Initial commit

Author: MarcialRosales

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -103,17 +103,29 @@ check_topic_access(#auth_user{impl = DecodedTokenFun},
 update_state(AuthUser, NewToken) ->
     case resolve_resource_server(NewToken) of
         {error, _} = Err0 -> Err0;
-        {_, _} = Tuple ->
+        {ResourceServer, _} = Tuple ->
             case check_token(NewToken, Tuple) of
                 %% avoid logging the token
                 {refused, {error, {invalid_token, error, _Err, _Stacktrace}}} ->
                     {refused, "Authentication using an OAuth 2/JWT token failed: provided token is invalid"};
                 {refused, Err} ->
                     {refused, rabbit_misc:format("Authentication using an OAuth 2/JWT token failed: ~tp", [Err])};
                 {ok, DecodedToken} ->
-                    Tags = tags_from(DecodedToken),
-                    {ok, AuthUser#auth_user{tags = Tags,
-                                            impl = fun() -> DecodedToken end}}
+                    CurToken = AuthUser#auth_user.impl,
+                    case ensure_same_username(
+                            ResourceServer#resource_server.preferred_username_claims,
+                            CurToken(), DecodedToken) of 
+                        ok ->
+                            Tags = tags_from(DecodedToken),
+                            {ok, AuthUser#auth_user{tags = Tags,
+                                                    impl = fun() -> DecodedToken end}};
+                        {error, mismatch_username_after_token_refresh} -> 
+                            {refused, 
+                                rabbit_misc:format("Not allowed to change username on refreshed token")};
+                        {error, Error} ->
+                            {refused, 
+                                rabbit_misc:format("Failed to refresh token due to ~p", [Error])}
+                    end
             end
     end.
 
@@ -139,7 +151,7 @@ authenticate(_, AuthProps0) ->
                     {refused, "Authentication using an OAuth 2/JWT token failed: provided token is invalid", []};
                 {refused, Err} ->
                     {refused, "Authentication using an OAuth 2/JWT token failed: ~tp", [Err]};
-                {ok, DecodedToken} ->
+                {ok, DecodedToken} ->                    
                     Func = fun(Token0) ->
                                 Username = username_from(
                                     ResourceServer#resource_server.preferred_username_claims,
@@ -164,6 +176,12 @@ with_decoded_token(DecodedToken, Fun) ->
             rabbit_log:error(Msg),
             Err
     end.
+ensure_same_username(PreferredUsernameClaims, CurrentDecodedToken, NewDecodedToken) ->
+    CurUsername = username_from(PreferredUsernameClaims, CurrentDecodedToken),
+    case {CurUsername, username_from(PreferredUsernameClaims, NewDecodedToken)} of 
+        {CurUsername, CurUsername} -> ok;
+        _ -> {error, mismatch_username_after_token_refresh}
+    end. 
 
 validate_token_expiry(#{<<"exp">> := Exp}) when is_integer(Exp) ->
     Now = os:system_time(seconds),

deps/rabbitmq_auth_backend_oauth2/test/jwks_SUITE.erl

@@ -58,7 +58,8 @@ groups() ->
         test_failed_connection_with_a_token_with_insufficient_resource_permission,
         test_failed_connection_with_algorithm_restriction,
         test_failed_token_refresh_case1,
-        test_failed_token_refresh_case2
+        test_failed_token_refresh_case2,
+        cannot_change_username_on_refreshed_token
         ]},
     {no_peer_verification, [], [
         {group, happy_path},
@@ -521,6 +522,11 @@ generate_valid_token(Config, Jwk, Scopes, Audience) ->
     IncludeKid = rabbit_ct_helpers:get_config(Config, include_kid, true),
     ?UTIL_MOD:sign_token_hs(Token, Jwk, IncludeKid).
 
+generate_valid_token_with_sub(Config, Jwk, Scopes, Sub) ->
+    Token = ?UTIL_MOD:token_with_sub(?UTIL_MOD:fixture_token_with_scopes(Scopes), Sub),
+    IncludeKid = rabbit_ct_helpers:get_config(Config, include_kid, true),
+    ?UTIL_MOD:sign_token_hs(Token, Jwk, IncludeKid).
+
 generate_valid_token_with_extra_fields(Config, ExtraFields) ->
     Jwk = 
         case rabbit_ct_helpers:get_config(Config, fixture_jwk) of
@@ -937,6 +943,33 @@ test_failed_token_refresh_case2(Config) ->
 
     close_connection(Conn).
 
+cannot_change_username_on_refreshed_token(Config) ->
+    Jwk = 
+        case get_config(Config, fixture_jwk) of
+            undefined -> ?UTIL_MOD:fixture_jwk();
+            Value     -> Value
+        end,
+    {_, CurToken} = generate_valid_token(Config, Jwk, <<"oldUsername">>, [
+        <<"rabbitmq.configure:vhost4/*">>,
+        <<"rabbitmq.write:vhost4/*">>,
+        <<"rabbitmq.read:vhost4/*">>]),
+    Conn     = open_unmanaged_connection(Config, 0, <<"vhost4">>, 
+                <<"oldUsername">>, CurToken),
+   
+    {_, RefreshToken} = generate_valid_token_with_sub(Config, Jwk, <<"newUsername">>,
+        [<<"rabbitmq.configure:vhost4/*">>,
+         <<"rabbitmq.write:vhost4/*">>,
+         <<"rabbitmq.read:vhost4/*">>]),
+
+    %% the error is communicated asynchronously via a connection-level error
+    {error, _} = amqp_connection:update_secret(Conn, RefreshToken,
+        <<"token refresh">>),
+
+    ?assertExit({{shutdown, {connection_closing, {server_initiated_close, 530, _}}}, _},
+       amqp_connection:open_channel(Conn)),
+
+    close_connection(Conn).
+
 test_failed_connection_with_algorithm_restriction(Config) ->
     {_Algo, Token} = get_config(Config, fixture_jwt),
     ?assertMatch({error, {auth_failure, _}},