Add token helper functions to oauth2-client module (backport #10645)

deps/oauth2_client/BUILD.bazel

@@ -47,7 +47,10 @@ rabbitmq_app(
     ],
     license_files = [":license_files"],
     priv = [":priv"],
-    deps = ["//deps/rabbit_common:erlang_app"],
+    deps = [
+        "//deps/rabbit_common:erlang_app",
+        "@jose//:erlang_app",
+    ],
 )
 
 xref(
@@ -77,7 +80,9 @@ dialyze(
 
 eunit(
     name = "eunit",
-    compiled_suites = [":test_oauth_http_mock_beam"],
+    compiled_suites = [
+        ":test_oauth_http_mock_beam",
+        ":test_oauth2_client_test_util_beam"],
     target = ":test_erlang_app",
 )
 
@@ -112,6 +117,9 @@ rabbitmq_integration_suite(
 rabbitmq_suite(
     name = "unit_SUITE",
     size = "small",
+    additional_beam = [
+        "test/oauth2_client_test_util.beam",
+    ],
 )
 
 assert_suites()

deps/oauth2_client/Makefile

@@ -3,7 +3,7 @@ PROJECT_DESCRIPTION = OAuth2 client from the RabbitMQ Project
 PROJECT_MOD = oauth2_client_app
 
 BUILD_DEPS = rabbit
-DEPS = rabbit_common
+DEPS = rabbit_common jose
 TEST_DEPS = rabbitmq_ct_helpers cowboy
 LOCAL_DEPS = ssl inets crypto public_key
 

deps/oauth2_client/app.bzl

@@ -8,11 +8,15 @@ def all_beam_files(name = "all_beam_files"):
     )
     erlang_bytecode(
         name = "other_beam",
-        srcs = ["src/oauth2_client.erl"],
+        srcs = ["src/oauth2_client.erl",
+                "src/jwt_helper.erl"],
         hdrs = [":public_and_private_hdrs"],
         app_name = "oauth2_client",
         dest = "ebin",
         erlc_opts = "//:erlc_opts",
+        deps = [
+            "@jose//:erlang_app"
+        ],
     )
 
 def all_test_beam_files(name = "all_test_beam_files"):
@@ -24,11 +28,15 @@ def all_test_beam_files(name = "all_test_beam_files"):
     erlang_bytecode(
         name = "test_other_beam",
         testonly = True,
-        srcs = ["src/oauth2_client.erl"],
+        srcs = ["src/oauth2_client.erl",
+                "src/jwt_helper.erl"],
         hdrs = [":public_and_private_hdrs"],
         app_name = "oauth2_client",
         dest = "test",
         erlc_opts = "//:test_erlc_opts",
+        deps = [
+            "@jose//:erlang_app"
+        ],
     )
 
 def all_srcs(name = "all_srcs"):
@@ -46,7 +54,8 @@ def all_srcs(name = "all_srcs"):
 
     filegroup(
         name = "srcs",
-        srcs = ["src/oauth2_client.erl"],
+        srcs = ["src/oauth2_client.erl",
+                "src/jwt_helper.erl"],
     )
     filegroup(
         name = "private_hdrs",
@@ -90,3 +99,11 @@ def test_suite_beam_files(name = "test_suite_beam_files"):
         app_name = "oauth2_client",
         erlc_opts = "//:test_erlc_opts",
     )
+    erlang_bytecode(
+        name = "test_oauth2_client_test_util_beam",
+        testonly = True,
+        srcs = ["test/oauth2_client_test_util.erl"],
+        outs = ["test/oauth2_client_test_util.beam"],
+        app_name = "oauth2_client",
+        erlc_opts = "//:test_erlc_opts",
+    )

deps/oauth2_client/include/oauth2_client.hrl

@@ -9,6 +9,10 @@
 % define access token request common constants
 
 -define(DEFAULT_HTTP_TIMEOUT, 60000).
+
+% Refresh tome this number of seconds before expires_in token's attribute
+-define(REFRESH_IN_BEFORE_EXPIRES_IN, 5).
+
 -define(DEFAULT_OPENID_CONFIGURATION_PATH, "/.well-known/openid-configuration").
 
