From bd16c867cd275086e04ce890f7c3c4756314a1fb Mon Sep 17 00:00:00 2001
From: Michal Papuga <mpapuga@prescientco.com>
Date: Tue, 21 Jan 2020 18:19:32 +0100
Subject: Resolve PR comments - rename variable (identityserver_scopes), rename
 redirect_uri and silent_redirect_uri callback .html sites and encapsulate UAA
 and IdentityServer initialization in dedicated methods.

---
 deps/rabbitmq_management/priv/www/callback.html    |   2 +-
 deps/rabbitmq_management/priv/www/index.html       |  28 +---
 deps/rabbitmq_management/priv/www/js/global.js     |   2 +-
 deps/rabbitmq_management/priv/www/js/main.js       | 181 ++++++++++++---------
 .../priv/www/postSigninCallback.html               |  21 +++
 deps/rabbitmq_management/priv/www/silent.html      |   2 +-
 .../priv/www/silentTokenRenewal.html               |  19 +++
 .../src/rabbit_mgmt_wm_auth.erl                    |  10 +-
 .../test/rabbit_mgmt_http_SUITE.erl                |   8 +-
 .../schema/rabbitmq_management.schema              |   2 +-
 10 files changed, 161 insertions(+), 114 deletions(-)
 create mode 100644 deps/rabbitmq_management/priv/www/postSigninCallback.html
 create mode 100644 deps/rabbitmq_management/priv/www/silentTokenRenewal.html

diff --git a/deps/rabbitmq_management/priv/www/callback.html b/deps/rabbitmq_management/priv/www/callback.html
index 9ef563911c..9e74452fdc 100644
--- a/deps/rabbitmq_management/priv/www/callback.html
+++ b/deps/rabbitmq_management/priv/www/callback.html
@@ -5,7 +5,7 @@
   <meta content="utf-8" http-equiv="encoding">
   <link href="css/main.css" rel="stylesheet" type="text/css"/>
   <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
-  <script src="js/oidc-client.js"></script>
+  <script src="js/oidc-client.min.js"></script>
   <script type="application/javascript">
     new Oidc.UserManager()
       .signinRedirectCallback()
diff --git a/deps/rabbitmq_management/priv/www/index.html b/deps/rabbitmq_management/priv/www/index.html
index 9a49a366f9..903dd0370e 100644
--- a/deps/rabbitmq_management/priv/www/index.html
+++ b/deps/rabbitmq_management/priv/www/index.html
@@ -30,38 +30,16 @@
       oauth2_implementation = auth.oauth2_implementation;
       uaa_client_id = auth.uaa_client_id;
       uaa_location = auth.uaa_location;
-      oauth2_scopes = auth.oauth2_scopes;
+      identityserver_scopes = auth.identityserver_scopes;
       oauth2_implementation = oauth2_implementation.toLowerCase()
       
       if (enable_uaa) {
         switch (oauth2_implementation) {
           case uaa_oauth2_implementation:
-            Singular.init({
-            singularLocation: './js/singular/',
-            uaaLocation: uaa_location,
-            clientId: uaa_client_id,
-            onIdentityChange: function (identity) {
-              oauth2_user_logged_in = true;
-              start_app_login();
-            },
-            onLogout: function () {
-              oauth2_user_logged_in = false;
-              var hash = window.location.hash.substring(1);
-              var params = {}
-              hash.split('&').map(hk => {
-              let temp = hk.split('=');
-              params[temp[0]] = temp[1]
-              });
-              if (params.error) {
-                uaa_invalid = true;
-                replace_content('login-status', '<p class="warning">' + decodeURIComponent(params.error) + ':' + decodeURIComponent(params.error_description) + '</p> <button id="loginWindow" onclick="oauth2_login()">Click here to log out - biatch!</button>');
-                } else {
-                replace_content('login-status', '<button id="loginWindow" onclick="oauth2_login()">Click here to log in</button>');
-                }
-              }
-            });
+            initialize_uua(uaa_location, uaa_client_id);
             break;
           case identityServer_oauth2_implementation:
+            initialize_identityserver();
             break;
           default:
             enable_uaa = false;
diff --git a/deps/rabbitmq_management/priv/www/js/global.js b/deps/rabbitmq_management/priv/www/js/global.js
index d5787fa046..d09eb05c1b 100644
--- a/deps/rabbitmq_management/priv/www/js/global.js
+++ b/deps/rabbitmq_management/priv/www/js/global.js
@@ -796,7 +796,7 @@ var last_page_out_of_range_error = 0;
 var enable_uaa;
 var uaa_client_id;
 var uaa_location;
-var oauth2_scopes;
+var identityserver_scopes;
 var oauth2_implementation;
 
 var uaa_oauth2_implementation = 'uaa';
diff --git a/deps/rabbitmq_management/priv/www/js/main.js b/deps/rabbitmq_management/priv/www/js/main.js
index d5b6575ae1..b9f3c2899f 100644
--- a/deps/rabbitmq_management/priv/www/js/main.js
+++ b/deps/rabbitmq_management/priv/www/js/main.js
@@ -1,87 +1,86 @@
 $(document).ready(function() {
     if (enable_uaa) {
         switch (oauth2_implementation) {
-          case uaa_oauth2_implementation:
-            get(uaa_location + "/info", "application/json", function(req) {
-                if (req.status !== 200) {
-                    replace_content('outer', format('login_uaa', {}));
