auth configuration

Gsantomaggio · Gsantomaggio · commit 236492f9bc97 · 2025-03-11T11:05:11.000+01:00
Signed-off-by: Gabriele Santomaggio &lt;G.santomaggio@gmail.com&gt;
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -13,6 +13,7 @@
     <!-- Tests -->
     <PackageVersion Include="Microsoft.Extensions.Diagnostics" Version="9.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Diagnostics.Testing" Version="9.0.0" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.6.1" />
     <PackageVersion Include="System.Text.Json" Version="9.0.0" />
     <PackageVersion Include="xunit" Version="2.9.2" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2" />
@@ -39,4 +40,4 @@
     <GlobalPackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
     <GlobalPackageReference Include="MinVer" Version="6.0.0" />
   </ItemGroup>
-</Project>
+</Project>
diff --git a/RabbitMQ.AMQP.Client/ConnectionSettings.cs b/RabbitMQ.AMQP.Client/ConnectionSettings.cs
@@ -41,6 +41,7 @@ public class ConnectionSettingsBuilder
         private Uri? _uri;
         private List<Uri>? _uris;
         private IUriSelector? _uriSelector;
+        private OAuth2Options? _oAuth2Options;
 
         public static ConnectionSettingsBuilder Create()
         {
@@ -104,6 +105,7 @@ public ConnectionSettingsBuilder MaxFrameSize(uint maxFrameSize)
                 throw new ArgumentOutOfRangeException(nameof(maxFrameSize),
                     "maxFrameSize must be 0 (no limit) or greater than or equal to 512");
             }
+
             return this;
         }
 
@@ -152,6 +154,13 @@ public ConnectionSettingsBuilder UriSelector(IUriSelector uriSelector)
             return this;
         }
 
+        public ConnectionSettingsBuilder OAuth2Options(OAuth2Options? oAuth2Options = null)
+        {
+            _oAuth2Options = oAuth2Options;
+            return this;
+
+        }
+
         public ConnectionSettings Build()
         {
             // TODO this should do something similar to consolidate in the Java code
@@ -205,6 +214,7 @@ public class ConnectionSettings : IEquatable<ConnectionSettings>
         private readonly TlsSettings? _tlsSettings;
         private readonly SaslMechanism _saslMechanism = SaslMechanism.Plain;
         private readonly IRecoveryConfiguration _recoveryConfiguration = new RecoveryConfiguration();
+        private readonly OAuth2Options? _oAuth2Options = null;
 
         public ConnectionSettings(Uri uri,
             string? containerId = null,
@@ -272,7 +282,8 @@ protected ConnectionSettings(
             SaslMechanism? saslMechanism = null,
             IRecoveryConfiguration? recoveryConfiguration = null,
             uint? maxFrameSize = null,
-            TlsSettings? tlsSettings = null)
+            TlsSettings? tlsSettings = null,
+            OAuth2Options? oAuth2Options = null)
         {
             if (containerId is not null)
             {
@@ -289,6 +300,15 @@ protected ConnectionSettings(
                 _recoveryConfiguration = recoveryConfiguration;
             }
 
+            _oAuth2Options = oAuth2Options;
+            if (_oAuth2Options is not null)
+            {
+                // in case of OAuth2, we need to use plain mechanism
+                _saslMechanism = SaslMechanism.Plain;
+                _address = new Address(_address.Host, _address.Port, _address.User, _oAuth2Options.Token, _address.Path,
+                    _address.Scheme);
+            }
+
             if (maxFrameSize is not null)
             {
                 _maxFrameSize = (uint)maxFrameSize;
@@ -408,7 +428,8 @@ protected static string ProcessUriSegmentsForVirtualHost(Uri uri)
             // that has at least the path segment "/"
             if (uri.Segments.Length > 2)
             {
-                throw new ArgumentException($"Multiple segments in path of AMQP URI: {string.Join(", ", uri.Segments)}");
+                throw new ArgumentException(
+                    $"Multiple segments in path of AMQP URI: {string.Join(", ", uri.Segments)}");
             }
 
             if (uri.Segments.Length == 2)
@@ -454,16 +475,17 @@ public ClusterConnectionSettings(IEnumerable<Uri> uris,
             SaslMechanism? saslMechanism = null,
             IRecoveryConfiguration? recoveryConfiguration = null,
             uint? maxFrameSize = null,
-            TlsSettings? tlsSettings = null)
-            : base(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings)
+            TlsSettings? tlsSettings = null,
+            OAuth2Options? oAuth2Options = null)
+            : base(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings, oAuth2Options)
         {
             _uris = uris.ToList();
             if (_uris.Count == 0)
             {
                 throw new ArgumentOutOfRangeException(nameof(uris), "At least one Uri is required.");
             }
 
