├── .gitignore ├── updater ├── test │ ├── default-user.conf │ └── rabbitmqadmin.conf ├── updater_suite_test.go ├── event_handler.go └── event_handler_test.go ├── .github ├── dependabot.yml └── workflows │ └── build-test-publish.yml ├── Dockerfile ├── go.mod ├── README.md ├── main.go ├── go.sum └── LICENSE /.gitignore: -------------------------------------------------------------------------------- 1 | default-user-credential-updater -------------------------------------------------------------------------------- /updater/test/default-user.conf: -------------------------------------------------------------------------------- 1 | default_user = myuser 2 | default_pass = pwd1 3 | -------------------------------------------------------------------------------- /updater/test/rabbitmqadmin.conf: -------------------------------------------------------------------------------- 1 | [default] 2 | username = myuser 3 | password = pwd1 4 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "gomod" 4 | directory: "/" 5 | schedule: 6 | interval: "daily" 7 | groups: 8 | all: 9 | patterns: 10 | - "*" 11 | - package-ecosystem: "github-actions" 12 | directory: "/" 13 | schedule: 14 | interval: "weekly" 15 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | ARG GO_TAG=1.25 2 | ARG DOCKER_REGISTRY=docker.io 3 | FROM --platform=$BUILDPLATFORM ${DOCKER_REGISTRY}/library/golang:${GO_TAG} AS builder 4 | 5 | WORKDIR /go/src/app 6 | ADD . /go/src/app 7 | 8 | RUN go get -v ./... 9 | 10 | ENV CGO_ENABLED=0 11 | RUN go build -o /go/bin/app 12 | 13 | FROM scratch 14 | COPY --from=builder /go/bin/app /default-user-credential-updater 15 | ENTRYPOINT ["/default-user-credential-updater"] 16 | -------------------------------------------------------------------------------- /updater/updater_suite_test.go: -------------------------------------------------------------------------------- 1 | package updater_test 2 | 3 | import ( 4 | "flag" 5 | "testing" 6 | 7 | . "github.com/onsi/ginkgo/v2" 8 | . "github.com/onsi/gomega" 9 | "k8s.io/klog/v2" 10 | ) 11 | 12 | func TestUpdater(t *testing.T) { 13 | RegisterFailHandler(Fail) 14 | 15 | klog.InitFlags(nil) 16 | // Set v to 5 for verbose output 17 | Expect(flag.Set("v", "-1")).To(Succeed()) 18 | flag.Parse() 19 | 20 | RunSpecs(t, "Updater Suite") 21 | } 22 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/rabbitmq/default-user-credential-updater 2 | 3 | go 1.25.5 4 | 5 | require ( 6 | github.com/fsnotify/fsnotify v1.9.0 7 | github.com/go-logr/logr v1.4.3 8 | github.com/michaelklishin/rabbit-hole/v3 v3.2.0 9 | github.com/onsi/ginkgo/v2 v2.27.3 10 | github.com/onsi/gomega v1.38.3 11 | gopkg.in/ini.v1 v1.67.0 12 | k8s.io/klog/v2 v2.130.1 13 | ) 14 | 15 | require ( 16 | github.com/Masterminds/semver/v3 v3.4.0 // indirect 17 | github.com/go-task/slim-sprig/v3 v3.0.0 // indirect 18 | github.com/google/go-cmp v0.7.0 // indirect 19 | github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect 20 | go.yaml.in/yaml/v3 v3.0.4 // indirect 21 | golang.org/x/mod v0.27.0 // indirect 22 | golang.org/x/net v0.43.0 // indirect 23 | golang.org/x/sync v0.16.0 // indirect 24 | golang.org/x/sys v0.38.0 // indirect 25 | golang.org/x/text v0.28.0 // indirect 26 | golang.org/x/tools v0.36.0 // indirect 27 | ) 28 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # default-user-credential-updater 2 | 3 | This is a program that watches a RabbitMQ config file containing `default_user` and `default_pass` for changes. 4 | If the file changes, it updates the password in RabbitMQ. 5 | 6 | It is meant to be deployed as a sidecar container by https://github.com/rabbitmq/cluster-operator when HashiCorp Vault is enabled. 7 | 8 | The use case is as-follows: 9 | 1. Default user password changes in Vault server. 10 | 1. Vault agent sidecar places new password into `/etc/rabbitmq/conf.d/11-default_user.conf`. 11 | 1. This sidecar (default-user-credential-updater) updates the password RabbitMQ server side by doing an HTTP PUT against the RabbitMQ Management API. This allows for default user password rotation without the need to restart RabbitMQ server. 12 | 1. This sidecar copies new password to `/var/lib/rabbitmq/.rabbitmqadmin.conf` to be used by `rabbitmqadmin` CLI. 13 | 14 | See [vault-default-user](https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples/vault-default-user) for an end-to-end example. 