| author | Luke Bakken <lbakken@pivotal.io> | 2019-03-22 13:07:07 -0700 |
|---|---|---|
| committer | Luke Bakken <lbakken@pivotal.io> | 2019-03-22 13:07:07 -0700 |
| commit | cb9055f692a34f3a5c3a3399b0bf01bc789f6072 (patch) | |
| tree | ac161b9335575334292be0a62ea6dc7587732ed2 | |
| parent | 700a3585f2d442a2963f14fe5ea00ec5502efd52 (diff) | |
| download | rabbitmq-server-git-cb9055f692a34f3a5c3a3399b0bf01bc789f6072.tar.gz | |
Finish converting check_vhost_access/3 to new API
| -rw-r--r-- | src/rabbit_access_control.erl | 21 | ||||
| -rw-r--r-- | src/rabbit_auth_backend_internal.erl | 2 | ||||
| -rw-r--r-- | src/rabbit_direct.erl | 4 | ||||
| -rw-r--r-- | src/rabbit_reader.erl | 2 |
4 files changed, 21 insertions, 8 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 1c8c50c0d3..905fa094b4 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -125,20 +125,33 @@ check_user_loopback(Username, SockOrAddr) ->
 false -> not_allowed
 end.
 
+get_authz_data_from({ip, Address}) ->
+ case inet:ntoa(Address) of
+ {error, einval} ->
+ undefined;
+ AddressStr ->
+ #{peeraddr => AddressStr}
+ end;
+get_authz_data_from({socket, Sock}) ->
+ {ok, {Address, _Port}} = rabbit_net:peername(Sock),
+ get_authz_data_from({ip, Address});
+get_authz_data_from(undefined) ->
+ undefined.
+
 -spec check_vhost_access(User :: rabbit_types:user(),
 VHostPath :: rabbit_types:vhost(),
- Sock :: rabbit_net:socket() | #authz_socket_info{} | undefined) ->
+ AuthzRawData :: {socket, rabbit_net:socket()} | {ip, inet:ip_address()} | undefined) ->
 'ok' | rabbit_types:channel_exit().
 check_vhost_access(User = #user{username = Username,
- authz_backends = Modules}, VHostPath, Sock) ->
- AuthData =
+ authz_backends = Modules}, VHostPath, AuthzRawData) ->
+ AuthzData = get_authz_data_from(AuthzRawData),
 lists:foldl(
 fun({Mod, Impl}, ok) ->
 check_access(
 fun() ->
 rabbit_vhost:exists(VHostPath) andalso
 Mod:check_vhost_access(
- auth_user(User, Impl), VHostPath, AuthData)
+ auth_user(User, Impl), VHostPath, AuthzData)
 end, Mod, "access to vhost '~s' refused for user '~s'",
 [VHostPath, Username], not_allowed);
diff --git a/src/rabbit_auth_backend_internal.erl b/src/rabbit_auth_backend_internal.erl
index 417f0d6374..2f8e85f0f3 100644
--- a/src/rabbit_auth_backend_internal.erl
+++ b/src/rabbit_auth_backend_internal.erl
@@ -113,7 +113,7 @@ internal_check_user_login(Username, Fun) ->
 Refused
 end.
 
-check_vhost_access(#auth_user{username = Username}, VHostPath, _Sock) ->
+check_vhost_access(#auth_user{username = Username}, VHostPath, _AuthzData) ->
 case mnesia:dirty_read({rabbit_user_permission,
 #user_vhost{username = Username,
 virtual_host = VHostPath}}) of 
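Review bot: `get_authz_data_from/1` folds two different situations into the same `undefined` result: no peer data supplied at all, and an address that `inet:ntoa/1` rejects with `{error, einval}` (which, as far as I recall, it returns for any non-address term, so a stray `undefined` or other junk inside `{ip, _}` lands there too). A backend that decides on `peeraddr` therefore cannot tell "peer unknown" from "no peer restriction applies", and nothing documents that contract; a `-spec get_authz_data_from({socket, rabbit_net:socket()} | {ip, inet:ip_address()} | undefined) -> #{peeraddr => string()} | undefined.` plus a comment such as `%% Absent or unparseable peer address yields 'undefined'; backends must treat it as "peer unknown", never as a match.` would make it explicit. The `{socket, Sock}` clause also asserts `{ok, {Address, _Port}}` on `rabbit_net:peername/1`, so a peer that has already gone away crashes the caller with a badmatch instead of a refusal — acceptable under let-it-crash, but worth naming in that comment since this runs on the connection.open path. The enclosing `check_vhost_access/3` body continues past the end of the hunk.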
diff --git a/src/rabbit_direct.erl b/src/rabbit_direct.erl
index 4a57c08a9d..d928b7df1a 100644
--- a/src/rabbit_direct.erl
+++ b/src/rabbit_direct.erl
@@ -182,8 +182,8 @@ notify_auth_result(Username, AuthResult, ExtraProps) ->
 rabbit_event:notify(AuthResult, [P || {_, V} = P <- EventProps, V =/= '']).
 
 connect1(User, VHost, Protocol, Pid, Infos) ->
- AuthzData = #{peeraddr := proplists:get_value(peer_host, Infos)},
- try rabbit_access_control:check_vhost_access(User, VHost, AuthzData) of
+ PeerHost = proplists:get_value(peer_host, Infos),
+ try rabbit_access_control:check_vhost_access(User, VHost, {ip, PeerHost}) of
 ok -> ok = pg_local:join(rabbit_direct, Pid),
 rabbit_core_metrics:connection_created(Pid, Infos),
 rabbit_event:notify(connection_created, Infos),
diff --git a/src/rabbit_reader.erl b/src/rabbit_reader.erl
index 4aea1495a4..aa26cf5482 100644
--- a/src/rabbit_reader.erl
+++ b/src/rabbit_reader.erl
@@ -1229,7 +1229,7 @@ handle_method0(#'connection.open'{virtual_host = VHost},
 throttle = Throttle}) ->
 ok = is_over_connection_limit(VHost, User),
- ok = rabbit_access_control:check_vhost_access(User, VHost, Sock),
+ ok = rabbit_access_control:check_vhost_access(User, VHost, {socket, Sock}),
 ok = is_vhost_alive(VHost, User),
 NewConnection = Connection#connection{vhost = VHost},
 ok = send_on_channel0(Sock, #'connection.open_ok'{}, Protocol),
 |
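Review bot: `PeerHost = proplists:get_value(peer_host, Infos)` is `undefined` whenever the caller's `Infos` carries no `peer_host`, so the new call passes `{ip, undefined}`, a value the `-spec` this commit adds to `check_vhost_access/3` does not admit (`{ip, inet:ip_address()}`); it only works because `inet:ntoa/1` rejects the non-address and that branch is mapped to `undefined`. Making the absence explicit at the call site keeps the spec honest and lets Dialyzer check the boundary: `AuthzRawData = case proplists:get_value(peer_host, Infos) of undefined -> undefined; PeerHost -> {ip, PeerHost} end,` and pass `AuthzRawData` to `check_vhost_access/3`. `connect1/5` continues past the end of the hunk.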
