Commit Graph

185 Commits

Author SHA1 Message Date
Marcial Rosales 2a3dcb3679 WIP Refactor code
before implementing oidc endpoints parameters
2024-10-08 08:17:47 +02:00
Marcial Rosales 6fb83af48e Reduce logging verbosity 2024-10-08 08:17:47 +02:00
Marcial Rosales 3cf5b7e03e Reduce verbosity of some log statements 2024-10-08 08:17:47 +02:00
Marcial Rosales 4da45996ca Minor refactor
Improve logging
Fix an issue running selenium tests locally
WIP modify schema to configure queryParameters for
oauth2 endpoints
2024-10-08 08:17:47 +02:00
Marcial Rosales 77e8172009 Support tokens without kid when using multiple resources 2024-08-29 12:44:49 +01:00
Marcial Rosales e6e7f1aa96 Remove unnecessary function 2024-04-15 10:16:53 +02:00
Marcial Rosales 354df19a66 Remove obsolete function and refactor ssl_option
function so that there is only one function which
provides default ssl options
2024-04-15 10:16:53 +02:00
Marcial Rosales 49e8772565 Remove wrong and unnecessary log statement 2024-03-06 16:37:12 +01:00
Marcial Rosales 9f9cd9fdbb Fix issue introduced while removing ssl_options function 2024-02-28 10:04:50 +01:00
Marcial Rosales 4cad467d51 Remove obsolete function 2024-02-28 10:04:50 +01:00
Michael Klishin a8518156c2 OAuth 2: improve debug log message consistency 2024-02-12 09:59:16 -05:00
Marcial Rosales 8a248ef630 Fix indentation to 4 characters 2024-02-10 21:12:00 +01:00
Marcial Rosales ca73662ca4 Fix dialyze errors 2024-02-10 20:12:21 +01:00
Marcial Rosales 06a7f48d4b Apply feedback from @knilson 2024-02-10 20:12:20 +01:00
Marcial Rosales a3b2269583 Deprecate has_additional_scopes_key
and instead use only get_additional_scopes_key
As Per @kjnilsson suggestion
2024-02-10 20:12:20 +01:00
Michael Klishin 3e65938aa7 One more outdated license header 2024-02-10 20:12:16 +01:00
Michael Klishin bf21dbe303 Update a 2023 era license header 2024-02-10 20:12:16 +01:00
Michael Klishin 7b955f154c OAuth 2 plugin: cosmetics
(cherry picked from commit 7989bfc88e)
2024-02-10 20:12:16 +01:00
Marcial Rosales a78120c214 Fix test cases 2024-02-10 20:12:06 +01:00
Marcial Rosales daebd5fd7a Fix issue building openid connect url
And add more tests
2024-02-10 20:12:05 +01:00
Marcial Rosales a0680c0f1e Fix issue resolving oauth provider
And add more test coverage
2024-02-10 20:12:05 +01:00
Marcial Rosales d827b72ce1 Create Oauth2 client 2024-02-10 20:12:04 +01:00
Arnaud Cogoluègnes 1f89ede396 Remove rabbit_authz_backend:state_can_expire/0
Use expiry_timestamp/1 instead, which returns 'never'
if the credentials do not expire.

Fixes #10382
2024-01-24 09:58:59 +01:00
Arnaud Cogoluègnes 33c64d06ea Add expiry_timestamp/1 callback to authz backend behavior
Backends return 'never' or the timestamp of the expiry time
of the credentials. Only the OAuth2 backend returns a timestamp,
other RabbitMQ authz backends return 'never'.

Client code uses rabbit_access_control, so it contains now
a new expiry_timestamp/1 function that returns the earliest
expiry time of the underlying backends.

