Test amqp+oauth+opaque tokens

MarcialRosales · MarcialRosales · commit cd02518aeb07 · 2025-07-30T12:31:46.000+02:00
diff --git a/selenium/suites/authnz-messaging/auth-oauth-backend-with-opaque-tokens.sh b/selenium/suites/authnz-messaging/auth-oauth-backend-with-opaque-tokens.sh
diff --git a/selenium/test/amqp.js b/selenium/test/amqp.js
@@ -46,15 +46,15 @@ module.exports = {
         connectionOptions.username + ":" + connectionOptions.password + "@" +
         connectionOptions.host + ":" + connectionOptions.port
   },
-  open: (queueName = "my-queue") => {
+  open: (queueName = "my-queue", connOptions = connectionOptions) => {
     let promise = new Promise((resolve, reject) => {
       container.on('connection_open', function(context) {
         resolve()
       })
     })
-    console.log("Opening amqp connection using " + JSON.stringify(connectionOptions))
+    console.log("Opening amqp connection using " + JSON.stringify(connOptions))
     
-    let connection = container.connect(connectionOptions)
+    let connection = container.connect(connOptions)
     let receiver = connection.open_receiver({
       source: queueName,
       target: 'receiver-target',
diff --git a/selenium/test/authnz-msg-protocols/amqp10.js b/selenium/test/authnz-msg-protocols/amqp10.js
@@ -1,7 +1,7 @@
 const assert = require('assert')
 const { log, tokenFor, openIdConfiguration } = require('../utils')
 const { reset, expectUser, expectVhost, expectResource, allow, verifyAll } = require('../mock_http_backend')
-const { open: openAmqp, once: onceAmqp, on: onAmqp, close: closeAmqp } = require('../amqp')
+const { getAmqpConnectionOptions: amqpOptions, open: openAmqp, once: onceAmqp, on: onAmqp, close: closeAmqp } = require('../amqp')
 
 var receivedAmqpMessageCount = 0
 var untilConnectionEstablished = new Promise((resolve, reject) => {
@@ -31,6 +31,7 @@ describe('Having AMQP 1.0 protocol enabled and the following auth_backends: ' +
   let password = process.env.RABBITMQ_AMQP_PASSWORD
   let usemtls = process.env.AMQP_USE_MTLS
   let amqp;
+  let amqpSettings = amqpOptions()
 
   before(function () {    
     if (backends.includes("http") && (username.includes("http") || usemtls)) {
@@ -48,16 +49,20 @@ describe('Having AMQP 1.0 protocol enabled and the following auth_backends: ' +
       let oauthProviderUrl = process.env.OAUTH_PROVIDER_URL
       let oauthClientId = process.env.OAUTH_CLIENT_ID
       let oauthClientSecret = process.env.OAUTH_CLIENT_SECRET
+      let tokenFormat = process.env.OAUTH_TOKEN_FORMAT || 'jwt'
       log("oauthProviderUrl  : " + oauthProviderUrl)
+      log("oauthClientId  : " + oauthClientId)
+      log("oauthClientSecret  : " + oauthClientSecret)
       let openIdConfig = openIdConfiguration(oauthProviderUrl)
       log("Obtained token_endpoint : " + openIdConfig.token_endpoint)
-      password = tokenFor(oauthClientId, oauthClientSecret, openIdConfig.token_endpoint)
+      password = tokenFor(oauthClientId, oauthClientSecret, openIdConfig.token_endpoint, tokenFormat)
       log("Obtained access token : " + password)
+      amqpSettings.password = password
     }
   })
 
   it('can open an AMQP 1.0 connection', async function () {     
-    amqp = openAmqp()
+    amqp = openAmqp("mq-queue", amqpSettings)
     await untilConnectionEstablished
     var untilMessageReceived = new Promise((resolve, reject) => {
       onAmqp('message', function(context) {
diff --git a/selenium/test/authnz-msg-protocols/env.auth_backends-opaque-oauth b/selenium/test/authnz-msg-protocols/env.auth_backends-opaque-oauth
@@ -0,0 +1 @@
+OAUTH_TOKEN_FORMAT=opaque
diff --git a/selenium/test/authnz-msg-protocols/rabbitmq.auth_backends-opaque-oauth.conf b/selenium/test/authnz-msg-protocols/rabbitmq.auth_backends-opaque-oauth.conf
@@ -13,3 +13,12 @@ auth_oauth2.https.cacertfile = ${SPRING_CA_CERT}
 auth_oauth2.https.verify = verify_peer
 auth_oauth2.https.hostname_verification = wildcard
 
