diff --git a/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js b/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
index dfbf0275a3..2179ccfaff 100644
--- a/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
+++ b/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
@@ -34,7 +34,7 @@ function auth_settings_apply_defaults(authSettings) {
 }
 authSettings.resource_servers = []
- if (authSettings.oauth_resource_servers && Object.keys(authSettings.oauth_resource_servers).length > 0) {
+ if (authSettings.oauth_resource_servers) {
 for (const [resource_server_id, resource_server] of Object.entries(authSettings.oauth_resource_servers)) {
 if (!resource_server.oauth_provider_url) {
@@ -80,25 +80,6 @@ function auth_settings_apply_defaults(authSettings) {
 resource_server.id = resource_server_id
 authSettings.resource_servers.push(resource_server)
 }
-
- }else if (authSettings.oauth_provider_url) {
- let resource = {
- "provider_url" : authSettings.oauth_provider_url,
- "scopes" : authSettings.oauth_scopes,
- "response_type" : authSettings.oauth_response_type,
- "sp_initiated" : authSettings.oauth_initiated_logon_type == "sp_initiated",
- "id" : authSettings.oauth_resource_id
- }
- if (authSettings.oauth_client_id) {
- resource.client_id = authSettings.oauth_client_id
- }
- if (authSettings.oauth_client_secret && authSettings.oauth_client_id) {
- resource.client_secret = authSettings.oauth_client_secret
- }
- if (authSettings.metadata_url) {
- resource.metadata_url = authSettings.metadata_url
- }
- authSettings.resource_servers.push(resource)
 }
 return authSettings;
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
index bedecddba6..8a65e64c1f 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
@@ -79,7 +79,7 @@ skip_unknown_resource_servers(MgtOauthResources, OAuth2Resources) ->
 skip_disabled_mgt_resource_servers(MgtOauthResources) ->
 maps:filter(fun(_Key, Value) -> not proplists:get_value(disabled, Value, false) end, MgtOauthResources).
-has_multi_resources(OAuth2BackendProps, ManagementProps) ->
+extract_oauth2_and_mgt_resources(OAuth2BackendProps, ManagementProps) ->
 OAuth2Resources = getAllDeclaredOauth2Resources(OAuth2BackendProps),
 MgtResources0 = skip_unknown_resource_servers(proplists:get_value(resource_servers, ManagementProps, #{}), OAuth2Resources),
 MgtResources1 = maps:merge(MgtResources0, maps:filtermap(fun(K,_V) ->
@@ -88,14 +88,14 @@ has_multi_resources(OAuth2BackendProps, ManagementProps) ->
 false -> {true, [{id, K}]}
 end
 end, OAuth2Resources)),
 MgtResources = skip_disabled_mgt_resource_servers(MgtResources1),
-
+ HasMulti = {true, OAuth2Resources, MgtResources},
 case maps:size(MgtResources) of
 0 -> case maps:size(OAuth2Resources) of
- 0 -> false;
- _ -> {true, OAuth2Resources, MgtResources}
+ 1 -> {};
+ _ -> HasMulti
 end;
- _ -> {true, OAuth2Resources, MgtResources}
+ _ -> HasMulti
 end.
 getAllDeclaredOauth2Resources(OAuth2BackendProps) ->
 OAuth2Resources = proplists:get_value(resource_servers, OAuth2BackendProps, #{}),
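Review bot: The new `{}` return from extract_oauth2_and_mgt_resources is an empty tuple used as a sentinel next to a 3-tuple, which is unidiomatic and easy to misread; an atom such as `no_resources`, matched as `no_resources -> [{oauth_enabled, false}]` in authSettings, states the meaning and is what Dialyzer can reason about. The inner case also looks redundant: when MgtResources is empty and OAuth2Resources has zero or more than one entry, `HasMulti` carries an empty map into produce_auth_settings, whose `0 -> [{oauth_enabled, false}]` branch gives the same answer as `1 -> {}`, so either collapse the branches or add a one-line comment saying why the size-1 case is singled out. `HasMulti` no longer describes the value now that it is returned on every path; `Resources` would read better.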
@@ -111,21 +111,27 @@ authSettings() ->
 case EnableOAUTH of
 false -> [{oauth_enabled, false}];
 true ->
- case has_multi_resources(OAuth2BackendProps, ManagementProps) of
+ case extract_oauth2_and_mgt_resources(OAuth2BackendProps, ManagementProps) of
 {true, OAuth2Resources, MgtResources} ->
- multi_resource_auth_settings(OAuth2Resources, MgtResources, ManagementProps);
- false -> single_resource_auth_settings(OAuth2BackendProps, ManagementProps)
+ produce_auth_settings(OAuth2Resources, MgtResources, ManagementProps);
+ {} -> [{oauth_enabled, false}]
 end
 end.
-skip_resource_servers_without_oauth_client_id(MgtResourceServers) ->
+skip_resource_servers_without_oauth_client_id_with_sp_initiated_logon(MgtResourceServers, ManagementProps) ->
+ DefaultOauthInitiatedLogonType = proplists:get_value(oauth_initiated_logon_type, ManagementProps, sp_initiated),
 maps:filter(fun(_K,ResourceServer) ->
+ SpInitiated = case proplists:get_value(oauth_initiated_logon_type, ResourceServer, DefaultOauthInitiatedLogonType) of
+ sp_initiated -> true;
+ _ -> false
+ end,
+ not SpInitiated or not is_invalid([proplists:get_value(oauth_client_id, ResourceServer)])
 end, MgtResourceServers).
-filter_resource_servers_without_resolvable_oauth_client_id(MgtResourceServers, ManagementProps) ->
+filter_resource_servers_without_resolvable_oauth_client_id_for_sp_initiated(MgtResourceServers, ManagementProps) ->
 case is_invalid([proplists:get_value(oauth_client_id, ManagementProps)]) of
- true -> skip_resource_servers_without_oauth_client_id(MgtResourceServers);
+ true -> skip_resource_servers_without_oauth_client_id_with_sp_initiated_logon(MgtResourceServers, ManagementProps);
 false -> MgtResourceServers
 end.
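Review bot: The `{} -> [{oauth_enabled, false}]` branch in authSettings takes over from the removed single_resource_auth_settings path, which reported why OAuth was being switched off (`rabbit_log:error("Invalid rabbitmq_auth_backend_oauth2.resource_server_id ~p", ...)` and the client_id/provider_url variants); the filters that now drop resource servers log nothing, so a misconfigured single-resource deployment silently loses OAuth in the UI with no line pointing the operator at the missing setting. Consider logging in that branch and in skip_resource_servers_without_oauth_client_id_with_sp_initiated_logon when a server is dropped, e.g. `rabbit_log:warning("Skipping OAuth resource server ~p: oauth_client_id missing for sp_initiated logon", [K])` (the fun currently discards its key as `_K`). Separately, `not SpInitiated or not is_invalid([...])` evaluates both operands; `orelse` is the idiomatic short-circuit form, and the `case ... of sp_initiated -> true; _ -> false end` reduces to `SpInitiated = proplists:get_value(oauth_initiated_logon_type, ResourceServer, DefaultOauthInitiatedLogonType) =:= sp_initiated,`.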
@@ -144,10 +150,10 @@ filter_resource_servers_without_resolvable_oauth_provider_url(OAuthResourceServe
 end
 end
 end , MgtResourceServers)).
-multi_resource_auth_settings(OAuthResourceServers, MgtResourceServers, ManagementProps) ->
+produce_auth_settings(OAuthResourceServers, MgtResourceServers, ManagementProps) ->
 ConvertValuesToBinary = fun(_K,V) -> [ {K1, to_binary(V1)} || {K1,V1} <- V ] end,
 FilteredMgtResourceServers = filter_resource_servers_without_resolvable_oauth_provider_url(OAuthResourceServers,
- filter_resource_servers_without_resolvable_oauth_client_id(MgtResourceServers, ManagementProps), ManagementProps),
+ filter_resource_servers_without_resolvable_oauth_client_id_for_sp_initiated(MgtResourceServers, ManagementProps), ManagementProps),
 case maps:size(FilteredMgtResourceServers) of
 0 -> [{oauth_enabled, false}];
@@ -166,60 +172,6 @@ multi_resource_auth_settings(OAuthResourceServers, MgtResourceServers, Managemen
 ])
 end.
-
-
-single_resource_auth_settings(OAuth2BackendProps, ManagementProps) ->
- OAuthInitiatedLogonType = proplists:get_value(oauth_initiated_logon_type, ManagementProps, sp_initiated),
- OAuthDisableBasicAuth = proplists:get_value(oauth_disable_basic_auth, ManagementProps, true),
- OAuthProviderUrl = resolve_oauth_provider_url(ManagementProps),
- OAuthResourceId = proplists:get_value(resource_server_id, OAuth2BackendProps),
- case OAuthInitiatedLogonType of
- sp_initiated ->
- case is_invalid([OAuthResourceId]) of
- true ->
- rabbit_log:error("Invalid rabbitmq_auth_backend_oauth2.resource_server_id ~p", [OAuthResourceId]),
- [{oauth_enabled, false}];
- false ->
- OAuthClientId = proplists:get_value(oauth_client_id, ManagementProps),
- case is_invalid([OAuthClientId, OAuthProviderUrl]) of
- true ->
- rabbit_log:error("Invalid rabbitmq_management oauth_client_id ~p or resolved oauth_provider_url ~p",
- [OAuthClientId, OAuthProviderUrl]),
- [{oauth_enabled, false}];
- false ->
- filter_empty_properties([
- {oauth_enabled, true},
- {oauth_disable_basic_auth, OAuthDisableBasicAuth},
- {oauth_client_id, to_binary(OAuthClientId)},
- {oauth_provider_url, to_binary(OAuthProviderUrl)},
- to_tuple(oauth_scopes, ManagementProps),
- to_tuple(oauth_metadata_url, ManagementProps),
- {oauth_resource_id, to_binary(OAuthResourceId)},
- to_tuple(oauth_client_secret, ManagementProps)
- ])
- end
- end;
- idp_initiated ->
- case is_invalid([OAuthResourceId]) of
- true ->
- rabbit_log:error("Invalid rabbitmq_auth_backend_oauth2.resource_server_id ~p", [OAuthResourceId]),
- [{oauth_enabled, false}];
- false ->
- case is_invalid([OAuthProviderUrl]) of
- true ->
- rabbit_log:error("Invalid rabbitmq_management resolved oauth_provider_url ~p", [OAuthProviderUrl]),
- [{oauth_enabled, false}];
- false ->
- [{oauth_enabled, true},
- {oauth_disable_basic_auth, OAuthDisableBasicAuth},
-
{oauth_initiated_logon_type, to_binary(OAuthInitiatedLogonType)},
- {oauth_provider_url, to_binary(OAuthProviderUrl)},
- {oauth_resource_id, to_binary(OAuthResourceId)}
- ]
- end
- end
- end.
-
 filter_empty_properties(ListOfProperties) ->
 lists:filter(fun(Prop) ->
 case Prop of
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl
index d01d5ddafa..28b3c9558a 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl
@@ -17,8 +17,8 @@ all() ->
 {group, without_any_settings},
 {group, with_oauth_disabled},
 {group, verify_client_id_and_secret},
- {group, verify_oauth_provider_url_with_single_resource},
- {group, verify_oauth_provider_url_with_single_resource_and_another_resource},
+ {group, verify_mgt_oauth_provider_url_with_single_resource},
+ {group, verify_mgt_oauth_provider_url_with_single_resource_and_another_resource},
 {group, verify_oauth_initiated_logon_type_for_sp_initiated},
 {group, verify_oauth_initiated_logon_type_for_idp_initiated},
 {group, verify_oauth_disable_basic_auth},
@@ -65,15 +65,15 @@ groups() ->
 ]}
 ]}
 ]},
- {verify_oauth_provider_url_with_single_resource, [], [
+ {verify_mgt_oauth_provider_url_with_single_resource, [], [
 {with_resource_server_id_rabbit, [], [
 {with_root_issuer_url1, [], [
 {with_oauth_enabled, [], [
 should_return_disabled_auth_settings,
 {with_mgt_oauth_client_id_z, [], [
- should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url1,
+ should_return_mgt_oauth_provider_url_url1,
 {with_mgt_oauth_provider_url_url0, [], [
- should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url0
+ should_return_mgt_oauth_provider_url_url0
 ]}
 ]}
 ]}
@@ -83,12 +83,12 @@ groups() ->
 {with_oauth_enabled, [], [
 should_return_disabled_auth_settings,
 {with_mgt_oauth_client_id_z, [], [
- should_return_oauth_resource_server_rabbit_with_oauth_provider_url_idp1_url,
+ should_return_mgt_oauth_provider_url_idp1_url,
 {with_root_issuer_url1, [], [
- should_return_oauth_resource_server_rabbit_with_oauth_provider_url_idp1_url
+ should_return_mgt_oauth_provider_url_idp1_url
 ]},
 {with_mgt_oauth_provider_url_url0, [], [
- should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url0
+ should_return_mgt_oauth_provider_url_url0
 ]}
 ]}
 ]}
@@ -96,7 +96,7 @@ groups() ->
 ]}
 ]}
 ]},
- {verify_oauth_provider_url_with_single_resource_and_another_resource, [], [
+ {verify_mgt_oauth_provider_url_with_single_resource_and_another_resource, [], [
 {with_resource_server_id_rabbit, [], [
 {with_resource_server_a, [], [
 {with_root_issuer_url1, [], [
@@ -169,13 +169,18 @@ groups() ->
 should_return_disabled_auth_settings,
 {with_oauth_initiated_logon_type_idp_initiated, [], [
 should_return_disabled_auth_settings,
- {with_oauth_enabled, [], [
- should_return_oauth_enabled,
- should_return_oauth_initiated_logon_type_idp_initiated
- {with_resource_server_a, [], [
- {with_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated, [], [
- should_not_return_oauth_initiated_logon_type,
- should_return_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated
+ {with_resource_server_id_rabbit, [], [
+ should_return_disabled_auth_settings,
+ {with_oauth_enabled, [], [
+ should_return_oauth_enabled,
+ should_return_oauth_initiated_logon_type_idp_initiated,
+ {with_resource_server_a, [], [
+ {with_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated, [], [
+ should_return_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated
+ ]},
+ {with_oauth_resource_server_a_with_oauth_initiated_logon_type_sp_initiated, [], [
+ should_not_return_oauth_resource_server_a
+ ]}
 ]}
 ]}
 ]}
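Review bot: The rebuilt idp_initiated group (hunk at -169) drops `should_not_return_oauth_initiated_logon_type` from the `with_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated` subgroup without a replacement, so that path is now only checked positively. The old group was also missing the comma after `should_return_oauth_initiated_logon_type_idp_initiated`, so it presumably never compiled and the dropped case may never have run; whatever it asserted about the per-resource logon type, either re-add it next to `should_return_oauth_resource_server_a_with_oauth_initiated_logon_type_idp_initiated` or note in the commit why it no longer applies. The new `with_oauth_resource_server_a_with_oauth_initiated_logon_type_sp_initiated` subgroup is a good addition, since it is the only place that exercises the sp_initiated-without-client_id drop introduced in rabbit_mgmt_wm_auth.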
@@ -425,9 +430,17 @@ should_not_return_oauth_resource_server_a_with_client_secret(Config) ->
 assert_attribute_not_defined_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(), Config, a, oauth_client_secret).
-should_return_oauth_provider_url_idp1_url(Config) ->
- Actual = rabbit_mgmt_wm_auth:authSettings(),
- ?assertEqual(?config(idp1_url, Config), proplists:get_value(oauth_provider_url, Actual)).
+should_return_mgt_oauth_provider_url_idp1_url(Config) ->
+ assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
+ Config, rabbit, oauth_provider_url, idp1_url).
+
+should_return_mgt_oauth_provider_url_url1(Config) ->
+ assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
+ Config, rabbit, oauth_provider_url, url1).
+
+should_return_mgt_oauth_provider_url_url0(Config) ->
+ assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
+ Config, rabbit, oauth_provider_url, url0).
 should_return_oauth_scopes_admin_mgt(Config) ->
 Actual = rabbit_mgmt_wm_auth:authSettings(),
@@ -479,6 +492,10 @@ should_return_oauth_initiated_logon_type_idp_initiated(_Config) ->
 Actual = rabbit_mgmt_wm_auth:authSettings(),
 ?assertEqual(<<"idp_initiated">>, proplists:get_value(oauth_initiated_logon_type, Actual)).
+should_not_return_oauth_resource_server_a(Config) ->
+ Actual = rabbit_mgmt_wm_auth:authSettings(),
+ assert_not_defined_oauth_resource_server(Actual, Config, a).
+
 should_not_return_oauth_resource_server_a_with_oauth_initiated_logon_type(Config) ->
 assert_attribute_not_defined_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(), Config, a, oauth_initiated_logon_type).
@@ -558,6 +575,11 @@ assert_attribute_not_defined_for_oauth_resource_server(Actual, Config, ConfigKey
 OauthResource = maps:get(?config(ConfigKey, Config), OAuthResourceServers),
 ?assertEqual(false, proplists:is_defined(Attribute, OauthResource)).
+assert_not_defined_oauth_resource_server(Actual, Config, ConfigKey) ->
+ log(Actual),
+ OAuthResourceServers = proplists:get_value(oauth_resource_servers, Actual),
+ ?assertEqual(false, maps:is_key(?config(ConfigKey, Config), OAuthResourceServers)).
+
 set_attribute_in_entry_for_env_variable(Application, EnvVar, Key, Attribute, Value) ->
 Map = application:get_env(Application, EnvVar, #{}),
 Map1 = maps:put(Key, [ { Attribute, Value} | maps:get(Key, Map, []) ], Map),
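Review bot: `proplists:get_value(oauth_resource_servers, Actual)` in the new assert_not_defined_oauth_resource_server returns `undefined` when the settings carry no resource-server map at all, and `maps:is_key/2` then raises `badmap`, so a configuration in which every resource server was dropped fails this helper with a crash rather than passing. An absent map also means resource `a` is not returned, so the defaulted form expresses the intent: `OAuthResourceServers = proplists:get_value(oauth_resource_servers, Actual, #{}),`. `log(Actual)` prints the whole settings proplist, which in other groups of this suite includes `oauth_client_secret`; that is test-only output, but worth remembering if these logs end up in CI artifacts.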