Add test with OAuth 2 and JWT token

Author: acogoluegnes

ci/start-broker.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-RABBITMQ_IMAGE=${RABBITMQ_IMAGE:-rabbitmq:4.0}
+RABBITMQ_IMAGE=${RABBITMQ_IMAGE:-pivotalrabbitmq/rabbitmq:amqp-token-renew}
 
 wait_for_message() {
   while ! docker logs "$1" | grep -q "$2";
@@ -17,7 +17,7 @@ cp -R "${PWD}"/tls-gen/basic/result/* rabbitmq-configuration/tls
 chmod o+r rabbitmq-configuration/tls/*
 chmod g+r rabbitmq-configuration/tls/*
 
-echo "[rabbitmq_auth_mechanism_ssl]." >> rabbitmq-configuration/enabled_plugins
+echo "[rabbitmq_auth_mechanism_ssl,rabbitmq_auth_backend_oauth2]." >> rabbitmq-configuration/enabled_plugins
 
 echo "loopback_users = none
 
@@ -34,7 +34,24 @@ ssl_options.depth = 1
 
 auth_mechanisms.1 = PLAIN
 auth_mechanisms.2 = ANONYMOUS
-auth_mechanisms.3 = EXTERNAL" >> rabbitmq-configuration/rabbitmq.conf
+auth_mechanisms.3 = EXTERNAL
+
+auth_backends.1 = internal
+auth_backends.2 = rabbit_auth_backend_oauth2" >> rabbitmq-configuration/rabbitmq.conf
+
+echo "[
+  {rabbitmq_auth_backend_oauth2, [{key_config,
+         [{signing_keys,
+              #{<<\"token-key\">> =>
+                    {map,
+                        #{<<\"alg\">> => <<\"HS256\">>,
+                          <<\"k\">> => <<\"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH\">>,
+                          <<\"kid\">> => <<\"token-key\">>,
+                          <<\"kty\">> => <<\"oct\">>,
+                          <<\"use\">> => <<\"sig\">>,
+                          <<\"value\">> => <<\"token-key\">>}}}}]},
+     {resource_server_id,<<\"rabbitmq\">>}]}
+]." >> rabbitmq-configuration/advanced.config
 
 echo "Running RabbitMQ ${RABBITMQ_IMAGE}"
 

pom.xml

@@ -51,9 +51,9 @@
         <assertj.version>3.26.3</assertj.version>
         <mockito.version>5.14.2</mockito.version>
         <jqwik.version>1.9.1</jqwik.version>
-        <amqp-client.version>5.20.0</amqp-client.version>
         <micrometer-tracing-test.version>1.3.5</micrometer-tracing-test.version>
         <micrometer-docs-generator.version>1.0.4</micrometer-docs-generator.version>
+        <jose4j.version>0.9.6</jose4j.version>
         <maven.compiler.plugin.version>3.13.0</maven.compiler.plugin.version>
         <maven.dependency.plugin.version>3.8.1</maven.dependency.plugin.version>
         <maven-surefire-plugin.version>3.5.1</maven-surefire-plugin.version>
@@ -236,6 +236,14 @@
             <scope>provided</scope>
         </dependency>
 
+        <dependency>
+            <groupId>org.bitbucket.b_c</groupId>
+            <artifactId>jose4j</artifactId>
+            <version>${jose4j.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+
     </dependencies>
 
     <dependencyManagement>

src/main/qpid/org/apache/qpid/protonj2/engine/sasl/client/PlainMechanism.java

@@ -43,8 +43,7 @@ public Symbol getName() {
 
     @Override
     public boolean isApplicable(SaslCredentialsProvider credentials) {
-        return credentials.username() != null && !credentials.username().isEmpty() &&
-               credentials.password() != null && !credentials.password().isEmpty();
+        return credentials.username() != null && credentials.password() != null;
     }
 
