after test
This commit is contained in:
parent
8b8e5d92d7
commit
d229d92b3b
@ -3,7 +3,7 @@ package conf
|
||||
import "sync"
|
||||
|
||||
type Config struct {
|
||||
Demo bool
|
||||
AdminRole string
|
||||
PublicKeyPath string
|
||||
PrivateKeyPath string
|
||||
|
||||
|
@ -158,17 +158,6 @@ func (o *OAuthController) InternalAuthForward() {
|
||||
o.ServeJSON()
|
||||
return
|
||||
}
|
||||
isToken, err := infrastructure.GetAuthConnector().Introspect(reqToken, &http.Cookie{
|
||||
Name: "csrf_token",
|
||||
Value: o.XSRFToken(),
|
||||
}) // may be a problem... we should check if token is valid on our side
|
||||
fmt.Println("InternalAuthForward", isToken, err)
|
||||
// prefers a refresh token call
|
||||
if err != nil || !isToken {
|
||||
o.Ctx.ResponseWriter.WriteHeader(401)
|
||||
} else {
|
||||
o.Ctx.ResponseWriter.WriteHeader(200)
|
||||
}
|
||||
o.ServeJSON()
|
||||
}
|
||||
|
||||
|
@ -6,5 +6,5 @@
|
||||
"AUTH_CONNECTOR_HOST": "hydra",
|
||||
"PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
|
||||
"PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
|
||||
"DEMO": true
|
||||
"LDAP_ENDPOINTS": "ldap:389"
|
||||
}
|
@ -2,6 +2,7 @@ package auth_connectors
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"oc-auth/conf"
|
||||
|
||||
"cloud.o-forge.io/core/oc-lib/tools"
|
||||
)
|
||||
@ -18,7 +19,7 @@ type AuthConnector interface {
|
||||
type Token struct {
|
||||
Active bool `json:"active"`
|
||||
AccessToken string `json:"access_token"`
|
||||
ExpiresIn int `json:"expires_in"`
|
||||
ExpiresIn int64 `json:"expires_in"`
|
||||
TokenType string `json:"token_type"`
|
||||
|
||||
Username string `json:"username,omitempty"`
|
||||
@ -28,3 +29,13 @@ type Token struct {
|
||||
type Redirect struct {
|
||||
RedirectTo string `json:"redirect_to"`
|
||||
}
|
||||
|
||||
var a = map[string]AuthConnector{
|
||||
"hydra": HydraConnector{
|
||||
Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
|
||||
State: "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
|
||||
}
|
||||
|
||||
func GetAuthConnector() AuthConnector {
|
||||
return a[conf.GetConfig().Auth]
|
||||
}
|
||||
|
@ -13,6 +13,7 @@ import (
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
oclib "cloud.o-forge.io/core/oc-lib"
|
||||
"cloud.o-forge.io/core/oc-lib/models/peer"
|
||||
@ -179,8 +180,15 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
|
||||
if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
|
||||
return nil, errors.New("peer not found")
|
||||
}
|
||||
now := time.Now().UTC()
|
||||
now = now.Add(time.Duration(token.ExpiresIn) * time.Second)
|
||||
token.ExpiresIn = now.Unix()
|
||||
|
||||
c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer).Url)
|
||||
c.Session.AccessToken["exp"] = token.ExpiresIn
|
||||
|
||||
b, _ = json.Marshal(c)
|
||||
|
||||
token.AccessToken = strings.ReplaceAll(token.AccessToken, "ory_at_", "") + "." + base64.StdEncoding.EncodeToString(b)
|
||||
token.Active = true
|
||||
return token, nil
|
||||
|
@ -4,12 +4,12 @@ import (
|
||||
"crypto/sha256"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"oc-auth/conf"
|
||||
"oc-auth/infrastructure/perms_connectors"
|
||||
"oc-auth/infrastructure/utils"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"cloud.o-forge.io/core/oc-lib/tools"
