Configure scope_aliases using .conf file

bin/deploy-rabbit

@@ -7,12 +7,26 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source $SCRIPT/common
 
 MODE=${MODE:-uaa}
-OAUTH_PROVIDER=${OAUTH_PROVIDER:-$MODE}
-ADVANCED=${ADVANCED:-advanced.config}
-IMAGE_TAG=${IMAGE_TAG:-main}
-IMAGE=${IMAGE:-pivotalrabbitmq/rabbitmq}
-
+IMAGE_TAG=${IMAGE_TAG:-3.13.6-management}
+IMAGE=${IMAGE:-rabbitmq}
 CONF_DIR=$SCRIPT/../conf/${MODE}
+CERTS_DIR=${CONF_DIR}/certs
+
+function generate-final-conf-dir {
+  FINAL_CONF_DIR=`mktemp -d -t "oauth2"`
+  if [[ -z "${CONF_FILES}" ]]; then
+    for i in $CONF_DIR/*.conf
+    do
+      cp $i $FINAL_CONF_DIR
+    done
+  else
+    for i in ${CONF_FILES//,/ }
+    do
+      cp $CONF_DIR/${i}.conf $FINAL_CONF_DIR
+    done
+  fi
+
+}
 
 function generate-ca-server-client-kpi {
   NAME=$1
@@ -39,36 +53,27 @@ function generate-ca-server-client-kpi {
   cd $CUR_DIR
 }
 
-function deploy {
-  USED_CONFIG=""
-  CERTS_DIR=${CONF_DIR}/certs
+function generate-tls-certs-if-required {
   if [[ -f "${CONF_DIR}/requires-tls" && ! -f "${CERTS_DIR}" ]]; then
     generate-ca-server-client-kpi $CERTS_DIR
     cp $CERTS_DIR/basic/testca/cacert.pem $CERTS_DIR
     cp $CERTS_DIR/basic/server_localhost/key.pem $CERTS_DIR
     cp $CERTS_DIR/basic/server_localhost/cert.pem $CERTS_DIR
     EXTRA_PORTS="-p 15671:15671 "
+    EXTRA_MOUNTS="-v ${CERTS_DIR}:/certs"
   fi
-  EXTRA_MOUNTS="-v ${SCRIPT}/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins "
-  EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${CONF_DIR}:/conf "
+}
 
-  if [[ -n "${CONFIG}"  &&  -f "${CONF_DIR}/${CONFIG}" ]]; then
-    USED_CONFIG="${CONF_DIR}/${CONFIG}"
-    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${USED_CONFIG}:/etc/rabbitmq/rabbitmq.config:ro "
-  elif [ -f "${CONF_DIR}/${CONF:-rabbitmq.conf}" ]; then
-    USED_CONFIG="${CONF_DIR}/${CONF:-rabbitmq.conf}"
-    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${USED_CONFIG}:/etc/rabbitmq/rabbitmq.conf:ro "
-  fi
-  if [[ -n "${ADVANCED}"  && -f "${CONF_DIR}/${ADVANCED}"  ]]; then
-    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${CONF_DIR}/${ADVANCED}:/etc/rabbitmq/advanced.config:ro "
-    USED_CONFIG="${USED_CONFIG} ${CONF_DIR}/${ADVANCED}"
-  fi
+function deploy {
+  EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${SCRIPT}/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins "
+  EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${FINAL_CONF_DIR}:/conf "
 
   docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
   docker rm -f rabbitmq 2>/dev/null || echo "rabbitmq was not running"
-  echo "running RabbitMQ ($IMAGE:$IMAGE_TAG) with Idp $MODE and configuration file(s) $USED_CONFIG"
+  echo "running RabbitMQ ($IMAGE:$IMAGE_TAG) with Idp $MODE"
   docker run -d --name rabbitmq \
       --net rabbitmq_net \
+      --env RABBITMQ_CONFIG_FILES="/conf" \
       -p 15672:15672 \
       -p 5672:5672 \
       -p 5552:5552 \
@@ -77,6 +82,8 @@ function deploy {
       ${IMAGE}:${IMAGE_TAG}
 }
 
