Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for connection.update-secret #114

Merged
merged 2 commits into from
Sep 6, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions connection.go
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,22 @@ func Open(conn io.ReadWriteCloser, config Config) (*Connection, error) {
return c, c.open(config)
}

/*
UpdateSecret updates the secret used to authenticate this connection. It is used when
secrets have an expiration date and need to be renewed, like OAuth 2 tokens.

It returns an error if the operation is not successful, or if the connection is closed.
*/
func (c *Connection) UpdateSecret(newSecret, reason string) error {
if c.IsClosed() {
return ErrClosed
}
return c.call(&connectionUpdateSecret{
NewSecret: newSecret,
Reason: reason,
}, &connectionUpdateSecretOk{})
}

/*
LocalAddr returns the local TCP peer address, or ":0" (the zero value of net.TCPAddr)
as a fallback default value if the underlying transport does not support LocalAddr().
Expand Down
69 changes: 69 additions & 0 deletions examples_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"log"
"net"
Expand Down Expand Up @@ -434,3 +435,71 @@ func ExampleTable_SetClientConnectionName() {
}
defer conn.Close()
}

func ExampleConnection_UpdateSecret() {
// In order to authenticate into RabbitMQ, the application must acquire a JWT token.
// This may be different, depending on the library used to communicate with the OAuth2
// server. This examples assumes that it's possible to obtain tokens using username+password.
//
// The authentication is successful if RabbitMQ can validate the JWT with the OAuth2 server.
// The permissions are determined from the scopes. Check the OAuth2 plugin readme for more details:
// https://github.com/rabbitmq/rabbitmq-server/tree/main/deps/rabbitmq_auth_backend_oauth2#scope-to-permission-translation
//
// Once the app has a JWT token, this can be used as credentials in the URI used in Connection.Dial()
//
// The app should have a long-running task that checks the validity of the JWT token, and renew it before
// the refresher time expires. Once a new JWT token is obtained, it shall be used in Connection.UpdateSecret().

token, _ := getJWToken("username", "password")

uri := fmt.Sprintf("amqp://%s:%s@localhost:5672", "client_id", token)
c, _ := amqp.Dial(uri)

defer c.Close()

// It also calls Connection.UpdateSecret()
tokenRefresherTask := func(conn *amqp.Connection, token string) {
// if token is expired
// then
renewedToken, _ := refreshJWToken(token)
_ = conn.UpdateSecret(renewedToken, "Token refreshed!")
}

go tokenRefresherTask(c, "my-JWT-token")

ch, _ := c.Channel()
defer ch.Close()

_, _ = ch.QueueDeclare(
"test-amqp",
false,
false,
false,
false,
amqp.Table{},
)
_ = ch.PublishWithContext(
context.Background(),
"",
"test-amqp",
false,
false,
amqp.Publishing{
Headers: amqp.Table{},
ContentType: "text/plain",
ContentEncoding: "",
DeliveryMode: amqp.Persistent,
Body: []byte("message"),
},
)
}

func getJWToken(username, password string) (string, error) {
// do OAuth2 things
return "a-token", nil
}

func refreshJWToken(token string) (string, error) {
// do OAuth2 things to refresh tokens
return "so fresh!", nil
}