Test invalid token parameter config

MarcialRosales · MarcialRosales · commit e093f06164aa · 2024-09-19T09:50:04.000+02:00
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/oauth2_schema.erl b/deps/rabbitmq_auth_backend_oauth2/src/oauth2_schema.erl
@@ -72,7 +72,7 @@ translate_list_of_signing_keys(ListOfKidPath) ->
 translate_endpoint_params(Variable, Conf) ->
     Params0 = cuttlefish_variable:filter_by_prefix("auth_oauth2." ++ Variable, Conf),
     Params = [{list_to_binary(Param), list_to_binary(V)} ||
-        {["auth_oauth2", Name, Param], V} <- Params0],
+        {["auth_oauth2", _, Param], V} <- Params0],
     maps:from_list(Params).
 
 validator_file_exists(Attr, Filename) ->
@@ -104,9 +104,10 @@ extract_oauth_providers_properties(Settings) ->
     ValueFun = fun extract_value/1,
 
     OAuthProviders = [{Name, mapOauthProviderProperty({list_to_atom(Key), list_to_binary(V)})}
-        || {["auth_oauth2","oauth_providers", Name, Key], V} <- Settings ],
+        || {["auth_oauth2", "oauth_providers", Name, Key], V} <- Settings],
     maps:groups_from_list(KeyFun, ValueFun, OAuthProviders).
 
+
 extract_resource_server_properties(Settings) ->
     KeyFun = fun extract_key_as_binary/1,
     ValueFun = fun extract_value/1,
@@ -122,6 +123,15 @@ mapOauthProviderProperty({Key, Value}) ->
         jwks_uri -> validator_https_uri(Key, Value);
         end_session_endpoint -> validator_https_uri(Key, Value);
         authorization_endpoint -> validator_https_uri(Key, Value);
+        token_endpoint_params ->
+            cuttlefish:invalid(io_lib:format(
+                "Invalid attribute (~p) value: should be a map of Key,Value pairs", [Key]));
+        authorization_endpoint_params ->
+            cuttlefish:invalid(io_lib:format(
+                "Invalid attribute (~p) value: should be a map of Key,Value pairs", [Key]));
+        discovery_endpoint_params ->
+            cuttlefish:invalid(io_lib:format(
+                "Invalid attribute (~p) value: should be a map of Key,Value pairs", [Key]));
         _ -> Value
     end}.
 
@@ -163,9 +173,10 @@ extract_resource_server_preferred_username_claims(Settings) ->
 extract_oauth_providers_endpoint_params(Variable, Settings) ->
     KeyFun = fun extract_key_as_binary/1,
 
-    IndexedParams = [{Name, {ParamName, list_to_binary(V)}} ||
-        {["auth_oauth2","oauth_providers", Name, EndpointVar, ParamName], V} <- Settings, EndpointVar == Variable ],
-    maps:map(fun(_K,V)-> [{Variable, V}] end,
+    IndexedParams = [{Name, {list_to_binary(ParamName), list_to_binary(V)}} ||
+        {["auth_oauth2","oauth_providers", Name, EndpointVar, ParamName], V}
+            <- Settings, EndpointVar == atom_to_list(Variable) ],
+    maps:map(fun(_K,V)-> [{Variable, maps:from_list(V)}] end,
         maps:groups_from_list(KeyFun, fun({_, V}) -> V end, IndexedParams)).
 
 extract_oauth_providers_signing_keys(Settings) ->
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/oauth2_schema_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/oauth2_schema_SUITE.erl
@@ -27,10 +27,13 @@ all() ->
         test_oauth_providers_signing_keys,
         test_without_endpoint_params,
         test_with_endpoint_params,
+        test_with_invalid_endpoint_params,
         test_without_resource_servers,
         test_with_one_resource_server,
         test_with_many_resource_servers,
-        test_resource_servers_attributes
+        test_resource_servers_attributes,
+        test_invalid_oauth_providers_endpoint_params,
+        test_without_oauth_providers_with_endpoint_params
 
     ].
 
@@ -46,6 +49,14 @@ test_without_endpoint_params(_) ->
     #{} = translate_endpoint_params("token_endpoint_params", []),
     #{} = translate_endpoint_params("authorization_endpoint_params", []).
 
+test_with_invalid_endpoint_params(_) ->
+    try translate_endpoint_params("discovery_endpoint_params", [
+            {["auth_oauth2","discovery_endpoint_params"], "some-value1"}]) of
+        _ -> {throw, should_have_failed}
+    catch
+        _ -> ok
+    end.
+
 test_with_endpoint_params(_) ->
     Conf = [
         {["auth_oauth2","discovery_endpoint_params","param1"], "some-value1"},
@@ -60,6 +71,30 @@ test_with_endpoint_params(_) ->
     #{ <<"resource">> := <<"some-resource">>} =
         translate_endpoint_params("authorization_endpoint_params", Conf).
 
+test_invalid_oauth_providers_endpoint_params() ->
+    try oauth2_schema:translate_oauth_providers([
+            {["auth_oauth2","oauth_providers", "X", "discovery_endpoint_params"], ""}]) of
+        _ -> {throw, should_have_failed}
+    catch
+        _ -> ok
+    end.
+test_without_oauth_providers_with_endpoint_params(_) ->
+    Conf = [
+        {["auth_oauth2","oauth_providers", "A", "discovery_endpoint_params","param1"], "some-value1"},
+        {["auth_oauth2","oauth_providers", "A", "discovery_endpoint_params","param2"], "some-value2"},
+        {["auth_oauth2","oauth_providers", "B", "token_endpoint_params","audience"], "some-audience"},
+        {["auth_oauth2","oauth_providers", "C", "authorization_endpoint_params","resource"], "some-resource"}
+    ],
+
+    #{
+        <<"A">> := [{discovery_endpoint_params,
+                    #{ <<"param1">> := <<"some-value1">>, <<"param2">> := <<"some-value2">> }}],
+        <<"B">> := [{token_endpoint_params,
+                    #{ <<"audience">> := <<"some-audience">>}}],
+        <<"C">> := [{authorization_endpoint_params,
+                    #{ <<"resource">> := <<"some-resource">>}}]
+    } = translate_oauth_providers(Conf).
+
 test_with_one_oauth_provider(_) ->
     Conf = [{["auth_oauth2","oauth_providers","keycloak","issuer"],"https://rabbit"}
             ],
