Optionally return authz refusal reason to client

ansd · ansd · commit 5e08d74b4745 · 2025-10-07T16:32:48.000+02:00
## What?

If the new config setting `authorization_failure_disclosure`
is set to `true`, (`false` by default), then some RabbitMQ authorization
backends (internal, HTTP, OAuth 2.0) will return the reason why access
was denied to the client. (In future, additional backends can be modified
to return a reason.)

 ## Why?

This helps debugging and troubleshooting directly in the client.
Some clients might not have access to the RabbitMQ logs, for other
clients it's cumbersome to correlate authz denial in the client with
logs on the broker.

For example, in dev environments, it may be useful for clients to learn
why vhost/resource/topic access was denied for a given OAuth 2.0 token.

Another example is that some customers would like to pass the reason why
authorization was denied from their custom HTTP auth backend via
RabbitMQ back to the client.

 ## How?

Authz backends can now return `{false, Reason}` as an alternative to
just `false` if access is denied.

For security reasons, the additional denial reason by the authz backend
will be returned to the client only if the operator opted in by setting
`authorization_failure_disclosure` to `true`.

Note that `authorization_failure_disclosure` applies only to
already authenticated clients when they try to access resources (e.g. vhosts,
exchanges, queues, topics). For security reasons, no detailed denial reason is
returned to the client if **authentication** fails.
diff --git a/deps/rabbit/Makefile b/deps/rabbit/Makefile
@@ -115,6 +115,7 @@ define PROJECT_ENV
 	    {tracking_execution_timeout, 15000},
 	    {stream_messages_soft_limit, 256},
       	{track_auth_attempt_source, false},
+      	{authorization_failure_disclosure, false},
 		{credentials_obfuscation_fallback_secret, <<"nocookie">>},
       	{dead_letter_worker_consumer_prefetch, 32},
       	{dead_letter_worker_publisher_confirm_timeout, 180000},
diff --git a/deps/rabbit/src/rabbit_access_control.erl b/deps/rabbit/src/rabbit_access_control.erl
@@ -361,6 +361,15 @@ check_access(Fun, Module, ErrStr, ErrArgs, ErrName) ->
             ok;
         false ->
             rabbit_misc:protocol_error(ErrName, ErrStr, ErrArgs);
+        {false, Reason} ->
+            case application:get_env(rabbit, authorization_failure_disclosure) of
+                {ok, true} ->
+                    FullErrStr = ErrStr ++ " by backend ~ts: ~ts",
+                    FullErrArgs = ErrArgs ++ [Module, Reason],
+                    rabbit_misc:protocol_error(ErrName, FullErrStr, FullErrArgs);
+                _ ->
+                    rabbit_misc:protocol_error(ErrName, ErrStr, ErrArgs)
+            end;
         {error, E}  ->
             FullErrStr = ErrStr ++ ", backend ~ts returned an error: ~tp",
             FullErrArgs = ErrArgs ++ [Module, E],
diff --git a/deps/rabbit/src/rabbit_auth_backend_internal.erl b/deps/rabbit/src/rabbit_auth_backend_internal.erl
@@ -143,16 +143,21 @@ check_resource_access(#auth_user{username = Username},
                       _AuthContext) ->
     case rabbit_db_user:get_user_permissions(Username, VHostPath) of
         undefined ->
-            false;
+            {false, rabbit_misc:format("user '~ts' has no permissions for vhost '~ts'",
+                                       [Username, VHostPath])};
         #user_permission{permission = P} ->
             PermRegexp = case element(permission_index(Permission), P) of
                              %% <<"^$">> breaks Emacs' erlang mode
                              <<"">> -> <<$^, $$>>;
                              RE     -> RE
                          end,
             case re:run(Name, PermRegexp, [{capture, none}]) of
-                match    -> true;
-                nomatch  -> false
+                match ->
+                    true;
+                nomatch ->
+                    {false, rabbit_misc:format(
+                              "'~ts' does not match the permission regex '~ts'",
+                              [Name, PermRegexp])}
             end
     end.
 
