Successful login management ui with opaque token converted to JWT

Author: MarcialRosales

deps/oauth2_client/src/oauth2_client.erl

@@ -427,29 +427,29 @@ unlock(LockId) ->
 get_opaque_token_signing_key() -> 
     case get_env(opaque_token_signing_key) of 
         undefined -> {error, missing_opaque_token_signing_key};
-        Map -> 
-            parse_signing_key_configuration(Map)
+        List -> 
+            parse_signing_key_configuration(List)
     end.
 
 -spec get_opaque_token_signing_key(string()|binary()) -> {ok, signing_key()} | {error, any()}.
 get_opaque_token_signing_key(KeyId) -> 
-    Map = get_env(opaque_token_signing_key),
-    case maps:get(id, Map, undefined) of 
+    List = get_env(opaque_token_signing_key),
+    case proplists:get_value(id, List, undefined) of 
         undefined -> {error, missing_opaque_token_signing_key};
-        KeyId -> parse_signing_key_configuration(Map);
+        KeyId -> parse_signing_key_configuration(List);
         _ -> {error, missing_opaque_token_signing_key}
     end.
 
-parse_signing_key_configuration(Map) ->
-    SK0 = case maps:get(id, Map, undefined) of 
+parse_signing_key_configuration(List) ->
+    SK0 = case proplists:get_value(id, List, undefined) of 
         undefined -> {error, missing_signing_key_id};
         Id -> #signing_key{id = Id}
     end,
-    case {SK0, maps:get(type, Map, hs256)} of 
+    case {SK0, proplists:get_value(type, List, hs256)} of 
         {{error, _} = Error, _} -> 
             Error;
         {_, hs256} -> 
-            Sk1 = case maps:get(key, Map, undefined) of 
+            Sk1 = case proplists:get_value(key, List, undefined) of 
                 undefined -> {error, missing_symmetrical_key_value};
                 SymKey -> SK0#signing_key{
                     type = hs256, 
@@ -468,11 +468,11 @@ parse_signing_key_configuration(Map) ->
                 _ -> Sk1
             end;
         {_, rs256} -> 
-            Sk2 = case maps:get(key_pem_file, Map, undefined) of 
+            Sk2 = case proplists:get_value(key_pem_file, List, undefined) of 
                 undefined -> 
                     {error, missing_key_pem_file};
                 PrivateKey -> 
-                    case maps:get(cert_pem_file, Map, undefined) of 
+                    case proplists:get_value(cert_pem_file, List, undefined) of 
                         undefined -> 
                             {error, missing_cert_pem_file};
                         PublicKey -> 

deps/oauth2_client/test/unit_SUITE.erl

@@ -306,7 +306,7 @@ access_token_response_without_expiration_time(_) ->
 
 can_sign_token(_Config) ->
     application:set_env(rabbitmq_auth_backend_oauth2, opaque_token_signing_key,
-        #{ id => <<"key-id">>, type => hs256, key => <<"some-key">>}),
+        [{ id, <<"key-id">>, type, hs256, key, <<"some-key">>}]),
 
     {ok, Value } = oauth2_client:sign_token(#{"scopes" => "a b"}),
     ct:log("JWT : ~p", [Value]),

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -169,7 +169,7 @@
 
 {mapping, "auth_oauth2.opaque_token_signing_key.type", 
       "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.type",
-      [{datatype, {enum, [HS256, RS256]}}]}.
+      [{datatype, {enum, [hs256, rs256]}}]}.
 
 {mapping, "auth_oauth2.opaque_token_signing_key.key", 
       "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.key",
@@ -183,7 +183,11 @@
       "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.cert_pem_file",
       [{datatype, file}, {validators, ["file_accessible"]}]}.
 
-
+{translation,
+ "rabbitmq_auth_backend_oauth2.opaque_token_signing_key",
+ fun(Conf) ->
+    rabbit_oauth2_schema:translate_opaque_token_signing_key(Conf)
+ end}.
 
