Make management.oauth_client_secret optional

Also: -Javascript formatting improvements -Clean up some necessary code and files -Improve scripts that runs selenium tests -Add selenium test that verifies oauth authentication against keycloak
rabbitmq · Oct 25, 2022 · eacdf8f · eacdf8f
1 parent f4a7d2f
commit eacdf8f
Show file tree

Hide file tree

Showing 26 changed files with 265 additions and 75 deletions.
diff --git a/.github/workflows/test-selenium.yaml b/.github/workflows/test-selenium.yaml
@@ -91,7 +91,7 @@ jobs:
 
     - name: Run Suites
       run: |
-        ${SELENIUM_DIR}/run-suites.sh
+        RABBITMQ_DOCKER_IMAGE=bazel/packaging/docker-image:rabbitmq ${SELENIUM_DIR}/run-suites.sh
 
     - name: Upload Test Artifacts
       if: always()

diff --git a/deps/rabbitmq_management/.gitignore b/deps/rabbitmq_management/.gitignore
@@ -33,3 +33,5 @@ selenium/screens/*/*
 selenium/logs
 selenium/suites/logs/*
 selenium/suites/screens/*
+h2/*.trace.db
+h2/*.lock.db
diff --git a/deps/rabbitmq_management/priv/www/js/main.js b/deps/rabbitmq_management/priv/www/js/main.js
@@ -2,15 +2,15 @@
 $(document).ready(function() {
    var url_string = window.location.href;
    var url = new URL(url_string);
-   var error = url.searchParams.get("error");
+   var error = url.searchParams.get('error');
    if (error) {
      renderWarningMessageInLoginStatus(error);
    }else {
       if (oauth.enabled) {
         if (!oauth.logged_in ) {
-          get(oauth.readiness_url, "application/json", function(req) {
+          get(oauth.readiness_url, 'application/json', function(req) {
               if (req.status !== 200) {
-                  renderWarningMessageInLoginStatus(oauth.authority + " does not appear to be a running OAuth2.0 instance or may not have a trusted SSL certificate" );
+                  renderWarningMessageInLoginStatus(oauth.authority + ' does not appear to be a running OAuth2.0 instance or may not have a trusted SSL certificate' );
               } else {
                   replace_content('outer', format('login_oauth', {}));
               }
@@ -27,7 +27,7 @@ $(document).ready(function() {
 
 function renderWarningMessageInLoginStatus(message) {
   replace_content('outer', format('login_oauth', {}));
-  replace_content('login-status', '<p class="warning">' + message  + '</p> <button id="loginWindow" onclick="oauth_initiateLogin()">Single Sign On</button>');
+  replace_content('login-status', '<p class="warning">' + message  + '</p> <button id="loginWindow" onclick="oauth_initiateLogin()">Click here to log in</button>');
 }
 
 function dispatcher_add(fun) {
@@ -70,7 +70,6 @@ function getAccessToken() {
 }
 
 function start_app_login() {
-    //console.log("start_app_login begin");
     app = new Sammy.Application(function () {
         this.get('#/', function() {});
         this.put('#/login', function() {
@@ -94,7 +93,6 @@ function start_app_login() {
             check_login();
         }
     }
-    //console.log("start_app_login end");
 }
 
 
@@ -105,7 +103,7 @@ function check_login() {
         clear_pref('auth');
         clear_cookie_value('auth');
         if (oauth.enabled) {
-            renderWarningMessageInLoginStatus("Not authorized");
+            renderWarningMessageInLoginStatus('Not authorized');
         } else {
             replace_content('login-status', '<p>Login failed</p>');
         }
@@ -135,10 +133,10 @@ function check_login() {
 function print_logging_session_info(user_login_session_timeout) {
   let var_has_auth_cookie_value = has_auth_cookie_value()
   let login_session_timeout = get_login_session_timeout()
-  console.log("user_login_session_timeout: " + user_login_session_timeout)
-  console.log("has_auth_cookie_value: " + var_has_auth_cookie_value)
-  console.log("login_session_timeout: " + login_session_timeout)
-  console.log("isNaN(user_login_session_timeout): " + isNaN(user_login_session_timeout))
+  console.log('user_login_session_timeout: ' + user_login_session_timeout)
+  console.log('has_auth_cookie_value: ' + var_has_auth_cookie_value)
+  console.log('login_session_timeout: ' + login_session_timeout)
+  console.log('isNaN(user_login_session_timeout): ' + isNaN(user_login_session_timeout))
 }
 
