See #4842. Obfuscate impl value
This commit is contained in:
Simon Unge
parent
dddef455c6
commit
09d84e6bd5
|
|
@ -111,7 +111,7 @@ internal_check_user_login(Username, Fun) ->
|
|||
case Fun(User) of
|
||||
true -> {ok, #auth_user{username = Username,
|
||||
tags = Tags,
|
||||
impl = none}};
|
||||
impl = fun() -> none end}};
|
||||
_ -> Refused
|
||||
end;
|
||||
{error, not_found} ->
|
||||
|
|
|
|||
|
|
@ -64,6 +64,7 @@ authentication_response(Config) ->
|
|||
authorization_response(Config) ->
|
||||
AuthProps = [{password, <<"guest">>}],
|
||||
{ok, #auth_user{impl = Impl, tags = Tags}} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, AuthProps]),
|
||||
true = is_function(Impl),
|
||||
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"guest">>, AuthProps]),
|
||||
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_cache, user_login_authorization, [<<"guest">>, AuthProps]),
|
||||
{refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"nonguest">>, AuthProps]),
|
||||
|
|
@ -163,7 +164,3 @@ cache_expiration_topic(Config) ->
|
|||
|
||||
rpc(Config, M, F, A) ->
|
||||
rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ user_login_authentication(Username, AuthProps) ->
|
|||
T <- string:tokens(Rest, " ")],
|
||||
{ok, #auth_user{username = Username,
|
||||
tags = Tags,
|
||||
impl = none}};
|
||||
impl = fun() -> none end}};
|
||||
Other -> {error, {bad_response, Other}}
|
||||
end.
|
||||
|
||||
|
|
|
|||
|
|
@ -38,8 +38,9 @@ end_per_suite(_Config) ->
|
|||
|
||||
grants_access_to_user(Config) ->
|
||||
#{username := U, password := P, tags := T} = ?config(allowed_user, Config),
|
||||
?assertMatch({ok, #auth_user{username = U, tags = T}},
|
||||
rabbit_auth_backend_http:user_login_authentication(U, [{password, P}])).
|
||||
{ok, User} = rabbit_auth_backend_http:user_login_authentication(U, [{password, P}]),
|
||||
?assertMatch({U, T, none},
|
||||
{User#auth_user.username, User#auth_user.tags, (User#auth_user.impl)()}).
|
||||
|
||||
denies_access_to_user(Config) ->
|
||||
#{username := U, password := P} = ?config(denied_user, Config),
|
||||
|
|
|
|||
|
|
@ -88,8 +88,9 @@ user_login_authorization(Username, AuthProps) ->
|
|||
end.
|
||||
|
||||
check_vhost_access(User = #auth_user{username = Username,
|
||||
impl = #impl{user_dn = UserDN}},
|
||||
impl = ImplFun},
|
||||
VHost, AuthzData) ->
|
||||
UserDN = (ImplFun())#impl.user_dn,
|
||||
OptionsArgs = context_as_options(AuthzData, undefined),
|
||||
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
||||
Args = [{username, Username},
|
||||
|
|
@ -104,10 +105,11 @@ check_vhost_access(User = #auth_user{username = Username,
|
|||
R1.
|
||||
|
||||
check_resource_access(User = #auth_user{username = Username,
|
||||
impl = #impl{user_dn = UserDN}},
|
||||
impl = ImplFun},
|
||||
#resource{virtual_host = VHost, kind = Type, name = Name},
|
||||
Permission,
|
||||
AuthzContext) ->
|
||||
UserDN = (ImplFun())#impl.user_dn,
|
||||
OptionsArgs = context_as_options(AuthzContext, undefined),
|
||||
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
||||
Args = [{username, Username},
|
||||
|
|
@ -125,10 +127,11 @@ check_resource_access(User = #auth_user{username = Username,
|
|||
R1.
|
||||
|
||||
check_topic_access(User = #auth_user{username = Username,
|
||||
impl = #impl{user_dn = UserDN}},
|
||||
impl = ImplFun},
|
||||
#resource{virtual_host = VHost, kind = topic = Resource, name = Name},
|
||||
Permission,
|
||||
Context) ->
|
||||
UserDN = (ImplFun())#impl.user_dn,
|
||||
OptionsArgs = context_as_options(Context, undefined),
|
||||
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
|
||||
Args = [{username, Username},
|
||||
|
|
@ -220,7 +223,8 @@ evaluate0({in_group, DNPattern}, Args, User, LDAP) ->
|
|||
evaluate({in_group, DNPattern, "member"}, Args, User, LDAP);
|
||||
|
||||
evaluate0({in_group, DNPattern, Desc}, Args,
|
||||
#auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
|
||||
#auth_user{impl = ImplFun}, LDAP) ->
|
||||
UserDN = (ImplFun())#impl.user_dn,
|
||||
Filter = eldap:equalityMatch(Desc, UserDN),
|
||||
DN = fill(DNPattern, Args),
|
||||
R = object_exists(DN, Filter, LDAP),
|
||||
|
|
@ -234,7 +238,7 @@ evaluate0({in_group_nested, DNPattern, Desc}, Args, User, LDAP) ->
|
|||
evaluate({in_group_nested, DNPattern, Desc, subtree},
|
||||
Args, User, LDAP);
|
||||
evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
|
||||
#auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
|
||||
#auth_user{impl = ImplFun}, LDAP) ->
|
||||
GroupsBase = case env(group_lookup_base) of
|
||||
none ->
|
||||
get_expected_env_str(dn_lookup_base, none);
|
||||
|
|
@ -250,6 +254,7 @@ evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
|
|||
onelevel -> eldap:singleLevel();
|
||||
one_level -> eldap:singleLevel()
|
||||
end,
|
||||
UserDN = (ImplFun())#impl.user_dn,
|
||||
search_nested_group(LDAP, Desc, GroupsBase, EldapScope, UserDN, GroupDN, []);
|
||||
|
||||
evaluate0({'not', SubQuery}, Args, User, LDAP) ->
|
||||
|
|
@ -786,8 +791,9 @@ do_login(Username, PrebindUserDN, Password, VHost, LDAP) ->
|
|||
_ -> PrebindUserDN
|
||||
end,
|
||||
User = #auth_user{username = Username,
|
||||
impl = #impl{user_dn = UserDN,
|
||||
password = Password}},
|
||||
impl = fun() -> #impl{user_dn = UserDN,
|
||||
password = Password}
|
||||
end},
|
||||
DTQ = fun (LDAPn) -> do_tag_queries(Username, UserDN, User, VHost, LDAPn) end,
|
||||
TagRes = case env(other_bind) of
|
||||
as_user -> DTQ(LDAP);
|
||||
|
|
@ -882,7 +888,8 @@ creds(User) -> creds(User, env(other_bind)).
