1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
%% The contents of this file are subject to the Mozilla Public License
%% Version 1.1 (the "License"); you may not use this file except in
%% compliance with the License. You may obtain a copy of the License
%% at http://www.mozilla.org/MPL/
%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and
%% limitations under the License.
%%
%% The Original Code is RabbitMQ.
%%
%% The Initial Developer of the Original Code is VMware, Inc.
%% Copyright (c) 2007-2011 VMware, Inc. All rights reserved.
%%
-module(rabbit_access_control).
-include("rabbit.hrl").
-export([check_user_pass_login/2, check_user_login/2,
check_vhost_access/2, check_resource_access/3]).
%%----------------------------------------------------------------------------
-ifdef(use_specs).
-export_type([permission_atom/0]).
-type(permission_atom() :: 'configure' | 'read' | 'write').
-spec(check_user_pass_login/2 ::
(rabbit_types:username(), rabbit_types:password())
-> {'ok', rabbit_types:user()} | {'refused', string(), [any()]}).
-spec(check_vhost_access/2 ::
(rabbit_types:user(), rabbit_types:vhost())
-> 'ok' | rabbit_types:channel_exit()).
-spec(check_resource_access/3 ::
(rabbit_types:user(), rabbit_types:r(atom()), permission_atom())
-> 'ok' | rabbit_types:channel_exit()).
-endif.
%%----------------------------------------------------------------------------
check_user_pass_login(Username, Password) ->
check_user_login(Username, [{password, Password}]).
check_user_login(Username, AuthProps) ->
{ok, Modules} = application:get_env(rabbit, auth_backends),
lists:foldl(
fun(Module, {refused, _, _}) ->
case Module:check_user_login(Username, AuthProps) of
{error, E} ->
{refused, "~s failed authenticating ~s: ~p~n",
[Module, Username, E]};
Else ->
Else
end;
(_, {ok, User}) ->
{ok, User}
end, {refused, "No modules checked '~s'", [Username]}, Modules).
check_vhost_access(User = #user{ username = Username,
auth_backend = Module }, VHostPath) ->
?LOGDEBUG("Checking VHost access for ~p to ~p~n", [Username, VHostPath]),
check_access(
fun() ->
rabbit_vhost:exists(VHostPath) andalso
Module:check_vhost_access(User, VHostPath)
end,
"~s failed checking vhost access to ~s for ~s: ~p~n",
[Module, VHostPath, Username],
"access to vhost '~s' refused for user '~s'",
[VHostPath, Username]).
check_resource_access(User, R = #resource{kind = exchange, name = <<"">>},
Permission) ->
check_resource_access(User, R#resource{name = <<"amq.default">>},
Permission);
check_resource_access(User = #user{username = Username, auth_backend = Module},
Resource, Permission) ->
check_access(
fun() -> Module:check_resource_access(User, Resource, Permission) end,
"~s failed checking resource access to ~p for ~s: ~p~n",
[Module, Resource, Username],
"access to ~s refused for user '~s'",
[rabbit_misc:rs(Resource), Username]).
check_access(Fun, ErrStr, ErrArgs, RefStr, RefArgs) ->
Allow = case Fun() of
{error, _} = E ->
rabbit_log:error(ErrStr, ErrArgs ++ [E]),
false;
Else ->
Else
end,
case Allow of
true ->
ok;
false ->
rabbit_misc:protocol_error(access_refused, RefStr, RefArgs)
end.
|
