See #4842. Obfuscate impl value
This commit is contained in:
Simon Unge
parent
dddef455c6
commit
09d84e6bd5
|
|
@ -111,7 +111,7 @@ internal_check_user_login(Username, Fun) ->
|
||||||
case Fun(User) of
|
case Fun(User) of
|
||||||
true -> {ok, #auth_user{username = Username,
|
true -> {ok, #auth_user{username = Username,
|
||||||
tags = Tags,
|
tags = Tags,
|
||||||
impl = none}};
|
impl = fun() -> none end}};
|
||||||
_ -> Refused
|
_ -> Refused
|
||||||
end;
|
end;
|
||||||
{error, not_found} ->
|
{error, not_found} ->
|
||||||
|
|
|
||||||
|
|
@ -64,6 +64,7 @@ authentication_response(Config) ->
|
||||||
authorization_response(Config) ->
|
authorization_response(Config) ->
|
||||||
AuthProps = [{password, <<"guest">>}],
|
AuthProps = [{password, <<"guest">>}],
|
||||||
{ok, #auth_user{impl = Impl, tags = Tags}} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, AuthProps]),
|
{ok, #auth_user{impl = Impl, tags = Tags}} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, AuthProps]),
|
||||||
|
true = is_function(Impl),
|
||||||
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"guest">>, AuthProps]),
|
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"guest">>, AuthProps]),
|
||||||
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_cache, user_login_authorization, [<<"guest">>, AuthProps]),
|
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_cache, user_login_authorization, [<<"guest">>, AuthProps]),
|
||||||
{refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"nonguest">>, AuthProps]),
|
{refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"nonguest">>, AuthProps]),
|
||||||
|
|
@ -163,7 +164,3 @@ cache_expiration_topic(Config) ->
|
||||||
|
|
||||||
rpc(Config, M, F, A) ->
|
rpc(Config, M, F, A) ->
|
||||||
rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).
|
rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ user_login_authentication(Username, AuthProps) ->
|
||||||
T <- string:tokens(Rest, " ")],
|
T <- string:tokens(Rest, " ")],
|
||||||
{ok, #auth_user{username = Username,
|
{ok, #auth_user{username = Username,
|
||||||
tags = Tags,
|
tags = Tags,
|
||||||
impl = none}};
|
impl = fun() -> none end}};
|
||||||
Other -> {error, {bad_response, Other}}
|
Other -> {error, {bad_response, Other}}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -38,8 +38,9 @@ end_per_suite(_Config) ->
|
||||||
|
|
||||||
grants_access_to_user(Config) ->
|
grants_access_to_user(Config) ->
|
||||||
#{username := U, password := P, tags := T} = ?config(allowed_user, Config),
|
#{username := U, password := P, tags := T} = ?config(allowed_user, Config),
|
||||||
?assertMatch({ok, #auth_user{username = U, tags = T}},
|
{ok, User} = rabbit_auth_backend_http:user_login_authentication(U, [{password, P}]),
|
||||||
rabbit_auth_backend_http:user_login_authentication(U, [{password, P}])).
|
?assertMatch({U, T, none},
|
||||||
|
{User#auth_user.username, User#auth_user.tags, (User#auth_user.impl)()}).
|
||||||
|
|
||||||
denies_access_to_user(Config) ->
|
denies_access_to_user(Config) ->
|
||||||
#{username := U, password := P} = ?config(denied_user, Config),
|
#{username := U, password := P} = ?config(denied_user, Config),
|
||||||
|
|
|
||||||
|
|
@ -88,8 +88,9 @@ user_login_authorization(Username, AuthProps) ->
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_vhost_access(User = #auth_user{username = Username,
|
check_vhost_access(User = #auth_user{username = Username,
|
||||||
impl = #impl{user_dn = UserDN}},
|
impl = ImplFun},
|
||||||
VHost, AuthzData) ->
|
VHost, AuthzData) ->
|
||||||
|
UserDN = (ImplFun())#impl.user_dn,
|
||||||
OptionsArgs = context_as_options(AuthzData, undefined),
|
OptionsArgs = context_as_options(AuthzData, undefined),
|
||||||
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
||||||
Args = [{username, Username},
|
Args = [{username, Username},
|
||||||
|
|
@ -104,10 +105,11 @@ check_vhost_access(User = #auth_user{username = Username,
|
||||||
R1.
