Fix test cases and refactor rar and keycloak

functionality into their own modules
rabbitmq · Sep 18, 2024 · d3b85f8 · d3b85f8
1 parent 6724ab3
commit d3b85f8
Show file tree

Hide file tree

Showing 8 changed files with 673 additions and 652 deletions.
diff --git a/deps/rabbitmq_auth_backend_oauth2/app.bzl b/deps/rabbitmq_auth_backend_oauth2/app.bzl
@@ -15,6 +15,8 @@ def all_beam_files(name = "all_beam_files"):
             "src/rabbit_auth_backend_oauth2_app.erl",
             "src/oauth_provider.erl",
             "src/resource_server.erl",
+            "src/rar.erl",
+            "src/keycloak.erl",
             "src/oauth2_schema.erl",
             "src/rabbit_oauth2_scope.erl",
             "src/uaa_jwks.erl",
@@ -52,6 +54,8 @@ def all_test_beam_files(name = "all_test_beam_files"):
             "src/resource_server.erl",
             "src/oauth_provider.erl",
             "src/oauth2_schema.erl",
+            "src/rar.erl",
+            "src/keycloak.erl",
             "src/rabbit_oauth2_scope.erl",
             "src/uaa_jwks.erl",
             "src/uaa_jwt.erl",
@@ -100,6 +104,8 @@ def all_srcs(name = "all_srcs"):
             "src/oauth_provider.erl",
             "src/resource_server.erl",
             "src/oauth2_schema.erl",
+            "src/rar.erl",
+            "src/keycloak.erl",            
             "src/rabbit_oauth2_scope.erl",
             "src/uaa_jwks.erl",
             "src/uaa_jwt.erl",

diff --git a/deps/rabbitmq_auth_backend_oauth2/include/oauth2.hrl b/deps/rabbitmq_auth_backend_oauth2/include/oauth2.hrl
@@ -18,30 +18,10 @@
 
 -define(AUD_JWT_FIELD, <<"aud">>).
 -define(SCOPE_JWT_FIELD, <<"scope">>).
+-define(TAG_SCOPE_PREFIX, <<"tag:">>).
 
 %% End of Key JWT fields
 
-%%
-%% Rich Authorization Request fields
-%%
--define(RAR_ACTIONS_FIELD, <<"actions">>).
--define(RAR_LOCATIONS_FIELD, <<"locations">>).
--define(RAR_TYPE_FIELD, <<"type">>).
-
--define(RAR_CLUSTER_LOCATION_ATTRIBUTE, <<"cluster">>).
--define(RAR_VHOST_LOCATION_ATTRIBUTE, <<"vhost">>).
--define(RAR_QUEUE_LOCATION_ATTRIBUTE, <<"queue">>).
--define(RAR_EXCHANGE_LOCATION_ATTRIBUTE, <<"exchange">>).
--define(RAR_ROUTING_KEY_LOCATION_ATTRIBUTE, <<"routing-key">>).
--define(RAR_LOCATION_ATTRIBUTES, [?RAR_CLUSTER_LOCATION_ATTRIBUTE, ?RAR_VHOST_LOCATION_ATTRIBUTE,
-  ?RAR_QUEUE_LOCATION_ATTRIBUTE, ?RAR_EXCHANGE_LOCATION_ATTRIBUTE, ?RAR_ROUTING_KEY_LOCATION_ATTRIBUTE]).
-
--define(RAR_ALLOWED_TAG_VALUES, [<<"monitoring">>, <<"administrator">>, <<"management">>, <<"policymaker">> ]).
--define(RAR_ALLOWED_ACTION_VALUES, [<<"read">>, <<"write">>, <<"configure">>, <<"monitoring">>,
-  <<"administrator">>, <<"management">>, <<"policymaker">> ]).
-
-%% end of Rich Authorization Request fields
-
 
 -record(internal_oauth_provider, {
     id :: oauth_provider_id(),
@@ -55,9 +35,9 @@
   resource_server_type :: binary() | undefined,
   verify_aud :: boolean(),
   scope_prefix :: binary(),
-  additional_scopes_key :: binary(),
+  additional_scopes_key :: binary() | undefined,
   preferred_username_claims :: list(),
-  scope_aliases :: undefined | map(),
+  scope_aliases :: map() | undefined,
   oauth_provider_id :: oauth_provider_id()
  }).
 

diff --git a/deps/rabbitmq_auth_backend_oauth2/src/keycloak.erl b/deps/rabbitmq_auth_backend_oauth2/src/keycloak.erl
@@ -0,0 +1,41 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+
+-module(keycloak).
+
+-include("oauth2.hrl").
+
+-export([extract_scopes_from_keycloak_format/1, has_keycloak_scopes/1]).
+-import(uaa_jwt, [get_scope/1, set_scope/2]).
+
+-define(AUTHORIZATION_CLAIM, <<"authorization">>).
+-define(PERMISSIONS_CLAIM, <<"permissions">>).
+-define(SCOPES_CLAIM, <<"scopes">>).
+
+-spec has_keycloak_scopes(Payload::map()) -> boolean().
+has_keycloak_scopes(Payload) ->
+    maps:is_key(?AUTHORIZATION_CLAIM, Payload).
+
+-spec extract_scopes_from_keycloak_format(Payload :: map()) -> map().
+%% keycloak token format: https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/issues/36
+extract_scopes_from_keycloak_format(#{?AUTHORIZATION_CLAIM := Authorization} = Payload) ->
+    AdditionalScopes = extract_scopes_from_keycloak_permissions([],
+            maps:get(?PERMISSIONS_CLAIM, Authorization, [])),
+    set_scope(AdditionalScopes ++ get_scope(Payload), Payload).
+
+extract_scopes_from_keycloak_permissions(Acc, []) ->
+    Acc;
+extract_scopes_from_keycloak_permissions(Acc, [H | T]) when is_map(H) ->
+    Scopes = case maps:get(?SCOPES_CLAIM, H, []) of
+        ScopesAsList when is_list(ScopesAsList) ->
+            ScopesAsList;
+        ScopesAsBinary when is_binary(ScopesAsBinary) ->
+            [ScopesAsBinary]
+    end,
+    extract_scopes_from_keycloak_permissions(Acc ++ Scopes, T);
+extract_scopes_from_keycloak_permissions(Acc, [_ | T]) ->
+    extract_scopes_from_keycloak_permissions(Acc, T).