core/oc-auth
6
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: core/oc-auth:main
Branches Tags
core/oc-auth:main core/oc-auth:demo-alpr core/oc-auth:feature/order core/oc-auth:feature/payment core/oc-auth:correct-oc-lib core/oc-auth:chart
..
pull from: core/oc-auth:correct-oc-lib
Branches Tags
core/oc-auth:main core/oc-auth:demo-alpr core/oc-auth:feature/order core/oc-auth:feature/payment core/oc-auth:correct-oc-lib core/oc-auth:chart

1 Commits
main .. correct-oc-lib

Author SHA1 Message Date
pb 28e6f1e043 trying to apply oclib changes 2025-01-03 16:55:12 +01:00
38 changed files with 972 additions and 2856 deletions
Expand all files Collapse all files
.gitattributes
-3
View File
@@ -1,3 +0,0 @@
# Force Go as the main language
*.go linguist-detectable=true
* linguist-language=Go
.gitignore
+1 -1
View File
@@ -20,4 +20,4 @@
# Go workspace file
go.work
env.env
Dockerfile
+5
View File
@@ -10,6 +10,11 @@ RUN go mod download
FROM golang:alpine AS builder
ARG HOSTNAME=http://localhost
ARG NAME=auth
RUN apk add git
RUN go install github.com/beego/bee/v2@latest
WORKDIR /oc-auth
Makefile
+7 -22
View File
@@ -6,14 +6,6 @@ build: clean
run:
bee run -gendoc=true -downdoc=true
purge:
lsof -t -i:8094 | xargs kill | true
run-dev:
bee generate routers && bee run -gendoc=true -downdoc=true -runmode=prod
dev: purge run-dev
debug:
bee run -downdebug -gendebug
@@ -21,22 +13,15 @@ clean:
rm -rf oc-auth oc-auth.tar.gz
docker:
DOCKER_BUILDKIT=1 docker build -t oc-auth -f Dockerfile . --build-arg=HOST=$(HOST)
docker tag oc-auth opencloudregistry/oc-auth:latest
DOCKER_BUILDKIT=1 docker build -t oc/oc-auth:0.0.1 -f Dockerfile .
docker tag oc/oc-auth:0.0.1 oc/oc-auth:latest
publish-kind:
kind load docker-image opencloudregistry/oc-auth:latest --name $(CLUSTER_NAME) | true
kind load docker-image oc/oc-auth:0.0.1 --name opencloud
publish-registry:
docker push opencloudregistry/oc-auth:latest
@echo "TODO"
docker-deploy:
docker compose up -d
all: docker publish-kind publish-registry
run-docker: docker publish-kind publish-registry docker-deploy
all: docker publish-kind
ci: docker publish-registry
.PHONY: build run clean docker publish-kind publish-registry
.PHONY: build run clean docker publish-kind publish-registry
README.md
-69
View File
@@ -7,76 +7,7 @@ To build :
bee generate routers
bee run -gendoc=true -downdoc=true
OR
make dev
If default Swagger page is displayed instead of tyour api, change url in swagger/index.html file to :
url: "swagger.json"
┌─────────┐ ┌──────────┐ ┌────────────┐ ┌────────┐
│ Browser │ │ UI │ │ Hydra │ │ API │
└────┬────┘ └────┬─────┘ └────┬───────┘ └───┬────┘
│ │ │ │
│ 1. Click "Login" │ │ │
│─────────────────► │ │ │
│ │ │ │
│ 2. Redirect auth │──────────────────► │ │
│ │ /oauth2/auth │ │
│ │ │ │
│ │ ◄──────────────────│ │
│ │ login challenge │ │
│ │ │ │
│ │ 3. Login UI │ │
│ │ (credentials) │ │
│ │ │ │
│ │──────────────────► │ │
│ │ accept login │ │
│ │ │ │
│ │ ◄──────────────────│ │
│ │ consent challenge │ │
│ │ │ │
│ │ 4. CALL API │ │
│ │──────────────────────────────────────► │
│ │ fetch peer / roles │
│ │ │ │
│ │ ◄──────────────────────────────────────│
│ │ peer, permissions │
│ │ │ │
│ │ 5. Accept consent │ │
│ │──────────────────► │ │
│ │ + custom claims │ │
│ │ │ │
│ │ ◄──────────────────│ │
│ │ redirect w/ code │ │
│ │ │ │
│ 6. Exchange code │──────────────────► │ │
│ for token │ /oauth2/token │ │
│ │ │ │
│ ◄─────────────────│ │ │
│ 7. JWT access_token │ │
│ (signed + enriched) │
│ │
│ 8. API call with Bearer token │
│───────────────────────────────────────────────────────────►│
│ │
│ ◄──────────────────────────────────────────────────────────│
Browser
Hydra /oauth2/auth
Redirect → /login?login_challenge=abc123
Frontend Login Page
POST username/password/login_challenge
TON backend
Hydra Admin API (accept login)
Hydra retourne redirect_to
Frontend redirige
auth.json
+5 -3
View File
@@ -1,7 +1,9 @@
{
"port": 8080,
"MONGO_URL":"mongodb://localhost:27017/",
"MONGO_DATABASE":"DC_myDC",
"NATS_URL": "nats://localhost:4222",
"LDAP_ENDPOINTS": "localhost:390",
"port": 8094
"natsurl":"http://localhost:4080",
"login":"admin",
"password":"admin",
"oidcserver":"http://localhost:8080"
}
conf/app.conf
+1 -1
View File
@@ -1,5 +1,5 @@
appname = oc-auth
httpport = 8094
httpport = 8080
runmode = dev
autorender = false
copyrequestbody = true
conf/config.go
+5 -23
View File
@@ -3,7 +3,6 @@ package conf
import "sync"
type Config struct {
SourceMode string
AdminRole string
PublicKeyPath string
PrivateKeyPath string
@@ -12,35 +11,18 @@ type Config struct {
LDAPBindDN string
LDAPBindPW string
LDAPBaseDN string
LDAPUserBaseDN string
LDAPRoleBaseDN string
ClientSecret string
OAuth2ClientSecretName string
OAuth2ClientSecretNamespace string
ClientSecret string
Auth string
AuthConnectPublicHost string
AuthConnectorHost string
AuthConnectorPort int
AuthConnectorAdminPort string
AuthConnectorAdminPort int
PermissionConnectorWriteHost string
PermissionConnectorReadHost string
PermissionConnectorPort string
PermissionConnectorAdminPort string
AdminOrigin string
Origin string
// OAuth2ClientID is the client_id registered in Hydra, used to initiate the authorization flow.
OAuth2ClientID string
// OAuthRedirectURI is the registered OAuth2 redirect_uri (frontend login/callback URL).
// Hydra redirects here with login_challenge (login phase) or authorization code (callback phase).
OAuthRedirectURI string
Local bool
PermissionConnectorHost string
PermissionConnectorPort int
PermissionConnectorAdminPort int
}
var instance *Config
controllers/group.go
+9 -17
View File
@@ -19,8 +19,7 @@ type GroupController struct {
func (o *GroupController) Post() {
// store and return Id or post with UUID
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
group, code, err := infrastructure.GetPermissionConnector(clientID).CreateGroup(id)
group, code, err := infrastructure.GetPermissionConnector().CreateGroup(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -45,8 +44,7 @@ func (o *GroupController) Post() {
// @router /user/:id [get]
func (o *GroupController) GetByUser() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
group, err := infrastructure.GetPermissionConnector(clientID).GetGroupByUser(id)
group, err := infrastructure.GetPermissionConnector().GetGroupByUser(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -69,8 +67,7 @@ func (o *GroupController) GetByUser() {
// @Success 200 {group} string
// @router / [get]
func (o *GroupController) GetAll() {
clientID := ExtractClient(*o.Ctx.Request)
group, err := infrastructure.GetPermissionConnector(clientID).GetGroup("")
group, err := infrastructure.GetPermissionConnector().GetGroup("")
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -95,8 +92,7 @@ func (o *GroupController) GetAll() {
// @router /:id [get]
func (o *GroupController) Get() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
group, err := infrastructure.GetPermissionConnector(clientID).GetGroup(id)
group, err := infrastructure.GetPermissionConnector().GetGroup(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -121,8 +117,7 @@ func (o *GroupController) Get() {
// @router /:id [delete]
func (o *GroupController) Delete() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
group, code, err := infrastructure.GetPermissionConnector(clientID).DeleteGroup(id)
group, code, err := infrastructure.GetPermissionConnector().DeleteGroup(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -145,8 +140,7 @@ func (o *GroupController) Delete() {
// @Success 200 {string} delete success!
// @router /clear [delete]
func (o *GroupController) Clear() {
clientID := ExtractClient(*o.Ctx.Request)
group, code, err := infrastructure.GetPermissionConnector(clientID).DeleteGroup("")
group, code, err := infrastructure.GetPermissionConnector().DeleteGroup("")
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -173,8 +167,7 @@ func (o *GroupController) Clear() {
func (o *GroupController) Bind() {
user_id := o.Ctx.Input.Param(":user_id")
group_id := o.Ctx.Input.Param(":group_id")
clientID := ExtractClient(*o.Ctx.Request)
group, code, err := infrastructure.GetPermissionConnector(clientID).BindGroup(user_id, group_id)
group, code, err := infrastructure.GetPermissionConnector().BindGroup(user_id, group_id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -194,15 +187,14 @@ func (o *GroupController) Bind() {
// @Title UnBind
// @Description unbind the group to user
// @Param user_id path string true "The group_id you want to unbind"
// @Param group_id path string true "The group_id you want to unbind"
// @Param group_id path string true "The user_id you want to unbind"
// @Success 200 {string} bind success!
// @router /:user_id/:group_id [delete]
func (o *GroupController) UnBind() {
user_id := o.Ctx.Input.Param(":user_id")
group_id := o.Ctx.Input.Param(":group_id")
clientID := ExtractClient(*o.Ctx.Request)
group, code, err := infrastructure.GetPermissionConnector(clientID).UnBindGroup(user_id, group_id)
group, code, err := infrastructure.GetPermissionConnector().UnBindGroup(user_id, group_id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
controllers/oauth2.go
+107 -705
View File
@@ -1,616 +1,167 @@
package controllers
import (
"crypto/rand"
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"net/url"
"oc-auth/conf"
"oc-auth/infrastructure"
auth_connectors "oc-auth/infrastructure/auth_connector"
"regexp"
"strconv"
"strings"
"sync"
"time"
oclib "cloud.o-forge.io/core/oc-lib"
"cloud.o-forge.io/core/oc-lib/dbs"
"cloud.o-forge.io/core/oc-lib/models/peer"
model "cloud.o-forge.io/core/oc-lib/models/peer"
beego "github.com/beego/beego/v2/server/web"
)
var selfPeerCache struct {
sync.RWMutex
peer *model.Peer
fetchedAt time.Time
}
const selfPeerCacheTTL = 60 * time.Second
func getCachedSelfPeer() *model.Peer {
selfPeerCache.RLock()
if selfPeerCache.peer != nil && time.Since(selfPeerCache.fetchedAt) < selfPeerCacheTTL {
p := selfPeerCache.peer
selfPeerCache.RUnlock()
return p
}
selfPeerCache.RUnlock()
pp := oclib.NewRequestAdmin(oclib.LibDataEnum(oclib.PEER), nil).Search(
&dbs.Filters{
Or: map[string][]dbs.Filter{
"relation": {{Operator: dbs.EQUAL.String(), Value: peer.SELF}},
},
}, strconv.Itoa(peer.SELF.EnumIndex()), false, 0, 1)
if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
return nil
}
p := pp.Data[0].(*model.Peer)
selfPeerCache.Lock()
selfPeerCache.peer = p
selfPeerCache.fetchedAt = time.Now()
selfPeerCache.Unlock()
return p
}
// InvalidateSelfPeerCache forces the next call to getCachedSelfPeer to re-fetch from DB.
func InvalidateSelfPeerCache() {
selfPeerCache.Lock()
selfPeerCache.peer = nil
selfPeerCache.Unlock()
}
// OAuthController handles OAuth2 login/consent provider endpoints
// Operations about auth
type OAuthController struct {
beego.Controller
}
// @Title GetLogin
// @Description Hydra redirects here with a login_challenge. Returns challenge info or auto-accepts if session exists.
// @Param login_challenge query string true "The login challenge from Hydra"
// @Param client_id query string true "The targetted client_id from Hydra"
// @Param redirect query string true "explicit redirect by passed"
// @Success 200 {object} auth_connectors.LoginChallenge
// @Failure 400 missing login_challenge
// @Failure 500 internal error
// @router /login [get]
func (o *OAuthController) GetLogin() {
fmt.Println("GetLogin")
logger := oclib.GetLogger()
challenge := o.Ctx.Input.Query("login_challenge")
clientID := o.Ctx.Input.Query("client_id")
if conf.GetConfig().Local {
// In local mode, return a mock challenge for dev
o.Data["json"] = &auth_connectors.LoginChallenge{
Skip: false,
Challenge: challenge,
}
o.ServeJSON()
return
}
var loginChallenge *auth_connectors.LoginChallenge
var err error
if challenge == "" {
// No challenge yet — initiate the OAuth2 flow server-side to get one from Hydra.
// This supports thick clients that cannot follow browser redirects.
freshChallenge, err := infrastructure.GetAuthConnector().InitiateLogin(clientID, "")
fmt.Println("freshChallenge", freshChallenge, err)
if err != nil {
logger.Error().Msg("Failed to initiate login: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
loginChallenge, err = infrastructure.GetAuthConnector().GetLoginChallenge(freshChallenge)
fmt.Println("loginChallenge", loginChallenge, err)
if err != nil {
logger.Error().Msg("Failed to get fresh login challenge: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
o.Data["json"] = loginChallenge
o.ServeJSON()
return
} else {
loginChallenge, err = infrastructure.GetAuthConnector().GetLoginChallenge(challenge)
if err != nil {
logger.Error().Msg("Failed to get login challenge: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
}
// If skip is true, the user already has an active session — auto-accept
if loginChallenge.Skip {
redirect, err := infrastructure.GetAuthConnector().AcceptLogin(challenge, loginChallenge.Subject)
if err != nil {
logger.Error().Msg("Failed to auto-accept login: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
o.Data["json"] = redirect
o.ServeJSON()
return
}
/*o.Ctx.ResponseWriter.Header().Set("Location", fmt.Sprintf("%s?login_challenge=%s",
conf.GetConfig().Origin,
url.QueryEscape(loginChallenge.Challenge),
))
o.Ctx.ResponseWriter.WriteHeader(http.StatusFound)*/
o.Data["json"] = loginChallenge
o.ServeJSON()
}
// @Title PostLogin
// @Description Authenticate user via LDAP and accept Hydra login challenge
// @Param return_mode query string false "Return mode: 'redirect' (default, 303), 'json' (full object), 'token' (access token string)"
// @Param body body auth_connectors.LoginRequest true "Login credentials and challenge"
// @Success 200 {object} auth_connectors.Redirect
// @Failure 401 invalid credentials
// @Failure 500 internal error
// @router /login [post]
func (o *OAuthController) Login() {
logger := oclib.GetLogger()
returnMode := o.Ctx.Input.Query("return_mode")
if returnMode == "" {
returnMode = "redirect"
}
fmt.Println("LOGSqsdsq", returnMode)
var req auth_connectors.LoginRequest
if err := json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &req); err != nil {
o.Ctx.ResponseWriter.WriteHeader(400)
o.Data["json"] = map[string]string{"error": "invalid request body"}
o.ServeJSON()
return
}
fmt.Println("LOGSqsdsq2", req)
if req.Username == "" || req.Password == "" {
o.Ctx.ResponseWriter.WriteHeader(400)
o.Data["json"] = map[string]string{"error": "username and password are required"}
o.ServeJSON()
return
}
fmt.Println("LOGSqsdsq3", req)
if req.LoginChallenge == "" {
o.Ctx.ResponseWriter.WriteHeader(400)
o.Data["json"] = map[string]string{"error": "login_challenge is required in non-local mode"}
o.ServeJSON()
return
}
fmt.Println("LOGSqsdsq4", req)
// Authenticate via LDAP
ldap := auth_connectors.New()
found, err := ldap.Authenticate(o.Ctx.Request.Context(), req.Username, req.Password)
if err != nil || !found {
logger.Error().Msg("LDAP authentication failed for user: " + req.Username)
o.Ctx.ResponseWriter.WriteHeader(401)
o.Data["json"] = map[string]string{"error": "invalid credentials"}
o.ServeJSON()
return
}
fmt.Println("LOGSqsdsq5", req)
if conf.GetConfig().Local {
// In local mode, return a mock token for dev
t := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(
nil, fmt.Sprintf("%v", model.SELF.EnumIndex()), false, 0, 1)
if t.Err == "" && len(t.Data) > 0 {
p := t.Data[0].(*model.Peer)
c := infrastructure.GetClaims().BuildConsentSession("local", req.Username, p)
now := time.Now().UTC()
now = now.Add(3600 * time.Second)
c.Session.AccessToken["exp"] = now.Unix()
b, _ := json.Marshal(c)
token := &auth_connectors.Token{
Active: true,
TokenType: "Bearer",
ExpiresIn: 3600,
AccessToken: "localtoken." + base64.StdEncoding.EncodeToString(b),
}
if returnMode == "token" {
o.Ctx.ResponseWriter.Header().Set("Content-Type", "text/plain")
o.Ctx.ResponseWriter.WriteHeader(200)
o.Ctx.ResponseWriter.Write([]byte(token.AccessToken))
return
}
o.Data["json"] = token
} else {
o.Ctx.ResponseWriter.WriteHeader(401)
o.Data["json"] = map[string]string{"error": "peer not found"}
}
o.ServeJSON()
return
}
// Accept the login challenge with Hydra
redirect, err := infrastructure.GetAuthConnector().AcceptLogin(req.LoginChallenge, req.Username)
if err != nil {
logger.Error().Msg("Failed to accept login: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
// Return according to requested mode
switch returnMode {
case "token", "json":
tokenResp, err := completeFlowToToken(redirect.RedirectTo, req.Username, req.LoginChallenge)
fmt.Println("LOGS", tokenResp)
if err != nil {
logger.Error().Msg("Failed to complete OAuth2 flow: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
if returnMode == "token" {
o.Ctx.ResponseWriter.Header().Set("Content-Type", "text/plain")
o.Ctx.ResponseWriter.WriteHeader(200)
o.Ctx.ResponseWriter.Write([]byte(tokenResp.AccessToken))
return
}
o.Data["json"] = tokenResp
o.ServeJSON()
default: // "redirect"
o.Redirect(redirect.RedirectTo, 303)
}
}
// @Title Consent
// @Description Hydra redirects here with a consent_challenge. Auto-accepts consent with user permissions.
// @Param consent_challenge query string true "The consent challenge from Hydra"
// @Param redirect query string true "explicit redirect by passed"
// @Success 200 {object} auth_connectors.Redirect
// @Failure 400 missing consent_challenge
// @Failure 500 internal error
// @router /consent [get]
func (o *OAuthController) Consent() {
logger := oclib.GetLogger()
challenge := o.Ctx.Input.Query("consent_challenge")
if challenge == "" {
o.Ctx.ResponseWriter.WriteHeader(400)
o.Data["json"] = map[string]string{"error": "missing consent_challenge parameter"}
o.ServeJSON()
return
}
// Get consent challenge details from Hydra
consentChallenge, err := infrastructure.GetAuthConnector().GetConsentChallenge(challenge)
if err != nil {
logger.Error().Msg("Failed to get consent challenge: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
p := getCachedSelfPeer()
// Extract client_id from consent challenge
clientID := ""
if consentChallenge.Client != nil {
if cid, ok := consentChallenge.Client["client_id"].(string); ok {
clientID = cid
}
}
// Build consent session with user permissions and claims
session := infrastructure.GetClaims().BuildConsentSession(clientID, consentChallenge.Subject, p)
// Accept the consent challenge — grant all requested scopes
redirect, err := infrastructure.GetAuthConnector().AcceptConsent(challenge, consentChallenge.RequestedScope, session)
if err != nil {
logger.Error().Msg("Failed to accept consent: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
// Return redirect_to (callback URL with authorization code)
o.Data["json"] = redirect
o.ServeJSON()
}
// @Title GetLogout
// @Description Hydra redirects here with a logout_challenge. Accepts the challenge and returns a redirect URL.