-                    replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running UAA instance or may not have a trusted SSL certificate"  + 
-                                                    '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Single Log On</button>');
-                } else {
-                    replace_content('outer', format('login_uaa', {}));
-                }
-            });
-            break;
-          case identityServer_oauth2_implementation:
-            siteURI = new URL(window.location.href);
-            hostOrigin = siteURI.origin;
-
-            oidcClientSettings = {
-                authority: uaa_location,
-                client_id: uaa_client_id,
-                redirect_uri: hostOrigin + "/callback.html",
-                response_type: "id_token token",
-                scope: oauth2_scopes,
-                post_logout_redirect_uri: hostOrigin + "/index.html",
-                silent_redirect_uri: hostOrigin + "/silent.html",
-                automaticSilentRenew: true,
-                loadUserInfo: true
-            };
-            
-            // Uncomment for debug    
-            //Oidc.Log.logger = console;
-            oidcClient = new Oidc.UserManager(oidcClientSettings);
-
-            if (!oidcClientEventInitialized) {
-
-                oidcClientEventInitialized = true;
-                oidcClient.events.addAccessTokenExpiring(function (e) {
-                    oidcClient.signinSilentCallback();
+            case uaa_oauth2_implementation:
+                get(uaa_location + "/info", "application/json", function(req) {
+                    if (req.status !== 200) {
+                        replace_content('outer', format('login_uaa', {}));
+                        replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running UAA instance or may not have a trusted SSL certificate"  + 
+                                                        '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Single Log On</button>');
+                    } else {
+                        replace_content('outer', format('login_uaa', {}));
+                    }
                 });
-                oidcClient.events.addAccessTokenExpired(function (e) {
-                    oidcClient.removeUser().then(function() {
+                break;
+            case identityServer_oauth2_implementation:
+                siteURI = new URL(window.location.href);
+                hostOrigin = siteURI.origin;
+
+                oidcClientSettings = {
+                    authority: uaa_location,
+                    client_id: uaa_client_id,
+                    redirect_uri: hostOrigin + "/postSigninCallback.html",
+                    response_type: "id_token token",
+                    scope: identityserver_scopes,
+                    post_logout_redirect_uri: hostOrigin + "/index.html",
+                    silent_redirect_uri: hostOrigin + "/silentTokenRenewal.html",
+                    automaticSilentRenew: true,
+                    loadUserInfo: true
+                };
+            
+                // Uncomment for debug    
+                //Oidc.Log.logger = console;
+                oidcClient = new Oidc.UserManager(oidcClientSettings);
+
+                if (!oidcClientEventInitialized) {
+                    oidcClientEventInitialized = true;
+                    oidcClient.events.addAccessTokenExpiring(function (e) {
+                        oidcClient.signinSilentCallback();
+                    });
+                    oidcClient.events.addAccessTokenExpired(function (e) {
+                        oidcClient.removeUser().then(function() {
+                            replace_content('outer', format('login_uaa', {}));
+                            replace_content('login-status', '<p class="warning">' + " Access token expired! User Logged out!"  + 
+                                                            '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Log in</button>');
+                            console.warn("Access token has expired. User logged out.");
+                        });
+                    });
+                    oidcClient.events.addSilentRenewError(function (e) {
+                        console.warn("Automatic silent token renew has failed: ", e.message);
+                    });
+                    oidcClient.events.addUserLoaded(function (user) {
+                        set_auth_pref(uaa_client_id + ':' + user.access_token);
+                        store_pref('jwt_token', user.access_token);
+                    });
+                    oidcClient.events.addUserUnloaded(function (e) {
+                        clear_pref('auth');
+                        clear_pref('jwt_token');
+                        clear_cookie_value('auth');
                         replace_content('outer', format('login_uaa', {}));
-                        replace_content('login-status', '<p class="warning">' + " Access token expired! User Logged out!"  + 
