := conf.GetConfig().AuthConnectorHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	if isAdmin {
 		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"
--- a/infrastructure/auth_connector/ldap.go
+++ b/infrastructure/auth_connector/ldap.go
@@ -228,7 +228,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPC
 		// It's sufficient to compare the DN's suffix with the base DN.
 		n, k := len(roleDN), len(cli.RoleBaseDN)
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
-			panic("You should never see that")
+			return nil, errors.New("You should never see that")
 		}
 		// The DN without the role's base DN must contain a CN and OU
 		// where the CN is for uniqueness only, and the OU is an application id.
@@ -322,7 +322,7 @@ func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, er
 		// It's sufficient to compare the DN's suffix with the base DN.
 		n, k := len(roleDN), len(cli.RoleBaseDN)
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
-			panic("You should never see that")
+			return nil, errors.New("You should never see that")
 		}
 		// The DN without the role's base DN must contain a CN and OU
 		// where the CN is for uniqueness only, and the OU is an application id.
--- a/infrastructure/claims/claims.go
+++ b/infrastructure/claims/claims.go
@@ -2,6 +2,7 @@ package claims

 import (
 	"oc-auth/conf"
+	"strings"

 	"cloud.o-forge.io/core/oc-lib/models/peer"
 )
@@ -28,5 +29,10 @@ var t = map[string]ClaimService{
 }

 func GetClaims() ClaimService {
-	return t[conf.GetConfig().Auth]
+	for k := range t {
+		if strings.Contains(conf.GetConfig().Auth, k) {
+			return t[k]
+		}
+	}
+	return nil
 }
--- a/infrastructure/perms_connectors/keto_connector.go
+++ b/infrastructure/perms_connectors/keto_connector.go
@@ -56,7 +56,10 @@ func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission
 func (k KetoConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorReadHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
@@ -217,7 +220,10 @@ func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Perm
 func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
 	t := []Permission{}
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorReadHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery(
 		Permission{Object: object, Relation: relation, Subject: subject}, nil))
@@ -344,7 +350,10 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 		}
 		body["subject_set"] = map[string]interface{}{"namespace": k.namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject}
 	}
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorWriteHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
 	b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
 	if err != nil {
@@ -355,6 +364,7 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 	var data map[string]interface{}
 	err = json.Unmarshal(b, &data)
 	if err != nil {
+		fmt.Println(string(b), err)
 		log := oclib.GetLogger()
 		log.Error().Msg("createRelationShip2" + err.Error())
 		return nil, 500, err
@@ -382,7 +392,10 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
 	}
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorWriteHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
 	b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
 	if err != nil {
--- a/infrastructure/perms_connectors/perms_connector.go
+++ b/infrastructure/perms_connectors/perms_connector.go
@@ -2,6 +2,7 @@ package perms_connectors

 import (
 	"oc-auth/conf"
+	"strings"

 	"cloud.o-forge.io/core/oc-lib/tools"
 )
@@ -55,5 +56,10 @@ var c = map[string]PermConnector{
 }

 func GetPermissionConnector(scope string) PermConnector {
-	return c[conf.GetConfig().PermissionConnectorHost]
+	for k := range c {
+		if strings.Contains(conf.GetConfig().PermissionConnectorReadHost, k) {
+			return c[k]
+		}
+	}
+	return nil
 }