author | Ilya Khaprov <i.khaprov@gmail.com> | 2021-07-20 21:28:51 +0200 |
---|---|---|
committer | Ilya Khaprov <i.khaprov@gmail.com> | 2021-07-20 21:44:36 +0200 |
commit | 39693cfb07fc77c017bfdded729354c6e6830365 (patch) | |
tree | 18d4fe9a45348596d6adbc9756e04075bcb8c7d3 | |
parent | 5c3f456131558e1c0c11e862c5ea96dbcb19bb85 (diff) | |
download | rabbitmq-server-git-39693cfb07fc77c017bfdded729354c6e6830365.tar.gz |
Send www-authenticate header when basic auth present but it's wrong
close #3181
-rw-r--r-- | deps/rabbitmq_management/src/rabbit_mgmt_util.erl | 7 | ||||
-rw-r--r-- | deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl | 12 |
2 files changed, 14 insertions, 5 deletions
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
index ce24035719..97f7a01b7b 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
@@ -290,7 +290,7 @@ is_authorized(ReqData, Context, Username, Password, ErrorMsg, Fun) ->
             rabbit_core_metrics:auth_attempt_failed(RemoteAddress, Username, http),
             rabbit_log:warning("HTTP access denied: ~s", [rabbit_misc:format(Msg, Args)]),
-            not_authorised(<<"Login failed">>, ReqData, Context)
+            not_authenticated(<<"Login failed">>, ReqData, Context)
     end.
 
 vhost_from_headers(ReqData) ->
@@ -736,7 +736,12 @@ a2b(B) -> B.
 bad_request(Reason, ReqData, Context) ->
     halt_response(400, bad_request, Reason, ReqData, Context).
 
+not_authenticated(Reason, ReqData, Context) ->
+    ReqData1 = cowboy_req:set_resp_header(<<"www-authenticate">>, ?AUTH_REALM, ReqData),
+    halt_response(401, not_authorized, Reason, ReqData1, Context).
+
 not_authorised(Reason, ReqData, Context) ->
+    %% TODO: consider changing to 403 in 4.0
     halt_response(401, not_authorised, Reason, ReqData, Context).
 
 not_found(Reason, ReqData, Context) ->
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
index 988bebaa88..6624ffba12 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
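Review bot: The reason atom handed to halt_response in the new not_authenticated/3 is `not_authorized`, while the sibling not_authorised/3 directly below it passes `not_authorised`; if halt_response serialises that atom into the error body, as its use by bad_request/3 suggests, clients that match the error field of a failed-login response now see a differently spelled value than before this commit. Unless the new spelling is deliberate, keep the existing one so only the header changes: `halt_response(401, not_authorised, Reason, ReqData1, Context).` The header value comes from the `?AUTH_REALM` macro, which is not visible in this diff; a one-line comment above the function saying whether it holds the complete challenge (scheme and realm) or only the realm name would help, because cowboy_req:set_resp_header writes the value verbatim. Issuing the challenge only for credential failures here and not for the tag check in not_authorised/3 is the right split; the is_authorized/6 body that calls this function starts outside the first hunk.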
@@ -415,9 +415,13 @@ assert_percentage(Breakdown0, ExtraMargin) ->
 auth_test(Config) ->
     http_put(Config, "/users/user", [{password, <<"user">>}, {tags, <<"">>}], {group, '2xx'}),
-    test_auth(Config, ?NOT_AUTHORISED, []),
+    EmptyAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, []),
+    ?assertEqual(true, lists:keymember("www-authenticate", 1, EmptyAuthResponseHeaders)),
+    %% NOTE: this one won't have www-authenticate in the response,
+    %% because user/password are ok, tags are not
     test_auth(Config, ?NOT_AUTHORISED, [auth_header("user", "user")]),
-    test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+    WrongAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+    ?assertEqual(true, lists:keymember("www-authenticate", 1, WrongAuthResponseHeaders)),
     test_auth(Config, ?OK, [auth_header("guest", "guest")]),
     http_delete(Config, "/users/user", {group, '2xx'}),
     passed.
@@ -935,8 +939,8 @@ multiple_invalid_connections_test(Config) ->
     passed.
 
 test_auth(Config, Code, Headers) ->
-    {ok, {{_, Code, _}, _, _}} = req(Config, get, "/overview", Headers),
-    passed.
+    {ok, {{_, Code, _}, RespHeaders, _}} = req(Config, get, "/overview", Headers),
+    RespHeaders.
 
 exchanges_test(Config) ->
     %% Can list exchanges
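Review bot: The NOTE above the user/user call in auth_test/1 states that this response will not carry www-authenticate, but nothing asserts it, so a regression that starts challenging on a tag (authorisation) failure would pass this test unnoticed. Since test_auth/3 now returns the response headers, bind them and check for absence: `TagsOnlyResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, [auth_header("user", "user")]),` followed by `?assertEqual(false, lists:keymember("www-authenticate", 1, TagsOnlyResponseHeaders)),`. The two positive checks only verify that the header is present; asserting its value against the configured realm would also pin the challenge contents, though the expected value is not visible in this diff.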