As mentioned in discussion #14426, the way that `cacerts` is handled by
cuttlefish schemas simply will not work if set.
If `cacerts` were set to a string value containing one X509 certificate,
it would eventually result in a crash because the `cacerts` ssl option
must be of [this type](https://www.erlang.org/doc/apps/ssl/ssl.html#t:client_option_cert/0):
```
{cacerts, CACerts :: [public_key:der_encoded()] | [public_key:combined_cert()]}
```
Neither of those are strings, of course.
This PR removes all use of `cacerts` in cuttlefish schemas. In addition,
it filters out `cacerts` and `certs_keys` from being JSON-encoded by an
HTTP API call to `/api/overview`. It _is_ technically possible to set
`cacerts` via `advanced.config`, so, if set, it would crash this API
call, as would `certs_keys`.
See discussion #14244
These changes will allow a user to make an HTTP API request to...
```
/api/ldap/validate/simple-bind
```
...with an appropriate JSON body, and the plugin will attempt a
connection to the specified LDAP server using the provided credentials.
This allows validation that a connection can be made to an LDAP server
from a RabbitMQ cluster environment.
* Add code and tests for `eldap:simple_bind` validation.
* Add support for testing TLS connections to OpenLDAP
* Add support for validating TLS related configuration via `/ldap/validate/simple-bind`
* Add support for various TLS options:
* versions
* depth
* multiple CA cert pem data
* Fall back to system certs if neither `cacertfile` nor `cacerts_pem_data` are provided to the `simple-bind` validation.
* Add `ssl_hostname_verification` support.
* Return 422 when auth fails
* Add more informative information when connection fails
* Add more tests with invalid input
* Catch parsing errors
* Tests for edge-cases for password / user_dn
* Add test for use_ssl + use_starttls combo
* Add test for ssl_options.depth validation
* Add validation tests for server_name_indication
Provides a specific function to fix client ssl options, i.e.: apply all
fixes that are applied for TLS listeneres and clients on previous
versions but also sets `cacerts` option to CA certificates obtained by
`public_key:cacerts_get`, only when no `cacertfile` or `cacerts` are
provided.
The search results record change was done in OTP-25, which is
no longer supported. So we can use the modern search results
record and drop the compatibility clauses.
For more context:
* 8d8847e069
* https://github.com/erlang/otp/pull/5538
We don't need to duplicate so many patterns in so many
files since we have a monorepo (and want to keep it).
If I managed to miss something or remove something that
should stay, please put it back. Note that monorepo-wide
patterns should go in the top-level .gitignore file.
Other .gitignore files are for application or folder-
specific patterns.
In openldap 2.5, `memberOf` seems to be a read-only annotation. Instead
the LDAPWiki recommends adding the user's name to the member attribute
on the relevant group objects:
<https://ldapwiki.com/wiki/Wiki.jsp?page=MemberOf>
We already do that when setting up the group objects, so this annotation
is safe to remove.
Backends return 'never' or the timestamp of the expiry time
of the credentials. Only the OAuth2 backend returns a timestamp,
other RabbitMQ authz backends return 'never'.
Client code uses rabbit_access_control, so it contains now
a new expiry_timestamp/1 function that returns the earliest
expiry time of the underlying backends.
Fixes#10298
Bazel build files are now maintained primarily with `bazel run
gazelle`. This will analyze and merge changes into the build files as
necessitated by certain code changes (e.g. the introduction of new
modules).
In some cases there hints to gazelle in the build files, such as `#
gazelle:erlang...` or `# keep` comments. xref checks on plugins that
depend on the cli are a good example.
Luke Bakken
Michael Klishin
Michal Kuratczyk
Luke Bakken
Aitor Perez
Michael Klishin
Michael Klishin
Lois Soto Lopez
Loïc Hoguin
Michal Kuratczyk
Michael Davis
Rin Kuryloski
Michael Klishin
Arnaud Cogoluègnes
Marcial Rosales
Rin Kuryloski
Alexey Lebedeff
Simon Unge