Use oathkeeper public url as issuer

ory · Nov 26, 2017 · 31fa680 · 31fa680
1 parent b53bcaf
commit 31fa680
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 10 deletions.
diff --git a/evaluator/evaluator_test.go b/evaluator/evaluator_test.go
@@ -30,7 +30,7 @@ func mustGenerateURL(t *testing.T, u string) *url.URL {
 }
 
 func TestEvaluator(t *testing.T) {
-	we := NewWardenEvaluator(nil, nil, nil)
+	we := NewWardenEvaluator(nil, nil, nil, "")
 	publicRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesURLCompiled: mustCompileRegex(t, "http://localhost/users/<[0-9]+>"), Mode: rule.AnonymousMode}
 	bypassACPRule := rule.Rule{MatchesMethods: []string{"GET"}, MatchesURLCompiled: mustCompileRegex(t, "http://localhost/users/<[0-9]+>"), Mode: rule.AuthenticatedMode}
 	privateRuleWithSubstitution := rule.Rule{

diff --git a/evaluator/evaluator_warden.go b/evaluator/evaluator_warden.go
@@ -18,9 +18,10 @@ type WardenEvaluator struct {
 	Logger  logrus.FieldLogger
 	Matcher rule.Matcher
 	Hydra   hydra.SDK
+	Issuer  string
 }
 
-func NewWardenEvaluator(l logrus.FieldLogger, m rule.Matcher, s hydra.SDK) *WardenEvaluator {
+func NewWardenEvaluator(l logrus.FieldLogger, m rule.Matcher, s hydra.SDK, i string) *WardenEvaluator {
 	if l == nil {
 		l = logrus.New()
 	}
@@ -29,6 +30,7 @@ func NewWardenEvaluator(l logrus.FieldLogger, m rule.Matcher, s hydra.SDK) *Ward
 		Matcher: m,
 		Hydra:   s,
 		Logger:  l,
+		Issuer:  i,
 	}
 }
 
@@ -91,7 +93,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 			WithField("reason", reasons["passthrough"]).
 			WithField("reason_id", "passthrough").
 			Infoln("Access request granted")
-		return &Session{Issuer: "", User: "", Anonymous: true, ClientID: "", Disabled: true}, nil
+		return &Session{Issuer: d.Issuer, User: "", Anonymous: true, ClientID: "", Disabled: true}, nil
 	case rule.AnonymousMode:
 		if token == "" {
 			d.Logger.
@@ -103,7 +105,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 				WithField("reason", reasons["anonymous_without_credentials"]).
 				WithField("reason_id", "anonymous_without_credentials").
 				Infoln("Access request granted")
-			return &Session{Issuer: "", User: "", Anonymous: true, ClientID: ""}, nil
+			return &Session{Issuer: d.Issuer, User: "", Anonymous: true, ClientID: ""}, nil
 		}
 
 		introspection, response, err := d.Hydra.IntrospectOAuth2Token(token, "")
@@ -117,7 +119,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 				WithField("reason", reasons["anonymous_without_credentials_failed_introspection"]).
 				WithField("reason_id", "anonymous_without_credentials_failed_introspection").
 				Infoln("Access request granted")
-			return &Session{Issuer: "", User: "", Anonymous: true, ClientID: ""}, nil
+			return &Session{Issuer: d.Issuer, User: "", Anonymous: true, ClientID: ""}, nil
 		} else if response.StatusCode != http.StatusOK {
 			d.Logger.
 				WithField("granted", true).
@@ -129,7 +131,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 				WithField("reason", reasons["anonymous_introspection_http_error"]).
 				WithField("reason_id", "anonymous_introspection_http_error").
 				Infoln("Access request granted")
-			return &Session{Issuer: "", User: "", Anonymous: true, ClientID: ""}, nil
+			return &Session{Issuer: d.Issuer, User: "", Anonymous: true, ClientID: ""}, nil
 		} else if !introspection.Active {
 			d.Logger.
 				WithField("granted", true).
@@ -141,7 +143,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 				WithField("reason", reasons["anonymous_introspection_invalid_credentials"]).
 				WithField("reason_id", "anonymous_introspection_invalid_credentials").
 				Infoln("Access request granted")
-			return &Session{Issuer: "", User: "", Anonymous: true, ClientID: ""}, nil
+			return &Session{Issuer: d.Issuer, User: "", Anonymous: true, ClientID: ""}, nil
 		}
 
 		d.Logger.
@@ -155,7 +157,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 			WithField("reason_id", "anonymous_with_valid_credentials").
 			Infoln("Access request granted")
 		return &Session{
-			Issuer:    introspection.Iss,
+			Issuer:    d.Issuer,
 			User:      introspection.Sub,
 			ClientID:  introspection.ClientId,
 			Anonymous: false,
@@ -223,7 +225,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 			WithField("reason_id", "introspection_valid").
 			Infoln("Access request granted")
 		return &Session{
-			Issuer:    introspection.Iss,
+			Issuer:    d.Issuer,
 			User:      introspection.Sub,
 			ClientID:  introspection.ClientId,
 			Anonymous: false,
@@ -291,7 +293,7 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
 			WithField("reason_id", "policy_decision_point_access_granted").
 			Infoln("Access request granted")
 		return &Session{
-			Issuer:    introspection.Issuer,
+			Issuer:    d.Issuer,
 			User:      introspection.Subject,
 			ClientID:  introspection.ClientId,
 			Anonymous: false,