Add signing introspected token

Author: MarcialRosales

deps/oauth2_client/include/types.hrl

@@ -95,3 +95,12 @@
 }).
 
 -type unsuccessful_introspect_token_response() :: #unsuccessful_introspect_token_response{}.
+
+-record(signing_key, {
+    id :: string(),
+    type :: hs256 | rs256,
+    key :: option(binary()),
+    private_key :: option(binary()),
+    public_key :: option(binary())
+}).
+-type signing_key() :: #signing_key{}.

deps/oauth2_client/src/oauth2_client.erl

@@ -7,7 +7,7 @@
 -module(oauth2_client).
 -export([get_access_token/2, get_expiration_time/1,
         refresh_access_token/2,
-        introspect_token/1,
+        introspect_token/1,sign_token/1,
         get_oauth_provider/1, get_oauth_provider/2,
         get_openid_configuration/2,
         build_openid_discovery_endpoint/3,
@@ -50,7 +50,7 @@ refresh_access_token(OAuthProvider, Request) ->
     parse_access_token_response(Response).
 
 -spec introspect_token(binary()) -> 
-    {ok, map()} |
+    {ok, binary()} |
     {error, unsuccessful_access_token_response() | any()}.
 introspect_token(Token) ->
     case build_introspection_request() of 
@@ -67,10 +67,56 @@ introspect_token(Token) ->
             rabbit_log:debug("Sending introspect_request URL:~p Header: ~p Body: ~p",
                 [URL, Header, Body]),
             Response = httpc:request(post, {URL, Header, Type, Body}, HTTPOptions, Options),
-            parse_introspect_token_response(Response);
+            case parse_introspect_token_response(Response) of
+                {error, _} = Error -> Error;
+                {ok, _} = Ret -> Ret
+            end;
         {error, _} = Error -> Error            
     end.    
 
+sign_token(TokenPayload) ->
+    case get_opaque_token_signing_key() of 
+        {error, _} = Error -> Error;
+        SK -> 
+            ct:log("Signing with ~p", [SK]),
+            case SK#signing_key.type of 
+                hs256 -> 
+                    {_, Value} = sign_token_hs(TokenPayload, SK#signing_key.key, SK#signing_key.id),
+                    {ok, Value};
+                _ -> {error, not_implemented}
+            end
+    end.
+
+sign_token_hs(Token, #{<<"kid">> := TokenKey} = Jwk) ->
+    sign_token_hs(Token, Jwk, TokenKey).
+
+%%sign_token_hs(Token, Jwk, TokenKey) ->
+%%    sign_token_hs(Token, Jwk, TokenKey, true).
+
+sign_token_hs(Token, Jwk, TokenKey) ->
+    Jws0 = #{
+      <<"alg">> => <<"HS256">>,
+      <<"kid">> => TokenKey
+    },
+    Jws = maps:put(<<"kid">>, TokenKey, Jws0),
+    sign_token(Token, Jwk, Jws).
+    
+sign_token_rsa(Token, Jwk, TokenKey) ->
+    Jws = #{
+      <<"alg">> => <<"RS256">>,
+      <<"kid">> => TokenKey
+    },
+    sign_token(Token, Jwk, Jws).
+
+sign_token_no_kid(Token, Jwk) ->
+    Signed = jose_jwt:sign(Jwk, Token),
+    jose_jws:compact(Signed).
+
+sign_token(Token, Jwk, Jws) ->
+    Signed = jose_jwt:sign(Jwk, Jws, Token),
+    jose_jws:compact(Signed).
+
+
 build_introspect_request_parameters(Token, #introspect_token_request{
         client_auth_method = Method, 
         client_id = ClientId, 
@@ -374,6 +420,63 @@ unlock(LockId) ->
             end
     end.
 
