auth

Dockerfile

@@ -10,9 +10,6 @@ RUN go mod download
 
 FROM golang:alpine AS builder
 
-ARG HOSTNAME=http://localhost
-ARG NAME=local
-
 RUN apk add git
 
 RUN go install github.com/beego/bee/v2@latest

Makefile

@@ -6,6 +6,14 @@ build: clean
 run:
 	bee run -gendoc=true -downdoc=true
 
+purge:
+	lsof -t -i:8094 | xargs kill | true
+
+run-dev:
+	bee generate routers && bee run -gendoc=true -downdoc=true -runmode=prod
+
+dev: purge run-dev
+
 debug:
 	bee run -downdebug -gendebug
 

README.md

@@ -7,6 +7,9 @@ To build :
     bee generate routers
     bee run -gendoc=true -downdoc=true
 
+OR 
+    make dev
+
 If default Swagger page is displayed instead of tyour api, change url in swagger/index.html file to :
 
     url: "swagger.json"

auth.json

@@ -1,9 +1,7 @@
 {
-    "port": 8080,
     "MONGO_URL":"mongodb://localhost:27017/", 
     "MONGO_DATABASE":"DC_myDC",
-    "natsurl":"http://localhost:4080", 
+    "NATS_URL": "nats://localhost:4222",
-    "login":"admin", 
+    "LDAP_ENDPOINTS": "localhost:390",
-    "password":"admin",
+    "port": 8094
-    "oidcserver":"http://localhost:8080"
 }

conf/app.conf

@@ -1,5 +1,5 @@
 appname = oc-auth
-httpport = 8080
+httpport = 8094
 runmode = dev
 autorender = false
 copyrequestbody = true

conf/config.go

@@ -3,6 +3,7 @@ package conf
 import "sync"
 
 type Config struct {
+	SourceMode     string
 	AdminRole      string
 	PublicKeyPath  string
 	PrivateKeyPath string
@@ -23,9 +24,12 @@ type Config struct {
 	AuthConnectorPort      int
 	AuthConnectorAdminPort int
 
-	PermissionConnectorHost      string
+	PermissionConnectorWriteHost string
+	PermissionConnectorReadHost  string
 	PermissionConnectorPort      int
 	PermissionConnectorAdminPort int
+
+	Local bool
 }
 
 var instance *Config

controllers/group.go

@@ -19,7 +19,8 @@ type GroupController struct {
 func (o *GroupController) Post() {
 	// store and return Id or post with UUID
 	id := o.Ctx.Input.Param(":id")
-	group, code, err := infrastructure.GetPermissionConnector().CreateGroup(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, code, err := infrastructure.GetPermissionConnector(clientID).CreateGroup(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -44,7 +45,8 @@ func (o *GroupController) Post() {
 // @router /user/:id [get]
 func (o *GroupController) GetByUser() {
 	id := o.Ctx.Input.Param(":id")
-	group, err := infrastructure.GetPermissionConnector().GetGroupByUser(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, err := infrastructure.GetPermissionConnector(clientID).GetGroupByUser(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -67,7 +69,8 @@ func (o *GroupController) GetByUser() {
 // @Success 200 {group} string
 // @router / [get]
 func (o *GroupController) GetAll() {
-	group, err := infrastructure.GetPermissionConnector().GetGroup("")
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, err := infrastructure.GetPermissionConnector(clientID).GetGroup("")
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -92,7 +95,8 @@ func (o *GroupController) GetAll() {
 // @router /:id [get]
 func (o *GroupController) Get() {
 	id := o.Ctx.Input.Param(":id")
-	group, err := infrastructure.GetPermissionConnector().GetGroup(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, err := infrastructure.GetPermissionConnector(clientID).GetGroup(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -117,7 +121,8 @@ func (o *GroupController) Get() {
 // @router /:id [delete]
 func (o *GroupController) Delete() {
 	id := o.Ctx.Input.Param(":id")
-	group, code, err := infrastructure.GetPermissionConnector().DeleteGroup(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, code, err := infrastructure.GetPermissionConnector(clientID).DeleteGroup(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -140,7 +145,8 @@ func (o *GroupController) Delete() {
 // @Success 200 {string} delete success!
 // @router /clear [delete]
 func (o *GroupController) Clear() {
-	group, code, err := infrastructure.GetPermissionConnector().DeleteGroup("")
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, code, err := infrastructure.GetPermissionConnector(clientID).DeleteGroup("")
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -167,7 +173,8 @@ func (o *GroupController) Clear() {
 func (o *GroupController) Bind() {
 	user_id := o.Ctx.Input.Param(":user_id")
 	group_id := o.Ctx.Input.Param(":group_id")
-	group, code, err := infrastructure.GetPermissionConnector().BindGroup(user_id, group_id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, code, err := infrastructure.GetPermissionConnector(clientID).BindGroup(user_id, group_id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -187,14 +194,15 @@ func (o *GroupController) Bind() {
 
 // @Title UnBind
 // @Description unbind the group to user
-// @Param	group_id		path 	string	true		"The group_id you want to unbind"
+// @Param	user_id		path 	string	true		"The group_id you want to unbind"
 // @Param	group_id		path 	string	true		"The user_id you want to unbind"
 // @Success 200 {string} bind success!
 // @router /:user_id/:group_id [delete]
 func (o *GroupController) UnBind() {
 	user_id := o.Ctx.Input.Param(":user_id")
 	group_id := o.Ctx.Input.Param(":group_id")
-	group, code, err := infrastructure.GetPermissionConnector().UnBindGroup(user_id, group_id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	group, code, err := infrastructure.GetPermissionConnector(clientID).UnBindGroup(user_id, group_id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,

controllers/oauth2.go

@@ -1,13 +1,17 @@
 package controllers
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"oc-auth/conf"
 	"oc-auth/infrastructure"
 	auth_connectors "oc-auth/infrastructure/auth_connector"
+	"oc-auth/infrastructure/claims"
 	"regexp"
 	"strings"
+	"time"
 
 	oclib "cloud.o-forge.io/core/oc-lib"
 	model "cloud.o-forge.io/core/oc-lib/models/peer"
@@ -22,10 +26,12 @@ type OAuthController struct {
 // @Title Logout
 // @Description unauthenticate user
 // @Param	Authorization		header  string	false "auth token"
+// @Param   client_id   query    string  true        "the client_id you want to get"
 // @Success 200 {string}
-// @router /ldap/logout [delete]
+// @router /logout [delete]
-func (o *OAuthController) LogOutLDAP() {
+func (o *OAuthController) LogOut() {
 	// authorize user
+	clientID := o.Ctx.Input.Query("client_id")
 	reqToken := o.Ctx.Request.Header.Get("Authorization")
 	splitToken := strings.Split(reqToken, "Bearer ")
 	if len(splitToken) < 2 {
@@ -36,24 +42,32 @@ func (o *OAuthController) LogOutLDAP() {
 	var res auth_connectors.Token
 	json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)
 
-	token, err := infrastructure.GetAuthConnector().Logout(reqToken)
+	if !conf.GetConfig().Local {
+		token, err := infrastructure.GetAuthConnector().Logout(clientID, reqToken)
 		if err != nil || token == nil {
 			o.Data["json"] = err
 		} else {
 			o.Data["json"] = token
 		}
+	} else {
+		o.Data["json"] = reqToken
+	}
 	o.ServeJSON()
 }
 
 // @Title Login
 // @Description authenticate user
 // @Param	body		body 	models.workflow	true		"The workflow content"
+// @Param   client_id   query    string  true        "the client_id you want to get"
 // @Success 200 {string}
-// @router /ldap/login [post]
+// @router /login [post]
-func (o *OAuthController) LoginLDAP() {
+func (o *OAuthController) Login() {
 	// authorize user
+	clientID := o.Ctx.Input.Query("client_id")
 	var res auth_connectors.Token
 	json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)
+
+	if conf.GetConfig().SourceMode == "ldap" {
 		ldap := auth_connectors.New()
 		found, err := ldap.Authenticate(o.Ctx.Request.Context(), res.Username, res.Password)
 		if err != nil || !found {
@@ -62,7 +76,10 @@ func (o *OAuthController) LoginLDAP() {
 			o.ServeJSON()
 			return
 		}
-	token, err := infrastructure.GetAuthConnector().Login(res.Username,
+	}
+	if !conf.GetConfig().Local {
+		token, err := infrastructure.GetAuthConnector().Login(
+			clientID, res.Username,
 			&http.Cookie{ // open a session
 				Name:  "csrf_token",
 				Value: o.XSRFToken(),
@@ -73,25 +90,57 @@ func (o *OAuthController) LoginLDAP() {
 		} else {
 			o.Data["json"] = token
 		}
+	} else {
+		t := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(
+			nil, fmt.Sprintf("%v", model.SELF.EnumIndex()), false)
+		if t.Err == "" && len(t.Data) > 0 {
+			token := &auth_connectors.Token{
+				Username:    res.Username,
+				Password:    res.Password,
+				TokenType:   "Bearer",
+				Active:      true,
+				ExpiresIn:   3600,
+				AccessToken: "localtoken",
+			}
+			now := time.Now().UTC()
+			now = now.Add(time.Duration(token.ExpiresIn) * time.Second)
+			unix := now.Unix()
+			c := claims.GetClaims().AddClaimsToToken(clientID, res.Username, t.Data[0].(*model.Peer))
+			c.Session.AccessToken["exp"] = unix
+			b, _ := json.Marshal(c)
+			token.AccessToken = token.AccessToken + "." + base64.StdEncoding.EncodeToString(b)
+			o.Data["json"] = token
+
+		} else {
+			o.Data["json"] = t.Err
+			o.Ctx.ResponseWriter.WriteHeader(401)
+		}
+	}
 	o.ServeJSON()
 }
 
