or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

authentication-security.mdchannel-operations.mdconnection-adapters.mdconnection-management.mdexception-handling.mdindex.mdmessage-properties-types.md

authentication-security.mddocs/

0
# Authentication & Security
1


2
Authentication credential management supporting username/password and external authentication methods with SSL/TLS connection security for secure RabbitMQ connections.
3


4
## Capabilities
5


6
### Plain Credentials
7


8
Username and password authentication for RabbitMQ connections.
9


10
```python { .api }
11
class PlainCredentials:
12
    """Username/password authentication credentials."""
13
    
14
    TYPE = 'PLAIN'
15
    
16
    def __init__(self, username, password, erase_on_connect=False):
17
        """
18
        Create plain credentials.
19
        
20
        Parameters:
21
        - username (str): Authentication username
22
        - password (str): Authentication password
23
        - erase_on_connect (bool): If True, erase credentials after connection
24
        """
25
    
26
    def response_for(self, start):
27
        """
28
        Generate authentication response for connection start.
29
        
30
        Parameters:
31
        - start: Connection.Start method from server
32
        
33
        Returns:
34
        - tuple: (mechanism, response) or (None, None) if unsupported
35
        """
36
    
37
    def erase_credentials(self):
38
        """Clear stored credentials from memory."""
39
    
40
    @property
41
    def username(self) -> str:
42
        """Authentication username."""
43
    
44
    @property
45
    def password(self) -> str:
46
        """Authentication password."""
47
    
48
    @property
49
    def erase_on_connect(self) -> bool:
50
        """True if credentials should be erased after connection."""
51
```
52


53
### External Credentials
54


55
External authentication using SSL client certificates.
56


57
```python { .api }
58
class ExternalCredentials:
59
    """External authentication credentials (SSL certificates)."""
60
    
61
    TYPE = 'EXTERNAL'
62
    
63
    def __init__(self):
64
        """Create external credentials."""
65
    
66
    def response_for(self, start):
67
        """
68
        Generate authentication response for connection start.
69
        
70
        Parameters:
71
        - start: Connection.Start method from server
72
        
73
        Returns:
74
        - tuple: (mechanism, response) or (None, None) if unsupported
75
        """
76
    
77
    def erase_credentials(self):
78
        """Clear stored credentials (no-op for external auth)."""
79
    
80
    @property
81
    def erase_on_connect(self) -> bool:
82
        """Always False for external credentials."""
83
```
84


85
### SSL/TLS Configuration
86


87
SSL options for secure connections to RabbitMQ.
88


89
```python { .api }
90
class SSLOptions:
91
    """SSL/TLS connection configuration."""
92
    
93
    def __init__(self, context=None, server_hostname=None):
94
        """
95
        Create SSL options.
96
        
97
        Parameters:
98
        - context (ssl.SSLContext): SSL context for connection
99
        - server_hostname (str): Server hostname for SSL verification
100
        """
101
    
102
    @property
103
    def context(self):
104
        """SSL context for the connection."""
105
    
106
    @property
107
    def server_hostname(self) -> str:
108
        """Server hostname for SSL verification."""
109
```
110


111
### Credential Types
112


113
Valid credential types supported by pika.
114


115
```python { .api }
116
VALID_TYPES = [PlainCredentials, ExternalCredentials]
117
```
118


119
## Usage Examples
120


121
### Basic Authentication
122


123
```python
124
import pika
125


126
# Create credentials
127
credentials = pika.PlainCredentials('myuser', 'mypassword')
128


129
# Use in connection parameters
130
parameters = pika.ConnectionParameters(
131
    host='rabbitmq.example.com',
132
    credentials=credentials
133
)
134


135
connection = pika.BlockingConnection(parameters)
136
```
137


138
### Secure Credentials with Erasure
139


140
```python
141
import pika
142


143
# Credentials that are erased after connection
144
credentials = pika.PlainCredentials(
145
    'myuser', 
146
    'mypassword', 
147
    erase_on_connect=True
148
)
149


150
parameters = pika.ConnectionParameters(
151
    host='rabbitmq.example.com',
152
    credentials=credentials
153
)
154


155
connection = pika.BlockingConnection(parameters)
156
# Credentials are now erased from memory
157
```
158


159
### SSL Connection with Client Certificate
160


161
```python
162
import pika
163
import ssl
164


165
# Create SSL context
166
context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
167
context.check_hostname = False
168
context.verify_mode = ssl.CERT_REQUIRED
169


170
# Load client certificate and key
171
context.load_cert_chain('/path/to/client.crt', '/path/to/client.key')
172


173
# Load CA certificate
174
context.load_verify_locations('/path/to/ca.crt')
175


176
# Create SSL options
177
ssl_options = pika.SSLOptions(context, 'rabbitmq.example.com')
178


179
# Use external credentials for certificate-based auth
180
from pika.credentials import ExternalCredentials
181
credentials = ExternalCredentials()
182


183
parameters = pika.ConnectionParameters(
184
    host='rabbitmq.example.com',
185
    port=5671,  # SSL port
186
    credentials=credentials,
187
    ssl_options=ssl_options
188
)
189


190
connection = pika.BlockingConnection(parameters)
191
```
192


193
### SSL Connection with Password Auth
194


195
```python
196
import pika
197
import ssl
198


199
# Create SSL context
200
context = ssl.create_default_context()
201


202
# Create SSL options
203
ssl_options = pika.SSLOptions(context, 'rabbitmq.example.com')
204


205
# Use regular credentials over SSL
206
credentials = pika.PlainCredentials('myuser', 'mypassword')
207


208
parameters = pika.ConnectionParameters(
209
    host='rabbitmq.example.com',
210
    port=5671,  # SSL port
211
    credentials=credentials,
212
    ssl_options=ssl_options
213
)
214


215
connection = pika.BlockingConnection(parameters)
216
```
217


218
### URL with Authentication
219


220
```python
221
import pika
222


223
# Username and password in URL
224
url = 'amqp://myuser:mypassword@rabbitmq.example.com:5672/%2F'
225
connection = pika.BlockingConnection(pika.URLParameters(url))
226


227
# SSL URL with authentication
228
ssl_url = 'amqps://myuser:mypassword@rabbitmq.example.com:5671/%2F'
229
connection = pika.BlockingConnection(pika.URLParameters(ssl_url))
230
```
231


232
### Custom SSL Context
233


234
```python
235
import pika
236
import ssl
237


238
# Create custom SSL context
239
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
240
context.minimum_version = ssl.TLSVersion.TLSv1_2
241
context.set_ciphers('ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!DSS')
242


243
# Disable hostname checking for self-signed certificates
244
context.check_hostname = False
245
context.verify_mode = ssl.CERT_NONE
246


247
ssl_options = pika.SSLOptions(context)
248


249
parameters = pika.ConnectionParameters(
250
    host='localhost',
251
    port=5671,
252
    ssl_options=ssl_options,
253
    credentials=pika.PlainCredentials('guest', 'guest')
254
)
255


256
connection = pika.BlockingConnection(parameters)
257
```
258


259
### Environment-Based Credentials
260


261
```python
262
import pika
263
import os
264


265
# Get credentials from environment
266
username = os.getenv('RABBITMQ_USER', 'guest')
267
password = os.getenv('RABBITMQ_PASS', 'guest')
268
host = os.getenv('RABBITMQ_HOST', 'localhost')
269


270
credentials = pika.PlainCredentials(username, password)
271
parameters = pika.ConnectionParameters(host=host, credentials=credentials)
272


273
connection = pika.BlockingConnection(parameters)
274
```