From 1d942027a9d0763b6c3b31be5dbbd964fc46ea27 Mon Sep 17 00:00:00 2001
From: Marcial Rosales
Date: Wed, 28 May 2025 17:02:29 +0200
Subject: [PATCH] Add system test for variable expansion
---
 .../src/rabbit_auth_backend_oauth2.erl | 1 +
 .../test/system_SUITE.erl | 30 ++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
index 69a6a0f2f9..cf1be034f7 100644
--- a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
@@ -97,6 +97,7 @@ check_resource_access(#auth_user{impl = DecodedTokenFun},
 with_decoded_token(DecodedTokenFun(), fun(Token) ->
 Scopes = get_expanded_scopes(Token, Resource),
+ rabbit_log:debug("Checking against scopes: ~p", [Scopes]),
 rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
 end).
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/system_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/system_SUITE.erl
index 75a86b30b8..65e10bb87e 100644
--- a/deps/rabbitmq_auth_backend_oauth2/test/system_SUITE.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/test/system_SUITE.erl
@@ -35,6 +35,7 @@ groups() ->
 test_successful_connection_with_a_full_permission_token_and_all_defaults,
 test_successful_connection_with_a_full_permission_token_and_explicitly_configured_vhost,
 test_successful_connection_with_simple_strings_for_aud_and_scope,
+ test_successful_connection_with_variable_expansion_on_queue_access,
 test_successful_token_refresh,
 test_successful_connection_without_verify_aud,
 mqtt
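Review bot: The debug line added after `Scopes = get_expanded_scopes(Token, Resource)` records only the expanded scope list, so when an authorization decision needs explaining the entry cannot be matched to the resource or permission that was being checked, which is exactly what is needed to account for a 403 on the client side. Both inputs are already in scope, so the line can carry them at no cost: `rabbit_log:debug("Checking ~p permission on ~p against scopes: ~p", [Permission, Resource, Scopes]),`. Since this sits inside `check_resource_access` it fires on every resource access check, which is high-volume once debug logging is enabled; that is acceptable at debug level but deserves a comment such as `%% debug-only: emitted on every resource access check`. If the rest of this module has moved to the `?LOG_DEBUG` macro from `logger.hrl`, prefer it over `rabbit_log:debug` here for consistency. The enclosing `check_resource_access` starts before the hunk; only its head appears in the hunk header.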
@@ -42,6 +43,7 @@ groups() ->
 {basic_unhappy_path, [], [
 test_failed_connection_with_expired_token,
 test_failed_connection_with_a_non_token,
+ test_failed_connection_with_a_token_with_variable_expansion,
 test_failed_connection_with_a_token_with_insufficient_vhost_permission,
 test_failed_connection_with_a_token_with_insufficient_resource_permission,
 more_than_one_resource_server_id_not_allowed_in_one_token,
@@ -134,7 +136,8 @@ end_per_group(_Group, Config) ->
 %%
 init_per_testcase(Testcase, Config) when Testcase =:= test_successful_connection_with_a_full_permission_token_and_explicitly_configured_vhost orelse
- Testcase =:= test_successful_token_refresh ->
+ Testcase =:= test_successful_token_refresh orelse
+ Testcase =:= test_successful_connection_with_variable_expansion_on_queue_access ->
 rabbit_ct_broker_helpers:add_vhost(Config, <<"vhost1">>),
 rabbit_ct_helpers:testcase_started(Config, Testcase),
 Config;
@@ -420,6 +423,19 @@ test_successful_connection_with_simple_strings_for_aud_and_scope(Config) ->
 amqp_channel:call(Ch, #'queue.declare'{exclusive = true}),
 close_connection_and_channel(Conn, Ch).
+test_successful_connection_with_variable_expansion_on_queue_access(Config) ->
+ {_Algo, Token} = generate_valid_token(
+ Config,
+ <<"rabbitmq.configure:*/{vhost}-{sub}-* rabbitmq.write:*/* rabbitmq.read:*/*">>,
+ [<<"hare">>, <<"rabbitmq">>],
+ <<"Bob">>
+ ),
+ Conn = open_unmanaged_connection(Config, 0, <<"vhost1">>, <<"Bob">>, Token),
+ {ok, Ch} = amqp_connection:open_channel(Conn),
+ #'queue.declare_ok'{} =
+ amqp_channel:call(Ch, #'queue.declare'{queue = <<"vhost1-Bob-1">>, exclusive = true}),
+ close_connection_and_channel(Conn, Ch).
+
 test_successful_connection_without_verify_aud(Config) ->
 {_Algo, Token} = generate_valid_token(
 Config,
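Review bot: `test_successful_connection_with_variable_expansion_on_queue_access` only shows that `vhost1-Bob-1` is accepted; with `write` and `read` granted as `*/*`, the test would look identical if `{vhost}`/`{sub}` expansion degraded into a plain wildcard, because nothing in it checks that a name outside the expanded pattern is refused under the same token. A second declare on a fresh channel pins that down before the final `close_connection_and_channel(Conn, Ch)`: `{ok, Ch2} = amqp_connection:open_channel(Conn),` followed by `?assertExit({{shutdown, {server_initiated_close, 403, _}}, _}, amqp_channel:call(Ch2, #'queue.declare'{queue = <<"vhost1-Alice-1">>, exclusive = true})),`. Separately, the `sub` claim is interpolated into a pattern language where `*` is a wildcard; if `get_expanded_scopes` substitutes the claim verbatim (not visible in this hunk), a token whose `sub` is `*` or contains `-` would widen `{vhost}-{sub}-*` far beyond the intended queues, so a case with such a `sub` is worth adding to this group. `<<"Bob">>` is presumably the `sub` set by `generate_valid_token/4`; a comment on that argument, e.g. `%% sub claim; must match the {sub} variable in the configure scope`, would make the expected expansion readable.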
@@ -895,6 +911,18 @@ test_failed_connection_with_a_token_with_insufficient_vhost_permission(Config) -
 ?assertEqual({error, not_allowed},
 open_unmanaged_connection(Config, 0, <<"off-limits-vhost">>, <<"username">>, Token)).
+test_failed_connection_with_a_token_with_variable_expansion(Config) ->
+ {_Algo, Token} = generate_valid_token(
+ Config,
+ <<"rabbitmq.configure:*/{vhost}-{sub}-* rabbitmq.write:*/* rabbitmq.read:*/*">>,
+ [<<"hare">>, <<"rabbitmq">>]
+ ),
+ Conn = open_unmanaged_connection(Config, 0, <<"vhost2">>, <<"username">>, Token),
+ {ok, Ch} = amqp_connection:open_channel(Conn),
+ ?assertExit({{shutdown, {server_initiated_close, 403, _}}, _},
+ amqp_channel:call(Ch, #'queue.declare'{queue = <<"vhost1-username-3">>, exclusive = true})),
+ close_connection(Conn).
+
 test_failed_connection_with_a_token_with_insufficient_resource_permission(Config) ->
 {_Algo, Token} = generate_valid_token(Config, [<<"rabbitmq.configure:vhost2/jwt*">>,
 <<"rabbitmq.write:vhost2/jwt*">>,
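Review bot: The 403 asserted in `test_failed_connection_with_a_token_with_variable_expansion` does not demonstrate variable expansion: `vhost1-username-3` declared on `vhost2` also fails to match the unexpanded literal `{vhost}-{sub}-*`, so the test passes whether or not either variable is ever substituted, and because the token comes from `generate_valid_token/3` the `sub` it carries is not visible here, leaving it unclear which variable the mismatch is meant to exercise. Fixing the subject explicitly, as the happy-path test does, isolates one variable per case: build the token with `generate_valid_token(Config, <<"rabbitmq.configure:*/{vhost}-{sub}-* rabbitmq.write:*/* rabbitmq.read:*/*">>, [<<"hare">>, <<"rabbitmq">>], <<"Bob">>)`, connect as `<<"Bob">>`, and declare `<<"vhost1-Bob-3">>` so only `{vhost}` differs from the expanded `vhost2-Bob-*`; a sibling declare of `<<"vhost2-Alice-3">>` on another channel then covers the `{sub}` mismatch. A comment above the `?assertExit`, e.g. `%% connected to vhost2, so the expanded scope is vhost2-Bob-*; a vhost1-* name must be refused`, states the expectation without running the suite.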