 // @Title Introspection
 // @Description introspect token
 // @Param	body		body 	models.Token	true		"The token info"
+// @Param   client_id   query    string  true        "the client_id you want to get"
 // @Success 200 {string}
 // @router /refresh [post]
 func (o *OAuthController) Refresh() {
+	clientID := o.Ctx.Input.Query("client_id")
 	var token auth_connectors.Token
 	json.Unmarshal(o.Ctx.Input.CopyBody(100000), &token)
 	// refresh token
-	newToken, err := infrastructure.GetAuthConnector().Refresh(&token)
+	if !conf.GetConfig().Local {
+		newToken, err := infrastructure.GetAuthConnector().Refresh(clientID, &token)
 		if err != nil || newToken == nil {
 			o.Data["json"] = err
 			o.Ctx.ResponseWriter.WriteHeader(401)
 		} else {
 			o.Data["json"] = newToken
 		}
+	} else {
+		o.Data["json"] = token
+	}
 	o.ServeJSON()
 }
 
@@ -108,12 +157,13 @@ func (o *OAuthController) Introspect() {
 	} else {
 		reqToken = splitToken[1]
 	}
-
+	if !conf.GetConfig().Local {
 		token, err := infrastructure.GetAuthConnector().Introspect(reqToken)
 		if err != nil || !token {
 			o.Data["json"] = err
 			o.Ctx.ResponseWriter.WriteHeader(401)
 		}
+	}
 	o.ServeJSON()
 }
 
@@ -149,7 +199,7 @@ func (o *OAuthController) InternalAuthForward() {
 	} else {
 		reqToken = splitToken[1]
 	}
-	origin, publicKey, external := o.extractOrigin()
+	origin, publicKey, external := o.extractOrigin(o.Ctx.Request)
 	if !infrastructure.GetAuthConnector().CheckAuthForward( //reqToken != "" &&
 		reqToken, publicKey, origin,
 		o.Ctx.Request.Header.Get("X-Forwarded-Method"),
@@ -161,7 +211,8 @@ func (o *OAuthController) InternalAuthForward() {
 	o.ServeJSON()
 }
 
-func (o *OAuthController) extractOrigin() (string, string, bool) {
+func (o *OAuthController) extractOrigin(request *http.Request) (string, string, bool) {
+	user, peerID, groups := oclib.ExtractTokenInfo(*request)
 	external := true
 	publicKey := ""
 	origin := o.Ctx.Request.Header.Get("X-Forwarded-Host")
@@ -174,7 +225,7 @@ func (o *OAuthController) extractOrigin() (string, string, bool) {
 	if t != "" {
 		searchStr = strings.Replace(searchStr, t, "", -1)
 	}
-	peer := oclib.Search(nil, searchStr, oclib.LibDataEnum(oclib.PEER))
+	peer := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), user, peerID, groups, nil).Search(nil, searchStr, false)
 	if peer.Code != 200 || len(peer.Data) == 0 { // TODO: add state of partnership
 		return "", "", external
 	}
@@ -190,3 +241,29 @@ func (o *OAuthController) extractOrigin() (string, string, bool) {
 	}
 	return origin, publicKey, external
 }
+
+func ExtractClient(request http.Request) string {
+	reqToken := request.Header.Get("Authorization")
+	splitToken := strings.Split(reqToken, "Bearer ")
+	if len(splitToken) < 2 {
+		reqToken = ""
+	} else {
+		reqToken = splitToken[1]
+	}
+	if reqToken != "" {
+		token := strings.Split(reqToken, ".")
+		if len(token) > 2 {
+			bytes, err := base64.StdEncoding.DecodeString(token[2])
+			if err != nil {
+				return ""
+			}
+			m := map[string]interface{}{}
+			err = json.Unmarshal(bytes, &m)
+			if err != nil {
+				return ""
+			}
+			return m["session"].(map[string]interface{})["id_token"].(map[string]interface{})["client_id"].(string)
+		}
+	}
+	return ""
+}

controllers/permission.go

@@ -16,7 +16,8 @@ type PermissionController struct {
 // @Success 200 {permission} string
 // @router / [get]
 func (o *PermissionController) GetAll() {
-	role, err := infrastructure.GetPermissionConnector().GetPermission("", "")
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, err := infrastructure.GetPermissionConnector(clientID).GetPermission("", "")
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -41,7 +42,8 @@ func (o *PermissionController) GetAll() {
 // @router /role/:id [get]
 func (o *PermissionController) GetByRole() {
 	id := o.Ctx.Input.Param(":id")
-	role, err := infrastructure.GetPermissionConnector().GetPermissionByRole(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, err := infrastructure.GetPermissionConnector(clientID).GetPermissionByRole(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -66,7 +68,8 @@ func (o *PermissionController) GetByRole() {
 // @router /user/:id [get]
 func (o *PermissionController) GetByUser() {
 	id := o.Ctx.Input.Param(":id")
-	role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id, true)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, err := infrastructure.GetPermissionConnector(clientID).GetPermissionByUser(id, true)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -92,7 +95,8 @@ func (o *PermissionController) GetByUser() {
 func (o *PermissionController) Get() {
 	id := o.Ctx.Input.Param(":id")
 	rel := o.Ctx.Input.Param(":relation")
-	role, err := infrastructure.GetPermissionConnector().GetPermission(id, rel)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, err := infrastructure.GetPermissionConnector(clientID).GetPermission(id, rel)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -115,7 +119,8 @@ func (o *PermissionController) Get() {
 // @Success 200 {string} delete success!
 // @router /clear [delete]
 func (o *PermissionController) Clear() {
-	role, code, err := infrastructure.GetPermissionConnector().DeletePermission("", "", true)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).DeletePermission("", "", true)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -144,7 +149,8 @@ func (o *PermissionController) Bind() {
 	permission_id := o.Ctx.Input.Param(":permission_id")
 	role_id := o.Ctx.Input.Param(":role_id")
 	rel := o.Ctx.Input.Param(":relation")
-	role, code, err := infrastructure.GetPermissionConnector().BindPermission(role_id, permission_id, rel)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).BindPermission(role_id, permission_id, rel)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -173,7 +179,8 @@ func (o *PermissionController) UnBind() {
 	permission_id := o.Ctx.Input.Param(":permission_id")
 	role_id := o.Ctx.Input.Param(":role_id")
 	rel := o.Ctx.Input.Param(":relation")
-	role, code, err := infrastructure.GetPermissionConnector().UnBindPermission(role_id, permission_id, rel)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).UnBindPermission(role_id, permission_id, rel)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,

