File: rabbitmq_auth_backend_oauth2.schema

%% ----------------------------------------------------------------------------
%% RabbitMQ OAuth2 Plugin
%%
%% See https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbitmq_auth_backend_oauth2/ for details.
%%
%% ----------------------------------------------------------------------------

%% A prefix used for scopes in UAA to avoid scope collisions (or unintended overlap). It is an empty string by default.
%%
%% {resource_server_id, <<"my_rabbit_server">>},

%% Maps the user-facing key auth_oauth2.resource_server_id onto the
%% application-env key rabbitmq_auth_backend_oauth2.resource_server_id.
%% Declared as a string here; the translation that follows converts it to
%% the binary form the plugin stores.
{mapping,
 "auth_oauth2.resource_server_id",
 "rabbitmq_auth_backend_oauth2.resource_server_id",
 [{datatype, string}]}.

%% Reads auth_oauth2.resource_server_id from the parsed config and returns it
%% as a binary. The value is assumed to be present; what cuttlefish:conf_get/2
%% does when the key is unset is not visible in this file — confirm before
%% relying on a default.
{translation,
 "rabbitmq_auth_backend_oauth2.resource_server_id",
 fun(Conf) ->
     ResourceServerId = cuttlefish:conf_get("auth_oauth2.resource_server_id", Conf),
     list_to_binary(ResourceServerId)
 end}.

%% Configure the plugin to also look in other fields using additional_scopes_key (maps to extra_scopes_source in the old format)
%%
%% {additional_rabbitmq_scopes, <<"my_custom_scope_key">>},

%% Maps auth_oauth2.additional_scopes_key onto the plugin's older name for the
%% same setting, rabbitmq_auth_backend_oauth2.extra_scopes_source.
%% Declared as a string; the translation below turns it into a binary.
{mapping,
 "auth_oauth2.additional_scopes_key",
 "rabbitmq_auth_backend_oauth2.extra_scopes_source",
 [{datatype, string}]}.

%% Converts auth_oauth2.additional_scopes_key to a binary and stores it under
%% the plugin's older setting name, extra_scopes_source. Assumes the key is
%% present in Conf; the unset case is handled (or not) by cuttlefish:conf_get/2,
%% which is outside this file — confirm.
{translation,
 "rabbitmq_auth_backend_oauth2.extra_scopes_source",
 fun(Conf) ->
     Key = "auth_oauth2.additional_scopes_key",
     erlang:list_to_binary(cuttlefish:conf_get(Key, Conf))
 end}.

%% ID of the default signing key
%%
%% {default_key, <<"key-1">>},

%% Maps auth_oauth2.default_key (id of the default signing key) onto
%% rabbitmq_auth_backend_oauth2.key_config.default_key. String datatype;
%% the translation below converts it to a binary.
{mapping,
 "auth_oauth2.default_key",
 "rabbitmq_auth_backend_oauth2.key_config.default_key",
 [{datatype, string}]}.

%% Returns the default signing key id as a binary. Nothing in this schema
%% checks that the id matches one of the names configured under
%% auth_oauth2.signing_keys; presumably the plugin resolves it at runtime —
%% confirm. The key is assumed to be present in Conf.
{translation,
 "rabbitmq_auth_backend_oauth2.key_config.default_key",
 fun(Conf) ->
     DefaultKeyId = cuttlefish:conf_get("auth_oauth2.default_key", Conf),
     list_to_binary(DefaultKeyId)
 end}.

%% A map of signing keys
%%
%% {signing_keys, #{<<"id1">> => {pem, <<"value1">>}, <<"id2">> => {pem, <<"value2">>}}}
%% validator doesn't work

%% One entry per signing key, auth_oauth2.signing_keys.<name> = <path>.
%% The value is a file path (datatype file) that must pass the
%% "file_accessible" validator, which is not defined in this file.
%% All entries are collapsed into one map by the translation below.
{mapping,
 "auth_oauth2.signing_keys.$name",
 "rabbitmq_auth_backend_oauth2.key_config.signing_keys",
 [{datatype, file}, {validators, ["file_accessible"]}]}.

%% Builds the signing_keys map from every auth_oauth2.signing_keys.<name>
%% entry: the map key is <name> as a binary, the value is {pem, Contents}
%% where Contents is the key file read at config-translation time with
%% trailing newlines removed. An unreadable file is reported to Cuttlefish
%% as an invalid setting instead of crashing the translation. If the same
%% <name> appears twice the later entry wins.
{translation,
 "rabbitmq_auth_backend_oauth2.key_config.signing_keys",
 fun(Conf) ->
     Entries = cuttlefish_variable:filter_by_prefix("auth_oauth2.signing_keys", Conf),
     %% Only "\n" is stripped, so a CRLF-terminated file keeps its trailing
     %% "\r"; whether the PEM decoder tolerates that is not visible here — confirm.
     ReadPem =
         fun(Path) ->
             case file:read_file(Path) of
                 {ok, Contents} ->
                     string:trim(Contents, trailing, "\n");
                 {error, _Reason} ->
                     %% cuttlefish:invalid/1 throws, which makes Cuttlefish
                     %% treat the key as invalid
                     cuttlefish:invalid("file does not exist or cannot be read by the node")
             end
         end,
     %% Name is the tokenised config variable; its last segment is <name>.
     lists:foldl(
       fun({Name, Path}, Acc) ->
           Acc#{list_to_binary(lists:last(Name)) => {pem, ReadPem(Path)}}
       end,
       #{},
       Entries)
 end}.

