Merge pull request #8548 from rabbitmq/fix-8547

Fixes #8547

deps/rabbit/src/rabbit_access_control.erl

@@ -53,16 +53,16 @@ check_user_login(Username, AuthProps) ->
                             rabbit_log:debug("User '~ts' authenticated successfully by backend ~ts", [Username2, Mod]),
                             user(ModNUser, {ok, [{Mod, Impl}], []});
                         Else ->
-                            rabbit_log:debug("User '~ts' failed authenticatation by backend ~ts", [Username, Mod]),
+                            rabbit_log:debug("User '~ts' failed authentication by backend ~ts", [Username, Mod]),
                             Else
                     end;
                 (_, {ok, User}) ->
                     %% We've successfully authenticated. Skip to the end...
                     {ok, User}
             end,
             {refused, Username, "No modules checked '~ts'", [Username]}, Modules)
-        catch 
-            Type:Error:Stacktrace -> 
+        catch
+            Type:Error:Stacktrace ->
                 rabbit_log:debug("User '~ts' authentication failed with ~ts:~tp:~n~tp", [Username, Type, Error, Stacktrace]),
                 {refused, Username, "User '~ts' authentication failed with internal error. "
                                     "Enable debug logs to see the real error.", [Username]}

deps/rabbitmq_auth_backend_oauth2/src/uaa_jwks.erl

@@ -1,5 +1,5 @@
 -module(uaa_jwks).
--export([get/1]).
+-export([get/1, ssl_options/0]).
 
 -spec get(string() | binary()) -> {ok, term()} | {error, term()}.
 get(JwksUrl) ->
@@ -9,19 +9,24 @@ get(JwksUrl) ->
 ssl_options() ->
     UaaEnv = application:get_env(rabbitmq_auth_backend_oauth2, key_config, []),
     PeerVerification = proplists:get_value(peer_verification, UaaEnv, verify_none),
-    CaCertFile = proplists:get_value(cacertfile, UaaEnv),
     Depth = proplists:get_value(depth, UaaEnv, 10),
     FailIfNoPeerCert = proplists:get_value(fail_if_no_peer_cert, UaaEnv, false),
     CrlCheck = proplists:get_value(crl_check, UaaEnv, false),
     SslOpts0 = [{verify, PeerVerification},
-                {cacertfile, CaCertFile},
                 {depth, Depth},
                 {fail_if_no_peer_cert, FailIfNoPeerCert},
                 {crl_check, CrlCheck},
-                {crl_cache, {ssl_crl_cache, {internal, [{http, 10000}]}}}],
+                {crl_cache, {ssl_crl_cache, {internal, [{http, 10000}]}}} | cacertfile(UaaEnv)],
+
     case proplists:get_value(hostname_verification, UaaEnv, none) of
         wildcard ->
             [{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]} | SslOpts0];
         none ->
             SslOpts0
-    end.
+    end.
+
+cacertfile(UaaEnv) ->
+  case proplists:get_value(cacertfile, UaaEnv) of
+    undefined -> [];
+    CaCertFile -> [{cacertfile, CaCertFile}]
+  end.

deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl

@@ -58,6 +58,7 @@ update_jwks_signing_keys() ->
         undefined ->
             {error, no_jwks_url};
         JwksUrl ->
+            rabbit_log:debug("Retrieving signing keys from ~ts", [JwksUrl]),
             case uaa_jwks:get(JwksUrl) of
                 {ok, {_, _, JwksBody}} ->
                     KeyList = maps:get(<<"keys">>, jose:decode(erlang:iolist_to_binary(JwksBody)), []),

deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl

@@ -48,7 +48,9 @@ all() ->
         test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_scope_field,
         test_successful_access_with_a_token_that_uses_single_scope_alias_in_extra_scope_source_field,
         test_successful_access_with_a_token_that_uses_multiple_scope_aliases_in_extra_scope_source_field,
-        test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_extra_scope_source_field
+        test_unsuccessful_access_with_a_token_that_uses_missing_scope_alias_in_extra_scope_source_field,
+        test_default_ssl_options,
+        test_default_ssl_options_with_cacertfile
     ].
 
 init_per_suite(Config) ->
@@ -88,6 +90,10 @@ init_per_testcase(test_post_process_payload_rich_auth_request_using_regular_expr
   application:set_env(rabbitmq_auth_backend_oauth2, resource_server_id, <<"rabbitmq-test">>),
   Config;
 
+init_per_testcase(test_default_ssl_options_with_cacertfile, Config) ->
+  application:set_env(rabbitmq_auth_backend_oauth2, key_config, [{ cacertfile, filename:join(["testca", "cacert.pem"]) }] ),
+  Config;
+
 init_per_testcase(_, Config) ->
   Config.
 
