Merge pull request #14868 from rabbitmq/mergify/bp/v4.2.x/pr-14850

LDAP: make it possible to configure queries in `rabbitmq.conf` as multiline strings (supported as of Cuttlefish 3.6.x) (backport #14850)

Author: michaelklishin

deps/rabbitmq_auth_backend_ldap/Makefile

@@ -35,7 +35,7 @@ define PROJECT_APP_EXTRA_KEYS
 endef
 
 LOCAL_DEPS = eldap public_key
-DEPS = rabbit_common rabbit
+DEPS = rabbit_common rabbit cuttlefish
 TEST_DEPS = ct_helper rabbitmq_ct_helpers rabbitmq_ct_client_helpers amqp_client
 dep_ct_helper = git https://github.com/extend/ct_helper.git master
 

deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema

@@ -1,12 +1,12 @@
+%% vim:ft=erlang:
+%% -*- mode: erlang; -*-
 %% ----------------------------------------------------------------------------
 %% RabbitMQ LDAP Plugin
 %%
 %% See https://www.rabbitmq.com/ldap.html for details.
 %%
 %% ----------------------------------------------------------------------------
 
-%  {rabbitmq_auth_backend_ldap,
-%   [
 %%
 %% Connecting to the LDAP server(s)
 %% ================================
@@ -191,25 +191,6 @@ end}.
 {mapping, "auth_ldap.group_lookup_base", "rabbitmq_auth_backend_ldap.group_lookup_base",
     [{datatype, [{enum, [none]}, string]}]}.
 
-%% The LDAP plugin can perform a variety of queries against your
-%% LDAP server to determine questions of authorisation. See
-%% https://www.rabbitmq.com/ldap.html#authorisation for more
-%% information.
-
-%% Set the query to use when determining vhost access
-%%
-%% {vhost_access_query, {in_group,
-%%                       "ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}},
-
-%% Set the query to use when determining resource (e.g., queue) access
-%%
-%% {resource_access_query, {constant, true}},
-
-%% Set queries to determine which tags a user has
-%%
-%% {tag_queries, []}
-%   ]},
-
 %% Connect to the LDAP server using TLS
 %%
 %% {use_ssl, false},
@@ -341,6 +322,62 @@ fun(Conf) ->
     end
 end}.
 
-
 {mapping, "auth_ldap.ssl_options.hostname_verification", "rabbitmq_auth_backend_ldap.ssl_hostname_verification", [
     {datatype, {enum, [wildcard, none]}}]}.
+
+%% The LDAP plugin can perform a variety of queries against your
+%% LDAP server to determine questions of authorisation. See
+%% https://rabbitmq.com/docs/ldap#authorisation for more
+%% information.
+
+{mapping, "auth_ldap.queries.vhost_access", "rabbitmq_auth_backend_ldap.vhost_access_query",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_ldap.vhost_access_query",
+fun(Conf) ->
+    case cuttlefish:conf_get("auth_ldap.queries.vhost_access", Conf, undefined) of
+        undefined ->
+            cuttlefish:unset();
+        Query ->
+            rabbit_auth_backend_ldap_util:parse_query(Query)
+    end
+end}.
+
+{mapping, "auth_ldap.queries.resource_access", "rabbitmq_auth_backend_ldap.resource_access_query",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_ldap.resource_access_query",
+fun(Conf) ->
+    case cuttlefish:conf_get("auth_ldap.queries.resource_access", Conf, undefined) of
+        undefined ->
+            cuttlefish:unset();
+        Query ->
+            rabbit_auth_backend_ldap_util:parse_query(Query)
+    end
+end}.
+
+{mapping, "auth_ldap.queries.topic_access", "rabbitmq_auth_backend_ldap.topic_access_query",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_ldap.topic_access_query",
+fun(Conf) ->
+    case cuttlefish:conf_get("auth_ldap.queries.topic_access", Conf, undefined) of
+        undefined ->
+            cuttlefish:unset();
+        Query ->
+            rabbit_auth_backend_ldap_util:parse_query(Query)
+    end
+end}.
+
+{mapping, "auth_ldap.queries.tags", "rabbitmq_auth_backend_ldap.tag_queries",
+    [{datatype, string}]}.
+
+{translation, "rabbitmq_auth_backend_ldap.tag_queries",
+fun(Conf) ->
+    case cuttlefish:conf_get("auth_ldap.queries.tags", Conf, undefined) of
+        undefined ->
+            cuttlefish:unset();
+        Query ->
+            rabbit_auth_backend_ldap_util:parse_query(Query)
+    end
+end}.

deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap_util.erl

@@ -7,7 +7,7 @@
 
 -module(rabbit_auth_backend_ldap_util).
 
--export([fill/2, get_active_directory_args/1]).
+-export([fill/2, get_active_directory_args/1, parse_query/1]).
 
 fill(Fmt, []) ->
     binary_to_list(iolist_to_binary(Fmt));
@@ -32,3 +32,57 @@ get_active_directory_args(Username) when is_binary(Username) ->
     % If Username is in Domain\User format, provide additional fill
     % template arguments
     get_active_directory_args(binary:split(Username, <<"\\">>, [trim_all])).
+
+parse_query(Query) when is_binary(Query) ->
+    parse_query(rabbit_data_coercion:to_unicode_charlist(Query));
+parse_query(Query0) when is_list(Query0) ->
+    Query1 = fixup_query(Query0),
+    parse_query_handle_erl_scan(erl_scan:string(Query1)).
+
+fixup_query(Query0) ->
+    Query1 = string:trim(Query0, both),
+    fixup_query(lists:last(Query1) =:= $., Query1).
+
+fixup_query(true, Query) ->
+    Query;
+fixup_query(false, Query) ->
+    Query ++ ".".
+
+parse_query_handle_erl_scan({ok, Tokens, _EndLine}) ->
+    parse_query_handle_exprs(erl_parse:parse_exprs(Tokens));
+parse_query_handle_erl_scan(Error) ->
+    cuttlefish:invalid(fmt("invalid query: ~tp", [Error])).
+
+parse_query_handle_exprs({ok, AbsForm}) ->
+    parse_query_handle_eval(erl_eval:exprs(AbsForm, erl_eval:new_bindings()));
+parse_query_handle_exprs(Error) ->
+    cuttlefish:invalid(fmt("invalid query: ~tp", [Error])).
+
+parse_query_handle_eval({value, {constant, true}=T, _}) ->
+    T;
+parse_query_handle_eval({value, {constant, false}=T, _}) ->
+    T;
+parse_query_handle_eval({value, {in_group, _}=T, _}) ->
+    T;
+parse_query_handle_eval({value, {in_group_nested, _, _}=T, _}) ->
+    T;
+parse_query_handle_eval({value, {for, Q}=T, _}) when is_list(Q) ->
+    T;
+parse_query_handle_eval({value, {'not', _}=T, _}) ->
+    T;
+parse_query_handle_eval({value, {'and', Q}=T, _}) when is_list(Q) ->
+    T;
+parse_query_handle_eval({value, {'or', Q}=T, _}) when is_list(Q) ->
+    T;
+parse_query_handle_eval({value, {equals, _, _}=T, _}) ->
+    T;
+parse_query_handle_eval({value, {match, _, _}=T, _}) ->
+    T;
+parse_query_handle_eval({value, T, _}) when is_list(T) ->
+    %% NB: tag_queries uses this form
+    T;
+parse_query_handle_eval({value, Unexpected, _}) ->
+    cuttlefish:invalid(fmt("invalid query: ~tp", [Unexpected])).
+
+fmt(Fmt, Args) ->
+    rabbit_data_coercion:to_unicode_charlist(io_lib:format(Fmt, Args)).

deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets

@@ -1,3 +1,6 @@
+%% vim:ft=erlang:
+%% -*- mode: erlang; -*-
+
 [{ldap_servers,
   "auth_ldap.servers.1 = DC1.domain.com
    auth_ldap.servers.2 = DC1.eng.domain.com",
@@ -334,5 +337,94 @@
              {versions,['tlsv1.2','tlsv1.1']}
              ]},
         {use_ssl, true}]}],
-  []}
+  []},
+
+ {vhost_access_query,
+  "auth_ldap.queries.vhost_access = '''
+       {in_group,\"ou=${vhost}-users,ou=vhosts,dc=example,dc=com\"}
+   '''",
+  [
+    {rabbitmq_auth_backend_ldap, [
+       {vhost_access_query, {in_group,"ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}}
+    ]}
+  ],
+  [rabbitmq_auth_backend_ldap]},
+
+ {vhost_access_query_period_ending,
+  "auth_ldap.queries.vhost_access = '''
+       {in_group,\"ou=${vhost}-users,ou=vhosts,dc=example,dc=com\"}.
+   '''",
+  [
+    {rabbitmq_auth_backend_ldap, [
+       {vhost_access_query, {in_group,"ou=${vhost}-users,ou=vhosts,dc=example,dc=com"}}
+    ]}
+  ],
+  [rabbitmq_auth_backend_ldap]},
+
+ {resource_access_query,
+  "auth_ldap.queries.resource_access = '''
+       {for, [
+           {permission, configure, {in_group, \"cn=admin,dc=example,dc=com\"}},
+           {permission, write, {for, [
+               {resource, queue, {in_group, \"cn=admin,dc=example,dc=com\"}},
+               {resource, exchange, {constant, true}}
+           ]}},
+           {permission, read, {for, [
+               {resource, exchange, {in_group, \"cn=admin,dc=example,dc=com\"}},
+               {resource, queue,    {constant, true}}
+           ]}}
+       ]}
+   '''",
+  [
+    {rabbitmq_auth_backend_ldap, [
+       {resource_access_query,
+           {for, [
+               {permission, configure, {in_group, "cn=admin,dc=example,dc=com"}},
+               {permission, write, {for, [
+                   {resource, queue, {in_group, "cn=admin,dc=example,dc=com"}},
+                   {resource, exchange, {constant, true}}
+               ]}},
+               {permission, read, {for, [
+                   {resource, exchange, {in_group, "cn=admin,dc=example,dc=com"}},
+                   {resource, queue,    {constant, true}}
+               ]}}
+           ]}
+       }
+    ]}
+  ],
+  [rabbitmq_auth_backend_ldap]},
+
+ {topic_access_query,
+  "auth_ldap.queries.topic_access = '''
+       {for, [
+           {permission, write, {match, {string, \"${routing_key}\"}, {string, \"^a\"}}},
+           {permission, read,  {constant, true}}
+       ]}
+   '''",
+  [
+    {rabbitmq_auth_backend_ldap, [
+       {topic_access_query,
+           {for, [
+               {permission, write, {match, {string, "${routing_key}"}, {string, "^a"}}},
+               {permission, read,  {constant, true}}
+           ]}
+       }
+    ]}
+  ],
+  [rabbitmq_auth_backend_ldap]},
+
+ {tag_queries,
+  "auth_ldap.queries.tags = '''
+       [{administrator, {constant, false}},
+        {management,    {constant, true}}]
+   '''",
+  [
+    {rabbitmq_auth_backend_ldap, [
+       {tag_queries, [
+           {administrator, {constant, false}},
+           {management,    {constant, true}}
+       ]}
+    ]}
+  ],
+  [rabbitmq_auth_backend_ldap]}
 ].

rabbitmq-components.mk

@@ -43,7 +43,7 @@ dep_accept = hex 0.3.5
 dep_cowboy = hex 2.14.1
 dep_cowlib = hex 2.16.0
 dep_credentials_obfuscation = hex 3.5.0
-dep_cuttlefish = hex 3.5.0
+dep_cuttlefish = hex 3.6.0
 dep_gen_batch_server = hex 0.8.8
 dep_jose = hex 1.11.10
 dep_khepri = hex 0.17.2