Implement AMQP 1.0: support JWT (OAuth 2) (#109)

 - Closes: #85 
 - Add  `rabbitmq_auth_backend_oauth2` configuration to CI ubuntu single node and CI cluster.
 - Update the RabbitMQ docker images to `4.1.0-beta.4`
 - Add TLS tests for different virtual hosts
 - Add an Example for OAuth2
---------

Signed-off-by: Gabriele Santomaggio <[email protected]>

Author: Gsantomaggio

.ci/ubuntu/cluster/gha-setup.sh

@@ -19,7 +19,7 @@ function run_docker_compose
     docker compose --file "$script_dir/docker-compose.yml" $@
 }
 
-readonly rabbitmq_image="${RABBITMQ_IMAGE:-pivotalrabbitmq/rabbitmq:main}"
+readonly rabbitmq_image="${RABBITMQ_IMAGE:-rabbitmq:4.1.0-beta.4-management-alpine}"
 
 if [[ ! -v GITHUB_ACTIONS ]]
 then

.ci/ubuntu/cluster/rmq/Dockerfile

@@ -1,4 +1,4 @@
-ARG RABBITMQ_DOCKER_TAG=pivotalrabbitmq/rabbitmq:main
+ARG RABBITMQ_DOCKER_TAG=rabbitmq:4.1.0-beta.4-management-alpine
 
 FROM ${RABBITMQ_DOCKER_TAG}
 

.ci/ubuntu/cluster/rmq/advanced.config

@@ -1,3 +1,14 @@
 [
-    {kernel, [{net_ticktime, 15}]}
-].
+  {kernel, [{net_ticktime, 15}]},
+  {rabbitmq_auth_backend_oauth2, [{key_config,
+         [{signing_keys,
+              #{<<"token-key">> =>
+                    {map,
+                        #{<<"alg">> => <<"HS256">>,
+                          <<"k">> => <<"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH">>,
+                          <<"kid">> => <<"token-key">>,
+                          <<"kty">> => <<"oct">>,
+                          <<"use">> => <<"sig">>,
+                          <<"value">> => <<"token-key">>}}}}]},
+     {resource_server_id,<<"rabbitmq">>}]}
+].

.ci/ubuntu/cluster/rmq/enabled_plugins

@@ -1 +1 @@
-[rabbitmq_auth_mechanism_ssl,rabbitmq_management,rabbitmq_top].
+[rabbitmq_auth_mechanism_ssl,rabbitmq_management,rabbitmq_stream,rabbitmq_stream_management,rabbitmq_top,rabbitmq_auth_backend_oauth2].

.ci/ubuntu/cluster/rmq/rabbitmq.conf

@@ -28,3 +28,7 @@ cluster_formation.peer_discovery_backend = classic_config
 cluster_formation.classic_config.nodes.0 = [email protected]
 cluster_formation.classic_config.nodes.1 = [email protected]
 cluster_formation.classic_config.nodes.2 = [email protected]
+
+
+auth_backends.1 = internal
+auth_backends.2 = rabbit_auth_backend_oauth2

.ci/ubuntu/one-node/advanced.config

@@ -0,0 +1,13 @@
+[
+  {rabbitmq_auth_backend_oauth2, [{key_config,
+         [{signing_keys,
+              #{<<"token-key">> =>
+                    {map,
+                        #{<<"alg">> => <<"HS256">>,
+                          <<"k">> => <<"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH">>,
+                          <<"kid">> => <<"token-key">>,
+                          <<"kty">> => <<"oct">>,
+                          <<"use">> => <<"sig">>,
+                          <<"value">> => <<"token-key">>}}}}]},
+     {resource_server_id,<<"rabbitmq">>}]}
+].

.ci/ubuntu/one-node/enabled_plugins

@@ -1 +1 @@
-[rabbitmq_auth_mechanism_ssl,rabbitmq_management,rabbitmq_stream,rabbitmq_stream_management,rabbitmq_top].
+[rabbitmq_auth_mechanism_ssl,rabbitmq_management,rabbitmq_stream,rabbitmq_stream_management,rabbitmq_top,rabbitmq_auth_backend_oauth2].

.ci/ubuntu/one-node/gha-setup.sh

@@ -8,12 +8,9 @@ script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 readonly script_dir
 echo "[INFO] script_dir: '$script_dir'"
 
-if [[ $3 == 'arm' ]]
-then
-    readonly rabbitmq_image="${RABBITMQ_IMAGE:-pivotalrabbitmq/rabbitmq-arm64:main}"
-else
-    readonly rabbitmq_image="${RABBITMQ_IMAGE:-pivotalrabbitmq/rabbitmq:main}"
-fi
+
+readonly rabbitmq_image="${RABBITMQ_IMAGE:-rabbitmq:4.1.0-beta.4-management-alpine}"
+
 
 
 readonly docker_name_prefix='rabbitmq-amqp-dotnet-client'
@@ -92,6 +89,7 @@ function start_rabbitmq
         --volume "$GITHUB_WORKSPACE/.ci/ubuntu/one-node/enabled_plugins:/etc/rabbitmq/enabled_plugins" \
         --volume "$GITHUB_WORKSPACE/.ci/ubuntu/one-node/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf:ro" \
         --volume "$GITHUB_WORKSPACE/.ci/certs:/etc/rabbitmq/certs:ro" \
+        --volume "$GITHUB_WORKSPACE/.ci/ubuntu/one-node/advanced.config:/etc/rabbitmq/advanced.config:ro" \
         --volume "$GITHUB_WORKSPACE/.ci/ubuntu/log:/var/log/rabbitmq" \
         "$rabbitmq_image"
 }