@@ -96,6 +102,10 @@ end_per_testcase(test_post_process_token_payload_complex_claims, Config) ->
   application:set_env(rabbitmq_auth_backend_oauth2, resource_server_id, undefined),
   Config;
 
+end_per_testcase(test_default_ssl_options_with_cacertfile, Config) ->
+  application:set_env(rabbitmq_auth_backend_oauth2, key_config, undefined),
+  Config;
+
 end_per_testcase(_, Config) ->
   Config.
 
@@ -1344,7 +1354,24 @@ test_validate_payload_when_verify_aud_false(_) ->
                         <<"scope">> => [<<"bar">>, <<"other.third">>]}},
                  rabbit_auth_backend_oauth2:validate_payload(WithAudWithUnknownResourceId, ?RESOURCE_SERVER_ID, ?DEFAULT_SCOPE_PREFIX)).
 
-
+test_default_ssl_options(_) ->
+  ?assertEqual([
+              {verify, verify_none},
+              {depth, 10},
+              {fail_if_no_peer_cert, false},
+              {crl_check, false},
+              {crl_cache, {ssl_crl_cache, {internal, [{http, 10000}]}}}
+              ], uaa_jwks:ssl_options()).
+
+test_default_ssl_options_with_cacertfile(_) ->
+  ?assertEqual([
+              {verify, verify_none},
+              {depth, 10},
+              {fail_if_no_peer_cert, false},
+              {crl_check, false},
+              {crl_cache, {ssl_crl_cache, {internal, [{http, 10000}]}}},
+              {cacertfile, filename:join(["testca", "cacert.pem"])}
+              ], uaa_jwks:ssl_options()).
 
 %%
 %% Helpers

deps/rabbitmq_management/selenium/bin/suite_template

@@ -242,16 +242,20 @@ start_keycloak() {
   mkdir -p $MOUNT_KEYCLOAK_CONF_DIR
   ${BIN_DIR}/gen-keycloak-json ${KEYCLOAK_CONFIG_DIR} $ENV_FILE $MOUNT_KEYCLOAK_CONF_DIR/test-realm.json
   print "> EFFECTIVE KEYCLOAK_CONFIG_FILE: $MOUNT_KEYCLOAK_CONF_DIR/test-realm.json"
+  cp ${KEYCLOAK_CONFIG_DIR}/*.pem $MOUNT_KEYCLOAK_CONF_DIR
 
   docker run \
 		--detach \
 		--name keycloak \
     --net ${DOCKER_NETWORK} \
 		--publish 8080:8080 \
+    --publish 8443:8443 \
 		--env KEYCLOAK_ADMIN=admin \
 		--env KEYCLOAK_ADMIN_PASSWORD=admin \
 		--mount type=bind,source=${MOUNT_KEYCLOAK_CONF_DIR},target=/opt/keycloak/data/import/ \
-		${KEYCLOAK_DOCKER_IMAGE} start-dev --import-realm
+		${KEYCLOAK_DOCKER_IMAGE} start-dev --import-realm \
+    --https-certificate-file=/opt/keycloak/data/import/server_localhost_certificate.pem \
+    --https-certificate-key-file=/opt/keycloak/data/import/server_localhost_key.pem
 
   wait_for_oidc_endpoint keycloak $KEYCLOAK_URL
   end "Keycloak is ready"

deps/rabbitmq_management/selenium/package.json

@@ -4,7 +4,7 @@
   "description": "",
   "main": "index.js",
   "scripts": {
-    "test": "mocha --recursive --trace-warnings --timeout 35000",
+    "test": "mocha --recursive --trace-warnings --timeout 40000",
     "fakeportal": "node fakeportal/app.js",
     "fakeproxy": "node fakeportal/proxy.js"
   },

deps/rabbitmq_management/selenium/suites/oauth-with-keycloak.sh

@@ -4,7 +4,7 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/oauth/with-sp-initiated
 TEST_CONFIG_PATH=/oauth
-PROFILES="keycloak keycloak-oauth-provider"
+PROFILES="keycloak jwks keycloak-oauth-provider"
 
 source $SCRIPT/../bin/suite_template $@
 runWith keycloak

deps/rabbitmq_management/selenium/test/oauth/.env.docker.keycloak

@@ -1 +1,2 @@
 export KEYCLOAK_URL=http://keycloak:8080/realms/test
+export OAUTH_JKWS_URL="https://keycloak:8443/realms/test/protocol/openid-connect/certs"

