authorIliia Khaprov <i.khaprov@gmail.com>2021-07-21 11:19:22 +0200
committerGitHub <noreply@github.com>2021-07-21 11:19:22 +0200
commit53d67fda1fd44cb844bfe6d3b80f6a1865f66054 (patch)
treece13ee712cb33abd9692511ec730d519079d26c1
parentf38c023aa8afdae2ae6cdf1e6ae24f009a8f0337 (diff)
parent39693cfb07fc77c017bfdded729354c6e6830365 (diff)
downloadrabbitmq-server-git-53d67fda1fd44cb844bfe6d3b80f6a1865f66054.tar.gz
Merge pull request #3205 from rabbitmq/send-www-authenticate-when-basic-auth-present
Send www-authenticate header when basic auth present but it's wrong
-rw-r--r--deps/rabbitmq_management/src/rabbit_mgmt_util.erl7
-rw-r--r--deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl12
2 files changed, 14 insertions, 5 deletions
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
index ce24035719..97f7a01b7b 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
@@ -290,7 +290,7 @@ is_authorized(ReqData, Context, Username, Password, ErrorMsg, Fun) ->
rabbit_core_metrics:auth_attempt_failed(RemoteAddress, Username, http),
rabbit_log:warning("HTTP access denied: ~s",
[rabbit_misc:format(Msg, Args)]),
- not_authorised(<<"Login failed">>, ReqData, Context)
+ not_authenticated(<<"Login failed">>, ReqData, Context)
end.
vhost_from_headers(ReqData) ->
@@ -736,7 +736,12 @@ a2b(B) -> B.
bad_request(Reason, ReqData, Context) ->
halt_response(400, bad_request, Reason, ReqData, Context).
+not_authenticated(Reason, ReqData, Context) ->
+ ReqData1 = cowboy_req:set_resp_header(<<"www-authenticate">>, ?AUTH_REALM, ReqData),
+ halt_response(401, not_authorized, Reason, ReqData1, Context).
+
not_authorised(Reason, ReqData, Context) ->
+ %% TODO: consider changing to 403 in 4.0
halt_response(401, not_authorised, Reason, ReqData, Context).
not_found(Reason, ReqData, Context) ->
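Review bot: The reason atom the new `not_authenticated/3` hands to `halt_response/5` is `not_authorized`, while the sibling `not_authorised/3` right below it (and the `is_authorized/6` path the first hunk redirects to the new helper) keep `not_authorised`; if `halt_response/5` serialises that atom into the JSON error body, clients matching on the `"not_authorised"` string for a failed login will now see a differently spelled value. Either pass `not_authorised` here too, or make the renaming deliberate and call it out in the commit message. The helper also carries no comment or `-spec` explaining how it differs from `not_authorised/3`; a header such as `%% 401 with a WWW-Authenticate challenge: credentials were missing or wrong, unlike not_authorised/3, which answers a valid login that lacks permission.` would document the split the test hunk depends on. The `?AUTH_REALM` value the header is set to is not visible here, so whether it is a complete `Basic realm=...` challenge cannot be checked from this hunk. `is_authorized/6` begins and ends outside the first hunk.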
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
index 988bebaa88..6624ffba12 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
@@ -415,9 +415,13 @@ assert_percentage(Breakdown0, ExtraMargin) ->
auth_test(Config) ->
http_put(Config, "/users/user", [{password, <<"user">>},
{tags, <<"">>}], {group, '2xx'}),
- test_auth(Config, ?NOT_AUTHORISED, []),
+ EmptyAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, []),
+ ?assertEqual(true, lists:keymember("www-authenticate", 1, EmptyAuthResponseHeaders)),
+ %% NOTE: this one won't have www-authenticate in the response,
+ %% because user/password are ok, tags are not
test_auth(Config, ?NOT_AUTHORISED, [auth_header("user", "user")]),
- test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+ WrongAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+ ?assertEqual(true, lists:keymember("www-authenticate", 1, WrongAuthResponseHeaders)),
test_auth(Config, ?OK, [auth_header("guest", "guest")]),
http_delete(Config, "/users/user", {group, '2xx'}),
passed.
@@ -935,8 +939,8 @@ multiple_invalid_connections_test(Config) ->
passed.
test_auth(Config, Code, Headers) ->
- {ok, {{_, Code, _}, _, _}} = req(Config, get, "/overview", Headers),
- passed.
+ {ok, {{_, Code, _}, RespHeaders, _}} = req(Config, get, "/overview", Headers),
+ RespHeaders.
exchanges_test(Config) ->
%% Can list exchanges
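Review bot: The note added in `auth_test/1` stating that the `user`/`user` request will not carry `www-authenticate` is not backed by an assertion, so a regression that starts sending the challenge on permission failures would still pass this suite; binding that call's headers and adding `?assertNot(lists:keymember("www-authenticate", 1, TagsOnlyHeaders))` would pin the distinction this commit draws between a bad login and a valid login without the required tag. The two new `?assertEqual(true, lists:keymember(...))` checks read more directly as `?assert(lists:keymember("www-authenticate", 1, EmptyAuthResponseHeaders))`. `test_auth/3` in the last hunk now returns the response headers instead of `passed`, so any caller outside these hunks that matched `passed = test_auth(...)` would now fail with a `badmatch` and is worth checking for.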