Oc Auth x Hydra x LDAP : draft of claims enrich for traefik + draft of forwarding

infrastructure/auth_connector/auth_connector.go

@@ -0,0 +1,28 @@
+package auth_connectors
+
+import (
+	"net/http"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type AuthConnector interface {
+	Status() tools.State
+	Login(username string, cookies ...*http.Cookie) (*Token, error)
+	Logout(token string, cookies ...*http.Cookie) (*Token, error)
+	Introspect(token string, cookie ...*http.Cookie) (bool, error)
+	Refresh(token *Token) (*Token, error)
+}
+
+type Token struct {
+	Active      bool   `json:"active"`
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"`
+	Challenge   string `json:"challenge"`
+	Username    string `json:"username,omitempty"`
+	Password    string `json:"password,omitempty"`
+}
+
+type Redirect struct {
+	RedirectTo string `json:"redirect_to"`
+}

infrastructure/auth_connector/hydra_connector.go

@@ -0,0 +1,240 @@
+package auth_connectors
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"oc-auth/conf"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type HydraConnector struct {
+	State        string `json:"state"`
+	Scopes       string `json:"scope"`
+	ClientID     string `json:"client_id"`
+	ResponseType string `json:"response_type"`
+
+	Caller *tools.HTTPCaller
+}
+
+func (a HydraConnector) Status() tools.State {
+	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
+	var responseBody map[string]interface{}
+	host := conf.GetConfig().AuthConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
+	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
+	if err != nil {
+		return tools.DEAD
+	}
+	err = json.Unmarshal(resp, &responseBody)
+	if err != nil || responseBody["status"] != "ok" {
+		return tools.DEAD
+	}
+	return tools.ALIVE
+}
+
+// urlFormat formats the URL of the peer with the data type API function
+func (a *HydraConnector) urlFormat(url string, replaceWith string) string {
+	// localhost is replaced by the local peer URL
+	// because localhost must collide on a web request security protocol
+	r := regexp.MustCompile("(http://[a-z]+:[0-9]+)/oauth2")
+	t := r.FindString(url)
+	if t != "" {
+		url = strings.Replace(url, t, replaceWith, -1)
+	}
+	return url
+}
+
+func (a HydraConnector) challenge(username string, url string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
+	body := map[string]interface{}{
+		"remember_for": 0,
+		"remember":     true,
+	}
+	if challenge != "consent" {
+		body["subject"] = username
+	}
+	s := strings.Split(url, challenge+"_challenge=")
+	resp, err := a.Caller.CallRaw(http.MethodPut,
+		a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1],
+		body, "application/json", true, cookies...) // "remember": true, "subject": username
+	if err != nil {
+		return nil, s[1], cookies, err
+	}
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, s[1], cookies, err
+	}
+	var token Redirect
+	err = json.Unmarshal(b, &token)
+	if err != nil {
+		return nil, s[1], cookies, err
+	}
+	return &token, s[1], cookies, nil
+}
+
+func (a HydraConnector) Refresh(token *Token) (*Token, error) {
+	isValid, err := a.Introspect(token.AccessToken)
+	if err != nil || !isValid {
+		return nil, err
+	}
+	return a.Login(token.Username)
+}
+
+func (a HydraConnector) tryLog(username string, url string, subpath string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
+	resp, err := a.Caller.CallRaw(http.MethodGet, url, subpath,
+		map[string]interface{}{}, "application/json", true, cookies...)
+	if err != nil || resp.Request.Response == nil || resp.Request.Response.Header["Set-Cookie"] == nil {
+		return nil, "", cookies, err
+	}
+	cc := resp.Request.Response.Header["Set-Cookie"] // retrieve oauth2 csrf token cookie
+	if len(cc) > 0 {
+		for _, c := range cc {
+			first := strings.Split(c, ";")
+			cookies = append(cookies, &http.Cookie{
+				Name:  strings.Split(first[0], "=")[0],
+				Value: strings.ReplaceAll(first[0], strings.Split(first[0], "=")[0]+"=", ""),
+			})
+		}
+	}
