Neo OcLib

mr
2026-05-27 16:09:00 +02:00
parent bc7f0be53b
commit 453d913896
13 changed files with 332 additions and 231 deletions
@@ -7,6 +7,7 @@ import (
"oc-auth/conf"
"oc-auth/infrastructure/utils"
"strings"
"sync"
oclib "cloud.o-forge.io/core/oc-lib"
"cloud.o-forge.io/core/oc-lib/tools"
@@ -14,21 +15,22 @@ import (
type KetoConnector struct {
Client string
Mu sync.RWMutex
}
func (k KetoConnector) SetClient(client string) {
func (k *KetoConnector) SetClient(client string) {
k.Client = client
}
func (k KetoConnector) namespace() string {
func (k *KetoConnector) namespace() string {
return "open-cloud"
}
func (k KetoConnector) scope() string {
func (k *KetoConnector) scope() string {
return "oc-auth-realm"
}
func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
func (f *KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
n := "?namespace=" + f.namespace()
if perm.Object != "" {
n += "&object=" + perm.Object
@@ -54,7 +56,7 @@ func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission
return n
}
func (k KetoConnector) Status() tools.State {
func (k *KetoConnector) Status() tools.State {
caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
var responseBody map[string]interface{}
host := conf.GetConfig().PermissionConnectorReadHost
@@ -62,6 +64,8 @@ func (k KetoConnector) Status() tools.State {
host = "localhost"
}
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
k.Mu.Lock()
defer k.Mu.Unlock()
resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
if err != nil {
return tools.DEAD
@@ -73,7 +77,7 @@ func (k KetoConnector) Status() tools.State {
return tools.ALIVE
}
func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool {
func (k *KetoConnector) CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool {
if (perm.Object == k.scope() || perm.Subject == k.scope()) && !internal {
log := oclib.GetLogger()
log.Error().Msg("Permission denied : Ask illegal permission")
@@ -88,7 +92,7 @@ func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permis
return len(perms) > 0
}
func (k KetoConnector) deletes(object string, relation string, subject string, relation2 string) (string, int, error) {
func (k *KetoConnector) deletes(object string, relation string, subject string, relation2 string) (string, int, error) {
k.deleteRelationShip(object, relation, subject, nil)
_, code, err := k.deleteRelationShip(subject, relation2, k.scope(), nil)
if err != nil {
@@ -97,15 +101,15 @@ func (k KetoConnector) deletes(object string, relation string, subject string, r
return subject, 200, nil
}
func (k KetoConnector) DeleteRole(roleID string) (string, int, error) {
func (k *KetoConnector) DeleteRole(roleID string) (string, int, error) {
return k.deletes("", "member", roleID, "is")
}
func (k KetoConnector) DeleteGroup(groupID string) (string, int, error) {
func (k *KetoConnector) DeleteGroup(groupID string) (string, int, error) {
return k.deletes("", "groups", groupID, "groupin")
}
func (k KetoConnector) DeletePermission(permID string, relation string, internal bool) (string, int, error) {
func (k *KetoConnector) DeletePermission(permID string, relation string, internal bool) (string, int, error) {
meth, err := utils.ExtractMethod(relation, internal)
if err != nil {
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
@@ -116,15 +120,15 @@ func (k KetoConnector) DeletePermission(permID string, relation string, internal
return k.deletes("", "groups", permID, "permits"+meth.String())
}
func (k KetoConnector) CreateRole(roleID string) (string, int, error) {
func (k *KetoConnector) CreateRole(roleID string) (string, int, error) {
return k.creates(roleID, "is", k.scope())
}
func (k KetoConnector) CreateGroup(groupID string) (string, int, error) {
func (k *KetoConnector) CreateGroup(groupID string) (string, int, error) {
return k.creates(groupID, "groupin", k.scope())
}
func (k KetoConnector) CreatePermission(permID string, relation string, internal bool) (string, int, error) {
func (k *KetoConnector) CreatePermission(permID string, relation string, internal bool) (string, int, error) {
meth, err := utils.ExtractMethod(relation, internal)
if err != nil {
return "", 422, err
@@ -137,7 +141,7 @@ func (k KetoConnector) CreatePermission(permID string, relation string, internal
return id, code, nil
}
func (k KetoConnector) creates(object string, relation string, subject string) (string, int, error) {
func (k *KetoConnector) creates(object string, relation string, subject string) (string, int, error) {
p, code, err := k.createRelationShip(object, relation, subject, nil)
if err != nil {
return "", code, err
@@ -145,23 +149,23 @@ func (k KetoConnector) creates(object string, relation string, subject string) (
return p.Object, 200, nil
}
func (k KetoConnector) GetRole(roleID string) ([]string, error) {
func (k *KetoConnector) GetRole(roleID string) ([]string, error) {
return k.gets(roleID, "is", k.scope())
}
func (k KetoConnector) GetGroup(groupID string) ([]string, error) {
func (k *KetoConnector) GetGroup(groupID string) ([]string, error) {
return k.gets(groupID, "groupin", k.scope())
}
func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
func (k *KetoConnector) GetRoleByUser(userID string) ([]string, error) {
return k.gets("", "member", userID)
}
func (k KetoConnector) GetGroupByUser(userID string) ([]string, error) {
func (k *KetoConnector) GetGroupByUser(userID string) ([]string, error) {
return k.gets("", "groups", userID)
}
func (k KetoConnector) gets(object string, relation string, subject string) ([]string, error) {
func (k *KetoConnector) gets(object string, relation string, subject string) ([]string, error) {
arr := []string{}
objs, err := k.get(object, relation, subject)
if err != nil {
@@ -173,7 +177,7 @@ func (k KetoConnector) gets(object string, relation string, subject string) ([]s
return arr, nil
}
func (k KetoConnector) GetPermission(permID string, relation string) ([]Permission, error) {
func (k *KetoConnector) GetPermission(permID string, relation string) ([]Permission, error) {
meth, err := utils.ExtractMethod(relation, true)
if err != nil {
p := []Permission{}
@@ -189,7 +193,7 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
return k.get(permID, "permits"+meth.String(), k.scope())
}
func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
func (k *KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
p := []Permission{}
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
@@ -200,7 +204,7 @@ func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error)
}
return p, nil
}
func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
func (k *KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
roles, err := k.get("", "member", userID)
log := oclib.GetLogger()
log.Debug().Msgf("GetPermissionByUser roles for %s: %d roles, err=%v", userID, len(roles), err)
@@ -223,7 +227,7 @@ func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Perm
return p, nil
}
func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
func (k *KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
t := []Permission{}
caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
host := conf.GetConfig().PermissionConnectorReadHost
@@ -231,6 +235,8 @@ func (k KetoConnector) get(object string, relation string, subject string) ([]Pe
host = "localhost"
}
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
k.Mu.Lock()
defer k.Mu.Unlock()
resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery(
Permission{Object: object, Relation: relation, Subject: subject}, nil))
if err != nil {
@@ -253,7 +259,7 @@ func (k KetoConnector) get(object string, relation string, subject string) ([]Pe
return t, nil
}
func (k KetoConnector) binds(object string, relation string, subject string) (string, int, error) {
func (k *KetoConnector) binds(object string, relation string, subject string) (string, int, error) {
_, code, err := k.createRelationShip(object, relation, subject, nil)
if err != nil {
return object, code, err
@@ -261,17 +267,17 @@ func (k KetoConnector) binds(object string, relation string, subject string) (st
return object, 200, nil
}
func (k KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
func (k *KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
log := oclib.GetLogger()
log.Debug().Msgf("BindRole: user=%s role=%s", userID, roleID)
return k.binds(userID, "member", roleID)
}
func (k KetoConnector) BindGroup(userID string, groupID string) (string, int, error) {
func (k *KetoConnector) BindGroup(userID string, groupID string) (string, int, error) {
return k.binds(userID, "groups", groupID)
}
func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
func (k *KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
perms, err := k.GetPermission(permID, relation)
if err != nil || len(perms) != 1 {
count := 0
@@ -297,7 +303,7 @@ func (k KetoConnector) BindPermission(roleID string, permID string, relation str
}, 200, nil
}
func (k KetoConnector) unbinds(subject string, relation string, object string) (string, int, error) {
func (k *KetoConnector) unbinds(subject string, relation string, object string) (string, int, error) {
_, code, err := k.deleteRelationShip(object, relation, subject, nil)
if err != nil {
return object, code, err
@@ -305,15 +311,15 @@ func (k KetoConnector) unbinds(subject string, relation string, object string) (
return object, 200, nil
}
func (k KetoConnector) UnBindRole(userID string, roleID string) (string, int, error) {
func (k *KetoConnector) UnBindRole(userID string, roleID string) (string, int, error) {
return k.unbinds(userID, "member", roleID)
}
func (k KetoConnector) UnBindGroup(userID string, groupID string) (string, int, error) {
func (k *KetoConnector) UnBindGroup(userID string, groupID string) (string, int, error) {
return k.unbinds(userID, "groups", groupID)
}
func (k KetoConnector) UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
func (k *KetoConnector) UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
meth, err := utils.ExtractMethod(relation, false)
if err != nil {
return nil, 422, err
@@ -342,7 +348,7 @@ func (k KetoConnector) UnBindPermission(roleID string, permID string, relation s
Subject: permID,
}, 200, nil
}
func (k KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
func (k *KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
exist, err := k.get(object, relation, subject)
if err == nil && len(exist) > 0 {
return nil, 409, errors.New("Relation already exist")
@@ -362,6 +368,8 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
host = "localhost"
}
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
k.Mu.Lock()
defer k.Mu.Unlock()
b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
if err != nil {
log := oclib.GetLogger()
@@ -378,23 +386,23 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
perm := &Permission{}
if data != nil {
perm = &Permission{
Object: data["object"].(string),
Relation: data["relation"].(string),
Subject: data["subject_id"].(string),
Object: fmt.Sprintf("%v", data["object"]),
Relation: fmt.Sprintf("%v", data["relation"]),
Subject: fmt.Sprintf("%v", data["subject_id"]),
}
if data["subject_set"] != nil {
sub := data["subject_set"].(map[string]interface{})
perm.SubPermission = &Permission{
Object: sub["object"].(string),
Relation: sub["relation"].(string),
Subject: sub["subject_id"].(string),
Object: fmt.Sprintf("%v", sub["object"]),
Relation: fmt.Sprintf("%v", sub["relation"]),
Subject: fmt.Sprintf("%v", sub["subject_id"]),
}
}
}
return perm, 200, nil
}
func (k KetoConnector) deleteRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
func (k *KetoConnector) deleteRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
exist, err := k.get(object, relation, subject)
if err == nil && len(exist) == 0 {
return nil, 409, errors.New("Relation does not exist")
@@ -406,6 +414,8 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
host = "localhost"
}
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
k.Mu.Lock()
defer k.Mu.Unlock()
b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
if err != nil {
log := oclib.GetLogger()
@@ -414,8 +424,8 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
}
var data map[string]interface{}
err = json.Unmarshal(b, &data)
if err == nil && data["code"].(int) > 300 {
return nil, data["code"].(int), errors.New("Error while deleting relation")
if data["code"] == nil || err != nil || data["code"].(int) > 300 {
return nil, 400, errors.New("Error while deleting relation")
}
return &Permission{
Object: object,
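Review bot: The rewritten condition `if data["code"] == nil || err != nil || data["code"].(int) > 300 {` still relies on an unchecked `.(int)` assertion, and `json.Unmarshal` into `map[string]interface{}` decodes every JSON number as `float64`, so any response that actually carries a numeric `code` panics at that line instead of reaching the 400 return. Take the value with a checked assertion against the decoded type: `code, ok := data["code"].(float64)` followed by `if err != nil || !ok || code > 300 {`. Note also that the old condition treated an unmarshal error (for example an empty body) as success, while the new one routes it to the 400 path; if a successful delete from the admin endpoint returns no JSON body, every successful delete will now be reported as "Error while deleting relation", so this is worth confirming against the endpoint. The same unchecked-assertion concern does not apply to the `fmt.Sprintf("%v", ...)` changes in createRelationShip, but those now store the literal string "<nil>" in Permission fields whenever a key is absent, which later string comparisons will not catch. deleteRelationShip starts outside this hunk.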
@@ -52,7 +52,7 @@ type PermConnector interface {
}
var c = map[string]PermConnector{
"keto": KetoConnector{},
"keto": &KetoConnector{},
}
func GetPermissionConnector(scope string) PermConnector {
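Review bot: With `"keto": &KetoConnector{},` every call to GetPermissionConnector presumably hands out the same pointer, so the `Client` field written through `SetClient` becomes state shared across all callers rather than per-connector. `SetClient`, changed to a pointer receiver in this same commit, assigns `k.Client` without taking `Mu`, so concurrent callers race on that field under the shared pointer. Either guard the write with `k.Mu.Lock()` / `defer k.Mu.Unlock()` inside SetClient, or have GetPermissionConnector return a fresh connector per call if the client is meant to be caller-specific. GetPermissionConnector's body continues outside the hunk.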