root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 5 Packages Projects Releases Wiki Activity
59,475 Commits 165 Branches 538 Tags 262 MiB
Commit Graph

186 Commits

Author SHA1 Message Date
Michael Klishin 4bd782986d
OAuth 2: test tag extraction with scope aliases 2022-04-22 12:39:29 +04:00
Michael Klishin e3aade2a93
OAuth 2: one more test case 2022-04-22 12:09:50 +04:00
Michael Klishin 85c8c3e10f
OAuth 2: integration tests for missing/incorrect scope aliases 2022-04-22 11:45:20 +04:00
Michael Klishin ba3d2a4b11
OAuth 2: one more integration test for scope aliases 2022-04-22 11:26:47 +04:00
Michael Klishin 54710ed3d0
OAuth 2: system suite refactoring 2022-04-22 11:01:44 +04:00
Michael Klishin 878b1e0bad
OAuth 2: extract token refresh tests into a separate group 2022-04-22 10:39:57 +04:00
Michael Klishin 0a5f103bc5
OAuth 2: integration suite cosmetics 2022-04-22 10:17:33 +04:00
Michael Klishin ebbba4c992
OAuth 2: extract complex claim integration tests in a separate group 2022-04-22 09:50:14 +04:00
Michael Klishin efe78133c9
OAuth 2: add an integration test for scope aliases 2022-04-22 01:31:22 +04:00
Michael Klishin 9d72a4a804
OAuth 2: more scope aliasing tests 2022-04-22 00:38:26 +04:00
Michael Klishin a242fb9f3d
OAuth 2: refactor unit_SUITE 2022-04-21 16:28:44 +04:00
Michael Klishin 0862199b9e
OAuth 2: initial scope aliasing test 2022-04-21 14:16:46 +04:00
Michael Klishin c38a3d697d
Bump (c) year 2022-03-21 01:21:56 +04:00
Lajos Gerecs 608d11a3f8 convert additional_scopes_param to the correct equivalent 2022-02-03 18:13:08 +01:00
Anh Thi Lan Nguyen 575b6a1188 Increase token expiration time 2021-12-14 17:18:09 +07:00
Anh Thi Lan Nguyen 8aeca45a17 Start SSL app for testing server 2021-12-14 16:47:20 +07:00
Anh Thi Lan Nguyen 0bc7c98bda Standardise README.md 2021-12-14 12:22:55 +07:00
Anh Thi Lan Nguyen 093a04323b Add configurable crl_check and fail_if_no_peer_cert 
- Add configuration: crl_check, fail_if_no_peer_cert
- Correct configuration: hostname_verification
 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 118e44c10e Add wildcard configuration 
A "wildcard" configuration is added to enable key server verification with wildcard certificate
 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen a9bc1c0ce9 Update README.md 
- Update new configuration document
- Add configurable "depth" for key server verification
 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 8c541fb047 Set peer_verification default as verify_none 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 1615cbfb8b Update better configuration names 
- "strict" changes to "https.peer_verification"
- "cacertfile" changes to "https.cacertfile"
 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen dd685f1179 Oauth2 plugin improvements 
- Validate JWKS server when getting keys
- Restrict usable algorithms
 2021-12-14 11:28:33 +07:00
Michal Kuratczyk acf474e056 Fix cuttlefish config for oauth2 
The structure of the signing_keys map should be `<<"id">> => {pem, <<"key">>}`.
Previously it was mapped directly as `<<"id">> => <<"key">>`.
 2021-11-18 12:58:57 +01:00
Michael Klishin ab795c1232
OAuth 2 system_SUITE: squash some erlc warnings 2021-06-10 15:48:33 +03:00
Michael Klishin b2b37f5626
Merge pull request #2791 from Appva/feature/jwks 
Support fetching JWT signing keys from JWKS endpoint
 2021-02-23 09:48:25 +03:00
Michal Kuratczyk 53fc8ebbe0 Make the tests green 
Fix the snippet and make it more through.
 2021-02-22 13:35:30 +01:00
Michal Kuratczyk c729e15112 WIP: cuttlefish support for oauth2 plugin 
No support for symmetric key key options as this would make the
implementation much more complex and shouldn't really be used anyway.

