Support explicit foward proxy from oauth2 plugin

Author: MarcialRosales

.github/workflows/test-authnz.yaml

@@ -10,7 +10,7 @@ on:
       - 'deps/rabbitmq_auth_**'
       - 'deps/rabbitmq_management/src/**'
       - 'deps/rabbitmq_management/priv/**'
-      - 'deps/rabbitmq_management/selenium/**'
+      - 'selenium/**'
       - 'scripts/**'
       - .bazelrc
       - .bazelversion

deps/oauth2_client/include/types.hrl

@@ -20,6 +20,14 @@
 }).
 -type openid_configuration() :: #openid_configuration{}.
 
+-record(proxy_options, {
+    host :: string(),
+    port :: integer(),
+    username :: option(string() | binary()),
+    password :: option(string() | binary())
+}).
+-type proxy_options() :: #proxy_options{}.
+
 -record(oauth_provider, {
     id :: oauth_provider_id(),
     issuer :: option(uri_string:uri_string()),
@@ -28,7 +36,8 @@
     authorization_endpoint :: option(uri_string:uri_string()),
     end_session_endpoint :: option(uri_string:uri_string()),
     jwks_uri :: option(uri_string:uri_string()),
-    ssl_options :: option(list())
+    ssl_options :: option(list()),
+    proxy_options :: option(proxy_options())
 }).
 
 -type query_list() :: [{unicode:chardata(), unicode:chardata() | true}].

deps/oauth2_client/src/oauth2_client.erl

@@ -8,12 +8,16 @@
 -export([get_access_token/2, get_expiration_time/1,
         refresh_access_token/2,
         get_oauth_provider/1, get_oauth_provider/2,
-        get_openid_configuration/2,
+        get_openid_configuration/3,
         build_openid_discovery_endpoint/3,         
         merge_openid_configuration/2,
         merge_oauth_provider/2,
         extract_ssl_options_as_list/1,
-        format_ssl_options/1, format_oauth_provider/1, format_oauth_provider_id/1
+        map_proxy_auth_to_httpc_option/1,
+        map_proxy_to_httpc_option/1,
+        map_ssl_options_to_httpc_option/1,
+        map_timeout_to_httpc_option/1,
+        format_ssl_options/1, format_oauth_provider/1, format_oauth_provider_id/1        
         ]).
 
 -include("oauth2_client.hrl").
@@ -28,10 +32,11 @@ get_access_token(OAuthProvider, Request) ->
     Header = [],
     Type = ?CONTENT_URLENCODED,
     Body = build_access_token_request_body(Request),
-    HTTPOptions = get_ssl_options_if_any(OAuthProvider) ++
-        get_timeout_of_default(Request#access_token_request.timeout),
-    Options = [],
-    Response = httpc:request(post, {URL, Header, Type, Body}, HTTPOptions, Options),
+    HTTPOptions = 
+        map_ssl_options_to_httpc_option(OAuthProvider#oauth_provider.ssl_options) ++
+        map_timeout_to_httpc_option(Request#access_token_request.timeout),
+    Response = http_post(URL, Header, Type, Body, HTTPOptions, 
+        OAuthProvider#oauth_provider.proxy_options),
     parse_access_token_response(Response).
 
 -spec refresh_access_token(oauth_provider(), refresh_token_request()) ->
@@ -42,12 +47,36 @@ refresh_access_token(OAuthProvider, Request) ->
     Header = [],
     Type = ?CONTENT_URLENCODED,
     Body = build_refresh_token_request_body(Request),
-    HTTPOptions = get_ssl_options_if_any(OAuthProvider) ++
-        get_timeout_of_default(Request#refresh_token_request.timeout),
-    Options = [],
-    Response = httpc:request(post, {URL, Header, Type, Body}, HTTPOptions, Options),
+    HTTPOptions = 
+        map_ssl_options_to_httpc_option(OAuthProvider#oauth_provider.ssl_options) ++
+        map_timeout_to_httpc_option(Request#refresh_token_request.timeout),
+    Response = http_post(URL, Header, Type, Body, HTTPOptions, 
+        OAuthProvider#oauth_provider.proxy_options),
     parse_access_token_response(Response).
 
+http_post(URL, Header, Type, Body, HTTPOptions, ProxyOptions) ->
+    case ProxyOptions of 
+        undefined -> httpc:request(post, {URL, Header, Type, Body}, HTTPOptions, []);
+        _ ->
+            case httpc:set_options(map_proxy_to_httpc_option(ProxyOptions)) of
+                ok -> 
+                    httpc:request(post, {URL, Header, Type, Body},
+                        HTTPOptions ++ map_proxy_auth_to_httpc_option(ProxyOptions), []);
+                {error, _} = Error -> Error 
+            end
+    end.
+http_get(URL, HTTPOptions, ProxyOptions) ->
+    case ProxyOptions of 
+        undefined -> httpc:request(get, {URL, []}, HTTPOptions, []);
+        _ ->
+            case httpc:set_options(map_proxy_to_httpc_option(ProxyOptions)) of 
+                ok -> 
+                    httpc:request(get, {URL, []},
+                        HTTPOptions ++ map_proxy_auth_to_httpc_option(ProxyOptions), []);
+                {error, _} = Error -> Error 
+            end
+    end.
+        
 append_paths(Path1, Path2) ->
     erlang:iolist_to_binary([Path1, Path2]).
 
@@ -94,14 +123,17 @@ drop_trailing_path_separator(Path) when is_list(Path) ->
     end.
 
 -spec get_openid_configuration(DiscoveryEndpoint :: uri_string:uri_string(),
-    ssl:tls_option() | []) -> {ok, openid_configuration()} | {error, term()}.
-get_openid_configuration(DiscoverEndpoint, TLSOptions) ->    
-    rabbit_log:debug("get_openid_configuration from ~p (~p)", [DiscoverEndpoint,
-        format_ssl_options(TLSOptions)]),
-    Options = [],
-    Response = httpc:request(get, {DiscoverEndpoint, []}, TLSOptions, Options),
+    ssl:tls_option() | [], proxy_options() | undefined | 'none') -> 
+        {ok, openid_configuration()} | {error, term()}.
+get_openid_configuration(DiscoverEndpoint, TLSOptions, ProxyOptions) ->    
+    rabbit_log:debug("get_openid_configuration from ~p (~p) [~p]", [DiscoverEndpoint,
+        format_ssl_options(TLSOptions), format_proxy_options(ProxyOptions)]),
+    HTTPOptions = 
+        map_ssl_options_to_httpc_option(TLSOptions) ++
+        map_timeout_to_httpc_option(?DEFAULT_HTTP_TIMEOUT),
+    Response = http_get(DiscoverEndpoint, HTTPOptions, ProxyOptions),
     parse_openid_configuration_response(Response).
-
+    
 -spec merge_openid_configuration(openid_configuration(), oauth_provider()) ->
     oauth_provider().
 merge_openid_configuration(OpenId, OAuthProvider0) ->    
@@ -283,7 +315,9 @@ download_oauth_provider(OAuthProvider) ->
         undefined -> {error, {missing_oauth_provider_attributes, [issuer]}};
         URL ->
             rabbit_log:debug("Downloading oauth_provider using ~p ", [URL]),
-            case get_openid_configuration(URL, get_ssl_options_if_any(OAuthProvider)) of
+            case get_openid_configuration(URL, 
+                    OAuthProvider#oauth_provider.ssl_options,
+                    OAuthProvider#oauth_provider.proxy_options) of
                 {ok, OpenIdConfiguration} ->
                     {ok, update_oauth_provider_endpoints_configuration(
                         merge_openid_configuration(OpenIdConfiguration, OAuthProvider))};
@@ -395,8 +429,36 @@ lookup_root_oauth_provider() ->
         token_endpoint = get_env(token_endpoint),
         authorization_endpoint = get_env(authorization_endpoint),
         end_session_endpoint = get_env(end_session_endpoint),
-        ssl_options = extract_ssl_options_as_list(Map)
+        ssl_options = extract_ssl_options_as_list(Map),
+        proxy_options = extract_proxy_options(Map)
     }.
+  
+-spec extract_proxy_options(#{atom() => any()}|list()) -> proxy_options() | undefined.
+extract_proxy_options(List) when is_list(List) ->
+    case {proplists:get_value(proxy_host, List, undefined),
+        proplists:get_value(proxy_port, List, 0)} of 
+        {undefined, _} -> undefined;
+        {_, 0} -> undefined;
+        {H, P} ->
+            #proxy_options{
+                host = H,
+                port = P,
+                username = proplists:get_value(proxy_username, List, undefined),
+                password = proplists:get_value(proxy_password, List, undefined)
+            }
+    end;
+extract_proxy_options(Map) ->
+    case {maps:get(proxy_host, Map, undefined), maps:get(proxy_port, Map, 0)} of
+        {undefined, _} -> undefined;
+        {_, 0} -> undefined;
+        {H, P} ->
+            #proxy_options{
+                host = H,
+                port = P,
+                username = maps:get(proxy_username, Map, undefined),
+                password = maps:get(proxy_password, Map, undefined)
+            }
+    end.
 
