Redirect to end_session_endpoint for idp-initiated logon

Conflicts:
	selenium/bin/components/fakeportal

Author: michaelklishin

deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

@@ -154,9 +154,9 @@ export function oidc_settings_from(resource_server) {
     automaticSilentRenew: true,
     revokeAccessTokenOnSignout: true
   }
-  if (resource_server.end_session_endpoint != "") {
+  if (resource_server.oauth_end_session_endpoint != "") {
     oidcSettings.metadataSeed = {
-      end_session_endpoint: resource_server.end_session_endpoint
+      end_session_endpoint: resource_server.oauth_end_session_endpoint
     }
   }
   if (resource_server.oauth_client_secret != "") {
@@ -214,6 +214,9 @@ export function oauth_initialize(authSettings) {
     if (resource_server) {
       oauth.sp_initiated = resource_server.sp_initiated
       oauth.authority = resource_server.oauth_provider_url
+      if (resource_server.oauth_end_session_endpoint != "") {
+        oauth.oauth_end_session_endpoint = resource_server.oauth_end_session_endpoint      
+      }
       if (!resource_server.sp_initiated) return oauth;
       else oauth_initialize_user_manager(resource_server)
     }
@@ -311,7 +314,11 @@ export function oauth_initiateLogout() {
     })
 
   } else {
-    go_to_authority()
+    if (oauth.oauth_end_session_endpoint != null) {
+      location.href = oauth.oauth_end_session_endpoint      
+    }else {
+      go_to_authority()
+    }
   }
 }
 

deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl

@@ -72,7 +72,7 @@ oauth_provider_to_map(OAuthProvider) ->
     end,
     case OAuthProvider#oauth_provider.end_session_endpoint of
         undefined -> Map0;
-        V -> maps:put(end_session_endpoint, V, Map0)
+        V -> maps:put(oauth_end_session_endpoint, V, Map0)
     end.
 
 skip_unknown_mgt_resource_servers(ManagementProps, OAuth2Resources) ->

deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl

@@ -788,31 +788,31 @@ should_return_oauth_client_id_z(Config) ->
 
 should_not_return_end_session_endpoint(Config) ->
   assert_attribute_not_defined_for_oauth_resource_server(authSettings(),
-    Config, rabbit, end_session_endpoint).
+    Config, rabbit, oauth_end_session_endpoint).
 
 should_return_end_session_endpoint_0(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(authSettings(),
-    Config, rabbit, end_session_endpoint, ?config(logout_url_0, Config)).
+    Config, rabbit, oauth_end_session_endpoint, ?config(logout_url_0, Config)).
 
 should_return_end_session_endpoint_1(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(authSettings(),
-    Config, rabbit, end_session_endpoint, ?config(logout_url_1, Config)).
+    Config, rabbit, oauth_end_session_endpoint, ?config(logout_url_1, Config)).
 
 should_return_oauth_resource_server_a_without_end_session_endpoint(Config) ->
   assert_attribute_not_defined_for_oauth_resource_server(authSettings(),
-    Config, a, end_session_endpoint).
+    Config, a, oauth_end_session_endpoint).
 
 should_return_oauth_resource_server_a_with_end_session_endpoint_0(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(authSettings(),
-    Config, a, end_session_endpoint, ?config(logout_url_0, Config)).
+    Config, a, oauth_end_session_endpoint, ?config(logout_url_0, Config)).
 
 should_return_oauth_resource_server_a_with_end_session_endpoint_1(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(authSettings(),
-    Config, a, end_session_endpoint, ?config(logout_url_1, Config)).
+    Config, a, oauth_end_session_endpoint, ?config(logout_url_1, Config)).
 
 should_return_oauth_resource_server_a_with_end_session_endpoint_2(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(authSettings(),
-    Config, a, end_session_endpoint, ?config(logout_url_2, Config)).
+    Config, a, oauth_end_session_endpoint, ?config(logout_url_2, Config)).
 
 should_return_mgt_oauth_resource_rabbit_without_authorization_endpoint_params(Config) ->
   assert_attribute_not_defined_for_oauth_resource_server(authSettings(),