Fixes #10298
2024-01-19 14:46:47 +01:00
Michael Klishin 01092ff31f (c) year bumps 2024-01-01 22:02:20 -05:00
Michael Klishin 1b642353ca Update (c) according to [1]
1. https://investors.broadcom.com/news-releases/news-release-details/broadcom-and-vmware-intend-close-transaction-november-22-2023
2023-11-21 23:18:22 -05:00
Marcial Rosales 77ee572467 Fixes #8547 2023-06-14 09:39:03 +02:00
Marcial Rosales 84e8d172e6 Make scopes optional for oauth2 authentication 2023-05-30 16:56:12 +02:00
Marcial Rosales ea4074c1df Make parameter optional 2023-05-16 08:40:29 +02:00
Marcial Rosales faffd6fa98 Configure Oauth scope prefix
separate from resource_server_id
2023-05-16 08:40:28 +02:00
Marcial Rosales de4fa24444 Minor code change 2023-04-18 17:06:05 +02:00
Marcial Rosales 6227dfd15d Fix issue #7178 2023-04-18 16:29:42 +02:00
Marcial Rosales 9339ad1114 Comment why we are propagating authz_backends
when opening an internal amqp connection
2023-01-31 11:45:59 +01:00
Marcial Rosales 51e27f8a3f Fix issue #6909
Use the outcome from the first authentication
stored in the #user.authz_backends to authenticate
subsequent attempts which occur when a session is
opened.
In particular, during the first authentication attempt
which occurs during the sasl handshake, the amqp 1.0
plugin reads and validates the JWT token present in the
password field.
When a new AMQP 1.0 session is opened, the plugin creates
an internal AMQP connection which triggers a second/nth
authentication. For this second/nth authentication, the
plugin propagates as Authentication Credentials the outcome
from the first authentication which is stored in the
`#user.authz_backends`.
The Oauth2 backend first attempts to authenticate using
the password credentials; otherwise it uses the credential with the
key `rabbit_auth_backend_oauth2`, which has a function which
returns the decoded token.
2023-01-31 11:45:59 +01:00
Alexey Lebedeff 8164df8bb2 Fix all dialyzer warnings in auth backends 2023-01-19 16:01:30 +01:00
Marcial Rosales 9fca4a7446 Improve coverage 2023-01-03 07:09:02 -05:00
Marcial Rosales 9354397cbf Support Idp initiated logon in mgt ui with Oauth
Configure preferred username from a token
Make client_secret optional
2023-01-03 07:09:00 -05:00
Michael Klishin ec4f1dba7d (c) year bump: 2022 => 2023 2023-01-01 23:17:36 -05:00
Simon Unge 09d84e6bd5 See #4842. Obfuscate impl value 2022-11-09 15:14:51 -08:00
Luke Bakken 7fe159edef Yolo-replace format strings
Replaces `~s` and `~p` with their unicode-friendly counterparts.

```
git ls-files *.erl | xargs sed -i.ORIG -e s/~s>/~ts/g -e s/~p>/~tp/g
```
2022-10-10 10:32:03 +04:00
Michael Klishin b14eee13b5 OAuth 2: rename a function 2022-08-23 14:30:03 +04:00
Marcial Rosales 39fbeea628 Use user-tags without prefix tag: as action name 2022-08-22 16:16:14 +04:00
Marcial Rosales 4be9bdbc08 Use wildcard library rather than re
for cluster, vhost, queue, exchange,
and routing-key patterns
2022-08-22 16:16:13 +04:00
Marcial Rosales 7cea128a48 Allow regular expression in location's cluster field 2022-08-22 16:16:13 +04:00
Marcial Rosales 4505fbd1dd Remove print statement 2022-08-22 16:16:13 +04:00
Marcial Rosales d83401aaf1 Fix issue where the cluster was wrongly matched
It looks like it was matching any cluster which started
with the value in resource_server_id rather than the
exact value
2022-08-22 16:16:13 +04:00
Marcial Rosales a9d069e762 Make aud field optional 2022-08-22 16:16:12 +04:00
Marcial Rosales d69781a7ef Support rich authorization request spec 2022-08-22 16:16:11 +04:00
Philip Kuryloski a250a533a4 Remove elixir related -ignore_xref calls
As they are no longer necessary with xref2 and the erlang.mk updates
2022-06-09 23:18:40 +02:00
Péter Gömöri 52cb5796a3 Remove leftover compiler option for get_stacktrace 2022-05-03 18:40:49 +02:00
Michael Klishin c6de0fd155 Remove a stray ct:pal/2 call in production code
References #4588, #4666
2022-04-29 16:01:00 +04:00
Michael Klishin ca290f1116 OAuth 2: expand all scope aliases provided
Per discussion with @MarcialRosales.

