Commit Graph

187 Commits

Author SHA1 Message Date
Marcial Rosales 18bd43aa50 Improve formatting and add missing test case 2024-08-29 12:44:49 +01:00
Marcial Rosales 72b6bbdb35 Add more test cases 2024-08-29 12:44:49 +01:00
Marcial Rosales 77e8172009 Support tokens without kid when using multiple resources 2024-08-29 12:44:49 +01:00
David Ansari 0397035669 Add test for AMQP 1.0 clients using OAuth token 2024-07-31 12:05:22 +02:00
David Ansari 7fb78338c6 Disconnect MQTT client when its credential expires
Fixes https://github.com/rabbitmq/rabbitmq-server/discussions/11854
Fixes https://github.com/rabbitmq/rabbitmq-server/issues/11862

This commit uses the same approach as implemented for AMQP 1.0 and
Streams: When a token expires, RabbitMQ will close the connection.
2024-07-30 19:55:46 +02:00
Michael Klishin 341f3daae9 Strip some trailing whitespace 2024-06-03 16:44:47 -04:00
Marcial Rosales 72ab1944bf Make end_session_endpoint configurable 2024-05-27 11:19:09 +02:00
Michal Kuratczyk cfa3de4b2b Remove unused imports (thanks elp!) 2024-05-23 16:36:08 +02:00
Marcial Rosales f7e25b4611 Remove duplicate code
that returns Erlang ssl options
from RabbitMQ configuration
2024-04-15 10:16:53 +02:00
Marcial Rosales 4cad467d51 Remove obsolete function 2024-02-28 10:04:50 +01:00
Marcial Rosales 06a7f48d4b Apply feedback from @knilson 2024-02-10 20:12:20 +01:00
Marcial Rosales a3b2269583 Deprecate has_additional_scopes_key
and instead use only get_additional_scopes_key
As per @kjnilsson's suggestion
2024-02-10 20:12:20 +01:00
Michael Klishin 7b955f154c OAuth 2 plugin: cosmetics
(cherry picked from commit 7989bfc88e)
2024-02-10 20:12:16 +01:00
Marcial Rosales f292114256 Fix formatting issues 2024-02-10 20:12:14 +01:00
Marcial Rosales 31df65da5d Drop comment line 2024-02-10 20:12:13 +01:00
Marcial Rosales fa77072eaa Add last scenarios 2024-02-10 20:12:06 +01:00
Marcial Rosales a78120c214 Fix test cases 2024-02-10 20:12:06 +01:00
Marcial Rosales dbbab67a87 Fix issue setting up mock http server 2024-02-10 20:12:05 +01:00
Marcial Rosales daebd5fd7a Fix issue building openid connect url
And add more tests
2024-02-10 20:12:05 +01:00
Marcial Rosales f6ce99ef72 Add failing test 2024-02-10 20:12:05 +01:00
Marcial Rosales a0680c0f1e Fix issue resolving oauth provider
And add more test coverage
2024-02-10 20:12:05 +01:00
Marcial Rosales d827b72ce1 Create Oauth2 client 2024-02-10 20:12:04 +01:00
Michael Klishin f414c2d512 More missed license header updates #9969 2024-02-05 11:53:50 -05:00
Arnaud Cogoluègnes 33c64d06ea Add expiry_timestamp/1 callback to authz backend behavior
Backends return 'never' or the timestamp of the expiry time
of the credentials. Only the OAuth2 backend returns a timestamp,
other RabbitMQ authz backends return 'never'.

Client code uses rabbit_access_control, so it now contains
a new expiry_timestamp/1 function that returns the earliest
expiry time of the underlying backends.

