Optionally return authz refusal reason to client

 ## What?

If the new config setting `authorization_failure_disclosure`
for an authz backend is set to `true`, (`false` by default), RabbitMQ
will return the reason why access was denied to the client.
For now, only the HTTP auth backend supports this new config setting.

 ## Why?

This helps debugging and troubleshooting directly in the client.
Some users might not have access to the RabbitMQ logs, for other
users it's cumbersome to correlate authz denial in the client with
logs on the broker.

For example, some customers would like to pass the reason why
authorization was denied from their custom HTTP auth backend via
RabbitMQ back to the client.

 ## How?

Authz backends can now return `{false, Reason}` as an alternative to
just `false` if access is denied.

For security reasons, the additional denial reason by the authz backend
will be returned to the client only if the operator opted in by setting
`authorization_failure_disclosure` to `true`.

Note that `authorization_failure_disclosure` applies only to
already authenticated clients when they try to access resources (e.g. vhosts,
exchanges, queues, topics). For security reasons, no detailed denial reason is
returned to the client if **authentication** fails.

Also note that `authorization_failure_disclosure` is set separately per
auth backend instead of being set globally for all auth backends. This
more fine granular configurability helps for use cases where the broker
should reveal the authz denial reason for only a specific auth backend.

Author: ansd

deps/rabbit/src/rabbit_access_control.erl

@@ -361,6 +361,10 @@ check_access(Fun, Module, ErrStr, ErrArgs, ErrName) ->
             ok;
         false ->
             rabbit_misc:protocol_error(ErrName, ErrStr, ErrArgs);
+        {false, Reason} ->
+            FullErrStr = ErrStr ++ " by backend ~ts: ~ts",
+            FullErrArgs = ErrArgs ++ [Module, Reason],
+            rabbit_misc:protocol_error(ErrName, FullErrStr, FullErrArgs);
         {error, E}  ->
             FullErrStr = ErrStr ++ ", backend ~ts returned an error: ~tp",
             FullErrArgs = ErrArgs ++ [Module, E],

deps/rabbit/src/rabbit_authz_backend.erl

@@ -32,38 +32,41 @@
 %% Possible responses:
 %% true
 %% false
+%% {false, Reason}
 %% {error, Error}
 %%     Something went wrong. Log and die.
 -callback check_vhost_access(AuthUser :: rabbit_types:auth_user(),
                              VHost :: rabbit_types:vhost(),
                              AuthzData :: rabbit_types:authz_data()) ->
-    boolean() | {'error', any()}.
+    boolean() | {false, Reason :: string()} | {'error', any()}.
 
 %% Given #auth_user, resource and permission, can a user access a resource?
 %%
 %% Possible responses:
 %% true
 %% false
+%% {false, Reason}
 %% {error, Error}
 %%     Something went wrong. Log and die.
 -callback check_resource_access(rabbit_types:auth_user(),
                                 rabbit_types:r(atom()),
                                 rabbit_types:permission_atom(),
                                 rabbit_types:authz_context()) ->
-    boolean() | {'error', any()}.
+    boolean() | {false, Reason :: string()} | {'error', any()}.
 
 %% Given #auth_user, topic as resource, permission, and context, can a user access the topic?
 %%
 %% Possible responses:
 %% true
 %% false
+%% {false, Reason}
 %% {error, Error}
 %%     Something went wrong. Log and die.
 -callback check_topic_access(rabbit_types:auth_user(),
     rabbit_types:r(atom()),
     rabbit_types:permission_atom(),
     rabbit_types:topic_access_context()) ->
-    boolean() | {'error', any()}.
+    boolean() | {false, Reason :: string()} | {'error', any()}.
 
