Add idp-initiated with portal example

Author: MarcialRosales

Makefile

@@ -21,12 +21,30 @@ start-uaa: ## Start uaa (remember to run make build-uaa if you have not done )
 start-keycloak: ## Start keycloak
 	@./bin/keycloak/deploy
 
+start-forward-proxy: ## Start forward-proxy
+	@./bin/forward-proxy/deploy
+
+start-portal: ## Start portal
+	@./bin/portal/deploy
+
+start-proxy: ## Start proxy
+	@./bin/proxy/deploy
+
 stop-uaa: ## Stop uaa
 	@docker kill uaa
 
 stop-keycloak: ## Stop keycloak
 	@docker kill keycloak
 
+stop-forward-proxy: ## Stop forward-proxy
+	@docker kill forward-proxy
+
+stop-portal: ## Stop portal
+	@docker kill portal
+
+stop-proxy: ## Stop proxy
+	@docker kill proxy
+
 stop-dev-keycloak: ## Stop dev keycloak
 	@docker kill devkeycloak
 	@docker rm devkeycloak
@@ -39,7 +57,7 @@ start-oauth2-proxy: ## Start oauth2-proxy
 	@bin/oauth2-proxy/deploy
 
 stop-oauth2-proxy: ## Stop oauth2-proxy
-	@docker-compose -f conf/oauth2-proxy/compose.yml down
+	@bin/oauth2-proxy/undeploy
 
 start-rabbitmq:  ## Run RabbitMQ Server
 	@./bin/deploy-rabbit

README.md

@@ -54,8 +54,13 @@ When the example requires RabbitMQ with TLS enabled, the corresponding `conf` fo
 
  * [Keycloak](https://www.rabbitmq.com/docs/oauth2-examples-keycloak)
  * [Auth0](https://www.rabbitmq.com/oauth2-examples-auth0)
- * [Microsoft Entra ID](https://www.rabbitmq.com/docs/oauth2-examples-entra-id) (formerly known as Azure Active Directory)
- * [OAuth2 Proxy](https://www.rabbitmq.com/docs/oauth2-examples-proxy)
- * [Okta](https://www.rabbitmq.com/docs/oauth2-examples-okta)
- * [Google](https://www.rabbitmq.com/docs/oauth2-examples-google)  **NOT SUPPORTED**
- * [Multiple OAuth 2.0 servers and/or audiences](https://www.rabbitmq.com/docs/oauth2-examples-multiresource)
+ * [Microsoft Entra ID](https://www.rabbitmq.com/docs/next/oauth2-examples-entra-id) (formerly known as Azure Active Directory)
+ * [OAuth2 Proxy](https://www.rabbitmq.com/docs/next/oauth2-examples-proxy)
+ * [Okta](https://www.rabbitmq.com/docs/next/oauth2-examples-okta)
+ * [Google](https://www.rabbitmq.com/docs/next/oauth2-examples-google)  **NOT SUPPORTED**
+ * [Multiple OAuth 2.0 servers and/or audiences](https://www.rabbitmq.com/docs/next/oauth2-examples-multiresource)
+ * [Identity Provider initiated logon with a web portal](https://www.rabbitmq.com/docs/next/oauth2-examples-idp-initiated)
+
+ ### Commercial-only features
+
+ * [Explicit forward proxy](https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-rabbitmq-oci/4-0/tanzu-rabbitmq-oci-image/overview.html)

bin/deploy-rabbit

@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 
-#set -x
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
 
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
@@ -9,7 +11,7 @@ source $SCRIPT/common
 MODE=${MODE:-uaa}
 OAUTH_PROVIDER=${OAUTH_PROVIDER:-$MODE}
 ADVANCED=${ADVANCED:-advanced.config}
-IMAGE_TAG=${IMAGE_TAG:-4.0.2-management}
+IMAGE_TAG=${IMAGE_TAG:-4.0.7-management}
 IMAGE=${IMAGE:-rabbitmq}
 RABBITMQ_CONF=${RABBITMQ_CONF:-rabbitmq.conf}
 
