Fix all test in unit_SUITE

MarcialRosales · MarcialRosales · commit cd67b6574e0e · 2024-09-19T09:50:04.000+02:00
diff --git a/deps/rabbitmq_auth_backend_oauth2/app.bzl b/deps/rabbitmq_auth_backend_oauth2/app.bzl
@@ -105,7 +105,7 @@ def all_srcs(name = "all_srcs"):
             "src/resource_server.erl",
             "src/oauth2_schema.erl",
             "src/rar.erl",
-            "src/keycloak.erl",            
+            "src/keycloak.erl",
             "src/rabbit_oauth2_scope.erl",
             "src/uaa_jwks.erl",
             "src/uaa_jwt.erl",
@@ -233,9 +233,11 @@ def test_suite_beam_files(name = "test_suite_beam_files"):
         testonly = True,
         srcs = ["test/unit_SUITE.erl"],
         outs = ["test/unit_SUITE.beam"],
+        hdrs = ["include/oauth2.hrl"],
         app_name = "rabbitmq_auth_backend_oauth2",
         erlc_opts = "//:test_erlc_opts",
-        deps = ["//deps/rabbit_common:erlang_app"],
+        deps = ["//deps/rabbit_common:erlang_app",
+                "//deps/oauth2_client:erlang_app"],
     )
     erlang_bytecode(
         name = "wildcard_match_SUITE_beam_files",
diff --git a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@@ -163,15 +163,15 @@
 %% auth_oauth2.resource_servers.rabbitmq.token_endpoint_params.audience
 %% auth_oauth2.resource_servers.rabbitmq.jkws_uri_params.appId =
 
-{mapping,
- "auth_oauth2.authorization_endpoint_params.$param",
- "rabbitmq_auth_backend_oauth2.oauth_providers",
- [{datatype, string}]}.
-
-{translation, "rabbitmq_auth_backend_oauth2.authorization_endpoint_params",
- fun(Conf) ->
-    oauth2_schema:translate_authorization_endpoint_params(Conf)
- end}.
+%%{mapping,
+%% "auth_oauth2.authorization_endpoint_params.$param",
+%% "rabbitmq_auth_backend_oauth2.oauth_providers",
+%% [{datatype, string}]}.
+
+%%{translation, "rabbitmq_auth_backend_oauth2.authorization_endpoint_params",
+%% fun(Conf) ->
+%%    oauth2_schema:translate_authorization_endpoint_params(Conf)
+%% end}.
 
 {mapping,
  "auth_oauth2.oauth_providers.$name.algorithms.$algorithm",
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/oauth2_schema.erl b/deps/rabbitmq_auth_backend_oauth2/src/oauth2_schema.erl
@@ -11,8 +11,8 @@
 -export([
     translate_oauth_providers/1,
     translate_resource_servers/1,
-    translate_signing_keys/1,
-    translate_authorization_endpoint_params/1
+    translate_signing_keys/1 %,
+    %%translate_authorization_endpoint_params/1
 ]).
 
 extract_key_as_binary({Name,_}) -> list_to_binary(Name).
@@ -64,10 +64,10 @@ translate_list_of_signing_keys(ListOfKidPath) ->
         end,
     maps:map(fun(_K, Path) -> {pem, TryReadingFileFun(Path)} end, maps:from_list(ListOfKidPath)).
 
--spec translate_authorization_endpoint_params([{list(), binary()}]) -> map().
-translate_authorization_endpoint_params(Conf) ->
-    Params = cuttlefish_variable:filter_by_prefix("auth_oauth2.authorization_endpoint_params", Conf),
-    lists:map(fun({Id, Value}) -> {list_to_binary(lists:last(Id)), Value} end, Params).
+%%-spec translate_authorization_endpoint_params([{list(), binary()}]) -> map().
+%%translate_authorization_endpoint_params(Conf) ->
+%%    Params = cuttlefish_variable:filter_by_prefix("auth_oauth2.authorization_endpoint_params", Conf),
+%%    lists:map(fun({Id, Value}) -> {list_to_binary(lists:last(Id)), Value} end, Params).
 
 validator_file_exists(Attr, Filename) ->
     case file:read_file(Filename) of
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
@@ -133,7 +133,7 @@ authenticate(_, AuthProps0) ->
     Token     = token_from_context(AuthProps),
     case resolve_resource_server(Token) of
         {error, _} = Err0 ->
-            Err0;
+            {refused, "Authentication using OAuth 2/JWT token failed: ~tp", [Err0]};
         {ResourceServer, _} = Tuple ->
             case check_token(Token, Tuple) of
                 {error, _} = E  -> E;
@@ -189,7 +189,7 @@ check_token(Token, {ResourceServer, InternalOAuthProvider}) ->
     case decode_and_verify(Token, ResourceServer, InternalOAuthProvider) of
         {error, Reason} -> {refused, {error, Reason}};
         {true, Payload} -> {ok, normalize_token_scope(ResourceServer, Payload)};
-        {false, _, _} -> {refused, signature_invalid}
+        {false, _} -> {refused, signature_invalid}
     end.
 