+	return a.challenge(username, resp.Request.URL.String(), challenge, cookies...)
+}
+
+func (a HydraConnector) extractTokenFromFragment(fragment string) *Token {
+	splittedFragment := strings.Split(fragment, "#")
+	f := splittedFragment[0]
+	if len(splittedFragment) > 1 {
+		f = splittedFragment[1]
+	}
+	token := &Token{}
+	frags := strings.Split(f, "&")
+	for _, f := range frags {
+		splittedFrag := strings.Split(f, "=")
+		if len(splittedFrag) > 1 {
+			if splittedFrag[0] == "access_token" {
+				token.AccessToken = strings.ReplaceAll(splittedFrag[1], "ory_at_", "")
+			}
+			if splittedFrag[0] == "expires_in" {
+				i, err := strconv.Atoi(splittedFrag[1])
+				if err != nil {
+					return nil
+				}
+				token.ExpiresIn = i
+			}
+		}
+	}
+	return token
+}
+
+func (a HydraConnector) getClient() string {
+	resp, err := a.Caller.CallGet(a.getPath(true, false), "/clients")
+	if err != nil {
+		return ""
+	}
+	var clients []interface{}
+	err = json.Unmarshal(resp, &clients)
+	if err != nil || len(clients) == 0 {
+		return ""
+	}
+	return clients[0].(map[string]interface{})["client_id"].(string)
+}
+
+func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Token, err error) {
+	clientID := a.getClient()
+	redirect, challenge, cookies, err := a.tryLog(username, a.getPath(false, true),
+		"/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State,
+		"login", cookies...)
+	if err != nil || redirect == nil {
+		return nil, err
+	}
+	redirect, challenge, cookies, err = a.tryLog(username, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", "consent", cookies...)
+	if err != nil || redirect == nil {
+		return nil, err
+	}
+	// problem with consent THERE we need to accept the consent challenge && get the token
+	url := ""
+	resp, err := a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
+		"application/json", true, cookies...)
+	if err != nil {
+		s := strings.Split(err.Error(), "\"")
+		if len(s) > 1 && strings.Contains(s[1], "access_token") {
+			url = s[1]
+			err = nil
+		} else {
+			return nil, err
+		}
+	} else {
+		url = resp.Request.Response.Request.URL.Fragment
+	}
+	token := a.extractTokenFromFragment(url)
+	fmt.Println(url, token)
+	if token == nil || token.AccessToken == "" {
+		return nil, errors.New("no token found")
+	}
+	token.Challenge = challenge
+	token.Active = true
+	token.Username = username
+	fmt.Println(token)
+	return token, nil
+}
+
+func (a HydraConnector) Logout(token string, cookies ...*http.Cookie) (*Token, error) {
+	p := a.getPath(false, true) + "/revoke"
+	urls := url.Values{}
+	urls.Add("token", token)
+	urls.Add("client_id", a.getClient())
+	urls.Add("client_secret", conf.GetConfig().ClientSecret)
+	_, err := a.Caller.CallForm(http.MethodPost, p, "", urls, "application/x-www-form-urlencoded", true)
+	if err != nil {
+		return nil, err
+	}
+	return &Token{
+		AccessToken: token,
+		Active:      false,
+	}, nil
+}
+func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool, error) {
+	// check validity of the token by calling introspect endpoint
+	// if token is not active, we need to re-authenticate by sending the user to the login page
+	urls := url.Values{}
+	urls.Add("token", token)
+	resp, err := a.Caller.CallForm(http.MethodPost, a.getPath(true, true), "/introspect", urls,
+		"application/x-www-form-urlencoded", true, cookie...)
+	if err != nil || resp.StatusCode >= 300 {
+		return false, err
+	}
+	defer resp.Body.Close()
+	b, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return false, err
+	}
+	var introspect Token
+	err = json.Unmarshal(b, &introspect)
+	if err != nil {
+		return false, err
+	}
+	introspect.AccessToken = token
+	return introspect.Active, nil
+}
+
+func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
+	host := conf.GetConfig().AuthConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
+	if isAdmin {
+		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"
+	}
+	oauth := ""
+	if isOauth {
+		oauth = "/oauth2"
+	}
+	fmt.Println("http://" + host + ":" + port + oauth)
+	return "http://" + host + ":" + port + oauth
+
+}