@@ -39,8 +41,8 @@ function generate-final-conf-dir {
 
 }
 function generate-tls-certs-if-required {
-  if [[ -f "${CONF_DIR}/requires-tls" && ! -f "${CERTS_DIR}" ]]; then
-    generate-ca-server-client-kpi rabbitmq $CERTS_DIR       
+  if [[ -f "${CONF_DIR}/requires-tls" && ! -f "${CERTS_DIR}/server_rabbitmq_certificate.pem" ]]; then
+    generate-ca-server-client-kpi rabbitmq $CERTS_DIR      
   fi
 }
 
@@ -60,10 +62,21 @@ function deploy {
     EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${CONF_DIR}/${ADVANCED}:/etc/rabbitmq/advanced.config:ro "
     USED_CONFIG="${USED_CONFIG} ${CONF_DIR}/${ADVANCED}"
   fi
+  
+  echo "Running RabbitMQ ($IMAGE:$IMAGE_TAG) with" 
+  echo " - Mode: ${MODE} "
+  echo " - OauthProvider: ${OAUTH_PROVIDER}"
+  echo " - configuration file(s): ${USED_CONFIG}"
+  echo " - mounts: ${EXTRA_MOUNTS}"
+  
+  PLATFORM_ARGS=""
+  if [[ -n "${PLATFORM}" ]]; then
+    PLATFORM_ARGS="--platform ${PLATFORM} "
+  fi
 
-  echo "Running RabbitMQ ($IMAGE:$IMAGE_TAG) with Idp $MODE and configuration file(s) $USED_CONFIG"
   docker run -d --name rabbitmq \
-      --net rabbitmq_net \
+      --net ${RABBIT_NETWORK} \
+      ${PLATFORM_ARGS} \
       -p 15672:15672 \
       -p 5672:5672 \
       -p 5552:5552 \

bin/oauth2-proxy/deploy

@@ -8,14 +8,18 @@ CERTS_DIR=${CONF_DIR}/certs
 
 source $SCRIPT/../common
 
-ensure_docker_network
+cp -rf ${ROOT}/conf/keycloak/certs/* ${CERTS_DIR}
+
+PROVIDER_NETWORK=${PROVIDER_NETWORK:-rabbitmq_net}
+ensure_docker_network ${PROVIDER_NETWORK}
+
 docker-compose -f $ROOT/conf/oauth2-proxy/compose.yml down 2>/dev/null || echo "oauth2-proxy was not running"
 generate-ca-server-client-kpi oauth2-proxy $CERTS_DIR
 
-echo "Running oauth2-proxy docker image ..."
+print "Running oauth2-proxy docker image ..."
 
 export OAUTH2_PROXY_COOKIE_SECRET=`dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_' ; echo`
-docker-compose -f $ROOT/conf/oauth2-proxy/compose.yml up -d
+docker compose -f $ROOT/conf/oauth2-proxy/compose.yml up -d
 
 wait_for_message oauth2-proxy-oauth2-proxy-1 "Cookie settings"
 print "oauth2-proxy is running"

bin/oauth2-proxy/undeploy

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+ROOT=$SCRIPT/../..
+CONF_DIR=${ROOT}/conf/oauth2-proxy
+CERTS_DIR=${CONF_DIR}/certs
+
+
+echo "Stopping oauth2-proxy ..."
+
+docker compose -f $ROOT/conf/oauth2-proxy/compose.yml down 
+
+