selenium/bin/components/fakeportal

@@ -15,7 +15,10 @@ ensure_fakeportal() {
 }
 
 init_fakeportal() {
-  FAKEPORTAL_URL=${FAKEPORTAL_URL:-http://fakeportal:3000}
+  FAKEPORTAL_URL=${FAKEPORTAL_URL:-https://fakeportal:3000}
+  FAKEPORTAL_CONFIG_PATH=${FAKEPORTAL_CONFIG_PATH:-oauth/fakeportal}
+  FAKEPORTAL_CONFIG_DIR=$(realpath ${TEST_DIR}/${FAKEPORTAL_CONFIG_PATH})
+
   FAKEPORTAL_DIR=${SCRIPT}/../../fakeportal
   CLIENT_ID="${CLIENT_ID:-rabbit_idp_user}"
   CLIENT_SECRET="${CLIENT_SECRET:-rabbit_idp_user}"
@@ -32,6 +35,9 @@ init_fakeportal() {
   print "> CLIENT_ID: ${CLIENT_ID}"
   print "> CLIENT_SECRET: ${CLIENT_SECRET}"
   print "> RABBITMQ_URL: ${RABBITMQ_URL}"
+
+  generate-ca-server-client-kpi fakeportal $FAKEPORTAL_CONFIG_DIR
+
 }
 start_fakeportal() {
   begin "Starting fakeportal ..."
@@ -40,6 +46,10 @@ start_fakeportal() {
   kill_container_if_exist fakeportal
   mocha_test_tag=($(md5sum $SELENIUM_ROOT_FOLDER/package.json))
 
+  MOUNT_FAKEPORTAL_CONF_DIR=$CONF_DIR/fakeportal
+  mkdir -p $MOUNT_FAKEPORTAL_CONF_DIR
+  cp ${FAKEPORTAL_CONFIG_DIR}/*.pem $MOUNT_FAKEPORTAL_CONF_DIR
+
   docker run \
     --detach \
     --name fakeportal \
@@ -52,7 +62,8 @@ start_fakeportal() {
     --env CLIENT_ID="${CLIENT_ID}" \
     --env CLIENT_SECRET="${CLIENT_SECRET}" \
     --env NODE_EXTRA_CA_CERTS=/etc/uaa/ca_uaa_certificate.pem \
-    -v ${TEST_CONFIG_DIR}/uaa:/etc/uaa \
+    -v ${TEST_CONFIG_PATH}/uaa:/etc/uaa \
+    -v ${MOUNT_FAKEPORTAL_CONF_DIR}:/etc/fakeportal \
     -v ${FAKEPORTAL_DIR}:/code/fakeportal \
     mocha-test:${mocha_test_tag} run fakeportal
 

selenium/bin/suite_template

@@ -13,6 +13,7 @@ tabs 1
 declare -i PADDING_LEVEL=0
 declare -i STEP=1
 declare -a REQUIRED_COMPONENTS
+declare -a INIT_ONLY_COMPONENTS
 
 find_selenium_dir() {
   TEST_PATH=$1
@@ -112,6 +113,7 @@ init_suite() {
 
   begin "Initializing suite $SUITE ..."
   print "> REQUIRED_COMPONENTS: ${REQUIRED_COMPONENTS[*]}"
+  print "> INIT_ONLY_COMPONENTS: ${INIT_ONLY_COMPONENTS[*]}"
   print "> TEST_CASES_DIR: ${TEST_CASES_DIR} "
   print "> TEST_CONFIG_DIR: ${TEST_CONFIG_DIR} "
   print "> DOCKER_NETWORK: ${DOCKER_NETWORK} "
@@ -218,20 +220,37 @@ wait_for_oidc_endpoint_docker() {
 calculate_rabbitmq_url() {
   echo "${RABBITMQ_SCHEME:-http}://$1${PUBLIC_RABBITMQ_PATH:-$RABBITMQ_PATH}"
 }
-
+calculate_forward_proxy_url() {
+  PROXIED_URL=$1
+  PROXY_HOSTNAME=$2
+  PROXY_PORT=$3
+  SCHEME=$(echo "$PROXIED_URL" | cut -d: -f1)
+  PATH=$(echo "$PROXIED_URL" | cut -d/ -f4-)
+  echo "$SCHEME://$PROXY_HOSTNAME:$PROXY_PORT/$PATH"
+}
 wait_for_url() {
-  BASE_URL=$1
+  BASE_URL=$1  
   if [[ $BASE_URL == *"localhost"** ]]; then
-    wait_for_url_local $BASE_URL
+    wait_for_url_local $@ 
   else
-    wait_for_url_docker $BASE_URL
+    wait_for_url_docker $@
   fi
 }
 wait_for_url_local() {
   url=$1
+  proxy=${2:-none}
+  proxy_user=${3:-none}
+  proxy_pass=$4
+  curl_args="-L -f -v"
   max_retry=10
   counter=0
-  until (curl -L -f -v $url >/dev/null 2>&1)
+  if [[ "$proxy" != "none" && "$proxy" != ""  ]]; then 
+    curl_args="--proxy ${proxy} ${curl_args}"
+  fi 
+  if [[ "$proxy_user" != "none" && "$proxy_user" != "" ]]; then 
+    curl_args="--proxy-user ${proxy_user}:${proxy_pass} ${curl_args}"
+  fi 
+  until (curl $curl_args $url >/dev/null 2>&1)
   do
     print "Waiting for $url to start (local)"
     sleep 5
@@ -244,7 +263,14 @@ wait_for_url_docker() {
   url=$1
   max_retry=10
   counter=0
-  until (docker run --net ${DOCKER_NETWORK} --rm curlimages/curl:7.85.0 -L -f -v $url >/dev/null 2>&1)
+  curl_args="-L -f -v"
+  if [[ "$proxy" != "none"  && "$proxy" != "" ]]; then 
+    curl_args="--proxy ${proxy} ${curl_args}"
+  fi 
+  if [[ "$proxy_user" != "none" && "$proxy_user" != "" ]]; then 
+    curl_args="--proxy-user ${proxy_user}:${proxy_pass} ${curl_args}"
+  fi 
+  until (docker run --net ${DOCKER_NETWORK} --rm curlimages/curl:7.85.0 $curl_args $url >/dev/null 2>&1)
   do
     print "Waiting for $url to start (docker)"
     sleep 5
@@ -377,7 +403,8 @@ profiles_with_local_or_docker() {
 generate_env_file() {
     begin "Generating env file ..."
     mkdir -p $CONF_DIR
-    ${BIN_DIR}/gen-env-file $TEST_CONFIG_DIR $ENV_FILE    
+    ${BIN_DIR}/gen-env-file $TEST_CONFIG_DIR ${ENV_FILE}.tmp    
+    grep -v '^#' ${ENV_FILE}.tmp > $ENV_FILE
     source $ENV_FILE    
     end "Finished generating env file."
 }
@@ -475,6 +502,9 @@ generate-client-keystore-if-required() {
   fi
 }
 
