merge default into bug24186

2011-08-16 14:02:38 +01:00 · 2011-08-16 14:02:38 +01:00 · 7b54511464
parent 4acceb7985 5d20872b41
commit 7b54511464
2 changed files with 28 additions and 21 deletions
--- a/deps/rabbitmq_auth_backend_ldap/README-authorisation
+++ b/deps/rabbitmq_auth_backend_ldap/README-authorisation
@ -5,15 +5,16 @@ Authorisation is effected by three configuration options:

 * vhost_access_query
 * resource_access_query
-* is_admin_query
+* tag_queries

 Each defines a query that will determine whether a user has access to
 a vhost, a resource (e.g. exchange, queue, binding) or is considered
 an administrator.

 The default values are {constant, true}, {constant, true} and
-{constant, false}, granting all users access to all objects in all
-vhosts, but not making them administrators.
+[{administrator, {constant, false}}] respectively, granting all users
+access to all objects in all vhosts, but not making them
+administrators.

 A query can be of one of several types:

@ -57,10 +58,15 @@ The terms configure, write and read for resource access have the same
 meanings that they do for the built-in RabbitMQ permissions system,
 see http://www.rabbitmq.com/admin-guide.html#access-control

-is_admin_query:
+tag_queries:
  ${username}
  ${user_dn}

+Note that tag_queries consists of a proplist, mapping the name of a
+tag to a query to perform to determine whether or not the user has
+that tag. You must list queries for all tags that you want your users
+to have.
+
 In Group Query
 --------------

@ -119,7 +125,7 @@ TODO improve and explain this
                     {permission, read,  {constant, true}}
                    ]}},
             {resource, queue, {constant, true}} ]}},
-     {is_admin_query,        {constant, false}},
+     {tag_queries,           [{administrator, {constant, false}}]},
     {use_ssl,               false},
     {port,                  389},
     {log,                   false} ] }
--- a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
+++ b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@ -40,7 +40,7 @@
 -include_lib("rabbit_common/include/rabbit_auth_backend_spec.hrl").

 -export([description/0]).
-export([check_user_login/2, check_vhost_access/3, check_resource_access/3]).
+-export([check_user_login/2, check_vhost_access/2, check_resource_access/3]).

 -behaviour(gen_server).

@ -55,7 +55,7 @@
                 other_bind,
                 vhost_access_query,
                 resource_access_query,
-                 is_admin_query,
+                 tag_queries,
                 use_ssl,
                 log,
                 port }).
@ -81,11 +81,10 @@ check_user_login(Username, AuthProps) ->
    exit({unknown_auth_props, Username, AuthProps}).

 check_vhost_access(User = #user{username = Username,
-                                impl = UserDN}, VHost, Permission) ->
-    gen_server:call(?SERVER, {check_vhost, [{username,   Username},
-                                            {user_dn,    UserDN},
-                                            {vhost,      VHost},
-                                            {permission, Permission}], User},
+                                impl = UserDN}, VHost) ->
+    gen_server:call(?SERVER, {check_vhost, [{username, Username},
+                                            {user_dn,  UserDN},
+                                            {vhost,    VHost}], User},
                    infinity).

 check_resource_access(User = #user{username = Username, impl = UserDN},
@ -157,8 +156,10 @@ with_ldap(BindOpts, Fun,
    Opts0 = [{ssl, SSL}, {port, Port}],
    Opts = case Log of
               true ->
-                   [{log, fun(1, S, A) -> rabbit_log:warning(S, A);
-                             (2, S, A) -> rabbit_log:info   (S, A)
+                   Pre = "LDAP backend: ",
+                   rabbit_log:info(Pre ++ "connecting to ~p~n", [Servers]),
+                   [{log, fun(1, S, A) -> rabbit_log:warning(Pre ++ S, A);
+                             (2, S, A) -> rabbit_log:info   (Pre ++ S, A)
                          end} | Opts0];
               _ ->
                   Opts0
@ -192,17 +193,17 @@ get_env(F) ->
    {ok, V} = application:get_env(F),
    V.

-do_login(Username, LDAP, State = #state{ is_admin_query  = IsAdminQuery }) ->
+do_login(Username, LDAP, State = #state{ tag_queries = TagQueries }) ->
    UserDN = username_to_dn(Username, State),
    User = #user{username     = Username,
                 auth_backend = ?MODULE,
                 impl         = UserDN},
-    case evaluate(IsAdminQuery, [{username, Username},
-                                 {user_dn,  UserDN}], User, LDAP) of
-        {error, _} = E ->
-            E;
-        IsAdmin ->
-            {ok, User#user{is_admin = IsAdmin}}
+    TagRes = [{Tag, evaluate(Q, [{username, Username},
+                                 {user_dn,  UserDN}], User, LDAP)} ||
+                 {Tag, Q} <- TagQueries],
+    case [E || {_, E = {error, _}} <- TagRes] of
+        []      -> {ok, User#user{tags = [Tag || {Tag, true} <- TagRes]}};
+        [E | _] -> E
    end.

 username_to_dn(Username, #state{ user_dn_pattern = UserDNPattern }) ->