diff --git a/controllers/oauth2.go b/controllers/oauth2.go
index 9470ef1..4273e12 100644
--- a/controllers/oauth2.go
+++ b/controllers/oauth2.go
@@ -14,6 +14,7 @@ import (
 "time"
 oclib "cloud.o-forge.io/core/oc-lib"
+ "cloud.o-forge.io/core/oc-lib/dbs"
 "cloud.o-forge.io/core/oc-lib/models/peer"
 model "cloud.o-forge.io/core/oc-lib/models/peer"
 beego "github.com/beego/beego/v2/server/web"
@@ -27,6 +28,8 @@ type OAuthController struct {
 // @Title GetLogin
 // @Description Hydra redirects here with a login_challenge. Returns challenge info or auto-accepts if session exists.
 // @Param login_challenge query string true "The login challenge from Hydra"
+// @Param redirect query string true "explicit redirect by passed"
+
 // @Success 200 {object} auth_connectors.LoginChallenge
 // @Failure 400 missing login_challenge
 // @Failure 500 internal error
@@ -73,8 +76,9 @@ func (o *OAuthController) GetLogin() {
 o.Data["json"] = redirect
 o.ServeJSON()
 return
- }
+ return
+ }
 // Return challenge info so frontend can render login form
 o.Data["json"] = loginChallenge
 o.ServeJSON()
@@ -82,13 +86,17 @@ func (o *OAuthController) GetLogin() {
 // @Title PostLogin
 // @Description Authenticate user via LDAP and accept Hydra login challenge
+// @Param redirect query string true "explicit redirect by passed"
 // @Param body body auth_connectors.LoginRequest true "Login credentials and challenge"
+
 // @Success 200 {object} auth_connectors.Redirect
 // @Failure 401 invalid credentials
 // @Failure 500 internal error
 // @router /login [post]
 func (o *OAuthController) Login() {
 logger := oclib.GetLogger()
+ red := o.Ctx.Input.Query("redirect")
+
 var req auth_connectors.LoginRequest
 if err := json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &req); err != nil {
 o.Ctx.ResponseWriter.WriteHeader(400)
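Review bot: In the GetLogin hunk at -73 the added `return` sits directly after an existing `return`; if both are in the same block the second statement is unreachable and `go vet` reports it, and if the added one instead closes an outer `if` (indentation is not recoverable in this diff) it silently changes GetLogin's flow and deserves a comment such as `// session found: reply was already sent above, do not fall through to the challenge response`. The same hunk's doc block now advertises a required `redirect` query parameter, but no line in the GetLogin hunks reads it, so either the parameter should be read here as in Login and GetLogout or the annotation should be dropped. GetLogin's body starts and ends outside this hunk.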
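Review bot: The Login doc block in the hunk at -82 still says `// @Success 200 {object} auth_connectors.Redirect`, but after this change the JSON body is only returned when `redirect=false`; the default reply is a 303 with the accepted challenge's `redirect_to` as `Location`, so add a line like `// @Success 303 redirects to the accepted challenge's redirect_to (default)` and keep the 200 line for the opt-out. The new parameter description `"explicit redirect by passed"` does not tell a caller what to send; `"pass \"false\" to receive the redirect target as JSON instead of a 303"` would, and the same wording is reused on GetLogin, Consent and GetLogout. Login's body continues past the end of this hunk.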
@@ -159,13 +167,18 @@ func (o *OAuthController) Login() {
 }
 // Return redirect_to so the frontend follows the OAuth2 flow
- o.Data["json"] = redirect
- o.ServeJSON()
+ if red == "false" {
+ o.Data["json"] = redirect
+ o.ServeJSON()
+ return
+ }
+ o.Redirect(redirect.RedirectTo, 303)
 }
 // @Title Consent
 // @Description Hydra redirects here with a consent_challenge. Auto-accepts consent with user permissions.
 // @Param consent_challenge query string true "The consent challenge from Hydra"
+// @Param redirect query string true "explicit redirect by passed"
 // @Success 200 {object} auth_connectors.Redirect
 // @Failure 400 missing consent_challenge
 // @Failure 500 internal error
@@ -191,8 +204,13 @@ func (o *OAuthController) Consent() {
 }
 // Get self peer for signing
- pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(
- nil, strconv.Itoa(peer.SELF.EnumIndex()), false)
+ pp := oclib.NewRequestAdmin(oclib.LibDataEnum(oclib.PEER), nil).Search(
+ &dbs.Filters{
+ Or: map[string][]dbs.Filter{ // search by name if no filters are provided
+ "relation": {{Operator: dbs.EQUAL.String(), Value: peer.SELF}},
+ },
+ }, strconv.Itoa(peer.SELF.EnumIndex()), false)
+ fmt.Println(pp.Err, pp.Data)
 if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
 logger.Error().Msg("Self peer not found")
 o.Ctx.ResponseWriter.WriteHeader(500)
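Review bot: `if red == "false"` treats every other value, including an absent parameter, as a request for a 303, so existing callers of POST /login that never sent `redirect` stop receiving the `Redirect` JSON body and are bounced to `redirect.RedirectTo` instead; a browser `fetch` follows that 303 transparently and the JSON consumer then sees Hydra's response. If the JSON reply is meant to stay the default for older clients, `if red == "" || red == "false" {` preserves it; if the 303 is meant to be the default, the swagger annotations and the param description should say so and the parameter should not be marked required. The identical check appears in the GetLogout hunk at -268 and needs the same decision. The comment above the branch, `// Return redirect_to so the frontend follows the OAuth2 flow`, now only describes the `false` path and should mention the 303.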
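Review bot: `fmt.Println(pp.Err, pp.Data)` in the Consent hunk writes the full self-peer record and any error text to stdout on every consent call, bypassing the structured logger used two lines below; it reads as leftover debugging and should be deleted, or at most become a debug-level message through `logger` that reports `pp.Err` and `len(pp.Data)` rather than the record itself (I cannot see from the hunk whether `fmt` is imported in this file). The inline comment `// search by name if no filters are provided` does not match the filter, which selects on `"relation"` equal to `peer.SELF`; `// select the self peer by its relation` would. Switching from `NewRequest` to `NewRequestAdmin` also changes the privilege context of this lookup, which is presumably intended for a server-internal self lookup but is worth a one-line comment saying so. Consent's body continues outside the hunk.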
@@ -231,12 +249,16 @@ func (o *OAuthController) Consent() {
 // @Title GetLogout
 // @Description Hydra redirects here with a logout_challenge. Accepts the challenge and returns a redirect URL.
 // @Param logout_challenge query string true "The logout challenge from Hydra"
+// @Param redirect query string true "explicit redirect by passed"
+
 // @Success 200 {object} auth_connectors.Redirect
 // @Failure 400 missing logout_challenge
 // @Failure 500 internal error
 // @router /logout [get]
 func (o *OAuthController) GetLogout() {
 logger := oclib.GetLogger()
+ red := o.Ctx.Input.Query("redirect")
+
 challenge := o.Ctx.Input.Query("logout_challenge")
 if challenge == "" {
 o.Ctx.ResponseWriter.WriteHeader(400)
@@ -268,15 +290,19 @@ func (o *OAuthController) GetLogout() {
 o.ServeJSON()
 return
 }
-
- o.Data["json"] = redirect
- o.ServeJSON()
+ if red == "false" {
+ o.Data["json"] = redirect
+ o.ServeJSON()
+ return
+ }
+ o.Redirect(redirect.RedirectTo, 303)
 }
 // @Title Logout
 // @Description Revoke an OAuth2 token
 // @Param Authorization header string false "Bearer token"
 // @Param client_id query string true "The client_id"
+
 // @Success 200 {object} auth_connectors.Token
 // @router /logout [delete]
 func (o *OAuthController) LogOut() {
diff --git a/docker-compose.yml b/docker-compose.yml
index bf43dd4..9b22d0c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 - "traefik.http.middlewares.auth-sec-rewrite.replacepathregex.replacement=/oc$$1"
 - "traefik.http.services.auth-sec.loadbalancer.server.port=8080"
 - "traefik.http.routers.auth-sec.middlewares=auth-sec-rewrite,auth-auth-sec"
- - "traefik.http.middlewares.auth-auth-sec.forwardauth.address=http://hydra:4444/oauth2/auth"
+ - "traefik.http.middlewares.auth-auth-sec.forwardauth.address=http://oc-auth:8080/oc/forward"
 - "traefik.http.middlewares.auth-auth-sec.forwardauth.trustForwardHeader=true"
 - "traefik.http.middlewares.auth-auth-sec.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
 environment:
diff --git a/main.go b/main.go
index 8f641cd..3811b48 100644
--- a/main.go
+++ b/main.go
@@ -45,8 +45,8 @@ func main() {
 conf.GetConfig().Origin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8000")
 conf.GetConfig().AdminOrigin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8001")
- conf.GetConfig().OAuthRedirectURI = o.GetStringDefault("OAUTH_REDIRECT_URI", "http://google.com")
- conf.GetConfig().OAdminAuthRedirectURI = o.GetStringDefault("ADMIN_OAUTH_REDIRECT_URI", "http://chatgpt.com")
+ conf.GetConfig().OAuthRedirectURI = o.GetStringDefault("OAUTH_REDIRECT_URI", "http://localhost:8000/l")
+ conf.GetConfig().OAdminAuthRedirectURI = o.GetStringDefault("ADMIN_OAUTH_REDIRECT_URI", "http://localhost:8000/l")
 conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)
 // config LDAPauth
diff --git a/oc-auth b/oc-auth
index c3480d3..e76176f 100755
Binary files a/oc-auth and b/oc-auth differ
diff --git a/swagger/swagger.json b/swagger/swagger.json
index da256bc..ba608b6 100644
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
@@ -29,6 +29,13 @@
 "description": "The consent challenge from Hydra",
 "required": true,
 "type": "string"
+ },
+ {
+ "in": "query",
+ "name": "redirect",
+ "description": "explicit redirect by passed",
+ "required": true,
+ "type": "string"
 }
 ],
 "responses": {
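Review bot: The forwardauth address now points at `http://oc-auth:8080/oc/forward` while `trustForwardHeader=true` and the `authResponseHeaders` list are kept unchanged, and the `/oc/forward` handler is not part of this diff, so the access decision for everything behind `auth-sec` now rests on a handler whose contract is not visible here. Traefik admits the request on any 2xx from that address and copies `X-Auth-Request-User` and `X-Auth-Request-Email` from its response into the upstream request, so the handler must answer non-2xx on every failure path and must set those two headers itself rather than echo values it received. A comment on the label such as `# Traefik forwards each request here; any 2xx allows it through and the two headers below are copied from the reply` would record that contract next to the config.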
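Review bot: In the main.go hunk both `OAuthRedirectURI` and `OAdminAuthRedirectURI` now default to the same `http://localhost:8000/l`, whereas the admin origin two lines above defaults to port 8001; if the admin flow is meant to land on the admin UI the second default presumably should be `http://localhost:8001/l`, otherwise a comment explaining why both share one target would help. The unchanged context line `conf.GetConfig().Origin = o.GetStringDefault("ADMIN_ORIGIN", ...)` reads the admin variable for the non-admin origin, which looks like a copy-paste worth checking while these defaults are being revised. The body of `main` continues outside the hunk.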
@@ -282,6 +289,13 @@
 "description": "The login challenge from Hydra",
 "required": true,
 "type": "string"
+ },
+ {
+ "in": "query",
+ "name": "redirect",
+ "description": "explicit redirect by passed",
+ "required": true,
+ "type": "string"
 }
 ],
 "responses": {
@@ -304,8 +318,15 @@
 "oc-auth/controllersOAuthController"
 ],
 "description": "Authenticate user via LDAP and accept Hydra login challenge\n\u003cbr\u003e",
- "operationId": "OAuthController.PostLogin",
+ "operationId": "OAuthController.Login",
 "parameters": [
+ {
+ "in": "query",
+ "name": "redirect",
+ "description": "explicit redirect by passed",
+ "required": true,
+ "type": "string"
+ },
 {
 "in": "body",
 "name": "body",
@@ -346,6 +367,13 @@
 "description": "The logout challenge from Hydra",
 "required": true,
 "type": "string"
+ },
+ {
+ "in": "query",
+ "name": "redirect",
+ "description": "explicit redirect by passed",
+ "required": true,
+ "type": "string"
 }
 ],
 "responses": {
@@ -798,14 +826,29 @@
 }
 },
 "definitions": {
- "2432.0xc000460e70.false": {
+ "2432.0xc0004a0630.false": {
 "title": "false",
 "type": "object"
 },
- "4171.0xc000461050.false": {
+ "4171.0xc0004a0810.false": {
 "title": "false",
 "type": "object"
 },
+ "auth_connectors.LoginRequest": {
+ "title": "LoginRequest",
+ "type": "object",
+ "properties": {
+ "username": {
+ "type": "string"
+ },
+ "password": {
+ "type": "string"
+ },
+ "login_challenge": {
+ "type": "string"
+ }
+ }
+ },
 "auth_connectors.IntrospectResult": {
 "title": "IntrospectResult",
 "type": "object",
@@ -821,7 +864,7 @@
 "format": "int64"
 },
 "ext": {
- "$ref": "#/definitions/4171.0xc000461050.false"
+ "$ref": "#/definitions/4171.0xc0004a0810.false"
 },
 "scope": {
 "type": "string"
@@ -842,7 +885,7 @@
 "type": "string"
 },
 "client": {
- "$ref": "#/definitions/2432.0xc000460e70.false"
+ "$ref": "#/definitions/2432.0xc0004a0630.false"
 },
 "request_url": {
 "type": "string"
@@ -858,21 +901,6 @@
 }
 }
 },
- "auth_connectors.LoginRequest": {
- "title": "LoginRequest",
- "type": "object",
- "properties": {
- "login_challenge": {
- "type": "string"
- },
- "password": {
- "type": "string"
- },
- "username": {
- "type": "string"
- }
- }
- },
 "auth_connectors.Redirect": {
 "title": "Redirect",
 "type": "object",
diff --git a/swagger/swagger.yml b/swagger/swagger.yml
index aff15bf..3a005d3 100644
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@@ -26,6 +26,11 @@ paths:
 description: The consent challenge from Hydra
 required: true
 type: string
+ - in: query
+ name: redirect
+ description: explicit redirect by passed
+ required: true
+ type: string
 responses:
 "200":
 description: ""
@@ -214,6 +219,11 @@ paths:
 description: The login challenge from Hydra
 required: true
 type: string
+ - in: query
+ name: redirect
+ description: explicit redirect by passed
+ required: true
+ type: string
 responses:
 "200":
 description: ""
@@ -229,8 +239,13 @@ paths:
 description: |-
 Authenticate user via LDAP and accept Hydra login challenge
- operationId: OAuthController.PostLogin
+ operationId: OAuthController.Login
 parameters:
+ - in: query
+ name: redirect
+ description: explicit redirect by passed
+ required: true
+ type: string
 - in: body
 name: body
 description: Login credentials and challenge
@@ -260,6 +275,11 @@ paths:
 description: The logout challenge from Hydra
 required: true
 type: string
+ - in: query
+ name: redirect
+ description: explicit redirect by passed
+ required: true
+ type: string
 responses:
 "200":
 description: ""
@@ -593,12 +613,22 @@ paths:
 "200":
 description: ""
 definitions:
- 2432.0xc000460e70.false:
+ 2432.0xc0004a0630.false:
 title: "false"
 type: object
- 4171.0xc000461050.false:
+ 4171.0xc0004a0810.false:
 title: "false"
 type: object
+ auth_connectors.LoginRequest:
+ title: LoginRequest
+ type: object
+ properties:
+ username:
+ type: string
+ password:
+ type: string
+ login_challenge:
+ type: string
 auth_connectors.IntrospectResult:
 title: IntrospectResult
 type: object
@@ -611,7 +641,7 @@ definitions:
 type: integer
 format: int64
 ext:
- $ref: '#/definitions/4171.0xc000461050.false'
+ $ref: '#/definitions/4171.0xc0004a0810.false'
 scope:
 type: string
 sub:
@@ -625,7 +655,7 @@ definitions:
 challenge:
 type: string
 client:
- $ref: '#/definitions/2432.0xc000460e70.false'
+ $ref: '#/definitions/2432.0xc0004a0630.false'
 request_url:
 type: string
 session_id:
@@ -634,16 +664,6 @@ definitions:
 type: boolean
 subject:
 type: string
- auth_connectors.LoginRequest:
- title: LoginRequest
- type: object
- properties:
- login_challenge:
- type: string
- password:
- type: string
- username:
- type: string
 auth_connectors.Redirect:
 title: Redirect
 type: object