OC-AUTH with admin persona
This commit is contained in:
parent
d87883b57f
commit
d33d2eb343
@ -3,6 +3,7 @@ package conf
|
||||
import "sync"
|
||||
|
||||
type Config struct {
|
||||
Demo bool
|
||||
PublicKeyPath string
|
||||
PrivateKeyPath string
|
||||
|
||||
|
@ -66,7 +66,7 @@ func (o *PermissionController) GetByRole() {
|
||||
// @router /user/:id [get]
|
||||
func (o *PermissionController) GetByUser() {
|
||||
id := o.Ctx.Input.Param(":id")
|
||||
role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id)
|
||||
role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id, true)
|
||||
if err != nil {
|
||||
o.Data["json"] = map[string]interface{}{
|
||||
"data": nil,
|
||||
@ -88,7 +88,7 @@ func (o *PermissionController) GetByUser() {
|
||||
// @Description find auth by permission
|
||||
// @Param id path string true "the permission you want to get"
|
||||
// @Success 200 {auth} models.auth
|
||||
// @router /:id/:relation[get]
|
||||
// @router /:id/:relation [get]
|
||||
func (o *PermissionController) Get() {
|
||||
id := o.Ctx.Input.Param(":id")
|
||||
rel := o.Ctx.Input.Param(":relation")
|
||||
|
@ -5,5 +5,6 @@
|
||||
"PORT" : 8080,
|
||||
"AUTH_CONNECTOR_HOST": "hydra",
|
||||
"PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
|
||||
"PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem"
|
||||
"PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
|
||||
"DEMO": true
|
||||
}
|
@ -146,7 +146,6 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
|
||||
// problem with consent THERE we need to accept the consent challenge && get the token
|
||||
_, err = a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
|
||||
"application/json", true, cookies...)
|
||||
fmt.Println(err)
|
||||
if err != nil {
|
||||
s := strings.Split(err.Error(), "\"")
|
||||
if len(s) > 1 && strings.Contains(s[1], "access_token") {
|
||||
@ -242,15 +241,12 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
|
||||
if isOauth {
|
||||
oauth = "/oauth2"
|
||||
}
|
||||
fmt.Println("http://" + host + ":" + port + oauth)
|
||||
return "http://" + host + ":" + port + oauth
|
||||
|
||||
}
|
||||
|
||||
func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool {
|
||||
fmt.Println("CheckAuthForward", reqToken, publicKey, host, method, forward)
|
||||
if forward == "" || method == "" {
|
||||
fmt.Println("Forwarded headers are missing")
|
||||
return false
|
||||
}
|
||||
var c claims.Claims
|
||||
|
@ -254,7 +254,6 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
|
||||
)
|
||||
wg.Add(len(cli.Endpoints))
|
||||
for _, addr := range cli.Endpoints {
|
||||
fmt.Println("addr", addr)
|
||||
go func(addr string) {
|
||||
defer wg.Done()
|
||||
|
||||
|
@ -4,7 +4,6 @@ import (
|
||||
"crypto/sha256"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"oc-auth/conf"
|
||||
"oc-auth/infrastructure/perms_connectors"
|
||||
"oc-auth/infrastructure/utils"
|
||||
@ -40,7 +39,6 @@ func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
|
||||
}
|
||||
|
||||
func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
|
||||
fmt.Println("DecodeSignature", host)
|
||||
hashed := sha256.Sum256([]byte(host))
|
||||
spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
|
||||
err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
|
||||
@ -51,7 +49,6 @@ func (h HydraClaims) DecodeSignature(host string, signature string, publicKey st
|
||||
}
|
||||
|
||||
func (h HydraClaims) encodeSignature(host string) (string, error) {
|
||||
fmt.Println("encodeSignature", host)
|
||||
hashed := sha256.Sum256([]byte(host))
|
||||
// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
|
||||
content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
|
||||
@ -102,7 +99,7 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
|
||||
// add claims to token method of HydraTokenizer
|
||||
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
|
||||
claims := Claims{}
|
||||
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId)
|
||||
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
|
||||
if err != nil {
|
||||
return claims
|
||||
}
|
||||
|
@ -124,6 +124,8 @@ func (k KetoConnector) CreatePermission(permID string, relation string, internal
|
||||
if err != nil {
|
||||
return "", 422, err
|
||||
}
|
||||
|
||||
k.BindPermission("admin", permID, "permits"+meth.String())
|
||||
p, code, err := k.createRelationShip(permID, "permits"+meth.String(), k.scope(), nil)
|
||||
if err != nil {
|
||||
return "", code, err
|
||||
@ -145,7 +147,7 @@ func (k KetoConnector) GetRole(roleID string) ([]string, error) {
|
||||
|
||||
func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
|
||||
arr := []string{}
|
||||
roles, err := k.get("", "is", userID)
|
||||
roles, err := k.get("", "member", userID)
|
||||
if err != nil {
|
||||
return arr, err
|
||||
}
|
||||
@ -159,10 +161,9 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
|
||||
meth, err := utils.ExtractMethod(relation, true)
|
||||
if err != nil {
|
||||
p := []Permission{}
|
||||
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
|
||||
fmt.Println("blblbl", permID, "permits"+method.String(), k.scope())
|
||||
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
|
||||
tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
|
||||
perms, err := k.get(permID, "permits"+method.String(), k.scope())
|
||||
fmt.Println("blblbl2", perms, err)
|
||||
if err == nil && len(perms) > 0 {
|
||||
p = append(p, perms...)
