10 files changed, 161 insertions, 114 deletions
diff --git a/deps/rabbitmq_management/priv/www/callback.html b/deps/rabbitmq_management/priv/www/callback.html
index 9ef563911c..9e74452fdc 100644
--- a/deps/rabbitmq_management/priv/www/callback.html
+++ b/deps/rabbitmq_management/priv/www/callback.html
@@ -5,7 +5,7 @@
 <meta content="utf-8" http-equiv="encoding">
 <link href="css/main.css" rel="stylesheet" type="text/css"/>
 <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
- <script src="js/oidc-client.js"></script>
+ <script src="js/oidc-client.min.js"></script>
 <script type="application/javascript">
 new Oidc.UserManager()
 .signinRedirectCallback()
diff --git a/deps/rabbitmq_management/priv/www/index.html b/deps/rabbitmq_management/priv/www/index.html
index 9a49a366f9..903dd0370e 100644
--- a/deps/rabbitmq_management/priv/www/index.html
+++ b/deps/rabbitmq_management/priv/www/index.html
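Review bot: The swap to `<script src="js/oidc-client.min.js">` references a file that is not among the 10 files this diff touches, so the minified bundle must already be vendored under priv/www/js; if it is not, both callback pages fail with `Oidc is not defined` before `signinRedirectCallback()` ever runs, so this is worth confirming. postSigninCallback.html is added with the same blob id (9e74452fdc) as this file and is the only name main.js now uses as `redirect_uri`, which makes callback.html a leftover landing page; either delete it or mark the duplication as deliberate with `<!-- kept only for IdP client registrations that still list /callback.html; see postSigninCallback.html -->`.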
@@ -30,38 +30,16 @@ oauth2_implementation = auth.oauth2_implementation; uaa_client_id = auth.uaa_client_id; uaa_location = auth.uaa_location; - oauth2_scopes = auth.oauth2_scopes; + identityserver_scopes = auth.identityserver_scopes; oauth2_implementation = oauth2_implementation.toLowerCase() if (enable_uaa) { switch (oauth2_implementation) { case uaa_oauth2_implementation: - Singular.init({ - singularLocation: './js/singular/', - uaaLocation: uaa_location, - clientId: uaa_client_id, - onIdentityChange: function (identity) { - oauth2_user_logged_in = true; - start_app_login(); - }, - onLogout: function () { - oauth2_user_logged_in = false; - var hash = window.location.hash.substring(1); - var params = {} - hash.split('&').map(hk => { - let temp = hk.split('='); - params[temp[0]] = temp[1] - }); - if (params.error) { - uaa_invalid = true; - replace_content('login-status', '<p class="warning">' + decodeURIComponent(params.error) + ':' + decodeURIComponent(params.error_description) + '</p> <button id="loginWindow" onclick="oauth2_login()">Click here to log out - biatch!</button>'); - } else { - replace_content('login-status', '<button id="loginWindow" onclick="oauth2_login()">Click here to log in</button>'); - } - } - }); + initialize_uua(uaa_location, uaa_client_id); break; case identityServer_oauth2_implementation: + initialize_identityserver(); break; default: enable_uaa = false; diff --git a/deps/rabbitmq_management/priv/www/js/global.js b/deps/rabbitmq_management/priv/www/js/global.js index d5787fa046..d09eb05c1b 100644 --- a/deps/rabbitmq_management/priv/www/js/global.js +++ b/deps/rabbitmq_management/priv/www/js/global.js @@ -796,7 +796,7 @@ var last_page_out_of_range_error = 0; var enable_uaa; var uaa_client_id; var uaa_location; -var oauth2_scopes; +var identityserver_scopes; var oauth2_implementation; var uaa_oauth2_implementation = 'uaa'; 
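Review bot: `initialize_uua(uaa_location, uaa_client_id);` in the `uaa_oauth2_implementation` case does not match the function this commit adds to main.js, which is named `initialize_uaa`, so the UAA branch throws a ReferenceError at page load and `Singular.init` is never called; the line should read `initialize_uaa(uaa_location, uaa_client_id);`. The test changes in this diff only exercise the `/auth` JSON endpoint, so nothing catches the typo; a browser smoke test that loads index.html with `oauth2_implementation = uaa` would. The enclosing script block starts before this hunk.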
diff --git a/deps/rabbitmq_management/priv/www/js/main.js b/deps/rabbitmq_management/priv/www/js/main.js
index d5b6575ae1..b9f3c2899f 100644
--- a/deps/rabbitmq_management/priv/www/js/main.js
+++ b/deps/rabbitmq_management/priv/www/js/main.js
@@ -1,87 +1,86 @@ $(document).ready(function() { if (enable_uaa) { switch (oauth2_implementation) { - case uaa_oauth2_implementation: - get(uaa_location + "/info", "application/json", function(req) { - if (req.status !== 200) { - replace_content('outer', format('login_uaa', {})); - replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running UAA instance or may not have a trusted SSL certificate" + - '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Single Log On</button>'); - } else { - replace_content('outer', format('login_uaa', {})); - } - }); - break; - case identityServer_oauth2_implementation: - siteURI = new URL(window.location.href); - hostOrigin = siteURI.origin; - - oidcClientSettings = { - authority: uaa_location, - client_id: uaa_client_id, - redirect_uri: hostOrigin + "/callback.html", - response_type: "id_token token", - scope: oauth2_scopes, - post_logout_redirect_uri: hostOrigin + "/index.html", - silent_redirect_uri: hostOrigin + "/silent.html", - automaticSilentRenew: true, - loadUserInfo: true - }; - - // Uncomment for debug - //Oidc.Log.logger = console; - oidcClient = new Oidc.UserManager(oidcClientSettings); - - if (!oidcClientEventInitialized) { - - oidcClientEventInitialized = true; - oidcClient.events.addAccessTokenExpiring(function (e) { - oidcClient.signinSilentCallback(); + case uaa_oauth2_implementation: + get(uaa_location + "/info", "application/json", function(req) { + if (req.status !== 200) { + replace_content('outer', format('login_uaa', {})); + replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running UAA instance or may not have a trusted SSL certificate" + + '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Single Log On</button>'); + } else { + replace_content('outer', format('login_uaa', {})); + } }); - 
oidcClient.events.addAccessTokenExpired(function (e) { - oidcClient.removeUser().then(function() { + break; + case identityServer_oauth2_implementation: + siteURI = new URL(window.location.href); + hostOrigin = siteURI.origin; + + oidcClientSettings = { + authority: uaa_location, + client_id: uaa_client_id, + redirect_uri: hostOrigin + "/postSigninCallback.html", + response_type: "id_token token", + scope: identityserver_scopes, + post_logout_redirect_uri: hostOrigin + "/index.html", + silent_redirect_uri: hostOrigin + "/silentTokenRenewal.html", + automaticSilentRenew: true, + loadUserInfo: true + }; + + // Uncomment for debug + //Oidc.Log.logger = console; + oidcClient = new Oidc.UserManager(oidcClientSettings); + + if (!oidcClientEventInitialized) { + oidcClientEventInitialized = true; + oidcClient.events.addAccessTokenExpiring(function (e) { + oidcClient.signinSilentCallback(); + }); + oidcClient.events.addAccessTokenExpired(function (e) { + oidcClient.removeUser().then(function() { + replace_content('outer', format('login_uaa', {})); + replace_content('login-status', '<p class="warning">' + " Access token expired! User Logged out!" + + '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Log in</button>'); + console.warn("Access token has expired. User logged out."); + }); + }); + oidcClient.events.addSilentRenewError(function (e) { + console.warn("Automatic silent token renew has failed: ", e.message); + }); + oidcClient.events.addUserLoaded(function (user) { + set_auth_pref(uaa_client_id + ':' + user.access_token); + store_pref('jwt_token', user.access_token); + }); + oidcClient.events.addUserUnloaded(function (e) { + clear_pref('auth'); + clear_pref('jwt_token'); + clear_cookie_value('auth'); replace_content('outer', format('login_uaa', {})); - replace_content('login-status', '<p class="warning">' + " Access token expired! User Logged out!" 
+ + replace_content('login-status', '<p class="success">' + "Logged out successfully!" + '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Log in</button>'); - console.warn("Access token has expired. User logged out."); + console.log("User session has been terminated. Token cleared."); }); - }); - oidcClient.events.addSilentRenewError(function (e) { - console.warn("Automatic silent token renew has failed: ", e.message); - }); - oidcClient.events.addUserLoaded(function (user) { - set_auth_pref(uaa_client_id + ':' + user.access_token); - store_pref('jwt_token', user.access_token); - }); - oidcClient.events.addUserUnloaded(function (e) { - clear_pref('auth'); - clear_pref('jwt_token'); - clear_cookie_value('auth'); - replace_content('outer', format('login_uaa', {})); - replace_content('login-status', '<p class="success">' + "Logged out successfully!" + - '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Log in</button>'); - console.log("User session has been terminated. Token cleared."); - }); - } + } - get(uaa_location + "/.well-known/openid-configuration", "application/json", function(req) { - if (req.status !== 200) { - replace_content('outer', format('login_uaa', {})); - replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running IdentityServer instance!" + '</p>'); - } else { - oidcClient.getUser().then(function(user) { - if (user) { - if (Math.round(new Date().getTime() / 1000) > user.expires_at){ - oauth2_logout(); + get(uaa_location + "/.well-known/openid-configuration", "application/json", function(req) { + if (req.status !== 200) { + replace_content('outer', format('login_uaa', {})); + replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running IdentityServer instance!" 
+ '</p>'); + } else { + oidcClient.getUser().then(function(user) { + if (user) { + if (Math.round(new Date().getTime() / 1000) > user.expires_at){ + oauth2_logout(); + } } - } - oauth2_login(); - }); - }; - }); - break; - default: - break; + oauth2_login(); + }); + }; + }); + break; + default: + break; } } else { replace_content('outer', format('login', {})); @@ -256,7 +255,6 @@ function check_login() { oidcClient = new Oidc.UserManager(oidcClientSettings); oidcClient.getUser().then(function(user){ if (user){ - user.token oidcClient.removeUser().then(function() { replace_content('outer', format('login_uaa', {})); replace_content('login-status', '<p class="warning">' + " Unauthorized access! User Logged out!" + @@ -1872,3 +1870,34 @@ function get_chart_range_type(arg) { console.log('[WARNING]: range type not found for arg: ' + arg); return 'basic'; } + +function initialize_uaa(uaa_location, uaa_client_id) { + Singular.init({ + singularLocation: './js/singular/', + uaaLocation: uaa_location, + clientId: uaa_client_id, + onIdentityChange: function (identity) { + oauth2_user_logged_in = true; + start_app_login(); + }, + onLogout: function () { + oauth2_user_logged_in = false; + var hash = window.location.hash.substring(1); + var params = {} + hash.split('&').map(hk => { + let temp = hk.split('='); + params[temp[0]] = temp[1] + }); + if (params.error) { + uaa_invalid = true; + replace_content('login-status', '<p class="warning">' + decodeURIComponent(params.error) + ':' + decodeURIComponent(params.error_description) + '</p> <button id="loginWindow" onclick="oauth2_login()">Click here to log out - biatch!</button>'); + } else { + replace_content('login-status', '<button id="loginWindow" onclick="oauth2_login()">Click here to log in</button>'); + } + } + }); +} + +function initialize_identityserver() { + // nothing to initialize +}
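Review bot: The IdentityServer settings keep `response_type: "id_token token"`, i.e. the OAuth 2.0 implicit flow, so the access token arrives in the URL fragment of postSigninCallback.html and is then written to browser storage by `store_pref('jwt_token', user.access_token)` in the `addUserLoaded` handler; current OAuth 2.0 security guidance is the authorization-code flow with PKCE (`response_type: "code"`), which keeps the token out of the URL and browser history, provided the vendored oidc-client build supports it. `redirect_uri`, `post_logout_redirect_uri` and `silent_redirect_uri` are all built as `hostOrigin + "/..."`, which assumes the management UI is served at the root of its origin; a prefix-mounted deployment will hand the IdP a redirect URI it will (correctly) refuse. In the `.well-known/openid-configuration` success branch `oauth2_login()` runs unconditionally, even when `getUser()` returned a still-valid user, which forces an IdP round trip on every page load; presumably intended, but a one-line comment stating that would help the next reader. The `$(document).ready` callback continues past the end of this hunk.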
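Review bot: In `initialize_uaa`'s `onLogout` handler, `params.error` and `params.error_description` are taken straight from `window.location.hash` and spliced into markup via `'<p class="warning">' + decodeURIComponent(params.error) + ':' + decodeURIComponent(params.error_description) + '</p>'`, so anyone who can get a user to open a crafted `#error=...` link controls HTML on the login page if `replace_content` assigns innerHTML (not visible here, but the string is clearly built as markup). Pass both values through the UI's HTML-escaping helper, or set them with `textContent`, before concatenation. The error-path button reads `Click here to log out - biatch!` while it calls `oauth2_login()`; it should say `Click here to log in` like the other branch. `hash.split('&').map(...)` is used purely for side effects, so `forEach` states the intent, and `params` would be safer as `Object.create(null)` since a `__proto__=` fragment key otherwise lands on the prototype.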
\ No newline at end of file
diff --git a/deps/rabbitmq_management/priv/www/postSigninCallback.html b/deps/rabbitmq_management/priv/www/postSigninCallback.html
new file mode 100644
index 0000000000..9e74452fdc
--- /dev/null
+++ b/deps/rabbitmq_management/priv/www/postSigninCallback.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
+ <meta content="utf-8" http-equiv="encoding">
+ <link href="css/main.css" rel="stylesheet" type="text/css"/>
+ <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
+ <script src="js/oidc-client.min.js"></script>
+ <script type="application/javascript">
+ new Oidc.UserManager()
+ .signinRedirectCallback()
+ .then(function () {
+ window.location = "/";
+ }).catch(function (e) {
+ console.error(e);
+ });
+ </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/deps/rabbitmq_management/priv/www/silent.html b/deps/rabbitmq_management/priv/www/silent.html
index 137b62e879..b1f0f36e17 100644
--- a/deps/rabbitmq_management/priv/www/silent.html
+++ b/deps/rabbitmq_management/priv/www/silent.html
@@ -5,7 +5,7 @@
 <meta content="utf-8" http-equiv="encoding">
 <link href="css/main.css" rel="stylesheet" type="text/css"/>
 <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
- <script src="js/oidc-client.js"></script>
+ <script src="js/oidc-client.min.js"></script>
 <script type="application/javascript">
 new Oidc.UserManager()
 .signinSilentCallback()
diff --git a/deps/rabbitmq_management/priv/www/silentTokenRenewal.html b/deps/rabbitmq_management/priv/www/silentTokenRenewal.html
new file mode 100644
index 0000000000..b1f0f36e17
--- /dev/null
+++ b/deps/rabbitmq_management/priv/www/silentTokenRenewal.html
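Review bot: On the `.catch` path of `signinRedirectCallback()` the user is left on a blank page with the failure only in the console, and the URL still carries the IdP response fragment (`#id_token=...&access_token=...` under the implicit flow configured in main.js) in the address bar and history; redirecting to `/` with a visible error indicator, or at least clearing the fragment with `history.replaceState(null, "", location.pathname)`, would avoid that. `window.location = "/"` hard-codes the origin root, matching the `hostOrigin + "/..."` assumption in main.js, so a prefix-mounted UI breaks in both places. This file is byte-identical to callback.html (same blob 9e74452fdc); only one of the two should remain.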
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
+ <meta content="utf-8" http-equiv="encoding">
+ <link href="css/main.css" rel="stylesheet" type="text/css"/>
+ <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
+ <script src="js/oidc-client.min.js"></script>
+ <script type="application/javascript">
+ new Oidc.UserManager()
+ .signinSilentCallback()
+ .catch(function (e) {
+ console.error(e);
+ });
+ </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
index 832789565c..97dbfeb68b 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
@@ -49,20 +49,20 @@ to_json(ReqData, Context) ->
 identityserver ->
 UAAClientId = application:get_env(rabbitmq_management, uaa_client_id, ""),
 UAALocation = application:get_env(rabbitmq_management, uaa_location, ""),
- OAuth2Scopes = application:get_env(rabbitmq_management, oauth2_scopes, ""),
- case is_invalid([UAAClientId, UAALocation, OAuth2Scopes]) of
+ IdentityServerScopes = application:get_env(rabbitmq_management, identityserver_scopes, ""),
+ case is_invalid([UAAClientId, UAALocation, IdentityServerScopes]) of
 true ->
 log_invalid_configuration(),
 [{enable_uaa, false},
 {uaa_client_id, <<>>},
 {uaa_location, <<>>},
- {oauth2_scopes, <<>>},
+ {identityserver_scopes, <<>>},
 {oauth2_implementation, identityserver}];
 false ->
 [{enable_uaa, true},
 {uaa_client_id, rabbit_data_coercion:to_binary(UAAClientId)},
 {uaa_location, rabbit_data_coercion:to_binary(UAALocation)},
- {oauth2_scopes, rabbit_data_coercion:to_binary(OAuth2Scopes)},
+ {identityserver_scopes, rabbit_data_coercion:to_binary(IdentityServerScopes)},
 {oauth2_implementation, rabbit_data_coercion:to_binary(OAuth2Implementation)}]
 end
 end;
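Review bot: The app-env key read in the `identityserver` branch changes from `oauth2_scopes` to `identityserver_scopes` with no fallback, so an existing deployment that still sets the old key now takes the `is_invalid` path and has OAuth login silently disabled, with only `log_invalid_configuration()` to explain why. A compatibility read keeps those installations working: `IdentityServerScopes = application:get_env(rabbitmq_management, identityserver_scopes, application:get_env(rabbitmq_management, oauth2_scopes, "")),` with a deprecation warning when the old key is the one that supplied the value. The invalid branch still returns `{oauth2_implementation, identityserver}` as an atom while the valid branch returns a binary; presumably `rabbit_mgmt_util:reply` serialises both the same way, but a comment on that asymmetry would save the next reader a check. `to_json` starts before this hunk.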
@@ -70,7 +70,7 @@ to_json(ReqData, Context) ->
 [{enable_uaa, false},
 {uaa_client_id, <<>>},
 {uaa_location, <<>>},
- {oauth2_scopes, <<>>},
+ {identityserver_scopes, <<>>},
 {oauth2_implementation, uaa}]
 end,
 rabbit_mgmt_util:reply(Data, ReqData, Context).
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
index 71b54ba4e2..2dc95ba6f8 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
@@ -3333,12 +3333,12 @@ oauth_test(Config) ->
 [rabbitmq_management, uaa_location]),
 rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
 [rabbitmq_management, oauth2_implementation, identityserver]),
- %% IdentityServer misconfiguration - Missings params - Client_Id, UAA_Location, OAuth2_Scopes
+ %% IdentityServer misconfiguration - Missings params - client_id, uaa_Location, identityserver_scopes
 Map4 = http_get(Config, "/auth", ?OK),
 ?assertEqual(false, maps:get(enable_uaa, Map4)),
 ?assertEqual(<<>>, maps:get(uaa_client_id, Map4)),
 ?assertEqual(<<>>, maps:get(uaa_location, Map4)),
- ?assertEqual(<<>>, maps:get(oauth2_scopes, Map4)),
+ ?assertEqual(<<>>, maps:get(identityserver_scopes, Map4)),
 ?assertEqual(<<"identityserver">>, maps:get(oauth2_implementation, Map4)),
 %% Valid IdentityServer config
 rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
@@ -3346,12 +3346,12 @@ oauth_test(Config) -> rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, [rabbitmq_management, uaa_location, "http://localhost:5000/identityserver"]), rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, - [rabbitmq_management, oauth2_scopes, "rabbitmq.read:*/* rabbitmq.write:*/*"]), + [rabbitmq_management, identityserver_scopes, "rabbitmq.read:*/* rabbitmq.write:*/*"]), Map5 = http_get(Config, "/auth", ?OK), ?assertEqual(true, maps:get(enable_uaa, Map5)), ?assertEqual(<<"rabbitmq">>, maps:get(uaa_client_id, Map5)), ?assertEqual(<<"http://localhost:5000/identityserver">>, maps:get(uaa_location, Map5)), - ?assertEqual(<<"rabbitmq.read:*/* rabbitmq.write:*/*">>, maps:get(oauth2_scopes, Map5)), + ?assertEqual(<<"rabbitmq.read:*/* rabbitmq.write:*/*">>, maps:get(identityserver_scopes, Map5)), ?assertEqual(<<"identityserver">>, maps:get(oauth2_implementation, Map5)), %% Cleanup after IdentityServer rabbit_ct_broker_helpers:rpc(Config, 0, application, unset_env, diff --git a/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema b/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema index e35f12f502..e8c297b723 100644 --- a/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema +++ b/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema @@ -386,7 +386,7 @@ end}. {mapping, "management.uaa_location", "rabbitmq_management.uaa_location", [{datatype, string}]}. -{mapping, "management.oauth2_scopes", "rabbitmq_management.oauth2_scopes", +{mapping, "management.identityserver_scopes", "rabbitmq_management.identityserver_scopes", [{datatype, string}]}. {mapping, "management.oauth2_implementation", "rabbitmq_management.oauth2_implementation", |
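Review bot: The only schema file updated here is the copy under deps/rabbitmq_prometheus/test/config_schema_SUITE_data, and the diffstat's 10 files do not include the management plugin's own priv/schema/rabbitmq_management.schema; if that file still maps only `management.oauth2_scopes`, then `management.identityserver_scopes` in rabbitmq.conf is rejected by cuttlefish and `rabbit_mgmt_wm_auth` reads an empty value and disables OAuth login. Either add `{mapping, "management.identityserver_scopes", "rabbitmq_management.identityserver_scopes", [{datatype, string}]}.` to the real schema in this same change, or keep the old mapping next to it as a deprecated alias rather than removing it outright. The `oauth_test` hunk above sets the app env directly via `application:set_env`, so it cannot detect a mismatch between the conf key and the schema.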