-            _uriToAddress = new(_uris.Count);
+            _uriToAddress = new Dictionary<Uri, Address>(_uris.Count);
 
             if (uriSelector is not null)
             {
@@ -492,7 +514,8 @@ public ClusterConnectionSettings(IEnumerable<Uri> uris,
                     string thisVirtualHost = ProcessUriSegmentsForVirtualHost(uri);
                     if (false == thisVirtualHost.Equals(tmpVirtualHost, StringComparison.InvariantCultureIgnoreCase))
                     {
-                        throw new ArgumentException($"All AMQP URIs must use the same virtual host. Expected '{tmpVirtualHost}', got '{thisVirtualHost}'");
+                        throw new ArgumentException(
+                            $"All AMQP URIs must use the same virtual host. Expected '{tmpVirtualHost}', got '{thisVirtualHost}'");
                     }
                 }
 
@@ -551,6 +574,7 @@ public override int GetHashCode()
             {
                 hashCode ^= _uris[i].GetHashCode();
             }
+
             return hashCode;
         }
 
@@ -600,4 +624,14 @@ private bool trustEverythingCertValidationCallback(object sender, X509Certificat
             return (sslPolicyErrors & ~AcceptablePolicyErrors) == SslPolicyErrors.None;
         }
     }
+
+    public class OAuth2Options
+    {
+        public OAuth2Options(string token)
+        {
+            Token = token;
+        }
+
+        public string Token { get; set; }
+    }
 }
diff --git a/RabbitMQ.AMQP.Client/PublicAPI.Unshipped.txt b/RabbitMQ.AMQP.Client/PublicAPI.Unshipped.txt
@@ -59,13 +59,13 @@ RabbitMQ.AMQP.Client.ClassicQueueVersion
 RabbitMQ.AMQP.Client.ClassicQueueVersion.V1 = 0 -> RabbitMQ.AMQP.Client.ClassicQueueVersion
 RabbitMQ.AMQP.Client.ClassicQueueVersion.V2 = 1 -> RabbitMQ.AMQP.Client.ClassicQueueVersion
 RabbitMQ.AMQP.Client.ClusterConnectionSettings
-RabbitMQ.AMQP.Client.ClusterConnectionSettings.ClusterConnectionSettings(System.Collections.Generic.IEnumerable<System.Uri!>! uris, RabbitMQ.AMQP.Client.IUriSelector? uriSelector = null, string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null) -> void
+RabbitMQ.AMQP.Client.ClusterConnectionSettings.ClusterConnectionSettings(System.Collections.Generic.IEnumerable<System.Uri!>! uris, RabbitMQ.AMQP.Client.IUriSelector? uriSelector = null, string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null, RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options = null) -> void
 RabbitMQ.AMQP.Client.ConnectionException
 RabbitMQ.AMQP.Client.ConnectionException.ConnectionException(string! message) -> void
 RabbitMQ.AMQP.Client.ConnectionException.ConnectionException(string! message, System.Exception! innerException) -> void
 RabbitMQ.AMQP.Client.ConnectionSettings
 RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(string! scheme, string! host, int port, string? user = null, string? password = null, string? virtualHost = null, string! containerId = "", RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null) -> void
-RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null) -> void
+RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null, RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options = null) -> void
 RabbitMQ.AMQP.Client.ConnectionSettings.ConnectionSettings(System.Uri! uri, string? containerId = null, RabbitMQ.AMQP.Client.SaslMechanism? saslMechanism = null, RabbitMQ.AMQP.Client.IRecoveryConfiguration? recoveryConfiguration = null, uint? maxFrameSize = null, RabbitMQ.AMQP.Client.TlsSettings? tlsSettings = null) -> void
 RabbitMQ.AMQP.Client.ConnectionSettings.ContainerId.get -> string!
 RabbitMQ.AMQP.Client.ConnectionSettings.Host.get -> string!
@@ -88,6 +88,7 @@ RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.ConnectionSettingsBuilder() -> vo
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.ContainerId(string! containerId) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.Host(string! host) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.MaxFrameSize(uint maxFrameSize) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
+RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.OAuth2Options(RabbitMQ.AMQP.Client.OAuth2Options? oAuth2Options = null) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.Password(string! password) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.Port(int port) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
