From d913e62c6a1b1e8b49c58d5c820762b015a8363e Mon Sep 17 00:00:00 2001
From: Boudjebla
Date: Fri, 26 Jul 2024 18:57:34 -0700
Subject: [PATCH] Initial declaration of OAuth and OIDC plugin and validator with unimplemented methods - https://issues.apache.org/jira/browse/AMQ-9400
---
activemq-broker/README_OAUTH_OIDC.md | 19 ++++++
activemq-broker/README_OAUTH_OIDC.md.bak | 9 +++
activemq-broker/pom.xml | 20 +++++-
.../activemq/security/OAuthValidator.java | 23 +++++++
.../security/OIDCAuthenticationPlugin.java | 68 +++++++++++++++++++
.../security/OIDCSecurityContext.java | 18 +++++
.../src/main/webapp/WEB-INF/activemq.xml | 3 +
7 files changed, 159 insertions(+), 1 deletion(-)
create mode 100644 activemq-broker/README_OAUTH_OIDC.md
create mode 100644 activemq-broker/README_OAUTH_OIDC.md.bak
create mode 100644 activemq-broker/src/main/java/org/apache/activemq/security/OAuthValidator.java
create mode 100644 activemq-broker/src/main/java/org/apache/activemq/security/OIDCAuthenticationPlugin.java
create mode 100644 activemq-broker/src/main/java/org/apache/activemq/security/OIDCSecurityContext.java
diff --git a/activemq-broker/README_OAUTH_OIDC.md b/activemq-broker/README_OAUTH_OIDC.md
new file mode 100644
index 00000000000..be3874d64be
--- /dev/null
+++ b/activemq-broker/README_OAUTH_OIDC.md
@@ -0,0 +1,19 @@
+# OAuth and OIDC Implementation for ActiveMQ
+
+## Overview
+This document outlines the plan to implement OAuth and OIDC authentication for ActiveMQ. The implementation will be done in a maxiumum of four stages:
+1. Initial declaration of changes and setup.
+2. Implementation of OAuth and OIDC methods.
+3. Adding unit and integration tests.
+4. Implementing logging for OAuth and OIDC operations.
+
+## Plugin configuration in the activemq.xml file
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/activemq-broker/README_OAUTH_OIDC.md.bak b/activemq-broker/README_OAUTH_OIDC.md.bak
new file mode 100644
index 00000000000..0481a12c59e
--- /dev/null
+++ b/activemq-broker/README_OAUTH_OIDC.md.bak
@@ -0,0 +1,9 @@
+# OAuth and OIDC Implementation for ActiveMQ
+
+## Overview
+This document outlines the plan to implement OAuth and OIDC authentication for ActiveMQ. The implementation will be done in a maxiumum of four stages:
+1. Initial declaration of changes and setup.
+2. Implementation of OAuth and OIDC methods.
+3. Adding unit and integration tests.
+4. Implementing logging for OAuth and OIDC operations.
+
diff --git a/activemq-broker/pom.xml b/activemq-broker/pom.xml
index 7acaf187447..8f1f839dbee 100644
--- a/activemq-broker/pom.xml
+++ b/activemq-broker/pom.xml
@@ -50,7 +50,8 @@ jakarta.annotation jakarta.annotation-api - + +
@@ -67,6 +68,23 @@ true + + + + + + + com.nimbusds + oauth2-oidc-sdk + 9.15 + + + com.nimbusds + nimbus-jose-jwt + 9.40 + + +
diff --git a/activemq-broker/src/main/java/org/apache/activemq/security/OAuthValidator.java b/activemq-broker/src/main/java/org/apache/activemq/security/OAuthValidator.java
new file mode 100644
index 00000000000..328c7904df5
--- /dev/null
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/OAuthValidator.java
@@ -0,0 +1,23 @@
+package org.apache.activemq.security;
+
+public class OAuthValidator {
+ private String clientId;
+ private String clientSecret;
+ private String oidcServerUrl;
+ private String oidcIssuer;
+
+ public OAuthValidator(String clientId, String clientSecret, String oidcServerUrl, String oidcIssuer) {
+ this.clientId = clientId;
+ this.clientSecret = clientSecret;
+ this.oidcServerUrl = oidcServerUrl;
+ this.oidcIssuer = oidcIssuer;
+ }
+
+ public void initialize() {
+ throw new UnsupportedOperationException("Method not implemented yet");
+ }
+
+ public boolean validateToken(String token) {
+ throw new UnsupportedOperationException("Method not implemented yet");
+ }
+}
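Review bot: The two `com.nimbusds` dependencies in the second pom.xml hunk carry literal versions (`9.15` for `oauth2-oidc-sdk`, `9.40` for `nimbus-jose-jwt`) in the module POM, so the library that will verify token signatures has no single place where it is upgraded. I would move both versions to a property in the parent's `dependencyManagement` and reference it here, e.g. `<version>${nimbus-jose-jwt.version}</version>` (property name is a placeholder). As far as I know `oauth2-oidc-sdk` already brings in `nimbus-jose-jwt` transitively, so the explicit second pin should be checked against the version the SDK expects, or dropped. The element markup is not visible on this page, so I cannot tell whether the block is under `dependencies` or `dependencyManagement`, or whether it is marked optional; since `activemq-broker` is a core module, making an OIDC-only dependency optional is worth considering.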
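Review bot: `validateToken(String token)` in OAuthValidator.java returns only a `boolean` and has no Javadoc, so the later implementation has no stated contract and the caller receives no verified claims (subject, groups) from which an `OIDCSecurityContext` could be built. I would add a Javadoc now stating that the method returns false for any token whose signature, issuer (against `oidcIssuer`), audience (against `clientId`) or expiry does not check out, and consider returning the verified claims rather than a flag before callers depend on the signature. The four fields are assigned only in the constructor and can be declared `private final String clientSecret;` and so on, with `Objects.requireNonNull(clientId, "clientId")` style checks so a half-configured validator fails at construction instead of at first use.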
diff --git a/activemq-broker/src/main/java/org/apache/activemq/security/OIDCAuthenticationPlugin.java b/activemq-broker/src/main/java/org/apache/activemq/security/OIDCAuthenticationPlugin.java
new file mode 100644
index 00000000000..823f59ec996
--- /dev/null
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/OIDCAuthenticationPlugin.java
@@ -0,0 +1,68 @@
+package org.apache.activemq.security;
+
+import org.apache.activemq.broker.Broker;
+import org.apache.activemq.broker.BrokerPlugin;
+import org.apache.activemq.broker.BrokerPluginSupport;
+import org.apache.activemq.command.ConnectionInfo;
+import org.apache.activemq.security.OIDCSecurityContext;
+
+public class OIDCAuthenticationPlugin implements BrokerPlugin {
+ private String clientId;
+ private String clientSecret;
+ private String oidcServerUrl;
+ private String oidcIssuer;
+
+ @Override
+ public Broker installPlugin(Broker broker) {
+ return new OIDCBroker(broker);
+ }
+
+ private class OIDCBroker extends BrokerPluginSupport {
+ private final Broker next;
+
+ public OIDCBroker(Broker next) {
+ this.next = next;
+ }
+
+ @Override
+ public void addConnection(org.apache.activemq.broker.ConnectionContext context, ConnectionInfo info) throws Exception {
+ throw new UnsupportedOperationException("Method not implemented yet");
+ }
+
+ private OIDCSecurityContext authenticate(String token) {
+ throw new UnsupportedOperationException("Method not implemented yet");
+ }
+ }
+
+ public String getClientId() {
+ return clientId;
+ }
+
+ public void setClientId(String clientId) {
+ this.clientId = clientId;
+ }
+
+ public String getClientSecret() {
+ return clientSecret;
+ }
+
+ public void setClientSecret(String clientSecret) {
+ this.clientSecret = clientSecret;
+ }
+
+ public String getOidcServerUrl() {
+ return oidcServerUrl;
+ }
+
+ public void setOidcServerUrl(String oidcServerUrl) {
+ this.oidcServerUrl = oidcServerUrl;
+ }
+
+ public String getOidcIssuer() {
+ return oidcIssuer;
+ }
+
+ public void setOidcIssuer(String oidcIssuer) {
+ this.oidcIssuer = oidcIssuer;
+ }
+}
\ No newline at end of file
diff --git a/activemq-broker/src/main/java/org/apache/activemq/security/OIDCSecurityContext.java b/activemq-broker/src/main/java/org/apache/activemq/security/OIDCSecurityContext.java
new file mode 100644
index 00000000000..ea58a5cc784
--- /dev/null
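Review bot: `OIDCBroker` extends `BrokerPluginSupport` and keeps the delegate in its own `private final Broker next`, which the superclass never receives; as far as I know `BrokerPluginSupport` only learns its delegate through its own `installPlugin`/`setNext`, so every broker call this class does not override would be forwarded to an unset delegate rather than down the chain. The usual shape for an authentication filter is `private class OIDCBroker extends BrokerFilter` with `super(next);` in the constructor and no field of its own, plus the matching `org.apache.activemq.broker.BrokerFilter` import. Separately, `getClientSecret()` is a public getter for a secret; if only setter injection from activemq.xml needs the property, I would drop the getter or add a comment such as `// secret: never log or expose via JMX`. The import of `org.apache.activemq.security.OIDCSecurityContext` is from the file's own package and can be removed.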
+++ b/activemq-broker/src/main/java/org/apache/activemq/security/OIDCSecurityContext.java
@@ -0,0 +1,18 @@
+package org.apache.activemq.security;
+
+import java.security.Principal;
+import java.util.Set;
+
+public class OIDCSecurityContext extends SecurityContext {
+ private final Set principals;
+
+ public OIDCSecurityContext(String userName, Set principals) {
+ super(userName);
+ this.principals = principals;
+ }
+
+ @Override
+ public Set getPrincipals() {
+ return principals;
+ }
+}
\ No newline at end of file
diff --git a/activemq-web-console/src/main/webapp/WEB-INF/activemq.xml b/activemq-web-console/src/main/webapp/WEB-INF/activemq.xml
index 4317fefd4f5..264088b70ed 100644
--- a/activemq-web-console/src/main/webapp/WEB-INF/activemq.xml
+++ b/activemq-web-console/src/main/webapp/WEB-INF/activemq.xml
@@ -34,6 +34,9 @@ + + +
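Review bot: The `OIDCSecurityContext` constructor stores the caller's `Set` by reference and `getPrincipals()` returns that same instance, so any code holding either reference can add or remove principals after authentication and change what the authorization layer sees. A defensive copy closes that: `this.principals = Set.copyOf(principals);` (or `Collections.unmodifiableSet(new HashSet<>(principals))` if the module has to build below Java 10), which also rejects a null set at construction. The `Set` appears without a type argument on this page; if that is how the source reads rather than a rendering artefact, it should be `Set<Principal>` to match the `java.security.Principal` import.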