Merge pull request #7893 from rabbitmq/mergify/bp/v3.12.x/pr-7887

Remove deprecated UAA oauth settings (backport #7887)

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -5,7 +5,7 @@
 %%
 %% ----------------------------------------------------------------------------
 
-%% A prefix used for scopes in UAA to avoid scope collisions (or unintended overlap). It is an empty string by default.
+%% A prefix used for scopes to avoid scope collisions (or unintended overlap). It is an empty string by default.
 %%
 %% {resource_server_id, <<"my_rabbit_server">>},
 

deps/rabbitmq_management/priv/schema/rabbitmq_management.schema

@@ -432,20 +432,6 @@ end}.
 %% ===========================================================================
 %% Authorization
 
-%% Configure OAuth2 in the management ui to work with old versions of UAA (which versions?)
-{mapping, "management.enable_uaa", "rabbitmq_management.enable_uaa",
-    [{datatype, {enum, [true, false]}}]}.
-
-%% Your client application's identifier as registered with the OIDC/OAuth2. Deprecated, switch to oauth_client_id
-{mapping, "management.uaa_client_id", "rabbitmq_management.uaa_client_id",
-      [{datatype, string}]}.
-{mapping, "management.uaa_client_secret", "rabbitmq_management.uaa_client_secret",
-      [{datatype, string}]}.
-
-%% The URL of the OIDC/OAuth2 provider
-{mapping, "management.uaa_location", "rabbitmq_management.uaa_location",
-      [{datatype, string}]}.
-
 %% Enable OAuth2 in the management ui
 {mapping, "management.oauth_enabled", "rabbitmq_management.oauth_enabled",
     [{datatype, {enum, [true, false]}}]}.

deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

@@ -21,21 +21,7 @@ function oauth_initialize_if_required() {
 
 
 function auth_settings_apply_defaults(authSettings) {
-  if (authSettings.enable_uaa == "true") {
 
-    if (!authSettings.oauth_provider_url) {
-      authSettings.oauth_provider_url = authSettings.uaa_location
-    }
-    if (!authSettings.oauth_client_id) {
-      authSettings.oauth_client_id = authSettings.uaa_client_id
-    }
-    if (!authSettings.oauth_client_secret) {
-      authSettings.oauth_client_secret = authSettings.uaa_client_secret
-    }
-    if (!authSettings.oauth_scopes) {
-      authSettings.oauth_scopes = "openid profile " + authSettings.oauth_resource_id + ".*";
-    }
-  }
   if (!authSettings.oauth_response_type) {
     authSettings.oauth_response_type = "code"; // although the default value in oidc client
   }
@@ -71,7 +57,7 @@ function oauth_initialize(authSettings) {
         authority: authSettings.oauth_provider_url,
         client_id: authSettings.oauth_client_id,
         response_type: authSettings.oauth_response_type,
-        scope: authSettings.oauth_scopes, // for uaa we may need to include <resource-server-id>.*
+        scope: authSettings.oauth_scopes,
         resource: authSettings.oauth_resource_id,
         redirect_uri: rabbit_base_uri + "/js/oidc-oauth/login-callback.html",
         post_logout_redirect_uri: rabbit_base_uri + "/",
@@ -89,13 +75,6 @@ function oauth_initialize(authSettings) {
       oidcSettings.metadataUrl = authSettings.oauth_metadata_url;
     }
 
-    if (authSettings.enable_uaa == true) {
-      // This is required for old versions of UAA because the newer ones do expose
-      // the end_session_endpoint on the oidc discovery endpoint, .a.k.a. metadataUrl
-      oidcSettings.metadataSeed = {
-        end_session_endpoint: authSettings.oauth_provider_url + "/logout.do"
-      }
-    }
     oidc.Log.setLevel(oidc.Log.DEBUG);
     oidc.Log.setLogger(console);
 

deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf

@@ -1,7 +1,6 @@
 auth_backends.1 = rabbit_auth_backend_oauth2
 
 management.login_session_timeout = 1
-management.enable_uaa = true
 management.oauth_enabled = true
 management.oauth_client_id = rabbit_client_code
 management.oauth_scopes = ${OAUTH_SCOPES}

deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl

@@ -24,14 +24,12 @@ variances(Req, Context) ->
 content_types_provided(ReqData, Context) ->
    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
 
-to_json(ReqData, Context) ->
-    EnableUAA = application:get_env(rabbitmq_management, enable_uaa, false),
+authSettings() ->
   EnableOAUTH = application:get_env(rabbitmq_management, oauth_enabled, false),
-    Data = case EnableOAUTH of
+  case EnableOAUTH of
     true ->
       OAuthInitiatedLogonType = application:get_env(rabbitmq_management, oauth_initiated_logon_type, sp_initiated),
       OAuthProviderUrl = application:get_env(rabbitmq_management, oauth_provider_url, ""),
-
       case OAuthInitiatedLogonType of
         sp_initiated ->
           OAuthClientId = application:get_env(rabbitmq_management, oauth_client_id, ""),
@@ -41,17 +39,14 @@ to_json(ReqData, Context) ->
           OAuthResourceId = application:get_env(rabbitmq_auth_backend_oauth2, resource_server_id, ""),
           case is_invalid([OAuthResourceId]) of
             true ->
-                      rabbit_log:warning("Disabling OAuth 2 authorization, missing resource_server_id in oauth2 plugin", []),
                [{oauth_enabled, false}];
             false ->
                 case is_invalid([OAuthClientId, OAuthProviderUrl]) of
                     true ->
-                              rabbit_log:warning("Disabling OAuth 2 authorization, missing relevant configuration in management plugin", []),
                         [{oauth_enabled, false}, {oauth_client_id, <<>>}, {oauth_provider_url, <<>>}];
                     false ->
                         append_oauth_optional_secret([
                          {oauth_enabled, true},
-                               {enable_uaa, rabbit_data_coercion:to_binary(EnableUAA)},
                          {oauth_client_id, rabbit_data_coercion:to_binary(OAuthClientId)},
                          {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)},
                          {oauth_scopes, rabbit_data_coercion:to_binary(OAuthScopes)},
@@ -68,8 +63,10 @@ to_json(ReqData, Context) ->
         end;
      false ->
         [{oauth_enabled, false}]
-     end,
-     rabbit_mgmt_util:reply(Data, ReqData, Context).
+  end.
+
+  to_json(ReqData, Context) ->
+    rabbit_mgmt_util:reply(authSettings(), ReqData, Context).
 
 is_authorized(ReqData, Context) ->
     {true, ReqData, Context}.