Configure scope_aliases also per resource_server

MarcialRosales · michaelklishin · commit b966ab7b729f · 2024-10-09T10:57:38.000-04:00
diff --git a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@@ -375,6 +375,21 @@
   [{datatype, string}]
 }.
 
+{mapping,
+ "auth_oauth2.resource_servers.$name.scope_aliases.$alias",
+ "rabbitmq_auth_backend_oauth2.resource_servers",
+ [{datatype, string}]}.
+
+{mapping,
+ "auth_oauth2.resource_servers.$name.scope_aliases.$index.alias",
+ "rabbitmq_auth_backend_oauth2.resource_servers",
+ [{datatype, string}]}.
+
+{mapping,
+ "auth_oauth2.resource_servers.$name.scope_aliases.$index.scope",
+ "rabbitmq_auth_backend_oauth2.resource_servers",
+ [{datatype, string}]}.
+
 {mapping,
   "auth_oauth2.resource_servers.$name.oauth_provider_id",
   "rabbitmq_auth_backend_oauth2.resource_servers",
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl
@@ -78,13 +78,60 @@ extract_scope_alias_mapping(Proplist) ->
         _ = V -> V
     end.
 
+extract_resource_server_scope_aliases_as_list_of_props(Settings) ->
+    KeyFun = fun extract_key_as_binary/1,
+    ValueFun = fun extract_value/1,
+
+    List0 = [
+        {
+            Name, 
+            {Index, {list_to_atom(Attr), V}}
+        } || 
+        {[
+            ?AUTH_OAUTH2, ?RESOURCE_SERVERS, Name, ?SCOPE_ALIASES, 
+            Index, Attr
+         ], V
+        } <- Settings ],
+    Map0 = maps:groups_from_list(KeyFun, ValueFun, List0),
+     
+    Map4 = maps:map(fun (_, L) -> 
+        Map2 = maps:map(fun (_, L2) -> extract_scope_alias_mapping(L2) end, 
+            maps:groups_from_list(KeyFun, ValueFun, L)),
+        Map3 = maps:filter(fun (_,V) -> V =/= {} end, Map2),
+        [{scope_aliases, maps:from_list([ V || {_, V} <- maps:to_list(Map3)])}]
+        end, Map0),
+       
+    Map4.
+ 
+extract_resource_server_scope_aliases_as_map(Settings) ->
+    KeyFun = fun extract_key_as_binary/1,
+    ValueFun = fun extract_value/1,
+
+    List0 = [
+        {
+            Name, 
+            {
+                list_to_binary(Alias), 
+                convert_space_separated_string_to_list_of_binaries(Scope)
+            }         
+        } || 
+        {[
+            ?AUTH_OAUTH2, ?RESOURCE_SERVERS, Name, ?SCOPE_ALIASES, 
+            Alias
+         ], Scope
+        } <- Settings ],
+    Map0 = maps:groups_from_list(KeyFun, ValueFun, List0),
+    maps:map(fun (_, L) -> [{scope_aliases, maps:from_list(L)}] end, Map0).    
+
 -spec translate_resource_servers([{list(), binary()}]) -> map().
 translate_resource_servers(Conf) ->
     Settings = cuttlefish_variable:filter_by_prefix(
         ?AUTH_OAUTH2_RESOURCE_SERVERS, Conf),
     Map = merge_list_of_maps([
         extract_resource_server_properties(Settings),
-        extract_resource_server_preferred_username_claims(Settings)
+        extract_resource_server_preferred_username_claims(Settings),
+        extract_resource_server_scope_aliases_as_list_of_props(Settings),
+        extract_resource_server_scope_aliases_as_map(Settings)
     ]),
     Map0 = maps:map(fun(K,V) ->
         case proplists:get_value(id, V) of
@@ -97,7 +144,8 @@ translate_resource_servers(Conf) ->
 
 -spec translate_oauth_providers([{list(), binary()}]) -> map().
 translate_oauth_providers(Conf) ->
-    Settings = cuttlefish_variable:filter_by_prefix(?AUTH_OAUTH2_OAUTH_PROVIDERS, Conf),
+    Settings = cuttlefish_variable:filter_by_prefix(
+        ?AUTH_OAUTH2_OAUTH_PROVIDERS, Conf),
 
     merge_list_of_maps([
         extract_oauth_providers_properties(Settings),
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets b/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
@@ -236,5 +236,81 @@
             }}
         ]}
        ], []
+  },
+  {scope_aliases_3, 
+      "auth_oauth2.resource_server_id = new_resource_server_id
+       auth_oauth2.resource_servers.a.scope_aliases.admin = rabbitmq.tag:administrator 
+       auth_oauth2.resource_servers.a.scope_aliases.developer = rabbitmq.tag:management rabbitmq.read:*/*
+       auth_oauth2.resource_servers.b.scope_aliases.admin_b = rabbitmq.tag:administrator 
+       auth_oauth2.resource_servers.b.scope_aliases.developer_b = rabbitmq.tag:management rabbitmq.read:*/*",
+       [
+        {rabbitmq_auth_backend_oauth2, [
+            {resource_server_id,<<"new_resource_server_id">>},
+            {resource_servers, #{
+                <<"a">> => [
+                    {scope_aliases, #{
+                      <<"admin">> => [ 
+                              <<"rabbitmq.tag:administrator">>
+                              ],
+                      <<"developer">> => [ 
+                              <<"rabbitmq.tag:management">>,
+                              <<"rabbitmq.read:*/*">>
+                              ]                              
+                    }},
+                    {id, <<"a">>}
+                ],
+                <<"b">> => [
+                    {scope_aliases, #{
+                      <<"admin_b">> => [ 
+                              <<"rabbitmq.tag:administrator">>
+                              ],
+                      <<"developer_b">> => [ 
+                              <<"rabbitmq.tag:management">>,
+                              <<"rabbitmq.read:*/*">>
+                              ]                              
+                    }},
+                    {id, <<"b">>}
+                ]
+              }
+            }            
+        ]}
+       ], []
+  },
+  {scope_aliases_4, 
+      "auth_oauth2.resource_server_id = new_resource_server_id
+       auth_oauth2.resource_servers.b.scope_aliases.1.alias = admin_b
+       auth_oauth2.resource_servers.b.scope_aliases.1.scope = rabbitmq.tag:administrator 
+       auth_oauth2.resource_servers.a.scope_aliases.1.alias = admin
+       auth_oauth2.resource_servers.a.scope_aliases.1.scope = rabbitmq.tag:administrator 
+       auth_oauth2.resource_servers.a.scope_aliases.2.alias = developer
+       auth_oauth2.resource_servers.a.scope_aliases.2.scope = rabbitmq.tag:management rabbitmq.read:*/*",
+       [
+        {rabbitmq_auth_backend_oauth2, [
+            {resource_server_id,<<"new_resource_server_id">>},
+            {resource_servers, #{
+                <<"a">> => [
+                    {scope_aliases, #{
+                      <<"admin">> => [ 
+                              <<"rabbitmq.tag:administrator">>
+                              ],
+                      <<"developer">> => [ 
+                              <<"rabbitmq.tag:management">>,
+                              <<"rabbitmq.read:*/*">>
+                              ]                              
+                    }},
+                    {id, <<"a">>}
+                ],
+                <<"b">> => [
+                    {scope_aliases, #{
+                      <<"admin_b">> => [ 
+                              <<"rabbitmq.tag:administrator">>
+                        ]                              
+                    }},
+                    {id, <<"b">>}
+                ]
+              }
+            }            
+        ]}
+       ], []
   }
 ].