 %% ID of the default signing key
 %%

deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_provider.erl

@@ -147,12 +147,12 @@ get_signing_keys(OauthProviderId) ->
 
 get_signing_key(KeyId) ->
     case maps:get(KeyId, get_signing_keys(root), undefined) of 
-        undefined -> oauth2_client:get_opaque_signing_key(KeyId);
+        undefined -> oauth2_client:get_opaque_token_signing_key(KeyId);
         V -> V 
     end.
 get_signing_key(KeyId, OAuthProviderId) ->
     case maps:get(KeyId, get_signing_keys(OAuthProviderId), undefined) of 
-        undefined -> oauth2_client:get_opaque_signing_key(KeyId);
+        undefined -> oauth2_client:get_opaque_token_signing_key(KeyId);
         V -> V
     end.
 

deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl

@@ -12,6 +12,8 @@
 -define(RESOURCE_SERVERS, "resource_servers").
 -define(OAUTH_PROVIDERS, "oauth_providers").
 -define(SIGNING_KEYS, "signing_keys").
+-define(OPAQUE_TOKEN_SIGNING_KEY, "opaque_token_signing_key").
+
 -define(AUTH_OAUTH2_SCOPE_ALIASES, ?AUTH_OAUTH2 ++ "." ++ ?SCOPE_ALIASES).
 -define(AUTH_OAUTH2_RESOURCE_SERVERS, ?AUTH_OAUTH2 ++ "." ++ ?RESOURCE_SERVERS).
 -define(AUTH_OAUTH2_OAUTH_PROVIDERS, ?AUTH_OAUTH2 ++ "." ++ ?OAUTH_PROVIDERS).
@@ -25,7 +27,8 @@
     translate_resource_servers/1,
     translate_signing_keys/1,
     translate_endpoint_params/2,
-    translate_scope_aliases/1
+    translate_scope_aliases/1,
+    translate_opaque_token_signing_key/1
 ]).
 
 resource_servers_key_synonym(Key) -> maps:get(Key, ?RESOURCE_SERVERS_SYNONYMS, Key).
@@ -193,6 +196,13 @@ translate_endpoint_params(Variable, Conf) ->
     [{list_to_binary(Param), list_to_binary(V)} || {["auth_oauth2", _, Param], V}
          <- Params0].
 
+-spec translate_opaque_token_signing_key([{list(), binary()}]) -> 
+    [{binary(), binary()}].
+translate_opaque_token_signing_key(Conf) ->
+    Params0 = cuttlefish_variable:filter_by_prefix("auth_oauth2.opaque_token_signing_key",
+        Conf),
+    extract_opaque_token_signing_key_properties(Params0). 
+
 validator_file_exists(Attr, Filename) ->
     case file:read_file(Filename) of
         {ok, _} ->
@@ -246,6 +256,22 @@ extract_oauth_providers_properties(Settings) ->
         } || {[?AUTH_OAUTH2, ?OAUTH_PROVIDERS, Name, Key], V} <- Settings ],
     maps:groups_from_list(KeyFun, ValueFun, OAuthProviders).
 
+extract_opaque_token_signing_key_properties(Settings) ->
+    MapValueFun = fun(K, V) -> 
+        case {K, V} of 
+            {"type", A} when is_atom(A) -> A;
+            {"type", _} -> list_to_atom(V);
+            {"id", L} when is_list(L) -> list_to_binary(L);
+            {"id", B} when is_binary(B) -> B;
+            {"key", L} when is_list(L) -> list_to_binary(L);
+            {"key", B} when is_binary(B) -> B
+        end end,
+
+    Translation = [{
+        list_to_atom(Key),
+        MapValueFun(Key, V)
+    } || {[?AUTH_OAUTH2, ?OPAQUE_TOKEN_SIGNING_KEY, Key], V} <- Settings ],
+    Translation.
 
 extract_resource_server_properties(Settings) ->
     KeyFun = fun extract_key_as_binary/1,
@@ -255,6 +281,7 @@ extract_resource_server_properties(Settings) ->
         || {[?AUTH_OAUTH2, ?RESOURCE_SERVERS, Name, Key], V} <- Settings ],
     maps:groups_from_list(KeyFun, ValueFun, ResourceServers).
 
