authorMichael Klishin <mklishin@pivotal.io>2018-07-19 22:20:57 +0300
committerMichael Klishin <mklishin@pivotal.io>2018-07-19 22:20:57 +0300
commitf0178d77293a93a89d19e23576648961077c2966 (patch)
tree694ec2186be62a0720f04bcc984203125c53a386 /deps/rabbitmq_auth_backend_oauth2/test/rabbit_auth_backend_oauth2_test_util.erl
parent5b002c5eab351e3f12617ee00c04ea9d0cb7384a (diff)
rabbitmq_auth_backend_uaa => rabbitmq_auth_backend_oauth2
"OAuth 2" is many things but it's still more descriptive, open-ended and easier to find than "uaa" (too tool-specific) or "jwt" (too narrow, not known widely enough). Per discussion with @hairyhum @kjnilsson.
Diffstat (limited to 'deps/rabbitmq_auth_backend_oauth2/test/rabbit_auth_backend_oauth2_test_util.erl')
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/test/rabbit_auth_backend_oauth2_test_util.erl85
1 files changed, 85 insertions, 0 deletions
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/rabbit_auth_backend_oauth2_test_util.erl b/deps/rabbitmq_auth_backend_oauth2/test/rabbit_auth_backend_oauth2_test_util.erl
new file mode 100644
index 0000000000..0213186e3f
--- /dev/null
+++ b/deps/rabbitmq_auth_backend_oauth2/test/rabbit_auth_backend_oauth2_test_util.erl
@@ -0,0 +1,85 @@
+-module(rabbit_auth_backend_oauth2_test_util).
+
+-compile(export_all).
+
+-define(EXPIRATION_TIME, 2000).
+
+%%
+%% API
+%%
+
+sign_token_hs(Token, #{<<"kid">> := TokenKey} = Jwk) ->
+ sign_token_hs(Token, Jwk, TokenKey).
+
+sign_token_hs(Token, Jwk, TokenKey) ->
+ Jws = #{
+ <<"alg">> => <<"HS256">>,
+ <<"kid">> => TokenKey
+ },
+ sign_token(Token, Jwk, Jws).
+
+sign_token_rsa(Token, Jwk, TokenKey) ->
+ Jws = #{
+ <<"alg">> => <<"RS256">>,
+ <<"kid">> => TokenKey
+ },
+ sign_token(Token, Jwk, Jws).
+
+sign_token_no_kid(Token, Jwk) ->
+ Signed = jose_jwt:sign(Jwk, Token),
+ jose_jws:compact(Signed).
+
+sign_token(Token, Jwk, Jws) ->
+ Signed = jose_jwt:sign(Jwk, Jws, Token),
+ jose_jws:compact(Signed).
+
+fixture_jwk() ->
+ #{<<"alg">> => <<"HS256">>,
+ <<"k">> => <<"dG9rZW5rZXk">>,
+ <<"kid">> => <<"token-key">>,
+ <<"kty">> => <<"oct">>,
+ <<"use">> => <<"sig">>,
+ <<"value">> => <<"tokenkey">>}.
+
+full_permission_scopes() ->
+ [<<"rabbitmq.configure:*/*">>,
+ <<"rabbitmq.write:*/*">>,
+ <<"rabbitmq.read:*/*">>].
+
+expirable_token() ->
+ TokenPayload = fixture_token(),
+ TokenPayload#{<<"exp">> := os:system_time(seconds) + timer:seconds(?EXPIRATION_TIME)}.
+
+wait_for_token_to_expire() ->
+ timer:sleep(?EXPIRATION_TIME).
+
+expired_token() ->
+ expired_token_with_scopes(full_permission_scopes()).
+
+expired_token_with_scopes(Scopes) ->
+ token_with_scopes_and_expiration(Scopes, os:system_time(seconds) - timer:seconds(10)).
+
+fixture_token_with_scopes(Scopes) ->
+ token_with_scopes_and_expiration(Scopes, os:system_time(seconds) + timer:seconds(10)).
+
+token_with_scopes_and_expiration(Scopes, Expiration) ->
+ #{<<"exp">> => Expiration,
+ <<"kid">> => <<"token-key">>,
+ <<"iss">> => <<"unit_test">>,
+ <<"foo">> => <<"bar">>,
+ <<"aud">> => [<<"rabbitmq">>],
+ <<"scope">> => Scopes}.
+
+fixture_token() ->
+ fixture_token([]).
+
+fixture_token(ExtraScopes) ->
+ Scopes = [<<"rabbitmq.configure:vhost/foo">>,
+ <<"rabbitmq.write:vhost/foo">>,
+ <<"rabbitmq.read:vhost/foo">>,
+ <<"rabbitmq.read:vhost/bar">>,
+ <<"rabbitmq.read:vhost/bar/%23%2Ffoo">>] ++ ExtraScopes,
+ fixture_token_with_scopes(Scopes).
+
+fixture_token_with_full_permissions() ->
+ fixture_token_with_scopes(full_permission_scopes()).
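Review bot: `expirable_token/0` mixes units: `timer:seconds(?EXPIRATION_TIME)` returns milliseconds (2000 * 1000), and that is added to `os:system_time(seconds)`, so the `exp` claim lands about 23 days in the future while `wait_for_token_to_expire/0` sleeps only 2000 ms. Any test that uses this pair to show that an expired token is refused would be presenting a token that is still valid, so the expiry check in the backend is not actually exercised. Since `?EXPIRATION_TIME` is treated as milliseconds by `timer:sleep/1`, the claim should be `os:system_time(seconds) + (?EXPIRATION_TIME div 1000)`, and the sleep may need a small margin beyond that depending on how the backend compares `exp` with the current time. The `timer:seconds(10)` offsets in `expired_token_with_scopes/1` and `fixture_token_with_scopes/1` are likewise 10000 seconds rather than 10; the outcome is unaffected there, but a plain `10` would state the intent.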