deps/rabbitmq_management/selenium/test/oauth/.env.local.keycloak

@@ -1 +1,2 @@
 export OAUTH_PROVIDER_URL=http://localhost:8080/realms/test
+export OAUTH_JKWS_URL="https://localhost:8443/realms/test/protocol/openid-connect/certs"

deps/rabbitmq_management/selenium/test/oauth/enabled_plugins

@@ -1 +1,16 @@
-[rabbitmq_auth_backend_oauth2,rabbitmq_management].
+[accept,amqp10_client,amqp_client,base64url,cowboy,cowlib,eetcd,gun,jose,
+ prometheus,rabbitmq_amqp1_0,rabbitmq_auth_backend_cache,
+ rabbitmq_auth_backend_http,rabbitmq_auth_backend_ldap,
+ rabbitmq_auth_backend_oauth2,rabbitmq_auth_mechanism_ssl,rabbitmq_aws,
+ rabbitmq_consistent_hash_exchange,rabbitmq_event_exchange,
+ rabbitmq_federation,rabbitmq_federation_management,
+ rabbitmq_jms_topic_exchange,rabbitmq_management,rabbitmq_management_agent,
+ rabbitmq_mqtt,rabbitmq_peer_discovery_aws,rabbitmq_peer_discovery_common,
+ rabbitmq_peer_discovery_consul,rabbitmq_peer_discovery_etcd,
+ rabbitmq_peer_discovery_k8s,rabbitmq_prometheus,rabbitmq_random_exchange,
+ rabbitmq_recent_history_exchange,rabbitmq_sharding,rabbitmq_shovel,
+ rabbitmq_shovel_management,rabbitmq_stomp,rabbitmq_stream,
+ rabbitmq_stream_common,rabbitmq_stream_management,rabbitmq_top,
+ rabbitmq_tracing,rabbitmq_trust_store,rabbitmq_web_dispatch,
+ rabbitmq_web_mqtt,rabbitmq_web_mqtt_examples,rabbitmq_web_stomp,
+ rabbitmq_web_stomp_examples].

deps/rabbitmq_management/selenium/test/oauth/keycloak/ca_certificate.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDezCCAmOgAwIBAgIJAIafyIrD8MVnMA0GCSqGSIb3DQEBCwUAMEwxOzA5BgNV
+BAMMMlRMU0dlblNlbGZTaWduZWR0Um9vdENBIDIwMjMtMDYtMTNUMTI6MzY6NDQu
+ODUwMzcxMQ0wCwYDVQQHDAQkJCQkMB4XDTIzMDYxMzEwMzY0NFoXDTMzMDYxMDEw
+MzY0NFowTDE7MDkGA1UEAwwyVExTR2VuU2VsZlNpZ25lZHRSb290Q0EgMjAyMy0w
+Ni0xM1QxMjozNjo0NC44NTAzNzExDTALBgNVBAcMBCQkJCQwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC9iC76OIDMAGmKdz5cRPJoEW7p0je0t0MtcerY
+qx4/E+Ft9ZCGaKLDCfUIit2Zv4JaGoPEI3zCcA41M0EuC3cI99s5tvOnRMM8DFTk
+ARWP848shQpbCFXozD99Q9A3lriie8s3an/MZS/B401ujo9KNdg9P9rxjasIN3Oo
+y0GOi306xQ1kxuXKvutuPjYZE0DWXY0GGNQk9jTVJ53qNSLJWLfsjDvOt9VnlbXM
+GIX2RIQhE5/abpo6DPehXfmpfwm9pU0yNQVBBzFgXEmeqe08VfjgJ/SoWiic1AfW
+auOA50ZB1MdcelVnDgbc0JFRBDwdxhfB4u4TOrTuGtC9WhNNAgMBAAGjYDBeMA8G
+A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBScoS8TfTiIl4Nv
+qxxf1Q7/aNCykjAfBgNVHSMEGDAWgBScoS8TfTiIl4Nvqxxf1Q7/aNCykjANBgkq
+hkiG9w0BAQsFAAOCAQEAMsWWqR5S+JIAQO1a9b1gPp3eGFM8XomLLTgUiMQEuOcH
+rF5iCrQsAUXcOo4OrMnEA9sK9z0gcncRenBNzc/M79eOspKnZ3RtXouPcv+0x8Zj
+TqaGoknipDfXgNcQzKjrSUIrKAr/vhRKio13GgVMsgWj8VEYlynANKtfGQiMVgvH
+15UHIDP6uKjgF0HsBh/rSO9gKFTMtaurtbJ3iV20Voxq8gXyazWkwx++JrxsqDyB
+rRVFddWmbPt719zikGkGZZFSZ9k6tRMyG4oiZsea8Yy2s95Jw0kLggnyJvW3mzBa
+0nckXeslmE7uGuV1KeOHcofdXAfaokfFMsZZqDZgLg==
+-----END CERTIFICATE-----