+generate-final-conf-dir
+generate-tls-certs-if-required
 deploy
 wait_for_message rabbitmq "Time to start RabbitMQ"
 print "RabbitMQ is running"

bin/uaa/deploy

@@ -5,20 +5,71 @@ SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ROOT=$SCRIPT/../..
 UAA_IMAGE_TAG=${UAA_IMAGE_TAG:-75.21.0}
 UAA_IMAGE_NAME=${UAA_IMAGE_NAME:-cloudfoundry/uaa}
-UAA_MODE=${UAA_MODE:-"uaa"}
+CONF_DIR=${ROOT}/conf/uaa
+CERTS_DIR=${CONF_DIR}/certs
 
-docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
-docker rm -f uaa 2>/dev/null || echo "uaa was not running"
+function generate-ca-server-client-kpi {
+  DIR=$1
 
-echo "Running ${UAA_IMAGE_NAME}:${UAA_IMAGE_TAG} docker image with .."
+  if [ -d "$DIR" ]; then
+    echo "SSL Certificates for uaa already present under $DIR. Skip SSL generation"
+    return
+  fi
 
-docker run \
+  if [ ! -d "$ROOT/tls-gen" ]; then
+    git clone https://github.com/michaelklishin/tls-gen $ROOT/tls-gen
+  fi
+
+  echo "Generating CA and Server PKI for uaa under $DIR ..."
+  mkdir -p $DIR
+
+  CUR_DIR=$(pwd)
+  cd $ROOT/tls-gen/basic
+  make CN=uaa PASSWORD=foobar
+  #make
+  make verify
+  make info
+  cd $CUR_DIR
+}
+
+function generate-tls-certs-if-required {
+  if [[ ! -d "${CERTS_DIR}" ]]; then
+    generate-ca-server-client-kpi $CERTS_DIR
+    cp $ROOT/tls-gen/basic/testca/cacert.pem $CERTS_DIR
+    cp $ROOT/tls-gen/basic/server_uaa/key.pem $CERTS_DIR
+    cp $ROOT/tls-gen/basic/server_uaa/cert.pem $CERTS_DIR
+	cp $ROOT/tls-gen/basic/server_uaa/keycert.p12 $CERTS_DIR
+	keytool -importkeystore \
+			-destkeystore ${CERTS_DIR}/uaa.jks \
+			-srckeystore ${CERTS_DIR}/keycert.p12 \
+			-deststoretype pkcs12 \
+			-srcstoretype pkcs12 \
+            -alias 1 \
+			-destalias uaa-tls \
+			-deststorepass foobar \
+			-destkeypass foobar \
+			-srcstorepass foobar \
+			-srckeypass foobar \
+			-noprompt
+  fi
+}
+
+function deploy {
+	echo "Running ${UAA_IMAGE_NAME}:${UAA_IMAGE_TAG} docker image with .."
+	docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
+	docker rm -f uaa 2>/dev/null || echo "uaa was not running"
+
+	docker run \
 		--detach \
-    --name uaa --net rabbitmq_net \
+    	--name uaa \
+		--net rabbitmq_net \
 		--publish 8080:8080 \
 		--publish 8443:8443 \
-		--mount "type=bind,source=${ROOT}/conf/${UAA_MODE},target=/config" \
-		--env UAA_CONFIG_PATH="/config" \
-		--env JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom" \
-		--env SPRING_CONFIG_LOCATION="file:/config/application.yml" \
-    "${UAA_IMAGE_NAME}:${UAA_IMAGE_TAG}"
+		-v ${CONF_DIR}:/uaa \
+		-v ${CONF_DIR}/server.xml:/layers/paketo-buildpacks_apache-tomcat/catalina-base/conf/server.xml \
+		--env UAA_CONFIG_PATH="/uaa" \
+		--env JAVA_OPTS="-Djava.security.policy=unlimited -Djava.security.egd=file:/dev/./urandom" \
+    	"${UAA_IMAGE_NAME}:${UAA_IMAGE_TAG}"
+}
+generate-tls-certs-if-required
+deploy