15 | -------------------------------------------------------------------------------- /.github/workflows/build-test-publish.yml: -------------------------------------------------------------------------------- 1 | name: Build, Test, & Publish 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | paths-ignore: 7 | - "**.md" 8 | - "LICENSE" 9 | tags: 10 | - "**" 11 | pull_request: 12 | branches: [ main ] 13 | paths-ignore: 14 | - "**.md" 15 | - "LICENSE" 16 | 17 | jobs: 18 | unit_tests: 19 | name: Unit tests 20 | runs-on: ubuntu-latest 21 | steps: 22 | - uses: actions/checkout@v6 23 | 24 | - name: Setup Go 25 | uses: actions/setup-go@v6 26 | with: 27 | go-version-file: go.mod 28 | 29 | - name: Unit tests 30 | run: go test -v ./... 31 | 32 | build_dev_image: 33 | name: Build dev image 34 | runs-on: ubuntu-latest 35 | needs: unit_tests 36 | permissions: 37 | contents: 'write' 38 | id-token: 'write' 39 | packages: 'write' 40 | steps: 41 | - uses: actions/checkout@v6 42 | 43 | - name: Setup Go 44 | id: set-go 45 | uses: actions/setup-go@v6 46 | with: 47 | go-version-file: go.mod 48 | 49 | - name: OCI Metadata for multi-arch image 50 | id: meta 51 | uses: docker/metadata-action@v5 52 | with: 53 | images: | 54 | rabbitmqoperator/default-user-credential-updater 55 | quay.io/rabbitmqoperator/default-user-credential-updater 56 | ghcr.io/rabbitmq/default-user-credential-updater 57 | tags: | 58 | type=sha 59 | type=ref,event=pr 60 | type=semver,pattern={{version}} 61 | 62 | - uses: docker/setup-qemu-action@v3 63 | 64 | - uses: docker/setup-buildx-action@v3 65 | 66 | - uses: docker/login-action@v3 67 | if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/v') }} 68 | with: 69 | username: ${{ secrets.DOCKERHUB_USERNAME }} 70 | password: ${{ secrets.DOCKERHUB_TOKEN }} 71 | 72 | - name: Login to Quay.io 73 | if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/v') }} 74 | uses: docker/login-action@v3 75 | with: 76 | registry: quay.io 77 | username: ${{ secrets.QUAY_USERNAME }} 78 | password: ${{ secrets.QUAY_ROBOT_TOKEN }} 79 | 80 | - name: Login to GHCR 81 | if: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/v') }} 82 | uses: docker/login-action@v3 83 | with: 84 | registry: ghcr.io 85 | username: ${{ github.repository_owner }} 86 | password: ${{ secrets.GITHUB_TOKEN }} 87 | 88 | # We want to always build the image, and push to registry only on new tag i.e. new release 89 | - name: Build and push 90 | uses: docker/build-push-action@v6 91 | with: 92 | context: . 93 | platforms: linux/amd64, linux/arm64, linux/ppc64le, linux/s390x 94 | push: ${{ github.event_name != 'pull_request' && startsWith(github.ref, 'refs/tags/v') }} 95 | tags: ${{ steps.meta.outputs.tags }} 96 | labels: ${{ steps.meta.outputs.labels }} 97 | cache-from: type=gha 98 | cache-to: type=gha,mode=max 99 | build-args: | 100 | GO_TAG=${{ steps.set-go.outputs.go-version }} 101 | 102 | release: 103 | name: Release to GitHub Releases 104 | runs-on: ubuntu-latest 105 | if: startsWith(github.ref, 'refs/tags/v') 106 | needs: [ unit_tests, build_dev_image ] 107 | steps: 108 | - uses: actions/checkout@v6 109 | 110 | - name: Release 111 | uses: softprops/action-gh-release@v2 112 | if: startsWith(github.ref, 'refs/tags/v') 113 | with: 114 | generate_release_notes: true 115 | draft: true 116 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/tls" 5 | "crypto/x509" 6 | "flag" 7 | "io/ioutil" 8 | "net/http" 9 | "os" 10 | "os/signal" 11 | "path/filepath" 12 | "strings" 13 | "syscall" 14 | 15 | "k8s.io/klog/v2" 16 | "k8s.io/klog/v2/klogr" 17 | 18 | "github.com/fsnotify/fsnotify" 19 | "github.com/go-logr/logr" 20 | rabbithole "github.com/michaelklishin/rabbit-hole/v3" 21 | "github.com/rabbitmq/default-user-credential-updater/updater" 22 | "gopkg.in/ini.v1" 23 | ) 24 | 25 | func main() { 26 | var managementURI, caFile string 27 | u := &updater.PasswordUpdater{} 28 | 29 | flag.StringVar( 30 | &u.DefaultUserFile, 31 | "default-user-file", 32 | "/etc/rabbitmq/conf.d/11-default_user.conf", 33 | "Absolute path to file containing default user username and (updated) password. "+ 34 | "Its directory will be watched for changes.") 