|
|||
|
||||
creds(none, as_user) ->
|
||||
{error, "'other_bind' set to 'as_user' but no password supplied"};
|
||||
creds(#auth_user{impl = #impl{user_dn = UserDN, password = PW}}, as_user) ->
|
||||
creds(#auth_user{impl = ImplFun}, as_user) ->
|
||||
#impl{user_dn = UserDN, password = PW} = ImplFun(),
|
||||
{ok, {UserDN, PW}};
|
||||
creds(_, Creds) ->
|
||||
{ok, Creds}.
|
||||
|
|
|
|||
|
|
@ -457,10 +457,10 @@ topic_authorisation_consumption(Config) ->
|
|||
topic_authorisation_consumption1(Config) ->
|
||||
%% we can't use the LDAP backend record here, falling back to simple tuples
|
||||
Alice = {auth_user,<<"Alice">>, [monitor],
|
||||
{impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>}
|
||||
fun() -> {impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>} end,
|
||||
},
|
||||
Bob = {auth_user,<<"Bob">>, [monitor],
|
||||
{impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>}
|
||||
fun() -> {impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>} end,
|
||||
},
|
||||
Resource = #resource{virtual_host = <<"/">>, name = <<"amq.topic">>, kind = topic},
|
||||
Context = #{routing_key => <<"a.b">>,
|
||||
|
|
@ -946,4 +946,3 @@ expand_options(As, Bs) ->
|
|||
false -> [A | R]
|
||||
end
|
||||
end, Bs, As).
|
||||
|
||||
|
|
|
|||
|
|
@ -74,29 +74,29 @@ user_login_authorization(Username, AuthProps) ->
|
|||
Else -> Else
|
||||
end.
|
||||
|
||||
check_vhost_access(#auth_user{impl = DecodedToken},
|
||||
check_vhost_access(#auth_user{impl = DecodedTokenFun},
|
||||
VHost, _AuthzData) ->
|
||||
with_decoded_token(DecodedToken,
|
||||
with_decoded_token(DecodedTokenFun(),
|
||||
fun() ->
|
||||
Scopes = get_scopes(DecodedToken),
|
||||
Scopes = get_scopes(DecodedTokenFun()),
|
||||
ScopeString = rabbit_oauth2_scope:concat_scopes(Scopes, ","),
|
||||
rabbit_log:debug("Matching virtual host '~ts' against the following scopes: ~ts", [VHost, ScopeString]),
|
||||
rabbit_oauth2_scope:vhost_access(VHost, Scopes)
|
||||
end).
|
||||
|
||||
check_resource_access(#auth_user{impl = DecodedToken},
|
||||
check_resource_access(#auth_user{impl = DecodedTokenFun},
|
||||
Resource, Permission, _AuthzContext) ->
|
||||
with_decoded_token(DecodedToken,
|
||||
with_decoded_token(DecodedTokenFun(),
|
||||
fun() ->
|
||||
Scopes = get_scopes(DecodedToken),
|
||||
Scopes = get_scopes(DecodedTokenFun()),
|
||||
rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
|
||||
end).
|
||||
|
||||
check_topic_access(#auth_user{impl = DecodedToken},
|
||||
check_topic_access(#auth_user{impl = DecodedTokenFun},
|
||||
Resource, Permission, Context) ->
|
||||
with_decoded_token(DecodedToken,
|
||||
with_decoded_token(DecodedTokenFun(),
|
||||
fun() ->
|
||||
Scopes = get_scopes(DecodedToken),
|
||||
Scopes = get_scopes(DecodedTokenFun()),
|
||||
rabbit_oauth2_scope:topic_access(Resource, Permission, Context, Scopes)
|
||||
end).
|
||||
|
||||
|
|
@ -114,7 +114,7 @@ update_state(AuthUser, NewToken) ->
|
|||
Tags = tags_from(DecodedToken),
|
||||
|
||||
{ok, AuthUser#auth_user{tags = Tags,
|
||||
impl = DecodedToken}}
|
||||
impl = fun() -> DecodedToken end}}
|
||||
end.
|
||||
|
||||
%%--------------------------------------------------------------------
|
||||
|
|
@ -136,7 +136,7 @@ authenticate(Username0, AuthProps0) ->
|
|||
|
||||
{ok, #auth_user{username = Username,
|
||||
tags = Tags,
|
||||
impl = DecodedToken}}
|
||||
impl = fun() -> DecodedToken end}}
|
||||
end,
|
||||
case with_decoded_token(DecodedToken, Func) of
|
||||
{error, Err} ->
|
||||
|
|
|
|||
Loading…
Reference in New Issue