Move credential validators into rabbitmq-server

Also introduces `rabbit_credential_validator_min_length` with
basic tests.

4 files changed, 141 insertions, 1 deletions

diff --git a/src/rabbit_credential_validator.erl b/src/rabbit_credential_validator.erl
new file mode 100644
index 0000000000..3fb5c481cc
--- /dev/null
+++ b/src/rabbit_credential_validator.erl
@@ -0,0 +1,28 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_credential_validator).
+
+-include("rabbit.hrl").
+
+%% Validates a password. Used by `rabbit_auth_backend_internal`.
+%%
+%% Possible return values:
+%%
+%% * ok: provided password passed validation.
+%% * {error, Error, Args}: provided password password failed validation.
+
+-callback validate_password(rabbit_types:password()) -> 'ok' | {'error', string(), [any()]}.
diff --git a/src/rabbit_credential_validator_accept_everything.erl b/src/rabbit_credential_validator_accept_everything.erl
new file mode 100644
index 0000000000..e43e898416
--- /dev/null
+++ b/src/rabbit_credential_validator_accept_everything.erl
@@ -0,0 +1,32 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_credential_validator_accept_everything).
+
+-include("rabbit.hrl").
+
+-behaviour(rabbit_credential_validator).
+
+%%
+%% API
+%%
+
+-export([validate_password/1]).
+
+-spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string(), [any()]}.
+
+validate_password(_Password) ->
+    ok.
diff --git a/src/rabbit_credential_validator_min_length.erl b/src/rabbit_credential_validator_min_length.erl
new file mode 100644
index 0000000000..d4bb36778d
--- /dev/null
+++ b/src/rabbit_credential_validator_min_length.erl
@@ -0,0 +1,56 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_credential_validator_min_length).
+
+-include("rabbit.hrl").
+
+-behaviour(rabbit_credential_validator).
+
+%% accommodates default (localhost-only) user credentials,
+%% guest/guest
+-define(DEFAULT_MIN_LENGTH, 5).
+
+%%
+%% API
+%%
+
+-export([validate_password/1]).
+%% for tests
+-export([validate_password/2]).
+
+-spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string(), [any()]}.
+
+validate_password(Password) ->
+    MinLength = case application:get_env(rabbit, credential_validator) of
+                    undefined -> 
+                        ?DEFAULT_MIN_LENGTH;
+                    Proplist  ->
+                        case proplists:get_value(min_length, Proplist) of
+                            undefined -> ?DEFAULT_MIN_LENGTH;
+                            Value     -> rabbit_data_coercion:to_integer(Value)
+                        end
+                end,
+    validate_password(Password, MinLength).
+
+
+-spec validate_password(rabbit_types:password(), integer()) -> 'ok' | {'error', string(), [any()]}.
+
+validate_password(Password, MinLength) ->
+    case size(Password) >= MinLength of
+        true  -> ok;
+        false -> {error, rabbit_misc:format("minimum required password length is ~B", [MinLength])}
+    end.
diff --git a/test/credential_validation_SUITE.erl b/test/credential_validation_SUITE.erl
index 44192a2e3c..4d7a9ddd8e 100644
--- a/test/credential_validation_SUITE.erl
+++ b/test/credential_validation_SUITE.erl
@@ -22,7 +22,9 @@
 
 all() ->
     [
-     basic_unconditionally_accepting_succeeds
+     basic_unconditionally_accepting_succeeds,
+     min_length_fails,
+     min_length_succeeds
     ].
 
 init_per_testcase(_, Config) ->
@@ -51,3 +53,25 @@ basic_unconditionally_accepting_succeeds(_Config) ->
     ?assertEqual(ok, F(Pwd5)),
     Pwd6 = crypto:strong_rand_bytes(1000),
     ?assertEqual(ok, F(Pwd6)).
+
+min_length_fails(_Config) ->
+    F = fun rabbit_credential_validator_min_length:validate_password/2,
+
+    Pwd1 = crypto:strong_rand_bytes(1),
+    ?assertMatch({error, _}, F(Pwd1, 5)),
+    Pwd2 = crypto:strong_rand_bytes(5),
+    ?assertMatch({error, _}, F(Pwd2, 6)),
+    Pwd3 = crypto:strong_rand_bytes(10),
+    ?assertMatch({error, _}, F(Pwd3, 15)),
+    Pwd4 = crypto:strong_rand_bytes(50),
+    ?assertMatch({error, _}, F(Pwd4, 60)).
+
+min_length_succeeds(_Config) ->
+    F = fun rabbit_credential_validator_min_length:validate_password/2,
+
+    ?assertEqual(ok, F(crypto:strong_rand_bytes(1), 1)),
+    ?assertEqual(ok, F(crypto:strong_rand_bytes(6), 6)),
+    ?assertEqual(ok, F(crypto:strong_rand_bytes(7), 6)),
+    ?assertEqual(ok, F(crypto:strong_rand_bytes(20), 20)),
+    ?assertEqual(ok, F(crypto:strong_rand_bytes(40), 30)),
+    ?assertEqual(ok, F(crypto:strong_rand_bytes(50), 50)).