// @Param logout_challenge query string true "The logout challenge from Hydra"
// @Param redirect query string true "explicit redirect by passed"
// @Success 200 {object} auth_connectors.Redirect
// @Failure 400 missing logout_challenge
// @Failure 500 internal error
// @router /logout [get]
func (o *OAuthController) GetLogout() {
logger := oclib.GetLogger()
red := o.Ctx.Input.Query("redirect")
challenge := o.Ctx.Input.Query("logout_challenge")
if challenge == "" {
o.Ctx.ResponseWriter.WriteHeader(400)
o.Data["json"] = map[string]string{"error": "missing logout_challenge parameter"}
o.ServeJSON()
return
}
if conf.GetConfig().Local {
o.Data["json"] = &auth_connectors.Redirect{RedirectTo: ""}
o.ServeJSON()
return
}
_, err := infrastructure.GetAuthConnector().GetLogoutChallenge(challenge)
if err != nil {
logger.Error().Msg("Failed to get logout challenge: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
redirect, err := infrastructure.GetAuthConnector().AcceptLogout(challenge)
if err != nil {
logger.Error().Msg("Failed to accept logout challenge: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
o.ServeJSON()
return
}
if red == "false" {
o.Data["json"] = redirect
o.ServeJSON()
return
}
o.Redirect(redirect.RedirectTo, 303)
}
// @Title Logout
// @Description Revoke an OAuth2 token
// @Param Authorization header string false "Bearer token"
// @Param client_id query string true "The client_id"
// @Success 200 {object} auth_connectors.Token
// @router /logout [delete]
func (o *OAuthController) LogOut() {
clientID := o.Ctx.Input.Query("client_id")
reqToken := extractBearerToken(o.Ctx.Request)
if conf.GetConfig().Local {
o.Data["json"] = map[string]string{"status": "logged out"}
o.ServeJSON()
return
}
err := infrastructure.GetAuthConnector().RevokeToken(reqToken, clientID)
if err != nil {
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
// @Description unauthenticate user
// @Param Authorization header string false "auth token"
// @Success 200 {string}
// @router /ldap/logout [delete]
func (o *OAuthController) LogOutLDAP() {
// authorize user
reqToken := o.Ctx.Request.Header.Get("Authorization")
splitToken := strings.Split(reqToken, "Bearer ")
if len(splitToken) < 2 {
reqToken = ""
} else {
o.Data["json"] = &auth_connectors.Token{
AccessToken: reqToken,
Active: false,
}
reqToken = splitToken[1]
}
o.ServeJSON()
}
var res auth_connectors.Token
json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)
// @Title Refresh
// @Description Exchange a refresh_token for a new token set
// @Param body body object true "refresh_token and client_id"
// @Success 200 {object} auth_connectors.TokenResponse
// @Failure 401 invalid refresh token
// @router /refresh [post]
func (o *OAuthController) Refresh() {
logger := oclib.GetLogger()
var body struct {
RefreshToken string `json:"refresh_token"`
ClientID string `json:"client_id"`
}
json.Unmarshal(o.Ctx.Input.CopyBody(100000), &body)
if conf.GetConfig().Local {
o.Data["json"] = map[string]string{"error": "refresh not supported in local mode"}
o.Ctx.ResponseWriter.WriteHeader(400)
o.ServeJSON()
return
}
if body.RefreshToken == "" {
o.Ctx.ResponseWriter.WriteHeader(400)
o.Data["json"] = map[string]string{"error": "refresh_token is required"}
o.ServeJSON()
return
}
token, err := infrastructure.GetAuthConnector().RefreshToken(body.RefreshToken, body.ClientID)
if err != nil {
logger.Error().Msg("Failed to refresh token: " + err.Error())
o.Ctx.ResponseWriter.WriteHeader(401)
o.Data["json"] = map[string]string{"error": err.Error()}
token, err := infrastructure.GetAuthConnector().Logout(reqToken)
if err != nil || token == nil {
o.Data["json"] = err
} else {
o.Data["json"] = token
}
o.ServeJSON()
}
// @Title Introspect
// @Description Introspect a token — respects Hydra's response
// @Param Authorization header string false "Bearer token"
// @Success 200 {object} auth_connectors.IntrospectResult
// @router /introspect [get]
func (o *OAuthController) Introspect() {
reqToken := extractBearerToken(o.Ctx.Request)
if reqToken == "" {
// @Title Login
// @Description authenticate user
// @Param body body models.workflow true "The workflow content"
// @Success 200 {string}
// @router /ldap/login [post]
func (o *OAuthController) LoginLDAP() {
// authorize user
var res auth_connectors.Token
json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &res)
ldap := auth_connectors.New()
found, err := ldap.Authenticate(o.Ctx.Request.Context(), res.Username, res.Password)
if err != nil || !found {
o.Data["json"] = err
o.Ctx.ResponseWriter.WriteHeader(401)
o.Data["json"] = map[string]string{"error": "missing bearer token"}
o.ServeJSON()
return
}
if conf.GetConfig().Local {
o.Data["json"] = &auth_connectors.IntrospectResult{Active: true}
o.ServeJSON()
return
}
result, err := infrastructure.GetAuthConnector().Introspect(reqToken)
if err != nil {
o.Ctx.ResponseWriter.WriteHeader(500)
o.Data["json"] = map[string]string{"error": err.Error()}
} else if !result.Active {
token, err := infrastructure.GetAuthConnector().Login(res.Username,
&http.Cookie{ // open a session
Name: "csrf_token",
Value: o.XSRFToken(),
})
if err != nil || token == nil {
o.Data["json"] = err
o.Ctx.ResponseWriter.WriteHeader(401)
o.Data["json"] = result
} else {
o.Data["json"] = result
o.Data["json"] = token
}
o.ServeJSON()
}
// @Title Introspection
// @Description introspect token
// @Param body body models.Token true "The token info"
// @Success 200 {string}
// @router /refresh [post]
func (o *OAuthController) Refresh() {
var token auth_connectors.Token
json.Unmarshal(o.Ctx.Input.CopyBody(100000), &token)
// refresh token
newToken, err := infrastructure.GetAuthConnector().Refresh(&token)
if err != nil || newToken == nil {
o.Data["json"] = err
o.Ctx.ResponseWriter.WriteHeader(401)
} else {
o.Data["json"] = newToken
}
o.ServeJSON()
}
// @Title Introspection
// @Description introspect token
// @Param Authorization header string false "auth token"
// @Success 200 {string}
// @router /introspect [get]
func (o *OAuthController) Introspect() {
reqToken := o.Ctx.Request.Header.Get("Authorization")
splitToken := strings.Split(reqToken, "Bearer ")
if len(splitToken) < 2 {
reqToken = ""
} else {
reqToken = splitToken[1]
}
token, err := infrastructure.GetAuthConnector().Introspect(reqToken)
if err != nil || !token {
o.Data["json"] = err
o.Ctx.ResponseWriter.WriteHeader(401)
}
o.ServeJSON()
}
// whitelist lists path segments of oc-auth's own challenge endpoints.
// These require no token — the challenge is passed as a query parameter by Hydra.
var whitelist = []string{
"/public/",
"/version",
"/status",
"/login",
"/logout",
"/refresh",
"/introspect",
"/consent",
}
// @Title AuthForward
// @Description Forward auth for Traefik — validates JWT via Hydra introspection.
// Only requests from our own peer (SELF) are authorized.
// Routes in pathWhitelist bypass all checks (with or without token).
// Routes in whitelist bypass the token check (oc-auth own challenge endpoints).
// On missing/invalid token: 302 to Hydra authorization URL (restart OAuth2 flow).
// On wrong peer: 401 (network/config issue, no redirect).
// On valid token but insufficient permissions: 403.
// On success: 200 so Traefik forwards the request to the target route.
// @Param Authorization header string false "Bearer token"
// @Description auth forward
// @Param Authorization header string false "auth token"
// @Success 200 {string}
// @router /forward [get]
func (o *OAuthController) InternalAuthForward() {
fmt.Println("InternalAuthForward")
uri := o.Ctx.Request.Header.Get("X-Replaced-Path")
if uri == "" {
uri = o.Ctx.Request.Header.Get("X-Forwarded-Uri")
}
for _, w := range whitelist {
if strings.Contains(uri, w) {
fmt.Println("WHITELIST", w)
o.Ctx.ResponseWriter.WriteHeader(http.StatusOK)
return
}
}
origin, publicKey, external := o.extractOrigin(o.Ctx.Request)
reqToken := o.Ctx.Request.Header.Get("Authorization")
if reqToken == "" {
// WebSocket upgrade: the browser cannot send custom headers, so the token
// is passed as the Sec-WebSocket-Protocol subprotocol value instead.
if proto := o.Ctx.Request.Header.Get("Sec-WebSocket-Protocol"); proto != "" {
reqToken = "Bearer " + proto
for _, w := range whitelist {
if strings.Contains(o.Ctx.Request.Header.Get("X-Forwarded-Uri"), w) {
o.Ctx.ResponseWriter.WriteHeader(200)
o.ServeJSON()
return
}
}
}
fmt.Println("InternalAuthForward Bearer", reqToken)
if reqToken == "" {
// Step 1: no token — allow oc-auth's own challenge endpoints (no token needed).
// No token and not a whitelisted path → restart OAuth2 flow.
fmt.Println("NO TOKEN")
o.redirectToLogin()
o.Ctx.ResponseWriter.WriteHeader(401)
o.ServeJSON()
return
}
fmt.Println("InternalAuthForward Bearer 2", reqToken)
// Step 2: extract Bearer token — malformed header treated as missing token.
splitToken := strings.Split(reqToken, "Bearer ")
if len(splitToken) < 2 || splitToken[1] == "" {
fmt.Println("MALFORMED BEARER")
o.redirectToLogin()
return
if len(splitToken) < 2 {
reqToken = ""
} else {
reqToken = splitToken[1]
}
reqToken = splitToken[1]
// Step 3: verify the token belongs to our self peer.
// Decode the JWT payload and extract ext.peer_id, then compare against the cached self peer UUID.
// A mismatch means the request comes from a foreign peer → 401 (not a login problem).
tokenPeerID := extractPeerIDFromToken(reqToken)
selfPeer := getCachedSelfPeer()
fmt.Println("TOKEN", selfPeer == nil, tokenPeerID != selfPeer.UUID, tokenPeerID, selfPeer.UUID)
/*if selfPeer == nil || tokenPeerID != selfPeer.UUID {
o.Ctx.ResponseWriter.WriteHeader(http.StatusUnauthorized)
return
}*/
fmt.Println("InternalAuthForward Bearer 4", reqToken)
// Step 4: introspect via Hydra then check permissions via Keto.
// 401 → token inactive/invalid, user must re-authenticate → restart OAuth2 flow.
// 403 → token valid, but permissions denied → forbidden.
// 200 → all good, let Traefik forward to the target route.
introspection, permissionKey, code := infrastructure.GetAuthConnector().CheckAuthForward(
origin, publicKey, external := o.extractOrigin()
if !infrastructure.GetAuthConnector().CheckAuthForward( //reqToken != "" &&
reqToken, publicKey, origin,
o.Ctx.Request.Header.Get("X-Forwarded-Method"),
uri, external)
switch code {
case http.StatusOK:
user, _, _ := oclib.ExtractTokenInfo(*o.Ctx.Request)
claims := infrastructure.GetClaims().BuildConsentSession(conf.GetConfig().OAuth2ClientID, user, selfPeer)
if !claims.EqualClaims(introspection, permissionKey) {
fmt.Println("Token is not fresh or compromised")
o.Ctx.ResponseWriter.WriteHeader(http.StatusConflict)
return
}
fmt.Println("OK")
o.Ctx.ResponseWriter.WriteHeader(http.StatusOK)
case http.StatusForbidden:
fmt.Println("StatusForbidden")
o.Ctx.ResponseWriter.WriteHeader(http.StatusForbidden)
default:
fmt.Println("redirectToLogin UNAUTHORIZED")
// 401 or unexpected status → token likely expired, restart the OAuth2 flow.
o.redirectToLogin()
o.Ctx.Request.Header.Get("X-Forwarded-Uri"), external) && origin != "" && publicKey != "" {
o.Ctx.ResponseWriter.WriteHeader(401)
o.ServeJSON()
return
}
o.ServeJSON()
}
// redirectToLogin redirects the client to Hydra's authorization endpoint to start a fresh
// OAuth2 flow. Hydra will generate a login_challenge and redirect to the configured login URL.
func (o *OAuthController) redirectToLogin() {
cfg := conf.GetConfig()
var clientID, redirectURI string
clientID = cfg.OAuth2ClientID
redirectURI = cfg.OAuthRedirectURI
stateBytes := make([]byte, 16)
rand.Read(stateBytes)
state := base64.RawURLEncoding.EncodeToString(stateBytes)
hydraAuthURL := fmt.Sprintf("%s/hydra/oauth2/auth?client_id=%s&response_type=code&redirect_uri=%s&scope=openid&state=%s",
conf.GetConfig().Origin,
url.QueryEscape(clientID),
url.QueryEscape(redirectURI),
url.QueryEscape(state),
)
o.Ctx.ResponseWriter.Header().Set("Location", hydraAuthURL)
o.Ctx.ResponseWriter.WriteHeader(http.StatusFound)
}
func (o *OAuthController) extractOrigin(request *http.Request) (string, string, bool) {
user, peerID, groups := oclib.ExtractTokenInfo(*request)
func (o *OAuthController) extractOrigin() (string, string, bool) {
external := true
publicKey := ""
origin := o.Ctx.Request.Header.Get("X-Forwarded-Host")
@@ -623,15 +174,15 @@ func (o *OAuthController) extractOrigin(request *http.Request) (string, string,
if t != "" {
searchStr = strings.Replace(searchStr, t, "", -1)
}
pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), user, peerID, groups, nil).Search(nil, searchStr, false, 0, 1)
if pp.Code != 200 || len(pp.Data) == 0 {
peer := oclib.Search(nil, searchStr, oclib.LibDataEnum(oclib.PEER))
if peer.Code != 200 || len(peer.Data) == 0 { // TODO: add state of partnership
return "", "", external
}
p := pp.Data[0].(*model.Peer)
p := peer.Data[0].(*model.Peer)
publicKey = p.PublicKey
origin = p.APIUrl
if origin != "" {
if p.Relation == peer.SELF {
origin = p.Url
if origin != "" { // is external
if strings.Contains(origin, "localhost") || strings.Contains(origin, "127.0.0.1") || p.State == model.SELF {
external = false
}
} else {
@@ -639,152 +190,3 @@ func (o *OAuthController) extractOrigin(request *http.Request) (string, string,
}
return origin, publicKey, external
}
// ExtractClient extracts the client_id from a JWT token.
// Supports both standard JWT (3 parts with base64 payload) and local dev tokens.
func ExtractClient(request http.Request) string {
reqToken := request.Header.Get("Authorization")
splitToken := strings.Split(reqToken, "Bearer ")
if len(splitToken) < 2 {
return ""
}
reqToken = splitToken[1]
if reqToken == "" {
return ""
}
// Try to decode as standard JWT (header.payload.signature)
parts := strings.Split(reqToken, ".")
if len(parts) >= 2 {
// Decode the payload (second part of JWT)
payload := parts[1]
// Add padding if needed
switch len(payload) % 4 {
case 2:
payload += "=="
case 3:
payload += "="
}
bytes, err := base64.URLEncoding.DecodeString(payload)
if err != nil {
// Try standard base64 for local dev tokens
bytes, err = base64.StdEncoding.DecodeString(parts[len(parts)-1])
if err != nil {
return ""
}
}
m := map[string]interface{}{}
if err := json.Unmarshal(bytes, &m); err != nil {
return ""
}
// Standard JWT: look for client_id in top-level or ext claims
if cid, ok := m["client_id"].(string); ok {
return cid
}
if ext, ok := m["ext"].(map[string]interface{}); ok {
if cid, ok := ext["client_id"].(string); ok {
return cid
}
}
// Local dev token format: session.id_token.client_id
if session, ok := m["session"].(map[string]interface{}); ok {
if idToken, ok := session["id_token"].(map[string]interface{}); ok {
if cid, ok := idToken["client_id"].(string); ok {
return cid
}
}
}
}
return ""
}
// completeFlowToToken drives the server-side OAuth2 flow after AcceptLogin.
// It follows Hydra's redirect to grab the consent_challenge, accepts it,
// then exchanges the resulting auth code for a token.
func completeFlowToToken(loginRedirectTo string, subject string, loginChallenge string) (*auth_connectors.TokenResponse, error) {
connector := infrastructure.GetAuthConnector()
// Step 1: follow the login redirect to get the consent_challenge (uses CSRF cookie from InitiateLogin)
consentChallenge, err := connector.FollowToConsentChallenge(loginRedirectTo, loginChallenge)
if err != nil {
return nil, fmt.Errorf("consent challenge: %w", err)
}
// Step 2: fetch consent challenge details (scopes + client_id)
consentDetails, err := connector.GetConsentChallenge(consentChallenge)
if err != nil {
return nil, fmt.Errorf("get consent challenge: %w", err)
}
clientID := ""
if consentDetails.Client != nil {
if cid, ok := consentDetails.Client["client_id"].(string); ok {
clientID = cid
}
}
// Step 3: get self peer for claims
pp := oclib.NewRequestAdmin(oclib.LibDataEnum(oclib.PEER), nil).Search(
&dbs.Filters{
Or: map[string][]dbs.Filter{
"relation": {{Operator: dbs.EQUAL.String(), Value: peer.SELF}},
},
}, strconv.Itoa(peer.SELF.EnumIndex()), false, 0, 1)
if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
return nil, fmt.Errorf("self peer not found")
}
p := pp.Data[0].(*model.Peer)
// Step 4: accept consent
session := infrastructure.GetClaims().BuildConsentSession(clientID, subject, p)
consentRedirect, err := connector.AcceptConsent(consentChallenge, consentDetails.RequestedScope, session)
if err != nil {
return nil, fmt.Errorf("accept consent: %w", err)
}
// Step 5: follow consent redirect to exchange auth code for token (uses CSRF cookie, cleans up jar)
token, err := connector.ExchangeCodeForToken(consentRedirect.RedirectTo, clientID, loginChallenge)
if err != nil {
return nil, fmt.Errorf("exchange code: %w", err)
}
return token, nil
}
// extractPeerIDFromToken decodes the JWT payload and returns ext.peer_id.
func extractPeerIDFromToken(token string) string {
parts := strings.Split(token, ".")
if len(parts) < 2 {
return ""
}
payload := parts[1]
switch len(payload) % 4 {
case 2:
payload += "=="
case 3:
payload += "="
}
b, err := base64.URLEncoding.DecodeString(payload)
if err != nil {
return ""
}
var claims map[string]interface{}
if err := json.Unmarshal(b, &claims); err != nil {
return ""
}
ext, ok := claims["ext"].(map[string]interface{})
if !ok {
return ""
}
peerID, _ := ext["peer_id"].(string)
return peerID
}
// extractBearerToken extracts the token from the Authorization header
func extractBearerToken(r *http.Request) string {
reqToken := r.Header.Get("Authorization")
splitToken := strings.Split(reqToken, "Bearer ")
if len(splitToken) < 2 {
return ""
}
return splitToken[1]
}
controllers/permission.go
+7 -14
View File
@@ -16,8 +16,7 @@ type PermissionController struct {
// @Success 200 {permission} string
// @router / [get]
func (o *PermissionController) GetAll() {
clientID := ExtractClient(*o.Ctx.Request)
role, err := infrastructure.GetPermissionConnector(clientID).GetPermission("", "")
role, err := infrastructure.GetPermissionConnector().GetPermission("", "")
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -42,8 +41,7 @@ func (o *PermissionController) GetAll() {
// @router /role/:id [get]
func (o *PermissionController) GetByRole() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
role, err := infrastructure.GetPermissionConnector(clientID).GetPermissionByRole(id)
role, err := infrastructure.GetPermissionConnector().GetPermissionByRole(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -68,8 +66,7 @@ func (o *PermissionController) GetByRole() {
// @router /user/:id [get]
func (o *PermissionController) GetByUser() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
role, err := infrastructure.GetPermissionConnector(clientID).GetPermissionByUser(id, true)
role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id, true)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -95,8 +92,7 @@ func (o *PermissionController) GetByUser() {
func (o *PermissionController) Get() {
id := o.Ctx.Input.Param(":id")
rel := o.Ctx.Input.Param(":relation")
clientID := ExtractClient(*o.Ctx.Request)
role, err := infrastructure.GetPermissionConnector(clientID).GetPermission(id, rel)
role, err := infrastructure.GetPermissionConnector().GetPermission(id, rel)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -119,8 +115,7 @@ func (o *PermissionController) Get() {
// @Success 200 {string} delete success!