%% URL of the JWKS (JSON Web Key Set) endpoint, presumably the place the
%% plugin fetches signing keys from when they are not configured inline.
%% Validated by "uri" (defined elsewhere) and "https_uri" (defined below),
%% so a plain http:// URL is rejected at config time rather than letting
%% keys be fetched over an unauthenticated channel.
{mapping,
 "auth_oauth2.jwks_url",
 "rabbitmq_auth_backend_oauth2.key_config.jwks_url",
 [{datatype, string}, {validators, ["uri", "https_uri"]}]}.

%% TLS options for the plugin's HTTPS client. They live under key_config
%% next to jwks_url, so they are presumably applied to the jwks_url
%% connection — confirm in the plugin code. The names mirror OTP ssl options.

%% verify_peer | verify_none. verify_none skips validation of the remote
%% certificate, so the key set could be served by an impersonator; keep
%% verify_peer outside throw-away test setups.
{mapping,
 "auth_oauth2.https.peer_verification",
 "rabbitmq_auth_backend_oauth2.key_config.peer_verification",
 [{datatype, {enum, [verify_peer, verify_none]}}]}.

%% Path to the CA bundle used to verify the remote certificate; must pass
%% the "file_accessible" validator (defined elsewhere).
{mapping,
 "auth_oauth2.https.cacertfile",
 "rabbitmq_auth_backend_oauth2.key_config.cacertfile",
 [{datatype, file}, {validators, ["file_accessible"]}]}.

%% Integer; likely the ssl `depth` option (maximum certificate chain length
%% accepted during verification) — confirm.
{mapping,
 "auth_oauth2.https.depth",
 "rabbitmq_auth_backend_oauth2.key_config.depth",
 [{datatype, integer}]}.

%% wildcard | none. `none` presumably disables matching the certificate
%% against the host in jwks_url, which weakens peer_verification — confirm.
{mapping,
 "auth_oauth2.https.hostname_verification",
 "rabbitmq_auth_backend_oauth2.key_config.hostname_verification",
 [{datatype, {enum, [wildcard, none]}}]}.

%% true | false | peer | best_effort — the value set accepted by the ssl
%% crl_check option.
{mapping,
 "auth_oauth2.https.crl_check",
 "rabbitmq_auth_backend_oauth2.key_config.crl_check",
 [{datatype, {enum, [true, false, peer, best_effort]}}]}.

%% true | false; mirrors the ssl fail_if_no_peer_cert option.
{mapping,
 "auth_oauth2.https.fail_if_no_peer_cert",
 "rabbitmq_auth_backend_oauth2.key_config.fail_if_no_peer_cert",
 [{datatype, {enum, [true, false]}}]}.

%% Accepts the URI only when the text before the first ':' or '/' is exactly
%% "https". Note that the third argument of string:nth_lexeme/3 is a set of
%% separator characters, not the literal "://": leading separators are
%% skipped and the comparison is case-sensitive, so "HTTPS://..." is rejected.
{validator, "https_uri", "According to the JWT Specification, Key Server URL must be https.",
 fun(Uri) ->
     case string:nth_lexeme(Uri, 1, "://") of
         "https" -> true;
         _ -> false
     end
 end}.

%% One entry per accepted signing algorithm, auth_oauth2.algorithms.<n> = <name>.
%% Each value is a string; the translation below gathers them into a list of
%% binaries. Nothing here restricts the names to a known algorithm set, so
%% typos are presumably only caught when the plugin uses the list — confirm.
{mapping,
 "auth_oauth2.algorithms.$algorithm",
 "rabbitmq_auth_backend_oauth2.key_config.algorithms",
 [{datatype, string}]}.

%% Collects every auth_oauth2.algorithms.<n> value, in config order, into a
%% list of binaries. Entries that are not {Key, Value} pairs are skipped.
{translation, "rabbitmq_auth_backend_oauth2.key_config.algorithms",
 fun(Conf) ->
     Entries = cuttlefish_variable:filter_by_prefix("auth_oauth2.algorithms", Conf),
     lists:foldr(
       fun({_Key, Algorithm}, Acc) -> [list_to_binary(Algorithm) | Acc];
          (_, Acc) -> Acc
       end,
       [],
       Entries)
 end}.