@@ -170,12 +175,17 @@ check_topic_access(#auth_user{username = Username},
                              RE     -> RE
                          end,
             PermRegexpExpanded = expand_topic_permission(
-                PermRegexp,
-                maps:get(variable_map, Context, undefined)
-            ),
-            case re:run(maps:get(routing_key, Context), PermRegexpExpanded, [{capture, none}]) of
-                match    -> true;
-                nomatch  -> false
+                                   PermRegexp,
+                                   maps:get(variable_map, Context, undefined)
+                                  ),
+            Topic = maps:get(routing_key, Context),
+            case re:run(Topic, PermRegexpExpanded, [{capture, none}]) of
+                match ->
+                    true;
+                nomatch ->
+                    {false, rabbit_misc:format(
+                              "topic '~ts' does not match the regex '~ts'",
+                              [Topic, PermRegexpExpanded])}
             end
     end.
 
diff --git a/deps/rabbit/src/rabbit_authz_backend.erl b/deps/rabbit/src/rabbit_authz_backend.erl
@@ -32,25 +32,27 @@
 %% Possible responses:
 %% true
 %% false
+%% {false, Reason}
 %% {error, Error}
 %%     Something went wrong. Log and die.
 -callback check_vhost_access(AuthUser :: rabbit_types:auth_user(),
                              VHost :: rabbit_types:vhost(),
                              AuthzData :: rabbit_types:authz_data()) ->
-    boolean() | {'error', any()}.
+    boolean() | {false, Reason :: string()} | {'error', any()}.
 
 %% Given #auth_user, resource and permission, can a user access a resource?
 %%
 %% Possible responses:
 %% true
 %% false
+%% {false, Reason}
 %% {error, Error}
 %%     Something went wrong. Log and die.
 -callback check_resource_access(rabbit_types:auth_user(),
                                 rabbit_types:r(atom()),
                                 rabbit_types:permission_atom(),
                                 rabbit_types:authz_context()) ->
-    boolean() | {'error', any()}.
+    boolean() | {false, Reason :: string()} | {'error', any()}.
 
 %% Given #auth_user, topic as resource, permission, and context, can a user access the topic?
 %%
@@ -63,7 +65,7 @@
     rabbit_types:r(atom()),
     rabbit_types:permission_atom(),
     rabbit_types:topic_access_context()) ->
-    boolean() | {'error', any()}.
+    boolean() | {false, Reason :: string()} | {'error', any()}.
 
 %% Updates backend state that has expired.
 %%
diff --git a/deps/rabbit/test/topic_permission_SUITE.erl b/deps/rabbit/test/topic_permission_SUITE.erl
@@ -36,8 +36,10 @@ init_per_suite(Config) ->
     Config1 = rabbit_ct_helpers:set_config(
                 Config,
                 [{rmq_nodename_suffix, ?MODULE}]),
+    Config2 = rabbit_ct_helpers:merge_app_env(
+                Config1, {rabbit, [{authorization_failure_disclosure, true}]}),
     rabbit_ct_helpers:run_setup_steps(
-      Config1,
+      Config2,
       rabbit_ct_broker_helpers:setup_steps() ++
       rabbit_ct_client_helpers:setup_steps()).
 
@@ -109,10 +111,12 @@ amqp_x_cc_annotation(Config) ->
               condition = ?V_1_0_AMQP_ERROR_UNAUTHORIZED_ACCESS,
               description = {utf8, Description1}}}}} ->
             ?assertEqual(
-               <<"write access to topic 'x.1' in exchange 'amq.topic' in vhost '/' refused for user 'guest'">>,
+               <<"write access to topic 'x.1' in exchange 'amq.topic' in vhost '/' "
+                 "refused for user 'guest' by backend rabbit_auth_backend_internal: "
+                 "topic 'x.1' does not match the regex '^a'">>,
                Description1)
     after 30_000 -> amqp_utils:flush(missing_ended),
-                  ct:fail({missing_event, ?LINE})
+                    ct:fail({missing_event, ?LINE})
     end,
 
