diff options
| -rw-r--r-- | src/rabbit_credential_validation.erl | 13 | ||||
| -rw-r--r-- | src/rabbit_credential_validator.erl | 2 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_accept_everything.erl | 6 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_min_password_length.erl (renamed from src/rabbit_credential_validator_min_length.erl) | 16 | ||||
| -rw-r--r-- | src/rabbit_credential_validator_password_regexp.erl (renamed from src/rabbit_credential_validator_regexp.erl) | 19 | ||||
| -rw-r--r-- | test/credential_validation_SUITE.erl | 90 |
6 files changed, 75 insertions, 71 deletions
diff --git a/src/rabbit_credential_validation.erl b/src/rabbit_credential_validation.erl index 696024548a..4a629da14f 100644 --- a/src/rabbit_credential_validation.erl +++ b/src/rabbit_credential_validation.erl @@ -25,21 +25,22 @@ %% API %% --export([validate_password/1, backend/0]). +-export([validate/2, backend/0]). --spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string()}. +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. -%% Validates a password by delegating to the effective +%% Validates a username/password pair by delegating to the effective %% `rabbit_credential_validator`. Used by `rabbit_auth_backend_internal`. +%% Note that some validators may choose to only validate passwords. %% %% Possible return values: %% -%% * ok: provided password passed validation. +%% * ok: provided credentials passed validation. %% * {error, Error, Args}: provided password password failed validation. -validate_password(Value) -> +validate(Username, Password) -> Backend = backend(), - Backend:validate_password(Value). + Backend:validate(Username, Password). -spec backend() -> atom(). diff --git a/src/rabbit_credential_validator.erl b/src/rabbit_credential_validator.erl index b556995f51..dd12f6d2d6 100644 --- a/src/rabbit_credential_validator.erl +++ b/src/rabbit_credential_validator.erl @@ -25,4 +25,4 @@ %% * ok: provided password passed validation. %% * {error, Error, Args}: provided password password failed validation. --callback validate_password(rabbit_types:password()) -> 'ok' | {'error', string()}. +-callback validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. diff --git a/src/rabbit_credential_validator_accept_everything.erl b/src/rabbit_credential_validator_accept_everything.erl index ea04d09ce1..f572d67e7f 100644 --- a/src/rabbit_credential_validator_accept_everything.erl +++ b/src/rabbit_credential_validator_accept_everything.erl @@ -24,9 +24,9 @@ %% API %% --export([validate_password/1]). +-export([validate/2]). --spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string()}. +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. -validate_password(_Password) -> +validate(_Username, _Password) -> ok. diff --git a/src/rabbit_credential_validator_min_length.erl b/src/rabbit_credential_validator_min_password_length.erl index 3a66239138..78239fc71b 100644 --- a/src/rabbit_credential_validator_min_length.erl +++ b/src/rabbit_credential_validator_min_password_length.erl @@ -14,7 +14,7 @@ %% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. %% --module(rabbit_credential_validator_min_length). +-module(rabbit_credential_validator_min_password_length). -include("rabbit.hrl"). @@ -28,13 +28,13 @@ %% API %% --export([validate_password/1]). +-export([validate/2]). %% for tests --export([validate_password/2]). +-export([validate/3]). --spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string()}. +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. -validate_password(Password) -> +validate(Username, Password) -> MinLength = case application:get_env(rabbit, credential_validator) of undefined -> ?DEFAULT_MIN_LENGTH; @@ -44,12 +44,12 @@ validate_password(Password) -> Value -> rabbit_data_coercion:to_integer(Value) end