|
||||
)
|
||||
@ -75,6 +75,11 @@ func (h HydraClaims) clearBlank(path []string) []string {
|
||||
return newPath
|
||||
}
|
||||
|
||||
func (a HydraClaims) CheckExpiry(exp int64) bool {
|
||||
now := time.Now().UTC().Unix()
|
||||
return now <= exp
|
||||
}
|
||||
|
||||
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
|
||||
idTokenClaims := sessionClaims.Session.IDToken
|
||||
if idTokenClaims["signature"] == nil {
|
||||
@ -87,6 +92,9 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
|
||||
claims := sessionClaims.Session.AccessToken
|
||||
path := strings.ReplaceAll(forward, "http://"+host, "")
|
||||
splittedPath := h.clearBlank(strings.Split(path, "/"))
|
||||
if _, ok := claims["exp"].(float64); !ok || !h.CheckExpiry(int64(claims["exp"].(float64))) {
|
||||
return false, errors.New("token is expired")
|
||||
}
|
||||
for m, p := range claims {
|
||||
match := true
|
||||
splittedP := h.clearBlank(strings.Split(p.(string), "/"))
|
||||
@ -94,7 +102,6 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
|
||||
continue
|
||||
}
|
||||
for i, v := range splittedP {
|
||||
fmt.Println(v, splittedPath[i])
|
||||
if strings.Contains(v, ":") { // is a param
|
||||
continue
|
||||
} else if v != splittedPath[i] {
|
||||
|
@ -1,22 +1,13 @@
|
||||
package infrastructure
|
||||
|
||||
import (
|
||||
"oc-auth/conf"
|
||||
auth_connectors "oc-auth/infrastructure/auth_connector"
|
||||
"oc-auth/infrastructure/claims"
|
||||
"oc-auth/infrastructure/perms_connectors"
|
||||
|
||||
"cloud.o-forge.io/core/oc-lib/tools"
|
||||
)
|
||||
|
||||
var a = map[string]auth_connectors.AuthConnector{
|
||||
"hydra": auth_connectors.HydraConnector{
|
||||
Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
|
||||
State: "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
|
||||
}
|
||||
|
||||
func GetAuthConnector() auth_connectors.AuthConnector {
|
||||
return a[conf.GetConfig().Auth]
|
||||
return auth_connectors.GetAuthConnector()
|
||||
}
|
||||
|
||||
func GetPermissionConnector() perms_connectors.PermConnector {
|
||||
|
@ -69,7 +69,7 @@ services:
|
||||
- hydra-net
|
||||
- catalog
|
||||
ports:
|
||||
- "389:389"
|
||||
- "390:389"
|
||||
deploy:
|
||||
restart_policy:
|
||||
condition: on-failure
|
||||
|
6
main.go
6
main.go
@ -29,6 +29,7 @@ func main() {
|
||||
// Load the right config file
|
||||
o := oclib.GetConfLoader()
|
||||
|
||||
conf.GetConfig().AdminRole = o.GetStringDefault("ADMIN_ROLE", "admin")
|
||||
conf.GetConfig().PublicKeyPath = o.GetStringDefault("PUBLIC_KEY_PATH", "./pem/public.pem")
|
||||
conf.GetConfig().PrivateKeyPath = o.GetStringDefault("PRIVATE_KEY_PATH", "./pem/private.pem")
|
||||
conf.GetConfig().ClientSecret = o.GetStringDefault("CLIENT_SECRET", "oc-auth-got-secret")
|
||||
@ -99,8 +100,9 @@ func discovery() {
|
||||
fmt.Println("Discovered")
|
||||
api := tools.API{}
|
||||
conn := infrastructure.GetPermissionConnector()
|
||||
conn.CreateRole("admin")
|
||||
conn.BindRole("admin", "admin")
|
||||
|
||||
conn.CreateRole(conf.GetConfig().AdminRole)
|
||||
conn.BindRole(conf.GetConfig().AdminRole, "admin")
|
||||
addPermissions := func(m map[string]interface{}) {
|
||||
for k, v := range m {
|
||||
for _, p := range v.([]interface{}) {
|
||||
|
Loading…
Reference in New Issue
Block a user