+                        replace_content('login-status', '<p class="success">' + "Logged out successfully!" +
                                                         '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Log in</button>');
-                        console.warn("Access token has expired. User logged out.");
+                        console.log("User session has been terminated. Token cleared.");
                     });
-                });
-                oidcClient.events.addSilentRenewError(function (e) {
-                    console.warn("Automatic silent token renew has failed: ", e.message);
-                });
-                oidcClient.events.addUserLoaded(function (user) {
-                    set_auth_pref(uaa_client_id + ':' + user.access_token);
-                    store_pref('jwt_token', user.access_token);
-                });
-                oidcClient.events.addUserUnloaded(function (e) {
-                    clear_pref('auth');
-                    clear_pref('jwt_token');
-                    clear_cookie_value('auth');
-                    replace_content('outer', format('login_uaa', {}));
-                    replace_content('login-status', '<p class="success">' + "Logged out successfully!" +
-                                                    '</p> <button id="loginWindow" style="text-align: center; margin: 0 auto;" onclick="oauth2_login()">Log in</button>');
-                    console.log("User session has been terminated. Token cleared.");
-                });
-            }
+                }
 
-            get(uaa_location + "/.well-known/openid-configuration", "application/json", function(req) {
-                if (req.status !== 200) {
-                    replace_content('outer', format('login_uaa', {}));
-                    replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running IdentityServer instance!" + '</p>');
-                } else {
-                    oidcClient.getUser().then(function(user) {
-                        if (user) {
-                            if (Math.round(new Date().getTime() / 1000) > user.expires_at){
-                                oauth2_logout();
+                get(uaa_location + "/.well-known/openid-configuration", "application/json", function(req) {
+                    if (req.status !== 200) {
+                        replace_content('outer', format('login_uaa', {}));
+                        replace_content('login-status', '<p class="warning">' + uaa_location + " does not appear to be a running IdentityServer instance!" + '</p>');
+                    } else {
+                        oidcClient.getUser().then(function(user) {
+                            if (user) {
+                                if (Math.round(new Date().getTime() / 1000) > user.expires_at){
+                                    oauth2_logout();
+                                }
                             }
-                        }
-                        oauth2_login();
-                    });
-                };
-            });
-            break;
-          default:
-            break;
+                            oauth2_login();
+                        });
+                    };
+                });
+                break;
+            default:
+                break;
         }
     } else {
         replace_content('outer', format('login', {}));
@@ -256,7 +255,6 @@ function check_login() {
                     oidcClient = new Oidc.UserManager(oidcClientSettings);
                     oidcClient.getUser().then(function(user){
                         if (user){
-                            user.token
                             oidcClient.removeUser().then(function() {
                                 replace_content('outer', format('login_uaa', {}));
                                 replace_content('login-status', '<p class="warning">' + " Unauthorized access! User Logged out!"  + 
@@ -1872,3 +1870,34 @@ function get_chart_range_type(arg) {
     console.log('[WARNING]: range type not found for arg: ' + arg);
     return 'basic';
 }
+
+function initialize_uaa(uaa_location, uaa_client_id) {
+    Singular.init({
+        singularLocation: './js/singular/',
+        uaaLocation: uaa_location,
+        clientId: uaa_client_id,
+        onIdentityChange: function (identity) {
+          oauth2_user_logged_in = true;
+          start_app_login();
+        },
+        onLogout: function () {
+          oauth2_user_logged_in = false;
+          var hash = window.location.hash.substring(1);
+          var params = {}
+          hash.split('&').map(hk => {
+          let temp = hk.split('=');
+          params[temp[0]] = temp[1]
+          });
+          if (params.error) {
+            uaa_invalid = true;
+            replace_content('login-status', '<p class="warning">' + decodeURIComponent(params.error) + ':' + decodeURIComponent(params.error_description) + '</p> <button id="loginWindow" onclick="oauth2_login()">Click here to log out - biatch!</button>');
