Debitrot: tags not admin flag, simpler vhost permissions.

rabbitmq · Dec 1, 2011 · f5e8a40 · f5e8a40
1 parent cf2492e
commit f5e8a40
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -68,9 +68,6 @@ as follows:
 
 * `username`   - the name of the user
 * `vhost`      - the name of the virtual host being accessed
-* `permission` - the access level to the vhost:
-  * `read` (meaning learn it exists)
-  * `write` (meaning log in and use it)
 
 Note that you cannot create arbitrary virtual hosts using this plugin; you can only determine whether your users can see / access the ones that exist.
 
@@ -80,14 +77,14 @@ Note that you cannot create arbitrary virtual hosts using this plugin; you can o
 * `vhost`      - the name of the virtual host containing the resource
 * `resource`   - the type of resource (`exchange`, `queue`)
 * `name`       - the name of the resource
-* `permission` - the access level to the resource (`configure`, `write`, `read`) - see [the admin guide](http://www.rabbitmq.com/admin-guide.html#access-control) for their meaning
+* `permission` - the access level to the resource (`configure`, `write`, `read`) - see [the admin guide](http://www.rabbitmq.com/access-control.html) for their meaning
 
 Your web server should always return HTTP 200 OK, with a body
-containing a single word:
+containing:
 
 * `deny`  - deny access to the user / vhost / resource
 * `allow` - allow access to the user / vhost / resource
-* `admin` - (for `user_path` only) - allow access, and mark the user as an administrator
+* `allow [list of tags]` - (for `user_path` only) - allow access, and mark the user as an having the tags listed
 
 # Debugging
 

diff --git a/examples/rabbitmq_auth_backend_django/auth/views.py b/examples/rabbitmq_auth_backend_django/auth/views.py
@@ -8,9 +8,9 @@ def user(request):
         user = authenticate(username=username, password=password)
         if user:
             if user.is_superuser:
-                return HttpResponse("admin")
+                return HttpResponse("allow administrator")
             else:
-                return HttpResponse("allow")
+                return HttpResponse("allow management")
     return HttpResponse("deny")
 
 def vhost(request):

diff --git a/src/rabbit_auth_backend_http.erl b/src/rabbit_auth_backend_http.erl
@@ -21,7 +21,7 @@
 -include_lib("rabbit_common/include/rabbit_auth_backend_spec.hrl").
 
 -export([description/0, q/2]).
--export([check_user_login/2, check_vhost_access/3, check_resource_access/3]).
+-export([check_user_login/2, check_vhost_access/2, check_resource_access/3]).
 
 %% httpc seems to get racy when using HTTP 1.1
 -define(HTTPC_OPTS, [{version, "HTTP/1.0"}]).
@@ -35,20 +35,21 @@ description() ->
 %%--------------------------------------------------------------------
 
 check_user_login(Username, AuthProps) ->
-    case http_get(q(user_path, [{username, Username}|AuthProps]),
-                  ["deny", "allow", "admin"]) of
-        {error, _} = E -> E;
-        deny           -> {refused, "Denied by HTTP plugin", []};
-        Resp           -> {ok, #user{username     = Username,
-                                     is_admin     = Resp =:= admin,
-                                     auth_backend = ?MODULE,
-                                     impl         = none}}
+    case http_get(q(user_path, [{username, Username}|AuthProps])) of
+        {error, _} = E  -> E;
+        deny            -> {refused, "Denied by HTTP plugin", []};
+        "allow" ++ Rest -> Tags = [list_to_atom(T) ||
+                                      T <- string:tokens(Rest, " ")],
+                           {ok, #user{username     = Username,
+                                      tags         = Tags,
+                                      auth_backend = ?MODULE,
+                                      impl         = none}};
+        Other           -> {error, {bad_response, Other}}
     end.
 
-check_vhost_access(#user{username = Username}, VHost, Permission) ->
-    bool_req(vhost_path, [{username,   Username},
-                          {vhost,      VHost},
-                          {permission, Permission}]).
+check_vhost_access(#user{username = Username}, VHost) ->
+    bool_req(vhost_path, [{username, Username},
+                          {vhost,    VHost}]).
 
 check_resource_access(#user{username = Username},
                       #resource{virtual_host = VHost, kind = Type, name = Name},
@@ -63,19 +64,16 @@ check_resource_access(#user{username = Username},
 
 bool_req(PathName, Props) ->
     case http_get(q(PathName, Props)) of
-        deny  -> false;
-        allow -> true;
-        E     -> E
+        "deny"  -> false;
+        "allow" -> true;
+        E       -> E
     end.
 
 http_get(Path) ->
-    http_get(Path, ["allow", "deny"]).
-
-http_get(Path, Allowed) ->
     case httpc:request(get, {Path, []}, ?HTTPC_OPTS, []) of
         {ok, {{_HTTP, Code, _}, _Headers, Body}} ->
             case Code of
-                200 -> case parse_resp(Body, Allowed) of
+                200 -> case parse_resp(Body) of
                            {error, _} = E -> E;
                            Resp           -> Resp
                        end;
@@ -86,7 +84,7 @@ http_get(Path, Allowed) ->
     end.
 
 q(PathName, Args) ->
-    {ok, Path} = application:get_env(rabbit_auth_backend_http, PathName),
+    {ok, Path} = application:get_env(rabbitmq_auth_backend_http, PathName),
     R = Path ++ "?" ++ string:join([escape(K, V) || {K, V} <- Args], "&"),
     %%io:format("Q: ~p~n", [R]),
     R.
@@ -101,11 +99,6 @@ escape(V) when is_atom(V) ->
 escape(V) when is_list(V) ->
     edoc_lib:escape_uri(V).
 
-parse_resp(Resp, Allowed) ->
-    Resp1 = string:to_lower(string:strip(Resp)),
-    case lists:member(Resp1, Allowed) of
-        true  -> list_to_atom(Resp1);
-        false -> {error, {response, Resp}}
-    end.
+parse_resp(Resp) -> string:to_lower(string:strip(Resp)).
 
 %%--------------------------------------------------------------------