authorSteve Powell <steve@rabbitmq.com>2012-02-28 10:34:48 +0000
committerSteve Powell <steve@rabbitmq.com>2012-02-28 10:34:48 +0000
commitf7f36ed49929d1c23a6e9e49db27f380d253c73a (patch)
tree47468cd844fd789f54d3451dc3f3e6a8601be55c
parent3f3c7f93f6cb2a6ad46ebb1867f9b0fd9c6b6a09 (diff)
parent5656fadedbba34b8bb5ff9bf566ea2c06d280f8f (diff)
downloadrabbitmq-server-f7f36ed49929d1c23a6e9e49db27f380d253c73a.tar.gz
Merge default in
-rw-r--r--Makefile2
-rw-r--r--docs/rabbitmq-echopid.xml71
-rw-r--r--docs/rabbitmqctl.1.xml7
-rw-r--r--ebin/rabbit_app.in1
-rw-r--r--packaging/debs/apt-repository/README-real-repository4
-rw-r--r--scripts/rabbitmq-echopid.bat49
-rw-r--r--src/rabbit.erl18
-rw-r--r--src/rabbit_ssl.erl41
8 files changed, 179 insertions, 14 deletions
diff --git a/Makefile b/Makefile
index 70f47b38..3144889b 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ BEAM_TARGETS=$(patsubst $(SOURCE_DIR)/%.erl, $(EBIN_DIR)/%.beam, $(SOURCES))
TARGETS=$(EBIN_DIR)/rabbit.app $(INCLUDE_DIR)/rabbit_framing.hrl $(BEAM_TARGETS) plugins
WEB_URL=http://www.rabbitmq.com/
MANPAGES=$(patsubst %.xml, %.gz, $(wildcard $(DOCS_DIR)/*.[0-9].xml))
-WEB_MANPAGES=$(patsubst %.xml, %.man.xml, $(wildcard $(DOCS_DIR)/*.[0-9].xml) $(DOCS_DIR)/rabbitmq-service.xml)
+WEB_MANPAGES=$(patsubst %.xml, %.man.xml, $(wildcard $(DOCS_DIR)/*.[0-9].xml) $(DOCS_DIR)/rabbitmq-service.xml $(DOCS_DIR)/rabbitmq-echopid.xml)
USAGES_XML=$(DOCS_DIR)/rabbitmqctl.1.xml $(DOCS_DIR)/rabbitmq-plugins.1.xml
USAGES_ERL=$(foreach XML, $(USAGES_XML), $(call usage_xml_to_erl, $(XML)))
QC_MODULES := rabbit_backing_queue_qc
diff --git a/docs/rabbitmq-echopid.xml b/docs/rabbitmq-echopid.xml
new file mode 100644
index 00000000..d3dcea52
--- /dev/null
+++ b/docs/rabbitmq-echopid.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.docbook.org/xml/4.5/docbookx.dtd">
+<refentry lang="en">
+ <refentryinfo>
+ <productname>RabbitMQ Server</productname>
+ <authorgroup>
+ <corpauthor>The RabbitMQ Team &lt;<ulink url="mailto:info@rabbitmq.com"><email>info@rabbitmq.com</email></ulink>&gt;</corpauthor>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>rabbitmq-echopid.bat</refentrytitle>
+ <refmiscinfo class="manual">RabbitMQ Server</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>rabbitmq-echopid.bat</refname>
+ <refpurpose>return the process id of the Erlang runtime hosting RabbitMQ</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>rabbitmq-echopid.bat</command>
+ <arg choice="req">sname</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+ <para>
+ RabbitMQ is an implementation of AMQP, the emerging
+ standard for high performance enterprise messaging. The
+ RabbitMQ server is a robust and scalable implementation of
+ an AMQP broker.
+ </para>
+ <para>
+ Running <command>rabbitmq-echopid</command> will attempt to
+ discover and echo the process id (PID) of the Erlang runtime
+ process (erl.exe) that is hosting RabbitMQ. To allow erl.exe
+ time to start up and load RabbitMQ, the script will wait for
+ ten seconds before timing out if a suitable PID cannot be
+ found.
+ </para>
+ <para>
+ If a PID is discovered, the script will echo it to stdout
+ before exiting with a ERRORLEVEL of 0. If no PID is
+ discovered before the timeout, nothing is written to stdout
+ and the script exits setting ERRORLEVEL to 1.
+ </para>
+ <para>
+ Note that this script only exists on Windows due to the need
+ to wait for erl.exe and possibly time-out. To obtain the PID
+ on Unix set RABBITMQ_PID_FILE before starting
+ rabbitmq-server and do not use "-detached".
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+ <variablelist>
+ <varlistentry>
+ <term><cmdsynopsis><arg choice="req">sname</arg></cmdsynopsis></term>
+ <listitem>
+ <para role="usage">
+The short-name form of the RabbitMQ node name.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+</refentry>
diff --git a/docs/rabbitmqctl.1.xml b/docs/rabbitmqctl.1.xml
index c1c51f9f..3cfe0adf 100644
--- a/docs/rabbitmqctl.1.xml
+++ b/docs/rabbitmqctl.1.xml
@@ -1420,8 +1420,11 @@
<variablelist>
<varlistentry>
<term>fraction</term>
- <listitem><para>The new memory threshhold fraction at which flow control is triggered, as a
- floating point number between 0.0 and 1.0 with a mandatory fractional part.</para></listitem>
+ <listitem><para>
+ The new memory threshold fraction at which flow
+ control is triggered, as a floating point number
+ greater than or equal to 0.
+ </para></listitem>
</varlistentry>
</variablelist>
</listitem>
diff --git a/ebin/rabbit_app.in b/ebin/rabbit_app.in
index 2fee1114..fd19051d 100644
--- a/ebin/rabbit_app.in
+++ b/ebin/rabbit_app.in
@@ -38,6 +38,7 @@
{delegate_count, 16},
{trace_vhosts, []},
{log_levels, [{connection, info}]},
+ {ssl_cert_login_from, distinguished_name},
{tcp_listen_options, [binary,
{packet, raw},
{reuseaddr, true},
diff --git a/packaging/debs/apt-repository/README-real-repository b/packaging/debs/apt-repository/README-real-repository
index b1526227..189852eb 100644
--- a/packaging/debs/apt-repository/README-real-repository
+++ b/packaging/debs/apt-repository/README-real-repository
@@ -13,7 +13,7 @@ that's a baby rabbit.
Secondly, a note on software. We need a tool to manage the repository,
and a tool to perform uploads to the repository. Debian being Debian
-there are quite a few of each. We will use "rerepro" to manage the
+there are quite a few of each. We will use "reprepro" to manage the
repository since it's modern, maintained, and fairly simple. We will use
"dupload" to perform the uploads since it gives us the ability to run
arbitrary commands after the upload, which means we don't need to run a
@@ -99,7 +99,7 @@ machine
* "rm -rf" the uploads folder
This is a bit cheesy but should be enough for our purposes. The
-dupload.conf uses scp and ssh so you need a public-key login (or tpye
+dupload.conf uses scp and ssh so you need a public-key login (or type
your password lots).
There's still an open question as to whether dupload is really needed
diff --git a/scripts/rabbitmq-echopid.bat b/scripts/rabbitmq-echopid.bat
new file mode 100644
index 00000000..5c652c30
--- /dev/null
+++ b/scripts/rabbitmq-echopid.bat
@@ -0,0 +1,49 @@
+@echo off
+
+REM Usage: rabbitmq-echopid.bat <rabbitmq_nodename>
+REM
+REM <rabbitmq_nodename> sname of the erlang node to connect to (required)
+
+setlocal
+
+if "%1"=="" goto fail
+
+:: set timeout vars ::
+set TIMEOUT=10
+set TIMER=1
+
+:: check that wmic exists ::
+set WMIC_PATH=%SYSTEMROOT%\System32\Wbem\wmic.exe
+if not exist "%WMIC_PATH%" (
+ goto fail
+)
+
+:getpid
+for /f "usebackq tokens=* skip=1" %%P IN (`%%WMIC_PATH%% process where "name='erl.exe' and commandline like '%%-sname %1%%'" get processid 2^>nul`) do (
+ set PID=%%P
+ goto echopid
+)
+
+:echopid
+:: check for pid not found ::
+if "%PID%" == "" (
+ PING 127.0.0.1 -n 2 > nul
+ set /a TIMER+=1
+ if %TIMEOUT%==%TIMER% goto fail
+ goto getpid
+)
+
+:: show pid ::
+echo %PID%
+
+:: all done ::
+:ok
+endlocal
+EXIT /B 0
+
+:: something went wrong ::
+:fail
+endlocal
+EXIT /B 1
+
+
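Review bot: PID is never cleared before the `:getpid` loop, so a PID variable inherited from the calling environment makes the `if "%PID%" == ""` test false on the first pass, and the script echoes that stale value and exits 0; add `set PID=` right after `setlocal`. Separately, `%1` is substituted unvalidated into the WQL pattern `'%%-sname %1%%'`. The trailing wildcard means a node whose sname merely begins with the argument also matches, and a quote or LIKE wildcard character in the argument changes the query. A caller that uses the echoed PID to stop or signal the broker could then act on the wrong erl.exe, so the script should reject arguments containing anything other than the characters expected in a node name before building the query.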
diff --git a/src/rabbit.erl b/src/rabbit.erl
index 0a0ca90a..dd5fb89c 100644
--- a/src/rabbit.erl
+++ b/src/rabbit.erl
@@ -212,14 +212,13 @@
-type(file_suffix() :: binary()).
%% this really should be an abstract type
-type(log_location() :: 'tty' | 'undefined' | file:filename()).
+-type(param() :: atom()).
-spec(maybe_hipe_compile/0 :: () -> 'ok').
-spec(prepare/0 :: () -> 'ok').
-spec(start/0 :: () -> 'ok').
-spec(stop/0 :: () -> 'ok').
-spec(stop_and_halt/0 :: () -> no_return()).
--spec(rotate_logs/1 :: (file_suffix()) -> rabbit_types:ok_or_error(any())).
--spec(force_event_refresh/0 :: () -> 'ok').
-spec(status/0 ::
() -> [{pid, integer()} |
{running_applications, [{atom(), string(), string()}]} |
@@ -228,12 +227,11 @@
{memory, any()}]).
-spec(is_running/0 :: () -> boolean()).
-spec(is_running/1 :: (node()) -> boolean()).
--spec(environment/0 :: () -> [{atom() | term()}]).
--spec(log_location/1 :: ('sasl' | 'kernel') -> log_location()).
+-spec(environment/0 :: () -> [{param() | term()}]).
+-spec(rotate_logs/1 :: (file_suffix()) -> rabbit_types:ok_or_error(any())).
+-spec(force_event_refresh/0 :: () -> 'ok').
--spec(maybe_insert_default_data/0 :: () -> 'ok').
--spec(boot_delegate/0 :: () -> 'ok').
--spec(recover/0 :: () -> 'ok').
+-spec(log_location/1 :: ('sasl' | 'kernel') -> log_location()).
-spec(start/2 :: ('normal',[]) ->
{'error',
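Review bot: The return type in `-spec(environment/0 :: () -> [{param() | term()}])` describes a list of one-element tuples whose single element is a union, which is probably not what is meant for key/value pairs. If the function returns `{Key, Value}` tuples (its body is not in this hunk), the spec should read `[{param(), term()}]`. The commit only swaps `atom()` for `param()`, so Dialyzer would still check callers against the wrong shape.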
@@ -243,6 +241,10 @@
{'ok',pid()}).
-spec(stop/1 :: (_) -> 'ok').
+-spec(maybe_insert_default_data/0 :: () -> 'ok').
+-spec(boot_delegate/0 :: () -> 'ok').
+-spec(recover/0 :: () -> 'ok').
+
-endif.
%%----------------------------------------------------------------------------
@@ -712,6 +714,6 @@ config_files() ->
case init:get_argument(config) of
{ok, Files} -> [filename:absname(
filename:rootname(File, ".config") ++ ".config") ||
- File <- Files];
+ [File] <- Files];
error -> []
end.
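Review bot: With `[File] <- Files` as the generator pattern, any `-config` occurrence that does not carry exactly one value is dropped silently, because a list comprehension skips elements that fail to match the pattern. If this list is used to report which configuration files are in effect (not visible here), the output could omit a file the runtime still tried to load. Consider handling the other shapes explicitly, or at least documenting the behaviour with a comment such as `%% init:get_argument/1 yields one value list per -config flag; flags without exactly one value are skipped`. The `config_files() ->` head sits in the hunk header, outside the visible lines.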
diff --git a/src/rabbit_ssl.erl b/src/rabbit_ssl.erl
index 3025d981..22ff555f 100644
--- a/src/rabbit_ssl.erl
+++ b/src/rabbit_ssl.erl
@@ -21,7 +21,7 @@
-include_lib("public_key/include/public_key.hrl").
-export([peer_cert_issuer/1, peer_cert_subject/1, peer_cert_validity/1]).
--export([peer_cert_subject_items/2]).
+-export([peer_cert_subject_items/2, peer_cert_auth_name/1]).
%%--------------------------------------------------------------------------
@@ -36,6 +36,8 @@
-spec(peer_cert_validity/1 :: (certificate()) -> string()).
-spec(peer_cert_subject_items/2 ::
(certificate(), tuple()) -> [string()] | 'not_found').
+-spec(peer_cert_auth_name/1 ::
+ (certificate()) -> binary() | 'not_found' | 'unsafe').
-endif.
@@ -76,6 +78,43 @@ peer_cert_validity(Cert) ->
format_asn1_value(End)])
end, Cert).
+%% Extract a username from the certificate
+peer_cert_auth_name(Cert) ->
+ {ok, Mode} = application:get_env(rabbit, ssl_cert_login_from),
+ peer_cert_auth_name(Mode, Cert).
+
+peer_cert_auth_name(distinguished_name, Cert) ->
+ case auth_config_sane() of
+ true -> iolist_to_binary(peer_cert_subject(Cert));
+ false -> unsafe
+ end;
+
+peer_cert_auth_name(common_name, Cert) ->
+ %% If there is more than one CN then we join them with "," in a
+ %% vaguely DN-like way. But this is more just so we do something
+ %% more intelligent than crashing, if you actually want to escape
+ %% things properly etc, use DN mode.
+ case auth_config_sane() of
+ true -> case peer_cert_subject_items(Cert, ?'id-at-commonName') of
+ not_found -> not_found;
+ CNs -> list_to_binary(string:join(CNs, ","))
+ end;
+ false -> unsafe
+ end.
+
+auth_config_sane() ->
+ {ok, Opts} = application:get_env(rabbit, ssl_options),
+ case {proplists:get_value(fail_if_no_peer_cert, Opts),
+ proplists:get_value(verify, Opts)} of
+ {true, verify_peer} ->
+ true;
+ {F, V} ->
+ rabbit_log:warning("SSL certificate authentication disabled, "
+ "fail_if_no_peer_cert=~p; "
+ "verify=~p~n", [F, V]),
+ false
+ end.
+
%%--------------------------------------------------------------------------
cert_info(F, Cert) ->
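Review bot: In the `common_name` clause of `peer_cert_auth_name/2`, joining several CNs with "," produces a login name that is not unique to one certificate: a subject with the two CNs `a` and `b` and a subject with the single CN `a,b` both yield `<<"a,b">>`. Since this value is used as the authenticated username, it would be safer to accept exactly one CN and refuse the rest, e.g. `[CN] -> list_to_binary(CN);` followed by `_ -> unsafe`, rather than relying on the comment's advice to use DN mode. Two smaller points: `{ok, Opts} = application:get_env(rabbit, ssl_options)` in `auth_config_sane/0` raises badmatch instead of returning `unsafe` if `ssl_options` is not set (whether a default exists is not visible here), and the warning is logged on every call, so a misconfigured listener writes one log line per login attempt. The trailing `cert_info(F, Cert) ->` line is context whose body continues outside the hunk.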