4cad467d51
Remove obsolete function
2024-02-28 10:04:50 +01:00
d5624ab5dc
Add gazelle directive to stabilize bazel run gazelle
...
rabbit_common is indirectly included via rabbit_stream_reader.hrl, and
the rules_erlang gazelle extension does not yet know how to detect
this, therefore the directive manually declares it
2024-02-19 12:53:58 +01:00
41237fbb3b
Fix gaxelle issues around oauth2 dependencies
2024-02-14 18:55:39 +01:00
a8518156c2
OAuth 2: improve debug log message consistency
2024-02-12 09:59:16 -05:00
8a248ef630
Fix indentitation to 4 characters
2024-02-10 21:12:00 +01:00
ca73662ca4
Fix dialyze errors
2024-02-10 20:12:21 +01:00
06a7f48d4b
Apply feedback from @knilson
2024-02-10 20:12:20 +01:00
a3b2269583
Deprecate has_additional_scopes_key
...
and instead use only get_additional_scopes_key
As Per @kjnilsson suggestion
2024-02-10 20:12:20 +01:00
3e65938aa7
One more outdated license header
2024-02-10 20:12:16 +01:00
bf21dbe303
Update a 2023 era license header
2024-02-10 20:12:16 +01:00
7b955f154c
OAuth 2 plugin: cosmetics
...
(cherry picked from commit 7989bfc88e
2024-02-10 20:12:16 +01:00
f292114256
Fix formatting issues
2024-02-10 20:12:14 +01:00
31df65da5d
Drop comment line
2024-02-10 20:12:13 +01:00
fa77072eaa
Add last scenarios
2024-02-10 20:12:06 +01:00
a78120c214
Fix test cases
2024-02-10 20:12:06 +01:00
dbbab67a87
Fix issue setting up mock http server
2024-02-10 20:12:05 +01:00
daebd5fd7a
Fix issue building openid connect url
...
And add more tests
2024-02-10 20:12:05 +01:00
f6ce99ef72
Add failing test
2024-02-10 20:12:05 +01:00
a0680c0f1e
Fix issue resolving oauth provider
...
And add more test coverage
2024-02-10 20:12:05 +01:00
d827b72ce1
Create Oauth2 client
2024-02-10 20:12:04 +01:00
9c79ad8d55
More missed license header updates #9969
2024-02-05 12:26:25 -05:00
f414c2d512
More missed license header updates #9969
2024-02-05 11:53:50 -05:00
1f89ede396
Remove rabbit_authz_backend:state_can_expire/0
...
Use expiry_timestamp/1 instead, which returns 'never'
if the credentials do not expire.
Fixes #10382
2024-01-24 09:58:59 +01:00
33c64d06ea
Add expiry_timestamp/1 callback to authz backend behavior
...
Backends return 'never' or the timestamp of the expiry time
of the credentials. Only the OAuth2 backend returns a timestamp,
other RabbitMQ authz backends return 'never'.
Client code uses rabbit_access_control, so it contains now
a new expiry_timestamp/1 function that returns the earliest
expiry time of the underlying backends.
Fixes #10298
2024-01-19 14:46:47 +01:00
01092ff31f
(c) year bumps
2024-01-01 22:02:20 -05:00
1b642353ca
Update (c) according to [1]
...
1. https://investors.broadcom.com/news-releases/news-release-details/broadcom-and-vmware-intend-close-transaction-november-22-2023
2023-11-21 23:18:22 -05:00
2270a30af0
Point emqtt to rabbitmq/emqtt:master
...
emqtt repos:
emqx/emqtt PR #196 is based on rabbitmq:otp-26-compatibility
emqx/emqtt PR #198 is based on ansd:master
rabbitmq/master contains both of these 2 PRs cherry-picked.
rabbitmq-server repos:
main branch points emqtt to rabbitmq:otp-26-compatibility
mqtt5 branch points emqtt to rabbitmq:master
Therefore, the current mqtt5 branch is OTP 26 compatible and can support
multiple subscription identifiers.
