├── .github ├── ISSUE_TEMPLATE.md └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── .travis.yml ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── LICENSE-MPL-RabbitMQ ├── Makefile ├── README.md ├── erlang.mk ├── priv └── schema │ └── rabbitmq_auth_backend_cache.schema ├── rabbitmq-components.mk ├── src ├── rabbit_auth_backend_cache.erl ├── rabbit_auth_backend_cache_app.erl ├── rabbit_auth_cache.erl ├── rabbit_auth_cache_dict.erl ├── rabbit_auth_cache_ets.erl ├── rabbit_auth_cache_ets_segmented.erl └── rabbit_auth_cache_ets_segmented_stateless.erl └── test ├── config_schema_SUITE.erl ├── config_schema_SUITE_data └── rabbitmq_auth_backend_cache.snippets ├── rabbit_auth_backend_cache_SUITE.erl └── rabbit_auth_cache_SUITE.erl /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Thank you for using RabbitMQ. 2 | 3 | **STOP NOW AND READ THIS** BEFORE OPENING A NEW ISSUE ON GITHUB 4 | 5 | Unless you are CERTAIN you have found a reproducible problem in RabbitMQ or 6 | have a **specific, actionable** suggestion for our team, you must first ask 7 | your question or discuss your suspected issue on the mailing list: 8 | 9 | https://groups.google.com/forum/#!forum/rabbitmq-users 10 | 11 | Team RabbitMQ does not use GitHub issues for discussions, investigations, root 12 | cause analysis and so on. 13 | 14 | Please take the time to read the CONTRIBUTING.md document for instructions on 15 | how to effectively ask a question or report a suspected issue: 16 | 17 | https://github.com/rabbitmq/rabbitmq-server/blob/master/CONTRIBUTING.md#github-issues 18 | 19 | Following these rules **will save time** for both you and RabbitMQ's maintainers. 20 | 21 | Thank you. 
22 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## Proposed Changes 2 | 3 | Please describe the big picture of your changes here to communicate to the 4 | RabbitMQ team why we should accept this pull request. If it fixes a bug or 5 | resolves a feature request, be sure to link to that issue. 6 | 7 | A pull request that doesn't explain **why** the change was made has a much 8 | lower chance of being accepted. 9 | 10 | If English isn't your first language, don't worry about it and try to 11 | communicate the problem you are trying to solve to the best of your abilities. 12 | As long as we can understand the intent, it's all good. 13 | 14 | ## Types of Changes 15 | 16 | What types of changes does your code introduce to this project? 17 | _Put an `x` in the boxes that apply_ 18 | 19 | - [ ] Bug fix (non-breaking change which fixes issue #NNNN) 20 | - [ ] New feature (non-breaking change which adds functionality) 21 | - [ ] Breaking change (fix or feature that would cause an observable behavior change in existing systems) 22 | - [ ] Documentation improvements (corrections, new content, etc) 23 | - [ ] Cosmetic change (whitespace, formatting, etc) 24 | 25 | ## Checklist 26 | 27 | _Put an `x` in the boxes that apply. You can also fill these out after creating 28 | the PR. If you're unsure about any of them, don't hesitate to ask on the 29 | mailing list. We're here to help! 
This is simply a reminder of what we are 30 | going to look for before merging your code._ 31 | 32 | - [ ] I have read the `CONTRIBUTING.md` document 33 | - [ ] I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq) 34 | - [ ] All tests pass locally with my changes 35 | - [ ] I have added tests that prove my fix is effective or that my feature works 36 | - [ ] I have added necessary documentation (if appropriate) 37 | - [ ] Any dependent changes have been merged and published in related repositories 38 | 39 | ## Further Comments 40 | 41 | If this is a relatively large or complex change, kick off the discussion by 42 | explaining why you chose the solution you did and what alternatives you 43 | considered, etc. 44 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .sw? 2 | .*.sw? 3 | *.beam 4 | /.erlang.mk/ 5 | /cover/ 6 | /deps/ 7 | /doc/ 8 | /ebin/ 9 | /escript/ 10 | /escript.lock 11 | /logs/ 12 | /plugins/ 13 | /plugins.lock 14 | /sbin/ 15 | /sbin.lock 16 | 17 | test/config_schema_SUITE_data/schema/ 18 | 19 | /rabbitmq_auth_backend_cache.d 20 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | # vim:sw=2:et: 2 | 3 | os: linux 4 | dist: xenial 5 | language: elixir 6 | notifications: 7 | email: 8 | recipients: 9 | - alerts@rabbitmq.com 10 | on_success: never 11 | on_failure: always 12 | addons: 13 | apt: 14 | packages: 15 | - awscli 16 | cache: 17 | apt: true 18 | env: 19 | global: 20 | - secure: 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 21 | - secure: 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 22 | 23 | # $base_rmq_ref is used by rabbitmq-components.mk to select the 24 | # appropriate branch for dependencies. 
25 | - base_rmq_ref=master 26 | 27 | elixir: 28 | - '1.9' 29 | otp_release: 30 | - '21.3' 31 | - '22.2' 32 | 33 | install: 34 | # This project being an Erlang one (we just set language to Elixir 35 | # to ensure it is installed), we don't want Travis to run mix(1) 36 | # automatically as it will break. 37 | skip 38 | 39 | script: 40 | # $current_rmq_ref is also used by rabbitmq-components.mk to select 41 | # the appropriate branch for dependencies. 42 | - make check-rabbitmq-components.mk 43 | current_rmq_ref="${TRAVIS_PULL_REQUEST_BRANCH:-${TRAVIS_BRANCH}}" 44 | - make xref 45 | current_rmq_ref="${TRAVIS_PULL_REQUEST_BRANCH:-${TRAVIS_BRANCH}}" 46 | - make tests 47 | current_rmq_ref="${TRAVIS_PULL_REQUEST_BRANCH:-${TRAVIS_BRANCH}}" 48 | 49 | after_failure: 50 | - | 51 | cd "$TRAVIS_BUILD_DIR" 52 | if test -d logs && test "$AWS_ACCESS_KEY_ID" && test "$AWS_SECRET_ACCESS_KEY"; then 53 | archive_name="$(basename "$TRAVIS_REPO_SLUG")-$TRAVIS_JOB_NUMBER" 54 | 55 | tar -c --transform "s/^logs/${archive_name}/" -f - logs | \ 56 | xz > "${archive_name}.tar.xz" 57 | 58 | aws s3 cp "${archive_name}.tar.xz" s3://server-release-pipeline/travis-ci-logs/ \ 59 | --region eu-west-1 \ 60 | --acl public-read 61 | fi 62 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Code of Conduct 2 | 3 | As contributors and maintainers of this project, and in the interest of fostering an open 4 | and welcoming community, we pledge to respect all people who contribute through reporting 5 | issues, posting feature requests, updating documentation, submitting pull requests or 6 | patches, and other activities. 
7 | 8 | We are committed to making participation in this project a harassment-free experience for 9 | everyone, regardless of level of experience, gender, gender identity and expression, 10 | sexual orientation, disability, personal appearance, body size, race, ethnicity, age, 11 | religion, or nationality. 12 | 13 | Examples of unacceptable behavior by participants include: 14 | 15 | * The use of sexualized language or imagery 16 | * Personal attacks 17 | * Trolling or insulting/derogatory comments 18 | * Public or private harassment 19 | * Publishing other's private information, such as physical or electronic addresses, 20 | without explicit permission 21 | * Other unethical or unprofessional conduct 22 | 23 | Project maintainers have the right and responsibility to remove, edit, or reject comments, 24 | commits, code, wiki edits, issues, and other contributions that are not aligned to this 25 | Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors 26 | that they deem inappropriate, threatening, offensive, or harmful. 27 | 28 | By adopting this Code of Conduct, project maintainers commit themselves to fairly and 29 | consistently applying these principles to every aspect of managing this project. Project 30 | maintainers who do not follow or enforce the Code of Conduct may be permanently removed 31 | from the project team. 32 | 33 | This Code of Conduct applies both within project spaces and in public spaces when an 34 | individual is representing the project or its community. 35 | 36 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by 37 | contacting a project maintainer at [info@rabbitmq.com](mailto:info@rabbitmq.com). All complaints will 38 | be reviewed and investigated and will result in a response that is deemed necessary and 39 | appropriate to the circumstances. Maintainers are obligated to maintain confidentiality 40 | with regard to the reporter of an incident. 
41 | 42 | This Code of Conduct is adapted from the 43 | [Contributor Covenant](https://contributor-covenant.org), version 1.3.0, available at 44 | [contributor-covenant.org/version/1/3/0/](https://contributor-covenant.org/version/1/3/0/) 45 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | Thank you for using RabbitMQ and for taking the time to contribute to the project. 2 | This document has two main parts: 3 | 4 | * when and how to file GitHub issues for RabbitMQ projects 5 | * how to submit pull requests 6 | 7 | They are intended to save you and RabbitMQ maintainers some time, so please 8 | take a moment to read through them. 9 | 10 | ## Overview 11 | 12 | ### GitHub issues 13 | 14 | The RabbitMQ team uses GitHub issues for _specific actionable items_ that 15 | engineers can work on. This assumes the following: 16 | 17 | * GitHub issues are not used for questions, investigations, root cause 18 | analysis, discussions of potential issues, etc (as defined by this team) 19 | * Enough information is provided by the reporter for maintainers to work with 20 | 21 | The team receives many questions through various venues every single 22 | day. Frequently, these questions do not include the necessary details 23 | the team needs to begin useful work. GitHub issues can very quickly 24 | turn into something impossible to navigate and make sense 25 | of. Because of this, questions, investigations, root cause analysis, 26 | and discussions of potential features are all considered to be 27 | [mailing list][rmq-users] material. If you are unsure where to begin, 28 | the [RabbitMQ users mailing list][rmq-users] is the right place. 29 | 30 | Getting all the details necessary to reproduce an issue, make a 31 | conclusion or even form a hypothesis about what's happening can take a 32 | fair amount of time.
Please help others help you by providing a way to 33 | reproduce the behavior you're observing, or at least sharing as much 34 | relevant information as possible on the [RabbitMQ users mailing 35 | list][rmq-users]. 36 | 37 | Please provide versions of the software used: 38 | 39 | * RabbitMQ server 40 | * Erlang 41 | * Operating system version (and distribution, if applicable) 42 | * All client libraries used 43 | * RabbitMQ plugins (if applicable) 44 | 45 | The following information greatly helps in investigating and reproducing issues: 46 | 47 | * RabbitMQ server logs 48 | * A code example or terminal transcript that can be used to reproduce 49 | * Full exception stack traces (a single line message is not enough!) 50 | * `rabbitmqctl report` and `rabbitmqctl environment` output 51 | * Other relevant details about the environment and workload, e.g. a traffic capture 52 | * Feel free to edit out hostnames and other potentially sensitive information. 53 | 54 | To make collecting much of this and other environment information easier, use 55 | the [`rabbitmq-collect-env`][rmq-collect-env] script. It will produce an archive with 56 | server logs, operating system logs, output of certain diagnostics commands and so on. 57 | Please note that **no effort is made to scrub any information that may be sensitive**, so review the archive before sharing it. 58 | 59 | ### Pull Requests 60 | 61 | RabbitMQ projects use pull requests to discuss, collaborate on and accept code contributions. 62 | Pull requests are the primary place for discussing code changes. 63 | 64 | Here's the recommended workflow: 65 | 66 | * [Fork the repository][github-fork] or repositories you plan on contributing to.
If multiple 67 | repositories are involved in addressing the same issue, please use the same branch name 68 | in each repository 69 | * Create a branch with a descriptive name in the relevant repositories 70 | * Make your changes, run tests (usually with `make tests`), commit with a 71 | [descriptive message][git-commit-msgs], push to your fork 72 | * Submit pull requests with an explanation what has been changed and **why** 73 | * Submit a filled out and signed [Contributor Agreement][ca-agreement] if needed (see below) 74 | * Be patient. We will get to your pull request eventually 75 | 76 | If what you are going to work on is a substantial change, please first 77 | ask the core team for their opinion on the [RabbitMQ users mailing list][rmq-users]. 78 | 79 | ## Running Tests 80 | 81 | make tests 82 | 83 | ## Code of Conduct 84 | 85 | See [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md). 86 | 87 | ## Contributor Agreement 88 | 89 | If you want to contribute a non-trivial change, please submit a signed 90 | copy of our [Contributor Agreement][ca-agreement] around the time you 91 | submit your pull request. This will make it much easier (in some 92 | cases, possible) for the RabbitMQ team at Pivotal to merge your 93 | contribution. 94 | 95 | ## Where to Ask Questions 96 | 97 | If something isn't clear, feel free to ask on our [mailing list][rmq-users]. 98 | 99 | [rmq-collect-env]: https://github.com/rabbitmq/support-tools/blob/master/scripts/rabbitmq-collect-env 100 | [git-commit-msgs]: https://chris.beams.io/posts/git-commit/ 101 | [rmq-users]: https://groups.google.com/forum/#!forum/rabbitmq-users 102 | [ca-agreement]: https://cla.pivotal.io/sign/rabbitmq 103 | [github-fork]: https://help.github.com/articles/fork-a-repo/ 104 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | This package is licensed under the MPL 2.0. 
For the MPL 2.0, please see LICENSE-MPL-RabbitMQ. 2 | 3 | If you have any questions regarding licensing, please contact us at 4 | info@rabbitmq.com. 5 | -------------------------------------------------------------------------------- /LICENSE-MPL-RabbitMQ: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. 
"Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. 
Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. 
Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. 
Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. 
Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. 
However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
374 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | PROJECT = rabbitmq_auth_backend_cache 2 | PROJECT_DESCRIPTION = RabbitMQ Authentication Backend cache 3 | PROJECT_MOD = rabbit_auth_backend_cache_app 4 | 5 | define PROJECT_ENV 6 | [ 7 | {cache_ttl, 15000}, 8 | {cache_module, rabbit_auth_cache_ets}, 9 | {cache_module_args, []}, 10 | {cached_backend, rabbit_auth_backend_internal}, 11 | {cache_refusals, false} 12 | ] 13 | endef 14 | 15 | define PROJECT_APP_EXTRA_KEYS 16 | {broker_version_requirements, []} 17 | endef 18 | 19 | DEPS = rabbit_common rabbit 20 | TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers 21 | 22 | DEP_EARLY_PLUGINS = rabbit_common/mk/rabbitmq-early-plugin.mk 23 | DEP_PLUGINS = rabbit_common/mk/rabbitmq-plugin.mk 24 | 25 | # FIXME: Use erlang.mk patched for RabbitMQ, while waiting for PRs to be 26 | # reviewed and merged. 27 | 28 | ERLANG_MK_REPO = https://github.com/rabbitmq/erlang.mk.git 29 | ERLANG_MK_COMMIT = rabbitmq-tmp 30 | 31 | include rabbitmq-components.mk 32 | include erlang.mk 33 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # RabbitMQ Access Control Cache Plugin 2 | 3 | ## This was migrated to https://github.com/rabbitmq/rabbitmq-server 4 | 5 | This repository has been moved to the main unified RabbitMQ "monorepo", including all open issues. You can find the source under [/deps/rabbitmq_auth_backend_cache](https://github.com/rabbitmq/rabbitmq-server/tree/master/deps/rabbitmq_auth_backend_cache). 6 | All issues have been transferred. 7 | 8 | ## Project Maturity 9 | 10 | As of 3.7.0, this plugin is distributed with RabbitMQ. 
11 | 12 | ## Overview 13 | 14 | This plugin provides a caching layer for [access control operations](https://rabbitmq.com/access-control.html) 15 | performed by RabbitMQ nodes. 16 | 17 | This plugin provides a way to cache [authentication and authorization backend](https://rabbitmq.com/access-control.html) 18 | results for a configurable amount of time. 19 | 20 | It's not an independent auth backend but a caching layer for existing backends 21 | such as the built-in, [LDAP](https://github.com/rabbitmq/rabbitmq-auth-backend-ldap), or [HTTP](https://github.com/rabbitmq/rabbitmq-auth-backend-http) 22 | ones. 23 | 24 | Cache expiration is currently time-based: a cached result keeps being served until its TTL runs out, so a credential or permission change in the wrapped backend 25 | only takes effect once the cached entry has expired. The plugin is not very useful with the built-in (internal) [authn/authz backends](https://rabbitmq.com/access-control.html) but can be very useful for LDAP, HTTP or other backends that 26 | use network requests. 27 | 28 | ## RabbitMQ Version Requirements 29 | 30 | As of 3.7.0, this plugin is distributed with RabbitMQ. Like any other plugin, it must 31 | be [enabled](https://www.rabbitmq.com/plugins.html#ways-to-enable-plugins) before it can be used. 32 | 33 | 34 | ## Installation 35 | 36 | This plugin ships with reasonably recent RabbitMQ versions 37 | (e.g. `3.7.0` or later). Enable it with 38 | 39 | ``` shell 40 | rabbitmq-plugins enable rabbitmq_auth_backend_cache 41 | ``` 42 | 43 | ## Binary Builds 44 | 45 | Binary builds can be obtained [from project releases](https://github.com/rabbitmq/rabbitmq-auth-backend-cache/releases/) on GitHub. 46 | 47 | ## Building 48 | 49 | You can build and install it like any other plugin (see 50 | [the plugin development guide](https://www.rabbitmq.com/plugin-development.html)). 51 | 52 | ## Authentication and Authorization Backend Configuration 53 | 54 | To enable the plugin, set the value of the `auth_backends` configuration item 55 | for the `rabbit` application to include `rabbit_auth_backend_cache`. 56 | `auth_backends` is a list of authentication providers to try in order.
57 | 58 | 59 | So a configuration fragment that enables this plugin *only* (this example is **intentionally incomplete**) would look like: 60 | 61 | ``` ini 62 | auth_backends.1 = cache 63 | ``` 64 | 65 | In the [classic config format](https://www.rabbitmq.com/configure.html#config-file-formats): 66 | 67 | ``` erlang 68 | [ 69 | {rabbit, [ 70 | {auth_backends, [rabbit_auth_backend_cache]} 71 | ] 72 | } 73 | ]. 74 | ``` 75 | 76 | This plugin wraps another auth backend (an "upstream" one) to reduce load on it. 77 | 78 | To configure the upstream auth backend, use the `auth_cache.cached_backend` configuration key 79 | (`rabbitmq_auth_backend_cache.cached_backend` in the classic config format). 80 | 81 | The following configuration uses the [LDAP backend](https://rabbitmq.com/ldap.html) for both authentication and authorization 82 | and wraps it with caching: 83 | 84 | auth_backends.1 = cache 85 | 86 | auth_cache.cached_backend = ldap 87 | 88 | In the classic config format: 89 | 90 | ``` erlang 91 | [ 92 | {rabbit, [ 93 | %% ... 94 | ]}, 95 | {rabbitmq_auth_backend_cache, [ 96 | {cached_backend, rabbit_auth_backend_ldap} 97 | ]}, 98 | {rabbitmq_auth_backend_ldap, [ 99 | %% ... 100 | ]} 101 | ].
102 | ``` 103 | 104 | The following example combines this backend with the [HTTP backend](https://github.com/rabbitmq/rabbitmq-auth-backend-http/tree/master) and its [example Spring Boot application](https://github.com/rabbitmq/rabbitmq-auth-backend-http/tree/master/examples): 105 | 106 | 107 | auth_backends.1 = cache 108 | auth_cache.cached_backend = http 109 | 110 | auth_http.http_method = post 111 | auth_http.user_path = http://localhost:8080/auth/user 112 | auth_http.vhost_path = http://localhost:8080/auth/vhost 113 | auth_http.resource_path = http://localhost:8080/auth/resource 114 | auth_http.topic_path = http://localhost:8080/auth/topic 115 | 116 | In the classic config format: 117 | 118 | ``` erlang 119 | [ 120 | {rabbit, [ 121 | {auth_backends, [rabbit_auth_backend_cache]} 122 | ] 123 | }, 124 | {rabbitmq_auth_backend_cache, [ 125 | {cached_backend, rabbit_auth_backend_http} 126 | ] 127 | }, 128 | {rabbitmq_auth_backend_http, [{http_method, post}, 129 | {user_path, "http://127.0.0.1:8080/auth/user"}, 130 | {vhost_path, "http://127.0.0.1:8080/auth/vhost"}, 131 | {resource_path, "http://127.0.0.1:8080/auth/resource"}, 132 | {topic_path, "http://127.0.0.1:8080/auth/topic"} 133 | ] 134 | } 135 | ]. 136 | ``` 137 | 138 | It is still possible to [use different backends for authorization and authentication](https://www.rabbitmq.com/access-control.html). 139 | 140 | The following example configures the plugin to use the LDAP backend for authentication 141 | but the internal backend for authorisation: 142 | 143 | auth_backends.1 = cache 144 | 145 | auth_cache.cached_backend.authn = ldap 146 | auth_cache.cached_backend.authz = internal 147 | 148 | In the classic config format: 149 | 150 | ``` erlang 151 | [ 152 | {rabbit, [ 153 | %% ... 154 | ]}, 155 | {rabbitmq_auth_backend_cache, [{cached_backend, {rabbit_auth_backend_ldap, 156 | rabbit_auth_backend_internal}}]}].
157 | ``` 158 | 159 | 160 | 161 | ## Cache Configuration 162 | 163 | You can configure the TTL for cache items with the `cache_ttl` configuration item, specified in **milliseconds**: 164 | 165 | auth_cache.cached_backend = ldap 166 | auth_cache.cache_ttl = 5000 167 | 168 | Or using the classic config for both parameters: 169 | 170 | ``` erlang 171 | [ 172 | {rabbit, [ 173 | %% ... 174 | ]}, 175 | {rabbitmq_auth_backend_cache, [{cached_backend, rabbit_auth_backend_ldap}, 176 | {cache_ttl, 5000}]}]. 177 | ``` 178 | By default only successful results are cached; set `auth_cache.cache_refusals = true` (`cache_refusals` in the classic config format) to cache refusals as well. Errors returned by the backend are never cached. 179 | You can also use a custom cache module to store cached requests. This module 180 | should be an Erlang module implementing the `rabbit_auth_cache` behaviour and may (optionally) 181 | define a `start_link` function to start the cache process. 182 | 183 | This repository provides several implementations: 184 | 185 | * `rabbit_auth_cache_dict` stores cache entries in the internal process dictionary. **This module is for demonstration only and should not be used in production**. 186 | * `rabbit_auth_cache_ets` stores cache entries in an [ETS](https://learnyousomeerlang.com/ets) table and uses timers for cache invalidation. **This is the default implementation**. 187 | * `rabbit_auth_cache_ets_segmented` stores cache entries in multiple ETS tables and does not delete individual cache items but rather 188 | uses a separate process for garbage collection. 189 | * `rabbit_auth_cache_ets_segmented_stateless` same as previous, but with minimal use of `gen_server` state, using ets tables to store information about segments. 190 | 191 | To specify the cache module, use the `cache_module` configuration item and 192 | specify start args with `cache_module_args`.
193 | Start args should be a list of arguments passed to the module's `start_link` function. 194 | 195 | The cache module can be set via the sysctl config format: 196 | 197 | auth_cache.cache_module = rabbit_auth_cache_ets_segmented 198 | 199 | Additional cache module arguments can only be defined via the [advanced config](https://www.rabbitmq.com/configure.html#advanced-config-file) or classic config format: 200 | 201 | ``` erlang 202 | [ 203 | {rabbit, [ 204 | %% ... 205 | ]}, 206 | 207 | {rabbitmq_auth_backend_cache, [{cache_module_args, [10000]}]} 208 | ]. 209 | ``` 210 | 211 | The above two snippets combined in the classic config format: 212 | 213 | ``` erlang 214 | [ 215 | {rabbit, [ 216 | %% ... 217 | ]}, 218 | 219 | {rabbitmq_auth_backend_cache, [{cache_module, rabbit_auth_cache_ets_segmented}, 220 | {cache_module_args, [10000]}]} 221 | ]. 222 | ``` 223 | 224 | The default values are `rabbit_auth_cache_ets` and `[]`, respectively. 225 | 226 | 227 | ## License and Copyright 228 | 229 | (c) 2016-2020 VMware, Inc. or its affiliates. 230 | 231 | Released under the Mozilla Public License 2.0, same as RabbitMQ. 232 | -------------------------------------------------------------------------------- /priv/schema/rabbitmq_auth_backend_cache.schema: -------------------------------------------------------------------------------- 1 | 2 | %% ========================================================================== 3 | %% ---------------------------------------------------------------------------- 4 | %% RabbitMQ Authorization cache 5 | %% 6 | %% ---------------------------------------------------------------------------- 7 | 8 | {mapping, "auth_cache.cached_backend", "rabbitmq_auth_backend_cache.cached_backend",[ 9 | {datatype, atom} 10 | ]}. 11 | 12 | {mapping, "auth_cache.cached_backend.authn", "rabbitmq_auth_backend_cache.cached_backend",[ 13 | {datatype, atom} 14 | ]}.
%% Backend alias used for authorization only. It writes to the same target
%% key as the other "cached_backend" mappings; the translation that follows
%% combines whichever of them are set.
{mapping, "auth_cache.cached_backend.authz", "rabbitmq_auth_backend_cache.cached_backend", [
    {datatype, atom}
]}.

%% Computes the `cached_backend` application env value from the three
%% "auth_cache.cached_backend*" settings.
%%
%% Result shapes:
%%   * a single module atom when only "auth_cache.cached_backend" is set;
%%   * {AuthnModule, AuthzModule} when the .authn and/or .authz keys are set.
%%     If only one of those two is set, the same module is used for both
%%     roles and a warning is emitted.
%% Any other combination (for example the common key together with a
%% role-specific one) is rejected as invalid.
%%
%% Known short aliases are expanded to module names. Any other atom is
%% passed through unchanged as a module name; nothing here checks that such
%% a module exists or implements the auth backend behaviours.
{translation, "rabbitmq_auth_backend_cache.cached_backend",
 fun(Conf) ->
     ToModule =
         fun(Alias) ->
             case Alias of
                 internal  -> rabbit_auth_backend_internal;
                 ldap      -> rabbit_auth_backend_ldap;
                 http      -> rabbit_auth_backend_http;
                 amqp      -> rabbit_auth_backend_amqp;
                 dummy     -> rabbit_auth_backend_dummy;
                 undefined -> undefined;
                 Custom when is_atom(Custom) -> Custom;
                 _ -> cuttlefish:invalid("Unknown/unsupported auth backend")
             end
         end,
     %% Lookup order is kept as authn, authz, common.
     AuthnMod  = ToModule(cuttlefish:conf_get("auth_cache.cached_backend.authn", Conf, undefined)),
     AuthzMod  = ToModule(cuttlefish:conf_get("auth_cache.cached_backend.authz", Conf, undefined)),
     SharedMod = ToModule(cuttlefish:conf_get("auth_cache.cached_backend", Conf, undefined)),
     case {SharedMod, AuthnMod, AuthzMod} of
         {undefined, OnlyAuthn, undefined} when OnlyAuthn =/= undefined ->
             %% authz not configured: reuse the authn backend for it.
             cuttlefish:warn(io_lib:format("Cached authZ backend undefined. Using ~p", [OnlyAuthn])),
             {OnlyAuthn, OnlyAuthn};
         {undefined, undefined, OnlyAuthz} when OnlyAuthz =/= undefined ->
             %% authn not configured: reuse the authz backend for it.
             cuttlefish:warn(io_lib:format("Cached authN backend undefined. Using ~p", [OnlyAuthz])),
             {OnlyAuthz, OnlyAuthz};
         {Single, undefined, undefined} when Single =/= undefined ->
             Single;
         {undefined, ForAuthn, ForAuthz} when ForAuthn =/= undefined, ForAuthz =/= undefined ->
             {ForAuthn, ForAuthz};
         _ ->
             cuttlefish:invalid(iolist_to_binary(io_lib:format("Cached auth backend already defined", [])))
     end
 end}.

%% Lifetime of a cache entry. The README gives the unit as milliseconds.
%% Checked with the "non_negative_integer" validator, which is not defined
%% in this file.
{mapping, "auth_cache.cache_ttl", "rabbitmq_auth_backend_cache.cache_ttl", [
    {datatype, integer},
    {validators, ["non_negative_integer"]}
]}.

%% Module used as the cache store.
{mapping, "auth_cache.cache_module", "rabbitmq_auth_backend_cache.cache_module", [
    {datatype, atom}
]}.

%% Whether refusals are cached in addition to successful results.
{mapping, "auth_cache.cache_refusals", "rabbitmq_auth_backend_cache.cache_refusals", [
    {datatype, {enum, [true, false]}}
]}.
63 | -------------------------------------------------------------------------------- /rabbitmq-components.mk: -------------------------------------------------------------------------------- 1 | ifeq ($(.DEFAULT_GOAL),) 2 | # Define default goal to `all` because this file defines some targets 3 | # before the inclusion of erlang.mk leading to the wrong target becoming 4 | # the default. 5 | .DEFAULT_GOAL = all 6 | endif 7 | 8 | # PROJECT_VERSION defaults to: 9 | # 1. the version exported by rabbitmq-server-release; 10 | # 2. the version stored in `git-revisions.txt`, if it exists; 11 | # 3. a version based on git-describe(1), if it is a Git clone; 12 | # 4. 0.0.0 13 | 14 | PROJECT_VERSION := $(RABBITMQ_VERSION) 15 | 16 | ifeq ($(PROJECT_VERSION),) 17 | PROJECT_VERSION := $(shell \ 18 | if test -f git-revisions.txt; then \ 19 | head -n1 git-revisions.txt | \ 20 | awk '{print $$$(words $(PROJECT_DESCRIPTION) version);}'; \ 21 | else \ 22 | (git describe --dirty --abbrev=7 --tags --always --first-parent \ 23 | 2>/dev/null || echo rabbitmq_v0_0_0) | \ 24 | sed -e 's/^rabbitmq_v//' -e 's/^v//' -e 's/_/./g' -e 's/-/+/' \ 25 | -e 's/-/./g'; \ 26 | fi) 27 | endif 28 | 29 | # -------------------------------------------------------------------- 30 | # RabbitMQ components. 31 | # -------------------------------------------------------------------- 32 | 33 | # For RabbitMQ repositories, we want to checkout branches which match 34 | # the parent project. For instance, if the parent project is on a 35 | # release tag, dependencies must be on the same release tag. If the 36 | # parent project is on a topic branch, dependencies must be on the same 37 | # topic branch or fallback to `stable` or `master` whichever was the 38 | # base of the topic branch. 
39 | 40 | dep_amqp_client = git_rmq rabbitmq-erlang-client $(current_rmq_ref) $(base_rmq_ref) master 41 | dep_amqp10_client = git_rmq rabbitmq-amqp1.0-client $(current_rmq_ref) $(base_rmq_ref) master 42 | dep_amqp10_common = git_rmq rabbitmq-amqp1.0-common $(current_rmq_ref) $(base_rmq_ref) master 43 | dep_rabbit = git_rmq rabbitmq-server $(current_rmq_ref) $(base_rmq_ref) master 44 | dep_rabbit_common = git_rmq rabbitmq-common $(current_rmq_ref) $(base_rmq_ref) master 45 | dep_rabbitmq_amqp1_0 = git_rmq rabbitmq-amqp1.0 $(current_rmq_ref) $(base_rmq_ref) master 46 | dep_rabbitmq_auth_backend_amqp = git_rmq rabbitmq-auth-backend-amqp $(current_rmq_ref) $(base_rmq_ref) master 47 | dep_rabbitmq_auth_backend_cache = git_rmq rabbitmq-auth-backend-cache $(current_rmq_ref) $(base_rmq_ref) master 48 | dep_rabbitmq_auth_backend_http = git_rmq rabbitmq-auth-backend-http $(current_rmq_ref) $(base_rmq_ref) master 49 | dep_rabbitmq_auth_backend_ldap = git_rmq rabbitmq-auth-backend-ldap $(current_rmq_ref) $(base_rmq_ref) master 50 | dep_rabbitmq_auth_backend_oauth2 = git_rmq rabbitmq-auth-backend-oauth2 $(current_rmq_ref) $(base_rmq_ref) master 51 | dep_rabbitmq_auth_mechanism_ssl = git_rmq rabbitmq-auth-mechanism-ssl $(current_rmq_ref) $(base_rmq_ref) master 52 | dep_rabbitmq_aws = git_rmq rabbitmq-aws $(current_rmq_ref) $(base_rmq_ref) master 53 | dep_rabbitmq_boot_steps_visualiser = git_rmq rabbitmq-boot-steps-visualiser $(current_rmq_ref) $(base_rmq_ref) master 54 | dep_rabbitmq_cli = git_rmq rabbitmq-cli $(current_rmq_ref) $(base_rmq_ref) master 55 | dep_rabbitmq_codegen = git_rmq rabbitmq-codegen $(current_rmq_ref) $(base_rmq_ref) master 56 | dep_rabbitmq_consistent_hash_exchange = git_rmq rabbitmq-consistent-hash-exchange $(current_rmq_ref) $(base_rmq_ref) master 57 | dep_rabbitmq_ct_client_helpers = git_rmq rabbitmq-ct-client-helpers $(current_rmq_ref) $(base_rmq_ref) master 58 | dep_rabbitmq_ct_helpers = git_rmq rabbitmq-ct-helpers $(current_rmq_ref) $(base_rmq_ref) 
master 59 | dep_rabbitmq_delayed_message_exchange = git_rmq rabbitmq-delayed-message-exchange $(current_rmq_ref) $(base_rmq_ref) master 60 | dep_rabbitmq_dotnet_client = git_rmq rabbitmq-dotnet-client $(current_rmq_ref) $(base_rmq_ref) master 61 | dep_rabbitmq_event_exchange = git_rmq rabbitmq-event-exchange $(current_rmq_ref) $(base_rmq_ref) master 62 | dep_rabbitmq_federation = git_rmq rabbitmq-federation $(current_rmq_ref) $(base_rmq_ref) master 63 | dep_rabbitmq_federation_management = git_rmq rabbitmq-federation-management $(current_rmq_ref) $(base_rmq_ref) master 64 | dep_rabbitmq_java_client = git_rmq rabbitmq-java-client $(current_rmq_ref) $(base_rmq_ref) master 65 | dep_rabbitmq_jms_client = git_rmq rabbitmq-jms-client $(current_rmq_ref) $(base_rmq_ref) master 66 | dep_rabbitmq_jms_cts = git_rmq rabbitmq-jms-cts $(current_rmq_ref) $(base_rmq_ref) master 67 | dep_rabbitmq_jms_topic_exchange = git_rmq rabbitmq-jms-topic-exchange $(current_rmq_ref) $(base_rmq_ref) master 68 | dep_rabbitmq_lvc_exchange = git_rmq rabbitmq-lvc-exchange $(current_rmq_ref) $(base_rmq_ref) master 69 | dep_rabbitmq_management = git_rmq rabbitmq-management $(current_rmq_ref) $(base_rmq_ref) master 70 | dep_rabbitmq_management_agent = git_rmq rabbitmq-management-agent $(current_rmq_ref) $(base_rmq_ref) master 71 | dep_rabbitmq_management_exchange = git_rmq rabbitmq-management-exchange $(current_rmq_ref) $(base_rmq_ref) master 72 | dep_rabbitmq_management_themes = git_rmq rabbitmq-management-themes $(current_rmq_ref) $(base_rmq_ref) master 73 | dep_rabbitmq_message_timestamp = git_rmq rabbitmq-message-timestamp $(current_rmq_ref) $(base_rmq_ref) master 74 | dep_rabbitmq_metronome = git_rmq rabbitmq-metronome $(current_rmq_ref) $(base_rmq_ref) master 75 | dep_rabbitmq_mqtt = git_rmq rabbitmq-mqtt $(current_rmq_ref) $(base_rmq_ref) master 76 | dep_rabbitmq_objc_client = git_rmq rabbitmq-objc-client $(current_rmq_ref) $(base_rmq_ref) master 77 | dep_rabbitmq_peer_discovery_aws = git_rmq 
rabbitmq-peer-discovery-aws $(current_rmq_ref) $(base_rmq_ref) master 78 | dep_rabbitmq_peer_discovery_common = git_rmq rabbitmq-peer-discovery-common $(current_rmq_ref) $(base_rmq_ref) master 79 | dep_rabbitmq_peer_discovery_consul = git_rmq rabbitmq-peer-discovery-consul $(current_rmq_ref) $(base_rmq_ref) master 80 | dep_rabbitmq_peer_discovery_etcd = git_rmq rabbitmq-peer-discovery-etcd $(current_rmq_ref) $(base_rmq_ref) master 81 | dep_rabbitmq_peer_discovery_k8s = git_rmq rabbitmq-peer-discovery-k8s $(current_rmq_ref) $(base_rmq_ref) master 82 | dep_rabbitmq_prometheus = git_rmq rabbitmq-prometheus $(current_rmq_ref) $(base_rmq_ref) master 83 | dep_rabbitmq_random_exchange = git_rmq rabbitmq-random-exchange $(current_rmq_ref) $(base_rmq_ref) master 84 | dep_rabbitmq_recent_history_exchange = git_rmq rabbitmq-recent-history-exchange $(current_rmq_ref) $(base_rmq_ref) master 85 | dep_rabbitmq_routing_node_stamp = git_rmq rabbitmq-routing-node-stamp $(current_rmq_ref) $(base_rmq_ref) master 86 | dep_rabbitmq_rtopic_exchange = git_rmq rabbitmq-rtopic-exchange $(current_rmq_ref) $(base_rmq_ref) master 87 | dep_rabbitmq_server_release = git_rmq rabbitmq-server-release $(current_rmq_ref) $(base_rmq_ref) master 88 | dep_rabbitmq_sharding = git_rmq rabbitmq-sharding $(current_rmq_ref) $(base_rmq_ref) master 89 | dep_rabbitmq_shovel = git_rmq rabbitmq-shovel $(current_rmq_ref) $(base_rmq_ref) master 90 | dep_rabbitmq_shovel_management = git_rmq rabbitmq-shovel-management $(current_rmq_ref) $(base_rmq_ref) master 91 | dep_rabbitmq_stomp = git_rmq rabbitmq-stomp $(current_rmq_ref) $(base_rmq_ref) master 92 | dep_rabbitmq_stream = git_rmq rabbitmq-stream $(current_rmq_ref) $(base_rmq_ref) master 93 | dep_rabbitmq_toke = git_rmq rabbitmq-toke $(current_rmq_ref) $(base_rmq_ref) master 94 | dep_rabbitmq_top = git_rmq rabbitmq-top $(current_rmq_ref) $(base_rmq_ref) master 95 | dep_rabbitmq_tracing = git_rmq rabbitmq-tracing $(current_rmq_ref) $(base_rmq_ref) master 96 | 
dep_rabbitmq_trust_store = git_rmq rabbitmq-trust-store $(current_rmq_ref) $(base_rmq_ref) master 97 | dep_rabbitmq_test = git_rmq rabbitmq-test $(current_rmq_ref) $(base_rmq_ref) master 98 | dep_rabbitmq_web_dispatch = git_rmq rabbitmq-web-dispatch $(current_rmq_ref) $(base_rmq_ref) master 99 | dep_rabbitmq_web_stomp = git_rmq rabbitmq-web-stomp $(current_rmq_ref) $(base_rmq_ref) master 100 | dep_rabbitmq_web_stomp_examples = git_rmq rabbitmq-web-stomp-examples $(current_rmq_ref) $(base_rmq_ref) master 101 | dep_rabbitmq_web_mqtt = git_rmq rabbitmq-web-mqtt $(current_rmq_ref) $(base_rmq_ref) master 102 | dep_rabbitmq_web_mqtt_examples = git_rmq rabbitmq-web-mqtt-examples $(current_rmq_ref) $(base_rmq_ref) master 103 | dep_rabbitmq_website = git_rmq rabbitmq-website $(current_rmq_ref) $(base_rmq_ref) live master 104 | dep_toke = git_rmq toke $(current_rmq_ref) $(base_rmq_ref) master 105 | 106 | dep_rabbitmq_public_umbrella = git_rmq rabbitmq-public-umbrella $(current_rmq_ref) $(base_rmq_ref) master 107 | 108 | # Third-party dependencies version pinning. 109 | # 110 | # We do that in this file, which is copied in all projects, to ensure 111 | # all projects use the same versions. It avoids conflicts and makes it 112 | # possible to work with rabbitmq-public-umbrella. 
# NOTE(review): dep_prometheus and dep_ra below name the `master` branch, a
# moving ref, while the hex entries name a fixed version. Builds that fetch
# them are therefore not reproducible; pin both to a tag or commit if that
# matters for your release process.
113 | 114 | dep_accept = hex 0.3.5 115 | dep_cowboy = hex 2.8.0 116 | dep_cowlib = hex 2.9.1 117 | dep_jsx = hex 2.11.0 118 | dep_lager = hex 3.8.0 119 | dep_prometheus = git https://github.com/deadtrickster/prometheus.erl.git master 120 | dep_ra = git https://github.com/rabbitmq/ra.git master 121 | dep_ranch = hex 1.7.1 122 | dep_recon = hex 2.5.1 123 | dep_observer_cli = hex 1.5.4 124 | dep_stdout_formatter = hex 0.2.4 125 | dep_sysmon_handler = hex 1.3.0 126 | 127 | RABBITMQ_COMPONENTS = amqp_client \ 128 | amqp10_common \ 129 | amqp10_client \ 130 | rabbit \ 131 | rabbit_common \ 132 | rabbitmq_amqp1_0 \ 133 | rabbitmq_auth_backend_amqp \ 134 | rabbitmq_auth_backend_cache \ 135 | rabbitmq_auth_backend_http \ 136 | rabbitmq_auth_backend_ldap \ 137 | rabbitmq_auth_backend_oauth2 \ 138 | rabbitmq_auth_mechanism_ssl \ 139 | rabbitmq_aws \ 140 | rabbitmq_boot_steps_visualiser \ 141 | rabbitmq_cli \ 142 | rabbitmq_codegen \ 143 | rabbitmq_consistent_hash_exchange \ 144 | rabbitmq_ct_client_helpers \ 145 | rabbitmq_ct_helpers \ 146 | rabbitmq_delayed_message_exchange \ 147 | rabbitmq_dotnet_client \ 148 | rabbitmq_event_exchange \ 149 | rabbitmq_federation \ 150 | rabbitmq_federation_management \ 151 | rabbitmq_java_client \ 152 | rabbitmq_jms_client \ 153 | rabbitmq_jms_cts \ 154 | rabbitmq_jms_topic_exchange \ 155 | rabbitmq_lvc_exchange \ 156 | rabbitmq_management \ 157 | rabbitmq_management_agent \ 158 | rabbitmq_management_exchange \ 159 | rabbitmq_management_themes \ 160 | rabbitmq_message_timestamp \ 161 | rabbitmq_metronome \ 162 | rabbitmq_mqtt \ 163 | rabbitmq_objc_client \ 164 | rabbitmq_peer_discovery_aws \ 165 | rabbitmq_peer_discovery_common \ 166 | rabbitmq_peer_discovery_consul \ 167 | rabbitmq_peer_discovery_etcd \ 168 | rabbitmq_peer_discovery_k8s \ 169 | rabbitmq_prometheus \ 170 | rabbitmq_random_exchange \ 171 | rabbitmq_recent_history_exchange \ 172 | rabbitmq_routing_node_stamp \ 173 | rabbitmq_rtopic_exchange \ 174 | rabbitmq_server_release \
175 | rabbitmq_sharding \ 176 | rabbitmq_shovel \ 177 | rabbitmq_shovel_management \ 178 | rabbitmq_stomp \ 179 | rabbitmq_stream \ 180 | rabbitmq_toke \ 181 | rabbitmq_top \ 182 | rabbitmq_tracing \ 183 | rabbitmq_trust_store \ 184 | rabbitmq_web_dispatch \ 185 | rabbitmq_web_mqtt \ 186 | rabbitmq_web_mqtt_examples \ 187 | rabbitmq_web_stomp \ 188 | rabbitmq_web_stomp_examples \ 189 | rabbitmq_website 190 | 191 | # Erlang.mk does not rebuild dependencies by default, once they were 192 | # compiled once, except for those listed in the `$(FORCE_REBUILD)` 193 | # variable. 194 | # 195 | # We want all RabbitMQ components to always be rebuilt: this eases 196 | # the work on several components at the same time. 197 | 198 | FORCE_REBUILD = $(RABBITMQ_COMPONENTS) 199 | 200 | # Several components have a custom erlang.mk/build.config, mainly 201 | # to disable eunit. Therefore, we can't use the top-level project's 202 | # erlang.mk copy. 203 | NO_AUTOPATCH += $(RABBITMQ_COMPONENTS) 204 | 205 | ifeq ($(origin current_rmq_ref),undefined) 206 | ifneq ($(wildcard .git),) 207 | current_rmq_ref := $(shell (\ 208 | ref=$$(LANG=C git branch --list | awk '/^\* \(.*detached / {ref=$$0; sub(/.*detached [^ ]+ /, "", ref); sub(/\)$$/, "", ref); print ref; exit;} /^\* / {ref=$$0; sub(/^\* /, "", ref); print ref; exit}');\ 209 | if test "$$(git rev-parse --short HEAD)" != "$$ref"; then echo "$$ref"; fi)) 210 | else 211 | current_rmq_ref := master 212 | endif 213 | endif 214 | export current_rmq_ref 215 | 216 | ifeq ($(origin base_rmq_ref),undefined) 217 | ifneq ($(wildcard .git),) 218 | possible_base_rmq_ref := master 219 | ifeq ($(possible_base_rmq_ref),$(current_rmq_ref)) 220 | base_rmq_ref := $(current_rmq_ref) 221 | else 222 | base_rmq_ref := $(shell \ 223 | (git rev-parse --verify -q master >/dev/null && \ 224 | git rev-parse --verify -q $(possible_base_rmq_ref) >/dev/null && \ 225 | git merge-base --is-ancestor $$(git merge-base master HEAD) $(possible_base_rmq_ref) && \ 226 | echo 
$(possible_base_rmq_ref)) || \ 227 | echo master) 228 | endif 229 | else 230 | base_rmq_ref := master 231 | endif 232 | endif 233 | export base_rmq_ref 234 | 235 | # Repository URL selection. 236 | # 237 | # First, we infer other components' location from the current project 238 | # repository URL, if it's a Git repository: 239 | # - We take the "origin" remote URL as the base 240 | # - The current project name and repository name is replaced by the 241 | # target's properties: 242 | # eg. rabbitmq-common is replaced by rabbitmq-codegen 243 | # eg. rabbit_common is replaced by rabbitmq_codegen 244 | # 245 | # If cloning from this computed location fails, we fallback to RabbitMQ 246 | # upstream which is GitHub. 247 | 248 | # Macro to transform eg. "rabbit_common" to "rabbitmq-common". 249 | rmq_cmp_repo_name = $(word 2,$(dep_$(1))) 250 | 251 | # Upstream URL for the current project. 252 | RABBITMQ_COMPONENT_REPO_NAME := $(call rmq_cmp_repo_name,$(PROJECT)) 253 | RABBITMQ_UPSTREAM_FETCH_URL ?= https://github.com/rabbitmq/$(RABBITMQ_COMPONENT_REPO_NAME).git 254 | RABBITMQ_UPSTREAM_PUSH_URL ?= git@github.com:rabbitmq/$(RABBITMQ_COMPONENT_REPO_NAME).git 255 | 256 | # Current URL for the current project. If this is not a Git clone, 257 | # default to the upstream Git repository. 258 | ifneq ($(wildcard .git),) 259 | git_origin_fetch_url := $(shell git config remote.origin.url) 260 | git_origin_push_url := $(shell git config remote.origin.pushurl || git config remote.origin.url) 261 | RABBITMQ_CURRENT_FETCH_URL ?= $(git_origin_fetch_url) 262 | RABBITMQ_CURRENT_PUSH_URL ?= $(git_origin_push_url) 263 | else 264 | RABBITMQ_CURRENT_FETCH_URL ?= $(RABBITMQ_UPSTREAM_FETCH_URL) 265 | RABBITMQ_CURRENT_PUSH_URL ?= $(RABBITMQ_UPSTREAM_PUSH_URL) 266 | endif 267 | 268 | # Macro to replace the following pattern: 269 | # 1. /foo.git -> /bar.git 270 | # 2. /foo -> /bar 271 | # 3. 
/foo/ -> /bar/ 272 | subst_repo_name = $(patsubst %/$(1)/%,%/$(2)/%,$(patsubst %/$(1),%/$(2),$(patsubst %/$(1).git,%/$(2).git,$(3)))) 273 | 274 | # Macro to replace both the project's name (eg. "rabbit_common") and 275 | # repository name (eg. "rabbitmq-common") by the target's equivalent. 276 | # 277 | # This macro is kept on one line because we don't want whitespaces in 278 | # the returned value, as it's used in $(dep_fetch_git_rmq) in a shell 279 | # single-quoted string. 280 | dep_rmq_repo = $(if $(dep_$(2)),$(call subst_repo_name,$(PROJECT),$(2),$(call subst_repo_name,$(RABBITMQ_COMPONENT_REPO_NAME),$(call rmq_cmp_repo_name,$(2)),$(1))),$(pkg_$(1)_repo)) 281 | 282 | dep_rmq_commits = $(if $(dep_$(1)), \ 283 | $(wordlist 3,$(words $(dep_$(1))),$(dep_$(1))), \ 284 | $(pkg_$(1)_commit)) 285 | 286 | define dep_fetch_git_rmq 287 | fetch_url1='$(call dep_rmq_repo,$(RABBITMQ_CURRENT_FETCH_URL),$(1))'; \ 288 | fetch_url2='$(call dep_rmq_repo,$(RABBITMQ_UPSTREAM_FETCH_URL),$(1))'; \ 289 | if test "$$$$fetch_url1" != '$(RABBITMQ_CURRENT_FETCH_URL)' && \ 290 | git clone -q -n -- "$$$$fetch_url1" $(DEPS_DIR)/$(call dep_name,$(1)); then \ 291 | fetch_url="$$$$fetch_url1"; \ 292 | push_url='$(call dep_rmq_repo,$(RABBITMQ_CURRENT_PUSH_URL),$(1))'; \ 293 | elif git clone -q -n -- "$$$$fetch_url2" $(DEPS_DIR)/$(call dep_name,$(1)); then \ 294 | fetch_url="$$$$fetch_url2"; \ 295 | push_url='$(call dep_rmq_repo,$(RABBITMQ_UPSTREAM_PUSH_URL),$(1))'; \ 296 | fi; \ 297 | cd $(DEPS_DIR)/$(call dep_name,$(1)) && ( \ 298 | $(foreach ref,$(call dep_rmq_commits,$(1)), \ 299 | git checkout -q $(ref) >/dev/null 2>&1 || \ 300 | ) \ 301 | (echo "error: no valid pathspec among: $(call dep_rmq_commits,$(1))" \ 302 | 1>&2 && false) ) && \ 303 | (test "$$$$fetch_url" = "$$$$push_url" || \ 304 | git remote set-url --push origin "$$$$push_url") 305 | endef 306 | 307 | # -------------------------------------------------------------------- 308 | # Component distribution. 
309 | # -------------------------------------------------------------------- 310 | 311 | list-dist-deps:: 312 | @: 313 | 314 | prepare-dist:: 315 | @: 316 | 317 | # -------------------------------------------------------------------- 318 | # Umbrella-specific settings. 319 | # -------------------------------------------------------------------- 320 | 321 | # If the top-level project is a RabbitMQ component, we override 322 | # $(DEPS_DIR) for this project to point to the top-level's one. 323 | # 324 | # We also verify that the guessed DEPS_DIR is actually named `deps`, 325 | # to rule out any situation where it is a coincidence that we found a 326 | # `rabbitmq-components.mk` up upper directories. 327 | 328 | possible_deps_dir_1 = $(abspath ..) 329 | possible_deps_dir_2 = $(abspath ../../..) 330 | 331 | ifeq ($(notdir $(possible_deps_dir_1)),deps) 332 | ifneq ($(wildcard $(possible_deps_dir_1)/../rabbitmq-components.mk),) 333 | deps_dir_overriden = 1 334 | DEPS_DIR ?= $(possible_deps_dir_1) 335 | DISABLE_DISTCLEAN = 1 336 | endif 337 | endif 338 | 339 | ifeq ($(deps_dir_overriden),) 340 | ifeq ($(notdir $(possible_deps_dir_2)),deps) 341 | ifneq ($(wildcard $(possible_deps_dir_2)/../rabbitmq-components.mk),) 342 | deps_dir_overriden = 1 343 | DEPS_DIR ?= $(possible_deps_dir_2) 344 | DISABLE_DISTCLEAN = 1 345 | endif 346 | endif 347 | endif 348 | 349 | ifneq ($(wildcard UMBRELLA.md),) 350 | DISABLE_DISTCLEAN = 1 351 | endif 352 | 353 | # We disable `make distclean` so $(DEPS_DIR) is not accidentally removed. 354 | 355 | ifeq ($(DISABLE_DISTCLEAN),1) 356 | ifneq ($(filter distclean distclean-deps,$(MAKECMDGOALS)),) 357 | SKIP_DEPS = 1 358 | endif 359 | endif 360 | -------------------------------------------------------------------------------- /src/rabbit_auth_backend_cache.erl: -------------------------------------------------------------------------------- 1 | %% This Source Code Form is subject to the terms of the Mozilla Public 2 | %% License, v. 2.0. 
If a copy of the MPL was not distributed with this 3 | %% file, You can obtain one at https://mozilla.org/MPL/2.0/. 4 | %% 5 | %% Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved. 6 | %%

%% Caching front for another authentication/authorization backend.
%%
%% Every callback below hands three things to with_cache/3 (defined further
%% down in this module): which role the call belongs to (authn or authz),
%% the callback name with its argument list, and a fun that classifies the
%% wrapped backend's reply as `success`, `refusal`, an `{error, _}` tuple or
%% `unknown`. should_cache/2 uses that classification: successes are cached,
%% refusals only when `cache_refusals` is true, everything else never.
-module(rabbit_auth_backend_cache).
-include_lib("rabbit_common/include/rabbit.hrl").

-behaviour(rabbit_authn_backend).
-behaviour(rabbit_authz_backend).

-export([user_login_authentication/2,
         user_login_authorization/2,
         check_vhost_access/3,
         check_resource_access/4,
         check_topic_access/4,
         state_can_expire/0]).

%% API

%% Authenticates a login through the cache, using the authn backend.
%%
%% The cache key is the callback name plus [Username, AuthProps], so a login
%% is only answered from the cache when the same properties are presented
%% again.
%% NOTE(review): AuthProps presumably carries the credentials (for example
%% the password) - confirm against the callers. If so, they are held by the
%% cache module as part of the key for as long as the entry lives.
user_login_authentication(Username, AuthProps) ->
    Request = {user_login_authentication, [Username, AuthProps]},
    Outcome = fun(Reply) ->
                  case Reply of
                      {ok, _}            -> success;
                      {refused, _, _}    -> refusal;
                      {error, _} = Error -> Error;
                      _                  -> unknown
                  end
              end,
    with_cache(authn, Request, Outcome).

%% Authorizes a login through the cache, using the authz backend.
%% Both `{ok, _}` and `{ok, _, _}` replies count as success.
user_login_authorization(Username, AuthProps) ->
    Request = {user_login_authorization, [Username, AuthProps]},
    Outcome = fun(Reply) ->
                  case Reply of
                      {ok, _}            -> success;
                      {ok, _, _}         -> success;
                      {refused, _, _}    -> refusal;
                      {error, _} = Error -> Error;
                      _                  -> unknown
                  end
              end,
    with_cache(authz, Request, Outcome).

%% Virtual host access check, answered from the cache when possible.
check_vhost_access(#auth_user{} = AuthUser, VHostPath, AuthzData) ->
    Request = {check_vhost_access, [AuthUser, VHostPath, AuthzData]},
    with_cache(authz, Request, fun access_outcome/1).

%% Resource access check, answered from the cache when possible.
check_resource_access(#auth_user{} = AuthUser,
                      #resource{} = Resource, Permission, AuthzContext) ->
    Request = {check_resource_access,
               [AuthUser, Resource, Permission, AuthzContext]},
    with_cache(authz, Request, fun access_outcome/1).

%% Classifies the reply of a boolean access check.
access_outcome(true)               -> success;
access_outcome(false)              -> refusal;
access_outcome({error, _} = Error) -> Error;
access_outcome(_)                  -> unknown.

%% Topic permission check; the backend answers true or false.
check_topic_access(#auth_user{} = AuthUser,
                   #resource{} = Resource, Permission, Context) ->
    Classify = fun(true)              -> success;
                  (false)             -> refusal;
                  ({error, _} = Err)  -> Err;
                  (_)                 -> unknown
               end,
    with_cache(authz, {check_topic_access, [AuthUser, Resource, Permission, Context]},
               Classify).

state_can_expire() -> false.

%%
%% Implementation
%%

%% Answers the call {F, A} from the configured cache module, falling
%% back to the cached backend on a miss.
%%
%% A hit is returned without consulting the backend. A change made in
%% the backend (password change, user deletion, new permissions) is
%% therefore not visible through this module until the stored entry is
%% dropped, so cache_ttl bounds how long a revoked grant stays usable.
%%
%% The key is the whole {F, A} tuple, arguments included.
with_cache(BackendType, {F, A}, Fun) ->
    {ok, CacheMod} = application:get_env(rabbitmq_auth_backend_cache,
                                         cache_module),
    CacheKey = {F, A},
    case CacheMod:get(CacheKey) of
        {ok, Cached} ->
            Cached;
        {error, not_found} ->
            Backend = get_cached_backend(BackendType),
            {ok, TTL} = application:get_env(rabbitmq_auth_backend_cache,
                                            cache_ttl),
            Fresh = apply(Backend, F, A),
            %% Only answers that should_cache/2 accepts are stored; the
            %% backend's answer is returned either way.
            case should_cache(Fresh, Fun) of
                true  -> ok = CacheMod:put(CacheKey, Fresh, TTL);
                false -> ok
            end,
            Fresh
    end.

%% Picks the backend module for Type (authn | authz). cached_backend is
%% either one module used for both, or an {AuthN, AuthZ} pair.
get_cached_backend(Type) ->
    {ok, Configured} = application:get_env(rabbitmq_auth_backend_cache,
                                           cached_backend),
    case Configured of
        Single when is_atom(Single) ->
            Single;
        {AuthN, AuthZ} ->
            case Type of
                authn -> AuthN;
                authz -> AuthZ
            end
    end.

%% Decides whether a backend answer is stored. Successes are always
%% stored; refusals only when cache_refusals is true; {error, _} and
%% unknown answers never are.
should_cache(Result, Fun) ->
    {ok, CacheRefusals} = application:get_env(rabbitmq_auth_backend_cache,
                                              cache_refusals),
    case Fun(Result) of
        success -> true;
        refusal -> CacheRefusals =:= true;
        _       -> false
    end.

--------------------------------------------------------------------------------
/src/rabbit_auth_backend_cache_app.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2007-2020 VMware, Inc.
%% or its affiliates. All rights reserved.
%%

-module(rabbit_auth_backend_cache_app).

-behaviour(application).
-export([start/2, stop/1]).

-behaviour(supervisor).
-export([init/1]).

%% Application callback: starts the supervisor implemented by this module.
start(_Type, _StartArgs) ->
    supervisor:start_link({local, ?MODULE}, ?MODULE, []).

stop(_State) ->
    ok.

%%----------------------------------------------------------------------------

%% Supervisor callback. Starts the configured cache module as a worker
%% when it exports start_link with as many arguments as
%% cache_module_args holds; otherwise no child is started.
init([]) ->
    {ok, CacheMod} = application:get_env(rabbitmq_auth_backend_cache,
                                         cache_module),
    {ok, CacheArgs} = application:get_env(rabbitmq_auth_backend_cache,
                                          cache_module_args),
    %% The module has to be loaded before function_exported/3 can see it.
    %% The result of the load is not checked here.
    code:load_file(CacheMod),
    Arity = length(CacheArgs),
    Children =
        case erlang:function_exported(CacheMod, start_link, Arity) of
            false ->
                [];
            true ->
                [{auth_cache, {CacheMod, start_link, CacheArgs},
                  permanent, 5000, worker, [CacheMod]}]
        end,
    {ok, {{one_for_one, 3, 10}, Children}}.

--------------------------------------------------------------------------------
/src/rabbit_auth_cache.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(rabbit_auth_cache).

-export([expiration/1, expired/1]).

%% Behaviour implemented by the cache stores: get/1, put/3 (key, value,
%% TTL) and delete/1.

-ifdef(use_specs).

-callback get(term()) -> term().

-callback put(term(), term(), integer()) -> ok.

-callback delete(term()) -> ok.

-else.

-export([behaviour_info/1]).

behaviour_info(callbacks) ->
    [{get, 1}, {put, 3}, {delete, 1}];
behaviour_info(_Other) ->
    undefined.

-endif.
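
%% Absolute expiry for an entry stored now with the given TTL, in
%% milliseconds of Erlang system time.
%% NOTE(review): system time is not monotonic time; confirm the node's
%% time warp mode cannot move it backwards, which would lengthen the
%% life of cached decisions.
expiration(TTL) ->
    erlang:system_time(milli_seconds) + TTL.

%% True once the current system time has passed Exp.
expired(Exp) ->
    erlang:system_time(milli_seconds) > Exp.

--------------------------------------------------------------------------------
/src/rabbit_auth_cache_dict.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(rabbit_auth_cache_dict).
-behaviour(gen_server).
-compile({no_auto_import,[get/1]}).
-compile({no_auto_import,[put/2]}).

-behaviour(rabbit_auth_cache).

-export([start_link/0,
         get/1, put/3, delete/1]).

-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
         terminate/2, code_change/3]).

%% Cache store that keeps entries in the process dictionary of a locally
%% registered gen_server. Entries are removed by a timer, not checked
%% for expiry on read.

start_link() -> gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).

get(Key) -> gen_server:call(?MODULE, {get, Key}).
put(Key, Value, TTL) -> gen_server:cast(?MODULE, {put, Key, Value, TTL}).
delete(Key) -> gen_server:call(?MODULE, {delete, Key}).

init(_Args) -> {ok, nostate}.

%% {get, Key}: {ok, Value} or {error, not_found}.
%% {delete, Key}: removes the entry and its timer, replies ok.
handle_call({get, Key}, _From, nostate) ->
    Result = case erlang:get({items, Key}) of
                 undefined -> {error, not_found};
                 Val       -> {ok, Val}
             end,
    {reply, Result, nostate};
handle_call({delete, Key}, _From, nostate) ->
    do_delete(Key),
    {reply, ok, nostate}.

%% Stores Value under Key and schedules its removal after TTL.
handle_cast({put, Key, Value, TTL}, nostate) ->
    %% Drop any previous entry together with its timer first, as
    %% rabbit_auth_cache_ets does. Without this, the timer of an
    %% overwritten entry keeps running and removes the replacement when
    %% it fires, before the replacement's own TTL is over.
    do_delete(Key),
    erlang:put({items, Key}, Value),
    {ok, TRef} = timer:apply_after(TTL, rabbit_auth_cache_dict, delete, [Key]),
    erlang:put({timers, Key}, TRef),
    {noreply, nostate}.

handle_info(_Msg, nostate) ->
    {noreply, nostate}.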

code_change(_OldVsn, nostate, _Extra) ->
    {ok, nostate}.

terminate(_Reason, nostate) ->
    nostate.

%% Removes the entry for Key and, if one is recorded, cancels and
%% forgets its expiry timer.
do_delete(Key) ->
    erase({items, Key}),
    case erlang:get({timers, Key}) of
        undefined ->
            ok;
        Timer ->
            timer:cancel(Timer),
            erase({timers, Key})
    end.

--------------------------------------------------------------------------------
/src/rabbit_auth_cache_ets.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(rabbit_auth_cache_ets).
-behaviour(gen_server).
-compile({no_auto_import,[get/1]}).
-compile({no_auto_import,[put/2]}).

-behaviour(rabbit_auth_cache).

-export([start_link/0,
         get/1, put/3, delete/1]).

-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
         terminate/2, code_change/3]).

-record(state, {cache, timers, ttl}).

%% Cache store backed by two ETS tables owned by a locally registered
%% gen_server. All reads and writes go through that process.

start_link() -> gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).

get(Key) -> gen_server:call(?MODULE, {get, Key}).

%% The expiry is computed in the caller, before the cast is sent.
put(Key, Value, TTL) ->
    ExpiresAt = rabbit_auth_cache:expiration(TTL),
    gen_server:cast(?MODULE, {put, Key, Value, TTL, ExpiresAt}).

delete(Key) -> gen_server:call(?MODULE, {delete, Key}).

%% Both tables are created `private`, so only this process can read or
%% write the cached entries.
init(_Args) ->
    CacheTab = ets:new(?MODULE, [set, private]),
    TimerTab = ets:new(auth_cache_ets_timers, [set, private]),
    {ok, #state{cache = CacheTab, timers = TimerTab}}.

%% {get, Key}: {ok, Value} for a stored, unexpired entry, otherwise
%% {error, not_found}. An expired entry is reported as missing even if
%% its timer has not removed it yet.
%% {delete, Key}: removes the entry and its timer, replies ok.
handle_call({get, Key}, _From, State = #state{cache = Table}) ->
    Reply =
        case ets:lookup(Table, Key) of
            [] ->
                {error, not_found};
            [{Key, {Exp, Val}}] ->
                case rabbit_auth_cache:expired(Exp) of
                    false -> {ok, Val};
                    true  -> {error, not_found}
                end
        end,
    {reply, Reply, State};
handle_call({delete, Key}, _From, State = #state{cache = Table, timers = Timers}) ->
    do_delete(Key, Table, Timers),
    {reply, ok, State}.

%% Replaces any previous entry (and its timer) for Key, then schedules
%% removal of the new entry after TTL.
handle_cast({put, Key, Value, TTL, Expiration},
            State = #state{cache = Table, timers = Timers}) ->
    do_delete(Key, Table, Timers),
    ets:insert(Table, {Key, {Expiration, Value}}),
    {ok, Timer} = timer:apply_after(TTL, rabbit_auth_cache_ets, delete, [Key]),
    ets:insert(Timers, {Key, Timer}),
    {noreply, State}.

handle_info(_Msg, State) ->
    {noreply, State}.

code_change(_OldVsn, State, _Extra) ->
    {ok, State}.

terminate(_Reason, State = #state{}) ->
    State.

%% Deletes the cache entry for Key and cancels its timer if one is
%% recorded.
do_delete(Key, Table, Timers) ->
    true = ets:delete(Table, Key),
    case ets:lookup(Timers, Key) of
        [] ->
            ok;
        [{Key, Timer}] ->
            timer:cancel(Timer),
            true = ets:delete(Timers, Key)
    end.

--------------------------------------------------------------------------------
/src/rabbit_auth_cache_ets_segmented.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(rabbit_auth_cache_ets_segmented).
-behaviour(gen_server).
-behaviour(rabbit_auth_cache).

-export([start_link/1,
         get/1, put/3, delete/1]).
-export([gc/0]).

-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
         terminate/2, code_change/3]).

%% segments is a list of {Boundary, Table} pairs, newest first.
-record(state, {
    segments = [],
    gc_timer,
    segment_size}).

%% Cache store that spreads entries over ETS tables ("segments"), each
%% with an expiry boundary. The gen_server only tracks the segments;
%% lookups, inserts and deletes run in the calling process, which is why
%% the segment tables are created `public`. Any local process that holds
%% a segment's table id can therefore read or overwrite cached
%% decisions.

start_link(SegmentSize) ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, [SegmentSize], []).

%% Returns the first unexpired value found, or {error, not_found}.
get(Key) ->
    case get_from_segments(Key) of
        [Value | _] -> {ok, Value};
        []          -> {error, not_found}
    end.

%% Asks the server for the segment to write to, then inserts from the
%% calling process.
put(Key, Value, TTL) ->
    ExpiresAt = rabbit_auth_cache:expiration(TTL),
    WriteTable = gen_server:call(?MODULE, {get_write_segment, ExpiresAt}),
    ets:insert(WriteTable, {Key, {ExpiresAt, Value}}),
    ok.

%% Deletes Key from every unexpired segment.
%% NOTE(review): this returns a list of ets:delete/2 results, while the
%% rabbit_auth_cache callback is declared as returning ok -- confirm no
%% caller matches on ok.
delete(Key) ->
    Tables = gen_server:call(?MODULE, get_segment_tables),
    lists:map(fun(Table) -> ets:delete(Table, Key) end, Tables).

%% Triggers a collection of expired segments if the server is running.
gc() ->
    case whereis(?MODULE) of
        undefined -> ok;
        Pid       -> Pid ! gc
    end.

%% Creates the first segment and a timer that sends gc every
%% SegmentSize * 2 milliseconds.
init([SegmentSize]) ->
    FirstTable = ets:new(segment, [set, public]),
    FirstBoundary = rabbit_auth_cache:expiration(SegmentSize),
    {ok, GCTimer} = timer:send_interval(SegmentSize * 2, gc),
    {ok, #state{gc_timer = GCTimer, segment_size = SegmentSize,
                segments = [{FirstBoundary, FirstTable}]}}.

%% {get_write_segment, Expiration}: replies with the newest segment's
%% table, adding a segment first when the newest boundary does not cover
%% Expiration.
%% get_segment_tables: replies with the tables of all unexpired segments.
handle_call({get_write_segment, Expiration}, _From,
            State = #state{segments = Segments,
                           segment_size = SegmentSize}) ->
    NewSegments = maybe_add_segment(Expiration, SegmentSize, Segments),
    [{_, Segment} | _] = NewSegments,
    {reply, Segment, State#state{segments = NewSegments}};
handle_call(get_segment_tables, _From, State = #state{segments = Segments}) ->
    {_, Valid} = partition_expired_segments(Segments),
    {_, Tables} = lists:unzip(Valid),
    {reply, Tables, State}.

handle_cast(_, State = #state{}) ->
    {noreply, State}.

%% gc: deletes the tables of expired segments and forgets them.
handle_info(gc, State = #state{ segments = Segments }) ->
    {Expired, Valid} = partition_expired_segments(Segments),
    lists:foreach(fun({_, Table}) -> ets:delete(Table) end, Expired),
    {noreply, State#state{ segments = Valid }};
handle_info(_Msg, State) ->
    {noreply, State}.

code_change(_OldVsn, State, _Extra) ->
    {ok, State}.

terminate(_Reason, State = #state{gc_timer = Timer}) ->
    timer:cancel(Timer),
    State.

%% Splits Segments into {Expired, Valid} by their boundary.
partition_expired_segments(Segments) ->
    IsExpired = fun({Boundary, _}) -> rabbit_auth_cache:expired(Boundary) end,
    lists:partition(IsExpired, Segments).

%% Returns the segment list, with a new segment prepended unless the
%% newest boundary is already later than Expiration. New segment tables
%% are `public` because callers insert into them directly.
maybe_add_segment(Expiration, SegmentSize, OldSegments) ->
    case OldSegments of
        [{NewestBoundary, _} | _] when NewestBoundary > Expiration ->
            OldSegments;
        _ ->
            Boundary = Expiration + SegmentSize,
            Table = ets:new(segment, [set, public]),
            [{Boundary, Table} | OldSegments]
    end.

%% Collects the unexpired values stored for Key across all unexpired
%% segments.
get_from_segments(Key) ->
    Tables = gen_server:call(?MODULE, get_segment_tables),
    lists:flatmap(fun(Table) -> lookup_live(Table, Key) end, Tables).

%% [Value] when Table holds an unexpired entry for Key, otherwise [].
lookup_live(undefined, _Key) ->
    [];
lookup_live(Table, Key) ->
    try ets:lookup(Table, Key) of
        [{Key, {Exp, Val}}] ->
            case rabbit_auth_cache:expired(Exp) of
                true  -> [];
                false -> [Val]
            end;
        [] ->
            []
    catch
        %% The ETS table can be deleted concurrently (by gc).
        error:badarg -> []
    end.

--------------------------------------------------------------------------------
/src/rabbit_auth_cache_ets_segmented_stateless.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(rabbit_auth_cache_ets_segmented_stateless).
-behaviour(gen_server).
-behaviour(rabbit_auth_cache).

-export([start_link/1,
         get/1, put/3, delete/1]).
-export([gc/0]).

-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
         terminate/2, code_change/3]).

%% Named index table: {segment_size, Size} plus one {Boundary, Table}
%% row per segment.
-define(SEGMENT_TABLE, rabbit_auth_cache_ets_segmented_stateless_segment_table).

-record(state, {gc_timer}).

%% Variant of the segmented store that keeps the segment index in a
%% named ETS table instead of gen_server state, so reads and most writes
%% never call the server. The index and the segment tables are `public`:
%% every process on the node can read and modify them.
%% NOTE(review): in this file the index is only written from the server
%% process (init/1 and do_add_segment/1) -- confirm whether it could be
%% `protected` instead.

start_link(SegmentSize) ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, [SegmentSize], []).

%% Returns the first unexpired value found, or {error, not_found}.
get(Key) ->
    case get_from_segments(Key) of
        [Value | _] -> {ok, Value};
        []          -> {error, not_found}
    end.

%% Inserts from the calling process; the server is only called when the
%% segment for this expiry does not exist yet.
put(Key, Value, TTL) ->
    ExpiresAt = rabbit_auth_cache:expiration(TTL),
    [{_, SegmentSize}] = ets:lookup(?SEGMENT_TABLE, segment_size),
    Segment = segment(ExpiresAt, SegmentSize),
    Table = case ets:lookup(?SEGMENT_TABLE, Segment) of
                []               -> add_segment(Segment);
                [{Segment, Tab}] -> Tab
            end,
    ets:insert(Table, {Key, {ExpiresAt, Value}}),
    ok.

%% Deletes Key from every segment listed in the index.
delete(Key) ->
    lists:map(fun(Table) -> ets:delete(Table, Key) end,
              get_all_segment_tables()).

%% Triggers a collection of expired segments if the server is running.
gc() ->
    case whereis(?MODULE) of
        undefined -> ok;
        Pid       -> Pid ! gc
    end.

%% Creates the index, records the segment size, adds the first segment
%% and starts a timer that sends gc every SegmentSize * 2 milliseconds.
init([SegmentSize]) ->
    ets:new(?SEGMENT_TABLE, [ordered_set, named_table, public]),
    ets:insert(?SEGMENT_TABLE, {segment_size, SegmentSize}),

    FirstExpiry = rabbit_auth_cache:expiration(SegmentSize),
    do_add_segment(segment(FirstExpiry, SegmentSize)),

    {ok, GCTimer} = timer:send_interval(SegmentSize * 2, gc),
    {ok, #state{gc_timer = GCTimer}}.

handle_call({add_segment, Segment}, _From, State) ->
    %% do_add_segment/1 checks again whether the segment already exists.
    Table = do_add_segment(Segment),
    {reply, Table, State}.

handle_cast(_, State = #state{}) ->
    {noreply, State}.
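
%% gc: drops every segment whose boundary lies before the current
%% system time.
%%
%% The index row is removed together with the table. Leaving the row in
%% place would make the next gc select the same, already deleted table
%% and fail in ets:delete/1 with badarg, and would keep handing dead
%% table ids to delete/1 through get_all_segment_tables/0.
%% The segment_size row is never selected: atoms sort after numbers, so
%% the '<' guard is false for it.
handle_info(gc, State = #state{}) ->
    Now = erlang:system_time(milli_seconds),
    MatchSpec = [{{'$1', '$2'}, [{'<', '$1', {const, Now}}], ['$_']}],
    Expired = ets:select(?SEGMENT_TABLE, MatchSpec),
    lists:foreach(
      fun({Segment, Table}) ->
              %% Unregister first so readers stop finding the segment.
              true = ets:delete(?SEGMENT_TABLE, Segment),
              true = ets:delete(Table)
      end,
      Expired),
    {noreply, State};
handle_info(_Msg, State) ->
    {noreply, State}.

code_change(_OldVsn, State, _Extra) ->
    {ok, State}.

terminate(_Reason, State = #state{gc_timer = Timer}) ->
    timer:cancel(Timer),
    State.

%% Boundary of the segment that Expiration falls into: the next multiple
%% of SegmentSize above Expiration's own bucket start.
segment(Expiration, SegmentSize) ->
    Begin = ((Expiration div SegmentSize) * SegmentSize),
    End = Begin + SegmentSize,
    End.

%% Asks the server to create (or return) the table for Segment.
add_segment(Segment) ->
    gen_server:call(?MODULE, {add_segment, Segment}).

%% Returns the table registered for Segment, creating and registering a
%% new `public` table when there is none.
do_add_segment(Segment) ->
    case ets:lookup(?SEGMENT_TABLE, Segment) of
        [{Segment, Table}] -> Table;
        []                 -> Table = ets:new(segment, [set, public]),
                              ets:insert(?SEGMENT_TABLE, {Segment, Table}),
                              Table
    end.

%% Tables of the segments whose boundary is still in the future. The
%% segment_size row also passes the '>' guard (atoms sort after
%% numbers), so it is filtered out by key.
get_segment_tables() ->
    Now = erlang:system_time(milli_seconds),
    MatchSpec = [{{'$1', '$2'}, [{'>', '$1', {const, Now}}], ['$_']}],
    [V || {K, V} <- ets:select(?SEGMENT_TABLE, MatchSpec), K =/= segment_size].

%% Tables of every segment listed in the index, expired or not.
get_all_segment_tables() ->
    [V || {K, V} <- ets:tab2list(?SEGMENT_TABLE), K =/= segment_size].

%% Collects the unexpired values stored for Key across the segments
%% returned by get_segment_tables/0.
get_from_segments(Key) ->
    Tables = get_segment_tables(),
    lists:flatmap(
        fun(undefined) -> [];
           (T) ->
                try ets:lookup(T, Key) of
                    [{Key, {Exp, Val}}] ->
                        case rabbit_auth_cache:expired(Exp) of
                            true  -> [];
                            false -> [Val]
                        end;
                    [] -> []
                % ETS table can be deleted concurrently.
                catch
                    error:badarg -> []
                end
        end,
        Tables).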

--------------------------------------------------------------------------------
/test/config_schema_SUITE.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2016-2020 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(config_schema_SUITE).

-compile(export_all).

%% Common Test suite that runs the plugin's configuration schema
%% snippets.
all() ->
    [run_snippets].

%% -------------------------------------------------------------------
%% Testsuite setup/teardown.
%% -------------------------------------------------------------------

init_per_suite(Config) ->
    rabbit_ct_helpers:log_environment(),
    Prepared = rabbit_ct_helpers:run_setup_steps(Config),
    rabbit_ct_config_schema:init_schemas(rabbitmq_auth_backend_cache, Prepared).


end_per_suite(Config) ->
    rabbit_ct_helpers:run_teardown_steps(Config).

%% Each test case gets its own node name suffix before the broker and
%% client setup steps run.
init_per_testcase(Testcase, Config) ->
    rabbit_ct_helpers:testcase_started(Config, Testcase),
    Named = rabbit_ct_helpers:set_config(Config, [
        {rmq_nodename_suffix, Testcase}
      ]),
    SetupSteps = rabbit_ct_broker_helpers:setup_steps() ++
                 rabbit_ct_client_helpers:setup_steps(),
    rabbit_ct_helpers:run_steps(Named, SetupSteps).

end_per_testcase(Testcase, Config) ->
    TeardownSteps = rabbit_ct_client_helpers:teardown_steps() ++
                    rabbit_ct_broker_helpers:teardown_steps(),
    Cleaned = rabbit_ct_helpers:run_steps(Config, TeardownSteps),
    rabbit_ct_helpers:testcase_finished(Cleaned, Testcase).

%% -------------------------------------------------------------------
%% Testcases.
47 | %% ------------------------------------------------------------------- 48 | 49 | run_snippets(Config) -> 50 | ok = rabbit_ct_broker_helpers:rpc(Config, 0, 51 | ?MODULE, run_snippets1, [Config]). 52 | 53 | run_snippets1(Config) -> 54 | rabbit_ct_config_schema:run_snippets(Config). 55 | 56 | -------------------------------------------------------------------------------- /test/config_schema_SUITE_data/rabbitmq_auth_backend_cache.snippets: -------------------------------------------------------------------------------- 1 | [{enable_backend, 2 | "auth_backends.1 = cache 3 | auth_cache.cached_backend = ldap", 4 | [{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}, 5 | {rabbitmq_auth_backend_cache,[{cached_backend,rabbit_auth_backend_ldap}]}], 6 | [rabbitmq_auth_backend_cache]}, 7 | {auth_backend_cache, 8 | "auth_backends.1 = cache", 9 | [{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}], 10 | [rabbitmq_auth_backend_cache]}, 11 | {cached_backend, 12 | "auth_backends.1 = cache 13 | auth_cache.cached_backend = ldap", 14 | [{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}, 15 | {rabbitmq_auth_backend_cache, 16 | [{cached_backend,rabbit_auth_backend_ldap}]}], 17 | [rabbitmq_auth_backend_cache]}, 18 | {cached_authn_authz, 19 | "auth_backends.1 = cache 20 | auth_cache.cached_backend.authn = ldap 21 | auth_cache.cached_backend.authz = http", 22 | [{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}, 23 | {rabbitmq_auth_backend_cache, 24 | [{cached_backend, 25 | {rabbit_auth_backend_ldap,rabbit_auth_backend_http}}]}], 26 | [rabbitmq_auth_backend_cache]}, 27 | {cached_authn, 28 | "auth_backends.1 = cache 29 | auth_cache.cached_backend.authn = ldap", 30 | [{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}, 31 | {rabbitmq_auth_backend_cache, 32 | [{cached_backend, 33 | {rabbit_auth_backend_ldap,rabbit_auth_backend_ldap}}]}], 34 | [rabbitmq_auth_backend_cache]}, 35 | {cache_ttl, 36 | "auth_backends.1 = cache 37 | auth_cache.cache_ttl = 200", 38 | 
[{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}, 39 | {rabbitmq_auth_backend_cache,[{cache_ttl,200}]}], 40 | [rabbitmq_auth_backend_cache]}, 41 | {cache_module, 42 | "auth_backends.1 = cache 43 | auth_cache.cache_module = rabbit_auth_backend_ets_segmented", 44 | [{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}, 45 | {rabbitmq_auth_backend_cache, 46 | [{cache_module,rabbit_auth_backend_ets_segmented}]}], 47 | [rabbitmq_auth_backend_cache]}, 48 | {cache_refusals, 49 | "auth_backends.1 = cache 50 | auth_cache.cache_refusals = true", 51 | [{rabbit,[{auth_backends,[rabbit_auth_backend_cache]}]}, 52 | {rabbitmq_auth_backend_cache, 53 | [{cache_refusals,true}]}], 54 | [rabbitmq_auth_backend_cache]} 55 | ]. 56 | -------------------------------------------------------------------------------- /test/rabbit_auth_backend_cache_SUITE.erl: -------------------------------------------------------------------------------- 1 | %% This Source Code Form is subject to the terms of the Mozilla Public 2 | %% License, v. 2.0. If a copy of the MPL was not distributed with this 3 | %% file, You can obtain one at https://mozilla.org/MPL/2.0/. 4 | %% 5 | %% Copyright (c) 2007-2020 VMware, Inc. or its affiliates. All rights reserved. 6 | %% 7 | -module(rabbit_auth_backend_cache_SUITE). 8 | 9 | -include_lib("rabbit_common/include/rabbit.hrl"). 10 | 11 | -compile(export_all). 12 | 13 | all() -> 14 | [ 15 | authentication_response, 16 | authorization_response, 17 | access_response, 18 | cache_expiration, 19 | cache_expiration_topic 20 | ]. 21 | 22 | init_per_suite(Config) -> 23 | rabbit_ct_helpers:log_environment(), 24 | rabbit_ct_helpers:run_setup_steps(Config, rabbit_ct_broker_helpers:setup_steps() ++ 25 | [ fun setup_env/1 ]). 26 | 27 | setup_env(Config) -> 28 | true = lists:member(rabbitmq_auth_backend_cache, 29 | rpc(Config, rabbit_plugins, active, [])), 30 | application:set_env(rabbit, auth_backends, [rabbit_auth_backend_cache]), 31 | 32 | Config. 

end_per_suite(Config) ->
    rabbit_ct_helpers:run_teardown_steps(Config, rabbit_ct_broker_helpers:teardown_steps()).

%% access_response needs topic permissions for guest on amq.topic to be
%% in place before it runs.
init_per_testcase(access_response, Config) ->
    ok = rpc(Config, rabbit_auth_backend_internal, set_topic_permissions, [
        <<"guest">>, <<"/">>, <<"amq.topic">>, <<"^a">>, <<"^b">>, <<"acting-user">>
    ]),
    Config;
init_per_testcase(_TestCase, Config) ->
    Config.

%% Undo what the test cases changed in the internal backend: topic
%% permissions set for access_response / cache_expiration_topic, and
%% the guest user that cache_expiration deletes.
end_per_testcase(TestCase, Config) when TestCase == access_response;
                                        TestCase == cache_expiration_topic ->
    ok = rpc(Config, rabbit_auth_backend_internal, clear_topic_permissions, [
        <<"guest">>, <<"/">>, <<"acting-user">>
    ]),
    Config;
end_per_testcase(cache_expiration, Config) ->
    rabbit_ct_broker_helpers:add_user(Config, <<"guest">>),
    rabbit_ct_broker_helpers:set_full_permissions(Config, <<"/">>),
    Config;
end_per_testcase(_TestCase, Config) ->
    Config.

%% The cache backend must return exactly what the internal backend
%% returns, for an accepted and for a refused login.
authentication_response(Config) ->
    {ok, AuthRespOk} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),
    {ok, AuthRespOk} = rpc(Config,rabbit_auth_backend_cache, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),
    {refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, [{password, <<"notguest">>}]]),
    {refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_cache, user_login_authentication, [<<"guest">>, [{password, <<"notguest">>}]]).

%% Login authorisation through the cache must match the internal
%% backend, for a known and for an unknown user name.
authorization_response(Config) ->
    AuthProps = [{password, <<"guest">>}],
    {ok, #auth_user{impl = Impl, tags = Tags}} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, AuthProps]),
    {ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"guest">>, AuthProps]),
    {ok, Impl, Tags} = rpc(Config,rabbit_auth_backend_cache, user_login_authorization, [<<"guest">>, AuthProps]),
    {refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_internal, user_login_authorization, [<<"nonguest">>, AuthProps]),
    {refused, FailErr, FailArgs} = rpc(Config,rabbit_auth_backend_cache, user_login_authorization, [<<"nonguest">>, AuthProps]).

%% Vhost, resource and topic checks through the cache must match the
%% internal backend, for both allowed and denied cases.
access_response(Config) ->
    AvailableVhost = <<"/">>,
    RestrictedVhost = <<"restricted">>,
    AvailableResource = #resource{virtual_host = AvailableVhost, kind = exchange, name = <<"some">>},
    RestrictedResource = #resource{virtual_host = RestrictedVhost, kind = exchange, name = <<"some">>},
    TopicResource = #resource{virtual_host = AvailableVhost, kind = topic, name = <<"amq.topic">>},
    AuthorisedTopicContext = #{routing_key => <<"a.b">>},
    RestrictedTopicContext = #{routing_key => <<"b.b">>},

    {ok, Auth} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),
    true = rpc(Config,rabbit_auth_backend_internal, check_vhost_access, [Auth, AvailableVhost, undefined]),
    true = rpc(Config,rabbit_auth_backend_cache, check_vhost_access, [Auth, AvailableVhost, undefined]),

    false = rpc(Config,rabbit_auth_backend_internal, check_vhost_access, [Auth, RestrictedVhost, undefined]),
    false = rpc(Config,rabbit_auth_backend_cache, check_vhost_access, [Auth, RestrictedVhost, undefined]),

    true = rpc(Config,rabbit_auth_backend_internal, check_resource_access, [Auth, AvailableResource, configure, #{}]),
    true = rpc(Config,rabbit_auth_backend_cache, check_resource_access, [Auth, AvailableResource, configure, #{}]),

    false = rpc(Config,rabbit_auth_backend_internal, check_resource_access, [Auth, RestrictedResource, configure, #{}]),
    false = rpc(Config,rabbit_auth_backend_cache, check_resource_access, [Auth, RestrictedResource, configure, #{}]),

    true = rpc(Config,rabbit_auth_backend_internal, check_topic_access, [Auth, TopicResource, write, AuthorisedTopicContext]),
    true = rpc(Config,rabbit_auth_backend_cache, check_topic_access, [Auth, TopicResource, write, AuthorisedTopicContext]),

    false = rpc(Config,rabbit_auth_backend_internal, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]),
    false = rpc(Config,rabbit_auth_backend_cache, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]).

%% Pins down the revocation window of the cache: after the password is
%% changed and after the user is deleted, the cache backend keeps
%% returning the earlier positive answers until cache_ttl has passed,
%% while the internal backend refuses at once. Anyone relying on prompt
%% revocation has to size cache_ttl accordingly.
cache_expiration(Config) ->
    AvailableVhost = <<"/">>,
    %% NOTE(review): `excahnge` looks like a typo for `exchange`; the
    %% assertions below pass with it as written -- confirm before
    %% changing.
    AvailableResource = #resource{virtual_host = AvailableVhost, kind = excahnge, name = <<"some">>},
    %% Warm the cache with positive answers.
    {ok, Auth} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),
    {ok, Auth} = rpc(Config,rabbit_auth_backend_cache, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),
    true = rpc(Config,rabbit_auth_backend_internal, check_vhost_access, [Auth, AvailableVhost, undefined]),
    true = rpc(Config,rabbit_auth_backend_cache, check_vhost_access, [Auth, AvailableVhost, undefined]),

    true = rpc(Config,rabbit_auth_backend_cache, check_resource_access, [Auth, AvailableResource, configure, #{}]),
    true = rpc(Config,rabbit_auth_backend_cache, check_resource_access, [Auth, AvailableResource, configure, #{}]),

    rpc(Config,rabbit_auth_backend_internal, change_password, [<<"guest">>, <<"newpass">>, <<"acting-user">>]),

    %% The old password is refused by the backend but still accepted
    %% through the cache.
    {refused, _, _} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),
    {ok, Auth} = rpc(Config,rabbit_auth_backend_cache, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),
    true = rpc(Config,rabbit_auth_backend_internal, check_vhost_access, [Auth, AvailableVhost, undefined]),
    true = rpc(Config,rabbit_auth_backend_cache, check_vhost_access, [Auth, AvailableVhost, undefined]),

    true = rpc(Config,rabbit_auth_backend_internal, check_resource_access, [Auth, AvailableResource, configure, #{}]),
    true = rpc(Config,rabbit_auth_backend_cache, check_resource_access, [Auth, AvailableResource, configure, #{}]),

    rpc(Config,rabbit_auth_backend_internal, delete_user, [<<"guest">>, <<"acting-user">>]),

    %% The user is gone from the backend; the cache still grants access.
    false = rpc(Config,rabbit_auth_backend_internal, check_vhost_access, [Auth, AvailableVhost, undefined]),
    true = rpc(Config,rabbit_auth_backend_cache, check_vhost_access, [Auth, AvailableVhost, undefined]),

    false = rpc(Config,rabbit_auth_backend_internal, check_resource_access, [Auth, AvailableResource, configure, #{}]),
    true = rpc(Config,rabbit_auth_backend_cache, check_resource_access, [Auth, AvailableResource, configure, #{}]),

    {ok, TTL} = rpc(Config, application, get_env, [rabbitmq_auth_backend_cache, cache_ttl]),
    timer:sleep(TTL),

    %% After one TTL the cache agrees with the backend again.
    {refused, _, _} = rpc(Config,rabbit_auth_backend_cache, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),

    false = rpc(Config,rabbit_auth_backend_internal, check_vhost_access, [Auth, AvailableVhost, undefined]),
    false = rpc(Config,rabbit_auth_backend_cache, check_vhost_access, [Auth, AvailableVhost, undefined]),

    false = rpc(Config,rabbit_auth_backend_internal, check_resource_access, [Auth, AvailableResource, configure, #{}]),
    false = rpc(Config,rabbit_auth_backend_cache, check_resource_access, [Auth, AvailableResource, configure, #{}]).

%% Same revocation window for topic permissions: a grant cached before
%% the permissions were tightened stays in force through the cache
%% until cache_ttl has passed.
cache_expiration_topic(Config) ->
    AvailableVhost = <<"/">>,
    TopicResource = #resource{virtual_host = AvailableVhost, kind = topic, name = <<"amq.topic">>},
    RestrictedTopicContext = #{routing_key => <<"b.b">>},

    {ok, Auth} = rpc(Config,rabbit_auth_backend_internal, user_login_authentication, [<<"guest">>, [{password, <<"guest">>}]]),

    % topic access is authorised if no permission is found
    true = rpc(Config,rabbit_auth_backend_internal, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]),
    true = rpc(Config,rabbit_auth_backend_cache, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]),

    ok = rpc(Config, rabbit_auth_backend_internal, set_topic_permissions, [
        <<"guest">>, <<"/">>, <<"amq.topic">>, <<"^a">>, <<"^b">>, <<"acting-user">>
    ]),

    % the backend now denies the routing key; the cached grant still applies
    false = rpc(Config,rabbit_auth_backend_internal, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]),
    true = rpc(Config,rabbit_auth_backend_cache, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]),

    {ok, TTL} = rpc(Config, application, get_env, [rabbitmq_auth_backend_cache, cache_ttl]),
    timer:sleep(TTL),

    false = rpc(Config,rabbit_auth_backend_internal, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]),
    false = rpc(Config,rabbit_auth_backend_cache, check_topic_access, [Auth, TopicResource, write, RestrictedTopicContext]).

%% Runs M:F(A) on broker node 0.
rpc(Config, M, F, A) ->
    rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).





--------------------------------------------------------------------------------
/test/rabbit_auth_cache_SUITE.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0.
%% If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2007-2020 VMware, Inc. or its affiliates.  All rights reserved.
%%
-module(rabbit_auth_cache_SUITE).

-include_lib("common_test/include/ct.hrl").

-compile(export_all).

%% One test group per cache implementation module.
all() ->
    [{group, Module} || Module <- [rabbit_auth_cache_dict,
                                   rabbit_auth_cache_ets,
                                   rabbit_auth_cache_ets_segmented,
                                   rabbit_auth_cache_ets_segmented_stateless]].

%% Every implementation runs the same test cases, in sequence.
groups() ->
    CommonTests = [get_empty, get_put, get_expired, put_replace, get_deleted, random_timing],
    [{Module, [sequence], CommonTests} || {group, Module} <- all()].

%% Loads the plugin's application spec and records the configured cache_ttl
%% in the CT config under `current_ttl`.
init_per_suite(Config) ->
    % The result of load/1 is not checked, as in the original suite.
    application:load(rabbitmq_auth_backend_cache),
    {ok, CacheTTL} = application:get_env(rabbitmq_auth_backend_cache, cache_ttl),
    rabbit_ct_helpers:set_config(Config, {current_ttl, CacheTTL}).

end_per_suite(Config) ->
    Config.

%% Selects the cache module under test and its start_link arguments:
%% the dict and ets modules take none, the segmented modules take a single
%% argument of twice the current TTL. Unknown groups leave Config untouched.
init_per_group(Group, Config) ->
    NoArgModules = [rabbit_auth_cache_dict, rabbit_auth_cache_ets],
    SegmentedModules = [rabbit_auth_cache_ets_segmented,
                        rabbit_auth_cache_ets_segmented_stateless],
    case {lists:member(Group, NoArgModules), lists:member(Group, SegmentedModules)} of
        {true, _} ->
            set_auth_cache_module(Group, [], Config);
        {false, true} ->
            TTL = ?config(current_ttl, Config),
            set_auth_cache_module(Group, [TTL * 2], Config);
        {false, false} ->
            Config
    end.

%% Stores the module and its start arguments in the CT config.
set_auth_cache_module(Module, Args, Config) ->
    rabbit_ct_helpers:set_config(
      rabbit_ct_helpers:set_config(Config, {auth_cache_module, Module}),
      {auth_cache_module_args, Args}).

end_per_group(_, Config) ->
    Config.
%% Per-testcase setup: applies any test-specific TTL override, then starts the
%% cache module selected for the current group with its configured arguments.
init_per_testcase(Test, Config) ->
    Prepared = init_per_testcase0(Test, Config),
    CacheModule = ?config(auth_cache_module, Prepared),
    StartArgs = ?config(auth_cache_module_args, Prepared),
    % The start_link result is not matched, so a failed or duplicate start is
    % not detected at this point.
    apply(CacheModule, start_link, StartArgs),
    Prepared.

%% get_expired and random_timing run with a temporary cache_ttl of 500; the
%% previous value is kept under `saved_ttl` so teardown can restore it.
%% All other test cases keep the configuration as it is.
init_per_testcase0(Test, Config) when Test =:= get_expired; Test =:= random_timing ->
    SavedTTL = ?config(current_ttl, Config),
    ShortTTL = 500,
    application:set_env(rabbitmq_auth_backend_cache, cache_ttl, ShortTTL),
    WithSaved = rabbit_ct_helpers:set_config(Config, {saved_ttl, SavedTTL}),
    WithShort = rabbit_ct_helpers:set_config(WithSaved, {current_ttl, ShortTTL}),
    % NOTE(review): the module args are derived from the saved TTL, not from
    % the temporary one -- confirm this is intended.
    NewArgs = new_auth_cache_module_args(SavedTTL, WithShort),
    rabbit_ct_helpers:set_config(WithShort, {auth_cache_module_args, NewArgs});
init_per_testcase0(_, Config) ->
    Config.

%% Per-testcase teardown: signals the registered cache process, then undoes
%% any test-specific TTL override.
end_per_testcase(Test, Config) ->
    CacheModule = ?config(auth_cache_module, Config),
    % gen_server:stop(AuthCacheModule),
    CachePid = whereis(CacheModule),
    % NOTE(review): an exit signal with reason `normal` is ignored by a process
    % that does not trap exits, so whether this stops the cache depends on the
    % cache module -- confirm. whereis/1 returning `undefined` would make
    % exit/2 fail with badarg.
    exit(CachePid, normal),
    end_per_testcase0(Test, Config).
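%% Undoes the temporary TTL set up for get_expired and random_timing: restores
%% cache_ttl in the application env, puts the saved value back under
%% `current_ttl` and recomputes the cache module arguments.
%% All other test cases return Config unchanged.
end_per_testcase0(Test, Config) when Test =:= get_expired; Test =:= random_timing ->
    TTL = ?config(saved_ttl, Config),
    application:set_env(rabbitmq_auth_backend_cache, cache_ttl, TTL),
    Config1 = rabbit_ct_helpers:set_config(Config, {current_ttl, TTL}),
    % Build the result on Config1 rather than Config: the original discarded
    % Config1, so the returned configuration still carried the temporary
    % current_ttl instead of the restored one.
    rabbit_ct_helpers:set_config(Config1,
                                 {auth_cache_module_args,
                                  new_auth_cache_module_args(TTL, Config1)});
end_per_testcase0(_, Config) ->
    Config.

%% Recomputes the cache module start arguments for a given TTL: modules
%% started without arguments keep none, modules started with one argument get
%% twice the TTL. Any other argument list is a case_clause error.
new_auth_cache_module_args(TTL, Config) ->
    case ?config(auth_cache_module_args, Config) of
        []  -> [];
        [_] -> [TTL * 2]
    end.

%% A fresh cache reports not_found for keys that were never stored.
get_empty(Config) ->
    AuthCacheModule = ?config(auth_cache_module, Config),
    {error, not_found} = AuthCacheModule:get(some_key),
    {error, not_found} = AuthCacheModule:get(other_key).

%% A stored value can be read back under the same key.
get_put(Config) ->
    AuthCacheModule = ?config(auth_cache_module, Config),
    Key = some_key,
    TTL = ?config(current_ttl, Config),
    {error, not_found} = AuthCacheModule:get(Key),
    ok = AuthCacheModule:put(Key, some_value, TTL),
    {ok, some_value} = AuthCacheModule:get(Key).

%% A stored value is still readable halfway through its TTL and is gone after
%% a further full TTL (1.5 x TTL after the put).
%% Expiry is what limits how long a stored value can be served; presumably the
%% auth backend cache relies on it to bound stale authorisation results --
%% confirm against rabbit_auth_backend_cache.
get_expired(Config) ->
    TTL = ?config(current_ttl, Config),
    AuthCacheModule = ?config(auth_cache_module, Config),
    Key = some_key,
    {error, not_found} = AuthCacheModule:get(Key),
    ok = AuthCacheModule:put(Key, some_value, TTL),
    {ok, some_value} = AuthCacheModule:get(Key),
    timer:sleep(TTL div 2),
    {ok, some_value} = AuthCacheModule:get(Key),
    timer:sleep(TTL),
    {error, not_found} = AuthCacheModule:get(Key).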
%% A second put under the same key replaces the stored value.
put_replace(Config) ->
    CacheModule = ?config(auth_cache_module, Config),
    TTL = ?config(current_ttl, Config),
    Key = some_key,
    {error, not_found} = CacheModule:get(Key),
    ok = CacheModule:put(Key, some_value, TTL),
    {ok, some_value} = CacheModule:get(Key),
    ok = CacheModule:put(Key, other_value, TTL),
    {ok, other_value} = CacheModule:get(Key).

%% An explicit delete removes the entry before its TTL has elapsed.
%% The return value of delete/1 is not checked.
get_deleted(Config) ->
    CacheModule = ?config(auth_cache_module, Config),
    TTL = ?config(current_ttl, Config),
    Key = some_key,
    {error, not_found} = CacheModule:get(Key),
    ok = CacheModule:put(Key, some_value, TTL),
    {ok, some_value} = CacheModule:get(Key),
    CacheModule:delete(Key),
    {error, not_found} = CacheModule:get(Key).


%% Runs the concurrent expiry test with MaxTTL = 30000 and 1000 workers.
random_timing(Config) ->
    random_timing(Config, 30000, 1000).

%% Spawns `Parallel` linked workers, each with its own key and a TTL of
%% rabbit_misc:random(MaxTTL) + 1000. Every worker checks that its key is
%% absent, stores a value, reads it back, sleeps TTL + 200 and then expects the
%% entry to be gone. The caller waits up to MaxTTL * 2 per worker for its
%% completion message.
random_timing(Config, MaxTTL, Parallel) ->
    AuthCacheModule = ?config(auth_cache_module, Config),
    RandomTTls = [{N, rabbit_misc:random(MaxTTL) + 1000} || N <- lists:seq(1, Parallel)],
    Parent = self(),
    Ref = make_ref(),
    Worker =
        fun(Key, TTL) ->
                Value = {tuple_with, Key, TTL},
                {error, not_found} = AuthCacheModule:get(Key),
                PutTime = erlang:system_time(milli_seconds),
                ok = AuthCacheModule:put(Key, Value, TTL),
                case AuthCacheModule:get(Key) of
                    {ok, Value} ->
                        ok;
                    Other when AuthCacheModule =:= rabbit_auth_cache_ets_segmented ->
                        % For the segmented module the failure term also
                        % carries the server state and the contents of its
                        % segment tables, to help diagnose the miss.
                        State = sys:get_state(AuthCacheModule),
                        Data = case State of
                                   {state, Segments, _, _} when is_list(Segments) ->
                                       [ets:tab2list(Segment) || {_, Segment} <- Segments];
                                   _ ->
                                       []
                               end,
                        error({Other, Value, PutTime, erlang:system_time(milli_seconds), State, Data});
                    Other ->
                        error({Other, Value, PutTime, erlang:system_time(milli_seconds)})
                end,
                % expiry error
                timer:sleep(TTL + 200),
                {error, not_found} = AuthCacheModule:get(Key),
                Parent ! {ok, self(), Ref}
        end,
    Pids = [spawn_link(fun() -> Worker(N, TTL) end) || {N, TTL} <- RandomTTls],
    [receive {ok, P, Ref} -> ok after MaxTTL * 2 -> error(timeout) end || P <- Pids].

--------------------------------------------------------------------------------