Skip to content

Commit 573bdad

Browse files
michaelklishinmichaelklishin
authored
Merge pull request #13507 from rabbitmq/mergify/bp/v4.0.x/pr-13502
Improve oauth2 idp-initiated login (backport #13476) (backport #13502)
2 parents 5494edf + 02e5b07 commit 573bdad

File tree

3 files changed

+80
-27
lines changed

3 files changed

+80
-27
lines changed

deps/rabbitmq_management/include/rabbit_mgmt.hrl

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,3 +13,6 @@
1313
-define(MANAGEMENT_PG_GROUP, management_db).
1414

1515
-define(MANAGEMENT_DEFAULT_HTTP_MAX_BODY_SIZE, 20000000).
16+
17+
-define(OAUTH2_ACCESS_TOKEN_COOKIE_NAME, <<"access_token">>).
18+
-define(OAUTH2_ACCESS_TOKEN_COOKIE_PATH, <<"/js/oidc-oauth/bootstrap.js">>).

deps/rabbitmq_management/src/rabbit_mgmt_login.erl

Lines changed: 40 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -10,29 +10,52 @@
1010
-export([init/2]).
1111

1212
-include_lib("rabbitmq_management_agent/include/rabbit_mgmt_records.hrl").
13+
-include("rabbit_mgmt.hrl").
14+
1315
%%--------------------------------------------------------------------
1416

1517
init(Req0, State) ->
1618
login(cowboy_req:method(Req0), Req0, State).
1719

18-
login(<<"POST">>, Req0, State) ->
19-
{ok, Body, _} = cowboy_req:read_urlencoded_body(Req0),
20-
AccessToken = proplists:get_value(<<"access_token">>, Body),
21-
case rabbit_mgmt_util:is_authorized_user(Req0, #context{}, <<"">>, AccessToken, false) of
22-
{true, Req1, _} ->
23-
NewBody = ["<html><head></head><body><script src='js/prefs.js'></script><script type='text/javascript'>",
24-
"set_token_auth('", AccessToken, "'); window.location = '", rabbit_mgmt_util:get_path_prefix(),
25-
"/'</script></body></html>"],
26-
Req2 = cowboy_req:reply(200, #{<<"content-type">> => <<"text/html; charset=utf-8">>}, NewBody, Req1),
27-
{ok, Req2, State};
28-
{false, ReqData1, Reason} ->
29-
Home = cowboy_req:uri(ReqData1, #{path => rabbit_mgmt_util:get_path_prefix() ++ "/", qs => "error=" ++ Reason}),
30-
ReqData2 = cowboy_req:reply(302,
31-
#{<<"Location">> => iolist_to_binary(Home) },
32-
<<>>, ReqData1),
33-
{ok, ReqData2, State}
34-
end;
20+
login(<<"POST">>, Req0=#{scheme := Scheme}, State) ->
21+
{ok, Body, _} = cowboy_req:read_urlencoded_body(Req0),
22+
AccessToken = proplists:get_value(<<"access_token">>, Body),
23+
case rabbit_mgmt_util:is_authorized_user(Req0, #context{}, <<"">>, AccessToken, false) of
24+
{true, Req1, _} ->
25+
CookieSettings = #{
26+
http_only => true,
27+
path => ?OAUTH2_ACCESS_TOKEN_COOKIE_PATH,
28+
max_age => 30,
29+
same_site => strict
30+
},
31+
SetCookie = cowboy_req:set_resp_cookie(?OAUTH2_ACCESS_TOKEN_COOKIE_NAME, AccessToken, Req1,
32+
case Scheme of
33+
<<"https">> -> CookieSettings#{ secure => true};
34+
_ -> CookieSettings
35+
end),
36+
Home = cowboy_req:uri(SetCookie, #{
37+
path => rabbit_mgmt_util:get_path_prefix() ++ "/"
38+
}),
39+
Redirect = cowboy_req:reply(302, #{
40+
<<"Location">> => iolist_to_binary(Home)
41+
}, <<>>, SetCookie),
42+
{ok, Redirect, State};
43+
{false, ReqData1, Reason} ->
44+
replyWithError(Reason, ReqData1, State)
45+
end;
3546

