From 970434a060a132f69cb78599d26cce6180f2004f Mon Sep 17 00:00:00 2001
From: Peter Holloway <peter.holloway@diamond.ac.uk>
Date: Thu, 10 Oct 2024 14:21:01 +0100
Subject: [PATCH] Very rough draft for supporting both keycloak and cas

---
 policy/diamond/policy/token/token.rego | 34 +++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/policy/diamond/policy/token/token.rego b/policy/diamond/policy/token/token.rego
index 05eef79..73cfd9c 100644
--- a/policy/diamond/policy/token/token.rego
+++ b/policy/diamond/policy/token/token.rego
@@ -2,10 +2,42 @@ package diamond.policy.token
 
 import rego.v1
 
-verify(token) := profile.sub if {
+verify_cas(token) := profile.sub if {
 	profile := http.send({
 		"url": opa.runtime().env.USERINFO_ENDPOINT,
 		"method": "GET",
 		"headers": {"authorization": token},
 	})
 }
+
+verify_keycloak(token) := claims if {
+
+    fetch_jwks(url) := http.send({
+        "url": jwks_url,
+        "method": "GET",
+        "force_cache": true,
+        "force_cache_duration_seconds": 86400,
+    })
+
+    jwks_endpoint := opa.runtime().env.JWKS_ENDPOINT
+
+    unverified := io.jwt.decode(token)
+
+    jwt_header := unverified[0]
+
+    jwks_url := concat("?", [jwks_endpoint, urlquery.encode_object({"kid": jwt_header.kid})])
+
+    jwks := fetch_jwks(jwks_url).raw_body
+
+    valid := io.jwt.decode_verify(token, {
+        "cert": jwks,
+        "iss": "https://authn.diamond.ac.uk/realms/master",
+        "aud": "account",
+    })
+
+    claims := valid[2]
+
+}
+
+verify if verify_cas(input.token)
+verify if verify_keycloak(input.token)