infrastructure/auth_connector/ldap.go

@@ -0,0 +1,386 @@
+package auth_connectors
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"oc-auth/conf"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/coocood/freecache"
+	"github.com/go-ldap/ldap/v3"
+	"github.com/i-core/rlog"
+	"go.uber.org/zap"
+)
+
+var (
+	// errInvalidCredentials is an error that happens when a user's password is invalid.
+	errInvalidCredentials = fmt.Errorf("invalid credentials")
+	// errConnectionTimeout is an error that happens when no one LDAP endpoint responds.
+	errConnectionTimeout = fmt.Errorf("connection timeout")
+	// errMissedUsername is an error that happens
+	errMissedUsername = errors.New("username is missed")
+	// errUnknownUsername is an error that happens
+	errUnknownUsername = errors.New("unknown username")
+)
+
+type conn interface {
+	Bind(bindDN, password string) error
+	SearchUser(user string, attrs ...string) ([]map[string]interface{}, error)
+	SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error)
+	Close() error
+}
+
+type connector interface {
+	Connect(ctx context.Context, addr string) (conn, error)
+}
+
+// Config is a LDAP configuration.
+type Config struct {
+	Endpoints      []string          `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
+	BindDN         string            `envconfig:"binddn" desc:"a LDAP bind DN"`
+	BindPass       string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
+	BaseDN         string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
+	AttrClaims     map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
+	RoleBaseDN     string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
+	RoleAttr       string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
+	RoleClaim      string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
+	CacheSize      int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
+	CacheTTL       time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
+	IsTLS          bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
+	FlatRoleClaims bool              `envconfig:"flat_role_claims" desc:"add roles claim as single list"`
+}
+
+// New creates a new LDAP client.
+func New() *Client {
+	cnf := Config{
+		Endpoints:  strings.Split(conf.GetConfig().LDAPEndpoints, ","),
+		BindDN:     conf.GetConfig().LDAPBindDN,
+		BindPass:   conf.GetConfig().LDAPBindPW,
+		BaseDN:     conf.GetConfig().LDAPBaseDN,
+		RoleBaseDN: conf.GetConfig().LDAPRoleBaseDN,
+	}
+	return &Client{
+		Config:    cnf,
+		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
+		cache:     freecache.NewCache(cnf.CacheSize * 1024),
+	}
+}
+
+type Client struct {
+	Config
+	connector connector
+	cache     *freecache.Cache
+}
+
+func (cli *Client) Authenticate(ctx context.Context, username, password string) (bool, error) {
+	if username == "" || password == "" {
+		return false, nil
+	}
+
+	var cancel context.CancelFunc
+	ctx, cancel = context.WithCancel(ctx)
+
+	cn, ok := <-cli.connect(ctx)
+	cancel()
+	if !ok {
+		return false, errConnectionTimeout
+	}
+	defer cn.Close()
+
+	// Find a user DN by his or her username.
+	details, err := cli.findBasicUserDetails(cn, username, []string{"dn"})
+	if err != nil {
+		return false, err
+	}
+	if details == nil {
+		return false, nil
+	}
+
+	if err := cn.Bind(details["dn"].(string), password); err != nil {
+		if err == errInvalidCredentials {
+			return false, nil
+		}
+		return false, err
+	}
+
+	// Clear the claims' cache because of possible re-authentication. We don't want stale claims after re-login.
+	if ok := cli.cache.Del([]byte(username)); ok {
+		log := rlog.FromContext(ctx)
+		log.Debug("Cleared user's OIDC claims in the cache")
+	}
+
+	return true, nil
+}
+
+// Claim is the FindOIDCClaims result struct
+type LDAPClaim struct {
+	Code  string      // the root claim name
+	Name  string      // the claim name
+	Value interface{} // the value
+}
+
+// FindOIDCClaims finds all OIDC claims for a user.
+func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPClaim, error) {
+	if username == "" {
+		return nil, errMissedUsername
+	}
+
+	log := rlog.FromContext(ctx).Sugar()
+
+	// Retrieving from LDAP is slow. So, we try to get claims for the given username from the cache.
+	switch cdata, err := cli.cache.Get([]byte(username)); err {
+	case nil:
+		var claims []LDAPClaim
+		if err = json.Unmarshal(cdata, &claims); err != nil {
+			log.Info("Failed to unmarshal user's OIDC claims", zap.Error(err), "data", cdata)
+			return nil, err
+		}
+		log.Debugw("Retrieved user's OIDC claims from the cache", "claims", claims)
+		return claims, nil
+	case freecache.ErrNotFound:
+		log.Debug("User's OIDC claims is not found in the cache")
+	default:
+		log.Infow("Failed to retrieve user's OIDC claims from the cache", zap.Error(err))
+	}
+
+	// Try to make multiple TCP connections to the LDAP server for getting claims.
+	// Accept the first one, and cancel others.
+	var cancel context.CancelFunc
+	ctx, cancel = context.WithCancel(ctx)
+
+	cn, ok := <-cli.connect(ctx)
+	cancel()
+	if !ok {
+		return nil, errConnectionTimeout
+	}
+	defer cn.Close()
+
+	// We need to find LDAP attribute's names for all required claims.
+	attrs := []string{"dn"}
+	for k := range cli.AttrClaims {
+		attrs = append(attrs, k)
+	}
+	// Find the attributes in the LDAP server.
+	details, err := cli.findBasicUserDetails(cn, username, attrs)
+	if err != nil {
+		return nil, err
+	}
+	if details == nil {
+		return nil, errUnknownUsername
+	}
+	log.Infow("Retrieved user's info from LDAP", "details", details)
+
+	// Transform the retrieved attributes to corresponding claims.
+	claims := make([]LDAPClaim, 0, len(details))
+	for attr, v := range details {
+		if claim, ok := cli.AttrClaims[attr]; ok {
+			claims = append(claims, LDAPClaim{claim, claim, v})
+		}
+	}
+