2023-06-21 17:14:08 +01:00
55442aa914
Replace @rabbitmq.com addresses with rabbitmq-core@groups.vmware.com
...
Don't ask why we have to do it. Because reasons!
2023-06-20 15:40:13 +04:00
77ee572467
Fixes #8547
2023-06-14 09:39:03 +02:00
84e8d172e6
Make scopes optional for oauth2 authentication
2023-05-30 16:56:12 +02:00
f5ea10eff8
Squash a compiler warning in a test
2023-05-29 04:09:05 +04:00
1cd84b36ec
Test scope prefix within scope alias mapping
2023-05-16 08:40:29 +02:00
ea4074c1df
Make parameter optional
2023-05-16 08:40:29 +02:00
faffd6fa98
Configure Oauth scope prefix
...
separate from resource_server_id
2023-05-16 08:40:28 +02:00
eb94a58bc9
Add a workflow to compare the bazel/erlang.mk output
...
To catch any drift between the builds
2023-05-15 13:54:14 +02:00
858ed1bff6
Switch to an emqtt fork/branch for OTP26
...
This change should be reverted once emqx/emqtt is OTP26 compatible.
Our fork/branch isn't either at this point, but at least partially
works. Let's use this branch for now to uncover server-side OTP26
incompatibilities (and continue working on OTP26 support for emqtt of
course).
2023-04-26 11:06:23 +02:00
a944439fba
Replace globs in bazel with explicit lists of files
...
As this is preferred in rules_erlang 3.9.14
2023-04-25 17:29:12 +02:00
854d01d9a5
Restore the original -include_lib statements from before #6466
...
since this broke erlang_ls
requires rules_erlang 3.9.13
2023-04-20 12:40:45 +02:00
c0ed80c625
Merge pull request #6466 from rabbitmq/gazelle
...
Use gazelle for some maintenance of bazel BUILD files
2023-04-19 09:33:44 +04:00
de4fa24444
Minor code change
2023-04-18 17:06:05 +02:00
6227dfd15d
Fix issue #7178
2023-04-18 16:29:42 +02:00
8de8f59d47
Use gazelle generated bazel files
...
Bazel build files are now maintained primarily with `bazel run
gazelle`. This will analyze and merge changes into the build files as
necessitated by certain code changes (e.g. the introduction of new
modules).
In some cases there hints to gazelle in the build files, such as `#
gazelle:erlang...` or `# keep` comments. xref checks on plugins that
depend on the cli are a good example.
2023-04-17 18:13:18 +02:00
933d6a586c
Ignore warnings when building plt for rabbitmq_auth_backend_oauth2
...
The plugin itself still dialyzes cleanly, these warnings just mean
that the limited set of dependencies needed for the plugin are
incomplete with respect to each other (Or at least that is how I'm
intrepreting the results at this time).
2023-04-14 12:41:39 +02:00
1c1e4515f7
Deprecate uaa settings from management plugin
2023-04-13 11:22:05 +02:00
efb1b5bd10
Fix 2549
...
Allow list of preferred_username_claims in cuttlefish
config style.
Use new config style on two selenium test suites
Test oauth2 backend's config schema and oauth2 management
config schema
2023-02-28 10:38:28 +01:00
bf2a97a20a
Bump emqx/emqtt to 1.8.2
2023-02-21 17:25:19 +01:00
2dfa762bbb
Merge pull request #7177 from rabbitmq/oauth-mqtt-test
...
Add OAuth 2.0 MQTT system test
2023-02-06 23:18:17 -05:00
bf2b11d7ba
Fixing the rabbitmq_auth_backend_oauth2 schema
...
Fixing reference to the old key 'additional_rabbitmq_scopes'. Removing redundant mapping
2023-02-04 11:41:26 +01:00
2d0826c335
Add OAuth 2.0 MQTT system test
...
Add a test that rabbitmq_auth_backend_oauth2 works with MQTT.