+-spec get_opaque_token_signing_key() -> {ok, signing_key()} | {error, any()}.
+get_opaque_token_signing_key() -> 
+    case get_env(opaque_token_signing_key) of 
+        undefined -> {error, missing_opaque_token_signing_key};
+        Map -> 
+            parse_signing_key_configuration(Map)
+    end.
+
+parse_signing_key_configuration(Map) ->
+    SK0 = case maps:get(id, Map, undefined) of 
+        undefined -> {error, missing_signing_key_id};
+        Id -> #signing_key{id = Id}
+    end,
+    case {SK0, maps:get(type, Map, hs256)} of 
+        {{error, _} = Error, _} -> 
+            Error;
+        {_, hs256} -> 
+            Sk1 = case maps:get(key, Map, undefined) of 
+                undefined -> {error, missing_symmetrical_key_value};
+                SymKey -> SK0#signing_key{
+                    type = hs256, 
+                    key = case make_jwk(#{
+                        <<"alg">> => <<"HS256">>,
+                        <<"value">> => SymKey,
+                        <<"kty">> => <<"MAC">>,
+                        <<"use">> => <<"sig">>}) of 
+                            {error, _} = Error -> Error;
+                            {ok, Val} -> Val
+                        end
+                }
+            end,
+            case Sk1#signing_key.key of 
+                {error, _} = Error1 -> Error1;
+                _ -> Sk1
+            end;
+        {_, rs256} -> 
+            Sk2 = case maps:get(key_pem_file, Map, undefined) of 
+                undefined -> 
+                    {error, missing_key_pem_file};
+                PrivateKey -> 
+                    case maps:get(cert_pem_file, Map, undefined) of 
+                        undefined -> 
+                            {error, missing_cert_pem_file};
+                        PublicKey -> 
+                            SK0#signing_key{type = hs256, 
+                                private_key = PrivateKey,
+                                public_key = PublicKey}
+                    end
+            end,
+            case {Sk2#signing_key.private_key, Sk2#signing_key.public_key} of 
+                {{error, _} = Error2, _} -> Error2;
+                {_, {error, _} = Error3} -> Error3;
+                {_, _} -> Sk2
+            end;
+        {_, _} -> {error, unsupported_signing_type}
+    end.
+
 -spec get_oauth_provider(list()) -> {ok, oauth_provider()} | {error, any()}.
 get_oauth_provider(ListOfRequiredAttributes) ->
     case get_env(default_oauth_provider) of
@@ -819,3 +922,79 @@ get_env(Par, Def) ->
     application:get_env(rabbitmq_auth_backend_oauth2, Par, Def).
 set_env(Par, Val) ->
     application:set_env(rabbitmq_auth_backend_oauth2, Par, Val).
+
+
+-include_lib("jose/include/jose_jwk.hrl").
+
+-spec make_jwk(binary() | map()) -> {ok, #{binary() => binary()}} | {error, term()}.
+make_jwk(Json) when is_binary(Json); is_list(Json) ->
+    JsonMap = jose:decode(iolist_to_binary(Json)),
+    make_jwk(JsonMap);
+
+make_jwk(JsonMap) when is_map(JsonMap) ->
+    case JsonMap of
+        #{<<"kty">> := <<"MAC">>, <<"value">> := _Value} ->
+            {ok, mac_to_oct(JsonMap)};
+        #{<<"kty">> := <<"RSA">>, <<"n">> := _N, <<"e">> := _E} ->
+            {ok, fix_alg(JsonMap)};
+        #{<<"kty">> := <<"oct">>, <<"k">> := _K} ->
+            {ok, fix_alg(JsonMap)};
+        #{<<"kty">> := <<"OKP">>, <<"crv">> := _Crv, <<"x">> := _X} ->
+            {ok, fix_alg(JsonMap)};
+        #{<<"kty">> := <<"EC">>} ->
+            {ok, fix_alg(JsonMap)};
+        #{<<"kty">> := Kty} when Kty == <<"oct">>;
+                                 Kty == <<"MAC">>;
+                                 Kty == <<"RSA">>;
+                                 Kty == <<"OKP">>;
+                                 Kty == <<"EC">> ->
+            {error, {fields_missing_for_kty, Kty}};
+        #{<<"kty">> := _Kty} ->
+            {error, unknown_kty};
+        #{} ->
+            {error, no_kty}
+    end.
+
+from_pem(Pem) ->
+    case jose_jwk:from_pem(Pem) of
+        #jose_jwk{} = Jwk -> {ok, Jwk};
+        Other             ->
+            error_logger:warning_msg("Error parsing jwk from pem: ", [Other]),
+            {error, invalid_pem_string}
+    end.
+
+from_pem_file(FileName) ->
+    case filelib:is_file(FileName) of
+        false ->
+            {error, enoent};
+        true  ->
+            case jose_jwk:from_pem_file(FileName) of
+                #jose_jwk{} = Jwk -> {ok, Jwk};
+                Other             ->
+                    error_logger:warning_msg("Error parsing jwk from pem file: ", [Other]),
+                    {error, invalid_pem_file}
+            end
+    end.
+
+mac_to_oct(#{<<"kty">> := <<"MAC">>, <<"value">> := Value} = Key) ->
+    OktKey = maps:merge(Key,
+                        #{<<"kty">> => <<"oct">>,
+                          <<"k">> => base64url:encode(Value)}),
+    fix_alg(OktKey).
+
+fix_alg(#{<<"alg">> := Alg} = Key) ->
+    Algs = uaa_algs(),
+    case maps:get(Alg, Algs, undefined) of
+        undefined -> Key;
+        Val       -> Key#{<<"alg">> := Val}
+    end;
+fix_alg(#{} = Key) -> Key.
+
+uaa_algs() ->
+    UaaEnv = application:get_env(rabbitmq_auth_backend_oauth2, uaa_jwt_decoder, []),
+    DefaultAlgs = #{<<"HMACSHA256">> => <<"HS256">>,
+                    <<"HMACSHA384">> => <<"HS384">>,
+                    <<"HMACSHA512">> => <<"HS512">>,
+                    <<"SHA256withRSA">> => <<"RS256">>,
+                    <<"SHA512withRSA">> => <<"RS512">>},
+    proplists:get_value(uaa_algs, UaaEnv, DefaultAlgs).