deps/rabbitmq_management/selenium/test/oauth/keycloak/server_localhost_certificate.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyzCCArOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMTswOQYDVQQDDDJUTFNH
+ZW5TZWxmU2lnbmVkdFJvb3RDQSAyMDIzLTA2LTEzVDEyOjUzOjI3LjM4OTIzMjEN
+MAsGA1UEBwwEJCQkJDAeFw0yMzA2MTMxMDUzMjdaFw0zMzA2MTAxMDUzMjdaMCUx
+EjAQBgNVBAMMCWxvY2FsaG9zdDEPMA0GA1UECgwGc2VydmVyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyF6LEFxMDMIkH4/dHwAkXQj0MQE91aMqC2t+
+JoYUMQSMfQdzxhlwj3zaWWlKZouMYeIc/8ZQzqmEN8rgNhVFMox2tYyninCIaE4t
+bFRTY6QHhvszdEzkrCeQA3NuzcMjoBTsrxgjPCaH8dr/8z6P4fEk5YDo/t98DRVT
+P9M8HpFJ+ap8DRd7B4GGfVQmuoG6kb655KpjXqE+isCE9nQAUOkhhwofl2wyIxrN
+ucgqvQd0LuuQpWPkELzwInakIBAMIMgC597yYXcGPgJWs6CcLqii3CrXM0lGB+z3
+Buv1ffm9nB04N7VUq8+Cyi17PkKNihRSACcbMgckrxxd9A3KewIDAQABo4HeMIHb
+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMDkG
+A1UdEQQyMDCCCWxvY2FsaG9zdIIYbXJvc2FsZXMwTFZEUS52bXdhcmUuY29tggls
+b2NhbGhvc3QwHQYDVR0OBBYEFNH/UYDO1rKz607qp7mjjMBakYJnMB8GA1UdIwQY
+MBaAFKeWeZvOH7Z4DP459yUjLcXg/uW1MDEGA1UdHwQqMCgwJqAkoCKGIGh0dHA6
+Ly9jcmwtc2VydmVyOjgwMDAvYmFzaWMuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBn
+E++l6xLjW6xo6RVRLy9tsO/VGREhbb9Q7vyiNzpmRS7VVaUl06lq/MlfrxZmUFog
+EDg9Ojw4YV2PJ+kAG/zp/fJBwDT2NKKJBRv+lr4puGb07yMWUuoiIw/u4aN7zrmk
+TOdmqa6gDbfBlACsYIt9iu5Y2VaHnFiraTKizNO1J+NUb+UyKw7pgnJupBh3mcaw
+9xJzVDzALtvOApZ8QeJF3Ev3NGnA9IHASj/rrcnxMxM7OoQtJVg7PUMDTRxjGLEV
+FainQ01Hm1SjBS0Ttvj+MRibCIafGNIsTz5vECZ8VJNQUhDGXgSdRvSJ/ERuGIf0
+gssLuKG2XzI2nYm6+0ng
+-----END CERTIFICATE-----