 -spec normalize_token_scope(
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_scope.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_scope.erl
@@ -96,7 +96,6 @@ parse_resource_pattern(Pattern, Permission) ->
 -spec filter_matching_scope_prefix_and_drop_it(list(), binary()|list()) -> list().
 filter_matching_scope_prefix_and_drop_it(Scopes, <<"">>) -> Scopes;
 filter_matching_scope_prefix_and_drop_it(Scopes, PrefixPattern)  ->
-    ct:log("filter_matching_scope_prefix_and_drop_it ~p ~p", [Scopes, PrefixPattern]),
     PatternLength = byte_size(PrefixPattern),
     lists:filtermap(
         fun(ScopeEl) ->
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl
@@ -36,10 +36,9 @@ all() ->
         test_token_expiration,
         test_invalid_signature,
         test_incorrect_kid,
-        test_post_process_token_payload,
-        test_post_process_token_payload_keycloak,
-        test_post_process_payload_rich_auth_request,
-        test_post_process_payload_rich_auth_request_using_regular_expression_with_cluster,
+        normalize_token_scope_with_keycloak_scopes,
+        normalize_token_scope_with_rich_auth_request,
+        normalize_token_scope_with_rich_auth_request_using_regular_expression_with_cluster,
         test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_scope_field,
         test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_extra_scope_source_field,
         test_username_from,
@@ -62,7 +61,7 @@ groups() ->
           test_successful_authentication_without_scopes,
           test_successful_access_with_a_token_that_uses_single_scope_alias_in_extra_scope_source_field,
           test_successful_access_with_a_token_that_uses_multiple_scope_aliases_in_extra_scope_source_field,
-          test_post_process_token_payload_complex_claims,
+          normalize_token_scope_with_additional_scopes_complex_claims,
           test_successful_access_with_a_token_that_uses_single_scope_alias_in_scope_field_and_custom_scope_prefix
 
       ]}
@@ -121,70 +120,67 @@ end_per_group(_, Config) ->
 -define(DEFAULT_SCOPE_PREFIX, <<"rabbitmq.">>).
 
 
-test_post_process_token_payload_keycloak(_) ->
+normalize_token_scope_with_keycloak_scopes(_) ->
     Pairs = [
         %% common case
-        {
-          #{<<"permissions">> =>
-                [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
-                   <<"rsname">> => <<"allvhost">>,
-                   <<"scopes">> => [<<"rabbitmq-resource.read:*/*">>]},
-                 #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
-                   <<"rsname">> => <<"vhost1">>,
-                   <<"scopes">> => [<<"rabbitmq-resource.write:vhost1/*">>]},
-                 #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
-                   <<"rsname">> => <<"Default Resource">>,
-                   <<"scopes">> => [<<"unknown-resource.write:vhost1/*">>]}
-                 ]
-          },
-          [<<"read:*/*">>, <<"write:vhost1/*">>]
-        },
-
-        %% one scopes field with a string instead of an array
-        {
-          #{<<"permissions">> =>
-                [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
-                   <<"rsname">> => <<"allvhost">>,
-                   <<"scopes">> => <<"rabbitmq-resource.read:*/*">>},
-                 #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
-                   <<"rsname">> => <<"vhost1">>,
-                   <<"scopes">> => [<<"unknown-resource-read">>]},
-                 #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
-                   <<"rsname">> => <<"Default Resource">>}]},
-          [<<"rabbitmq-resource.read:*/*">>]
+    {
+        "common case",
+        #{<<"permissions">> =>
+            [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
+               <<"rsname">> => <<"allvhost">>,
+               <<"scopes">> => [<<"rabbitmq-resource.read:*/*">>]},
+             #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
+               <<"rsname">> => <<"vhost1">>,
+               <<"scopes">> => [<<"rabbitmq-resource.write:vhost1/*">>]},
+             #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
+               <<"rsname">> => <<"Default Resource">>,
+               <<"scopes">> => [<<"unknown-resource.write:vhost1/*">>]}
+             ]
         },
-
-        %% no scopes field in permissions
-        {
-          #{<<"permissions">> =>
-                [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
-                   <<"rsname">> => <<"allvhost">>},
-                 #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
-                   <<"rsname">> => <<"vhost1">>},
-                 #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
-                   <<"rsname">> => <<"Default Resource">>}]},
-          []
-        },
-
-        %% no permissions
-        {
-          #{<<"permissions">> => []},
+        [<<"read:*/*">>, <<"write:vhost1/*">>]
+    },
+    {
+        "one scopes field with a string instead of an array",
+        #{<<"permissions">> =>
+            [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
+               <<"rsname">> => <<"allvhost">>,
+               <<"scopes">> => <<"rabbitmq-resource.read:*/*">>},
+             #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
+               <<"rsname">> => <<"vhost1">>,
+               <<"scopes">> => [<<"unknown-resource-read">>]},
+             #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
+               <<"rsname">> => <<"Default Resource">>}]},
+        [<<"read:*/*">>]
+    },
+    {
+        "no scopes field in permissions",
+        #{<<"permissions">> =>
+            [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
+               <<"rsname">> => <<"allvhost">>},
+             #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
+               <<"rsname">> => <<"vhost1">>},
+             #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
+               <<"rsname">> => <<"Default Resource">>}]},
+        []
+    },
+    {
+        "no permissions",
+        #{<<"permissions">> => []},
           []
-        },
-        %% missing permissions key
-        {#{}, []}
+    },
+    {"missing permissions key", #{}, []}
     ],
-    lists:foreach(fun({Authorization, ExpectedScope}) ->
+
+    lists:foreach(fun({Case, Authorization, ExpectedScope}) ->
         ResourceServer = resource_server:new_resource_server(<<"rabbitmq-resource">>),
         Token0 = #{<<"authorization">> => Authorization},
         Token = normalize_token_scope(ResourceServer, Token0),
-        ?assertEqual(ExpectedScope, uaa_jwt:get_scope(Token))
+        ?assertEqual(ExpectedScope, uaa_jwt:get_scope(Token), Case)
         end, Pairs).
 
