Add Azure AD use case

Author: Baptiste DA ROIT

.gitignore

@@ -2,6 +2,8 @@
 ./uaa-4.24.0/
 conf/asymmetric_key/uaa.yml
 conf/symmetric_key/uaa.yml
+conf/azure/*
+!conf/azure/rabbitmq.config
 plugin
 rabbitmq-auth-backend-oauth2-*
 master-*.zip

Makefile

@@ -29,6 +29,9 @@ start-uaa: ## Start uaa (remember to run make build-uaa if you have not done )
 start-keycloak: ## Start keycloak
 	@./bin/keycloak/deploy
 
+start-azure: ## Start nginx for azure https
+	@./bin/azure/deploy ${SERVER_NAME}
+
 build-uaa: ## Build uaa image
 	@(cd uaa-latest; make build-uaa; cd ..)
 

README.md

@@ -28,6 +28,7 @@ If you want to understand the details of how to configure RabbitMQ with Oauth2 g
 - Use different OAuth 2.0 servers
 	- [KeyCloak](use-cases/keycloak.md)
 	- [https://auth0.com/](use-cases/oauth0.md)
+	- [Azure Active Directory](use-cases/azure.md)
 
 - [Understand the environment](#understand-the-environment)
 	- [RabbitMQ server](#rabbitmq-server)

assets/azure-ad-enterprise-application.png

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+ROOT=$SCRIPT/../..
+
+echo "Generate SSL Certificate and Key for localhost"
+echo "--------------------------------"
+echo "Generate root key"
+echo "--------------------------------"
+openssl genrsa 2048 > ${ROOT}/conf/azure/rabbitmq-ca.key
+echo ""
+echo "--------------------------------"
+echo "Create and self-sign root certificate"
+echo "--------------------------------"
+openssl req -new -x509 -nodes -days 365 \
+   -key ${ROOT}/conf/azure/rabbitmq-https.key \
+   -out ${ROOT}/conf/azure/rabbitmq-https.crt \
+   -subj "/C=US/ST=California/L=San Francisco/O=RabbitMQ/OU=OAuth 2.0 Tutorial/CN=RootCA"
+echo ""
+echo "--------------------------------"
+echo "Create Certificate Signing Request and associated private key for localhost"
+echo "--------------------------------"
+openssl req -newkey rsa:2048 -nodes \
+   -keyout ${ROOT}/conf/azure/rabbitmq.key \
+   -out ${ROOT}/conf/azure/rabbitmq.csr \
+   -subj "/C=US/ST=California/L=San Francisco/O=RabbitMQ/OU=OAuth 2.0 Tutorial/CN=localhost"
+echo ""
+echo "--------------------------------"
+echo "Create certificate for localhost"
+echo "--------------------------------"
+openssl x509 -req -days 365 \
+   -in ${ROOT}/conf/azure/rabbitmq.csr \
+   -out ${ROOT}/conf/azure/rabbitmq.crt \
+   -CA ${ROOT}/conf/azure/rabbitmq-ca.crt \
+   -CAkey ${ROOT}/conf/azure/rabbitmq-ca.key \
+echo "--------------------------------"
+echo "Configure SSL cert/key ownership"
+echo "--------------------------------"
+chown 999:999 ${ROOT}/conf/azure/*

assets/azure-ad-jwks-uri.png

@@ -7,11 +7,18 @@ CONFIG=${CONFIG:-rabbitmq.config}
 IMAGE_TAG=${IMAGE_TAG:-3.10.0-rc.6-management}
 IMAGE=${IMAGE:-rabbitmq}
 
+if [ "${MODE}" == "azure" ]; then
+  EXTRA_PORTS="-p 15671:15671"
+  EXTRA_MOUNTS="-v $SCRIPT/../conf/${MODE}/rabbitmq-ca.crt:/etc/rabbitmq/rabbitmq-ca.crt \
+                -v $SCRIPT/../conf/${MODE}/rabbitmq.key:/etc/rabbitmq/rabbitmq.key \
+                -v $SCRIPT/../conf/${MODE}/rabbitmq.crt:/etc/rabbitmq/rabbitmq.crt"
+fi
+
 docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
 docker rm -f rabbitmq 2>/dev/null || echo "rabbitmq was not running"
 echo "running RabbitMQ with mode $MODE"
 docker run -d --name rabbitmq --net rabbitmq_net \
-    -p 15672:15672 -p 5672:5672 \
-    -v $SCRIPT/../conf/${MODE}/${CONFIG}:/etc/rabbitmq/rabbitmq.config:ro \
-    -v $SCRIPT/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins \
-    -v $SCRIPT/../conf:/conf ${IMAGE}:${IMAGE_TAG}
+    -p 15672:15672 -p 5672:5672 ${EXTRA_PORTS}\
+    -v ${SCRIPT}/../conf/${MODE}/${CONFIG}:/etc/rabbitmq/rabbitmq.config:ro \
+    -v ${SCRIPT}/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins \
+    -v ${SCRIPT}/../conf:/conf ${EXTRA_MOUNTS} ${IMAGE}:${IMAGE_TAG}

assets/azure-ad-oauth-registered-app.png

@@ -0,0 +1,34 @@
+[
+  {rabbit, [
+   {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
+  ]},
+  {rabbitmq_management, [
+    {listener, [{port,    15671},
+                {ssl,      true},
+                {ssl_opts, [{cacertfile, "/etc/rabbitmq/rabbitmq-ca.crt"},
+			   {certfile,   "/etc/rabbitmq/rabbitmq.crt"},
+                           {keyfile,    "/etc/rabbitmq/rabbitmq.key"},
+
+                           %% don't do peer verification to HTTPS clients
+                           {verify,               verify_none},
+                           {fail_if_no_peer_cert, false},
+
+                           {client_renegotiation, false},
+                           {secure_renegotiate,   true},
+                           {honor_ecc_order,      true},
+                           {honor_cipher_order,   true}
+			]}
+     ]},
+     {oauth_enable, true},
+     {oauth_client_id, "PUT YOUR AZURE AD APPLICATION ID"},
+     {oauth_client_secret, "PUT YOUR AZURE AD APPLICATION SECRET"},
+     {oauth_provider_url, "https://login.microsoftonline.com/AZURE_AD_TENANT_ID"}
+ ]},
+ {rabbitmq_auth_backend_oauth2, [
+   {resource_server_id, <<"PUT YOUR AZURE AD APPLICATION ID">>},
+   {extra_scopes_source, <<"roles">>},
+   {key_config, [
+     {jwks_url, <<"PUT YOUR AZURE AD JWKS URI VALUE">>}
+   ]}
+  ]}
+ ].