controllers/role.go

@@ -19,7 +19,8 @@ type RoleController struct {
 func (o *RoleController) Post() {
 	// store and return Id or post with UUID
 	id := o.Ctx.Input.Param(":id")
-	role, code, err := infrastructure.GetPermissionConnector().CreateRole(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).CreateRole(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -44,7 +45,8 @@ func (o *RoleController) Post() {
 // @router /user/:id [get]
 func (o *RoleController) GetByUser() {
 	id := o.Ctx.Input.Param(":id")
-	role, err := infrastructure.GetPermissionConnector().GetRoleByUser(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, err := infrastructure.GetPermissionConnector(clientID).GetRoleByUser(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -67,7 +69,8 @@ func (o *RoleController) GetByUser() {
 // @Success 200 {role} string
 // @router / [get]
 func (o *RoleController) GetAll() {
-	role, err := infrastructure.GetPermissionConnector().GetRole("")
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, err := infrastructure.GetPermissionConnector(clientID).GetRole("")
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -92,7 +95,8 @@ func (o *RoleController) GetAll() {
 // @router /:id [get]
 func (o *RoleController) Get() {
 	id := o.Ctx.Input.Param(":id")
-	role, err := infrastructure.GetPermissionConnector().GetRole(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, err := infrastructure.GetPermissionConnector(clientID).GetRole(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -117,7 +121,8 @@ func (o *RoleController) Get() {
 // @router /:id [delete]
 func (o *RoleController) Delete() {
 	id := o.Ctx.Input.Param(":id")
-	role, code, err := infrastructure.GetPermissionConnector().DeleteRole(id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).DeleteRole(id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -140,7 +145,8 @@ func (o *RoleController) Delete() {
 // @Success 200 {string} delete success!
 // @router /clear [delete]
 func (o *RoleController) Clear() {
-	role, code, err := infrastructure.GetPermissionConnector().DeleteRole("")
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).DeleteRole("")
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -167,7 +173,8 @@ func (o *RoleController) Clear() {
 func (o *RoleController) Bind() {
 	user_id := o.Ctx.Input.Param(":user_id")
 	role_id := o.Ctx.Input.Param(":role_id")
-	role, code, err := infrastructure.GetPermissionConnector().BindRole(user_id, role_id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).BindRole(user_id, role_id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,
@@ -194,7 +201,8 @@ func (o *RoleController) Bind() {
 func (o *RoleController) UnBind() {
 	user_id := o.Ctx.Input.Param(":user_id")
 	role_id := o.Ctx.Input.Param(":role_id")
-	role, code, err := infrastructure.GetPermissionConnector().UnBindRole(user_id, role_id)
+	clientID := ExtractClient(*o.Ctx.Request)
+	role, code, err := infrastructure.GetPermissionConnector(clientID).UnBindRole(user_id, role_id)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data":  nil,

controllers/version.go

@@ -14,7 +14,10 @@ type VersionController struct {
 // @Success 200
 // @router / [get]
 func (c *VersionController) GetAll() {
-	c.Data["json"] = map[string]string{"version": "1"}
+	c.Data["json"] = map[string]string{
+		"service": "oc-auth",
+		"version": "1",
+	}
 	c.ServeJSON()
 }
 
@@ -23,6 +26,9 @@ func (c *VersionController) GetAll() {
 // @Success 200
 // @router /discovery [get]
 func (c *VersionController) Get() {
-	c.Data["json"] = map[string]string{"version": "1"}
+	c.Data["json"] = map[string]string{
+		"service": "oc-auth",
+		"version": "1",
+	}
 	c.ServeJSON()
 }

docker-compose.yml

@@ -1,22 +1,6 @@
 version: '3.4'
 
 services:
-  traefik:
-    image: traefik:v2.10.4
-    container_name: traefik
-    networks:
-      - catalog
-    command:
-      - "--api.insecure=true"
-      - "--providers.docker=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--log.level=DEBUG"
-    ports:
-      - "8080:80"   
-      - "8082:8080"    
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
   oc-auth:
     image: 'oc-auth:latest'
     ports:
@@ -24,8 +8,13 @@ services:
     container_name: oc-auth
     labels:
       - "traefik.enable=true"
+      - "traefik.http.routers.auth.entrypoints=web"
+      - "traefik.http.routers.auth.rule=PathPrefix(`/auth`)"
+      - "traefik.http.middlewares.auth-rewrite.replacepathregex.regex=^/auth(.*)"
+      - "traefik.http.middlewares.auth-rewrite.replacepathregex.replacement=/oc$$1"
+      - "traefik.http.routers.auth.middlewares=auth-rewrite"
+      - "traefik.http.services.auth.loadbalancer.server.port=8080"
       - "traefik.http.middlewares.auth.forwardauth.address=http://oc-auth:8080/oc/forward"
-      - "traefik.http.routers.workflow.rule=PathPrefix(/auth)"
     environment:
           LDAP_ENDPOINTS: ldap:389
           LDAP_BINDDN: cn=admin,dc=example,dc=com
@@ -33,9 +22,10 @@ services:
           LDAP_BASEDN: "dc=example,dc=com"
           LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
     networks: 
-      - catalog
+      - oc
     volumes:
-      - ./pem:/etc/oc/pem
+      - ./pem/private.pem:/keys/private/private.pem
+      - ./pem/public.pem:/keys/public/public.pem
 networks: 
-  catalog:
+  oc:
     external: true

docker_auth.json

@@ -2,9 +2,10 @@
     "MONGO_URL":"mongodb://mongo:27017/", 
     "MONGO_DATABASE":"DC_myDC",
     "NATS_URL": "nats://nats:4222",
-    "PORT" : 8080,
     "AUTH_CONNECTOR_HOST": "hydra",
-    "PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
+    "AUTH_CONNECTOR_PUBLIC_HOST": "hydra",
-    "PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
+    "PRIVATE_KEY_PATH": "/keys/private/private.pem",
-    "LDAP_ENDPOINTS": "ldap:389"
+    "PUBLIC_KEY_PATH": "/keys/public/public.pem",
+    "LDAP_ENDPOINTS": "ldap:389",
+    "LOCAL": false
 }

go.mod

@@ -5,55 +5,25 @@ go 1.23.0
 toolchain go1.23.3
 
 require (
-	cloud.o-forge.io/core/oc-lib v0.0.0-20250108155542-0f4adeea86be
+	cloud.o-forge.io/core/oc-lib v0.0.0-20250219142942-5111c9c8bec7
 	github.com/beego/beego/v2 v2.3.1
 	github.com/smartystreets/goconvey v1.7.2
 	go.uber.org/zap v1.27.0
-	k8s.io/apimachinery v0.32.1
-	k8s.io/client-go v0.32.1
 )
 
 //replace cloud.o-forge.io/core/oc-lib => ../oc-lib
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/biter777/countries v1.7.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
-	github.com/go-openapi/jsonpointer v0.21.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gofrs/uuid v4.3.0+incompatible // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/nats-io/nats.go v1.37.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
-	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/term v0.25.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
-	gopkg.in/inf.v0 v0.9.1 // indirect
-	k8s.io/api v0.32.1 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
-	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
-	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
 )
 
 require (

go.sum

@@ -1,5 +1,7 @@
-cloud.o-forge.io/core/oc-lib v0.0.0-20250108155542-0f4adeea86be h1:1Yf8ihUxXjOEPqcfgtXJpJ/slxBUHhf7AgS7DZI3iUk=
+cloud.o-forge.io/core/oc-lib v0.0.0-20250219104152-3ecb0e9d960b h1:DhRqJdw2VePaYVlsh8OUA3zl+76Q0FWwGu+a+3aOf6s=
-cloud.o-forge.io/core/oc-lib v0.0.0-20250108155542-0f4adeea86be/go.mod h1:ya7Q+zHhaKM+XF6sAJ+avqHEVzaMnFJQih2X3TlTlGo=
+cloud.o-forge.io/core/oc-lib v0.0.0-20250219104152-3ecb0e9d960b/go.mod h1:2roQbUpv3a6mTIr5oU1ux31WbN8YucyyQvCQ0FqwbcE=
+cloud.o-forge.io/core/oc-lib v0.0.0-20250219142942-5111c9c8bec7 h1:fh6SzBPenzIxufIIzExtx4jEE4OhFposqn3EbHFr92Q=
+cloud.o-forge.io/core/oc-lib v0.0.0-20250219142942-5111c9c8bec7/go.mod h1:2roQbUpv3a6mTIr5oU1ux31WbN8YucyyQvCQ0FqwbcE=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -9,6 +11,8 @@ github.com/beego/beego/v2 v2.3.1 h1:7MUKMpJYzOXtCUsTEoXOxsDV/UcHw6CPbaWMlthVNsc=
 github.com/beego/beego/v2 v2.3.1/go.mod h1:5cqHsOHJIxkq44tBpRvtDe59GuVRVv/9/tyVDxd5ce4=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/biter777/countries v1.7.5 h1:MJ+n3+rSxWQdqVJU8eBy9RqcdH6ePPn4PJHocVWUa+Q=
+github.com/biter777/countries v1.7.5/go.mod h1:1HSpZ526mYqKJcpT5Ti1kcGQ0L0SrXWIaptUWjFfv2E=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -17,35 +21,20 @@ github.com/coocood/freecache v1.2.4/go.mod h1:RBUWa/Cy+OHdfTGFEhEuE1pMCMX51Ncizj
 github.com/coreos/etcd v3.3.17+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/elazarl/go-bindata-assetfs v1.0.1 h1:m0kkaHRKEu7tUIUFVwhGGGYClXvyl4RE03qmvRTNfbw=
 github.com/elazarl/go-bindata-assetfs v1.0.1/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
-github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
-github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/etcd-io/etcd v3.3.17+incompatible/go.mod h1:cdZ77EstHBwVtD6iTgzgvogwcjo9m4iOqoijouPJ4bs=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gabriel-vasile/mimetype v1.4.6 h1:3+PzJTKLkvgjeTbts6msPJt4DixhT4YtFNf1gtGe3zc=
 github.com/gabriel-vasile/mimetype v1.4.6/go.mod h1:JX1qVKqZd40hUPpAfiNTe0Sne7hdfKSbOqqmkq8GCXc=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
 github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
-github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
-github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
-github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
-github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
-github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
-github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
@@ -54,28 +43,15 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
 github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
-github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
-github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
 github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
-github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
@@ -104,22 +80,13 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
-github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
 github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -127,8 +94,6 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
-github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -139,12 +104,9 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -156,13 +118,8 @@ github.com/nats-io/nkeys v0.4.7/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDm
 github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/ogier/pflag v0.0.1/go.mod h1:zkFki7tvTa0tafRvTBIZTvzYyAu6kQhPZFnshFFPE+g=
-github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
-github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
@@ -175,8 +132,8 @@ github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPA
 github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
-github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
+github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
@@ -191,8 +148,6 @@ github.com/smartystreets/assertions v1.2.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYl
 github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
 github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -203,8 +158,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
-github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
@@ -213,8 +166,6 @@ github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6
 github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.mongodb.org/mongo-driver v1.17.1 h1:Wic5cJIwJgSpBhe3lx3+/RybR5PiYRMpVFgO7cOHyIM=
 go.mongodb.org/mongo-driver v1.17.1/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4=
@@ -228,25 +179,19 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
 golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -256,11 +201,7 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
@@ -268,7 +209,6 @@ golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -288,8 +228,6 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -299,51 +237,20 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
 golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
-golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
 google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
-gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
-k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
-k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
-k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
-k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
-k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
-k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
-sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
-sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

