Remove rabbit_authz_backend:state_can_expire/0

Use expiry_timestamp/1 instead, which returns 'never'
if the credentials do not expire.

Fixes #10382

deps/rabbit/src/rabbit_access_control.erl

@@ -232,15 +232,16 @@ update_state(User = #user{authz_backends = Backends0}, NewState) ->
     %% backends is in reverse order from the original list.
     Backends = lists:foldl(
                 fun({Module, Impl}, {ok, Acc}) ->
-                        case Module:state_can_expire() of
-                          true  ->
-                            case Module:update_state(auth_user(User, Impl), NewState) of
+                        AuthUser = auth_user(User, Impl),
+                        case Module:expiry_timestamp(AuthUser) of
+                          never ->
+                            {ok, [{Module, Impl} | Acc]};
+                          _  ->
+                            case Module:update_state(AuthUser, NewState) of
                               {ok, #auth_user{impl = Impl1}} ->
                                 {ok, [{Module, Impl1} | Acc]};
                               Else -> Else
-                            end;
-                          false ->
-                            {ok, [{Module, Impl} | Acc]}
+                            end
                         end;
                    (_, {error, _} = Err)      -> Err;
                    (_, {refused, _, _} = Err) -> Err
@@ -254,8 +255,8 @@ update_state(User = #user{authz_backends = Backends0}, NewState) ->
 
 %% Returns true if any of the backends support credential expiration,
 %% otherwise returns false.
-permission_cache_can_expire(#user{authz_backends = Backends}) ->
-    lists:any(fun ({Module, _State}) -> Module:state_can_expire() end, Backends).
+permission_cache_can_expire(User) ->
+    expiry_timestamp(User) =/= never.
 
 -spec expiry_timestamp(User :: rabbit_types:user()) -> integer() | never.
 expiry_timestamp(User = #user{authz_backends = Modules}) ->

deps/rabbit/src/rabbit_auth_backend_internal.erl

@@ -41,7 +41,7 @@
          list_user_vhost_permissions/2,
          list_user_topic_permissions/1, list_vhost_topic_permissions/1, list_user_vhost_topic_permissions/2]).
 
--export([state_can_expire/0, expiry_timestamp/1]).
+-export([expiry_timestamp/1]).
 
 -export([hashing_module_for_user/1, expand_topic_permission/2]).
 
@@ -109,8 +109,6 @@ user_login_authentication(Username, AuthProps) ->
             end
     end.
 
-state_can_expire() -> false.
-
 expiry_timestamp(_) -> never.
 
 user_login_authorization(Username, _AuthProps) ->

deps/rabbit/test/rabbit_auth_backend_context_propagation_mock.erl

@@ -15,7 +15,7 @@
 
 -export([user_login_authentication/2, user_login_authorization/2,
   check_vhost_access/3, check_resource_access/4, check_topic_access/4,
-  state_can_expire/0, expiry_timestamp/1,
+  expiry_timestamp/1,
   get/1, init/0]).
 
 init() ->
@@ -40,8 +40,6 @@ check_topic_access(#auth_user{}, #resource{}, _Permission, TopicContext) ->
   ets:insert(?MODULE, {topic_access, TopicContext}),
   true.
 
-state_can_expire() -> false.
-
 expiry_timestamp(_) ->
     never.
 

deps/rabbit_common/src/rabbit_auth_backend_dummy.erl

@@ -14,7 +14,7 @@
 -export([user/0]).
 -export([user_login_authentication/2, user_login_authorization/2,
          check_vhost_access/3, check_resource_access/4, check_topic_access/4]).
--export([state_can_expire/0, expiry_timestamp/1]).
+-export([expiry_timestamp/1]).
 
 -spec user() -> rabbit_types:user().
 
@@ -36,5 +36,4 @@ check_vhost_access(#auth_user{}, _VHostPath, _AuthzData) -> true.
 check_resource_access(#auth_user{}, #resource{}, _Permission, _Context) -> true.
 check_topic_access(#auth_user{}, #resource{}, _Permission, _Context) -> true.
 