conf/auth0/rabbitmq.conf.tmpl

@@ -11,14 +11,3 @@ management.oauth_token_endpoint_params.audience = rabbitmq
 auth_oauth2.resource_server_id = rabbitmq
 auth_oauth2.issuer = {Domain}
 auth_oauth2.https.hostname_verification = wildcard
-
-management.ssl.port = 15671
-management.ssl.cacertfile = /conf/certs/cacert.pem
-management.ssl.certfile = /conf/certs/cert.pem
-management.ssl.keyfile = /conf/certs/key.pem
-management.ssl.verify = verify_none
-management.ssl.fail_if_no_peer_cert = false
-management.ssl.client_renegotiation = false
-management.ssl.secure_renegotiate = true
-management.ssl.honor_ecc_order = true
-management.ssl.honor_cipher_order = true

conf/auth0/tls.conf

@@ -0,0 +1,10 @@
+management.ssl.port = 15671
+management.ssl.cacertfile = /certs/cacert.pem
+management.ssl.certfile = /certs/cert.pem
+management.ssl.keyfile = /certs/key.pem
+management.ssl.verify = verify_none
+management.ssl.fail_if_no_peer_cert = false
+management.ssl.client_renegotiation = false
+management.ssl.secure_renegotiate = true
+management.ssl.honor_ecc_order = true
+management.ssl.honor_cipher_order = true

conf/entra/rabbitmq.conf.tmpl

@@ -13,14 +13,3 @@ auth_oauth2.issuer = https://login.microsoftonline.com/{Directory (tenant) ID}/v
 #auth_oauth2.discovery_endpoint_params.appid = {Application(client) ID}
 auth_oauth2.preferred_username_claims.1 = name
 auth_oauth2.preferred_username_claims.2 = preferred_username
-
-management.ssl.port = 15671
-management.ssl.cacertfile = /conf/certs/cacert.pem
-management.ssl.certfile = /conf/certs/cert.pem
-management.ssl.keyfile = /conf/certs/key.pem
-management.ssl.verify = verify_none
-management.ssl.fail_if_no_peer_cert = false
-management.ssl.client_renegotiation = false
-management.ssl.secure_renegotiate = true
-management.ssl.honor_ecc_order = true
-management.ssl.honor_cipher_order = true

conf/entra/tls.conf

@@ -0,0 +1,10 @@
+management.ssl.port = 15671
+management.ssl.cacertfile = /certs/cacert.pem
+management.ssl.certfile = /certs/cert.pem
+management.ssl.keyfile = /certs/key.pem
+management.ssl.verify = verify_none
+management.ssl.fail_if_no_peer_cert = false
+management.ssl.client_renegotiation = false
+management.ssl.secure_renegotiate = true
+management.ssl.honor_ecc_order = true
+management.ssl.honor_cipher_order = true

conf/okta/rabbitmq.conf.tmpl

@@ -1,5 +1,7 @@
 auth_backends.1 = rabbit_auth_backend_oauth2
 
+log.console.level = debug
+
 management.oauth_enabled = true
 management.oauth_client_id = {okta_client_app_ID}
 management.oauth_scopes = admin monitoring
@@ -14,13 +16,5 @@ auth_oauth2.verify_aud = false
 auth_oauth2.scope_prefix = okta.
 auth_oauth2.https.hostname_verification = wildcard
 
-management.ssl.port = 15671
-management.ssl.cacertfile = /conf/certs/cacert.pem
-management.ssl.certfile = /conf/certs/cert.pem
-management.ssl.keyfile = /conf/certs/key.pem
-management.ssl.verify = verify_none
-management.ssl.fail_if_no_peer_cert = false
-management.ssl.client_renegotiation = false
-management.ssl.secure_renegotiate = true
-management.ssl.honor_ecc_order = true
-management.ssl.honor_cipher_order = true
+auth_oauth2.scope_aliases.admin = okta.read:*/* okta.write:*/* okta.configure:*/* okta.tag:administrator
+auth_oauth2.scope_aliases.monitoring = okta.tag:management okta.read:*/

conf/okta/tls.conf

@@ -0,0 +1,10 @@
+management.ssl.port = 15671
+management.ssl.cacertfile = /certs/cacert.pem
+management.ssl.certfile = /certs/cert.pem
+management.ssl.keyfile = /certs/key.pem
+management.ssl.verify = verify_none
+management.ssl.fail_if_no_peer_cert = false
+management.ssl.client_renegotiation = false
+management.ssl.secure_renegotiate = true
+management.ssl.honor_ecc_order = true
+management.ssl.honor_cipher_order = true

