Initial commit

auth_backend/Dockerfile

@@ -0,0 +1,10 @@
+FROM python:3.11-slim
+
+WORKDIR /app
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY server.py .
+
+EXPOSE 8080
+CMD ["uvicorn", "server:app", "--host", "0.0.0.0", "--port", "8080"]

auth_backend/requirements.txt

@@ -0,0 +1,3 @@
+fastapi
+uvicorn
+python-multipart

auth_backend/server.py

@@ -0,0 +1,46 @@
+from fastapi import FastAPI, Request, Form
+from fastapi.responses import PlainTextResponse
+
+app = FastAPI()
+
+USERS = {
+    "admin": {"password": "secret", "tags": ["administrator", "management"]},
+    "user1": {"password": "password123", "tags": ["management"]},
+}
+
+@app.post("/rabbit/auth/user")
+async def auth_user(username: str = Form(...), password: str = Form(...)):
+    user = USERS.get(username)
+    if user and user["password"] == password:
+        return PlainTextResponse("allow " + ", ".join(user["tags"]))
+    return PlainTextResponse("deny", status_code=403)
+
+@app.post("/rabbit/auth/vhost")
+async def auth_vhost(username: str = Form(...), vhost: str = Form(...), ip: str = Form(...)):
+    if username in USERS:
+        return PlainTextResponse("allow")
+    return PlainTextResponse("deny", status_code=403)
+
+@app.post("/rabbit/auth/resource")
+async def auth_resource(username: str = Form(...), vhost: str = Form(...), resource: str = Form(...), name: str = Form(...), permission: str = Form(...)):
+    if username == "admin":
+        return PlainTextResponse("allow")
+
+    if username == "user1" and resource == "queue" and name.startswith("public_"):
+        if permission in ["read", "configure"]:
+            return PlainTextResponse("allow")
+
+    return PlainTextResponse("deny", status_code=403)
+
+@app.post("/rabbit/auth/topic")
+async def auth_topic(username: str = Form(...), 
+                     vhost: str = Form(...), 
+                     resource: str = Form(...), 
+                     name: str = Form(...), 
+                     permission: str = Form(...),
+                     topic_path: str = Form(...),
+                     ):
+
+    if username == "admin" or (username == "user1" and routing_key.startswith("logs.")):
+        return PlainTextResponse("allow")
+    return PlainTextResponse("deny", status_code=403)

config/enabled_plugins

@@ -0,0 +1,5 @@
+[
+  rabbitmq_management,
+  rabbitmq_management_agent,
+  rabbitmq_auth_backend_http
+].

config/rabbitmq.conf

@@ -0,0 +1,15 @@
+# this is a comment
+listeners.tcp.default = 5672
+
+auth_backends.1 = http
+auth_backends.2 = internal
+
+auth_http.http_method   = post
+auth_http.user_path     = http://rabbit-auth-server:8080/rabbit/auth/user
+auth_http.vhost_path    = http://rabbit-auth-server:8080/rabbit/auth/vhost
+auth_http.resource_path = http://rabbit-auth-server:8080/rabbit/auth/resource
+auth_http.topic_path    = http://rabbit-auth-server:8080/rabbit/auth/topic
+
+# Optional: timeout settings (milliseconds)
+auth_http.request_timeout = 5000
+auth_http.connection_timeout = 3000

docker-compose.yml

@@ -0,0 +1,27 @@
+services:
+  rabbitmq:
+    image: rabbitmq:3-management
+    container_name: rabbitmq
+    restart: unless-stopped
+    env_file: "rabbitmq.env"
+    depends_on:
+      - rabbit-auth-server
+    volumes:
+      - lib:/var/lib/rabbitmq
+      - ./config/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf
+      - ./config/enabled_plugins:/etc/rabbitmq/enabled_plugins
+    ports:
+      - 15672:15672
+      - 5672:5672/tcp
+
+  rabbit-auth-server:
+    build: ./auth_backend
+    container_name: rabbit-auth-server
+
+volumes:
+  lib:
+    driver: local
+    driver_opts:
+      type: "none"
+      o: "bind"
+      device: "./data"