bin/portal/deploy

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
+
+ROOT=$SCRIPT/../..
+CONF_DIR=${ROOT}/conf/portal
+CERTS_DIR=${CONF_DIR}/certs
+
+source $SCRIPT/../common
+
+if [ ! -f ${ROOT}/conf/uaa/certs ]; then
+  print "Deploy uaa first so that portal can reference its certificates"
+fi
+
+print "Starting portal ..."
+
+DOCKER_NETWORK=${DOCKER_NETWORK:-rabbitmq_net}
+ensure_docker_network ${DOCKER_NETWORK}
+kill_container_if_exist portal
+
+image_tag=($(md5sum $CONF_DIR/package.json))
+if [[ $(docker images -q portal:$image_tag 2> /dev/null) == "" ]]; then
+  docker build -t portal:$image_tag  --target test $CONF_DIR
+fi 
+
+generate-ca-server-client-kpi portal $CERTS_DIR
+
+begin "Running portal docker image  portal:${image_tag} ..."
+
+rm -f ${CONF_DIR}/certs/ca_certs.pem
+cat ${ROOT}/conf/uaa/certs/ca_uaa_certificate.pem ${CONF_DIR}/certs/ca_rabbitmq_certificate.pem \
+  >> ${CONF_DIR}/certs/ca_certs.pem
+
+if [[ -f ${ROOT}/conf/portal/certs/ca_proxy_certificate.pem ]]; then 
+  cat ${ROOT}/conf/portal/certs/ca_proxy_certificate.pem >> ${CONF_DIR}/certs/ca_certs.pem
+fi 
+
+docker run \
+  --detach \
+  --name portal \
+  --net ${DOCKER_NETWORK} \
+  --publish 3000:3000 \
+  --env PORT=3000 \
+  --env RABBITMQ_URL="https://localhost:15671" \
+  --env UAA_URL="https://uaa:8443" \
+  --env CLIENT_ID="rabbit_idp_user" \
+  --env CLIENT_SECRET="rabbit_idp_user" \
+  --env PROXIED_RABBITMQ_URL="https://proxy:9090" \
+  --env NODE_EXTRA_CA_CERTS=/etc/portal/ca_certs.pem \
+  -v ${CONF_DIR}/certs:/etc/portal \
+  -v ${CONF_DIR}:/code/portal \
+  portal:${image_tag} run portal
+
+print "portal is running"

bin/proxy/deploy

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [[ ! -z "${DEBUG}" ]]; then
+  set -x
+fi
+
+ROOT=$SCRIPT/../..
+CONF_DIR=${ROOT}/conf/portal
+CERTS_DIR=${CONF_DIR}/certs
+
+source $SCRIPT/../common
+
+if [ ! -f ${ROOT}/conf/uaa/certs ]; then
+  print "Deploy uaa first so that portal can reference its certificates"
+fi
+
+print "Starting proxy ..."
+
+DOCKER_NETWORK=${DOCKER_NETWORK:-rabbitmq_net}
+ensure_docker_network ${DOCKER_NETWORK}
+kill_container_if_exist proxy
+
+image_tag=($(md5sum $CONF_DIR/package.json))
+if [[ $(docker images -q portal:$image_tag 2> /dev/null) == "" ]]; then
+  docker build -t portal:$image_tag  --target test $CONF_DIR
+fi 
+
+generate-ca-server-client-kpi proxy $CERTS_DIR
+
+begin "Running proxy docker image portal:${image_tag} ..."
+
+rm -f ${CONF_DIR}/certs/ca_certs.pem
+cat ${ROOT}/conf/uaa/certs/ca_uaa_certificate.pem ${CONF_DIR}/certs/ca_rabbitmq_certificate.pem \
+  >> ${CONF_DIR}/certs/ca_certs.pem
+
+docker run \
+  --detach \
+  --name proxy \
+  --net ${DOCKER_NETWORK} \
+  --publish 9090:9090 \
+  --env PORT=9090 \
+  --env RABBITMQ_URL="https://rabbitmq:15671" \
+  --env UAA_URL="https://uaa:8443" \
+  --env CLIENT_ID="rabbit_idp_user" \
+  --env CLIENT_SECRET="rabbit_idp_user" \
+  --env NODE_EXTRA_CA_CERTS=/etc/proxy/ca_certs.pem \
+  -v ${CONF_DIR}/certs:/etc/proxy \
+  -v ${CONF_DIR}:/code/portal \
+  portal:${image_tag} run proxy
+
+print "proxy is running"

conf/oauth2-proxy/rabbitmq.conf

@@ -1,14 +1,15 @@
 auth_backends.1 = rabbit_auth_backend_oauth2
 
 log.default.level = debug
+log.console.level = debug
 
 management.oauth_enabled = true
 management.oauth_initiated_logon_type = idp_initiated
-management.oauth_provider_url = https://localhost:8442
+management.oauth_provider_url = https://oauth2-proxy:8442
 