     {ok, Session3} = amqp10_client:begin_session_sync(Connection),
@@ -132,10 +136,12 @@ amqp_x_cc_annotation(Config) ->
               condition = ?V_1_0_AMQP_ERROR_UNAUTHORIZED_ACCESS,
               description = {utf8, Description2}}}}} ->
             ?assertEqual(
-               <<"write access to topic 'x.2' in exchange 'amq.topic' in vhost '/' refused for user 'guest'">>,
+               <<"write access to topic 'x.2' in exchange 'amq.topic' in vhost '/' "
+                 "refused for user 'guest' by backend rabbit_auth_backend_internal: "
+                 "topic 'x.2' does not match the regex '^a'">>,
                Description2)
     after 30_000 -> amqp_utils:flush(missing_ended),
-                  ct:fail({missing_event, ?LINE})
+                    ct:fail({missing_event, ?LINE})
     end,
 
     {ok, #{message_count := 0}} = rabbitmq_amqp_client:delete_queue(LinkPair, QName1),
@@ -190,8 +196,9 @@ amqpl_headers(Header, Config) ->
                 props = #'P_basic'{headers = [{Header, array, [{longstr, <<"a.2">>}]}]}}),
     ok = assert_channel_down(
            Ch1,
-           <<"ACCESS_REFUSED - write access to topic 'x.1' in exchange "
-             "'amq.topic' in vhost '/' refused for user 'guest'">>),
+           <<"ACCESS_REFUSED - write access to topic 'x.1' in exchange 'amq.topic' "
+             "in vhost '/' refused for user 'guest' by backend rabbit_auth_backend_internal: "
+             "topic 'x.1' does not match the regex '^a'">>),
 
     Ch2 = rabbit_ct_client_helpers:open_channel(Config),
     monitor(process, Ch2),
@@ -203,8 +210,9 @@ amqpl_headers(Header, Config) ->
                 props = #'P_basic'{headers = [{Header, array, [{longstr, <<"x.2">>}]}]}}),
     ok = assert_channel_down(
            Ch2,
-           <<"ACCESS_REFUSED - write access to topic 'x.2' in exchange "
-             "'amq.topic' in vhost '/' refused for user 'guest'">>),
+           <<"ACCESS_REFUSED - write access to topic 'x.2' in exchange 'amq.topic' "
+             "in vhost '/' refused for user 'guest' by backend rabbit_auth_backend_internal: "
+             "topic 'x.2' does not match the regex '^a'">>),
 
     Ch3 = rabbit_ct_client_helpers:open_channel(Config),
     ?assertEqual(#'queue.delete_ok'{message_count = 1},
@@ -337,12 +345,14 @@ topic_permission_checks1(_Config) ->
         Context
     ) || Perm <- Permissions],
     %% user has access to exchange, routing key does not match
-    [false = rabbit_auth_backend_internal:check_topic_access(
-        User,
-        Topic,
-        Perm,
-        #{routing_key => <<"x.y.z">>}
-    ) || Perm <- Permissions],
+    [?assertEqual(
+        {false, "topic 'x.y.z' does not match the regex '^a'"},
+        rabbit_auth_backend_internal:check_topic_access(
+          User,
+          Topic,
+          Perm,
+          #{routing_key => <<"x.y.z">>}
+         )) || Perm <- Permissions],
     %% user has access to exchange but not on this vhost
     %% let pass when there's no match
     [true = rabbit_auth_backend_internal:check_topic_access(
@@ -379,17 +389,20 @@ topic_permission_checks1(_Config) ->
         }
     ) || Perm <- Permissions],
     %% routing key KO
-    [false = rabbit_auth_backend_internal:check_topic_access(
-        User,
-        Topic#resource{virtual_host = <<"other-vhost">>},
-        Perm,
-        #{routing_key   => <<"services.default.accounts.dummy.notifications">>,
-          variable_map  => #{
-              <<"username">> => <<"guest">>,
-              <<"vhost">>    => <<"other-vhost">>
-          }
-        }
-    ) || Perm <- Permissions],
+    [?assertEqual(
+        {false, "topic 'services.default.accounts.dummy.notifications' does not "
+         "match the regex 'services.other-vhost.accounts.guest.notifications'"},
+        rabbit_auth_backend_internal:check_topic_access(
+          User,
+          Topic#resource{virtual_host = <<"other-vhost">>},
+          Perm,
+          #{routing_key   => <<"services.default.accounts.dummy.notifications">>,
+            variable_map  => #{
+                               <<"username">> => <<"guest">>,
+                               <<"vhost">>    => <<"other-vhost">>
+                              }
+           }
+         )) || Perm <- Permissions],
 
     ok.
 
