Test active and non active opaque tokens

Author: MarcialRosales

deps/rabbitmq_management/src/rabbit_mgmt_util.erl

@@ -17,6 +17,7 @@
          is_authorized_vhost_visible/2,
          is_authorized_vhost_visible_for_monitoring/2,
          is_authorized_global_parameters/2]).
+-export([not_authorised/3]).
 -export([user/1]).
 -export([bad_request/3, service_unavailable/3, bad_request_exception/4,
          internal_server_error/3, internal_server_error/4, precondition_failed/3,

deps/rabbitmq_management/src/rabbit_mgmt_wm_oauth_introspect.erl

@@ -43,9 +43,12 @@ do_it(ReqData, Context) ->
     case cowboy_req:parse_header(<<"authorization">>, ReqData) of
         {bearer, Token} ->             
             case oauth2_client:introspect_token(Token) of 
+                {error, introspected_token_not_valid} -> 
+                    rabbit_log:error("Failed to introspect token due to ~p", [introspected_token_not_valid]),
+                    rabbit_mgmt_util:not_authorised("Introspected token is not active", ReqData, Context);
                 {error, Reason} -> 
                     rabbit_log:error("Failed to introspect token due to ~p", [Reason]),
-                    rabbit_mgmt_util:bad_request(<<"Cannot introspect tokenr">>, ReqData, Context);
+                    rabbit_mgmt_util:not_authorised(Reason, ReqData, Context);
                 {ok, JwtToken} -> 
                     rabbit_log:debug("Got jwt token : ~p", [JwtToken]),
                     rabbit_mgmt_util:reply(JwtToken, ReqData, Context)

deps/rabbitmq_management/test/introspect_http_handler.erl

@@ -15,7 +15,8 @@ init(Req, State) ->
                     Body = rabbit_json:encode([{"active", true}, {"scope", "rabbitmq.tag:administrator"}]),
                     {ok, cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, 
                         Body, Req), State};
-                <<"inactive">> -> Body = rabbit_json:encode([{"active", false}, {"scope", "rabbitmq.tag:administrator"}]),
+                <<"inactive">> -> 
+                    Body = rabbit_json:encode([{"active", false}, {"scope", "rabbitmq.tag:administrator"}]),
                     {ok, cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, 
                         Body, Req), State}
             end;

deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl

@@ -52,7 +52,8 @@ groups() ->
     [
       {run_with_broker, [], [
         {verify_introspection_endpoint, [], [
-          introspect_opaque_token_returns_active_jwt_token
+          introspect_opaque_token_returns_active_jwt_token,
+          introspect_opaque_token_returns_inactive_jwt_token
         ]}        
       ]},
       {verify_multi_resource_and_provider, [], [
@@ -693,7 +694,8 @@ end_per_group(verify_introspection_endpoint, Config) ->
 end_per_group(_, Config) ->
   Config.
 
-init_per_testcase(introspect_opaque_token_returns_active_jwt_token, Config) ->
+init_per_testcase(Testcase, Config) when Testcase =:= introspect_opaque_token_returns_active_jwt_token orelse
+                                         Testcase =:= introspect_opaque_token_returns_inactive_jwt_token ->
   ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
     [rabbitmq_auth_backend_oauth2, introspection_endpoint,
       ?config(authorization_server_url, Config)]),
@@ -706,9 +708,10 @@ init_per_testcase(introspect_opaque_token_returns_active_jwt_token, Config) ->
   ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
     [rabbitmq_auth_backend_oauth2, key_config, [{cacertfile, CaCertFile}]]),
 
-  rabbit_ct_helpers:testcase_started(Config, introspect_opaque_token_returns_active_jwt_token).
+  rabbit_ct_helpers:testcase_started(Config, Testcase).
 
-end_per_testcase(introspect_opaque_token_returns_active_jwt_token, Config) ->
+end_per_testcase(Testcase, Config) when Testcase =:= introspect_opaque_token_returns_active_jwt_token orelse
+                                        Testcase =:= introspect_opaque_token_returns_inactive_jwt_token ->
   ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, unset_env,
     [rabbitmq_auth_backend_oauth2, introspection_endpoint]),
   ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, unset_env,
@@ -941,12 +944,19 @@ should_return_mgt_oauth_resource_a_with_token_endpoint_params_1(Config) ->
     Config, a, oauth_token_endpoint_params, token_params_1).
 
 introspect_opaque_token_returns_active_jwt_token(Config) -> 
-  {ok, {{_HTTP, _, _}, _Headers, ResBody}} = req(Config, 0, post, "/auth/introspect", [
+  {ok, {{_HTTP, 200, _}, _Headers, ResBody}} = req(Config, 0, post, "/auth/introspect", [
     {"authorization", "bearer active"}], []),
   JSON = rabbit_json:decode(rabbit_data_coercion:to_binary(ResBody)),
   ?assertEqual(true, maps:get(<<"active">>, JSON)),
   ?assertEqual("rabbitmq.tag:administrator", maps:get(<<"scope">>, JSON)).
 
+introspect_opaque_token_returns_inactive_jwt_token(Config) -> 
+  {ok, {{_HTTP, 401, _}, _Headers, ResBody}} = req(Config, 0, post, "/auth/introspect", [
+    {"authorization", "bearer inactive"}], []),
+   JSON = rabbit_json:decode(rabbit_data_coercion:to_binary(ResBody)),
+  ?assertEqual(<<"not_authorised">>, maps:get(<<"error">>, JSON)),
+  ?assertEqual(<<"Introspected token is not active">>, maps:get(<<"reason">>, JSON)).
+
 
 
 %% -------------------------------------------------------------------