Skip to content

Commit 1f5bc60

Browse files
lukebakkenlukebakken
committed
Add code and tests for eldap:simple_bind validation.
1 parent 34bfd09 commit 1f5bc60

File tree

3 files changed

+44
-16
lines changed

3 files changed

+44
-16
lines changed

deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_mgmt.erl

Lines changed: 18 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@
2222
-include_lib("kernel/include/logger.hrl").
2323
-include_lib("rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl").
2424

25-
dispatcher() -> [{"/ldap/validate/bind/:name", ?MODULE, []}].
25+
dispatcher() -> [{"/ldap/validate/simple-bind", ?MODULE, []}].
2626

2727
web_ui() -> [].
2828

@@ -45,22 +45,34 @@ is_authorized(ReqData, Context) ->
4545

4646
accept_content(ReqData0, Context) ->
4747
F = fun (_Values, BodyMap, ReqData1) ->
48-
_Name = name(ReqData1),
4948
Port = rabbit_mgmt_util:parse_int(maps:get(port, BodyMap, 389)),
5049
_UseSsl = rabbit_mgmt_util:parse_bool(maps:get(use_ssl, BodyMap, false)),
5150
_UseStartTls = rabbit_mgmt_util:parse_bool(maps:get(use_starttls, BodyMap, false)),
5251
Servers = maps:get(servers, BodyMap, []),
53-
_Password = maps:get(password, BodyMap, <<"">>),
52+
UserDN = maps:get(user_dn, BodyMap, <<"">>),
53+
Password = maps:get(password, BodyMap, <<"">>),
5454
Options = [
5555
{port, Port},
5656
{timeout, 5000},
5757
{ssl, false}
5858
],
5959
?LOG_DEBUG("eldap:open Servers: ~tp Options: ~tp", [Servers, Options]),
6060
case eldap:open(Servers, Options) of
61-
{ok, H} ->
62-
eldap:close(H),
63-
{true, ReqData1, Context};
61+
{ok, LDAP} ->
62+
?LOG_DEBUG("eldap:simple_bind UserDN: ~tp Password: ~tp", [UserDN, Password]),
63+
Result = case eldap:simple_bind(LDAP, UserDN, Password) of
64+
ok ->
65+
{true, ReqData1, Context};
66+
{error, invalidCredentials} ->
67+
rabbit_mgmt_util:not_authorised("invalid credentials", ReqData1, Context);
68+
{error, unwillingToPerform} ->
69+
rabbit_mgmt_util:not_authorised("invalid credentials", ReqData1, Context);
70+
{error, E} ->
71+
Reason = unicode_format(E),
72+
rabbit_mgmt_util:bad_request(Reason, ReqData1, Context)
73+
end,
74+
eldap:close(LDAP),
75+
Result;
6476
{error, E} ->
6577
Reason = unicode_format(E),
6678
rabbit_mgmt_util:bad_request(Reason, ReqData1, Context)
@@ -70,11 +82,5 @@ accept_content(ReqData0, Context) ->
7082

7183
%%--------------------------------------------------------------------
7284

73-
name(ReqData) ->
74-
case rabbit_mgmt_util:id(name, ReqData) of
75-
[Value] -> Value;
76-
Value -> Value
77-
end.
78-
7985
unicode_format(Arg) ->
8086
rabbit_data_coercion:to_utf8_binary(io_lib:format("~tp", [Arg])).

deps/rabbitmq_auth_backend_ldap/test/system_SUITE.erl

Lines changed: 25 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -282,12 +282,35 @@ end_per_testcase(Testcase, Config) ->
282282
%% -------------------------------------------------------------------
283283

284284
validate_ldap_configuration_via_api(Config) ->
285+
%% {user_dn_pattern, "cn=${username},ou=People,dc=rabbitmq,dc=com"},
286+
UserDNFmt = "cn=~ts,ou=People,dc=rabbitmq,dc=com",
287+
AliceUserDN = rabbit_data_coercion:to_utf8_binary(io_lib:format(UserDNFmt, [?ALICE_NAME])),
288+
InvalidUserDN = rabbit_data_coercion:to_utf8_binary(io_lib:format(UserDNFmt, ["NOBODY"])),
289+
Password = rabbit_data_coercion:to_utf8_binary("password"),
290+
285291
LdapPort = ?config(ldap_port, Config),
286-
http_put(Config, io_lib:format("/ldap/validate/bind/~ts", [<<?ALICE_NAME>>]),
292+
%% NB: bad resource name
293+
http_put(Config, "/ldap/validate/bad-bind-name",
294+
#{
295+
'user_dn' => AliceUserDN,
296+
'password' => Password,
297+
'servers' => ["localhost"],
298+
'port' => LdapPort
299+
}, ?METHOD_NOT_ALLOWED),
300+
http_put(Config, "/ldap/validate/simple-bind",
301+
#{
302+
'user_dn' => AliceUserDN,
303+
'password' => Password,
304+
'servers' => ["localhost"],
305+
'port' => LdapPort
306+
}, ?NO_CONTENT),
307+
http_put(Config, "/ldap/validate/simple-bind",
287308
#{
309+
'user_dn' => InvalidUserDN,
310+
'password' => Password,
288311
'servers' => ["localhost"],
289312
'port' => LdapPort
290-
}, ?NO_CONTENT).
313+
}, ?NOT_AUTHORISED).
291314

292315
purge_connection(Config) ->
293316
{ok, _} = rabbit_ct_broker_helpers:rpc(Config, 0,

deps/rabbitmq_management/src/rabbit_mgmt_util.erl

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@
1818
is_authorized_vhost_visible_for_monitoring/2,
1919
is_authorized_global_parameters/2]).
2020
-export([user/1]).
21-
-export([bad_request/3, service_unavailable/3, bad_request_exception/4,
21+
-export([bad_request/3, service_unavailable/3, not_authorised/3, bad_request_exception/4,
2222
internal_server_error/3, internal_server_error/4, precondition_failed/3,
2323
id/2, parse_bool/1, parse_int/1, redirect_to_home/3]).
2424
-export([with_decode/4, not_found/3]).
@@ -668,7 +668,6 @@ bad_request(Reason, ReqData, Context) ->
668668
service_unavailable(Reason, ReqData, Context) ->
669669
halt_response(503, service_unavailable, Reason, ReqData, Context).
670670

671-
672671
not_authorised(Reason, ReqData, Context) ->
673672
rabbit_web_dispatch_access_control:not_authorised(Reason, ReqData, Context).
674673

0 commit comments

Comments
 (0)