end, - validate_password(Password, MinLength). + validate(Username, Password, MinLength). --spec validate_password(rabbit_types:password(), integer()) -> 'ok' | {'error', string(), [any()]}. +-spec validate(rabbit_types:username(), rabbit_types:password(), integer()) -> 'ok' | {'error', string(), [any()]}. -validate_password(Password, MinLength) -> +validate(_Username, Password, MinLength) -> case size(Password) >= MinLength of true -> ok; false -> {error, rabbit_misc:format("minimum required password length is ~B", [MinLength])} diff --git a/src/rabbit_credential_validator_regexp.erl b/src/rabbit_credential_validator_password_regexp.erl index 3c58529bf3..a23e7a47a7 100644 --- a/src/rabbit_credential_validator_regexp.erl +++ b/src/rabbit_credential_validator_password_regexp.erl @@ -14,7 +14,10 @@ %% Copyright (c) 2007-2016 Pivotal Software, Inc. All rights reserved. %% --module(rabbit_credential_validator_regexp). + +%% A `rabbit_credential_validator` implementation that matches +%% password against a pre-configured regular expression. +-module(rabbit_credential_validator_password_regexp). -include("rabbit.hrl"). @@ -24,24 +27,24 @@ %% API %% --export([validate_password/1]). +-export([validate/2]). %% for tests --export([validate_password/2]). +-export([validate/3]). --spec validate_password(rabbit_types:password()) -> 'ok' | {'error', string()}. +-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}. -validate_password(Password) -> +validate(Username, Password) -> {ok, Proplist} = application:get_env(rabbit, credential_validator), Regexp = case proplists:get_value(regexp, Proplist) of undefined -> {error, "rabbit.credential_validator.regexp config key is undefined"}; Value -> rabbit_data_coercion:to_list(Value) end, - validate_password(Password, Regexp). + validate(Username, Password, Regexp). --spec validate_password(rabbit_types:password(), string()) -> 'ok' | {'error', string(), [any()]}. +-spec validate(rabbit_types:username(), rabbit_types:password(), string()) -> 'ok' | {'error', string(), [any()]}. -validate_password(Password, Pattern) -> +validate(Username, Password, Pattern) -> case re:run(rabbit_data_coercion:to_list(Password), Pattern) of {match, _} -> ok; nomatch -> {error, "provided password does not match the validator regular expression"} diff --git a/test/credential_validation_SUITE.erl b/test/credential_validation_SUITE.erl index fec8e79268..d6f9fb5ec2 100644 --- a/test/credential_validation_SUITE.erl +++ b/test/credential_validation_SUITE.erl @@ -100,42 +100,42 @@ end_per_testcase(Testcase, Config) -> %% basic_unconditionally_accepting_succeeds(_Config) -> - F = fun rabbit_credential_validator_accept_everything:validate_password/1, + F = fun rabbit_credential_validator_accept_everything:validate/2, Pwd1 = crypto:strong_rand_bytes(1), - ?assertEqual(ok, F(Pwd1)), + ?assertEqual(ok, F(?USERNAME, Pwd1)), Pwd2 = crypto:strong_rand_bytes(5), - ?assertEqual(ok, F(Pwd2)), + ?assertEqual(ok, F(?USERNAME, Pwd2)), Pwd3 = crypto:strong_rand_bytes(10), - ?assertEqual(ok, F(Pwd3)), + ?assertEqual(ok, F(?USERNAME, Pwd3)), Pwd4 = crypto:strong_rand_bytes(50), - ?assertEqual(ok, F(Pwd4)), + ?assertEqual(ok, F(?USERNAME, Pwd4)), Pwd5 = crypto:strong_rand_bytes(100), - ?assertEqual(ok, F(Pwd5)), + ?assertEqual(ok, F(?USERNAME, Pwd5)), Pwd6 = crypto:strong_rand_bytes(1000), - ?assertEqual(ok, F(Pwd6)). + ?assertEqual(ok, F(?USERNAME, Pwd6)). min_length_fails(_Config) -> - F = fun rabbit_credential_validator_min_length:validate_password/2, + F = fun rabbit_credential_validator_min_password_length:validate/3, Pwd1 = crypto:strong_rand_bytes(1), - ?assertMatch({error, _}, F(Pwd1, 5)), + ?assertMatch({error, _}, F(?USERNAME, Pwd1, 5)), Pwd2 = crypto:strong_rand_bytes(5), - ?assertMatch({error, _}, F(Pwd2, 6)), + ?assertMatch({error, _}, F(?USERNAME, Pwd2, 6)), Pwd3 = crypto:strong_rand_bytes(10), - ?assertMatch({error, _}, F(Pwd3, 