See https://github.com/rabbitmq/rabbitmq-oauth2-tutorial#mqtt-protocol
2023-02-03 14:08:51 +00:00
9339ad1114
Comment why we are propagating authz_backends
...
when opening an internal amqp connection
2023-01-31 11:45:59 +01:00
51e27f8a3f
Fix issue #6909
...
Use the outcome from first authentication
stored in the #user.authz_backends to authenticate
subsequent attempts which occur when a session is
opened.
In particular, during the first authentication attempt
which occurs during the sasl handshake, the amqp 1.0
plugins reads and validates JWT token present in the
password field.
When a new AMQP 1.0 session is opened, the plugin creates
an internal AMQP connection which triggers a second/nth
authentication. For this second/nth authentication, the
plugin propagates as Authentication Credentials the outcome
from the first authentication which is stored in the
`#user.authz_backends`.
The Oauth2 backend first attempts to authenticate using
the password credentials else it uses the credential with the
key `rabbit_auth_backend_oauth2` which has a function which
returns the decoded token
2023-01-31 11:45:59 +01:00
b84e746ee9
Rework plt/dialyze for rabbitmqctl and plugins that depend on it
...
This allows us to stop ignorning undefined callback warnings
When mix compiles rabbitmqctl, it produces a 'consolidated' directory
alongside the 'ebin' dir. Some of the modules in consolidated are
intended to be used instead of those provided by elixir. We now handle
the conflicts properly in the bazel build.
2023-01-19 17:29:23 +01:00
8164df8bb2
Fix all dialyzer warnings in auth backends
2023-01-19 16:01:30 +01:00
5ef8923462
Avoid the need to pass package name to rabbitmq_integration_suite
2023-01-18 15:25:27 +01:00
a317b30807
Use improved assert_suites2 macro from rules_erlang 3.9.0
2023-01-18 15:07:06 +01:00
9fca4a7446
Improve coverage
2023-01-03 07:09:02 -05:00
9354397cbf
Support Idp initiated logon in mgt ui with Oauth
...
Configure preferred username from a token
Make client_secret optional
2023-01-03 07:09:00 -05:00
0a8dd19434
Cosmetics
...
(cherry picked from commit 042725d8364bac3fed40df4dcdb534728dd56576)
2023-01-02 07:15:58 -05:00
ec4f1dba7d
(c) year bump: 2022 => 2023
2023-01-01 23:17:36 -05:00
09d84e6bd5
See #4842 . Obfuscate impl value
2022-11-09 15:14:51 -08:00
7fe159edef
Yolo-replace format strings
...
Replaces `~s` and `~p` with their unicode-friendly counterparts.
```
git ls-files *.erl | xargs sed -i.ORIG -e s/~s>/~ts/g -e s/~p>/~tp/g
```
2022-10-10 10:32:03 +04:00
a9b72877f5
Bump deps: michaelklishin/erlang-jose and Thoas
2022-08-29 15:28:37 +04:00
b14eee13b5
OAuth 2: rename a function
2022-08-23 14:30:03 +04:00
21e98f8b13
OAuth 2: unit_SUITE naming and wording
2022-08-23 13:20:01 +04:00
877f03082a
OAuth 2: use a separate system suite group for RAR
2022-08-23 12:59:59 +04:00
d321a30198
README edits
...
