authorArnaud Cogoluègnes <acogoluegnes@gmail.com>2017-01-19 14:56:47 +0100
committerArnaud Cogoluègnes <acogoluegnes@gmail.com>2017-01-19 14:56:47 +0100
commit1ae0e83f74afec21246af3542978388442d7c248 (patch)
tree62400079b3a67fdc1a30a121a3d6a9ddf0768aae
parent66a44fa157f2ab3f68e9894f13a0f4eb4ff71b80 (diff)
downloadrabbitmq-server-git-1ae0e83f74afec21246af3542978388442d7c248.tar.gz
Add topic authorisation for consumption
Fixes #1085
-rw-r--r--src/rabbit_table.erl2
-rw-r--r--src/rabbit_upgrade_functions.erl2
-rw-r--r--test/topic_permission_SUITE.erl45
3 files changed, 25 insertions, 24 deletions
diff --git a/src/rabbit_table.erl b/src/rabbit_table.erl
index 040075ea87..56a9c2b578 100644
--- a/src/rabbit_table.erl
+++ b/src/rabbit_table.erl
@@ -280,7 +280,7 @@ definitions() ->
{attributes, record_info(fields, topic_permission)},
{disc_copies, [node()]},
{match, #topic_permission{topic_permission_key = #topic_permission_key{_='_'},
- pattern = '_',
+ permission = #permission{_='_'},
_='_'}}]},
{rabbit_vhost,
[{record_name, vhost},
diff --git a/src/rabbit_upgrade_functions.erl b/src/rabbit_upgrade_functions.erl
index c2a1e49b32..178db3e3e3 100644
--- a/src/rabbit_upgrade_functions.erl
+++ b/src/rabbit_upgrade_functions.erl
@@ -568,7 +568,7 @@ user_password_hashing() ->
topic_permission() ->
create(rabbit_topic_permission,
[{record_name, topic_permission},
- {attributes, [topic_permission_key, pattern]},
+ {attributes, [topic_permission_key, permission]},
{disc_copies, [node()]}]).
%%--------------------------------------------------------------------
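Review bot: Changing the attribute list of the existing `topic_permission/0` upgrade step in place leaves any node that already ran the previous version of this step with a `rabbit_topic_permission` table whose attributes (`[topic_permission_key, pattern]`) no longer match the `#topic_permission{}` record, so access to that table would likely fail or return tuples that do not match the record instead of being migrated. That is acceptable only if the earlier version of the step was never part of a release, which this diff does not show. If it did ship, the convention elsewhere in this module is a new `-rabbit_upgrade` step that calls `transform/3` on the table to rename `pattern` to `permission` and wrap the old pattern in a `#permission{}`. Either way a one-line comment above the step, such as `%% Layout changed before the feature was released; edited in place instead of adding a transform step`, would record the decision for the next person who touches it.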
diff --git a/test/topic_permission_SUITE.erl b/test/topic_permission_SUITE.erl
index b7d65e6d0c..0ae44bc69b 100644
--- a/test/topic_permission_SUITE.erl
+++ b/test/topic_permission_SUITE.erl
@@ -76,7 +76,7 @@ topic_permission_database_access1(_Config) ->
rabbit_auth_backend_internal:add_user(<<"dummy">>, <<"dummy">>),
rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"/">>, <<"amq.topic">>, "^a"
+ <<"guest">>, <<"/">>, <<"amq.topic">>, "^a", "^a"
),
1 = length(ets:tab2list(rabbit_topic_permission)),
1 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
@@ -88,7 +88,7 @@ topic_permission_database_access1(_Config) ->
1 = length(rabbit_auth_backend_internal:list_topic_permissions()),
rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"other-vhost">>, <<"amq.topic">>, ".*"
+ <<"guest">>, <<"other-vhost">>, <<"amq.topic">>, ".*", ".*"
),
2 = length(ets:tab2list(rabbit_topic_permission)),
2 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
@@ -100,10 +100,10 @@ topic_permission_database_access1(_Config) ->
2 = length(rabbit_auth_backend_internal:list_topic_permissions()),
rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"/">>, <<"topic1">>, "^a"
+ <<"guest">>, <<"/">>, <<"topic1">>, "^a", "^a"
),
rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"/">>, <<"topic2">>, "^a"
+ <<"guest">>, <<"/">>, <<"topic2">>, "^a", "^a"
),
4 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
@@ -121,15 +121,15 @@ topic_permission_database_access1(_Config) ->
{error, {no_such_user, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
- <<"non-existing-user">>, <<"other-vhost">>, <<"amq.topic">>, ".*"
+ <<"non-existing-user">>, <<"other-vhost">>, <<"amq.topic">>, ".*", ".*"
)),
{error, {no_such_vhost, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"non-existing-vhost">>, <<"amq.topic">>, ".*"
+ <<"guest">>, <<"non-existing-vhost">>, <<"amq.topic">>, ".*", ".*"
)),
{error, {no_such_user, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
- <<"non-existing-user">>, <<"non-existing-vhost">>, <<"amq.topic">>, ".*"
+ <<"non-existing-user">>, <<"non-existing-vhost">>, <<"amq.topic">>, ".*", ".*"
)),
{error, {no_such_user, _}} = (catch rabbit_auth_backend_internal:list_user_topic_permissions(
@@ -141,7 +141,7 @@ topic_permission_database_access1(_Config) ->
)),
{error, {invalid_regexp, _, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"/">>, <<"amq.topic">>, "["
+ <<"guest">>, <<"/">>, <<"amq.topic">>, "[", "^a"
)),
ok.
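Review bot: The `invalid_regexp` case now pairs the bad write pattern `"["` with a valid read pattern, so it only proves that the write pattern is compiled; an invalid read pattern is never exercised, and a `set_topic_permissions/5` that skipped validation of its new fifth argument would still pass this suite. Add the mirror case directly after it: `{error, {invalid_regexp, _, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(<<"guest">>, <<"/">>, <<"amq.topic">>, "^a", "["))`. A read pattern that is not rejected here would presumably only surface when `check_topic_access/4` tries to match it, which is a worse place for an authorisation rule to fail. The enclosing `topic_permission_database_access1/1` starts outside this hunk.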
@@ -163,7 +163,7 @@ topic_permission_checks1(_Config) ->
rabbit_auth_backend_internal:add_user(<<"dummy">>, <<"dummy">>),
rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"/">>, <<"amq.topic">>, "^a"
+ <<"guest">>, <<"/">>, <<"amq.topic">>, "^a", "^a"
),
1 = length(ets:tab2list(rabbit_topic_permission)),
1 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
@@ -172,7 +172,7 @@ topic_permission_checks1(_Config) ->
0 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"other-vhost">>)),
rabbit_auth_backend_internal:set_topic_permissions(
- <<"guest">>, <<"other-vhost">>, <<"amq.topic">>, ".*"
+ <<"guest">>, <<"other-vhost">>, <<"amq.topic">>, ".*", ".*"
),
2 = length(ets:tab2list(rabbit_topic_permission)),
2 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
@@ -184,34 +184,35 @@ topic_permission_checks1(_Config) ->
Topic = #resource{name = <<"amq.topic">>, virtual_host = <<"/">>,
kind = topic},
Context = #{routing_key => <<"a.b.c">>},
+ Permissions = [write, read],
%% user has access to exchange, routing key matches
- true = rabbit_auth_backend_internal:check_topic_access(
+ [true = rabbit_auth_backend_internal:check_topic_access(
User,
Topic,
- write,
+ Perm,
Context
- ),
+ ) || Perm <- Permissions],
%% user has access to exchange, routing key does not match
- false = rabbit_auth_backend_internal:check_topic_access(
+ [false = rabbit_auth_backend_internal:check_topic_access(
User,
Topic,
- write,
+ Perm,
#{routing_key => <<"x.y.z">>}
- ),
+ ) || Perm <- Permissions],
%% user has access to exchange but not on this vhost
%% let pass when there's no match
- true = rabbit_auth_backend_internal:check_topic_access(
+ [true = rabbit_auth_backend_internal:check_topic_access(
User,
Topic#resource{virtual_host = <<"fancyvhost">>},
- write,
+ Perm,
Context
- ),
+ ) || Perm <- Permissions],
%% user does not have access to exchange
%% let pass when there's no match
- true = rabbit_auth_backend_internal:check_topic_access(
+ [true = rabbit_auth_backend_internal:check_topic_access(
#auth_user{username = <<"dummy">>},
Topic,
- write,
+ Perm,
Context
- ),
+ ) || Perm <- Permissions],
ok. \ No newline at end of file
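Review bot: None of the new `read` assertions can distinguish a read-pattern lookup from a write-pattern lookup, because `topic_permission_checks1` configures `amq.topic` on `/` earlier in the test with identical patterns (`"^a", "^a"`) and every comprehension here expects the same value for both elements of `Permissions`; a `check_topic_access/4` that consulted the write pattern for `read` would pass unchanged. Give the two patterns different values, e.g. `"^a", "^b"`, and add a pair of asymmetric checks such as `true = rabbit_auth_backend_internal:check_topic_access(User, Topic, read, #{routing_key => <<"b.c">>})` together with the matching `false = ...` for `write` on the same routing key. The last two blocks also assert `true` when no topic permission exists for the vhost or the user; that fail-open default is inherited from the existing write check, but since it now also governs consumption, a comment above them stating that an absent topic permission deliberately grants access would make the default explicit to anyone reviewing the authorisation path. The enclosing `topic_permission_checks1/1` starts outside this hunk.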