+initOnly() {
+  determine_init_only_components $@
+}
 run() {
   runWith rabbitmq
 }
@@ -525,6 +555,12 @@ elif [[ "$COMMAND" == "stop-rabbitmq" ]]
     test_local ${BASH_REMATCH[1]}
   fi
 }
+determine_init_only_components() {
+  for (( i=1; i<=$#; i++)) {
+    eval val='$'$i
+    INIT_ONLY_COMPONENTS+=( "$val" )
+  }
+}
 determine_required_components_including_rabbitmq() {
   for (( i=1; i<=$#; i++)) {
     eval val='$'$i
@@ -560,7 +596,7 @@ run_on_docker_with() {
   build_mocha_image
   start_selenium
 
-  trap teardown_components EXIT
+  trap "teardown_components" EXIT
 
   start_components
   test
@@ -637,11 +673,27 @@ ensure_components() {
 start_components() {
   for i in "${REQUIRED_COMPONENTS[@]}"
   do
-    start="start_$i"
-    $start
+    local ret=$(is_init_only_component $i)
+    if [[ $ret == 1 ]]
+    then 
+      init="init_$i"
+      $init 
+    else  
+      start="start_$i"
+      $start
+    fi
   done
 }
-
+is_init_only_component() {
+  for i in "${INIT_ONLY_COMPONENTS[@]}"
+  do
+    if [[ $i == $1 ]]
+    then 
+      return 1
+    fi
+  done
+  return 0
+}
 teardown_components() {
   skip_rabbitmq=${1:-false}
 

selenium/fakeportal/app.js

@@ -1,5 +1,7 @@
 const express = require("express");
 const app = express();
+const fs = require('fs');
+const https = require('https');
 var path = require('path');
 const XMLHttpRequest = require('xmlhttprequest').XMLHttpRequest
 
@@ -15,19 +17,38 @@ app.set('views', path.join(__dirname, 'views'));
 app.set('view engine', 'html');
 
 app.get('/', function(req, res){
-  let id =  default_if_blank(req.query.client_id, client_id);
-  let secret =  default_if_blank(req.query.client_secret, client_secret);
-  res.render('rabbitmq', {
-    proxied_url: proxied_rabbitmq_url,
-    url: rabbitmq_url.replace(/\/?$/, '/') + "login",
-    name: rabbitmq_url + " for " + id,
-    access_token: access_token(id, secret)
-  });
-});
+  let id =  default_if_blank(req.query.client_id, client_id)
+  let secret =  default_if_blank(req.query.client_secret, client_secret)
+  if (id == 'undefined' || secret == 'undefined') {
+    res.render('unauthenticated')
+  }else {
+    res.render('rabbitmq', {
+      proxied_url: proxied_rabbitmq_url,
+      url: rabbitmq_url.replace(/\/?$/, '/') + "login",
+      name: rabbitmq_url + " for " + id,
+      access_token: access_token(id, secret)
+    })
+  }
+})
+
 app.get('/favicon.ico', (req, res) => res.status(204));
 