|
R1.
|
||||||
|
|
||||||
check_resource_access(User = #auth_user{username = Username,
|
check_resource_access(User = #auth_user{username = Username,
|
||||||
impl = #impl{user_dn = UserDN}},
|
impl = ImplFun},
|
||||||
#resource{virtual_host = VHost, kind = Type, name = Name},
|
#resource{virtual_host = VHost, kind = Type, name = Name},
|
||||||
Permission,
|
Permission,
|
||||||
AuthzContext) ->
|
AuthzContext) ->
|
||||||
|
UserDN = (ImplFun())#impl.user_dn,
|
||||||
OptionsArgs = context_as_options(AuthzContext, undefined),
|
OptionsArgs = context_as_options(AuthzContext, undefined),
|
||||||
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
||||||
Args = [{username, Username},
|
Args = [{username, Username},
|
||||||
|
|
@ -125,10 +127,11 @@ check_resource_access(User = #auth_user{username = Username,
|
||||||
R1.
|
R1.
|
||||||
|
|
||||||
check_topic_access(User = #auth_user{username = Username,
|
check_topic_access(User = #auth_user{username = Username,
|
||||||
impl = #impl{user_dn = UserDN}},
|
impl = ImplFun},
|
||||||
#resource{virtual_host = VHost, kind = topic = Resource, name = Name},
|
#resource{virtual_host = VHost, kind = topic = Resource, name = Name},
|
||||||
Permission,
|
Permission,
|
||||||
Context) ->
|
Context) ->
|
||||||
|
UserDN = (ImplFun())#impl.user_dn,
|
||||||
OptionsArgs = context_as_options(Context, undefined),
|
OptionsArgs = context_as_options(Context, undefined),
|
||||||
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
||||||
Args = [{username, Username},
|
Args = [{username, Username},
|
||||||
|
|
@ -220,7 +223,8 @@ evaluate0({in_group, DNPattern}, Args, User, LDAP) ->
|
||||||
evaluate({in_group, DNPattern, "member"}, Args, User, LDAP);
|
evaluate({in_group, DNPattern, "member"}, Args, User, LDAP);
|
||||||
|
|
||||||
evaluate0({in_group, DNPattern, Desc}, Args,
|
evaluate0({in_group, DNPattern, Desc}, Args,
|
||||||
#auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
|
#auth_user{impl = ImplFun}, LDAP) ->
|
||||||
|
UserDN = (ImplFun())#impl.user_dn,
|
||||||
Filter = eldap:equalityMatch(Desc, UserDN),
|
Filter = eldap:equalityMatch(Desc, UserDN),
|
||||||
DN = fill(DNPattern, Args),
|
DN = fill(DNPattern, Args),
|
||||||
R = object_exists(DN, Filter, LDAP),
|
R = object_exists(DN, Filter, LDAP),
|
||||||
|
|
@ -234,7 +238,7 @@ evaluate0({in_group_nested, DNPattern, Desc}, Args, User, LDAP) ->
|
||||||
evaluate({in_group_nested, DNPattern, Desc, subtree},
|
evaluate({in_group_nested, DNPattern, Desc, subtree},
|
||||||
Args, User, LDAP);
|
Args, User, LDAP);
|
||||||
evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
|
evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
|
||||||
#auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
|
#auth_user{impl = ImplFun}, LDAP) ->
|
||||||
GroupsBase = case env(group_lookup_base) of
|
GroupsBase = case env(group_lookup_base) of
|
||||||
none ->
|
none ->
|
||||||
get_expected_env_str(dn_lookup_base, none);
|
get_expected_env_str(dn_lookup_base, none);
|
||||||
|
|
@ -250,6 +254,7 @@ evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
|
||||||