Fixes #10298
2024-01-19 14:46:47 +01:00
Michael Klishin 01092ff31f (c) year bumps 2024-01-01 22:02:20 -05:00
Michael Klishin 1b642353ca Update (c) according to [1]
1. https://investors.broadcom.com/news-releases/news-release-details/broadcom-and-vmware-intend-close-transaction-november-22-2023
2023-11-21 23:18:22 -05:00
Marcial Rosales 77ee572467 Fixes #8547 2023-06-14 09:39:03 +02:00
Marcial Rosales 84e8d172e6 Make scopes optional for oauth2 authentication 2023-05-30 16:56:12 +02:00
Michael Klishin f5ea10eff8 Squash a compiler warning in a test 2023-05-29 04:09:05 +04:00
Marcial Rosales 1cd84b36ec Test scope prefix within scope alias mapping 2023-05-16 08:40:29 +02:00
Marcial Rosales faffd6fa98 Configure Oauth scope prefix
separate from resource_server_id
2023-05-16 08:40:28 +02:00
Marcial Rosales 6227dfd15d Fix issue #7178 2023-04-18 16:29:42 +02:00
Marcial Rosales efb1b5bd10 Fix 2549
Allow list of preferred_username_claims in cuttlefish
config style.
Use new config style on two selenium test suites
Test oauth2 backend's config schema and oauth2 management
config schema
2023-02-28 10:38:28 +01:00
David Ansari 2d0826c335 Add OAuth 2.0 MQTT system test
Add a test that rabbitmq_auth_backend_oauth2 works with MQTT.

See https://github.com/rabbitmq/rabbitmq-oauth2-tutorial#mqtt-protocol
2023-02-03 14:08:51 +00:00
Marcial Rosales 51e27f8a3f Fix issue #6909
Use the outcome from the first authentication,
stored in the #user.authz_backends, to authenticate
subsequent attempts which occur when a session is
opened.
In particular, during the first authentication attempt,
which occurs during the SASL handshake, the AMQP 1.0
plugin reads and validates the JWT token present in the
password field.
When a new AMQP 1.0 session is opened, the plugin creates
an internal AMQP connection which triggers a second/nth
authentication. For this second/nth authentication, the
plugin propagates as Authentication Credentials the outcome
from the first authentication, which is stored in the
`#user.authz_backends`.
The OAuth2 backend first attempts to authenticate using
the password credentials; otherwise it uses the credential with the
key `rabbit_auth_backend_oauth2`, which has a function that
returns the decoded token.
2023-01-31 11:45:59 +01:00
Marcial Rosales 9fca4a7446 Improve coverage 2023-01-03 07:09:02 -05:00
Marcial Rosales 9354397cbf Support IdP-initiated logon in mgt UI with OAuth
Configure preferred username from a token
Make client_secret optional
2023-01-03 07:09:00 -05:00
Michael Klishin ec4f1dba7d (c) year bump: 2022 => 2023 2023-01-01 23:17:36 -05:00
Luke Bakken 7fe159edef Yolo-replace format strings
Replaces `~s` and `~p` with their unicode-friendly counterparts.

```
git ls-files *.erl | xargs sed -i.ORIG -e s/~s>/~ts/g -e s/~p>/~tp/g
```
2022-10-10 10:32:03 +04:00
Michael Klishin 21e98f8b13 OAuth 2: unit_SUITE naming and wording 2022-08-23 13:20:01 +04:00
Michael Klishin 877f03082a OAuth 2: use a separate system suite group for RAR 2022-08-23 12:59:59 +04:00
Marcial Rosales 39fbeea628 Use user-tags without prefix tag: as action name 2022-08-22 16:16:14 +04:00
Marcial Rosales 8ee81896cf Add missing test cases 2022-08-22 16:16:14 +04:00
Marcial Rosales 29b97e085b Test single value for locations and actions 2022-08-22 16:16:14 +04:00
Marcial Rosales 4be9bdbc08 Use wildcard library rather than re
for cluster, vhost, queue, exchange,
and routing-key patterns
2022-08-22 16:16:13 +04:00
Marcial Rosales 7cea128a48 Allow regular expression in location's cluster field 2022-08-22 16:16:13 +04:00
Marcial Rosales d83401aaf1 Fix issue where the cluster was wrongly matched
It looks like it was matching any cluster which started
with the value in resource_server_id rather than the
exact value
2022-08-22 16:16:13 +04:00
Marcial Rosales d69781a7ef Support rich authorization request spec 2022-08-22 16:16:11 +04:00
Michael Klishin 8f779ce461 Avoid direct references to jsx
and remove an unused Honeycomb Common Test helper module
we ended up not using.