+            } else {
+            replace_content('login-status', '<button id="loginWindow" onclick="oauth2_login()">Click here to log in</button>');
+            }
+          }
+        });
+}
+
+function initialize_identityserver() {
+    // nothing to initialize
+}
\ No newline at end of file
diff --git a/deps/rabbitmq_management/priv/www/postSigninCallback.html b/deps/rabbitmq_management/priv/www/postSigninCallback.html
new file mode 100644
index 0000000000..9e74452fdc
--- /dev/null
+++ b/deps/rabbitmq_management/priv/www/postSigninCallback.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
+  <meta content="utf-8" http-equiv="encoding">
+  <link href="css/main.css" rel="stylesheet" type="text/css"/>
+  <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
+  <script src="js/oidc-client.min.js"></script>
+  <script type="application/javascript">
+    new Oidc.UserManager()
+      .signinRedirectCallback()
+      .then(function () {
+        window.location = "/";
+      }).catch(function (e) {
+        console.error(e);
+      });
+  </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/deps/rabbitmq_management/priv/www/silent.html b/deps/rabbitmq_management/priv/www/silent.html
index 137b62e879..b1f0f36e17 100644
--- a/deps/rabbitmq_management/priv/www/silent.html
+++ b/deps/rabbitmq_management/priv/www/silent.html
@@ -5,7 +5,7 @@
   <meta content="utf-8" http-equiv="encoding">
   <link href="css/main.css" rel="stylesheet" type="text/css"/>
   <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
-  <script src="js/oidc-client.js"></script>
+  <script src="js/oidc-client.min.js"></script>
   <script type="application/javascript">
     new Oidc.UserManager()
       .signinSilentCallback()
diff --git a/deps/rabbitmq_management/priv/www/silentTokenRenewal.html b/deps/rabbitmq_management/priv/www/silentTokenRenewal.html
new file mode 100644
index 0000000000..b1f0f36e17
--- /dev/null
+++ b/deps/rabbitmq_management/priv/www/silentTokenRenewal.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
+  <meta content="utf-8" http-equiv="encoding">
+  <link href="css/main.css" rel="stylesheet" type="text/css"/>
+  <link href="favicon.ico" rel="shortcut icon" type="image/x-icon"/>
+  <script src="js/oidc-client.min.js"></script>
+  <script type="application/javascript">
+    new Oidc.UserManager()
+      .signinSilentCallback()
+      .catch(function (e) {
+        console.error(e);
+      });
+  </script>
+</head>
+<body>
+</body>
+</html>
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
index 832789565c..97dbfeb68b 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
@@ -49,20 +49,20 @@ to_json(ReqData, Context) ->
                         identityserver ->
                             UAAClientId = application:get_env(rabbitmq_management, uaa_client_id, ""),
                             UAALocation = application:get_env(rabbitmq_management, uaa_location, ""),
-                            OAuth2Scopes = application:get_env(rabbitmq_management, oauth2_scopes, ""),
-                            case is_invalid([UAAClientId, UAALocation, OAuth2Scopes]) of
+                            IdentityServerScopes = application:get_env(rabbitmq_management, identityserver_scopes, ""),
+                            case is_invalid([UAAClientId, UAALocation, IdentityServerScopes]) of
                                 true ->
                                     log_invalid_configuration(),
                                     [{enable_uaa, false}, 
                                     {uaa_client_id, <<>>},
                                     {uaa_location, <<>>},
-                                    {oauth2_scopes, <<>>},
+                                    {identityserver_scopes, <<>>},
                                     {oauth2_implementation, identityserver}];
                                 false ->
                                     [{enable_uaa, true},
                                     {uaa_client_id, rabbit_data_coercion:to_binary(UAAClientId)},
                                     {uaa_location, rabbit_data_coercion:to_binary(UAALocation)},
-                                    {oauth2_scopes, rabbit_data_coercion:to_binary(OAuth2Scopes)},
+                                    {identityserver_scopes, rabbit_data_coercion:to_binary(IdentityServerScopes)},
                                     {oauth2_implementation, rabbit_data_coercion:to_binary(OAuth2Implementation)}]
                             end
                         end;
@@ -70,7 +70,7 @@ to_json(ReqData, Context) ->
                         [{enable_uaa, false},
                         {uaa_client_id, <<>>},
                         {uaa_location, <<>>},
-                        {oauth2_scopes, <<>>},
+                        {identityserver_scopes, <<>>},
                         {oauth2_implementation, uaa}]
                 end,
     rabbit_mgmt_util:reply(Data, ReqData, Context).
