Merge pull request #7893 from rabbitmq/mergify/bp/v3.12.x/pr-7887

Remove deprecated UAA oauth settings (backport #7887)
2023-04-14 19:37:03 +04:00 · 2023-04-14 19:37:03 +04:00 · 6cef0dc7fe
parent ca8acf67d9 7b8beb1c69
commit 6cef0dc7fe
5 changed files with 44 additions and 83 deletions
--- a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
+++ b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@ -5,7 +5,7 @@
 %%
 %% ----------------------------------------------------------------------------

-%% A prefix used for scopes in UAA to avoid scope collisions (or unintended overlap). It is an empty string by default.
+%% A prefix used for scopes to avoid scope collisions (or unintended overlap). It is an empty string by default.
 %%
 %% {resource_server_id, <<"my_rabbit_server">>},

--- a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+++ b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@ -432,20 +432,6 @@ end}.
 %% ===========================================================================
 %% Authorization

-%% Configure OAuth2 in the management ui to work with old versions of UAA (which versions?)
-{mapping, "management.enable_uaa", "rabbitmq_management.enable_uaa",
-    [{datatype, {enum, [true, false]}}]}.
-
-%% Your client application's identifier as registered with the OIDC/OAuth2. Deprecated, switch to oauth_client_id
-{mapping, "management.uaa_client_id", "rabbitmq_management.uaa_client_id",
-      [{datatype, string}]}.
-{mapping, "management.uaa_client_secret", "rabbitmq_management.uaa_client_secret",
-      [{datatype, string}]}.
-
-%% The URL of the OIDC/OAuth2 provider
-{mapping, "management.uaa_location", "rabbitmq_management.uaa_location",
-      [{datatype, string}]}.
-
 %% Enable OAuth2 in the management ui
 {mapping, "management.oauth_enabled", "rabbitmq_management.oauth_enabled",
    [{datatype, {enum, [true, false]}}]}.
--- a/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
+++ b/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
@ -21,21 +21,7 @@ function oauth_initialize_if_required() {


 function auth_settings_apply_defaults(authSettings) {
-  if (authSettings.enable_uaa == "true") {

-    if (!authSettings.oauth_provider_url) {
-      authSettings.oauth_provider_url = authSettings.uaa_location
-    }
-    if (!authSettings.oauth_client_id) {
-      authSettings.oauth_client_id = authSettings.uaa_client_id
-    }
-    if (!authSettings.oauth_client_secret) {
-      authSettings.oauth_client_secret = authSettings.uaa_client_secret
-    }
-    if (!authSettings.oauth_scopes) {
-      authSettings.oauth_scopes = "openid profile " + authSettings.oauth_resource_id + ".*";
-    }
-  }
  if (!authSettings.oauth_response_type) {
    authSettings.oauth_response_type = "code"; // although the default value in oidc client
  }
@ -71,7 +57,7 @@ function oauth_initialize(authSettings) {
        authority: authSettings.oauth_provider_url,
        client_id: authSettings.oauth_client_id,
        response_type: authSettings.oauth_response_type,
-        scope: authSettings.oauth_scopes, // for uaa we may need to include <resource-server-id>.*
+        scope: authSettings.oauth_scopes,
        resource: authSettings.oauth_resource_id,
        redirect_uri: rabbit_base_uri + "/js/oidc-oauth/login-callback.html",
        post_logout_redirect_uri: rabbit_base_uri + "/",
@ -89,13 +75,6 @@ function oauth_initialize(authSettings) {
      oidcSettings.metadataUrl = authSettings.oauth_metadata_url;
    }

-    if (authSettings.enable_uaa == true) {
-      // This is required for old versions of UAA because the newer ones do expose
-      // the end_session_endpoint on the oidc discovery endpoint, .a.k.a. metadataUrl
-      oidcSettings.metadataSeed = {
-        end_session_endpoint: authSettings.oauth_provider_url + "/logout.do"
-      }
-    }
    oidc.Log.setLevel(oidc.Log.DEBUG);
    oidc.Log.setLogger(console);

--- a/deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf
+++ b/deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf
@ -1,7 +1,6 @@
 auth_backends.1 = rabbit_auth_backend_oauth2

 management.login_session_timeout = 1
-management.enable_uaa = true
 management.oauth_enabled = true
 management.oauth_client_id = rabbit_client_code
 management.oauth_scopes = ${OAUTH_SCOPES}
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
@ -24,52 +24,49 @@ variances(Req, Context) ->
 content_types_provided(ReqData, Context) ->
   {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.

