authorIliia Khaprov <i.khaprov@gmail.com>2021-07-21 11:19:22 +0200
committerMichael Klishin <michael@clojurewerkz.org>2021-07-21 14:55:46 +0300
commitaa185353de55972af89674b32a9526ae86fd6bc1 (patch)
treea0c0d035c29014c6620ca9cc7cf2318c2c09c862
parent3e41472535cc1853c3751f7ebd04c1ba4aff18bc (diff)
Merge pull request #3205 from rabbitmq/send-www-authenticate-when-basic-auth-present
Send www-authenticate header when basic auth present but it's wrong (cherry picked from commit 53d67fda1fd44cb844bfe6d3b80f6a1865f66054)
-rw-r--r--deps/rabbitmq_management/src/rabbit_mgmt_util.erl7
-rw-r--r--deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl12
2 files changed, 14 insertions, 5 deletions
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
index dcd6a250ec..78dc4fd38f 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
@@ -280,7 +280,7 @@ is_authorized(ReqData, Context, Username, Password, ErrorMsg, Fun) ->
rabbit_core_metrics:auth_attempt_failed(RemoteAddress, Username, http),
_ = rabbit_log:warning("HTTP access denied: ~s",
[rabbit_misc:format(Msg, Args)]),
- not_authorised(<<"Login failed">>, ReqData, Context)
+ not_authenticated(<<"Login failed">>, ReqData, Context)
end.
vhost_from_headers(ReqData) ->
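Review bot: The failure branch on L26 now returns a `WWW-Authenticate` challenge for every bad-credentials response, which presumably includes 401s produced by XHR calls from the management UI itself; browsers may respond to a 401 carrying a Basic challenge by showing their native login dialog instead of the UI's own form, so that path is worth confirming before release. A comment on L26 such as `%% 401 + WWW-Authenticate: credentials missing or wrong, not merely insufficient` would record why this caller differs from the remaining `not_authorised` callers. The head of is_authorized and the `Msg`/`Args` it logs are outside the hunk.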
@@ -726,7 +726,12 @@ a2b(B) -> B.
bad_request(Reason, ReqData, Context) ->
halt_response(400, bad_request, Reason, ReqData, Context).
+not_authenticated(Reason, ReqData, Context) ->
+ ReqData1 = cowboy_req:set_resp_header(<<"www-authenticate">>, ?AUTH_REALM, ReqData),
+ halt_response(401, not_authorized, Reason, ReqData1, Context).
+
not_authorised(Reason, ReqData, Context) ->
+ %% TODO: consider changing to 403 in 4.0
halt_response(401, not_authorised, Reason, ReqData, Context).
not_found(Reason, ReqData, Context) ->
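Review bot: `not_authenticated` on L34 passes the reason atom `not_authorized` while the sibling `not_authorised` on L38 keeps `not_authorised`; if `halt_response` (defined outside the hunk) renders that atom into the JSON error body, clients that matched on `"not_authorised"` for a bad-credentials 401 now see a different spelling. Use `halt_response(401, not_authorised, Reason, ReqData1, Context)` unless the new reason is intentional, in which case it should be documented as an API change. `?AUTH_REALM` is not visible here; for L33 to emit a valid RFC 7235 challenge it must hold the whole value (`Basic realm="..."`) rather than a bare realm string, which deserves a one-line comment at the call site. The TODO on L37 is right that valid credentials without a management tag are semantically a 403; until then the presence of this header becomes one of the signals that lets a caller tell "wrong password" from "right password, no permission", which matters if the rest of the response does not already distinguish them.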
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
index 08f0a311e8..3deaecee08 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
@@ -409,9 +409,13 @@ assert_percentage(Breakdown0, ExtraMargin) ->
auth_test(Config) ->
http_put(Config, "/users/user", [{password, <<"user">>},
{tags, <<"">>}], {group, '2xx'}),
- test_auth(Config, ?NOT_AUTHORISED, []),
+ EmptyAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, []),
+ ?assertEqual(true, lists:keymember("www-authenticate", 1, EmptyAuthResponseHeaders)),
+ %% NOTE: this one won't have www-authenticate in the response,
+ %% because user/password are ok, tags are not
test_auth(Config, ?NOT_AUTHORISED, [auth_header("user", "user")]),
- test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+ WrongAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+ ?assertEqual(true, lists:keymember("www-authenticate", 1, WrongAuthResponseHeaders)),
test_auth(Config, ?OK, [auth_header("guest", "guest")]),
http_delete(Config, "/users/user", {group, '2xx'}),
passed.
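Review bot: The comment on L51-52 states that the valid-credentials/wrong-tags request carries no `www-authenticate` header, but L53 discards its response headers, so a regression that adds the challenge there would not be caught. Capture and assert the negative: `TagFailHeaders = test_auth(Config, ?NOT_AUTHORISED, [auth_header("user", "user")]),` followed by `?assertEqual(false, lists:keymember("www-authenticate", 1, TagFailHeaders)),`. The two positive checks on L50 and L56 only test presence; asserting the value as well, e.g. `?assertMatch({_, "Basic" ++ _}, lists:keyfind("www-authenticate", 1, WrongAuthResponseHeaders))`, would pin the scheme that clients and browsers key on. The header name is compared as a lowercase string, which presumably relies on the HTTP client normalising header names — worth a comment so the assumption survives a client change.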
@@ -929,8 +933,8 @@ multiple_invalid_connections_test(Config) ->
passed.
test_auth(Config, Code, Headers) ->
- {ok, {{_, Code, _}, _, _}} = req(Config, get, "/overview", Headers),
- passed.
+ {ok, {{_, Code, _}, RespHeaders, _}} = req(Config, get, "/overview", Headers),
+ RespHeaders.
exchanges_test(Config) ->
%% Can list exchanges
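Review bot: `test_auth/3` now serves both as an assertion and as an accessor, but nothing documents that the status check is implicit: `Code` is bound by the caller, so a mismatching status fails the pattern on L65 with `badmatch`. A comment above L62 such as `%% Asserts that GET /overview returns status Code (badmatch otherwise) and returns the response headers for further checks.` would make that contract explicit to the next author who calls it for its return value alone.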