Create plugin for SASL EXTERNAL mechanism.

2011-01-10 12:17:06 +00:00 · 2011-01-10 12:17:06 +00:00 · a72d050e39
commit a72d050e39
5 changed files with 181 additions and 0 deletions
--- a/deps/rabbitmq_auth_mechanism_ssl/.hgignore
+++ b/deps/rabbitmq_auth_mechanism_ssl/.hgignore
@ -0,0 +1,8 @@
+syntax: regexp
+
+^build/
+^dist/
+.*\.beam
+^ebin/rabbit_auth_mechanism_ssl.app$
+^cover/
+^tmp/
--- a/deps/rabbitmq_auth_mechanism_ssl/Makefile
+++ b/deps/rabbitmq_auth_mechanism_ssl/Makefile
@ -0,0 +1,5 @@
+PACKAGE=rabbitmq-auth-mechanism-ssl
+APPNAME=rabbit_auth_mechanism_ssl
+DEPS=rabbitmq-server rabbitmq-erlang-client
+
+include ../include.mk
--- a/deps/rabbitmq_auth_mechanism_ssl/ebin/rabbit_auth_mechanism_ssl.app.in
+++ b/deps/rabbitmq_auth_mechanism_ssl/ebin/rabbit_auth_mechanism_ssl.app.in
@ -0,0 +1,10 @@
+%% -*- erlang -*-
+{application, rabbit_auth_mechanism_ssl,
+ [{description, "RabbitMQ SSL authentication (SASL EXTERNAL)"},
+  {vsn, "%%VSN%%"},
+  {modules, [rabbit_auth_mechanism_ssl_app,
+             rabbit_auth_mechanism_ssl]}, %% TODO generate automatically.
+  {registered, []},
+  {mod, {rabbit_auth_mechanism_ssl_app, []}},
+  {env, [] },
+  {applications, [kernel, stdlib]}]}.
--- a/deps/rabbitmq_auth_mechanism_ssl/src/rabbit_auth_mechanism_ssl.erl
+++ b/deps/rabbitmq_auth_mechanism_ssl/src/rabbit_auth_mechanism_ssl.erl
@ -0,0 +1,106 @@
+%%   The contents of this file are subject to the Mozilla Public License
+%%   Version 1.1 (the "License"); you may not use this file except in
+%%   compliance with the License. You may obtain a copy of the License at
+%%   http://www.mozilla.org/MPL/
+%%
+%%   Software distributed under the License is distributed on an "AS IS"
+%%   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+%%   License for the specific language governing rights and limitations
+%%   under the License.
+%%
+%%   The Original Code is RabbitMQ.
+%%
+%%   The Initial Developers of the Original Code are LShift Ltd,
+%%   Cohesive Financial Technologies LLC, and Rabbit Technologies Ltd.
+%%
+%%   Portions created before 22-Nov-2008 00:00:00 GMT by LShift Ltd,
+%%   Cohesive Financial Technologies LLC, or Rabbit Technologies Ltd
+%%   are Copyright (C) 2007-2008 LShift Ltd, Cohesive Financial
+%%   Technologies LLC, and Rabbit Technologies Ltd.
+%%
+%%   Portions created by LShift Ltd are Copyright (C) 2007-2010 LShift
+%%   Ltd. Portions created by Cohesive Financial Technologies LLC are
+%%   Copyright (C) 2007-2010 Cohesive Financial Technologies
+%%   LLC. Portions created by Rabbit Technologies Ltd are Copyright
+%%   (C) 2007-2010 Rabbit Technologies Ltd.
+%%
+%%   All Rights Reserved.
+%%
+%%   Contributor(s): ______________________________________.
+%%
+
+-module(rabbit_auth_mechanism_ssl).
+
+-behaviour(rabbit_auth_mechanism).
+
+-export([description/0, init/1, handle_response/2]).
+
+-include_lib("rabbit_common/include/rabbit.hrl").
+-include_lib("rabbit_common/include/rabbit_auth_mechanism_spec.hrl").
+-include_lib("public_key/include/public_key.hrl").
+
+-rabbit_boot_step({?MODULE,
+                   [{description, "auth mechanism external"},
+                    {mfa,         {rabbit_registry, register,
+                                   [auth_mechanism, <<"EXTERNAL">>, ?MODULE]}},
+                    {requires,    rabbit_registry},
+                    {enables,     kernel_ready}]}).
+
+-record(state, {username = undefined}).
