Merge pull request #838 from rabbitmq/auth-attempt-metrics

michaelklishin · web-flow · commit 6162328593f0 · 2020-10-14T23:57:13.000+03:00
Query and rest auth attempt metrics
diff --git a/deps/rabbitmq_management/priv/www/api/index.html b/deps/rabbitmq_management/priv/www/api/index.html
@@ -1057,6 +1057,26 @@ <h2>Reference</h2>
           Provides status for all federation links. Requires the <code>rabbitmq_federation_management</code> plugin to be enabled.
         </td>
       </tr>
+      <tr>
+        <td>X</td>
+        <td></td>
+        <td>X</td>
+        <td></td>
+        <td class="path">/api/auth/attempts/<i>node</i></td>
+        <td>
+          A list of authentication attempts.
+        </td>
+      </tr>
+      <tr>
+        <td>X</td>
+        <td></td>
+        <td>X</td>
+        <td></td>
+        <td class="path">/api/auth/attempts/<i>node</i>/source</td>
+        <td>
+          A list of authentication attempts by remote address and username.
+        </td>
+      </tr>
     </table>
 
 
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_dispatcher.erl b/deps/rabbitmq_management/src/rabbit_mgmt_dispatcher.erl
@@ -179,5 +179,7 @@ dispatcher() ->
      {"/reset/:node",                                          rabbit_mgmt_wm_reset, []},
      {"/rebalance/queues",                                     rabbit_mgmt_wm_rebalance_queues, [{queues, all}]},
      {"/auth",                                                 rabbit_mgmt_wm_auth, []},
+     {"/auth/attempts/:node",                                  rabbit_mgmt_wm_auth_attempts, [all]},
+     {"/auth/attempts/:node/source",                           rabbit_mgmt_wm_auth_attempts, [by_source]},
      {"/login",                                                rabbit_mgmt_wm_login, []}
     ].
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_util.erl b/deps/rabbitmq_management/src/rabbit_mgmt_util.erl
@@ -248,26 +248,36 @@ is_authorized(ReqData, Context, Username, Password, ErrorMsg, Fun) ->
         VHost when is_binary(VHost) -> [{vhost, VHost}];
         _                           -> []
     end,
+    {IP, _} = cowboy_req:peer(ReqData),
+    RemoteAddress = list_to_binary(inet:ntoa(IP)),
     case rabbit_access_control:check_user_login(Username, AuthProps) of
         {ok, User = #user{tags = Tags}} ->
-            {IP, _} = cowboy_req:peer(ReqData),
             case rabbit_access_control:check_user_loopback(Username, IP) of
                 ok ->
                     case is_mgmt_user(Tags) of
                         true ->
                             case Fun(User) of
-                                true  -> {true, ReqData,
-                                          Context#context{user     = User,
-                                                          password = Password}};
-                                false -> ErrFun(ErrorMsg)
+                                true  ->
+                                    rabbit_core_metrics:auth_attempt_succeeded(RemoteAddress,
+                                                                               Username, http),
+                                    {true, ReqData,
+                                     Context#context{user     = User,
+                                                     password = Password}};
+                                false ->
+                                    rabbit_core_metrics:auth_attempt_failed(RemoteAddress,
+                                                                            Username, http),
+                                    ErrFun(ErrorMsg)
                             end;
                         false ->
+                            rabbit_core_metrics:auth_attempt_failed(RemoteAddress, Username, http),
                             ErrFun(<<"Not management user">>)
                     end;
                 not_allowed ->
+                    rabbit_core_metrics:auth_attempt_failed(RemoteAddress, Username, http),
                     ErrFun(<<"User can only log in via localhost">>)
             end;
         {refused, _Username, Msg, Args} ->
+            rabbit_core_metrics:auth_attempt_failed(RemoteAddress, Username, http),
             rabbit_log:warning("HTTP access denied: ~s",
                                [rabbit_misc:format(Msg, Args)]),
             not_authorised(<<"Login failed">>, ReqData, Context)
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth_attempts.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth_attempts.erl
@@ -0,0 +1,79 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2020 VMware, Inc. or its affiliates.  All rights reserved.