3647
login(_, Req0, State) ->
3748
%% Method not allowed.
3849
{ok, cowboy_req:reply(405, Req0), State}.
50+
51+
replyWithError(Reason, Req, State) ->
52+
Home = cowboy_req:uri(Req, #{
53+
path => rabbit_mgmt_util:get_path_prefix() ++ "/",
54+
qs => "error=" ++ Reason
55+
}),
56+
Req2 = cowboy_req:reply(302, #{
57+
<<"Location">> => iolist_to_binary(Home)
58+
}, <<>>, Req),
59+
{ok, Req2, State}.
60+
61+

deps/rabbitmq_management/src/rabbit_mgmt_oauth_bootstrap.erl

Lines changed: 37 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@
88
-module(rabbit_mgmt_oauth_bootstrap).
99

1010
-export([init/2]).
11+
-include("rabbit_mgmt.hrl").
1112

1213
%%--------------------------------------------------------------------
1314

@@ -18,12 +19,14 @@ init(Req0, State) ->
1819
bootstrap_oauth(Req0, State) ->
1920
AuthSettings = rabbit_mgmt_wm_auth:authSettings(),
2021
Dependencies = oauth_dependencies(),
21-
JSContent = import_dependencies(Dependencies) ++
22-
set_oauth_settings(AuthSettings) ++
23-
set_token_auth(AuthSettings, Req0) ++
24-
export_dependencies(Dependencies),
25-
{ok, cowboy_req:reply(200, #{<<"content-type">> => <<"text/javascript; charset=utf-8">>},
26-
JSContent, Req0), State}.
22+
{Req1, SetTokenAuth} = set_token_auth(AuthSettings, Req0),
23+
JSContent = import_dependencies(Dependencies) ++
24+
set_oauth_settings(AuthSettings) ++
25+
SetTokenAuth ++
26+
export_dependencies(Dependencies),
27+
28+
{ok, cowboy_req:reply(200, #{<<"content-type">> => <<"text/javascript; charset=utf-8">>},
29+
JSContent, Req1), State}.
2730

2831
set_oauth_settings(AuthSettings) ->
2932
JsonAuthSettings = rabbit_json:encode(rabbit_mgmt_format:format_nulls(AuthSettings)),
@@ -33,11 +36,35 @@ set_token_auth(AuthSettings, Req0) ->
3336
case proplists:get_value(oauth_enabled, AuthSettings, false) of
3437
true ->
3538
case cowboy_req:parse_header(<<"authorization">>, Req0) of
36-
{bearer, Token} -> ["set_token_auth('", Token, "');"];
37-
_ -> []
39+
{bearer, Token} ->
40+
{
41+
Req0,
42+
["set_token_auth('", Token, "');"]
43+
};
44+
_ ->
45+
Cookies = cowboy_req:parse_cookies(Req0),
46+
case lists:keyfind(?OAUTH2_ACCESS_TOKEN_COOKIE_NAME, 1, Cookies) of
47+
{_, Token} ->
48+
{
49+
cowboy_req:set_resp_cookie(
50+
?OAUTH2_ACCESS_TOKEN_COOKIE_NAME, <<"">>, Req0, #{
51+
max_age => 0,
52+
http_only => true,
53+
path => ?OAUTH2_ACCESS_TOKEN_COOKIE_PATH,
54+
same_site => strict
55+
}),
56+
["set_token_auth('", Token, "');"]
57+
};
58+
false -> {
59+
Req0,
60+
[]
61+
}
62+
end
3863
end;
39-
false ->
40-
[]
64+
false -> {
65+
Req0,
66+
[]
67+
}
4168
end.
4269

4370
import_dependencies(Dependencies) ->

0 commit comments

Comments
 (0)