Prevent change of username on token refresh

MarcialRosales · mergify[bot] · commit 3d8629b2a303 · 2024-11-27T12:35:54.000Z
(cherry picked from commit 3718fe3) # Conflicts: # deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
@@ -98,6 +98,7 @@ check_topic_access(#auth_user{impl = DecodedTokenFun},
         end).
 
 update_state(AuthUser, NewToken) ->
+<<<<<<< HEAD
   case check_token(NewToken) of
       %% avoid logging the token
       {error, _} = E  -> E;
@@ -111,6 +112,32 @@ update_state(AuthUser, NewToken) ->
           {ok, AuthUser#auth_user{tags = Tags,
                                   impl = fun() -> DecodedToken end}}
   end.
+=======
+    case resolve_resource_server(NewToken) of
+        {error, _} = Err0 -> Err0;
+        {ResourceServer, _} = Tuple ->
+            case check_token(NewToken, Tuple) of
+                %% avoid logging the token
+                {refused, {error, {invalid_token, error, _Err, _Stacktrace}}} ->
+                    {refused, "Authentication using an OAuth 2/JWT token failed: provided token is invalid"};
+                {refused, Err} ->
+                    {refused, rabbit_misc:format("Authentication using an OAuth 2/JWT token failed: ~tp", [Err])};
+                {ok, DecodedToken} ->
+                    CurToken = AuthUser#auth_user.impl,
+                    case ensure_same_username(
+                            ResourceServer#resource_server.preferred_username_claims,
+                            CurToken(), DecodedToken) of 
+                        ok ->
+                            Tags = tags_from(DecodedToken),
+                            {ok, AuthUser#auth_user{tags = Tags,
+                                                    impl = fun() -> DecodedToken end}};
+                        {error, mismatch_username_after_token_refresh} -> 
+                            {refused, 
+                                "Not allowed to change username on refreshed token"}
+                    end
+            end
+    end.
+>>>>>>> 3718fe3289 (Prevent change of username on token refresh)
 
 expiry_timestamp(#auth_user{impl = DecodedTokenFun}) ->
     case DecodedTokenFun() of
@@ -145,8 +172,27 @@ authenticate(_, AuthProps0) ->
             case with_decoded_token(DecodedToken, Func) of
                 {error, Err} ->
                     {refused, "Authentication using an OAuth 2/JWT token failed: ~tp", [Err]};
+<<<<<<< HEAD
                 Else ->
                     Else
+=======
+                {ok, DecodedToken} ->                    
+                    Func = fun(Token0) ->
+                                Username = username_from(
+                                    ResourceServer#resource_server.preferred_username_claims,
+                                    Token0),
+                                Tags     = tags_from(Token0),
+                                {ok, #auth_user{username = Username,
+                                                tags = Tags,
+                                                impl = fun() -> Token0 end}}
+                           end,
+                    case with_decoded_token(DecodedToken, Func) of
+                        {error, Err} ->
+                            {refused, "Authentication using an OAuth 2/JWT token failed: ~tp", [Err]};
+                        Else ->
+                            Else
+                    end
+>>>>>>> 3718fe3289 (Prevent change of username on token refresh)
             end
     end.
 
@@ -157,6 +203,12 @@ with_decoded_token(DecodedToken, Fun) ->
             rabbit_log:error(Msg),
             Err
     end.
+ensure_same_username(PreferredUsernameClaims, CurrentDecodedToken, NewDecodedToken) ->
+    CurUsername = username_from(PreferredUsernameClaims, CurrentDecodedToken),
+    case {CurUsername, username_from(PreferredUsernameClaims, NewDecodedToken)} of 
+        {CurUsername, CurUsername} -> ok;
+        _ -> {error, mismatch_username_after_token_refresh}
+    end. 
 
 validate_token_expiry(#{<<"exp">> := Exp}) when is_integer(Exp) ->
     Now = os:system_time(seconds),
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/jwks_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/jwks_SUITE.erl
@@ -45,7 +45,8 @@ groups() ->
         test_failed_connection_with_a_token_with_insufficient_resource_permission,
         test_failed_connection_with_algorithm_restriction,
         test_failed_token_refresh_case1,
-        test_failed_token_refresh_case2
+        test_failed_token_refresh_case2,
+        cannot_change_username_on_refreshed_token
         ]},
     {no_peer_verification, [], [
         {group, happy_path},
@@ -531,6 +532,11 @@ generate_valid_token(Config, Jwk, Scopes, Audience) ->
     IncludeKid = rabbit_ct_helpers:get_config(Config, include_kid, true),
     ?UTIL_MOD:sign_token_hs(Token, Jwk, IncludeKid).
 
+generate_valid_token_with_sub(Config, Jwk, Scopes, Sub) ->
+    Token = ?UTIL_MOD:token_with_sub(?UTIL_MOD:fixture_token_with_scopes(Scopes), Sub),
+    IncludeKid = rabbit_ct_helpers:get_config(Config, include_kid, true),
+    ?UTIL_MOD:sign_token_hs(Token, Jwk, IncludeKid).
+
 generate_valid_token_with_extra_fields(Config, ExtraFields) ->
     Jwk = case rabbit_ct_helpers:get_config(Config, fixture_jwk) of
               undefined -> ?UTIL_MOD:fixture_jwk();
@@ -912,6 +918,29 @@ test_failed_token_refresh_case2(Config) ->
 
     close_connection(Conn).
 
+cannot_change_username_on_refreshed_token(Config) ->
+    Jwk = 
+        case get_config(Config, fixture_jwk) of
+            undefined -> ?UTIL_MOD:fixture_jwk();
+            Value     -> Value
+        end,
+    {_, CurToken} = generate_valid_token(Config, Jwk, <<"oldUsername">>, [
+        <<"rabbitmq.configure:vhost4/*">>,
+        <<"rabbitmq.write:vhost4/*">>,
+        <<"rabbitmq.read:vhost4/*">>]),
+    Conn     = open_unmanaged_connection(Config, 0, <<"vhost4">>, 
+                <<"oldUsername">>, CurToken),
+   
+    {_, RefreshToken} = generate_valid_token_with_sub(Config, Jwk, <<"newUsername">>,
+        [<<"rabbitmq.configure:vhost4/*">>,
+         <<"rabbitmq.write:vhost4/*">>,
+         <<"rabbitmq.read:vhost4/*">>]),
+
+    %% the error is communicated asynchronously via a connection-level error
+    ?assertException(exit, _, amqp_connection:update_secret(Conn, RefreshToken,
+        <<"token refresh">>)).
+
+
 test_failed_connection_with_algorithm_restriction(Config) ->
     {_Algo, Token} = rabbit_ct_helpers:get_config(Config, fixture_jwt),
     ?assertMatch({error, {auth_failure, _}},
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/system_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/system_SUITE.erl
@@ -52,7 +52,8 @@ groups() ->
 
      {token_refresh, [], [
                        test_failed_token_refresh_case1,
-                       test_failed_token_refresh_case2
+                       test_failed_token_refresh_case2,
+                       refreshed_token_cannot_change_username
      ]},
 
      {extra_scopes_source, [], [
@@ -312,21 +313,33 @@ preconfigure_node(Config) ->
 
     rabbit_ct_helpers:set_config(Config, {fixture_jwk, Jwk}).
 
+generate_valid_token_with_sub(Config, Sub) ->
+    generate_valid_token(Config, 
+        ?UTIL_MOD:full_permission_scopes(), undefined, Sub).
+
 generate_valid_token(Config) ->
     generate_valid_token(Config, ?UTIL_MOD:full_permission_scopes()).
 
 generate_valid_token(Config, Scopes) ->
-    generate_valid_token(Config, Scopes, undefined).
+    generate_valid_token(Config, Scopes, undefined, undefined).
 
 generate_valid_token(Config, Scopes, Audience) ->
+    generate_valid_token(Config, Scopes, Audience, undefined).
+
+generate_valid_token(Config, Scopes, Audience, Sub) ->
     Jwk = case rabbit_ct_helpers:get_config(Config, fixture_jwk) of
               undefined -> ?UTIL_MOD:fixture_jwk();
               Value     -> Value
           end,
-    Token = case Audience of
+    Token0 = case Audience of
         undefined -> ?UTIL_MOD:fixture_token_with_scopes(Scopes);
-        DefinedAudience -> maps:put(<<"aud">>, DefinedAudience, ?UTIL_MOD:fixture_token_with_scopes(Scopes))
+        DefinedAudience -> maps:put(<<"aud">>, DefinedAudience, 
+            ?UTIL_MOD:fixture_token_with_scopes(Scopes))
     end,
+    Token = case Sub of 
+        undefined -> Token0;
+        _ -> maps:put(<<"sub">>, Sub, Token0)
+    end,    
     ?UTIL_MOD:sign_token_hs(Token, Jwk).
 
 generate_valid_token_with_extra_fields(Config, ExtraFields) ->
@@ -693,6 +706,15 @@ test_failed_token_refresh_case1(Config) ->
 
     close_connection(Conn).
 
+refreshed_token_cannot_change_username(Config) ->
+    {_, Token} = generate_valid_token_with_sub(Config, <<"username">>),
+    Conn     = open_unmanaged_connection(Config, 0, <<"vhost4">>, <<"username">>, Token),
+    {_, RefreshedToken} = generate_valid_token_with_sub(Config, <<"username2">>),
+
+    %% the error is communicated asynchronously via a connection-level error
+    ?assertException(exit, {{nodedown,not_allowed},_}, amqp_connection:update_secret(Conn, RefreshedToken, <<"token refresh">>)).
+    
+
 test_failed_token_refresh_case2(Config) ->
     {_Algo, Token} = generate_valid_token(Config, [<<"rabbitmq.configure:vhost4/*">>,
                                                    <<"rabbitmq.write:vhost4/*">>,