35 | flag.StringVar( 36 | &u.AdminFile, 37 | "admin-file", 38 | "/var/lib/rabbitmq/.rabbitmqadmin.conf", 39 | "Absolute path to file used by rabbitmqadmin CLI. "+ 40 | "It contains RabbitMQ admin username (must be the same as default user username) and (old) password.") 41 | flag.StringVar( 42 | &managementURI, 43 | "management-uri", 44 | "http://127.0.0.1:15672", 45 | "RabbitMQ Management URI") 46 | flag.StringVar( 47 | &caFile, 48 | "ca-file", 49 | "/etc/rabbitmq-tls/ca.crt", 50 | "This file contains the trusted certificate for RabbitMQ server authentication.") 51 | klog.InitFlags(nil) 52 | flag.Parse() 53 | log := klogr.New().WithName("password-updater") 54 | u.Log = log 55 | 56 | rabbitClient, err := newRabbitClient(log, managementURI, caFile) 57 | if err != nil { 58 | log.Error(err, "failed to create RabbitMQ client") 59 | return 60 | } 61 | u.Rmqc = rabbitClient 62 | 63 | // Watch the directory because the file gets re-created (i.e. first removed and then created) 64 | // when password is updated by Vault agent and fsnotify will stop watching a re-created file. 65 | watchDir := filepath.Dir(u.DefaultUserFile) 66 | u.WatchDir = watchDir 67 | 68 | watcher, err := fsnotify.NewWatcher() 69 | if err != nil { 70 | log.Error(err, "failed to create watcher") 71 | return 72 | } 73 | defer watcher.Close() 74 | u.Watcher = watcher 75 | 76 | // Remove trailing new line (.rabbitmqadmin.conf has only one section). 77 | ini.PrettySection = false 78 | 79 | // This channel will contain a value when the Pod gets terminated. 80 | sigs := make(chan os.Signal, 1) 81 | signal.Notify(sigs, syscall.SIGTERM, syscall.SIGINT) 82 | 83 | // This channel will contain a value when our program terminates itself. 84 | // This is preferred over calling os.Exit() because os.Exit() does not run deferred functions. 85 | done := make(chan bool, 1) 86 | u.Done = done 87 | 88 | go u.HandleEvents() 89 | 90 | log.V(1).Info("start watching", "directory", watchDir) 91 | if err := watcher.Add(watchDir); err != nil { 92 | log.Error(err, "cannot watch", "directory", watchDir) 93 | return 94 | } 95 | 96 | select { 97 | case sig := <-sigs: 98 | log.V(1).Info("terminating", "signal", sig.String()) 99 | case <-done: 100 | log.V(1).Info("terminating") 101 | } 102 | } 103 | 104 | func newRabbitClient(log logr.Logger, managementURI, caFile string) (updater.RabbitClient, error) { 105 | if strings.HasPrefix(managementURI, "https") { 106 | caCert, err := ioutil.ReadFile(caFile) 107 | if err != nil { 108 | log.Error(err, "failed to read CA file", "file", caFile) 109 | return nil, err 110 | } 111 | caCertPool := x509.NewCertPool() 112 | caCertPool.AppendCertsFromPEM(caCert) 113 | tlsConfig := &tls.Config{ 114 | RootCAs: caCertPool, 115 | } 116 | transport := &http.Transport{TLSClientConfig: tlsConfig} 117 | rmqc, err := rabbithole.NewTLSClient(managementURI, "", "", transport) 118 | if err != nil { 119 | log.Error(err, "failed to create rabbithole TLS client", "uri", managementURI, "ca-file", caFile) 120 | return nil, err 121 | } 122 | return rabbitHoleClientWrapper{rmqc}, nil 123 | } 124 | rmqc, err := rabbithole.NewClient(managementURI, "", "") 125 | if err != nil { 126 | log.Error(err, "failed to create rabbithole client", "uri", managementURI) 127 | return nil, err 128 | } 129 | return rabbitHoleClientWrapper{rmqc}, nil 130 | } 131 | 132 | type rabbitHoleClientWrapper struct { 133 | rabbitHoleClient *rabbithole.Client 134 | } 135 | 136 | func (w rabbitHoleClientWrapper) GetUser(username string) (*rabbithole.UserInfo, error) { 137 | return w.rabbitHoleClient.GetUser(username) 138 | } 139 | func (w rabbitHoleClientWrapper) PutUser(username string, info rabbithole.UserSettings) (*http.Response, error) { 140 | return w.rabbitHoleClient.PutUser(username, info) 141 | } 142 | func (w rabbitHoleClientWrapper) Whoami() (*rabbithole.WhoamiInfo, error) { 143 | return w.rabbitHoleClient.Whoami() 144 | } 145 | func (w rabbitHoleClientWrapper) GetUsername() string { 146 | return w.rabbitHoleClient.Username 147 | } 148 | func (w rabbitHoleClientWrapper) SetUsername(username string) { 149 | w.rabbitHoleClient.Username = username 150 | } 151 | func (w rabbitHoleClientWrapper) SetPassword(passwd string) { 152 | w.rabbitHoleClient.Password = passwd 153 | } 154 | -------------------------------------------------------------------------------- /updater/event_handler.go: -------------------------------------------------------------------------------- 1 | package updater 2 | 3 | import ( 4 | "fmt" 5 | "net/http" 6 | 7 | "github.com/fsnotify/fsnotify" 8 | "github.com/go-logr/logr" 9 | rabbithole "github.com/michaelklishin/rabbit-hole/v3" 10 | "gopkg.in/ini.v1" 11 | ) 12 | 13 | type PasswordUpdater struct { 14 | DefaultUserFile string 15 | AdminFile string 16 | Watcher *fsnotify.Watcher 17 | WatchDir string 18 | Done chan<- bool 19 | Log logr.Logger 20 | Rmqc RabbitClient 21 | } 22 | 23 | type RabbitClient interface { 24 | // RabbitMQ Management API functions 25 | GetUser(string) (*rabbithole.UserInfo, error) 26 | PutUser(string, rabbithole.UserSettings) (*http.Response, error) 27 | Whoami() (*rabbithole.WhoamiInfo, error) 28 | // Field getters and setters 29 | GetUsername() string 30 | SetUsername(string) 31 | SetPassword(string) 32 | } 33 | 34 | func (u *PasswordUpdater) HandleEvents() { 35 | for { 36 | select { 37 | case event, ok := <-u.Watcher.Events: 38 | if !ok { 39 | u.Log.V(0).Info("watcher events channel is closed, exiting...", "directory", u.WatchDir) 40 | u.Done <- true 41 | return 42 | } 43 | if fileChanged(u.DefaultUserFile, event) { 44 | u.Log.V(2).Info("file system event", "file", u.DefaultUserFile, "operation", event.Op.String()) 45 | 46 | // read default user username and (new) password 47 | defaultUserCfg, err := ini.Load(u.DefaultUserFile) 48 | if err != nil { 49 | u.Log.Error(err, "failed to load INI data source", "file", u.DefaultUserFile) 50 | u.Done <- true 51 | return 52 | } 53 | defaultUser := defaultUserCfg.Section("").Key("default_user").String() 54 | newPasswd := defaultUserCfg.Section("").Key("default_pass").String() 55 | 56 | // read admin username and (old) password 57 | adminCfg, err := ini.Load(u.AdminFile) 58 | if err != nil { 59 | u.Log.Error(err, "failed to load INI data source", "file", u.AdminFile) 60 | u.Done <- true 61 | return 62 | } 63 | adminSection := adminCfg.Section("default") 64 | adminUser := adminSection.Key("username").String() 65 | oldPasswd := adminSection.Key("password").String() 66 | 67 | if defaultUser != adminUser { 68 | u.Log.V(0).Info("exiting because usernames do not match", 69 | "default-user", defaultUser, "default-user-file", u.DefaultUserFile, 70 | "admin-user", adminUser, "admin-file", u.AdminFile) 71 | u.Done <- true 72 | return 73 | } 74 | if newPasswd == oldPasswd { 75 | u.Log.V(2).Info("passwords already match, nothing to do", "username", defaultUser) 76 | break 77 | } 78 | 79 | u.Rmqc.SetUsername(adminUser) 80 | u.Rmqc.SetPassword(oldPasswd) 81 | 82 | if err := u.updateInRabbitMQ(adminUser, newPasswd); err != nil { 83 | break 84 | } 85 | 86 | u.Log.V(4).Info("copying new password...", "source", u.DefaultUserFile, "target", u.AdminFile) 87 | adminSection.Key("password").SetValue(newPasswd) 88 | if err := adminCfg.SaveTo(u.AdminFile); err != nil { 89 | u.Log.Error(err, "failed to write new password", "file", u.AdminFile) 90 | u.Done <- true 91 | return 92 | } 93 | u.Log.V(2).Info("copied new password", "source", u.DefaultUserFile, "target", u.AdminFile) 94 | } else { 95 | u.Log.V(4).Info("file system event", "file", event.Name, "operation", event.Op.String()) 96 | } 97 | 98 | case err, ok := <-u.Watcher.Errors: 99 | if !ok { 100 | u.Log.V(0).Info("watcher errors channel is closed, exiting...") 101 | u.Done <- true 102 | return 103 | } 104 | u.Log.Error(err, "failed to watch", "directory", u.WatchDir) 105 | } 106 | } 107 | 108 | } 109 | 110 | func fileChanged(defaultUserFile string, event fsnotify.Event) bool { 111 | return event.Name == defaultUserFile && 112 | (event.Op&fsnotify.Create == fsnotify.Create || 113 | event.Op&fsnotify.Write == fsnotify.Write) 114 | } 115 | 116 | // updateInRabbitMQ sets newPasswd for existingUser in the RabbitMQ server. 117 | // It returns an error if password cannot be updated. 118 | func (u *PasswordUpdater) updateInRabbitMQ(existingUser, newPasswd string) error { 119 | pathUsers := "/api/users/" + existingUser 120 | 121 | user, err := u.Rmqc.GetUser(existingUser) 122 | if err != nil { 123 | return u.handleHTTPError(err, http.MethodGet, pathUsers, newPasswd) 124 | } 125 | 126 | // We succeeded to fetch user tags, continue to update user password. 