diff --git a/api/transfer.go b/api/transfer.go
index c9e91ca0..4fbf2790 100644
--- a/api/transfer.go
+++ b/api/transfer.go
@@ -1,6 +1,7 @@
 package api

 import (
+ "encoding/base64"
 "encoding/json"
 "errors"
 "fmt"
@@ -201,14 +202,25 @@ func (w Wrapper) UpdateTransferNegotiationStatus(ctx echo.Context, transferID st
 func (w Wrapper) NotifyTransferUpdate(ctx echo.Context, taskID string) error {
 // This gets called by a transfer sending XIS to inform the local node there's FHIR tasks to be retrieved.
 // The PEP added introspection result to the X-Userinfo header
- introspectionResult := ctx.Request().Header.Get("X-Userinfo")
- //log.Errorf("X-Userinfo: %s", introspectionResult)
-
- if introspectionResult == "" {
+ b64IntrospectionResult := ctx.Request().Header.Get("X-Userinfo")
+ //log.Errorf("X-Userinfo: %s", b64IntrospectionResult)
+ if b64IntrospectionResult == "" {
 return errors.New("missing X-Userinfo header")
 }
+
+ // b64 -> json string
+ introspectionResult, err := base64.URLEncoding.DecodeString(b64IntrospectionResult)
+ if err != nil {
+ return fmt.Errorf("failed to base64 decode X-Userinfo header: %w", err)
+ }
+
+ // json string -> map
 target := map[string]interface{}{}
- _ = json.Unmarshal([]byte(introspectionResult), &target)
+ err = json.Unmarshal(introspectionResult, &target)
+ if err != nil {
+ return fmt.Errorf("failed to unmarshal X-Userinfo header: %w", err)
+ }
+
 // client_id for senderDID and sub for customerDID
 senderDID := target["client_id"].(string)
 customerDID := target["sub"].(string)
diff --git a/docker-compose/left/config/pep/nginx.conf b/docker-compose/left/config/pep/nginx.conf
index e233e03a..8d3ea168 100644
--- a/docker-compose/left/config/pep/nginx.conf
+++ b/docker-compose/left/config/pep/nginx.conf
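Review bot: `base64.URLEncoding.DecodeString(b64IntrospectionResult)` expects the URL-safe alphabet, but the header is produced by `btoa(reply.responseBody)` in docker-compose/left/config/pep/oauth2.js (and the right copy), which emits standard base64 with `+` and `/`; any introspection payload whose encoding contains either character is rejected here as illegal base64 even though the PEP accepted the token. Use `base64.StdEncoding.DecodeString(b64IntrospectionResult)` so both ends agree on the alphabet, or switch the JS side to a URL-safe encoder. On the context lines that follow, `target["client_id"].(string)` and `target["sub"].(string)` are unchecked assertions that still panic when a claim is missing or not a string, so a well-encoded but malformed header gets past the new error returns; `senderDID, ok := target["client_id"].(string)` with an error on `!ok` would make the handler fail closed consistently. NotifyTransferUpdate continues past the end of the hunk.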
@@ -102,8 +102,7 @@ http {
 location /_oauth2_authorize {
 internal;
 proxy_method POST;
- proxy_set_header request $request;
- proxy_set_header X-Userinfo $http_x_userinfo;
+ proxy_set_header Content-Type "application/json";
 proxy_pass http://pip-left/v1/data;
 }
 }
diff --git a/docker-compose/left/config/pep/oauth2.js b/docker-compose/left/config/pep/oauth2.js
index a5c96903..9d3b0778 100644
--- a/docker-compose/left/config/pep/oauth2.js
+++ b/docker-compose/left/config/pep/oauth2.js
@@ -15,7 +15,7 @@ function introspectAccessToken(r) {
 const introspection = JSON.parse(reply.responseBody);
 if (introspection.active === true) {
 //dpop(r, introspection.cnf)
- r.headersOut['X-Userinfo'] = reply.responseBody;
+ r.headersOut['X-Userinfo'] = btoa(reply.responseBody);
 r.return(200);
 } else {
 r.return(403);
@@ -31,13 +31,25 @@ function introspectAccessToken(r) {
 function authorize(r) {
 // const xUserinfo = r.headersIn['X-Userinfo'];
 // const requestLine = r.request
+ const input =
+ JSON.stringify({
+ "input": {
+ "request": {
+ "method": r.variables.request_method,
+ "path": r.variables.request_uri, // original non-normalized request_uri, may need some processing in more complex situations
+ "headers": {
+ "X-Userinfo": r.headersIn["X-Userinfo"]
+ }
+ }
+ }
+ });
 r.subrequest("/_oauth2_authorize",
- { method: "POST"},
+ { method: "POST", body: input},
 function(reply) {
 if (reply.status === 200) {
 r.error(reply.responseBody);
 const authResult = JSON.parse(reply.responseBody);
- if (authResult.allow === true) {
+ if (authResult.result.allow === true) {
 r.return(200);
 } else {
 r.return(403);
diff --git a/docker-compose/right/config/pep/nginx.conf b/docker-compose/right/config/pep/nginx.conf
index 592b328c..0444fcc3 100644
--- a/docker-compose/right/config/pep/nginx.conf
+++ b/docker-compose/right/config/pep/nginx.conf
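Review bot: The policy input built on the new side takes `r.headersIn["X-Userinfo"]` from the request reaching authorize, while the hunk above shows introspectAccessToken setting the value on `headersOut` of its own subrequest; the nginx step that carries one to the other is not in this diff, so unless the incoming X-Userinfo is cleared or overwritten before this location runs, a caller's own header would reach the policy engine as if it were the introspection result. A comment at the `"X-Userinfo":` line such as `// must be the value set by introspectAccessToken, never the caller's own header` would make that dependency explicit. `btoa(reply.responseBody)` in the first hunk is specified for Latin-1 input only, so a non-ASCII character in the introspection JSON would make the encoder throw instead of producing a header; encoding the UTF-8 bytes explicitly avoids that. The same two hunks appear unchanged in docker-compose/right/config/pep/oauth2.js, where both points apply as well.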
@@ -102,8 +102,7 @@ http {
 location /_oauth2_authorize {
 internal;
 proxy_method POST;
- proxy_set_header request $request;
- proxy_set_header X-Userinfo $http_x_userinfo;
+ proxy_set_header Content-Type "application/json";
 proxy_pass http://pip-right/v1/data;
 }
 }
diff --git a/docker-compose/right/config/pep/oauth2.js b/docker-compose/right/config/pep/oauth2.js
index a5c96903..cbbc3728 100644
--- a/docker-compose/right/config/pep/oauth2.js
+++ b/docker-compose/right/config/pep/oauth2.js
@@ -15,7 +15,7 @@ function introspectAccessToken(r) {
 const introspection = JSON.parse(reply.responseBody);
 if (introspection.active === true) {
 //dpop(r, introspection.cnf)
- r.headersOut['X-Userinfo'] = reply.responseBody;
+ r.headersOut['X-Userinfo'] = btoa(reply.responseBody);
 r.return(200);
 } else {
 r.return(403);
@@ -31,13 +31,26 @@ function introspectAccessToken(r) {
 function authorize(r) {
 // const xUserinfo = r.headersIn['X-Userinfo'];
 // const requestLine = r.request
+ const input =
+ JSON.stringify({
+ "input": {
+ "request": {
+ "method": r.variables.request_method,
+ "path": r.variables.request_uri, // original non-normalized request_uri, may need some processing in more complex situations
+ "headers": {
+ "X-Userinfo": r.headersIn["X-Userinfo"]
+ }
+ }
+
+ }
+ });
 r.subrequest("/_oauth2_authorize",
- { method: "POST"},
+ { method: "POST", body: input},
 function(reply) {
 if (reply.status === 200) {
 r.error(reply.responseBody);
 const authResult = JSON.parse(reply.responseBody);
- if (authResult.allow === true) {
+ if (authResult.result.allow === true) {
 r.return(200);
 } else {
 r.return(403);