deps/oauth2_client/test/system_SUITE.erl

@@ -49,7 +49,7 @@ groups() ->
                 cannot_introspect_due_to_missing_configuration,
                 {https, [], [
                     {with_introspection_basic_client_credentials, [], [
-                        can_introspect_token                        
+                        can_introspect_token
                     ]},
                     {with_introspection_request_param_client_credentials, [], [
                         can_introspect_token
@@ -192,6 +192,13 @@ init_per_group(with_default_oauth_provider, Config) ->
         OAuthProvider#oauth_provider.id),
     Config;
 
+init_per_group(with_hs256_signing, Config) ->
+    application:set_env(rabbitmq_auth_backend_oauth2, opaque_token_signing_key,
+        #{ id => <<"some-id">>,
+           type => hs256, 
+           key => <<"some-key-value">> }),
+    Config;
+
 init_per_group(with_introspection_endpoint, Config) ->    
     application:set_env(rabbitmq_auth_backend_oauth2, introspection_endpoint,
         build_token_introspection_endpoint("https")),
@@ -743,7 +750,9 @@ cannot_introspect_due_to_missing_configuration(_Config)->
     application:unset_env(rabbitmq_auth_backend_oauth2, introspection_client_secret).
 
 can_introspect_token(_Config) ->
-    {ok, _} = oauth2_client:introspect_token(?MOCK_OPAQUE_TOKEN).
+    {ok, Value} = oauth2_client:introspect_token(?MOCK_OPAQUE_TOKEN),
+    ct:log("JWT : ~p", [Value]),
+    ok.
 
 introspected_token_is_not_active(_Config) ->
     {error, introspected_token_not_valid} = oauth2_client:introspect_token(?MOCK_OPAQUE_TOKEN).
@@ -807,6 +816,8 @@ build_https_oauth_provider(Id, CaCertFile) ->
         jwks_uri = build_jwks_uri("https"),
         ssl_options = ssl_options(verify_peer, false, CaCertFile)
     }.
+oauth_provider_to_proplist(undefined) -> [];
+
 oauth_provider_to_proplist(#oauth_provider{
         issuer = Issuer,
         token_endpoint = TokenEndpoint,

deps/oauth2_client/test/unit_SUITE.erl

@@ -24,11 +24,15 @@ all() ->
     build_openid_discovery_endpoint,
     {group, ssl_options},
     {group, merge},
-    {group, get_expiration_time}
+    {group, get_expiration_time},
+    {group, sign_token}
 ].
 
 groups() ->
 [
+    {sign_token, [], [
+        can_sign_token
+    ]},
     {ssl_options, [], [
         no_ssl_options_triggers_verify_peer,
         choose_verify_over_peer_verification,
@@ -298,3 +302,12 @@ access_token_response_without_expiration_time(_) ->
     },
     ct:log("AccessTokenResponse ~p", [AccessTokenResponse]),
     ?assertEqual({error, missing_exp_field}, oauth2_client:get_expiration_time(AccessTokenResponse)).
+
+
+can_sign_token(_Config) ->
+    application:set_env(rabbitmq_auth_backend_oauth2, opaque_token_signing_key,
+        #{ id => <<"key-id">>, type => hs256, key => <<"some-key">>}),
+
+    {ok, Value } = oauth2_client:sign_token(#{"scopes" => "a b"}),
+    ct:log("JWT : ~p", [Value]),
+    ok.