WIP becasue while the code seems to work but tests fail.
 2021-02-22 10:33:35 +01:00
Teo Klestrup Röijezon 543e8aa3a3 Enable jwks_http to run embedded without requiring a separate OTP application 2021-02-18 17:41:54 +01:00
Teo Klestrup Röijezon 68dd52e577 Move jwks_http modules into the test folder 2021-02-18 17:11:21 +01:00
Teo Klestrup Röijezon 1a3d68be37 JWKS tests 2021-02-05 11:23:10 +01:00
Michael Klishin 52479099ec
Bump (c) year 2021-01-22 09:00:14 +03:00
dcorbacho f0d39cb4e2 Switch to Mozilla Public License 2.0 (MPL 2.0) 2020-07-10 20:27:35 +01:00
Jean-Sébastien Pédron 7dcc11cdfd Update copyright (year 2020) 2020-03-10 16:05:48 +01:00
Philip Kuryloski 28080e1e2c Log authentication rejection messages 
Normally when auth fails, we simply log that it failed for a given
username. Since the username is ignored with the auth mechanism,
this does not provide sufficient context for debugging config
errors.
 2020-03-09 12:49:48 +01:00
Michael Klishin e4870b9c70 (c) bump 2019-12-29 05:50:24 +03:00
Arnaud Cogoluègnes cb3fe65a07 Polish extra scopes source tests 
Set up environment in init/end test functions, change some scopes in
test to make assertion more obvious.

References #41
 2019-12-05 14:10:21 +01:00
Michael Klishin d9073fba8d Make this code less unorthodox, take 2 
Also improves naming a bit.
 2019-12-05 10:28:37 +03:00
Michal Papuga 9a230b0aeb Resolve PR comments - rename variables. 2019-12-05 05:29:12 +01:00
Michal Papuga 3a04670a45 Implement support for gathering scopes from predefined JWT section and combine them with existing ones in post_process_payload () method. Create unit_SUITE and system_SUITE test cases. 2019-12-04 19:14:08 +01:00
Arnaud Cogoluègnes f3405e46fa Support Keycloak token format in post-processing 
Scopes from the "authorization" field are extracted and replace the
value of the "scope" key in the parsed and processed token.

Fixes #37
 2019-08-21 10:34:20 +02:00
Arnaud Cogoluègnes 49f1b6b043 Support simple strings in aud and scope fields 
Simple strings are supported, strings with spaces are split into arrays.
The strings are split upfront, the Erlang representation of the token
does not change, to avoid impacts in the code downstream.

Fixes #24
 2019-07-12 09:45:02 +02:00
Arnaud Cogoluègnes ae8b61a8aa Check token expiration on authentication 2019-07-02 15:27:13 +02:00
Michael Klishin fdb4693083 Integration suite: don't attempt to close channels on a closing connection 2019-07-02 13:20:36 +02:00
Michael Klishin 16f7328986 Integration suite: correctly compute expiration 
it should be in seconds.
 2019-07-02 12:15:17 +02:00
Michael Klishin d44e4bce59 Integration tests for JWT token/secret updates; improved error reporting 2019-07-01 21:20:57 +02:00
Michael Klishin 8a8bda0369 More OAuth 2 token refresh tests (WIP) 2019-07-01 16:48:53 +02:00
Michael Klishin 369e4158c1 Assert on operations on both new and existing channels 
Per suggestion from @acogoluegnes.
 2019-06-29 00:28:05 +02:00
Michael Klishin 4a4f81c374 Token refresh integration tests 
Depend on recent updates in the Erlang client.
 2019-06-28 18:44:33 +02:00
Arnaud Cogoluègnes 4f9a4f0ac2 Add protocol-specific context 
Just an update of check_resource_access/3 to check_resource_access/4,
the OAuth has no use of protocol-specific data for now.

References rabbitmq/rabbitmq-server#1767
 2019-06-04 14:50:59 +02:00
Spring Operator 8cb7b00642 URL Cleanup 
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener).

# HTTP URLs that Could Not Be Fixed
These URLs were unable to be fixed. Please review them to see if they can be manually resolved.

* http://blog.listincomprehension.com/search/label/procket (200) with 1 occurrences could not be migrated:
   ([https](https://blog.listincomprehension.com/search/label/procket) result ClosedChannelException).
* http://dozzie.jarowit.net/trac/wiki/TOML (200) with 1 occurrences could not be migrated:
   ([https](https://dozzie.jarowit.net/trac/wiki/TOML) result SSLHandshakeException).
* http://dozzie.jarowit.net/trac/wiki/subproc (200) with 1 occurrences could not be migrated:
   ([https](https://dozzie.jarowit.net/trac/wiki/subproc) result SSLHandshakeException).
* http://e2project.org (200) with 1 occurrences could not be migrated:
   ([https](https://e2project.org) result AnnotatedConnectException).
* http://nitrogenproject.com/ (200) with 2 occurrences could not be migrated:
   ([https](https://nitrogenproject.com/) result ConnectTimeoutException).
* http://proper.softlab.ntua.gr (200) with 1 occurrences could not be migrated:
   ([https](https://proper.softlab.ntua.gr) result SSLHandshakeException).
* http://yaws.hyber.org (200) with 1 occurrences could not be migrated:
   ([https](https://yaws.hyber.org) result AnnotatedConnectException).
* http://choven.ca (503) with 1 occurrences could not be migrated:
   ([https](https://choven.ca) result ConnectTimeoutException).

