| author | Simon MacMullen <simon@rabbitmq.com> | 2010-12-06 13:58:01 +0000 |
|---|---|---|
| committer | Simon MacMullen <simon@rabbitmq.com> | 2010-12-06 13:58:01 +0000 |
| commit | fbfe779dc0a6ab797d9bfd0831c25b5a9d045061 (patch) | |
| tree | 6c8583f87afe17ce2c6cfdab88200fbfe1f1ec10 /src | |
| parent | 864428a8b22537fe86a2f4f38f0f258ba68e44bf (diff) | |
| download | rabbitmq-server-git-fbfe779dc0a6ab797d9bfd0831c25b5a9d045061.tar.gz | |
Better diagnostics when authentication fails.
Diffstat (limited to 'src')
| -rw-r--r-- | src/rabbit_access_control.erl | 8 | ||||
| -rw-r--r-- | src/rabbit_auth_mechanism_external.erl | 24 | ||||
| -rw-r--r-- | src/rabbit_reader.erl | 5 |
3 files changed, 23 insertions, 14 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 30bcc9f306..c15a4de9d2 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -109,14 +109,16 @@ user_pass_login(User, Pass) ->
 end.
 check_user_pass_login(Username, Pass) ->
+ Refused = {refused, io_lib:format("user '~s' - invalid credentials",
+ [Username])},
 case lookup_user(Username) of
 {ok, User} ->
 case check_password(Pass, User#user.password_hash) of
- true -> {ok, User};
- _ -> {refused, Username}
+ true -> {ok, User};
+ _ -> Refused
 end;
 {error, not_found} ->
- {refused, Username}
+ Refused
 end.
 internal_lookup_vhost_access(Username, VHostPath) ->
diff --git a/src/rabbit_auth_mechanism_external.erl b/src/rabbit_auth_mechanism_external.erl
index c0531bcca8..b21dd31366 100644
--- a/src/rabbit_auth_mechanism_external.erl
+++ b/src/rabbit_auth_mechanism_external.erl
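Review bot: The single `Refused` binding makes the unknown-user and wrong-password branches of `check_user_pass_login` return an identical text, which is the right call against account enumeration, but nothing says so and a later maintainer could easily "improve" one branch with a more specific message; add `%% Same reason for an unknown user and a bad password, so the reply does not reveal which accounts exist.` above the binding. The two paths still differ in timing, since `check_password` only runs on the `{ok, User}` branch, so only the message text is being equalised here. `Username` is client-supplied and is echoed back inside the reason, which rabbit_reader now passes into the `access_refused` error (see the rabbit_reader hunk below); that is acceptable with `~s`, but it is now part of what an unauthenticated peer sees.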
@@ -62,27 +62,33 @@ init(Sock) ->
 {ok, C} ->
 CN = case rabbit_ssl:peer_cert_subject_item(
 C, ?'id-at-commonName') of
- not_found -> not_found;
+ not_found -> {refused, "no CN found"};
 CN0 -> list_to_binary(CN0)
 end,
 case config_sane() of
 true -> CN;
- false -> not_found
+ false -> {refused, "configuration unsafe"}
 end;
 {error, no_peercert} ->
- not_found;
+ {refused, "no peer certificate"};
 nossl ->
- not_found
+ {refused, "not SSL connection"}
 end,
 #state{username = Username}.
 handle_response(_Response, #state{username = Username}) ->
 case Username of
- not_found -> {refused, "CN not found"};
- _ -> case rabbit_access_control:lookup_user(Username) of
- {ok, User} -> {ok, User};
- {error, not_found} -> {refused, Username}
- end
+ {refused, _} = E ->
+ E;
+ _ ->
+ case rabbit_access_control:lookup_user(Username) of
+ {ok, User} ->
+ {ok, User};
+ {error, not_found} ->
+ %% This is not an information leak as we have to
+ %% have validated a client cert to get this far.
+ {refused, io_lib:format("user '~s' not found", [Username])}
+ end
 end.
 %%--------------------------------------------------------------------------
diff --git a/src/rabbit_reader.erl b/src/rabbit_reader.erl
index 57d82d80d6..bbecdbaaf8 100644
--- a/src/rabbit_reader.erl
+++ b/src/rabbit_reader.erl
@@ -868,9 +868,10 @@ auth_phase(Response, #connection{protocol = Protocol},
 sock = Sock}) ->
 case AuthMechanism:handle_response(Response, AuthState) of
- {refused, Username} ->
+ {refused, Reason} ->
 rabbit_misc:protocol_error(
- access_refused, "login refused for user '~s'", [Username]);
+ access_refused, "~s login refused: ~s",
+ [proplists:get_value(name, AuthMechanism:description()), Reason]);
 {protocol_error, Msg, Args} ->
 rabbit_misc:protocol_error(access_refused, Msg, Args);
 {challenge, Challenge, AuthState1} ->
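Review bot: `#state.username` now holds either a binary user name or a `{refused, Reason}` tuple, so the field name no longer describes its content and `handle_response` has to distinguish the two by matching on the tuple shape; a separate `refused` field in `#state`, or wrapping the good case as `{ok, Username}`, would make the two states explicit to both readers and Dialyzer. The refusal texts built in `init` are sent verbatim to a peer that has not authenticated yet, and `"configuration unsafe"` in particular describes server-side state; the usual choice is a generic reply to the client with the detailed reason written to the server log. `init` begins before this hunk, so the `Username = case rabbit_ssl:peer_cert(Sock) of` head that these clauses belong to is not visible here.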
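Review bot: `Reason` from `{refused, Reason}` is interpolated with `~s`, which accepts atoms, strings, binaries and iolists but nothing else; `AuthMechanism` is a pluggable module, so a mechanism that returns a tuple or other term as the reason will make the formatting inside `rabbit_misc:protocol_error` raise badarg and crash the reader instead of closing the connection with `access_refused`. The `{refused, Reason}` contract (reason must be chardata) should be stated where the mechanism behaviour is defined, which is outside this diff. `proplists:get_value(name, AuthMechanism:description())` prints `undefined` when a mechanism omits the `name` key; `proplists:get_value(name, AuthMechanism:description(), AuthMechanism)` gives a readable fallback. If `rabbit_misc:protocol_error` does not truncate its text, a long client-supplied user name combined with the mechanism name could also push the reply past the protocol's reply-text length limit, which is worth confirming. The enclosing `auth_phase` starts before this hunk and continues after it.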