-to_json(ReqData, Context) ->
-    EnableUAA = application:get_env(rabbitmq_management, enable_uaa, false),
-    EnableOAUTH = application:get_env(rabbitmq_management, oauth_enabled, false),
-    Data = case EnableOAUTH of
-      true ->
-          OAuthInitiatedLogonType = application:get_env(rabbitmq_management, oauth_initiated_logon_type, sp_initiated),
-          OAuthProviderUrl = application:get_env(rabbitmq_management, oauth_provider_url, ""),
+authSettings() ->
+  EnableOAUTH = application:get_env(rabbitmq_management, oauth_enabled, false),
+  case EnableOAUTH of
+    true ->
+      OAuthInitiatedLogonType = application:get_env(rabbitmq_management, oauth_initiated_logon_type, sp_initiated),
+      OAuthProviderUrl = application:get_env(rabbitmq_management, oauth_provider_url, ""),
+      case OAuthInitiatedLogonType of
+        sp_initiated ->
+          OAuthClientId = application:get_env(rabbitmq_management, oauth_client_id, ""),
+          OAuthClientSecret = application:get_env(rabbitmq_management, oauth_client_secret, ""),
+          OAuthMetadataUrl = application:get_env(rabbitmq_management, oauth_metadata_url, ""),
+          OAuthScopes = application:get_env(rabbitmq_management, oauth_scopes, ""),
+          OAuthResourceId = application:get_env(rabbitmq_auth_backend_oauth2, resource_server_id, ""),
+          case is_invalid([OAuthResourceId]) of
+            true ->
+               [{oauth_enabled, false}];
+            false ->
+                case is_invalid([OAuthClientId, OAuthProviderUrl]) of
+                    true ->
+                        [{oauth_enabled, false}, {oauth_client_id, <<>>}, {oauth_provider_url, <<>>}];
+                    false ->
+                        append_oauth_optional_secret([
+                         {oauth_enabled, true},
+                         {oauth_client_id, rabbit_data_coercion:to_binary(OAuthClientId)},
+                         {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)},
+                         {oauth_scopes, rabbit_data_coercion:to_binary(OAuthScopes)},
+                         {oauth_metadata_url, rabbit_data_coercion:to_binary(OAuthMetadataUrl)},
+                         {oauth_resource_id, rabbit_data_coercion:to_binary(OAuthResourceId)}
+                         ], OAuthClientSecret)
+                end
+          end;
+        idp_initiated ->
+           [{oauth_enabled, true},
+            {oauth_initiated_logon_type, rabbit_data_coercion:to_binary(OAuthInitiatedLogonType)},
+            {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)}
+            ]
+        end;
+     false ->
+        [{oauth_enabled, false}]
+  end.

-          case OAuthInitiatedLogonType of
-            sp_initiated ->
-              OAuthClientId = application:get_env(rabbitmq_management, oauth_client_id, ""),
-              OAuthClientSecret = application:get_env(rabbitmq_management, oauth_client_secret, ""),
-              OAuthMetadataUrl = application:get_env(rabbitmq_management, oauth_metadata_url, ""),
-              OAuthScopes = application:get_env(rabbitmq_management, oauth_scopes, ""),
-              OAuthResourceId = application:get_env(rabbitmq_auth_backend_oauth2, resource_server_id, ""),
-              case is_invalid([OAuthResourceId]) of
-                  true ->
-                      rabbit_log:warning("Disabling OAuth 2 authorization, missing resource_server_id in oauth2 plugin", []),
-                       [{oauth_enabled, false}];
-                  false ->
-                      case is_invalid([OAuthClientId, OAuthProviderUrl]) of
-                          true ->
-                              rabbit_log:warning("Disabling OAuth 2 authorization, missing relevant configuration in management plugin", []),
-                              [{oauth_enabled, false}, {oauth_client_id, <<>>}, {oauth_provider_url, <<>>}];
-                          false ->
-                              append_oauth_optional_secret([
-                               {oauth_enabled, true},
-                               {enable_uaa, rabbit_data_coercion:to_binary(EnableUAA)},
-                               {oauth_client_id, rabbit_data_coercion:to_binary(OAuthClientId)},
-                               {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)},
-                               {oauth_scopes, rabbit_data_coercion:to_binary(OAuthScopes)},
-                               {oauth_metadata_url, rabbit_data_coercion:to_binary(OAuthMetadataUrl)},
-                               {oauth_resource_id, rabbit_data_coercion:to_binary(OAuthResourceId)}
-                               ], OAuthClientSecret)
-                      end
-              end;
-            idp_initiated ->
-               [{oauth_enabled, true},
-                {oauth_initiated_logon_type, rabbit_data_coercion:to_binary(OAuthInitiatedLogonType)},
-                {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)}
-                ]
-            end;
-       false ->
-           [{oauth_enabled, false}]
-     end,
-     rabbit_mgmt_util:reply(Data, ReqData, Context).
+  to_json(ReqData, Context) ->
+    rabbit_mgmt_util:reply(authSettings(), ReqData, Context).

 is_authorized(ReqData, Context) ->
    {true, ReqData, Context}.