infrastructure/auth_connector/auth_connector.go

@@ -3,16 +3,17 @@ package auth_connectors
 import (
 	"net/http"
 	"oc-auth/conf"
+	"strings"
 
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
 
 type AuthConnector interface {
 	Status() tools.State
-	Login(username string, cookies ...*http.Cookie) (*Token, error)
+	Login(clientID string, username string, cookies ...*http.Cookie) (*Token, error)
-	Logout(token string, cookies ...*http.Cookie) (*Token, error)
+	Logout(clientID string, token string, cookies ...*http.Cookie) (*Token, error)
 	Introspect(token string, cookie ...*http.Cookie) (bool, error)
-	Refresh(token *Token) (*Token, error)
+	Refresh(client_id string, token *Token) (*Token, error)
 	CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool
 }
 
@@ -37,5 +38,10 @@ var a = map[string]AuthConnector{
 }
 
 func GetAuthConnector() AuthConnector {
-	return a[conf.GetConfig().Auth]
+	for k := range a {
+		if strings.Contains(conf.GetConfig().Auth, k) {
+			return a[k]
+		}
+	}
+	return nil
 }

infrastructure/auth_connector/hydra_connector.go

@@ -1,8 +1,6 @@
 package auth_connectors
 
 import (
-	"bytes"
-	"context"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -12,7 +10,6 @@ import (
 	"net/url"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/claims"
-	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -21,16 +18,11 @@ import (
 	oclib "cloud.o-forge.io/core/oc-lib"
 	"cloud.o-forge.io/core/oc-lib/models/peer"
 	"cloud.o-forge.io/core/oc-lib/tools"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/clientcmd"
 )
 
 type HydraConnector struct {
 	State        string `json:"state"`
 	Scopes       string `json:"scope"`
-	ClientID     string `json:"client_id"`
 	ResponseType string `json:"response_type"`
 
 	Caller *tools.HTTPCaller
@@ -40,6 +32,9 @@ func (a HydraConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
 	host := conf.GetConfig().AuthConnectorHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
@@ -76,6 +71,7 @@ func (a HydraConnector) challenge(username string, url string, challenge string,
 	resp, err := a.Caller.CallRaw(http.MethodPut,
 		a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1],
 		body, "application/json", true, cookies...) // "remember": true, "subject": username
+	fmt.Println(a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1], resp, err)
 	if err != nil {
 		return nil, s[1], cookies, err
 	}
@@ -92,7 +88,7 @@ func (a HydraConnector) challenge(username string, url string, challenge string,
 	return &token, s[1], cookies, nil
 }
 
-func (a HydraConnector) Refresh(token *Token) (*Token, error) {
+func (a HydraConnector) Refresh(client_id string, token *Token) (*Token, error) {
 	access := strings.Split(token.AccessToken, ".")
 	if len(access) > 2 {
 		token.AccessToken = strings.Join(access[0:2], ".")
@@ -101,34 +97,20 @@ func (a HydraConnector) Refresh(token *Token) (*Token, error) {
 	if err != nil || !isValid {
 		return nil, err
 	}
-	_, err = a.Logout(token.AccessToken)
+	_, err = a.Logout(client_id, token.AccessToken)
 	if err != nil {
 		return nil, err
 	}
-	return a.Login(token.Username)
+	return a.Login(client_id, token.Username)
 }
 
 func (a HydraConnector) tryLog(username string, url string, subpath string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
-
+	resp, err := a.Caller.CallRaw(http.MethodGet, url, subpath,
-	postBody, _ := json.Marshal(map[string]interface{}{})
+		map[string]interface{}{}, "application/json", true, cookies...)
-	responseBody := bytes.NewBuffer(postBody)
+	if err != nil || resp.Request.Response == nil || resp.Request.Response.Header["Set-Cookie"] == nil {
-	req, _ := http.NewRequest(http.MethodGet, url+subpath, responseBody)
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Add("X-Forwarded-Proto", "https")
-	for _, c := range cookies {
-		req.AddCookie(c)
-	}
-	client := &http.Client{
-		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			return http.ErrUseLastResponse // No redirect, doesn't make sense; hydra redirect user to login page, we are not the user here due to wrong oauth flow implementation
-		},
-	}
-	resp, err := client.Do(req)
-
-	if err != nil || resp == nil || resp.Header["Set-Cookie"] == nil {
 		return nil, "", cookies, err
 	}
-	cc := resp.Header["Set-Cookie"] // retrieve oauth2 csrf token cookie
+	cc := resp.Request.Response.Header["Set-Cookie"] // retrieve oauth2 csrf token cookie
 	if len(cc) > 0 {
 		for _, c := range cc {
 			first := strings.Split(c, ";")
@@ -138,10 +120,10 @@ func (a HydraConnector) tryLog(username string, url string, subpath string, chal
 			})
 		}
 	}
-	return a.challenge(username, resp.Header.Get("Location"), challenge, cookies...)
+	return a.challenge(username, resp.Request.URL.String(), challenge, cookies...)
 }
 
-func (a HydraConnector) getClient() string {
+func (a HydraConnector) getClient(clientID string) string {
 	resp, err := a.Caller.CallGet(a.getPath(true, false), "/clients")
 	if err != nil {
 		return ""
@@ -151,14 +133,20 @@ func (a HydraConnector) getClient() string {
 	if err != nil || len(clients) == 0 {
 		return ""
 	}
+	for _, c := range clients {
+		if c.(map[string]interface{})["client_name"].(string) == clientID {
+			return c.(map[string]interface{})["client_id"].(string)
+		}
+	}
 	return clients[0].(map[string]interface{})["client_id"].(string)
 }
 