+app.get('/logout', function(req, res) {
+  const redirectUrl = uaa_url + '/logout.do?client_id=' + client_id + "&redirect=https://fakeportal:3000" 
+  console.debug("Received /logout request -> redirect to " + redirectUrl)
+  res.redirect(redirectUrl);
+})
+
+https
+  .createServer(
+    {
+      cert: fs.readFileSync('/etc/fakeportal/server_fakeportal_certificate.pem'),
+      key: fs.readFileSync('/etc/fakeportal/server_fakeportal_key.pem')
+    },
+    app
+  )
+  .listen(port)
 
-app.listen(port);
 console.log('Express started on port ' + port);
 
 function default_if_blank(value, defaultValue) {

selenium/fakeportal/views/unauthenticated.html

@@ -0,0 +1,18 @@
+<h1> FakePortal </h1>
+
+<p>This is a portal used to test <b>Identity-Provider-based authentication</b>.
+This means users comes to RabbitMQ with a token already obtained without involving RabbitMQ
+management ui.
+</p>
+
+<p>This is the state of the Portal when the user is not authenticated yet.</p>
+<p>To get the fakeportal fully authenticated, pass two request parameters:
+  <ul>
+    <li>client_id</li>
+    <li>client_secret</li>
+  </ul> 
+ These credentitals are used to get an access token from UAA and send it to 
+RabbitMQ. 
+</p>
+
+

selenium/suites/authnz-mgt/oauth-idp-initiated-with-uaa-and-prefix-via-proxy.sh

@@ -4,7 +4,7 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/oauth/with-idp-initiated-via-proxy
 TEST_CONFIG_PATH=/oauth
-PROFILES="uaa fakeportal fakeproxy fakeportal-mgt-oauth-provider idp-initiated mgt-prefix uaa-oauth-provider"
+PROFILES="uaa fakeportal fakeproxy fakeportal-mgt-oauth-provider idp-initiated mgt-prefix uaa-oauth-provider tls"
 
 source $SCRIPT/../../bin/suite_template $@
 runWith rabbitmq uaa fakeportal fakeproxy

selenium/suites/authnz-mgt/oauth-idp-initiated-with-uaa-and-prefix.sh

@@ -4,7 +4,7 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/oauth/with-idp-initiated
 TEST_CONFIG_PATH=/oauth
-PROFILES="uaa fakeportal-mgt-oauth-provider idp-initiated mgt-prefix uaa-oauth-provider"
+PROFILES="uaa fakeportal-mgt-oauth-provider idp-initiated mgt-prefix uaa-oauth-provider tls"
 
 source $SCRIPT/../../bin/suite_template $@
 runWith uaa fakeportal

selenium/suites/authnz-mgt/oauth-idp-initiated-with-uaa-via-proxy.sh

@@ -4,7 +4,7 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/oauth/with-idp-initiated-via-proxy
 TEST_CONFIG_PATH=/oauth
-PROFILES="uaa fakeportal fakeproxy fakeportal-mgt-oauth-provider idp-initiated uaa-oauth-provider"
+PROFILES="uaa fakeportal fakeproxy fakeportal-mgt-oauth-provider idp-initiated uaa-oauth-provider tls"
 
 source $SCRIPT/../../bin/suite_template $@
 runWith rabbitmq uaa fakeportal fakeproxy

selenium/suites/authnz-mgt/oauth-idp-initiated-with-uaa.sh

@@ -4,7 +4,8 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/oauth/with-idp-initiated
 TEST_CONFIG_PATH=/oauth
-PROFILES="uaa idp-initiated uaa-oauth-provider fakeportal-mgt-oauth-provider"
+PROFILES="uaa uaa-oauth-provider idp-initiated fakeportal-mgt-oauth-provider tls"
 
 source $SCRIPT/../../bin/suite_template $@
 runWith uaa fakeportal
+#runWith fakeportal

selenium/suites/authnz-mgt/oauth-with-uaa-down.sh

@@ -7,4 +7,5 @@ TEST_CONFIG_PATH=/oauth
 PROFILES="uaa uaa-oauth-provider uaa-mgt-oauth-provider"
 
 source $SCRIPT/../../bin/suite_template $@
+initOnly uaa
 run

selenium/test/oauth/env.docker.fakeportal

@@ -1,3 +1,3 @@
-export FAKEPORTAL_URL=http://fakeportal:3000
+export FAKEPORTAL_URL=https://fakeportal:3000
 export RABBITMQ_HOST_FOR_FAKEPORTAL=${RABBITMQ_HOST}
 export UAA_URL_FOR_FAKEPORTAL=https://uaa:8443