Added introspect endpoint

so that management can cache the jwt token
resulting from introspecting an opaque one

Author: MarcialRosales

deps/rabbitmq_management/src/rabbit_mgmt_dispatcher.erl

@@ -214,6 +214,7 @@ dispatcher() ->
      {"/reset/:node",                                          rabbit_mgmt_wm_reset, []},
      {"/rebalance/queues",                                     rabbit_mgmt_wm_rebalance_queues, [{queues, all}]},
      {"/auth",                                                 rabbit_mgmt_wm_auth, []},
+     {"/auth/introspect",                                      rabbit_mgmt_wm_oauth_introspect, []},
      {"/auth/attempts/:node",                                  rabbit_mgmt_wm_auth_attempts, [all]},
      {"/auth/attempts/:node/source",                           rabbit_mgmt_wm_auth_attempts, [by_source]},
      {"/login",                                                rabbit_mgmt_wm_login, []},

deps/rabbitmq_management/src/rabbit_mgmt_wm_oauth_introspect.erl

@@ -0,0 +1,39 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2025 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+
+-module(rabbit_mgmt_wm_oauth_introspect).
+
+-export([init/2, to_json/2, content_types_provided/2, is_authorized/2]).
+-include("rabbit_mgmt.hrl").
+
+%%--------------------------------------------------------------------
+
+init(Req, State) ->
+    {cowboy_rest, rabbit_mgmt_headers:set_no_cache_headers(
+        rabbit_mgmt_headers:set_common_permission_headers(Req, ?MODULE), ?MODULE), State}.
+
+allowed_methods(ReqData, Context) ->
+    {[<<"POST">>, <<"OPTIONS">>], ReqData, Context}.
+
+variances(Req, Context) ->
+    {[<<"accept-encoding">>, <<"origin">>], Req, Context}.
+
+content_types_provided(ReqData, Context) ->
+    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+
+to_json(ReqData, Context) ->
+    case cowboy_req:parse_header(<<"authorization">>, ReqData) of
+        {bearer, Token} ->             
+            rabbit_mgmt_util:reply(
+              maps:from_list(oauth2_client:introspect_token(Token)),
+              ReqData, Context);
+        _ -> 
+            rabbit_mgmt_util:bad_request(<<"Opaque token not found in authorization header">>, ReqData, Context)
+    end.
+               
+is_authorized(ReqData, Context) ->
+    {true, ReqData, Context}.

deps/rabbitmq_management/test/introspect_http_handler.erl

@@ -0,0 +1,21 @@
+-module(introspect_http_handler).
+-behavior(cowboy_handler).
+
+-export([init/2, terminate/3]).
+
+init(Req, State) ->
+    case cowboy_req:parse_header(<<"authorization">>, Req) of
+        {bearer, <<"active">>} -> 
+            Body = rabbit_json:encode([{"active", true}, {"scope", "rabbitmq.tag:administrator"}]),
+            {ok, cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, 
+                Body, Req), State};
+        {bearer, <<"inactive">>} -> 
+            Body = rabbit_json:encode([{"active", false}, {"scope", "rabbitmq.tag:administrator"}]),
+            {ok, cowboy_req:reply(200, #{<<"content-type">> => <<"application/json">>}, 
+                Body, Req), State};
+        _ -> 
+            {ok, cowboy_req:reply(401, #{}, [], Req), State}
+    end.
+
+terminate(_Reason, _Req, _State) ->
+    ok.

deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl

@@ -11,6 +11,7 @@
 -include_lib("eunit/include/eunit.hrl").
 -import(application, [set_env/3, unset_env/2]).
 -import(rabbit_mgmt_wm_auth, [authSettings/0]).
+-import(rabbit_mgmt_test_util, [req/5]).
 -compile(export_all).
 
 all() ->
@@ -27,12 +28,17 @@ all() ->
      {group, verify_oauth_initiated_logon_type_for_idp_initiated},
      {group, verify_oauth_disable_basic_auth},
      {group, verify_oauth_scopes},
-     {group, verify_extra_endpoint_params}
+     {group, verify_extra_endpoint_params},
+     {group, run_with_broker}
     ].
 
