Propagate all credentials to http backend

except those that starts with rabbit_

Author: MarcialRosales

deps/rabbitmq_auth_backend_http/README.md

@@ -84,6 +84,9 @@ against the URIs listed in the configuration file. It will add query string
 * `username`: the name of the user
 * `password`: the password provided (may be missing if e.g. rabbitmq-auth-mechanism-ssl is used)
 
+Note: This plugin may include additional http request parameters in addition to the ones listed above.
+For instance, if the user accessed RabbitMQ via the MQTT protocol, it is expected `client_id` and `vhost` request parameters too. 
+
 ### vhost_path
 
 * `username`: the name of the user

deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl

@@ -34,7 +34,7 @@ description() ->
 
 user_login_authentication(Username, AuthProps) ->
 
-    case http_req(p(user_path), q([{username, Username}|extractPassword(AuthProps)])) of
+    case http_req(p(user_path), q([{username, Username}|extractPassword(AuthProps)]++extractOtherCredentials(AuthProps))) of
         {error, _} = E  -> E;
         "deny"          -> {refused, "Denied by the backing HTTP service", []};
         "allow" ++ Rest -> Tags = [rabbit_data_coercion:to_atom(T) ||
@@ -49,6 +49,7 @@ user_login_authentication(Username, AuthProps) ->
 %% Credentials (i.e. password) maybe directly in the password attribute in AuthProps
 %% or as a Function with the attribute rabbit_auth_backend_http if the user was already authenticated with http backend
 %% or as a Function with the attribute rabbit_auth_backend_cache if the user was already authenticated via cache backend
+
 extractPassword(AuthProps) ->
     case proplists:get_value(password, AuthProps, none) of
         none ->
@@ -62,6 +63,15 @@ extractPassword(AuthProps) ->
         Password -> [{password, Password}]
     end.
 
+%% Some protocols may add additional credentials into the AuthProps that should be propagated to
+%% the external authentication backends
+%% This function excludes any attribute that starts with rabbit_auth_backend_
+is_internal_property("rabbit_" ++ _Rest) -> true;
+is_internal_property(_Other) -> false.
+
+extractOtherCredentials(AuthProps) ->
+  [{K,V} || {K,V} <-AuthProps, not is_internal_property(K)].
+
 user_login_authorization(Username, AuthProps) ->
     case user_login_authentication(Username, AuthProps) of
         {ok, #auth_user{impl = Impl}} -> {ok, Impl};

deps/rabbitmq_auth_backend_http/test/auth_SUITE.erl

@@ -20,18 +20,35 @@
 	 {vhost_path, "http://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/vhost"},
      {resource_path, "http://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/resource"},
 	 {topic_path, "http://localhost:" ++ integer_to_list(?AUTH_PORT) ++ "/auth/topic"}]).
--define(ALLOWED_USER, #{username => <<"Ala">>,
+-define(ALLOWED_USER, #{username => <<"Ala1">>,
                         password => <<"Kocur">>,
+												expected_credentials => [username, password],
                         tags => [policymaker, monitoring]}).
--define(DENIED_USER, #{username => <<"Alice">>, password => <<"Cat">>}).
+-define(ALLOWED_USER_WITH_EXTRA_CREDENTIALS, #{username => <<"Ala2">>,
+                        password => <<"Kocur">>,
+												client_id => <<"some_id">>,
+												expected_credentials => [username, password, client_id],
+                        tags => [policymaker, monitoring]}).
+-define(DENIED_USER, #{username => <<"Alice">>,
+											 password => <<"Cat">>
+											 }).
 
-all() -> [grants_access_to_user, denies_access_to_user].
+all() -> [grants_access_to_user,
+					denies_access_to_user,
+					grants_access_to_user_passing_additional_required_authprops,
+					grants_access_to_user_skipping_internal_authprops].
 