conf/uaa/authn-and-authz.conf

@@ -0,0 +1,2 @@
+auth_backends.1.authn = rabbit_auth_backend_oauth2
+auth_backends.1.authz = internal

conf/uaa/oauth2-and-internal.conf

@@ -0,0 +1,2 @@
+auth_backends.1 = rabbit_auth_backend_oauth2
+auth_backends.2 = rabbit_auth_backend_internal

conf/uaa/oauth2-only.conf

@@ -0,0 +1 @@
+auth_backends.1 = rabbit_auth_backend_oauth2

conf/uaa/rabbitmq.conf

@@ -1,4 +1,3 @@
-auth_backends.1 = rabbit_auth_backend_oauth2
 
 management.oauth_enabled = true
 management.oauth_client_id = rabbit_client_code
@@ -13,5 +12,3 @@ auth_oauth2.preferred_username_claims.1 = preferred_username
 auth_oauth2.preferred_username_claims.2 = user_name
 auth_oauth2.preferred_username_claims.3 = email
 auth_oauth2.signing_keys.legacy-token-key = /conf/signing-key/signing-key.pem
-
-amqp1_0.default_user = none

conf/uaa/rar-tokens.conf

@@ -0,0 +1 @@
+auth_oauth2.resource_server_type = rabbitmq

conf/uaa/scope-aliases.conf

@@ -0,0 +1,15 @@
+
+auth_oauth2.scope_aliases.1.alias = api://rabbitmq:Read.All
+auth_oauth2.scope_aliases.1.scope = rabbitmq.read:*/*
+
+auth_oauth2.scope_aliases.2.alias = api://rabbitmq:Write.All
+auth_oauth2.scope_aliases.2.scope = rabbitmq.write:*/*
+
+auth_oauth2.scope_aliases.3.alias = api://rabbitmq:Configure.All
+auth_oauth2.scope_aliases.3.scope = rabbitmq.configure:*/*
+
+auth_oauth2.scope_aliases.3.alias = api://rabbitmq:Administrator
+auth_oauth2.scope_aliases.3.scope = rabbitmq.tag:administrator
+
+auth_oauth2.scope_aliases.4.alias = api://rabbitmq:producer
+auth_oauth2.scope_aliases.4.scope = rabbitmq.read:*/* rabbitmq.write:*/* rabbitmq.configure:*/* rabbitmq.tag:management

conf/uaa/server.xml

@@ -0,0 +1,43 @@
+<?xml version='1.0' encoding='utf-8'?>
+<Server port="-1">
+    <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+    <Service name="Catalina">
+    <Connector class="org.apache.coyote.http11.Http11NioProtocol" protocol="HTTP/1.1" connectionTimeout="20000"
+                scheme="https"
+                port="8443"
+                SSLEnabled="true"
+                sslEnabledProtocols="TLSv1.2"
+                ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+                secure="true"
+                clientAuth="false"
+                sslProtocol="TLS"
+                keystoreFile="/uaa/certs/uaa.jks"
+                keystoreType="PKCS12"
+                keyAlias="uaa-tls"
+                keystorePass="foobar"
+                bindOnInit="false"/>
+    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
+                connectionTimeout="20000"
+                port="8989"
+                address="127.0.0.1"
+                bindOnInit="true"/>
+    <Engine name="Catalina" defaultHost="localhost">
+        <Host name="localhost"
+            appBase="webapps"
+            unpackWARs="true"
+            autoDeploy="false"
+            failCtxIfServletStartFails="true">
+        <Valve className="org.apache.catalina.valves.RemoteIpValve"
+                remoteIpHeader="x-forwarded-for"
+                protocolHeader="x-forwarded-proto"
+                internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}"/>
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+                prefix="localhost_access" suffix=".log" rotatable="false" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
+        </Host>
+    </Engine>
+    </Service>
+</Server>

conf/uaa/uaa.yml

@@ -1,3 +1,6 @@
+require_https: true
+https_port: 8443
+
 logging:
   config: /config/log4j2.properties