| author | Michael Klishin <michael@novemberain.com> | 2017-01-13 15:06:36 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-01-13 15:06:36 +0300 |
| commit | dd92f155047a9f2d0c312287ef3711a2e5c7525f (patch) | |
| tree | f60d090705395414221f9870cb4d4fae1f21f9ba /test | |
| parent | 03bc4fb93c6b98284e6967f0157dd1de88c2a499 (diff) | |
| parent | d74c5e4fb4a712d57e55ddcf50fdecb4ab7f9106 (diff) | |
| download | rabbitmq-server-git-dd92f155047a9f2d0c312287ef3711a2e5c7525f.tar.gz | |
Merge pull request #1065 from rabbitmq/rabbitmq-server-505rabbitmq_v3_7_0_milestone9
Topic-based authorisation for publishes
Diffstat (limited to 'test')
| -rw-r--r-- | test/topic_permission_SUITE.erl | 217 | ||||
| -rw-r--r-- | test/unit_SUITE.erl | 4 |
2 files changed, 220 insertions, 1 deletions
diff --git a/test/topic_permission_SUITE.erl b/test/topic_permission_SUITE.erl
new file mode 100644
index 0000000000..b7d65e6d0c
--- /dev/null
+++ b/test/topic_permission_SUITE.erl
@@ -0,0 +1,217 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License at
+%% http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+%% License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2011-2016 Pivotal Software, Inc. All rights reserved.
+%%
+
+-module(topic_permission_SUITE).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("rabbit_common/include/rabbit.hrl").
+
+-compile(export_all).
+
+all() ->
+ [
+ {group, sequential_tests}
+ ].
+
+groups() -> [
+ {sequential_tests, [], [
+ topic_permission_database_access,
+ topic_permission_checks
+ ]}
+ ].
+
+init_per_suite(Config) ->
+ rabbit_ct_helpers:log_environment(),
+ Config1 = rabbit_ct_helpers:set_config(Config, [
+ {rmq_nodename_suffix, ?MODULE}
+ ]),
+ rabbit_ct_helpers:run_setup_steps(Config1,
+ rabbit_ct_broker_helpers:setup_steps() ++
+ rabbit_ct_client_helpers:setup_steps()).
+
+end_per_suite(Config) ->
+ rabbit_ct_helpers:run_teardown_steps(Config,
+ rabbit_ct_client_helpers:teardown_steps() ++
+ rabbit_ct_broker_helpers:teardown_steps()).
+
+init_per_group(_, Config) -> Config.
+end_per_group(_, Config) -> Config.
+
+init_per_testcase(Testcase, Config) ->
+ ok = rabbit_ct_broker_helpers:rpc(Config, 0,
+ ?MODULE, clear_tables, []),
+ rabbit_ct_helpers:testcase_started(Config, Testcase).
+
+clear_tables() ->
+ {atomic, ok} = mnesia:clear_table(rabbit_topic_permission),
+ {atomic, ok} = mnesia:clear_table(rabbit_vhost),
+ {atomic, ok} = mnesia:clear_table(rabbit_user),
+ ok.
+
+end_per_testcase(Testcase, Config) ->
+ rabbit_ct_helpers:testcase_finished(Config, Testcase).
+
+topic_permission_database_access(Config) ->
+ ok = rabbit_ct_broker_helpers:rpc(Config, 0,
+ ?MODULE, topic_permission_database_access1, [Config]).
+
+topic_permission_database_access1(_Config) ->
+ 0 = length(ets:tab2list(rabbit_topic_permission)),
+ rabbit_vhost:add(<<"/">>),
+ rabbit_vhost:add(<<"other-vhost">>),
+ rabbit_auth_backend_internal:add_user(<<"guest">>, <<"guest">>),
+ rabbit_auth_backend_internal:add_user(<<"dummy">>, <<"dummy">>),
+
+ rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"/">>, <<"amq.topic">>, "^a"
+ ),
+ 1 = length(ets:tab2list(rabbit_topic_permission)),
+ 1 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+ 0 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"dummy">>)),
+ 1 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"/">>)),
+ 0 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"other-vhost">>)),
+ 1 = length(rabbit_auth_backend_internal:list_user_vhost_topic_permissions(<<"guest">>,<<"/">>)),
+ 0 = length(rabbit_auth_backend_internal:list_user_vhost_topic_permissions(<<"guest">>,<<"other-vhost">>)),
+ 1 = length(rabbit_auth_backend_internal:list_topic_permissions()),
+
+ rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"other-vhost">>, <<"amq.topic">>, ".*"
+ ),
+ 2 = length(ets:tab2list(rabbit_topic_permission)),
+ 2 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+ 0 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"dummy">>)),
+ 1 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"/">>)),
+ 1 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"other-vhost">>)),
+ 1 = length(rabbit_auth_backend_internal:list_user_vhost_topic_permissions(<<"guest">>,<<"/">>)),
+ 1 = length(rabbit_auth_backend_internal:list_user_vhost_topic_permissions(<<"guest">>,<<"other-vhost">>)),
+ 2 = length(rabbit_auth_backend_internal:list_topic_permissions()),
+
+ rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"/">>, <<"topic1">>, "^a"
+ ),
+ rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"/">>, <<"topic2">>, "^a"
+ ),
+
+ 4 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+ 3 = length(rabbit_auth_backend_internal:list_user_vhost_topic_permissions(<<"guest">>,<<"/">>)),
+ 1 = length(rabbit_auth_backend_internal:list_user_vhost_topic_permissions(<<"guest">>,<<"other-vhost">>)),
+ 4 = length(rabbit_auth_backend_internal:list_topic_permissions()),
+
+ rabbit_auth_backend_internal:clear_topic_permissions(<<"guest">>, <<"other-vhost">>),
+ 0 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"other-vhost">>)),
+ 3 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+ rabbit_auth_backend_internal:clear_topic_permissions(<<"guest">>, <<"/">>, <<"topic1">>),
+ 2 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+ rabbit_auth_backend_internal:clear_topic_permissions(<<"guest">>, <<"/">>),
+ 0 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+
+
+ {error, {no_such_user, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
+ <<"non-existing-user">>, <<"other-vhost">>, <<"amq.topic">>, ".*"
+ )),
+
+ {error, {no_such_vhost, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"non-existing-vhost">>, <<"amq.topic">>, ".*"
+ )),
+
+ {error, {no_such_user, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
+ <<"non-existing-user">>, <<"non-existing-vhost">>, <<"amq.topic">>, ".*"
+ )),
+
+ {error, {no_such_user, _}} = (catch rabbit_auth_backend_internal:list_user_topic_permissions(
+ "non-existing-user"
+ )),
+
+ {error, {no_such_vhost, _}} = (catch rabbit_auth_backend_internal:list_vhost_topic_permissions(
+ "non-existing-vhost"
+ )),
+
+ {error, {invalid_regexp, _, _}} = (catch rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"/">>, <<"amq.topic">>, "["
+ )),
+ ok.
+
+topic_permission_checks(Config) ->
+ ok = rabbit_ct_broker_helpers:rpc(Config, 0,
+ ?MODULE, topic_permission_checks1, [Config]).
+
+topic_permission_checks1(_Config) ->
+ 0 = length(ets:tab2list(rabbit_topic_permission)),
+ rabbit_misc:execute_mnesia_transaction(fun() ->
+ ok = mnesia:write(rabbit_vhost,
+ #vhost{virtual_host = <<"/">>},
+ write),
+ ok = mnesia:write(rabbit_vhost,
+ #vhost{virtual_host = <<"other-vhost">>},
+ write)
+ end),
+ rabbit_auth_backend_internal:add_user(<<"guest">>, <<"guest">>),
+ rabbit_auth_backend_internal:add_user(<<"dummy">>, <<"dummy">>),
+
+ rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"/">>, <<"amq.topic">>, "^a"
+ ),
+ 1 = length(ets:tab2list(rabbit_topic_permission)),
+ 1 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+ 0 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"dummy">>)),
+ 1 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"/">>)),
+ 0 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"other-vhost">>)),
+
+ rabbit_auth_backend_internal:set_topic_permissions(
+ <<"guest">>, <<"other-vhost">>, <<"amq.topic">>, ".*"
+ ),
+ 2 = length(ets:tab2list(rabbit_topic_permission)),
+ 2 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"guest">>)),
+ 0 = length(rabbit_auth_backend_internal:list_user_topic_permissions(<<"dummy">>)),
+ 1 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"/">>)),
+ 1 = length(rabbit_auth_backend_internal:list_vhost_topic_permissions(<<"other-vhost">>)),
+
+ User = #auth_user{username = <<"guest">>},
+ Topic = #resource{name = <<"amq.topic">>, virtual_host = <<"/">>,
+ kind = topic},
+ Context = #{routing_key => <<"a.b.c">>},
+ %% user has access to exchange, routing key matches
+ true = rabbit_auth_backend_internal:check_topic_access(
+ User,
+ Topic,
+ write,
+ Context
+ ),
+ %% user has access to exchange, routing key does not match
+ false = rabbit_auth_backend_internal:check_topic_access(
+ User,
+ Topic,
+ write,
+ #{routing_key => <<"x.y.z">>}
+ ),
+ %% user has access to exchange but not on this vhost
+ %% let pass when there's no match
+ true = rabbit_auth_backend_internal:check_topic_access(
+ User,
+ Topic#resource{virtual_host = <<"fancyvhost">>},
+ write,
+ Context
+ ),
+ %% user does not have access to exchange
+ %% let pass when there's no match
+ true = rabbit_auth_backend_internal:check_topic_access(
+ #auth_user{username = <<"dummy">>},
+ Topic,
+ write,
+ Context
+ ),
+ ok.
\ No newline at end of file
diff --git a/test/unit_SUITE.erl b/test/unit_SUITE.erl
index 8499fd2abc..f3fec06cb4 100644
--- a/test/unit_SUITE.erl
+++ b/test/unit_SUITE.erl
@@ -83,7 +83,7 @@ init_per_testcase(TC, Config) when TC =:= decrypt_start_app;
 TC =:= decrypt_start_app_undefined ->
 application:load(rabbit),
 Config;
-init_per_testcase(_, Config) ->
+init_per_testcase(_Testcase, Config) ->
 Config.
 
 end_per_testcase(TC, _Config) when TC =:= decrypt_start_app;
@@ -464,6 +464,8 @@ rabbitmqctl_encode_encrypt_decrypt(Secret) -> ) . + + %% ------------------------------------------------------------------- %% pg_local. %% ------------------------------------------------------------------- |
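Review bot: The last two `check_topic_access` assertions in `topic_permission_checks1` pin a fail-open outcome — `true` when `guest` has no topic permission on `fancyvhost`, and `true` when `dummy` has no topic permission at all — and the only explanation given is `%% let pass when there's no match`, which restates the expectation without saying why it is the correct one. These are exactly the assertions that would catch an accidental change of the default in either direction, so if opt-in semantics are intended, suggest replacing both comments with `%% no topic permission is configured for this user/vhost pair; topic permissions are opt-in, so the absence of a rule must not deny the publish`. Only the `write` operation is exercised, in line with the PR title's scope of publishes; a one-line comment stating that read-side topic checks are out of scope for this suite would stop a later reader from taking it as coverage. Separately, `topic_permission_database_access1` creates vhosts with `rabbit_vhost:add/1` while `topic_permission_checks1` writes `#vhost{}` records straight into mnesia — presumably to avoid the side effects of a full vhost creation — and a comment on the `execute_mnesia_transaction` call saying so would remove the question.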