.ci/ubuntu/one-node/rabbitmq.conf

@@ -24,3 +24,6 @@ ssl_options.fail_if_no_peer_cert = false
 auth_mechanisms.1 = PLAIN
 auth_mechanisms.2 = ANONYMOUS
 auth_mechanisms.3 = EXTERNAL
+
+auth_backends.1 = internal
+auth_backends.2 = rabbit_auth_backend_oauth2

.ci/windows/advanced.config

@@ -0,0 +1,13 @@
+[
+  {rabbitmq_auth_backend_oauth2, [{key_config,
+         [{signing_keys,
+              #{<<"token-key">> =>
+                    {map,
+                        #{<<"alg">> => <<"HS256">>,
+                          <<"k">> => <<"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH">>,
+                          <<"kid">> => <<"token-key">>,
+                          <<"kty">> => <<"oct">>,
+                          <<"use">> => <<"sig">>,
+                          <<"value">> => <<"token-key">>}}}}]},
+     {resource_server_id,<<"rabbitmq">>}]}
+].

.ci/windows/enabled_plugins

@@ -1 +1 @@
-[rabbitmq_auth_mechanism_ssl,rabbitmq_management,rabbitmq_stream,rabbitmq_stream_management,rabbitmq_top].
+[rabbitmq_auth_mechanism_ssl,rabbitmq_management,rabbitmq_stream,rabbitmq_stream_management,rabbitmq_top,rabbitmq_auth_backend_oauth2].

.ci/windows/gha-setup.ps1

@@ -20,6 +20,11 @@ New-Variable -Name ca_certificate_file -Option Constant -Value `
 New-Variable -Name enabled_plugins_file -Option Constant -Value `
     (Resolve-Path -LiteralPath (Join-Path -Path $ci_windows_dir -ChildPath 'enabled_plugins'))
 
+New-Variable -Name advanced_config_file -Option Constant -Value `
+    (Resolve-Path -LiteralPath (Join-Path -Path $ci_windows_dir -ChildPath 'advanced.config'))
+
+
+
 Write-Host "[INFO] importing CA cert from '$ca_certificate_file'"
 Import-Certificate -Verbose -CertStoreLocation Cert:\LocalMachine\Root -FilePath $ca_certificate_file
 
@@ -145,6 +150,7 @@ $rabbitmq_appdata_dir = Join-Path -Path $env:AppData -ChildPath 'RabbitMQ'
 New-Item -Path $rabbitmq_appdata_dir -ItemType Directory
 $rabbitmq_conf_file = Join-Path -Path $rabbitmq_appdata_dir -ChildPath 'rabbitmq.conf'
 $rabbitmq_enabled_plugins_file = Join-Path -Path $rabbitmq_appdata_dir -ChildPath 'enabled_plugins'
+$rabbitmq_advanced_config_file = Join-Path -Path $rabbitmq_appdata_dir -ChildPath 'advanced.config'
 
 Write-Host "[INFO] Creating RabbitMQ configuration file in '$rabbitmq_appdata_dir'"
 Get-Content $rabbitmq_conf_in_file | %{ $_ -replace '@@CERTS_DIR@@', $certs_dir } | %{ $_ -replace '\\', '/' } | Set-Content -LiteralPath $rabbitmq_conf_file
@@ -153,6 +159,10 @@ Get-Content $rabbitmq_conf_file
 Write-Host "[INFO] Copying  '$enabled_plugins_file' to '$rabbitmq_enabled_plugins_file'"
 Copy-Item -Verbose -Force -LiteralPath $enabled_plugins_file -Destination $rabbitmq_enabled_plugins_file
 
+Write-Host "[INFO] Copying  '$advanced_config_file' to '$rabbitmq_advanced_config_file'"
+Copy-Item -Verbose -Force -LiteralPath $advanced_config_file -Destination $rabbitmq_advanced_config_file
+
+
 Write-Host '[INFO] Creating Erlang cookie files...'
 
 function Set-ErlangCookie

.ci/windows/versions.json

@@ -1,4 +1,4 @@
 {
   "erlang": "27.2",
-  "rabbitmq": "4.0.5"
+  "rabbitmq": "4.1.0-beta.4"
 }

Directory.Packages.props

@@ -13,6 +13,7 @@
     <!-- Tests -->
     <PackageVersion Include="Microsoft.Extensions.Diagnostics" Version="9.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Diagnostics.Testing" Version="9.0.0" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.6.1" />
     <PackageVersion Include="System.Text.Json" Version="9.0.0" />
     <PackageVersion Include="xunit" Version="2.9.2" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2" />
@@ -39,4 +40,4 @@
     <GlobalPackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
     <GlobalPackageReference Include="MinVer" Version="6.0.0" />
   </ItemGroup>
-</Project>
+</Project>