+	// User's roles is stored in LDAP as groups. We find all groups in a role's DN
+	// that include the user as a member.
+	entries, err := cn.SearchUserRoles(fmt.Sprintf("%s", details["dn"]), "dn", cli.RoleAttr)
+	if err != nil {
+		return nil, err
+	}
+
+	roles := make(map[string]interface{})
+	for _, entry := range entries {
+		roleDN, ok := entry["dn"].(string)
+		if !ok || roleDN == "" {
+			log.Infow("No required LDAP attribute for a role", "ldapAttribute", "dn", "entry", entry)
+			continue
+		}
+		if entry[cli.RoleAttr] == nil {
+			log.Infow("No required LDAP attribute for a role", "ldapAttribute", cli.RoleAttr, "roleDN", roleDN)
+			continue
+		}
+
+		// Ensure that a role's DN is inside of the role's base DN.
+		// It's sufficient to compare the DN's suffix with the base DN.
+		n, k := len(roleDN), len(cli.RoleBaseDN)
+		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
+			panic("You should never see that")
+		}
+		// The DN without the role's base DN must contain a CN and OU
+		// where the CN is for uniqueness only, and the OU is an application id.
+		path := strings.Split(roleDN[:n-k-1], ",")
+		if len(path) != 2 {
+			log.Infow("A role's DN without the role's base DN must contain two nodes only",
+				"roleBaseDN", cli.RoleBaseDN, "roleDN", roleDN)
+			continue
+		}
+		appID := path[1][len("OU="):]
+
+		var appRoles []interface{}
+		if v := roles[appID]; v != nil {
+			appRoles = v.([]interface{})
+		}
+		appRoles = append(appRoles, entry[cli.RoleAttr])
+		roles[appID] = appRoles
+	}
+
+	claims = append(claims, LDAPClaim{cli.RoleClaim, cli.RoleClaim, roles})
+
+	if cli.FlatRoleClaims {
+		for appID, appRoles := range roles {
+			claims = append(claims, LDAPClaim{cli.RoleClaim, cli.RoleClaim + "/" + appID, appRoles})
+		}
+	}
+
+	// Save the claims in the cache for future queries.
+	cdata, err := json.Marshal(claims)
+	if err != nil {
+		log.Infow("Failed to marshal user's OIDC claims for caching", zap.Error(err), "claims", claims)
+	}
+	if err = cli.cache.Set([]byte(username), cdata, int(cli.CacheTTL.Seconds())); err != nil {
+		log.Infow("Failed to store user's OIDC claims into the cache", zap.Error(err), "claims", claims)
+	}
+
+	return claims, nil
+}
+
+func (cli *Client) connect(ctx context.Context) <-chan conn {
+	var (
+		wg sync.WaitGroup
+		ch = make(chan conn)
+	)
+	wg.Add(len(cli.Endpoints))
+	for _, addr := range cli.Endpoints {
+		fmt.Println("addr", addr)
+		go func(addr string) {
+			defer wg.Done()
+
+			cn, err := cli.connector.Connect(ctx, addr)
+			if err != nil {
+				fmt.Println("Failed to create a LDAP connection", "address", addr)
+				return
+			}
+			select {
+			case <-ctx.Done():
+				cn.Close()
+				fmt.Println("a LDAP connection is cancelled", "address", addr)
+				return
+			case ch <- cn:
+			}
+		}(addr)
+	}
+	go func() {
+		wg.Wait()
+		close(ch)
+	}()
+	return ch
+}
+
+// findBasicUserDetails finds user's LDAP attributes that were specified. It returns nil if no such user.
+func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string) (map[string]interface{}, error) {
+	if cli.BindDN != "" {
+		// We need to login to a LDAP server with a service account for retrieving user data.
+		if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
+			return nil, errors.New(err.Error() + " : failed to login to a LDAP woth a service account")
+		}
+	}
+
+	entries, err := cn.SearchUser(username, attrs...)
+	if err != nil {
+		return nil, err
+	}
+	if len(entries) != 1 {
+		// We didn't find the user.
+		return nil, nil
+	}
+
+	var (
+		entry   = entries[0]
+		details = make(map[string]interface{})
+	)
+	for _, attr := range attrs {
+		if v, ok := entry[attr]; ok {
+			details[attr] = v
+		}
+	}
+	return details, nil
+}
+
+type ldapConnector struct {
+	BaseDN     string
+	RoleBaseDN string
+	IsTLS      bool
+}
+
+func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
+	d := net.Dialer{Timeout: ldap.DefaultTimeout}
+	tcpcn, err := d.DialContext(ctx, "tcp", addr)
+	if err != nil {
+		return nil, err
+	}
+
+	if c.IsTLS {
+		tlscn, err := tls.DialWithDialer(&d, "tcp", addr, nil)
+		if err != nil {
+			return nil, err
+		}
+		tcpcn = tlscn
+	}
+
+	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
+
+	ldapcn.Start()
+	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
+}
+
+type ldapConn struct {
+	*ldap.Conn
+	BaseDN     string
+	RoleBaseDN string
+}
+
+func (c *ldapConn) Bind(bindDN, password string) error {
+	err := c.Conn.Bind(bindDN, password)
+	if ldapErr, ok := err.(*ldap.Error); ok && ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
+		return errInvalidCredentials
+	}
+	return err
+}
+
+func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
+	query := fmt.Sprintf(
+		"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
+			"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
+	return c.searchEntries(c.BaseDN, query, attrs)
+}
+
+func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
+	query := fmt.Sprintf("(|"+
+		"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
+		"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
+		")", user)
+	return c.searchEntries(c.RoleBaseDN, query, attrs)
+}
+
+// searchEntries executes a LDAP query, and returns a result as entries where each entry is mapping of LDAP attributes.
+func (c *ldapConn) searchEntries(baseDN, query string, attrs []string) ([]map[string]interface{}, error) {
+	req := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, query, attrs, nil)
+	res, err := c.Search(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var entries []map[string]interface{}
+	for _, v := range res.Entries {
+		entry := map[string]interface{}{"dn": v.DN}
+		for _, attr := range v.Attributes {
+			// We need the first value only for the named attribute.
+			entry[attr.Name] = attr.Values[0]
+		}
+		entries = append(entries, entry)
+	}
+	return entries, nil
+}