Make it clear that the first sample location grants
access to any queue and/or exchange on the selected
vhost and cluster
2022-08-22 16:16:16 +04:00
5629a7ccbb
OAuth 2 README: add a missing link
2022-08-22 16:16:16 +04:00
4134bbacfc
OAuth 2: edits per discussion with @marcialrosales
2022-08-22 16:16:16 +04:00
3a09139635
OAuth 2: more RAR doc edits
2022-08-22 16:16:15 +04:00
207162d535
OAuth 2: one more RAR doc edit
2022-08-22 16:16:15 +04:00
083abe52b7
OAuth 2 Cuttlefish schema: cosmetics
2022-08-22 16:16:15 +04:00
382c7f092b
OAuth 2: README edits
2022-08-22 16:16:15 +04:00
32242a5c7a
OAuth 2: README edits
2022-08-22 16:16:15 +04:00
efc2878bdb
README edits
2022-08-22 16:16:15 +04:00
3112fa962e
Update documentation
2022-08-22 16:16:14 +04:00
be36f91fb0
Update docs
2022-08-22 16:16:14 +04:00
39fbeea628
Use user-tags without prefix tag: as action name
2022-08-22 16:16:14 +04:00
8ee81896cf
Add missing test cases
2022-08-22 16:16:14 +04:00
29b97e085b
Test single value for locations and actions
2022-08-22 16:16:14 +04:00
9562ea53bc
Correct mistake in the translation example
2022-08-22 16:16:14 +04:00
3dbb438f5a
Improve readability
2022-08-22 16:16:14 +04:00
38e83ac8d4
Explain how permissions are translated to scopes
2022-08-22 16:16:13 +04:00
fa77f93448
Explain how the permissions translate to scopes
2022-08-22 16:16:13 +04:00
eb3f894d25
Update docs
2022-08-22 16:16:13 +04:00
4be9bdbc08
Use wildcard library rather than re
...
for cluster, vhost , queue , exchange,
and routing-key patterns
2022-08-22 16:16:13 +04:00
7cea128a48
Allow regular expression in location's cluster field
2022-08-22 16:16:13 +04:00
4505fbd1dd
Remove print statement
2022-08-22 16:16:13 +04:00
d83401aaf1
Fix issue where the cluster was wrongly matched
...
It looks like it was matching any cluster which started
with the value in resource_server_id rather than the
exact value
2022-08-22 16:16:13 +04:00
a9d069e762
Make aud field optional
2022-08-22 16:16:12 +04:00
d69781a7ef
Support rich authorization request spec
2022-08-22 16:16:11 +04:00
575c5f9975
Remove all of the .travis.yml files
...
since we no longer use them
2022-08-16 09:46:31 +02:00
8f779ce461
Avoid direct references to jsx
...
and remove an unused Honeycomb Common Test helper module
we ended up not using.
Discovered when spiking a JSON library switch to Thoas.
Pair: @pjk25
2022-07-25 19:34:51 +04:00
a250a533a4
Remove elixir related -ignore_xref calls
...
As they are no longer necessary with xref2 and the erlang.mk updates
2022-06-09 23:18:40 +02:00
15a79466b1
Use the new xref2 macro from rules_erlang
...
That adopts the modern erlang.mk xref behaviour
2022-06-09 23:18:28 +02:00
327f075d57
Make rabbitmq-server work with rules_erlang 3
...
Also rework elixir dependency handling, so we no longer rely on mix to
fetch the rabbitmq_cli deps
Also:
- Specify ra version with a commit rather than a branch
- Fixup compilation options for erlang 23
- Add missing ra reference in MODULE.bazel
- Add missing flag in oci.yaml
- Reduce bazel rbe jobs to try to save memory
- Use bazel built erlang for erlang git master tests
- Use the same cache for all the workflows but windows
- Avoid using `mix local.hex --force` in elixir rules
- Fetching seems blocked in CI, and this should reduce hex api usage in
all builds, which is always nice
- Remove xref and dialyze tags since rules_erlang 3 includes them in
the defaults
2022-06-08 14:04:53 +02:00
dc70cbf281
Update Erlang.mk and switch to new xref code
2022-05-31 13:51:12 +02:00
52cb5796a3
Remove leftover compiler option for get_stacktrace
2022-05-03 18:40:49 +02:00
c6de0fd155
Remove a stray ct:pal/2 call in production code
...
References #4588 , #4666
2022-04-29 16:01:00 +04:00
38c5683377
OAuth 2: more tests in follow-up to #4588
2022-04-27 21:51:16 +04:00
ca290f1116
OAuth 2: expand all scope aliases provided
...
Per discussion with @MarcialRosales.
In follow-up to #4588 .