+
+%% SASL EXTERNAL. SASL says EXTERNAL means "use credentials
+%% established by means external to the mechanism". We define that to
+%% mean the peer certificate's subject's CN.
+
+description() ->
+    [{name, <<"EXTERNAL">>},
+     {description, <<"SSL authentication mechanism using SASL EXTERNAL">>}].
+
+init(Sock) ->
+    Username = case rabbit_net:peercert(Sock) of
+                   {ok, C} ->
+                       CN = case rabbit_ssl:peer_cert_subject_item(
+                                   C, ?'id-at-commonName') of
+                                not_found -> {refused, "no CN found", []};
+                                CN0       -> list_to_binary(CN0)
+                            end,
+                       case config_sane() of
+                           true  -> CN;
+                           false -> {refused, "configuration unsafe", []}
+                       end;
+                   {error, no_peercert} ->
+                       {refused, "no peer certificate", []};
+                   nossl ->
+                       {refused, "not SSL connection", []}
+               end,
+    #state{username = Username}.
+
+handle_response(_Response, #state{username = Username}) ->
+    case Username of
+        {refused, _, _} = E ->
+            E;
+        _ ->
+            case rabbit_access_control:check_user_login(Username, []) of
+                {ok, User} ->
+                    {ok, User};
+                {error, not_found} ->
+                    %% This is not an information leak as we have to
+                    %% have validated a client cert to get this far.
+                    {refused, "user '~s' not found", [Username]}
+            end
+    end.
+
+%%--------------------------------------------------------------------------
+
+config_sane() ->
+    {ok, Opts} = application:get_env(ssl_options),
+    case {proplists:get_value(fail_if_no_peer_cert, Opts),
+          proplists:get_value(verify, Opts)} of
+        {true, verify_peer} ->
+            true;
+        {F, V} ->
+            rabbit_log:warning("EXTERNAL mechanism disabled, "
+                               "fail_if_no_peer_cert=~p; "
+                               "verify=~p~n", [F, V]),
+            false
+    end.
--- a/deps/rabbitmq_auth_mechanism_ssl/src/rabbit_auth_mechanism_ssl_app.erl
+++ b/deps/rabbitmq_auth_mechanism_ssl/src/rabbit_auth_mechanism_ssl_app.erl
@ -0,0 +1,52 @@
+%%   The contents of this file are subject to the Mozilla Public License
+%%   Version 1.1 (the "License"); you may not use this file except in
+%%   compliance with the License. You may obtain a copy of the License at
+%%   http://www.mozilla.org/MPL/
+%%
+%%   Software distributed under the License is distributed on an "AS IS"
+%%   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+%%   License for the specific language governing rights and limitations
+%%   under the License.
+%%
+%%   The Original Code is RabbitMQ.
+%%
+%%   The Initial Developers of the Original Code are LShift Ltd,
+%%   Cohesive Financial Technologies LLC, and Rabbit Technologies Ltd.
+%%
+%%   Portions created before 22-Nov-2008 00:00:00 GMT by LShift Ltd,
+%%   Cohesive Financial Technologies LLC, or Rabbit Technologies Ltd
+%%   are Copyright (C) 2007-2008 LShift Ltd, Cohesive Financial
+%%   Technologies LLC, and Rabbit Technologies Ltd.
+%%
+%%   Portions created by LShift Ltd are Copyright (C) 2007-2010 LShift
+%%   Ltd. Portions created by Cohesive Financial Technologies LLC are
+%%   Copyright (C) 2007-2010 Cohesive Financial Technologies
+%%   LLC. Portions created by Rabbit Technologies Ltd are Copyright
+%%   (C) 2007-2010 Rabbit Technologies Ltd.
+%%
+%%   All Rights Reserved.
+%%
+%%   Contributor(s): ______________________________________.
+%%
+
+-module(rabbit_auth_mechanism_ssl_app).
+
+-behaviour(application).
+-export([start/2, stop/1]).
+
+-include_lib("amqp_client/include/amqp_client.hrl").
+
+%% Dummy supervisor - see Ulf Wiger's comment at
+%% http://erlang.2086793.n4.nabble.com/initializing-library-applications-without-processes-td2094473.html
+
+-behaviour(supervisor).
+-export([init/1]).
+
+start(normal, []) ->
+    supervisor:start_link({local,?MODULE},?MODULE,[]).
+
+stop(_State) ->
+    ok.
+
+init([]) ->
+    {ok, {{one_for_one,3,10},[]}}.