Use strict_auth_mechanism and preferred_auth_mechanism

Request parameters and corresponding header to
control default auth mechanism or fixed auth
mechanism

Author: MarcialRosales

deps/rabbitmq_management/priv/www/js/main.js

@@ -41,12 +41,14 @@ function startWithOAuthLogin (oauth) {
   }
 }
 function render_login_oauth(oauth, messages) {
-  let formatData = {}
-  formatData.warnings = []
-  formatData.notAuthorized = false
-  formatData.resource_servers = oauth.resource_servers
-  formatData.declared_resource_servers_count = oauth.declared_resource_servers_count
-  formatData.oauth_disable_basic_auth = oauth.oauth_disable_basic_auth
+  let formatData = {};
+  formatData.warnings = [];
+  formatData.notAuthorized = false;
+  formatData.resource_servers = oauth.resource_servers;
+  formatData.declared_resource_servers_count = oauth.declared_resource_servers_count;
+  formatData.oauth_disable_basic_auth = oauth.oauth_disable_basic_auth;
+  formatData.strict_auth_mechanism = oauth.strict_auth_mechanism;
+  formatData.preferred_auth_mechanism = oauth.preferred_auth_mechanism;
 
   if (Array.isArray(messages)) {
     formatData.warnings = messages

deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

@@ -193,6 +193,25 @@ function oauth_initialize_user_manager(resource_server) {
     });
 
 }
+function parseAuthMechanism(oauth, name, auth_mechanism) {
+    if (!auth_mechanism) {
+        return oauth;
+    }
+    
+    if (auth_mechanism.includes(':')) {
+        // OAuth2 case: "oauth2:prod"
+        const [authMethod, resourceId] = auth_mechanism.split(':');        
+        if (authMethod === 'oauth2' && resourceId) {
+            if (oauth.resource_servers.some(resource => resource.id === resourceId)) {
+              oauth[name] = {type: "oauth2", resource_id: resourceId};            
+            }            
+        }
+    } else if (auth_mechanism === 'basic' && oauth.oauth_disable_basic_auth === false) {
+       oauth[name] = {type: "basic"};
+    }
+    return oauth;
+}
+
 export function oauth_initialize(authSettings) {
     authSettings = auth_settings_apply_defaults(authSettings);
     let oauth = {
@@ -202,7 +221,14 @@ export function oauth_initialize(authSettings) {
       "oauth_disable_basic_auth" : authSettings.oauth_disable_basic_auth
     }
     if (!oauth.enabled) return oauth;
-
+    if (authSettings.resource_servers.length > 1 || !authSettings.oauth_disable_basic_auth) {
+      if (authSettings.strict_auth_mechanism) {
+        oauth = parseAuthMechanism(oauth, "strict_auth_mechanism", authSettings.strict_auth_mechanism);
+      }else if (authSettings.preferred_auth_mechanism) {
+        oauth = parseAuthMechanism(oauth, "preferred_auth_mechanism", authSettings.preferred_auth_mechanism);
+      }
+    }
+     
     let resource_server = null;
 
     if (oauth.resource_servers.length == 1) {

deps/rabbitmq_management/priv/www/js/tmpl/login_oauth.ejs

@@ -12,12 +12,15 @@
     <% } %>
   </div>
 <% if (!notAuthorized) { %>
-    <% if ((typeof resource_servers == 'object' && resource_servers.length == 1) && oauth_disable_basic_auth) { %>
+    <% if (strict_auth_mechanism !== undefined && strict_auth_mechanism.type === "oauth2") { %>
+        <button id="login" onclick="oauth_initiateLogin('<%=strict_auth_mechanism.resource_id%>')">Click here to log in</button>
+    <% } else if ((typeof resource_servers == 'object' && resource_servers.length == 1) && oauth_disable_basic_auth) { %>
         <button id="login" onclick="oauth_initiateLogin('<%=resource_servers[0].id%>')">Click here to log in</button>
-    <% } else if (typeof resource_servers == 'object' && resource_servers.length >= 1) { %>
+    <% } else if (typeof resource_servers == 'object' && resource_servers.length >= 1 && strict_auth_mechanism == undefined) { %>
 
