From 3fa449ae970bc281d4bce531ae779fc525dba8a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?=
Date: Mon, 7 Apr 2025 15:59:13 +0200
Subject: [PATCH 1/2] Add new option require_auth_for_api_desc_page to mgmt
This allows restricting access to the /api/index.html and the /cli/index.html page to authenticated users should the user really want to. This can be enabled via advanced.config.
(cherry picked from commit 400e8006e540b33fba67e072c70907de5488a252)
(cherry picked from commit 95c2ba756c3a03330a630e2c7d2dbc20c0440bf3)
---
 deps/rabbitmq_management/Makefile | 3 ++-
 .../src/rabbit_mgmt_wm_static.erl | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/deps/rabbitmq_management/Makefile b/deps/rabbitmq_management/Makefile
index 0ee5dff47b03..c3520d8a7e2e 100644
--- a/deps/rabbitmq_management/Makefile
+++ b/deps/rabbitmq_management/Makefile
@@ -14,7 +14,8 @@ define PROJECT_ENV
 {cors_max_age, 1800},
 {content_security_policy, "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"},
 {max_http_body_size, 10000000},
- {delegate_count, 5}
+ {delegate_count, 5},
+ {require_auth_for_api_desc_page, false}
 ]
 endef
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
index 6cd5341729e8..0ce03079c5b5 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
@@ -11,9 +11,11 @@
 -module(rabbit_mgmt_wm_static).
 -include_lib("kernel/include/file.hrl").
+-include_lib("rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl").
 -export([init/2]).
 -export([malformed_request/2]).
+-export([is_authorized/2]).
 -export([forbidden/2]).
 -export([content_types_provided/2]).
 -export([resource_exists/2]).
@@ -46,6 +48,21 @@ do_init(Req, App, Path) ->
 malformed_request(Req, State) ->
 cowboy_static:malformed_request(Req, State).
+is_authorized(Req0=#{path := Path}, State)
+ when Path =:= <<"/api/index.html">>; Path =:= <<"/cli/index.html">> ->
+ case application:get_env(rabbitmq_management, require_auth_for_api_desc_page) of
+ {ok, true} ->
+ %% We temporarily use #context{} here to make authorization work,
+ %% and discard it immediately after since we only want to check
+ %% whether the user authenticates successfully.
+ {Res, Req, _} = rabbit_mgmt_util:is_authorized(Req0, #context{}),
+ {Res, Req, State};
+ _ ->
+ {true, Req0, State}
+ end;
+is_authorized(Req, State) ->
+ {true, Req, State}.
+
 forbidden(Req, State) ->
 cowboy_static:forbidden(Req, State).
From c0f31a6985f6d9ea188b8ada7a4e7ee9fae6734d Mon Sep 17 00:00:00 2001
From: Michael Klishin
Date: Wed, 9 Apr 2025 02:02:47 -0400
Subject: [PATCH 2/2] rabbitmq.conf schema and tests for #13698
(cherry picked from commit 20188a770e3156a6ea902e0aaaac9b3ea1c452ee)
(cherry picked from commit 98d44459a64c295ad4fef8a5684599fa2b9e62d1)
---
 deps/rabbitmq_management/Makefile | 2 +-
 .../priv/schema/rabbitmq_management.schema | 7 ++++
 .../src/rabbit_mgmt_wm_static.erl | 2 +-
 .../rabbitmq_management.snippets | 42 +++++++++++++++++++
 4 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/deps/rabbitmq_management/Makefile b/deps/rabbitmq_management/Makefile
index c3520d8a7e2e..1aad4366fc06 100644
--- a/deps/rabbitmq_management/Makefile
+++ b/deps/rabbitmq_management/Makefile
@@ -15,7 +15,7 @@ define PROJECT_ENV
 {content_security_policy, "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"},
 {max_http_body_size, 10000000},
 {delegate_count, 5},
- {require_auth_for_api_desc_page, false}
+ {require_auth_for_api_reference, false}
 ]
 endef
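Review bot: The guard on the first `is_authorized/2` clause compares the raw request `path` byte-for-byte against `/api/index.html` and `/cli/index.html`, so any other spelling of the same URL that this handler still resolves to the same file (a percent-encoded segment such as `/api/%69ndex.html`, a doubled slash, `/api/./index.html`) falls through to the catch-all clause and is served without authentication; whether such a request reaches this module depends on the dispatcher route and on what cowboy_static normalises, neither of which is visible here. Deriving the decision from the value the static handler actually uses to pick the file (the state built by `do_init`, whose body lies outside this hunk, or `cowboy_req:path_info/1` on a `[...]` route) rather than the raw path would close that gap. The `_ ->` branch also fails open: a mistyped or non-boolean value in advanced.config, e.g. `{ok, <<"true">>}`, silently leaves the pages public, so matching the known values explicitly, `{ok, false} -> {true, Req0, State};` and `undefined -> {true, Req0, State}`, and letting anything else crash at request time would be the safer shape. Since `rabbit_mgmt_util:is_authorized/2` is used here only to verify credentials, as the comment says, the option's documentation should state that no management tag or permission is required, so operators do not assume more than the code checks.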
diff --git a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
index 1ed048afe3c2..f14bd65a447a 100644
--- a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+++ b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@@ -655,3 +655,10 @@ end}.
 {datatype, {enum, [true, false]}},
 {include_default, false}
 ]}.
+
+%% Require authentication for the HTTP API reference page.
+
+{mapping, "management.require_auth_for_api_reference", "rabbitmq_management.require_auth_for_api_reference", [
+ {datatype, {enum, [true, false]}},
+ {include_default, false}
+]}.
\ No newline at end of file
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
index 0ce03079c5b5..4a424df0d8a7 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl
@@ -50,7 +50,7 @@ malformed_request(Req, State) ->
 is_authorized(Req0=#{path := Path}, State)
 when Path =:= <<"/api/index.html">>; Path =:= <<"/cli/index.html">> ->
- case application:get_env(rabbitmq_management, require_auth_for_api_desc_page) of
+ case application:get_env(rabbitmq_management, require_auth_for_api_reference) of
 {ok, true} ->
 %% We temporarily use #context{} here to make authorization work,
 %% and discard it immediately after since we only want to check
diff --git a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
index d26639620bb8..9607a65ff8fc 100644
--- a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
+++ b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
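Review bot: The new schema comment `%% Require authentication for the HTTP API reference page.` understates what the option does: the clause in rabbit_mgmt_wm_static.erl that reads it gates both `/api/index.html` and `/cli/index.html`, so the comment should read `%% Require authentication for the HTTP API reference (/api/index.html) and CLI reference (/cli/index.html) pages.` It would also help operators to add that only successful authentication is required, not any management tag, since that is all the handler checks per its own comment. Separately, the hunk ends with `\ No newline at end of file`; adding the trailing newline after the closing `]}.` keeps the schema file consistent with the rest of the repository.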
@@ -497,6 +497,48 @@
 ], [rabbitmq_management]
 },
+ %%
+ %% Restrictions
+ %%
+
+ {restrictions_quorum_queue_replica_operations_disabled_case1,
+ "management.restrictions.quorum_queue_replica_operations.disabled = true",
+ [
+ {rabbitmq_management, [
+ {restrictions, [
+ {quorum_queue_replica_operations, [
+ {disabled, true}
+ ]}
+ ]}
+ ]}
+ ], [rabbitmq_management]
+ },
+
+ {restrictions_operator_policy_changes_disabled_case1,
+ "management.restrictions.operator_policy_changes.disabled = true",
+ [
+ {rabbitmq_management, [
+ {restrictions, [
+ {operator_policy_changes, [
+ {disabled, true}
+ ]}
+ ]}
+ ]}
+ ], [rabbitmq_management]
+ },
+
+ %%
+ %% Exotic options
+ %%
+
+ {auth_for_http_api_reference_case1,
+ "management.require_auth_for_api_reference = true",
+ [
+ {rabbitmq_management, [
+ {require_auth_for_api_reference, true}
+ ]}
+ ], [rabbitmq_management]
+ },
 %%
 %% Legacy listener configuration