-test_post_process_payload_rich_auth_request_using_regular_expression_with_cluster(_) ->
+normalize_token_scope_with_rich_auth_request_using_regular_expression_with_cluster(_) ->
 
   Pairs = [
-
   { "should filter out those permisions whose locations do not refer to cluster : {resource_server_id}",
     [ #{<<"type">> => ?RESOURCE_SERVER_TYPE,
         <<"locations">> => [<<"cluster:rabbitmq-test">>],
@@ -230,7 +226,7 @@ test_post_process_payload_rich_auth_request_using_regular_expression_with_cluste
                 lists:sort(uaa_jwt:get_scope(Token)), Case)
       end, Pairs).
 
-test_post_process_payload_rich_auth_request(_) ->
+normalize_token_scope_with_rich_auth_request(_) ->
 
     Pairs = [
     { "should merge all permissions for the current cluster",
@@ -546,75 +542,75 @@ test_post_process_payload_rich_auth_request(_) ->
         ?assertEqual(ExpectedScopes, ActualScopes, Case)
       end, Pairs).
 
-test_post_process_token_payload_complex_claims(_) ->
+normalize_token_scope_with_additional_scopes_complex_claims(_) ->
     Pairs = [
-        %% claims in form of binary
-        {
-          <<"rabbitmq.rabbitmq-resource.read:*/* rabbitmq.rabbitmq-resource-read">>,
-          [<<"rabbitmq.rabbitmq-resource.read:*/*">>, <<"rabbitmq.rabbitmq-resource-read">>]
-        },
-        %% claims in form of binary - empty result
-        {<<>>, []},
-        %% claims in form of list
-        {
-          [<<"rabbitmq.rabbitmq-resource.read:*/*">>,
+    {
+        "claims in form of binary",
+        <<"rabbitmq.rabbitmq-resource.read:*/* rabbitmq.rabbitmq-resource-read">>,
+        [<<"read:*/*">>]
+    },
+    {"claims in form of binary - empty result", <<>>, []},
+    {
+        "claims in form of list",
+        [<<"rabbitmq.rabbitmq-resource.read:*/*">>,
            <<"rabbitmq2.rabbitmq-resource-read">>],
-          [<<"rabbitmq.rabbitmq-resource.read:*/*">>, <<"rabbitmq2.rabbitmq-resource-read">>]
-        },
-        %% claims in form of list - empty result
-        {[], []},
-        %% claims are map with list content
-        {
-          #{<<"rabbitmq">> =>
-                [<<"rabbitmq-resource.read:*/*">>,
-                 <<"rabbitmq-resource-read">>],
-            <<"rabbitmq3">> =>
-                [<<"rabbitmq-resource.write:*/*">>,
-                 <<"rabbitmq-resource-write">>]},
-          [<<"rabbitmq.rabbitmq-resource.read:*/*">>, <<"rabbitmq.rabbitmq-resource-read">>]
-        },
-        %% claims are map with list content - empty result
-        {
-          #{<<"rabbitmq2">> =>
-                 [<<"rabbitmq-resource.read:*/*">>,
-                  <<"rabbitmq-resource-read">>]},
-          []
-        },
-        %% claims are map with binary content
-        {
-          #{<<"rabbitmq">> => <<"rabbitmq-resource.read:*/* rabbitmq-resource-read">>,
-           <<"rabbitmq3">> => <<"rabbitmq-resource.write:*/* rabbitmq-resource-write">>},
-          [<<"rabbitmq.rabbitmq-resource.read:*/*">>, <<"rabbitmq.rabbitmq-resource-read">>]
-        },
-        %% claims are map with binary content - empty result
-        {
-          #{<<"rabbitmq2">> => <<"rabbitmq-resource.read:*/* rabbitmq-resource-read">>}, []
-        },
-        %% claims are map with empty binary content - empty result
-        {