infrastructure/claims/claims.go

@@ -0,0 +1,18 @@
+package claims
+
+// Tokenizer interface
+type ClaimService interface {
+	AddClaimsToToken(userId string, host string) Claims
+	DecodeClaimsInToken(host string, method string, forward string, sessionClaims map[string]interface{}, publicKey string) (bool, error)
+}
+
+// SessionClaims struct
+type SessionClaims struct {
+	AccessToken map[string]interface{} `json:"access_token"`
+	IDToken     map[string]interface{} `json:"id_token"`
+}
+
+// Claims struct
+type Claims struct {
+	Session SessionClaims `json:"session"`
+}

infrastructure/claims/hydra_claims.go

@@ -0,0 +1,133 @@
+package claims
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"oc-auth/conf"
+	"oc-auth/infrastructure/perms_connectors"
+	"oc-auth/infrastructure/utils"
+	"os"
+	"strings"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type HydraClaims struct{}
+
+func (h HydraClaims) generateKey(relation string, path string) (string, error) {
+	method, err := utils.ExtractMethod(relation, false)
+	if err != nil {
+		return "", err
+	}
+	p := strings.ReplaceAll(strings.ToUpper(path), "/", "_")
+	return strings.ToLower(method.String()) + "_" + p, nil
+}
+
+// decode key expect to extract method and path from key
+func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
+	s := strings.Split(key, "_")
+	if len(s) < 2 {
+		return tools.GET, "", errors.New("invalid key")
+	}
+	meth, err := utils.ExtractMethod(s[0], false)
+	if err != nil {
+		return meth, "", err
+	}
+	p := strings.ReplaceAll(strings.ToLower(s[1]), "_", "/")
+	return meth, p, nil
+}
+
+func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
+	hashed := sha256.Sum256([]byte(host))
+	// get public key into a variable
+	spkiBlock, _ := pem.Decode([]byte(publicKey))
+	key, _ := x509.ParsePKCS1PublicKey(spkiBlock.Bytes)
+	err := rsa.VerifyPKCS1v15(key, crypto.SHA256, hashed[:], []byte(signature))
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+func (h HydraClaims) encodeSignature(host string) (string, error) {
+	hashed := sha256.Sum256([]byte(host))
+	// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
+	content, err := os.ReadFile(conf.GetConfig().PVKPath)
+	if err != nil {
+		return "", err
+	}
+	privateKey := string(content)
+	spkiBlock, _ := pem.Decode([]byte(privateKey))
+	key, _ := x509.ParsePKCS1PrivateKey(spkiBlock.Bytes)
+	signature, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hashed[:])
+	if err != nil {
+		return "", err
+	}
+	return string(signature), nil
+}
+
+func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims map[string]interface{}, publicKey string) (bool, error) {
+	if sessionClaims["id_token"] == nil || sessionClaims["access_token"] == nil {
+		return false, errors.New("invalid session claims")
+	}
+	idTokenClaims := sessionClaims["id_token"].(map[string]interface{})
+	signature := idTokenClaims["signature"].(string)
+	if ok, err := h.DecodeSignature(host, signature, publicKey); !ok {
+		return false, err
+	}
+	claims := sessionClaims["access_token"].(map[string]interface{})
+	path := strings.ReplaceAll(forward, "http://"+host, "")
+	splittedPath := strings.Split(path, "/")
+	for m, p := range claims {
+		splittedP := strings.Split(p.(string), "/")
+		if len(splittedP) != len(splittedPath) {
+			return false, errors.New("invalid path")
+		}
+		for i, v := range splittedP {
+			if strings.Contains(v, ":") { // is a param
+				continue
+			} else if v != splittedPath[i] {
+				meth, _, err := h.decodeKey(m)
+				if err != nil {
+					return false, err
+				}
+				perm := perms_connectors.Permission{
+					Relation: "permits" + strings.ToLower(meth.String()),
+					Object:   p.(string),
+				}
+				return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
+			}
+		}
+	}
+	return false, errors.New("no permission found")
+}
+
+// add claims to token method of HydraTokenizer
+func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
+	claims := Claims{}
+	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId)
+	if err != nil {
+		return claims
+	}
+	for _, perm := range perms {
+		key, err := h.generateKey(perm.Relation, perm.Object)
+		if err != nil {
+			continue
+		}
+		claims.Session.AccessToken[key] = perm.Object
+	}
+	sign, err := h.encodeSignature(host)
+	if err != nil {
+		return claims
+	}
+	claims.Session.IDToken["signature"] = sign
+	return claims
+
+}
+
+// add signature in the token MISSING

