OC-AUTH with admin persona

This commit is contained in:
mr 2024-10-30 16:18:21 +01:00
parent d87883b57f
commit d33d2eb343
15 changed files with 52 additions and 52 deletions

View File

@ -3,6 +3,7 @@ package conf
import "sync"
type Config struct {
Demo bool
PublicKeyPath string
PrivateKeyPath string

View File

@ -66,7 +66,7 @@ func (o *PermissionController) GetByRole() {
// @router /user/:id [get]
func (o *PermissionController) GetByUser() {
id := o.Ctx.Input.Param(":id")
role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id)
role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id, true)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,

View File

@ -5,5 +5,6 @@
"PORT" : 8080,
"AUTH_CONNECTOR_HOST": "hydra",
"PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
"PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem"
"PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
"DEMO": true
}

View File

@ -146,7 +146,6 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
// problem with consent THERE we need to accept the consent challenge && get the token
_, err = a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
"application/json", true, cookies...)
fmt.Println(err)
if err != nil {
s := strings.Split(err.Error(), "\"")
if len(s) > 1 && strings.Contains(s[1], "access_token") {
@ -242,15 +241,12 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
if isOauth {
oauth = "/oauth2"
}
fmt.Println("http://" + host + ":" + port + oauth)
return "http://" + host + ":" + port + oauth
}
func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool {
fmt.Println("CheckAuthForward", reqToken, publicKey, host, method, forward)
if forward == "" || method == "" {
fmt.Println("Forwarded headers are missing")
return false
}
var c claims.Claims

View File

@ -254,7 +254,6 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
)
wg.Add(len(cli.Endpoints))
for _, addr := range cli.Endpoints {
fmt.Println("addr", addr)
go func(addr string) {
defer wg.Done()

View File

@ -4,7 +4,6 @@ import (
"crypto/sha256"
"encoding/pem"
"errors"
"fmt"
"oc-auth/conf"
"oc-auth/infrastructure/perms_connectors"
"oc-auth/infrastructure/utils"
@ -40,7 +39,6 @@ func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
}
func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
fmt.Println("DecodeSignature", host)
hashed := sha256.Sum256([]byte(host))
spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
@ -51,7 +49,6 @@ func (h HydraClaims) DecodeSignature(host string, signature string, publicKey st
}
func (h HydraClaims) encodeSignature(host string) (string, error) {
fmt.Println("encodeSignature", host)
hashed := sha256.Sum256([]byte(host))
// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
@ -102,7 +99,7 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
// add claims to token method of HydraTokenizer
func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
claims := Claims{}
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId)
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
if err != nil {
return claims
}

View File

@ -124,6 +124,8 @@ func (k KetoConnector) CreatePermission(permID string, relation string, internal
if err != nil {
return "", 422, err
}
k.BindPermission("admin", permID, "permits"+meth.String())
p, code, err := k.createRelationShip(permID, "permits"+meth.String(), k.scope(), nil)
if err != nil {
return "", code, err
@ -145,7 +147,7 @@ func (k KetoConnector) GetRole(roleID string) ([]string, error) {
func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
arr := []string{}
roles, err := k.get("", "is", userID)
roles, err := k.get("", "member", userID)
if err != nil {
return arr, err
}
@ -159,10 +161,9 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
meth, err := utils.ExtractMethod(relation, true)
if err != nil {
p := []Permission{}
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
fmt.Println("blblbl", permID, "permits"+method.String(), k.scope())
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
perms, err := k.get(permID, "permits"+method.String(), k.scope())
fmt.Println("blblbl2", perms, err)
if err == nil && len(perms) > 0 {
p = append(p, perms...)
}
@ -173,24 +174,35 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
}
func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
return k.get("", "", roleID)
p := []Permission{}
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
perms, err := k.get(roleID, "permits"+method.String(), "")
if err == nil && len(perms) > 0 {
p = append(p, perms...)
}
func (k KetoConnector) GetPermissionByUser(userID string) ([]Permission, error) {
roles, err := k.get("", "is", userID)
perms := []Permission{}
}
return p, nil
}
func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
roles, err := k.get("", "member", userID)
if err != nil {
return perms, err
return nil, err
}
p := []Permission{}
meths := []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE}
if internal {
meths = append(meths, []tools.METHOD{tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT}...)
}
for _, role := range roles {
p, err := k.get(role.Object, "", k.scope())
if err != nil {
log := oclib.GetLogger()
log.Error().Msg(err.Error())
continue
for _, method := range meths {
perms, err := k.get(role.Object, "permits"+method.String(), "")
if err == nil && len(perms) > 0 {
p = append(p, perms...)
}
perms = append(perms, p...)
}
return perms, nil
}
return p, nil
}
func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
@ -229,11 +241,7 @@ func (k KetoConnector) BindRole(userID string, roleID string) (string, int, erro
}
func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
meth, err := utils.ExtractMethod(relation, false)
if err != nil {
return nil, 422, err
}
perms, err := k.GetPermission(permID, meth.String())
perms, err := k.GetPermission(permID, relation)
if err != nil || len(perms) != 1 {
if len(perms) == 0 {
return nil, 404, errors.New("Permission not found")
@ -338,9 +346,7 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
host := conf.GetConfig().PermissionConnectorHost
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
fmt.Println(host, port, n)
b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
fmt.Println(b, err)
if err != nil {
log := oclib.GetLogger()
log.Error().Msg(err.Error())