In follow-up to #4588.
2022-04-27 21:21:40 +04:00
Michael Klishin 0862199b9e OAuth 2: initial scope aliasing test 2022-04-21 14:16:46 +04:00
Michael Klishin a2a54686e7 OAuth 2: initial work on scope aliases
Per discussion with @MarcialRosales, we try to fetch
aliases from two sources, based on feedback from two different
users who seemingly rely on the same family of identity
provider products:

 * Use the JWT scope field value first
 * Use extra_scopes_source app env setting second

Just like with the existing extra scopes/complex claim
support originally contributed for Keycloak/identityProvider,
we merge all these scopes obtained from "alternative sources"
with the value of the JWT scopes field. This implicitly
assumes that the result makes sense semantically and
there will not be conflicting scopes. That's on the user to
make sure of.

References #4588
2022-04-20 14:29:31 +04:00
Michael Klishin c38a3d697d Bump (c) year 2022-03-21 01:21:56 +04:00
Arnaud Cogoluègnes 4a2f61a49a Fix usage of add_uaa_key command
Switch is --pem-file, not --pem_file.
2022-03-09 16:24:05 +01:00
Anh Thi Lan Nguyen ea8ad0e3e3 Add timeout for httpc request 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 093a04323b Add configurable crl_check and fail_if_no_peer_cert
- Add configuration: crl_check, fail_if_no_peer_cert
- Correct configuration: hostname_verification
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 118e44c10e Add wildcard configuration
A "wildcard" configuration is added to enable key server verification with wildcard certificate
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen a9bc1c0ce9 Update README.md
- Update new configuration document
- Add configurable "depth" for key server verification
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 8c541fb047 Set peer_verification default as verify_none 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 1615cbfb8b Update better configuration names
- "strict" changes to "https.peer_verification"
- "cacertfile" changes to "https.cacertfile"
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen dd685f1179 Oauth2 plugin improvements
- Validate JWKS server when getting keys
- Restrict usable algorithms
2021-12-14 11:28:33 +07:00
Philip Kuryloski 98e71c45d8 Perform xref checks on many tier-1 plugins 2021-05-21 12:03:22 +02:00
Michael Klishin 97ff62d3b2 Drop trailing newlines from logged messages where possible
Lager strips trailing newline characters but OTP logger with the default
formatter adds a newline at the end. To avoid unintentional multi-line log
messages we have to revisit most messages logged.

Some log entries are intentionally multiline, others
are printed to stdout directly: newlines are required there
for sensible formatting.
2021-03-11 15:17:37 +01:00
Teo Klestrup Röijezon 68dd52e577 Move jwks_http modules into the test folder 2021-02-18 17:11:21 +01:00
Teo Klestrup Röijezon 1a3d68be37 JWKS tests 2021-02-05 11:23:10 +01:00
Teo Klestrup Röijezon 480f7eaadf Support fetching JWT signing keys from JWKS endpoint 2021-02-03 17:09:54 +01:00
Michael Klishin 52479099ec Bump (c) year 2021-01-22 09:00:14 +03:00
Robert Gustafsson 57716223e0 Add support for using extra scopes standalone
This commit makes it possible to use additional sources of scopes in a token
standalone, without the need of combining them with existing ones.
2020-09-16 16:30:24 +02:00
Simon Alling 9b0e853799 Simplify post_process_payload_keycloak 2020-09-01 17:17:15 +02:00
dcorbacho f0d39cb4e2 Switch to Mozilla Public License 2.0 (MPL 2.0) 2020-07-10 20:27:35 +01:00
Jean-Sébastien Pédron 7dcc11cdfd Update copyright (year 2020) 2020-03-10 16:05:48 +01:00
Philip Kuryloski 28080e1e2c Log authentication rejection messages
Normally when auth fails, we simply log that it failed for a given
username. Since the username is ignored with the auth mechanism,
this does not provide sufficient context for debugging config
errors.
2020-03-09 12:49:48 +01:00
Michael Klishin 8d4b3439f9 Avoid using erlang:get_stacktrace/0 for improved OTP 23/24 compat 2020-02-27 22:22:32 +03:00
Michael Klishin e4870b9c70 (c) bump 2019-12-29 05:50:24 +03:00
Arnaud Cogoluègnes e936e82292 Move up aud/scope binary to array conversion
This way scope is always an array which makes it easier for downstream
processing.