# Fixed URLs

## Fixed But Review Recommended
These URLs were fixed, but the https status was not OK. However, the https status was the same as the http request or http redirected to an https URL, so they were migrated. Your review is recommended.

* http://fixprotocol.org/ (301) with 1 occurrences migrated to:
  https://fixtrading.org ([https](https://fixprotocol.org/) result SSLHandshakeException).
* http://erldb.org (UnknownHostException) with 1 occurrences migrated to:
  https://erldb.org ([https](https://erldb.org) result UnknownHostException).

## Fixed Success
These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended.

* http://cloudi.org/ with 27 occurrences migrated to:
  https://cloudi.org/ ([https](https://cloudi.org/) result 200).
* http://erlware.org/ with 1 occurrences migrated to:
  https://erlware.org/ ([https](https://erlware.org/) result 200).
* http://inaka.github.io/cowboy-trails/ with 1 occurrences migrated to:
  https://inaka.github.io/cowboy-trails/ ([https](https://inaka.github.io/cowboy-trails/) result 200).
* http://ninenines.eu with 6 occurrences migrated to:
  https://ninenines.eu ([https](https://ninenines.eu) result 200).
* http://www.actordb.com/ with 2 occurrences migrated to:
  https://www.actordb.com/ ([https](https://www.actordb.com/) result 200).
* http://www.cs.kent.ac.uk/projects/wrangler/Home.html with 1 occurrences migrated to:
  https://www.cs.kent.ac.uk/projects/wrangler/Home.html ([https](https://www.cs.kent.ac.uk/projects/wrangler/Home.html) result 200).
* http://www.rabbitmq.com/access-control.html with 2 occurrences migrated to:
  https://www.rabbitmq.com/access-control.html ([https](https://www.rabbitmq.com/access-control.html) result 200).
* http://www.rabbitmq.com/configure.html with 1 occurrences migrated to:
  https://www.rabbitmq.com/configure.html ([https](https://www.rabbitmq.com/configure.html) result 200).
* http://www.rebar3.org with 1 occurrences migrated to:
  https://www.rebar3.org ([https](https://www.rebar3.org) result 200).
* http://inaka.github.com/apns4erl with 1 occurrences migrated to:
  https://inaka.github.com/apns4erl ([https](https://inaka.github.com/apns4erl) result 301).
* http://inaka.github.com/edis/ with 1 occurrences migrated to:
  https://inaka.github.com/edis/ ([https](https://inaka.github.com/edis/) result 301).
* http://lasp-lang.org/ with 1 occurrences migrated to:
  https://lasp-lang.org/ ([https](https://lasp-lang.org/) result 301).
* http://saleyn.github.com/erlexec with 1 occurrences migrated to:
  https://saleyn.github.com/erlexec ([https](https://saleyn.github.com/erlexec) result 301).
* http://www.mozilla.org/MPL/ with 6 occurrences migrated to:
  https://www.mozilla.org/MPL/ ([https](https://www.mozilla.org/MPL/) result 301).
* http://zhongwencool.github.io/observer_cli with 1 occurrences migrated to:
  https://zhongwencool.github.io/observer_cli ([https](https://zhongwencool.github.io/observer_cli) result 301).

# Ignored
These URLs were intentionally ignored.

* http://localhost:8080/uaa/oauth/token with 1 occurrences
 2019-03-20 03:11:57 -05:00
Josh Soref 40410e5c01 spelling: exactly 
(cherry picked from commit f5af5a4cb42c90147849dcc2e2b3705248fdd801)
 2019-02-12 07:42:14 +03:00
Luke Bakken 0e19df0ce4 Rename uaa_jwt app env setting to key_config 
See this comment for context:

https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/pull/18#issuecomment-409016622
 2018-07-31 15:51:20 -07:00
Luke Bakken 4bd726b5d4 uaa_jwt is no longer a separate application 
In order for uaa_jwt settings to be populated by config files, they have to be part of a defined and running application. This PR adds support for a uaa_jwt sub-key of the main rabbitmq_auth_backend_oauth2 env key.
 2018-07-20 15:25:09 -07:00
Michael Klishin f0178d7729 rabbitmq_auth_backend_uaa => rabbitmq_auth_backend_oauth2 
"OAuth 2" is many things but it's still more descriptive, open-ended and easier
to find than "uaa" (too tool-specific) or "jwt" (too narrow, not known widely enough).