Discovered when spiking a JSON library switch to Thoas.

Pair: @pjk25
2022-07-25 19:34:51 +04:00
Michael Klishin 38c5683377 OAuth 2: more tests in follow-up to #4588 2022-04-27 21:51:16 +04:00
Michael Klishin ca290f1116 OAuth 2: expand all scope aliases provided
Per discussion with @MarcialRosales.

In follow-up to #4588.
2022-04-27 21:21:40 +04:00
Michael Klishin 4bd782986d OAuth 2: test tag extraction with scope aliases 2022-04-22 12:39:29 +04:00
Michael Klishin e3aade2a93 OAuth 2: one more test case 2022-04-22 12:09:50 +04:00
Michael Klishin 85c8c3e10f OAuth 2: integration tests for missing/incorrect scope aliases 2022-04-22 11:45:20 +04:00
Michael Klishin ba3d2a4b11 OAuth 2: one more integration test for scope aliases 2022-04-22 11:26:47 +04:00
Michael Klishin 54710ed3d0 OAuth 2: system suite refactoring 2022-04-22 11:01:44 +04:00
Michael Klishin 878b1e0bad OAuth 2: extract token refresh tests into a separate group 2022-04-22 10:39:57 +04:00
Michael Klishin 0a5f103bc5 OAuth 2: integration suite cosmetics 2022-04-22 10:17:33 +04:00
Michael Klishin ebbba4c992 OAuth 2: extract complex claim integration tests in a separate group 2022-04-22 09:50:14 +04:00
Michael Klishin efe78133c9 OAuth 2: add an integration test for scope aliases 2022-04-22 01:31:22 +04:00
Michael Klishin 9d72a4a804 OAuth 2: more scope aliasing tests 2022-04-22 00:38:26 +04:00
Michael Klishin a242fb9f3d OAuth 2: refactor unit_SUITE 2022-04-21 16:28:44 +04:00
Michael Klishin 0862199b9e OAuth 2: initial scope aliasing test 2022-04-21 14:16:46 +04:00
Michael Klishin c38a3d697d Bump (c) year 2022-03-21 01:21:56 +04:00
Lajos Gerecs 608d11a3f8 convert additional_scopes_param to the correct equivalent 2022-02-03 18:13:08 +01:00
Anh Thi Lan Nguyen 575b6a1188 Increase token expiration time 2021-12-14 17:18:09 +07:00
Anh Thi Lan Nguyen 8aeca45a17 Start SSL app for testing server 2021-12-14 16:47:20 +07:00
Anh Thi Lan Nguyen 0bc7c98bda Standardise README.md 2021-12-14 12:22:55 +07:00
Anh Thi Lan Nguyen 093a04323b Add configurable crl_check and fail_if_no_peer_cert
- Add configuration: crl_check, fail_if_no_peer_cert
- Correct configuration: hostname_verification
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 118e44c10e Add wildcard configuration
A "wildcard" configuration is added to enable key server verification with a wildcard certificate
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen a9bc1c0ce9 Update README.md
- Update new configuration document
- Add configurable "depth" for key server verification
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 8c541fb047 Set peer_verification default as verify_none 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 1615cbfb8b Update better configuration names
- "strict" changes to "https.peer_verification"
- "cacertfile" changes to "https.cacertfile"
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen dd685f1179 Oauth2 plugin improvements
- Validate JWKS server when getting keys
- Restrict usable algorithms
2021-12-14 11:28:33 +07:00
Michal Kuratczyk acf474e056 Fix cuttlefish config for oauth2
The structure of the signing_keys map should be `<<"id">> => {pem, <<"key">>}`.
Previously it was mapped directly as `<<"id">> => <<"key">>`.
2021-11-18 12:58:57 +01:00
Michael Klishin ab795c1232 OAuth 2 system_SUITE: squash some erlc warnings 2021-06-10 15:48:33 +03:00
Michael Klishin b2b37f5626 Merge pull request #2791 from Appva/feature/jwks
Support fetching JWT signing keys from JWKS endpoint
2021-02-23 09:48:25 +03:00
Michal Kuratczyk 53fc8ebbe0 Make the tests green
Fix the snippet and make it more thorough.
2021-02-22 13:35:30 +01:00
Michal Kuratczyk c729e15112 WIP: cuttlefish support for oauth2 plugin
No support for symmetric key options as this would make the
implementation much more complex and shouldn't really be used anyway.