|
||||
}
|
||||
@ -173,24 +174,35 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
|
||||
}
|
||||
|
||||
func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
|
||||
return k.get("", "", roleID)
|
||||
p := []Permission{}
|
||||
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
|
||||
tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
|
||||
perms, err := k.get(roleID, "permits"+method.String(), "")
|
||||
if err == nil && len(perms) > 0 {
|
||||
p = append(p, perms...)
|
||||
}
|
||||
}
|
||||
return p, nil
|
||||
}
|
||||
func (k KetoConnector) GetPermissionByUser(userID string) ([]Permission, error) {
|
||||
roles, err := k.get("", "is", userID)
|
||||
perms := []Permission{}
|
||||
func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
|
||||
roles, err := k.get("", "member", userID)
|
||||
if err != nil {
|
||||
return perms, err
|
||||
return nil, err
|
||||
}
|
||||
p := []Permission{}
|
||||
meths := []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE}
|
||||
if internal {
|
||||
meths = append(meths, []tools.METHOD{tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT}...)
|
||||
}
|
||||
for _, role := range roles {
|
||||
p, err := k.get(role.Object, "", k.scope())
|
||||
if err != nil {
|
||||
log := oclib.GetLogger()
|
||||
log.Error().Msg(err.Error())
|
||||
continue
|
||||
for _, method := range meths {
|
||||
perms, err := k.get(role.Object, "permits"+method.String(), "")
|
||||
if err == nil && len(perms) > 0 {
|
||||
p = append(p, perms...)
|
||||
}
|
||||
}
|
||||
perms = append(perms, p...)
|
||||
}
|
||||
return perms, nil
|
||||
return p, nil
|
||||
}
|
||||
|
||||
func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
|
||||
@ -229,11 +241,7 @@ func (k KetoConnector) BindRole(userID string, roleID string) (string, int, erro
|
||||
}
|
||||
|
||||
func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
|
||||
meth, err := utils.ExtractMethod(relation, false)
|
||||
if err != nil {
|
||||
return nil, 422, err
|
||||
}
|
||||
perms, err := k.GetPermission(permID, meth.String())
|
||||
perms, err := k.GetPermission(permID, relation)
|
||||
if err != nil || len(perms) != 1 {
|
||||
if len(perms) == 0 {
|
||||
return nil, 404, errors.New("Permission not found")
|
||||
@ -338,9 +346,7 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
|
||||
n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
|
||||
host := conf.GetConfig().PermissionConnectorHost
|
||||
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
|
||||
fmt.Println(host, port, n)
|
||||
b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
|
||||
fmt.Println(b, err)
|
||||
if err != nil {
|
||||
log := oclib.GetLogger()
|
||||
log.Error().Msg(err.Error())
|
||||
|
@ -37,7 +37,7 @@ type PermConnector interface {
|
||||
|
||||
GetRoleByUser(userID string) ([]string, error)
|
||||
GetPermissionByRole(roleID string) ([]Permission, error)
|
||||
GetPermissionByUser(userID string) ([]Permission, error)
|
||||
GetPermissionByUser(userID string, internal bool) ([]Permission, error)
|
||||
|
||||
GetRole(roleID string) ([]string, error)
|
||||
GetPermission(permID string, relation string) ([]Permission, error)
|
||||
|
@ -1,10 +1,10 @@
|
||||
dn: uid=momo,ou=Users,dc=example,dc=com
|
||||
dn: uid=admin,ou=Users,dc=example,dc=com