127 | newUserSettings := rabbithole.UserSettings{ 128 | Name: existingUser, 129 | Tags: user.Tags, 130 | Password: newPasswd, 131 | HashingAlgorithm: user.HashingAlgorithm, 132 | } 133 | resp, err := u.Rmqc.PutUser(existingUser, newUserSettings) 134 | if err != nil { 135 | return u.handleHTTPError(err, http.MethodPut, pathUsers, newPasswd) 136 | } 137 | 138 | u.Log.V(3).Info("HTTP response", "method", http.MethodPut, "path", pathUsers, "status", resp.Status) 139 | u.Log.V(2).Info("updated password on RabbitMQ server", "user", existingUser) 140 | return nil 141 | } 142 | 143 | func (u *PasswordUpdater) handleHTTPError(err error, httpMethod, pathUsers, newPasswd string) error { 144 | // as returned in 145 | // https://github.com/michaelklishin/rabbit-hole/blob/1de83b96b8ba1e29afd003143a9d8a8234d4e913/client.go#L153 146 | if err.Error() == "Error: API responded with a 401 Unauthorized" { 147 | // Only one node in a multi node RabbitMQ cluster will update the password. 148 | // All other nodes are expected to run into this branch. 149 | u.Log.V(2).Info( 150 | "HTTP request with old password returned 401 Unauthorized, therefore trying to authenticate with new password...", 151 | "method", httpMethod, "path", pathUsers) 152 | u.Rmqc.SetPassword(newPasswd) 153 | return u.authenticate() 154 | } 155 | u.Log.Error(err, "HTTP request failed", "method", httpMethod, "path", pathUsers) 156 | return err 157 | } 158 | 159 | // authenticate checks whether authentication succeeds. 160 | // It queries /api/whoami (although it could query any other endpoint requiring basic auth). 161 | // Returns an error if authentication fails. 162 | func (u *PasswordUpdater) authenticate() error { 163 | const pathWhoAmI = "/api/whoami" 164 | _, err := u.Rmqc.Whoami() 165 | if err != nil { 166 | u.Log.Error(err, fmt.Sprintf("failed to GET %s with new password", pathWhoAmI)) 167 | return err 168 | } 169 | u.Log.V(2).Info(fmt.Sprintf( 170 | "GET %s with new password succeeded, therefore skipping PUT %s...", pathWhoAmI, "/api/users/"+u.Rmqc.GetUsername())) 171 | return nil 172 | } 173 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= 2 | github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= 3 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 4 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 5 | github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= 6 | github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= 7 | github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= 8 | github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= 9 | github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= 10 | github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= 11 | github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE= 12 | github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc= 13 | github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= 14 | github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 15 | github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= 16 | github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= 17 | github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= 18 | github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= 19 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 20 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= 21 | github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= 22 | github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= 23 | github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE= 24 | github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung= 25 | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 26 | github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 27 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 28 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 29 | github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= 30 | github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= 31 | github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE= 32 | github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A= 