@@ -407,11 +420,10 @@ clear_topic_permissions(Config) ->
            Config, 0, rabbit_auth_backend_internal, clear_topic_permissions,
            [<<"guest">>, <<"/">>, <<"acting-user">>]).
 
-assert_channel_down(Ch, Reason) ->
+assert_channel_down(Ch, ExpectedReason) ->
     receive {'DOWN', _MonitorRef, process, Ch,
-             {shutdown,
-              {server_initiated_close, 403, Reason}}} ->
-                ok
+             {shutdown, {server_initiated_close, 403, ActualReason}}} ->
+                ?assertEqual(ExpectedReason, ActualReason)
     after 30_000 ->
-              ct:fail({did_not_receive, Reason})
+              ct:fail({missing_down, ExpectedReason})
     end.
diff --git a/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl b/deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
@@ -120,34 +120,34 @@ check_vhost_access(#auth_user{username = Username, tags = Tags}, VHost,
 
 do_check_vhost_access(Username, Tags, VHost, Ip, AuthzData) ->
     OptionsParameters = context_as_parameters(AuthzData),
-    bool_req(vhost_path, [{username, Username},
-                          {vhost,    VHost},
-                          {ip,       Ip},
-                          {tags,     join_tags(Tags)}] ++ OptionsParameters).
+    req(vhost_path, [{username, Username},
+                     {vhost,    VHost},
+                     {ip,       Ip},
+                     {tags,     join_tags(Tags)}] ++ OptionsParameters).
 
 check_resource_access(#auth_user{username = Username, tags = Tags},
                       #resource{virtual_host = VHost, kind = Type, name = Name},
                       Permission,
                       AuthzContext) ->
     OptionsParameters = context_as_parameters(AuthzContext),
-    bool_req(resource_path, [{username,   Username},
-                             {vhost,      VHost},
-                             {resource,   Type},
-                             {name,       Name},
-                             {permission, Permission},
-                             {tags, join_tags(Tags)}] ++ OptionsParameters).
+    req(resource_path, [{username,   Username},
+                        {vhost,      VHost},
+                        {resource,   Type},
+                        {name,       Name},
+                        {permission, Permission},
+                        {tags, join_tags(Tags)}] ++ OptionsParameters).
 
 check_topic_access(#auth_user{username = Username, tags = Tags},
                    #resource{virtual_host = VHost, kind = topic = Type, name = Name},
                    Permission,
                    Context) ->
     OptionsParameters = context_as_parameters(Context),
-    bool_req(topic_path, [{username,   Username},
-        {vhost,      VHost},
-        {resource,   Type},
-        {name,       Name},
-        {permission, Permission},
-        {tags, join_tags(Tags)}] ++ OptionsParameters).
+    req(topic_path, [{username,   Username},
+                     {vhost,      VHost},
+                     {resource,   Type},
+                     {name,       Name},
+                     {permission, Permission},
+                     {tags, join_tags(Tags)}] ++ OptionsParameters).
 
 expiry_timestamp(_) -> never.
 
@@ -163,7 +163,7 @@ context_as_parameters(Options) when is_map(Options) ->
 context_as_parameters(_) ->
     [].
 