 function get_login_session_timeout() {
@@ -193,7 +191,7 @@ function start_app() {
         // Tokens are passed in the url hash, so the url always contains a #.
         // We need to check the current path is `/` and token is present,
         // so we can redirect to `/#/`
-        this.location = url.replace(/#token_type.+/gi, "#/");
+        this.location = url.replace(/#token_type.+/gi, '#/');
     }
 
     app = new Sammy.Application(dispatcher);
@@ -245,7 +243,7 @@ function setup_extensions() {
     extension_count = 0;
     for (var i in extensions) {
         var extension = extensions[i];
-        if ($.isPlainObject(extension) && extension.hasOwnProperty("javascript")) {
+        if ($.isPlainObject(extension) && extension.hasOwnProperty('javascript')) {
             dynamic_load(extension.javascript);
             extension_count++;
         }
@@ -256,7 +254,7 @@ function dynamic_load(filename) {
     var element = document.createElement('script');
     element.setAttribute('type', 'text/javascript');
     element.setAttribute('src', 'js/' + filename);
-    document.getElementsByTagName("head")[0].appendChild(element);
+    document.getElementsByTagName('head')[0].appendChild(element);
 }
 
 function update_interval() {

diff --git a/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js b/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
@@ -54,7 +54,7 @@ function oauth_initialize(authSettings) {
       "logged_in": false,
       "enabled" : authSettings.oauth_enabled,
       "authority" : authSettings.oauth_provider_url
-    }
+    };
 
     if (!oauth.enabled) return oauth;
 
@@ -64,7 +64,6 @@ function oauth_initialize(authSettings) {
         //userStore: new WebStorageStateStore({ store: window.localStorage }),
         authority: authSettings.oauth_provider_url,
         client_id: authSettings.oauth_client_id,
-        client_secret: authSettings.oauth_client_secret,
         response_type: authSettings.oauth_response_type,
         scope: authSettings.oauth_scopes, // for uaa we may need to include <resource-server-id>.*
         resource: authSettings.oauth_resource_id,
@@ -77,7 +76,12 @@ function oauth_initialize(authSettings) {
           audience: authSettings.oauth_resource_id, // required by oauth0
         },
     };
-    if (authSettings.oauth_metadata_url != "") oidcSettings.metadataUrl = authSettings.oauth_metadata_url
+    if (authSettings.oauth_client_secret != "") {
+      oidcSettings.client_secret = authSettings.oauth_client_secret;
+    }
+    if (authSettings.oauth_metadata_url != "") {
+      oidcSettings.metadataUrl = authSettings.oauth_metadata_url;
+    }
 
     if (authSettings.enable_uaa == true) {
       // This is required for old versions of UAA because the newer ones do expose
@@ -90,22 +94,22 @@ function oauth_initialize(authSettings) {
     oidc.Log.setLogger(console);
 
     mgr = new oidc.UserManager(oidcSettings);
-    oauth.readiness_url = mgr.settings.metadataUrl
+    oauth.readiness_url = mgr.settings.metadataUrl;
 
     _management_logger = new oidc.Logger("Management");
 
     mgr.events.addAccessTokenExpiring(function() {
-        _management_logger.info("token expiring...");
+      _management_logger.info("token expiring...");
     });
     mgr.events.addAccessTokenExpired(function() {
-        _management_logger.info("token expired!!");
+      _management_logger.info("token expired!!");
     });
     mgr.events.addSilentRenewError(function(err) {
-        _management_logger.error("token expiring failed due to ", err);
+      _management_logger.error("token expiring failed due to ", err);
     });
     mgr.events.addUserLoaded(function(user) {
-        oauth.access_token = user.access_token;
-     });
+      oauth.access_token = user.access_token;
+    });
 
     return oauth;
 }
@@ -145,7 +149,6 @@ function oauth_redirectToHome(oauth) {
   location.href = rabbit_path_prefix + "/"
 }
 function oauth_redirectToLogin(error) {
-  _management_logger.debug("oauth_redirectToLogin called");
   if (!error) location.href = rabbit_path_prefix + "/"
   else {
     location.href = rabbit_path_prefix + "/?error=" + error

