Auth Tests

Signed-off-by: Gabriele Santomaggio <[email protected]>

Author: Gsantomaggio

RabbitMQ.AMQP.Client/ConnectionSettings.cs

@@ -154,11 +154,10 @@ public ConnectionSettingsBuilder UriSelector(IUriSelector uriSelector)
             return this;
         }
 
-        public ConnectionSettingsBuilder OAuth2Options(OAuth2Options? oAuth2Options = null)
+        public ConnectionSettingsBuilder OAuth2Options(OAuth2Options? oAuth2Options)
         {
             _oAuth2Options = oAuth2Options;
             return this;
-
         }
 
         public ConnectionSettings Build()
@@ -171,26 +170,26 @@ public ConnectionSettings Build()
                     _containerId, _saslMechanism,
                     _recoveryConfiguration,
                     _maxFrameSize,
-                    _tlsSettings);
+                    _tlsSettings,
+                    _oAuth2Options);
             }
-            else if (_uris is not null)
+
+            if (_uris is not null)
             {
                 return new ClusterConnectionSettings(_uris,
                     _uriSelector,
                     _containerId, _saslMechanism,
                     _recoveryConfiguration,
                     _maxFrameSize,
-                    _tlsSettings);
-            }
-            else
-            {
-                return new ConnectionSettings(_scheme, _host, _port, _user,
-                    _password, _virtualHost,
-                    _containerId, _saslMechanism,
-                    _recoveryConfiguration,
-                    _maxFrameSize,
-                    _tlsSettings);
+                    _tlsSettings, _oAuth2Options);
             }
+
+            return new ConnectionSettings(_scheme, _host, _port, _user,
+                _password, _virtualHost,
+                _containerId, _saslMechanism,
+                _recoveryConfiguration,
+                _maxFrameSize,
+                _tlsSettings, _oAuth2Options);
         }
 
         private void ValidateUris()
@@ -214,14 +213,14 @@ public class ConnectionSettings : IEquatable<ConnectionSettings>
         private readonly TlsSettings? _tlsSettings;
         private readonly SaslMechanism _saslMechanism = SaslMechanism.Plain;
         private readonly IRecoveryConfiguration _recoveryConfiguration = new RecoveryConfiguration();
-        private readonly OAuth2Options? _oAuth2Options = null;
 
         public ConnectionSettings(Uri uri,
             string? containerId = null,
             SaslMechanism? saslMechanism = null,
             IRecoveryConfiguration? recoveryConfiguration = null,
             uint? maxFrameSize = null,
-            TlsSettings? tlsSettings = null)
+            TlsSettings? tlsSettings = null,
+            OAuth2Options? oAuth2Options = null)
             : this(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings)
         {
             (string? user, string? password) = ProcessUserInfo(uri);
@@ -241,6 +240,14 @@ public ConnectionSettings(Uri uri,
                 path: "/",
                 scheme: scheme);
 
+            if (oAuth2Options is not null)
+            {
+                // in case of OAuth2, we need to use plain mechanism
+                _saslMechanism = SaslMechanism.Plain;
+                _address = new Address(_address.Host, _address.Port, "", oAuth2Options.Token, _address.Path,
+                    _address.Scheme);
+            }
+
             _tlsSettings = InitTlsSettings();
         }
 
@@ -254,7 +261,8 @@ public ConnectionSettings(string scheme,
             SaslMechanism? saslMechanism = null,
             IRecoveryConfiguration? recoveryConfiguration = null,
             uint? maxFrameSize = null,
-            TlsSettings? tlsSettings = null)
+            TlsSettings? tlsSettings = null,
+            OAuth2Options? oAuth2Options = null)
             : this(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings)
         {
             if (false == Utils.IsValidScheme(scheme))
@@ -274,6 +282,14 @@ public ConnectionSettings(string scheme,
                 _virtualHost = virtualHost;
             }
 
+            if (oAuth2Options is not null)
+            {
+                // in case of OAuth2, we need to use plain mechanism
+                _saslMechanism = SaslMechanism.Plain;
+                _address = new Address(_address.Host, _address.Port, "", oAuth2Options.Token, _address.Path,
+                    _address.Scheme);
+            }
+
             _tlsSettings = InitTlsSettings();
         }
 
@@ -282,8 +298,7 @@ protected ConnectionSettings(
             SaslMechanism? saslMechanism = null,
             IRecoveryConfiguration? recoveryConfiguration = null,
             uint? maxFrameSize = null,
-            TlsSettings? tlsSettings = null,
-            OAuth2Options? oAuth2Options = null)
+            TlsSettings? tlsSettings = null)
         {
             if (containerId is not null)
             {
@@ -300,15 +315,6 @@ protected ConnectionSettings(
                 _recoveryConfiguration = recoveryConfiguration;
             }
 