WIP because while the code seems to work, tests fail.
2021-02-22 10:33:35 +01:00
Teo Klestrup Röijezon 543e8aa3a3 Enable jwks_http to run embedded without requiring a separate OTP application 2021-02-18 17:41:54 +01:00
Teo Klestrup Röijezon 68dd52e577 Move jwks_http modules into the test folder 2021-02-18 17:11:21 +01:00
Teo Klestrup Röijezon 1a3d68be37 JWKS tests 2021-02-05 11:23:10 +01:00
Michael Klishin 52479099ec Bump (c) year 2021-01-22 09:00:14 +03:00
dcorbacho f0d39cb4e2 Switch to Mozilla Public License 2.0 (MPL 2.0) 2020-07-10 20:27:35 +01:00
Jean-Sébastien Pédron 7dcc11cdfd Update copyright (year 2020) 2020-03-10 16:05:48 +01:00
Philip Kuryloski 28080e1e2c Log authentication rejection messages
Normally when auth fails, we simply log that it failed for a given
username. Since the username is ignored with the auth mechanism,
this does not provide sufficient context for debugging config
errors.
2020-03-09 12:49:48 +01:00
Michael Klishin e4870b9c70 (c) bump 2019-12-29 05:50:24 +03:00
Arnaud Cogoluègnes cb3fe65a07 Polish extra scopes source tests
Set up environment in init/end test functions, change some scopes in
test to make assertion more obvious.

References #41
2019-12-05 14:10:21 +01:00
Michael Klishin d9073fba8d Make this code less unorthodox, take 2
Also improves naming a bit.
2019-12-05 10:28:37 +03:00
Michal Papuga 9a230b0aeb Resolve PR comments - rename variables. 2019-12-05 05:29:12 +01:00
Michal Papuga 3a04670a45 Implement support for gathering scopes from predefined JWT section and combine them with existing ones in post_process_payload() method. Create unit_SUITE and system_SUITE test cases. 2019-12-04 19:14:08 +01:00
Arnaud Cogoluègnes f3405e46fa Support Keycloak token format in post-processing
Scopes from the "authorization" field are extracted and replace the
value of the "scope" key in the parsed and processed token.

Fixes #37
2019-08-21 10:34:20 +02:00
Arnaud Cogoluègnes 49f1b6b043 Support simple strings in aud and scope fields
Simple strings are supported, strings with spaces are split into arrays.
The strings are split upfront, the Erlang representation of the token
does not change, to avoid impacts in the code downstream.

Fixes #24
2019-07-12 09:45:02 +02:00
Arnaud Cogoluègnes ae8b61a8aa Check token expiration on authentication 2019-07-02 15:27:13 +02:00
Michael Klishin fdb4693083 Integration suite: don't attempt to close channels on a closing connection 2019-07-02 13:20:36 +02:00
Michael Klishin 16f7328986 Integration suite: correctly compute expiration
It should be in seconds.
2019-07-02 12:15:17 +02:00
Michael Klishin d44e4bce59 Integration tests for JWT token/secret updates; improved error reporting 2019-07-01 21:20:57 +02:00
Michael Klishin 8a8bda0369 More OAuth 2 token refresh tests (WIP) 2019-07-01 16:48:53 +02:00
Michael Klishin 369e4158c1 Assert on operations on both new and existing channels
Per suggestion from @acogoluegnes.
2019-06-29 00:28:05 +02:00
Michael Klishin 4a4f81c374 Token refresh integration tests
Depend on recent updates in the Erlang client.
2019-06-28 18:44:33 +02:00