debugging claims
		| @@ -182,6 +182,7 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke | ||||
| 	c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer).Url) | ||||
| 	b, _ = json.Marshal(c) | ||||
| 	token.AccessToken = strings.ReplaceAll(token.AccessToken, "ory_at_", "") + "." + base64.StdEncoding.EncodeToString(b) | ||||
| 	token.Active = true | ||||
| 	return token, nil | ||||
| } | ||||
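Review bot: `b, _ = json.Marshal(c)` discards the marshal error, so a failure silently appends an empty payload to the access token; propagate it instead, roughly `if b, err = json.Marshal(c); err != nil { return nil, err }` adjusted to the function's actual result values. The claims segment is encoded with `base64.StdEncoding`, whose `+`, `/` and `=` characters are not header- or URL-safe; `base64.RawURLEncoding` is the conventional choice for a dot-separated token segment. `pp.Data[0].(*peer.Peer)` is an unchecked index and type assertion on data presumably fetched earlier in Login, which starts outside this hunk — a length check before it would avoid a panic on an empty result.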
|  | ||||
|   | ||||
| @@ -4,6 +4,7 @@ import ( | ||||
| 	"crypto/sha256" | ||||
| 	"encoding/pem" | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| 	"oc-auth/conf" | ||||
| 	"oc-auth/infrastructure/perms_connectors" | ||||
| 	"oc-auth/infrastructure/utils" | ||||
| @@ -21,7 +22,7 @@ func (h HydraClaims) generateKey(relation string, path string) (string, error) { | ||||
| 		return "", err | ||||
| 	} | ||||
| 	p := strings.ReplaceAll(strings.ToUpper(path), "/", "_") | ||||
| 	return strings.ToLower(method.String()) + "_" + p, nil | ||||
| 	return strings.ToLower(method.String()) + "_" + strings.ReplaceAll(p, ":", ""), nil | ||||
| } | ||||
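Review bot: Stripping ':' in `return strings.ToLower(method.String()) + "_" + strings.ReplaceAll(p, ":", ""), nil` makes `/users/:id` and `/users/id` produce the same key, and AddClaimsToToken stores claims in a map keyed by it, so one of two such permissions silently overwrites the other. If route parameters are meant to live only in the claim value, record the trade-off with a comment such as `// ':' is dropped so param routes share the key format of literal routes; key collisions are last-writer-wins`. generateKey starts outside the hunk.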
|  | ||||
| // decode key expect to extract method and path from key | ||||
| @@ -63,6 +64,17 @@ func (h HydraClaims) encodeSignature(host string) (string, error) { | ||||
| 	return SignDefault(hashed[:], spkiBlock.Bytes) | ||||
| } | ||||
|  | ||||
| func (h HydraClaims) clearBlank(path []string) []string { | ||||
| 	// clear blank | ||||
| 	newPath := []string{} | ||||
| 	for _, p := range path { | ||||
| 		if p != "" { | ||||
| 			newPath = append(newPath, p) | ||||
| 		} | ||||
| 	} | ||||
| 	return newPath | ||||
| } | ||||
|  | ||||
| func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) { | ||||
| 	idTokenClaims := sessionClaims.Session.IDToken | ||||
| 	if idTokenClaims["signature"] == nil { | ||||
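Review bot: clearBlank never uses its receiver `h`, so it could be a plain package-level function (`func clearBlank(path []string) []string`), and the `// clear blank` remark inside the body would serve better as a doc comment above the declaration, e.g. `// clearBlank drops empty segments left by leading, trailing or doubled slashes.` If the module's Go version permits it, the loop can be replaced by `return slices.DeleteFunc(slices.Clone(path), func(s string) bool { return s == "" })`. DecodeClaimsInToken's body continues in the next hunk.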
| @@ -74,27 +86,33 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str | ||||
| 	} | ||||
| 	claims := sessionClaims.Session.AccessToken | ||||
| 	path := strings.ReplaceAll(forward, "http://"+host, "") | ||||
| 	splittedPath := strings.Split(path, "/") | ||||
| 	splittedPath := h.clearBlank(strings.Split(path, "/")) | ||||
| 	for m, p := range claims { | ||||
| 		splittedP := strings.Split(p.(string), "/") | ||||
| 		match := true | ||||
| 		splittedP := h.clearBlank(strings.Split(p.(string), "/")) | ||||
| 		if len(splittedP) != len(splittedPath) { | ||||
| 			continue | ||||
| 		} | ||||
| 		for i, v := range splittedP { | ||||
| 			fmt.Println(v, splittedPath[i]) | ||||
| 			if strings.Contains(v, ":") { // is a param | ||||
| 				continue | ||||
| 			} else if v != splittedPath[i] { | ||||
| 				meth, _, err := h.decodeKey(m, external) | ||||
| 				if err != nil { | ||||
| 					continue | ||||
| 				} | ||||
| 				perm := perms_connectors.Permission{ | ||||
| 					Relation: "permits" + strings.ToLower(meth.String()), | ||||
| 					Object:   p.(string), | ||||
| 				} | ||||
| 				return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil | ||||
| 				match = false | ||||
| 				break | ||||
| 			} | ||||
| 		} | ||||
| 		if match { | ||||
| 			meth, _, err := h.decodeKey(m, external) | ||||
| 			if err != nil { | ||||
| 				continue | ||||
| 			} | ||||
| 			perm := perms_connectors.Permission{ | ||||
| 				Relation: "permits" + strings.ToUpper(meth.String()), | ||||
| 				Object:   p.(string), | ||||
| 			} | ||||
| 			return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil | ||||
| 		} | ||||
| 	} | ||||
| 	return false, errors.New("no permission found") | ||||
| } | ||||
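Review bot: `fmt.Println(v, splittedPath[i])` in the segment comparison loop is a leftover debug trace that writes every requested path segment to stdout on each authorization check; remove it or route it through the logger at debug level before merging. The matching only compares segment count and literal segments, so a claim like `/:a/:b` matches any two-segment path — fine if intended, but worth a comment such as `// ':'-prefixed segments are route params and match any value`. `p.(string)` is an unchecked assertion on a claim taken from the session; a non-string claim would panic the handler, so `ps, ok := p.(string); if !ok { continue }` is safer. The relation is now built with `strings.ToUpper(meth.String())` whereas the removed line used `ToLower` — confirm this matches how tuples are stored, since the rewritten CheckPermission looks tuples up by that exact relation string. DecodeClaimsInToken's signature is in the preceding hunk.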
| @@ -109,11 +127,11 @@ func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims { | ||||
| 	claims.Session.AccessToken = make(map[string]interface{}) | ||||
| 	claims.Session.IDToken = make(map[string]interface{}) | ||||
| 	for _, perm := range perms { | ||||
| 		key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Object) | ||||
| 		key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Subject) | ||||
| 		if err != nil { | ||||
| 			continue | ||||
| 		} | ||||
| 		claims.Session.AccessToken[key] = perm.Object | ||||
| 		claims.Session.AccessToken[key] = perm.Subject | ||||
| 	} | ||||
| 	sign, err := h.encodeSignature(host) | ||||
| 	if err != nil { | ||||
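Review bot: The claim key and value now come from `perm.Subject`, while DecodeClaimsInToken still hands that same value back to the permission connector as `Object: p.(string)`; if Subject and Object are not interchangeable in the stored tuples the later lookup will never match, so please confirm the tuple orientation and add a comment on the loop stating which side of the tuple the claim path represents. Errors from generateKey are skipped with a bare `continue`; a debug log naming the dropped relation would make missing claims diagnosable. AddClaimsToToken starts and ends outside this hunk.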
|   | ||||
| @@ -69,21 +69,13 @@ func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permis | ||||
| 		log.Error().Msg("Permission denied : Ask illegal permission") | ||||
| 		return false | ||||
| 	} | ||||
| 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}) | ||||
| 	var responseBody map[string]interface{} | ||||
| 	host := conf.GetConfig().PermissionConnectorHost | ||||
| 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort) | ||||
| 	resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples/check"+k.permToQuery(perm, permDependancies)) | ||||
| 	perms, err := k.GetPermission(perm.Object, perm.Relation) | ||||
| 	if err != nil { | ||||
| 		log := oclib.GetLogger() | ||||
| 		log.Error().Msg(err.Error()) | ||||
| 		return false | ||||
| 	} | ||||
| 	err = json.Unmarshal(resp, &responseBody) | ||||
| 	if err != nil || responseBody["allowed"] == nil { | ||||
| 		return false | ||||
| 	} | ||||
| 	return responseBody["allowed"].(bool) | ||||
| 	return len(perms) > 0 | ||||
| } | ||||
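Review bot: The rewritten check `perms, err := k.GetPermission(perm.Object, perm.Relation)` no longer involves the requesting subject or `permDependancies`: it returns true as soon as any tuple exists for that object/relation pair, so a token for object X is granted the relation as long as anyone holds it. If that is the intended semantics it should be stated in a doc comment on CheckPermission; otherwise the subject (the Permission type carries `Subject`, as AddClaimsToToken shows) must be part of the lookup, e.g. filtering `perms` by `perm.Subject` before `return len(perms) > 0`. Separately, `log := oclib.GetLogger()` in the error branch shadows the `log` already used at the top of the function — use `=` or the outer logger. permToQuery appears unused here now and may be dead code; CheckPermission starts outside the hunk.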
|  | ||||
| func (k KetoConnector) DeleteRole(roleID string) (string, int, error) { | ||||
|   | ||||