Merge pull request #8661 from SimonUnge/prometheus_authentication_v2

michaelklishin · web-flow · commit 085cc457450f · 2023-06-26T16:55:12.000+04:00
(Opt-in) Prometheus scraping endpoint authentication
diff --git a/deps/rabbitmq_management/BUILD.bazel b/deps/rabbitmq_management/BUILD.bazel
@@ -190,6 +190,7 @@ rabbitmq_suite(
     deps = [
         "//deps/rabbitmq_ct_helpers:erlang_app",
         "//deps/rabbitmq_management_agent:erlang_app",
+        "//deps/rabbitmq_web_dispatch:erlang_app",
         "@proper//:erlang_app",
     ],
 )
@@ -198,6 +199,7 @@ rabbitmq_integration_suite(
     name = "rabbit_mgmt_test_db_SUITE",
     deps = [
         "//deps/rabbitmq_management_agent:erlang_app",
+        "//deps/rabbitmq_web_dispatch:erlang_app",
     ],
 )
 
@@ -211,6 +213,7 @@ rabbitmq_suite(
     size = "small",
     deps = [
         "//deps/rabbitmq_management_agent:erlang_app",
+        "//deps/rabbitmq_web_dispatch:erlang_app",
         "@proper//:erlang_app",
     ],
 )
diff --git a/deps/rabbitmq_management/app.bzl b/deps/rabbitmq_management/app.bzl
@@ -571,7 +571,10 @@ def test_suite_beam_files(name = "test_suite_beam_files"):
         outs = ["test/rabbit_mgmt_stats_SUITE.beam"],
         app_name = "rabbitmq_management",
         erlc_opts = "//:test_erlc_opts",
-        deps = ["//deps/rabbitmq_management_agent:erlang_app", "@proper//:erlang_app"],
+        deps = [
+            "//deps/rabbitmq_management_agent:erlang_app",
+            "@proper//:erlang_app",
+        ],
     )
     erlang_bytecode(
         name = "rabbit_mgmt_test_db_SUITE_beam_files",
@@ -581,7 +584,11 @@ def test_suite_beam_files(name = "test_suite_beam_files"):
         hdrs = ["include/rabbit_mgmt.hrl"],
         app_name = "rabbitmq_management",
         erlc_opts = "//:test_erlc_opts",
-        deps = ["//deps/rabbit_common:erlang_app", "//deps/rabbitmq_ct_helpers:erlang_app", "//deps/rabbitmq_management_agent:erlang_app"],
+        deps = [
+            "//deps/rabbit_common:erlang_app",
+            "//deps/rabbitmq_ct_helpers:erlang_app",
+            "//deps/rabbitmq_management_agent:erlang_app",
+        ],
     )
     erlang_bytecode(
         name = "rabbit_mgmt_test_unit_SUITE_beam_files",
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
diff --git a/deps/rabbitmq_management_agent/BUILD.bazel b/deps/rabbitmq_management_agent/BUILD.bazel
@@ -72,6 +72,7 @@ rabbitmq_app(
     deps = [
         "//deps/rabbit:erlang_app",
         "//deps/rabbit_common:erlang_app",
+        "//deps/rabbitmq_web_dispatch:erlang_app",
         "@ranch//:erlang_app",
     ],
 )
diff --git a/deps/rabbitmq_management_agent/app.bzl b/deps/rabbitmq_management_agent/app.bzl
@@ -34,6 +34,7 @@ def all_beam_files(name = "all_beam_files"):
             "//deps/rabbit:erlang_app",
             "//deps/rabbit_common:erlang_app",
             "//deps/rabbitmq_cli:erlang_app",
+            "//deps/rabbitmq_web_dispatch:erlang_app",
         ],
     )
 
@@ -72,6 +73,7 @@ def all_test_beam_files(name = "all_test_beam_files"):
             "//deps/rabbit:erlang_app",
             "//deps/rabbit_common:erlang_app",
             "//deps/rabbitmq_cli:erlang_app",
+            "//deps/rabbitmq_web_dispatch:erlang_app",
         ],
     )
 
diff --git a/deps/rabbitmq_management_agent/include/rabbit_mgmt_records.hrl b/deps/rabbitmq_management_agent/include/rabbit_mgmt_records.hrl
@@ -5,12 +5,8 @@
 %% Copyright (c) 2007-2023 VMware, Inc. or its affiliates.  All rights reserved.
 %%
 
--record(context, {user,
-                  password = none,
-                  impl}). % storage for a context of the resource handler
+-include_lib("rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl").
 
