diff options
| -rw-r--r-- | src/rabbit_credential_validation.erl | 53 | ||||
| -rw-r--r-- | src/rabbit_credential_validator.erl | 28 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_accept_everything.erl | 32 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_min_password_length.erl | 56 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_password_regexp.erl | 51 | ||||
| -rw-r--r-- | test/credential_validation_SUITE.erl | 311 |
6 files changed, 531 insertions, 0 deletions
diff --git a/src/rabbit_credential_validation.erl b/src/rabbit_credential_validation.erl new file mode 100644 index 0000000000..4a629da14f --- /dev/null +++ b/src/rabbit_credential_validation.erl @@ -0,0 +1,53 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(rabbit_credential_validation). + +-include("rabbit.hrl"). + +%% used for backwards compatibility +-define(DEFAULT_BACKEND, rabbit_credential_validator_accept_everything). + +%% +%% API +%% + +-export([validate/2, backend/0]). + +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. + +%% Validates a username/password pair by delegating to the effective +%% `rabbit_credential_validator`. Used by `rabbit_auth_backend_internal`. +%% Note that some validators may choose to only validate passwords. +%% +%% Possible return values: +%% +%% * ok: provided credentials passed validation. +%% * {error, Error, Args}: provided password password failed validation. + +validate(Username, Password) -> + Backend = backend(), + Backend:validate(Username, Password). + +-spec backend() -> atom(). + +backend() -> + case application:get_env(rabbit, credential_validator) of + undefined -> + ?DEFAULT_BACKEND; + {ok, Proplist} -> + proplists:get_value(validation_backend, Proplist, ?DEFAULT_BACKEND) + end. diff --git a/src/rabbit_credential_validator.erl b/src/rabbit_credential_validator.erl new file mode 100644 index 0000000000..dd12f6d2d6 --- /dev/null +++ b/src/rabbit_credential_validator.erl @@ -0,0 +1,28 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(rabbit_credential_validator). + +-include("rabbit.hrl"). + +%% Validates a password. Used by `rabbit_auth_backend_internal`. +%% +%% Possible return values: +%% +%% * ok: provided password passed validation. +%% * {error, Error, Args}: provided password password failed validation. + +-callback validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. diff --git a/src/rabbit_credential_validator_accept_everything.erl b/src/rabbit_credential_validator_accept_everything.erl new file mode 100644 index 0000000000..f572d67e7f --- /dev/null +++ b/src/rabbit_credential_validator_accept_everything.erl @@ -0,0 +1,32 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(rabbit_credential_validator_accept_everything). + +-include("rabbit.hrl"). + +-behaviour(rabbit_credential_validator). + +%% +%% API +%% + +-export([validate/2]). + +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. + +validate(_Username, _Password) -> + ok. diff --git a/src/rabbit_credential_validator_min_password_length.erl b/src/rabbit_credential_validator_min_password_length.erl new file mode 100644 index 0000000000..78239fc71b --- /dev/null +++ b/src/rabbit_credential_validator_min_password_length.erl @@ -0,0 +1,56 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(rabbit_credential_validator_min_password_length). + +-include("rabbit.hrl"). + +-behaviour(rabbit_credential_validator). + +%% accommodates default (localhost-only) user credentials, +%% guest/guest +-define(DEFAULT_MIN_LENGTH, 5). + +%% +%% API +%% + +-export([validate/2]). +%% for tests +-export([validate/3]). + +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. + +validate(Username, Password) -> + MinLength = case application:get_env(rabbit, credential_validator) of + undefined -> + ?DEFAULT_MIN_LENGTH; + {ok, Proplist} -> + case proplists:get_value(min_length, Proplist) of + undefined -> ?DEFAULT_MIN_LENGTH; + Value -> rabbit_data_coercion:to_integer(Value) + end + end, + validate(Username, Password, MinLength). + + +-spec validate(rabbit_types:username(), rabbit_types:password(), integer()) -> 