 auth_oauth2.resource_server_id = rabbitmq
-auth_oauth2.issuer = https://keycloak:8443/realms/test
-auth_oauth2.end_session_endpoint = https://localhost:8442/oauth2/sign_out?rd=https://keycloak:8443/realms/test/protocol/openid-connect/logout
-auth_oauth2.https.cacertfile = /etc/keycloak/certs/ca_keycloak_certificate.pem
+auth_oauth2.jwks_uri = https://keycloak:8443/realms/test/protocol/openid-connect/certs
+auth_oauth2.end_session_endpoint = https://oauth2-proxy:8442/oauth2/sign_out?rd=https://keycloak:8443/realms/test/protocol/openid-connect/logout
+auth_oauth2.https.cacertfile = /etc/oauth2-proxy/certs/ca_keycloak_certificate.pem
 auth_oauth2.preferred_username_claims.1 = preferred_username
 auth_oauth2.verify_aud = false

conf/portal/Dockerfile

@@ -0,0 +1,12 @@
+# syntax=docker/dockerfile:1
+FROM atools/jdk-maven-node:mvn3-jdk11-node16 as base
+
+WORKDIR /code
+
+COPY package.json package.json
+
+FROM base as test
+RUN npm install
+
+ENTRYPOINT [ "npm" ]
+CMD [ "" ]

conf/portal/app.js

@@ -0,0 +1,85 @@
+const express = require("express");
+const app = express();
+const fs = require('fs');
+const https = require('https');
+var path = require('path');
+const XMLHttpRequest = require('xmlhttprequest').XMLHttpRequest
+
+const rabbitmq_url = process.env.RABBITMQ_URL;
+const proxied_rabbitmq_url = process.env.PROXIED_RABBITMQ_URL;
+const client_id = process.env.CLIENT_ID;
+const client_secret = process.env.CLIENT_SECRET;
+const uaa_url = process.env.UAA_URL;
+const port = process.env.PORT || 3000;
+
+app.engine('.html', require('ejs').__express);
+app.set('views', path.join(__dirname, 'views'));
+app.set('view engine', 'html');
+
+app.get('/', function(req, res){
+  let id =  default_if_blank(req.query.client_id, client_id)
+  let secret =  default_if_blank(req.query.client_secret, client_secret)
+  if (id == 'undefined' || secret == 'undefined') {
+    res.render('unauthenticated')
+  }else {
+    res.render('rabbitmq', {
+      proxied_url: proxied_rabbitmq_url,
+      url: rabbitmq_url.replace(/\/?$/, '/') + "login",
+      name: rabbitmq_url + " for " + id,
+      access_token: access_token(id, secret)
+    })
+  }
+})
+
+app.get('/favicon.ico', (req, res) => res.status(204));
+
+app.get('/logout', function(req, res) {
+  const redirectUrl = uaa_url + '/logout.do?client_id=' + client_id + "&redirect=https://portal:3000" 
+  console.debug("Received /logout request -> redirect to " + redirectUrl)
+  res.redirect(redirectUrl);
+})
+
+https
+  .createServer(
+    {
+      cert: fs.readFileSync('/etc/portal/server_portal_certificate.pem'),
+      key: fs.readFileSync('/etc/portal/server_portal_key.pem')
+    },
+    app
+  )
+  .listen(port)
+
+console.log('Express started on port ' + port);
+
+function default_if_blank(value, defaultValue) {
+  if (typeof value === "undefined" || value === null || value == "") {
+    return defaultValue;
+  } else {
+    return value;
+  }
+}
+
+function access_token(id, secret) {
+  const req = new XMLHttpRequest();
+  const url = uaa_url + '/oauth/token';
+  const params = 'client_id=' + id +
+    '&client_secret=' + secret +
+    '&grant_type=client_credentials' +
+    '&token_format=jwt' +
+    '&response_type=token';
+
+  console.debug("Sending " + url + " with params "+  params);
+
+  req.open('POST', url, false);
+  req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
+  req.setRequestHeader('Accept', 'application/json');
+  req.send(params);
+  if (req.status == 200) {
+    const token = JSON.parse(req.responseText).access_token;
+    console.log("Token => " + token)
+    return token
+  } else {
+    throw new Error(req.status + " : " + " : " + 
+      req.response + " : " + req.responseText)
+  }
+}