deps/rabbitmq_management/selenium/test/oauth/keycloak/server_localhost_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDIXosQXEwMwiQf
+j90fACRdCPQxAT3VoyoLa34mhhQxBIx9B3PGGXCPfNpZaUpmi4xh4hz/xlDOqYQ3
+yuA2FUUyjHa1jKeKcIhoTi1sVFNjpAeG+zN0TOSsJ5ADc27NwyOgFOyvGCM8Jofx
+2v/zPo/h8STlgOj+33wNFVM/0zwekUn5qnwNF3sHgYZ9VCa6gbqRvrnkqmNeoT6K
+wIT2dABQ6SGHCh+XbDIjGs25yCq9B3Qu65ClY+QQvPAidqQgEAwgyALn3vJhdwY+
+AlazoJwuqKLcKtczSUYH7PcG6/V9+b2cHTg3tVSrz4LKLXs+Qo2KFFIAJxsyBySv
+HF30Dcp7AgMBAAECggEBALVNvx2ltnbQ8OjSP24+rai1Ymg5TF9UjcXZlUN8jSax
+jAHSTXMSL+TWP6kp+dWCLhugA0d5hkMJ5oapf2nQo1WS/hNW238MRpHDM5zTTMVb
+digwgyWYMk6IWeqVd8yd502BwYzKFY/m+Znh5TmQAZeboRw+IhYF2PTpt/OHyt2I
+VFx5gztryMPvi/zd8sSpXjkvbjLUMf5U//k3BU4gVute6LtedSM/fUwaFpYWJ2KU
+aNhbt8BYrJXSDwnl6GIybjDU3HHRmuVu7e4Mt688InV+fS9aEIMDOkhkyenPDz+5
++JgMU/wJAeMTIrQ6V6kYJrWf92bLYnVi6x3jPfsrEikCgYEA95jECO1O2+aomZYC
+k2FeCyToI0eVkJxWeUdBJ+NS0Zkvt1eCyz1wYLIkiFmrtn6JKj2k7M66OHWctqCZ
+FkgEc/9j1o2cKdUjL4qiwTkFZP0cJBe/W0ugStp6LCza2cWTdQUaDnbBe2UsZCcd
+xFK/3oniIsElv3zm5a6ga9vs/q0CgYEAzytxnwCEECtJ6vanG+vUPry3Z8B7p21n
+Riz/X0NGHSc5M14iOnsyFZLB/4+RkADZGCAy6B2CyJD5UztzpjMjZFjtwx6UJXda
+JgQpl8RiSOzGitr9/lmjN3yxzA29rsu0O8buUhgZWboIokkOkRNbWSrp6yWpTvXl
+X6FbwTLXWscCgYEA5xscwAhhdziRXup6dP6JPXWxiFyk6lpDDOjJlGXHRATsWQHB
+/9rVLiyZlPu+H5V0io0HiFJd151QLdcxjW6jWXKkyftcLF/Ze+K3kAudUWo//iB8
+aMbqU3QiXWFw1Zxpyux8KcwHRRpmmQU576odlaa2ASKwDVCUZQbejk61o/ECgYAY
+0WCEJsCrWzQ4tKGiQ6cieOMTx8hIb1++1WcmV13P4kIE+FLrZJTEZtdcsStD8AYR
+0NGoYtinBE8J/IZHM7saq1iYVlJzBpBDG56L8te/WrYSLlfdH4ng/Mwj4MWHahnG
+S3eDWCW5TQL5xfy7vnDkBrMNG27j6as3wJHIXDnWQwKBgFL7+yd9jOejKgtsbXYX
+8Rub4I/KS+6dv1s9mlHsT6+SX+BozZC/xwmBQmVuPexnklgqO9c0A4c7pVNLE2u4
+9RBrDFle4A6e8NDB7oq8Vo8wnpyglbBUB/0aVNU25BWl1/BhxzoxTTeF+U0pmKia
+KmmMEdjVD5y0qh+ma+rHDBb1
+-----END PRIVATE KEY-----

deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf

@@ -9,5 +9,3 @@ management.cors.allow_origins.1 = *
 
 auth_oauth2.resource_server_id = rabbitmq
 auth_oauth2.preferred_username_claims.1 = user_name
-auth_oauth2.default_key = ${OAUTH_SIGNING_KEY_ID}
-auth_oauth2.signing_keys.${OAUTH_SIGNING_KEY_ID} = ${OAUTH_SIGNING_KEY_DIR}/signing-key.pem

deps/rabbitmq_management/selenium/test/oauth/rabbitmq.jwks.conf

@@ -0,0 +1 @@
+auth_oauth2.jwks_url = ${OAUTH_JKWS_URL}

deps/rabbitmq_management/selenium/test/oauth/rabbitmq.uaa.conf

@@ -1 +1,3 @@
 management.oauth_client_secret = ${OAUTH_CLIENT_SECRET}
+auth_oauth2.default_key = ${OAUTH_SIGNING_KEY_ID}
+auth_oauth2.signing_keys.${OAUTH_SIGNING_KEY_ID} = ${OAUTH_SIGNING_KEY_DIR}/signing-key.pem

deps/rabbitmq_management/selenium/test/utils.js

@@ -36,7 +36,9 @@ module.exports = {
     if (!runLocal) {
       builder = builder.usingServer(seleniumUrl)
     }
-    return builder.forBrowser('chrome').build()
+    driver = builder.forBrowser('chrome').build()
+    driver.manage().setTimeouts( { pageLoad: 35000 } )
+    return driver
   },
 
   goToHome: (driver) => {