 RabbitMQ.AMQP.Client.ConnectionSettingsBuilder.RecoveryConfiguration(RabbitMQ.AMQP.Client.IRecoveryConfiguration! recoveryConfiguration) -> RabbitMQ.AMQP.Client.ConnectionSettingsBuilder!
@@ -698,6 +699,10 @@ RabbitMQ.AMQP.Client.MetricsReporter.PublisherClosed() -> void
 RabbitMQ.AMQP.Client.MetricsReporter.PublisherOpened() -> void
 RabbitMQ.AMQP.Client.ModelException
 RabbitMQ.AMQP.Client.ModelException.ModelException(string! message) -> void
+RabbitMQ.AMQP.Client.OAuth2Options
+RabbitMQ.AMQP.Client.OAuth2Options.OAuth2Options(string! token) -> void
+RabbitMQ.AMQP.Client.OAuth2Options.Token.get -> string!
+RabbitMQ.AMQP.Client.OAuth2Options.Token.set -> void
 RabbitMQ.AMQP.Client.OutcomeState
 RabbitMQ.AMQP.Client.OutcomeState.Accepted = 0 -> RabbitMQ.AMQP.Client.OutcomeState
 RabbitMQ.AMQP.Client.OutcomeState.Rejected = 1 -> RabbitMQ.AMQP.Client.OutcomeState
diff --git a/Tests/OAuth2Tests.cs b/Tests/OAuth2Tests.cs
@@ -0,0 +1,90 @@
+// This source code is dual-licensed under the Apache License, version 2.0,
+// and the Mozilla Public License, version 2.0.
+// Copyright (c) 2017-2024 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+
+using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.Tokens;
+using RabbitMQ.AMQP.Client;
+using RabbitMQ.AMQP.Client.Impl;
+using Xunit;
+
+namespace Tests
+{
+    public class OAuth2Tests
+    {
+        private const string Base64Key = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH";
+
+        private const string Audience = "rabbitmq";
+
+        [Fact]
+        public async Task ConnectToRabbitMqWithOAuth2Token()
+        {
+            IConnection connection = await AmqpConnection.CreateAsync(
+                ConnectionSettingsBuilder.Create()
+                    .Host("localhost")
+                    .Port(5672)
+                    .OAuth2Options(new OAuth2Options(GenerateToken(DateTime.UtcNow.AddMinutes(5))))
+                    .Build());
+
+            Assert.NotNull(connection);
+            await connection.CloseAsync();
+        }
+
+        private static string GenerateToken(DateTime expiration)
+        {
+            byte[] decodedKey = Convert.FromBase64String(Base64Key);
+
+            var claims = new List<Claim>
+            {
+                new (JwtRegisteredClaimNames.Iss, "unit_test"),
+                new (JwtRegisteredClaimNames.Aud, Audience),
+                new (JwtRegisteredClaimNames.Exp,
+                    new DateTimeOffset(expiration).ToUniversalTime().ToUnixTimeSeconds().ToString()),
+                new ("scope", "rabbitmq.configure:*/*"),
+                new ("scope", "rabbitmq.write:*/*"),
+                new ("scope", "rabbitmq.read:*/*"),
+                new ("random", RandomString(6))
+            };
+
+            var tokenHandler = new JwtSecurityTokenHandler();
+            var claimIdentity = new ClaimsIdentity(claims);
+            var tokenDescriptor = new SecurityTokenDescriptor
+            {
+                Subject = claimIdentity,
+                Expires = expiration,
+                SigningCredentials =
+                    new SigningCredentials(new SymmetricSecurityKey(decodedKey),
+                        SecurityAlgorithms.HmacSha256Signature),
+                Claims = new Dictionary<string, object> { ["kid"] = "token-key" }
+            };
+
+            var token = tokenHandler.CreateToken(tokenDescriptor);
+            return tokenHandler.WriteToken(token);
+        }
+
+        private static string RandomString(int length)
+        {
+            const string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+            var result = new StringBuilder(length);
+
+            using (var rng = RandomNumberGenerator.Create())
+            {
+                byte[] byteArray = new byte[length];
+                rng.GetBytes(byteArray);
+
+                foreach (byte byteValue in byteArray)
+                {
+                    result.Append(chars[byteValue % chars.Length]);
+                }
+            }
+
+            return result.ToString();
+        }
+    }
+}
diff --git a/Tests/Tests.csproj b/Tests/Tests.csproj
@@ -29,6 +29,7 @@
     <PackageReference Include="Microsoft.Extensions.Diagnostics.Testing" />
     <PackageReference Include="Microsoft.Extensions.Diagnostics" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
     <PackageReference Include="System.Text.Json" />
     <PackageReference Include="xunit" />
     <PackageReference Include="xunit.runner.visualstudio" />

