Support logging HTTP auth denial reason

 ## What?
Support logging (at INFO level) the reason provided by the HTTP auth backend why
authentication or autorisation was denied.

 ## Why?
* Security and compliance often require detailed logs of why access was denied
* Operational debugging: Operators see immediately in RabbitMQ logs why
  authentication/authorization failed without checking the HTTP backend logs

 ## How?
The HTTP body returned by the HTTP auth server is allowed to be `deny <Reason>`
where `<Reason>` is any text that will be logged by RabbitMQ at INFO level.

Author: ansd

deps/rabbitmq_auth_backend_http/README.md

@@ -123,11 +123,11 @@ Your web server should always return HTTP 200 OK, with a body
 containing:
 
 * `deny`: deny access to the user / vhost / resource
+* `deny <Reason>`: deny access to the user / vhost / resource. RabbitMQ will log the `<Reason>` at INFO level.
 * `allow`: allow access to the user / vhost / resource
 * `allow [list of tags]` (for `user_path` only): allow access, and mark the user as an having the tags listed
 
 ## Using TLS/HTTPS
-
 If your Web server uses HTTPS and certificate verification, you need to
 configure the plugin to use a CA and client certificate/key pair using the `rabbitmq_auth_backend_http.ssl_options` config variable:
 

deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl

@@ -34,16 +34,27 @@ description() ->
 %%--------------------------------------------------------------------
 
 user_login_authentication(Username, AuthProps) ->
-    case http_req(p(user_path), q([{username, Username}] ++ extract_other_credentials(AuthProps))) of
-        {error, _} = E  -> E;
-        "deny"          -> {refused, "Denied by the backing HTTP service", []};
-        "allow" ++ Rest -> Tags = [rabbit_data_coercion:to_atom(T) ||
-                                   T <- string:tokens(Rest, " ")],
-
-                           {ok, #auth_user{username = Username,
-                                           tags     = Tags,
-                                           impl     = fun() -> proplists:delete(username, AuthProps) end}};
-        Other           -> {error, {bad_response, Other}}
+    Path = p(user_path),
+    Query = q([{username, Username}] ++ extract_other_credentials(AuthProps)),
+    case http_req(Path, Query) of
+        {error, _} = Err  ->
+            Err;
+        "deny " ++ Reason ->
+            ?LOG_INFO("HTTP authentication denied for user '~ts': ~ts",
+                      [Username, Reason]),
+            {refused, "Denied by the backing HTTP service", []};
+        Body ->
+            case string:lowercase(Body) of
+                "deny" ->
+                    {refused, "Denied by the backing HTTP service", []};
+                "allow" ++ Rest ->
+                    Tags = [rabbit_data_coercion:to_atom(T)
+                            || T <- string:tokens(Rest, " ")],
+                    {ok, #auth_user{
+                            username = Username,
+                            tags = Tags,
+                            impl = fun() -> proplists:delete(username, AuthProps) end}}
+            end
     end.
 
 %% When a protocol plugin uses an internal AMQP 0-9-1 client to interact with RabbitMQ core,
@@ -153,13 +164,26 @@ context_as_parameters(_) ->
     [].
 
 bool_req(PathName, Props) ->
-    case http_req(p(PathName), q(Props)) of
-        "deny"  -> false;
-        "allow" -> true;
-        E       -> E
+    Path = p(PathName),
+    Query = q(Props),
+    case http_req(Path, Query) of
+        {error, _} = Err ->
+            Err;
+        "deny " ++ Reason ->
+            ?LOG_INFO("HTTP authorisation denied for path ~ts with query ~ts: ~ts",
+                      [Path, Query, Reason]),
+            false;
+        Body ->
+            case string:lowercase(Body) of
+                "deny" ->
+                    false;
+                "allow" ->
+                    true
+            end
     end.
 
-http_req(Path, Query) -> http_req(Path, Query, ?RETRY_ON_KEEPALIVE_CLOSED).
+http_req(Path, Query) ->
+    http_req(Path, Query, ?RETRY_ON_KEEPALIVE_CLOSED).
 
 http_req(Path, Query, Retry) ->
     case do_http_req(Path, Query) of
@@ -204,8 +228,10 @@ do_http_req(Path0, Query) ->
         {ok, {{_HTTP, Code, _}, _Headers, Body}} ->
             ?LOG_DEBUG("auth_backend_http: response code is ~tp, body: ~tp", [Code, Body]),
             case lists:member(Code, ?SUCCESSFUL_RESPONSE_CODES) of
-                true  -> parse_resp(Body);
-                false -> {error, {Code, Body}}
+                true ->
+                    string:strip(Body);
+                false ->
+                    {error, {Code, Body}}
             end;
         {error, _} = E ->
             E
@@ -240,8 +266,6 @@ escape(K, Map) when is_map(Map) ->
 escape(K, V) ->
     rabbit_data_coercion:to_list(K) ++ "=" ++ rabbit_http_util:quote_plus(V).
 
-parse_resp(Resp) -> string:to_lower(string:strip(Resp)).
-
 join_tags([])   -> "";
 join_tags(Tags) ->
   Strings = [rabbit_data_coercion:to_list(T) || T <- Tags],

deps/rabbitmq_auth_backend_http/test/auth_http_mock.erl

@@ -28,5 +28,5 @@ authenticate(QsVals, Users) ->
         {_OtherPassword, _, _} ->
             <<"deny">>;
         undefined ->
-            <<"deny">>
+            <<"deny unknown_user">>
    end.