onelevel -> eldap:singleLevel();
|
onelevel -> eldap:singleLevel();
|
||||||
one_level -> eldap:singleLevel()
|
one_level -> eldap:singleLevel()
|
||||||
end,
|
end,
|
||||||
|
UserDN = (ImplFun())#impl.user_dn,
|
||||||
search_nested_group(LDAP, Desc, GroupsBase, EldapScope, UserDN, GroupDN, []);
|
search_nested_group(LDAP, Desc, GroupsBase, EldapScope, UserDN, GroupDN, []);
|
||||||
|
|
||||||
evaluate0({'not', SubQuery}, Args, User, LDAP) ->
|
evaluate0({'not', SubQuery}, Args, User, LDAP) ->
|
||||||
|
|
@ -786,8 +791,9 @@ do_login(Username, PrebindUserDN, Password, VHost, LDAP) ->
|
||||||
_ -> PrebindUserDN
|
_ -> PrebindUserDN
|
||||||
end,
|
end,
|
||||||
User = #auth_user{username = Username,
|
User = #auth_user{username = Username,
|
||||||
impl = #impl{user_dn = UserDN,
|
impl = fun() -> #impl{user_dn = UserDN,
|
||||||
password = Password}},
|
password = Password}
|
||||||
|
end},
|
||||||
DTQ = fun (LDAPn) -> do_tag_queries(Username, UserDN, User, VHost, LDAPn) end,
|
DTQ = fun (LDAPn) -> do_tag_queries(Username, UserDN, User, VHost, LDAPn) end,
|
||||||
TagRes = case env(other_bind) of
|
TagRes = case env(other_bind) of
|
||||||
as_user -> DTQ(LDAP);
|
as_user -> DTQ(LDAP);
|
||||||
|
|
@ -882,7 +888,8 @@ creds(User) -> creds(User, env(other_bind)).
|
||||||
|
|
||||||
creds(none, as_user) ->
|
creds(none, as_user) ->
|
||||||
{error, "'other_bind' set to 'as_user' but no password supplied"};
|
{error, "'other_bind' set to 'as_user' but no password supplied"};
|
||||||
creds(#auth_user{impl = #impl{user_dn = UserDN, password = PW}}, as_user) ->
|
creds(#auth_user{impl = ImplFun}, as_user) ->
|
||||||
|
#impl{user_dn = UserDN, password = PW} = ImplFun(),
|
||||||
{ok, {UserDN, PW}};
|
{ok, {UserDN, PW}};
|
||||||
creds(_, Creds) ->
|
creds(_, Creds) ->
|
||||||
{ok, Creds}.
|
{ok, Creds}.
|
||||||
|
|
|
||||||
|
|
@ -457,10 +457,10 @@ topic_authorisation_consumption(Config) ->
|
||||||
topic_authorisation_consumption1(Config) ->
|
topic_authorisation_consumption1(Config) ->
|
||||||
%% we can't use the LDAP backend record here, falling back to simple tuples
|
%% we can't use the LDAP backend record here, falling back to simple tuples
|
||||||
Alice = {auth_user,<<"Alice">>, [monitor],
|
Alice = {auth_user,<<"Alice">>, [monitor],
|
||||||
{impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>}
|
fun() -> {impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>} end,
|
||||||
},
|
},
|
||||||
Bob = {auth_user,<<"Bob">>, [monitor],
|
Bob = {auth_user,<<"Bob">>, [monitor],
|
||||||
{impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>}
|
fun() -> {impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>} end,
|
||||||
},
|
},
|
||||||
Resource = #resource{virtual_host = <<"/">>, name = <<"amq.topic">>, kind = topic},
|
Resource = #resource{virtual_host = <<"/">>, name = <<"amq.topic">>, kind = topic},
|
||||||
Context = #{routing_key => <<"a.b">>,
|
Context = #{routing_key => <<"a.b">>,
|
||||||
|
|
@ -946,4 +946,3 @@ expand_options(As, Bs) ->
|
||||||
false -> [A | R]
|
false -> [A | R]
|
||||||
end
|
end
|
||||||
end, Bs, As).
|
end, Bs, As).