 -spec extract_ssl_options_as_list(#{atom() => any()}) -> proplists:proplist().
 extract_ssl_options_as_list(Map) ->
@@ -522,17 +584,44 @@ append_extra_parameters(Request, QueryList) ->
         Params -> Params ++ QueryList
     end.
 
-get_ssl_options_if_any(OAuthProvider) ->
-    case OAuthProvider#oauth_provider.ssl_options of
+map_ssl_options_to_httpc_option(SslOptions) ->
+    case SslOptions of
         undefined -> [];
         Options ->  [{ssl, Options}]
     end.
-get_timeout_of_default(Timeout) ->
+
+map_timeout_to_httpc_option(Timeout) ->
     case Timeout of
         undefined -> [{timeout, ?DEFAULT_HTTP_TIMEOUT}];
         Timeout -> [{timeout, Timeout}]
     end.
 
+map_proxy_to_httpc_option(ProxyOptions) ->
+    case ProxyOptions of
+        undefined -> 
+            []; 
+        Proxy -> case {Proxy#proxy_options.host, Proxy#proxy_options.port} of 
+            {undefined, 0} -> [];
+            {_, 0} -> [];
+            {undefined, _} -> [];
+            {Host, Port} ->
+                P = {{Host, Port},[]},
+                [{proxy, P}]                
+            end
+    end.
+
+map_proxy_auth_to_httpc_option(ProxyOptions) ->
+    case ProxyOptions of
+        undefined -> 
+            []; 
+        Proxy -> 
+            case {Proxy#proxy_options.username, Proxy#proxy_options.password} of 
+                {undefined, _} -> [];
+                {_, undefined} -> [];
+                {_, _} = Auth -> [{proxy_auth, Auth}]
+            end
+    end.
+
 is_json(?CONTENT_JSON) -> true;
 is_json(_) -> false.
 
@@ -588,7 +677,9 @@ map_to_oauth_provider(PropList) when is_list(PropList) ->
             proplists:get_value(jwks_uri, PropList, undefined),
         ssl_options = 
             extract_ssl_options_as_list(maps:from_list(
-                proplists:get_value(https, PropList, [])))
+                proplists:get_value(https, PropList, []))),
+        proxy_options = 
+            extract_proxy_options(PropList)
     }.
 map_to_access_token_response(Code, Reason, Headers, Body) ->
     case decode_body(proplists:get_value("content-type", Headers, ?CONTENT_JSON), Body) of
@@ -626,6 +717,18 @@ format_ssl_options(TlsOptions) ->
         proplists:get_value(cacertfile, TlsOptions),
         CaCertsCount])).
 