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -122,6 +122,67 @@
     [list_to_binary(V) || {_, V} <- lists:reverse(Settings)]
  end}.
 
+%% Signing key used by RabbitMQ to convert an introspected opaque token 
+%% into a JWT token for the management UI use case. For messaging 
+%% use cases like AMQP it is not necessary because when a user authenticates with 
+%% an opaque token, RabbitMQ introspects the opaque token to obtain the actual 
+%% JWT's payload with the scopes and those scopes are kept along with the connection
+%% in RabbitMQ's memory for as long as the connection stays alive, exactly as if the user 
+%% would have presented a JWT from the beginning. 
+%% For the management UI use case, there is no server-side state 
+%% hence the management UI has to convert an opaque token into a 
+%% JWT token so that RabbitMQ can validate the JWT token without making 
+%% an external HTTP request to the introspection endpoint. If the management ui 
+%% sends an opaque token, RabbitMQ, in order to validate the token, has to 
+%% introspect it.
+%%
+%% Here it is how this signing key is used:
+%% When a management user logs in for the first time with an 
+%% opaque token, the token is instrospected and validated it. 
+%% If the token is valid, RabbitMQ issues a JWT token whose payload 
+%% is the introspected token and the signing key is configured in 
+%% `auth_oauth2.opaque_token_signing_key`. 
+%% 
+%% The issued JWT token has the same expiry date, scopes, etc as the original
+%% opaque token. In other words, RabbitMQ does not add anything. 
+%% It only wraps it with a digital signature.
+%% 
+%% Maybe it is necessary a rabbitmqctl command to rotate the signing key like: 
+%% rabbitmqctl rotate_opaque_token_signing_key <new_id> <type> [<value> | <key_pem_file> <cert_pem_file>]
+%%
+%% Note: This feature is only necessary when the management UI needs to authenticate with OAuth2 
+%% using opaque tokens. In all other cases, this feature is not necessary.
+%% 
+%% Example:
+%% auth_oauth2.opaque_token_signing_key.id = rabbit_kid
+%% for symmetrical key
+%% auth_oauth2.opaque_token_signing_key.type = HS256 
+%% auth_oauth2.opaque_token_signing_key.key = "hello-world-symmetrical-key"
+%% for asymmetrical key
+%% auth_oauth2.opaque_token_signing_key.type = RS256 
+%% auth_oauth2.opaque_token_signing_key.key_pem_file = rabbit_key.pem
+%% auth_oauth2.opaque_token_signing_key.cert_pem_file = rabbit_cert.pem
+
+{mapping, "auth_oauth2.opaque_token_signing_key.id", 
+      "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.id",
+      [{datatype, string}]}.
+
+{mapping, "auth_oauth2.opaque_token_signing_key.type", 
+      "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.type",
+      [{datatype, {enum, [HS256, RS256]}}]}.
+
+{mapping, "auth_oauth2.opaque_token_signing_key.key", 
+      "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.key",
+      [{datatype, string}]}.
+
+{mapping, "auth_oauth2.opaque_token_signing_key.key_file", 
+      "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.key_pem_file",
+      [{datatype, file}, {validators, ["file_accessible"]}]}.
+
+{mapping, "auth_oauth2.opaque_token_signing_key.cert_file", 
+      "rabbitmq_auth_backend_oauth2.key_config.opaque_token_signing_key.cert_pem_file",
+      [{datatype, file}, {validators, ["file_accessible"]}]}.
+
 
 
 %% ID of the default signing key

deps/rabbitmq_management/priv/schema/rabbitmq_management.schema

@@ -470,7 +470,6 @@ end}.
 {mapping, "management.oauth_provider_url", "rabbitmq_management.oauth_provider_url",
       [{datatype, string}]}.
 
-
 %% Your client application's identifier as registered with the OIDC/OAuth2
 {mapping, "management.oauth_client_id", "rabbitmq_management.oauth_client_id",
       [{datatype, string}]}.