'ok' | {'error', string(), [any()]}. + +validate(_Username, Password, MinLength) -> + case size(Password) >= MinLength of + true -> ok; + false -> {error, rabbit_misc:format("minimum required password length is ~B", [MinLength])} + end. diff --git a/src/rabbit_credential_validator_password_regexp.erl b/src/rabbit_credential_validator_password_regexp.erl new file mode 100644 index 0000000000..b516175126 --- /dev/null +++ b/src/rabbit_credential_validator_password_regexp.erl @@ -0,0 +1,51 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + + +%% A `rabbit_credential_validator` implementation that matches +%% password against a pre-configured regular expression. +-module(rabbit_credential_validator_password_regexp). + +-include("rabbit.hrl"). + +-behaviour(rabbit_credential_validator). + +%% +%% API +%% + +-export([validate/2]). +%% for tests +-export([validate/3]). + +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. + +validate(Username, Password) -> + {ok, Proplist} = application:get_env(rabbit, credential_validator), + Regexp = case proplists:get_value(regexp, Proplist) of + undefined -> {error, "rabbit.credential_validator.regexp config key is undefined"}; + Value -> rabbit_data_coercion:to_list(Value) + end, + validate(Username, Password, Regexp). + + +-spec validate(rabbit_types:username(), rabbit_types:password(), string()) -> 'ok' | {'error', string(), [any()]}. + +validate(_Username, Password, Pattern) -> + case re:run(rabbit_data_coercion:to_list(Password), Pattern) of + {match, _} -> ok; + nomatch -> {error, "provided password does not match the validator regular expression"} + end. diff --git a/test/credential_validation_SUITE.erl b/test/credential_validation_SUITE.erl new file mode 100644 index 0000000000..d6f9fb5ec2 --- /dev/null +++ b/test/credential_validation_SUITE.erl @@ -0,0 +1,311 @@ +%% The contents of this file are subject to the Mozilla Public License +%% Version 1.1 (the "License"); you may not use this file except in +%% compliance with the License. You may obtain a copy of the License +%% at http://www.mozilla.org/MPL/ +%% +%% Software distributed under the License is distributed on an "AS IS" +%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See +%% the License for the specific language governing rights and +%% limitations under the License. +%% +%% The Original Code is RabbitMQ. +%% +%% The Initial Developer of the Original Code is GoPivotal, Inc. +%% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. +%% + +-module(credential_validation_SUITE). + +-compile(export_all). +-include_lib("proper/include/proper.hrl"). +-include_lib("common_test/include/ct.hrl"). +-include_lib("eunit/include/eunit.hrl"). + +all() -> + [ + {group, unit}, + {group, integration} + ]. + +groups() -> + [ + {integration, [], [ + min_length_integration_fails + , regexp_integration_fails + , min_length_integration_succeeds + , regexp_integration_succeeds + , min_length_change_password_integration_fails + , regexp_change_password_integration_fails + , min_length_change_password_integration_succeeds + , regexp_change_password_integration_succeeds + ]}, + {unit, [parallel], [ + basic_unconditionally_accepting_succeeds, + min_length_fails, + min_length_succeeds, + min_length_proper_fails, + min_length_proper_succeeds, + regexp_fails, + regexp_succeeds, + regexp_proper_fails, + regexp_proper_succeeds + ]} +]. + +suite() -> + [ + {timetrap, {minutes, 4}} + ]. + +%% +%% Setup/teardown +%% + +init_per_suite(Config) -> + rabbit_ct_helpers:log_environment(), + rabbit_ct_helpers:run_setup_steps(Config). + +end_per_suite(Config) -> + rabbit_ct_helpers:run_teardown_steps(Config). + +init_per_group(integration, Config) -> + Suffix = rabbit_ct_helpers:testcase_absname(Config, "", "-"), + Config1 = rabbit_ct_helpers:set_config(Config, [ + {rmq_nodes_count, 