 init_per_suite(Config) ->
     configure_http_auth_backend(),
-    #{username := Username, password := Password, tags := Tags} = ?ALLOWED_USER,
-    start_http_auth_server(?AUTH_PORT, ?USER_PATH, #{Username => {Password, Tags}}),
-    [{allowed_user, ?ALLOWED_USER}, {denied_user, ?DENIED_USER} | Config].
+    {User1, Tuple1} = extractUserTuple(?ALLOWED_USER),
+		{User2, Tuple2} = extractUserTuple(?ALLOWED_USER_WITH_EXTRA_CREDENTIALS),
+    start_http_auth_server(?AUTH_PORT, ?USER_PATH, #{User1 => Tuple1, User2 => Tuple2}),
+    [{allowed_user, ?ALLOWED_USER},
+			{allowed_user_with_extra_credentials, ?ALLOWED_USER_WITH_EXTRA_CREDENTIALS},
+			{denied_user, ?DENIED_USER} | Config].
+extractUserTuple(User) ->
+	#{username := Username, password := Password, tags := Tags, expected_credentials := ExpectedCredentials} = User,
+	{Username, {Password, Tags, ExpectedCredentials}}.
 
 end_per_suite(_Config) ->
     stop_http_auth_server().
@@ -47,6 +64,20 @@ denies_access_to_user(Config) ->
     ?assertMatch({refused, "Denied by the backing HTTP service", []},
                   rabbit_auth_backend_http:user_login_authentication(U, [{password, P}])).
 
+
+grants_access_to_user_passing_additional_required_authprops(Config) ->
+    #{username := U, password := P, tags := T, client_id := ClientId} = ?config(allowed_user_with_extra_credentials, Config),
+    {ok, User} = rabbit_auth_backend_http:user_login_authentication(U, [{password, P}, {client_id, ClientId}]),
+    ?assertMatch({U, T, P},
+                 {User#auth_user.username, User#auth_user.tags, (User#auth_user.impl)()}).
+
+grants_access_to_user_skipping_internal_authprops(Config) ->
+    #{username := U, password := P, tags := T, client_id := ClientId} = ?config(allowed_user_with_extra_credentials, Config),
+    {ok, User} = rabbit_auth_backend_http:user_login_authentication(U,
+			[{password, P}, {client_id, ClientId}, {rabbit_any_internal_property, <<"some value">>}]),
+    ?assertMatch({U, T, P},
+                 {User#auth_user.username, User#auth_user.tags, (User#auth_user.impl)()}).
+
 %%% HELPERS
 
 configure_http_auth_backend() ->

deps/rabbitmq_auth_backend_http/test/auth_http_mock.erl

@@ -6,21 +6,25 @@
 
 init(Req = #{method := <<"GET">>}, Users) ->
     QsVals = cowboy_req:parse_qs(Req),
-    Reply = authenticate(proplists:get_value(<<"username">>, QsVals),
-                         proplists:get_value(<<"password">>, QsVals),
-                         Users),
+    Reply = authenticate(QsVals, Users),
     Req2 = cowboy_req:reply(200, #{<<"content-type">> => <<"text/plain">>}, Reply, Req),
     {ok, Req2, Users}.
 
 %%% HELPERS
 
-authenticate(Username, Password, Users) ->
+authenticate(QsVals, Users) ->
+   Username = proplists:get_value(<<"username">>, QsVals),
+   Password = proplists:get_value(<<"password">>, QsVals),
    case maps:get(Username, Users, undefined) of
-       {MatchingPassword, Tags} when Password =:= MatchingPassword ->
-           StringTags = lists:map(fun(T) -> io_lib:format("~ts", [T]) end, Tags),
-           <<"allow ", (list_to_binary(string:join(StringTags, " ")))/binary>>;
-        {_OtherPassword, _} ->
+       {MatchingPassword, Tags, ExpectedCredentials} when Password =:= MatchingPassword ->
+            case lists:all(fun(C) -> proplists:is_defined(list_to_binary(rabbit_data_coercion:to_list(C)),QsVals) end, ExpectedCredentials) of
+              true -> StringTags = lists:map(fun(T) -> io_lib:format("~ts", [T]) end, Tags),
+                      <<"allow ", (list_to_binary(string:join(StringTags, " ")))/binary>>;
+              false -> ct:log("Missing required attributes. Expected ~p, Found: ~p", [ExpectedCredentials, QsVals]),
+                       <<"deny">>
+            end;
+        {_OtherPassword, _, _} ->
             <<"deny">>;
         undefined ->
             <<"deny">>
-   end.
+   end.