Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OAuth2 authorization flow #476

Merged
merged 2 commits into from
Feb 21, 2023
Merged

Support OAuth2 authorization flow #476

merged 2 commits into from
Feb 21, 2023

Conversation

binarin
Copy link
Contributor

@binarin binarin commented Feb 14, 2023

Now it's possible to connect to rabbit with an OAuth2 token like this:

java -jar ./target/perf-test.jar \
  --uri amqps://some-uri-without-user-and-password:5671 \
  --oauth2-token-endpoint https://example.com/api/auth/token \
  --oauth2-client-id 12345 \
  --oauth2-client-secret qwerty \
  --oauth2-grant-type client_credentials \
  --oauth2-parameters orgId=1212 \
  --oauth2-parameters subject_token_type=urn:ietf:params:oauth:token-type:access_token

NOTE: jackson is an optional dependency of amqp client, and it needs to be
explicitly pulled here to make OAuth2 work.

@binarin
Support OAuth2 authorization flow
18de796 
Now it's possible to connect to rabbit with an OAuth2 token like this:

```bash
java -jar ./target/perf-test.jar \
  --uri amqps://some-uri-without-user-and-password:5671 \
  --oauth2-token-endpoint https://example.com/api/auth/token \
  --oauth2-client-id 12345 \
  --oauth2-client-secret qwerty \
  --oauth2-grant-type client_credentials \
  --oauth2-parameters orgId=1212 \
  --oauth2-parameters subject_token_type=urn:ietf:params:oauth:token-type:access_token
```

NOTE: jackson is an optional dependency of amqp client, and it needs to be
explicitly pulled here to make OAuth2 work.
@binarin binarin requested a review from acogoluegnes February 15, 2023 20:11
@binarin binarin marked this pull request as draft February 20, 2023 08:32
@binarin
Copy link
Contributor Author

binarin commented Feb 20, 2023

It fails ssl verification against a host with incomplete certificate chain (it's a testing server, can't change anything here), despite the fact that SSL context should (and is) ignoring self-signed certs for amqps.

09:35:31.501 [main] WARN  c.r.c.TrustEverythingTrustManager - SECURITY ALERT: this trust manager trusts every certificate, effectively disabling peer verification. This is convenient for local development but offers no protection against man-in-the-middle attacks. Please see https://www.rabbitmq.com/ssl.html to learn more about peer certificate verification.
09:35:32.052 [main] ERROR c.r.client.impl.SocketFrameHandler - TLS connection failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
09:35:32.475 [main] ERROR c.r.client.impl.SocketFrameHandler - TLS connection failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Main thread caught exception: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
09:35:32.475 [main] ERROR com.rabbitmq.perf.PerfTest - Main thread caught exception
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1356)
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231)
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
        at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:818)
        at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
        at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1180)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.DataOutputStream.flush(DataOutputStream.java:123)
        at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:160)
        at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:170)
        at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:314)
        at com.rabbitmq.client.impl.recovery.RecoveryAwareAMQConnectionFactory.newConnection(RecoveryAwareAMQConnectionFactory.java:65)
        at com.rabbitmq.client.impl.recovery.AutorecoveringConnection.init(AutorecoveringConnection.java:160)
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1216)
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1173)
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1071)
        at com.rabbitmq.perf.MulticastSet$ConnectionCreator.createConfigurationConnections(MulticastSet.java:914)
        at com.rabbitmq.perf.MulticastSet.createConfigurationConnections(MulticastSet.java:375)
        at com.rabbitmq.perf.MulticastSet.run(MulticastSet.java:209)
        at com.rabbitmq.perf.PerfTest.main(PerfTest.java:322)
        at com.rabbitmq.perf.PerfTest.main(PerfTest.java:773)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:108)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:65)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
        at sun.security.validator.Validator.validate(Validator.java:271)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
        ... 37 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
        ... 43 common frames omitted

@binarin binarin marked this pull request as ready for review February 20, 2023 14:08
@acogoluegnes acogoluegnes added this to the 2.20.0 milestone Feb 21, 2023
@acogoluegnes acogoluegnes merged commit 8975fa8 into main Feb 21, 2023
@acogoluegnes acogoluegnes deleted the oauth2-support branch February 21, 2023 13:57
github-actions bot pushed a commit that referenced this pull request Feb 21, 2023
@rabbitmq-ci
Merge pull request #476 from rabbitmq/oauth2-support
5069bde 
Support OAuth2 authorization flow
acogoluegnes added a commit that referenced this pull request Feb 23, 2023
@acogoluegnes
Use GSON to parse OAuth 2 token
0bcdadb 
Instead of Jackson. GSON is smaller than Jackson and enough
for our usage. Adding Jackson makes the binary 30% bigger.

References #476, #458
github-actions bot pushed a commit that referenced this pull request Feb 23, 2023
@rabbitmq-ci
Use GSON to parse OAuth 2 token
c45238f 
Instead of Jackson. GSON is smaller than Jackson and enough
for our usage. Adding Jackson makes the binary 30% bigger.

References #476, #458
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@acogoluegnes acogoluegnes acogoluegnes approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
2.20.0
Development

Successfully merging this pull request may close these issues.
2 participants
@binarin @acogoluegnes