Deprecate has_additional_scopes_key

and instead use only get_additional_scopes_key
As Per @kjnilsson suggestion

Author: MarcialRosales

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -124,7 +124,7 @@ expiry_timestamp(#auth_user{impl = DecodedTokenFun}) ->
 authenticate(_, AuthProps0) ->
     AuthProps = to_map(AuthProps0),
     Token     = token_from_context(AuthProps),
-    
+
     case check_token(Token) of
         %% avoid logging the token
         {error, _} = E  -> E;
@@ -247,10 +247,10 @@ post_process_payload_with_scope_alias_in_extra_scopes_source(ResourceServerId, P
     ExtraScopesField = rabbit_oauth2_config:get_additional_scopes_key(ResourceServerId),
     case ExtraScopesField of
         %% nothing to inject
-        undefined -> Payload;
-        _         ->
+        {error, not_found} -> Payload;
+        {ok, ExtraScopes} ->
             ScopeMappings = rabbit_oauth2_config:get_scope_aliases(ResourceServerId),
-            post_process_payload_with_scope_alias_field_named(Payload, ExtraScopesField, ScopeMappings)
+            post_process_payload_with_scope_alias_field_named(Payload, ExtraScopes, ScopeMappings)
     end.
 
 
@@ -281,38 +281,42 @@ post_process_payload_with_scope_alias_field_named(Payload, FieldName, ScopeAlias
 
 -spec does_include_complex_claim_field(ResourceServerId :: binary(), Payload :: map()) -> boolean().
 does_include_complex_claim_field(ResourceServerId, Payload) when is_map(Payload) ->
-  case rabbit_oauth2_config:has_additional_scopes_key(ResourceServerId) of
-    true -> maps:is_key(rabbit_oauth2_config:get_additional_scopes_key(ResourceServerId), Payload);
-    false -> false
+  case rabbit_oauth2_config:get_additional_scopes_key(ResourceServerId) of
+    {ok, ScopeKey} -> maps:is_key(ScopeKey, Payload);
+    {error, not_found} -> false
   end.
 
 -spec post_process_payload_with_complex_claim(ResourceServerId :: binary(), Payload :: map()) -> map().
 post_process_payload_with_complex_claim(ResourceServerId, Payload) ->
-    ComplexClaim =   maps:get(rabbit_oauth2_config:get_additional_scopes_key(ResourceServerId), Payload),
-    AdditionalScopes =
-        case ComplexClaim of
-            L when is_list(L) -> L;
-            M when is_map(M) ->
-                case maps:get(ResourceServerId, M, undefined) of
-                    undefined           -> [];
-                    Ks when is_list(Ks) ->
-                        [erlang:iolist_to_binary([ResourceServerId, <<".">>, K]) || K <- Ks];
-                    ClaimBin when is_binary(ClaimBin) ->
-                        UnprefixedClaims = binary:split(ClaimBin, <<" ">>, [global, trim_all]),
-                        [erlang:iolist_to_binary([ResourceServerId, <<".">>, K]) || K <- UnprefixedClaims];
-                    _ -> []
-                    end;
-            Bin when is_binary(Bin) ->
-                binary:split(Bin, <<" ">>, [global, trim_all]);
-            _ -> []
-            end,
-
-    case AdditionalScopes of
-        [] -> Payload;
-        _  ->
-            ExistingScopes = maps:get(?SCOPE_JWT_FIELD, Payload, []),
-            maps:put(?SCOPE_JWT_FIELD, AdditionalScopes ++ ExistingScopes, Payload)
-        end.
+    case rabbit_oauth2_config:get_additional_scopes_key(ResourceServerId) of
+      {ok, ScopesKey} ->
+        ComplexClaim = maps:get(ScopesKey, Payload),
+        AdditionalScopes =
+            case ComplexClaim of
+                L when is_list(L) -> L;
+                M when is_map(M) ->
+                    case maps:get(ResourceServerId, M, undefined) of
+                        undefined           -> [];
+                        Ks when is_list(Ks) ->
+                            [erlang:iolist_to_binary([ResourceServerId, <<".">>, K]) || K <- Ks];
+                        ClaimBin when is_binary(ClaimBin) ->
+                            UnprefixedClaims = binary:split(ClaimBin, <<" ">>, [global, trim_all]),
+                            [erlang:iolist_to_binary([ResourceServerId, <<".">>, K]) || K <- UnprefixedClaims];
+                        _ -> []
+                        end;
+                Bin when is_binary(Bin) ->
+                    binary:split(Bin, <<" ">>, [global, trim_all]);
+                _ -> []
+                end,
+
+        case AdditionalScopes of
+            [] -> Payload;
+            _  ->
+                ExistingScopes = maps:get(?SCOPE_JWT_FIELD, Payload, []),
+                maps:put(?SCOPE_JWT_FIELD, AdditionalScopes ++ ExistingScopes, Payload)
+            end;
+      {error, not_found} -> Payload
+    end.
 