+-spec format_proxy_options(proxy_options()|undefined) -> string().
+format_proxy_options(undefined) ->
+    lists:flatten(io_lib:format("{no proxy}", []));
+
+format_proxy_options(ProxyOptions) ->
+    lists:flatten(io_lib:format("{host: ~p, port: ~p, username: ~p, " ++
+        "password: ~p }", [
+        ProxyOptions#proxy_options.host,
+        ProxyOptions#proxy_options.port,
+        ProxyOptions#proxy_options.username,
+        ProxyOptions#proxy_options.password])).
+
 format_oauth_provider_id(root) -> "<from keyconfig>";
 format_oauth_provider_id(Id) -> binary_to_list(Id).
 
@@ -634,15 +737,16 @@ format_oauth_provider(OAuthProvider) ->
     lists:flatten(io_lib:format("{id: ~p, issuer: ~p, discovery_endpoint: ~p, " ++
         " token_endpoint: ~p, " ++
         "authorization_endpoint: ~p, end_session_endpoint: ~p, " ++
-        "jwks_uri: ~p, ssl_options: ~p }", [
+        "jwks_uri: ~p, ssl_options: ~p, proxy_options: ~p}", [
         format_oauth_provider_id(OAuthProvider#oauth_provider.id),
         OAuthProvider#oauth_provider.issuer,
         OAuthProvider#oauth_provider.discovery_endpoint,
         OAuthProvider#oauth_provider.token_endpoint,
         OAuthProvider#oauth_provider.authorization_endpoint,
         OAuthProvider#oauth_provider.end_session_endpoint,
         OAuthProvider#oauth_provider.jwks_uri,
-        format_ssl_options(OAuthProvider#oauth_provider.ssl_options)])).
+        format_ssl_options(OAuthProvider#oauth_provider.ssl_options),
+        format_proxy_options(OAuthProvider#oauth_provider.proxy_options)])).
 
 get_env(Par) ->
     application:get_env(rabbitmq_auth_backend_oauth2, Par, undefined).

deps/oauth2_client/test/system_SUITE.erl

@@ -322,10 +322,11 @@ build_openid_discovery_endpoint(Issuer, Path) ->
 
 get_openid_configuration(Config) ->
     ExpectedOAuthProvider = ?config(oauth_provider, Config),
-    SslOptions = [{ssl, ExpectedOAuthProvider#oauth_provider.ssl_options}],
+    SslOptions = ExpectedOAuthProvider#oauth_provider.ssl_options,
     {ok, ActualOpenId} = oauth2_client:get_openid_configuration(
         build_openid_discovery_endpoint(build_issuer("https")),
-        SslOptions),
+        SslOptions,
+        ExpectedOAuthProvider#oauth_provider.proxy_options),
     ExpectedOpenId = map_oauth_provider_to_openid_configuration(ExpectedOAuthProvider),
     assertOpenIdConfiguration(ExpectedOpenId, ActualOpenId).
 
@@ -344,35 +345,39 @@ get_openid_configuration_returns_partial_payload(Config) ->
         token_endpoint = ExpectedOAuthProvider0#oauth_provider.token_endpoint,
         jwks_uri = ExpectedOAuthProvider0#oauth_provider.jwks_uri},
 
-    SslOptions = [{ssl, ExpectedOAuthProvider0#oauth_provider.ssl_options}],
+    SslOptions = ExpectedOAuthProvider0#oauth_provider.ssl_options,
     {ok, Actual} = oauth2_client:get_openid_configuration(
         build_openid_discovery_endpoint(build_issuer("https")),
-        SslOptions),
+        SslOptions,
+        ExpectedOAuthProvider0#oauth_provider.proxy_options),
     ExpectedOpenId = map_oauth_provider_to_openid_configuration(ExpectedOAuthProvider),
     assertOpenIdConfiguration(ExpectedOpenId, Actual).
 
