Skip to content

Commit

Permalink
See #4842. Obfuscate impl value
Browse files Browse the repository at this point in the history 
(cherry picked from commit 09d84e6)
(cherry picked from commit 724b9b2)
  • Loading branch information
@SimonUnge @mergify
SimonUnge authored and mergify[bot] committed Nov 13, 2022
1 parent 91e1dc4 commit 249fdef
Show file tree
Hide file tree
Showing 7 changed files with 34 additions and 30 deletions.
2 changes: 1 addition & 1 deletion deps/rabbit/src/rabbit_auth_backend_internal.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ internal_check_user_login(Username, Fun) ->
case Fun(User) of
true -> {ok, #auth_user{username = Username,
tags = Tags,
impl = none}};
impl = fun() -> none end}};
_ -> Refused
end;
{error, not_found} ->
Expand Down
5 changes: 1 addition & 4 deletions deps/rabbitmq_auth_backend_cache/test/rabbit_auth_backend_cache_SUITE.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ authentication_response(Config) ->
authorization_response(Config) ->
AuthProps = [{password, <<"guest">>}],
{ok, #auth_user{impl = Impl, tags = Tags}} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, AuthProps]),
true = is_function(Impl),
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"guest">>, AuthProps]),
{ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_cache, user_login_authorization, [<<"guest">>, AuthProps]),
{refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"nonguest">>, AuthProps]),
Expand Down Expand Up @@ -163,7 +164,3 @@ cache_expiration_topic(Config) ->

rpc(Config, M, F, A) ->
rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).




2 changes: 1 addition & 1 deletion deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ user_login_authentication(Username, AuthProps) ->
T <- string:tokens(Rest, " ")],
{ok, #auth_user{username = Username,
tags = Tags,
impl = none}};
impl = fun() -> none end}};
Other -> {error, {bad_response, Other}}
end.

Expand Down
5 changes: 3 additions & 2 deletions deps/rabbitmq_auth_backend_http/test/auth_SUITE.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,9 @@ end_per_suite(_Config) ->

grants_access_to_user(Config) ->
#{username := U, password := P, tags := T} = ?config(allowed_user, Config),
?assertMatch({ok, #auth_user{username = U, tags = T}},
rabbit_auth_backend_http:user_login_authentication(U, [{password, P}])).
{ok, User} = rabbit_auth_backend_http:user_login_authentication(U, [{password, P}]),
?assertMatch({U, T, none},
{User#auth_user.username, User#auth_user.tags, (User#auth_user.impl)()}).

denies_access_to_user(Config) ->
#{username := U, password := P} = ?config(denied_user, Config),
Expand Down
23 changes: 15 additions & 8 deletions deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,8 +88,9 @@ user_login_authorization(Username, AuthProps) ->
end.

check_vhost_access(User = #auth_user{username = Username,
impl = #impl{user_dn = UserDN}},
impl = ImplFun},
VHost, AuthzData) ->
UserDN = (ImplFun())#impl.user_dn,
OptionsArgs = context_as_options(AuthzData, undefined),
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
Args = [{username, Username},
Expand All @@ -104,10 +105,11 @@ check_vhost_access(User = #auth_user{username = Username,
R1.

check_resource_access(User = #auth_user{username = Username,
impl = #impl{user_dn = UserDN}},
impl = ImplFun},
#resource{virtual_host = VHost, kind = Type, name = Name},
Permission,
AuthzContext) ->
UserDN = (ImplFun())#impl.user_dn,
OptionsArgs = context_as_options(AuthzContext, undefined),
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
Args = [{username, Username},
Expand All @@ -125,10 +127,11 @@ check_resource_access(User = #auth_user{username = Username,
R1.

check_topic_access(User = #auth_user{username = Username,
impl = #impl{user_dn = UserDN}},
impl = ImplFun},
#resource{virtual_host = VHost, kind = topic = Resource, name = Name},
Permission,
Context) ->
UserDN = (ImplFun())#impl.user_dn,
OptionsArgs = context_as_options(Context, undefined),
ADArgs = rabbit_auth_backend_ldap_util:get_active_directory_args(Username),
Args = [{username, Username},
Expand Down Expand Up @@ -220,7 +223,8 @@ evaluate0({in_group, DNPattern}, Args, User, LDAP) ->
evaluate({in_group, DNPattern, "member"}, Args, User, LDAP);

evaluate0({in_group, DNPattern, Desc}, Args,
#auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
#auth_user{impl = ImplFun}, LDAP) ->
UserDN = (ImplFun())#impl.user_dn,
Filter = eldap:equalityMatch(Desc, UserDN),
DN = fill(DNPattern, Args),
R = object_exists(DN, Filter, LDAP),
Expand All @@ -234,7 +238,7 @@ evaluate0({in_group_nested, DNPattern, Desc}, Args, User, LDAP) ->
evaluate({in_group_nested, DNPattern, Desc, subtree},
Args, User, LDAP);
evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
#auth_user{impl = #impl{user_dn = UserDN}}, LDAP) ->
#auth_user{impl = ImplFun}, LDAP) ->
GroupsBase = case env(group_lookup_base) of
none ->
get_expected_env_str(dn_lookup_base, none);
Expand All @@ -250,6 +254,7 @@ evaluate0({in_group_nested, DNPattern, Desc, Scope}, Args,
onelevel -> eldap:singleLevel();
one_level -> eldap:singleLevel()
end,
UserDN = (ImplFun())#impl.user_dn,
search_nested_group(LDAP, Desc, GroupsBase, EldapScope, UserDN, GroupDN, []);

