Extract scopes using path expression

MarcialRosales · MarcialRosales · commit eebe67c08e24 · 2025-02-07T12:17:05.000+01:00
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
@@ -296,6 +296,85 @@ has_additional_scopes_key(ResourceServer, Payload) when is_map(Payload) ->
         ScopeKey -> maps:is_key(ScopeKey, Payload)
     end.
 
+%% Path is a binary expression which is a plain word like <<"roles">>
+%% or +1 word separated by . like <<"authorization.permissions.scopes">>
+%% The Payload is a map.
+%% Using the path <<"authorization.permissions.scopes">> as an example
+%% 1. lookup the key <<"authorization">> in the Payload
+%% 2. if it is found, the next map to use as payload is the value found from the key <<"authorization">>
+%% 3. lookup the key <<"permissions">> in the previous map 
+%% 4. if it is found, it may be a map or a list of maps. 
+%% 5. if it is a list of maps, iterate each element in the list 
+%% 6. for each element in the list, which should be a map, find the key <<"scopes">>
+%% 7. because there are no more words/keys, return a list of all the values found
+%%    associated to the word <<"scopes">>
+extract_token_value(R, Payload, Path, ValueMapperFun) 
+        when is_map(Payload), is_binary(Path), is_function(ValueMapperFun) ->
+    extract_token_value_from_map(R, Payload, [], split_path(Path), ValueMapperFun);
+extract_token_value(_, _, _, _) ->
+    [].
+
+extract_scope_list_from_token_value(_R, List) when is_list(List) -> List;
+extract_scope_list_from_token_value(_R, Binary) when is_binary(Binary) -> 
+    binary:split(Binary, <<" ">>, [global, trim_all]);
+extract_scope_list_from_token_value(#resource_server{id = ResourceServerId}, Map) when is_map(Map) -> 
+    case maps:get(ResourceServerId, Map, undefined) of
+        undefined           -> [];
+        Ks when is_list(Ks) ->
+            [erlang:iolist_to_binary([ResourceServerId, <<".">>, K]) || K <- Ks];
+        ClaimBin when is_binary(ClaimBin) ->
+            UnprefixedClaims = binary:split(ClaimBin, <<" ">>, [global, trim_all]),
+            [erlang:iolist_to_binary([ResourceServerId, <<".">>, K]) || K <- UnprefixedClaims];
+        _ -> []
+    end;
+extract_scope_list_from_token_value(_, _) -> [].
+
+extract_token_value_from_map(_, _Map, Acc, [], _Mapper) ->
+    Acc;
+extract_token_value_from_map(R, Map, Acc, [KeyStr], Mapper) when is_map(Map) ->
+    case maps:find(KeyStr, Map) of
+        {ok, Value} -> Acc ++ Mapper(R, Value);
+        error -> Acc
+    end;
+extract_token_value_from_map(R, Map, Acc, [KeyStr | Rest], Mapper) when is_map(Map) ->
+    case maps:find(KeyStr, Map) of
+        {ok, M} when is_map(M) -> extract_token_value_from_map(R, M, Acc, Rest, Mapper);
+        {ok, L} when is_list(L) -> extract_token_value_from_list(R, L, Acc, Rest, Mapper); 
+        {ok, Value} when Rest =:= [] -> Acc ++ Mapper(R, Value);
+        _ -> Acc
+    end;
+extract_token_value_from_map(_, _, Acc, _, _Mapper) ->
+    Acc.
+
+extract_token_value_from_list(_, [], Acc, [], _Mapper) -> 
+    Acc;
+extract_token_value_from_list(_, [], Acc, [_KeyStr | _Rest], _Mapper) -> 
+    Acc;
+extract_token_value_from_list(R, [H | T], Acc, [KeyStr | Rest] = KeyList, Mapper) when is_map(H) ->
+    NewAcc = case maps:find(KeyStr, H) of
+        {ok, Map} when is_map(Map) -> extract_token_value_from_map(R, Map, Acc, Rest, Mapper);
+        {ok, List} when is_list(List) -> extract_token_value_from_list(R, List, Acc, Rest, Mapper);
+        {ok, Value} -> Acc++Mapper(R, Value);
+        _ -> Acc
+    end,
+    extract_token_value_from_list(R, T, NewAcc, KeyList, Mapper);
+
+extract_token_value_from_list(R, [E | T], Acc, [], Mapper) ->        
+    extract_token_value_from_list(R, T, Acc++Mapper(R, E), [], Mapper);
+extract_token_value_from_list(R, [E | _T] = L, Acc, KeyList, Mapper) when is_map(E) ->    
+    extract_token_value_from_list(R, L, Acc, KeyList, Mapper);
+extract_token_value_from_list(R, [_ | T], Acc, KeyList, Mapper) ->
+    extract_token_value_from_list(R, T, Acc, KeyList, Mapper).
+
+
+%split_path(Path) when is_list(Path) ->
+%    string:tokens(Path, ".");
+split_path(Path) when is_binary(Path) ->
+    binary:split(Path, <<".">>, [global, trim_all]).
+
+
+
+
 -spec extract_scopes_from_additional_scopes_key(
     ResourceServer :: resource_server(), Payload :: map()) -> map().
 extract_scopes_from_additional_scopes_key(ResourceServer, Payload) ->
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl
@@ -17,13 +17,16 @@
     user_login_authentication/2,
     user_login_authorization/2,
     normalize_token_scope/2,
-    check_vhost_access/3]).
+    check_vhost_access/3,
+    extract_token_value/4,
+    extract_scope_list_from_token_value/2]).
 -import(rabbit_oauth2_resource_server, [
     new_resource_server/1
 ]).
 
