wip draft

yetanalytics · Feb 11, 2025 · e6180b7 · e6180b7
1 parent ece6d8a
commit e6180b7
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 42 deletions.
diff --git a/src/dev/lrsql/user.clj b/src/dev/lrsql/user.clj
@@ -203,28 +203,3 @@
 
   (component/stop sys')
   )
-
-
-(defn splice-into-statements-route [routes]
-  (let [f (fn [idx [path :as route]]
-            (if (= "statements"
-                   (last (clojure.string/split path #"/")))
-              idx))
-        idx (some (keep-indexed f routes))]
-    (update-in routes [idx 2] conj
-               {:name :auth-by-cred-id-interceptor
-                :enter (fn [ctx]
-                         (let [last-of-path (last (get-in ctx [:request :path-info]))
-                               cred-id (get-in ctx [:request :params :credentialID])]
-                           (if (and (= "statements" last-of-path)
-                                    cred-id)
-                             (let [cred-q-input (auth-input/query-credential-by-id-input cred-id)
-                                   {:keys [api-key secret-key]} (auth-q/query-credential-by-id cred-q-input)
-
-                                   base64 (util/str->base64encoded-str (str api-key ":" secret-key))]
-                               (-> ctx
-                                   (update-in [:request :params] dissoc :credentialID)
-                                        ;next spoof basic auth
-                                   (assoc-in [:request :headers "authorization"]
-                                             (str "Basic " base64))))
-                             ctx)))})))
diff --git a/src/main/lrsql/auth/interceptor.clj b/src/main/lrsql/auth/interceptor.clj
@@ -0,0 +1,62 @@
+(ns lrsql.auth.interceptor
+  (:require
+   [lrsql.input.auth :as auth-input]
+   [lrsql.ops.query.auth :as auth-q]
+   [lrsql.util :as util]))
+
+(def holder (atom nil))
+(def h2 (atom nil))
+(def h3 (atom nil))
+
+(def auth-by-cred-id-interceptor
+  {:name :auth-by-cred-id-interceptor
+   :enter (fn auth-by-cred-id-interceptor [ctx]
+            (reset! h3 ctx)
+            (println "triggered")
+            (let [cred-id (get-in ctx [:request :params :credentialID])]
+              (if cred-id
+                (do
+                  (println "triggered statements")
+                  (-> ctx
+                      (update-in [:request :params] dissoc :credentialID)
+                                        ;next spoof basic auth
+                      (assoc-in [:request :com.yetanalytics.url-credential-ID] cred-id)))
+                ctx)))})
+
+
+(defn insert-id-auth-interceptor [routes]
+  (reset! holder routes)
+  (let [statements? (fn [[path method]]
+                      (and 
+                       (= "statements"
+                          (last (clojure.string/split path #"/")))
+                       (= method :get)))
+        map-fn (fn [route]
+                 (if (statements? route)
+                   (update-in route [2] (partial into [auth-by-cred-id-interceptor]))
+                   route))]
+    (reset! h2 (->> routes
+                    (map map-fn)
+                    (set)))))
+
+
+
+
+#_(let [routes @holder
+      statements?  (fn [[path method]]
+                     (and 
+                      (= "statements"
+                         (last (clojure.string/split path #"/")))
+                      (= method :get)))
+      map-fn (fn [route]
+               (if (vector? route) (println "vector") (println "not vector" ))
+               (if (statements? route)
+                 (do 
+                   (println route)
+                   (update-in route [2] (partial into [auth-by-cred-id-interceptor]))) 
+                 route))]
+
+
+  (->> routes
+       (map map-fn)
+       (set)))
diff --git a/src/main/lrsql/input/auth.clj b/src/main/lrsql/input/auth.clj
@@ -127,7 +127,7 @@
     :authority-url authority-url}))
 
 (s/fdef query-credential-by-id-input
-  :args string?
+  :args (s/cat :id string?)
   :ret (s/keys :req-un [::id]))
 