 % define access token request constants
@@ -66,7 +70,9 @@
 -record(successful_access_token_response, {
   access_token :: binary(),
   token_type :: binary(),
-  refresh_token :: option(binary()),
+  refresh_token :: option(binary()),    % A refresh token SHOULD NOT be included
+                                        % .. for client-credentials flow.
+                                        % https://www.rfc-editor.org/rfc/rfc6749#section-4.4.3
   expires_in :: option(integer())
 }).
 

deps/oauth2_client/src/jwt_helper.erl

@@ -0,0 +1,22 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+-module(jwt_helper).
+
+-export([decode/1, get_expiration_time/1]).
+
+-include_lib("jose/include/jose_jwt.hrl").
+
+decode(Token) ->
+    try
+        #jose_jwt{fields = Fields} = jose_jwt:peek_payload(Token),
+        Fields
+    catch Type:Err:Stacktrace ->
+        {error, {invalid_token, Type, Err, Stacktrace}}
+    end.
+
+get_expiration_time(#{<<"exp">> := Exp}) when is_integer(Exp) -> {ok, Exp};
+get_expiration_time(#{}) -> {error, missing_exp_field}.

deps/oauth2_client/src/oauth2_client.erl

@@ -5,7 +5,7 @@
 %% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
 %%
 -module(oauth2_client).
--export([get_access_token/2,
+-export([get_access_token/2, get_expiration_time/1,
         refresh_access_token/2,
         get_oauth_provider/1, get_oauth_provider/2,
         extract_ssl_options_as_list/1
@@ -71,6 +71,19 @@ get_openid_configuration(IssuerURI, OpenIdConfigurationPath, TLSOptions) ->
 get_openid_configuration(IssuerURI, TLSOptions) ->
     get_openid_configuration(IssuerURI, ?DEFAULT_OPENID_CONFIGURATION_PATH, TLSOptions).
 
+-spec get_expiration_time(successful_access_token_response()) -> 
+    {ok, [{expires_in, integer() }| {exp, integer() }]} | {error, missing_exp_field}.
+get_expiration_time(#successful_access_token_response{expires_in = ExpiresInSec,
+        access_token = AccessToken}) ->
+    case ExpiresInSec of
+        undefined -> 
+            case jwt_helper:get_expiration_time(jwt_helper:decode(AccessToken)) of 
+                {ok, Exp} -> {ok, [{exp, Exp}]};
+                {error, _} = Error -> Error 
+            end;
+        _ -> {ok, [{expires_in, ExpiresInSec}]}
+    end.
+
 update_oauth_provider_endpoints_configuration(OAuthProvider) ->
     LockId = lock(),
     try do_update_oauth_provider_endpoints_configuration(OAuthProvider) of

