OC-AUTH with admin persona

infrastructure/auth_connector/hydra_connector.go

@@ -146,7 +146,6 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 	// problem with consent THERE we need to accept the consent challenge && get the token
 	_, err = a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
 		"application/json", true, cookies...)
-	fmt.Println(err)
 	if err != nil {
 		s := strings.Split(err.Error(), "\"")
 		if len(s) > 1 && strings.Contains(s[1], "access_token") {
@@ -242,15 +241,12 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
 	if isOauth {
 		oauth = "/oauth2"
 	}
-	fmt.Println("http://" + host + ":" + port + oauth)
 	return "http://" + host + ":" + port + oauth
 
 }
 
 func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool {
-	fmt.Println("CheckAuthForward", reqToken, publicKey, host, method, forward)
 	if forward == "" || method == "" {
-		fmt.Println("Forwarded headers are missing")
 		return false
 	}
 	var c claims.Claims

infrastructure/auth_connector/ldap.go

@@ -254,7 +254,6 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
 	)
 	wg.Add(len(cli.Endpoints))
 	for _, addr := range cli.Endpoints {
-		fmt.Println("addr", addr)
 		go func(addr string) {
 			defer wg.Done()
 

infrastructure/claims/hydra_claims.go

@@ -4,7 +4,6 @@ import (
 	"crypto/sha256"
 	"encoding/pem"
 	"errors"
-	"fmt"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/perms_connectors"
 	"oc-auth/infrastructure/utils"
@@ -40,7 +39,6 @@ func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
 }
 
 func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
-	fmt.Println("DecodeSignature", host)
 	hashed := sha256.Sum256([]byte(host))
 	spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
 	err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
@@ -51,7 +49,6 @@ func (h HydraClaims) DecodeSignature(host string, signature string, publicKey st
 }
 
 func (h HydraClaims) encodeSignature(host string) (string, error) {
-	fmt.Println("encodeSignature", host)
 	hashed := sha256.Sum256([]byte(host))
 	// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
 	content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
@@ -102,7 +99,7 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 // add claims to token method of HydraTokenizer
 func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
 	claims := Claims{}
-	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId)
+	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
 	if err != nil {
 		return claims
 	}

infrastructure/perms_connectors/keto_connector.go

@@ -124,6 +124,8 @@ func (k KetoConnector) CreatePermission(permID string, relation string, internal
 	if err != nil {
 		return "", 422, err
 	}
+
+	k.BindPermission("admin", permID, "permits"+meth.String())
 	p, code, err := k.createRelationShip(permID, "permits"+meth.String(), k.scope(), nil)
 	if err != nil {
 		return "", code, err
@@ -145,7 +147,7 @@ func (k KetoConnector) GetRole(roleID string) ([]string, error) {
 
 func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
 	arr := []string{}
-	roles, err := k.get("", "is", userID)
+	roles, err := k.get("", "member", userID)
 	if err != nil {
 		return arr, err
 	}
@@ -159,10 +161,9 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
 	meth, err := utils.ExtractMethod(relation, true)
 	if err != nil {
 		p := []Permission{}
-		for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
-			fmt.Println("blblbl", permID, "permits"+method.String(), k.scope())
+		for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
+			tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
 			perms, err := k.get(permID, "permits"+method.String(), k.scope())
-			fmt.Println("blblbl2", perms, err)
 			if err == nil && len(perms) > 0 {
 				p = append(p, perms...)
 			}
@@ -173,24 +174,35 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
 }
 
 func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
-	return k.get("", "", roleID)
+	p := []Permission{}
+	for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
+		tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
+		perms, err := k.get(roleID, "permits"+method.String(), "")
+		if err == nil && len(perms) > 0 {
+			p = append(p, perms...)
+		}
+	}
+	return p, nil
 }
-func (k KetoConnector) GetPermissionByUser(userID string) ([]Permission, error) {
-	roles, err := k.get("", "is", userID)
-	perms := []Permission{}
+func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
+	roles, err := k.get("", "member", userID)
 	if err != nil {
-		return perms, err
+		return nil, err
+	}
+	p := []Permission{}
+	meths := []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE}
+	if internal {
+		meths = append(meths, []tools.METHOD{tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT}...)
 	}
 	for _, role := range roles {
-		p, err := k.get(role.Object, "", k.scope())
-		if err != nil {
-			log := oclib.GetLogger()
-			log.Error().Msg(err.Error())
-			continue
+		for _, method := range meths {
+			perms, err := k.get(role.Object, "permits"+method.String(), "")
+			if err == nil && len(perms) > 0 {
+				p = append(p, perms...)
+			}
 		}
-		perms = append(perms, p...)
 	}
-	return perms, nil
+	return p, nil
 }
 
 func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
@@ -229,11 +241,7 @@ func (k KetoConnector) BindRole(userID string, roleID string) (string, int, erro
 }
 
 func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
-	meth, err := utils.ExtractMethod(relation, false)
-	if err != nil {
-		return nil, 422, err
-	}
-	perms, err := k.GetPermission(permID, meth.String())
+	perms, err := k.GetPermission(permID, relation)
 	if err != nil || len(perms) != 1 {
 		if len(perms) == 0 {
 			return nil, 404, errors.New("Permission not found")
@@ -338,9 +346,7 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
 	n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
 	host := conf.GetConfig().PermissionConnectorHost
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
-	fmt.Println(host, port, n)
 	b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
-	fmt.Println(b, err)
 	if err != nil {
 		log := oclib.GetLogger()
 		log.Error().Msg(err.Error())

infrastructure/perms_connectors/perms_connector.go

@@ -37,7 +37,7 @@ type PermConnector interface {
 
 	GetRoleByUser(userID string) ([]string, error)
 	GetPermissionByRole(roleID string) ([]Permission, error)
-	GetPermissionByUser(userID string) ([]Permission, error)
+	GetPermissionByUser(userID string, internal bool) ([]Permission, error)
 
 	GetRole(roleID string) ([]string, error)
 	GetPermission(permID string, relation string) ([]Permission, error)