 %% Updates backend state that has expired.
 %%

deps/rabbitmq_auth_backend_cache/src/rabbit_auth_backend_cache.erl

@@ -36,37 +36,34 @@ user_login_authorization(Username, AuthProps) ->
         end).
 
 check_vhost_access(#auth_user{} = AuthUser, VHostPath, AuthzData) ->
-    with_cache(authz, {check_vhost_access, [AuthUser, VHostPath, AuthzData]},
-        fun(true)  -> success;
-           (false) -> refusal;
-           ({error, _} = Err) -> Err;
-           (_)                -> unknown
-        end).
+    with_cache(authz,
+               {check_vhost_access, [AuthUser, VHostPath, AuthzData]},
+               fun convert_backend_result/1).
 
 check_resource_access(#auth_user{} = AuthUser,
                       #resource{} = Resource, Permission, AuthzContext) ->
-    with_cache(authz, {check_resource_access, [AuthUser, Resource, Permission, AuthzContext]},
-        fun(true)  -> success;
-           (false) -> refusal;
-           ({error, _} = Err) -> Err;
-           (_)                -> unknown
-        end).
+    with_cache(authz,
+               {check_resource_access, [AuthUser, Resource, Permission, AuthzContext]},
+               fun convert_backend_result/1).
 
 check_topic_access(#auth_user{} = AuthUser,
                    #resource{} = Resource, Permission, Context) ->
-    with_cache(authz, {check_topic_access, [AuthUser, Resource, Permission, Context]},
-        fun(true)  -> success;
-            (false) -> refusal;
-            ({error, _} = Err) -> Err;
-            (_)                -> unknown
-        end).
+    with_cache(authz,
+               {check_topic_access, [AuthUser, Resource, Permission, Context]},
+               fun convert_backend_result/1).
 
 expiry_timestamp(_) -> never.
 
 %%
 %% Implementation
 %%
 
+convert_backend_result(true) -> success;
+convert_backend_result(false) -> refusal;
+convert_backend_result({false, _}) -> refusal;
+convert_backend_result({error, _} = Err) -> Err;
+convert_backend_result(_) -> unknown.
+
 clear_cache_cluster_wide() ->
     Nodes = rabbit_nodes:list_running(),
     ?LOG_WARNING("Clearing auth_backend_cache in all nodes : ~p", [Nodes]),

deps/rabbitmq_auth_backend_cache/src/rabbit_auth_cache.erl

@@ -18,7 +18,7 @@
 -callback clear() -> ok.
 
 expiration(TTL) ->
-    erlang:system_time(milli_seconds) + TTL.
+    erlang:system_time(millisecond) + TTL.
 
 expired(Exp) ->
-    erlang:system_time(milli_seconds) > Exp.
+    erlang:system_time(millisecond) > Exp.

deps/rabbitmq_auth_backend_http/Makefile

@@ -10,7 +10,8 @@ define PROJECT_ENV
 	    {user_path,     "http://localhost:8000/auth/user"},
 	    {vhost_path,    "http://localhost:8000/auth/vhost"},
 	    {resource_path, "http://localhost:8000/auth/resource"},
-	    {topic_path,    "http://localhost:8000/auth/topic"}
+	    {topic_path,    "http://localhost:8000/auth/topic"},
+	    {authorization_failure_disclosure, false}
 	  ]
 endef
 
@@ -20,7 +21,7 @@ endef
 
 LOCAL_DEPS = ssl inets crypto public_key
 DEPS = rabbit_common rabbit amqp_client
-TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers cowboy
+TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers cowboy rabbitmq_amqp_client
 
 DEP_EARLY_PLUGINS = rabbit_common/mk/rabbitmq-early-plugin.mk
 DEP_PLUGINS = rabbit_common/mk/rabbitmq-plugin.mk

deps/rabbitmq_auth_backend_http/README.md

@@ -53,6 +53,7 @@ auth_http.user_path     = http://some-server/auth/user
 auth_http.vhost_path    = http://some-server/auth/vhost
 auth_http.resource_path = http://some-server/auth/resource
 auth_http.topic_path    = http://some-server/auth/topic
+auth_http.authorization_failure_disclosure = false
 ```
 
 In the [`advanced.config` format](https://www.rabbitmq.com/configure.html#advanced-config-file):
@@ -65,7 +66,8 @@ In the [`advanced.config` format](https://www.rabbitmq.com/configure.html#advanc
     {user_path,     "http(s)://some-server/auth/user"},
     {vhost_path,    "http(s)://some-server/auth/vhost"},
     {resource_path, "http(s)://some-server/auth/resource"},
-    {topic_path,    "http(s)://some-server/auth/topic"}]}
+    {topic_path,    "http(s)://some-server/auth/topic"},
+    {authorization_failure_disclosure, false}]}
 ].
 ```
 
@@ -124,6 +126,8 @@ containing:
 