-func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Token, err error) {
+func (a HydraConnector) Login(clientID string, username string, cookies ...*http.Cookie) (t *Token, err error) {
-	clientID := a.getClient()
+	clientID = a.getClient(clientID)
 	redirect, _, cookies, err := a.tryLog(username, a.getPath(false, true),
 		"/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State,
 		"login", cookies...)
+	fmt.Println("login", clientID, username, a.getPath(false, true), redirect, err)
 	if err != nil || redirect == nil {
 		return nil, err
 	}
@@ -167,22 +155,8 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 		return nil, err
 	}
 	// problem with consent THERE we need to accept the consent challenge && get the token
-
+	_, err = a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
-	postBody, _ := json.Marshal(map[string]interface{}{})
+		"application/json", true, cookies...)
-	responseBody := bytes.NewBuffer(postBody)
-	req, _ := http.NewRequest(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), responseBody)
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Add("X-Forwarded-Proto", "https")
-	for _, c := range cookies {
-		req.AddCookie(c)
-	}
-	client := &http.Client{
-		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			return http.ErrUseLastResponse // No redirect, doesn't make sense; hydra redirect user to login page, we are not the user here due to wrong oauth flow implementation
-		},
-	}
-	_, err = client.Do(req)
-
 	if err != nil {
 		s := strings.Split(err.Error(), "\"")
 		if len(s) > 1 && strings.Contains(s[1], "access_token") {
@@ -195,15 +169,6 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 		Username: username,
 	}
 	urls := url.Values{}
-
-	// Using k8s secrets gen by hydra, eventually
-	clientID, clientSecret, err := a.getOAuth2Conf(conf.GetConfig().OAuth2ClientSecretNamespace, conf.GetConfig().OAuth2ClientSecretName)
-	if err == nil {
-		urls.Add("client_id", clientID)
-		urls.Add("client_secret", clientSecret)
-	}
-
-	// Fallback on manually set client secret
 	urls.Add("client_id", clientID)
 	urls.Add("client_secret", conf.GetConfig().ClientSecret)
 	urls.Add("grant_type", "client_credentials")
@@ -220,7 +185,7 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 		return nil, err
 	}
 	json.Unmarshal(b, &m)
-	pp := oclib.Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), oclib.LibDataEnum(oclib.PEER))
+	pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), false)
 	if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
 		return nil, errors.New("peer not found")
 	}
@@ -228,7 +193,7 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 	now = now.Add(time.Duration(token.ExpiresIn) * time.Second)
 	unix := now.Unix()
 
-	c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer))
+	c := claims.GetClaims().AddClaimsToToken(clientID, username, pp.Data[0].(*peer.Peer))
 	c.Session.AccessToken["exp"] = unix
 
 	b, _ = json.Marshal(c)
@@ -238,55 +203,8 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 	return token, nil
 }
 
-func (a HydraConnector) getOAuth2Conf(namespace string, secretName string) (string, string, error) {
+func (a HydraConnector) Logout(clientID string, token string, cookies ...*http.Cookie) (*Token, error) {
-	clientset, err := a.getClientset()
+	clientID = a.getClient(clientID)
-	if err != nil {
-		return "", "", fmt.Errorf("error creating Kubernetes client: %v", err)
-	}
-
-	secret, err := clientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
-	if err != nil {
-		return "", "", fmt.Errorf("error retrieving secret %s/%s: %v", namespace, secretName, err)
-	}
-
-	clientIDEncoded, found := secret.Data["CLIENT_ID"]
-	if !found {
-		return "", "", fmt.Errorf("CLIENT_ID key not found in secret")
-	}
-
-	clientSecretEncoded, found := secret.Data["CLIENT_SECRET"]
-	if !found {
-		return "", "", fmt.Errorf("CLIENT_SECRET key not found in secret")
-	}
-
-	clientID := string(clientIDEncoded)
-	clientSecret := string(clientSecretEncoded)
-
-	return clientID, clientSecret, nil
-}
-
-func (a HydraConnector) getClientset() (*kubernetes.Clientset, error) {
-	var config *rest.Config
-	var err error
-
-	// Check if running inside cluster
-	if _, inCluster := os.LookupEnv("KUBERNETES_SERVICE_HOST"); inCluster {
-		config, err = rest.InClusterConfig() // Use in-cluster config
-	} else {
-		kubeconfig := os.Getenv("KUBECONFIG") // Use local kubeconfig file
-		if kubeconfig == "" {
-			kubeconfig = clientcmd.RecommendedHomeFile
-		}
-		config, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	return kubernetes.NewForConfig(config)
-}
-
-func (a HydraConnector) Logout(token string, cookies ...*http.Cookie) (*Token, error) {
 	access := strings.Split(token, ".")
 	if len(access) > 2 {
 		token = strings.Join(access[0:2], ".")
@@ -294,7 +212,7 @@ func (a HydraConnector) Logout(token string, cookies ...*http.Cookie) (*Token, e
 	p := a.getPath(false, true) + "/revoke"
 	urls := url.Values{}
 	urls.Add("token", token)
-	urls.Add("client_id", a.getClient())
+	urls.Add("client_id", clientID)
 	urls.Add("client_secret", conf.GetConfig().ClientSecret)
 	_, err := a.Caller.CallForm(http.MethodPost, p, "", urls, "application/x-www-form-urlencoded", true)
 	if err != nil {
@@ -334,10 +252,12 @@ func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool,
 }
 
 func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
-	host := conf.GetConfig().AuthConnectPublicHost
+	host := conf.GetConfig().AuthConnectorHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	if isAdmin {
-		host = conf.GetConfig().AuthConnectorHost
 		port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"
 	}
 	oauth := ""

infrastructure/auth_connector/ldap.go

@@ -31,8 +31,9 @@ var (
 
 type conn interface {
 	Bind(bindDN, password string) error
-	SearchUser(user string, attrs ...string) ([]map[string]interface{}, error)
+	SearchRoles(attrs ...string) ([]map[string][]string, error)
-	SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error)
+	SearchUser(user string, attrs ...string) ([]map[string][]string, error)
+	SearchUserRoles(user string, attrs ...string) ([]map[string][]string, error)
 	Close() error
 }
 
@@ -78,7 +79,7 @@ type Client struct {
 	cache     *freecache.Cache
 }
 
-func (cli *Client) Authenticate(ctx context.Context, username, password string) (bool, error) {
+func (cli *Client) Authenticate(ctx context.Context, username string, password string) (bool, error) {
 	if username == "" || password == "" {
 		return false, nil
 	}
@@ -101,8 +102,8 @@ func (cli *Client) Authenticate(ctx context.Context, username, password string)
 	if details == nil {
 		return false, nil
 	}
-
+	a := details["dn"]
-	if err := cn.Bind(details["dn"].(string), password); err != nil {
+	if err := cn.Bind(a[0], password); err != nil {
 		if err == errInvalidCredentials {
 			return false, nil
 		}
@@ -118,6 +119,21 @@ func (cli *Client) Authenticate(ctx context.Context, username, password string)
 	return true, nil
 }
 
+func (cli *Client) GetRoles(ctx context.Context) (map[string]LDAPRoles, error) {
+	var cancel context.CancelFunc
+	ctx, cancel = context.WithCancel(ctx)
+
+	cn, ok := <-cli.connect(ctx)
+	cancel()
+	if !ok {
+		return map[string]LDAPRoles{}, errConnectionTimeout
+	}
+	defer cn.Close()
+
+	// Find a user DN by his or her username.
+	return cli.findRoles(cn, "dn", "member", "uniqueMember")
+}
+
 // Claim is the FindOIDCClaims result struct
 type LDAPClaim struct {
 	Code  string      // the root claim name
@@ -125,6 +141,10 @@ type LDAPClaim struct {
 	Value interface{} // the value
 }
 
+type LDAPRoles struct {
+	Members map[string][]string
+}
+
 // FindOIDCClaims finds all OIDC claims for a user.
 func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPClaim, error) {
 	if username == "" {
@@ -193,11 +213,12 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPC
 
 	roles := make(map[string]interface{})
 	for _, entry := range entries {
-		roleDN, ok := entry["dn"].(string)
+		roleDNs, ok := entry["dn"]
-		if !ok || roleDN == "" {
+		if !ok || len(roleDNs) == 0 {
 			log.Infow("No required LDAP attribute for a role", "ldapAttribute", "dn", "entry", entry)
 			continue
 		}
+		roleDN := roleDNs[0]
 		if entry[cli.RoleAttr] == nil {
 			log.Infow("No required LDAP attribute for a role", "ldapAttribute", cli.RoleAttr, "roleDN", roleDN)
 			continue
@@ -207,7 +228,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPC
 		// It's sufficient to compare the DN's suffix with the base DN.
 		n, k := len(roleDN), len(cli.RoleBaseDN)
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
-			panic("You should never see that")
+			return nil, errors.New("You should never see that")
 		}
 		// The DN without the role's base DN must contain a CN and OU
 		// where the CN is for uniqueness only, and the OU is an application id.
@@ -278,8 +299,79 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
 	return ch
 }
 
