Fix casbin permissions, add kratos changes

This commit is contained in:
sigmabaryon
2022-04-12 11:19:31 +05:30
parent 0874093c43
commit fbae03741d
5 changed files with 69 additions and 7 deletions


@@ -2,11 +2,33 @@ version: v0.7.1-alpha.1
dsn: postgres://admindbuser:admindbpassword@localhost:5432/admindb?sslmode=disable&max_conns=20&max_idle_conns=4
dev: true
serve:
public:
base_url: http://127.0.0.1:4433/
cors:
enabled: true
allowed_origins:
- http://127.0.0.1:3000
- http://127.0.0.1:3000/*
- http://127.0.0.1:19006
- http://127.0.0.1:19006/*
- http://127.0.0.1:4455
- http://127.0.0.1:4455/*
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Authorization
- Cookie
- Content-Type
exposed_headers:
- Content-Type
- Set-Cookie
admin:
base_url: http://127.0.0.1:4434/
@@ -19,6 +41,24 @@ selfservice:
password:
enabled: true
oidc:
config:
providers:
- provider: generic
id: okta
client_id: 0oa4g7baw738BjuNp5d7
client_secret: Ezuu9lExU6b8zaQ9LayTFk6fjDauITw8i83kdZmE
mapper_url: file://etc/config/kratos/okta-mapper.jsonnet
issuer_url: https://dev-59990879.okta.com/oauth2/default
scope:
- email
# auth_url: http://openid-connect-provider/oauth2/auth
requested_claims:
email:
essential: true
enabled: true
link:
enabled: true
profile:
enabled: true
flows:
@@ -44,12 +84,12 @@ selfservice:
default_browser_return_url: http://127.0.0.1:4455/auth/login
login:
ui_url: http://127.0.0.1:4455/auth/login
ui_url: http://127.0.0.1:4455/login
lifespan: 10m
registration:
lifespan: 10m
ui_url: http://127.0.0.1:4455/auth/registration
ui_url: http://127.0.0.1:4455/registration
after:
password:
hooks:
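Review bot: The `client_secret` added under the okta provider is a live credential committed in clear text, next to the database password already present in the `dsn` line at the top of the file, and a secret that has been pushed to version control should be treated as exposed and rotated at the provider. Kratos resolves configuration from environment variables as well as the file, so the value can be removed from the checked-in config and supplied at deploy time, leaving a placeholder such as `client_secret: <set via environment>` in the file. Separately, the `allowed_origins` entries ending in `/*` can never match because an Origin header carries no path, and `Cookie` in `allowed_headers` is a browser-forbidden header that a CORS policy cannot grant, so those entries are dead configuration.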


@@ -0,0 +1,9 @@
local claims = std.extVar('claims');
{
identity: {
traits: {
email: claims.email,
},
},
}
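Review bot: The mapper copies `claims.email` into the identity's email trait without checking `email_verified`, so a user at a provider that does not verify addresses can obtain an identity carrying an email they do not control; the Kratos OIDC documentation recommends gating the email trait on that claim. Jsonnet also raises an error when `claims` has no `email` field, which would fail the flow for users whose provider omits the claim even though `requested_claims` only asks for it. The documented shape handles both cases by defaulting the claim and emitting the trait conditionally.

```jsonnet
local claims = {
  email_verified: false,
} + std.extVar('claims');

{
  identity: {
    traits: {
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
```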


@@ -114,7 +114,6 @@ func (ac *authContext) authorize(ctx context.Context, req *commonv3.IsRequestAll
Params: []string{"u:" + res.SessionData.Username, "*", proj, org, req.Url, req.Method},
}
authenticated, err := ac.as.Enforce(ctx, &er)
if err != nil {
return err
}


@@ -18,6 +18,19 @@ func NewCasbinEnforcer(db *gorm.DB) *casbinEnforcer {
}
}
// KeyMatchCu custom matching function ref: https://casbin.org/docs/en/function
func KeyMatchCu(key1 string, key2 string) bool {
// admin:ops_star
if key2 == "*" {
return true
}
// FIXME: instead add permissions for userinfo
if key1 == "/auth/v3/userinfo" {
return true
}
return util.KeyMatch2(key1, key2)
}
func (e *casbinEnforcer) Init() (*casbin.CachedEnforcer, error) {
adapter, err := gormadapter.NewAdapterByDB(e.db)
if err != nil {
@@ -39,7 +52,7 @@ g2 = _, _
e = some(where (p.eft == allow))
[matchers]
m = g2(r.sub, p.sub) && globMatch(r.ns, p.ns) && globMatch(r.proj, p.proj) && r.org == p.org && g(r.obj, p.obj, r.act)
m = g2(r.sub, p.sub) && (globMatch(r.ns, p.ns) || globMatch(p.ns, r.ns)) && (globMatch(r.proj, p.proj) || globMatch(p.proj, r.proj)) && (globMatch(r.org, p.org) || globMatch(p.org, r.org)) && g(r.obj, p.obj, r.act)
`
m, err := model.NewModelFromString(modelText)
if err != nil {
@@ -51,7 +64,8 @@ m = g2(r.sub, p.sub) && globMatch(r.ns, p.ns) && globMatch(r.proj, p.proj) && r.
return nil, err
}
enforcer.Enforcer.AddNamedDomainMatchingFunc("g", "", util.KeyMatch2)
// enforcer.Enforcer.AddNamedDomainMatchingFunc("g", "", )
enforcer.Enforcer.AddNamedMatchingFunc("g", "", KeyMatchCu)
return enforcer, nil
}
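Review bot: The rewritten `m =` line in the model text evaluates each glob in both directions, so a request whose ns, proj or org value is itself a pattern — for example the literal `"*"` that `authorize` places in the ns slot of `Params` in the IsRequestAllowed section — now matches every policy regardless of the scope that policy was written for. That reverses the usual direction (policies are patterns, requests are concrete values), and any caller able to put a wildcard into proj or org would match policies scoped to other organisations or projects; whether those two values can be caller-controlled is not visible in this diff. If request-side wildcards are only meant for the internal admin path, prefer keeping `globMatch(r.ns, p.ns) && globMatch(r.proj, p.proj) && globMatch(r.org, p.org)` one-directional and granting admin through a policy whose ns/proj/org are `*`, or reject glob metacharacters in request values before calling Enforce. The commented-out `AddNamedDomainMatchingFunc` line beneath the live one should be removed rather than left as dead text, and the `/auth/v3/userinfo` short-circuit in `KeyMatchCu` skips the object match for that path entirely, as its FIXME already notes.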


@@ -2,7 +2,7 @@
"name": "ops_star.all",
"resource_urls": [
{
"url": "/:*",
"url": "*",
"methods": [
"GET",
"POST",
@@ -16,4 +16,4 @@
"description": "Provides complete access, make me a super admin.",
"authenticated": true,
"scope": "ORGANIZATION"
}
}