-          #{<<"rabbitmq">> => <<>>}, []
-        },
-        %% claims are map with empty list content - empty result
-        {
-          #{<<"rabbitmq">> => []}, []
+        [<<"read:*/*">>]
+    },
+    {"claims in form of list - empty result", [], []},
+    {
+        "claims are map with list content",
+        #{<<"rabbitmq">> =>
+            [<<"rabbitmq-resource.read:*/*">>,
+             <<"rabbitmq-resource-read">>],
+        <<"rabbitmq3">> =>
+            [<<"rabbitmq-resource.write:*/*">>,
+             <<"rabbitmq-resource-write">>]},
+        [<<"read:*/*">>, <<"rabbitmq.rabbitmq-resource-read">>]
+    },
+    {
+        "claims are map with list content - empty result",
+        #{<<"rabbitmq2">> =>
+             [<<"rabbitmq-resource.read:*/*">>,
+              <<"rabbitmq-resource-read">>]},
+        []
+    },
+    {
+        "claims are map with binary content",
+        #{  <<"rabbitmq">> => <<"rabbitmq-resource.read:*/* rabbitmq-resource-read">>,
+            <<"rabbitmq3">> => <<"rabbitmq-resource.write:*/* rabbitmq-resource-write">>},
+        [<<"rabbitmq.rabbitmq-resource.read:*/*">>, <<"rabbitmq.rabbitmq-resource-read">>]
+    },
+    {
+        "claims are map with binary content - empty result",
+        #{<<"rabbitmq2">> => <<"rabbitmq-resource.read:*/* rabbitmq-resource-read">>}, []
+    },
+    {
+        "claims are map with empty binary content - empty result",
+        #{<<"rabbitmq">> => <<>>}, []
+    },
+    {
+        "claims are map with empty list content - empty result",
+        #{<<"rabbitmq">> => []}, []
+    },
+    {
+        "no extra claims provided",
+        [], []
+    },
+    {
+        "no extra claims provided", #{}, []
+    }],
+    lists:foreach(fun({Case, Authorization, ExpectedScope0}) ->
+        ResourceServer0 = resource_server:new_resource_server(?RESOURCE_SERVER_ID),
+        ResourceServer = ResourceServer0#resource_server{
+            scope_prefix = <<"rabbitmq.rabbitmq-resource.">>,
+            additional_scopes_key = <<"custom-key">>
         },
-        %% no extra claims provided
-        {[], []},
-        %% no extra claims provided
-        {#{}, []}
-    ],
-    lists:foreach(
-        fun({Authorization, ExpectedScope}) ->
-            Payload = post_process_payload_with_complex_claim_authorization(<<"rabbitmq-resource">>, Authorization),
-            ?assertEqual(ExpectedScope, maps:get(<<"scope">>, Payload))
-        end, Pairs).
-
-post_process_payload_with_complex_claim_authorization(ResourceServerId, Authorization) ->
-    Jwk = ?UTIL_MOD:fixture_jwk(),
-    Token =  maps:put(<<"additional_rabbitmq_scopes">>, Authorization, ?UTIL_MOD:fixture_token_with_scopes([])),
-    {_, EncodedToken} = ?UTIL_MOD:sign_token_hs(Token, Jwk),
-    {true, Payload} = uaa_jwt_jwt:decode_and_verify(Jwk, EncodedToken),
-    rabbit_auth_backend_oauth2:post_process_payload(ResourceServerId, Payload).
+        Token0 = #{<<"custom-key">> => Authorization},
+        Token = normalize_token_scope(ResourceServer, Token0),
+        ExpectedScopes = lists:sort(ExpectedScope0),
+        ActualScopes = lists:sort(uaa_jwt:get_scope(Token)),
+        ?assertEqual(ExpectedScopes, ActualScopes, Case)
+      end, Pairs).
 
 test_successful_authentication_without_scopes(_) ->
     Jwk = ?UTIL_MOD:fixture_jwk(),