infrastructure/infrastructure.go

@@ -0,0 +1,32 @@
+package infrastructure
+
+import (
+	"oc-auth/conf"
+	auth_connectors "oc-auth/infrastructure/auth_connector"
+	"oc-auth/infrastructure/claims"
+	"oc-auth/infrastructure/perms_connectors"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+var t = map[string]claims.ClaimService{
+	"hydra": claims.HydraClaims{},
+}
+
+var a = map[string]auth_connectors.AuthConnector{
+	"hydra": auth_connectors.HydraConnector{
+		Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
+		State:  "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
+}
+
+func GetAuthConnector() auth_connectors.AuthConnector {
+	return a[conf.GetConfig().Auth]
+}
+
+func GetPermissionConnector() perms_connectors.PermConnector {
+	return perms_connectors.GetPermissionConnector()
+}
+
+func GetClaims() claims.ClaimService {
+	return t[conf.GetConfig().Auth]
+}

infrastructure/perms_connectors/keto_connector.go

@@ -0,0 +1,360 @@
+package perms_connectors
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"oc-auth/conf"
+	"oc-auth/infrastructure/utils"
+
+	oclib "cloud.o-forge.io/core/oc-lib"
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type KetoConnector struct{}
+
+func (k KetoConnector) namespace() string {
+	return "open-cloud"
+}
+
+func (k KetoConnector) scope() string {
+	return "oc-auth"
+}
+
+func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
+	n := "?namespace=" + perm.Namespace()
+	if perm.Object != "" {
+		n += "&object=" + perm.Object
+	}
+	if perm.Subject != "" {
+		n += "&subject_id=" + perm.Subject
+	}
+	if perm.Relation != "" {
+		n += "&relation=" + perm.Relation
+	}
+	if permDependancies != nil {
+		n += "&subject_set.namespace=" + perm.Namespace()
+		if permDependancies.Object != "" {
+			n += "&subject_set.object=" + permDependancies.Object
+		}
+		if permDependancies.Subject != "" {
+			n += "&subject_set.subject_id=" + permDependancies.Subject
+		}
+		if permDependancies.Relation != "" {
+			n += "&subject_set.relation=" + permDependancies.Relation
+		}
+	}
+	return n
+}
+
+func (k KetoConnector) Status() tools.State {
+	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
+	var responseBody map[string]interface{}
+	host := conf.GetConfig().PermissionConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
+	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
+	if err != nil {
+		return tools.DEAD
+	}
+	err = json.Unmarshal(resp, &responseBody)
+	if err != nil || responseBody["status"] != "ok" {
+		return tools.DEAD
+	}
+	return tools.ALIVE
+}
+
+func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool {
+	if (perm.Object == k.scope() || perm.Subject == k.scope()) && !internal {
+		log := oclib.GetLogger()
+		log.Error().Msg("Permission denied : Ask illegal permission")
+		return false
+	}
+	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
+	var responseBody map[string]interface{}
+	host := conf.GetConfig().PermissionConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
+	resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples/check"+k.permToQuery(perm, permDependancies))
+	if err != nil {
+		log := oclib.GetLogger()
+		log.Error().Msg(err.Error())
+		return false
+	}
+	err = json.Unmarshal(resp, &responseBody)
+	if err != nil || responseBody["allowed"] == nil {
+		return false
+	}
+	return responseBody["allowed"].(bool)
+}
+
+func (k KetoConnector) DeleteRole(roleID string) (string, int, error) {
+	k.deleteRelationShip("", "", roleID, nil)
+	_, code, err := k.deleteRelationShip(roleID, "", k.scope(), nil)
+	if err != nil {
+		return "", code, err
+	}
+	return roleID, 200, nil
+}
+
+func (k KetoConnector) DeletePermission(permID string, relation string, internal bool) (string, int, error) {
+	meth, err := utils.ExtractMethod(relation, internal)
+	if err != nil {
+		for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
+			k.DeletePermission("", method.String(), internal)
+		}
+		return "", 200, err
+	}
+	k.deleteRelationShip("", "", permID, nil)
+	_, code, err := k.deleteRelationShip(permID, "permits"+meth.String(), k.scope(), nil)
+	if err != nil {
+		return "", code, err
+	}
+	return permID, 200, nil
+}
+
+func (k KetoConnector) CreateRole(roleID string) (string, int, error) {
+	p, code, err := k.createRelationShip(roleID, "is", k.scope(), nil)
+	if err != nil {
+		return "", code, err
+	}
+	return p.Object, 200, nil
+}
+
+func (k KetoConnector) CreatePermission(permID string, relation string, internal bool) (string, int, error) {
+	meth, err := utils.ExtractMethod(relation, internal)
+	if err != nil {
+		return "", 422, err
+	}
+	p, code, err := k.createRelationShip(permID, "permits"+meth.String(), k.scope(), nil)
+	if err != nil {
+		return "", code, err
+	}
+	return p.Object, 200, nil
+}
+
+func (k KetoConnector) GetRole(roleID string) ([]string, error) {
+	arr := []string{}
+	roles, err := k.get(roleID, "is", k.scope())
+	if err != nil {
+		return arr, err
+	}
+	for _, role := range roles {
+		arr = append(arr, role.Object)
+	}
+	return arr, nil
+}
+
+func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
+	arr := []string{}
+	roles, err := k.get("", "is", userID)
+	if err != nil {
+		return arr, err
+	}
+	for _, role := range roles {
+		arr = append(arr, role.Object)
+	}
+	return arr, nil
+}
+
+func (k KetoConnector) GetPermission(permID string, relation string) ([]Permission, error) {
+	meth, err := utils.ExtractMethod(relation, true)
+	if err != nil {
+		p := []Permission{}
+		for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
+			fmt.Println("blblbl", permID, "permits"+method.String(), k.scope())
+			perms, err := k.get(permID, "permits"+method.String(), k.scope())
+			fmt.Println("blblbl2", perms, err)
+			if err == nil && len(perms) > 0 {
+				p = append(p, perms...)
+			}
+		}
+		return p, nil
+	}