|
||||
objectClass: inetOrgPerson
|
||||
cn: Kolya Gerasyimov
|
||||
sn: Gerasyimov
|
||||
uid: momo
|
||||
userPassword: 123
|
||||
mail: momo@example.com
|
||||
cn: Admin
|
||||
sn: Istrator
|
||||
uid: admin
|
||||
userPassword: admin
|
||||
mail: admin@example.com
|
||||
ou: Users
|
||||
|
||||
dn: ou=AppRoles,dc=example,dc=com
|
||||
@ -21,4 +21,4 @@ dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com
|
||||
objectClass: groupofnames
|
||||
cn: traveler
|
||||
description: traveler
|
||||
member: uid=momo,ou=Users,dc=example,dc=com
|
||||
member: uid=admin,ou=Users,dc=example,dc=com
|
6
main.go
6
main.go
@ -73,13 +73,11 @@ func generateSelfPeer() error {
|
||||
return err
|
||||
}
|
||||
// compare the public key from file with the one in the database
|
||||
fmt.Println(string(f), p.Data[0].(*peer.Peer).PublicKey)
|
||||
if !strings.Contains(string(f), p.Data[0].(*peer.Peer).PublicKey) {
|
||||
return errors.New("public key is different from the one in the database")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
fmt.Println("Creating new peer", strconv.Itoa(peer.SELF.EnumIndex()))
|
||||
// create a new peer
|
||||
o := oclib.GetConfLoader()
|
||||
peer := &peer.Peer{
|
||||
@ -100,8 +98,10 @@ func generateSelfPeer() error {
|
||||
func discovery() {
|
||||
fmt.Println("Discovered")
|
||||
api := tools.API{}
|
||||
conn := infrastructure.GetPermissionConnector()
|
||||
conn.CreateRole("admin")
|
||||
conn.BindRole("admin", "admin")
|
||||
addPermissions := func(m map[string]interface{}) {
|
||||
conn := infrastructure.GetPermissionConnector()
|
||||
for k, v := range m {
|
||||
for _, p := range v.([]interface{}) {
|
||||
conn.CreatePermission(k, p.(string), true)
|
||||
|
@ -64,7 +64,7 @@ func init() {
|
||||
beego.GlobalControllerRouter["oc-auth/controllers:PermissionController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:PermissionController"],
|
||||
beego.ControllerComments{
|
||||
Method: "Get",
|
||||
Router: `/:id/:relation[get]`,
|
||||
Router: `/:id/:relation`,
|
||||
AllowHTTPMethods: []string{"get"},
|
||||
MethodParams: param.Make(),
|
||||
Filters: nil,
|
||||
|
@ -14,7 +14,7 @@ import (
|
||||
)
|
||||
|
||||
func init() {
|
||||
ns := beego.NewNamespace("/oc",
|
||||
ns := beego.NewNamespace("/oc/",
|
||||
beego.NSInclude(
|
||||
&controllers.OAuthController{},
|
||||
),
|
||||
|
@ -13,7 +13,7 @@
|
||||
"url": "https://www.gnu.org/licenses/agpl-3.0.html"
|
||||
}
|
||||
},
|
||||
"basePath": "/oc",
|
||||
"basePath": "/oc/",
|
||||
"paths": {
|
||||
"/forward": {
|
||||
"get": {
|
||||
@ -180,7 +180,7 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"/permission/{id}/{relation[get]}": {
|
||||
"/permission/{id}/{relation}": {
|
||||
"get": {
|
||||
"tags": [
|
||||
"permission"
|
||||
|
@ -10,7 +10,7 @@ info:
|
||||
license:
|
||||
name: AGPL
|
||||
url: https://www.gnu.org/licenses/agpl-3.0.html
|
||||
basePath: /oc
|
||||
basePath: /oc/
|
||||
paths:
|
||||
/forward:
|
||||
get:
|
||||
@ -89,7 +89,7 @@ paths:
|
||||
responses:
|
||||
"200":
|
||||
description: '{permission} string'
|
||||
/permission/{id}/{relation[get]}:
|
||||
/permission/{id}/{relation}:
|
||||
get:
|
||||
tags:
|
||||
- permission
|
||||
|
Loading…
Reference in New Issue
Block a user