2022-04-27 21:21:40 +04:00
2dccccfdb4
Merge pull request #4604 from rabbitmq/rabbitmq-server-4588
...
OAuth 2: support for scope aliases
2022-04-23 08:33:07 +04:00
4bd782986d
OAuth 2: test tag extraction with scope aliases
2022-04-22 12:39:29 +04:00
e3aade2a93
OAuth 2: one more test case
2022-04-22 12:09:50 +04:00
85c8c3e10f
OAuth 2: integration tests for missing/incorrect scope aliases
2022-04-22 11:45:20 +04:00
ba3d2a4b11
OAuth 2: one more integration test for scope aliases
2022-04-22 11:26:47 +04:00
54710ed3d0
OAuth 2: system suite refactoring
2022-04-22 11:01:44 +04:00
878b1e0bad
OAuth 2: extract token refresh tests into a separate group
2022-04-22 10:39:57 +04:00
0a5f103bc5
OAuth 2: integration suite cosmetics
2022-04-22 10:17:33 +04:00
ebbba4c992
OAuth 2: extract complex claim integration tests in a separate group
2022-04-22 09:50:14 +04:00
ead29ffa12
Add note on token expiration and refresh
2022-04-21 23:40:56 +02:00
efe78133c9
OAuth 2: add an integration test for scope aliases
2022-04-22 01:31:22 +04:00
9d72a4a804
OAuth 2: more scope aliasing tests
2022-04-22 00:38:26 +04:00
a242fb9f3d
OAuth 2: refactor unit_SUITE
2022-04-21 16:28:44 +04:00
0862199b9e
OAuth 2: initial scope aliasing test
2022-04-21 14:16:46 +04:00
a2a54686e7
OAuth 2: initial work on scope aliases
...
Per discussion with @MarcialRosales, we try to fetch
aliases from two sources, based on feedback from two different
users who seemingly rely on the same family of identity
provider products:
* Use the JWT scope field value first
* Use extra_scopes_source app env setting second
Just like with the existing extra scopes/complex claim
support originally contributed for Keycloak/identityProvider,
we merge all these scopes obtained from "alternative sources"
with the value of the JWT scopes field. This implicitly
assumes that the result makes sense semantically and
there will not be conflicting scopes. That's on the user to
make sure of.
References #4588
2022-04-20 14:29:31 +04:00
dba25f6462
Replace files with symlinks
...
This prevents duplicated and out-of-date instructions.
2022-04-15 06:04:29 -07:00
c38a3d697d
Bump (c) year
2022-03-21 01:21:56 +04:00
4a2f61a49a
Fix usage of add_uaa_key command
...
Switch is --pem-file, not --pem_file.
2022-03-09 16:24:05 +01:00
8443305e49
Remove Travis CI badge in OAuth 2 plugin
2022-03-02 08:57:40 +01:00
dabf053cf8
Additional dialyzer warning fixes
...
Currently loading of the rabbitmq_cli defined behaviors compiled with
Elixir does not work, so we ignore the callback definitions contained therein
2022-02-25 18:14:35 +01:00
226e00fcd2
Tighten up dialyzer usage
...
now that rules_erlang no longer cascades up dialyzer warnings from deps
2022-02-24 11:18:41 +01:00
d8201726ae
Ignore dialyzer warnings for most apps
2022-02-21 09:19:56 +01:00
608d11a3f8
convert additional_scopes_param to the correct equivalent
2022-02-03 18:13:08 +01:00
efcd881658
Use rules_erlang v2
...
bazel-erlang has been renamed rules_erlang. v2 is a substantial
refactor that brings Windows support. While this alone isn't enough to
run all rabbitmq-server suites on windows, one can at least now start
the broker (bazel run broker) and run the tests that do not start a
background broker process
2022-01-18 13:43:46 +01:00
575b6a1188
Increase token expiration time
2021-12-14 17:18:09 +07:00
8aeca45a17
Start SSL app for testing server
2021-12-14 16:47:20 +07:00
0bc7c98bda
Standardise README.md
2021-12-14 12:22:55 +07:00
868443deb0
Correct configuration example in README.md
2021-12-14 11:28:33 +07:00
ea8ad0e3e3
Add timeout for httpc request
2021-12-14 11:28:33 +07:00
093a04323b
Add configurable crl_check and fail_if_no_peer_cert
...
