Test resolve resource server with opaque access token

Author: MarcialRosales

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -204,6 +204,7 @@ ensure_same_username(PreferredUsernameClaims, CurrentDecodedToken, NewDecodedTok
         _ -> {error, mismatch_username_after_token_refresh}
     end.
 
+
 validate_token_expiry(#{<<"exp">> := Exp}) when is_integer(Exp) ->
     Now = os:system_time(seconds),
     case Exp =< Now of

deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_resource_server.erl

@@ -11,6 +11,7 @@
 
 -export([
     resolve_resource_server_from_audience/1,
+    resolve_single_resource_server_with_opaque_access_token_format/0,
     new_resource_server/1
 ]).
 
@@ -57,6 +58,38 @@ resolve_resource_server_from_audience(Audience) ->
             {ok, get_resource_server(ResourceServerId)}
     end.
 
+-spec resolve_single_resource_server_with_opaque_access_token_format() -> 
+     {ok, resource_server()} |
+     {error, too_many_matched_resource_servers_only_one_allowed} |
+     {error, no_resource_server_found}.
+resolve_single_resource_server_with_opaque_access_token_format() ->
+    case get_root_resource_server_id() of 
+        <<>> -> 
+            find_unique_resource_server_with_opaque_access_token_format();
+        _ -> 
+            Root = get_root_resource_server(),
+            case Root#resource_server.access_token_format of 
+                opaque -> {ok, Root};
+                _ -> find_unique_resource_server_with_opaque_access_token_format()
+            end
+    end.
+
+find_unique_resource_server_with_opaque_access_token_format() ->   
+    Map0 = maps:fold(fun(K,V,Acc)->
+        case V#resource_server.access_token_format of 
+            opaque -> 
+                case maps:is_key(V#resource_server.oauth_provider_id, Acc) of 
+                    false -> maps:put(V#resource_server.oauth_provider_id, K, Acc);
+                    true -> Acc
+                end;
+            _ -> Acc
+        end end, #{}, get_env(resource_servers, #{})),
+    case maps:size(Map0) of 
+        0 -> {error, no_resource_server_found};
+        1 -> {ok, lists:last(maps:values(Map0))};
+        _ ->  {error, too_many_matched_resource_servers_only_one_allowed}
+    end.
+    
 -spec get_root_resource_server_id() -> resource_server_id().
 get_root_resource_server_id() ->
     get_env(resource_server_id, <<>>).

deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl

@@ -165,6 +165,16 @@ verify_signing_key(Type, Value) ->
         Err -> Err
     end.
 
+% introspect_token(OpaqueToken) ->
+%     case rabbit_oauth2_resource_server:resolve_single_resource_server_with_opaque_access_token_format() of
+%         ResourceServer -> 
+%             case oauth2_client:get_oauth_provider(ResourceServer#resource_server.oauth_provider_id,
+%                     [introspection_endpoint]) of 
+%                 Provider -> 
+%             Provider#oauth_provider.
+%         {error,_} = Error -> Error
+%     end.
+
 -spec get_scope(map()) -> binary() | list().
 get_scope(#{?SCOPE_JWT_FIELD := Scope}) -> Scope;
 get_scope(#{}) -> [].

deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_resource_server_SUITE.erl

@@ -19,7 +19,9 @@
 -define(OAUTH_PROVIDER_B,<<"B">>).
 
 -import(oauth2_client, [get_oauth_provider/2]).
--import(rabbit_oauth2_resource_server, [resolve_resource_server_from_audience/1]).
+-import(rabbit_oauth2_resource_server, 
+    [resolve_resource_server_from_audience/1,
+     resolve_single_resource_server_with_opaque_access_token_format/0]).
 
 
 all() -> [
@@ -38,6 +40,10 @@ groups() -> [
             resolve_resource_server_for_none_audience_returns_rabbitmq,
             resolve_resource_server_for_unknown_audience_returns_rabbitmq
         ]},
+        cannot_resolve_resource_server_for_opaque_access_token,
+        {with_opaque_access_token_format, [], [
+            resolve_resource_server_for_opaque_access_token
+        ]},
         {verify_get_rabbitmq_server_configuration, [],
             verify_get_rabbitmq_server_configuration()}
     ]},
@@ -205,6 +211,10 @@ init_per_group(with_two_resource_servers, Config) ->
     [{?RABBITMQ_RESOURCE_ONE, RabbitMQ1}, {?RABBITMQ_RESOURCE_TWO, RabbitMQ2}]
         ++ Config;
 
+init_per_group(with_opaque_access_token_format, Config) ->
+    set_env(access_token_format, opaque),
+    Config;
+
 init_per_group(_any, Config) ->
     Config.
 
@@ -256,6 +266,10 @@ end_per_group(with_scope_aliases, Config) ->
     unset_env(scope_aliases),
     Config;
 
+end_per_group(with_opaque_access_token_format, Config) ->
+    unset_env(access_token_format),
+    Config;
+
 end_per_group(_any, Config) ->
     Config.
 
@@ -304,6 +318,13 @@ resolve_resource_server_id_for_both_resources_returns_error(_) ->
     assert_resource_server_id({error, aud_matched_many_resource_servers_only_one_allowed},
         [?RABBITMQ_RESOURCE_TWO, ?RABBITMQ_RESOURCE_ONE]).
 
+resolve_resource_server_for_opaque_access_token(_) ->
+    {ok, Actual} = resolve_single_resource_server_with_opaque_access_token_format(),
+    ?assertEqual(?RABBITMQ, Actual#resource_server.id).
+
+cannot_resolve_resource_server_for_opaque_access_token(_) ->
+    {error, no_resource_server_found} = resolve_single_resource_server_with_opaque_access_token_format().
+
 rabbitmq_verify_aud_is_true(_) ->
     assert_verify_aud(true, ?RABBITMQ).