Commit Graph

110 Commits

Author SHA1 Message Date
Marcial Rosales 84e8d172e6 Make scopes optional for oauth2 authentication 2023-05-30 16:56:12 +02:00
Michael Klishin f5ea10eff8 Squash a compiler warning in a test 2023-05-29 04:09:05 +04:00
Marcial Rosales 1cd84b36ec Test scope prefix within scope alias mapping 2023-05-16 08:40:29 +02:00
Marcial Rosales faffd6fa98 Configure Oauth scope prefix
separate from resource_server_id
2023-05-16 08:40:28 +02:00
Marcial Rosales 6227dfd15d Fix issue #7178 2023-04-18 16:29:42 +02:00
Marcial Rosales efb1b5bd10 Fix 2549
Allow list of preferred_username_claims in cuttlefish
config style.
Use new config style on two selenium test suites
Test oauth2 backend's config schema and oauth2 management
config schema
2023-02-28 10:38:28 +01:00
David Ansari 2d0826c335 Add OAuth 2.0 MQTT system test
Add a test that rabbitmq_auth_backend_oauth2 works with MQTT.

See https://github.com/rabbitmq/rabbitmq-oauth2-tutorial#mqtt-protocol
2023-02-03 14:08:51 +00:00
Marcial Rosales 51e27f8a3f Fix issue #6909
Use the outcome from first authentication
stored in the #user.authz_backends to authenticate
subsequent attempts which occur when a session is
opened.
In particular, during the first authentication attempt,
which occurs during the SASL handshake, the AMQP 1.0
plugin reads and validates the JWT token present in the
password field.
When a new AMQP 1.0 session is opened, the plugin creates
an internal AMQP connection which triggers a second/nth
authentication. For this second/nth authentication, the
plugin propagates as Authentication Credentials the outcome
from the first authentication which is stored in the
`#user.authz_backends`.
The OAuth2 backend first attempts to authenticate using
the password credentials; otherwise it uses the credential with the
key `rabbit_auth_backend_oauth2`, which has a function that
returns the decoded token.
2023-01-31 11:45:59 +01:00
Marcial Rosales 9fca4a7446 Improve coverage 2023-01-03 07:09:02 -05:00
Marcial Rosales 9354397cbf Support Idp initiated logon in mgt ui with Oauth
Configure preferred username from a token
Make client_secret optional
2023-01-03 07:09:00 -05:00
Michael Klishin ec4f1dba7d (c) year bump: 2022 => 2023 2023-01-01 23:17:36 -05:00
Luke Bakken 7fe159edef Yolo-replace format strings
Replaces `~s` and `~p` with their unicode-friendly counterparts.

```
git ls-files *.erl | xargs sed -i.ORIG -e s/~s>/~ts/g -e s/~p>/~tp/g
```
2022-10-10 10:32:03 +04:00
Michael Klishin 21e98f8b13 OAuth 2: unit_SUITE naming and wording 2022-08-23 13:20:01 +04:00
Michael Klishin 877f03082a OAuth 2: use a separate system suite group for RAR 2022-08-23 12:59:59 +04:00
Marcial Rosales 39fbeea628 Use user-tags without prefix tag: as action name 2022-08-22 16:16:14 +04:00
Marcial Rosales 8ee81896cf Add missing test cases 2022-08-22 16:16:14 +04:00
Marcial Rosales 29b97e085b Test single value for locations and actions 2022-08-22 16:16:14 +04:00
Marcial Rosales 4be9bdbc08 Use wildcard library rather than re
for cluster, vhost, queue, exchange,
and routing-key patterns
2022-08-22 16:16:13 +04:00
Marcial Rosales 7cea128a48 Allow regular expression in location's cluster field 2022-08-22 16:16:13 +04:00
Marcial Rosales d83401aaf1 Fix issue where the cluster was wrongly matched
It looks like it was matching any cluster which started
with the value in resource_server_id rather than the
exact value
2022-08-22 16:16:13 +04:00
Marcial Rosales d69781a7ef Support rich authorization request spec 2022-08-22 16:16:11 +04:00
Michael Klishin 8f779ce461 Avoid direct references to jsx
and remove an unused Honeycomb Common Test helper module
we ended up not using.