// @router /clear [delete]
func (o *PermissionController) Clear() {
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).DeletePermission("", "", true)
role, code, err := infrastructure.GetPermissionConnector().DeletePermission("", "", true)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -149,8 +144,7 @@ func (o *PermissionController) Bind() {
permission_id := o.Ctx.Input.Param(":permission_id")
role_id := o.Ctx.Input.Param(":role_id")
rel := o.Ctx.Input.Param(":relation")
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).BindPermission(role_id, permission_id, rel)
role, code, err := infrastructure.GetPermissionConnector().BindPermission(role_id, permission_id, rel)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -179,8 +173,7 @@ func (o *PermissionController) UnBind() {
permission_id := o.Ctx.Input.Param(":permission_id")
role_id := o.Ctx.Input.Param(":role_id")
rel := o.Ctx.Input.Param(":relation")
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).UnBindPermission(role_id, permission_id, rel)
role, code, err := infrastructure.GetPermissionConnector().UnBindPermission(role_id, permission_id, rel)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
controllers/role.go
+8 -16
View File
@@ -19,8 +19,7 @@ type RoleController struct {
func (o *RoleController) Post() {
// store and return Id or post with UUID
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).CreateRole(id)
role, code, err := infrastructure.GetPermissionConnector().CreateRole(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -45,8 +44,7 @@ func (o *RoleController) Post() {
// @router /user/:id [get]
func (o *RoleController) GetByUser() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
role, err := infrastructure.GetPermissionConnector(clientID).GetRoleByUser(id)
role, err := infrastructure.GetPermissionConnector().GetRoleByUser(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -69,8 +67,7 @@ func (o *RoleController) GetByUser() {
// @Success 200 {role} string
// @router / [get]
func (o *RoleController) GetAll() {
clientID := ExtractClient(*o.Ctx.Request)
role, err := infrastructure.GetPermissionConnector(clientID).GetRole("")
role, err := infrastructure.GetPermissionConnector().GetRole("")
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -95,8 +92,7 @@ func (o *RoleController) GetAll() {
// @router /:id [get]
func (o *RoleController) Get() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
role, err := infrastructure.GetPermissionConnector(clientID).GetRole(id)
role, err := infrastructure.GetPermissionConnector().GetRole(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -121,8 +117,7 @@ func (o *RoleController) Get() {
// @router /:id [delete]
func (o *RoleController) Delete() {
id := o.Ctx.Input.Param(":id")
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).DeleteRole(id)
role, code, err := infrastructure.GetPermissionConnector().DeleteRole(id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -145,8 +140,7 @@ func (o *RoleController) Delete() {
// @Success 200 {string} delete success!
// @router /clear [delete]
func (o *RoleController) Clear() {
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).DeleteRole("")
role, code, err := infrastructure.GetPermissionConnector().DeleteRole("")
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -173,8 +167,7 @@ func (o *RoleController) Clear() {
func (o *RoleController) Bind() {
user_id := o.Ctx.Input.Param(":user_id")
role_id := o.Ctx.Input.Param(":role_id")
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).BindRole(user_id, role_id)
role, code, err := infrastructure.GetPermissionConnector().BindRole(user_id, role_id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
@@ -201,8 +194,7 @@ func (o *RoleController) Bind() {
func (o *RoleController) UnBind() {
user_id := o.Ctx.Input.Param(":user_id")
role_id := o.Ctx.Input.Param(":role_id")
clientID := ExtractClient(*o.Ctx.Request)
role, code, err := infrastructure.GetPermissionConnector(clientID).UnBindRole(user_id, role_id)
role, code, err := infrastructure.GetPermissionConnector().UnBindRole(user_id, role_id)
if err != nil {
o.Data["json"] = map[string]interface{}{
"data": nil,
controllers/version.go
+2 -8
View File
@@ -14,10 +14,7 @@ type VersionController struct {
// @Success 200
// @router / [get]
func (c *VersionController) GetAll() {
c.Data["json"] = map[string]string{
"service": "oc-auth",
"version": "1",
}
c.Data["json"] = map[string]string{"version": "1"}
c.ServeJSON()
}
@@ -26,9 +23,6 @@ func (c *VersionController) GetAll() {
// @Success 200
// @router /discovery [get]
func (c *VersionController) Get() {
c.Data["json"] = map[string]string{
"service": "oc-auth",
"version": "1",
}
c.Data["json"] = map[string]string{"version": "1"}
c.ServeJSON()
}
docker-compose.yml
+21 -14
View File
@@ -1,6 +1,22 @@
version: '3.4'
services:
traefik:
image: traefik:v2.10.4
container_name: traefik
networks:
- catalog
command:
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--log.level=DEBUG"
ports:
- "8080:80"
- "8082:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
oc-auth:
image: 'oc-auth:latest'
ports:
@@ -8,27 +24,18 @@ services:
container_name: oc-auth
labels:
- "traefik.enable=true"
- "traefik.http.routers.auth-sec.entrypoints=web"
- "traefik.http.routers.auth-sec.rule=PathPrefix(`/auth/`)"
- "traefik.http.middlewares.auth-sec-rewrite.replacepathregex.regex=^/auth(.*)"
- "traefik.http.middlewares.auth-sec-rewrite.replacepathregex.replacement=/oc$$1"
- "traefik.http.services.auth-sec.loadbalancer.server.port=8080"
- "traefik.http.routers.auth-sec.middlewares=auth-sec-rewrite,auth-auth-sec"
- "traefik.http.middlewares.auth-auth-sec.forwardauth.address=http://oc-auth:8080/oc/forward"
- "traefik.http.middlewares.auth-auth-sec.forwardauth.trustForwardHeader=true"
- "traefik.http.middlewares.auth-auth-sec.forwardauth.authResponseHeaders=X-Auth-Request-User,X-Auth-Request-Email"
- "traefik.http.middlewares.auth.forwardauth.address=http://oc-auth:8080/oc/forward"
- "traefik.http.routers.workflow.rule=PathPrefix(/auth)"
environment:
LDAP_ENDPOINTS: ldap:389
LDAP_BINDDN: cn=admin,dc=example,dc=com
LDAP_BINDPW: password
LDAP_BASEDN: "dc=example,dc=com"
LDAP_USER_BASEDN: "ou=users,dc=example,dc=com"
LDAP_ROLE_BASEDN: "ou=AppRoles,dc=example,dc=com"
networks:
- oc
- catalog
volumes:
- ./pem/private.pem:/keys/private/private.pem
- ./pem/public.pem:/keys/public/public.pem
- ./pem:/etc/oc/pem
networks:
oc:
catalog:
external: true
docker_auth.json
+4 -5
View File
@@ -2,10 +2,9 @@
"MONGO_URL":"mongodb://mongo:27017/",
"MONGO_DATABASE":"DC_myDC",
"NATS_URL": "nats://nats:4222",
"PORT" : 8080,
"AUTH_CONNECTOR_HOST": "hydra",
"AUTH_CONNECTOR_PUBLIC_HOST": "hydra",
"PRIVATE_KEY_PATH": "/keys/private/private.pem",
"PUBLIC_KEY_PATH": "/keys/public/public.pem",
"LDAP_ENDPOINTS": "ldap:389",
"LOCAL": false
"PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
"PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
"LDAP_ENDPOINTS": "ldap:389"
}
env.env
-4
View File
@@ -1,4 +0,0 @@
KUBERNETES_SERVICE_HOST=192.168.1.169
KUBE_CA="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTnpReU56STVNVEF3SGhjTk1qWXdNekl6TVRNek5URXdXaGNOTXpZd016SXdNVE16TlRFdwpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTnpReU56STVNVEF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFSSGpYRDVpbnRIYWZWSk5VaDFlRnIxcXBKdFlkUmc5NStKVENEa0tadTIKYjUxRXlKaG1zanRIY3BDUndGL1VGMzlvdzY4TFBUcjBxaUorUHlhQTBLZUtvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdWQkNzZVN3ajJ2cmczMFE5UG8vCnV6ZzAvMjR3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUlEOVY2aFlUSS83ZW1hRzU0dDdDWVU3TXFSdDdESUkKNlgvSUwrQ0RLbzlNQWlCdlFEMGJmT0tVWDc4UmRGdUplcEhEdWFUMUExaGkxcWdIUGduM1dZdDBxUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
KUBE_CERT="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENDQVRlZ0F3SUJBZ0lJUU5KbFNJQUJPMDR3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOemMwTWpjeU9URXdNQjRYRFRJMk1ETXlNekV6TXpVeE1Gb1hEVEkzTURNeQpNekV6TXpVeE1Gb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJMY3Uwb2pUbVg4RFhTQkYKSHZwZDZNVEoyTHdXc1lRTmdZVURXRDhTVERIUWlCczlMZ0x5ZTdOMEFvZk85RkNZVW1HamhiaVd3WFVHR3dGTgpUdlRMU2lXalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCUlJhRW9wQzc5NGJyTHlnR0g5SVhvbDZTSmlFREFLQmdncWhrak9QUVFEQWdOSUFEQkYKQWlFQWhaRUlrSWV3Y1loL1NmTFVCVjE5MW1CYTNRK0J5S2J5eTVlQmpwL3kzeWtDSUIxWTJicTVOZTNLUUU4RAprNnNzeFJrbjJmN0VoWWVRQU1pUlJ2MjIweDNLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUzTnpReU56STVNVEF3SGhjTk1qWXdNekl6TVRNek5URXdXaGNOTXpZd016SXdNVE16TlRFdwpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUzTnpReU56STVNVEF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTcTdVTC85MEc1ZmVTaE95NjI3eGFZWlM5dHhFdWFoWFQ3Vk5wZkpQSnMKaEdXd2UxOXdtbXZzdlp6dlNPUWFRSzJaMmttN0hSb1IrNlA1YjIyamczbHVvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVVVXaEtLUXUvZUc2eThvQmgvU0Y2Ckpla2lZaEF3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUk3cGxHczFtV20ySDErbjRobDBNTk13RmZzd0o5ZXIKTzRGVkM0QzhwRG44QWlCN3NZMVFwd2M5VkRUeGNZaGxuZzZNUzRXai85K0lHWjJxcy94UStrMjdTQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
KUBE_DATA="LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUROZDRnWXd6aVRhK1hwNnFtNVc3SHFzc1JJNkREaUJTbUV2ZHoxZzk3VGxvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFdHk3U2lOT1pmd05kSUVVZStsM294TW5ZdkJheGhBMkJoUU5ZUHhKTU1kQ0lHejB1QXZKNwpzM1FDaDg3MFVKaFNZYU9GdUpiQmRRWWJBVTFPOU10S0pRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
go.mod
+16 -52
View File
@@ -1,71 +1,35 @@
module oc-auth
go 1.25.0
go 1.22.0
require (
cloud.o-forge.io/core/oc-lib v0.0.0-20260527135023-cef23b5f307b
github.com/beego/beego/v2 v2.3.8
cloud.o-forge.io/core/oc-lib v0.0.0-20241216081858-245f3adea3ba
github.com/beego/beego/v2 v2.3.4
github.com/smartystreets/goconvey v1.7.2
go.uber.org/zap v1.27.0
)
//replace cloud.o-forge.io/core/oc-lib => ../oc-lib
replace cloud.o-forge.io/core/oc-lib => ../oc-lib
require (
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/biter777/countries v1.7.5 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
github.com/emicklei/go-restful/v3 v3.12.2 // indirect
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/gofrs/uuid v4.3.0+incompatible // indirect
github.com/google/gnostic-models v0.7.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/libp2p/go-libp2p/core v0.43.0-rc2 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
github.com/nats-io/nats.go v1.37.0 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/nats-io/nats.go v1.38.0 // indirect
github.com/robfig/cron v1.2.0 // indirect
go.uber.org/multierr v1.10.0 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/term v0.37.0 // indirect
golang.org/x/time v0.9.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
k8s.io/api v0.35.1 // indirect
k8s.io/apimachinery v0.35.1 // indirect
k8s.io/client-go v0.35.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
sigs.k8s.io/yaml v1.6.0 // indirect
)
require (
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/coocood/freecache v1.2.4
github.com/gabriel-vasile/mimetype v1.4.6 // indirect
github.com/gabriel-vasile/mimetype v1.4.7 // indirect
github.com/go-ldap/ldap/v3 v3.4.8
github.com/go-playground/locales v0.14.1 // indirect
github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/go-playground/validator/v10 v10.22.1 // indirect
github.com/go-playground/validator/v10 v10.23.0 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/go-cmp v0.7.0
github.com/google/uuid v1.6.0 // indirect
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 // indirect
github.com/goraz/onion v0.1.3 // indirect
@@ -79,11 +43,11 @@ require (
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/montanaflynn/stats v0.7.1 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nats-io/nkeys v0.4.7 // indirect
github.com/nats-io/nkeys v0.4.9 // indirect
github.com/nats-io/nuid v1.0.1 // indirect
github.com/prometheus/client_golang v1.20.5 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.60.1 // indirect
github.com/prometheus/common v0.61.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/rs/zerolog v1.33.0 // indirect
github.com/shiena/ansicolor v0.0.0-20230509054315-a9deabde6e02 // indirect
@@ -93,11 +57,11 @@ require (
github.com/xdg-go/stringprep v1.0.4 // indirect
github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
go.mongodb.org/mongo-driver v1.17.1 // indirect
golang.org/x/crypto v0.44.0 // indirect
golang.org/x/net v0.47.0 // indirect
golang.org/x/sync v0.18.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/text v0.31.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
golang.org/x/crypto v0.31.0 // indirect
golang.org/x/net v0.33.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
google.golang.org/protobuf v1.36.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
go.sum
+30 -140
View File
@@ -1,26 +1,12 @@
cloud.o-forge.io/core/oc-lib v0.0.0-20260204083845-d9f646aac28b h1:/TkmuO5ERpHJCqNpKBlmzw8pYTVDGcFcDo+e1ndXlm0=
cloud.o-forge.io/core/oc-lib v0.0.0-20260204083845-d9f646aac28b/go.mod h1:T0UCxRd8w+qCVVC0NEyDiWIGC5ADwEbQ7hFcvftd4Ks=
cloud.o-forge.io/core/oc-lib v0.0.0-20260210081202-3bcf0da56aa1 h1:CSPqJlSepu0efDRFV8tv62Fg5XP2UwSZKfaaL81YuVY=
cloud.o-forge.io/core/oc-lib v0.0.0-20260210081202-3bcf0da56aa1/go.mod h1:jmyBwmsac/4V7XPL347qawF60JsBCDmNAMfn/ySXKYo=
cloud.o-forge.io/core/oc-lib v0.0.0-20260212123952-403913d8cf13 h1:DNIPQ7C+7wjbj5RUx29wLxuIe/wiSOcuUMlLRIv6Fvs=
cloud.o-forge.io/core/oc-lib v0.0.0-20260212123952-403913d8cf13/go.mod h1:jmyBwmsac/4V7XPL347qawF60JsBCDmNAMfn/ySXKYo=
cloud.o-forge.io/core/oc-lib v0.0.0-20260219084344-9662ac6d678c h1:brsB6se+xMv386Vf6dSu3In2QZSH4EqgcAYkI4fNpJw=
cloud.o-forge.io/core/oc-lib v0.0.0-20260219084344-9662ac6d678c/go.mod h1:jmyBwmsac/4V7XPL347qawF60JsBCDmNAMfn/ySXKYo=
cloud.o-forge.io/core/oc-lib v0.0.0-20260527135023-cef23b5f307b h1:TWhmHeurbBmdyevREh4+mHWOBehO2AK587RCIjCfvOc=
cloud.o-forge.io/core/oc-lib v0.0.0-20260527135023-cef23b5f307b/go.mod h1:JynnOb3eMr9VZW1mHq+Vsl3tzx6gPhPsGKpQD/dtEBc=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/beego/beego/v2 v2.3.1 h1:7MUKMpJYzOXtCUsTEoXOxsDV/UcHw6CPbaWMlthVNsc=
github.com/beego/beego/v2 v2.3.1/go.mod h1:5cqHsOHJIxkq44tBpRvtDe59GuVRVv/9/tyVDxd5ce4=
github.com/beego/beego/v2 v2.3.8 h1:wplhB1pF4TxR+2SS4PUej8eDoH4xGfxuHfS7wAk9VBc=
github.com/beego/beego/v2 v2.3.8/go.mod h1:8vl9+RrXqvodrl9C8yivX1e6le6deCK6RWeq8R7gTTg=
github.com/beego/beego/v2 v2.3.4 h1:HurQEOGIEhLlPFCTR6ZDuQkybrUl2Ag2i6CdVD2rGiI=
github.com/beego/beego/v2 v2.3.4/go.mod h1:5cqHsOHJIxkq44tBpRvtDe59GuVRVv/9/tyVDxd5ce4=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/biter777/countries v1.7.5 h1:MJ+n3+rSxWQdqVJU8eBy9RqcdH6ePPn4PJHocVWUa+Q=
github.com/biter777/countries v1.7.5/go.mod h1:1HSpZ526mYqKJcpT5Ti1kcGQ0L0SrXWIaptUWjFfv2E=
github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -29,57 +15,35 @@ github.com/coocood/freecache v1.2.4/go.mod h1:RBUWa/Cy+OHdfTGFEhEuE1pMCMX51Ncizj
github.com/coreos/etcd v3.3.17+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
github.com/elazarl/go-bindata-assetfs v1.0.1 h1:m0kkaHRKEu7tUIUFVwhGGGYClXvyl4RE03qmvRTNfbw=
github.com/elazarl/go-bindata-assetfs v1.0.1/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/etcd-io/etcd v3.3.17+incompatible/go.mod h1:cdZ77EstHBwVtD6iTgzgvogwcjo9m4iOqoijouPJ4bs=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/gabriel-vasile/mimetype v1.4.6 h1:3+PzJTKLkvgjeTbts6msPJt4DixhT4YtFNf1gtGe3zc=
github.com/gabriel-vasile/mimetype v1.4.6/go.mod h1:JX1qVKqZd40hUPpAfiNTe0Sne7hdfKSbOqqmkq8GCXc=
github.com/gabriel-vasile/mimetype v1.4.7 h1:SKFKl7kD0RiPdbht0s7hFtjl489WcQ1VyPW8ZzUMYCA=
github.com/gabriel-vasile/mimetype v1.4.7/go.mod h1:GDlAgAyIRT27BhFl53XNAFtfjzOkLaF35JdEG0P7LtU=
github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
github.com/go-playground/validator/v10 v10.23.0 h1:/PwmTwZhS0dPkav3cdK9kV1FsAmrL8sThn8IHr/sO+o=
github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -109,31 +73,20 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
github.com/libp2p/go-libp2p/core v0.43.0-rc2 h1:1X1aDJNWhMfodJ/ynbaGLkgnC8f+hfBIqQDrzxFZOqI=
github.com/libp2p/go-libp2p/core v0.43.0-rc2/go.mod h1:NYeJ9lvyBv9nbDk2IuGb8gFKEOkIv/W5YRIy1pAJB2Q=
github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -144,42 +97,37 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/nats-io/nats.go v1.37.0 h1:07rauXbVnnJvv1gfIyghFEo6lUcYRY0WXc3x7x0vUxE=
github.com/nats-io/nats.go v1.37.0/go.mod h1:Ubdu4Nh9exXdSz0RVWRFBbRfrbSxOYd26oF0wkWclB8=
github.com/nats-io/nkeys v0.4.7 h1:RwNJbbIdYCoClSDNY7QVKZlyb/wfT6ugvFCiKy6vDvI=
github.com/nats-io/nkeys v0.4.7/go.mod h1:kqXRgRDPlGy7nGaEDMuYzmiJCIAAWDK0IMBtDmGD0nc=
github.com/nats-io/nats.go v1.38.0 h1:A7P+g7Wjp4/NWqDOOP/K6hfhr54DvdDQUznt5JFg9XA=
github.com/nats-io/nats.go v1.38.0/go.mod h1:IGUM++TwokGnXPs82/wCuiHS02/aKrdYUQkU8If6yjw=
github.com/nats-io/nkeys v0.4.9 h1:qe9Faq2Gxwi6RZnZMXfmGMZkg3afLLOtrU+gDZJ35b0=
github.com/nats-io/nkeys v0.4.9/go.mod h1:jcMqs+FLG+W5YO36OX6wFIFcmpdAns+w1Wm6D3I/evE=
github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw=
github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
github.com/ogier/pflag v0.0.1/go.mod h1:zkFki7tvTa0tafRvTBIZTvzYyAu6kQhPZFnshFFPE+g=
github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPAaSc=
github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw=
github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
@@ -202,8 +150,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
@@ -224,22 +170,14 @@ go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -253,21 +191,13 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -282,20 +212,14 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -303,56 +227,22 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/api v0.35.1 h1:0PO/1FhlK/EQNVK5+txc4FuhQibV25VLSdLMmGpDE/Q=
k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM=
k8s.io/apimachinery v0.35.1 h1:yxO6gV555P1YV0SANtnTjXYfiivaTPvCTKX6w6qdDsU=
k8s.io/apimachinery v0.35.1/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
k8s.io/client-go v0.35.1 h1:+eSfZHwuo/I19PaSxqumjqZ9l5XiTEKbIaJ+j1wLcLM=
k8s.io/client-go v0.35.1/go.mod h1:1p1KxDt3a0ruRfc/pG4qT/3oHmUj1AhSHEcxNSGg+OA=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
infrastructure/auth_connector/auth_connector.go
+16 -110
View File
@@ -1,135 +1,41 @@
package auth_connectors
import (
"net/http"
"oc-auth/conf"
"oc-auth/infrastructure/claims"
"strings"
"cloud.o-forge.io/core/oc-lib/tools"
)
type AuthConnector interface {
Status() tools.State
// Login/Consent Provider endpoints (Hydra redirects here)
// InitiateLogin starts a new OAuth2 flow server-side and returns the login_challenge
// generated by Hydra. Useful for thick clients that cannot follow browser redirects.
