1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
%% The contents of this file are subject to the Mozilla Public License
%% Version 1.1 (the "License"); you may not use this file except in
%% compliance with the License. You may obtain a copy of the License at
%% http://www.mozilla.org/MPL/
%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
%% License for the specific language governing rights and limitations
%% under the License.
%%
%% The Original Code is RabbitMQ.
%%
%% The Initial Developers of the Original Code are LShift Ltd,
%% Cohesive Financial Technologies LLC, and Rabbit Technologies Ltd.
%%
%% Portions created before 22-Nov-2008 00:00:00 GMT by LShift Ltd,
%% Cohesive Financial Technologies LLC, or Rabbit Technologies Ltd
%% are Copyright (C) 2007-2008 LShift Ltd, Cohesive Financial
%% Technologies LLC, and Rabbit Technologies Ltd.
%%
%% Portions created by LShift Ltd are Copyright (C) 2007-2010 LShift
%% Ltd. Portions created by Cohesive Financial Technologies LLC are
%% Copyright (C) 2007-2010 Cohesive Financial Technologies
%% LLC. Portions created by Rabbit Technologies Ltd are Copyright
%% (C) 2007-2010 Rabbit Technologies Ltd.
%%
%% All Rights Reserved.
%%
%% Contributor(s): ______________________________________.
%%
-module(rabbit_auth_mechanism_external).
-include("rabbit.hrl").
-behaviour(rabbit_auth_mechanism).
-export([description/0, init/1, handle_response/2]).
-include("rabbit_auth_mechanism_spec.hrl").
-include_lib("public_key/include/public_key.hrl").
-rabbit_boot_step({?MODULE,
[{description, "auth mechanism external"},
{mfa, {rabbit_registry, register,
[auth_mechanism, <<"EXTERNAL">>, ?MODULE]}},
{requires, rabbit_registry},
{enables, kernel_ready}]}).
-record(state, {username = undefined}).
%% SASL EXTERNAL. SASL says EXTERNAL means "use credentials
%% established by means external to the mechanism". We define that to
%% mean the peer certificate's subject's CN.
description() ->
[{name, <<"EXTERNAL">>},
{description, <<"SASL EXTERNAL authentication mechanism">>}].
init(Sock) ->
Username = case rabbit_net:peercert(Sock) of
{ok, C} ->
CN = case rabbit_ssl:peer_cert_subject_item(
C, ?'id-at-commonName') of
not_found -> {refused, "no CN found", []};
CN0 -> list_to_binary(CN0)
end,
case config_sane() of
true -> CN;
false -> {refused, "configuration unsafe", []}
end;
{error, no_peercert} ->
{refused, "no peer certificate", []};
nossl ->
{refused, "not SSL connection", []}
end,
#state{username = Username}.
handle_response(_Response, #state{username = Username}) ->
case Username of
{refused, _, _} = E ->
E;
_ ->
case rabbit_access_control:lookup_user(Username) of
{ok, User} ->
{ok, User};
{error, not_found} ->
%% This is not an information leak as we have to
%% have validated a client cert to get this far.
{refused, "user '~s' not found", [Username]}
end
end.
%%--------------------------------------------------------------------------
config_sane() ->
{ok, Opts} = application:get_env(ssl_options),
case {proplists:get_value(fail_if_no_peer_cert, Opts),
proplists:get_value(verify, Opts)} of
{true, verify_peer} ->
true;
{F, V} ->
rabbit_log:warning("EXTERNAL mechanism disabled, "
"fail_if_no_peer_cert=~p; "
"verify=~p~n", [F, V]),
false
end.
|