Test OAuth2 support with JWT tokens

Author: acogoluegnes

ci/start-broker.sh

@@ -12,6 +12,7 @@ wait_for_message() {
 
 make -C "${PWD}"/tls-gen/basic
 
+rm -rf rabbitmq-configuration
 mkdir -p rabbitmq-configuration/tls
 cp -R "${PWD}"/tls-gen/basic/result/* rabbitmq-configuration/tls
 chmod o+r rabbitmq-configuration/tls/*

src/test/java/com/rabbitmq/client/amqp/impl/JwtTestUtils.java

@@ -0,0 +1,97 @@
+// Copyright (c) 2024 Broadcom. All Rights Reserved.
+// The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// If you have any questions regarding licensing, please contact us at
+// [email protected].
+package com.rabbitmq.client.amqp.impl;
+
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
+import com.rabbitmq.client.amqp.oauth.Token;
+import java.util.Base64;
+import java.util.List;
+import java.util.Map;
+import org.jose4j.jws.AlgorithmIdentifiers;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwt.JwtClaims;
+import org.jose4j.jwt.NumericDate;
+import org.jose4j.jwt.consumer.JwtConsumer;
+import org.jose4j.jwt.consumer.JwtConsumerBuilder;
+import org.jose4j.keys.HmacKey;
+
+final class JwtTestUtils {
+
+  private static final String BASE64_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH";
+  private static final HmacKey KEY = new HmacKey(Base64.getDecoder().decode(BASE64_KEY));
+  private static final String AUDIENCE = "rabbitmq";
+  private static final Gson GSON = new Gson();
+  private static final TypeToken<Map<String, Object>> MAP_TYPE = new TypeToken<>() {};
+
+  private JwtTestUtils() {}
+
+  static String token(long expirationTime) {
+    try {
+      JwtClaims claims = new JwtClaims();
+      claims.setIssuer("unit_test");
+      claims.setAudience(AUDIENCE);
+      claims.setExpirationTime(NumericDate.fromMilliseconds(expirationTime));
+      claims.setStringListClaim(
+          "scope", List.of("rabbitmq.configure:*/*", "rabbitmq.write:*/*", "rabbitmq.read:*/*"));
+
+      JsonWebSignature signature = new JsonWebSignature();
+
+      signature.setKeyIdHeaderValue("token-key");
+      signature.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
+      signature.setKey(KEY);
+      signature.setPayload(claims.toJson());
+      return signature.getCompactSerialization();
+    } catch (Exception e) {
+      System.out.println("ERROR " + e.getMessage());
+      throw new RuntimeException(e);
+    }
+  }
+
+  static Token parseToken(String tokenAsString) {
+    long expirationTime;
+    try {
+      JwtConsumer consumer =
+          new JwtConsumerBuilder()
+              .setExpectedAudience(AUDIENCE)
+              // we do not validate the expiration time
+              .setEvaluationTime(NumericDate.fromMilliseconds(0))
+              .setVerificationKey(KEY)
+              .build();
+      JwtClaims claims = consumer.processToClaims(tokenAsString);
+      expirationTime = claims.getExpirationTime().getValueInMillis();
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+    return new Token() {
+      @Override
+      public String value() {
+        return tokenAsString;
+      }
+
+      @Override
+      public long expirationTime() {
+        return expirationTime;
+      }
+    };
+  }
+
+  static Map<String, Object> parse(String json) {
+    return GSON.fromJson(json, MAP_TYPE);
+  }
+}