+%%
+
+-module(rabbit_mgmt_wm_auth_attempts).
+
+-export([init/2, to_json/2, content_types_provided/2, allowed_methods/2, is_authorized/2,
+         delete_resource/2, resource_exists/2]).
+-export([variances/2]).
+
+-import(rabbit_misc, [pget/2]).
+
+-include_lib("rabbitmq_management_agent/include/rabbit_mgmt_records.hrl").
+-include_lib("rabbit_common/include/rabbit.hrl").
+
+%%--------------------------------------------------------------------
+init(Req, [Mode]) ->
+    {cowboy_rest, rabbit_mgmt_headers:set_common_permission_headers(Req, ?MODULE),
+     {Mode, #context{}}}.
+
+variances(Req, Context) ->
+    {[<<"accept-encoding">>, <<"origin">>], Req, Context}.
+
+content_types_provided(ReqData, Context) ->
+   {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
+
+allowed_methods(ReqData, Context) ->
+    {[<<"HEAD">>, <<"GET">>, <<"DELETE">>, <<"OPTIONS">>], ReqData, Context}.
+
+resource_exists(ReqData, Context) ->
+    {node_exists(ReqData, get_node(ReqData)), ReqData, Context}.
+
+to_json(ReqData, {Mode, Context}) ->
+    rabbit_mgmt_util:reply(augment(Mode, ReqData), ReqData, Context).
+
+is_authorized(ReqData, {Mode, Context}) ->
+    {Res, Req2, Context2} = rabbit_mgmt_util:is_authorized_monitor(ReqData, Context),
+    {Res, Req2, {Mode, Context2}}.
+
+delete_resource(ReqData, Context) ->
+    Node = get_node(ReqData),
+    case node_exists(ReqData, Node) of
+        false ->
+            {false, ReqData, Context};
+        true ->
+            case rpc:call(Node, rabbit_core_metrics, reset_auth_attempt_metrics, [], infinity) of
+                {badrpc, _} -> {false, ReqData, Context};
+                ok          -> {true, ReqData, Context}
+            end
+    end.
+%%--------------------------------------------------------------------
+get_node(ReqData) ->
+    list_to_atom(binary_to_list(rabbit_mgmt_util:id(node, ReqData))).
+
+node_exists(ReqData, Node) ->
+    case [N || N <- rabbit_mgmt_wm_nodes:all_nodes(ReqData),
+               proplists:get_value(name, N) == Node] of
+        [] -> false;
+        [_] -> true
+    end.
+
+augment(Mode, ReqData) ->
+    Node = get_node(ReqData),
+    case node_exists(ReqData, Node) of
+        false ->
+            not_found;
+        true ->
+            Fun = case Mode of
+                      all -> get_auth_attempts;
+                      by_source -> get_auth_attempts_by_source
+                  end,
+            case rpc:call(Node, rabbit_core_metrics, Fun, [], infinity) of
+                {badrpc, _} -> not_available;
+                Result      -> Result
+            end
+    end.
diff --git a/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl b/deps/rabbitmq_management/test/rabbit_mgmt_http_SUITE.erl
@@ -148,7 +148,8 @@ all_tests() -> [
     oauth_test,
     disable_basic_auth_test,
     login_test,
-    csp_headers_test
+    csp_headers_test,
+    auth_attempts_test
 ].
 
 %% -------------------------------------------------------------------
@@ -3386,6 +3387,62 @@ disable_basic_auth_test(Config) ->
     %% Defaults to 'false' when config is invalid
     http_get(Config, "/overview", ?OK).