deps/oauth2_client/test/oauth2_client_test_util.erl

@@ -0,0 +1,154 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+-module(oauth2_client_test_util).
+
+-compile(export_all).
+
+-define(DEFAULT_EXPIRATION_IN_SECONDS, 2).
+
+%%
+%% API
+%%
+
+sign_token_hs(Token, #{<<"kid">> := TokenKey} = Jwk) ->
+    sign_token_hs(Token, Jwk, TokenKey).
+
+sign_token_hs(Token, Jwk, TokenKey) ->
+    Jws = #{
+      <<"alg">> => <<"HS256">>,
+      <<"kid">> => TokenKey
+    },
+    sign_token(Token, Jwk, Jws).
+
+sign_token_rsa(Token, Jwk, TokenKey) ->
+    Jws = #{
+      <<"alg">> => <<"RS256">>,
+      <<"kid">> => TokenKey
+    },
+    sign_token(Token, Jwk, Jws).
+
+sign_token_no_kid(Token, Jwk) ->
+    Signed = jose_jwt:sign(Jwk, Token),
+    jose_jws:compact(Signed).
+
+sign_token(Token, Jwk, Jws) ->
+    Signed = jose_jwt:sign(Jwk, Jws, Token),
+    jose_jws:compact(Signed).
+
+fixture_jwk() ->
+  fixture_jwk(<<"token-key">>).
+
+fixture_jwk(TokenKey) ->
+    fixture_jwk(TokenKey, <<"dG9rZW5rZXk">>).
+
+fixture_jwk(TokenKey, K) ->
+    #{<<"alg">> => <<"HS256">>,
+      <<"k">> => K,
+      <<"kid">> => TokenKey,
+      <<"kty">> => <<"oct">>,
+      <<"use">> => <<"sig">>,
+      <<"value">> => TokenKey}.
+
+full_permission_scopes() ->
+    [<<"rabbitmq.configure:*/*">>,
+     <<"rabbitmq.write:*/*">>,
+     <<"rabbitmq.read:*/*">>].
+
+expirable_token() ->
+    expirable_token(?DEFAULT_EXPIRATION_IN_SECONDS).
+
+expirable_token(Seconds) ->
+    TokenPayload = fixture_token(),
+    %% expiration is a timestamp with precision in seconds
+    TokenPayload#{<<"exp">> := os:system_time(seconds) + Seconds}.
+
+expirable_token_with_expiration_time(ExpiresIn) ->
+    TokenPayload = fixture_token(),
+    %% expiration is a timestamp with precision in seconds
+    TokenPayload#{<<"exp">> := ExpiresIn}.
+
+expired_token() ->
+    expired_token_with_scopes(full_permission_scopes()).
+
+expired_token_with_scopes(Scopes) ->
+    token_with_scopes_and_expiration(Scopes, seconds_in_the_past(10)).
+
+fixture_token_with_scopes(Scopes) ->
+    token_with_scopes_and_expiration(Scopes, default_expiration_moment()).
+
+token_with_scopes_and_expiration(Scopes, Expiration) ->
+    %% expiration is a timestamp with precision in seconds
+    #{<<"exp">> => Expiration,
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>],
+      <<"scope">> => Scopes}.
+
+token_without_scopes() ->
+    %% expiration is a timestamp with precision in seconds
+    #{
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>]
+      }.
+
+fixture_token() ->
+    fixture_token([]).
+
+token_with_sub(TokenFixture, Sub) ->
+    maps:put(<<"sub">>, Sub, TokenFixture).
+token_with_scopes(TokenFixture, Scopes) ->
+    maps:put(<<"scope">>, Scopes, TokenFixture).
+
+fixture_token(ExtraScopes) ->
+    Scopes = [<<"rabbitmq.configure:vhost/foo">>,
+              <<"rabbitmq.write:vhost/foo">>,
+              <<"rabbitmq.read:vhost/foo">>,
+              <<"rabbitmq.read:vhost/bar">>,
+              <<"rabbitmq.read:vhost/bar/%23%2Ffoo">>] ++ ExtraScopes,
+    fixture_token_with_scopes(Scopes).
+
+fixture_token_with_full_permissions() ->
+    fixture_token_with_scopes(full_permission_scopes()).
+
+plain_token_without_scopes_and_aud() ->
+  %% expiration is a timestamp with precision in seconds
+  #{<<"exp">> => default_expiration_moment(),
+    <<"iss">> => <<"unit_test">>,
+    <<"foo">> => <<"bar">>}.
+
+token_with_scope_alias_in_scope_field(Value) ->
+    %% expiration is a timestamp with precision in seconds
+    #{<<"exp">> => default_expiration_moment(),
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>],
+      <<"scope">> => Value}.
+
+token_with_scope_alias_in_claim_field(Claims, Scopes) ->
+    %% expiration is a timestamp with precision in seconds
+    #{<<"exp">> => default_expiration_moment(),
+      <<"iss">> => <<"unit_test">>,
+      <<"foo">> => <<"bar">>,
+      <<"aud">> => [<<"rabbitmq">>],
+      <<"scope">>  => Scopes,
+      <<"claims">> => Claims}.
+
+seconds_in_the_future() ->
+    seconds_in_the_future(30).
+
+seconds_in_the_future(N) ->
+    os:system_time(seconds) + N.
+
+seconds_in_the_past() ->
+    seconds_in_the_past(10).
+
+seconds_in_the_past(N) ->
+    os:system_time(seconds) - N.
+
+default_expiration_moment() ->
+    seconds_in_the_future(30).