15)), + ?assertMatch({error, _}, F(?USERNAME, Pwd3, 15)), Pwd4 = crypto:strong_rand_bytes(50), - ?assertMatch({error, _}, F(Pwd4, 60)). + ?assertMatch({error, _}, F(?USERNAME, Pwd4, 60)). min_length_succeeds(_Config) -> - F = fun rabbit_credential_validator_min_length:validate_password/2, + F = fun rabbit_credential_validator_min_password_length:validate/3, - ?assertEqual(ok, F(crypto:strong_rand_bytes(1), 1)), - ?assertEqual(ok, F(crypto:strong_rand_bytes(6), 6)), - ?assertEqual(ok, F(crypto:strong_rand_bytes(7), 6)), - ?assertEqual(ok, F(crypto:strong_rand_bytes(20), 20)), - ?assertEqual(ok, F(crypto:strong_rand_bytes(40), 30)), - ?assertEqual(ok, F(crypto:strong_rand_bytes(50), 50)). + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(1), 1)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(6), 6)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(7), 6)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(20), 20)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(40), 30)), + ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(50), 50)). min_length_proper_fails(_Config) -> rabbit_ct_proper_helpers:run_proper(fun prop_min_length_fails_validation/0, [], 500). @@ -144,18 +144,18 @@ min_length_proper_succeeds(_Config) -> rabbit_ct_proper_helpers:run_proper(fun prop_min_length_passes_validation/0, [], 500). regexp_fails(_Config) -> - F = fun rabbit_credential_validator_regexp:validate_password/2, + F = fun rabbit_credential_validator_password_regexp:validate/3, - ?assertMatch({error, _}, F(<<"abc">>, "^xyz")), - ?assertMatch({error, _}, F(<<"abcdef">>, "^xyz")), - ?assertMatch({error, _}, F(<<"abcxyz">>, "^abc\\d+")). + ?assertMatch({error, _}, F(?USERNAME, <<"abc">>, "^xyz")), + ?assertMatch({error, _}, F(?USERNAME, <<"abcdef">>, "^xyz")), + ?assertMatch({error, _}, F(?USERNAME, <<"abcxyz">>, "^abc\\d+")). regexp_succeeds(_Config) -> - F = fun rabbit_credential_validator_regexp:validate_password/2, + F = fun rabbit_credential_validator_password_regexp:validate/3, - ?assertEqual(ok, F(<<"abc">>, "^abc")), - ?assertEqual(ok, F(<<"abcdef">>, "^abc")), - ?assertEqual(ok, F(<<"abc123">>, "^abc\\d+")). + ?assertEqual(ok, F(?USERNAME, <<"abc">>, "^abc")), + ?assertEqual(ok, F(?USERNAME, <<"abcdef">>, "^abc")), + ?assertEqual(ok, F(?USERNAME, <<"abc123">>, "^abc\\d+")). regexp_proper_fails(_Config) -> rabbit_ct_proper_helpers:run_proper(fun prop_regexp_fails_validation/0, [], 500). @@ -166,26 +166,26 @@ regexp_proper_succeeds(_Config) -> min_length_integration_fails(Config) -> delete_user(Config, ?USERNAME), switch_validator(Config, min_length, 50), - ?assertMatch(rabbit_credential_validator_min_length, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), ?assertMatch({error, "minimum required password length is 50"}, add_user(Config, ?USERNAME, <<"_">>)). regexp_integration_fails(Config) -> delete_user(Config, ?USERNAME), switch_validator(Config, regexp), - ?assertMatch(rabbit_credential_validator_regexp, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), ?assertMatch({error, _}, add_user(Config, ?USERNAME, <<"_">>)). min_length_integration_succeeds(Config) -> delete_user(Config, ?USERNAME), switch_validator(Config, min_length, 5), - ?assertMatch(rabbit_credential_validator_min_length, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), ?assertMatch(ok, add_user(Config, ?USERNAME, <<"abcdefghi">>)). regexp_integration_succeeds(Config) -> delete_user(Config, ?USERNAME), switch_validator(Config, regexp), - ?assertMatch(rabbit_credential_validator_regexp, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), ?assertMatch(ok, add_user(Config, ?USERNAME, <<"xyz12345678901">>)). min_length_change_password_integration_fails(Config) -> @@ -193,7 +193,7 @@ min_length_change_password_integration_fails(Config) -> switch_validator(Config, accept_everything), add_user(Config, ?USERNAME, <<"abcdefghi">>), switch_validator(Config, min_length, 