Skip to content

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: ory/oathkeeper
Failed to load repositories. Confirm that selected base ref is valid, then try again.
base: v0.0.17
Choose a base ref
head repository: ory/oathkeeper
Failed to load repositories. Confirm that selected head ref is valid, then try again.
compare: v0.0.18
Choose a head ref
  • 2 commits
  • 1 file changed
  • 2 contributors

Commits on Nov 13, 2017

  1. evaluator: Resolve potential panic in token id generation

    Closes #22
    arekkas authored and arekkas committed Nov 13, 2017
    Copy the full SHA
    8fe9e9a View commit details
  2. evaluator: Improve audit capabilities

    aeneasr authored and arekkas committed Nov 13, 2017
    Copy the full SHA
    c952d21 View commit details
Showing with 151 additions and 16 deletions.
  1. +151 −16 evaluator/evaluator_warden.go
167 changes: 151 additions & 16 deletions evaluator/evaluator_warden.go
Original file line number Diff line number Diff line change
@@ -32,41 +32,116 @@ func NewWardenEvaluator(l logrus.FieldLogger, m rule.Matcher, s hydra.SDK) *Ward

var reasons = map[string]string{
"no_rule_match": "Unable to match a rule",
"passthrough": "Access is granted because rule is set to passthrough",
"anonymous_without_credentials": "Access is granted although no bearer token was given, because the rule allows anonymous access",
"anonymous_introspection_network_error": "Access is granted although token introspection endpoint returned a network error, because the rule allows anonymous access",
"anonymous_introspection_http_error": "Access is granted although token introspection endpoint returned a http error, because the rule allows anonymous access",
"anonymous_introspection_invalid_credentials": "Access is granted although token introspection endpoint could not validate the bearer token, because the rule allows anonymous access",
"anonymous_with_valid_credentials": "Rule allows anonymous access and valid access credentials have been provided",
"missing_credentials": "Rule requires a valid bearer token, but no bearer token was given",
"introspection_network_error": "Rule requires a valid bearer token, but token introspection endpoint returned a network error",
"introspection_http_error": "Rule requires a valid bearer token, but token introspection endpoint returned a http error",
"introspection_invalid_credentials": "Rule requires a valid bearer token, but token introspection endpoint could not validate the token",
"introspection_valid": "Rule requires a valid bearer token, which was confirmed by the token introspection endpoint",
"policy_decision_point_network_error": "Rule requires policy-based access control decision, which failed due to a network error",
"policy_decision_point_http_error": "Rule requires policy-based access control decision, which failed due to a http error",
"policy_decision_point_access_forbidden": "Rule requires policy-based access control decision, which was denied",
"policy_decision_point_access_granted": "Rule requires policy-based access control decision, which was granted",

func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, error) {
token := helper.BearerTokenFromRequest(r)
var tokenID = token
if len(token) >= 5 {
tokenID = token[:5]

rl, err := d.Matcher.MatchRule(r.Method, r.URL)
if err != nil {
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("reason", reasons["no_rule_match"]).
WithField("reason_id", "no_rule_match").
Warn("Access request denied")
return nil, err

if rl.BypassAuthorization {
WithField("granted", true).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("rule", rl.ID).
WithField("reason", reasons["passthrough"]).
WithField("reason_id", "passthrough").
Infoln("Access request granted")
return &Session{User: "", Anonymous: true, ClientID: "", Disabled: true}, nil

if rl.AllowAnonymous {
if token == "" {
WithField("granted", true).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("rule", rl.ID).
WithField("reason", reasons["anonymous_without_credentials"]).
WithField("reason_id", "anonymous_without_credentials").
Infoln("Access request granted")
return &Session{User: "", Anonymous: true, ClientID: ""}, nil

introspection, response, err := d.Hydra.IntrospectOAuth2Token(token, "")
if err != nil {
WithField("granted", true).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", token[:5]).
Errorf("Unable to connect to introspect endpoint.")
WithField("token", tokenID).
WithField("reason", reasons["anonymous_without_credentials_failed_introspection"]).
WithField("reason_id", "anonymous_without_credentials_failed_introspection").
Infoln("Access request granted")
return &Session{User: "", Anonymous: true, ClientID: ""}, nil
} else if response.StatusCode != http.StatusOK {
WithField("granted", true).
WithField("user", "").
WithField("status_code", response.StatusCode).
WithField("token", token[:5]).
WithField("token", tokenID).
WithField("access_url", r.URL.String()).
Errorf("Expected introspection response to return status code 200.")
WithField("reason", reasons["anonymous_introspection_http_error"]).
WithField("reason_id", "anonymous_introspection_http_error").
Infoln("Access request granted")
return &Session{User: "", Anonymous: true, ClientID: ""}, nil
} else if !introspection.Active {
WithField("granted", true).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("rule", rl.ID).
WithField("reason", reasons["anonymous_introspection_invalid_credentials"]).
WithField("reason_id", "anonymous_introspection_invalid_credentials").
Infoln("Access request granted")
return &Session{User: "", Anonymous: true, ClientID: ""}, nil