Discovered when spiking a JSON library switch to Thoas.

Pair: @pjk25
2022-07-25 19:34:51 +04:00
Michael Klishin 38c5683377 OAuth 2: more tests in follow-up to #4588 2022-04-27 21:51:16 +04:00
Michael Klishin ca290f1116 OAuth 2: expand all scope aliases provided
Per discussion with @MarcialRosales.

In follow-up to #4588.
2022-04-27 21:21:40 +04:00
Michael Klishin 4bd782986d OAuth 2: test tag extraction with scope aliases 2022-04-22 12:39:29 +04:00
Michael Klishin e3aade2a93 OAuth 2: one more test case 2022-04-22 12:09:50 +04:00
Michael Klishin 85c8c3e10f OAuth 2: integration tests for missing/incorrect scope aliases 2022-04-22 11:45:20 +04:00
Michael Klishin ba3d2a4b11 OAuth 2: one more integration test for scope aliases 2022-04-22 11:26:47 +04:00
Michael Klishin 54710ed3d0 OAuth 2: system suite refactoring 2022-04-22 11:01:44 +04:00
Michael Klishin 878b1e0bad OAuth 2: extract token refresh tests into a separate group 2022-04-22 10:39:57 +04:00
Michael Klishin 0a5f103bc5 OAuth 2: integration suite cosmetics 2022-04-22 10:17:33 +04:00
Michael Klishin ebbba4c992 OAuth 2: extract complex claim integration tests in a separate group 2022-04-22 09:50:14 +04:00
Michael Klishin efe78133c9 OAuth 2: add an integration test for scope aliases 2022-04-22 01:31:22 +04:00
Michael Klishin 9d72a4a804 OAuth 2: more scope aliasing tests 2022-04-22 00:38:26 +04:00
Michael Klishin a242fb9f3d OAuth 2: refactor unit_SUITE 2022-04-21 16:28:44 +04:00
Michael Klishin 0862199b9e OAuth 2: initial scope aliasing test 2022-04-21 14:16:46 +04:00
Michael Klishin c38a3d697d Bump (c) year 2022-03-21 01:21:56 +04:00
Lajos Gerecs 608d11a3f8 convert additional_scopes_param to the correct equivalent 2022-02-03 18:13:08 +01:00
Anh Thi Lan Nguyen 575b6a1188 Increase token expiration time 2021-12-14 17:18:09 +07:00
Anh Thi Lan Nguyen 8aeca45a17 Start SSL app for testing server 2021-12-14 16:47:20 +07:00
Anh Thi Lan Nguyen 0bc7c98bda Standardise README.md 2021-12-14 12:22:55 +07:00
Anh Thi Lan Nguyen 093a04323b Add configurable crl_check and fail_if_no_peer_cert
- Add configuration: crl_check, fail_if_no_peer_cert
- Correct configuration: hostname_verification
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 118e44c10e Add wildcard configuration
A "wildcard" configuration is added to enable key server verification with a wildcard certificate
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen a9bc1c0ce9 Update README.md
- Update new configuration document
- Add configurable "depth" for key server verification
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 8c541fb047 Set peer_verification default as verify_none 2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen 1615cbfb8b Update better configuration names
- "strict" changes to "https.peer_verification"
- "cacertfile" changes to "https.cacertfile"
2021-12-14 11:28:33 +07:00
Anh Thi Lan Nguyen dd685f1179 Oauth2 plugin improvements
- Validate JWKS server when getting keys
- Restrict usable algorithms
2021-12-14 11:28:33 +07:00
Michal Kuratczyk acf474e056 Fix cuttlefish config for oauth2
The structure of the signing_keys map should be `<<"id">> => {pem, <<"key">>}`.
Previously it was mapped directly as `<<"id">> => <<"key">>`.
2021-11-18 12:58:57 +01:00
Michael Klishin ab795c1232 OAuth 2 system_SUITE: squash some erlc warnings 2021-06-10 15:48:33 +03:00
Michael Klishin b2b37f5626 Merge pull request #2791 from Appva/feature/jwks
Support fetching JWT signing keys from JWKS endpoint
2021-02-23 09:48:25 +03:00