InitiateLogin(clientID string, redirectURI string) (string, error)
GetLoginChallenge(challenge string) (*LoginChallenge, error)
AcceptLogin(challenge string, subject string) (*Redirect, error)
RejectLogin(challenge string, reason string) (*Redirect, error)
GetConsentChallenge(challenge string) (*ConsentChallenge, error)
AcceptConsent(challenge string, grantScope []string, session claims.Claims) (*Redirect, error)
// Logout Provider endpoints (Hydra redirects here)
GetLogoutChallenge(challenge string) (*LogoutChallenge, error)
AcceptLogout(challenge string) (*Redirect, error)
// Token operations
Introspect(token string) (*IntrospectResult, error)
RevokeToken(token string, clientID string) error
RefreshToken(refreshToken string, clientID string) (*TokenResponse, error)
// Server-side flow completion (for thick clients that cannot follow browser redirects)
// FollowToConsentChallenge follows the redirect_to from AcceptLogin to extract the consent_challenge.
// loginChallenge is used to replay the CSRF cookie set during InitiateLogin.
FollowToConsentChallenge(redirectTo string, loginChallenge string) (string, error)
// ExchangeCodeForToken follows the redirect_to from AcceptConsent, extracts the auth code,
// and exchanges it for a token at Hydra's token endpoint.
// loginChallenge is used to replay the CSRF cookie and is cleaned up after use.
ExchangeCodeForToken(redirectTo string, clientID string, loginChallenge string) (*TokenResponse, error)
// CheckAuthForward validates the token and permissions for a forward auth request.
// Returns an HTTP status code:
// 200 — token active and permissions granted
// 401 — token missing, invalid, or inactive → caller should redirect to login
// 403 — token valid but permissions denied → caller should return forbidden
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) (*claims.Claims, string, int)
Login(username string, cookies ...*http.Cookie) (*Token, error)
Logout(token string, cookies ...*http.Cookie) (*Token, error)
Introspect(token string, cookie ...*http.Cookie) (bool, error)
Refresh(token *Token) (*Token, error)
CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool
}
// Token is the unified token response returned to clients
type Token struct {
Active bool `json:"active"`
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token,omitempty"`
IDToken string `json:"id_token,omitempty"`
ExpiresIn int64 `json:"expires_in"`
TokenType string `json:"token_type"`
Scope string `json:"scope,omitempty"`
Active bool `json:"active"`
AccessToken string `json:"access_token"`
ExpiresIn int64 `json:"expires_in"`
TokenType string `json:"token_type"`
Username string `json:"username,omitempty"`
Password string `json:"password,omitempty"`
}
// LoginRequest is the body of POST /oc/login
type LoginRequest struct {
Username string `json:"username"`
Password string `json:"password"`
LoginChallenge string `json:"login_challenge"`
}
// Redirect is a response containing a redirect URL from Hydra
type Redirect struct {
RedirectTo string `json:"redirect_to"`
}
// LoginChallenge contains the details of a Hydra login challenge
type LoginChallenge struct {
Skip bool `json:"skip"`
Subject string `json:"subject"`
Challenge string `json:"challenge"`
Client map[string]interface{} `json:"client"`
RequestURL string `json:"request_url"`
SessionID string `json:"session_id"`
}
// LogoutChallenge contains the details of a Hydra logout challenge
type LogoutChallenge struct {
Subject string `json:"subject"`
SessionID string `json:"sid"`
RequestURL string `json:"request_url"`
RPInitiated bool `json:"rp_initiated"`
}
// ConsentChallenge contains the details of a Hydra consent challenge
type ConsentChallenge struct {
Skip bool `json:"skip"`
Subject string `json:"subject"`
Challenge string `json:"challenge"`
RequestedScope []string `json:"requested_scope"`
RequestedAccessTokenAud []string `json:"requested_access_token_audience"`
Client map[string]interface{} `json:"client"`
}
// TokenResponse is the OAuth2 token response from Hydra
type TokenResponse struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
RefreshToken string `json:"refresh_token,omitempty"`
IDToken string `json:"id_token,omitempty"`
Scope string `json:"scope"`
}
// IntrospectResult is the OAuth2 introspection response from Hydra
type IntrospectResult struct {
Active bool `json:"active"`
Sub string `json:"sub,omitempty"`
ClientID string `json:"client_id,omitempty"`
Scope string `json:"scope,omitempty"`
ExpiresAt int64 `json:"exp,omitempty"`
TokenType string `json:"token_type,omitempty"`
Extra map[string]interface{} `json:"ext,omitempty"`
}
var a = map[string]AuthConnector{
"hydra": &HydraConnector{
"hydra": HydraConnector{
Caller: tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{}),
},
State: "12345678", ResponseType: "token", Scopes: "openid profile email roles"}, // base url
}
func GetAuthConnector() AuthConnector {
for k := range a {
if strings.Contains(conf.GetConfig().Auth, k) {
return a[k]
}
}
return nil
return a[conf.GetConfig().Auth]
}
infrastructure/auth_connector/hydra_connector.go
+228 -525
View File
@@ -1,19 +1,19 @@
package auth_connectors
import (
"crypto/rand"
"encoding/hex"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"net/http/cookiejar"
"net/url"
"oc-auth/conf"
"oc-auth/infrastructure/claims"
"regexp"
"strconv"
"strings"
"sync"
"time"
oclib "cloud.o-forge.io/core/oc-lib"
"cloud.o-forge.io/core/oc-lib/models/peer"
@@ -21,21 +21,22 @@ import (
)
type HydraConnector struct {
Mu sync.RWMutex
Caller *tools.HTTPCaller
cookieJars sync.Map // map[loginChallenge] *cookiejar.Jar
State string `json:"state"`
Scopes string `json:"scope"`
ClientID string `json:"client_id"`
ResponseType string `json:"response_type"`
Caller *tools.HTTPCaller
}
func (h *HydraConnector) Status() tools.State {
const test_name = "test-pierre"
const test_id = "1234"
func (a HydraConnector) Status() tools.State {
caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
var responseBody map[string]interface{}
host := conf.GetConfig().AuthConnectPublicHost
if conf.GetConfig().Local {
host = "localhost"
}
host := conf.GetConfig().AuthConnectorHost
port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
if err != nil {
return tools.DEAD
@@ -47,535 +48,237 @@ func (h *HydraConnector) Status() tools.State {
return tools.ALIVE
}
// getPath builds the base URL for Hydra API calls
func (h *HydraConnector) getPath(isAdmin bool, isOauth bool) string {
host := conf.GetConfig().AuthConnectPublicHost
if isAdmin {
host = conf.GetConfig().AuthConnectorHost
// urlFormat formats the URL of the peer with the data type API function
func (a *HydraConnector) urlFormat(url string, replaceWith string) string {
// localhost is replaced by the local peer URL
// because localhost must collide on a web request security protocol
r := regexp.MustCompile("(http://[a-z]+:[0-9]+)/oauth2")
t := r.FindString(url)
if t != "" {
url = strings.Replace(url, t, replaceWith, -1)
}
if conf.GetConfig().Local {
host = "localhost"
return url
}
func (a HydraConnector) challenge(username string, url string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
body := map[string]interface{}{
"remember_for": 0,
"remember": true,
}
if challenge != "consent" {
body["subject"] = username
}
s := strings.Split(url, challenge+"_challenge=")
resp, err := a.Caller.CallRaw(http.MethodPut,
a.getPath(true, true), "/auth/requests/"+challenge+"/accept?"+challenge+"_challenge="+s[1],
body, "application/json", true, cookies...) // "remember": true, "subject": username
if err != nil {
return nil, s[1], cookies, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, s[1], cookies, err
}
var token Redirect
err = json.Unmarshal(b, &token)
if err != nil {
return nil, s[1], cookies, err
}
return &token, s[1], cookies, nil
}
func (a HydraConnector) Refresh(token *Token) (*Token, error) {
access := strings.Split(token.AccessToken, ".")
if len(access) > 2 {
token.AccessToken = strings.Join(access[0:2], ".")
}
isValid, err := a.Introspect(token.AccessToken)
if err != nil || !isValid {
return nil, err
}
_, err = a.Logout(token.AccessToken)
if err != nil {
return nil, err
}
return a.Login(token.Username)
}
func (a HydraConnector) tryLog(username string, url string, subpath string, challenge string, cookies ...*http.Cookie) (*Redirect, string, []*http.Cookie, error) {
resp, err := a.Caller.CallRaw(http.MethodGet, url, subpath,
map[string]interface{}{}, "application/json", true, cookies...)
if err != nil || resp.Request.Response == nil || resp.Request.Response.Header["Set-Cookie"] == nil {
return nil, "", cookies, err
}
cc := resp.Request.Response.Header["Set-Cookie"] // retrieve oauth2 csrf token cookie
if len(cc) > 0 {
for _, c := range cc {
first := strings.Split(c, ";")
cookies = append(cookies, &http.Cookie{
Name: strings.Split(first[0], "=")[0],
Value: strings.ReplaceAll(first[0], strings.Split(first[0], "=")[0]+"=", ""),
})
}
}
return a.challenge(username, resp.Request.URL.String(), challenge, cookies...)
}
func (a HydraConnector) getClient() string {
resp, err := a.Caller.CallGet(a.getPath(true, false), "/clients")
if err != nil {
return ""
}
var clients []interface{}
err = json.Unmarshal(resp, &clients)
if err != nil || len(clients) == 0 {
return ""
}
return clients[0].(map[string]interface{})["client_id"].(string)
}
func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Token, err error) {
clientID := a.getClient()
redirect, _, cookies, err := a.tryLog(username, a.getPath(false, true),
"/auth?client_id="+clientID+"&response_type="+strings.ReplaceAll(a.ResponseType, " ", "%20")+"&scope="+strings.ReplaceAll(a.Scopes, " ", "%20")+"&state="+a.State,
"login", cookies...)
if err != nil || redirect == nil {
return nil, err
}
redirect, _, cookies, err = a.tryLog(username, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", "consent", cookies...)
if err != nil || redirect == nil {
return nil, err
}
// problem with consent THERE we need to accept the consent challenge && get the token
_, err = a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{},
"application/json", true, cookies...)
if err != nil {
s := strings.Split(err.Error(), "\"")
if len(s) > 1 && strings.Contains(s[1], "access_token") {
err = nil
} else {
return nil, err
}
}
token := &Token{
Username: username,
}
urls := url.Values{}
urls.Add("client_id", clientID)
urls.Add("client_secret", conf.GetConfig().ClientSecret)
urls.Add("grant_type", "client_credentials")
resp, err := a.Caller.CallForm(http.MethodPost, a.getPath(false, true), "/token", urls,
"application/x-www-form-urlencoded", true, cookies...)
var m map[string]interface{}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
err = json.Unmarshal(b, &token)
if err != nil {
return nil, err
}
json.Unmarshal(b, &m)
pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER),test_name,test_id,nil,nil).Search(nil, strconv.Itoa(peer.SELF.EnumIndex()))
if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
return nil, errors.New("peer not found")
}
now := time.Now().UTC()
now = now.Add(time.Duration(token.ExpiresIn) * time.Second)
unix := now.Unix()
c := claims.GetClaims().AddClaimsToToken(username, pp.Data[0].(*peer.Peer))
c.Session.AccessToken["exp"] = unix
b, _ = json.Marshal(c)
token.AccessToken = strings.ReplaceAll(token.AccessToken, "ory_at_", "") + "." + base64.StdEncoding.EncodeToString(b)
token.Active = true
return token, nil
}
func (a HydraConnector) Logout(token string, cookies ...*http.Cookie) (*Token, error) {
access := strings.Split(token, ".")
if len(access) > 2 {
token = strings.Join(access[0:2], ".")
}
p := a.getPath(false, true) + "/revoke"
urls := url.Values{}
urls.Add("token", token)
urls.Add("client_id", a.getClient())
urls.Add("client_secret", conf.GetConfig().ClientSecret)
_, err := a.Caller.CallForm(http.MethodPost, p, "", urls, "application/x-www-form-urlencoded", true)
if err != nil {
return nil, err
}
return &Token{
AccessToken: token,
Active: false,
}, nil
}
func (a HydraConnector) Introspect(token string, cookie ...*http.Cookie) (bool, error) {
// check validity of the token by calling introspect endpoint
// if token is not active, we need to re-authenticate by sending the user to the login page
access := strings.Split(token, ".")
if len(access) > 2 {
token = strings.Join(access[0:2], ".")
}
urls := url.Values{}
urls.Add("token", token)
resp, err := a.Caller.CallForm(http.MethodPost, a.getPath(true, true), "/introspect", urls,
"application/x-www-form-urlencoded", true, cookie...)
if err != nil || resp.StatusCode >= 300 {
return false, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return false, err
}
var introspect Token
err = json.Unmarshal(b, &introspect)
if err != nil {
return false, err
}
introspect.AccessToken = token
return introspect.Active, nil
}
func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
host := conf.GetConfig().AuthConnectorHost
port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
if isAdmin {
port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort)
port = fmt.Sprintf("%v", conf.GetConfig().AuthConnectorAdminPort) + "/admin"
}
oauth := ""
if isOauth {
oauth = "/oauth2"
}
return "http://" + host + ":" + port + oauth
}
// InitiateLogin starts a new OAuth2 authorization flow with Hydra server-side.
// It calls Hydra's /oauth2/auth endpoint without following the redirect, then extracts
// the login_challenge from the Location header. For thick clients that cannot follow
// browser redirects.
func (h *HydraConnector) InitiateLogin(clientID string, redirectURI string) (string, error) {
stateBytes := make([]byte, 16)
if _, err := rand.Read(stateBytes); err != nil {
return "", fmt.Errorf("failed to generate state: %w", err)
}
state := hex.EncodeToString(stateBytes)
params := fmt.Sprintf("client_id=%s&response_type=code&scope=openid&state=%s",
url.QueryEscape(clientID), state)
if redirectURI != "" {
params += "&redirect_uri=" + url.QueryEscape(redirectURI)
}
authURL := h.getPath(false, false) + "/oauth2/auth?" + params
jar, _ := cookiejar.New(nil)
client := &http.Client{
Jar: jar,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse // do not follow redirects
},
}
resp, err := client.Get(authURL)
if err != nil {
return "", fmt.Errorf("failed to initiate login with Hydra: %w", err)
}
defer resp.Body.Close()
location := resp.Header.Get("Location")
if location == "" {
return "", fmt.Errorf("hydra did not return a redirect location (status %d)", resp.StatusCode)
}
parsed, err := url.Parse(location)
if err != nil {
return "", fmt.Errorf("failed to parse redirect location: %w", err)
}
challenge := parsed.Query().Get("login_challenge")
if challenge == "" {
return "", fmt.Errorf("login_challenge not found in redirect location: %s", location)
}
// Save the cookie jar so server-side flow completion can reuse the CSRF cookie
h.cookieJars.Store(challenge, jar)
return challenge, nil
}
// GetLoginChallenge retrieves login challenge details from Hydra admin API
func (h *HydraConnector) GetLoginChallenge(challenge string) (*LoginChallenge, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/login?login_challenge="+url.QueryEscape(challenge))
if err != nil {
logger.Error().Msg("Failed to get login challenge: " + err.Error())
return nil, err
}
var result LoginChallenge
if err := json.Unmarshal(resp, &result); err != nil {
logger.Error().Msg("Failed to unmarshal login challenge: " + err.Error())
return nil, err
}
return &result, nil
}
// AcceptLogin accepts a login challenge after LDAP authentication
func (h *HydraConnector) AcceptLogin(challenge string, subject string) (*Redirect, error) {
logger := oclib.GetLogger()
body := map[string]interface{}{
"subject": subject,
"remember": true,
"remember_for": 3600,
}
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/login/accept?login_challenge="+url.QueryEscape(challenge),
body, "application/json", true)
if err != nil {
logger.Error().Msg("Failed to accept login challenge: " + err.Error())
return nil, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
if resp.StatusCode >= 300 {
return nil, errors.New("hydra accept login returned status " + resp.Status + ": " + string(b))
}
var redirect Redirect
if err := json.Unmarshal(b, &redirect); err != nil {
return nil, err
}
return &redirect, nil
}
// RejectLogin rejects a login challenge
func (h *HydraConnector) RejectLogin(challenge string, reason string) (*Redirect, error) {
logger := oclib.GetLogger()
body := map[string]interface{}{
"error": "access_denied",
"error_description": reason,
}
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/login/reject?login_challenge="+url.QueryEscape(challenge),
body, "application/json", true)
if err != nil {
logger.Error().Msg("Failed to reject login challenge: " + err.Error())
return nil, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
var redirect Redirect
if err := json.Unmarshal(b, &redirect); err != nil {
return nil, err
}
return &redirect, nil
}
// GetLogoutChallenge retrieves logout challenge details from Hydra admin API
func (h *HydraConnector) GetLogoutChallenge(challenge string) (*LogoutChallenge, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/logout?logout_challenge="+url.QueryEscape(challenge))
if err != nil {
logger.Error().Msg("Failed to get logout challenge: " + err.Error())
return nil, err
}
var result LogoutChallenge
if err := json.Unmarshal(resp, &result); err != nil {
logger.Error().Msg("Failed to unmarshal logout challenge: " + err.Error())
return nil, err
}
return &result, nil
}
// AcceptLogout accepts a logout challenge — invalidates the Hydra session
func (h *HydraConnector) AcceptLogout(challenge string) (*Redirect, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/logout/accept?logout_challenge="+url.QueryEscape(challenge),
nil, "application/json", true)
if err != nil {
logger.Error().Msg("Failed to accept logout challenge: " + err.Error())
return nil, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
if resp.StatusCode >= 300 {
return nil, errors.New("hydra accept logout returned status " + resp.Status + ": " + string(b))
}
var redirect Redirect
if err := json.Unmarshal(b, &redirect); err != nil {
return nil, err
}
return &redirect, nil
}
// GetConsentChallenge retrieves consent challenge details from Hydra admin API
func (h *HydraConnector) GetConsentChallenge(challenge string) (*ConsentChallenge, error) {
logger := oclib.GetLogger()
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/consent?consent_challenge="+url.QueryEscape(challenge))
if err != nil {
logger.Error().Msg("Failed to get consent challenge: " + err.Error())
return nil, err
}
var result ConsentChallenge
if err := json.Unmarshal(resp, &result); err != nil {
logger.Error().Msg("Failed to unmarshal consent challenge: " + err.Error())
return nil, err
}
return &result, nil
}
// AcceptConsent accepts a consent challenge with claims injected into the Hydra session
func (h *HydraConnector) AcceptConsent(challenge string, grantScope []string, session claims.Claims) (*Redirect, error) {
logger := oclib.GetLogger()
body := map[string]interface{}{
"grant_scope": grantScope,
"grant_access_token_audience": grantScope, // grant requested audience
"remember": true,
"remember_for": 3600,
"session": map[string]interface{}{
"access_token": session.Session.AccessToken,
"id_token": session.Session.IDToken,
},
}
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallRaw(http.MethodPut,
h.getPath(true, true), "/auth/requests/consent/accept?consent_challenge="+url.QueryEscape(challenge),
body, "application/json", true)
if err != nil {
logger.Error().Msg("Failed to accept consent challenge: " + err.Error())
return nil, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
if resp.StatusCode >= 300 {
return nil, errors.New("hydra accept consent returned status " + resp.Status + ": " + string(b))
}
var redirect Redirect
if err := json.Unmarshal(b, &redirect); err != nil {
return nil, err
}
return &redirect, nil
}
// Introspect verifies a token with Hydra — respects the actual response (no override)
func (h *HydraConnector) Introspect(token string) (*IntrospectResult, error) {
logger := oclib.GetLogger()
urls := url.Values{}
urls.Add("token", token)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(true, true), "/introspect", urls,
"application/x-www-form-urlencoded", true)
if err != nil {
logger.Error().Msg("Failed to introspect token: " + err.Error())
return nil, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
if resp.StatusCode >= 300 {
return nil, errors.New("hydra introspect returned status " + resp.Status)
}
var result IntrospectResult
if err := json.Unmarshal(b, &result); err != nil {
return nil, err
}
return &result, nil
}
// RevokeToken revokes an OAuth2 token
func (h *HydraConnector) RevokeToken(token string, clientID string) error {
logger := oclib.GetLogger()
urls := url.Values{}
urls.Add("token", token)
urls.Add("client_id", clientID)
urls.Add("client_secret", conf.GetConfig().ClientSecret)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/revoke", urls,
"application/x-www-form-urlencoded", true)
if err != nil {
logger.Error().Msg("Failed to revoke token: " + err.Error())
return err
}
defer resp.Body.Close()
if resp.StatusCode >= 300 {
b, _ := io.ReadAll(resp.Body)
return errors.New("hydra revoke returned status " + resp.Status + ": " + string(b))
}
return nil
}
// RefreshToken exchanges a refresh_token for a new token set
func (h *HydraConnector) RefreshToken(refreshToken string, clientID string) (*TokenResponse, error) {
logger := oclib.GetLogger()
urls := url.Values{}
urls.Add("grant_type", "refresh_token")
urls.Add("refresh_token", refreshToken)
urls.Add("client_id", clientID)
urls.Add("client_secret", conf.GetConfig().ClientSecret)
h.Mu.Lock()
defer h.Mu.Unlock()
resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/token", urls,
"application/x-www-form-urlencoded", true)
if err != nil {
logger.Error().Msg("Failed to refresh token: " + err.Error())
return nil, err
}
defer resp.Body.Close()
b, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
}
if resp.StatusCode >= 300 {
return nil, errors.New("hydra refresh returned status " + resp.Status + ": " + string(b))
}
var result TokenResponse
if err := json.Unmarshal(b, &result); err != nil {
return nil, err
}
return &result, nil
}
// CheckAuthForward validates a JWT token for forward auth (Traefik integration).