33 | github.com/michaelklishin/rabbit-hole/v3 v3.2.0 h1:N4YdHFj36MP5059Csze9B4TTZPS6j6HPJm9bBeZgvJk= 34 | github.com/michaelklishin/rabbit-hole/v3 v3.2.0/go.mod h1:LTyucfaAV/Y++Y6aVfAmsc6lvKw3y0WEyQa+yPAXcXc= 35 | github.com/onsi/ginkgo/v2 v2.27.3 h1:ICsZJ8JoYafeXFFlFAG75a7CxMsJHwgKwtO+82SE9L8= 36 | github.com/onsi/ginkgo/v2 v2.27.3/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= 37 | github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM= 38 | github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= 39 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 40 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 41 | github.com/rabbitmq/amqp091-go v1.10.0 h1:STpn5XsHlHGcecLmMFCtg7mqq0RnD+zFr4uzukfVhBw= 42 | github.com/rabbitmq/amqp091-go v1.10.0/go.mod h1:Hy4jKW5kQART1u+JkDTF9YYOQUHXqMuhrgxOEeS7G4o= 43 | github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= 44 | github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= 45 | github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= 46 | github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 47 | github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= 48 | github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= 49 | github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= 50 | github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= 51 | github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= 52 | github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= 53 | github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= 54 | github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= 55 | go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= 56 | go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= 57 | golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ= 58 | golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc= 59 | golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE= 60 | golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg= 61 | golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= 62 | golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= 63 | golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= 64 | golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= 65 | golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= 66 | golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= 67 | golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg= 68 | golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s= 69 | google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A= 70 | google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= 71 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 72 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 73 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 74 | gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= 75 | gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= 76 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 77 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 78 | k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= 79 | k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= 80 | -------------------------------------------------------------------------------- /updater/event_handler_test.go: -------------------------------------------------------------------------------- 1 | package updater_test 2 | 3 | import ( 4 | "errors" 5 | "net/http" 6 | "os" 7 | "path/filepath" 8 | 9 | "github.com/fsnotify/fsnotify" 10 | rabbithole "github.com/michaelklishin/rabbit-hole/v3" 11 | . "github.com/onsi/ginkgo/v2" 12 | . "github.com/onsi/gomega" 13 | . "github.com/rabbitmq/default-user-credential-updater/updater" 14 | "gopkg.in/ini.v1" 15 | "k8s.io/klog/v2/klogr" 16 | ) 17 | 18 | const ( 19 | defaultFileSection = "" 20 | defaultFileUserKey = "default_user" 21 | defaultFilePasswordKey = "default_pass" 22 | adminFileSection = "default" 23 | adminFileUserKey = "username" 24 | adminFilePasswordKey = "password" 25 | ) 26 | 27 | var ( 28 | defaultUserFile = filepath.Join("test", "default-user.conf") 29 | adminFile = filepath.Join("test", "rabbitmqadmin.conf") 30 | ) 31 | 32 | var _ = Describe("EventHandler", func() { 33 | const