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -74,29 +74,29 @@ user_login_authorization(Username, AuthProps) ->
|
||||||
Else -> Else
|
Else -> Else
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_vhost_access(#auth_user{impl = DecodedToken},
|
check_vhost_access(#auth_user{impl = DecodedTokenFun},
|
||||||
VHost, _AuthzData) ->
|
VHost, _AuthzData) ->
|
||||||
with_decoded_token(DecodedToken,
|
with_decoded_token(DecodedTokenFun(),
|
||||||
fun() ->
|
fun() ->
|
||||||
Scopes = get_scopes(DecodedToken),
|
Scopes = get_scopes(DecodedTokenFun()),
|
||||||
ScopeString = rabbit_oauth2_scope:concat_scopes(Scopes, ","),
|
ScopeString = rabbit_oauth2_scope:concat_scopes(Scopes, ","),
|
||||||
rabbit_log:debug("Matching virtual host '~ts' against the following scopes: ~ts", [VHost, ScopeString]),
|
rabbit_log:debug("Matching virtual host '~ts' against the following scopes: ~ts", [VHost, ScopeString]),
|
||||||
rabbit_oauth2_scope:vhost_access(VHost, Scopes)
|
rabbit_oauth2_scope:vhost_access(VHost, Scopes)
|
||||||
end).
|
end).
|
||||||
|
|
||||||
check_resource_access(#auth_user{impl = DecodedToken},
|
check_resource_access(#auth_user{impl = DecodedTokenFun},
|
||||||
Resource, Permission, _AuthzContext) ->
|
Resource, Permission, _AuthzContext) ->
|
||||||
with_decoded_token(DecodedToken,
|
with_decoded_token(DecodedTokenFun(),
|
||||||
fun() ->
|
fun() ->
|
||||||
Scopes = get_scopes(DecodedToken),
|
Scopes = get_scopes(DecodedTokenFun()),
|
||||||
rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
|
rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
|
||||||
end).
|
end).
|
||||||
|
|
||||||
check_topic_access(#auth_user{impl = DecodedToken},
|
check_topic_access(#auth_user{impl = DecodedTokenFun},
|
||||||
Resource, Permission, Context) ->
|
Resource, Permission, Context) ->
|
||||||
with_decoded_token(DecodedToken,
|
with_decoded_token(DecodedTokenFun(),
|
||||||
fun() ->
|
fun() ->
|
||||||
Scopes = get_scopes(DecodedToken),
|
Scopes = get_scopes(DecodedTokenFun()),
|
||||||
rabbit_oauth2_scope:topic_access(Resource, Permission, Context, Scopes)
|
rabbit_oauth2_scope:topic_access(Resource, Permission, Context, Scopes)
|
||||||
end).
|
end).
|
||||||
|
|
||||||
|
|
@ -114,7 +114,7 @@ update_state(AuthUser, NewToken) ->
|
||||||
Tags = tags_from(DecodedToken),
|
Tags = tags_from(DecodedToken),
|
||||||
|
|
||||||
{ok, AuthUser#auth_user{tags = Tags,
|
{ok, AuthUser#auth_user{tags = Tags,
|
||||||
impl = DecodedToken}}
|
impl = fun() -> DecodedToken end}}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%%--------------------------------------------------------------------
|
%%--------------------------------------------------------------------
|
||||||
|
|
@ -136,7 +136,7 @@ authenticate(Username0, AuthProps0) ->
|
||||||
|
|
||||||
{ok, #auth_user{username = Username,
|
{ok, #auth_user{username = Username,
|
||||||
tags = Tags,
|
tags = Tags,
|
||||||
impl = DecodedToken}}
|
impl = fun() -> DecodedToken end}}
|
||||||
end,
|
end,
|
||||||
case with_decoded_token(DecodedToken, Func) of
|
case with_decoded_token(DecodedToken, Func) of
|
||||||
{error, Err} ->
|
{error, Err} ->
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue