Merge pull request #15793 from rabbitmq/fix-oauth2-basic-auth-reload

rabbitmq_management: Fix issue with oauth2+basic_auth

Author: michaelklishin

deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

@@ -100,13 +100,18 @@ function get_oauth_settings() {
 export function oauth_initialize_if_required(state = "index") {
   let oauth = oauth_initialize(get_oauth_settings())
   if (!oauth.enabled) return oauth;
+
   switch (state) {
     case 'login-callback':
       oauth_completeLogin(); break;
     case 'logout-callback':
       oauth_completeLogout(); break;
     default:
-      oauth = oauth_initiate(oauth);
+      if (has_auth_credentials(BASIC_AUTH_SCHEME)) {
+        break;
+      } else {
+        oauth = oauth_initiate(oauth);
+      }
   }
   return oauth;
 }

deps/rabbitmq_management/priv/www/js/prefs.js

@@ -14,6 +14,10 @@ const LOGGED_IN = 'loggedIn'
 const LOGIN_SESSION_TIMEOUT = "login_session_timeout"
 const AUTH_RESOURCE = 'auth_resource'
 
+const BASIC_AUTH_SCHEME = "Basic"
+const BEARER_AUTH_SCHEME = "Bearer"
+
+
 function set_auth_resource(resource) {
   store_local_pref(AUTH_RESOURCE, resource)
 }
@@ -24,9 +28,12 @@ function get_auth_resource() {
   return get_local_pref(AUTH_RESOURCE)
 }
 
-function has_auth_credentials() {
-    return get_local_pref(CREDENTIALS) != undefined && get_local_pref(AUTH_SCHEME) != undefined &&
-      get_cookie_value(LOGGED_IN) != undefined
+// When auth_scheme is undefined, matches any scheme for backwards compatibility.
+function has_auth_credentials(auth_scheme) {
+    let authenticated =get_local_pref(CREDENTIALS) != undefined && get_local_pref(AUTH_SCHEME) != undefined &&
+      get_cookie_value(LOGGED_IN) != undefined;
+    return authenticated && (auth_scheme == undefined 
+        || auth_scheme == get_auth_scheme());
 }
 function get_auth_credentials() {
     return get_local_pref(CREDENTIALS)
@@ -54,6 +61,7 @@ function set_auth(auth_scheme, credentials, validUntil) {
     store_local_pref(AUTH_SCHEME, auth_scheme)
     store_cookie_value_with_expiration(LOGGED_IN, "true", validUntil) // session marker
 }
+
 function authorization_header() {
     if (has_auth_credentials()) {
         return get_auth_scheme() + ' ' + get_auth_credentials();

selenium/bin/components/fakeproxy

@@ -20,12 +20,11 @@ init_fakeproxy() {
   CLIENT_ID="${CLIENT_ID:-rabbit_idp_user}"
   CLIENT_SECRET="${CLIENT_SECRET:-rabbit_idp_user}"
   RABBITMQ_HOST_FOR_FAKEPROXY=${RABBITMQ_HOST_FOR_FAKEPROXY:-rabbitmq:15672}
-  UAA_URL_FOR_FAKEPROXY=${UAA_URL_FOR_FAKEPROXY:-http://uaa:8080}
 
   RABBITMQ_URL_FOR_FAKEPROXY=$(calculate_rabbitmq_url $RABBITMQ_HOST_FOR_FAKEPROXY)
 
   print "> FAKEPROXY_URL: ${FAKEPROXY_URL}"
-  print "> UAA_URL: ${UAA_URL_FOR_FAKEPROXY}"
+  print "> IDP_TOKEN_ENDPOINT: ${IDP_TOKEN_ENDPOINT}"
   print "> RABBITMQ_HOST_FOR_FAKEPROXY: ${RABBITMQ_HOST_FOR_FAKEPROXY}"
   print "> CLIENT_ID: ${CLIENT_ID}"
   print "> CLIENT_SECRET: ${CLIENT_SECRET}"
@@ -46,7 +45,7 @@ start_fakeproxy() {
     --publish 9090:9090 \
     --env PORT=9090 \
     --env RABBITMQ_URL="${RABBITMQ_URL_FOR_FAKEPROXY}" \
-    --env UAA_URL="${UAA_URL_FOR_FAKEPROXY}" \
+    --env IDP_TOKEN_ENDPOINT="${IDP_TOKEN_ENDPOINT}" \
     --env CLIENT_ID="${CLIENT_ID}" \
     --env CLIENT_SECRET="${CLIENT_SECRET}" \
     --env NODE_EXTRA_CA_CERTS=/etc/uaa/ca_uaa_certificate.pem \

selenium/fakeportal/proxy.js

@@ -1,13 +1,13 @@
 var http = require('http'),
-    httpProxy = require('http-proxy');
+httpProxy = require('http-proxy');
 
 const XMLHttpRequest = require('xmlhttprequest').XMLHttpRequest
 
 const rabbitmq_url = process.env.RABBITMQ_URL || 'http://0.0.0.0:15672/';
 const client_id = process.env.CLIENT_ID;
 const client_secret = process.env.CLIENT_SECRET;
-const uaa_url = process.env.UAA_URL;
 const port = process.env.PORT;
+const idp_token_endpoint = process.env.IDP_TOKEN_ENDPOINT;
 
 //
 // Create a proxy server with custom application logic
@@ -52,7 +52,7 @@ function default_if_blank(value, defaultValue) {
 
 function access_token(id, secret) {
   const req = new XMLHttpRequest();
-  const url = uaa_url + '/oauth/token';
+  const url = idp_token_endpoint;
   const params = 'client_id=' + id +
     '&client_secret=' + secret +
     '&grant_type=client_credentials' +

selenium/test/amqp.js

@@ -52,7 +52,13 @@ module.exports = {
         resolve()
       })
     })
-    console.log("Opening amqp connection using " + JSON.stringify(connectionOptions))
+    log("Opening amqp connection using " + JSON.stringify(connectionOptions,
+       (key, value) => {
+        // Omit the private key from the log output.
+        if (key === "key") return undefined;
+          return value;
+        }
+    ))
 
     let connection = container.connect(connectionOptions)
     let receiver = connection.open_receiver({

selenium/test/oauth/with-basic-auth/happy-login.js

@@ -1,7 +1,7 @@
 const { By, Key, until, Builder } = require('selenium-webdriver')
 require('chromedriver')
 const assert = require('assert')
-const { buildDriver, goToHome, captureScreensFor, teardown, idpLoginPage } = require('../../utils')
+const { buildDriver, goToHome, captureScreensFor, teardown, idpLoginPage, log } = require('../../utils')
 
 const SSOHomePage = require('../../pageobjects/SSOHomePage')
 const OverviewPage = require('../../pageobjects/OverviewPage')
@@ -40,6 +40,46 @@ describe('An user with administrator tag', function () {
     await overview.logout()
   })
 
+  describe("and logged in via OAuth 2.0", function() {
+    before(async function() {
+      await homePage.clickToLogin()
+      await idpLogin.login('rabbit_admin', 'rabbit_admin')
+      if (!await overview.isLoaded()) {
+        throw new Error('Failed to login via OAuth 2.0')
+      }
+    })
+    it ('can reload page without being logged out', async function() {
+      log("About to refresh page")
+      await overview.refresh()
+      if (!await overview.isLoaded()) {
+        throw new Error('Failed to keep session opened')
+      }
+    })
+    after(async function () {
+       await overview.logout()
+    })
+  })
+
+  describe("and logged in via basic auth", function() {
+    before(async function() {
+      await homePage.toggleBasicAuthSection()
+      await homePage.basicAuthLogin('guest', 'guest')
+      if (!await overview.isLoaded()) {
+        throw new Error('Failed to login')
+      }
+    })
+    it ('can reload page without being logged out', async function() {
+      log("About to refresh page")
+      await overview.refresh()
+      if (!await overview.isLoaded()) {
+        throw new Error('Failed to keep session opened')
+      }
+    })
+    after(async function () {
+       await overview.logout()
+    })
+  })
+
   after(async function () {
     await teardown(driver, this, captureScreen)
   })

selenium/test/oauth/with-basic-auth/unauthorized.js

@@ -40,20 +40,6 @@ describe('An user without management tag', function () {
     assert.ok(!await homePage.isOAuth2SectionVisible())
   })
 
-  describe("After clicking on logout button", function() {
-
-      before(async function () {
-          await homePage.clickToLogout()
-      })
-
-      it('should get redirected to home page again without error message', async function(){
-        const visible = await homePage.isWarningVisible()
-        assert.ok(!visible)
-      })
-
-  })
-
-
   after(async function () {
     await teardown(driver, this, captureScreen)
   })

selenium/test/oauth/with-idp-initiated-via-proxy/happy-login.js

@@ -22,6 +22,18 @@ describe('A user with a JWT token', function () {
     assert.equal(await overview.getUser(), 'User rabbit_idp_user')
   })
 
+
+  it ('can reload page without being logged out', async function() {
+    await goToHome(driver);
+    await overview.isLoaded();
+
+    await overview.refresh()
+    if (!await overview.isLoaded()) {
+      throw new Error('Failed to keep session opened')
+    }
+  })
+
+
   after(async function () {
     await teardown(driver, this, captureScreen)
   })

selenium/test/oauth/with-idp-initiated/happy-login.js

@@ -33,6 +33,20 @@ describe('A user with a JWT token', function () {
     assert.equal(await overview.getUser(), 'User ' + username)
   })
 
+  it ('can reload page without being logged out', async function() {
+    await fakePortal.goToHome(username, password)
+    if (!await fakePortal.isLoaded()) {
+      throw new Error('Failed to load fakePortal')
+    }
+    await fakePortal.login()
+    await overview.isLoaded()
+
+    await overview.refresh()
+    if (!await overview.isLoaded()) {
+      throw new Error('Failed to keep session opened')
+    }
+  })
+
   after(async function () {
     await teardown(driver, this, captureScreen)
   })

selenium/test/oauth/with-idp-initiated/logout.js

@@ -1,7 +1,7 @@
 const { By, Key, until, Builder } = require('selenium-webdriver')
 require('chromedriver')
 const assert = require('assert')
-const { buildDriver, captureScreensFor, teardown } = require('../../utils')
+const { buildDriver, captureScreensFor, teardown, delay } = require('../../utils')
 
 const OverviewPage = require('../../pageobjects/OverviewPage')
 const FakePortalPage = require('../../pageobjects/FakePortalPage')
@@ -28,6 +28,7 @@ describe('When a logged in user', function () {
 
   it('logs out', async function () {
     await overview.logout()
+    await delay(1500)
     await fakePortal.isLoaded()
   })