1}, + {rmq_nodename_suffix, Suffix} + ]), + rabbit_ct_helpers:run_steps(Config1, + rabbit_ct_broker_helpers:setup_steps()); + +init_per_group(unit, Config) -> + Config. + +end_per_group(integration, Config) -> + switch_validator(Config, accept_everything), + rabbit_ct_helpers:run_steps(Config, + rabbit_ct_broker_helpers:teardown_steps()); +end_per_group(unit, Config) -> + Config. + +-define(USERNAME, <<"abc">>). + +init_per_testcase(Testcase, Config) -> + rabbit_ct_helpers:testcase_started(Config, Testcase). + +end_per_testcase(Testcase, Config) -> + rabbit_ct_helpers:testcase_finished(Config, Testcase). + +%% +%% Test Cases +%% + +basic_unconditionally_accepting_succeeds(_Config) -> + F = fun rabbit_credential_validator_accept_everything:validate/2, + + Pwd1 = crypto:strong_rand_bytes(1), + ?assertEqual(ok, F(?USERNAME, Pwd1)), + Pwd2 = crypto:strong_rand_bytes(5), + ?assertEqual(ok, F(?USERNAME, Pwd2)), + Pwd3 = crypto:strong_rand_bytes(10), + ?assertEqual(ok, F(?USERNAME, Pwd3)), + Pwd4 = crypto:strong_rand_bytes(50), + ?assertEqual(ok, F(?USERNAME, Pwd4)), + Pwd5 = crypto:strong_rand_bytes(100), + ?assertEqual(ok, F(?USERNAME, Pwd5)), + Pwd6 = crypto:strong_rand_bytes(1000), + ?assertEqual(ok, F(?USERNAME, Pwd6)). + +min_length_fails(_Config) -> + F = fun rabbit_credential_validator_min_password_length:validate/3, + + Pwd1 = crypto:strong_rand_bytes(1), + ?assertMatch({error, _}, F(?USERNAME, Pwd1, 5)), + Pwd2 = crypto:strong_rand_bytes(5), + ?assertMatch({error, _}, F(?USERNAME, Pwd2, 6)), + Pwd3 = crypto:strong_rand_bytes(10), + ?assertMatch({error, _}, F(?USERNAME, Pwd3, 15)), + Pwd4 = crypto:strong_rand_bytes(50), + ?assertMatch({error, _}, F(?USERNAME, Pwd4, 60)). + +min_length_succeeds(_Config) -> + F = fun rabbit_credential_validator_min_password_length:validate/3, + + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(1), 1)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(6), 6)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(7), 6)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(20), 20)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(40), 30)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(50), 50)). + +min_length_proper_fails(_Config) -> + rabbit_ct_proper_helpers:run_proper(fun prop_min_length_fails_validation/0, [], 500). + +min_length_proper_succeeds(_Config) -> + rabbit_ct_proper_helpers:run_proper(fun prop_min_length_passes_validation/0, [], 500). + +regexp_fails(_Config) -> + F = fun rabbit_credential_validator_password_regexp:validate/3, + + ?assertMatch({error, _}, F(?USERNAME, <<"abc">>, "^xyz")), + ?assertMatch({error, _}, F(?USERNAME, <<"abcdef">>, "^xyz")), + ?assertMatch({error, _}, F(?USERNAME, <<"abcxyz">>, "^abc\\d+")). + +regexp_succeeds(_Config) -> + F = fun rabbit_credential_validator_password_regexp:validate/3, + + ?assertEqual(ok, F(?USERNAME, <<"abc">>, "^abc")), + ?assertEqual(ok, F(?USERNAME, <<"abcdef">>, "^abc")), + ?assertEqual(ok, F(?USERNAME, <<"abc123">>, "^abc\\d+")). + +regexp_proper_fails(_Config) -> + rabbit_ct_proper_helpers:run_proper(fun prop_regexp_fails_validation/0, [], 500). + +regexp_proper_succeeds(_Config) -> + rabbit_ct_proper_helpers:run_proper(fun prop_regexp_passes_validation/0, [], 500). + +min_length_integration_fails(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, min_length, 50), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), + ?assertMatch({error, "minimum required password length is 50"}, + add_user(Config, ?USERNAME, <<"_">>)). + +regexp_integration_fails(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, regexp), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), + ?assertMatch({error, _}, add_user(Config, ?USERNAME, <<"_">>)). + +min_length_integration_succeeds(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, min_length, 5), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), + ?assertMatch(ok, add_user(Config, ?USERNAME, <<"abcdefghi">>)). + +regexp_integration_succeeds(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, regexp), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), + ?assertMatch(ok, add_user(Config, ?USERNAME, <<"xyz12345678901">>)). + +min_length_change_password_integration_fails(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, accept_everything), + add_user(Config, ?USERNAME, <<"abcdefghi">>), + switch_validator(Config, min_length, 50), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), + ?assertMatch({error, "minimum required password length is 50"}, + change_password(Config, ?USERNAME, <<"_">>)). + +regexp_change_password_integration_fails(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, accept_everything), + add_user(Config, ?USERNAME, <<"abcdefghi">>), + switch_validator(Config, regexp), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), + ?assertMatch({error, _}, change_password(Config, ?USERNAME, <<"_">>)). + +min_length_change_password_integration_succeeds(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, accept_everything), + add_user(Config, ?USERNAME, <<"abcdefghi">>), + switch_validator(Config, min_length, 5), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), + ?assertMatch(ok, change_password(Config, ?USERNAME, <<"abcdefghi">>)). + +regexp_change_password_integration_succeeds(Config) -> + delete_user(Config, ?USERNAME), + switch_validator(Config, accept_everything), + add_user(Config, ?USERNAME, <<"abcdefghi">>), + switch_validator(Config, regexp), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), + ?assertMatch(ok, change_password(Config, ?USERNAME, <<"xyz12345678901">>)). + +%% +%% PropEr +%% + +prop_min_length_fails_validation() -> + N = 5, + F = fun rabbit_credential_validator_min_password_length:validate/3, + ?FORALL(Val, binary(N), + ?FORALL(Length, choose(N + 1, 100), + failed_validation(F(?USERNAME, Val, Length + 1)))). + +prop_min_length_passes_validation() -> + N = 20, + F = fun rabbit_credential_validator_min_password_length:validate/3, + ?FORALL(Val, binary(N), + ?FORALL(Length, choose(1, N - 1), + passed_validation(F(?USERNAME, Val, Length)))). + +prop_regexp_fails_validation() -> + N = 5, + F = fun rabbit_credential_validator_password_regexp:validate/3, + ?FORALL(Val, binary(N), + ?FORALL(Length, choose(N + 1, 100), + failed_validation(F(?USERNAME, Val, regexp_that_requires_length_of_at_least(Length + 1))))). + +prop_regexp_passes_validation() -> + N = 5, + F = fun rabbit_credential_validator_password_regexp:validate/3, + ?FORALL(Val, binary(N), + passed_validation(F(?USERNAME, Val, regexp_that_requires_length_of_at_most(size(Val) + 1)))). + +%% +%% Helpers +%% + +passed_validation(ok) -> + true; +passed_validation({error, _}) -> + false. + +failed_validation(Result) -> + not passed_validation(Result). + +regexp_that_requires_length_of_at_least(N) when is_integer(N) -> + rabbit_misc:format("^[a-zA-Z0-9]{~p,~p}", [N, N + 10]). + +regexp_that_requires_length_of_at_most(N) when is_integer(N) -> + rabbit_misc:format("^[a-zA-Z0-9]{0,~p}", [N]). + +switch_validator(Config, accept_everything) -> + rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, + [rabbit, credential_validator, + [{validation_backend, rabbit_credential_validator_accept_everything}]]); + +switch_validator(Config, min_length) -> + switch_validator(Config, min_length, 5); + +switch_validator(Config, regexp) -> + switch_validator(Config, regexp, <<"^xyz\\d{10,12}$">>). + + +switch_validator(Config, min_length, MinLength) -> + ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, + [rabbit, credential_validator, + [{validation_backend, rabbit_credential_validator_min_password_length}, + {min_length, MinLength}]]); + +switch_validator(Config, regexp, RegExp) -> + ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, + [rabbit, credential_validator, + [{validation_backend, rabbit_credential_validator_password_regexp}, + {regexp, RegExp}]]). + +add_user(Config, Username, Password) -> + rabbit_ct_broker_helpers:rpc(Config, 0, + rabbit_auth_backend_internal, add_user, [Username, Password]). + +delete_user(Config, Username) -> + rabbit_ct_broker_helpers:rpc(Config, 0, + rabbit_auth_backend_internal, delete_user, [Username]). + +change_password(Config, Username, Password) -> + rabbit_ct_broker_helpers:rpc(Config, 0, + rabbit_auth_backend_internal, change_password, [Username, Password]). + +validator_backend(Config) -> + rabbit_ct_broker_helpers:rpc(Config, 0, rabbit_credential_validation, backend, []). + |