
Make some OAuth2 settings optional #12258

Status: Open. Wants to merge 54 commits into base branch main.

Conversation

MarcialRosales (Contributor) commented Sep 9, 2024

Proposed Changes

Implements features:

It is accompanied by this docs PR rabbitmq/rabbitmq-website#2056

Tasks:

  • Refactor oauth2 plugin so that the core logic uses oauth_provider and resource_server types rather than asking for each setting to the deprecated config module. Split config module into oauth_provider and resource_server modules.
  • Modify oauth2 schema to include discovery_endpoint_path and discovery_endpoint_params
  • Modify management schema to include oauth_authorization_endpoint_params and oauth_token_endpoint_params
  • Modify oauth2_client so that it also accepts params in the access_token_request and discovery_endpoint to the oauth_provider type. (TODO the WSR plugin should be updated to read these extra params and pass them to the access_token_request)
  • Modify management module that generates authSettings for the ui so that it includes the new schema settings
  • Modify javascript (helper.js) so that it initializes oidc-client-ts with the new settings
  • Verify changes against keycloak + uaa
  • Verify changes against auth0
  • Verify changes against entra
  • Verify changes against okta

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI
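As an added illustration that is not part of this PR or of the rabbitmq-server code base: the task list above introduces management settings such as discovery_endpoint_path, discovery_endpoint_params, oauth_authorization_endpoint_params and oauth_token_endpoint_params that the management UI's helper.js hands to oidc-client-ts. The stand-alone JavaScript below shows one way such settings can be mapped onto the oidc-client-ts UserManager options that carry them (metadataUrl, extraQueryParams, extraTokenParams), with the value validation a reviewer would want before configuration reaches a browser client. The field names follow the task list, while the authSettings shape, the function names and the sample settings object are assumptions of this example; oidc-client-ts itself is not imported, so the snippet runs offline.

```javascript
// Added example, not code from the PR. Maps management authSettings (field
// names from the PR task list; the object shape is an assumption) onto the
// subset of oidc-client-ts UserManagerSettings that carry them.

// Default discovery document path per OpenID Connect Discovery 1.0.
const DEFAULT_DISCOVERY_PATH = ".well-known/openid-configuration";

// Accept only flat string->string maps for endpoint parameters. Nested values
// or arrays would be serialised unpredictably into the authorize/token requests,
// and empty keys would produce malformed query strings.
function sanitizeParams(params, label) {
  if (params === undefined || params === null) return {};
  if (typeof params !== "object" || Array.isArray(params)) {
    throw new TypeError(`${label} must be a flat object of string values`);
  }
  const out = {};
  for (const [key, value] of Object.entries(params)) {
    if (key.trim() === "" || typeof value !== "string") {
      throw new TypeError(`${label}: invalid entry '${key}'`);
    }
    out[key] = value;
  }
  return out;
}

// Resolve the discovery document URL relative to the issuer and append the
// configured discovery parameters. The path must stay relative to the issuer:
// an absolute URL or a protocol-relative "//host" path is rejected so that a
// misconfiguration cannot silently point discovery at a different host.
function buildDiscoveryUrl(issuer, path, params) {
  const relPath = (path || DEFAULT_DISCOVERY_PATH).replace(/^\/+/, "");
  if (/^[a-z][a-z0-9+.-]*:/i.test(relPath) || relPath.startsWith("//")) {
    throw new TypeError("discovery_endpoint_path must be relative to the issuer");
  }
  const base = issuer.endsWith("/") ? issuer : issuer + "/";
  const url = new URL(relPath, base);
  for (const [k, v] of Object.entries(params)) url.searchParams.append(k, v);
  return url.toString();
}

// Build the oidc-client-ts settings object. extraQueryParams are added to the
// authorization request, extraTokenParams to the token request; metadataUrl
// replaces the client's default "<authority>/.well-known/openid-configuration".
function buildOidcClientSettings(authSettings) {
  if (typeof authSettings.oauth_provider_url !== "string" ||
      typeof authSettings.oauth_client_id !== "string") {
    throw new TypeError("oauth_provider_url and oauth_client_id are required");
  }
  const issuer = authSettings.oauth_provider_url;
  const discoveryParams = sanitizeParams(authSettings.discovery_endpoint_params,
    "discovery_endpoint_params");
  return {
    authority: issuer,
    client_id: authSettings.oauth_client_id,
    metadataUrl: buildDiscoveryUrl(issuer, authSettings.discovery_endpoint_path,
      discoveryParams),
    scope: typeof authSettings.oauth_scopes === "string" ? authSettings.oauth_scopes : "openid",
    response_type: "code",
    extraQueryParams: sanitizeParams(authSettings.oauth_authorization_endpoint_params,
      "oauth_authorization_endpoint_params"),
    extraTokenParams: sanitizeParams(authSettings.oauth_token_endpoint_params,
      "oauth_token_endpoint_params")
  };
}

// Constructed sample authSettings, illustrating an Auth0/Entra-style setup
// where the token request needs an extra "audience" parameter.
function exampleSettings() {
  return buildOidcClientSettings({
    oauth_provider_url: "https://idp.example.test/realms/demo",
    oauth_client_id: "rabbitmq-management",
    oauth_scopes: "openid profile",
    discovery_endpoint_params: { audience: "rabbitmq" },
    oauth_authorization_endpoint_params: { prompt: "login" },
    oauth_token_endpoint_params: { audience: "rabbitmq" }
  });
}
```

The resulting object can be passed straight to `new UserManager(settings)` in helper.js-style code; the point of the validation is that every parameter name and value that ends up on the authorize and token requests is a plain string the operator actually configured.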

@MarcialRosales MarcialRosales self-assigned this Sep 9, 2024
@MarcialRosales MarcialRosales force-pushed the make-some-oauth2-settings-optional branch 3 times, most recently from 043520f to f6dd1e0 (September 12, 2024 17:22)
@mergify mergify bot added the bazel label Sep 12, 2024
@MarcialRosales MarcialRosales force-pushed the make-some-oauth2-settings-optional branch 8 times, most recently from ecac15f to 3a210d7 (September 20, 2024 10:11)
@MarcialRosales MarcialRosales force-pushed the make-some-oauth2-settings-optional branch 4 times, most recently from a216551 to 99838c3 (September 25, 2024 04:53)
Improve logging
Fix an issue running selenium tests locally
WIP modify schema to configure queryParameters for
oauth2 endpoints
before implementing oidc endpoints parameters
split rabbit_oauth2_config into
- rabbit_oauth2_resource_server
- rabbit_oauth2_oauth_provider

and their respective test modules

Signing keys is an oauth provider
concern hence it stays with the
oauth_provider module.
Fixing test cases
Pending to add more scenarios which
combine +2 resources with and without
verify_aud and with and without audience
in token
MarcialRosales and others added 17 commits September 27, 2024 09:35
WIP address a dialyzer error
to be able to set extra parameters
for authorize and token endpoints
Add javascript unit tests given that amount of
javascript code it is difficult to get good coverage
with just end-to-end tests
The tests are not running yet because I need
how to use Babel to convert ES5 modules into NodeJs modules
otherwise it is not possible because all the source modules
use ES5 modules whereas tests run from node.js which requires
CommonJS
And fix selenium script to run
rabbitmq locally
And location of cert files when running
multioauth test suites locally
@MarcialRosales MarcialRosales force-pushed the make-some-oauth2-settings-optional branch from 378bbb2 to 697b5a2 (September 27, 2024 07:35)
@MarcialRosales MarcialRosales marked this pull request as ready for review September 27, 2024 11:06
michaelklishin (Member) left a comment

@MarcialRosales we cannot use very generic module names such as rar and oauth2, or keycloak.

We should continue using the rabbit_oauth2_ prefix in this plugin to avoid potential code path conflicts with external libraries, other plugins, and so on.

%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
%%

-module(resource_server).
Member:

This is a very generic name, we should continue using rabbit_oauth2_ for prefix.

Contributor Author (MarcialRosales):

I see. I wanted to make it simpler but clearly I went over the line :). Thanks Michael.

%%

% Rich Authorization Request
-module(rar).
Member:

This is a very generic and short name, we should continue using rabbit_oauth2_ for prefix.

%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
%%

-module(oauth_provider).
Member:

This is a very generic name, we should continue using rabbit_oauth2_ for prefix.

%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
%%

-module(keycloak).
Member:

This is a very generic name, we should continue using rabbit_oauth2_ for prefix.

- Use rabbit_oauth2 prefix for modules which do not have it
- Ensure most lines stick to 80 columns