-state_can_expire() -> false.
 expiry_timestamp(_) -> never.

deps/rabbit_common/src/rabbit_authz_backend.erl

@@ -67,10 +67,6 @@
     rabbit_types:topic_access_context()) ->
     boolean() | {'error', any()}.
 
-%% Returns true for backends that support state or credential expiration (e.g. use JWTs).
-%% @deprecated Please use {@link expiry_timestamp/1} instead.
--callback state_can_expire() -> boolean().
-
 %% Updates backend state that has expired.
 %%
 %% Possible responses:

deps/rabbitmq_auth_backend_cache/src/rabbit_auth_backend_cache.erl

@@ -13,7 +13,7 @@
 
 -export([user_login_authentication/2, user_login_authorization/2,
          check_vhost_access/3, check_resource_access/4, check_topic_access/4,
-         state_can_expire/0, expiry_timestamp/1]).
+         expiry_timestamp/1]).
 
 %% API
 
@@ -60,8 +60,6 @@ check_topic_access(#auth_user{} = AuthUser,
             (_)                -> unknown
         end).
 
-state_can_expire() -> false.
-
 expiry_timestamp(_) -> never.
 
 %%

deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl

@@ -15,7 +15,7 @@
 -export([description/0, p/1, q/1, join_tags/1]).
 -export([user_login_authentication/2, user_login_authorization/2,
          check_vhost_access/3, check_resource_access/4, check_topic_access/4,
-         state_can_expire/0, expiry_timestamp/1]).
+         expiry_timestamp/1]).
 
 %% If keepalive connection is closed, retry N times before failing.
 -define(RETRY_ON_KEEPALIVE_CLOSED, 3).
@@ -129,8 +129,6 @@ check_topic_access(#auth_user{username = Username, tags = Tags},
         {permission, Permission},
         {tags, join_tags(Tags)}] ++ OptionsParameters).
 
-state_can_expire() -> false.
-
 expiry_timestamp(_) -> never.
 
 %%--------------------------------------------------------------------

deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl

@@ -17,7 +17,7 @@
 
 -export([user_login_authentication/2, user_login_authorization/2,
          check_vhost_access/3, check_resource_access/4, check_topic_access/4,
-         state_can_expire/0, expiry_timestamp/1,
+         expiry_timestamp/1,
          format_multi_attr/1, format_multi_attr/2]).
 
 -export([get_connections/0]).
@@ -168,8 +168,6 @@ check_topic_access(User = #auth_user{username = Username,
          log_result(R0), log_result(R1)]),
     R1.
 
-state_can_expire() -> false.
-
 expiry_timestamp(_) -> never.
 
 %%--------------------------------------------------------------------

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -14,7 +14,7 @@
 -export([description/0]).
 -export([user_login_authentication/2, user_login_authorization/2,
          check_vhost_access/3, check_resource_access/4,
-         check_topic_access/4, check_token/1, state_can_expire/0, update_state/2,
+         check_topic_access/4, check_token/1, update_state/2,
          expiry_timestamp/1]).
 
 % for testing
@@ -104,8 +104,6 @@ check_topic_access(#auth_user{impl = DecodedTokenFun},
             rabbit_oauth2_scope:topic_access(Resource, Permission, Context, Scopes)
         end).
 
-state_can_expire() -> true.
-
 update_state(AuthUser, NewToken) ->
   case check_token(NewToken) of
       %% avoid logging the token

deps/rabbitmq_mqtt/test/rabbit_auth_backend_mqtt_mock.erl

@@ -16,7 +16,7 @@
 -export([setup/1,
          user_login_authentication/2, user_login_authorization/2,
          check_vhost_access/3, check_resource_access/4, check_topic_access/4,
-         state_can_expire/0,
+         expiry_timestamp/1,
          get/1]).
 
 setup(CallerPid) ->
@@ -47,7 +47,8 @@ check_topic_access(#auth_user{}, #resource{}, _Permission, TopicContext) ->
     ets:insert(?MODULE, {topic_access, TopicContext}),
     true.
 
-state_can_expire() -> false.
+expiry_timestamp(_) ->
+    never.
 
 get(K) ->
     ets:lookup(?MODULE, K).