+
 mapOauthProviderProperty({Key, Value}) ->
     {Key, case Key of
         issuer -> validator_https_uri(Key, Value);

deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl

@@ -146,7 +146,10 @@ get_jwk(KeyId, InternalOAuthProvider, AllowUpdateJwks) ->
                 pem_file -> uaa_jwt_jwk:from_pem_file(Value);
                 map      -> uaa_jwt_jwk:make_jwk(Value);
                 _        -> {error, unknown_signing_key_type}
-            end
+            end;
+        SK -> 
+            rabbit_log:debug("Opaque token Signing key ~p found", [KeyId]),
+            {ok, SK#signing_key.key}
     end.
 
 verify_signing_key(Type, Value) ->

deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_schema_SUITE.erl

@@ -41,7 +41,8 @@ all() ->
         test_without_oauth_providers_with_endpoint_params,
         test_scope_aliases_configured_as_list_of_properties,
         test_scope_aliases_configured_as_map,
-        test_scope_aliases_configured_as_list_of_missing_properties
+        test_scope_aliases_configured_as_list_of_missing_properties,
+        test_opaque_token_signing_key
     ].
 
 
@@ -326,6 +327,21 @@ test_scope_aliases_configured_as_map(_) ->
         <<"developer">> := [<<"rabbitmq.tag:management">>, <<"rabbitmq.read:*/*">>]
     } = rabbit_oauth2_schema:translate_scope_aliases(CuttlefishConf).
 
+test_opaque_token_signing_key(_) ->
+    CuttlefishConf = [
+        {["auth_oauth2","opaque_token_signing_key","id"],
+            "key-id"},
+        {["auth_oauth2","opaque_token_signing_key","type"],
+            "hs256"},
+        {["auth_oauth2","opaque_token_signing_key","key"],
+            "signing-key"}
+    ],
+    [
+        {id, <<"key-id">>},
+        {type, hs256},
+        {key, <<"signing-key">>}
+    ] = rabbit_oauth2_schema:translate_opaque_token_signing_key(CuttlefishConf).
+
 
 cert_filename(Conf) ->
     string:concat(?config(data_dir, Conf), "certs/cert.pem").

deps/rabbitmq_management/priv/www/js/main.js

@@ -1389,7 +1389,8 @@ function sync_req(type, params0, path_template, options) {
     var req = xmlHttpRequest();
     req.open(type, 'api' + path, false);
     req.setRequestHeader('content-type', 'application/json');
-    req.setRequestHeader('authorization', authorization_header());
+    let authorization = authorization_header()
+    req.setRequestHeader('authorization', authorization);
 
     if (options != undefined || options != null) {
         if (options.headers != undefined || options.headers != null) {

deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

@@ -298,9 +298,9 @@ export function oauth_completeLogin() {
     });
 }
 function introspect_token() {
-  let json = sync_post({}, '/auth/introspect')
-  console.log("token : " + JSON.stringify(json))
-  return JSON.parse(json.responseText)
+  let jwt = JSON.parse(sync_post({}, '/auth/introspect').responseText)
+  console.log("jwt token : " + jwt)
+  return jwt.token
 }
 
 function is_jwt_token(token) {

deps/rabbitmq_management/src/rabbit_mgmt_wm_oauth_introspect.erl

@@ -51,7 +51,7 @@ do_it(ReqData, Context) ->
                 {ok, JwtPayload} -> 
                     case oauth2_client:sign_token(JwtPayload) of 
                         {ok, JWT} ->
-                            rabbit_mgmt_util:reply(JWT, ReqData, Context);
+                            rabbit_mgmt_util:reply([{token, JWT}], ReqData, Context);
                         {error, Reason} ->
                             rabbit_mgmt_util:not_authorised(Reason, ReqData, Context)
                     end