src/test/java/com/rabbitmq/client/amqp/impl/Oauth2Test.java

@@ -19,6 +19,8 @@
 
 import static com.rabbitmq.client.amqp.ConnectionSettings.SASL_MECHANISM_PLAIN;
 import static com.rabbitmq.client.amqp.impl.Assertions.assertThat;
+import static com.rabbitmq.client.amqp.impl.HttpTestUtils.startHttpServer;
+import static com.rabbitmq.client.amqp.impl.JwtTestUtils.*;
 import static com.rabbitmq.client.amqp.impl.TestConditions.BrokerVersion.RABBITMQ_4_1_0;
 import static com.rabbitmq.client.amqp.impl.TestUtils.*;
 import static java.lang.System.currentTimeMillis;
@@ -32,22 +34,15 @@
 import com.rabbitmq.client.amqp.impl.TestUtils.DisabledIfOauth2AuthBackendNotEnabled;
 import com.rabbitmq.client.amqp.impl.TestUtils.Sync;
 import com.rabbitmq.client.amqp.oauth.HttpTokenRequester;
-import com.rabbitmq.client.amqp.oauth.Token;
 import com.rabbitmq.client.amqp.oauth.TokenParser;
+import com.rabbitmq.client.amqp.oauth.TokenRequester;
 import com.sun.net.httpserver.Headers;
+import com.sun.net.httpserver.HttpHandler;
 import com.sun.net.httpserver.HttpServer;
 import java.io.OutputStream;
 import java.time.Duration;
-import java.util.Base64;
 import java.util.Collections;
-import java.util.List;
-import org.jose4j.jws.AlgorithmIdentifiers;
-import org.jose4j.jws.JsonWebSignature;
-import org.jose4j.jwt.JwtClaims;
-import org.jose4j.jwt.NumericDate;
-import org.jose4j.jwt.consumer.JwtConsumer;
-import org.jose4j.jwt.consumer.JwtConsumerBuilder;
-import org.jose4j.keys.HmacKey;
+import java.util.function.LongSupplier;
 import org.jose4j.lang.JoseException;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Test;
@@ -57,32 +52,9 @@
 @DisabledIfOauth2AuthBackendNotEnabled
 public class Oauth2Test {
 
-  private static final String BASE64_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH";
-  private static final HmacKey KEY = new HmacKey(Base64.getDecoder().decode(BASE64_KEY));
   Environment environment;
   HttpServer server;
 
-  private static String token(long expirationTime) {
-    JwtClaims claims = new JwtClaims();
-    claims.setIssuer("unit_test");
-    claims.setAudience("rabbitmq");
-    claims.setExpirationTime(NumericDate.fromMilliseconds(expirationTime));
-    claims.setStringListClaim(
-        "scope", List.of("rabbitmq.configure:*/*", "rabbitmq.write:*/*", "rabbitmq.read:*/*"));
-
-    JsonWebSignature signature = new JsonWebSignature();
-
-    signature.setKeyIdHeaderValue("token-key");
-    signature.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
-    signature.setKey(KEY);
-    signature.setPayload(claims.toJson());
-    try {
-      return signature.getCompactSerialization();
-    } catch (JoseException e) {
-      throw new RuntimeException(e);
-    }
-  }
-
   @AfterEach
   void tearDown() {
     if (this.server != null) {
@@ -108,7 +80,7 @@ void validTokenShouldSucceed() {
   @Test
   @BrokerVersionAtLeast(RABBITMQ_4_1_0)
   void connectionShouldBeClosedWhenTokenExpires(TestInfo info) throws JoseException {
-    String q = TestUtils.name(info);
+    String q = name(info);
     long expiry = currentTimeMillis() + ofSeconds(2).toMillis();
     String token = token(expiry);
     Sync connectionClosedSync = sync();
@@ -156,63 +128,19 @@ void connectionShouldBeClosedWhenTokenExpires(TestInfo info) throws JoseExceptio
 
   @Test
   @BrokerVersionAtLeast(RABBITMQ_4_1_0)
-  void httpClientProviderShouldGetToken(TestInfo info) throws Exception {
-    String q = TestUtils.name(info);
-
+  void openingConnectionWithHttpValidTokenShouldWork(TestInfo info) throws Exception {
+    String q = name(info);
     int port = randomNetworkPort();
     String contextPath = "/uaa/oauth/token";
 