diff --git a/deps/rabbitmq_management/selenium/README.md b/deps/rabbitmq_management/selenium/README.md
@@ -95,16 +95,18 @@ Start RabbitMQ from source (it runs `make run-broker`):
 make start-rabbitmq
 ```
 
-Access the test case folder:
+To run all tests under `with-uaa`:
 ```
-cd with-uaa
-```
-
-To run all tests under the suite:
-```
-make test
+make test TEST=with-uaa
 ```
 Or to run a single tests under the suite:
 ```
-make test TEST=landing.js
+make test TEST=with-uaa/landing.js
 ```
+
+**VERY IMPORTANT NOTE**: `make start-rabbitmq` will always load `rabbitmq-localhost.config`
+regardless of the test suite we are running. Therefore, if your suite requires a specific
+configuration ensure that configuration is in `rabbitmq-localhost.config`.
+
+We do not have this issue when we run the headless suites because they use dedicated files
+for each suite. Doing the same when running locally, i.e using `localhost`, would be too tedious.
diff --git a/deps/rabbitmq_management/selenium/run-suites.sh b/deps/rabbitmq_management/selenium/run-suites.sh
@@ -2,9 +2,25 @@
 
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
+OVERALL_TEST_RESULT=0
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
 for f in $SCRIPT/suites/*.sh
 do
   SUITE=$(basename -- "$f")
-	echo "Running suite $SUITE ..."
+  echo "=== Running suite $SUITE ============================================"
+  echo " "
   $f
+  TEST_RESULT="$?"
+  TEST_STATUS="${GREEN}Succeeded${NC}"
+  if [ "$TEST_RESULT" -ne 0 ]
+  then
+    OVERALL_TEST_RESULT=$TEST_RESULT
+    TEST_STATUS=" ${RED}Failed${NC}"
+  fi
+  echo -e "=== $TEST_STATUS $SUITE ==========================================="
+  echo " "
 done
+exit $OVERALL_TEST_RESULT
diff --git a/deps/rabbitmq_management/selenium/suites/oauth-with-keycloak.sh b/deps/rabbitmq_management/selenium/suites/oauth-with-keycloak.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Name of the suite used to generate log and screen folders
+SUITE=$( basename "${BASH_SOURCE[0]}" .sh)
+
+# Path to the test cases this suite should run. It is relative to the selenium/test folder
+TEST_CASES_PATH=/oauth/with-uaa
+# Path to the folder where all configuration file reside. It is relative to the selenim/test folder
+TEST_CONFIG_PATH=/oauth
+# Path to the uaa configuration. It is relative to the TEST_CONFIG_PATH
+KEYCLOAK_CONFIG_PATH=/keycloak
+# Name of the rabbitmq config file. It is relative to the TEST_CONFIG_PATH
+RABBITMQ_CONFIG_FILENAME=rabbitmq-with-keycloak.config
+
+source $SCRIPT/suite_template
+
+_setup () {
+  start_keycloak
+  start_rabbitmq
+}
+_save_logs() {
+  save_container_logs rabbitmq
+  save_container_logs keycloak
+}
+_teardown() {
+  kill_container_if_exist rabbitmq
+  kill_container_if_exist keycloak
+}
+run
diff --git a/deps/rabbitmq_management/selenium/suites/oauth-with-uaa-with-mgt-prefix.sh b/deps/rabbitmq_management/selenium/suites/oauth-with-uaa-with-mgt-prefix.sh
@@ -19,8 +19,8 @@ RABBITMQ_URL=http://rabbitmq:15672/my-prefix/another-prefix/
 source $SCRIPT/suite_template
 
 _setup () {
-  start_rabbitmq
   start_uaa
+  start_rabbitmq
 }
 _save_logs() {
   save_container_logs rabbitmq

diff --git a/deps/rabbitmq_management/selenium/suites/oauth-with-uaa.sh b/deps/rabbitmq_management/selenium/suites/oauth-with-uaa.sh
@@ -15,8 +15,8 @@ UAA_CONFIG_PATH=/uaa
 source $SCRIPT/suite_template
 
 _setup () {
+  start_uaa
   start_rabbitmq
-  start_uaa  
 }
 _save_logs() {
   save_container_logs rabbitmq