 -record(range, {first :: integer(),
                 last  :: integer(),
                 incr  :: integer()}).
-
-
diff --git a/deps/rabbitmq_prometheus/app.bzl b/deps/rabbitmq_prometheus/app.bzl
@@ -24,6 +24,7 @@ def all_beam_files(name = "all_beam_files"):
         deps = [
             "//deps/amqp_client:erlang_app",
             "//deps/rabbit_common:erlang_app",
+            "//deps/rabbitmq_web_dispatch:erlang_app",
             "@prometheus//:erlang_app",
         ],
     )
@@ -53,6 +54,7 @@ def all_test_beam_files(name = "all_test_beam_files"):
         deps = [
             "//deps/amqp_client:erlang_app",
             "//deps/rabbit_common:erlang_app",
+            "//deps/rabbitmq_web_dispatch:erlang_app",
             "@prometheus//:erlang_app",
         ],
     )
@@ -114,5 +116,8 @@ def test_suite_beam_files(name = "test_suite_beam_files"):
         outs = ["test/rabbit_prometheus_http_SUITE.beam"],
         app_name = "rabbitmq_prometheus",
         erlc_opts = "//:test_erlc_opts",
-        deps = ["//deps/amqp_client:erlang_app", "//deps/rabbitmq_ct_helpers:erlang_app"],
+        deps = [
+            "//deps/amqp_client:erlang_app",
+            "//deps/rabbitmq_ct_helpers:erlang_app",
+        ],
     )
diff --git a/deps/rabbitmq_prometheus/priv/schema/rabbitmq_prometheus.schema b/deps/rabbitmq_prometheus/priv/schema/rabbitmq_prometheus.schema
@@ -141,4 +141,8 @@ end}.
 {mapping, "prometheus.ssl.max_keepalive", "rabbitmq_prometheus.ssl_config.cowboy_opts.max_keepalive",
     [{datatype, integer}, {validators, ["non_negative_integer"]}]}.
 
-{mapping, "prometheus.filter_aggregated_queue_metrics_pattern", "rabbitmq_prometheus.filter_aggregated_queue_metrics_pattern", [{datatype, string}]}.
+{mapping, "prometheus.filter_aggregated_queue_metrics_pattern", "rabbitmq_prometheus.filter_aggregated_queue_metrics_pattern", [{datatype, string}]}.
+
+%% Authentication options ========================================================
+{mapping, "prometheus.authentication.enabled", "rabbitmq_prometheus.authentication.enabled",
+    [{datatype, {enum, [true, false]}}]}.
diff --git a/deps/rabbitmq_prometheus/src/rabbit_prometheus_handler.erl b/deps/rabbitmq_prometheus/src/rabbit_prometheus_handler.erl
@@ -11,24 +11,38 @@
 -export([setup/0]).
 
 -include_lib("amqp_client/include/amqp_client.hrl").
+-include_lib("rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl").
 
 -define(SCRAPE_DURATION, telemetry_scrape_duration_seconds).
 -define(SCRAPE_SIZE, telemetry_scrape_size_bytes).
 -define(SCRAPE_ENCODED_SIZE, telemetry_scrape_encoded_size_bytes).
 
+-define(AUTH_REALM, "Basic realm=\"RabbitMQ Prometheus\"").
+
 %% ===================================================================
 %% Cowboy Handler Callbacks
 %% ===================================================================
 
 init(Req, _State) ->
-  {cowboy_rest, Req, #{}}.
+    {cowboy_rest, Req, #context{}}.
+
 
 content_types_provided(ReqData, Context) ->
     %% Since Prometheus 2.0 Protobuf is no longer supported
     {[{{<<"text">>, <<"plain">>, '*'}, generate_response}], ReqData, Context}.
 
 is_authorized(ReqData, Context) ->
-    {true, ReqData, Context}.
+    AuthSettings = rabbit_misc:get_env(rabbitmq_prometheus, authentication, []),
+    case proplists:get_value(enabled, AuthSettings) of
+        true ->
+            rabbit_web_dispatch_access_control:is_authorized_monitor(ReqData,
+                                                                     Context,
+                                                                     #auth_settings{basic_auth_enabled = true,
+                                                                                    auth_realm = ?AUTH_REALM});
+        _ ->
+            {true, ReqData, Context}
+    end.
+
 
 setup() ->
     setup_metrics(telemetry_registry()),
diff --git a/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/rabbitmq_prometheus.snippets b/deps/rabbitmq_prometheus/test/config_schema_SUITE_data/rabbitmq_prometheus.snippets
@@ -296,5 +296,14 @@
                             {ssl_config, [{cowboy_opts, [{max_keepalive, 120}]}]}
                            ]}
     ], [rabbitmq_prometheus]
+   },
+
+  {authentication,
+    "prometheus.authentication.enabled = true",
+    [
+     {rabbitmq_prometheus, [
+                            {authentication, [{enabled, true}]}
+                           ]}
+    ], [rabbitmq_prometheus]
    }
 ].
diff --git a/deps/rabbitmq_prometheus/test/rabbit_prometheus_http_SUITE.erl b/deps/rabbitmq_prometheus/test/rabbit_prometheus_http_SUITE.erl
@@ -23,7 +23,8 @@ all() ->
         {group, per_object_metrics},
         {group, per_object_endpoint_metrics},
         {group, commercial},
-        {group, detailed_metrics}
+        {group, detailed_metrics},
+        {group, authentication}
     ].
 