     @Override

src/test/java/com/rabbitmq/client/amqp/impl/ManagementTest.java

@@ -99,7 +99,8 @@ void receiveLoopShouldStopAfterBeingIdle() {
   @ParameterizedTest
   @ValueSource(booleans = {true, false})
   @BrokerVersionAtLeast(RABBITMQ_4_1_0)
-  void setToken(boolean isolateResources, TestInfo info) {
+  void sessionShouldGetClosedAfterPermissionsChangedAndSetTokenCalled(
+      boolean isolateResources, TestInfo info) {
     String username = "foo";
     String password = "bar";
     String vh = "/";
@@ -121,15 +122,18 @@ void setToken(boolean isolateResources, TestInfo info) {
       Sync publisherClosedSync = sync();
       Sync consumerClosedSync = sync();
       Publisher p =
-          c.publisherBuilder().queue(q).listeners(closedListener(publisherClosedSync)).build();
+          c.publisherBuilder()
+              .queue(q)
+              .listeners(closedOnSecurityExceptionListener(publisherClosedSync))
+              .build();
       c.consumerBuilder()
           .queue(q)
           .messageHandler(
               (ctx, msg) -> {
                 ctx.accept();
                 consumeSync.down();
               })
-          .listeners(closedListener(consumerClosedSync))
+          .listeners(closedOnSecurityExceptionListener(consumerClosedSync))
           .build();
 
       p.publish(p.message(), ctx -> {});
@@ -149,7 +153,7 @@ void setToken(boolean isolateResources, TestInfo info) {
     }
   }
 
-  private static Resource.StateListener closedListener(Sync sync) {
+  private static Resource.StateListener closedOnSecurityExceptionListener(Sync sync) {
     return context -> {
       if (context.currentState() == Resource.State.CLOSED
           && context.failureCause() instanceof AmqpException.AmqpSecurityException) {

src/test/java/com/rabbitmq/client/amqp/impl/Oauth2Test.java

@@ -0,0 +1,77 @@
+// Copyright (c) 2024 Broadcom. All Rights Reserved.
+// The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// If you have any questions regarding licensing, please contact us at
+// [email protected].
+package com.rabbitmq.client.amqp.impl;
+
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+import com.rabbitmq.client.amqp.AmqpException;
+import com.rabbitmq.client.amqp.Connection;
+import com.rabbitmq.client.amqp.Environment;
+import java.time.Duration;
+import java.util.List;
+import org.jose4j.base64url.Base64;
+import org.jose4j.jws.AlgorithmIdentifiers;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwt.JwtClaims;
+import org.jose4j.jwt.NumericDate;
+import org.jose4j.keys.HmacKey;
+import org.jose4j.lang.JoseException;
+import org.junit.jupiter.api.Test;
+
+@AmqpTestInfrastructure
+public class Oauth2Test {
+
+  private static final String BASE64_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH";
+
+  Environment environment;
+
+  @Test
+  void expiredTokenShouldFail() throws Exception {
+    String expiredToken = token(System.currentTimeMillis() - 1000);
+    assertThatThrownBy(
+            () -> environment.connectionBuilder().username("").password(expiredToken).build())
+        .isInstanceOf(AmqpException.AmqpSecurityException.class);
+  }
+
+  @Test
+  void validTokenShouldSucceed() throws Exception {
+    String validToken = token(System.currentTimeMillis() + Duration.ofMinutes(10).toMillis());
+    try (Connection ignored =
+        environment.connectionBuilder().username("").password(validToken).build()) {}
+  }
+
+  private static String token(long expirationTime) throws JoseException {
+    JwtClaims claims = new JwtClaims();
+    claims.setIssuer("unit_test");
+    claims.setAudience("rabbitmq");
+    claims.setExpirationTime(NumericDate.fromMilliseconds(expirationTime));
+    claims.setStringListClaim(
+        "scope", List.of("rabbitmq.configure:*/*", "rabbitmq.write:*/*", "rabbitmq.read:*/*"));
+
+    JsonWebSignature signature = new JsonWebSignature();
+
+    byte[] key = Base64.decode(BASE64_KEY);
+    HmacKey hmacKey = new HmacKey(key);
+    signature.setKeyIdHeaderValue("token-key");
+    signature.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
+    signature.setKey(hmacKey);
+    signature.setPayload(claims.toJson());
+
+    return signature.getCompactSerialization();
+  }
+}