Add token helper functions

Such as those to decode and extract
the expiration time

Author: MarcialRosales

deps/oauth2_client/BUILD.bazel

@@ -70,6 +70,7 @@ rabbitmq_app(
     deps = [
         "//deps/rabbit:erlang_app",
         "//deps/rabbit_common:erlang_app",
+        "@jose//:erlang_app",
     ],
 )
 
@@ -94,7 +95,9 @@ dialyze(
 
 eunit(
     name = "eunit",
-    compiled_suites = [":test_oauth_http_mock_beam"],
+    compiled_suites = [
+        ":test_oauth_http_mock_beam",
+        ":test_oauth2_client_test_util_beam"],
     target = ":test_erlang_app",
 )
 
@@ -128,6 +131,9 @@ rabbitmq_integration_suite(
 rabbitmq_suite(
     name = "unit_SUITE",
     size = "small",
+    additional_beam = [
+        "test/oauth2_client_test_util.beam",
+    ],
 )
 
 assert_suites()

deps/oauth2_client/app.bzl

@@ -8,11 +8,15 @@ def all_beam_files(name = "all_beam_files"):
     )
     erlang_bytecode(
         name = "other_beam",
-        srcs = ["src/oauth2_client.erl"],
+        srcs = ["src/oauth2_client.erl",
+                "src/jwt_helper.erl"],
         hdrs = [":public_and_private_hdrs"],
         app_name = "oauth2_client",
         dest = "ebin",
         erlc_opts = "//:erlc_opts",
+        deps = [
+            "@jose//:erlang_app"
+        ],
     )
 
 def all_test_beam_files(name = "all_test_beam_files"):
@@ -24,11 +28,15 @@ def all_test_beam_files(name = "all_test_beam_files"):
     erlang_bytecode(
         name = "test_other_beam",
         testonly = True,
-        srcs = ["src/oauth2_client.erl"],
+        srcs = ["src/oauth2_client.erl",
+                "src/jwt_helper.erl"],
         hdrs = [":public_and_private_hdrs"],
         app_name = "oauth2_client",
         dest = "test",
         erlc_opts = "//:test_erlc_opts",
+        deps = [
+            "@jose//:erlang_app"
+        ],
     )
 
 def all_srcs(name = "all_srcs"):
@@ -46,7 +54,8 @@ def all_srcs(name = "all_srcs"):
 
     filegroup(
         name = "srcs",
-        srcs = ["src/oauth2_client.erl"],
+        srcs = ["src/oauth2_client.erl",
+                "src/jwt_helper.erl"],
     )
     filegroup(
         name = "private_hdrs",
@@ -90,3 +99,11 @@ def test_suite_beam_files(name = "test_suite_beam_files"):
         app_name = "oauth2_client",
         erlc_opts = "//:test_erlc_opts",
     )
+    erlang_bytecode(
+        name = "test_oauth2_client_test_util_beam",
+        testonly = True,
+        srcs = ["test/oauth2_client_test_util.erl"],
+        outs = ["test/oauth2_client_test_util.beam"],
+        app_name = "oauth2_client",
+        erlc_opts = "//:test_erlc_opts",
+    )

deps/oauth2_client/src/jwt_helper.erl

@@ -0,0 +1,22 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+-module(jwt_helper).
+
+-export([decode/1, get_expiration/1]).
+
+-include_lib("jose/include/jose_jwt.hrl").
+
+decode(Token) ->
+    try
+        #jose_jwt{fields = Fields} = jose_jwt:peek_payload(Token),
+        Fields
+    catch Type:Err:Stacktrace ->
+        {error, {invalid_token, Type, Err, Stacktrace}}
+    end.
+
+get_expiration(#{<<"exp">> := Exp}) when is_integer(Exp) -> {ok, Exp};
+get_expiration(#{}) -> {error, missing_exp_field}.

