BAHAMAS

2024-10-30 12:38:25 +01:00
parent 7198c40d30
commit d87883b57f
27 changed files with 536 additions and 755 deletions
--- a/infrastructure/claims/claims.go
+++ b/infrastructure/claims/claims.go
@@ -1,9 +1,11 @@
 package claims

+import "oc-auth/conf"
+
 // Tokenizer interface
 type ClaimService interface {
 	AddClaimsToToken(userId string, host string) Claims
-	DecodeClaimsInToken(host string, method string, forward string, sessionClaims map[string]interface{}, publicKey string) (bool, error)
+	DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error)
 }

 // SessionClaims struct
@@ -16,3 +18,11 @@ type SessionClaims struct {
 type Claims struct {
 	Session SessionClaims `json:"session"`
 }
+
+var t = map[string]ClaimService{
+	"hydra": HydraClaims{},
+}
+
+func GetClaims() ClaimService {
+	return t[conf.GetConfig().Auth]
+}
--- a/infrastructure/claims/crypto.go
+++ b/infrastructure/claims/crypto.go
@@ -0,0 +1,129 @@
+package claims
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"log"
+)
+
+func SignDefault(plaintext, privateKey []byte) (signature string, err error) {
+	client, err := New(privateKey, nil)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	signatureByte, err := client.Sign(plaintext)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	signature = base64.StdEncoding.EncodeToString(signatureByte)
+	return
+}
+
+func VerifyDefault(plaintext, publicKey []byte, signature string) (err error) {
+	publicKeys := make(map[string][]byte)
+	publicKeys["default"] = publicKey
+	client, err := New(nil, publicKeys)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	signatureByte, err := base64.StdEncoding.DecodeString(signature)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+
+	err = client.Verify(plaintext, signatureByte, "default")
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	return
+}
+
+func (c *Client) Sign(plaintext []byte) (signature []byte, err error) {
+	var opts rsa.PSSOptions
+	opts.SaltLength = rsa.PSSSaltLengthAuto
+
+	newhash := crypto.SHA256
+	pssh := newhash.New()
+	pssh.Write(plaintext)
+	hashed := pssh.Sum(nil)
+	signature, err = rsa.SignPSS(
+		rand.Reader,
+		c.PrivateKey,
+		newhash,
+		hashed,
+		&opts,
+	)
+	return
+}
+
+func (c *Client) Verify(plaintext, signature []byte, target string) (err error) {
+	var opts rsa.PSSOptions
+	opts.SaltLength = rsa.PSSSaltLengthAuto
+
+	newhash := crypto.SHA256
+	pssh := newhash.New()
+	pssh.Write(plaintext)
+	hashed := pssh.Sum(nil)
+	err = rsa.VerifyPSS(
+		c.PublicKeys[target],
+		newhash,
+		hashed,
+		signature,
+		&opts,
+	)
+	return
+}
+
+func init() {
+	log.SetFlags(log.LstdFlags | log.Lshortfile)
+}
+
+type Client struct {
+	PrivateKey *rsa.PrivateKey
+	PublicKeys map[string]*rsa.PublicKey
+}
+
+func New(privateKey []byte, publicKeys map[string][]byte) (client *Client, err error) {
+	client = &Client{}
+
+	if privateKey != nil {
+		validPrivateKey, errPrivate := x509.ParsePKCS1PrivateKey(privateKey)
+		if errPrivate != nil {
+			err = errPrivate
+			log.Println(err)
+			return
+		}
+		client.PrivateKey = validPrivateKey
+	}
+
+	if publicKeys != nil {
+		validPublicKeysMap := make(map[string]*rsa.PublicKey)
+		for k, v := range publicKeys {
+			validPublicKey, errPublic := x509.ParsePKCS1PublicKey(v)
+			if errPublic != nil {
+				err = errPublic
+				log.Println(err)
+				return
+			}
+			if validPublicKey == nil {
+				err = errors.New("Invalid Public Key Type")
+				log.Println(err)
+				return
+			}
+			validPublicKeysMap[k] = validPublicKey
+		}
+		client.PublicKeys = validPublicKeysMap
+	}
+
+	return
+}
--- a/infrastructure/claims/hydra_claims.go
+++ b/infrastructure/claims/hydra_claims.go
@@ -1,13 +1,10 @@
 package claims

 import (
-	"crypto"
-	"crypto/rand"
-	"crypto/rsa"
 	"crypto/sha256"
-	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/perms_connectors"
 	"oc-auth/infrastructure/utils"
@@ -43,11 +40,10 @@ func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
 }

 func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
+	fmt.Println("DecodeSignature", host)
 	hashed := sha256.Sum256([]byte(host))
-	// get public key into a variable
-	spkiBlock, _ := pem.Decode([]byte(publicKey))
-	key, _ := x509.ParsePKCS1PublicKey(spkiBlock.Bytes)
-	err := rsa.VerifyPKCS1v15(key, crypto.SHA256, hashed[:], []byte(signature))
+	spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
+	err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
 	if err != nil {
 		return false, err
 	}
@@ -55,32 +51,28 @@ func (h HydraClaims) DecodeSignature(host string, signature string, publicKey st
 }

 func (h HydraClaims) encodeSignature(host string) (string, error) {
+	fmt.Println("encodeSignature", host)
 	hashed := sha256.Sum256([]byte(host))
 	// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
-	content, err := os.ReadFile(conf.GetConfig().PVKPath)
+	content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
 	if err != nil {
 		return "", err
 	}
 	privateKey := string(content)
 	spkiBlock, _ := pem.Decode([]byte(privateKey))
-	key, _ := x509.ParsePKCS1PrivateKey(spkiBlock.Bytes)
-	signature, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hashed[:])
-	if err != nil {
-		return "", err
-	}
-	return string(signature), nil
+	return SignDefault(hashed[:], spkiBlock.Bytes)
 }

-func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims map[string]interface{}, publicKey string) (bool, error) {
-	if sessionClaims["id_token"] == nil || sessionClaims["access_token"] == nil {
-		return false, errors.New("invalid session claims")
+func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string) (bool, error) {
+	idTokenClaims := sessionClaims.Session.IDToken
+	if idTokenClaims["signature"] == nil {
+		return false, errors.New("no signature found")
 	}
-	idTokenClaims := sessionClaims["id_token"].(map[string]interface{})
 	signature := idTokenClaims["signature"].(string)
 	if ok, err := h.DecodeSignature(host, signature, publicKey); !ok {
 		return false, err
 	}
-	claims := sessionClaims["access_token"].(map[string]interface{})
+	claims := sessionClaims.Session.AccessToken
 	path := strings.ReplaceAll(forward, "http://"+host, "")
 	splittedPath := strings.Split(path, "/")
 	for m, p := range claims {
@@ -114,6 +106,8 @@ func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
 	if err != nil {
 		return claims
 	}
+	claims.Session.AccessToken = make(map[string]interface{})
+	claims.Session.IDToken = make(map[string]interface{})
 	for _, perm := range perms {
 		key, err := h.generateKey(perm.Relation, perm.Object)
 		if err != nil {
@@ -127,7 +121,6 @@ func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
 	}
 	claims.Session.IDToken["signature"] = sign
 	return claims
-
 }

 // add signature in the token MISSING