diff options
| -rw-r--r-- | src/rabbit_credential_validator.erl | 28 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_accept_everything.erl | 32 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_min_length.erl | 56 | ||||
| -rw-r--r-- | test/credential_validation_SUITE.erl | 26 |
4 files changed, 141 insertions, 1 deletions
diff --git a/src/rabbit_credential_validator.erl b/src/rabbit_credential_validator.erl new file mode 100644 index 0000000000..3fb5c481cc --- /dev/null +++ b/src/rabbit_credential_validator.erl @@ -0,0 +1,28 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(rabbit_credential_validator). + +-include("rabbit.hrl"). + +%% Validates a password. Used by `rabbit_auth_backend_internal`. +%% +%% Possible return values: +%% +%% * ok: provided password passed validation. +%% * {error, Error, Args}: provided password password failed validation. + +-callback validate_password(rabbit_types:password()) -> 'ok' | {'error', string(), [any()]}. diff --git a/src/rabbit_credential_validator_accept_everything.erl b/src/rabbit_credential_validator_accept_everything.erl new file mode 100644 index 0000000000..e43e898416 --- /dev/null +++ b/src/rabbit_credential_validator_accept_everything.erl @@ -0,0 +1,32 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(rabbit_credential_validator_accept_everything). + +-include("rabbit.hrl"). + +-behaviour(rabbit_credential_validator). + +%% +%% API +%% + +-export([validate_password/1]). + +-spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string(), [any()]}. + +validate_password(_Password) -> + ok. diff --git a/src/rabbit_credential_validator_min_length.erl b/src/rabbit_credential_validator_min_length.erl new file mode 100644 index 0000000000..d4bb36778d --- /dev/null +++ b/src/rabbit_credential_validator_min_length.erl @@ -0,0 +1,56 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(rabbit_credential_validator_min_length). + +-include("rabbit.hrl"). + +-behaviour(rabbit_credential_validator). + +%% accommodates default (localhost-only) user credentials, +%% guest/guest +-define(DEFAULT_MIN_LENGTH, 5). + +%% +%% API +%% + +-export([validate_password/1]). +%% for tests +-export([validate_password/2]). + +-spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string(), [any()]}. + +validate_password(Password) -> + MinLength = case application:get_env(rabbit, credential_validator) of + undefined -> + ?DEFAULT_MIN_LENGTH; + Proplist -> + case proplists:get_value(min_length, Proplist) of + undefined -> ?DEFAULT_MIN_LENGTH; + Value -> rabbit_data_coercion:to_integer(Value) + end + end, + validate_password(Password, MinLength). + + +-spec validate_password(rabbit_types:password(), integer()) -> 'ok' | {'error', string(), [any()]}. + +validate_password(Password, MinLength) -> + case size(Password) >= MinLength of + true -> ok; + false -> {error, rabbit_misc:format("minimum required password length is ~B", [MinLength])} + end. diff --git a/test/credential_validation_SUITE.erl b/test/credential_validation_SUITE.erl index 44192a2e3c..4d7a9ddd8e 100644 --- a/test/credential_validation_SUITE.erl +++ b/test/credential_validation_SUITE.erl @@ -22,7 +22,9 @@ all() -> [ - basic_unconditionally_accepting_succeeds + basic_unconditionally_accepting_succeeds, + min_length_fails, + min_length_succeeds ]. init_per_testcase(_, Config) -> @@ -51,3 +53,25 @@ basic_unconditionally_accepting_succeeds(_Config) -> ?assertEqual(ok, F(Pwd5)), Pwd6 = crypto:strong_rand_bytes(1000), ?assertEqual(ok, F(Pwd6)). + +min_length_fails(_Config) -> + F = fun rabbit_credential_validator_min_length:validate_password/2, + + Pwd1 = crypto:strong_rand_bytes(1), + ?assertMatch({error, _}, F(Pwd1, 5)), + Pwd2 = crypto:strong_rand_bytes(5), + ?assertMatch({error, _}, F(Pwd2, 6)), + Pwd3 = crypto:strong_rand_bytes(10), + ?assertMatch({error, _}, F(Pwd3, 15)), + Pwd4 = crypto:strong_rand_bytes(50), + ?assertMatch({error, _}, F(Pwd4, 60)). + +min_length_succeeds(_Config) -> + F = fun rabbit_credential_validator_min_length:validate_password/2, + + ?assertEqual(ok, F(crypto:strong_rand_bytes(1), 1)), + ?assertEqual(ok, F(crypto:strong_rand_bytes(6), 6)), + ?assertEqual(ok, F(crypto:strong_rand_bytes(7), 6)), + ?assertEqual(ok, F(crypto:strong_rand_bytes(20), 20)), + ?assertEqual(ok, F(crypto:strong_rand_bytes(40), 30)), + ?assertEqual(ok, F(crypto:strong_rand_bytes(50), 50)). |