// It introspects the token via Hydra then checks permissions via Keto.
// Only requests from our own peer (external == false) are accepted.
// Returns 200 (OK), 401 (token inactive/invalid → redirect to login), or 403 (permission denied).
func (h *HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) (*claims.Claims, string, int) {
func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string, external bool) bool {
if forward == "" || method == "" {
return nil, "", http.StatusUnauthorized
return false
}
// Defense in depth: only SELF peer requests are allowed.
/*if external {
return http.StatusUnauthorized
}*/
logger := oclib.GetLogger()
// Introspect the token via Hydra.
// An inactive or invalid token means the user must re-authenticate → 401.
result, err := h.Introspect(reqToken)
if err != nil || !result.Active {
var c claims.Claims
token := strings.Split(reqToken, ".")
if len(token) > 2 {
bytes, err := base64.StdEncoding.DecodeString(token[2])
if err != nil {
logger.Error().Msg("Forward auth introspect failed: " + err.Error())
return false
}
return nil, "", http.StatusUnauthorized
}
// Build session claims from Hydra's introspection "ext" field.
// Hydra injects the consent session's access_token data there.
var sessionClaims claims.Claims
sessionClaims.Session.AccessToken = make(map[string]interface{})
sessionClaims.Session.IDToken = make(map[string]interface{})
if result.Extra != nil {
for k, v := range result.Extra {
sessionClaims.Session.AccessToken[k] = v
err = json.Unmarshal(bytes, &c)
if err != nil {
return false
}
}
// For SELF peer requests skip the signature check (internal traffic).
pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, fmt.Sprintf("%v", peer.SELF.EnumIndex()), false, 0, 1)
if len(pp.Data) > 0 {
p := pp.Data[0].(*peer.Peer)
if p.PublicKey == publicKey {
sessionClaims.Session.IDToken["signature"] = ""
}
}
// Check permissions via Keto.
// A valid token with insufficient permissions → 403 (authenticated, not authorized).
ok, permKey, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, sessionClaims, publicKey, external)
// ask keto for permission is in claims
ok, err := claims.GetClaims().DecodeClaimsInToken(host, method, forward, c, publicKey, external)
if err != nil {
logger.Error().Msg("Failed to decode claims in forward auth: " + err.Error())
return nil, "", http.StatusForbidden
fmt.Println("Failed to decode claims", err)
}
if !ok {
return nil, "", http.StatusForbidden
}
return &sessionClaims, permKey, http.StatusOK
}
// FollowToConsentChallenge follows the redirect_to returned by AcceptLogin.
// Hydra redirects once to the consent URL — this extracts the consent_challenge from it.
// loginChallenge is used to retrieve the CSRF cookie jar saved during InitiateLogin.
func (h *HydraConnector) FollowToConsentChallenge(redirectTo string, loginChallenge string) (string, error) {
// The redirect_to URL uses the public host (via reverse proxy).
// Rewrite it to hit Hydra directly using its internal address.
internalURL, err := rewriteToInternalHydra(h, redirectTo)
if err != nil {
return "", fmt.Errorf("failed to rewrite redirect URL: %w", err)
}
var jar http.CookieJar
if v, ok := h.cookieJars.Load(loginChallenge); ok {
jar = v.(*cookiejar.Jar)
}
client := &http.Client{
Jar: jar,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
resp, err := client.Get(internalURL)
if err != nil {
return "", fmt.Errorf("failed to follow login redirect: %w", err)
}
defer resp.Body.Close()
location := resp.Header.Get("Location")
if location == "" {
return "", fmt.Errorf("no redirect location after following login redirect (status %d)", resp.StatusCode)
}
parsed, err := url.Parse(location)
if err != nil {
return "", fmt.Errorf("failed to parse consent redirect: %w", err)
}
challenge := parsed.Query().Get("consent_challenge")
if challenge == "" {
return "", fmt.Errorf("consent_challenge not found in redirect: %s", location)
}
return challenge, nil
}
// ExchangeCodeForToken follows the redirect_to returned by AcceptConsent to extract the
// authorization code, then exchanges it for a token at Hydra's token endpoint.
// loginChallenge is used to retrieve the CSRF cookie jar and clean it up after use.
func (h *HydraConnector) ExchangeCodeForToken(redirectTo string, clientID string, loginChallenge string) (*TokenResponse, error) {
internalURL, err := rewriteToInternalHydra(h, redirectTo)
if err != nil {
return nil, fmt.Errorf("failed to rewrite redirect URL: %w", err)
}
var jar http.CookieJar
if v, ok := h.cookieJars.Load(loginChallenge); ok {
jar = v.(*cookiejar.Jar)
}
client := &http.Client{
Jar: jar,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
resp, err := client.Get(internalURL)
if err != nil {
return nil, fmt.Errorf("failed to follow consent redirect: %w", err)
}
defer resp.Body.Close()
location := resp.Header.Get("Location")
if location == "" {
return nil, fmt.Errorf("no redirect after consent (status %d)", resp.StatusCode)
}
parsed, err := url.Parse(location)
if err != nil {
return nil, fmt.Errorf("failed to parse code redirect: %w", err)
}
code := parsed.Query().Get("code")
if code == "" {
return nil, fmt.Errorf("code not found in redirect: %s", location)
}
// Reconstruct redirect_uri without query/fragment — must match the registered value
parsed.RawQuery = ""
parsed.Fragment = ""
redirectURI := parsed.String()
cfg := conf.GetConfig()
vals := url.Values{}
vals.Add("grant_type", "authorization_code")
vals.Add("code", code)
vals.Add("client_id", clientID)
vals.Add("client_secret", cfg.ClientSecret)
vals.Add("redirect_uri", redirectURI)
h.Mu.Lock()
defer h.Mu.Unlock()
resp2, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/token", vals,
"application/x-www-form-urlencoded", true)
if err != nil {
return nil, fmt.Errorf("failed to exchange code for token: %w", err)
}
defer resp2.Body.Close()
b, err := io.ReadAll(resp2.Body)
if err != nil {
return nil, err
}
if resp2.StatusCode >= 300 {
return nil, fmt.Errorf("token exchange failed (%s): %s", resp2.Status, string(b))
}
var result TokenResponse
if err := json.Unmarshal(b, &result); err != nil {
return nil, err
}
// Cookie jar no longer needed — clean up
h.cookieJars.Delete(loginChallenge)
return &result, nil
}
// rewriteToInternalHydra rewrites a public-facing Hydra URL to use the internal Hydra address.
// The redirect_to from Hydra uses the public host/port (possibly behind a reverse proxy),
// but server-side follow-ups must hit Hydra directly.
// It keeps the path suffix after "/oauth2" and the full query string.
func rewriteToInternalHydra(h *HydraConnector, publicURL string) (string, error) {
parsed, err := url.Parse(publicURL)
if err != nil {
return "", fmt.Errorf("invalid redirect URL: %w", err)
}
// Extract the path segment from "/oauth2" onward (e.g. "/oauth2/auth")
const marker = "/oauth2"
idx := strings.Index(parsed.Path, marker)
if idx < 0 {
return "", fmt.Errorf("redirect URL has no /oauth2 path segment: %s", publicURL)
}
suffix := parsed.Path[idx:] // e.g. "/oauth2/auth"
internal := h.getPath(false, false) + suffix
if parsed.RawQuery != "" {
internal += "?" + parsed.RawQuery
}
return internal, nil
}
// extractBearerToken extracts the token from a "Bearer xxx" Authorization header value
func extractBearerToken(authHeader string) string {
splitToken := strings.Split(authHeader, "Bearer ")
if len(splitToken) < 2 {
return ""
}
return splitToken[1]
return ok
}
infrastructure/auth_connector/ldap.go
+31 -140
View File
@@ -12,7 +12,6 @@ import (
"sync"
"time"
oclib "cloud.o-forge.io/core/oc-lib"
"github.com/coocood/freecache"
"github.com/go-ldap/ldap/v3"
"github.com/i-core/rlog"
@@ -32,9 +31,8 @@ var (
type conn interface {
Bind(bindDN, password string) error
SearchRoles(attrs ...string) ([]map[string][]string, error)
SearchUser(user string, attrs ...string) ([]map[string][]string, error)
SearchUserRoles(user string, attrs ...string) ([]map[string][]string, error)
SearchUser(user string, attrs ...string) ([]map[string]interface{}, error)
SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error)
Close() error
}
@@ -49,7 +47,6 @@ type Config struct {
BindPass string `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
BaseDN string `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
AttrClaims map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
UserBaseDN string `envconfig:"user_basedn" required:"true" desc:"a LDAP base DN for searching users"`
RoleBaseDN string `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
RoleAttr string `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
RoleClaim string `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
@@ -66,12 +63,11 @@ func New() *Client {
BindDN: conf.GetConfig().LDAPBindDN,
BindPass: conf.GetConfig().LDAPBindPW,
BaseDN: conf.GetConfig().LDAPBaseDN,
UserBaseDN: conf.GetConfig().LDAPUserBaseDN,
RoleBaseDN: conf.GetConfig().LDAPRoleBaseDN,
}
return &Client{
Config: cnf,
connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, UserBaseDN: cnf.UserBaseDN, IsTLS: cnf.IsTLS},
connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN, IsTLS: cnf.IsTLS},
cache: freecache.NewCache(cnf.CacheSize * 1024),
}
}
@@ -82,29 +78,31 @@ type Client struct {
cache *freecache.Cache
}
func (cli *Client) Authenticate(ctx context.Context, username string, password string) (bool, error) {
func (cli *Client) Authenticate(ctx context.Context, username, password string) (bool, error) {
if username == "" || password == "" {
return false, nil
}
var cancel context.CancelFunc
ctx, cancel = context.WithCancel(ctx)
logger := oclib.GetLogger()
logger.Debug().Msgf("LDAP authenticate user: %s", username)
cn, ok := <-cli.connect(ctx)
cancel()
if !ok {
return false, errConnectionTimeout
}
defer cn.Close()
// Find a user DN by his or her username.
details, err := cli.findBasicUserDetails(cn, username, []string{"dn"})
if err != nil || details == nil {
if err != nil {
return false, err
}
a := details["dn"]
logger.Debug().Msgf("Binding DN: %s", a[0])
if err := cn.Bind(a[0], password); err != nil {
logger.Error().Msg("LDAP bind failed: " + err.Error())
if details == nil {
return false, nil
}
if err := cn.Bind(details["dn"].(string), password); err != nil {
if err == errInvalidCredentials {
return false, nil
}
@@ -120,21 +118,6 @@ func (cli *Client) Authenticate(ctx context.Context, username string, password s
return true, nil
}
func (cli *Client) GetRoles(ctx context.Context) (map[string]LDAPRoles, error) {
var cancel context.CancelFunc
ctx, cancel = context.WithCancel(ctx)
cn, ok := <-cli.connect(ctx)
cancel()
if !ok {
return map[string]LDAPRoles{}, errConnectionTimeout
}
defer cn.Close()
// Find a user DN by his or her username.
return cli.findRoles(cn, "dn", "member", "uniqueMember")
}
// Claim is the FindOIDCClaims result struct
type LDAPClaim struct {
Code string // the root claim name
@@ -142,10 +125,6 @@ type LDAPClaim struct {
Value interface{} // the value
}
type LDAPRoles struct {
Members map[string][]string
}
// FindOIDCClaims finds all OIDC claims for a user.
func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPClaim, error) {
if username == "" {
@@ -214,12 +193,11 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPC
roles := make(map[string]interface{})
for _, entry := range entries {
roleDNs, ok := entry["dn"]
if !ok || len(roleDNs) == 0 {
roleDN, ok := entry["dn"].(string)
if !ok || roleDN == "" {
log.Infow("No required LDAP attribute for a role", "ldapAttribute", "dn", "entry", entry)
continue
}
roleDN := roleDNs[0]
if entry[cli.RoleAttr] == nil {
log.Infow("No required LDAP attribute for a role", "ldapAttribute", cli.RoleAttr, "roleDN", roleDN)
continue
@@ -229,7 +207,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) ([]LDAPC
// It's sufficient to compare the DN's suffix with the base DN.
n, k := len(roleDN), len(cli.RoleBaseDN)
if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
return nil, errors.New("You should never see that")
panic("You should never see that")
}
// The DN without the role's base DN must contain a CN and OU
// where the CN is for uniqueness only, and the OU is an application id.
@@ -281,15 +259,13 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
cn, err := cli.connector.Connect(ctx, addr)
if err != nil {
log := oclib.GetLogger()
log.Error().Msgf("Failed to create LDAP connection to %s: %v", addr, err)
fmt.Println("Failed to create a LDAP connection", "address", addr)
return
}
select {
case <-ctx.Done():
cn.Close()
log := oclib.GetLogger()
log.Debug().Msgf("LDAP connection cancelled: %s", addr)
fmt.Println("a LDAP connection is cancelled", "address", addr)
return
case ch <- cn:
}
@@ -302,102 +278,27 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
return ch
}
func (cli *Client) findRoles(cn conn, attrs ...string) (map[string]LDAPRoles, error) {
logger := oclib.GetLogger()
logger.Debug().Msg("Finding LDAP roles")
if cli.BindDN != "" {
// We need to login to a LDAP server with a service account for retrieving user data.
if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
return map[string]LDAPRoles{}, errors.New(err.Error() + " : failed to login to a LDAP woth a service account")
}
}
entries, err := cn.SearchRoles(attrs...)
logger.Debug().Msgf("Found %d LDAP role entries", len(entries))
if err != nil {
return map[string]LDAPRoles{}, err
}
claims := map[string]LDAPRoles{}
for _, entry := range entries {
roleDNs, ok := entry["dn"]
if !ok || len(roleDNs) == 0 {
continue
}
roleDN := roleDNs[0]
// Ensure that a role's DN is inside of the role's base DN.
// It's sufficient to compare the DN's suffix with the base DN.
n, k := len(roleDN), len(cli.RoleBaseDN)
if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
return nil, errors.New("You should never see that")
}
// The DN without the role's base DN must contain a CN and OU
// where the CN is for uniqueness only, and the OU is an application id.
path := strings.Split(roleDN[:n-k-1], ",")
if len(path) != 2 {
continue
}
appID := path[1][len("OU="):]
if _, ok := claims[appID]; !ok {
claims[appID] = LDAPRoles{
Members: map[string][]string{},
}
}
role := path[0][len("cn="):]
if claims[appID].Members[role] == nil {
claims[appID].Members[role] = []string{}
}
logger.Debug().Msgf("Processing role entry: %v", entry["dn"])
memberDNs, ok := entry["member"]
for _, memberDN := range memberDNs {
if !ok || memberDN == "" {
continue
}
path = strings.Split(memberDN[:n-k-1], ",")
if len(path) < 1 {
continue
}
member := strings.Split(path[0][len("uid="):], ",")
claims[appID].Members[role] = append(claims[appID].Members[role], member[0])
}
memberDNs, ok = entry["uniqueMember"]
for _, memberDN := range memberDNs {
if !ok || memberDN == "" {
continue
}
path = strings.Split(memberDN[:n-k-1], ",")
if len(path) < 1 {
continue
}
member := strings.Split(path[0][len("uid="):], ",")
claims[appID].Members[role] = append(claims[appID].Members[role], member[0])
}
}
return claims, nil
}
// findBasicUserDetails finds user's LDAP attributes that were specified. It returns nil if no such user.
func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string) (map[string][]string, error) {
logger := oclib.GetLogger()
logger.Debug().Msgf("Finding LDAP user details for: %s", username)
func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string) (map[string]interface{}, error) {
if cli.BindDN != "" {
// We need to login to a LDAP server with a service account for retrieving user data.
if err := cn.Bind(cli.BindDN, cli.BindPass); err != nil {
return nil, errors.New(err.Error() + " : failed to login to a LDAP woth a service account")
}
}
entries, err := cn.SearchUser(username, attrs...)
if err != nil {
return nil, err
}
if len(entries) == 0 {
if len(entries) != 1 {
// We didn't find the user.
logger.Debug().Msgf("LDAP user not found: %s", username)
return nil, nil
}
var (
entry = entries[0]
details = make(map[string][]string)
details = make(map[string]interface{})
)
for _, attr := range attrs {
if v, ok := entry[attr]; ok {
@@ -410,7 +311,6 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
type ldapConnector struct {
BaseDN string
RoleBaseDN string
UserBaseDN string
IsTLS bool
}
@@ -432,13 +332,12 @@ func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error)
ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
ldapcn.Start()
return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, UserBaseDN: c.UserBaseDN, RoleBaseDN: c.RoleBaseDN}, nil
return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
}
type ldapConn struct {
*ldap.Conn
BaseDN string
UserBaseDN string
RoleBaseDN string
}
@@ -450,43 +349,35 @@ func (c *ldapConn) Bind(bindDN, password string) error {
return err
}
func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string][]string, error) {
func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
query := fmt.Sprintf(
"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
return c.searchEntries(c.UserBaseDN, query, attrs)
return c.searchEntries(c.BaseDN, query, attrs)
}
func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string][]string, error) {
func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
query := fmt.Sprintf("(|"+
"(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupofnames))(member=%[1]s))"+
"(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))"+
"(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s))"+
")", user)
return c.searchEntries(c.RoleBaseDN, query, attrs)
}
func (c *ldapConn) SearchRoles(attrs ...string) ([]map[string][]string, error) {
query := "(|(&(|(objectClass=group)(objectClass=groupOfNames)(objectClass=groupofnames))))"
return c.searchEntries(c.RoleBaseDN, query, attrs)
}
// searchEntries executes a LDAP query, and returns a result as entries where each entry is mapping of LDAP attributes.
func (c *ldapConn) searchEntries(baseDN, query string, attrs []string) ([]map[string][]string, error) {
log := oclib.GetLogger()
log.Debug().Msgf("LDAP search: baseDN=%s query=%s", baseDN, query)
func (c *ldapConn) searchEntries(baseDN, query string, attrs []string) ([]map[string]interface{}, error) {
req := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, query, attrs, nil)
res, err := c.Search(req)
if err != nil {
return nil, err
}
log.Debug().Msgf("LDAP search returned %d entries", len(res.Entries))
var entries []map[string][]string
var entries []map[string]interface{}
for _, v := range res.Entries {
entry := map[string][]string{"dn": {v.DN}}
entry := map[string]interface{}{"dn": v.DN}
for _, attr := range v.Attributes {
// We need the first value only for the named attribute.
entry[attr.Name] = attr.Values
entry[attr.Name] = attr.Values[0]
}
entries = append(entries, entry)
}
infrastructure/claims/claims.go
+6 -101
View File
@@ -1,32 +1,24 @@
package claims
import (
"fmt"
"oc-auth/conf"
"reflect"
"strings"
"cloud.o-forge.io/core/oc-lib/models/peer"
"github.com/google/go-cmp/cmp"
)
// ClaimService builds and verifies OAuth2 session claims
// Tokenizer interface
type ClaimService interface {
// BuildConsentSession builds the session payload for Hydra consent accept.