 groups() ->
@@ -32,7 +33,7 @@ groups() ->
         {config_path, [], generic_tests()},
         {global_labels, [], generic_tests()},
         {aggregated_metrics, [], [
-            aggregated_metrics_test,
+                                  aggregated_metrics_test,
             specific_erlang_metrics_present_test,
             global_metrics_present_test,
             global_metrics_single_metric_family_test
@@ -60,12 +61,13 @@ groups() ->
                                      vhost_status_metric,
                                      exchange_bindings_metric,
                                      exchange_names_metric
-        ]}
+        ]},
+       {authentication, [], [basic_auth]}
     ].
 
 generic_tests() ->
     [
-        get_test,
+     get_test,
         content_type_test,
         encoding_test,
         gzip_encoding_test,
@@ -202,7 +204,14 @@ init_per_group(aggregated_metrics, Config0) ->
 init_per_group(commercial, Config0) ->
     ProductConfig = {rabbit, [{product_name, "WolfMQ"}, {product_version, "2020"}]},
     Config1 = rabbit_ct_helpers:merge_app_env(Config0, ProductConfig),
-    init_per_group(commercial, Config1, []).
+    init_per_group(commercial, Config1, []);
+
+init_per_group(authentication, Config) ->
+    Config1 = rabbit_ct_helpers:merge_app_env(
+                Config, {rabbitmq_prometheus, [{authentication, [{enabled, true}]}]}),
+    init_per_group(authentication, Config1, []).
+
+
 
 init_per_group(Group, Config0, Extra) ->
     rabbit_ct_helpers:log_environment(),
@@ -242,7 +251,10 @@ end_per_group(detailed_metrics, Config) ->
 
     %% Delete queues?
     end_per_group_(Config);
-
+end_per_group(authentication, Config) ->
+    ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, unset_env,
+                                      [rabbitmq_prometheus, authentication]),
+    end_per_group_(Config);
 end_per_group(_, Config) ->
     end_per_group_(Config).
 
@@ -549,6 +561,25 @@ exchange_names_metric(Config) ->
     ok.
 
 
+basic_auth(Config) ->
+    http_get(Config, [{"accept-encoding", "deflate"}], 401),
+    AuthHeader = rabbit_mgmt_test_util:auth_header("guest", "guest"),
+    http_get(Config, [{"accept-encoding", "deflate"}, AuthHeader], 200),
+
+    rabbit_ct_broker_helpers:add_user(Config, <<"monitor">>),
+    rabbit_ct_broker_helpers:set_user_tags(Config, 0, <<"monitor">>, [monitoring]),
+    MonAuthHeader = rabbit_mgmt_test_util:auth_header("monitor", "monitor"),
+    http_get(Config, [{"accept-encoding", "deflate"}, MonAuthHeader], 200),
+
+    rabbit_ct_broker_helpers:add_user(Config, <<"management">>),
+    rabbit_ct_broker_helpers:set_user_tags(Config, 0, <<"management">>, [management]),
+    MgmtAuthHeader = rabbit_mgmt_test_util:auth_header("management", "management"),
+    http_get(Config, [{"accept-encoding", "deflate"}, MgmtAuthHeader], 401),
+
+    rabbit_ct_broker_helpers:delete_user(Config, <<"monitor">>),
+    rabbit_ct_broker_helpers:delete_user(Config, <<"management">>).
+
+
 http_get(Config, ReqHeaders, CodeExp) ->
     Path = proplists:get_value(prometheus_path, Config, "/metrics"),
     http_get(Config, Path, ReqHeaders, CodeExp).
diff --git a/deps/rabbitmq_web_dispatch/BUILD.bazel b/deps/rabbitmq_web_dispatch/BUILD.bazel
@@ -53,6 +53,7 @@ rabbitmq_app(
     license_files = [":license_files"],
     priv = [":priv"],
     deps = [
+        "//deps/amqp_client:erlang_app",
         "//deps/rabbit:erlang_app",
         "//deps/rabbit_common:erlang_app",
         "@cowboy//:erlang_app",
diff --git a/deps/rabbitmq_web_dispatch/app.bzl b/deps/rabbitmq_web_dispatch/app.bzl
@@ -13,6 +13,7 @@ def all_beam_files(name = "all_beam_files"):
             "src/rabbit_cowboy_redirect.erl",
             "src/rabbit_cowboy_stream_h.erl",
             "src/rabbit_web_dispatch.erl",
+            "src/rabbit_web_dispatch_access_control.erl",
             "src/rabbit_web_dispatch_app.erl",
             "src/rabbit_web_dispatch_listing_handler.erl",
             "src/rabbit_web_dispatch_registry.erl",
@@ -25,7 +26,10 @@ def all_beam_files(name = "all_beam_files"):
         app_name = "rabbitmq_web_dispatch",
         dest = "ebin",
         erlc_opts = "//:erlc_opts",
-        deps = ["@cowboy//:erlang_app"],
+        deps = [
+            "//deps/amqp_client:erlang_app",
+            "@cowboy//:erlang_app",
+        ],
     )
 