evaluate0({'not', SubQuery}, Args, User, LDAP) ->
Expand Down Expand Up @@ -786,8 +791,9 @@ do_login(Username, PrebindUserDN, Password, VHost, LDAP) ->
_ -> PrebindUserDN
end,
User = #auth_user{username = Username,
impl = #impl{user_dn = UserDN,
password = Password}},
impl = fun() -> #impl{user_dn = UserDN,
password = Password}
end},
DTQ = fun (LDAPn) -> do_tag_queries(Username, UserDN, User, VHost, LDAPn) end,
TagRes = case env(other_bind) of
as_user -> DTQ(LDAP);
Expand Down Expand Up @@ -882,7 +888,8 @@ creds(User) -> creds(User, env(other_bind)).

creds(none, as_user) ->
{error, "'other_bind' set to 'as_user' but no password supplied"};
creds(#auth_user{impl = #impl{user_dn = UserDN, password = PW}}, as_user) ->
creds(#auth_user{impl = ImplFun}, as_user) ->
#impl{user_dn = UserDN, password = PW} = ImplFun(),
{ok, {UserDN, PW}};
creds(_, Creds) ->
{ok, Creds}.
Expand Down
5 changes: 2 additions & 3 deletions deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -457,10 +457,10 @@ topic_authorisation_consumption(Config) ->
topic_authorisation_consumption1(Config) ->
%% we can't use the LDAP backend record here, falling back to simple tuples
Alice = {auth_user,<<"Alice">>, [monitor],
{impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>}
fun() -> {impl,"cn=Alice,ou=People,dc=rabbitmq,dc=com",<<"password">>} end,
},
Bob = {auth_user,<<"Bob">>, [monitor],
{impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>}
fun() -> {impl,"cn=Bob,ou=People,dc=rabbitmq,dc=com",<<"password">>} end,
},
Resource = #resource{virtual_host = <<"/">>, name = <<"amq.topic">>, kind = topic},
Context = #{routing_key => <<"a.b">>,
Expand Down Expand Up @@ -946,4 +946,3 @@ expand_options(As, Bs) ->
false -> [A | R]
end
end, Bs, As).

22 changes: 11 additions & 11 deletions deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,29 +71,29 @@ user_login_authorization(Username, AuthProps) ->
Else -> Else
end.

check_vhost_access(#auth_user{impl = DecodedToken},
check_vhost_access(#auth_user{impl = DecodedTokenFun},
VHost, _AuthzData) ->
with_decoded_token(DecodedToken,
with_decoded_token(DecodedTokenFun(),
fun() ->
Scopes = get_scopes(DecodedToken),
Scopes = get_scopes(DecodedTokenFun()),
ScopeString = rabbit_oauth2_scope:concat_scopes(Scopes, ","),
rabbit_log:debug("Matching virtual host '~s' against the following scopes: ~s", [VHost, ScopeString]),
rabbit_oauth2_scope:vhost_access(VHost, Scopes)
end).

check_resource_access(#auth_user{impl = DecodedToken},
check_resource_access(#auth_user{impl = DecodedTokenFun},
Resource, Permission, _AuthzContext) ->
with_decoded_token(DecodedToken,
with_decoded_token(DecodedTokenFun(),
fun() ->
Scopes = get_scopes(DecodedToken),
Scopes = get_scopes(DecodedTokenFun()),
rabbit_oauth2_scope:resource_access(Resource, Permission, Scopes)
end).

check_topic_access(#auth_user{impl = DecodedToken},
check_topic_access(#auth_user{impl = DecodedTokenFun},
Resource, Permission, Context) ->
with_decoded_token(DecodedToken,
with_decoded_token(DecodedTokenFun(),
fun() ->
Scopes = get_scopes(DecodedToken),
Scopes = get_scopes(DecodedTokenFun()),
rabbit_oauth2_scope:topic_access(Resource, Permission, Context, Scopes)
end).

Expand All @@ -111,7 +111,7 @@ update_state(AuthUser, NewToken) ->
Tags = tags_from(DecodedToken),

{ok, AuthUser#auth_user{tags = Tags,
impl = DecodedToken}}
impl = fun() -> DecodedToken end}}
end.

%%--------------------------------------------------------------------
Expand All @@ -133,7 +133,7 @@ authenticate(Username0, AuthProps0) ->

{ok, #auth_user{username = Username,
tags = Tags,
impl = DecodedToken}}
impl = fun() -> DecodedToken end}}
end,
case with_decoded_token(DecodedToken, Func) of
{error, Err} ->
Expand Down

0 comments on commit 249fdef

Please sign in to comment.