authorSimon MacMullen <simon@rabbitmq.com>2014-01-17 16:51:41 +0000
committerSimon MacMullen <simon@rabbitmq.com>2014-01-17 16:51:41 +0000
commit3a5b3717e8cbdd757f4bbd102f53142602eb5b5b (patch)
tree8dfb2248af4ab94b22d520e3e8d5bd63b3b2045e
parenta6ae81bd0c34ca380be4c0ad1595097ee497454a (diff)
Separate modules for authentication and authorisation
-rw-r--r--src/rabbit_access_control.erl29
1 files changed, 21 insertions, 8 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index d54c2a8d..e3d9f94f 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -52,18 +52,31 @@ check_user_pass_login(Username, Password) ->
check_user_login(Username, AuthProps) ->
{ok, Modules} = application:get_env(rabbit, auth_backends),
lists:foldl(
- fun(Module, {refused, _, _}) ->
- case Module:check_user_login(Username, AuthProps) of
- {error, E} ->
- {refused, "~s failed authenticating ~s: ~p~n",
- [Module, Username, E]};
- Else ->
- Else
+ fun (Mod, {refused, _, _}) ->
+ %% Same module for authN and authZ. Just take the result
+ %% it gives us
+ try_login(Mod, Username, AuthProps);
+ ({ModN, ModZ}, {refused, _, _}) ->
+ %% Different modules for authN vs authZ. So authenticate
+ %% with authN module, then if that succeeds do
+ %% passwordless (i.e pre-authenticated) login with authZ
+ %% module, and use the #user{} the latter gives us.
+ case try_login(ModN, Username, AuthProps) of
+ {ok, _} -> try_login(ModZ, Username, []);
+ Else -> Else
end;
- (_, {ok, User}) ->
+ (_, {ok, User}) ->
+ %% We've successfully authenticated. Skip to the end...
{ok, User}
end, {refused, "No modules checked '~s'", [Username]}, Modules).
+try_login(Module, Username, AuthProps) ->
+ case Module:check_user_login(Username, AuthProps) of
+ {error, E} -> {refused, "~s failed authenticating ~s: ~p~n",
+ [Module, Username, E]};
+ Else -> Else
+ end.
+
check_vhost_access(User = #user{ username = Username,
auth_backend = Module }, VHostPath) ->
check_access(