-            _oAuth2Options = oAuth2Options;
-            if (_oAuth2Options is not null)
-            {
-                // in case of OAuth2, we need to use plain mechanism
-                _saslMechanism = SaslMechanism.Plain;
-                _address = new Address(_address.Host, _address.Port, _address.User, _oAuth2Options.Token, _address.Path,
-                    _address.Scheme);
-            }
-
             if (maxFrameSize is not null)
             {
                 _maxFrameSize = (uint)maxFrameSize;
@@ -477,7 +483,7 @@ public ClusterConnectionSettings(IEnumerable<Uri> uris,
             uint? maxFrameSize = null,
             TlsSettings? tlsSettings = null,
             OAuth2Options? oAuth2Options = null)
-            : base(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings, oAuth2Options)
+            : base(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings)
         {
             _uris = uris.ToList();
             if (_uris.Count == 0)
@@ -526,6 +532,14 @@ public ClusterConnectionSettings(IEnumerable<Uri> uris,
                     path: "/",
                     scheme: scheme);
 
+                // if (oAuth2Options is not null)
+                // {
+                //     // in case of OAuth2, we need to use plain mechanism
+                //     _saslMechanism = SaslMechanism.Plain;
+                //     _address = new Address(_address.Host, _address.Port, "", oAuth2Options.Token, _address.Path,
+                //         _address.Scheme);
+                // }
+
                 _uriToAddress[uri] = address;
 
                 if (first)

RabbitMQ.AMQP.Client/PublicAPI.Unshipped.txt

@@ -64,9 +64,9 @@ RabbitMQ.AMQP.Client.ConnectionException
 RabbitMQ.AMQP.Client.ConnectionException.ConnectionException(string! message) -> void
 RabbitMQ.AMQP.Client.ConnectionException.ConnectionException(string! message, System.Exception! innerException) -> void
 RabbitMQ.AMQP.Client.ConnectionSettings
-RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(string! scheme, string! host, int port, string? user = null, string? password = null, string? virtualHost = null, string! containerId = "", RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null) -> void
-RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null, RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options = null) -> void
-RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(System.Uri! uri, string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null) -> void
+RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(string! scheme, string! host, int port, string? user = null, string? password = null, string? virtualHost = null, string! containerId = "", RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null, RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options = null) -> void
+RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null) -> void
+RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(System.Uri! uri, string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null, RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options = null) -> void
 RabbitMQ.AMQP.Client.ConnectionSettings.ContainerId.get -> string!
 RabbitMQ.AMQP.Client.ConnectionSettings.Host.get -> string!
 RabbitMQ.AMQP.Client.ConnectionSettings.MaxFrameSize.get -> uint
@@ -88,7 +88,7 @@ RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.ConnectionSettingsBuilder() -> vo
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.ContainerId(string! containerId) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.Host(string! host) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.MaxFrameSize(uint maxFrameSize) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
-RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.OAuth2Options(RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options = null) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
+RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.OAuth2Options(RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.Password(string! password) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.Port(int port) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.RecoveryConfiguration(RabbitMQ.AMQP.Client.IRecoveryConfiguration! recoveryConfiguration) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!

Tests/OAuth2Tests.cs

@@ -5,14 +5,18 @@
 using System;
 using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text;
+using System.Threading;
 using System.Threading.Tasks;
+using Amqp;
 using Microsoft.IdentityModel.Tokens;
 using RabbitMQ.AMQP.Client;
 using RabbitMQ.AMQP.Client.Impl;
 using Xunit;
+using IConnection = RabbitMQ.AMQP.Client.IConnection;
 
 namespace Tests
 {
@@ -23,7 +27,7 @@ public class OAuth2Tests
         private const string Audience = "rabbitmq";
 
         [Fact]
-        public async Task ConnectToRabbitMqWithOAuth2Token()
+        public async Task ConnectToRabbitMqWithOAuth2TokenShouldSuccess()
         {
             IConnection connection = await AmqpConnection.CreateAsync(
                 ConnectionSettingsBuilder.Create()
@@ -36,55 +40,76 @@ public async Task ConnectToRabbitMqWithOAuth2Token()
             await connection.CloseAsync();
         }
 
-        private static string GenerateToken(DateTime expiration)
+        [Fact]
+        public async Task ConnectToRabbitMqWithOAuth2TokenShouldDisconnectAfterTimeout()
         {
-            byte[] decodedKey = Convert.FromBase64String(Base64Key);
+            IConnection connection = await AmqpConnection.CreateAsync(
+                ConnectionSettingsBuilder.Create()
+                    .Host("localhost")
+                    .Port(5672)
+                    .RecoveryConfiguration(new RecoveryConfiguration().Activated(false).Topology(false))
+                    .OAuth2Options(new OAuth2Options(GenerateToken(DateTime.UtcNow.AddMilliseconds(1_000))))
+                    .Build());
 