+	return k.get(permID, "permits"+meth.String(), k.scope())
+}
+
+func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
+	return k.get("", "", roleID)
+}
+func (k KetoConnector) GetPermissionByUser(userID string) ([]Permission, error) {
+	roles, err := k.get("", "is", userID)
+	perms := []Permission{}
+	if err != nil {
+		return perms, err
+	}
+	for _, role := range roles {
+		p, err := k.get(role.Object, "", k.scope())
+		if err != nil {
+			log := oclib.GetLogger()
+			log.Error().Msg(err.Error())
+			continue
+		}
+		perms = append(perms, p...)
+	}
+	return perms, nil
+}
+
+func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
+	t := []Permission{}
+	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
+	host := conf.GetConfig().PermissionConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
+	resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery(
+		Permission{Object: object, Relation: relation, Subject: subject}, nil))
+	if err != nil {
+		return t, err
+	}
+	var data map[string]interface{}
+	err = json.Unmarshal(resp, &data)
+	if err != nil {
+		return t, err
+	}
+	if data["relation_tuples"] != nil {
+		for _, v := range data["relation_tuples"].([]interface{}) {
+			t = append(t, Permission{
+				Relation: v.(map[string]interface{})["relation"].(string),
+				Subject:  v.(map[string]interface{})["subject_id"].(string),
+				Object:   v.(map[string]interface{})["object"].(string),
+			})
+		}
+	}
+	return t, nil
+}
+
+func (k KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
+	_, code, err := k.createRelationShip(roleID, "member", userID, nil)
+	if err != nil {
+		return roleID, code, err
+	}
+	return roleID, 200, nil
+}
+
+func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
+	meth, err := utils.ExtractMethod(relation, false)
+	if err != nil {
+		return nil, 422, err
+	}
+	perms, err := k.GetPermission(permID, meth.String())
+	if err != nil || len(perms) != 1 {
+		if len(perms) == 0 {
+			return nil, 404, errors.New("Permission not found")
+		} else if len(perms) > 1 {
+			return nil, 409, errors.New("Multiple permission found")
+		}
+	}
+	_, code, err := k.createRelationShip(roleID, perms[0].Relation, permID, nil)
+	if err != nil {
+		return nil, code, err
+	}
+	return &Permission{
+		Object:   roleID,
+		Relation: perms[0].Relation,
+		Subject:  permID,
+	}, 200, nil
+}
+
+func (k KetoConnector) UnBindRole(userID string, roleID string) (string, int, error) {
+	_, code, err := k.deleteRelationShip(roleID, "member", userID, nil)
+	if err != nil {
+		return roleID, code, err
+	}
+	return roleID, 200, nil
+}
+
+func (k KetoConnector) UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
+	meth, err := utils.ExtractMethod(relation, false)
+	if err != nil {
+		return nil, 422, err
+	}
+	perms, err := k.GetPermission(permID, meth.String())
+	if err != nil || len(perms) != 1 {
+		if len(perms) == 0 {
+			return nil, 404, errors.New("Permission not found")
+		} else if len(perms) > 1 {
+			return nil, 409, errors.New("Multiple permission found")
+		}
+	}
+	_, code, err := k.deleteRelationShip(roleID, perms[0].Relation, permID, nil)
+	if err != nil {
+		return nil, code, err
+	}
+	return &Permission{
+		Object:   roleID,
+		Relation: perms[0].Relation,
+		Subject:  permID,
+	}, 200, nil
+}
+func (k KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
+	exist, err := k.get(object, relation, subject)
+	if err == nil && len(exist) > 0 {
+		return nil, 409, errors.New("Relation already exist")
+	}
+	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
+	body := map[string]interface{}{"namespace": k.namespace(), "object": object, "relation": relation, "subject_id": subject}
+
+	if subPerm != nil {
+		s, code, err := k.createRelationShip(subPerm.Object, subPerm.Relation, subPerm.Subject, nil)
+		if err != nil {
+			return nil, code, err
+		}
+		body["subject_set"] = map[string]interface{}{"namespace": s.Namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject}
+	}
+	host := conf.GetConfig().PermissionConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
+	b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
+	if err != nil {
+		log := oclib.GetLogger()
+		log.Error().Msg(err.Error())
+		return nil, 500, err
+	}
+	var data map[string]interface{}
+	err = json.Unmarshal(b, &data)
+	if err != nil {
+		log := oclib.GetLogger()
+		log.Error().Msg(err.Error())
+		return nil, 500, err
+	}
+	perm := &Permission{
+		Object:   data["object"].(string),
+		Relation: data["relation"].(string),
+		Subject:  data["subject_id"].(string),
+	}
+	if data["subject_set"] != nil {
+		sub := data["subject_set"].(map[string]interface{})
+		perm.SubPermission = &Permission{
+			Object:   sub["object"].(string),
+			Relation: sub["relation"].(string),
+			Subject:  sub["subject_id"].(string),
+		}
+	}
+	return perm, 200, nil
+}
+
+func (k KetoConnector) deleteRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
+	exist, err := k.get(object, relation, subject)
+	if err == nil && len(exist) == 0 {
+		return nil, 409, errors.New("Relation does not exist")
+	}
+	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
+	n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
+	host := conf.GetConfig().PermissionConnectorHost
+	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
+	fmt.Println(host, port, n)
+	b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
+	fmt.Println(b, err)
+	if err != nil {
+		log := oclib.GetLogger()
+		log.Error().Msg(err.Error())
+		return nil, 500, err
+	}
+	var data map[string]interface{}
+	err = json.Unmarshal(b, &data)
+	if err == nil && data["code"].(int) > 300 {
+		return nil, data["code"].(int), errors.New("Error while deleting relation")
+	}
+	return &Permission{
+		Object:        object,
+		Relation:      relation,
+		Subject:       subject,
+		SubPermission: subPerm,
+	}, 200, nil
+}