+auth_oauth2.introspection_client_auth_method = basic
+auth_oauth2.introspection_client_id = introspection_client
+auth_oauth2.introspection_client_secret = introspection_client
+
+auth_oauth2.opaque_token_signing_key.id = rabbit_opaque_key
+auth_oauth2.opaque_token_signing_key.type = hs256
+auth_oauth2.opaque_token_signing_key.key = symmetrical-signing-key
+
+auth_oauth2.verify_aud = false
diff --git a/selenium/test/authnz-msg-protocols/spring/application.yml b/selenium/test/authnz-msg-protocols/spring/application.yml
@@ -28,6 +28,16 @@ spring:
             - rabbitmq
       authorizationserver:
         client:
+          introspection_client:
+            registration:
+              provider: spring
+              client-id: introspection_client
+              client-secret: "{noop}introspection_client"
+              authorization-grant-types: 
+                - client_credentials
+              client-authentication-methods:
+                - client_secret_basic              
+              client-name: introspection_client
           producer:
             registration:
               provider: spring
@@ -36,17 +46,70 @@ spring:
               authorization-grant-types: 
                 - client_credentials
               client-authentication-methods:
-                - client_secret_post
-#              token-settings:
-#                access-token-format: reference              
-              scopes: 
+                - client_secret_basic
+              scope: 
                 - openid
                 - profile
                 - rabbitmq.tag:management
-                - rabbitmq.configure:*/*
-                - rabbitmq.read:*/*
-                - rabbitmq.write:*/*
+                - rabbitmq.configure:*/* 
+                - rabbitmq.read:*/* 
+                - rabbitmq.write:*/* 
               client-name: producer
+            token:
+              access-token-format: reference        
+          mgt_api_client_opaque:
+            registration:
+              provider: spring
+              client-id: mgt_api_client_opaque
+              client-secret: "{noop}mgt_api_client_opaque"
+              authorization-grant-types: 
+                - client_credentials
+              client-authentication-methods:
+                - client_secret_basic
+              scope: 
+                - openid
+                - profile
+                - rabbitmq.tag:management
+              client-name: mgt_api_client_opaque
+            token:
+              access-token-format: reference
+          mgt_api_client:
+            registration:
+              provider: spring
+              client-id: mgt_api_client
+              client-secret: "{noop}mgt_api_client"
+              authorization-grant-types: 
+                - client_credentials
+              client-authentication-methods:
+                - client_secret_basic
+              scope: 
+                - openid
+                - profile
+                - rabbitmq.tag:management
+                - rabbitmq.tag:administrator
+              client-name: mgt_api_client            
+          rabbitmq_client_code_opaque:
+            registration:
+              provider: spring
+              client-id: rabbitmq_client_code_opaque
+              client-secret: "{noop}rabbitmq_client_code_opaque"
+              require-proof-key: true              
+              authorization-grant-types: 
+                - authorization_code
+              client-authentication-methods:
+                - none
+              redirect-uris: 
+                - "${RABBITMQ_SCHEME}://${RABBITMQ_HOST}${RABBITMQ_PATH}/js/oidc-oauth/login-callback.html"
+              post-logout-redirect-uris:
+                - "${RABBITMQ_SCHEME}://${RABBITMQ_HOST}${RABBITMQ_PATH}/"
+              scopes: 
+                - openid 
+                - profile 
+                - rabbitmq.tag:administrator
+                - rabbitmq.tag:management
+              client-name: rabbitmq_client_code_opaque
+            token:
+              access-token-format: reference
           rabbitmq_client_code:
             registration:
               provider: spring
diff --git a/selenium/test/utils.js b/selenium/test/utils.js
@@ -236,17 +236,18 @@ module.exports = {
     }
   },
 
-  tokenFor: (client_id, client_secret, url = uaaUrl) => {
+  tokenFor: (client_id, client_secret, url = uaaUrl, token_format = "jwt") => {
     const req = new XMLHttpRequest()
     const params = 'client_id=' + client_id +
       '&client_secret=' + client_secret +
       '&grant_type=client_credentials' +
-      '&token_format=jwt' +
+      '&token_format=' + token_format + 
       '&response_type=token'
 
     req.open('POST', url, false)
     req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
     req.setRequestHeader('Accept', 'application/json')
+    req.setRequestHeader("Authorization", "Basic " + btoa(client_id+":"+client_secret));
     req.send(params)
     if (req.status == 200) return JSON.parse(req.responseText).access_token
     else {