     <b>Login with :</b>
     <p/>
+    <% const preferredResourceId = preferred_auth_mechanism !== undefined && preferred_auth_mechanism.type === "oauth2" ? preferred_auth_mechanism.resource_id : null; %>
     <!-- begin login with oauth2  -->
     <div class="section" id="login-with-oauth2">
       <h2>OAuth 2.0</h2>
@@ -30,7 +33,7 @@
             <label for="oauth2-resource">Resource:</label>
             <select id="oauth2-resource">
               <% for (var i = 0; i < resource_servers.length; i++) { %>
-               <option value="<%= fmt_string(resource_servers[i].id) %>">
+               <option value="<%= fmt_string(resource_servers[i].id) %>" <%= (preferredResourceId === resource_servers[i].id) ? 'selected="selected"' : '' %>>
                  <%= fmt_string(resource_servers[i].label != null ? resource_servers[i].label : resource_servers[i].id) %>
                </option>
               <% } %>
@@ -45,9 +48,9 @@
     <!-- end login with oauth2  -->
 <% } %>
 
-  <!-- begin login with basic auth   -->
-  <% if (!oauth_disable_basic_auth) { %>
-  <div class="section-hidden" id="login-with-basic-auth">
+  <!-- begin login with basic auth   -->  
+  <% if (!oauth_disable_basic_auth && (strict_auth_mechanism === undefined || strict_auth_mechanism.type === "basic")) { %>
+  <div class="section-hidden <%= (strict_auth_mechanism != undefined && strict_auth_mechanism.type === 'basic')? 'section-visible' : '' %> " id="login-with-basic-auth">
     <h2>Basic Authentication</h2>
     <div class="hider">
       <div class="updatable">

deps/rabbitmq_management/src/rabbit_mgmt_oauth_bootstrap.erl

@@ -9,6 +9,7 @@
 
 -export([init/2]).
 -include("rabbit_mgmt.hrl").
+-include_lib("kernel/include/logger.hrl").
 
 %%--------------------------------------------------------------------
 
@@ -18,6 +19,7 @@ init(Req0, State) ->
 
 bootstrap_oauth(Req0, State) ->
     AuthSettings = enrich_oauth_settings(Req0, rabbit_mgmt_wm_auth:authSettings()),
+    ?LOG_DEBUG("AuthSettings: ~p", [AuthSettings]),
     Dependencies = oauth_dependencies(),
     {Req1, SetTokenAuth} = set_token_auth(AuthSettings, Req0),
     JSContent = import_dependencies(Dependencies) ++
@@ -29,7 +31,10 @@ bootstrap_oauth(Req0, State) ->
         JSContent, Req1), State}.
 
