Add var expansion to vhost and resource access

Author: MarcialRosales

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -87,27 +87,25 @@ user_login_authorization(Username, AuthProps) ->
 check_vhost_access(#auth_user{impl = DecodedTokenFun},
                    VHost, _AuthzData) ->
     with_decoded_token(DecodedTokenFun(),
-        fun(_Token) ->
+        fun(Token) ->
             DecodedToken = DecodedTokenFun(),
-            Scopes = get_scope(DecodedToken),
-            ScopeString = rabbit_oauth2_scope:concat_scopes(Scopes, ","),
-            rabbit_log:debug("Matching virtual host '~ts' against the following scopes: ~ts", [VHost, ScopeString]),
+            Scopes = get_expanded_scopes(Token, #resource{virtual_host = VHost}),
             rabbit_oauth2_scope:vhost_access(VHost, Scopes)
         end).
 
 check_resource_access(#auth_user{impl = DecodedTokenFun},
                       Resource, Permission, _AuthzContext) ->
     with_decoded_token(DecodedTokenFun(),
         fun(Token) ->
-            Scopes = get_scope(Token),
+            Scopes = get_expanded_scopes(Token, Resource),
             rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
         end).
 
 check_topic_access(#auth_user{impl = DecodedTokenFun},
                    Resource, Permission, Context) ->    
     with_decoded_token(DecodedTokenFun(),
         fun(Token) ->
-            Scopes = get_expanded_scopes(Token, Resource),        
+            Scopes = get_expanded_scopes(Token, Resource),
             rabbit_oauth2_scope:topic_access(Resource, Permission, Context, Scopes)
         end).
 

deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl

@@ -785,25 +785,35 @@ test_successful_access_with_a_token_that_uses_single_scope_alias_with_var_expans
     Alias = <<"client-alias-1">>,
     set_env(scope_aliases, #{
         Alias => [
-            <<"rabbitmq.configure:{vhost}/q-{sub}/{client_id}**">>
-        ]            
+            <<"rabbitmq.configure:{vhost}/q-{sub}/rk-{client_id}**">>           
+        ]
     }),
 
     VHost = <<"vhost">>,
     Username = <<"bob">>,
+    ClientId = <<"rmq">>,
     Token    = ?UTIL_MOD:sign_token_hs(?UTIL_MOD:token_with_sub(
         ?UTIL_MOD:token_with_claim(
-            ?UTIL_MOD:token_with_scope_alias_in_scope_field(Alias), <<"client_id">>, <<"rmq">>), 
+            ?UTIL_MOD:token_with_scope_alias_in_scope_field(Alias), <<"client_id">>, ClientId), 
                 Username), Jwk),
 
     {ok, #auth_user{username = Username} = AuthUser} =
         user_login_authentication(Username, [{password, Token}]),
-        
-    assert_topic_access_refused(AuthUser, VHost, <<"q-bob">>, read,
-        #{routing_key => <<"rmq/#">>}),
+
+    %% vhost access 
+    assert_vhost_access_granted(AuthUser, ClientId),
+
+    %% resource access 
+    assert_resource_access_denied(AuthUser, VHost, <<"none">>, read),
+    assert_resource_access_granted(AuthUser, VHost, <<"q-bob">>, configure),
+
+    %% topic access         
+    assert_topic_access_refused(AuthUser, VHost, <<"q-bob">>, configure,
+        #{routing_key => <<"rk-r2mq/#">>}),
     assert_topic_access_granted(AuthUser, VHost, <<"q-bob">>, configure,
-        #{routing_key => <<"rmq/#">>}),
+        #{routing_key => <<"rk-rmq/#">>}),
 
+
     application:unset_env(rabbitmq_auth_backend_oauth2, scope_aliases),
     application:unset_env(rabbitmq_auth_backend_oauth2, key_config).