// Claims are injected into the Hydra JWT via the consent session, not appended to the token.
BuildConsentSession(clientID string, userId string, peer *peer.Peer) Claims
// DecodeClaimsInToken verifies permissions from claims extracted from a JWT
DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error)
AddClaimsToToken(userId string, peer *peer.Peer) Claims
DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error)
}
// SessionClaims contains access_token and id_token claim maps
// SessionClaims struct
type SessionClaims struct {
AccessToken map[string]interface{} `json:"access_token"`
IDToken map[string]interface{} `json:"id_token"`
}
// Claims is the top-level session structure passed to Hydra consent accept
// Claims struct
type Claims struct {
Session SessionClaims `json:"session"`
}
@@ -35,93 +27,6 @@ var t = map[string]ClaimService{
"hydra": HydraClaims{},
}
func cleanMap(m map[string]interface{}) map[string]interface{} {
if m == nil {
return map[string]interface{}{}
}
ignored := map[string]bool{
"exp": true,
"iat": true,
"nbf": true,
}
out := make(map[string]interface{})
for k, v := range m {
if ignored[k] {
continue
}
switch val := v.(type) {
case map[string]interface{}:
out[k] = cleanMap(val)
default:
out[k] = val
}
}
return out
}
func (c *Claims) EqualExt(ext map[string]interface{}) bool {
claims := &Claims{}
claims.SessionFromExt(ext)
return c.EqualClaims(claims)
}
func (c *Claims) EqualClaims(claims *Claims, permsKey ...string) bool {
c.normalizeClaims()
claims.normalizeClaims()
if len(permsKey) > 0 {
for _, p := range permsKey {
if !(claims.Session.AccessToken[p] != nil && c.Session.AccessToken[p] != nil && claims.Session.AccessToken[p] == c.Session.AccessToken[p]) {
return false
}
}
return true
}
ok := reflect.DeepEqual(c.Session, claims.Session)
if !ok {
fmt.Println(cmp.Diff(c.Session, claims.Session))
}
return ok
}
func (c *Claims) normalizeClaims() {
c.Session.AccessToken = cleanMap(c.Session.AccessToken)
c.Session.IDToken = cleanMap(c.Session.IDToken)
}
func (c *Claims) SessionFromExt(ext map[string]interface{}) {
var access map[string]interface{}
var id map[string]interface{}
if v, ok := ext["access_token"].(map[string]interface{}); ok && v != nil {
access = v
} else {
access = map[string]interface{}{}
}
if v, ok := ext["id_token"].(map[string]interface{}); ok && v != nil {
id = v
} else {
id = map[string]interface{}{}
}
c.Session = SessionClaims{
AccessToken: access,
IDToken: id,
}
}
func GetClaims() ClaimService {
for k := range t {
if strings.Contains(conf.GetConfig().Auth, k) {
return t[k]
}
}
return nil
return t[conf.GetConfig().Auth]
}
infrastructure/claims/crypto.go
+6 -28
View File
@@ -99,20 +99,9 @@ func New(privateKey []byte, publicKeys map[string][]byte) (client *Client, err e
if privateKey != nil {
validPrivateKey, errPrivate := x509.ParsePKCS1PrivateKey(privateKey)
if errPrivate != nil {
// Fallback to PKCS8 (generated with openssl genpkey or similar)
key, errPKCS8 := x509.ParsePKCS8PrivateKey(privateKey)
if errPKCS8 != nil {
err = errPKCS8
log.Println(err)
return
}
rsaKey, ok := key.(*rsa.PrivateKey)
if !ok {
err = errors.New("PKCS8 private key is not RSA")
log.Println(err)
return
}
validPrivateKey = rsaKey
err = errPrivate
log.Println(err)
return
}
client.PrivateKey = validPrivateKey
}
@@ -122,20 +111,9 @@ func New(privateKey []byte, publicKeys map[string][]byte) (client *Client, err e
for k, v := range publicKeys {
validPublicKey, errPublic := x509.ParsePKCS1PublicKey(v)
if errPublic != nil {
// Fallback to PKIX (SubjectPublicKeyInfo, generated alongside PKCS8 private key)
key, errPKIX := x509.ParsePKIXPublicKey(v)
if errPKIX != nil {
err = errPKIX
log.Println(err)
return
}
rsaKey, ok := key.(*rsa.PublicKey)
if !ok {
err = errors.New("PKIX public key is not RSA")
log.Println(err)
return
}
validPublicKey = rsaKey
err = errPublic
log.Println(err)
return
}
if validPublicKey == nil {
err = errors.New("Invalid Public Key Type")
infrastructure/claims/hydra_claims.go
+56 -84
View File
@@ -2,13 +2,15 @@ package claims
import (
"crypto/sha256"
"encoding/pem"
"errors"
"fmt"
"oc-auth/conf"
"oc-auth/infrastructure/perms_connectors"
"oc-auth/infrastructure/utils"
"os"
"strings"
"time"
oclib "cloud.o-forge.io/core/oc-lib"
"cloud.o-forge.io/core/oc-lib/models/peer"
"cloud.o-forge.io/core/oc-lib/tools"
)
@@ -24,7 +26,7 @@ func (h HydraClaims) generateKey(relation string, path string) (string, error) {
return strings.ToUpper(method.String()) + "_" + strings.ReplaceAll(p, ":", ""), nil
}
// decodeKey extracts method and path from a permission key
// decode key expect to extract method and path from key
func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string, error) {
s := strings.Split(key, "_")
if len(s) < 2 {
@@ -42,33 +44,29 @@ func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string,
}
func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
/*hashed := sha256.Sum256([]byte(host))
spkiBlock, _ := pem.Decode([]byte(publicKey))
if spkiBlock == nil {
return false, errors.New("failed to decode public key PEM")
}
hashed := sha256.Sum256([]byte(host))
spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
if err != nil {
return false, err
}*/
}
return true, nil
}
func (h HydraClaims) encodeSignature(host string) (string, error) {
return "", nil
priv, err := tools.LoadKeyFromFilePrivate()
if err != nil {
return "", err
}
privb, err := priv.Raw()
if err != nil {
return "", err
}
hashed := sha256.Sum256([]byte(host))
return SignDefault(hashed[:], privb)
// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
if err != nil {
return "", err
}
privateKey := string(content)
spkiBlock, _ := pem.Decode([]byte(privateKey))
return SignDefault(hashed[:], spkiBlock.Bytes)
}
func (h HydraClaims) clearBlank(path []string) []string {
// clear blank
newPath := []string{}
for _, p := range path {
if p != "" {
@@ -78,37 +76,32 @@ func (h HydraClaims) clearBlank(path []string) []string {
return newPath
}
// DecodeClaimsInToken verifies permissions from claims in a standard JWT (via introspection)
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, string, error) {
logger := oclib.GetLogger()
func (a HydraClaims) CheckExpiry(exp int64) bool {
now := time.Now().UTC().Unix()
return now <= exp
}
func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward string, sessionClaims Claims, publicKey string, external bool) (bool, error) {
idTokenClaims := sessionClaims.Session.IDToken
// Signature verification: skip if signature is empty (internal requests)
if sig, ok := idTokenClaims["signature"].(string); ok && sig != "" {
if ok, err := h.DecodeSignature(host, sig, publicKey); !ok {
fmt.Println("FAILED SIGNATURE")
return false, "", err
}
if idTokenClaims["signature"] == nil {
return false, errors.New("no signature found")
}
signature := idTokenClaims["signature"].(string)
if ok, err := h.DecodeSignature(host, signature, publicKey); !ok {
return false, err
}
claims := sessionClaims.Session.AccessToken
if claims == nil {
fmt.Println("no access_token claims found")
return false, "", errors.New("no access_token claims found")
}
path := strings.ReplaceAll(forward, "http://"+host, "")
splittedPath := h.clearBlank(strings.Split(path, "/"))
if _, ok := claims["exp"].(float64); !ok || !h.CheckExpiry(int64(claims["exp"].(float64))) {
return false, errors.New("token is expired")
}
for m, p := range claims {
pStr, ok := p.(string)
if !ok {
continue
}
splittedP := h.clearBlank(strings.Split(pStr, "/"))
match := true
splittedP := h.clearBlank(strings.Split(p.(string), "/"))
if len(splittedP) != len(splittedPath) {
continue
}
match := true
for i, v := range splittedP {
if strings.Contains(v, ":") { // is a param
continue
@@ -124,64 +117,43 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
}
perm := perms_connectors.Permission{
Relation: "permits" + strings.ToUpper(meth.String()),
Object: pStr,
Object: p.(string),
}
return perms_connectors.GetPermissionConnector("").CheckPermission(perm, nil, true), m, nil
return perms_connectors.GetPermissionConnector().CheckPermission(perm, nil, true), nil
}
}
logger.Error().Msg("No permission found for " + method + " " + forward)
return false, "", errors.New("no permission found")
return false, errors.New("no permission found")
}
// BuildConsentSession builds the session payload for Hydra consent accept.
// Claims are injected into the Hydra JWT — not appended to the token as before.
func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer.Peer) Claims {
logger := oclib.GetLogger()
c := Claims{}
perms, err := (&perms_connectors.KetoConnector{}).GetPermissionByUser(userId, true)
// add claims to token method of HydraTokenizer
func (h HydraClaims) AddClaimsToToken(userId string, p *peer.Peer) Claims {
claims := Claims{}
perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
if err != nil {
logger.Error().Msg("Failed to get permissions for user " + userId + ": " + err.Error())
return c
return claims
}
c.Session.AccessToken = make(map[string]interface{})
c.Session.IDToken = make(map[string]interface{})
claims.Session.AccessToken = make(map[string]interface{})
claims.Session.IDToken = make(map[string]interface{})
for _, perm := range perms {
key, err := h.generateKey(strings.ReplaceAll(perm.Relation, "permits", ""), perm.Subject)
if err != nil {
continue
}
c.Session.AccessToken[key] = perm.Subject
claims.Session.AccessToken[key] = perm.Subject
}
sign, err := h.encodeSignature(p.APIUrl)
sign, err := h.encodeSignature(p.Url)
if err != nil {
logger.Error().Msg("Failed to encode signature: " + err.Error())
return c
return claims
}
fmt.Println("PEER ID", p.UUID)
c.Session.AccessToken["peer_id"] = p.UUID
c.Session.AccessToken["user_id"] = userId
c.Session.IDToken["user_id"] = userId
c.Session.IDToken["peer_id"] = p.UUID
c.Session.IDToken["client_id"] = clientID
groups, err := (&perms_connectors.KetoConnector{}).GetGroupByUser(userId)
claims.Session.IDToken["peer_id"] = p.UUID
// we should get group from user
groups, err := perms_connectors.KetoConnector{}.GetGroupByUser(userId)
if err != nil {
logger.Error().Msg("Failed to get groups for user " + userId + ": " + err.Error())
return c
return claims
}
c.Session.AccessToken["groups"] = groups
c.Session.IDToken["groups"] = groups
roles, err := (&perms_connectors.KetoConnector{}).GetRoleByUser(userId)
if err != nil {
logger.Error().Msg("Failed to get roles for user " + userId + ": " + err.Error())
return c
}
c.Session.IDToken["roles"] = roles
c.Session.IDToken["signature"] = sign
return c
claims.Session.IDToken["groups"] = groups
claims.Session.IDToken["signature"] = sign
return claims
}
// add signature in the token MISSING
infrastructure/infrastructure.go
+2 -2
View File
@@ -10,8 +10,8 @@ func GetAuthConnector() auth_connectors.AuthConnector {
return auth_connectors.GetAuthConnector()
}
func GetPermissionConnector(client string) perms_connectors.PermConnector {
return perms_connectors.GetPermissionConnector(client)
func GetPermissionConnector() perms_connectors.PermConnector {
return perms_connectors.GetPermissionConnector()
}
func GetClaims() claims.ClaimService {
infrastructure/perms_connectors/keto_connector.go
+63 -99
View File
@@ -7,31 +7,23 @@ import (
"oc-auth/conf"
"oc-auth/infrastructure/utils"
"strings"
"sync"
oclib "cloud.o-forge.io/core/oc-lib"
"cloud.o-forge.io/core/oc-lib/tools"
)
type KetoConnector struct {
Client string
Mu sync.RWMutex
}
type KetoConnector struct{}
func (k *KetoConnector) SetClient(client string) {
k.Client = client
}
func (k *KetoConnector) namespace() string {
func (k KetoConnector) namespace() string {
return "open-cloud"
}
func (k *KetoConnector) scope() string {
return "oc-auth-realm"
func (k KetoConnector) scope() string {
return "oc-auth"
}
func (f *KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
n := "?namespace=" + f.namespace()
func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
n := "?namespace=" + perm.Namespace()
if perm.Object != "" {
n += "&object=" + perm.Object
}
@@ -56,16 +48,11 @@ func (f *KetoConnector) permToQuery(perm Permission, permDependancies *Permissio
return n
}
func (k *KetoConnector) Status() tools.State {
func (k KetoConnector) Status() tools.State {
caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
var responseBody map[string]interface{}
host := conf.GetConfig().PermissionConnectorReadHost
if conf.GetConfig().Local {
host = "localhost"
}
host := conf.GetConfig().PermissionConnectorHost
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
k.Mu.Lock()
defer k.Mu.Unlock()
resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
if err != nil {
return tools.DEAD
@@ -77,7 +64,7 @@ func (k *KetoConnector) Status() tools.State {
return tools.ALIVE
}
func (k *KetoConnector) CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool {
func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool {
if (perm.Object == k.scope() || perm.Subject == k.scope()) && !internal {
log := oclib.GetLogger()
log.Error().Msg("Permission denied : Ask illegal permission")
@@ -86,13 +73,13 @@ func (k *KetoConnector) CheckPermission(perm Permission, permDependancies *Permi
perms, err := k.GetPermission(perm.Object, perm.Relation)
if err != nil {
log := oclib.GetLogger()
log.Error().Msg("CheckPermission " + err.Error())
log.Error().Msg(err.Error())
return false
}
return len(perms) > 0
}
func (k *KetoConnector) deletes(object string, relation string, subject string, relation2 string) (string, int, error) {
func (k KetoConnector) deletes(object string, relation string, subject string, relation2 string) (string, int, error) {
k.deleteRelationShip(object, relation, subject, nil)
_, code, err := k.deleteRelationShip(subject, relation2, k.scope(), nil)
if err != nil {
@@ -101,15 +88,15 @@ func (k *KetoConnector) deletes(object string, relation string, subject string,
return subject, 200, nil
}
func (k *KetoConnector) DeleteRole(roleID string) (string, int, error) {
func (k KetoConnector) DeleteRole(roleID string) (string, int, error) {
return k.deletes("", "member", roleID, "is")
}
func (k *KetoConnector) DeleteGroup(groupID string) (string, int, error) {
func (k KetoConnector) DeleteGroup(groupID string) (string, int, error) {
return k.deletes("", "groups", groupID, "groupin")
}
func (k *KetoConnector) DeletePermission(permID string, relation string, internal bool) (string, int, error) {
func (k KetoConnector) DeletePermission(permID string, relation string, internal bool) (string, int, error) {
meth, err := utils.ExtractMethod(relation, internal)
if err != nil {
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
@@ -120,28 +107,24 @@ func (k *KetoConnector) DeletePermission(permID string, relation string, interna
return k.deletes("", "groups", permID, "permits"+meth.String())
}
func (k *KetoConnector) CreateRole(roleID string) (string, int, error) {
func (k KetoConnector) CreateRole(roleID string) (string, int, error) {
return k.creates(roleID, "is", k.scope())
}
func (k *KetoConnector) CreateGroup(groupID string) (string, int, error) {
func (k KetoConnector) CreateGroup(groupID string) (string, int, error) {
return k.creates(groupID, "groupin", k.scope())
}
func (k *KetoConnector) CreatePermission(permID string, relation string, internal bool) (string, int, error) {
func (k KetoConnector) CreatePermission(permID string, relation string, internal bool) (string, int, error) {
meth, err := utils.ExtractMethod(relation, internal)
if err != nil {
return "", 422, err
}
id, code, err := k.creates(permID, "permits"+meth.String(), k.scope())
if err != nil && !strings.Contains(err.Error(), "already exist") {
return id, code, err
}
k.BindPermission(conf.GetConfig().AdminRole, permID, "permits"+meth.String())
return id, code, nil
k.BindPermission("admin", permID, "permits"+meth.String())
return k.creates(permID, "permits"+meth.String(), k.scope())
}
func (k *KetoConnector) creates(object string, relation string, subject string) (string, int, error) {
func (k KetoConnector) creates(object string, relation string, subject string) (string, int, error) {
p, code, err := k.createRelationShip(object, relation, subject, nil)
if err != nil {
return "", code, err
@@ -149,23 +132,23 @@ func (k *KetoConnector) creates(object string, relation string, subject string)
return p.Object, 200, nil
}
func (k *KetoConnector) GetRole(roleID string) ([]string, error) {
func (k KetoConnector) GetRole(roleID string) ([]string, error) {
return k.gets(roleID, "is", k.scope())
}
func (k *KetoConnector) GetGroup(groupID string) ([]string, error) {
func (k KetoConnector) GetGroup(groupID string) ([]string, error) {
return k.gets(groupID, "groupin", k.scope())
}
func (k *KetoConnector) GetRoleByUser(userID string) ([]string, error) {
func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
return k.gets("", "member", userID)
}
func (k *KetoConnector) GetGroupByUser(userID string) ([]string, error) {
func (k KetoConnector) GetGroupByUser(userID string) ([]string, error) {
return k.gets("", "groups", userID)
}
func (k *KetoConnector) gets(object string, relation string, subject string) ([]string, error) {
func (k KetoConnector) gets(object string, relation string, subject string) ([]string, error) {
arr := []string{}
objs, err := k.get(object, relation, subject)
if err != nil {
@@ -177,7 +160,7 @@ func (k *KetoConnector) gets(object string, relation string, subject string) ([]
return arr, nil
}
func (k *KetoConnector) GetPermission(permID string, relation string) ([]Permission, error) {
func (k KetoConnector) GetPermission(permID string, relation string) ([]Permission, error) {
meth, err := utils.ExtractMethod(relation, true)
if err != nil {
p := []Permission{}
@@ -193,7 +176,7 @@ func (k *KetoConnector) GetPermission(permID string, relation string) ([]Permiss
return k.get(permID, "permits"+meth.String(), k.scope())
}
func (k *KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
p := []Permission{}
for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
@@ -204,10 +187,8 @@ func (k *KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error)
}
return p, nil
}
func (k *KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
roles, err := k.get("", "member", userID)
log := oclib.GetLogger()
log.Debug().Msgf("GetPermissionByUser roles for %s: %d roles, err=%v", userID, len(roles), err)
if err != nil {
return nil, err
}
@@ -227,16 +208,11 @@ func (k *KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Per
return p, nil
}
func (k *KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
t := []Permission{}
caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
host := conf.GetConfig().PermissionConnectorReadHost
if conf.GetConfig().Local {
host = "localhost"
}
host := conf.GetConfig().PermissionConnectorHost
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
k.Mu.Lock()
defer k.Mu.Unlock()
resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery(
Permission{Object: object, Relation: relation, Subject: subject}, nil))
if err != nil {
@@ -259,7 +235,7 @@ func (k *KetoConnector) get(object string, relation string, subject string) ([]P
return t, nil
}
func (k *KetoConnector) binds(object string, relation string, subject string) (string, int, error) {
func (k KetoConnector) binds(subject string, relation string, object string) (string, int, error) {
_, code, err := k.createRelationShip(object, relation, subject, nil)
if err != nil {
return object, code, err
@@ -267,17 +243,15 @@ func (k *KetoConnector) binds(object string, relation string, subject string) (s
return object, 200, nil
}
func (k *KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
log := oclib.GetLogger()
log.Debug().Msgf("BindRole: user=%s role=%s", userID, roleID)
func (k KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
return k.binds(userID, "member", roleID)
}
func (k *KetoConnector) BindGroup(userID string, groupID string) (string, int, error) {
func (k KetoConnector) BindGroup(userID string, groupID string) (string, int, error) {
return k.binds(userID, "groups", groupID)
}
func (k *KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
perms, err := k.GetPermission(permID, relation)
if err != nil || len(perms) != 1 {
count := 0
@@ -303,7 +277,7 @@ func (k *KetoConnector) BindPermission(roleID string, permID string, relation st
}, 200, nil
}
func (k *KetoConnector) unbinds(subject string, relation string, object string) (string, int, error) {
func (k KetoConnector) unbinds(subject string, relation string, object string) (string, int, error) {
_, code, err := k.deleteRelationShip(object, relation, subject, nil)
if err != nil {
return object, code, err
@@ -311,15 +285,15 @@ func (k *KetoConnector) unbinds(subject string, relation string, object string)
return object, 200, nil
}
func (k *KetoConnector) UnBindRole(userID string, roleID string) (string, int, error) {
func (k KetoConnector) UnBindRole(userID string, roleID string) (string, int, error) {
return k.unbinds(userID, "member", roleID)
}
func (k *KetoConnector) UnBindGroup(userID string, groupID string) (string, int, error) {
func (k KetoConnector) UnBindGroup(userID string, groupID string) (string, int, error) {
return k.unbinds(userID, "groups", groupID)
}
func (k *KetoConnector) UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
func (k KetoConnector) UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
meth, err := utils.ExtractMethod(relation, false)
if err != nil {
return nil, 422, err
@@ -348,8 +322,11 @@ func (k *KetoConnector) UnBindPermission(roleID string, permID string, relation
Subject: permID,
}, 200, nil
}
func (k *KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
func (k KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
exist, err := k.get(object, relation, subject)
if strings.Contains(subject, "/workflow/:id") {
fmt.Println("subject", subject, relation, exist, err)
}
if err == nil && len(exist) > 0 {
return nil, 409, errors.New("Relation already exist")
}
@@ -361,71 +338,58 @@ func (k *KetoConnector) createRelationShip(object string, relation string, subje
if err != nil {
return nil, code, err
}
body["subject_set"] = map[string]interface{}{"namespace": k.namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject}
}
host := conf.GetConfig().PermissionConnectorWriteHost
if conf.GetConfig().Local {
host = "localhost"
body["subject_set"] = map[string]interface{}{"namespace": s.Namespace(), "object": s.Object, "relation": s.Relation, "subject_id": s.Subject}
}
host := conf.GetConfig().PermissionConnectorHost
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
k.Mu.Lock()
defer k.Mu.Unlock()
b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
if err != nil {
log := oclib.GetLogger()
log.Error().Msg("createRelationShip" + err.Error())
log.Error().Msg(err.Error())
return nil, 500, err
}
data := map[string]interface{}{}
var data map[string]interface{}
err = json.Unmarshal(b, &data)
if err != nil {
log := oclib.GetLogger()
log.Error().Msgf("createRelationShip unmarshal error: %s, err=%v", string(b), err)
log.Error().Msg(err.Error())
return nil, 500, err
}
perm := &Permission{}
if data != nil {
perm = &Permission{
Object: fmt.Sprintf("%v", data["object"]),
Relation: fmt.Sprintf("%v", data["relation"]),
Subject: fmt.Sprintf("%v", data["subject_id"]),
}
if data["subject_set"] != nil {
sub := data["subject_set"].(map[string]interface{})
perm.SubPermission = &Permission{
Object: fmt.Sprintf("%v", sub["object"]),
Relation: fmt.Sprintf("%v", sub["relation"]),
Subject: fmt.Sprintf("%v", sub["subject_id"]),
}
perm := &Permission{
Object: data["object"].(string),
Relation: data["relation"].(string),
Subject: data["subject_id"].(string),
}
if data["subject_set"] != nil {
sub := data["subject_set"].(map[string]interface{})
perm.SubPermission = &Permission{
Object: sub["object"].(string),
Relation: sub["relation"].(string),
Subject: sub["subject_id"].(string),
}
}
return perm, 200, nil
}
func (k *KetoConnector) deleteRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
func (k KetoConnector) deleteRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
exist, err := k.get(object, relation, subject)
if err == nil && len(exist) == 0 {
return nil, 409, errors.New("Relation does not exist")
}
caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
host := conf.GetConfig().PermissionConnectorWriteHost
if conf.GetConfig().Local {
host = "localhost"
}
host := conf.GetConfig().PermissionConnectorHost
port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
k.Mu.Lock()
defer k.Mu.Unlock()
b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
if err != nil {
log := oclib.GetLogger()
log.Error().Msg("deleteRelationShip " + err.Error())
log.Error().Msg(err.Error())
return nil, 500, err
}
var data map[string]interface{}
err = json.Unmarshal(b, &data)
if data["code"] == nil || err != nil || data["code"].(int) > 300 {
return nil, 400, errors.New("Error while deleting relation")
if err == nil && data["code"].(int) > 300 {
return nil, data["code"].(int), errors.New("Error while deleting relation")
}
return &Permission{
Object: object,
infrastructure/perms_connectors/perms_connector.go
+3 -12
View File
@@ -1,9 +1,6 @@
package perms_connectors
import (
"oc-auth/conf"
"strings"
"cloud.o-forge.io/core/oc-lib/tools"
)
@@ -24,7 +21,6 @@ func (k Permission) Scope() string {
type PermConnector interface {
Status() tools.State
SetClient(scope string)
CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool
BindRole(userID string, roleID string) (string, int, error)
BindGroup(userID string, groupID string) (string, int, error)
@@ -52,14 +48,9 @@ type PermConnector interface {
}
var c = map[string]PermConnector{
"keto": &KetoConnector{},
"keto": KetoConnector{},
}
func GetPermissionConnector(scope string) PermConnector {
for k := range c {
if strings.Contains(conf.GetConfig().PermissionConnectorReadHost, k) {
return c[k]
}
}
return nil
func GetPermissionConnector() PermConnector {
return c["keto"]
}
keto/docker-compose.yml
+21
View File
@@ -0,0 +1,21 @@
version: '3.4'
services:
keto:
image: oryd/keto:v0.7.0-alpha.1-sqlite
ports:
- "4466:4466"
- "4467:4467"
command: serve -c /home/ory/keto.yml
restart: on-failure
volumes:
- type: bind
source: .
