authorSimon MacMullen <simon@rabbitmq.com>2014-02-18 12:49:00 +0000
committerSimon MacMullen <simon@rabbitmq.com>2014-02-18 12:49:00 +0000
commit77cd6ab1514d1a4cc2891c9fa99cc7ca65d156f9 (patch)
tree97155ab0110c5c546081808a630c3ad78dbbc4b6
parent33456dd1890cfc64c3a21f76a5356c5b81b9b394 (diff)
downloadrabbitmq-server-git-77cd6ab1514d1a4cc2891c9fa99cc7ca65d156f9.tar.gz
Allow checking an IP address as well as a socket.
-rw-r--r--src/rabbit_access_control.erl9
-rw-r--r--src/rabbit_net.erl15
-rw-r--r--src/rabbit_reader.erl2
3 files changed, 13 insertions, 13 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 3ea10e86d0..4bb1aed167 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -18,7 +18,7 @@
-include("rabbit.hrl").
--export([check_user_pass_login/2, check_user_login/2, check_user_socket/2,
+-export([check_user_pass_login/2, check_user_login/2, check_user_loopback/2,
check_vhost_access/2, check_resource_access/3]).
%%----------------------------------------------------------------------------
@@ -35,7 +35,8 @@
-spec(check_user_login/2 ::
(rabbit_types:username(), [{atom(), any()}])
-> {'ok', rabbit_types:user()} | {'refused', string(), [any()]}).
--spec(check_user_socket/2 :: (rabbit_types:username(), rabbit_net:socket())
+-spec(check_user_loopback/2 :: (rabbit_types:username(),
+ rabbit_net:socket() | inet:ip_address())
-> 'ok' | 'not_allowed').
-spec(check_vhost_access/2 ::
(rabbit_types:user(), rabbit_types:vhost())
@@ -79,9 +80,9 @@ try_login(Module, Username, AuthProps) ->
Else -> Else
end.
-check_user_socket(Username, Sock) ->
+check_user_loopback(Username, SockOrAddr) ->
{ok, Users} = application:get_env(rabbit, loopback_users),
- case rabbit_net:is_loopback(Sock)
+ case rabbit_net:is_loopback(SockOrAddr)
orelse not lists:member(Username, Users) of
true -> ok;
false -> not_allowed
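Review bot: `check_user_loopback/2` now decides on whatever `SockOrAddr` the caller hands it, so when a bare address rather than a socket is supplied the loopback_users restriction is only as trustworthy as that address's origin — it has to be the address the transport reports for the connection (as `rabbit_net:is_loopback/1` obtains it from a socket), not a value the remote peer can influence — and the clause carries no comment saying so. Suggest above the clause: `%% SockOrAddr is a rabbit_net:socket() or an inet:ip_address(). A caller passing an address vouches that it was taken from the transport (sockname/peername), not reported by the client; the loopback_users restriction is only meaningful on that basis.` The function's closing `end.` lies outside the hunk.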
diff --git a/src/rabbit_net.erl b/src/rabbit_net.erl
index 5eda022698..c2b2968401 100644
--- a/src/rabbit_net.erl
+++ b/src/rabbit_net.erl
@@ -231,17 +231,16 @@ rdns(Addr) ->
sock_funs(inbound) -> {fun peername/1, fun sockname/1};
sock_funs(outbound) -> {fun sockname/1, fun peername/1}.
-is_loopback(Sock) ->
+is_loopback(Sock) when is_port(Sock) ; ?IS_SSL(Sock) ->
case sockname(Sock) of
- {ok, {Addr, _Port}} -> is_loopback_addr(Addr);
+ {ok, {Addr, _Port}} -> is_loopback(Addr);
{error, _} -> false
- end.
-
+ end;
%% We could parse the results of inet:getifaddrs() instead. But that
%% would be more complex and less maybe Windows-compatible...
-is_loopback_addr({127,_,_,_}) -> true;
-is_loopback_addr({0,0,0,0,0,0,0,1}) -> true;
-is_loopback_addr({0,0,0,0,0,65535,AB,CD}) -> is_loopback_addr(ipv4(AB, CD));
-is_loopback_addr(_) -> false.
+is_loopback({127,_,_,_}) -> true;
+is_loopback({0,0,0,0,0,0,0,1}) -> true;
+is_loopback({0,0,0,0,0,65535,AB,CD}) -> is_loopback(ipv4(AB, CD));
+is_loopback(_) -> false.
ipv4(AB, CD) -> {AB bsr 8, AB band 255, CD bsr 8, CD band 255}.
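Review bot: The merged `is_loopback/1` now ends in the catch-all `is_loopback(_) -> false.` that covers both argument domains, so a term that is neither a port, an `?IS_SSL` socket nor a recognised address tuple silently yields `false` where the socket-only version would have failed in `sockname/1`; that is the restrictive answer for callers gating access, but it should be stated rather than left implicit. Suggest a comment above the first clause: `%% Accepts a socket (its local address is checked) or an inet:ip_address(). Anything unrecognised, including a sockname/1 failure, is reported as not loopback, which is the safe (restrictive) answer for the loopback_users check.` Per the diffstat this hunk is the whole change to rabbit_net.erl, so if the module declares a -spec for is_loopback/1 it still names only the socket type and should be widened to `socket() | inet:ip_address()`, matching the spec updated in rabbit_access_control.erl.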
diff --git a/src/rabbit_reader.erl b/src/rabbit_reader.erl
index 786403e12e..49bed8fe21 100644
--- a/src/rabbit_reader.erl
+++ b/src/rabbit_reader.erl
@@ -1025,7 +1025,7 @@ auth_phase(Response,
State#v1{connection = Connection#connection{
auth_state = AuthState1}};
{ok, User = #user{username = Username}} ->
- case rabbit_access_control:check_user_socket(Username, Sock) of
+ case rabbit_access_control:check_user_loopback(Username, Sock) of
ok -> ok;
not_allowed -> auth_fail("user '~s' can only connect via "
"localhost", [Username], Name, State)