watchDir = "test" 34 | var ( 35 | u *PasswordUpdater 36 | fakeClient *fakeRabbitClient 37 | done chan bool 38 | // as returned in https://github.com/michaelklishin/rabbit-hole/blob/1de83b96b8ba1e29afd003143a9d8a8234d4e913/client.go#L153 39 | errUnauthorized = errors.New("Error: API responded with a 401 Unauthorized") 40 | ) 41 | 42 | BeforeEach(func() { 43 | // Remove trailing new line 44 | ini.PrettySection = false 45 | initConfigFiles() 46 | log := klogr.New() 47 | fakeClient = &fakeRabbitClient{} 48 | watcher, err := fsnotify.NewWatcher() 49 | Expect(err).ToNot(HaveOccurred()) 50 | Expect(watcher.Add(watchDir)).To(Succeed()) 51 | done = make(chan bool, 1) 52 | u = &PasswordUpdater{ 53 | DefaultUserFile: defaultUserFile, 54 | AdminFile: adminFile, 55 | Watcher: watcher, 56 | WatchDir: watchDir, 57 | Done: done, 58 | Log: log, 59 | Rmqc: fakeClient, 60 | } 61 | go u.HandleEvents() 62 | }) 63 | 64 | AfterEach(func() { 65 | u.Watcher.Close() 66 | initConfigFiles() 67 | }) 68 | 69 | When("default user file cannot be parsed", func() { 70 | BeforeEach(func() { 71 | Expect(os.WriteFile(defaultUserFile, []byte("invalid INI"), 0644)).To(Succeed()) 72 | }) 73 | It("exits", func() { 74 | Eventually(done).Should(Receive()) 75 | }) 76 | }) 77 | When("admin file cannot be parsed", func() { 78 | BeforeEach(func() { 79 | Expect(os.WriteFile(adminFile, []byte("invalid INI"), 0644)).To(Succeed()) 80 | // trigger file event 81 | write(defaultUserFile, defaultFileSection, defaultFilePasswordKey, "pwd1") 82 | }) 83 | It("exits", func() { 84 | Eventually(done).Should(Receive()) 85 | }) 86 | }) 87 | 88 | When("passwords in files already match", func() { 89 | BeforeEach(func() { 90 | // trigger file event with same password 91 | write(defaultUserFile, defaultFileSection, defaultFilePasswordKey, "pwd1") 92 | }) 93 | It("does not talk to RabbitMQ", func() { 94 | Consistently(func() string { 95 | return fakeClient.getUserArg 96 | }).Should(BeEmpty()) 97 | 98 | Consistently(func() putUserArg { 99 | return fakeClient.putUserArg 100 | }).Should(Equal(putUserArg{})) 101 | }) 102 | }) 103 | 104 | When("usernames in files do not match", func() { 105 | BeforeEach(func() { 106 | write(defaultUserFile, defaultFileSection, defaultFileUserKey, "otherUser") 107 | }) 108 | It("exits because this tool only updates the password", func() { 109 | Eventually(done).Should(Receive()) 110 | }) 111 | }) 112 | 113 | When("password in default user file updates", func() { 114 | JustBeforeEach(func() { 115 | write(defaultUserFile, defaultFileSection, defaultFilePasswordKey, "pwd2") 116 | }) 117 | When("password in RabbitMQ is not yet up-to-date", func() { 118 | BeforeEach(func() { 119 | fakeClient.getUserReturn = getUserReturn{ 120 | userInfo: &rabbithole.UserInfo{ 121 | HashingAlgorithm: "myalgo", 122 | Tags: rabbithole.UserTags{"mytag"}, 123 | }} 124 | fakeClient.putUserReturn = putUserReturn{ 125 | resp: &http.Response{ 126 | Status: "204 No Content", 127 | }} 128 | }) 129 | It("updates password in RabbitMQ", func() { 130 | Eventually(func() string { 131 | return fakeClient.getUserArg 132 | }).Should(Equal("myuser")) 133 | expectedUserSettings := rabbithole.UserSettings{ 134 | Name: "myuser", 135 | Tags: rabbithole.UserTags{"mytag"}, 136 | Password: "pwd2", 137 | HashingAlgorithm: "myalgo", 138 | } 139 | Expect(fakeClient.putUserArg).To(Equal(putUserArg{"myuser", expectedUserSettings})) 140 | }) 141 | It("copies new password to admin conf", func() { 142 | Eventually(func() string { 143 | return read(adminFile, adminFileSection, adminFilePasswordKey) 144 | }).Should(Equal("pwd2")) 145 | }) 146 | }) 147 | When("password in RabbitMQ is already up-to-date", func() { 148 | BeforeEach(func() { 149 | fakeClient.whoamiReturn = whoamiReturn{err: nil} 150 | }) 151 | Context("before GET /api/users/myuser", func() { 152 | BeforeEach(func() { 153 | fakeClient.getUserReturn = getUserReturn{ 154 | // as returned in https://github.com/michaelklishin/rabbit-hole/blob/1de83b96b8ba1e29afd003143a9d8a8234d4e913/client.go#L153 155 | err: errUnauthorized} 156 | }) 157 | It("does not PUT /api/users/myuser", func() { 158 | Consistently(func() putUserArg { 159 | return fakeClient.putUserArg 160 | }).Should(Equal(putUserArg{})) 161 | }) 162 | It("copies new password to admin conf", func() { 163 | Eventually(func() string { 164 | return read(adminFile, adminFileSection, adminFilePasswordKey) 165 | }).Should(Equal("pwd2")) 166 | }) 167 | }) 168 | Context("after GET /api/users/myuser", func() { 169 | BeforeEach(func() { 170 | fakeClient.getUserReturn = getUserReturn{ 171 | userInfo: &rabbithole.UserInfo{ 172 | HashingAlgorithm: "myalgo", 173 | Tags: rabbithole.UserTags{"mytag"}, 174 | }} 175 | fakeClient.putUserReturn = putUserReturn{ 176 | err: errUnauthorized} 177 | }) 178 | It("copies new password to admin conf", func() { 179 | Eventually(func() string { 180 | return read(adminFile, adminFileSection, adminFilePasswordKey) 181 | }).Should(Equal("pwd2")) 182 | }) 183 | }) 184 | }) 185 | When("neither old nor new password is valid", func() { 186 | BeforeEach(func() { 187 | fakeClient.getUserReturn = getUserReturn{err: errUnauthorized} 188 | fakeClient.whoamiReturn = whoamiReturn{err: errors.New("cannot authenticate with new password either")} 189 | }) 190 | It("does not copy new password to admin conf", func() { 191 | Consistently(func() string { 192 | return read(adminFile, adminFileSection, adminFilePasswordKey) 193 | }).Should(Equal("pwd1")) 194 | }) 195 | }) 196 | }) 197 | }) 198 | 199 | func initConfigFiles() { 200 | cfg := ini.Empty() 201 | _, err := cfg.Section(defaultFileSection).NewKey(defaultFileUserKey, "myuser") 202 | Expect(err).ToNot(HaveOccurred()) 203 | _, err = cfg.Section(defaultFileSection).NewKey(defaultFilePasswordKey, "pwd1") 204 | Expect(err).ToNot(HaveOccurred()) 205 | Expect(cfg.SaveTo(defaultUserFile)).To(Succeed()) 206 | 207 | cfg = ini.Empty() 208 | section, err := cfg.NewSection(adminFileSection) 209 | Expect(err).ToNot(HaveOccurred()) 210 | _, err = section.NewKey(adminFileUserKey, "myuser") 211 | Expect(err).ToNot(HaveOccurred()) 212 | _, err = section.NewKey(adminFilePasswordKey, "pwd1") 213 | Expect(err).ToNot(HaveOccurred()) 214 | Expect(cfg.SaveTo(adminFile)).To(Succeed()) 215 | } 216 | 217 | func read(file, section, key string) string { 218 | cfg, err := ini.Load(file) 219 | Expect(err).ToNot(HaveOccurred()) 220 | return cfg.Section(section).Key(key).String() 221 | } 222 | 223 | func write(file, section, key, value string) { 224 | cfg, err := ini.Load(file) 225 | Expect(err).ToNot(HaveOccurred()) 226 | cfg.Section(section).Key(key).SetValue(value) 227 | Expect(cfg.SaveTo(file)).To(Succeed()) 228 | } 229 | 230 | type fakeRabbitClient struct { 231 | Username string 232 | Password string 233 | // Method arguments. 234 | // Enables us to assert after the test ran. 235 | getUserArg string 236 | putUserArg putUserArg 237 | // Method return values. 238 | // Enables us to stub before the test runs. 239 | getUserReturn getUserReturn 240 | putUserReturn putUserReturn 241 | whoamiReturn whoamiReturn 242 | } 243 | type getUserReturn struct { 244 | userInfo *rabbithole.UserInfo 245 | err error 246 | } 247 | type putUserArg struct { 248 | username string 249 | info rabbithole.UserSettings 250 | } 251 | type putUserReturn struct { 252 | resp *http.Response 253 | err error 254 | } 255 | type whoamiReturn struct { 256 | info *rabbithole.WhoamiInfo 257 | err error 258 | } 259 | 260 | func (frc *fakeRabbitClient) GetUser(username string) (*rabbithole.UserInfo, error) { 261 | frc.getUserArg = username 262 | r := frc.getUserReturn 263 | return r.userInfo, r.err 264 | } 265 | func (frc *fakeRabbitClient) PutUser(username string, info rabbithole.UserSettings) (*http.Response, error) { 266 | frc.putUserArg = putUserArg{ 267 | username: username, 268 | info: info, 269 | } 270 | r := frc.putUserReturn 271 | return r.resp, r.err 272 | } 273 | func (frc *fakeRabbitClient) Whoami() (*rabbithole.WhoamiInfo, error) { 274 | r := frc.whoamiReturn 275 | return r.info, r.err 276 | } 277 | func (frc *fakeRabbitClient) GetUsername() string { 278 | return frc.Username 279 | } 280 | func (frc *fakeRabbitClient) SetUsername(username string) { 281 | frc.Username = username 282 | } 283 | func (frc *fakeRabbitClient) SetPassword(passwd string) { 284 | frc.Password = passwd 285 | } 286 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 374 | --------------------------------------------------------------------------------