 * `deny`: deny access to the user / vhost / resource
 * `deny <Reason>`: deny access to the user / vhost / resource. RabbitMQ will log the `<Reason>` at INFO level.
+   If `auth_http.authorization_failure_disclosure` is set to `true` (the default is `false` for security reasons)
+   RabbitMQ will additionally forward the `<Reason>` to AMQP clients.
 * `allow`: allow access to the user / vhost / resource
 * `allow [list of tags]` (for `user_path` only): allow access, and mark the user as an having the tags listed
 

deps/rabbitmq_auth_backend_http/priv/schema/rabbitmq_auth_backend_http.schema

@@ -23,6 +23,9 @@
 {mapping, "auth_http.connection_timeout", "rabbitmq_auth_backend_http.connection_timeout",
     [{datatype, integer}]}.
 
+{mapping, "auth_http.authorization_failure_disclosure", "rabbitmq_auth_backend_http.authorization_failure_disclosure", [
+    {datatype, {enum, [true, false]}}]}.
+
 %% TLS options
 
 {mapping, "auth_http.ssl_options", "rabbitmq_auth_backend_http.ssl_options", [

deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl

@@ -25,6 +25,8 @@
 
 -define(SUCCESSFUL_RESPONSE_CODES, [200, 201]).
 
+-define(APP, rabbitmq_auth_backend_http).
+
 %%--------------------------------------------------------------------
 
 description() ->
@@ -37,7 +39,7 @@ user_login_authentication(Username, AuthProps) ->
     Path = p(user_path),
     Query = q([{username, Username}] ++ extract_other_credentials(AuthProps)),
     case http_req(Path, Query) of
-        {error, _} = Err  ->
+        {error, _} = Err ->
             Err;
         "deny " ++ Reason ->
             ?LOG_INFO("HTTP authentication denied for user '~ts': ~ts",
@@ -53,7 +55,9 @@ user_login_authentication(Username, AuthProps) ->
                     {ok, #auth_user{
                             username = Username,
                             tags = Tags,
-                            impl = fun() -> proplists:delete(username, AuthProps) end}}
+                            impl = fun() -> proplists:delete(username, AuthProps) end}};
+                Other ->
+                    {error, {bad_response, Other}}
             end
     end.
 
@@ -120,34 +124,34 @@ check_vhost_access(#auth_user{username = Username, tags = Tags}, VHost,
 
 do_check_vhost_access(Username, Tags, VHost, Ip, AuthzData) ->
     OptionsParameters = context_as_parameters(AuthzData),
-    bool_req(vhost_path, [{username, Username},
-                          {vhost,    VHost},
-                          {ip,       Ip},
-                          {tags,     join_tags(Tags)}] ++ OptionsParameters).
+    req(vhost_path, [{username, Username},
+                     {vhost,    VHost},
+                     {ip,       Ip},
+                     {tags,     join_tags(Tags)}] ++ OptionsParameters).
 
 check_resource_access(#auth_user{username = Username, tags = Tags},
                       #resource{virtual_host = VHost, kind = Type, name = Name},
                       Permission,
                       AuthzContext) ->
     OptionsParameters = context_as_parameters(AuthzContext),
-    bool_req(resource_path, [{username,   Username},
-                             {vhost,      VHost},
-                             {resource,   Type},
-                             {name,       Name},
-                             {permission, Permission},
-                             {tags, join_tags(Tags)}] ++ OptionsParameters).
+    req(resource_path, [{username,   Username},
+                        {vhost,      VHost},
+                        {resource,   Type},
+                        {name,       Name},
+                        {permission, Permission},
+                        {tags, join_tags(Tags)}] ++ OptionsParameters).
 
 check_topic_access(#auth_user{username = Username, tags = Tags},
                    #resource{virtual_host = VHost, kind = topic = Type, name = Name},
                    Permission,
                    Context) ->
     OptionsParameters = context_as_parameters(Context),
-    bool_req(topic_path, [{username,   Username},
-        {vhost,      VHost},
-        {resource,   Type},
-        {name,       Name},
-        {permission, Permission},
-        {tags, join_tags(Tags)}] ++ OptionsParameters).
+    req(topic_path, [{username,   Username},
+                     {vhost,      VHost},
+                     {resource,   Type},
+                     {name,       Name},
+                     {permission, Permission},
+                     {tags, join_tags(Tags)}] ++ OptionsParameters).
 
 expiry_timestamp(_) -> never.
 