-bool_req(PathName, Props) ->
+req(PathName, Props) ->
     Path = p(PathName),
     Query = q(Props),
     case http_req(Path, Query) of
@@ -172,7 +172,7 @@ bool_req(PathName, Props) ->
         "deny " ++ Reason ->
             ?LOG_INFO("HTTP authorisation denied for path ~ts with query ~ts: ~ts",
                       [Path, Query, Reason]),
-            false;
+            {false, Reason};
         Body ->
             case string:lowercase(Body) of
                 "deny" ->
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_scope.erl b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_scope.erl
@@ -24,37 +24,56 @@
 -spec vhost_access(binary(), [binary()]) -> boolean().
 vhost_access(VHost, Scopes) ->
     PermissionScopes = get_scope_permissions(Scopes),
-    lists:any(
-        fun({VHostPattern, _, _, _}) ->
-            wildcard:match(VHost, VHostPattern)
-        end,
-        PermissionScopes).
+    case lists:any(
+           fun({VHostPattern, _, _, _}) ->
+                   wildcard:match(VHost, VHostPattern)
+           end,
+           PermissionScopes) of
+        true ->
+            true;
+        false ->
+            {false, rabbit_misc:format("no scope in ~tp matches vhost '~ts'",
+                                       [Scopes, VHost])}
+    end.
 
 -spec resource_access(rabbit_types:r(atom()), permission(), [binary()]) -> boolean().
-resource_access(#resource{virtual_host = VHost, name = Name},
+resource_access(#resource{virtual_host = VHost, name = Name} = Resource,
                 Permission, Scopes) ->
-    lists:any(
-        fun({VHostPattern, NamePattern, _, ScopeGrantedPermission}) ->
-            wildcard:match(VHost, VHostPattern) andalso
-            wildcard:match(Name, NamePattern) andalso
-            Permission =:= ScopeGrantedPermission
-        end,
-        get_scope_permissions(Scopes)).
+    case lists:any(
+           fun({VHostPattern, NamePattern, _, ScopeGrantedPermission}) ->
+                   wildcard:match(VHost, VHostPattern) andalso
+                   wildcard:match(Name, NamePattern) andalso
+                   Permission =:= ScopeGrantedPermission
+           end,
+           get_scope_permissions(Scopes)) of
+        true ->
+            true;
+        false ->
+            {false, rabbit_misc:format("no scope in ~tp has '~s' permission for ~ts",
+                                       [Scopes, Permission, rabbit_misc:rs(Resource)])}
+    end.
 
 -spec topic_access(rabbit_types:r(atom()), permission(), map(), [binary()]) -> boolean().
-topic_access(#resource{virtual_host = VHost, name = ExchangeName},
+topic_access(#resource{virtual_host = VHost, name = ExchangeName} = Resource,
              Permission,
              #{routing_key := RoutingKey},
              Scopes) ->
-    lists:any(
-        fun({VHostPattern, ExchangeNamePattern, RoutingKeyPattern, ScopeGrantedPermission}) ->
-            is_binary(RoutingKeyPattern) andalso
-            wildcard:match(VHost, VHostPattern) andalso
-            wildcard:match(ExchangeName, ExchangeNamePattern) andalso
-            wildcard:match(RoutingKey, RoutingKeyPattern) andalso
-            Permission =:= ScopeGrantedPermission
-        end,
-        get_scope_permissions(Scopes)).
+    case lists:any(
+           fun({VHostPattern, ExchangeNamePattern, RoutingKeyPattern, ScopeGrantedPermission}) ->
+                   is_binary(RoutingKeyPattern) andalso
+                   wildcard:match(VHost, VHostPattern) andalso
+                   wildcard:match(ExchangeName, ExchangeNamePattern) andalso
+                   wildcard:match(RoutingKey, RoutingKeyPattern) andalso
+                   Permission =:= ScopeGrantedPermission
+           end,
+           get_scope_permissions(Scopes)) of
+        true ->
+            true;
+        false ->
+            {false, rabbit_misc:format(
+                      "no scope in ~tp has '~s' permission for exchange ~ts and topic '~ts'",
+                      [Scopes, Permission, rabbit_misc:rs(Resource), RoutingKey])}
+    end.
 
 %% Internal -------------------------------------------------------------------
 
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/scope_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/scope_SUITE.erl
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl b/deps/rabbitmq_auth_backend_oauth2/test/unit_SUITE.erl
diff --git a/deps/rabbitmq_mqtt/src/rabbit_mqtt_processor.erl b/deps/rabbitmq_mqtt/src/rabbit_mqtt_processor.erl
