Add a docker based example of rsa_keys

Add a simpler way of demonstrating asymmetric keys, where only
docker is required.
This commit is contained in:
Philip Kuryloski 2020-03-04 23:21:53 +01:00
parent 4cb2d24b0c
commit 37d9a2bf77
7 changed files with 297 additions and 1 deletions


@ -8,7 +8,10 @@ queues.each do |q|
vhost = split[0]
queue_name = split[1]
conn = Bunny.new(:vhost => vhost)
conn = Bunny.new(:host => ENV["BUNNY_HOST"] || "127.0.0.1",
:user => ENV["BUNNY_USER"] || "guest",
:pass => ENV["BUNNY_PASS"] || "guest",
:vhost => vhost)
conn.start
ch = conn.create_channel
ch.queue(queue_name)
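Review bot: The `|| "guest"` fallbacks on the new `Bunny.new` call mean a missing or misspelled `BUNNY_USER`/`BUNNY_PASS` silently degrades to RabbitMQ's default guest account instead of failing, which is hard to diagnose when `BUNNY_HOST` points at a non-loopback address where the guest account is refused by default. `ENV.fetch("BUNNY_USER", "guest")` keeps the default while making the intent explicit, or `ENV.fetch("BUNNY_PASS")` if callers are always expected to supply it. The enclosing `queues.each` block starts before and ends after this hunk.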


@ -0,0 +1,101 @@
PLATFORM := $(shell uname)
ifeq ($(PLATFORM),Darwin)
HOST_DOCKER := host.docker.internal
endif
ifeq ($(PLATFORM),Linux)
HOST_DOCKER := $(shell ip addr show docker0 | grep -Po 'inet \K[\d.]+')
endif
.DEFAULT_GOAL = test
.PHONY: run-uaa
run-uaa:
docker exec uaa /bin/echo \
|| docker run \
--detach \
--name uaa \
--publish 8080:8080 \
--mount type=bind,source=$(CURDIR)/uaa,target=/etc/uaa \
--env JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom" \
pkuryloski/uaa:74.15.0
.PHONY: run-rabbitmq
run-rabbitmq: run-uaa
docker exec rabbitmq /bin/echo \
|| docker run \
--detach \
--name rabbitmq \
--publish 5672:5672 \
--publish 15672:15672 \
--mount type=bind,source="$(CURDIR)"/rabbitmq,target=/etc/rabbitmq \
rabbitmq:3.8-management
.PHONY: wait-rabbitmq
wait-rabbitmq: run-rabbitmq
docker exec rabbitmq rabbitmq-diagnostics ping -q \
|| (sleep 15; docker exec rabbitmq rabbitmq-diagnostics ping -q)
.PHONY: vhosts
vhosts: wait-rabbitmq
docker exec rabbitmq rabbitmqctl add_vhost uaa_vhost
docker exec rabbitmq rabbitmqctl add_vhost other_vhost
docker exec rabbitmq rabbitmqctl set_permissions -p uaa_vhost admin '.*' '.*' '.*'
docker exec rabbitmq rabbitmqctl set_permissions -p other_vhost admin '.*' '.*' '.*'
.PHONY: uaac-bunny-image
uaac-bunny-image:
docker images | grep "^uaac\s" \
|| docker run --name uaac ruby:2.5 gem install cf-uaac bunny
docker images | grep "^uaac\s" \
|| (docker commit $$(docker ps -aqf "name=^uaac$$") uaac:latest \
&& docker rm uaac)
.PHONY: queues
queues: vhosts uaac-bunny-image
docker run -it --rm \
--name declare-queues \
--mount type=bind,source="$(CURDIR)"/../declare_queues.rb,target=/workspace/declare_queues.rb \
-w /workspace \
uaac \
/bin/bash -c "BUNNY_HOST=$(HOST_DOCKER) \
BUNNY_USER=admin \
BUNNY_PASS=rabo2 \
ruby declare_queues.rb \
uaa_vhost/some_queue \
uaa_vhost/other_queue \
other_vhost/some_queue \
other_vhost/other_queue"
.PHONY: tokens
tokens: queues uaac-bunny-image
docker run -it --rm \
--name fetch-tokens \
uaac \
/bin/bash -c " \
uaac target http://$(HOST_DOCKER):8080/uaa \
&& uaac signing key \
&& uaac token owner get rabbit_client rabbit_super -s rabbit_secret -p rabbit_super \
&& uaac token owner get rabbit_client rabbit_nosuper -s rabbit_secret -p rabbit_nosuper \
&& uaac context rabbit_nosuper \
&& uaac context rabbit_super"
.PHONY: check-token
check-token: queues uaac-bunny-image
docker run -it --rm \
--name check-token \
--mount type=bind,source="$(CURDIR)"/check_token.rb,target=/workspace/check_token.rb \
uaac \
/bin/bash -c " \
uaac target http://$(HOST_DOCKER):8080/uaa \
&& uaac token owner get rabbit_client rabbit_super -s rabbit_secret -p rabbit_super \
&& BUNNY_HOST=$(HOST_DOCKER) ruby /workspace/check_token.rb"
.PHONY: test
test: check-token
.PHONY: cleanup
cleanup:
docker stop rabbitmq uaa
docker rm rabbitmq uaa
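Review bot: The `docker run -it` invocations in the queues, tokens and check-token recipes allocate a TTY, so `make test` fails with "the input device is not a TTY" whenever it runs without one (CI, cron, piped output); nothing in those recipes reads stdin, so `docker run --rm \` is sufficient. HOST_DOCKER is assigned only for Darwin and Linux and is empty when `docker0` is absent, which surfaces much later as `http://:8080/uaa` inside the containers; a parse-time guard after the platform block, `ifeq ($(strip $(HOST_DOCKER)),)` / `$(error HOST_DOCKER could not be determined for $(PLATFORM))` / `endif`, fails fast instead. The bind-mount source in the run-uaa recipe is unquoted (`source=$(CURDIR)/uaa`) while the other three quote `"$(CURDIR)"`; quoting it too keeps a path containing spaces from breaking only that target.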


@ -0,0 +1,29 @@
#!/usr/bin/env ruby
require 'net/http'
require 'bunny'
require 'yaml'
host = ENV["BUNNY_HOST"]
config = YAML.load_file('/root/.uaac.yml')
access_token = config["http://#{host}:8080/uaa"]["contexts"]["rabbit_super"]["access_token"]
conn = Bunny.new(:host => host,
:user => "",
:pass => access_token,
:vhost => "uaa_vhost")
conn.start
puts "Connected via AMQP!"
conn.stop
uri = URI("http://#{host}:15672/api/vhosts")
req = Net::HTTP::Get.new(uri)
req['Authorization'] = "Bearer #{access_token}"
res = Net::HTTP.start(uri.hostname, uri.port) { |http|
http.request(req)
}
raise "Could not connect to managment API." unless res.is_a?(Net::HTTPSuccess)
puts "Connected via Management Plugin API!"
puts res.body
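Review bot: The chained lookup on the `access_token =` line raises an opaque `NoMethodError` on `nil` when `/root/.uaac.yml` has no entry for `http://#{host}:8080/uaa` or no `rabbit_super` context (for example when `BUNNY_HOST` is empty or the tokens step was skipped); `access_token = config.dig("http://#{host}:8080/uaa", "contexts", "rabbit_super", "access_token") or raise "no rabbit_super token for #{host} in /root/.uaac.yml"` reports the actual problem. The `raise` near the end misspells "management" in its message. `conn.stop` is skipped if anything between `conn.start` and it raises; wrapping the AMQP check in `begin … ensure conn.stop end` makes the intent explicit.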


@ -0,0 +1 @@
[rabbitmq_management,rabbitmq_auth_backend_oauth2].


@ -0,0 +1,30 @@
[
{rabbit, [
{default_user, <<"admin">>},
{default_pass, <<"rabo2">>},
{auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
]},
{rabbitmq_management, [
{enable_uaa, true},
{uaa_client_id, "rabbit_client"},
{uaa_location, "http://localhost:8080/uaa"}
]},
{rabbitmq_auth_backend_oauth2, [
{resource_server_id, <<"rabbitmq">>},
{key_config, [
{default_key, <<"key-1">>},
{signing_keys,
#{<<"key-1">> => {pem, <<"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dP+vRn+Kj+S/oGd49kq
6+CKNAduCC1raLfTH7B3qjmZYm45yDl+XmgK9CNmHXkho9qvmhdksdzDVsdeDlhK
IdcIWadhqDzdtn1hj/22iUwrhH0bd475hlKcsiZ+oy/sdgGgAzvmmTQmdMqEXqV2
B9q9KFBmo4Ahh/6+d4wM1rH9kxl0RvMAKLe+daoIHIjok8hCO4cKQQEw/ErBe4SF
2cr3wQwCfF1qVu4eAVNVfxfy/uEvG3Q7x005P3TcK+QcYgJxav3lictSi5dyWLgG
QAvkknWitpRK8KVLypEj5WKej6CF8nq30utn15FQg0JkHoqzwiCqqeen8GIPteI7
VwIDAQAB
-----END PUBLIC KEY-----">>}
}
}]
}
]}
].
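Review bot: The `default_user`/`default_pass` pair creates a full administrator account whose password `rabo2` is also hard-coded as `BUNNY_PASS` in the Makefile's queues recipe, and the container publishes 5672 and 15672 to the host, so the two copies drift silently if either is changed; a comment such as `%% demo-only credentials; must match BUNNY_USER/BUNNY_PASS in the Makefile` on the `default_pass` line at least ties them together. The public key embedded under `signing_keys` must correspond to the private key under `jwt.token.policy.keys.key-1` in uaa.yml; a one-line comment above `signing_keys` saying so saves the next person from regenerating one without the other.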


@ -0,0 +1,28 @@
status = error
dest = err
name = UaaLog
property.log_pattern=[%d{yyyy-MM-dd HH:mm:ss.SSS}] uaa%X{context} - %pid [%t] .... %5p --- %c{1}: %replace{%m}{(?<=password=|client_secret=)([^&]*)}{<redacted>}%n
appender.uaaDefaultAppender.type = Console
appender.uaaDefaultAppender.name = UaaDefaultAppender
appender.uaaDefaultAppender.layout.type = PatternLayout
appender.uaaDefaultAppender.layout.pattern = [UAA] ${log_pattern}
appender.uaaAuditAppender.type = Console
appender.uaaAuditAppender.name = UaaAuditAppender
appender.uaaAuditAppender.layout.type = PatternLayout
appender.uaaAuditAppender.layout.pattern = [UAA_AUDIT] ${log_pattern}
rootLogger.level = info
rootLogger.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
logger.UAAAudit.name = UAA.Audit
logger.UAAAudit.level = info
logger.UAAAudit.additivity = true
logger.UAAAudit.appenderRef.auditEventLog.ref = UaaAuditAppender
logger.cfIdentity.name = org.cloudfoundry.identity
logger.cfIdentity.level = info
logger.cfIdentity.additivity = false
logger.cfIdentity.appenderRef.uaaDefaultAppender.ref = UaaDefaultAppender
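Review bot: `logger.UAAAudit.additivity = true` together with `rootLogger.appenderRef.uaaDefaultAppender` means every UAA.Audit event is written to the console twice, once as `[UAA_AUDIT]` and once as `[UAA]`, whereas `logger.cfIdentity` sets `additivity = false`; if the duplication is intended, a comment saying so would help, otherwise `logger.UAAAudit.additivity = false` mirrors the cfIdentity logger. The `%replace` redaction in `property.log_pattern` masks only `password=` and `client_secret=` parameters, which is worth stating in a comment so nobody assumes other sensitive fields in messages are masked.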


@ -0,0 +1,104 @@
logging:
config: /etc/uaa/log4j2.properties
issuer:
uri: http://localhost:8080/uaa
encryption:
active_key_label: CHANGE-THIS-KEY
encryption_keys:
- label: CHANGE-THIS-KEY
passphrase: CHANGEME
login:
serviceProviderKey: |
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5
L39WqS9u0hnA+O7MCA/KlrAR4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vA
fpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCYxhMol6ZnTbSsFW6VZjFMjQIDAQAB
AoGAVOj2Yvuigi6wJD99AO2fgF64sYCm/BKkX3dFEw0vxTPIh58kiRP554Xt5ges
7ZCqL9QpqrChUikO4kJ+nB8Uq2AvaZHbpCEUmbip06IlgdA440o0r0CPo1mgNxGu
lhiWRN43Lruzfh9qKPhleg2dvyFGQxy5Gk6KW/t8IS4x4r0CQQD/dceBA+Ndj3Xp
ubHfxqNz4GTOxndc/AXAowPGpge2zpgIc7f50t8OHhG6XhsfJ0wyQEEvodDhZPYX
kKBnXNHzAkEAyCA76vAwuxqAd3MObhiebniAU3SnPf2u4fdL1EOm92dyFs1JxyyL
gu/DsjPjx6tRtn4YAalxCzmAMXFSb1qHfwJBAM3qx3z0gGKbUEWtPHcP7BNsrnWK
vw6By7VC8bk/ffpaP2yYspS66Le9fzbFwoDzMVVUO/dELVZyBnhqSRHoXQcCQQCe
A2WL8S5o7Vn19rC0GVgu3ZJlUrwiZEVLQdlrticFPXaFrn3Md82ICww3jmURaKHS
N+l4lnMda79eSp3OMmq9AkA0p79BvYsLshUJJnvbk76pCjR28PK4dV1gSDUEqQMB
qy45ptdwJLqLJCeNoR0JUcDNIRhOCuOPND7pcMtX6hI/
-----END RSA PRIVATE KEY-----
serviceProviderKeyPassword: password
serviceProviderCertificate: |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
#The secret that an external login server will use to authenticate to the uaa using the id `login`
LOGIN_SECRET: loginsecret
oauth:
clients:
rabbit_client:
id: rabbit_client
secret: rabbit_secret
authorized-grant-types: password,implicit
scope: rabbitmq.*,openid
authorities: rabbitmq
redirect-uri: http://localhost:15672/**
scim:
username_pattern: '[a-z0-9+\-_.@]+'
users:
- rabbit_super|rabbit_super|rabbit_super@example.com|Rabbit|Super|rabbitmq.read:*/*,rabbitmq.write:*/*,rabbitmq.configure:*/*,rabbitmq.tag:administrator
- rabbit_nosuper|rabbit_nosuper|rabbit_nosuper@example.com|Rabbit|Nosuper|rabbitmq.write:uaa_vhost/*,rabbitmq.read:uaa_vhost/some*
jwt:
token:
policy:
keys:
key-1:
signingKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA2dP+vRn+Kj+S/oGd49kq6+CKNAduCC1raLfTH7B3qjmZYm45
yDl+XmgK9CNmHXkho9qvmhdksdzDVsdeDlhKIdcIWadhqDzdtn1hj/22iUwrhH0b
d475hlKcsiZ+oy/sdgGgAzvmmTQmdMqEXqV2B9q9KFBmo4Ahh/6+d4wM1rH9kxl0
RvMAKLe+daoIHIjok8hCO4cKQQEw/ErBe4SF2cr3wQwCfF1qVu4eAVNVfxfy/uEv
G3Q7x005P3TcK+QcYgJxav3lictSi5dyWLgGQAvkknWitpRK8KVLypEj5WKej6CF
8nq30utn15FQg0JkHoqzwiCqqeen8GIPteI7VwIDAQABAoIBAFsB5FszYepa11o3
4zSPxgv4qyUjuYf3GfoNW0rRGp3nJLtoHAIYa0CcLX9kzsQfmLtxoY46mdppxr8Z
2qUZpBdRVO7ILNfyXhthdQKI2NuyFDhtYK1p8bx6BXe095HMcvm2ohjXzPdTP4Hq
HrXAYXjUndUbClbjMJ82AnPF8pM70kBq7g733UqkdfrMuv6/d95Jiyw4cC7dGsI3
Ruz9DGhiAyCBtQ0tUB+6Kqn5DChSB+ccfMJjr6GnCVYmERxEQ5DJCTIX8am8C6KX
mAxUwHMTsEGBU6GzhcUgAwUFEK3I9RptdlRFp7F8E/P0LxmPkFdgaBNUhrdnB7Y4
01n1R1kCgYEA/huFJgwVWSBSK/XIouFuQrxZOI9JbBbdmpFT7SBGCdFg26Or9y7j
+N5HE7yuoZ9PkBh17zzosZdsJhGocRYvO0LSq8cXvKXKCwn2fTMM7uJ/oQe68sxG
cF/fC0M/8LvRESWShH920rrERu0s161RuasdOPre0aXu7ZQzkQ68O6MCgYEA23NO
DHKNblBOdFEWsvotLqV8DrIbQ4le7sSgQr56/bdn9GScZk2JU0f+pqzpiGUy9bIt
6uujvt5ar0IvpIQVdjf3dbp6Fy+Dwhd4yTR4dMdDECest7jL++/21x8Y0ywFhBIK
yEd+QxpOLXP6qaSKTGxL2rnTXRjl8/g629xQPL0CgYEAkNNOh+jLIgjxzGxA9dRV
62M91qaTyi8eDkJV+wgx4taaxZP7Jt5qwCSvjegz/5m01wOZ88hbNxx+XxQhVJK4
SKZFO/I07Sfwh2oeOi0maeBdrYGiY09ZtiJuFRU3FBV3irZHU4zyRBh+VY5HyITX
12JXPWp+JC7WhkG5QiuLzNECgYEA15OBzICLpx6Es4clAVT6JaSzJcyZM9MyyuOl
e2ubbrpJCK/9ZBIvIPzMj/e0wiSH1wzeRrSM+ud7tkcSfk6ytptsIN67KSOoD3b3
VNCStEU7ABe5eBG1cRzeI52MyYWpNYBzzyNMSacBvWz9hMD6ivCn44pAtGfNHclw
KKNYvxECgYBOamf25md9Jy6rtQsJVEJWw+8sB4lBlKEEadc5qekR7ZQ0hwj8CnTm
WOo856ynI28Sog62iw8F/do/z0B29RuGuxw+prkBkn3lg/VQXEitzqcYvota6osa
8XSfaPiTyQwWpzbFNZzzemlTsIDiF3UqwkHvWaMYPDf4Ng3cokPPxw==
-----END RSA PRIVATE KEY-----