From 7f1952c105aee22fa52e6f9874aa4df539fecffb Mon Sep 17 00:00:00 2001
From: Marcial Rosales
Date: Wed, 2 Oct 2024 18:51:56 +0200
Subject: [PATCH] Test translation function of scope_aliases

---
 .../src/rabbit_oauth2_schema.erl        |   2 +-
 .../test/rabbit_oauth2_schema_SUITE.erl | 159 ++++++++++++------
 2 files changed, 112 insertions(+), 49 deletions(-)

diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl
index 5cd0060d3348..47d50921a158 100644
--- a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl
@@ -210,7 +210,7 @@ extract_oauth_providers_signing_keys(Settings) ->
     KeyFun = fun extract_key_as_binary/1,
 
     IndexedSigningKeys = [{Name, {list_to_binary(Kid), list_to_binary(V)}} ||
-        {[?AUTH_OAUTH2, ?OAUTH_PROVIDERS, Name, "signing_keys", Kid], V}
+        {[?AUTH_OAUTH2, ?OAUTH_PROVIDERS, Name, ?SIGNING_KEYS, Kid], V}
             <- Settings ],
     maps:map(fun(_K,V)-> [{signing_keys, translate_list_of_signing_keys(V)}] end,
         maps:groups_from_list(KeyFun, fun({_, V}) -> V end, IndexedSigningKeys)).
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_schema_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_schema_SUITE.erl
index 58e69c334d83..af0a0baf941e 100644
--- a/deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_schema_SUITE.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_schema_SUITE.erl
@@ -27,7 +27,8 @@ all() ->
     test_without_resource_servers,
     test_with_one_resource_server,
     test_with_many_resource_servers,
-    test_resource_servers_attributes
+    test_resource_servers_attributes,
+    test_scope_aliases
     ].
 
 
@@ -39,21 +40,27 @@ test_without_resource_servers(_) ->
     #{} = rabbit_oauth2_schema:translate_resource_servers([]).
 
 test_with_one_oauth_provider(_) ->
-    Conf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://rabbit"}
-    ],
+    Conf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "https://rabbit"}
+    ],
     #{<<"keycloak">> := [{issuer, <<"https://rabbit">>}]
     } = rabbit_oauth2_schema:translate_oauth_providers(Conf).
 
 test_with_one_resource_server(_) ->
-    Conf = [{["auth_oauth2","resource_servers","rabbitmq1","id"],"rabbitmq1"}
-    ],
+    Conf = [
+        {["auth_oauth2","resource_servers","rabbitmq1","id"],"rabbitmq1"}
+    ],
     #{<<"rabbitmq1">> := [{id, <<"rabbitmq1">>}]
     } = rabbit_oauth2_schema:translate_resource_servers(Conf).
 
 test_with_many_oauth_providers(_) ->
-    Conf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://keycloak"},
-    {["auth_oauth2","oauth_providers","uaa","issuer"],"https://uaa"}
-    ],
+    Conf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "https://keycloak"},
+        {["auth_oauth2","oauth_providers","uaa","issuer"],
+            "https://uaa"}
+    ],
     #{<<"keycloak">> := [{issuer, <<"https://keycloak">>}
     ],
     <<"uaa">> := [{issuer, <<"https://uaa">>}
@@ -62,9 +69,12 @@ test_with_many_oauth_providers(_) ->
 
 
 test_with_many_resource_servers(_) ->
-    Conf = [{["auth_oauth2","resource_servers","rabbitmq1","id"],"rabbitmq1"},
-    {["auth_oauth2","resource_servers","rabbitmq2","id"],"rabbitmq2"}
-    ],
+    Conf = [
+        {["auth_oauth2","resource_servers","rabbitmq1","id"],
+            "rabbitmq1"},
+        {["auth_oauth2","resource_servers","rabbitmq2","id"],
+            "rabbitmq2"}
+    ],
     #{<<"rabbitmq1">> := [{id, <<"rabbitmq1">>}
     ],
     <<"rabbitmq2">> := [{id, <<"rabbitmq2">>}
@@ -72,21 +82,30 @@ test_with_many_resource_servers(_) ->
     } = rabbit_oauth2_schema:translate_resource_servers(Conf).
 
 test_oauth_providers_attributes(_) ->
-    Conf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://keycloak"},
-    {["auth_oauth2","oauth_providers","keycloak","default_key"],"token-key"}
-    ],
+    Conf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "https://keycloak"},
+        {["auth_oauth2","oauth_providers","keycloak","default_key"],
+            "token-key"}
+    ],
     #{<<"keycloak">> := [{default_key, <<"token-key">>},
     {issuer, <<"https://keycloak">>}
     ]
     } = sort_settings(rabbit_oauth2_schema:translate_oauth_providers(Conf)).
 
 test_resource_servers_attributes(_) ->
-    Conf = [{["auth_oauth2","resource_servers","rabbitmq1","id"],"rabbitmq1xxx"},
-    {["auth_oauth2","resource_servers","rabbitmq1","scope_prefix"],"somescope."},
-    {["auth_oauth2","resource_servers","rabbitmq1","additional_scopes_key"],"roles"},
-    {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","1"],"userid"},
-    {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","2"],"groupid"}
-    ],
+    Conf = [
+        {["auth_oauth2","resource_servers","rabbitmq1","id"],
+            "rabbitmq1xxx"},
+        {["auth_oauth2","resource_servers","rabbitmq1","scope_prefix"],
+            "somescope."},
+        {["auth_oauth2","resource_servers","rabbitmq1","additional_scopes_key"],
+            "roles"},
+        {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","1"],
+            "userid"},
+        {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","2"],
+            "groupid"}
+    ],
     #{<<"rabbitmq1xxx">> := [{additional_scopes_key, <<"roles">>},
     {id, <<"rabbitmq1xxx">>},
     {preferred_username_claims, [<<"userid">>, <<"groupid">>]},
@@ -95,11 +114,15 @@ test_resource_servers_attributes(_) ->
     } = sort_settings(rabbit_oauth2_schema:translate_resource_servers(Conf)),
 
     Conf2 = [
-    {["auth_oauth2","resource_servers","rabbitmq1","scope_prefix"],"somescope."},
-    {["auth_oauth2","resource_servers","rabbitmq1","additional_scopes_key"],"roles"},
-    {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","1"],"userid"},
-    {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","2"],"groupid"}
-    ],
+        {["auth_oauth2","resource_servers","rabbitmq1","scope_prefix"],
+            "somescope."},
+        {["auth_oauth2","resource_servers","rabbitmq1","additional_scopes_key"],
+            "roles"},
+        {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","1"],
+            "userid"},
+        {["auth_oauth2","resource_servers","rabbitmq1","preferred_username_claims","2"],
+            "groupid"}
+    ],
     #{<<"rabbitmq1">> := [{additional_scopes_key, <<"roles">>},
     {id, <<"rabbitmq1">>},
     {preferred_username_claims, [<<"userid">>, <<"groupid">>]},
@@ -108,9 +131,12 @@ test_resource_servers_attributes(_) ->
     } = sort_settings(rabbit_oauth2_schema:translate_resource_servers(Conf2)).
 
 test_oauth_providers_attributes_with_invalid_uri(_) ->
-    Conf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"http://keycloak"},
-    {["auth_oauth2","oauth_providers","keycloak","default_key"],"token-key"}
-    ],
+    Conf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "http://keycloak"},
+        {["auth_oauth2","oauth_providers","keycloak","default_key"],
+            "token-key"}
+    ],
     try sort_settings(rabbit_oauth2_schema:translate_oauth_providers(Conf)) of
         _ -> {throw, should_have_failed}
     catch
@@ -118,10 +144,14 @@ test_oauth_providers_attributes_with_invalid_uri(_) ->
     end.
 
 test_oauth_providers_algorithms(_) ->
-    Conf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://keycloak"},
-    {["auth_oauth2","oauth_providers","keycloak","algorithms","2"],"HS256"},
-    {["auth_oauth2","oauth_providers","keycloak","algorithms","1"],"RS256"}
-    ],
+    Conf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "https://keycloak"},
+        {["auth_oauth2","oauth_providers","keycloak","algorithms","2"],
+            "HS256"},
+        {["auth_oauth2","oauth_providers","keycloak","algorithms","1"],
+            "RS256"}
+    ],
     #{<<"keycloak">> := [{algorithms, [<<"RS256">>, <<"HS256">>]},
     {issuer, <<"https://keycloak">>}
     ]
@@ -129,15 +159,24 @@ test_oauth_providers_algorithms(_) ->
 
 
 test_oauth_providers_https(Conf) ->
-    CuttlefishConf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://keycloak"},
-    {["auth_oauth2","oauth_providers","keycloak","https","verify"],verify_none},
-    {["auth_oauth2","oauth_providers","keycloak","https","peer_verification"],verify_peer},
-    {["auth_oauth2","oauth_providers","keycloak","https","depth"],2},
-    {["auth_oauth2","oauth_providers","keycloak","https","hostname_verification"],wildcard},
-    {["auth_oauth2","oauth_providers","keycloak","https","crl_check"],false},
-    {["auth_oauth2","oauth_providers","keycloak","https","fail_if_no_peer_cert"],true},
-    {["auth_oauth2","oauth_providers","keycloak","https","cacertfile"],cert_filename(Conf)}
-    ],
+    CuttlefishConf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "https://keycloak"},
+        {["auth_oauth2","oauth_providers","keycloak","https","verify"],
+            verify_none},
+        {["auth_oauth2","oauth_providers","keycloak","https","peer_verification"],
+            verify_peer},
+        {["auth_oauth2","oauth_providers","keycloak","https","depth"],
+            2},
+        {["auth_oauth2","oauth_providers","keycloak","https","hostname_verification"],
+            wildcard},
+        {["auth_oauth2","oauth_providers","keycloak","https","crl_check"],
+            false},
+        {["auth_oauth2","oauth_providers","keycloak","https","fail_if_no_peer_cert"],
+            true},
+        {["auth_oauth2","oauth_providers","keycloak","https","cacertfile"],
+            cert_filename(Conf)}
+    ],
     #{<<"keycloak">> := [{https, [{verify, verify_none},
     {peer_verification, verify_peer},
     {depth, 2},
@@ -152,9 +191,12 @@ test_oauth_providers_https(Conf) ->
 
 
 test_oauth_providers_https_with_missing_cacertfile(_) ->
-    Conf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://keycloak"},
-    {["auth_oauth2","oauth_providers","keycloak","https","cacertfile"],"/non-existent.pem"}
-    ],
+    Conf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "https://keycloak"},
+        {["auth_oauth2","oauth_providers","keycloak","https","cacertfile"],
+            "/non-existent.pem"}
+    ],
     try sort_settings(rabbit_oauth2_schema:translate_oauth_providers(Conf)) of
         _ -> {throw, should_have_failed}
     catch
@@ -162,10 +204,14 @@ test_oauth_providers_https_with_missing_cacertfile(_) ->
     end.
 
 test_oauth_providers_signing_keys(Conf) ->
-    CuttlefishConf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://keycloak"},
-    {["auth_oauth2","oauth_providers","keycloak","signing_keys","2"], cert_filename(Conf)},
-    {["auth_oauth2","oauth_providers","keycloak","signing_keys","1"], cert_filename(Conf)}
-    ],
+    CuttlefishConf = [
+        {["auth_oauth2","oauth_providers","keycloak","issuer"],
+            "https://keycloak"},
+        {["auth_oauth2","oauth_providers","keycloak","signing_keys","2"],
+            cert_filename(Conf)},
+        {["auth_oauth2","oauth_providers","keycloak","signing_keys","1"],
+            cert_filename(Conf)}
+    ],
     #{<<"keycloak">> := [{issuer, <<"https://keycloak">>},
     {signing_keys, SigningKeys}
     ]
@@ -175,6 +221,23 @@ test_oauth_providers_signing_keys(Conf) ->
     <<"2">> := {pem, <<"I'm not a certificate">>}
     } = SigningKeys.
 
+test_scope_aliases(_) ->
+    CuttlefishConf = [
+        {["auth_oauth2","scope_aliases","1","alias"],
+            "admin"},
+        {["auth_oauth2","scope_aliases","1","scope"],
+            "rabbitmq.tag:administrator"},
+        {["auth_oauth2","scope_aliases","2","alias"],
+            "developer"},
+        {["auth_oauth2","scope_aliases","2","scope"],
+            "rabbitmq.tag:management rabbitmq.read:*/*"}
+    ],
+    #{
+        <<"admin">> := [<<"rabbitmq.tag:administrator">>],
+        <<"developer">> := [<<"rabbitmq.tag:management">>, <<"rabbitmq.read:*/*">>]
+    } = rabbit_oauth2_schema:translate_scope_aliases(CuttlefishConf).
+
+
 
 cert_filename(Conf) ->
     string:concat(?config(data_dir, Conf), "certs/cert.pem").
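Review bot: The new test_scope_aliases case pins only the happy path of translate_scope_aliases: two well-formed entries whose `scope` strings are split on a single space. It leaves unspecified what the translation does with a `scope` that carries doubled or trailing whitespace (which a naive split would turn into an empty scope), an entry missing its `alias` or `scope` key, or two entries declaring the same alias, and because the alias table presumably feeds authorization decisions later, those are the cases most worth nailing down. A follow-up case such as `{["auth_oauth2","scope_aliases","3","scope"], "rabbitmq.tag:management  rabbitmq.read:*/*"}` (two spaces, no matching alias) with the asserted result, or a try/catch mirroring test_oauth_providers_attributes_with_invalid_uri if rejection is the intended behaviour, would close the gap; the expected values depend on translate_scope_aliases, which is outside this diff. A one-line comment above the map match, `%% scope is a space-separated list; each token becomes one scope binary`, would also document the contract the assertion relies on.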