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,7 @@ public class ConnectionSettingsBuilder`
`41`	`41`	`private Uri? _uri;`
`42`	`42`	`private List<Uri>? _uris;`
`43`	`43`	`private IUriSelector? _uriSelector;`
	`44`	`+ private OAuth2Options? _oAuth2Options;`
`44`	`45`
`45`	`46`	`public static ConnectionSettingsBuilder Create()`
`46`	`47`	`{`
`@@ -104,6 +105,7 @@ public ConnectionSettingsBuilder MaxFrameSize(uint maxFrameSize)`
`104`	`105`	`throw new ArgumentOutOfRangeException(nameof(maxFrameSize),`
`105`	`106`	`"maxFrameSize must be 0 (no limit) or greater than or equal to 512");`
`106`	`107`	`}`
	`108`	`+`
`107`	`109`	`return this;`
`108`	`110`	`}`
`109`	`111`
`@@ -152,6 +154,13 @@ public ConnectionSettingsBuilder UriSelector(IUriSelector uriSelector)`
`152`	`154`	`return this;`
`153`	`155`	`}`
`154`	`156`
	`157`	`+ public ConnectionSettingsBuilder OAuth2Options(OAuth2Options? oAuth2Options = null)`
	`158`	`+ {`
	`159`	`+ _oAuth2Options = oAuth2Options;`
	`160`	`+ return this;`
	`161`	`+`
	`162`	`+ }`
	`163`	`+`
`155`	`164`	`public ConnectionSettings Build()`
`156`	`165`	`{`
`157`	`166`	`// TODO this should do something similar to consolidate in the Java code`
`@@ -205,6 +214,7 @@ public class ConnectionSettings : IEquatable<ConnectionSettings>`
`205`	`214`	`private readonly TlsSettings? _tlsSettings;`
`206`	`215`	`private readonly SaslMechanism _saslMechanism = SaslMechanism.Plain;`
`207`	`216`	`private readonly IRecoveryConfiguration _recoveryConfiguration = new RecoveryConfiguration();`
	`217`	`+ private readonly OAuth2Options? _oAuth2Options = null;`
`208`	`218`
`209`	`219`	`public ConnectionSettings(Uri uri,`
`210`	`220`	`string? containerId = null,`
`@@ -272,7 +282,8 @@ protected ConnectionSettings(`
`272`	`282`	`SaslMechanism? saslMechanism = null,`
`273`	`283`	`IRecoveryConfiguration? recoveryConfiguration = null,`
`274`	`284`	`uint? maxFrameSize = null,`
`275`		`- TlsSettings? tlsSettings = null)`
	`285`	`+ TlsSettings? tlsSettings = null,`
	`286`	`+ OAuth2Options? oAuth2Options = null)`
`276`	`287`	`{`
`277`	`288`	`if (containerId is not null)`
`278`	`289`	`{`
`@@ -289,6 +300,15 @@ protected ConnectionSettings(`
`289`	`300`	`_recoveryConfiguration = recoveryConfiguration;`
`290`	`301`	`}`
`291`	`302`
	`303`	`+ _oAuth2Options = oAuth2Options;`
	`304`	`+ if (_oAuth2Options is not null)`
	`305`	`+ {`
	`306`	`+ // in case of OAuth2, we need to use plain mechanism`
	`307`	`+ _saslMechanism = SaslMechanism.Plain;`
	`308`	`+ _address = new Address(_address.Host, _address.Port, _address.User, _oAuth2Options.Token, _address.Path,`
	`309`	`+ _address.Scheme);`
	`310`	`+ }`
	`311`	`+`
`292`	`312`	`if (maxFrameSize is not null)`
`293`	`313`	`{`
`294`	`314`	`_maxFrameSize = (uint)maxFrameSize;`
