Do not propagate password if not provided

This is relevant for ssl-based authentications

Author: MarcialRosales

deps/rabbitmq_mqtt/src/rabbit_mqtt_processor.erl

@@ -1094,9 +1094,15 @@ check_vhost_alive(VHost) ->
     end.
 
 check_user_login(VHost, Username, Password, ClientId, PeerIp, ConnName) ->
-    AuthProps = [{vhost, VHost},
-                  {client_id, ClientId},
-                  {password, Password}],
+    AuthProps = case Password of
+        none ->
+            [{vhost, VHost},
+             {client_id, ClientId}];
+        _ ->
+            [{password, Password},
+             {vhost, VHost},
+             {client_id, ClientId}]
+    end,
     case rabbit_access_control:check_user_login(Username, AuthProps) of
         {ok, User = #user{username = Username1}} ->
             notify_auth_result(user_authentication_success, Username1, ConnName),

deps/rabbitmq_mqtt/test/auth_SUITE.erl

@@ -66,13 +66,14 @@ sub_groups() ->
        ssl_user_vhost_parameter_mapping_success,
        ssl_user_vhost_parameter_mapping_not_allowed,
        ssl_user_vhost_parameter_mapping_vhost_does_not_exist,
-       ssl_user_cert_vhost_mapping_takes_precedence_over_port_vhost_mapping
+       ssl_user_cert_vhost_mapping_takes_precedence_over_port_vhost_mpping
       ]},
      {ssl_user_with_invalid_client_id_in_cert_san_dns, [],
        [invalid_client_id_from_cert_san_dns
        ]},
      {ssl_user_with_client_id_in_cert_san_dns, [],
-       [client_id_from_cert_san_dns        
+       [client_id_from_cert_san_dns,
+        ssl_user_password_not_propagated_if_not_provided        
        ]},
      {ssl_user_with_client_id_in_cert_san_dns_1, [],
        [client_id_from_cert_san_dns_1
@@ -81,7 +82,8 @@ sub_groups() ->
        [client_id_from_cert_san_email
        ]},
      {ssl_user_with_client_id_in_cert_dn, [],
-       [client_id_from_cert_dn
+       [client_id_from_cert_dn,
+        ssl_user_password_not_propagated_if_not_provided
        ]},
      {no_ssl_user, [shuffle],
       [anonymous_auth_failure,
@@ -338,6 +340,7 @@ init_per_testcase(T, Config)
   when T =:= client_id_propagation;
        T =:= invalid_client_id_from_cert_san_dns;
        T =:= client_id_from_cert_san_dns;
+       T =:= ssl_user_password_not_propagated_if_not_provided;
        T =:= client_id_from_cert_san_dns_1;
        T =:= client_id_from_cert_san_email;
        T =:= client_id_from_cert_dn ->
@@ -477,6 +480,7 @@ end_per_testcase(T, Config)
    when T =:= client_id_propagation;
        T =:= invalid_client_id_from_cert_san_dns;
        T =:= client_id_from_cert_san_dns;
+       T =:= ssl_user_password_not_propagated_if_not_provided;
        T =:= client_id_from_cert_san_dns_1;
        T =:= client_id_from_cert_san_email;
        T =:= client_id_from_cert_dn ->
@@ -573,6 +577,7 @@ client_id_from_cert_san_email(Config) ->
                                         rabbit_auth_backend_mqtt_mock,
                                         get,
                                         [authentication]),
+    ct:log("client_id_from_cert_dn. AuthProps: ~p", [AuthProps]),
     ?assertEqual(ExpectedClientId, proplists:get_value(client_id, AuthProps)),
     ok = emqtt:disconnect(C).
 
@@ -584,10 +589,22 @@ client_id_from_cert_dn(Config) ->
     [{authentication, AuthProps}] = rpc(Config, 0,
                                         rabbit_auth_backend_mqtt_mock,
                                         get,
-                                        [authentication]),
+                                        [authentication]),    
     ?assertEqual(ExpectedClientId, proplists:get_value(client_id, AuthProps)),
     ok = emqtt:disconnect(C).
 
+ssl_user_password_not_propagated_if_not_provided(Config) ->
+    ExpectedClientId = get_client_cert_subject(Config), % subject = distinguished_name
+    MqttClientId = ExpectedClientId,
+    {ok, C} = connect_ssl(MqttClientId, Config),
+    {ok, _} = emqtt:connect(C),
+    [{authentication, AuthProps}] = rpc(Config, 0,
+                                        rabbit_auth_backend_mqtt_mock,
+                                        get,
+                                        [authentication]),
+    ?assertEqual(false, proplists:is_defined(password, AuthProps)),
+    ok = emqtt:disconnect(C).
+
 invalid_client_id_from_cert_san_dns(Config) ->
     MqttClientId = <<"other_client_id">>,
     {ok, C} = connect_ssl(MqttClientId, Config),