Support variable expansion in topic authz

Part of rabbitmq/rabbitmq-server#1229
Arnaud Cogoluègnes 2017-06-12 10:35:52 +02:00
parent 124bad8b75
commit c6fdd8fa17
2 changed files with 10 additions and 9 deletions


@ -720,15 +720,16 @@ do_subscribe(Destination, DestHdr, Frame,
check_subscription_access(Destination = {topic, _Topic},
#proc_state{auth_login = _User,
connection = Connection}) ->
[{amqp_params, AmqpParams}, {internal_user, InternalUser}] = amqp_connection:info(
Connection, [amqp_params, internal_user]
),
[{amqp_params, AmqpParams}, {internal_user, InternalUser = #user{username = Username}}] =
amqp_connection:info(Connection, [amqp_params, internal_user]),
#amqp_params_direct{virtual_host = VHost} = AmqpParams,
{Exchange, RoutingKey} = rabbit_routing_util:parse_routing(Destination),
Resource = #resource{virtual_host = VHost,
kind = topic,
name = rabbit_data_coercion:to_binary(Exchange)},
Context = #{routing_key => rabbit_data_coercion:to_binary(RoutingKey)},
Context = #{routing_key => rabbit_data_coercion:to_binary(RoutingKey),
variable_map => #{<<"vhost">> => VHost, <<"username">> => Username}
},
rabbit_access_control:check_topic_access(InternalUser, Resource, read, Context);
check_subscription_access(_, _) ->
authorized.
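Review bot: The new binding `InternalUser = #user{username = Username}` in check_subscription_access/2 now requires the `internal_user` reported by `amqp_connection:info/2` to be a `#user{}` record, where the previous line bound any term; if that value can ever be something else for a direct connection (not determinable from this hunk), the STOMP processor now fails with a badmatch instead of reaching the authorisation check, so that case should either be shown impossible or handled by an explicit clause. Taking `Username` and `VHost` from the authenticated connection rather than from the client frame is the right source for values that end up in an authorisation decision. The expansion that consumes `variable_map` lives outside this diff; since usernames may contain regex metacharacters such as `.` or `*`, it is worth confirming there that substituted values are escaped or matched literally before they become part of a topic permission pattern. A short comment on the map would help the next reader, e.g. `%% variable_map values are substituted into the topic permission pattern; keys must be binaries`.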


@ -84,7 +84,7 @@ init_per_testcase0(Config) ->
rabbit_ct_broker_helpers:rpc(Config, 0, rabbit_auth_backend_internal, set_permissions, [
<<"user">>, <<"/">>, <<".*">>, <<".*">>, <<".*">>, <<"acting-user">>]),
rabbit_ct_broker_helpers:rpc(Config, 0, rabbit_auth_backend_internal, set_topic_permissions, [
<<"user">>, <<"/">>, <<"amq.topic">>, <<"^Authorised">>, <<"^Authorised">>, <<"acting-user">>]),
<<"user">>, <<"/">>, <<"amq.topic">>, <<"^{username}.Authorised">>, <<"^{username}.Authorised">>, <<"acting-user">>]),
Version = ?config(version, Config),
StompPort = rabbit_ct_broker_helpers:get_node_config(Config, 0, tcp_port_stomp),
{ok, ClientFoo} = rabbit_stomp_client:connect(Version, "user", "pass", StompPort),
@ -100,8 +100,8 @@ end_per_testcase0(Config) ->
publish_topic_authorisation(Config) ->
ClientFoo = ?config(client_foo, Config),
AuthorizedTopic = "/topic/AuthorisedTopic",
RestrictedTopic = "/topic/RestrictedTopic",
AuthorizedTopic = "/topic/user.AuthorisedTopic",
RestrictedTopic = "/topic/user.RestrictedTopic",
%% send on authorised topic
rabbit_stomp_client:send(
@ -123,8 +123,8 @@ publish_topic_authorisation(Config) ->
subscribe_topic_authorisation(Config) ->
ClientFoo = ?config(client_foo, Config),
AuthorizedTopic = "/topic/AuthorisedTopic",
RestrictedTopic = "/topic/RestrictedTopic",
AuthorizedTopic = "/topic/user.AuthorisedTopic",
RestrictedTopic = "/topic/user.RestrictedTopic",
%% subscribe to authorised topic
rabbit_stomp_client:send(
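Review bot: The topic permission pattern `^{username}.Authorised` set in init_per_testcase0 (hunk at line 84) uses an unescaped `.`, which in a regex matches any character, so after expansion the fixture grants `user` every topic of the form `user?Authorised...`, not only the dotted `user.Authorised...` that the tests actually exercise. If the dot is meant literally, write `<<"^{username}\\.Authorised">>` for both the write and the read pattern. The tests still pass either way because `user.RestrictedTopic` does not match, but a literal pattern documents more precisely what the expansion is expected to produce. The renamed topics in publish_topic_authorisation and subscribe_topic_authorisation need no change; the body of subscribe_topic_authorisation appears to continue past the end of the hunk.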