 enrich_oauth_settings(Req0, AuthSettings) ->
-    case get_auth_mechanism(Req0) of
+    Auth = get_auth_mechanism(Req0),
+    ValidAuth = validate_auth_mechanism(Auth, AuthSettings),
+    ?LOG_DEBUG("validate_auth_mechanism ~p -> ~p", [Auth, ValidAuth]),
+    case ValidAuth of
         undefined -> AuthSettings;
         {_, _} = Auth -> [Auth | AuthSettings]
     end.
@@ -42,9 +47,31 @@ get_auth_mechanism(Req) ->
             end;
         Val -> {strict_auth_mechanism, Val}
     end.
+validate_auth_mechanism({_, <<"oauth2:", Id/binary>>} = Auth, AuthSettings) ->    
+    case maps:is_key(Id, proplists:get_value(oauth_resource_servers, AuthSettings)) of 
+        true -> Auth;
+        _ -> undefined
+    end;
+validate_auth_mechanism({_, <<"basic">>} = Auth, _AuthSettings) -> Auth;
+validate_auth_mechanism({_, _}, _AuthSettings) -> undefined;
+validate_auth_mechanism(_, _) -> undefined.
+
+extract_referer_params(Req) ->
+    case cowboy_req:header(<<"referer">>, Req) of
+        undefined -> [];
+        Referer ->
+            case uri_string:parse(Referer) of
+                #{query := Query} when Query =/= undefined ->
+                    uri_string:dissect_query(Query);
+                _ ->
+                    []
+            end
+    end.
 get_param_or_header(ParamName, HeaderName, Req) ->
-    case rabbit_mgmt_util:qs_val(ParamName, Req) of
-        undefined -> cowboy_req:parse_header(HeaderName, Req);
+    ReqParams = maps:from_list(extract_referer_params(Req)),
+    ?LOG_DEBUG("ReqParams: ~p", [ReqParams]),
+    case maps:get(ParamName, ReqParams, undefined) of
+        undefined -> cowboy_req:header(HeaderName, Req);
         Val -> Val
     end.
 

deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl

@@ -201,8 +201,6 @@ all_tests() -> [
     rates_test,
     single_active_consumer_cq_test,
     single_active_consumer_qq_test,
-    %% This test needs the OAuth 2 plugin to be enabled
-    %% oauth_test,
     disable_basic_auth_test,
     login_test,
     csp_headers_test,
@@ -4003,34 +4001,6 @@ stats_redirect_test(Config) ->
     assert_permanent_redirect(Config, "doc/stats.html", "/api/index.html"),
     passed.
 
-oauth_test(Config) ->
-    ok = rabbit_ct_broker_helpers:enable_plugin(Config, 0, "rabbitmq_auth_backend_oauth2"),
-
-    Map1 = http_get(Config, "/auth", ?OK),
-    %% Defaults
-    ?assertEqual(false, maps:get(oauth_enabled, Map1)),
-
-    %% Misconfiguration
-    rpc(Config, application, set_env, [rabbitmq_management, oauth_enabled, true]),
-    Map2 = http_get(Config, "/auth", ?OK),
-    ?assertEqual(false, maps:get(oauth_enabled, Map2)),
-    ?assertEqual(<<>>, maps:get(oauth_client_id, Map2)),
-    ?assertEqual(<<>>, maps:get(oauth_provider_url, Map2)),
-    %% Valid config requires non empty OAuthClientId, OAuthClientSecret, OAuthResourceId, OAuthProviderUrl
-    rpc(Config, application, set_env, [rabbitmq_management, oauth_client_id, "rabbit_user"]),
-    rpc(Config, application, set_env, [rabbitmq_management, oauth_client_secret, "rabbit_secret"]),
-    rpc(Config, application, set_env, [rabbitmq_management, oauth_provider_url, "http://localhost:8080/uaa"]),
-    rpc(Config, application, set_env, [rabbitmq_auth_backend_oauth2, resource_server_id, "rabbitmq"]),
-    Map3 = http_get(Config, "/auth", ?OK),
-    println(Map3),
-    ?assertEqual(true, maps:get(oauth_enabled, Map3)),
-    ?assertEqual(<<"rabbit_user">>, maps:get(oauth_client_id, Map3)),
-    ?assertEqual(<<"rabbit_secret">>, maps:get(oauth_client_secret, Map3)),
-    ?assertEqual(<<"rabbitmq">>, maps:get(resource_server_id, Map3)),
-    ?assertEqual(<<"http://localhost:8080/uaa">>, maps:get(oauth_provider_url, Map3)),
-    %% cleanup
-    rpc(Config, application, unset_env, [rabbitmq_management, oauth_enabled]).
-
 version_test(Config) ->
     ActualVersion = http_get(Config, "/version"),
     ct:log("ActualVersion : ~p", [ActualVersion]),