50), - ?assertMatch(rabbit_credential_validator_min_length, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), ?assertMatch({error, "minimum required password length is 50"}, change_password(Config, ?USERNAME, <<"_">>)). @@ -202,7 +202,7 @@ regexp_change_password_integration_fails(Config) -> switch_validator(Config, accept_everything), add_user(Config, ?USERNAME, <<"abcdefghi">>), switch_validator(Config, regexp), - ?assertMatch(rabbit_credential_validator_regexp, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), ?assertMatch({error, _}, change_password(Config, ?USERNAME, <<"_">>)). min_length_change_password_integration_succeeds(Config) -> @@ -210,7 +210,7 @@ min_length_change_password_integration_succeeds(Config) -> switch_validator(Config, accept_everything), add_user(Config, ?USERNAME, <<"abcdefghi">>), switch_validator(Config, min_length, 5), - ?assertMatch(rabbit_credential_validator_min_length, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)), ?assertMatch(ok, change_password(Config, ?USERNAME, <<"abcdefghi">>)). regexp_change_password_integration_succeeds(Config) -> @@ -218,7 +218,7 @@ regexp_change_password_integration_succeeds(Config) -> switch_validator(Config, accept_everything), add_user(Config, ?USERNAME, <<"abcdefghi">>), switch_validator(Config, regexp), - ?assertMatch(rabbit_credential_validator_regexp, validator_backend(Config)), + ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)), ?assertMatch(ok, change_password(Config, ?USERNAME, <<"xyz12345678901">>)). %% @@ -227,30 +227,30 @@ regexp_change_password_integration_succeeds(Config) -> prop_min_length_fails_validation() -> N = 5, - F = fun rabbit_credential_validator_min_length:validate_password/2, + F = fun rabbit_credential_validator_min_password_length:validate/3, ?FORALL(Val, binary(N), ?FORALL(Length, choose(N + 1, 100), - failed_validation(F(Val, Length + 1)))). + failed_validation(F(?USERNAME, Val, Length + 1)))). prop_min_length_passes_validation() -> N = 20, - F = fun rabbit_credential_validator_min_length:validate_password/2, + F = fun rabbit_credential_validator_min_password_length:validate/3, ?FORALL(Val, binary(N), ?FORALL(Length, choose(1, N - 1), - passed_validation(F(Val, Length)))). + passed_validation(F(?USERNAME, Val, Length)))). prop_regexp_fails_validation() -> N = 5, - F = fun rabbit_credential_validator_regexp:validate_password/2, + F = fun rabbit_credential_validator_password_regexp:validate/3, ?FORALL(Val, binary(N), ?FORALL(Length, choose(N + 1, 100), - failed_validation(F(Val, regexp_that_requires_length_of_at_least(Length + 1))))). + failed_validation(F(?USERNAME, Val, regexp_that_requires_length_of_at_least(Length + 1))))). prop_regexp_passes_validation() -> N = 5, - F = fun rabbit_credential_validator_regexp:validate_password/2, + F = fun rabbit_credential_validator_password_regexp:validate/3, ?FORALL(Val, binary(N), - passed_validation(F(Val, regexp_that_requires_length_of_at_most(size(Val) + 1)))). + passed_validation(F(?USERNAME, Val, regexp_that_requires_length_of_at_most(size(Val) + 1)))). %% %% Helpers @@ -285,13 +285,13 @@ switch_validator(Config, regexp) -> switch_validator(Config, min_length, MinLength) -> ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, [rabbit, credential_validator, - [{validation_backend, rabbit_credential_validator_min_length}, + [{validation_backend, rabbit_credential_validator_min_password_length}, {min_length, MinLength}]]); switch_validator(Config, regexp, RegExp) -> ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env, [rabbit, credential_validator, - [{validation_backend, rabbit_credential_validator_regexp}, + [{validation_backend, rabbit_credential_validator_password_regexp}, {regexp, RegExp}]]). add_user(Config, Username, Password) -> |