Per discussion with @hairyhum @kjnilsson.
 2018-07-19 22:20:57 +03:00
Michael Klishin 6618c21b1f More integration tests 
[#158782152]
[#158782156]
 2018-07-19 14:40:18 +03:00
Michael Klishin 2d52dda042 More integration tests 
[#158782152]
[#158782156]
 2018-07-18 18:25:10 +03:00
Michael Klishin 821f54c92a More integration tests 
[#158782152]
[#158782156]
 2018-07-18 18:15:50 +03:00
Michael Klishin 8cc9e4f628 Initial integration tests 
[#158782152]
[#158782156]
 2018-07-18 02:34:23 +03:00
Michael Klishin e3856ffa91 Include tag tests in more cases 
[#158782152]
[#158782156]
 2018-07-11 02:58:51 +03:00
Michael Klishin 37366191f2 Extract tags from the provided JWT token 
Pair: @acogoluegnes.

[#158782152]
[#158782156]
 2018-07-09 18:26:53 +03:00
Michael Klishin cb4dfba58a Expect access token in the password field 
We cannot pass access tokens in the username since
those are logged and displayed by operator tools.

Per discussion with @acogoluegnes.

[#158782152]
[#158782156]
 2018-07-05 19:50:12 +03:00
Michael Klishin 435d5c7690 Split the unsuccessful authorization test into 3 
[#158782152]
[#158782156]
 2018-07-03 20:02:33 +03:00
Michael Klishin c4269275db Convert all suites to use EUnit matchers 
[#158782152]
[#158782156]
 2018-07-03 17:55:40 +03:00
Michael Klishin 7a758a2ece More test massaging, remove debug logging 
[#158782152]
[#158782156]
 2018-07-03 16:27:58 +03:00
Michael Klishin 4cc2cfef89 Split and simplify unit tests; naming 2018-07-03 02:15:51 +03:00
Daniil Fedotov 973ef5ccef Add support for pem public key 2017-09-20 16:40:56 +01:00
Daniil Fedotov 5fdfda0846 Improve tests 2017-02-17 11:33:08 +00:00
Daniil Fedotov 7b421e6ae1 Return error instead of error_message to comply with authz_backend API 2017-02-08 16:32:59 +00:00
Daniil Fedotov c71c3eb292 Test token expiration 2017-02-03 13:01:24 +00:00
Daniil Fedotov 24551ef095 Test default key support 2017-02-02 13:09:53 +00:00
Daniil Fedotov a07b4485e6 Test key validation when adding via cli command 2017-02-02 12:25:38 +00:00
Daniil Fedotov 78bb2044fb Test command validation 2017-02-02 11:29:25 +00:00
Daniil Fedotov df197ad5b9 Command to add UAA signing keys 2017-02-01 17:15:10 +00:00
Daniil Fedotov afb59ddc20 Fix test to represent Jwt decoded extended scope permissions 2017-01-27 11:48:35 +00:00
Daniil Fedotov 759d66263b Decode and verify UAA JWT tokens without connecting to UAA server 
Fixes #3
Uses rabbitmq/uaa_jwt library to decode a token and verify signature.
Signing keys should be predefined in the uaa_jwt application environment
 2017-01-27 11:32:14 +00:00
Michael Klishin 42e401e900 invalid_resource_authorization => resource_server_authentication_failed 
HTTP 401 response can indicate an authorization failure as well
but let's assume authentication failures will be more common in this
specific case.
 2017-01-27 01:51:48 +03:00
Michael Klishin 88ac9518e2 Wording 2017-01-27 01:47:05 +03:00
Michael Klishin 0e595fe48f Wording 2017-01-27 01:39:25 +03:00
Michael Klishin 269a2729e0 This example doesn't actually seem to be case insensitive 2017-01-27 01:34:53 +03:00
Daniil Fedotov a53e4d3cb9 Support topic authorization 2017-01-24 17:26:59 +00:00
Daniil Fedotov dfc61ec18f Change scope to permission mapping 2016-12-20 13:13:18 +00:00
Daniil Fedotov ff84dfae52 Support for custom resource kinds 2016-02-16 12:36:38 +00:00
Daniil Fedotov b5c47a75f6 Resource ID filtering 2016-02-16 12:22:49 +00:00
Daniil Fedotov 4835e0b3af Indent 2016-01-20 14:24:06 +00:00
Daniil Fedotov 99279bd10f Tests 2016-01-20 14:04:14 +00:00