References #41
2019-12-05 14:26:17 +01:00
Michael Klishin d9073fba8d Make this code less unorthodox, take 2
Also improves naming a bit.
2019-12-05 10:28:37 +03:00
Michael Klishin 7d2b069cbd Make this code less unorthodox, take 1 2019-12-05 10:12:51 +03:00
Michal Papuga 9a230b0aeb Resolve PR comments - rename variables. 2019-12-05 05:29:12 +01:00
Michal Papuga 3a04670a45 Implement support for gathering scopes from predefined JWT section and combine them with existing ones in post_process_payload() method. Create unit_SUITE and system_SUITE test cases. 2019-12-04 19:14:08 +01:00
Arnaud Cogoluègnes f3405e46fa Support Keycloak token format in post-processing
Scopes from the "authorization" field are extracted and replace the
value of the "scope" key in the parsed and processed token.

Fixes #37
2019-08-21 10:34:20 +02:00
Arnaud Cogoluègnes 16968e8c66 Remove unnecessary console output 2019-07-24 09:04:58 +02:00
Arnaud Cogoluègnes 49f1b6b043 Support simple strings in aud and scope fields
Simple strings are supported, strings with spaces are split into arrays.
The strings are split upfront, the Erlang representation of the token
does not change, to avoid impacts in the code downstream.

Fixes #24
2019-07-12 09:45:02 +02:00
Michael Klishin 5f44635d05 uaa_jwt:get_jwk/1: return an error if there are no configured signing keys
Closes #30.
2019-07-10 18:52:59 +03:00
Arnaud Cogoluègnes 833bb4cec9 Deal with unused parameter 2019-07-10 15:47:57 +02:00
Arnaud Cogoluègnes cb81b0748f Remove extra parameters from output call 2019-07-10 15:12:48 +02:00
Arnaud Cogoluègnes ae8b61a8aa Check token expiration on authentication 2019-07-02 15:27:13 +02:00
Michael Klishin d44e4bce59 Integration tests for JWT token/secret updates; improved error reporting 2019-07-01 21:20:57 +02:00
Michael Klishin 8a8bda0369 More OAuth 2 token refresh tests (WIP) 2019-07-01 16:48:53 +02:00
Michael Klishin e80c125f0b Implement secret (token) update 2019-06-27 22:08:18 +02:00
Michael Klishin 975e2bf177 Extract a constant 2019-06-27 16:04:58 +02:00
Michael Klishin 7e0ebb0fb1 Extract a constant 2019-06-27 16:04:34 +02:00
Michael Klishin 1bc504d297 Token/state renewal stub 2019-06-27 11:19:33 +02:00
Arnaud Cogoluègnes 4f9a4f0ac2 Add protocol-specific context
Just an update of check_resource_access/3 to check_resource_access/4,
the OAuth has no use of protocol-specific data for now.

References rabbitmq/rabbitmq-server#1767
2019-06-04 14:50:59 +02:00
Spring Operator 8cb7b00642 URL Cleanup
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener).

# HTTP URLs that Could Not Be Fixed
These URLs were unable to be fixed. Please review them to see if they can be manually resolved.

* http://blog.listincomprehension.com/search/label/procket (200) with 1 occurrences could not be migrated:
   ([https](https://blog.listincomprehension.com/search/label/procket) result ClosedChannelException).
* http://dozzie.jarowit.net/trac/wiki/TOML (200) with 1 occurrences could not be migrated:
   ([https](https://dozzie.jarowit.net/trac/wiki/TOML) result SSLHandshakeException).
* http://dozzie.jarowit.net/trac/wiki/subproc (200) with 1 occurrences could not be migrated:
   ([https](https://dozzie.jarowit.net/trac/wiki/subproc) result SSLHandshakeException).
* http://e2project.org (200) with 1 occurrences could not be migrated:
   ([https](https://e2project.org) result AnnotatedConnectException).
* http://nitrogenproject.com/ (200) with 2 occurrences could not be migrated:
   ([https](https://nitrogenproject.com/) result ConnectTimeoutException).
* http://proper.softlab.ntua.gr (200) with 1 occurrences could not be migrated:
   ([https](https://proper.softlab.ntua.gr) result SSLHandshakeException).
* http://yaws.hyber.org (200) with 1 occurrences could not be migrated:
   ([https](https://yaws.hyber.org) result AnnotatedConnectException).
* http://choven.ca (503) with 1 occurrences could not be migrated:
   ([https](https://choven.ca) result ConnectTimeoutException).

# Fixed URLs

## Fixed But Review Recommended
These URLs were fixed, but the https status was not OK. However, the https status was the same as the http request or http redirected to an https URL, so they were migrated. Your review is recommended.