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
index 71b54ba4e2..2dc95ba6f8 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
@@ -3333,12 +3333,12 @@ oauth_test(Config) ->
                                 [rabbitmq_management, uaa_location]),
     rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
                                 [rabbitmq_management, oauth2_implementation, identityserver]),
-    %% IdentityServer misconfiguration - Missings params - Client_Id, UAA_Location, OAuth2_Scopes
+    %% IdentityServer misconfiguration - Missings params - client_id, uaa_Location, identityserver_scopes
     Map4 = http_get(Config, "/auth", ?OK),
     ?assertEqual(false, maps:get(enable_uaa, Map4)),
     ?assertEqual(<<>>, maps:get(uaa_client_id, Map4)),
     ?assertEqual(<<>>, maps:get(uaa_location, Map4)),
-    ?assertEqual(<<>>, maps:get(oauth2_scopes, Map4)),
+    ?assertEqual(<<>>, maps:get(identityserver_scopes, Map4)),
     ?assertEqual(<<"identityserver">>, maps:get(oauth2_implementation, Map4)),
     %% Valid IdentityServer config
     rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
@@ -3346,12 +3346,12 @@ oauth_test(Config) ->
     rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
                                  [rabbitmq_management, uaa_location, "http://localhost:5000/identityserver"]),
     rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
-                                 [rabbitmq_management, oauth2_scopes, "rabbitmq.read:*/* rabbitmq.write:*/*"]),
+                                 [rabbitmq_management, identityserver_scopes, "rabbitmq.read:*/* rabbitmq.write:*/*"]),
     Map5 = http_get(Config, "/auth", ?OK),
     ?assertEqual(true, maps:get(enable_uaa, Map5)),
     ?assertEqual(<<"rabbitmq">>, maps:get(uaa_client_id, Map5)),
     ?assertEqual(<<"http://localhost:5000/identityserver">>, maps:get(uaa_location, Map5)),
-    ?assertEqual(<<"rabbitmq.read:*/* rabbitmq.write:*/*">>, maps:get(oauth2_scopes, Map5)),
+    ?assertEqual(<<"rabbitmq.read:*/* rabbitmq.write:*/*">>, maps:get(identityserver_scopes, Map5)),
     ?assertEqual(<<"identityserver">>, maps:get(oauth2_implementation, Map5)),
     %% Cleanup after IdentityServer
     rabbit_ct_broker_helpers:rpc(Config, 0, application, unset_env,
diff --git a/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema b/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema
index e35f12f502..e8c297b723 100644
--- a/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema
+++ b/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/schema/rabbitmq_management.schema
@@ -386,7 +386,7 @@ end}.
 {mapping, "management.uaa_location", "rabbitmq_management.uaa_location",
     [{datatype, string}]}.
 
-{mapping, "management.oauth2_scopes", "rabbitmq_management.oauth2_scopes",
+{mapping, "management.identityserver_scopes", "rabbitmq_management.identityserver_scopes",
     [{datatype, string}]}.
 
 {mapping, "management.oauth2_implementation", "rabbitmq_management.oauth2_implementation",
-- 
cgit v1.2.1