`@@ -408,7 +428,8 @@ protected static string ProcessUriSegmentsForVirtualHost(Uri uri)`
`408`	`428`	`// that has at least the path segment "/"`
`409`	`429`	`if (uri.Segments.Length > 2)`
`410`	`430`	`{`
`411`		`- throw new ArgumentException($"Multiple segments in path of AMQP URI: {string.Join(", ", uri.Segments)}");`
	`431`	`+ throw new ArgumentException(`
	`432`	`+ $"Multiple segments in path of AMQP URI: {string.Join(", ", uri.Segments)}");`
`412`	`433`	`}`
`413`	`434`
`414`	`435`	`if (uri.Segments.Length == 2)`
`@@ -454,16 +475,17 @@ public ClusterConnectionSettings(IEnumerable<Uri> uris,`
`454`	`475`	`SaslMechanism? saslMechanism = null,`
`455`	`476`	`IRecoveryConfiguration? recoveryConfiguration = null,`
`456`	`477`	`uint? maxFrameSize = null,`
`457`		`- TlsSettings? tlsSettings = null)`
`458`		`- : base(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings)`
	`478`	`+ TlsSettings? tlsSettings = null,`
	`479`	`+ OAuth2Options? oAuth2Options = null)`
	`480`	`+ : base(containerId, saslMechanism, recoveryConfiguration, maxFrameSize, tlsSettings, oAuth2Options)`
`459`	`481`	`{`
`460`	`482`	`_uris = uris.ToList();`
`461`	`483`	`if (_uris.Count == 0)`
`462`	`484`	`{`
`463`	`485`	`throw new ArgumentOutOfRangeException(nameof(uris), "At least one Uri is required.");`
`464`	`486`	`}`
`465`	`487`
`466`		`- _uriToAddress = new(_uris.Count);`
	`488`	`+ _uriToAddress = new Dictionary<Uri, Address>(_uris.Count);`
`467`	`489`
`468`	`490`	`if (uriSelector is not null)`
`469`	`491`	`{`
`@@ -492,7 +514,8 @@ public ClusterConnectionSettings(IEnumerable<Uri> uris,`
`492`	`514`	`string thisVirtualHost = ProcessUriSegmentsForVirtualHost(uri);`
`493`	`515`	`if (false == thisVirtualHost.Equals(tmpVirtualHost, StringComparison.InvariantCultureIgnoreCase))`
`494`	`516`	`{`
`495`		`- throw new ArgumentException($"All AMQP URIs must use the same virtual host. Expected '{tmpVirtualHost}', got '{thisVirtualHost}'");`
	`517`	`+ throw new ArgumentException(`
	`518`	`+ $"All AMQP URIs must use the same virtual host. Expected '{tmpVirtualHost}', got '{thisVirtualHost}'");`
`496`	`519`	`}`
`497`	`520`	`}`
`498`	`521`
`@@ -551,6 +574,7 @@ public override int GetHashCode()`
`551`	`574`	`{`
`552`	`575`	`hashCode ^= _uris[i].GetHashCode();`
`553`	`576`	`}`
	`577`	`+`
`554`	`578`	`return hashCode;`
`555`	`579`	`}`
`556`	`580`
`@@ -600,4 +624,14 @@ private bool trustEverythingCertValidationCallback(object sender, X509Certificat`
`600`	`624`	`return (sslPolicyErrors & ~AcceptablePolicyErrors) == SslPolicyErrors.None;`
`601`	`625`	`}`
`602`	`626`	`}`
	`627`	`+`
	`628`	`+ public class OAuth2Options`
	`629`	`+ {`
	`630`	`+ public OAuth2Options(string token)`
	`631`	`+ {`
	`632`	`+ Token = token;`
	`633`	`+ }`
	`634`	`+`
	`635`	`+ public string Token { get; set; }`
	`636`	`+ }`
`603`	`637`	`}`