target: /home/ory
container_name: keto
networks:
- catalog
networks:
catalog:
external: true
keto/keto.yml
+18
View File
@@ -0,0 +1,18 @@
version: v0.6.0-alpha.1
log:
level: debug
namespaces:
- id: 0
name: open-cloud
dsn: memory
serve:
read:
host: 0.0.0.0
port: 4466
write:
host: 0.0.0.0
port: 4467
ldap-hydra/docker-compose.yml
+79
View File
@@ -0,0 +1,79 @@
version: "3"
services:
hydra-client:
image: oryd/hydra:v2.2.0
container_name: hydra-client
environment:
HYDRA_ADMIN_URL: http://hydra:4445
ORY_SDK_URL: http://hydra:4445
command:
- create
- oauth2-client
- --skip-tls-verify
- --name
- test-client
- --secret
- oc-auth-got-secret
- --response-type
- id_token,token,code
- --grant-type
- implicit,refresh_token,authorization_code,client_credentials
- --scope
- openid,profile,email,roles
- --token-endpoint-auth-method
- client_secret_post
- --redirect-uri
- http://localhost:3000
networks:
- hydra-net
- catalog
deploy:
restart_policy:
condition: none
depends_on:
- hydra
healthcheck:
test: ["CMD", "curl", "-f", "http://hydra:4445"]
interval: 10s
timeout: 10s
retries: 10
hydra:
container_name: hydra
image: oryd/hydra:v2.2.0
environment:
SECRETS_SYSTEM: oc-auth-got-secret
LOG_LEAK_SENSITIVE_VALUES: true
# OAUTH2_TOKEN_HOOK_URL: http://oc-auth:8080/oc/claims
URLS_SELF_ISSUER: http://hydra:4444
URLS_SELF_PUBLIC: http://hydra:4444
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles
WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
DSN: memory
command: serve all --dev
networks:
- hydra-net
- catalog
ports:
- "4444:4444"
- "4445:4445"
deploy:
restart_policy:
condition: on-failure
ldap:
image: pgarrett/ldap-alpine
container_name: ldap
volumes:
- "./ldap.ldif:/ldif/ldap.ldif"
networks:
- hydra-net
- catalog
ports:
- "390:389"
deploy:
restart_policy:
condition: on-failure
networks:
hydra-net:
catalog:
external: true
ldap-hydra/ldap.ldif
+24
View File
@@ -0,0 +1,24 @@
dn: uid=admin,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: Admin
sn: Istrator
uid: admin
userPassword: admin
mail: admin@example.com
ou: Users
dn: ou=AppRoles,dc=example,dc=com
objectClass: organizationalunit
ou: AppRoles
description: AppRoles
dn: ou=App1,ou=AppRoles,dc=example,dc=com
objectClass: organizationalunit
ou: App1
description: App1
dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com
objectClass: groupofnames
cn: traveler
description: traveler
member: uid=admin,ou=Users,dc=example,dc=com
main.go
+72 -93
View File
@@ -1,20 +1,22 @@
package main
import (
"context"
"encoding/json"
"errors"
"oc-auth/conf"
"oc-auth/infrastructure"
auth_connectors "oc-auth/infrastructure/auth_connector"
_ "oc-auth/routers"
"os"
"strconv"
"strings"
"time"
oclib "cloud.o-forge.io/core/oc-lib"
peer "cloud.o-forge.io/core/oc-lib/models/peer"
"cloud.o-forge.io/core/oc-lib/models/utils"
"cloud.o-forge.io/core/oc-lib/tools"
beego "github.com/beego/beego/v2/server/web"
)
const test_name = "test-pierre"
const appname = "oc-auth"
// @securityDefinitions.apikey Bearer
@@ -22,119 +24,96 @@ const appname = "oc-auth"
// @name Authorization
// @description Type "Bearer" followed by a space and JWT token.
func main() {
oclib.InitAPI(appname)
// Init the oc-lib
oclib.Init(appname)
// Load the right config file
o := oclib.GetConfLoader(appname)
o := oclib.GetConfLoader()
conf.GetConfig().AdminRole = o.GetStringDefault("ADMIN_ROLE", "admin")
conf.GetConfig().PublicKeyPath = o.GetStringDefault("PUBLIC_KEY_PATH", "./pem/public.pem")
conf.GetConfig().PrivateKeyPath = o.GetStringDefault("PRIVATE_KEY_PATH", "./pem/private.pem")
conf.GetConfig().ClientSecret = o.GetStringDefault("CLIENT_SECRET", "oc-auth-got-secret")
conf.GetConfig().OAuth2ClientSecretName = o.GetStringDefault("OAUTH2_CLIENT_SECRET_NAME", "oc-oauth2-client-secret")
conf.GetConfig().OAuth2ClientSecretNamespace = o.GetStringDefault("NAMESPACE", "default")
conf.GetConfig().Auth = o.GetStringDefault("AUTH", "hydra")
conf.GetConfig().AuthConnectorHost = o.GetStringDefault("AUTH_CONNECTOR_HOST", "localhost")
conf.GetConfig().AuthConnectPublicHost = o.GetStringDefault("AUTH_CONNECTOR_PUBLIC_HOST", "localhost")
conf.GetConfig().AuthConnectorPort = o.GetIntDefault("AUTH_CONNECTOR_PORT", 4444)
conf.GetConfig().AuthConnectorAdminPort = o.GetStringDefault("AUTH_CONNECTOR_ADMIN_PORT", "4445/admin")
conf.GetConfig().PermissionConnectorWriteHost = o.GetStringDefault("PERMISSION_CONNECTOR_WRITE_HOST", "keto")
conf.GetConfig().PermissionConnectorReadHost = o.GetStringDefault("PERMISSION_CONNECTOR_READ_HOST", "keto")
conf.GetConfig().PermissionConnectorPort = o.GetStringDefault("PERMISSION_CONNECTOR_PORT", "4466")
conf.GetConfig().PermissionConnectorAdminPort = o.GetStringDefault("PERMISSION_CONNECTOR_ADMIN_PORT", "4467")
conf.GetConfig().AuthConnectorAdminPort = o.GetIntDefault("AUTH_CONNECTOR_ADMIN_PORT", 4445)
conf.GetConfig().PermissionConnectorHost = o.GetStringDefault("PERMISSION_CONNECTOR_HOST", "keto")
conf.GetConfig().PermissionConnectorPort = o.GetIntDefault("PERMISSION_CONNECTOR_PORT", 4466)
conf.GetConfig().PermissionConnectorAdminPort = o.GetIntDefault("PERMISSION_CONNECTOR_ADMIN_PORT", 4467)
conf.GetConfig().Origin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8000")
conf.GetConfig().AdminOrigin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8001")
conf.GetConfig().OAuth2ClientID = o.GetStringDefault("OAUTH2_CLIENT_ID", "oc-auth")
conf.GetConfig().OAuthRedirectURI = o.GetStringDefault("OAUTH_REDIRECT_URI", "http://localhost:8000")
conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)
// config LDAPauth
conf.GetConfig().SourceMode = o.GetStringDefault("SOURCE_MODE", "ldap")
// config LDAP
conf.GetConfig().LDAPEndpoints = o.GetStringDefault("LDAP_ENDPOINTS", "ldap:389")
conf.GetConfig().LDAPBindDN = o.GetStringDefault("LDAP_BINDDN", "cn=admin,dc=example,dc=com")
conf.GetConfig().LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password")
conf.GetConfig().LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com")
conf.GetConfig().LDAPUserBaseDN = o.GetStringDefault("LDAP_USER_BASEDN", "ou=users,dc=example,dc=com")
conf.GetConfig().LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com")
go generateRole()
go discovery()
err := generateSelfPeer()
if err != nil {
panic(err)
}
discovery()
beego.Run()
}
func generateRole() {
logger := oclib.GetLogger()
defer func() {
if r := recover(); r != nil {
logger.Error().Msgf("generateRole recovered from panic: %v", r)
}
}()
if conf.GetConfig().SourceMode == "ldap" {
for {
ldap := auth_connectors.New()
roles, err := ldap.GetRoles(context.Background())
if err == nil {
logger.Info().Msgf("Syncing %d LDAP role groups to Keto", len(roles))
for _, role := range roles {
for r, m := range role.Members {
infrastructure.GetPermissionConnector("").CreateRole(r)
for _, p := range m {
infrastructure.GetPermissionConnector("").BindRole(r, p)
}
}
}
break
} else {
logger.Error().Msg("Failed to get LDAP roles, retrying in 10s: " + err.Error())
time.Sleep(10 * time.Second)
continue
}
}
func generateSelfPeer() error {
requester := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), test_name, "1234", nil, nil)
// TODO check if files at private & public path are set
// check if files at private & public path are set
if _, err := os.Stat(conf.GetConfig().PrivateKeyPath); errors.Is(err, os.ErrNotExist) {
return errors.New("private key path does not exist")
}
if _, err := os.Stat(conf.GetConfig().PublicKeyPath); errors.Is(err, os.ErrNotExist) {
return errors.New("public key path does not exist")
}
// check if peer already exists
p := requester.Search(nil,strconv.Itoa(peer.SELF.EnumIndex()))
// p := oclib.Search(nil, strconv.Itoa(peer.SELF.EnumIndex()), oclib.L ibDataEnum(oclib.PEER))
file := ""
f, err := os.ReadFile(conf.GetConfig().PublicKeyPath)
if err != nil {
return err
}
file = string(f)
if len(p.Data) > 0 {
// check public key with the one in the database
// compare the public key from file with the one in the database
if !strings.Contains(file, p.Data[0].(*peer.Peer).PublicKey) {
return errors.New("public key is different from the one in the database")
}
return nil
}
// create a new peer
o := oclib.GetConfLoader()
peer := &peer.Peer{
Url: o.GetStringDefault("HOSTNAME", "http://localhost"),
AbstractObject: utils.AbstractObject{
Name: o.GetStringDefault("NAME", "local"),
},
PublicKey: file,
State: peer.SELF,
}
data := requester.StoreOne(peer.Serialize(peer))
if data.Err != "" {
return errors.New(data.Err)
}
return nil
}
func discovery() {
logger := oclib.GetLogger()
defer func() {
if r := recover(); r != nil {
logger.Error().Msgf("discovery recovered from panic: %v", r)
}
}()
api := tools.API{}
conn := infrastructure.GetPermissionConnector("")
for {
logger.Info().Msg("Starting permission discovery")
_, _, err := conn.CreateRole(conf.GetConfig().AdminRole)
if err != nil && !strings.Contains(err.Error(), "already exist") {
logger.Error().Msg("Failed to create admin role, retrying in 10s: " + err.Error())
time.Sleep(10 * time.Second)
continue
}
if _, _, err := conn.BindRole(conf.GetConfig().AdminRole, "admin"); err != nil {
logger.Error().Msg("Failed to admin bind role: " + err.Error())
}
addPermissions := func(m tools.NATSResponse) {
var resp map[string][]interface{}
json.Unmarshal(m.Payload, &resp)
for k, v := range resp {
for _, p := range v {
conn.DeletePermission(k, p.(string), true)
if _, _, err := conn.CreatePermission(k, p.(string), true); err != nil {
logger.Error().Msg("Failed to admin create permission: " + err.Error())
}
}
conn := infrastructure.GetPermissionConnector()
conn.CreateRole(conf.GetConfig().AdminRole)
conn.BindRole(conf.GetConfig().AdminRole, "admin")
addPermissions := func(m map[string]interface{}) {
for k, v := range m {
for _, p := range v.([]interface{}) {
conn.CreatePermission(k, p.(string), true)
}
}
api.ListenRouter(addPermissions)
b, _ := json.Marshal(map[string]interface{}{})
tools.NewNATSCaller().SetNATSPub(tools.DISCOVERY, tools.NATSResponse{
FromApp: "oc-auth",
Datatype: -1,
User: "root",
Method: tools.GET.EnumIndex(),
Payload: b,
})
break
}
api.ListenRouter(addPermissions)
tools.NewNATSCaller().SetNATSPub("api", tools.DISCOVERY, map[string]interface{}{})
}
oc-auth
BIN
View File
Binary file not shown.
