Merge pull request #12002 from rabbitmq/mk-ldap-password-tagging

michaelklishin · web-flow · commit 1cbe373697ed · 2024-08-14T12:34:05.000-04:00
LDAP: optional sensitive value tagging
diff --git a/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema b/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema
@@ -120,7 +120,7 @@ end}.
     [{datatype, [string]}]}.
 
 {mapping, "auth_ldap.dn_lookup_bind.password", "rabbitmq_auth_backend_ldap.dn_lookup_bind",
-    [{datatype, [string]}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 %%  - as_user (to bind as the authenticated user - requires a password)
 %%  - anon    (to bind anonymously)
@@ -161,7 +161,7 @@ end}.
     [{datatype, string}]}.
 
 {mapping, "auth_ldap.other_bind.password", "rabbitmq_auth_backend_ldap.other_bind",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {translation, "rabbitmq_auth_backend_ldap.other_bind",
 fun(Conf) ->
diff --git a/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl b/deps/rabbitmq_auth_backend_ldap/src/rabbit_auth_backend_ldap.erl
@@ -85,6 +85,7 @@ user_login_authentication(Username, _AuthProps) ->
 %% Credentials (i.e. password) maybe directly in the password attribute in AuthProps
 %% or as a Function with the attribute rabbit_auth_backend_ldap if the user was already authenticated with http backend
 %% or as a Function with the attribute rabbit_auth_backend_cache if the user was already authenticated via cache backend
+-spec extractPassword(list()) -> rabbit_types:option(binary()).
 extractPassword(AuthProps) ->
     case proplists:get_value(password, AuthProps, none) of
         none ->
diff --git a/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets b/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets
@@ -119,7 +119,7 @@
  {db_lookup_bind,
   "auth_ldap.dn_lookup_bind.user_dn = username
    auth_ldap.dn_lookup_bind.password = password",
-  [{rabbitmq_auth_backend_ldap,[{dn_lookup_bind,{"username","password"}}]}],
+  [{rabbitmq_auth_backend_ldap,[{dn_lookup_bind,{"username",<<"password">>}}]}],
   [rabbitmq_auth_backend_ldap]},
 
  {db_lookup_bind_anon,
@@ -147,7 +147,7 @@
  {other_bind_pass,
   "auth_ldap.other_bind.user_dn = username
    auth_ldap.other_bind.password = password",
-  [{rabbitmq_auth_backend_ldap,[{other_bind,{"username","password"}}]}],
+  [{rabbitmq_auth_backend_ldap,[{other_bind,{"username",<<"password">>}}]}],
   [rabbitmq_auth_backend_ldap]},
 
  {ssl_options,
