Simplify auth_settings

Always emit a single array of oauth_resource_servers,
regardless of whether only a resource_server_id
or many resource servers are configured.
Marcial Rosales 2024-01-22 17:53:01 +01:00
parent fa3653acb1
commit a253a8cc31
3 changed files with 61 additions and 106 deletions


@ -34,7 +34,7 @@ function auth_settings_apply_defaults(authSettings) {
}
authSettings.resource_servers = []
if (authSettings.oauth_resource_servers && Object.keys(authSettings.oauth_resource_servers).length > 0) {
if (authSettings.oauth_resource_servers) {
for (const [resource_server_id, resource_server] of Object.entries(authSettings.oauth_resource_servers)) {
if (!resource_server.oauth_provider_url) {
@ -80,25 +80,6 @@ function auth_settings_apply_defaults(authSettings) {
resource_server.id = resource_server_id
authSettings.resource_servers.push(resource_server)
}
}else if (authSettings.oauth_provider_url) {
let resource = {
"provider_url" : authSettings.oauth_provider_url,
"scopes" : authSettings.oauth_scopes,
"response_type" : authSettings.oauth_response_type,
"sp_initiated" : authSettings.oauth_initiated_logon_type == "sp_initiated",
"id" : authSettings.oauth_resource_id
}
if (authSettings.oauth_client_id) {
resource.client_id = authSettings.oauth_client_id
}
if (authSettings.oauth_client_secret && authSettings.oauth_client_id) {
resource.client_secret = authSettings.oauth_client_secret
}
if (authSettings.metadata_url) {
resource.metadata_url = authSettings.metadata_url
}
authSettings.resource_servers.push(resource)
}
return authSettings;
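Review bot: With the single-resource fallback deleted in the second hunk, `auth_settings_apply_defaults` no longer reads the top-level `oauth_provider_url`, `oauth_client_id` or `oauth_client_secret`, and the loosened guard in the first hunk (the line without the `Object.keys(...).length` check appears to be the new side) makes `oauth_resource_servers` the only source of resource servers; nothing in the code says so, and the next reader will go looking for the old branch. A one-line comment above that `if` would close the gap, e.g. `// oauth_resource_servers is the only source of resource servers (keyed by id, see resource_server.id below); the backend is expected to emit it even for a single resource_server_id` — confirm against the Erlang side that this is indeed the contract before stating it. The enclosing function starts and ends outside the hunks.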


@ -79,7 +79,7 @@ skip_unknown_resource_servers(MgtOauthResources, OAuth2Resources) ->
skip_disabled_mgt_resource_servers(MgtOauthResources) ->
maps:filter(fun(_Key, Value) -> not proplists:get_value(disabled, Value, false) end, MgtOauthResources).
has_multi_resources(OAuth2BackendProps, ManagementProps) ->
extract_oauth2_and_mgt_resources(OAuth2BackendProps, ManagementProps) ->
OAuth2Resources = getAllDeclaredOauth2Resources(OAuth2BackendProps),
MgtResources0 = skip_unknown_resource_servers(proplists:get_value(resource_servers, ManagementProps, #{}), OAuth2Resources),
MgtResources1 = maps:merge(MgtResources0, maps:filtermap(fun(K,_V) ->
@ -88,14 +88,14 @@ has_multi_resources(OAuth2BackendProps, ManagementProps) ->
false -> {true, [{id, K}]}
end end, OAuth2Resources)),
MgtResources = skip_disabled_mgt_resource_servers(MgtResources1),
HasMulti = {true, OAuth2Resources, MgtResources},
case maps:size(MgtResources) of
0 ->
case maps:size(OAuth2Resources) of
0 -> false;
_ -> {true, OAuth2Resources, MgtResources}
1 -> {};
_ -> HasMulti
end;
_ -> {true, OAuth2Resources, MgtResources}
_ -> HasMulti
end.
getAllDeclaredOauth2Resources(OAuth2BackendProps) ->
OAuth2Resources = proplists:get_value(resource_servers, OAuth2BackendProps, #{}),
@ -111,21 +111,27 @@ authSettings() ->
case EnableOAUTH of
false -> [{oauth_enabled, false}];
true ->
case has_multi_resources(OAuth2BackendProps, ManagementProps) of
case extract_oauth2_and_mgt_resources(OAuth2BackendProps, ManagementProps) of
{true, OAuth2Resources, MgtResources} ->
multi_resource_auth_settings(OAuth2Resources, MgtResources, ManagementProps);
false -> single_resource_auth_settings(OAuth2BackendProps, ManagementProps)
produce_auth_settings(OAuth2Resources, MgtResources, ManagementProps);
{} -> [{oauth_enabled, false}]
end
end.
skip_resource_servers_without_oauth_client_id(MgtResourceServers) ->
skip_resource_servers_without_oauth_client_id_with_sp_initiated_logon(MgtResourceServers, ManagementProps) ->
DefaultOauthInitiatedLogonType = proplists:get_value(oauth_initiated_logon_type, ManagementProps, sp_initiated),
maps:filter(fun(_K,ResourceServer) ->
SpInitiated = case proplists:get_value(oauth_initiated_logon_type, ResourceServer, DefaultOauthInitiatedLogonType) of
sp_initiated -> true;
_ -> false
end,
not SpInitiated or
not is_invalid([proplists:get_value(oauth_client_id, ResourceServer)]) end, MgtResourceServers).
filter_resource_servers_without_resolvable_oauth_client_id(MgtResourceServers, ManagementProps) ->
filter_resource_servers_without_resolvable_oauth_client_id_for_sp_initiated(MgtResourceServers, ManagementProps) ->
case is_invalid([proplists:get_value(oauth_client_id, ManagementProps)]) of
true -> skip_resource_servers_without_oauth_client_id(MgtResourceServers);
true -> skip_resource_servers_without_oauth_client_id_with_sp_initiated_logon(MgtResourceServers, ManagementProps);
false -> MgtResourceServers
end.
@ -144,10 +150,10 @@ filter_resource_servers_without_resolvable_oauth_provider_url(OAuthResourceServe
end
end end , MgtResourceServers)).
multi_resource_auth_settings(OAuthResourceServers, MgtResourceServers, ManagementProps) ->
produce_auth_settings(OAuthResourceServers, MgtResourceServers, ManagementProps) ->
ConvertValuesToBinary = fun(_K,V) -> [ {K1, to_binary(V1)} || {K1,V1} <- V ] end,
FilteredMgtResourceServers = filter_resource_servers_without_resolvable_oauth_provider_url(OAuthResourceServers,
filter_resource_servers_without_resolvable_oauth_client_id(MgtResourceServers, ManagementProps), ManagementProps),
filter_resource_servers_without_resolvable_oauth_client_id_for_sp_initiated(MgtResourceServers, ManagementProps), ManagementProps),
case maps:size(FilteredMgtResourceServers) of
0 -> [{oauth_enabled, false}];
@ -166,60 +172,6 @@ multi_resource_auth_settings(OAuthResourceServers, MgtResourceServers, Managemen
])
end.
single_resource_auth_settings(OAuth2BackendProps, ManagementProps) ->
OAuthInitiatedLogonType = proplists:get_value(oauth_initiated_logon_type, ManagementProps, sp_initiated),
OAuthDisableBasicAuth = proplists:get_value(oauth_disable_basic_auth, ManagementProps, true),
OAuthProviderUrl = resolve_oauth_provider_url(ManagementProps),
OAuthResourceId = proplists:get_value(resource_server_id, OAuth2BackendProps),
case OAuthInitiatedLogonType of
sp_initiated ->
case is_invalid([OAuthResourceId]) of
true ->
rabbit_log:error("Invalid rabbitmq_auth_backend_oauth2.resource_server_id ~p", [OAuthResourceId]),
[{oauth_enabled, false}];
false ->
OAuthClientId = proplists:get_value(oauth_client_id, ManagementProps),
case is_invalid([OAuthClientId, OAuthProviderUrl]) of
true ->
rabbit_log:error("Invalid rabbitmq_management oauth_client_id ~p or resolved oauth_provider_url ~p",
[OAuthClientId, OAuthProviderUrl]),
[{oauth_enabled, false}];
false ->
filter_empty_properties([
{oauth_enabled, true},
{oauth_disable_basic_auth, OAuthDisableBasicAuth},
{oauth_client_id, to_binary(OAuthClientId)},
{oauth_provider_url, to_binary(OAuthProviderUrl)},
to_tuple(oauth_scopes, ManagementProps),
to_tuple(oauth_metadata_url, ManagementProps),
{oauth_resource_id, to_binary(OAuthResourceId)},
to_tuple(oauth_client_secret, ManagementProps)
])
end
end;
idp_initiated ->
case is_invalid([OAuthResourceId]) of
true ->
rabbit_log:error("Invalid rabbitmq_auth_backend_oauth2.resource_server_id ~p", [OAuthResourceId]),
[{oauth_enabled, false}];
false ->
case is_invalid([OAuthProviderUrl]) of
true ->
rabbit_log:error("Invalid rabbitmq_management resolved oauth_provider_url ~p", [OAuthProviderUrl]),
[{oauth_enabled, false}];
false ->
[{oauth_enabled, true},
{oauth_disable_basic_auth, OAuthDisableBasicAuth},
{oauth_initiated_logon_type, to_binary(OAuthInitiatedLogonType)},
{oauth_provider_url, to_binary(OAuthProviderUrl)},
{oauth_resource_id, to_binary(OAuthResourceId)}
]
end
end
end.
filter_empty_properties(ListOfProperties) ->
lists:filter(fun(Prop) ->
case Prop of


@ -17,8 +17,8 @@ all() ->
{group, without_any_settings},
{group, with_oauth_disabled},
{group, verify_client_id_and_secret},
{group, verify_oauth_provider_url_with_single_resource},
{group, verify_oauth_provider_url_with_single_resource_and_another_resource},
{group, verify_mgt_oauth_provider_url_with_single_resource},
{group, verify_mgt_oauth_provider_url_with_single_resource_and_another_resource},
{group, verify_oauth_initiated_logon_type_for_sp_initiated},
{group, verify_oauth_initiated_logon_type_for_idp_initiated},
{group, verify_oauth_disable_basic_auth},
@ -65,15 +65,15 @@ groups() ->
]}
]}
]},
{verify_oauth_provider_url_with_single_resource, [], [
{verify_mgt_oauth_provider_url_with_single_resource, [], [
{with_resource_server_id_rabbit, [], [
{with_root_issuer_url1, [], [
{with_oauth_enabled, [], [
should_return_disabled_auth_settings,
{with_mgt_oauth_client_id_z, [], [
should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url1,
should_return_mgt_oauth_provider_url_url1,
{with_mgt_oauth_provider_url_url0, [], [
should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url0
should_return_mgt_oauth_provider_url_url0
]}
]}
]}
@ -83,12 +83,12 @@ groups() ->
{with_oauth_enabled, [], [
should_return_disabled_auth_settings,
{with_mgt_oauth_client_id_z, [], [
should_return_oauth_resource_server_rabbit_with_oauth_provider_url_idp1_url,
should_return_mgt_oauth_provider_url_idp1_url,
{with_root_issuer_url1, [], [
should_return_oauth_resource_server_rabbit_with_oauth_provider_url_idp1_url
should_return_mgt_oauth_provider_url_idp1_url
]},
{with_mgt_oauth_provider_url_url0, [], [
should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url0
should_return_mgt_oauth_provider_url_url0
]}
]}
]}
@ -96,7 +96,7 @@ groups() ->
]}
]}
]},
{verify_oauth_provider_url_with_single_resource_and_another_resource, [], [
{verify_mgt_oauth_provider_url_with_single_resource_and_another_resource, [], [
{with_resource_server_id_rabbit, [], [
{with_resource_server_a, [], [
{with_root_issuer_url1, [], [
@ -169,13 +169,18 @@ groups() ->
should_return_disabled_auth_settings,
{with_oauth_initiated_logon_type_idp_initiated, [], [
should_return_disabled_auth_settings,
{with_oauth_enabled, [], [
should_return_oauth_enabled,
should_return_oauth_initiated_logon_type_idp_initiated
{with_resource_server_a, [], [
{with_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated, [], [
should_not_return_oauth_initiated_logon_type,
should_return_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated
{with_resource_server_id_rabbit, [], [
should_return_disabled_auth_settings,
{with_oauth_enabled, [], [
should_return_oauth_enabled,
should_return_oauth_initiated_logon_type_idp_initiated,
{with_resource_server_a, [], [
{with_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated, [], [
should_return_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated
]},
{with_oauth_resource_server_a_with_oauth_initiated_logon_type_sp_initiated, [], [
should_not_return_oauth_resource_server_a
]}
]}
]}
]}
@ -425,9 +430,17 @@ should_not_return_oauth_resource_server_a_with_client_secret(Config) ->
assert_attribute_not_defined_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
Config, a, oauth_client_secret).
should_return_oauth_provider_url_idp1_url(Config) ->
Actual = rabbit_mgmt_wm_auth:authSettings(),
?assertEqual(?config(idp1_url, Config), proplists:get_value(oauth_provider_url, Actual)).
should_return_mgt_oauth_provider_url_idp1_url(Config) ->
assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
Config, rabbit, oauth_provider_url, idp1_url).
should_return_mgt_oauth_provider_url_url1(Config) ->
assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
Config, rabbit, oauth_provider_url, url1).
should_return_mgt_oauth_provider_url_url0(Config) ->
assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
Config, rabbit, oauth_provider_url, url0).
should_return_oauth_scopes_admin_mgt(Config) ->
Actual = rabbit_mgmt_wm_auth:authSettings(),
@ -479,6 +492,10 @@ should_return_oauth_initiated_logon_type_idp_initiated(_Config) ->
Actual = rabbit_mgmt_wm_auth:authSettings(),
?assertEqual(<<"idp_initiated">>, proplists:get_value(oauth_initiated_logon_type, Actual)).
should_not_return_oauth_resource_server_a(Config) ->
Actual = rabbit_mgmt_wm_auth:authSettings(),
assert_not_defined_oauth_resource_server(Actual, Config, a).
should_not_return_oauth_resource_server_a_with_oauth_initiated_logon_type(Config) ->
assert_attribute_not_defined_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
Config, a, oauth_initiated_logon_type).
@ -558,6 +575,11 @@ assert_attribute_not_defined_for_oauth_resource_server(Actual, Config, ConfigKey
OauthResource = maps:get(?config(ConfigKey, Config), OAuthResourceServers),
?assertEqual(false, proplists:is_defined(Attribute, OauthResource)).
assert_not_defined_oauth_resource_server(Actual, Config, ConfigKey) ->
log(Actual),
OAuthResourceServers = proplists:get_value(oauth_resource_servers, Actual),
?assertEqual(false, maps:is_key(?config(ConfigKey, Config), OAuthResourceServers)).
set_attribute_in_entry_for_env_variable(Application, EnvVar, Key, Attribute, Value) ->
Map = application:get_env(Application, EnvVar, #{}),
Map1 = maps:put(Key, [ { Attribute, Value} | maps:get(Key, Map, []) ], Map),
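Review bot: `assert_not_defined_oauth_resource_server` (last hunk) hands whatever `proplists:get_value(oauth_resource_servers, Actual)` returns straight to `maps:is_key/2`, so when the settings come back disabled and the key is absent the test dies with a `badmap` on `undefined` rather than an assertion message that names the expectation. Inserting `?assertMatch(M when is_map(M), OAuthResourceServers),` before the `?assertEqual` keeps the failure self-explanatory without changing what the test checks. The same applies to `assert_attribute_not_defined_for_oauth_resource_server` just above it, whose `maps:get/2` would raise `badmap` or `badkey` in the same situations; that function starts outside the hunk.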