infrastructure/perms_connectors/perms_connector.go

@@ -0,0 +1,52 @@
+package perms_connectors
+
+import (
+	"oc-auth/conf"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+type Permission struct {
+	Object        string      `json:"object,omitempty"`
+	Relation      string      `json:"relation,omitempty"`
+	Subject       string      `json:"subject,omitempty"`
+	SubPermission *Permission `json:"sub_perm,omitempty"`
+}
+
+func (p Permission) Namespace() string {
+	return "open-cloud"
+}
+
+func (k Permission) Scope() string {
+	return "oc-auth"
+}
+
+type PermConnector interface {
+	Status() tools.State
+	CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool
+	BindRole(userID string, roleID string) (string, int, error)
+	BindPermission(roleID string, permID string, relation string) (*Permission, int, error)
+
+	UnBindRole(userID string, roleID string) (string, int, error)
+	UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error)
+
+	CreateRole(roleID string) (string, int, error)
+	CreatePermission(permID string, relation string, internal bool) (string, int, error)
+	DeleteRole(roleID string) (string, int, error)
+	DeletePermission(permID string, relation string, internal bool) (string, int, error)
+
+	GetRoleByUser(userID string) ([]string, error)
+	GetPermissionByRole(roleID string) ([]Permission, error)
+	GetPermissionByUser(userID string) ([]Permission, error)
+
+	GetRole(roleID string) ([]string, error)
+	GetPermission(permID string, relation string) ([]Permission, error)
+}
+
+var c = map[string]PermConnector{
+	"keto": KetoConnector{},
+}
+
+func GetPermissionConnector() PermConnector {
+	return c[conf.GetConfig().PermissionConnectorHost]
+}

infrastructure/utils/utils.go

@@ -0,0 +1,21 @@
+package utils
+
+import (
+	"errors"
+	"strings"
+
+	"cloud.o-forge.io/core/oc-lib/tools"
+)
+
+func ExtractMethod(relation string, internal bool) (tools.METHOD, error) {
+	meths := []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE}
+	if internal {
+		meths = append(meths, []tools.METHOD{tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_DELETE}...)
+	}
+	for _, method := range meths {
+		if (!internal && strings.Contains(strings.ToUpper(relation), strings.ToUpper(method.String()))) || (internal && strings.ToUpper(relation) == strings.ToUpper(method.String())) {
+			return method, nil
+		}
+	}
+	return tools.GET, errors.New("method not found")
+}