pem/private.pem
+51 -3
View File
@@ -1,3 +1,51 @@
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIAeX4O7ldwehRSnPkbzuE6csyo63vjvqAcNNujENOKUC
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAw2pdG6wMtuLcP0+k1LFvIb0DQo/oHW2uNJaEJK74plXqp4zt
z2dRb+RQHFLeLuqk4i/zc3b4K3fKPXSlwnVPJCwzPrnyT8jYGOZVlWlETiV9xeJh
u6s/Bh6g1PWz75XjjwV50iv/CEiLNBT23f/3J44wrQzygqNQCiQSALdxWLAEl4l5
kHSa9oMyV70/Uql94/ayMARZsHgp9ZvqQKbkZPw6yzVMfCBxQozlNlo315OHevud
hnhpDRjN5I7zWmqYt6rbXJJC7Y3Izdvzn7QI88RqjSRST5I/7Kz3ndCqrOnI+OQU
E5NTREyQebphvQfTDTKlRPXkdyktdK2DH28Zj6ZF3yjQvN35Q4zhOzlq77dO5Ihh
opI7ct8dZH1T1nYkvdyCA/EVMtQsASmBOitH0Y0ACoXQK5Kb6nm/TcM/9ZSJUNiE
Muy5gBZ3YKE9oa4cpTpPXwcA+S/cU7HPNnQAsvD3iJi8GTW9uJs84pn4/WhpQqmX
d4rvhKWECCN3fHy01fUs/U0PaSj2jDY/kQVeXoikNMzPUjdZd9m816TIBh3v3aVX
CH/0iTHHAxctvDgMRb2fpvRJ/wwnYjFG9RpamVFDMvC9NffuYzWAA9IRIY4cqger
fHrVZ2HHiPTDDvDAIsvImXZc/h7mXN6m3RCQ4Qywy993wd9gUdgg/qnynHcCAwEA
AQKCAgBSRc29gMo5lXm1DgsPoURwp+tfcsb+3NajPVuVNjVpknKg6CyXTaBzw2QX
CKyShCe3MwkEa+pAIsb66MmA/XK8f/9zQUZLYPvaP994cEFZxV8WmSEcqhR2tx5v
iqKfFDQiWuPXIL7W9fPlkY3+GW4tMSg9M15GsgtYuab6tkD6XeERC8gqkW1MrB/d
4MdwPfvKpmqO3MYGDhFcXrBZV+qAudDnDSGOgPouUrOOFp28HVjE5nqDyt4vrWnB
+I1sW8TATybb6phS+4a3ZQtFCb9bIi7aDZi595ECTDBUOS4ibqs2XpA1TamY78ND
/Lx5oXmx7Mi4J+5wXN3Oad7ytQvFOdOttILNpAMFbLU5yKsxf+EDjCBcR5faNAtu
wAMH9TkzFpmhp5NBwQdAkCFnhyla363ljmlGAWPuG/D9bVZ0qtBf3NAF4hEJ/L4n
vYQFErd64tPasAgWPow2LLvqi3jT232aDgahj1lX1enHoR6TbQE4r3zy8DeA7i0C
hA8GFAvMsqIcee9Xi4yD8QFEH0PrJh6zP1PWKXR4AQVExnFGanz0s6O1GRqLPrIK
31NiRTwIVp0xbet9/GsJxWxqrTKPqd5yJvUGG3A4EL8e3RdWRM5vTHbNCVGi9LhS
3OIXV9/YOQJtWxzWUjFN3HpaNuWHVSR149GAYpTxeh+/ZGoAQQKCAQEA9RzG0LrB
/onSnzfAXD5IwGW/jSb4e8VLCZ/7W0CiD1ht23Q1pAR4bofSYXdx/rhVhRty+38q
GzugBPcejGeGYyKIViO1e8Psrd6dydYoaA9fX3YzcZ0onk9t+tYNxVhstolfIGgc
KW1qwDNrV1PP0N/oQU4QPxLmwcf/BSSl3sf53mVMzcnHkjCF5SgEN1rtIAOUZaM8
B4urSSMZMLpwmhXF9rAUPXWgLS+0fkrQzoaBS2ZfqEcFNs1ln8sTBeoXAz6kyZem
0To1oYhTeN+Tg11quWhJKiTMYmSGT3B7nVt25n0BypDktfaUU+LMY9/BewWwE6xx
iX97bldgv6y4uwKCAQEAzBh5IYa09uJTwrxY0IKVfkXRp2S+8fqhJ5qhEPykCF+4
JJBKPp7IA7rhcf5tw3NVpa/YE1h2H1P5Z4EQkzgETExVotBlOYYNmkBkd9etURGs
omAPHprnvT7q+dR/rc8/lQt3Xzvej4P4zSRbnzg/q2K0I1qs3vOwnZyO3GXk6eni
Q59k0y8zosKdde7m1YJ+KAj5MZc3PeHTfbLaLcfXnTSUX6xwnX+Js8kr2PVP+wSj
sExakP6ieNu/ZzFcYv6aiPgyXIWO/5pjwLt/GTqUPQcO9W76m0w24lWnYCx1iySw
alrl2irL2rnlXJin7q4FttHTWbeH90RVt3050m8ddQKCAQEAkgylgnXlZc+lim1j
1xLdspZt/qM76DP0tDV5RjRK3C3qt5qU47guMl4Hwz+y0v3vJzLl3mk1I6jxfkPp
FewRrTxEVF9OogJqImfFSSCsTuTqBS2fFZF5RGs7svyck/xOOq272sluDlk+BGwf
B5fO+jyQXWkwUQToLosGr3/YvdgWUKe3jd8vZTI4dgTUDk/Ffw/i+nS7LhvQ4fFh
7yEIOyfCH21ngf92g7YrLB1UMdr/a3gCg3hd6PuWFBKisSF8uNg4xE3yfjTbA/cB
FcLSWLHvB67V+aCXkAEp7metoGOBg3D1Akg3nxzf4OQAuXn4BV+sPOzBchZd669w
3IUERQKCAQBxPE7QjBWROKcyTx+TqC/bHE+i6SGLzftlpsQgUZuMzdaz6p5Wue/N
Kf11Kq2pmC73u2VN7nGzFfs1MwWIOLchweRtbeQLk1WutHVJjI8rgHvgpx0cZOOY
OvVR4VVpkKf9QJxdaTElPRpobviqkSG6LAw35VIubNQbzkXxAFOOeGZCEIh3JyQl
9IY6bW8DHOBzw+7GVdifa9DUV8v3RH5bSVXc8yaUK7Ox3TaHrCtQ4RUUdnh1I+Hu
3jUGwvs4LXx96/69GJjrNbSMtTpiO/8NEQJ6p7VBPnrg/pbbpC8fIR8EEySd88qg
sy0PP99EbKbc9POnPk2gofhQ0pinKWEVAoIBAQC0h8J3lGSG9Ki9QJvAOdMqnsSg
uoqjI0y6RmeR7LpYX1ASKNNImjG1hwLyZ8Qg5hCNjySEqBAGGd3MBNfIC6wzBDrV
zSJIrxjvu+2sfz1nUGdYWjQfhx3cT+yGqT6NEQupmstNukxiu2HDu76pi96AX2mk
TXYXlubIpfL50dWZ0wij0LivH6TPavvjbRZnXNVth1qlZOUtuBGyEwcXb4COtqRq
+nP8AEgzKxbMJFVy3PY5E5JyjB5d1ZPQ2OeYUVbfDEEYqzkorjByCcLdv7O1CHNq
VjUyJsd8F1tuCGPxbcbgyCeIqgDM1JxO4zTMSP+C82Ar7VXkr6Q8hAsCgHQ/
-----END RSA PRIVATE KEY-----
pem/public.pem
+13 -3
View File
@@ -1,3 +1,13 @@
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAG95Ettl3jTi41HM8le1A9WDmOEq0ANEqpLF7zTZrfXA=
-----END PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAw2pdG6wMtuLcP0+k1LFvIb0DQo/oHW2uNJaEJK74plXqp4ztz2dR
b+RQHFLeLuqk4i/zc3b4K3fKPXSlwnVPJCwzPrnyT8jYGOZVlWlETiV9xeJhu6s/
Bh6g1PWz75XjjwV50iv/CEiLNBT23f/3J44wrQzygqNQCiQSALdxWLAEl4l5kHSa
9oMyV70/Uql94/ayMARZsHgp9ZvqQKbkZPw6yzVMfCBxQozlNlo315OHevudhnhp
DRjN5I7zWmqYt6rbXJJC7Y3Izdvzn7QI88RqjSRST5I/7Kz3ndCqrOnI+OQUE5NT
REyQebphvQfTDTKlRPXkdyktdK2DH28Zj6ZF3yjQvN35Q4zhOzlq77dO5IhhopI7
ct8dZH1T1nYkvdyCA/EVMtQsASmBOitH0Y0ACoXQK5Kb6nm/TcM/9ZSJUNiEMuy5
gBZ3YKE9oa4cpTpPXwcA+S/cU7HPNnQAsvD3iJi8GTW9uJs84pn4/WhpQqmXd4rv
hKWECCN3fHy01fUs/U0PaSj2jDY/kQVeXoikNMzPUjdZd9m816TIBh3v3aVXCH/0
iTHHAxctvDgMRb2fpvRJ/wwnYjFG9RpamVFDMvC9NffuYzWAA9IRIY4cqgerfHrV
Z2HHiPTDDvDAIsvImXZc/h7mXN6m3RCQ4Qywy993wd9gUdgg/qnynHcCAwEAAQ==
-----END RSA PUBLIC KEY-----
routers/commentsRouter.go
+4 -31
View File
@@ -79,15 +79,6 @@ func init() {
Filters: nil,
Params: nil})
beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
beego.ControllerComments{
Method: "Consent",
Router: `/consent`,
AllowHTTPMethods: []string{"get"},
MethodParams: param.Make(),
Filters: nil,
Params: nil})
beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
beego.ControllerComments{
Method: "InternalAuthForward",
@@ -108,17 +99,8 @@ func init() {
beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
beego.ControllerComments{
Method: "GetLogin",
Router: `/login`,
AllowHTTPMethods: []string{"get"},
MethodParams: param.Make(),
Filters: nil,
Params: nil})
beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
beego.ControllerComments{
Method: "Login",
Router: `/login`,
Method: "LoginLDAP",
Router: `/ldap/login`,
AllowHTTPMethods: []string{"post"},
MethodParams: param.Make(),
Filters: nil,
@@ -126,17 +108,8 @@ func init() {
beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
beego.ControllerComments{
Method: "GetLogout",
Router: `/logout`,
AllowHTTPMethods: []string{"get"},
MethodParams: param.Make(),
Filters: nil,
Params: nil})
beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:OAuthController"],
beego.ControllerComments{
Method: "LogOut",
Router: `/logout`,
Method: "LogOutLDAP",
Router: `/ldap/logout`,
AllowHTTPMethods: []string{"delete"},
MethodParams: param.Make(),
Filters: nil,
swagger/swagger.json
+26 -307
View File
@@ -15,57 +15,18 @@
},
"basePath": "/oc/",
"paths": {
"/consent": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Hydra redirects here with a consent_challenge. Auto-accepts consent with user permissions.\n\u003cbr\u003e",
"operationId": "OAuthController.Consent",
"parameters": [
{
"in": "query",
"name": "consent_challenge",
"description": "The consent challenge from Hydra",
"required": true,
"type": "string"
},
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Redirect"
}
},
"400": {
"description": "missing consent_challenge"
},
"500": {
"description": "internal error"
}
}
}
},
"/forward": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Forward auth for Traefik — validates JWT via Hydra introspection.\n\u003cbr\u003e",
"description": "auth forward\n\u003cbr\u003e",
"operationId": "OAuthController.AuthForward",
"parameters": [
{
"in": "header",
"name": "Authorization",
"description": "Bearer token",
"description": "auth token",
"type": "string"
}
],
@@ -230,7 +191,7 @@
"parameters": [
{
"in": "path",
"name": "user_id",
"name": "group_id",
"description": "The group_id you want to unbind",
"required": true,
"type": "string"
@@ -255,169 +216,66 @@
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Introspect a token — respects Hydra's response\n\u003cbr\u003e",
"operationId": "OAuthController.Introspect",
"description": "introspect token\n\u003cbr\u003e",
"operationId": "OAuthController.Introspection",
"parameters": [
{
"in": "header",
"name": "Authorization",
"description": "Bearer token",
"description": "auth token",
"type": "string"
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.IntrospectResult"
}
"description": "{string}"
}
}
}
},
"/login": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Hydra redirects here with a login_challenge. Returns challenge info or auto-accepts if session exists.\n\u003cbr\u003e",
"operationId": "OAuthController.GetLogin",
"parameters": [
{
"in": "query",
"name": "login_challenge",
"description": "The login challenge from Hydra",
"required": true,
"type": "string"
},
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.LoginChallenge"
}
},
"400": {
"description": "missing login_challenge"
},
"500": {
"description": "internal error"
}
}
},
"/ldap/login": {
"post": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Authenticate user via LDAP and accept Hydra login challenge\n\u003cbr\u003e",
"description": "authenticate user\n\u003cbr\u003e",
"operationId": "OAuthController.Login",
"parameters": [
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
},
{
"in": "body",
"name": "body",
"description": "Login credentials and challenge",
"description": "The workflow content",
"required": true,
"schema": {
"$ref": "#/definitions/auth_connectors.LoginRequest"
"$ref": "#/definitions/models.workflow"
}
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Redirect"
}
},
"401": {
"description": "invalid credentials"
},
"500": {
"description": "internal error"
"description": "{string}"
}
}
}
},
"/logout": {
"get": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Hydra redirects here with a logout_challenge. Accepts the challenge and returns a redirect URL.\n\u003cbr\u003e",
"operationId": "OAuthController.GetLogout",
"parameters": [
{
"in": "query",
"name": "logout_challenge",
"description": "The logout challenge from Hydra",
"required": true,
"type": "string"
},
{
"in": "query",
"name": "redirect",
"description": "explicit redirect by passed",
"required": true,
"type": "string"
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Redirect"
}
},
"400": {
"description": "missing logout_challenge"
},
"500": {
"description": "internal error"
}
}
},
"/ldap/logout": {
"delete": {
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Revoke an OAuth2 token\n\u003cbr\u003e",
"description": "unauthenticate user\n\u003cbr\u003e",
"operationId": "OAuthController.Logout",
"parameters": [
{
"in": "header",
"name": "Authorization",
"description": "Bearer token",
"type": "string"
},
{
"in": "query",
"name": "client_id",
"description": "The client_id",
"required": true,
"description": "auth token",
"type": "string"
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.Token"
}
"description": "{string}"
}
}
}
@@ -596,28 +454,22 @@
"tags": [
"oc-auth/controllersOAuthController"
],
"description": "Exchange a refresh_token for a new token set\n\u003cbr\u003e",
"operationId": "OAuthController.Refresh",
"description": "introspect token\n\u003cbr\u003e",
"operationId": "OAuthController.Introspection",
"parameters": [
{
"in": "body",
"name": "body",
"description": "refresh_token and client_id",
"description": "The token info",
"required": true,
"schema": {
"$ref": "#/definitions/object"
"$ref": "#/definitions/models.Token"
}
}
],
"responses": {
"200": {
"description": "",
"schema": {
"$ref": "#/definitions/auth_connectors.TokenResponse"
}
},
"401": {
"description": "invalid refresh token"
"description": "{string}"
}
}
}
@@ -826,152 +678,19 @@
}
},
"definitions": {
"2432.0xc0004a0630.false": {
"title": "false",
"type": "object"
},
"4171.0xc0004a0810.false": {
"title": "false",
"type": "object"
},
"auth_connectors.LoginRequest": {
"title": "LoginRequest",
"type": "object",
"properties": {
"username": {
"type": "string"
},
"password": {
"type": "string"
},
"login_challenge": {
"type": "string"
}
}
},
"auth_connectors.IntrospectResult": {
"title": "IntrospectResult",
"type": "object",
"properties": {
"active": {
"type": "boolean"
},
"client_id": {
"type": "string"
},
"exp": {
"type": "integer",
"format": "int64"
},
"ext": {
"$ref": "#/definitions/4171.0xc0004a0810.false"
},
"scope": {
"type": "string"
},
"sub": {
"type": "string"
},
"token_type": {
"type": "string"
}
}
},
"auth_connectors.LoginChallenge": {
"title": "LoginChallenge",
"type": "object",
"properties": {
"challenge": {
"type": "string"
},
"client": {
"$ref": "#/definitions/2432.0xc0004a0630.false"
},
"request_url": {
"type": "string"
},
"session_id": {
"type": "string"
},
"skip": {
"type": "boolean"
},
"subject": {
"type": "string"
}
}
},
"auth_connectors.Redirect": {
"title": "Redirect",
"type": "object",
"properties": {
"redirect_to": {
"type": "string"
}
}
},
"auth_connectors.Token": {
"models.Token": {
"title": "Token",
"type": "object",
"properties": {
"access_token": {
"type": "string"
},
"active": {
"type": "boolean"
},
"expires_in": {
"type": "integer",
"format": "int64"
},
"id_token": {
"type": "string"
},
"refresh_token": {
"type": "string"
},
"scope": {
"type": "string"
},
"token_type": {
"type": "string"
}
}
"type": "object"
},
"auth_connectors.TokenResponse": {
"title": "TokenResponse",
"type": "object",
"properties": {
"access_token": {
"type": "string"
},
"expires_in": {
"type": "integer",
"format": "int64"
},
"id_token": {
"type": "string"
},
"refresh_token": {
"type": "string"
},
"scope": {
"type": "string"
},
"token_type": {
"type": "string"
}
}
},
"object": {
"title": "object",
"models.workflow": {
"title": "workflow",
"type": "object"
}
},
"tags": [
{
"name": "oc-auth/controllersOAuthController",
"description": "OAuthController handles OAuth2 login/consent provider endpoints\n"
"description": "Operations about auth\n"
},
{
"name": "group",
swagger/swagger.yml
+25 -221
View File
@@ -12,46 +12,18 @@ info:
url: https://www.gnu.org/licenses/agpl-3.0.html
basePath: /oc/
paths:
/consent:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
Hydra redirects here with a consent_challenge. Auto-accepts consent with user permissions.
<br>
operationId: OAuthController.Consent
parameters:
- in: query
name: consent_challenge
description: The consent challenge from Hydra
required: true
type: string
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.Redirect'
"400":
description: missing consent_challenge
"500":
description: internal error
/forward:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
Forward auth for Traefik — validates JWT via Hydra introspection.
auth forward
<br>
operationId: OAuthController.AuthForward
parameters:
- in: header
name: Authorization
description: Bearer token
description: auth token
type: string
responses:
"200":
@@ -147,7 +119,7 @@ paths:
operationId: GroupController.UnBind
parameters:
- in: path
name: user_id
name: group_id
description: The group_id you want to unbind
required: true
type: string
@@ -192,125 +164,51 @@ paths:
tags:
- oc-auth/controllersOAuthController
description: |-
Introspect a token — respects Hydra's response
introspect token
<br>
operationId: OAuthController.Introspect
operationId: OAuthController.Introspection
parameters:
- in: header
name: Authorization
description: Bearer token
description: auth token
type: string
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.IntrospectResult'
/login:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
Hydra redirects here with a login_challenge. Returns challenge info or auto-accepts if session exists.
<br>
operationId: OAuthController.GetLogin
parameters:
- in: query
name: login_challenge
description: The login challenge from Hydra
required: true
type: string
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.LoginChallenge'
"400":
description: missing login_challenge
"500":
description: internal error
description: '{string}'
/ldap/login:
post:
tags:
- oc-auth/controllersOAuthController
description: |-
Authenticate user via LDAP and accept Hydra login challenge
authenticate user
<br>
operationId: OAuthController.Login
parameters:
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
- in: body
name: body
description: Login credentials and challenge
description: The workflow content
required: true
schema:
$ref: '#/definitions/auth_connectors.LoginRequest'
$ref: '#/definitions/models.workflow'
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.Redirect'
"401":
description: invalid credentials
"500":
description: internal error
/logout:
get:
tags:
- oc-auth/controllersOAuthController
description: |-
Hydra redirects here with a logout_challenge. Accepts the challenge and returns a redirect URL.
<br>
operationId: OAuthController.GetLogout
parameters:
- in: query
name: logout_challenge
description: The logout challenge from Hydra
required: true
type: string
- in: query
name: redirect
description: explicit redirect by passed
required: true
type: string
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.Redirect'
"400":
description: missing logout_challenge
"500":
description: internal error
description: '{string}'
/ldap/logout:
delete:
tags:
- oc-auth/controllersOAuthController
description: |-
Revoke an OAuth2 token
unauthenticate user
<br>
operationId: OAuthController.Logout
parameters:
- in: header
name: Authorization
description: Bearer token
type: string
- in: query
name: client_id
description: The client_id
required: true
description: auth token
type: string
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.Token'
description: '{string}'
/permission/:
get:
tags:
@@ -442,23 +340,19 @@ paths:
tags:
- oc-auth/controllersOAuthController
description: |-
Exchange a refresh_token for a new token set
introspect token
<br>
operationId: OAuthController.Refresh
operationId: OAuthController.Introspection
parameters:
- in: body
name: body
description: refresh_token and client_id
description: The token info
required: true
schema:
$ref: '#/definitions/object'
$ref: '#/definitions/models.Token'
responses:
"200":
description: ""
schema:
$ref: '#/definitions/auth_connectors.TokenResponse'
"401":
description: invalid refresh token
description: '{string}'
/role/:
get:
tags:
@@ -613,106 +507,16 @@ paths:
"200":
description: ""
definitions:
2432.0xc0004a0630.false:
title: "false"
type: object
4171.0xc0004a0810.false:
title: "false"
type: object
auth_connectors.LoginRequest:
title: LoginRequest
type: object
properties:
username:
type: string
password:
type: string
login_challenge:
type: string
auth_connectors.IntrospectResult:
title: IntrospectResult
type: object
properties:
active:
type: boolean
client_id:
type: string
exp:
type: integer
format: int64
ext:
$ref: '#/definitions/4171.0xc0004a0810.false'
scope:
type: string
sub:
type: string
token_type:
type: string
auth_connectors.LoginChallenge:
title: LoginChallenge
type: object
properties:
challenge:
type: string
client:
$ref: '#/definitions/2432.0xc0004a0630.false'
request_url:
type: string
session_id:
type: string
skip:
type: boolean
subject:
type: string
auth_connectors.Redirect:
title: Redirect
type: object
properties:
redirect_to:
type: string
auth_connectors.Token:
models.Token:
title: Token
type: object
properties:
access_token:
type: string
active:
type: boolean
expires_in:
type: integer
format: int64
id_token:
type: string
refresh_token:
type: string
scope:
type: string
token_type:
type: string
auth_connectors.TokenResponse:
title: TokenResponse
type: object
properties:
access_token:
type: string
expires_in:
type: integer
format: int64
id_token:
type: string
refresh_token:
type: string
scope:
type: string
token_type:
type: string
object:
title: object
models.workflow:
title: workflow
type: object
tags:
- name: oc-auth/controllersOAuthController
description: |
OAuthController handles OAuth2 login/consent provider endpoints
Operations about auth
- name: group
description: |
Operations about auth