+func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, error) {
+	if cli.BindDN != "" {
+		// We need to login to a LDAP server with a service account for retrieving user data.
+		if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
+			return map[string]LDAPRoles{}, errors.New(err.Error() + " : failed to login to a LDAP woth a service account")
+		}
+	}
+	entries, err := cn.SearchRoles(attrs...)
+	fmt.Println("entries", entries)
+	if err != nil {
+		return map[string]LDAPRoles{}, err
+	}
+	claims := map[string]LDAPRoles{}
+	for _, entry := range entries {
+		roleDNs, ok := entry["dn"]
+		if !ok || len(roleDNs) == 0 {
+			continue
+		}
+		roleDN := roleDNs[0]
+		// Ensure that a role's DN is inside of the role's base DN.
+		// It's sufficient to compare the DN's suffix with the base DN.
+		n, k := len(roleDN), len(cli.RoleBaseDN)
+		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
+			return nil, errors.New("You should never see that")
+		}
+		// The DN without the role's base DN must contain a CN and OU
+		// where the CN is for uniqueness only, and the OU is an application id.
+		path := strings.Split(roleDN[:n-k-1], ",")
+		if len(path) != 2 {
+			continue
+		}
+		appID := path[1][len("OU="):]
+		if _, ok := claims[appID]; !ok {
+			claims[appID] = LDAPRoles{
+				Members: map[string][]string{},
+			}
+		}
+		role := path[0][len("cn="):]
+		if claims[appID].Members[role] == nil {
+			claims[appID].Members[role] = []string{}
+		}
+		fmt.Println("entry", entry)
+		memberDNs, ok := entry["member"]
+		for _, memberDN := range memberDNs {
+			if !ok || memberDN == "" {
+				continue
+			}
+			path = strings.Split(memberDN[:n-k-1], ",")
+			if len(path) < 1 {
+				continue
+			}
+			member := strings.Split(path[0][len("uid="):], ",")
+			claims[appID].Members[role] = append(claims[appID].Members[role], member[0])
+		}
+		memberDNs, ok = entry["uniqueMember"]
+		for _, memberDN := range memberDNs {
+			if !ok || memberDN == "" {
+				continue
+			}
+			path = strings.Split(memberDN[:n-k-1], ",")
+			if len(path) < 1 {
+				continue
+			}
+			member := strings.Split(path[0][len("uid="):], ",")
+			claims[appID].Members[role] = append(claims[appID].Members[role], member[0])
+		}
+	}
+
+	return claims, nil
+}
+
 // findBasicUserDetails finds user's LDAP attributes that were specified. It returns nil if no such user.
-func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string) (map[string]interface{}, error) {
+func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string) (map[string][]string, error) {
 	if cli.BindDN != "" {
 		// We need to login to a LDAP server with a service account for retrieving user data.
 		if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
@@ -298,7 +390,7 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
 
 	var (
 		entry   = entries[0]
-		details = make(map[string]interface{})
+		details = make(map[string][]string)
 	)
 	for _, attr := range attrs {
 		if v, ok := entry[attr]; ok {
@@ -349,35 +441,40 @@ func (c *ldapConn) Bind(bindDN, password string) error {
 	return err
 }
 
-func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
+func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string][]string, error) {
 	query := fmt.Sprintf(
 		"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
 			"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
 	return c.searchEntries(c.BaseDN, query, attrs)
 }
 
-func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
+func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string][]string, error) {
 	query := fmt.Sprintf("(|"+
-		"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
+		"(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupofnames))(member=%[1]s))"+
 		"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
 		")", user)
 	return c.searchEntries(c.RoleBaseDN, query, attrs)
 }
 
+func (c *ldapConn) SearchRoles(attrs ...string) ([]map[string][]string, error) {
+	query := "(|(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupofnames))))"
+	return c.searchEntries(c.RoleBaseDN, query, attrs)
+}
+
 // searchEntries executes a LDAP query, and returns a result as entries where each entry is mapping of LDAP attributes.
-func (c *ldapConn) searchEntries(baseDN, query string, attrs []string) ([]map[string]interface{}, error) {
+func (c *ldapConn) searchEntries(baseDN, query string, attrs []string) ([]map[string][]string, error) {
 	req := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, query, attrs, nil)
 	res, err := c.Search(req)
 	if err != nil {
 		return nil, err
 	}
 
-	var entries []map[string]interface{}
+	var entries []map[string][]string
 	for _, v := range res.Entries {
-		entry := map[string]interface{}{"dn": v.DN}
+		entry := map[string][]string{"dn": []string{v.DN}}
 		for _, attr := range v.Attributes {
 			// We need the first value only for the named attribute.
-			entry[attr.Name] = attr.Values[0]
+			entry[attr.Name] = attr.Values
 		}
 		entries = append(entries, entry)
 	}

infrastructure/claims/claims.go

@@ -2,13 +2,14 @@ package claims
 
 import (
 	"oc-auth/conf"
+	"strings"
 
 	"cloud.o-forge.io/core/oc-lib/models/peer"
 )
 
 // Tokenizer interface
 type ClaimService interface {
-	AddClaimsToToken(userId string, peer *peer.Peer) Claims
+	AddClaimsToToken(clientID string, userId string, peer *peer.Peer) Claims
 	DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error)
 }
 
@@ -28,5 +29,10 @@ var t = map[string]ClaimService{
 }
 
 func GetClaims() ClaimService {
-	return t[conf.GetConfig().Auth]
+	for k := range t {
+		if strings.Contains(conf.GetConfig().Auth, k) {
+			return t[k]
+		}
+	}
+	return nil
 }

infrastructure/claims/hydra_claims.go

@@ -4,6 +4,7 @@ import (
 	"crypto/sha256"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/perms_connectors"
 	"oc-auth/infrastructure/utils"
@@ -119,21 +120,23 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 				Relation: "permits" + strings.ToUpper(meth.String()),
 				Object:   p.(string),
 			}
-			return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
+			return perms_connectors.GetPermissionConnector("").CheckPermission(perm, nil, true), nil
 		}
 	}
 	return false, errors.New("no permission found")
 }
 
 // add claims to token method of HydraTokenizer
-func (h HydraClaims) AddClaimsToToken(userId string, p *peer.Peer) Claims {
+func (h HydraClaims) AddClaimsToToken(clientID string, userId string, p *peer.Peer) Claims {
 	claims := Claims{}
 	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
+
 	if err != nil {
 		return claims
 	}
 	claims.Session.AccessToken = make(map[string]interface{})
 	claims.Session.IDToken = make(map[string]interface{})
+	fmt.Println("PERMS err 1", perms, err)
 	for _, perm := range perms {
 		key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Subject)
 		if err != nil {
@@ -145,15 +148,15 @@ func (h HydraClaims) AddClaimsToToken(userId string, p *peer.Peer) Claims {
 	if err != nil {
 		return claims
 	}
+	claims.Session.IDToken["username"] = userId
 	claims.Session.IDToken["peer_id"] = p.UUID
 	// we should get group from user
 	groups, err := perms_connectors.KetoConnector{}.GetGroupByUser(userId)
 	if err != nil {
 		return claims
 	}
+	claims.Session.IDToken["client_id"] = clientID
 	claims.Session.IDToken["groups"] = groups
 	claims.Session.IDToken["signature"] = sign
 	return claims
 }
-
-// add signature in the token MISSING

infrastructure/infrastructure.go

@@ -10,8 +10,8 @@ func GetAuthConnector() auth_connectors.AuthConnector {
 	return auth_connectors.GetAuthConnector()
 }
 
-func GetPermissionConnector() perms_connectors.PermConnector {
+func GetPermissionConnector(client string) perms_connectors.PermConnector {
-	return perms_connectors.GetPermissionConnector()
+	return perms_connectors.GetPermissionConnector(client)
 }
 
 func GetClaims() claims.ClaimService {

infrastructure/perms_connectors/keto_connector.go

@@ -6,24 +6,29 @@ import (
 	"fmt"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/utils"
-	"strings"
 
 	oclib "cloud.o-forge.io/core/oc-lib"
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
 
-type KetoConnector struct{}
+type KetoConnector struct {
+	Client string
+}
+
+func (k KetoConnector) SetClient(client string) {
+	k.Client = client
+}
 
 func (k KetoConnector) namespace() string {
 	return "open-cloud"
 }
 
 func (k KetoConnector) scope() string {
-	return "oc-auth"
+	return "oc-auth-realm"
 }
 
 func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
-	n := "?namespace=" + perm.Namespace()
+	n := "?namespace=" + f.namespace()
 	if perm.Object != "" {
 		n += "&object=" + perm.Object
 	}
@@ -51,7 +56,10 @@ func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission
 func (k KetoConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorReadHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
@@ -73,7 +81,7 @@ func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permis
 	perms, err := k.GetPermission(perm.Object, perm.Relation)
 	if err != nil {
 		log := oclib.GetLogger()
-		log.Error().Msg(err.Error())
+		log.Error().Msg("CheckPermission " + err.Error())
 		return false
 	}
 	return len(perms) > 0
@@ -189,6 +197,7 @@ func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error)
 }
 func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
 	roles, err := k.get("", "member", userID)
+	fmt.Println("ROLES", roles, err)
 	if err != nil {
 		return nil, err
 	}
@@ -211,7 +220,10 @@ func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Perm
 func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
 	t := []Permission{}
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorReadHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery(
 		Permission{Object: object, Relation: relation, Subject: subject}, nil))
@@ -235,7 +247,7 @@ func (k KetoConnector) get(object string, relation string, subject string) ([]Pe
 	return t, nil
 }
 
