Add system test for variable expansion

This commit is contained in:
Marcial Rosales 2025-05-28 17:02:29 +02:00
parent 0023ba2a01
commit 1d942027a9
2 changed files with 30 additions and 1 deletions


@ -97,6 +97,7 @@ check_resource_access(#auth_user{impl = DecodedTokenFun},
with_decoded_token(DecodedTokenFun(), with_decoded_token(DecodedTokenFun(),
fun(Token) -> fun(Token) ->
Scopes = get_expanded_scopes(Token, Resource), Scopes = get_expanded_scopes(Token, Resource),
rabbit_log:debug("Checking against scopes: ~p", [Scopes]),
rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes) rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
end). end).
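Review bot: The debug line added at `rabbit_log:debug("Checking against scopes: ~p", [Scopes])` records the expanded scopes but not the `Resource` or `Permission` being checked, so on a busy broker the output cannot be tied to a specific authorization decision. Since this sits on the per-operation `check_resource_access` path, I would make the single line carry the whole decision context: `rabbit_log:debug("Checking ~p access to ~p against scopes: ~p", [Permission, Resource, Scopes])`. The expanded scopes are authorization data derived from the token rather than the token itself, so emitting them at debug level looks acceptable, but they may embed the expanded `{sub}` username and vhost names; if that is a concern for your log retention, this is the place to redact. `check_resource_access` begins before this hunk, so the binding of `Resource` and `Permission` is assumed from the header context.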


@ -35,6 +35,7 @@ groups() ->
test_successful_connection_with_a_full_permission_token_and_all_defaults, test_successful_connection_with_a_full_permission_token_and_all_defaults,
test_successful_connection_with_a_full_permission_token_and_explicitly_configured_vhost, test_successful_connection_with_a_full_permission_token_and_explicitly_configured_vhost,
test_successful_connection_with_simple_strings_for_aud_and_scope, test_successful_connection_with_simple_strings_for_aud_and_scope,
test_successful_connection_with_variable_expansion_on_queue_access,
test_successful_token_refresh, test_successful_token_refresh,
test_successful_connection_without_verify_aud, test_successful_connection_without_verify_aud,
mqtt mqtt
@ -42,6 +43,7 @@ groups() ->
{basic_unhappy_path, [], [ {basic_unhappy_path, [], [
test_failed_connection_with_expired_token, test_failed_connection_with_expired_token,
test_failed_connection_with_a_non_token, test_failed_connection_with_a_non_token,
test_failed_connection_with_a_token_with_variable_expansion,
test_failed_connection_with_a_token_with_insufficient_vhost_permission, test_failed_connection_with_a_token_with_insufficient_vhost_permission,
test_failed_connection_with_a_token_with_insufficient_resource_permission, test_failed_connection_with_a_token_with_insufficient_resource_permission,
more_than_one_resource_server_id_not_allowed_in_one_token, more_than_one_resource_server_id_not_allowed_in_one_token,
@ -134,7 +136,8 @@ end_per_group(_Group, Config) ->
%% %%
init_per_testcase(Testcase, Config) when Testcase =:= test_successful_connection_with_a_full_permission_token_and_explicitly_configured_vhost orelse init_per_testcase(Testcase, Config) when Testcase =:= test_successful_connection_with_a_full_permission_token_and_explicitly_configured_vhost orelse
Testcase =:= test_successful_token_refresh -> Testcase =:= test_successful_token_refresh orelse
Testcase =:= test_successful_connection_with_variable_expansion_on_queue_access ->
rabbit_ct_broker_helpers:add_vhost(Config, <<"vhost1">>), rabbit_ct_broker_helpers:add_vhost(Config, <<"vhost1">>),
rabbit_ct_helpers:testcase_started(Config, Testcase), rabbit_ct_helpers:testcase_started(Config, Testcase),
Config; Config;
@ -420,6 +423,19 @@ test_successful_connection_with_simple_strings_for_aud_and_scope(Config) ->
amqp_channel:call(Ch, #'queue.declare'{exclusive = true}), amqp_channel:call(Ch, #'queue.declare'{exclusive = true}),
close_connection_and_channel(Conn, Ch). close_connection_and_channel(Conn, Ch).
test_successful_connection_with_variable_expansion_on_queue_access(Config) ->
{_Algo, Token} = generate_valid_token(
Config,
<<"rabbitmq.configure:*/{vhost}-{sub}-* rabbitmq.write:*/* rabbitmq.read:*/*">>,
[<<"hare">>, <<"rabbitmq">>],
<<"Bob">>
),
Conn = open_unmanaged_connection(Config, 0, <<"vhost1">>, <<"Bob">>, Token),
{ok, Ch} = amqp_connection:open_channel(Conn),
#'queue.declare_ok'{} =
amqp_channel:call(Ch, #'queue.declare'{queue = <<"vhost1-Bob-1">>, exclusive = true}),
close_connection_and_channel(Conn, Ch).
test_successful_connection_without_verify_aud(Config) -> test_successful_connection_without_verify_aud(Config) ->
{_Algo, Token} = generate_valid_token( {_Algo, Token} = generate_valid_token(
Config, Config,
@ -895,6 +911,18 @@ test_failed_connection_with_a_token_with_insufficient_vhost_permission(Config) -
?assertEqual({error, not_allowed}, ?assertEqual({error, not_allowed},
open_unmanaged_connection(Config, 0, <<"off-limits-vhost">>, <<"username">>, Token)). open_unmanaged_connection(Config, 0, <<"off-limits-vhost">>, <<"username">>, Token)).
test_failed_connection_with_a_token_with_variable_expansion(Config) ->
{_Algo, Token} = generate_valid_token(
Config,
<<"rabbitmq.configure:*/{vhost}-{sub}-* rabbitmq.write:*/* rabbitmq.read:*/*">>,
[<<"hare">>, <<"rabbitmq">>]
),
Conn = open_unmanaged_connection(Config, 0, <<"vhost2">>, <<"username">>, Token),
{ok, Ch} = amqp_connection:open_channel(Conn),
?assertExit({{shutdown, {server_initiated_close, 403, _}}, _},
amqp_channel:call(Ch, #'queue.declare'{queue = <<"vhost1-username-3">>, exclusive = true})),
close_connection(Conn).
test_failed_connection_with_a_token_with_insufficient_resource_permission(Config) -> test_failed_connection_with_a_token_with_insufficient_resource_permission(Config) ->
{_Algo, Token} = generate_valid_token(Config, [<<"rabbitmq.configure:vhost2/jwt*">>, {_Algo, Token} = generate_valid_token(Config, [<<"rabbitmq.configure:vhost2/jwt*">>,
<<"rabbitmq.write:vhost2/jwt*">>, <<"rabbitmq.write:vhost2/jwt*">>,