diff --git a/deps/rabbitmq_management/Makefile b/deps/rabbitmq_management/Makefile
index 5c5a64775e..c08bc449e6 100644
--- a/deps/rabbitmq_management/Makefile
+++ b/deps/rabbitmq_management/Makefile
@@ -14,7 +14,8 @@ define PROJECT_ENV
 {cors_max_age, 1800},
 {content_security_policy, "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"},
 {max_http_body_size, 10000000},
- {delegate_count, 5}
+ {delegate_count, 5},
+ {require_auth_for_api_reference, false}
 ]
 endef
diff --git a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
index 9c1a2a773f..1a1b837b04 100644
--- a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+++ b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@@ -654,3 +654,10 @@ end}.
 {datatype, {enum, [true, false]}},
 {include_default, false}
 ]}.
+
+%% Require authentication for the HTTP API reference page.
+
+{mapping, "management.require_auth_for_api_reference", "rabbitmq_management.require_auth_for_api_reference", [
+ {datatype, {enum, [true, false]}},
+ {include_default, false}
+]}.
\ No newline at end of file
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
index 6cd5341729..4a424df0d8 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
@@ -11,9 +11,11 @@
 -module(rabbit_mgmt_wm_static).
 -include_lib("kernel/include/file.hrl").
+-include_lib("rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl").
 -export([init/2]).
 -export([malformed_request/2]).
+-export([is_authorized/2]).
 -export([forbidden/2]).
 -export([content_types_provided/2]).
 -export([resource_exists/2]).
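Review bot: The new mapping leaves rabbitmq_management.schema without a trailing newline (the `\ No newline at end of file` marker after the closing `]}.`), so the next mapping appended to this file will show up fused with this one in a diff; terminate the last line with a newline. The comment above the mapping names only "the HTTP API reference page", while the handler change in this commit guards two paths and the Makefile sets the default, so the comment could carry that: `%% Require authentication for the HTTP API reference pages (/api/index.html and /cli/index.html). Defaults to false.`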
@@ -46,6 +48,21 @@ do_init(Req, App, Path) ->
 malformed_request(Req, State) ->
 cowboy_static:malformed_request(Req, State).
+is_authorized(Req0=#{path := Path}, State)
+ when Path =:= <<"/api/index.html">>; Path =:= <<"/cli/index.html">> ->
+ case application:get_env(rabbitmq_management, require_auth_for_api_reference) of
+ {ok, true} ->
+ %% We temporarily use #context{} here to make authorization work,
+ %% and discard it immediately after since we only want to check
+ %% whether the user authenticates successfully.
+ {Res, Req, _} = rabbit_mgmt_util:is_authorized(Req0, #context{}),
+ {Res, Req, State};
+ _ ->
+ {true, Req0, State}
+ end;
+is_authorized(Req, State) ->
+ {true, Req, State}.
+
 forbidden(Req, State) ->
 cowboy_static:forbidden(Req, State).
diff --git a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
index 1208f4ddad..0627b364e4 100644
--- a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
+++ b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
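Review bot: The guard on the first `is_authorized/2` clause keys the check on the raw request path being exactly `<<"/api/index.html">>` or `<<"/cli/index.html">>`, so the protection is only as complete as the routing table that sends requests to this handler: if the dispatcher (not visible in this hunk) maps any other route, such as a directory form of the same URL, to the same priv_file, those requests fall through to the second clause and are served without authentication. Keying the decision on the resource this handler was initialised with in `do_init/3` (the `State` it carries) rather than on the path would make the check independent of how many routes reach the file; failing that, the assumption should be recorded next to the guard, e.g. `%% Assumes these two paths are the only routes the dispatcher sends to the API/CLI reference files.` The `_ ->` fallback also treats an unset or non-boolean value of `require_auth_for_api_reference` as "no auth required", which matches the Makefile default of `false` but means a typo in an advanced.config silently opens the page; a `{ok, false} ->` clause plus a narrower catch-all for `undefined` would make that explicit. `do_init/3` and the surrounding callbacks continue outside the hunk.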
@@ -497,6 +497,48 @@
 ], [rabbitmq_management]
 },
+ %%
+ %% Restrictions
+ %%
+
+ {restrictions_quorum_queue_replica_operations_disabled_case1,
+ "management.restrictions.quorum_queue_replica_operations.disabled = true",
+ [
+ {rabbitmq_management, [
+ {restrictions, [
+ {quorum_queue_replica_operations, [
+ {disabled, true}
+ ]}
+ ]}
+ ]}
+ ], [rabbitmq_management]
+ },
+
+ {restrictions_operator_policy_changes_disabled_case1,
+ "management.restrictions.operator_policy_changes.disabled = true",
+ [
+ {rabbitmq_management, [
+ {restrictions, [
+ {operator_policy_changes, [
+ {disabled, true}
+ ]}
+ ]}
+ ]}
+ ], [rabbitmq_management]
+ },
+
+ %%
+ %% Exotic options
+ %%
+
+ {auth_for_http_api_reference_case1,
+ "management.require_auth_for_api_reference = true",
+ [
+ {rabbitmq_management, [
+ {require_auth_for_api_reference, true}
+ ]}
+ ], [rabbitmq_management]
+ },
 %%
 %% Legacy listener configuration