 
+auth_attempts_test(Config) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0, rabbit_core_metrics, reset_auth_attempt_metrics, []),
+    {Conn, _Ch} = open_connection_and_channel(Config),
+    close_connection(Conn),
+    [NodeData] = http_get(Config, "/nodes"),
+    Node = binary_to_atom(maps:get(name, NodeData), utf8),
+    Map = http_get(Config, "/auth/attempts/" ++ atom_to_list(Node), ?OK),
+    Http = get_auth_attempts(<<"http">>, Map),
+    Amqp091 = get_auth_attempts(<<"amqp091">>, Map),
+    ?assertEqual(false, maps:is_key(remote_address, Amqp091)),
+    ?assertEqual(false, maps:is_key(username, Amqp091)),
+    ?assertEqual(1, maps:get(auth_attempts, Amqp091)),
+    ?assertEqual(1, maps:get(auth_attempts_succeeded, Amqp091)),
+    ?assertEqual(0, maps:get(auth_attempts_failed, Amqp091)),
+    ?assertEqual(false, maps:is_key(remote_address, Http)),
+    ?assertEqual(false, maps:is_key(username, Http)),
+    ?assertEqual(2, maps:get(auth_attempts, Http)),
+    ?assertEqual(2, maps:get(auth_attempts_succeeded, Http)),
+    ?assertEqual(0, maps:get(auth_attempts_failed, Http)),
+
+    rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
+                                 [rabbit, track_auth_attempt_source, true]),
+    {Conn2, _Ch2} = open_connection_and_channel(Config),
+    close_connection(Conn2),
+    Map2 = http_get(Config, "/auth/attempts/" ++ atom_to_list(Node) ++ "/source", ?OK),
+    Map3 = http_get(Config, "/auth/attempts/" ++ atom_to_list(Node), ?OK),
+    Http2 = get_auth_attempts(<<"http">>, Map2),
+    Http3 = get_auth_attempts(<<"http">>, Map3),
+    Amqp091_2 = get_auth_attempts(<<"amqp091">>, Map2),
+    Amqp091_3 = get_auth_attempts(<<"amqp091">>, Map3),
+    ?assertEqual(<<"127.0.0.1">>, maps:get(remote_address, Http2)),
+    ?assertEqual(<<"guest">>, maps:get(username, Http2)),
+    ?assertEqual(1, maps:get(auth_attempts, Http2)),
+    ?assertEqual(1, maps:get(auth_attempts_succeeded, Http2)),
+    ?assertEqual(0, maps:get(auth_attempts_failed, Http2)),
+
+    ?assertEqual(false, maps:is_key(remote_address, Http3)),
+    ?assertEqual(false, maps:is_key(username, Http3)),
+    ?assertEqual(4, maps:get(auth_attempts, Http3)),
+    ?assertEqual(4, maps:get(auth_attempts_succeeded, Http3)),
+    ?assertEqual(0, maps:get(auth_attempts_failed, Http3)),
+
+    ?assertEqual(true, <<>> =/= maps:get(remote_address, Amqp091_2)),
+    ?assertEqual(<<"guest">>, maps:get(username, Amqp091_2)),
+    ?assertEqual(1, maps:get(auth_attempts, Amqp091_2)),
+    ?assertEqual(1, maps:get(auth_attempts_succeeded, Amqp091_2)),
+    ?assertEqual(0, maps:get(auth_attempts_failed, Amqp091_2)),
+
+    ?assertEqual(false, maps:is_key(remote_address, Amqp091_3)),
+    ?assertEqual(false, maps:is_key(username, Amqp091_3)),
+    ?assertEqual(2, maps:get(auth_attempts, Amqp091_3)),
+    ?assertEqual(2, maps:get(auth_attempts_succeeded, Amqp091_3)),
+    ?assertEqual(0, maps:get(auth_attempts_failed, Amqp091_3)),
+
+    passed.
+
 %% -------------------------------------------------------------------
 %% Helpers.
 %% -------------------------------------------------------------------
@@ -3477,3 +3534,9 @@ format_multipart_filedata(Boundary, Files) ->
     EndingParts = [lists:concat(["--", Boundary, "--"]), ""],
     Parts = lists:append([FileParts2, EndingParts]),
     string:join(Parts, "\r\n").
+
+get_auth_attempts(Protocol, Map) ->
+    [A] = lists:filter(fun(#{protocol := P}) ->
+                               P == Protocol
+                       end, Map),
+    A.