 get_openid_configuration_using_path(Config) ->
     ExpectedOAuthProvider = ?config(oauth_provider, Config),
-    SslOptions = [{ssl, ExpectedOAuthProvider#oauth_provider.ssl_options}],
+    SslOptions = ExpectedOAuthProvider#oauth_provider.ssl_options,
     {ok, Actual} = oauth2_client:get_openid_configuration(
         build_openid_discovery_endpoint(build_issuer("https", ?ISSUER_PATH)),
-        SslOptions),
+        SslOptions,
+        ExpectedOAuthProvider#oauth_provider.proxy_options),
     ExpectedOpenId = map_oauth_provider_to_openid_configuration(ExpectedOAuthProvider),
     assertOpenIdConfiguration(ExpectedOpenId,Actual).
 get_openid_configuration_using_path_and_custom_endpoint(Config) ->
     ExpectedOAuthProvider = ?config(oauth_provider, Config),
-    SslOptions = [{ssl, ExpectedOAuthProvider#oauth_provider.ssl_options}],
+    SslOptions = ExpectedOAuthProvider#oauth_provider.ssl_options,
     {ok, Actual} = oauth2_client:get_openid_configuration(
         build_openid_discovery_endpoint(build_issuer("https", ?ISSUER_PATH),
-        ?CUSTOM_OPENID_CONFIGURATION_ENDPOINT), SslOptions),
+        ?CUSTOM_OPENID_CONFIGURATION_ENDPOINT), SslOptions, 
+        ExpectedOAuthProvider#oauth_provider.proxy_options),
     ExpectedOpenId = map_oauth_provider_to_openid_configuration(ExpectedOAuthProvider),
     assertOpenIdConfiguration(ExpectedOpenId, Actual).
 get_openid_configuration_using_custom_endpoint(Config) ->
     ExpectedOAuthProvider = ?config(oauth_provider, Config),
-    SslOptions = [{ssl, ExpectedOAuthProvider#oauth_provider.ssl_options}],
+    SslOptions = ExpectedOAuthProvider#oauth_provider.ssl_options,
     {ok, Actual} = oauth2_client:get_openid_configuration(
         build_openid_discovery_endpoint(build_issuer("https"),
-        ?CUSTOM_OPENID_CONFIGURATION_ENDPOINT), SslOptions),
+        ?CUSTOM_OPENID_CONFIGURATION_ENDPOINT), SslOptions,
+        ExpectedOAuthProvider#oauth_provider.proxy_options),
     ExpectedOpenId = map_oauth_provider_to_openid_configuration(ExpectedOAuthProvider),
     assertOpenIdConfiguration(ExpectedOpenId, Actual).
 

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -220,6 +220,26 @@
     rabbit_oauth2_schema:translate_oauth_providers(Conf)
  end}.
 
+{mapping,
+ "auth_oauth2.proxy.host",
+ "rabbitmq_auth_backend_oauth2.proxy.host",
+ [{datatype, string}]}.
+
+{mapping,
+ "auth_oauth2.proxy.port",
+ "rabbitmq_auth_backend_oauth2.proxy.port",
+ [{datatype, integer}]}.
+
+{mapping,
+ "auth_oauth2.proxy.username",
+ "rabbitmq_auth_backend_oauth2.proxy.username",
+ [{datatype, string}]}.
+
+{mapping,
+ "auth_oauth2.proxy.password",
+ "rabbitmq_auth_backend_oauth2.proxy.password",
+ [{datatype, string}]}.
+
 {mapping,
  "auth_oauth2.https.peer_verification",
  "rabbitmq_auth_backend_oauth2.key_config.peer_verification",
@@ -322,6 +342,26 @@
  "rabbitmq_auth_backend_oauth2.oauth_providers",
  [{datatype, integer}]}.
 
+{mapping,
+ "auth_oauth2.oauth_providers.$name.proxy.host",
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, string}]}.
+
+{mapping,
+ "auth_oauth2.oauth_providers.$name.proxy.port",
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, integer}]}.
+
+{mapping,
+ "auth_oauth2.oauth_providers.$name.proxy.username",
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, string}]}.
+
+{mapping,
+ "auth_oauth2.oauth_providers.$name.proxy.password",
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, string}]}.
+
 {mapping,
  "auth_oauth2.oauth_providers.$name.https.hostname_verification",
  "rabbitmq_auth_backend_oauth2.oauth_providers",