deps/oauth2_client/test/oauth2_client_test_util.erl

@@ -0,0 +1,149 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+-module(oauth2_client_test_util).
+
+-compile(export_all).
+
+-define(DEFAULT_EXPIRATION_IN_SECONDS, 2).
+
+%%
+%% API
+%%
+
+sign_token_hs(Token, #{<<"kid">> := TokenKey} = Jwk) ->
+    sign_token_hs(Token, Jwk, TokenKey).
+
+sign_token_hs(Token, Jwk, TokenKey) ->
+    Jws = #{
+      <<"alg">> => <<"HS256">>,
+      <<"kid">> => TokenKey
+    },
+    sign_token(Token, Jwk, Jws).
+
+sign_token_rsa(Token, Jwk, TokenKey) ->
+    Jws = #{
+      <<"alg">> => <<"RS256">>,
+      <<"kid">> => TokenKey
+    },
+    sign_token(Token, Jwk, Jws).
+
+sign_token_no_kid(Token, Jwk) ->
+    Signed = jose_jwt:sign(Jwk, Token),
+    jose_jws:compact(Signed).
+
+sign_token(Token, Jwk, Jws) ->
+    Signed = jose_jwt:sign(Jwk, Jws, Token),
+    jose_jws:compact(Signed).
+
+fixture_jwk() ->
+  fixture_jwk(<<"token-key">>).
+
+fixture_jwk(TokenKey) ->
+    fixture_jwk(TokenKey, <<"dG9rZW5rZXk">>).
+
+fixture_jwk(TokenKey, K) ->
+    #{<<"alg">> => <<"HS256">>,
+      <<"k">> => K,
+      <<"kid">> => TokenKey,
+      <<"kty">> => <<"oct">>,
+      <<"use">> => <<"sig">>,
+      <<"value">> => TokenKey}.
+
+full_permission_scopes() ->
+    [<<"rabbitmq.configure:*/*">>,
+     <<"rabbitmq.write:*/*">>,
+     <<"rabbitmq.read:*/*">>].
+
+expirable_token() ->
+    expirable_token(?DEFAULT_EXPIRATION_IN_SECONDS).
+
+expirable_token(Seconds) ->
+    TokenPayload = fixture_token(),
+    %% expiration is a timestamp with precision in seconds
+    TokenPayload#{<<"exp">> := os:system_time(seconds) + Seconds}.
+
+expired_token() ->
+    expired_token_with_scopes(full_permission_scopes()).
+
+expired_token_with_scopes(Scopes) ->
+    token_with_scopes_and_expiration(Scopes, seconds_in_the_past(10)).
+
+fixture_token_with_scopes(Scopes) ->
+    token_with_scopes_and_expiration(Scopes, default_expiration_moment()).
+
+token_with_scopes_and_expiration(Scopes, Expiration) ->
+    %% expiration is a timestamp with precision in seconds
+    #{<<"exp">> => Expiration,
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>],
+      <<"scope">> => Scopes}.
+
+token_without_scopes() ->
+    %% expiration is a timestamp with precision in seconds
+    #{
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>]
+      }.
+
+fixture_token() ->
+    fixture_token([]).
+
+token_with_sub(TokenFixture, Sub) ->
+    maps:put(<<"sub">>, Sub, TokenFixture).
+token_with_scopes(TokenFixture, Scopes) ->
+    maps:put(<<"scope">>, Scopes, TokenFixture).
+
+fixture_token(ExtraScopes) ->
+    Scopes = [<<"rabbitmq.configure:vhost/foo">>,
+              <<"rabbitmq.write:vhost/foo">>,
+              <<"rabbitmq.read:vhost/foo">>,
+              <<"rabbitmq.read:vhost/bar">>,
+              <<"rabbitmq.read:vhost/bar/%23%2Ffoo">>] ++ ExtraScopes,
+    fixture_token_with_scopes(Scopes).
+
+fixture_token_with_full_permissions() ->
+    fixture_token_with_scopes(full_permission_scopes()).
+
+plain_token_without_scopes_and_aud() ->
+  %% expiration is a timestamp with precision in seconds
+  #{<<"exp">> => default_expiration_moment(),
+    <<"iss">> => <<"unit_test">>,
+    <<"foo">> => <<"bar">>}.
+
+token_with_scope_alias_in_scope_field(Value) ->
+    %% expiration is a timestamp with precision in seconds
+    #{<<"exp">> => default_expiration_moment(),
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>],
+      <<"scope">> => Value}.
+
+token_with_scope_alias_in_claim_field(Claims, Scopes) ->
+    %% expiration is a timestamp with precision in seconds
+    #{<<"exp">> => default_expiration_moment(),
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>],
+      <<"scope">>  => Scopes,
+      <<"claims">> => Claims}.
+
+seconds_in_the_future() ->
+    seconds_in_the_future(30).
+
+seconds_in_the_future(N) ->
+    os:system_time(seconds) + N.
+
+seconds_in_the_past() ->
+    seconds_in_the_past(10).
+
+seconds_in_the_past(N) ->
+    os:system_time(seconds) - N.
+
+default_expiration_moment() ->
+    seconds_in_the_future(30).