 -spec post_process_payload_in_keycloak_format(Payload :: map()) -> map().
 %% keycloak token format: https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/issues/36

deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_config.erl

@@ -232,15 +232,22 @@ has_additional_scopes_key(TopResourceServerId, ResourceServerId) when ResourceSe
     _ -> true
   end.
 
--spec get_additional_scopes_key() -> binary() | undefined.
-get_additional_scopes_key() -> application:get_env(?APP, extra_scopes_source, undefined).
+-spec get_additional_scopes_key() -> {ok, binary()} | {error, not_found}.
+get_additional_scopes_key() ->
+  case application:get_env(?APP, extra_scopes_source, undefined) of
+    undefined -> {error, not_found};
+    ScopeKey -> {ok, ScopeKey}
+  end.
 
--spec get_additional_scopes_key(binary()) -> binary()  | undefined .
+-spec get_additional_scopes_key(binary()) -> {ok, binary()} | {error, not_found}.
 get_additional_scopes_key(ResourceServerId) -> get_additional_scopes_key(get_default_resource_server_id(), ResourceServerId).
 get_additional_scopes_key(TopResourceServerId, ResourceServerId) when ResourceServerId =:= TopResourceServerId -> get_additional_scopes_key();
 get_additional_scopes_key(TopResourceServerId, ResourceServerId) when ResourceServerId =/= TopResourceServerId ->
-  proplists:get_value(extra_scopes_source, maps:get(ResourceServerId, application:get_env(?APP, resource_servers, #{}), []),
-    get_additional_scopes_key()).
+  case proplists:get_value(extra_scopes_source, maps:get(ResourceServerId, application:get_env(?APP, resource_servers, #{}), [])) of
+    undefined -> get_additional_scopes_key();
+    <<>> -> get_additional_scopes_key();
+    ScopeKey -> {ok, ScopeKey}
+  end.
 
 
 -spec get_scope_prefix() -> binary().

deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_config_SUITE.erl

@@ -511,13 +511,13 @@ get_key_config(_Config) ->
   ?assertEqual(<<"https://oauth-for-rabbitmq1">>, proplists:get_value(jwks_url, KeyConfig)).
 
 get_additional_scopes_key(_Config) ->
-  ?assertEqual(<<"roles">>, rabbit_oauth2_config:get_additional_scopes_key()),
-  ?assertEqual(<<"extra-scope-1">>, rabbit_oauth2_config:get_additional_scopes_key(<<"rabbitmq1">> )),
+  ?assertEqual({ok, <<"roles">>}, rabbit_oauth2_config:get_additional_scopes_key()),
+  ?assertEqual({ok, <<"extra-scope-1">>}, rabbit_oauth2_config:get_additional_scopes_key(<<"rabbitmq1">> )),
   ?assertEqual(rabbit_oauth2_config:get_additional_scopes_key(), rabbit_oauth2_config:get_additional_scopes_key(<<"rabbitmq2">>)),
-  ?assertEqual(<<"roles">>, rabbit_oauth2_config:get_additional_scopes_key(?RABBITMQ)).
+  ?assertEqual({ok, <<"roles">>}, rabbit_oauth2_config:get_additional_scopes_key(?RABBITMQ)).
 
 get_additional_scopes_key_when_not_defined(_Config) ->
-  ?assertEqual(undefined, rabbit_oauth2_config:get_additional_scopes_key()),
+  ?assertEqual({error, not_found}, rabbit_oauth2_config:get_additional_scopes_key()),
   ?assertEqual(rabbit_oauth2_config:get_additional_scopes_key(), rabbit_oauth2_config:get_additional_scopes_key(<<"rabbitmq2">>)).
 
 is_verify_aud(_Config) ->