-            var claims = new List<Claim>
+            Assert.NotNull(connection);
+            Assert.Equal(State.Open, connection.State);
+            State? stateFrom = null;
+            State? stateTo = null;
+            Error? stateError = null;
+            TaskCompletionSource<bool> tcs = new();
+            connection.ChangeState += (sender, from, to, error) =>
             {
-                new (JwtRegisteredClaimNames.Iss, "unit_test"),
-                new (JwtRegisteredClaimNames.Aud, Audience),
-                new (JwtRegisteredClaimNames.Exp,
-                    new DateTimeOffset(expiration).ToUniversalTime().ToUnixTimeSeconds().ToString()),
-                new ("scope", "rabbitmq.configure:*/*"),
-                new ("scope", "rabbitmq.write:*/*"),
-                new ("scope", "rabbitmq.read:*/*"),
-                new ("random", RandomString(6))
+                stateFrom = from;
+                stateTo = to;
+                stateError = error;
+                tcs.SetResult(true);
             };
 
-            var tokenHandler = new JwtSecurityTokenHandler();
-            var claimIdentity = new ClaimsIdentity(claims);
-            var tokenDescriptor = new SecurityTokenDescriptor
+            await tcs.Task;
+            Assert.NotNull(stateFrom);
+            Assert.NotNull(stateTo);
+            Assert.NotNull(stateError);
+            Assert.NotNull(stateError.ErrorCode);
+            Assert.Equal(State.Open, stateFrom);
+            Assert.Equal(State.Closed, stateTo);
+            Assert.Equal(State.Closed, connection.State);
+            Assert.Contains(stateError.ErrorCode, "amqp:unauthorized-access");
+        }
+
+        private static string GenerateToken(DateTime duration)
+        {
+            byte[] decodedKey = Convert.FromBase64String(Base64Key);
+
+            var claims = new[]
             {
-                Subject = claimIdentity,
-                Expires = expiration,
-                SigningCredentials =
-                    new SigningCredentials(new SymmetricSecurityKey(decodedKey),
-                        SecurityAlgorithms.HmacSha256Signature),
-                Claims = new Dictionary<string, object> { ["kid"] = "token-key" }
+                new Claim(JwtRegisteredClaimNames.Iss, "unit_test"),
+                new Claim(JwtRegisteredClaimNames.Aud, Audience),
+                new Claim(JwtRegisteredClaimNames.Exp, new DateTimeOffset(duration).ToUnixTimeSeconds().ToString()),
+                new Claim("scope", "rabbitmq.configure:*/* rabbitmq.write:*/* rabbitmq.read:*/*"),
+                new Claim("random", GenerateRandomString(6))
             };
 
-            var token = tokenHandler.CreateToken(tokenDescriptor);
+            var key = new SymmetricSecurityKey(decodedKey);
+            var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+
+            var token = new JwtSecurityToken(
+                claims: claims,
+                expires: duration,
+                signingCredentials: creds
+            );
+
+            token.Header["kid"] = "token-key";
+
+            var tokenHandler = new JwtSecurityTokenHandler();
             return tokenHandler.WriteToken(token);
         }
 
-        private static string RandomString(int length)
+        private static string GenerateRandomString(int length)
         {
             const string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-            var result = new StringBuilder(length);
-
-            using (var rng = RandomNumberGenerator.Create())
-            {
-                byte[] byteArray = new byte[length];
-                rng.GetBytes(byteArray);
-
-                foreach (byte byteValue in byteArray)
-                {
-                    result.Append(chars[byteValue % chars.Length]);
-                }
-            }
-
-            return result.ToString();
+            var random = new Random();
+            return new string(Enumerable.Repeat(chars, length)
+                .Select(s => s[random.Next(s.Length)]).ToArray());
         }
     }
 }

docs/Examples/OAuth2/OAuth2.csproj

@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <OutputType>Exe</OutputType>
+        <TargetFramework>net8.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\..\RabbitMQ.AMQP.Client\RabbitMQ.AMQP.Client.csproj" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
+    </ItemGroup>
+
+</Project>

docs/Examples/OAuth2/Program.cs

@@ -0,0 +1,28 @@
+// See https://aka.ms/new-console-template for more information
+
+using System.Diagnostics;
+using OAuth2;
+using RabbitMQ.AMQP.Client;
+using RabbitMQ.AMQP.Client.Impl;
+using Trace = Amqp.Trace;
+using TraceLevel = Amqp.TraceLevel;
+
+Trace.TraceLevel = TraceLevel.Verbose;
+
+ConsoleTraceListener consoleListener = new();
+Trace.TraceListener = (l, f, a) =>
+    consoleListener.WriteLine($"[{DateTime.Now}] [{l}] - {f}");
+
+IConnection connection = await AmqpConnection.CreateAsync(
+    ConnectionSettingsBuilder.Create()
+        .Host("localhost")
+        .Port(5672)
+        .OAuth2Options(new OAuth2Options(Token.GenerateToken(DateTime.UtcNow.AddMilliseconds(1500))))
+        .Build()).ConfigureAwait(false);
+
+Trace.WriteLine(TraceLevel.Information, $"Connected to the broker {connection} successfully");
+Trace.WriteLine(TraceLevel.Information, $"Connection status {connection.State}");
+
+Thread.Sleep(TimeSpan.FromSeconds(15));
+
+Console.WriteLine("Connection state: " + connection.State);