 (defn query-credential-by-id-input [id]

diff --git a/src/main/lrsql/ops/query/auth.clj b/src/main/lrsql/ops/query/auth.clj
@@ -103,4 +103,4 @@
 (defn query-credential-by-id
   "Given an input containing `:id`, return a map containing `:id`, `:api-key`, `:secret-key`, `:account-id`"
   [bk tx input]
-  (query-credential-by-id bk tx))
+  (bp/-query-credential-by-id bk tx input))
diff --git a/src/main/lrsql/system/lrs.clj b/src/main/lrsql/system/lrs.clj
@@ -228,18 +228,19 @@
     (let [transform-from-url-auth
           (fn [ctx]
             (let [last-of-path (last (get-in ctx [:request :path-info]))
-                  cred-id (get-in ctx [:request :params :credentialID])]
+                  cred-id (get-in ctx [:request :com.yetanalytics.url-credential-ID])]
               (if (and (= "statements" last-of-path)
                        cred-id)
-                (let [cred-q-input (auth-input/query-credential-by-id-input cred-id)
-                      {:keys [api-key secret-key]} (auth-q/query-credential-by-id cred-q-input)
+                (let [conn (lrs-conn lrs)
+                      cred-q-input (auth-input/query-credential-by-id-input cred-id)
+                      {:keys [api-key secret-key]}
+                      (jdbc/with-transaction [tx conn]
+                        (auth-q/query-credential-by-id cred-q-input))
+
 
                       base64 (util/str->base64encoded-str (str api-key ":" secret-key))]
-                  (-> ctx
-                      (update-in [:request :params] dissoc :credentialID)
-                                        ;next spoof basic auth
-                      (assoc-in [:request :headers "authorization"]
-                                (str "Basic " base64))))
+                  (assoc-in ctx [:request :headers "authorization"]
+                            (str "Basic " base64)))
                 ctx)))
           ctx (transform-from-url-auth ctx)]
       (or
@@ -252,7 +253,6 @@
        ;; Basic Authentication
        (let [conn   (lrs-conn lrs)
              header (get-in ctx [:request :headers "authorization"])
-             credential-id (get-in ctx [:request :params :credentialID ])
              _ (reset! holder ctx)]
          (if-some [key-pair (auth-util/header->key-pair header)]
            (let [{:keys [authority-url]} config

diff --git a/src/main/lrsql/system/webserver.clj b/src/main/lrsql/system/webserver.clj
@@ -6,6 +6,7 @@
             [com.yetanalytics.lrs.pedestal.routes :refer [build]]
             [com.yetanalytics.lrs.pedestal.interceptor :as i]
             [lrsql.admin.routes :refer [add-admin-routes add-openapi-route]]
+            [lrsql.auth.interceptor :as auth-interceptor]
             [lrsql.init.oidc :as oidc]
             [lrsql.init.clamav :as clamav]
             [lrsql.init.git-data :refer [read-version]]
@@ -14,10 +15,12 @@
             [lrsql.util.cert :as cu]
             [lrsql.util.interceptor :refer [handle-json-parse-exn]]))
 
+(def holder (atom nil))
+
 (defn- service-map
   "Create a new service map for the webserver."
   [lrs config]
-  (let [;; Destructure webserver config
+  (let [ ;; Destructure webserver config
         {:keys [enable-http
                 enable-http2
                 http-host
@@ -81,9 +84,7 @@
         (->> (build {:lrs               lrs
                      :path-prefix       url-prefix
                      :wrap-interceptors (into
-                                         [:mythical-interceptor
-
-                                          i/error-interceptor
+                                         [i/error-interceptor
                                           (handle-json-parse-exn)]
                                          oidc-resource-interceptors)
                      :file-scanner      (when enable-clamav
@@ -115,7 +116,8 @@
              (add-openapi-route
               {:lrs lrs
                :head-opts head-opts
-               :version (read-version)}))
+               :version (read-version)})
+             (auth-interceptor/insert-id-auth-interceptor))
 
         ;; Build allowed-origins list. Add without ports as well for
         ;; default ports
@@ -128,7 +130,8 @@
               (= http-port 80) (conj (format "http://%s" http-host))
               (= ssl-port 443) (conj (format "https://%s" http-host))))]
     {:env                      :prod
-     ::http/routes             routes
+     ::http/routes             (do (reset! holder routes)
+                                   routes)
      ;; only serve assets if the admin ui is enabled
      ::http/resource-path      (when enable-admin-ui "/public")
      ::http/type               :jetty