Add new option require_auth_for_api_desc_page to mgmt

This allows restricting access to the /api/index.html and
the /cli/index.html page to authenticated users should the
user really want to. This can be enabled via advanced.config.

(cherry picked from commit 400e800)

Author: lhoguin

deps/rabbitmq_management/Makefile

@@ -14,7 +14,8 @@ define PROJECT_ENV
 	    {cors_max_age, 1800},
 	    {content_security_policy, "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'"},
 	    {max_http_body_size, 10000000},
-	    {delegate_count, 5}
+	    {delegate_count, 5},
+	    {require_auth_for_api_desc_page, false}
 	  ]
 endef
 

deps/rabbitmq_management/src/rabbit_mgmt_wm_static.erl

@@ -11,9 +11,11 @@
 -module(rabbit_mgmt_wm_static).
 
 -include_lib("kernel/include/file.hrl").
+-include_lib("rabbitmq_web_dispatch/include/rabbitmq_web_dispatch_records.hrl").
 
 -export([init/2]).
 -export([malformed_request/2]).
+-export([is_authorized/2]).
 -export([forbidden/2]).
 -export([content_types_provided/2]).
 -export([resource_exists/2]).
@@ -46,6 +48,21 @@ do_init(Req, App, Path) ->
 malformed_request(Req, State) ->
     cowboy_static:malformed_request(Req, State).
 
+is_authorized(Req0=#{path := Path}, State)
+        when Path =:= <<"/api/index.html">>; Path =:= <<"/cli/index.html">> ->
+    case application:get_env(rabbitmq_management, require_auth_for_api_desc_page) of
+        {ok, true} ->
+            %% We temporarily use #context{} here to make authorization work,
+            %% and discard it immediately after since we only want to check
+            %% whether the user authenticates successfully.
+            {Res, Req, _} = rabbit_mgmt_util:is_authorized(Req0, #context{}),
+            {Res, Req, State};
+        _ ->
+            {true, Req0, State}
+    end;
+is_authorized(Req, State) ->
+    {true, Req, State}.
+
 forbidden(Req, State) ->
     cowboy_static:forbidden(Req, State).