author | Michael Klishin <klishinm@vmware.com> | 2022-11-13 16:24:55 +0400 |
committer | GitHub <noreply@github.com> | 2022-11-13 16:24:55 +0400 |
commit | 86c71a6cfe0ba8a8004e17a0b5090c3c605a2071 (patch) | |
tree | 274ee9c7c040094e64b60c9a7b3e586d157d2b34 | |
parent | 4e343ed0207ad7aa587ee2a328e1cd587d9fae6f (diff) | |
parent | 06131e2eded63a3c6916465914cfb051be4d5c5c (diff) | |
Merge pull request #6415 from rabbitmq/mergify/bp/v3.11.x/pr-6397
#4842: obfuscate a sensitive field in authenticated user state (backport #6397)
7 files changed, 34 insertions, 30 deletions
diff --git a/deps/rabbit/src/rabbit_auth_backend_internal.erl b/deps/rabbit/src/rabbit_auth_backend_internal.erl
index 65c6b2c03f..0b214d371f 100644
--- a/deps/rabbit/src/rabbit_auth_backend_internal.erl
+++ b/deps/rabbit/src/rabbit_auth_backend_internal.erl
@@ -111,7 +111,7 @@ internal_check_user_login(Username, Fun) ->
 case Fun(User) of
 true -> {ok, #auth_user{username = Username,
 tags = Tags,
- impl = none}};
+ impl = fun() -> none end}};
 _ -> Refused
 end;
 {error, not_found} ->
diff --git a/deps/rabbitmq_auth_backend_cache/test/rabbit_auth_backend_cache_SUITE.erl b/deps/rabbitmq_auth_backend_cache/test/rabbit_auth_backend_cache_SUITE.erl
index 42a6893ee9..0d2f79a4df 100644
--- a/deps/rabbitmq_auth_backend_cache/test/rabbit_auth_backend_cache_SUITE.erl
+++ b/deps/rabbitmq_auth_backend_cache/test/rabbit_auth_backend_cache_SUITE.erl
@@ -64,6 +64,7 @@ authentication_response(Config) ->
 authorization_response(Config) ->
 AuthProps = [{password, <<"guest">>}],
 {ok, #auth_user{impl = Impl, tags = Tags}} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, AuthProps]),
+ true = is_function(Impl),
 {ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"guest">>, AuthProps]),
 {ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_cache, user_login_authorization, [<<"guest">>, AuthProps]),
 {refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"nonguest">>, AuthProps]),
@@ -163,7 +164,3 @@ cache_expiration_topic(Config) ->
 rpc(Config, M, F, A) ->
 rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).
-
-
-
-
diff --git a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
index d59e79dc95..1e1bf0e2ec 100644
--- a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
+++ b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
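Review bot: The new `impl = fun() -> none end` in internal_check_user_login changes the shape of `#auth_user.impl` from a plain term to a 0-arity fun, and nothing at this site says why a fun now wraps a value that holds nothing sensitive. A short comment would keep a future cleanup from reverting it: `%% impl is always a 0-arity fun: callers invoke it, and the wrapper keeps backend-private data (credentials or tokens in other backends) out of ~p-formatted #auth_user output.` Any code outside this diff that still matches on `impl = none` will no longer match, which I cannot verify from these hunks. internal_check_user_login starts before the hunk.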
@@ -40,7 +40,7 @@ user_login_authentication(Username, AuthProps) ->
 T <- string:tokens(Rest, " ")],
 {ok, #auth_user{username = Username,
 tags = Tags,
- impl = none}};
+ impl = fun() -> none end}};
 Other -> {error, {bad_response, Other}}
 end.
diff --git a/deps/rabbitmq_auth_backend_http/test/auth_SUITE.erl b/deps/rabbitmq_auth_backend_http/test/auth_SUITE.erl
index 7b326b72c8..668e2bbf4c 100644
--- a/deps/rabbitmq_auth_backend_http/test/auth_SUITE.erl
+++ b/deps/rabbitmq_auth_backend_http/test/auth_SUITE.erl
@@ -38,8 +38,9 @@ end_per_suite(_Config) ->
 grants_access_to_user(Config) ->
 #{username := U, password := P, tags := T} = ?config(allowed_user, Config),
- ?assertMatch({ok, #auth_user{username = U, tags = T}},
- rabbit_auth_backend_http:user_login_authentication(U, [{password, P}])).
+ {ok, User} = rabbit_auth_backend_http:user_login_authentication(U, [{password, P}]),
+ ?assertMatch({U, T, none},
+ {User#auth_user.username, User#auth_user.tags, (User#auth_user.impl)()}).
 denies_access_to_user(Config) ->
 #{username := U, password := P} = ?config(denied_user, Config),
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
index afc28ce28b..74cc96101b 100644
--- a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
+++ b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@@ -88,8 +88,9 @@ user_login_authorization(Username, AuthProps) ->
 end.
 check_vhost_access(User = #auth_user{username = Username,
- impl = #impl{user_dn = UserDN}},
+ impl = ImplFun},
 VHost, AuthzData) ->
+ UserDN = (ImplFun())#impl.user_dn,
 OptionsArgs = context_as_options(AuthzData, undefined),
 ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
 Args = [{username, Username},
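Review bot: `UserDN = (ImplFun())#impl.user_dn,` is added here in check_vhost_access and repeated in check_resource_access, check_topic_access and both evaluate0 in_group clauses in the following hunks; a one-line accessor keeps the unwrapping in one place, `user_dn(#auth_user{impl = ImplFun}) -> (ImplFun())#impl.user_dn.`, with each site becoming `UserDN = user_dn(User),`. Dropping the `#impl{}` match from the function head also changes the failure mode: an `#auth_user` whose fun returns something other than an `#impl{}` record (the internal and HTTP backends in this same commit return `none`) now fails with a badrecord error inside the body rather than function_clause at the head, which is a less descriptive error report if such a user ever reaches this backend. The bodies of these functions continue past the hunk.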
@@ -104,10 +105,11 @@ check_vhost_access(User = #auth_user{username = Username,
 R1.
 check_resource_access(User = #auth_user{username = Username,
- impl = #impl{user_dn = UserDN}},
+ impl = ImplFun},
 #resource{virtual_host = VHost, kind = Type, name = Name},
 Permission, AuthzContext) ->
+ UserDN = (ImplFun())#impl.user_dn,
 OptionsArgs = context_as_options(AuthzContext, undefined),
 ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
 Args = [{username, Username},
@@ -125,10 +127,11 @@ check_resource_access(User = #auth_user{username = Username,
 R1.
 check_topic_access(User = #auth_user{username = Username,
- impl = #impl{user_dn = UserDN}},
+ impl = ImplFun},
 #resource{virtual_host = VHost, kind = topic = Resource, name = Name},
 Permission, Context) ->
+ UserDN = (ImplFun())#impl.user_dn,
 OptionsArgs = context_as_options(Context, undefined),
 ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
 Args = [{username, Username},
@@ -220,7 +223,8 @@ evaluate0({in_group, DNPattern}, Args, User, LDAP) ->
 evaluate({in_group, DNPattern, "member"}, Args, User, LDAP);
 evaluate0({in_group, DNPattern, Desc}, Args,
- #auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
+ #auth_user{impl = ImplFun}, LDAP) ->
+ UserDN = (ImplFun())#impl.user_dn,
 Filter = eldap:equalityMatch(Desc, UserDN),
 DN = fill(DNPattern, Args),
 R = object_exists(DN, Filter, LDAP),
@@ -234,7 +238,7 @@ evaluate0({in_group_nested, DNPattern, Desc}, Args, User, LDAP) ->
 evaluate({in_group_nested, DNPattern, Desc, subtree}, Args, User, LDAP);
 evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
- #auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
+ #auth_user{impl = ImplFun}, LDAP) ->
 GroupsBase = case env(group_lookup_base) of
 none -> get_expected_env_str(dn_lookup_base, none);
@@ -250,6 +254,7 @@ evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
 onelevel -> eldap:singleLevel();
 one_level -> eldap:singleLevel()
 end,
+ UserDN = (ImplFun())#impl.user_dn,
 search_nested_group(LDAP, Desc, GroupsBase, EldapScope, UserDN, GroupDN, []);
 evaluate0({'not', SubQuery}, Args, User, LDAP) ->
@@ -786,8 +791,9 @@ do_login(Username, PrebindUserDN, Password, VHost, LDAP) ->
 _ -> PrebindUserDN
 end,
 User = #auth_user{username = Username,
- impl = #impl{user_dn = UserDN,
- password = Password}},
+ impl = fun() -> #impl{user_dn = UserDN,
+ password = Password}
+ end},
 DTQ = fun (LDAPn) -> do_tag_queries(Username, UserDN, User, VHost, LDAPn) end,
 TagRes = case env(other_bind) of
 as_user -> DTQ(LDAP);
@@ -882,7 +888,8 @@ creds(User) -> creds(User, env(other_bind)).
 creds(none, as_user) ->
 {error, "'other_bind' set to 'as_user' but no password supplied"};
-creds(#auth_user{impl = #impl{user_dn = UserDN, password = PW}}, as_user) ->
+creds(#auth_user{impl = ImplFun}, as_user) ->
+ #impl{user_dn = UserDN, password = PW} = ImplFun(),
 {ok, {UserDN, PW}};
 creds(_, Creds) ->
 {ok, Creds}.
diff --git a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl
index 2fa2fea3a9..d59cb2f25e 100644
--- a/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl
+++ b/deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl
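Review bot: The fun built in do_login still captures `Password` in its closure environment, so the change keeps the bind password out of `~p`-formatted `#auth_user` values and log lines built from them, but not out of a process heap or crash dump, and `erlang:fun_info/2` can still return the captured terms; the commit title calls this obfuscation and the code should say so at the site. Suggested comment above the `impl = fun() -> #impl{...}` binding: `%% Wrapped in a fun so the #impl{} (and the bind password in it) is not printed when an #auth_user is logged or formatted with ~p; the closure still holds the password, so this is obfuscation, not redaction.` The `DTQ` and `TagRes` lines below keep passing `UserDN` and `User` unchanged, and do_login continues outside the hunk.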
@@ -457,10 +457,10 @@ topic_authorisation_consumption(Config) ->
 topic_authorisation_consumption1(Config) ->
 %% we can't use the LDAP backend record here, falling back to simple tuples
 Alice = {auth_user,<<"Alice">>, [monitor],
- {impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>}
+ fun() -> {impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>} end
 },
 Bob = {auth_user,<<"Bob">>, [monitor],
- {impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>}
+ fun() -> {impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>} end
 },
 Resource = #resource{virtual_host = <<"/">>, name = <<"amq.topic">>, kind = topic},
 Context = #{routing_key => <<"a.b">>,
@@ -946,4 +946,3 @@ expand_options(As, Bs) ->
 false -> [A | R]
 end
 end, Bs, As).
-
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
index ee6f144ceb..7b4809fbd4 100644
--- a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
@@ -74,29 +74,29 @@ user_login_authorization(Username, AuthProps) ->
 Else -> Else
 end.
-check_vhost_access(#auth_user{impl = DecodedToken},
+check_vhost_access(#auth_user{impl = DecodedTokenFun},
 VHost, _AuthzData) ->
- with_decoded_token(DecodedToken,
+ with_decoded_token(DecodedTokenFun(),
 fun() ->
- Scopes = get_scopes(DecodedToken),
+ Scopes = get_scopes(DecodedTokenFun()),
 ScopeString = rabbit_oauth2_scope:concat_scopes(Scopes, ","),
 rabbit_log:debug("Matching virtual host '~s' against the following scopes: ~s", [VHost, ScopeString]),
 rabbit_oauth2_scope:vhost_access(VHost, Scopes)
 end).
-check_resource_access(#auth_user{impl = DecodedToken},
+check_resource_access(#auth_user{impl = DecodedTokenFun},
 Resource, Permission, _AuthzContext) ->
- with_decoded_token(DecodedToken,
+ with_decoded_token(DecodedTokenFun(),
 fun() ->
- Scopes = get_scopes(DecodedToken),
+ Scopes = get_scopes(DecodedTokenFun()),
 rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
 end).
-check_topic_access(#auth_user{impl = DecodedToken},
+check_topic_access(#auth_user{impl = DecodedTokenFun},
 Resource, Permission, Context) ->
- with_decoded_token(DecodedToken,
+ with_decoded_token(DecodedTokenFun(),
 fun() ->
- Scopes = get_scopes(DecodedToken),
+ Scopes = get_scopes(DecodedTokenFun()),
 rabbit_oauth2_scope:topic_access(Resource, Permission, Context, Scopes)
 end).
@@ -114,7 +114,7 @@ update_state(AuthUser, NewToken) ->
 Tags = tags_from(DecodedToken),
 {ok, AuthUser#auth_user{tags = Tags,
- impl = DecodedToken}}
+ impl = fun() -> DecodedToken end}}
 end.
 %%--------------------------------------------------------------------
@@ -136,7 +136,7 @@ authenticate(Username0, AuthProps0) ->
 {ok, #auth_user{username = Username,
 tags = Tags,
- impl = DecodedToken}}
+ impl = fun() -> DecodedToken end}}
 end,
 case with_decoded_token(DecodedToken, Func) of
 {error, Err} -> |
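Review bot: `DecodedTokenFun()` is invoked twice in each of check_vhost_access, check_resource_access and check_topic_access, once as the argument to with_decoded_token and again inside the inner fun for get_scopes; binding the result once at the top of each body reads better and makes it explicit that both uses see the same token: `DecodedToken = DecodedTokenFun(),` followed by `with_decoded_token(DecodedToken, fun() -> Scopes = get_scopes(DecodedToken), ... end)`. The three check functions are complete within the hunk, while the `user_login_authorization` clause it opens on ends at the `end.` line and `authenticate` in the last hunk continues past it.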