 all() ->
     [
+        test_extract_scope_from_path_expression,
         filter_matching_scope_prefix_and_drop_it,
         normalize_token_scopes_with_scope_prefix,
         normalize_token_scope_from_space_separated_list_in_scope_claim,
@@ -1286,6 +1289,76 @@ normalize_token_scope_without_scope_claim(_) ->
     Token0 = #{ },
     ?assertEqual([], uaa_jwt:get_scope(normalize_token_scope(ResourceServer, Token0))).
 
+
+test_extract_scope_from_path_expression(_) ->
+    M = fun rabbit_auth_backend_oauth2:extract_scope_list_from_token_value/2,
+    R = #resource_server{id = <<"rabbitmq">>},
+
+    [<<"role1">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ <<"permission">> => <<"role1">> }}, 
+        <<"auth.permission">>, M),
+    [<<"role1">>,<<"role2">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ <<"permission">> => [<<"role1">>,<<"role2">>] }}, 
+        <<"auth.permission">>, M),
+    [<<"role1">>,<<"role2">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ <<"permission">> => <<"role1 role2">> }}, 
+        <<"auth.permission">>, M),
+    [<<"rabbitmq.role1">>,<<"rabbitmq.role2">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ 
+            <<"rabbitmq">> => [<<"role1">>,<<"role2">>]            
+        }}, 
+        <<"auth">>, M),
+    [<<"rabbitmq.role1">>,<<"rabbitmq.role2">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ 
+            <<"rabbitmq">> => <<"role1 role2">>         
+        }}, 
+        <<"auth">>, M),
+    [<<"role1">>,<<"role2">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ 
+            <<"permission">> => [
+                #{ <<"scopes">> => <<"role1">>},
+                #{ <<"scopes">> => <<"role2">>}
+            ]
+        }}, 
+        <<"auth.permission.scopes">>, M),
+
+    [<<"role1">>,<<"role2">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ 
+            <<"permission">> => [
+                #{ <<"scopes">> => [<<"role1">>]},
+                #{ <<"scopes">> => [<<"role2">>]}
+            ]
+        }}, 
+        <<"auth.permission.scopes">>, M),
+
+    [<<"role1">>,<<"role2">>] = extract_token_value(R,
+        #{ <<"auth">> => [
+            #{ <<"permission">> => [
+                #{ <<"scopes">> => [<<"role1">>]}                
+            ]},
+            #{ <<"permission">> => [
+                #{ <<"scopes">> => [<<"role2">>]}                
+            ]}        
+        ]}, 
+        <<"auth.permission.scopes">>, M),
+
+    [<<"role1">>] = extract_token_value(R,
+        #{ <<"auth">> => #{ <<"permission">> => [<<"role1">>] }}, 
+        <<"auth.permission">>, M),
+
+    [] = extract_token_value(R,
+        #{ <<"auth">> => #{ <<"permission">> => [<<"role1">>] }}, 
+        <<"auth.permission2">>, M),
+
+    [] = extract_token_value(R,
+        #{ <<"auth">> => #{ <<"permission">> => [<<"role1">>] }}, 
+        <<"auth2.permission">>, M),
+
+    [] = extract_token_value(R,
+        #{ <<"auth">> => #{ <<"permission">> => [<<"role1">>] }}, 
+        <<"auth.permission2">>, M).
+
+
 %%
 %% Helpers
 %%