View File

@ -37,7 +37,7 @@ type PermConnector interface {
GetRoleByUser(userID string) ([]string, error)
GetPermissionByRole(roleID string) ([]Permission, error)
GetPermissionByUser(userID string) ([]Permission, error)
GetPermissionByUser(userID string, internal bool) ([]Permission, error)
GetRole(roleID string) ([]string, error)
GetPermission(permID string, relation string) ([]Permission, error)

View File

@ -1,10 +1,10 @@
dn: uid=momo,ou=Users,dc=example,dc=com
dn: uid=admin,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Kolya Gerasyimov
sn: Gerasyimov
uid: momo
userPassword: 123
mail: momo@example.com
cn: Admin
sn: Istrator
uid: admin
userPassword: admin
mail: admin@example.com
ou: Users
dn: ou=AppRoles,dc=example,dc=com
@ -21,4 +21,4 @@ dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com
objectClass: groupofnames
cn: traveler
description: traveler
member: uid=momo,ou=Users,dc=example,dc=com
member: uid=admin,ou=Users,dc=example,dc=com

View File

@ -73,13 +73,11 @@ func generateSelfPeer() error {
return err
}
// compare the public key from file with the one in the database
fmt.Println(string(f), p.Data[0].(*peer.Peer).PublicKey)
if !strings.Contains(string(f), p.Data[0].(*peer.Peer).PublicKey) {
return errors.New("public key is different from the one in the database")
}
return nil
}
fmt.Println("Creating new peer", strconv.Itoa(peer.SELF.EnumIndex()))
// create a new peer
o := oclib.GetConfLoader()
peer := &peer.Peer{
@ -100,8 +98,10 @@ func generateSelfPeer() error {
func discovery() {
fmt.Println("Discovered")
api := tools.API{}
addPermissions := func(m map[string]interface{}) {
conn := infrastructure.GetPermissionConnector()
conn.CreateRole("admin")
conn.BindRole("admin", "admin")
addPermissions := func(m map[string]interface{}) {
for k, v := range m {
for _, p := range v.([]interface{}) {
conn.CreatePermission(k, p.(string), true)

BIN
oc-auth

Binary file not shown.

View File

@ -64,7 +64,7 @@ func init() {
beego.GlobalControllerRouter["oc-auth/controllers:PermissionController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:PermissionController"],
beego.ControllerComments{
Method: "Get",
Router: `/:id/:relation[get]`,
Router: `/:id/:relation`,
AllowHTTPMethods: []string{"get"},
MethodParams: param.Make(),
Filters: nil,

View File

@ -14,7 +14,7 @@ import (
)
func init() {
ns := beego.NewNamespace("/oc",
ns := beego.NewNamespace("/oc/",
beego.NSInclude(
&controllers.OAuthController{},
),

View File

@ -13,7 +13,7 @@
"url": "https://www.gnu.org/licenses/agpl-3.0.html"
}
},
"basePath": "/oc",
"basePath": "/oc/",
"paths": {
"/forward": {
"get": {
@ -180,7 +180,7 @@
}
}
},
"/permission/{id}/{relation[get]}": {
"/permission/{id}/{relation}": {
"get": {
"tags": [
"permission"

View File

@ -10,7 +10,7 @@ info:
license:
name: AGPL
url: https://www.gnu.org/licenses/agpl-3.0.html
basePath: /oc
basePath: /oc/
paths:
/forward:
get:
@ -89,7 +89,7 @@ paths:
responses:
"200":
description: '{permission} string'
/permission/{id}/{relation[get]}:
/permission/{id}/{relation}:
get:
tags:
- permission