author | Iliia Khaprov <i.khaprov@gmail.com> | 2021-07-21 11:19:22 +0200 |
---|---|---|
committer | Michael Klishin <michael@clojurewerkz.org> | 2021-07-21 14:55:46 +0300 |
commit | aa185353de55972af89674b32a9526ae86fd6bc1 (patch) | |
tree | a0c0d035c29014c6620ca9cc7cf2318c2c09c862 | |
parent | 3e41472535cc1853c3751f7ebd04c1ba4aff18bc (diff) | |
Merge pull request #3205 from rabbitmq/send-www-authenticate-when-basic-auth-present
Send www-authenticate header when basic auth is present but the credentials are wrong
(cherry picked from commit 53d67fda1fd44cb844bfe6d3b80f6a1865f66054)
-rw-r--r-- | deps/rabbitmq_management/src/rabbit_mgmt_util.erl | 7 | ||||
-rw-r--r-- | deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl | 12 |
2 files changed, 14 insertions, 5 deletions
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
index dcd6a250ec..78dc4fd38f 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
@@ -280,7 +280,7 @@ is_authorized(ReqData, Context, Username, Password, ErrorMsg, Fun) ->
             rabbit_core_metrics:auth_attempt_failed(RemoteAddress, Username, http),
             _ = rabbit_log:warning("HTTP access denied: ~s", [rabbit_misc:format(Msg, Args)]),
-            not_authorised(<<"Login failed">>, ReqData, Context)
+            not_authenticated(<<"Login failed">>, ReqData, Context)
     end.
 
 vhost_from_headers(ReqData) ->
@@ -726,7 +726,12 @@ a2b(B) -> B.
 bad_request(Reason, ReqData, Context) ->
     halt_response(400, bad_request, Reason, ReqData, Context).
 
+not_authenticated(Reason, ReqData, Context) ->
+    ReqData1 = cowboy_req:set_resp_header(<<"www-authenticate">>, ?AUTH_REALM, ReqData),
+    halt_response(401, not_authorized, Reason, ReqData1, Context).
+
 not_authorised(Reason, ReqData, Context) ->
+    %% TODO: consider changing to 403 in 4.0
     halt_response(401, not_authorised, Reason, ReqData, Context).
 
 not_found(Reason, ReqData, Context) ->
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
index 08f0a311e8..3deaecee08 100644
--- a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
+++ b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
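Review bot: The new `not_authenticated/3` passes the atom `not_authorized` to `halt_response/5`, while its sibling `not_authorised/3` (and the `not_authorised` call this commit replaces in `is_authorized/6`) uses the British spelling `not_authorised`; if `halt_response` renders its second argument into the response body, as the `bad_request` case beside it suggests, the `Login failed` response would silently change its error string for any client that matches on it. Suggest `halt_response(401, not_authorised, Reason, ReqData1, Context).` unless the rename is intentional, in which case it deserves a mention in the commit message. Separately, `not_authorised/3` still answers 401 with no `WWW-Authenticate` header, which RFC 7235 §3.1 requires on every 401; the TODO already records the plan to move to 403, so a line above it such as `%% NOTE: a 401 without WWW-Authenticate is non-compliant (RFC 7235 §3.1); 403 is the right status for "authenticated but not permitted"` would explain why the header is deliberately absent on this path. A one-line doc comment on `not_authenticated/3`, e.g. `%% 401 with a Basic challenge: credentials were missing or rejected.`, would make the distinction between the two helpers clear at the call site.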
@@ -409,9 +409,13 @@ assert_percentage(Breakdown0, ExtraMargin) ->
 auth_test(Config) ->
     http_put(Config, "/users/user", [{password, <<"user">>}, {tags, <<"">>}], {group, '2xx'}),
-    test_auth(Config, ?NOT_AUTHORISED, []),
+    EmptyAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, []),
+    ?assertEqual(true, lists:keymember("www-authenticate", 1, EmptyAuthResponseHeaders)),
+    %% NOTE: this one won't have www-authenticate in the response,
+    %% because user/password are ok, tags are not
     test_auth(Config, ?NOT_AUTHORISED, [auth_header("user", "user")]),
-    test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+    WrongAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, [auth_header("guest", "gust")]),
+    ?assertEqual(true, lists:keymember("www-authenticate", 1, WrongAuthResponseHeaders)),
     test_auth(Config, ?OK, [auth_header("guest", "guest")]),
     http_delete(Config, "/users/user", {group, '2xx'}),
     passed.
@@ -929,8 +933,8 @@ multiple_invalid_connections_test(Config) ->
     passed.
 
 test_auth(Config, Code, Headers) ->
-    {ok, {{_, Code, _}, _, _}} = req(Config, get, "/overview", Headers),
-    passed.
+    {ok, {{_, Code, _}, RespHeaders, _}} = req(Config, get, "/overview", Headers),
+    RespHeaders.
 
 exchanges_test(Config) ->
     %% Can list exchanges |
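Review bot: The `%% NOTE` comment above the `auth_header("user", "user")` call states that the wrong-tags response carries no `www-authenticate` header, but nothing asserts it, so the distinction this commit draws between rejected credentials and a rejected user is only half-tested; capture that call's result too and check the negative, e.g. `TagsAuthResponseHeaders = test_auth(Config, ?NOT_AUTHORISED, [auth_header("user", "user")]),` followed by `?assertNot(lists:keymember("www-authenticate", 1, TagsAuthResponseHeaders)),`. The two positive checks only prove the header exists; asserting on its value would also catch an empty or malformed challenge, e.g. `?assertMatch({_, "Basic " ++ _}, lists:keyfind("www-authenticate", 1, WrongAuthResponseHeaders)),` assuming `?AUTH_REALM` expands to a Basic challenge, which is not visible here. As a point of style, `?assertEqual(true, Expr)` reads more naturally as `?assert(Expr)`.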