after test

This commit is contained in:
mr 2024-11-05 10:11:39 +01:00
parent 8b8e5d92d7
commit d229d92b3b
9 changed files with 37 additions and 29 deletions

View File

@ -3,7 +3,7 @@ package conf
import "sync"
type Config struct {
Demo bool
AdminRole string
PublicKeyPath string
PrivateKeyPath string

View File

@ -158,17 +158,6 @@ func (o *OAuthController) InternalAuthForward() {
o.ServeJSON()
return
}
isToken, err := infrastructure.GetAuthConnector().Introspect(reqToken, &http.Cookie{
Name: "csrf_token",
Value: o.XSRFToken(),
}) // may be a problem... we should check if token is valid on our side
fmt.Println("InternalAuthForward", isToken, err)
// prefers a refresh token call
if err != nil || !isToken {
o.Ctx.ResponseWriter.WriteHeader(401)
} else {
o.Ctx.ResponseWriter.WriteHeader(200)
}
o.ServeJSON()
}

View File

@ -6,5 +6,5 @@
"AUTH_CONNECTOR_HOST": "hydra",
"PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
"PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
"DEMO": true
"LDAP_ENDPOINTS": "ldap:389"
}

View File

@ -2,6 +2,7 @@ package auth_connectors
import (
"net/http"
"oc-auth/conf"
"cloud.o-forge.io/core/oc-lib/tools"
)
@ -18,7 +19,7 @@ type AuthConnector interface {
type Token struct {
Active bool `json:"active"`
AccessToken string `json:"access_token"`
ExpiresIn int `json:"expires_in"`
ExpiresIn int64 `json:"expires_in"`
TokenType string `json:"token_type"`
Username string `json:"username,omitempty"`
@ -28,3 +29,13 @@ type Token struct {
type Redirect struct {
RedirectTo string `json:"redirect_to"`
}
var a = map[string]AuthConnector{
"hydra": HydraConnector{
Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
State: "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
}
func GetAuthConnector() AuthConnector {
return a[conf.GetConfig().Auth]
}

View File

@ -13,6 +13,7 @@ import (
"regexp"
"strconv"
"strings"
"time"
oclib "cloud.o-forge.io/core/oc-lib"
"cloud.o-forge.io/core/oc-lib/models/peer"
@ -179,8 +180,15 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
return nil, errors.New("peer not found")
}
now := time.Now().UTC()
now = now.Add(time.Duration(token.ExpiresIn) * time.Second)
token.ExpiresIn = now.Unix()
c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer).Url)
c.Session.AccessToken["exp"] = token.ExpiresIn
b, _ = json.Marshal(c)
token.AccessToken = strings.ReplaceAll(token.AccessToken, "ory_at_", "") + "." + base64.StdEncoding.EncodeToString(b)
token.Active = true
return token, nil

View File

@ -4,12 +4,12 @@ import (
"crypto/sha256"
"encoding/pem"
"errors"
"fmt"
"oc-auth/conf"
"oc-auth/infrastructure/perms_connectors"
"oc-auth/infrastructure/utils"
"os"
"strings"
"time"
"cloud.o-forge.io/core/oc-lib/tools"
)
@ -75,6 +75,11 @@ func (h HydraClaims) clearBlank(path []string) []string {
return newPath
}
func (a HydraClaims) CheckExpiry(exp int64) bool {
now := time.Now().UTC().Unix()
return now <= exp
}
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
idTokenClaims := sessionClaims.Session.IDToken
if idTokenClaims["signature"] == nil {
@ -87,6 +92,9 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
claims := sessionClaims.Session.AccessToken
path := strings.ReplaceAll(forward, "http://"+host, "")
splittedPath := h.clearBlank(strings.Split(path, "/"))
if _, ok := claims["exp"].(float64); !ok || !h.CheckExpiry(int64(claims["exp"].(float64))) {
return false, errors.New("token is expired")
}
for m, p := range claims {
match := true
splittedP := h.clearBlank(strings.Split(p.(string), "/"))
@ -94,7 +102,6 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
continue
}
for i, v := range splittedP {
fmt.Println(v, splittedPath[i])
if strings.Contains(v, ":") { // is a param
continue
} else if v != splittedPath[i] {

View File

@ -1,22 +1,13 @@
package infrastructure
import (
"oc-auth/conf"
auth_connectors "oc-auth/infrastructure/auth_connector"
"oc-auth/infrastructure/claims"
"oc-auth/infrastructure/perms_connectors"
"cloud.o-forge.io/core/oc-lib/tools"
)
var a = map[string]auth_connectors.AuthConnector{
"hydra": auth_connectors.HydraConnector{
Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
State: "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
}
func GetAuthConnector() auth_connectors.AuthConnector {
return a[conf.GetConfig().Auth]
return auth_connectors.GetAuthConnector()
}
func GetPermissionConnector() perms_connectors.PermConnector {

View File

@ -69,7 +69,7 @@ services:
- hydra-net
- catalog
ports:
- "389:389"
- "390:389"
deploy:
restart_policy:
condition: on-failure

View File

@ -29,6 +29,7 @@ func main() {
// Load the right config file
o := oclib.GetConfLoader()
conf.GetConfig().AdminRole = o.GetStringDefault("ADMIN_ROLE", "admin")
conf.GetConfig().PublicKeyPath = o.GetStringDefault("PUBLIC_KEY_PATH", "./pem/public.pem")
conf.GetConfig().PrivateKeyPath = o.GetStringDefault("PRIVATE_KEY_PATH", "./pem/private.pem")
conf.GetConfig().ClientSecret = o.GetStringDefault("CLIENT_SECRET", "oc-auth-got-secret")
@ -99,8 +100,9 @@ func discovery() {
fmt.Println("Discovered")
api := tools.API{}
conn := infrastructure.GetPermissionConnector()
conn.CreateRole("admin")
conn.BindRole("admin", "admin")
conn.CreateRole(conf.GetConfig().AdminRole)
conn.BindRole(conf.GetConfig().AdminRole, "admin")
addPermissions := func(m map[string]interface{}) {
for k, v := range m {
for _, p := range v.([]interface{}) {