REmove from code keycloak format

Update existing test case with the
appropriate configuration
Add more tests

Author: MarcialRosales

deps/rabbitmq_auth_backend_oauth2/app.bzl

@@ -13,7 +13,6 @@ def all_beam_files(name = "all_beam_files"):
             "src/Elixir.RabbitMQ.CLI.Ctl.Commands.AddUaaKeyCommand.erl",
             "src/rabbit_auth_backend_oauth2.erl",
             "src/rabbit_auth_backend_oauth2_app.erl",
-            "src/rabbit_oauth2_keycloak.erl",
             "src/rabbit_oauth2_provider.erl",
             "src/rabbit_oauth2_rar.erl",
             "src/rabbit_oauth2_resource_server.erl",
@@ -51,7 +50,6 @@ def all_test_beam_files(name = "all_test_beam_files"):
             "src/Elixir.RabbitMQ.CLI.Ctl.Commands.AddUaaKeyCommand.erl",
             "src/rabbit_auth_backend_oauth2.erl",
             "src/rabbit_auth_backend_oauth2_app.erl",
-            "src/rabbit_oauth2_keycloak.erl",
             "src/rabbit_oauth2_provider.erl",
             "src/rabbit_oauth2_rar.erl",
             "src/rabbit_oauth2_resource_server.erl",
@@ -101,7 +99,6 @@ def all_srcs(name = "all_srcs"):
             "src/Elixir.RabbitMQ.CLI.Ctl.Commands.AddUaaKeyCommand.erl",
             "src/rabbit_auth_backend_oauth2.erl",
             "src/rabbit_auth_backend_oauth2_app.erl",
-            "src/rabbit_oauth2_keycloak.erl",
             "src/rabbit_oauth2_provider.erl",
             "src/rabbit_oauth2_rar.erl",
             "src/rabbit_oauth2_resource_server.erl",

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -28,7 +28,6 @@
     get_scope/1, set_scope/2,
     resolve_resource_server/1]).
 
--import(rabbit_oauth2_keycloak, [has_keycloak_scopes/1, extract_scopes_from_keycloak_format/1]).
 -import(rabbit_oauth2_rar, [extract_scopes_from_rich_auth_request/2, has_rich_auth_request_scopes/1]).
 
 -import(rabbit_oauth2_scope, [filter_matching_scope_prefix_and_drop_it/2]).
@@ -245,24 +244,19 @@ normalize_token_scope(ResourceServer, Payload) ->
         false -> Payload0
         end,
 
-    Payload2 = case has_keycloak_scopes(Payload1) of
-        true  -> extract_scopes_from_keycloak_format(Payload1);
-        false -> Payload1
+    Payload2 = case ResourceServer#resource_server.scope_aliases of
+        undefined -> Payload1;
+        ScopeAliases  -> extract_scopes_using_scope_aliases(ScopeAliases, Payload1)
         end,
 
-    Payload3 = case ResourceServer#resource_server.scope_aliases of
-        undefined -> Payload2;
-        ScopeAliases  -> extract_scopes_using_scope_aliases(ScopeAliases, Payload2)
-        end,
-
-    Payload4 = case has_rich_auth_request_scopes(Payload3) of
-        true  -> extract_scopes_from_rich_auth_request(ResourceServer, Payload3);
-        false -> Payload3
+    Payload3 = case has_rich_auth_request_scopes(Payload2) of
+        true  -> extract_scopes_from_rich_auth_request(ResourceServer, Payload2);
+        false -> Payload2
         end,
 
     FilteredScopes = filter_matching_scope_prefix_and_drop_it(
-        get_scope(Payload4), ResourceServer#resource_server.scope_prefix),
-    set_scope(FilteredScopes, Payload4).
+        get_scope(Payload3), ResourceServer#resource_server.scope_prefix),
+    set_scope(FilteredScopes, Payload3).
 
 
 -spec extract_scopes_using_scope_aliases(
@@ -293,7 +287,7 @@ extract_scopes_using_scope_aliases(ScopeAliasMapping, Payload) ->
 has_additional_scopes_key(ResourceServer, Payload) when is_map(Payload) ->
     case ResourceServer#resource_server.additional_scopes_key of
         undefined -> false;
-        ScopeKey -> maps:is_key(ScopeKey, Payload)
+        _ -> true
     end.
 
 %% Path is a binary expression which is a plain word like <<"roles">>
@@ -373,14 +367,16 @@ split_path(Path) when is_binary(Path) ->
     binary:split(Path, <<".">>, [global, trim_all]).
 
 
-
-
 -spec extract_scopes_from_additional_scopes_key(
     ResourceServer :: resource_server(), Payload :: map()) -> map().
 extract_scopes_from_additional_scopes_key(ResourceServer, Payload) ->
-    Claim = maps:get(ResourceServer#resource_server.additional_scopes_key, Payload),
-    AdditionalScopes = extract_additional_scopes(ResourceServer, Claim),
-    set_scope(AdditionalScopes ++ get_scope(Payload), Payload).
+    Paths = case ResourceServer#resource_server.additional_scopes_key of 
+        B when is_binary(B) -> binary:split(B, <<" ">>, [global, trim_all]);
+        L when is_list(L) -> L
+    end,
+    AdditionalScopes = [ extract_token_value(ResourceServer, 
+        Payload, Path, fun extract_scope_list_from_token_value/2) || Path <- Paths],    
+    set_scope(lists:flatten(AdditionalScopes) ++ get_scope(Payload), Payload).
 
 extract_additional_scopes(ResourceServer, ComplexClaim) ->
     ResourceServerId = ResourceServer#resource_server.id,

deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_keycloak.erl

@@ -316,5 +316,15 @@
             }            
         ]}
        ], []
+  },
+  {additional_scopes_key, 
+      "auth_oauth2.resource_server_id = new_resource_server_id
+       auth_oauth2.additional_scopes_key = roles realm.roles",
+       [
+        {rabbitmq_auth_backend_oauth2, [
+            {resource_server_id,<<"new_resource_server_id">>},
+            {extra_scopes_source, <<"roles realm.roles">> }            
+        ]}
+       ], []
   }
 ].

deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets

@@ -42,13 +42,15 @@ all() ->
         test_token_expiration,
         test_invalid_signature,
         test_incorrect_kid,
+        normalize_token_scope_using_multiple_scopes_key,
         normalize_token_scope_with_keycloak_scopes,
         normalize_token_scope_with_rich_auth_request,
         normalize_token_scope_with_rich_auth_request_using_regular_expression_with_cluster,
         test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_scope_field,
         test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_extra_scope_source_field,
         test_username_from,
         {group, with_rabbitmq_node}
+      
     ].
 groups() ->
     [
@@ -119,6 +121,73 @@ end_per_group(_, Config) ->
 -define(RESOURCE_SERVER_TYPE, <<"rabbitmq-type">>).
 -define(DEFAULT_SCOPE_PREFIX, <<"rabbitmq.">>).
 
+normalize_token_scope_using_multiple_scopes_key(_) ->
+    Pairs = [
+        %% common case
+    {
+        "keycloak format 1",
+        #{<<"authorization">> => 
+            #{<<"permissions">> =>
+            [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
+               <<"rsname">> => <<"allvhost">>,
+               <<"scopes">> => [<<"rabbitmq-resource.read:*/*">>]},
+             #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
+               <<"rsname">> => <<"vhost1">>,
+               <<"scopes">> => [<<"rabbitmq-resource.write:vhost1/*">>]},
+             #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
+               <<"rsname">> => <<"Default Resource">>,
+               <<"scopes">> => [<<"unknown-resource.write:vhost1/*">>]}
+             ]
+            }
+        },        
+        [<<"read:*/*">>, <<"write:vhost1/*">>]
+    },
+    {
+        "keycloak format 2 using realm_access",
+        #{<<"realm_access">> =>
+            #{<<"roles">> => [<<"rabbitmq-resource.read:format2/*">>]}
+        },
+        [<<"read:format2/*">>]
+    },
+     {
+        "keycloak format 2 using resource_access",
+        #{<<"resource_access">> =>
+            #{<<"account">> => #{<<"roles">> => [<<"rabbitmq-resource.read:format2bis/*">>]} }
+        },
+        [<<"read:format2bis/*">>]
+    },
+     {
+        "both formats",
+        #{<<"authorization">> => 
+            #{<<"permissions">> =>
+            [#{<<"rsid">> => <<"2c390fe4-02ad-41c7-98a2-cebb8c60ccf1">>,
+               <<"rsname">> => <<"allvhost">>,
+               <<"scopes">> => [<<"rabbitmq-resource.read:*/*">>]},
+             #{<<"rsid">> => <<"e7f12e94-4c34-43d8-b2b1-c516af644cee">>,
+               <<"rsname">> => <<"vhost1">>,
+               <<"scopes">> => [<<"rabbitmq-resource.write:vhost1/*">>]},
+             #{<<"rsid">> => <<"12ac3d1c-28c2-4521-8e33-0952eff10bd9">>,
+               <<"rsname">> => <<"Default Resource">>,
+               <<"scopes">> => [<<"unknown-resource.write:vhost1/*">>]}
+             ]
+            },
+         <<"realm_access">> =>
+            #{<<"roles">> => [<<"rabbitmq-resource.read:format2/*">>]},
+         <<"resource_access">> =>
+            #{<<"account">> => #{<<"roles">> => [<<"rabbitmq-resource.read:format2bis/*">>]} }   
+        },        
+        [<<"read:*/*">>, <<"write:vhost1/*">>, <<"read:format2/*">>, <<"read:format2bis/*">>]
+    }
+    ],
+
+    lists:foreach(fun({Case, Token0, ExpectedScope}) ->
+        ResourceServer0 = new_resource_server(<<"rabbitmq-resource">>),
+        ResourceServer = ResourceServer0#resource_server{
+            additional_scopes_key = <<"authorization.permissions.scopes realm_access.roles resource_access.account.roles">>
+            },
+        Token = normalize_token_scope(ResourceServer, Token0),
+        ?assertEqual(ExpectedScope, uaa_jwt:get_scope(Token), Case)
+        end, Pairs).
 
 normalize_token_scope_with_keycloak_scopes(_) ->
     Pairs = [
@@ -172,7 +241,10 @@ normalize_token_scope_with_keycloak_scopes(_) ->
     ],
 
     lists:foreach(fun({Case, Authorization, ExpectedScope}) ->
-        ResourceServer = new_resource_server(<<"rabbitmq-resource">>),
+        ResourceServer0 = new_resource_server(<<"rabbitmq-resource">>),
+        ResourceServer = ResourceServer0#resource_server{
+            additional_scopes_key = <<"authorization.permissions.scopes">>
+            },
         Token0 = #{<<"authorization">> => Authorization},
         Token = normalize_token_scope(ResourceServer, Token0),
         ?assertEqual(ExpectedScope, uaa_jwt:get_scope(Token), Case)
@@ -1313,6 +1385,7 @@ test_extract_scope_from_path_expression(_) ->
             <<"rabbitmq">> => <<"role1 role2">>         
         }}, 
         <<"auth">>, M),
+    %% this is the old keycloak format    
     [<<"role1">>,<<"role2">>] = extract_token_value(R,
         #{ <<"auth">> => #{ 
             <<"permission">> => [