Abstract authenticator (#921)

* introduce auth_chain, abstract authenticator and the basic authenticator --------- Co-authored-by: Anders Bälter <[email protected]> Co-authored-by: Jon Börjesson <[email protected]>
cloudamqp · Feb 10, 2025 · 2a21b8c · 2a21b8c
1 parent 5537a67
commit 2a21b8c
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 1 deletion.
diff --git a/.ameba.yml b/.ameba.yml
@@ -24,6 +24,7 @@ Lint/NotNil:
   - src/lavinmq/shovel/shovel.cr
   - src/lavinmq/launcher.cr
   - src/lavinmq/vhost.cr
+  - src/lavinmq/auth/authenticators/basic.cr
   - src/lavinmqperf.cr
   - spec/api/http_api_spec.cr
   - spec/api/exchanges_spec.cr

diff --git a/spec/auth_spec.cr b/spec/auth_spec.cr
@@ -0,0 +1,29 @@
+require "./spec_helper"
+require "../src/lavinmq/auth/chain"
+require "../src/lavinmq/auth/authenticators/basic"
+
+describe LavinMQ::Auth::Chain do
+  it "Creates a default authentication chain if not configured" do
+    with_amqp_server do |s|
+      chain = LavinMQ::Auth::Chain.create(s.@config, s.@users)
+      chain.@backends.should be_a Array(LavinMQ::Auth::Authenticator)
+      chain.@backends.size.should eq 1
+    end
+  end
+
+  it "Successfully authenticates and returns a basic user" do
+    with_amqp_server do |s|
+      chain = LavinMQ::Auth::Chain.create(s.@config, s.@users)
+      user = chain.authenticate("guest", "guest")
+      user.should_not be_nil
+    end
+  end
+
+  it "Does not authenticate when given invalid credentials" do
+    with_amqp_server do |s|
+      chain = LavinMQ::Auth::Chain.create(s.@config, s.@users)
+      user = chain.authenticate("guest", "invalid")
+      user.should be_nil
+    end
+  end
+end
diff --git a/src/lavinmq/amqp/connection_factory.cr b/src/lavinmq/amqp/connection_factory.cr
@@ -2,13 +2,15 @@ require "../version"
 require "../logger"
 require "./client"
 require "../client/connection_factory"
+require "../auth/chain"
 
 module LavinMQ
   module AMQP
     class ConnectionFactory < LavinMQ::ConnectionFactory
       Log = LavinMQ::Log.for "amqp.connection_factory"
 
       def initialize(@users : UserStore, @vhosts : VHostStore)
+        @auth_chain = LavinMQ::Auth::Chain.create(Config.instance, @users)
       end
 
       def start(socket, connection_info) : Client?
@@ -106,7 +108,7 @@ module LavinMQ
       def authenticate(socket, remote_address, start_ok, log)
         username, password = credentials(start_ok)
         user = @users[username]?
-        return user if user && user.password && user.password.not_nil!.verify(password) &&
+        return user if user && @auth_chain.authenticate(username, password) &&
                        guest_only_loopback?(remote_address, user)
 
         if user.nil?

diff --git a/src/lavinmq/auth/authenticator.cr b/src/lavinmq/auth/authenticator.cr
@@ -0,0 +1,9 @@
+module LavinMQ
+  module Auth
+    abstract class Authenticator
+      Log = LavinMQ::Log.for "auth.handler"
+
+      abstract def authenticate(username : String, password : String) : User?
+    end
+  end
+end
diff --git a/src/lavinmq/auth/authenticators/basic.cr b/src/lavinmq/auth/authenticators/basic.cr
@@ -0,0 +1,18 @@
+require "../authenticator"
+require "../../server"
+
+module LavinMQ
+  module Auth
+    class BasicAuthenticator < Authenticator
+      def initialize(@users : UserStore)
+      end
+
+      def authenticate(username : String, password : String) : User?
+        user = @users[username]
+        return user if user && user.password && user.password.not_nil!.verify(password)
+      rescue ex : Exception
+        Log.error { "Basic authentication failed: #{ex.message}" }
+      end
+    end
+  end
+end
diff --git a/src/lavinmq/auth/chain.cr b/src/lavinmq/auth/chain.cr
@@ -0,0 +1,38 @@
+require "./authenticator"
+require "./authenticators/basic"
+
+module LavinMQ
+  module Auth
+    class Chain < Authenticator
+      @backends : Array(Authenticator)
+
+      def initialize(backends : Array(Authenticator))
+        @backends = backends
+      end
+
+      def self.create(config : Config, users : UserStore) : Chain
+        backends = config.auth_backends
+        authenticators = Array(Authenticator).new
+        if backends.nil? || backends.empty?
+          authenticators << BasicAuthenticator.new(users)
+        else
+          backends.each do |backend|
+            case backend
+            when "basic"
+              authenticators << BasicAuthenticator.new(users)
+            else
+              raise "Unsupported authentication backend: #{backend}"
+            end
+          end
+        end
+        self.new(authenticators)
+      end
+
+      def authenticate(username : String, password : String) : User?
+        @backends.find_value do |backend|
+          backend.authenticate(username, password)
+        end
+      end
+    end
+  end
+end
diff --git a/src/lavinmq/config.cr b/src/lavinmq/config.cr
@@ -62,6 +62,7 @@ module LavinMQ
     property default_consumer_prefetch = UInt16::MAX
     property yield_each_received_bytes = 131_072    # max number of bytes to read from a client connection without letting other tasks in the server do any work
     property yield_each_delivered_bytes = 1_048_576 # max number of bytes sent to a client without tending to other tasks in the server
+    property auth_backends : Array(String) = ["basic"]
     @@instance : Config = self.new
 
     def self.instance : LavinMQ::Config