@@ -163,16 +167,21 @@ context_as_parameters(Options) when is_map(Options) ->
 context_as_parameters(_) ->
     [].
 
-bool_req(PathName, Props) ->
+req(PathName, Props) ->
     Path = p(PathName),
     Query = q(Props),
     case http_req(Path, Query) of
         {error, _} = Err ->
             Err;
         "deny " ++ Reason ->
-            ?LOG_INFO("HTTP authorisation denied for path ~ts with query ~ts: ~ts",
+            ?LOG_INFO("HTTP authorization denied for path ~ts with query '~ts': ~ts",
                       [Path, Query, Reason]),
-            false;
+            case application:get_env(?APP, authorization_failure_disclosure) of
+                {ok, true} ->
+                    {false, Reason};
+                _ ->
+                    false
+            end;
         Body ->
             case string:lowercase(Body) of
                 "deny" ->
@@ -201,7 +210,7 @@ do_http_req(Path0, Query) ->
     {host, Host} = lists:keyfind(host, 1, URI),
     {port, Port} = lists:keyfind(port, 1, URI),
     HostHdr = rabbit_misc:format("~ts:~b", [Host, Port]),
-    {ok, Method} = application:get_env(rabbitmq_auth_backend_http, http_method),
+    {ok, Method} = application:get_env(?APP, http_method),
     Request = case rabbit_data_coercion:to_atom(Method) of
         get  ->
             Path = Path0 ++ "?" ++ Query,
@@ -212,21 +221,22 @@ do_http_req(Path0, Query) ->
             {Path0, [{"Host", HostHdr}], "application/x-www-form-urlencoded", Query}
     end,
     RequestTimeout =
-        case application:get_env(rabbitmq_auth_backend_http, request_timeout) of
+        case application:get_env(?APP, request_timeout) of
             {ok, Val1} -> Val1;
             _ -> infinity
         end,
     ConnectionTimeout =
-        case application:get_env(rabbitmq_auth_backend_http, connection_timeout) of
+        case application:get_env(?APP, connection_timeout) of
             {ok, Val2} -> Val2;
             _ -> RequestTimeout
         end,
     ?LOG_DEBUG("auth_backend_http: request timeout: ~tp, connection timeout: ~tp", [RequestTimeout, ConnectionTimeout]),
     HttpOpts = [{timeout, RequestTimeout},
                 {connect_timeout, ConnectionTimeout}] ++ ssl_options(),
-    case httpc:request(Method, Request, HttpOpts, []) of
-        {ok, {{_HTTP, Code, _}, _Headers, Body}} ->
-            ?LOG_DEBUG("auth_backend_http: response code is ~tp, body: ~tp", [Code, Body]),
+    case httpc:request(Method, Request, HttpOpts, [{body_format, binary}]) of
+        {ok, {{_HTTP, Code, _}, _Headers, BodyBin}} ->
+            Body = unicode:characters_to_list(BodyBin),
+            ?LOG_DEBUG("auth_backend_http: response code is ~tp, body: '~ts'", [Code, Body]),
             case lists:member(Code, ?SUCCESSFUL_RESPONSE_CODES) of
                 true ->
                     string:strip(Body);
@@ -238,10 +248,10 @@ do_http_req(Path0, Query) ->
     end.
 
 ssl_options() ->
-    case application:get_env(rabbitmq_auth_backend_http, ssl_options) of
+    case application:get_env(?APP, ssl_options) of
         {ok, Opts0} when is_list(Opts0) ->
             Opts1 = [{ssl, rabbit_ssl_options:fix_client(Opts0)}],
-            case application:get_env(rabbitmq_auth_backend_http, ssl_hostname_verification) of
+            case application:get_env(?APP, ssl_hostname_verification) of
                 {ok, wildcard} ->
                     ?LOG_DEBUG("Enabling wildcard-aware hostname verification for HTTP client connections"),
                     %% Needed for HTTPS connections that connect to servers that use wildcard certificates.
@@ -254,7 +264,7 @@ ssl_options() ->
     end.
 
 p(PathName) ->
-    {ok, Path} = application:get_env(rabbitmq_auth_backend_http, PathName),
+    {ok, Path} = application:get_env(?APP, PathName),
     Path.
 
 q(Args) ->