author | Simon MacMullen <simon@rabbitmq.com> | 2010-11-19 17:00:35 +0000 |
---|---|---|
committer | Simon MacMullen <simon@rabbitmq.com> | 2010-11-19 17:00:35 +0000 |
commit | 6d8b9ac51ff4f6923d7b17fc75fbb7b54414bb70 (patch) | |
tree | 1e3317afafd92777bbb25cedb83308610376c919 | |
parent | 7172d72bd99ef56d3eae0a1b3e34f03ed070be07 (diff) | |
download | rabbitmq-server-6d8b9ac51ff4f6923d7b17fc75fbb7b54414bb70.tar.gz |
Increase the amount of correctness
-rw-r--r-- | include/rabbit.hrl | 6 | ||||
-rw-r--r-- | src/rabbit_access_control.erl | 49 | ||||
-rw-r--r-- | src/rabbit_auth_backend.erl | 6 | ||||
-rw-r--r-- | src/rabbit_auth_backend_internal.erl | 29 |
4 files changed, 49 insertions, 41 deletions
diff --git a/include/rabbit.hrl b/include/rabbit.hrl
index b4f348a2..7dda9211 100644
--- a/include/rabbit.hrl
+++ b/include/rabbit.hrl
@@ -29,7 +29,11 @@
 %% Contributor(s): ______________________________________. %% --record(user, {username, is_admin, auth_backend, impl}). +-record(user, {username, + is_admin, + auth_backend, %% Module this user came from + impl %% Scratch space for that module + }). %% TODO mnesia-upgrade this -record(internal_user, {username, password_hash, is_admin}).
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index c380e6a2..f419ec11 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -117,9 +117,10 @@ check_user_pass_login(Username, Password) ->
 {ok, User} end, {refused, Username}, Modules). -check_vhost_access(User = #user{username = Username}, VHostPath) -> +check_vhost_access(User = #user{ username = Username, + auth_backend = Module }, VHostPath) -> ?LOGDEBUG("Checking VHost access for ~p to ~p~n", [Username, VHostPath]), - case internal_lookup_vhost_access(User, VHostPath) of + case Module:check_vhost_access(User, VHostPath) of ok -> ok; not_found -> 
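Review bot: The new `case Module:check_vhost_access(User, VHostPath) of` accepts only `ok` and `not_found`, so a backend returning any other term fails with `case_clause` in the caller instead of being reported as refused access; that is fine under let-it-crash, but the result shape is now part of the behaviour's contract and nothing in this commit states it, and the resource callback in the next hunk uses `true | false` rather than `ok | not_found`, so the two callbacks follow different conventions. As a point of style, the new head `#user{ username = Username, auth_backend = Module }` pads the braces while the `check_resource_access` head written in the same commit uses `#user{username = Username, auth_backend = Module}`; one form should be used throughout. The body of `check_vhost_access` continues beyond the end of this hunk.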
@@ -128,43 +129,17 @@ check_vhost_access(User = #user{username = Username}, VHostPath) ->
 [VHostPath, Username]) end. -internal_lookup_vhost_access(User, VHostPath) -> - rabbit_auth_backend_internal:check_vhost_access(User, VHostPath). - -permission_index(configure) -> #permission.configure; -permission_index(write) -> #permission.write; -permission_index(read) -> #permission.read. - -check_resource_access(User, - R = #resource{kind = exchange, name = <<"">>}, +check_resource_access(User, R = #resource{kind = exchange, name = <<"">>}, Permission) -> - check_resource_access(User, - R#resource{name = <<"amq.default">>}, + check_resource_access(User, R#resource{name = <<"amq.default">>}, Permission); -check_resource_access(_User = #user{username = Username}, - R = #resource{virtual_host = VHostPath, name = Name}, - Permission) -> - Res = case mnesia:dirty_read({rabbit_user_permission, - #user_vhost{username = Username, - virtual_host = VHostPath}}) of - [] -> - false; - [#user_permission{permission = P}] -> - PermRegexp = - case element(permission_index(Permission), P) of - %% <<"^$">> breaks Emacs' erlang mode - <<"">> -> <<$^, $$>>; - RE -> RE - end, - case re:run(Name, PermRegexp, [{capture, none}]) of - match -> true; - nomatch -> false - end - end, - if Res -> ok; - true -> rabbit_misc:protocol_error( - access_refused, "access to ~s refused for user '~s'", - [rabbit_misc:rs(R), Username]) +check_resource_access(User = #user{username = Username, auth_backend = Module}, + Resource, Permission) -> + case Module:check_resource_access(User, Resource, Permission) of + true -> ok; + false -> rabbit_misc:protocol_error( + access_refused, "access to ~s refused for user '~s'", + [rabbit_misc:rs(Resource), Username]) end. %%----------------------------------------------------------------------------
diff --git a/src/rabbit_auth_backend.erl b/src/rabbit_auth_backend.erl
index f2ff98a6..bafa0695 100644
--- a/src/rabbit_auth_backend.erl
+++ b/src/rabbit_auth_backend.erl
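Review bot: The first `check_resource_access` clause still rewrites an exchange named `<<"">>` to `<<"amq.default">>` before the second clause dispatches to `Module:check_resource_access/3`, so a backend is never asked about the empty exchange name; now that the check lives behind a pluggable module this is a rule backend authors need and nothing records it. A comment on that clause would do: `%% The default exchange is checked under its canonical name, so backends never see <<"">>.` The `Resource` record is otherwise passed through untouched, which is worth saying in the same comment so backends know they receive the `#resource{}` as the channel built it.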
@@ -35,13 +35,15 @@ behaviour_info(callbacks) -> [ - %% A description. + %% A description (TODO should this be here if we're not using registry?). {description, 0}, %% TODO should we abstract out username / password? {check_user_pass_login, 2}, - {check_vhost_access, 2} + {check_vhost_access, 2}, + + {check_resource_access, 3} ]; behaviour_info(_Other) -> undefined.
diff --git a/src/rabbit_auth_backend_internal.erl b/src/rabbit_auth_backend_internal.erl
index 4cdeaef8..4be7d11e 100644
--- a/src/rabbit_auth_backend_internal.erl
+++ b/src/rabbit_auth_backend_internal.erl
@@ -34,7 +34,9 @@ -behaviour(rabbit_auth_backend). --export([description/0, check_user_pass_login/2, check_vhost_access/2]). +-export([description/0]). +-export([check_user_pass_login/2, check_vhost_access/2, + check_resource_access/3]). %%-include("rabbit_auth_backend_spec.hrl").
@@ -69,3 +71,28 @@ check_vhost_access(#user{username = Username}, VHostPath) ->
 [_R] -> ok
 end
 end).
+
+check_resource_access(#user{username = Username},
+ #resource{virtual_host = VHostPath, name = Name},
+ Permission) ->
+ case mnesia:dirty_read({rabbit_user_permission,
+ #user_vhost{username = Username,
+ virtual_host = VHostPath}}) of
+ [] ->
+ false;
+ [#user_permission{permission = P}] ->
+ PermRegexp =
+ case element(permission_index(Permission), P) of
+ %% <<"^$">> breaks Emacs' erlang mode
+ <<"">> -> <<$^, $$>>;
+ RE -> RE
+ end,
+ case re:run(Name, PermRegexp, [{capture, none}]) of
+ match -> true;
+ nomatch -> false
+ end
+ end.
+
+permission_index(configure) -> #permission.configure;
+permission_index(write) -> #permission.write;
+permission_index(read) -> #permission.read. |
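Review bot: The added `{check_resource_access, 3}` entry, like the two callbacks before it, is listed with no description of its arguments or return value, yet the callers introduced in this commit depend on exact returns: rabbit_access_control matches `ok | not_found` from `check_vhost_access/2` and `true | false` from `check_resource_access/3`, and anything else raises `case_clause` there. `behaviour_info/1` cannot carry specs, so a comment per entry is the only place to record this; something like `%% check_vhost_access(User, VHostPath) -> ok | not_found` and `%% check_resource_access(User, Resource, Permission) -> true | false` next to the respective tuples would give backend authors the contract. The TODO added to the description entry is fine as a question, but the entry still says nothing about what `description/0` should return.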
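Review bot: `re:run(Name, PermRegexp, [{capture, none}])` in the new `check_resource_access/3` is an unanchored search, so a permission regexp that does not carry its own `^` and `$` grants access to any resource whose name merely contains a match; the code is moved verbatim from rabbit_access_control (see the removed lines in the previous file), but now that it is the reference implementation of the callback this is the place to pin the intended semantics. The `<<"">> -> <<$^, $$>>` special case already relies on explicit anchors to deny everything, which suggests the search semantics are deliberate or at least depended upon by existing permission tables. A comment above the `re:run` call such as `%% Permission regexps are searched, not anchored: a pattern must include ^ and $ to match the whole name` would keep a later maintainer from changing the matching silently; if whole-name matching is what is actually wanted, that change should be made consciously and documented, since it alters what existing permissions grant. Note also that `permission_index/1` has clauses only for `configure`, `write` and `read`, so any other `Permission` atom fails with `function_clause` before the table is consulted, which is consistent with the rest of the module's let-it-crash style.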