WithField("granted", true).
WithField("user", introspection.Sub).
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("rule", rl.ID).
WithField("reason", reasons["anonymous_with_valid_credentials"]).
WithField("reason_id", "anonymous_with_valid_credentials").
Infoln("Access request granted")
return &Session{
User: introspection.Sub,
ClientID: introspection.ClientId,
@@ -75,28 +150,62 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro

if token == "" {
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("reason", reasons["missing_credentials"]).
WithField("reason_id", "missing_credentials").
Warn("Access request denied")
return nil, errors.WithStack(helper.ErrMissingBearerToken)

if rl.BypassAccessControlPolicies {
introspection, response, err := d.Hydra.IntrospectOAuth2Token(token, strings.Join(rl.RequiredScopes, " "))
if err != nil {
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", token[:5]).
Errorf("Unable to connect to warden endpoint.")
WithField("token", tokenID).
WithField("reason", reasons["introspection_network_error"]).
WithField("reason_id", "introspection_network_error").
Warn("Access request denied")
return nil, errors.WithStack(err)
} else if response.StatusCode != http.StatusOK {
WithField("status_code", response.StatusCode).
WithField("token", token[:5]).
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
Errorf("Expected warden response to return status code 200.")
WithField("status_code", response.StatusCode).
WithField("token", tokenID).
WithField("reason", reasons["introspection_http_error"]).
WithField("reason_id", "introspection_http_error").
Warn("Access request denied")
return nil, errors.Errorf("Token introspection expects status code %d but got %d", http.StatusOK, response.StatusCode)
} else if !introspection.Active {
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("status_code", response.StatusCode).
WithField("token", tokenID).
WithField("reason", reasons["introspection_invalid_credentials"]).
WithField("reason_id", "introspection_invalid_credentials").
Warn("Access request denied")
return nil, errors.WithStack(helper.ErrUnauthorized)

WithField("granted", true).
WithField("user", introspection.Sub).
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("rule", rl.ID).
WithField("reason", reasons["introspection_valid"]).
WithField("reason_id", "introspection_valid").
Infoln("Access request granted")
return &Session{
User: introspection.Sub,
ClientID: introspection.ClientId,
@@ -107,21 +216,47 @@ func (d *WardenEvaluator) EvaluateAccessRequest(r *http.Request) (*Session, erro
introspection, response, err := d.Hydra.DoesWardenAllowTokenAccessRequest(d.prepareAccessRequests(r, token, rl))
if err != nil {
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("token", token[:5]).
Errorf("Unable to connect to warden endpoint.")
WithField("token", tokenID).
WithField("reason", reasons["policy_decision_point_network_error"]).
WithField("reason_id", "policy_decision_point_network_error").
Warn("Access request denied")
return nil, errors.WithStack(err)
} else if response.StatusCode != http.StatusOK {
WithField("status_code", response.StatusCode).
WithField("token", token[:5]).
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
Errorf("Expected warden response to return status code 200.")
WithField("status_code", response.StatusCode).
WithField("token", tokenID).
WithField("reason", reasons["policy_decision_point_http_error"]).
WithField("reason_id", "policy_decision_point_http_error").
Warn("Access request denied")
return nil, errors.Errorf("Token introspection expects status code %d but got %d", http.StatusOK, response.StatusCode)
} else if !introspection.Allowed {
WithField("granted", false).
WithField("user", "").
WithField("access_url", r.URL.String()).
WithField("status_code", response.StatusCode).
WithField("token", tokenID).
WithField("reason", reasons["policy_decision_point_access_forbidden"]).
WithField("reason_id", "policy_decision_point_access_forbidden").
Warn("Access request denied")
return nil, errors.WithStack(helper.ErrForbidden)

WithField("granted", true).
WithField("user", introspection.Subject).
WithField("access_url", r.URL.String()).
WithField("token", tokenID).
WithField("rule", rl.ID).
WithField("reason", reasons["policy_decision_point_access_granted"]).
WithField("reason_id", "policy_decision_point_access_granted").
Infoln("Access request granted")
return &Session{
User: introspection.Subject,
ClientID: introspection.ClientId,