- Add configuration: crl_check, fail_if_no_peer_cert
- Correct configuration: hostname_verification
2021-12-14 11:28:33 +07:00
118e44c10e
Add wildcard configuration
...
A "wildcard" configuration is added to enable key server verification with wildcard certificate
2021-12-14 11:28:33 +07:00
a9bc1c0ce9
Update README.md
...
- Update new configuration document
- Add configurable "depth" for key server verification
2021-12-14 11:28:33 +07:00
8c541fb047
Set peer_verification default as verify_none
2021-12-14 11:28:33 +07:00
1615cbfb8b
Update better configuration names
...
- "strict" changes to "https.peer_verification"
- "cacertfile" changes to "https.cacertfile"
2021-12-14 11:28:33 +07:00
dd685f1179
Oauth2 plugin improvements
...
- Validate JWKS server when getting keys
- Restrict usable algorithms
2021-12-14 11:28:33 +07:00
acf474e056
Fix cuttlefish config for oauth2
...
The structure of the signing_keys map should be `<<"id">> => {pem, <<"key">>}`.
Previously it was mapped directly as `<<"id">> => <<"key">>`.
2021-11-18 12:58:57 +01:00
b8cabfe3dd
bump test timeouts
2021-07-28 08:37:40 +02:00
2a6a9c786b
Bazel test timeouts
2021-07-27 10:57:50 +02:00
abc8703fd8
Bump test timeouts in bazel
2021-07-26 11:09:09 +02:00
8f9de08de7
Also assert no missing suites for all other deps
2021-07-12 18:05:55 +02:00
8c7e7e0656
Revert "Default all `rabbitmq_integration_suite` to flaky in bazel"
...
This reverts commit 70cb8147b2
2021-06-23 20:53:14 +02:00
70cb8147b2
Default all `rabbitmq_integration_suite` to flaky in bazel
...
Most tests that can start rabbitmq nodes have some chance of
flaking. Rather than chase individual flakes for now, this commit
changes the default (though it can still be overriden, as is the case
for config_scheme_SUITE in many places, since I have yet to see that
particular suite flake).
2021-06-21 16:10:38 +02:00
604fbfac3a
Depend on erlang-jose ref with fix for potatosalad/erlang-jose#113
2021-06-10 15:49:39 +03:00
ab795c1232
OAuth 2 system_SUITE: squash some erlc warnings
2021-06-10 15:48:33 +03:00
37f5744833
Add rabbitmq_auth_backend_oauth2 system_SUITE to bazel
2021-06-09 17:43:20 +02:00
30f9a95b9f
Add dialyze for remaning tier-1 plugins
2021-06-01 10:19:10 +02:00
98e71c45d8
Perform xref checks on many tier-1 plugins
2021-05-21 12:03:22 +02:00
c13c2af614
Bazel file refactoring
2021-05-11 12:03:27 +02:00
ec5954fe9c
Refactor rabbitmq_auth_backend_oauth2 bazel
2021-05-11 10:52:28 +02:00
05cb5f8fa6
Set correct field for extra scope and improve doc
...
- Replace additional_rabbitmq_scopes in doc for the correct extra_scopes_source value
- Add samples
- More details for audiance checkup on token
2021-04-16 15:27:58 +02:00
Marcial Rosales
Rin Kuryloski
Michael Klishin
Michael Klishin
Arnaud Cogoluègnes
David Ansari
Rin Kuryloski
Michal Kuratczyk
brunomedeirosdedalus
Alexey Lebedeff
Simon Unge
Luke Bakken
Loïc Hoguin
Péter Gömöri
Péter Gömöri
Lajos Gerecs
Anh Thi Lan Nguyen
SkapiN