-func (k KetoConnector) binds(subject string, relation string, object string) (string, int, error) {
+func (k KetoConnector) binds(object string, relation string, subject string) (string, int, error) {
 	_, code, err := k.createRelationShip(object, relation, subject, nil)
 	if err != nil {
 		return object, code, err
@@ -244,6 +256,7 @@ func (k KetoConnector) binds(subject string, relation string, object string) (st
 }
 
 func (k KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
+	fmt.Println("BIND ROLE", userID, roleID)
 	return k.binds(userID, "member", roleID)
 }
 
@@ -324,9 +337,6 @@ func (k KetoConnector) UnBindPermission(roleID string, permID string, relation s
 }
 func (k KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
 	exist, err := k.get(object, relation, subject)
-	if strings.Contains(subject, "/workflow/:id") {
-		fmt.Println("subject", subject, relation, exist, err)
-	}
 	if err == nil && len(exist) > 0 {
 		return nil, 409, errors.New("Relation already exist")
 	}
@@ -338,21 +348,25 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 		if err != nil {
 			return nil, code, err
 		}
-		body["subject_set"] = map[string]interface{}{"namespace": s.Namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject}
+		body["subject_set"] = map[string]interface{}{"namespace": k.namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject}
+	}
+	host := conf.GetConfig().PermissionConnectorWriteHost
+	if conf.GetConfig().Local {
+		host = "localhost"
 	}
-	host := conf.GetConfig().PermissionConnectorHost
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
-	b, err := caller.CallPut("http://"+host+":"+port, "/admin/relation-tuples", body)
+	b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
 	if err != nil {
 		log := oclib.GetLogger()
-		log.Error().Msg(err.Error())
+		log.Error().Msg("createRelationShip" + err.Error())
 		return nil, 500, err
 	}
 	var data map[string]interface{}
 	err = json.Unmarshal(b, &data)
 	if err != nil {
+		fmt.Println(string(b), err)
 		log := oclib.GetLogger()
-		log.Error().Msg(err.Error())
+		log.Error().Msg("createRelationShip2" + err.Error())
 		return nil, 500, err
 	}
 	perm := &Permission{
@@ -378,12 +392,15 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
 	}
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
-	host := conf.GetConfig().PermissionConnectorHost
+	host := conf.GetConfig().PermissionConnectorWriteHost
+	if conf.GetConfig().Local {
+		host = "localhost"
+	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
 	b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
 	if err != nil {
 		log := oclib.GetLogger()
-		log.Error().Msg(err.Error())
+		log.Error().Msg("deleteRelationShip " + err.Error())
 		return nil, 500, err
 	}
 	var data map[string]interface{}

infrastructure/perms_connectors/perms_connector.go

@@ -1,6 +1,9 @@
 package perms_connectors
 
 import (
+	"oc-auth/conf"
+	"strings"
+
 	"cloud.o-forge.io/core/oc-lib/tools"
 )
 
@@ -21,6 +24,7 @@ func (k Permission) Scope() string {
 
 type PermConnector interface {
 	Status() tools.State
+	SetClient(scope string)
 	CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool
 	BindRole(userID string, roleID string) (string, int, error)
 	BindGroup(userID string, groupID string) (string, int, error)
@@ -51,6 +55,11 @@ var c = map[string]PermConnector{
 	"keto": KetoConnector{},
 }
 
-func GetPermissionConnector() PermConnector {
+func GetPermissionConnector(scope string) PermConnector {
-	return c["keto"]
+	for k := range c {
+		if strings.Contains(conf.GetConfig().PermissionConnectorReadHost, k) {
+			return c[k]
+		}
+	}
+	return nil
 }

keto/docker-compose.yml

@@ -1,21 +0,0 @@
-version: '3.4'
-
-services:
-  keto:
-    image: oryd/keto:v0.7.0-alpha.1-sqlite
-    ports:
-      - "4466:4466"
-      - "4467:4467"
-    command: serve -c /home/ory/keto.yml
-    restart: on-failure
-    volumes:
-      - type: bind
-        source: .
-        target: /home/ory
-    container_name: keto
-    networks: 
-      - catalog
-
-networks: 
-  catalog:
-    external: true

keto/keto.yml

@@ -1,18 +0,0 @@
-version: v0.6.0-alpha.1
-
-log:
-  level: debug
-
-namespaces:
-  - id: 0
-    name: open-cloud
-
-dsn: memory
-
-serve:
-  read:
-    host: 0.0.0.0
-    port: 4466
-  write:
-    host: 0.0.0.0
-    port: 4467

ldap-hydra/docker-compose.yml

@@ -1,79 +0,0 @@
-version: "3"
-services:   
-    hydra-client: 
-        image: oryd/hydra:v2.2.0
-        container_name: hydra-client
-        environment:
-            HYDRA_ADMIN_URL: http://hydra:4445
-            ORY_SDK_URL: http://hydra:4445
-        command:
-            - create
-            - oauth2-client
-            - --skip-tls-verify
-            - --name
-            - test-client
-            - --secret
-            - oc-auth-got-secret
-            - --response-type
-            - id_token,token,code
-            - --grant-type
-            - implicit,refresh_token,authorization_code,client_credentials
-            - --scope
-            - openid,profile,email,roles
-            - --token-endpoint-auth-method
-            - client_secret_post
-            - --redirect-uri
-            - http://localhost:3000
-
-        networks:
-            - hydra-net
-            - catalog
-        deploy:
-            restart_policy:
-                condition: none
-        depends_on:
-            - hydra
-        healthcheck:
-            test: ["CMD", "curl", "-f", "http://hydra:4445"]
-            interval: 10s
-            timeout: 10s
-            retries: 10
-    hydra:
-        container_name: hydra
-        image: oryd/hydra:v2.2.0
-        environment:
-            SECRETS_SYSTEM: oc-auth-got-secret
-            LOG_LEAK_SENSITIVE_VALUES: true
-            # OAUTH2_TOKEN_HOOK_URL: http://oc-auth:8080/oc/claims
-            URLS_SELF_ISSUER: http://hydra:4444
-            URLS_SELF_PUBLIC: http://hydra:4444
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles
-            WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
-            DSN: memory
-        command: serve all --dev
-        networks:
-            - hydra-net
-            - catalog
-        ports:
-            - "4444:4444"
-            - "4445:4445"
-        deploy:
-            restart_policy:
-                condition: on-failure
-    ldap:
-        image: pgarrett/ldap-alpine
-        container_name: ldap
-        volumes:  
-            - "./ldap.ldif:/ldif/ldap.ldif"
-        networks:
-            - hydra-net
-            - catalog
-        ports:
-            - "390:389"
-        deploy:
-            restart_policy:
-                condition: on-failure
-networks:    
-    hydra-net:
-    catalog:
-        external: true

ldap-hydra/ldap.ldif

@@ -1,24 +0,0 @@
-dn: uid=admin,ou=Users,dc=example,dc=com
-objectClass: inetOrgPerson
-cn: Admin
-sn: Istrator
-uid: admin
-userPassword: admin
-mail: admin@example.com
-ou: Users
-
-dn: ou=AppRoles,dc=example,dc=com
-objectClass: organizationalunit
-ou: AppRoles
-description: AppRoles
-
-dn: ou=App1,ou=AppRoles,dc=example,dc=com
-objectClass: organizationalunit
-ou: App1
-description: App1
-
-dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com
-objectClass: groupofnames
-cn: traveler
-description: traveler
-member: uid=admin,ou=Users,dc=example,dc=com

main.go

@@ -1,13 +1,17 @@
 package main
 
 import (
+	"context"
 	"errors"
+	"fmt"
 	"oc-auth/conf"
 	"oc-auth/infrastructure"
+	auth_connectors "oc-auth/infrastructure/auth_connector"
 	_ "oc-auth/routers"
 	"os"
 	"strconv"
 	"strings"
+	"time"
 
 	oclib "cloud.o-forge.io/core/oc-lib"
 	peer "cloud.o-forge.io/core/oc-lib/models/peer"
@@ -40,21 +44,23 @@ func main() {
 	conf.GetConfig().AuthConnectPublicHost = o.GetStringDefault("AUTH_CONNECTOR_PUBLIC_HOST", "localhost")
 	conf.GetConfig().AuthConnectorPort = o.GetIntDefault("AUTH_CONNECTOR_PORT", 4444)
 	conf.GetConfig().AuthConnectorAdminPort = o.GetIntDefault("AUTH_CONNECTOR_ADMIN_PORT", 4445)
-	conf.GetConfig().PermissionConnectorHost = o.GetStringDefault("PERMISSION_CONNECTOR_HOST", "keto")
+	conf.GetConfig().PermissionConnectorWriteHost = o.GetStringDefault("PERMISSION_CONNECTOR_WRITE_HOST", "keto")
+	conf.GetConfig().PermissionConnectorReadHost = o.GetStringDefault("PERMISSION_CONNECTOR_READ_HOST", "keto")
 	conf.GetConfig().PermissionConnectorPort = o.GetIntDefault("PERMISSION_CONNECTOR_PORT", 4466)
 	conf.GetConfig().PermissionConnectorAdminPort = o.GetIntDefault("PERMISSION_CONNECTOR_ADMIN_PORT", 4467)
+	conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)
 
