debugging claims
This commit is contained in:
parent
02767d87fa
commit
605327e5c7
@ -162,10 +162,12 @@ func (o *OAuthController) InternalAuthForward() {
|
|||||||
Name: "csrf_token",
|
Name: "csrf_token",
|
||||||
Value: o.XSRFToken(),
|
Value: o.XSRFToken(),
|
||||||
}) // may be a problem... we should check if token is valid on our side
|
}) // may be a problem... we should check if token is valid on our side
|
||||||
// prefers a refresh token call
|
|
||||||
fmt.Println("InternalAuthForward", isToken, err)
|
fmt.Println("InternalAuthForward", isToken, err)
|
||||||
|
// prefers a refresh token call
|
||||||
if err != nil || !isToken {
|
if err != nil || !isToken {
|
||||||
o.Ctx.ResponseWriter.WriteHeader(401)
|
o.Ctx.ResponseWriter.WriteHeader(401)
|
||||||
|
} else {
|
||||||
|
o.Ctx.ResponseWriter.WriteHeader(200)
|
||||||
}
|
}
|
||||||
o.ServeJSON()
|
o.ServeJSON()
|
||||||
}
|
}
|
||||||
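Review bot: The added `fmt.Println("InternalAuthForward", isToken, err)` writes the token-validation outcome and the raw error text to stdout on every forward-auth request, with no level and outside the logger the rest of this page uses (`oclib.GetLogger()` / `log.Error().Msg(...)` in KetoConnector.CheckPermission). If the line is meant to stay, route it through that logger at debug level, e.g. `oclib.GetLogger().Debug().Msg(fmt.Sprintf("InternalAuthForward isToken=%t err=%v", isToken, err))` (assuming the logger exposes a Debug level alongside the Error level seen elsewhere); otherwise drop it before merge. InternalAuthForward begins before this hunk, so whether the `err`/`isToken` pair comes from a local check or a remote introspection is not visible here.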
|
@ -28,6 +28,7 @@ services:
|
|||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.routers.whoami.entrypoints=web"
|
- "traefik.http.routers.whoami.entrypoints=web"
|
||||||
- "traefik.http.routers.whoami.rule=Host(`localhost`)"
|
- "traefik.http.routers.whoami.rule=Host(`localhost`)"
|
||||||
|
- "traefik.routers.whoami.rule=Path(/whoami)"
|
||||||
- "traefik.http.routers.whoami.tls=false"
|
- "traefik.http.routers.whoami.tls=false"
|
||||||
- "traefik.http.services.whoami.loadbalancer.server.port=80"
|
- "traefik.http.services.whoami.loadbalancer.server.port=80"
|
||||||
- "traefik.http.routers.whoami.middlewares=auth"
|
- "traefik.http.routers.whoami.middlewares=auth"
|
||||||
|
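Review bot: The new label key `traefik.routers.whoami.rule` is missing the `http` segment that every other label in this block carries, so it does not address the `whoami` router and the effective rule remains `Host(`localhost`)`; the value also uses `Path(/whoami)` without the backticks Traefik's rule syntax expects. If the intent is to restrict the router to the whoami path, fold it into the existing rule line instead of adding a second `rule` key: `- "traefik.http.routers.whoami.rule=Host(`localhost`) && Path(`/whoami`)"`. Access is still gated by the `middlewares=auth` label, so the ignored label does not weaken auth, but the path restriction the author intended is not in effect.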
@ -182,6 +182,7 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
|
|||||||
c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer).Url)
|
c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer).Url)
|
||||||
b, _ = json.Marshal(c)
|
b, _ = json.Marshal(c)
|
||||||
token.AccessToken = strings.ReplaceAll(token.AccessToken, "ory_at_", "") + "." + base64.StdEncoding.EncodeToString(b)
|
token.AccessToken = strings.ReplaceAll(token.AccessToken, "ory_at_", "") + "." + base64.StdEncoding.EncodeToString(b)
|
||||||
|
token.Active = true
|
||||||
return token, nil
|
return token, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
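Review bot: `token.Active = true` is asserted unconditionally after the local claim suffix is appended, not derived from any issuer response visible in this hunk, so a reader of the Token struct cannot tell whether Active means "introspected and valid" or "just minted here". Either derive it from the server's answer or document the assertion next to the line, e.g. `token.Active = true // set locally; not an introspection result`. The surrounding context line `b, _ = json.Marshal(c)` still discards the marshal error, so a claim set that fails to encode yields an access token whose appended claims segment is the base64 of nil. Login begins before this hunk, so earlier validation of `token` is not visible here.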
@ -4,6 +4,7 @@ import (
|
|||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
"oc-auth/conf"
|
"oc-auth/conf"
|
||||||
"oc-auth/infrastructure/perms_connectors"
|
"oc-auth/infrastructure/perms_connectors"
|
||||||
"oc-auth/infrastructure/utils"
|
"oc-auth/infrastructure/utils"
|
||||||
@ -21,7 +22,7 @@ func (h HydraClaims) generateKey(relation string, path string) (string, error) {
|
|||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
p := strings.ReplaceAll(strings.ToUpper(path), "/", "_")
|
p := strings.ReplaceAll(strings.ToUpper(path), "/", "_")
|
||||||
return strings.ToLower(method.String()) + "_" + p, nil
|
return strings.ToLower(method.String()) + "_" + strings.ReplaceAll(p, ":", ""), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// decode key expect to extract method and path from key
|
// decode key expect to extract method and path from key
|
||||||
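Review bot: Deleting `:` from the key makes the encoding lossy: after `ToUpper` and `/`→`_`, a parameterised path such as `/users/:id` and a literal path `/users/id` both produce `get_USERS_ID`, and in AddClaimsToToken (later on this page) the key indexes `claims.Session.AccessToken`, so the second permission silently overwrites the first. The comment at the top of decodeKey ("extract method and path from key") also no longer holds, since the path cannot be recovered. If `:` cannot appear in the claim key, replace it with a marker that survives the transformation rather than dropping it, e.g. `strings.ReplaceAll(p, ":", "PARAM_")`, and note the limitation in a comment above generateKey. generateKey begins before this hunk.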
@ -63,6 +64,17 @@ func (h HydraClaims) encodeSignature(host string) (string, error) {
|
|||||||
return SignDefault(hashed[:], spkiBlock.Bytes)
|
return SignDefault(hashed[:], spkiBlock.Bytes)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (h HydraClaims) clearBlank(path []string) []string {
|
||||||
|
// clear blank
|
||||||
|
newPath := []string{}
|
||||||
|
for _, p := range path {
|
||||||
|
if p != "" {
|
||||||
|
newPath = append(newPath, p)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return newPath
|
||||||
|
}
|
||||||
|
|
||||||
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
|
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
|
||||||
idTokenClaims := sessionClaims.Session.IDToken
|
idTokenClaims := sessionClaims.Session.IDToken
|
||||||
if idTokenClaims["signature"] == nil {
|
if idTokenClaims["signature"] == nil {
|
||||||
@ -74,27 +86,33 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
|
|||||||
}
|
}
|
||||||
claims := sessionClaims.Session.AccessToken
|
claims := sessionClaims.Session.AccessToken
|
||||||
path := strings.ReplaceAll(forward, "http://"+host, "")
|
path := strings.ReplaceAll(forward, "http://"+host, "")
|
||||||
splittedPath := strings.Split(path, "/")
|
splittedPath := h.clearBlank(strings.Split(path, "/"))
|
||||||
for m, p := range claims {
|
for m, p := range claims {
|
||||||
splittedP := strings.Split(p.(string), "/")
|
match := true
|
||||||
|
splittedP := h.clearBlank(strings.Split(p.(string), "/"))
|
||||||
if len(splittedP) != len(splittedPath) {
|
if len(splittedP) != len(splittedPath) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
for i, v := range splittedP {
|
for i, v := range splittedP {
|
||||||
|
fmt.Println(v, splittedPath[i])
|
||||||
if strings.Contains(v, ":") { // is a param
|
if strings.Contains(v, ":") { // is a param
|
||||||
continue
|
continue
|
||||||
} else if v != splittedPath[i] {
|
} else if v != splittedPath[i] {
|
||||||
meth, _, err := h.decodeKey(m, external)
|
match = false
|
||||||
if err != nil {
|
break
|
||||||
continue
|
|
||||||
}
|
|
||||||
perm := perms_connectors.Permission{
|
|
||||||
Relation: "permits" + strings.ToLower(meth.String()),
|
|
||||||
Object: p.(string),
|
|
||||||
}
|
|
||||||
return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if match {
|
||||||
|
meth, _, err := h.decodeKey(m, external)
|
||||||
|
if err != nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
perm := perms_connectors.Permission{
|
||||||
|
Relation: "permits" + strings.ToUpper(meth.String()),
|
||||||
|
Object: p.(string),
|
||||||
|
}
|
||||||
|
return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return false, errors.New("no permission found")
|
return false, errors.New("no permission found")
|
||||||
}
|
}
|
||||||
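Review bot: The new `splittedP := h.clearBlank(strings.Split(p.(string), "/"))` performs an unchecked type assertion on every value of the session's access-token claims, so a claim that is not a string makes the authorization check panic instead of deny; guard it with `ps, ok := p.(string)` / `if !ok { continue }` and use `ps` below. The per-segment `fmt.Println(v, splittedPath[i])` prints every requested path segment to stdout on each check and should go through the project logger or be removed. Because `claims` is a map and the function returns on the first pattern that matches, two overlapping claim keys (a literal segment and a `:param` segment for the same position) make the result depend on Go's randomised map iteration order; consider preferring exact matches over parameter matches, or continuing past a denied match rather than returning immediately. DecodeClaimsInToken begins before this hunk.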
@ -109,11 +127,11 @@ func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
|
|||||||
claims.Session.AccessToken = make(map[string]interface{})
|
claims.Session.AccessToken = make(map[string]interface{})
|
||||||
claims.Session.IDToken = make(map[string]interface{})
|
claims.Session.IDToken = make(map[string]interface{})
|
||||||
for _, perm := range perms {
|
for _, perm := range perms {
|
||||||
key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Object)
|
key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Subject)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
claims.Session.AccessToken[key] = perm.Object
|
claims.Session.AccessToken[key] = perm.Subject
|
||||||
}
|
}
|
||||||
sign, err := h.encodeSignature(host)
|
sign, err := h.encodeSignature(host)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -69,21 +69,13 @@ func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permis
|
|||||||
log.Error().Msg("Permission denied : Ask illegal permission")
|
log.Error().Msg("Permission denied : Ask illegal permission")
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
|
perms, err := k.GetPermission(perm.Object, perm.Relation)
|
||||||
var responseBody map[string]interface{}
|
|
||||||
host := conf.GetConfig().PermissionConnectorHost
|
|
||||||
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
|
|
||||||
resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples/check"+k.permToQuery(perm, permDependancies))
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log := oclib.GetLogger()
|
log := oclib.GetLogger()
|
||||||
log.Error().Msg(err.Error())
|
log.Error().Msg(err.Error())
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
err = json.Unmarshal(resp, &responseBody)
|
return len(perms) > 0
|
||||||
if err != nil || responseBody["allowed"] == nil {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return responseBody["allowed"].(bool)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k KetoConnector) DeleteRole(roleID string) (string, int, error) {
|
func (k KetoConnector) DeleteRole(roleID string) (string, int, error) {
|
||||||
|
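Review bot: The replacement `perms, err := k.GetPermission(perm.Object, perm.Relation)` followed by `return len(perms) > 0` answers "does any tuple with this object and relation exist", not "is this subject permitted": `perm.Subject` is never passed, and `permDependancies` is no longer used anywhere in the visible body, whereas the removed code sent the whole permission and its dependencies to `/relation-tuples/check`. As written, any principal is allowed as soon as one tuple exists for the object/relation pair, which is a broader grant than before. Either filter the returned tuples by subject before deciding (the shape of `perms` is not visible here, so confirm it carries the subject) or keep the check endpoint for the decision. CheckPermission begins before this hunk.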