 def all_test_beam_files(name = "all_test_beam_files"):
@@ -42,6 +46,7 @@ def all_test_beam_files(name = "all_test_beam_files"):
             "src/rabbit_cowboy_redirect.erl",
             "src/rabbit_cowboy_stream_h.erl",
             "src/rabbit_web_dispatch.erl",
+            "src/rabbit_web_dispatch_access_control.erl",
             "src/rabbit_web_dispatch_app.erl",
             "src/rabbit_web_dispatch_listing_handler.erl",
             "src/rabbit_web_dispatch_registry.erl",
@@ -54,7 +59,10 @@ def all_test_beam_files(name = "all_test_beam_files"):
         app_name = "rabbitmq_web_dispatch",
         dest = "test",
         erlc_opts = "//:test_erlc_opts",
-        deps = ["@cowboy//:erlang_app"],
+        deps = [
+            "//deps/amqp_client:erlang_app",
+            "@cowboy//:erlang_app",
+        ],
     )
 
 def all_srcs(name = "all_srcs"):
@@ -77,6 +85,7 @@ def all_srcs(name = "all_srcs"):
             "src/rabbit_cowboy_redirect.erl",
             "src/rabbit_cowboy_stream_h.erl",
             "src/rabbit_web_dispatch.erl",
+            "src/rabbit_web_dispatch_access_control.erl",
             "src/rabbit_web_dispatch_app.erl",
             "src/rabbit_web_dispatch_listing_handler.erl",
             "src/rabbit_web_dispatch_registry.erl",
@@ -92,6 +101,7 @@ def all_srcs(name = "all_srcs"):
     )
     filegroup(
         name = "public_hdrs",
+        srcs = ["include/rabbitmq_web_dispatch_records.hrl"],
     )
     filegroup(
         name = "license_files",
diff --git a/deps/rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl b/deps/rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl
@@ -0,0 +1,15 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2023 VMware, Inc. or its affiliates.  All rights reserved.
+%%
+
+-record(context, {user,
+                  password = none,
+                  impl}). % storage for a context of the resource handler
+
+-record(auth_settings, {auth_realm = "Basic realm=\"RabbitMQ undefined\"",
+                        basic_auth_enabled = false,
+                        oauth2_enabled = false,
+                        oauth_client_id = <<"">>}).
diff --git a/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_access_control.erl b/deps/rabbitmq_web_dispatch/src/rabbit_web_dispatch_access_control.erl
diff --git a/moduleindex.yaml b/moduleindex.yaml

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ rabbitmq_app(`
`72`	`72`	`deps = [`
`73`	`73`	`"//deps/rabbit:erlang_app",`
`74`	`74`	`"//deps/rabbit_common:erlang_app",`
	`75`	`+ "//deps/rabbitmq_web_dispatch:erlang_app",`
`75`	`76`	`"@ranch//:erlang_app",`
`76`	`77`	`],`
`77`	`78`	`)`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ def all_beam_files(name = "all_beam_files"):`
`34`	`34`	`"//deps/rabbit:erlang_app",`
`35`	`35`	`"//deps/rabbit_common:erlang_app",`
`36`	`36`	`"//deps/rabbitmq_cli:erlang_app",`
	`37`	`+ "//deps/rabbitmq_web_dispatch:erlang_app",`
`37`	`38`	`],`
`38`	`39`	`)`
`39`	`40`
`@@ -72,6 +73,7 @@ def all_test_beam_files(name = "all_test_beam_files"):`
`72`	`73`	`"//deps/rabbit:erlang_app",`
`73`	`74`	`"//deps/rabbit_common:erlang_app",`
`74`	`75`	`"//deps/rabbitmq_cli:erlang_app",`
	`76`	`+ "//deps/rabbitmq_web_dispatch:erlang_app",`
`75`	`77`	`],`
`76`	`78`	`)`
`77`	`79`