root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Verify non-zero DNS and email SAN

This commit is contained in:
Marcial Rosales 2024-10-29 16:21:27 +01:00
parent 4c1099950d
commit e7cb2420a7
3 changed files with 52 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
deps/rabbitmq_ct_helpers/tools/tls-certs/openssl.cnf.in vendored
View File

@ -63,3 +63,6 @@ DNS.2 = localhost
[ client_alt_names ] [ client_alt_names ]
DNS.1 = rabbit_client_id DNS.1 = rabbit_client_id
DNS.2 = rabbit_client_id_ext
email.1 = rabbit_client@localhost
URI.1 = rabbit_client_id_uri

2
deps/rabbitmq_mqtt/BUILD.bazel vendored
View File

@ -136,7 +136,7 @@ rabbitmq_integration_suite(
"test/rabbit_auth_backend_mqtt_mock.beam", "test/rabbit_auth_backend_mqtt_mock.beam",
"test/util.beam", "test/util.beam",
], ],
shard_count = 18, shard_count = 22,
runtime_deps = [ runtime_deps = [
"@emqtt//:erlang_app", "@emqtt//:erlang_app",
"@meck//:erlang_app", "@meck//:erlang_app",

49
deps/rabbitmq_mqtt/test/auth_SUITE.erl vendored
View File

@ -72,6 +72,12 @@ sub_groups() ->
[client_id_from_cert_san_dns, [client_id_from_cert_san_dns,
invalid_client_id_from_cert_san_dns invalid_client_id_from_cert_san_dns
]}, ]},
{ssl_user_with_client_id_in_cert_san_dns_1, [],
[client_id_from_cert_san_dns_1
]},
{ssl_user_with_client_id_in_cert_san_email, [],
[client_id_from_cert_san_email
]},
{ssl_user_with_client_id_in_cert_dn, [], {ssl_user_with_client_id_in_cert_dn, [],
[client_id_from_cert_dn [client_id_from_cert_dn
]}, ]},
@ -206,6 +212,17 @@ mqtt_config(ssl_user_with_client_id_in_cert_san_dns) ->
{allow_anonymous, false}, {allow_anonymous, false},
{ssl_cert_client_id_from, subject_alternative_name}, {ssl_cert_client_id_from, subject_alternative_name},
{ssl_cert_login_san_type, dns}]}; {ssl_cert_login_san_type, dns}]};
mqtt_config(ssl_user_with_client_id_in_cert_san_dns_1) ->
{rabbitmq_mqtt, [{ssl_cert_login, true},
{allow_anonymous, false},
{ssl_cert_client_id_from, subject_alternative_name},
{ssl_cert_login_san_type, dns},
{ssl_cert_login_san_index, 1}]};
mqtt_config(ssl_user_with_client_id_in_cert_san_email) ->
{rabbitmq_mqtt, [{ssl_cert_login, true},
{allow_anonymous, false},
{ssl_cert_client_id_from, subject_alternative_name},
{ssl_cert_login_san_type, email}]};
mqtt_config(ssl_user_with_client_id_in_cert_dn) -> mqtt_config(ssl_user_with_client_id_in_cert_dn) ->
{rabbitmq_mqtt, [{ssl_cert_login, true}, {rabbitmq_mqtt, [{ssl_cert_login, true},
{allow_anonymous, false}, {allow_anonymous, false},
@ -216,6 +233,8 @@ mqtt_config(_) ->
auth_config(T) when T == client_id_propagation; auth_config(T) when T == client_id_propagation;
T == ssl_user_with_client_id_in_cert_san_dns; T == ssl_user_with_client_id_in_cert_san_dns;
T == ssl_user_with_client_id_in_cert_san_dns_1;
T == ssl_user_with_client_id_in_cert_san_email;
T == ssl_user_with_client_id_in_cert_dn -> T == ssl_user_with_client_id_in_cert_dn ->
{rabbit, [ {rabbit, [
{auth_backends, [rabbit_auth_backend_mqtt_mock]} {auth_backends, [rabbit_auth_backend_mqtt_mock]}
@ -316,6 +335,8 @@ init_per_testcase(T, Config)
when T =:= client_id_propagation; when T =:= client_id_propagation;
T =:= invalid_client_id_from_cert_san_dns; T =:= invalid_client_id_from_cert_san_dns;
T =:= client_id_from_cert_san_dns; T =:= client_id_from_cert_san_dns;
T =:= client_id_from_cert_san_dns_1;
T =:= client_id_from_cert_san_email;
T =:= client_id_from_cert_dn -> T =:= client_id_from_cert_dn ->
SetupProcess = setup_rabbit_auth_backend_mqtt_mock(Config), SetupProcess = setup_rabbit_auth_backend_mqtt_mock(Config),
rabbit_ct_helpers:set_config(Config, {mock_setup_process, SetupProcess}); rabbit_ct_helpers:set_config(Config, {mock_setup_process, SetupProcess});
@ -444,6 +465,8 @@ end_per_testcase(T, Config)
when T =:= client_id_propagation; when T =:= client_id_propagation;
T =:= invalid_client_id_from_cert_san_dns; T =:= invalid_client_id_from_cert_san_dns;
T =:= client_id_from_cert_san_dns; T =:= client_id_from_cert_san_dns;
T =:= client_id_from_cert_san_dns_1;
T =:= client_id_from_cert_san_email;
T =:= client_id_from_cert_dn -> T =:= client_id_from_cert_dn ->
SetupProcess = ?config(mock_setup_process, Config), SetupProcess = ?config(mock_setup_process, Config),
SetupProcess ! stop; SetupProcess ! stop;
@ -500,7 +523,31 @@ user_credentials_auth(Config) ->
Config). Config).
client_id_from_cert_san_dns(Config) -> client_id_from_cert_san_dns(Config) ->
ExpectedClientId = <<"rabbit_client_id">>, % Found in the client's certificate as SAN type CLIENT_ID ExpectedClientId = <<"rabbit_client_id">>, % Found in the client's certificate as SAN type DNS
MqttClientId = ExpectedClientId,
{ok, C} = connect_ssl(MqttClientId, Config),
{ok, _} = emqtt:connect(C),
[{authentication, AuthProps}] = rpc(Config, 0,
rabbit_auth_backend_mqtt_mock,
get,
[authentication]),
?assertEqual(ExpectedClientId, proplists:get_value(client_id, AuthProps)),
ok = emqtt:disconnect(C).
client_id_from_cert_san_dns_1(Config) ->
ExpectedClientId = <<"rabbit_client_id_ext">>, % Found in the client's certificate as SAN type DNS
MqttClientId = ExpectedClientId,
{ok, C} = connect_ssl(MqttClientId, Config),
{ok, _} = emqtt:connect(C),
[{authentication, AuthProps}] = rpc(Config, 0,
rabbit_auth_backend_mqtt_mock,
get,
[authentication]),
?assertEqual(ExpectedClientId, proplists:get_value(client_id, AuthProps)),
ok = emqtt:disconnect(C).
client_id_from_cert_san_email(Config) ->
ExpectedClientId = <<"rabbit_client@localhost">>, % Found in the client's certificate as SAN type email
MqttClientId = ExpectedClientId, MqttClientId = ExpectedClientId,
{ok, C} = connect_ssl(MqttClientId, Config), {ok, C} = connect_ssl(MqttClientId, Config),
{ok, _} = emqtt:connect(C), {ok, _} = emqtt:connect(C),