From bd0ee386df640337d8a834a1e5b8d9bd7386a221 Mon Sep 17 00:00:00 2001
From: "Aeneas Rekkas (arekkas)"
Date: Mon, 5 Jun 2017 09:09:56 +0200
Subject: [PATCH] jwk/handler: nest ac check and resolve stray log message

Closes #271
---
 jwk/handler.go | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/jwk/handler.go b/jwk/handler.go
index 73a70a2012..7a1c14871c 100644
--- a/jwk/handler.go
+++ b/jwk/handler.go
@@ -101,18 +101,20 @@ type joseWebKeySetRequest struct {
 // 500: genericError
 func (h *Handler) WellKnown(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = context.Background()
-	if err := h.W.IsAllowed(ctx, &firewall.AccessRequest{
-		Subject: "",
-		Resource: "rn:hydra:keys:" + IDTokenKeyName + ":public",
-		Action: "get",
-	}); err == nil {
-		// Allow unauthorized requests to access this resource if it is enabled by policies
-	} else if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: "rn:hydra:keys:" + IDTokenKeyName + ":public",
 		Action: "get",
 	}, "hydra.keys.get"); err != nil {
-		h.H.WriteError(w, r, err)
-		return
+		if err := h.W.IsAllowed(ctx, &firewall.AccessRequest{
+			Subject: "",
+			Resource: "rn:hydra:keys:" + IDTokenKeyName + ":public",
+			Action: "get",
+		}); err != nil {
+			h.H.WriteError(w, r, err)
+			return
+		} else {
+			// Allow unauthorized requests to access this resource if it is enabled by policies
+		}
 	}
 
 	keys, err := h.Manager.GetKey(IDTokenKeyName, "public")
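Review bot: The rewritten authorization block in WellKnown is now the same ten lines as the one in the GetKey hunk below (only the resource string differs), including an `else` branch that holds nothing but a comment, and when the anonymous IsAllowed fallback also denies, the TokenAllowed error is dropped, so the client and any log line only ever see the policy denial and never the token problem (expired token, missing `hydra.keys.get` scope). Extract the sequence into one method on Handler that both handlers call with their resource string, keep the policy error as the returned value so WriteError's status mapping is unchanged, and surface the token error where the fallback is taken (presumably through whatever logger h already carries; none is visible in the hunk). Both enclosing functions start and end outside the hunks.
```go
// authorizeKeyRead permits the request when it carries a token that policies
// accept for resource with the hydra.keys.get scope, or, failing that, when
// policies grant anonymous (empty subject) "get" access to resource. On denial
// the policy error is returned, matching the status WriteError produced before.
func (h *Handler) authorizeKeyRead(ctx context.Context, r *http.Request, resource string) error {
	_, tokenErr := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
		Resource: resource,
		Action:   "get",
	}, "hydra.keys.get")
	if tokenErr == nil {
		return nil
	}
	// Allow unauthorized requests to access this resource if it is enabled by policies.
	if err := h.W.IsAllowed(ctx, &firewall.AccessRequest{
		Subject:  "",
		Resource: resource,
		Action:   "get",
	}); err != nil {
		// TODO(review): record tokenErr here too, so a denial explains both paths.
		return err
	}
	return nil
}

// … in WellKnown, replacing the nested if/else …
	if err := h.authorizeKeyRead(ctx, r, "rn:hydra:keys:"+IDTokenKeyName+":public"); err != nil {
		h.H.WriteError(w, r, err)
		return
	}
// … unchanged: h.Manager.GetKey call and response writing …
```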
@@ -159,18 +161,20 @@ func (h *Handler) GetKey(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	var setName = ps.ByName("set")
 	var keyName = ps.ByName("key")
 
-	if err := h.W.IsAllowed(ctx, &firewall.AccessRequest{
-		Subject: "",
-		Resource: "rn:hydra:keys:" + setName + ":" + keyName,
-		Action: "get",
-	}); err == nil {
-		// Allow unauthorized requests to access this resource if it is enabled by policies
-	} else if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: "rn:hydra:keys:" + setName + ":" + keyName,
 		Action: "get",
 	}, "hydra.keys.get"); err != nil {
-		h.H.WriteError(w, r, err)
-		return
+		if err := h.W.IsAllowed(ctx, &firewall.AccessRequest{
+			Subject: "",
+			Resource: "rn:hydra:keys:" + setName + ":" + keyName,
+			Action: "get",
+		}); err != nil {
+			h.H.WriteError(w, r, err)
+			return
+		} else {
+			// Allow unauthorized requests to access this resource if it is enabled by policies
+		}
 	}
 
 	keys, err := h.Manager.GetKey(setName, keyName)