 	// config LDAP
+	conf.GetConfig().SourceMode = o.GetStringDefault("SOURCE_MODE", "ldap")
 	conf.GetConfig().LDAPEndpoints = o.GetStringDefault("LDAP_ENDPOINTS", "ldap:389")
 	conf.GetConfig().LDAPBindDN = o.GetStringDefault("LDAP_BINDDN", "cn=admin,dc=example,dc=com")
 	conf.GetConfig().LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password")
 	conf.GetConfig().LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com")
 	conf.GetConfig().LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com")
-	err := generateSelfPeer()
+	go generateSelfPeer()
-	if err != nil {
+	go generateRole()
-		panic(err)
+	go discovery()
-	}
+	beego.BConfig.Listen.HTTPPort = o.GetIntDefault("port", 8080)
-	discovery()
 	beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
 		AllowAllOrigins:  true,
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
@@ -65,7 +71,39 @@ func main() {
 	beego.Run()
 }
 
+func generateRole() {
+	defer func() {
+		if r := recover(); r != nil {
+			fmt.Println("Recovered in f", r)
+		}
+	}()
+	// if from ldap, create roles from ldap
+	if conf.GetConfig().SourceMode == "ldap" {
+		ldap := auth_connectors.New()
+		roles, err := ldap.GetRoles(context.Background())
+		if err == nil {
+			fmt.Println("ROLE", roles)
+			for _, role := range roles {
+				for r, m := range role.Members {
+					infrastructure.GetPermissionConnector("").CreateRole(r)
+					for _, p := range m {
+						infrastructure.GetPermissionConnector("").BindRole(r, p)
+					}
+				}
+			}
+		} else {
+			time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+			generateRole()
+		}
+	}
+}
+
 func generateSelfPeer() error {
+	defer func() {
+		if r := recover(); r != nil {
+			fmt.Println("Recovered in f", r)
+		}
+	}()
 	// TODO check if files at private & public path are set
 	// check if files at private & public path are set
 	if _, err := os.Stat(conf.GetConfig().PrivateKeyPath); errors.Is(err, os.ErrNotExist) {
@@ -75,7 +113,7 @@ func generateSelfPeer() error {
 		return errors.New("public key path does not exist")
 	}
 	// check if peer already exists
-	p := oclib.Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), oclib.LibDataEnum(oclib.PEER))
+	p := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), false)
 	file := ""
 	f, err := os.ReadFile(conf.GetConfig().PublicKeyPath)
 	if err != nil {
@@ -99,19 +137,32 @@ func generateSelfPeer() error {
 		},
 		PublicKey:     file,
 		State:         peer.SELF,
+		WalletAddress: "my-wallet",
 	}
-	data := oclib.StoreOne(oclib.LibDataEnum(oclib.PEER), peer.Serialize())
+	data := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).StoreOne(peer.Serialize(peer))
 	if data.Err != "" {
+		time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+		generateSelfPeer()
 		return errors.New(data.Err)
 	}
 	return nil
 }
 
 func discovery() {
+	defer func() {
+		if r := recover(); r != nil {
+			fmt.Println("Recovered in f", r)
+		}
+	}()
 	api := tools.API{}
-	conn := infrastructure.GetPermissionConnector()
+	conn := infrastructure.GetPermissionConnector("")
-
+	fmt.Println("AdminRole", conn, conf.GetConfig().PermissionConnectorWriteHost)
-	conn.CreateRole(conf.GetConfig().AdminRole)
+	_, _, err := conn.CreateRole(conf.GetConfig().AdminRole)
+	if err != nil {
+		time.Sleep(10 * time.Second) // Pause execution for 10 seconds
+		discovery()
+		return
+	}
 	conn.BindRole(conf.GetConfig().AdminRole, "admin")
 	addPermissions := func(m map[string]interface{}) {
 		for k, v := range m {

routers/commentsRouter.go

@@ -99,8 +99,8 @@ func init() {
 
     beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
         beego.ControllerComments{
-            Method: "LoginLDAP",
+            Method: "Login",
-            Router: `/ldap/login`,
+            Router: `/login`,
             AllowHTTPMethods: []string{"post"},
             MethodParams: param.Make(),
             Filters: nil,
@@ -108,8 +108,8 @@ func init() {
 
     beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
         beego.ControllerComments{
-            Method: "LogOutLDAP",
+            Method: "LogOut",
-            Router: `/ldap/logout`,
+            Router: `/logout`,
             AllowHTTPMethods: []string{"delete"},
             MethodParams: param.Make(),
             Filters: nil,

swagger/swagger.json

@@ -191,7 +191,7 @@
                 "parameters": [
                     {
                         "in": "path",
-                        "name": "group_id",
+                        "name": "user_id",
                         "description": "The group_id you want to unbind",
                         "required": true,
                         "type": "string"
@@ -233,7 +233,7 @@
                 }
             }
         },
-        "/ldap/login": {
+        "/login": {
             "post": {
                 "tags": [
                     "oc-auth/controllersOAuthController"
@@ -249,6 +249,13 @@
                         "schema": {
                             "$ref": "#/definitions/models.workflow"
                         }
+                    },
+                    {
+                        "in": "query",
+                        "name": "client_id",
+                        "description": "the client_id you want to get",
+                        "required": true,
+                        "type": "string"
                     }
                 ],
                 "responses": {
@@ -258,7 +265,7 @@
                 }
             }
         },
-        "/ldap/logout": {
+        "/logout": {
             "delete": {
                 "tags": [
                     "oc-auth/controllersOAuthController"
@@ -271,6 +278,13 @@
                         "name": "Authorization",
                         "description": "auth token",
                         "type": "string"
+                    },
+                    {
+                        "in": "query",
+                        "name": "client_id",
+                        "description": "the client_id you want to get",
+                        "required": true,
+                        "type": "string"
                     }
                 ],
                 "responses": {
@@ -465,6 +479,13 @@
                         "schema": {
                             "$ref": "#/definitions/models.Token"
                         }
+                    },
+                    {
+                        "in": "query",
+                        "name": "client_id",
+                        "description": "the client_id you want to get",
+                        "required": true,
+                        "type": "string"
                     }
                 ],
                 "responses": {

swagger/swagger.yml

@@ -119,7 +119,7 @@ paths:
       operationId: GroupController.UnBind
       parameters:
       - in: path
-        name: group_id
+        name: user_id
         description: The group_id you want to unbind
         required: true
         type: string
@@ -175,7 +175,7 @@ paths:
       responses:
         "200":
           description: '{string}'
-  /ldap/login:
+  /login:
     post:
       tags:
       - oc-auth/controllersOAuthController
@@ -190,10 +190,15 @@ paths:
         required: true
         schema:
           $ref: '#/definitions/models.workflow'
+      - in: query
+        name: client_id
+        description: the client_id you want to get
+        required: true
+        type: string
       responses:
         "200":
           description: '{string}'
-  /ldap/logout:
+  /logout:
     delete:
       tags:
       - oc-auth/controllersOAuthController
@@ -206,6 +211,11 @@ paths:
         name: Authorization
         description: auth token
         type: string
+      - in: query
+        name: client_id
+        description: the client_id you want to get
+        required: true
+        type: string
       responses:
         "200":
           description: '{string}'
@@ -350,6 +360,11 @@ paths:
         required: true
         schema:
           $ref: '#/definitions/models.Token'
+      - in: query
+        name: client_id
+        description: the client_id you want to get
+        required: true
+        type: string
       responses:
         "200":
           description: '{string}'