* http://fixprotocol.org/ (301) with 1 occurrences migrated to:
  https://fixtrading.org ([https](https://fixprotocol.org/) result SSLHandshakeException).
* http://erldb.org (UnknownHostException) with 1 occurrences migrated to:
  https://erldb.org ([https](https://erldb.org) result UnknownHostException).

## Fixed Success
These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended.

* http://cloudi.org/ with 27 occurrences migrated to:
  https://cloudi.org/ ([https](https://cloudi.org/) result 200).
* http://erlware.org/ with 1 occurrences migrated to:
  https://erlware.org/ ([https](https://erlware.org/) result 200).
* http://inaka.github.io/cowboy-trails/ with 1 occurrences migrated to:
  https://inaka.github.io/cowboy-trails/ ([https](https://inaka.github.io/cowboy-trails/) result 200).
* http://ninenines.eu with 6 occurrences migrated to:
  https://ninenines.eu ([https](https://ninenines.eu) result 200).
* http://www.actordb.com/ with 2 occurrences migrated to:
  https://www.actordb.com/ ([https](https://www.actordb.com/) result 200).
* http://www.cs.kent.ac.uk/projects/wrangler/Home.html with 1 occurrences migrated to:
  https://www.cs.kent.ac.uk/projects/wrangler/Home.html ([https](https://www.cs.kent.ac.uk/projects/wrangler/Home.html) result 200).
* http://www.rabbitmq.com/access-control.html with 2 occurrences migrated to:
  https://www.rabbitmq.com/access-control.html ([https](https://www.rabbitmq.com/access-control.html) result 200).
* http://www.rabbitmq.com/configure.html with 1 occurrences migrated to:
  https://www.rabbitmq.com/configure.html ([https](https://www.rabbitmq.com/configure.html) result 200).
* http://www.rebar3.org with 1 occurrences migrated to:
  https://www.rebar3.org ([https](https://www.rebar3.org) result 200).
* http://inaka.github.com/apns4erl with 1 occurrences migrated to:
  https://inaka.github.com/apns4erl ([https](https://inaka.github.com/apns4erl) result 301).
* http://inaka.github.com/edis/ with 1 occurrences migrated to:
  https://inaka.github.com/edis/ ([https](https://inaka.github.com/edis/) result 301).
* http://lasp-lang.org/ with 1 occurrences migrated to:
  https://lasp-lang.org/ ([https](https://lasp-lang.org/) result 301).
* http://saleyn.github.com/erlexec with 1 occurrences migrated to:
  https://saleyn.github.com/erlexec ([https](https://saleyn.github.com/erlexec) result 301).
* http://www.mozilla.org/MPL/ with 6 occurrences migrated to:
  https://www.mozilla.org/MPL/ ([https](https://www.mozilla.org/MPL/) result 301).
* http://zhongwencool.github.io/observer_cli with 1 occurrences migrated to:
  https://zhongwencool.github.io/observer_cli ([https](https://zhongwencool.github.io/observer_cli) result 301).

# Ignored
These URLs were intentionally ignored.

* http://localhost:8080/uaa/oauth/token with 1 occurrences
2019-03-20 03:11:57 -05:00
Luke Bakken 0e19df0ce4 Rename uaa_jwt app env setting to key_config
See this comment for context:

https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/pull/18#issuecomment-409016622
2018-07-31 15:51:20 -07:00
Luke Bakken 4bd726b5d4 uaa_jwt is no longer a separate application
In order for uaa_jwt settings to be populated by config files, they have to be part of a defined and running application. This PR adds support for a uaa_jwt sub-key of the main rabbitmq_auth_backend_oauth2 env key.
2018-07-20 15:25:09 -07:00
Luke Bakken 613e35be64 Miscellaneous build and doc fixes
* Update erlang.mk to resolve S3 bucket issue
* Update README to indicate that tokens need to be in the password field when clients log in
2018-07-19 15:44:37 -07:00
Michael Klishin f0178d7729 rabbitmq_auth_backend_uaa => rabbitmq_auth_backend_oauth2
"OAuth 2" is many things but it's still more descriptive, open-ended and easier
to find than "uaa" (too tool-specific) or "jwt" (too narrow, not known widely enough).

Per discussion with @hairyhum @kjnilsson.
2018-07-19 22:20:57 +03:00