Support topic authorisation

Forward all the options of the resource record to the web server as HTTP parameters. This will then add a routing_key parameter to the resource check request. References rabbitmq/rabbitmq-server#505
2016-12-23 12:27:12 +01:00 · 2016-12-23 12:27:12 +01:00 · 81f7dc9d7d
parent dd3dd02e1d
commit 81f7dc9d7d
2 changed files with 25 additions and 7 deletions
--- a/deps/rabbitmq_auth_backend_http/README.md
+++ b/deps/rabbitmq_auth_backend_http/README.md
@ -93,11 +93,13 @@ Note that you cannot create arbitrary virtual hosts using this plugin; you can o

 ### resource_path

-* `username`   - the name of the user
-* `vhost`      - the name of the virtual host containing the resource
-* `resource`   - the type of resource (`exchange`, `queue`)
-* `name`       - the name of the resource
-* `permission` - the access level to the resource (`configure`, `write`, `read`) - see [the Access Control guide](http://www.rabbitmq.com/access-control.html) for their meaning
+* `username`    - the name of the user
+* `vhost`       - the name of the virtual host containing the resource
+* `resource`    - the type of resource (`exchange`, `queue`, `topic`)
+* `name`        - the name of the resource
+* `permission`  - the access level to the resource (`configure`, `write`, `read`) - see [the Access Control guide](http://www.rabbitmq.com/access-control.html) for their meaning
+* `routing_key` - the routing key (optional). This parameter is present only when publishing a message on a topic exchange
+(to enforce topic authorisation). `resource` then equals to `topic` and `permission` to `write` - see TODO add link to topic authorisation

 Your web server should always return HTTP 200 OK, with a body
 containing:
@ -106,6 +108,9 @@ containing:
 * `allow` - allow access to the user / vhost / resource
 * `allow [list of tags]` - (for `user_path` only) - allow access, and mark the user as an having the tags listed

+If you don't want your web server to enforce topic authorisation, it should `allow` all requests with
+`resource = topic`.
+
 ## Using TLS/HTTPS

 If your Web server uses HTTPS and certificate verification, you need to
--- a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
+++ b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
@ -28,6 +28,8 @@
 %% If keepalive connection is closed, retry N times before failing.
 -define(RETRY_ON_KEEPALIVE_CLOSED, 3).

+-define(RESOURCE_REQUEST_PARAMETERS, [username, vhost, resource, name, permission]).
+
 %%--------------------------------------------------------------------

 description() ->
@ -60,16 +62,27 @@ check_vhost_access(#auth_user{username = Username}, VHost, Sock) ->
                          {ip,       extract_address(Sock)}]).

 check_resource_access(#auth_user{username = Username},
-                      #resource{virtual_host = VHost, kind = Type, name = Name},
+                      #resource{virtual_host = VHost, kind = Type, name = Name, options = Options},
                      Permission) ->
+    OptionsParameters = resource_options_as_parameters(Options),
    bool_req(resource_path, [{username,   Username},
                             {vhost,      VHost},
                             {resource,   Type},
                             {name,       Name},
-                             {permission, Permission}]).
+                             {permission, Permission}] ++ OptionsParameters).

 %%--------------------------------------------------------------------

+resource_options_as_parameters(Options) when is_map(Options) ->
+    % filter options that would erase fixed parameters
+    [{rabbit_data_coercion:to_atom(Key), maps:get(Key, Options)}
+        || Key <- maps:keys(Options),
+        lists:member(
+            rabbit_data_coercion:to_atom(Key),
+            ?RESOURCE_REQUEST_PARAMETERS) =:= false];
+resource_options_as_parameters(_) ->
+    [].
+
 bool_req(PathName, Props) ->
    case http_req(p(PathName), q(Props)) of
        "deny"  -> false;