 groups() ->
     [
-
+      {run_with_broker, [], [
+        {verify_introspection_endpoint, [], [
+          introspect_opaque_token_returns_active_jwt_token
+        ]}        
+      ]},
       {verify_multi_resource_and_provider, [], [
         {with_oauth_enabled, [], [
             {with_oauth_providers_idp1_idp2, [], [
@@ -510,6 +516,26 @@ init_per_group(with_mgt_resource_server_a_with_token_endpoint_params_1, Config)
     ?config(a, Config), oauth_token_endpoint_params, ?config(token_params_1, Config)),
   Config;
 
+init_per_group(run_with_broker, Config) ->
+  Config1 = finish_init(run_with_broker, Config),
+  start_broker(Config1);
+
+init_per_group(verify_introspection_endpoint, Config) ->
+  {ok, _} = application:ensure_all_started(ssl),
+  {ok, _} = application:ensure_all_started(cowboy),
+  
+  PortBase = rabbit_ct_broker_helpers:get_node_config(Config, 0, tcp_ports_base),
+  Port = PortBase + 100,
+    
+  CertsDir = ?config(rmq_certsdir, Config),
+  Endpoints = [ {"/introspect", introspect_endpoint, []}],
+  Dispatch = cowboy_router:compile([{'_', Endpoints}]),
+  {ok, _} = cowboy:start_tls(introspection_http_listener,
+                      [{port, Port},
+                       {certfile, filename:join([CertsDir, "server", "cert.pem"])},
+                       {keyfile, filename:join([CertsDir, "server", "key.pem"])}],
+                      #{env => #{dispatch => Dispatch}}),
+  Config;
 
 init_per_group(_, Config) ->
   Config.
@@ -632,11 +658,44 @@ end_per_group(with_mgt_resource_server_a_with_token_endpoint_params_1, Config) -
     ?config(a, Config), oauth_token_endpoint_params),
   Config;
 
+end_per_group(run_with_broker, Config) -> 
+  Teardown0 = rabbit_ct_client_helpers:teardown_steps(),
+  Teardown1 = rabbit_ct_broker_helpers:teardown_steps(),
+  Steps = Teardown0 ++ Teardown1,
+  rabbit_ct_helpers:run_teardown_steps(Config, Steps),
+  Config;
+
+end_per_group(verify_introspection_endpoint, Config) ->
+  ok = cowboy:stop_listener(introspection_http_listener),
+  inets:stop(),
+  Config; 
 
 end_per_group(_, Config) ->
   Config.
 
 
+start_broker(Config) ->
+    Setup0 = rabbit_ct_broker_helpers:setup_steps(),
+    Setup1 = rabbit_ct_client_helpers:setup_steps(),
+    Steps = Setup0 ++ Setup1,
+    case rabbit_ct_helpers:run_setup_steps(Config, Steps) of
+        {skip, _} = Skip ->
+            Skip;
+        Config1 ->
+            Ret = rabbit_ct_broker_helpers:enable_feature_flag(
+                    Config1, 'rabbitmq_4.0.0'),
+            case Ret of
+                ok -> Config1;
+                _  -> Ret
+            end
+    end.
+finish_init(Group, Config) ->
+    rabbit_ct_helpers:log_environment(),
+    inets:start(),
+    NodeConf = [{rmq_nodename_suffix, Group}],
+    rabbit_ct_helpers:set_config(Config, NodeConf).
+    
+
 %% -------------------------------------------------------------------
 %% Test cases.
 %% -------------------------------------------------------------------
@@ -838,6 +897,10 @@ should_return_mgt_oauth_resource_a_with_token_endpoint_params_1(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(authSettings(),
     Config, a, oauth_token_endpoint_params, token_params_1).
 
+introspect_opaque_token_returns_active_jwt_token(Config) ->  
+  _Result = req(Config, 0, post, "/introspect", [{"Authorization", "Bearer active"}]).
+
+
 %% -------------------------------------------------------------------
 %% Utility/helper functions
 %% -------------------------------------------------------------------