Modify schema to include scope_aliases

MarcialRosales · MarcialRosales · commit 6891fe36152b · 2024-10-03T09:26:19.000+02:00
WIP Add translation function
diff --git a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@@ -73,6 +73,16 @@
     list_to_binary(cuttlefish:conf_get("auth_oauth2.additional_scopes_key", Conf))
  end}.
 
+{mapping,
+ "auth_oauth2.scope_aliases.$alias",
+ "rabbitmq_auth_backend_oauth2.scope_aliases",
+ [{datatype, string}]}.
+
+{translation,
+ "rabbitmq_auth_backend_oauth2.scope_aliases",
+ fun(Conf) ->
+    rabbit_oauth2_schema:translate_scope_aliases(Conf)
+ end}.
 
 %% Configure the plugin to skip validation of the aud field
 %%
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl
@@ -11,12 +11,54 @@
 -export([
     translate_oauth_providers/1,
     translate_resource_servers/1,
-    translate_signing_keys/1
+    translate_signing_keys/1,
+    translate_scope_aliases/1
 ]).
 
 extract_key_as_binary({Name,_}) -> list_to_binary(Name).
 extract_value({_Name,V}) -> V.
 
+-spec translate_scope_aliases([{list(), binary()}]) -> map().
+translate_scope_aliases(Conf) ->
+    Settings = cuttlefish_variable:filter_by_prefix("auth_oauth2.scope_aliases", Conf),
+    maps:merge(extract_scope_aliases_as_a_map(Settings),
+        extract_scope_aliases_as_a_list_of_alias_scope_props(Settings)).
+
+convert_space_separated_string_to_list_of_binaries(String) ->
+    [ list_to_binary(V) || V <- string:tokens(String, " ")].
+
+extract_scope_aliases_as_a_map(Settings) ->    
+    maps:from_list([{
+            list_to_binary(K), 
+            convert_space_separated_string_to_list_of_binaries(V)
+            } || {["auth_oauth2", "scope_aliases", K], V} <- Settings ]).
+extract_scope_aliases_as_a_list_of_alias_scope_props(Settings) ->    
+    KeyFun = fun extract_key_as_binary/1,
+    ValueFun = fun extract_value/1,
+
+    List0 = [{K, {list_to_atom(Attr), list_to_binary(V)}}
+        || {["auth_oauth2", "scope_aliases", K, Attr], V} <- Settings ],
+    List1 = maps:to_list(maps:groups_from_list(KeyFun, ValueFun, List0)),
+    maps:from_list([ 
+        extract_scope_alias_mapping(Proplist) || {_, Proplist} <- List1]).
+    
+extract_scope_alias_mapping(Proplist) ->
+    Alias = 
+        case proplists:get_value(alias, Proplist) of 
+            undefined -> {error, missing_alias_attribute};
+            A -> A
+        end,
+    Scope = 
+        case proplists:get_value(scope, Proplist) of 
+            undefined -> {error, missing_scope_attribute};
+            S -> convert_space_separated_string_to_list_of_binaries(S)
+        end,
+    case {Alias, Scope} of
+        {{error, _} = Err0, _} -> Err0;
+        {_, {error, _} = Err1 } -> Err1;
+        _ = V -> V
+    end.
+
 -spec translate_resource_servers([{list(), binary()}]) -> map().
 translate_resource_servers(Conf) ->
     Settings = cuttlefish_variable:filter_by_prefix("auth_oauth2.resource_servers", Conf),
@@ -100,7 +142,7 @@ extract_resource_server_properties(Settings) ->
     ValueFun = fun extract_value/1,
 
     OAuthProviders = [{Name, {list_to_atom(Key), list_to_binary(V)}}
-        || {["auth_oauth2","resource_servers", Name, Key], V} <- Settings ],
+        || {["auth_oauth2", "resource_servers", Name, Key], V} <- Settings ],
     maps:groups_from_list(KeyFun, ValueFun, OAuthProviders).
 