     this.server =
-        HttpTestUtils.startHttpServer(
-            port,
-            contextPath,
-            exchange -> {
-              long expirationTime = currentTimeMillis() + 60_000;
-              byte[] data = token(expirationTime).getBytes(UTF_8);
-              Headers responseHeaders = exchange.getResponseHeaders();
-              responseHeaders.set("content-type", "application/json");
-              exchange.sendResponseHeaders(200, data.length);
-              OutputStream responseBody = exchange.getResponseBody();
-              responseBody.write(data);
-              responseBody.close();
-            });
-
-    HttpTokenRequester tokenRequester =
-        new HttpTokenRequester(
-            "http://localhost:" + port + contextPath,
-            "",
-            "",
-            "",
-            Collections.emptyMap(),
-            null,
-            null,
-            null,
-            null);
+        startHttpServer(port, contextPath, tokenHttpHandler(() -> currentTimeMillis() + 60_000));
+
+    TokenRequester tokenRequester = httpTokenRequester("http://localhost:" + port + contextPath);
     TokenParser tokenParser =
-        tokenAsString -> {
-          long expirationTime;
-          try {
-            JwtConsumer consumer =
-                new JwtConsumerBuilder()
-                    .setExpectedAudience("rabbitmq")
-                    .setVerificationKey(KEY)
-                    .build();
-            JwtClaims claims = consumer.processToClaims(tokenAsString);
-            expirationTime = claims.getExpirationTime().getValueInMillis();
-          } catch (Exception e) {
-            throw new RuntimeException(e);
-          }
-          return new Token() {
-            @Override
-            public String value() {
-              return tokenAsString;
-            }
-
-            @Override
-            public long expirationTime() {
-              return expirationTime;
-            }
-          };
+        json -> {
+          String compact = parse(json).get("value").toString();
+          return parseToken(compact);
         };
 
     CredentialsProvider credentialsProvider =
@@ -224,5 +152,63 @@ public long expirationTime() {
             .credentialsProvider(credentialsProvider)
             .build();
     c.management().queue(q).exclusive(true).declare();
+    Publisher publisher = c.publisherBuilder().queue(q).build();
+    Sync consumeSync = TestUtils.sync();
+    c.consumerBuilder()
+        .queue(q)
+        .messageHandler(
+            (ctx, msg) -> {
+              ctx.accept();
+              consumeSync.down();
+            })
+        .build();
+    publisher.publish(publisher.message(), ctx -> {});
+    assertThat(consumeSync).completes();
+  }
+
+  @Test
+  @BrokerVersionAtLeast(RABBITMQ_4_1_0)
+  void openingConnectionWithHttpExpiredTokenShouldFail() throws Exception {
+    int port = randomNetworkPort();
+    String contextPath = "/uaa/oauth/token";
+
+    this.server =
+        startHttpServer(port, contextPath, tokenHttpHandler(() -> currentTimeMillis() - 60_000));
+
+    TokenRequester tokenRequester = httpTokenRequester("http://localhost:" + port + contextPath);
+    TokenParser tokenParser =
+        json -> {
+          String compact = parse(json).get("value").toString();
+          return parseToken(compact);
+        };
+
+    CredentialsProvider credentialsProvider =
+        new OAuthCredentialsProvider(tokenRequester, tokenParser);
+    assertThatThrownBy(
+            () ->
+                environment
+                    .connectionBuilder()
+                    .saslMechanism(SASL_MECHANISM_PLAIN)
+                    .credentialsProvider(credentialsProvider)
+                    .build())
+        .isInstanceOf(AmqpException.AmqpSecurityException.class);
+  }
+
+  private static HttpHandler tokenHttpHandler(LongSupplier expirationTimeSupplier) {
+    return exchange -> {
+      long expirationTime = expirationTimeSupplier.getAsLong();
+      String token = token(expirationTime);
+      byte[] data = String.format("{ 'value': '%s' }", token).replace('\'', '"').getBytes(UTF_8);
+      Headers responseHeaders = exchange.getResponseHeaders();
+      responseHeaders.set("content-type", "application/json");
+      exchange.sendResponseHeaders(200, data.length);
+      OutputStream responseBody = exchange.getResponseBody();
+      responseBody.write(data);
+      responseBody.close();
+    };
+  }
+
+  private static TokenRequester httpTokenRequester(String uri) {
+    return new HttpTokenRequester(uri, "", "", "", Collections.emptyMap(), null, null, null, null);
   }
 }