 mapOauthProviderProperty({Key, Value}) ->
@@ -117,7 +159,7 @@ extract_oauth_providers_https(Settings) ->
     ExtractProviderNameFun = fun extract_key_as_binary/1,
 
     AttributesPerProvider = [{Name, mapHttpProperty({list_to_atom(Key), V})} ||
-        {["auth_oauth2","oauth_providers", Name, "https", Key], V} <- Settings ],
+        {["auth_oauth2", "oauth_providers", Name, "https", Key], V} <- Settings ],
 
     maps:map(fun(_K,V)-> [{https, V}] end,
         maps:groups_from_list(ExtractProviderNameFun, fun({_, V}) -> V end, AttributesPerProvider)).
@@ -132,7 +174,7 @@ extract_oauth_providers_algorithm(Settings) ->
     KeyFun = fun extract_key_as_binary/1,
 
     IndexedAlgorithms = [{Name, {Index, list_to_binary(V)}} ||
-        {["auth_oauth2","oauth_providers", Name, "algorithms", Index], V} <- Settings ],
+        {["auth_oauth2", "oauth_providers", Name, "algorithms", Index], V} <- Settings ],
     SortedAlgorithms = lists:sort(fun({_,{AI,_}},{_,{BI,_}}) -> AI < BI end, IndexedAlgorithms),
     Algorithms = [{Name, V} || {Name, {_I, V}} <- SortedAlgorithms],
     maps:map(fun(_K,V)-> [{algorithms, V}] end,
@@ -142,7 +184,7 @@ extract_resource_server_preferred_username_claims(Settings) ->
     KeyFun = fun extract_key_as_binary/1,
 
     IndexedClaims = [{Name, {Index, list_to_binary(V)}} ||
-        {["auth_oauth2","resource_servers", Name, "preferred_username_claims", Index], V} <- Settings ],
+        {["auth_oauth2", "resource_servers", Name, "preferred_username_claims", Index], V} <- Settings ],
     SortedClaims = lists:sort(fun({_,{AI,_}},{_,{BI,_}}) -> AI < BI end, IndexedClaims),
     Claims = [{Name, V} || {Name, {_I, V}} <- SortedClaims],
     maps:map(fun(_K,V)-> [{preferred_username_claims, V}] end,
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets b/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
@@ -184,5 +184,45 @@
             {scope_prefix,<<>>}
         ]}
         ],[]
+  }, 
+  {scope_aliases_1, 
+      "auth_oauth2.resource_server_id = new_resource_server_id
+       auth_oauth2.scope_aliases.admin = rabbitmq.tag:administrator 
+       auth_oauth2.scope_aliases.developer = rabbitmq.tag:management rabbitmq.read:*/*",
+       [
+        {rabbitmq_auth_backend_oauth2, [
+            {resource_server_id,<<"new_resource_server_id">>},
+            {scope_aliases, #{
+              <<"admin">> => [ 
+                              <<"rabbitmq.tag:administrator">>
+                              ],
+              <<"developer">> => [ 
+                              <<"rabbitmq.tag:administrator">>,
+                              <<"rabbitmq.read:*/*">>
+                              ]                              
+            }}
+        ]}
+       ], []
+  },
+  {scope_aliases_2, 
+      "auth_oauth2.resource_server_id = new_resource_server_id
+       auth_oauth2.scope_aliases.1.alias = admin
+       auth_oauth2.scope_aliases.1.scope = rabbitmq.tag:administrator 
+       auth_oauth2.scope_aliases.2.alias = developer
+       auth_oauth2.scope_aliases.2.scope = rabbitmq.tag:management rabbitmq.read:*/*",
+       [
+        {rabbitmq_auth_backend_oauth2, [
+            {resource_server_id,<<"new_resource_server_id">>},
+            {scope_aliases, #{
+              <<"admin">> => [ 
+                              <<"rabbitmq.tag:administrator">>
+                              ],
+              <<"developer">> => [ 
+                              <<"rabbitmq.tag:administrator">>,
+                              <<"rabbitmq.read:*/*">>
+                              ]                              
+            }}
+        ]}
+       ], []
   }
 ].
