diff --git a/deps/rabbitmq_auth_backend_internal_loopback/Makefile b/deps/rabbitmq_auth_backend_internal_loopback/Makefile
index 3867d32c4d..6f639b7de3 100644
--- a/deps/rabbitmq_auth_backend_internal_loopback/Makefile
+++ b/deps/rabbitmq_auth_backend_internal_loopback/Makefile
@@ -12,9 +12,8 @@ define PROJECT_APP_EXTRA_KEYS
 {broker_version_requirements, []}
 endef
-LOCAL_DEPS = ssl inets crypto public_key
-DEPS = rabbit_common rabbit amqp_client
-TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers cowboy
+DEPS = rabbit_common rabbit
+TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers
 DEP_EARLY_PLUGINS = rabbit_common/mk/rabbitmq-early-plugin.mk
 DEP_PLUGINS = rabbit_common/mk/rabbitmq-plugin.mk
diff --git a/deps/rabbitmq_auth_backend_internal_loopback/README.md b/deps/rabbitmq_auth_backend_internal_loopback/README.md
index 3cdadf988e..59fdda677c 100644
--- a/deps/rabbitmq_auth_backend_internal_loopback/README.md
+++ b/deps/rabbitmq_auth_backend_internal_loopback/README.md
@@ -5,7 +5,7 @@ for RabbitMQ for basic authentication for only (loopback) localhost connections.
 ## Installation
-As of 4.1.0, this plugin is distributed with RabbitMQ. Enable it with
+As of 4.1.1, this plugin is distributed with RabbitMQ. Enable it with
 rabbitmq-plugins enable rabbitmq_auth_backend_internal_loopback
diff --git a/deps/rabbitmq_auth_backend_internal_loopback/src/rabbit_auth_backend_internal_loopback.erl b/deps/rabbitmq_auth_backend_internal_loopback/src/rabbit_auth_backend_internal_loopback.erl
index 2040e9227d..96274a5cdf 100644
--- a/deps/rabbitmq_auth_backend_internal_loopback/src/rabbit_auth_backend_internal_loopback.erl
+++ b/deps/rabbitmq_auth_backend_internal_loopback/src/rabbit_auth_backend_internal_loopback.erl
@@ -46,11 +46,6 @@
 -export([hashing_module_for_user/1, expand_topic_permission/2]).
--ifdef(TEST).
--export([extract_user_permission_params/2,
- extract_topic_permission_params/2]).
--endif.
-
 -import(rabbit_data_coercion, [to_atom/1, to_list/1, to_binary/1]).
 %%----------------------------------------------------------------------------
diff --git a/deps/rabbitmq_auth_backend_internal_loopback/test/rabbit_auth_backend_internal_loopback_SUITE.erl b/deps/rabbitmq_auth_backend_internal_loopback/test/rabbit_auth_backend_internal_loopback_SUITE.erl
new file mode 100644
index 0000000000..6ebbd46f1c
--- /dev/null
+++ b/deps/rabbitmq_auth_backend_internal_loopback/test/rabbit_auth_backend_internal_loopback_SUITE.erl
@@ -0,0 +1,103 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2025 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+-module(rabbit_auth_backend_internal_loopback_SUITE).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("eunit/include/eunit.hrl").
+
+-compile(export_all).
+
+-define(NO_SOCKET_OR_ADDRESS_REJECTION_MESSAGE,
+ "user '~ts' attempted to log in, but no socket or address was provided "
+ "to the internal_loopback auth backend, so cannot verify if connection "
+ "is from localhost or not.").
+
+-define(NOT_LOOPBACK_REJECTION_MESSAGE,
+ "user '~ts' attempted to log in, but the socket or address was not from "
+ "loopback/localhost, which is prohibited by the internal loopback authN "
+ "backend.").
+
+-define(LOOPBACK_USER, #{username => <<"TestLoopbackUser">>,
+ password => <<"TestLoopbackUser">>,
+ expected_credentials => [username, password],
+ tags => [policymaker, monitoring]}).
+
+-define(NONLOOPBACK_USER, #{username => <<"TestNonLoopbackUser">>,
+ password => <<"TestNonLoopbackUser">>,
+ expected_credentials => [username, password],
+ tags => [policymaker, monitoring]}).
+-define(LOCALHOST_ADDR, {127,0,0,1}).
+-define(NONLOCALHOST_ADDR, {192,168,1,1}).
+
+all() ->
+ [
+ {group, localhost_connection},
+ {group, nonlocalhost_connection}
+ ].
+
+groups() ->
+ [
+ {localhost_connection, [], [
+ login_from_localhost_with_loopback_user,
+ login_from_localhost_with_nonloopback_user
+ ]},
+ {nonlocalhost_connection, [], [
+ login_from_nonlocalhost_with_loopback_user,
+ login_from_nonlocalhost_with_nonloopback_user
+ ]}
+ ].
+
+init_per_suite(Config) ->
+ rabbit_ct_helpers:log_environment(),
+ rabbit_ct_helpers:run_setup_steps(Config, rabbit_ct_broker_helpers:setup_steps() ++ [ fun setup_env/1 ]).
+
+setup_env(Config) ->
+ application:set_env(rabbit, auth_backends, [rabbit_auth_backend_internal_loopback]),
+ Config.
+
+end_per_suite(Config) ->
+ rabbit_ct_helpers:run_teardown_steps(Config, rabbit_ct_broker_helpers:teardown_steps()).
+
+init_per_group(localhost_connection, Config) ->
+ ok = rabbit_ct_broker_helpers:add_user(Config, maps:get(username, ?LOOPBACK_USER)),
+ ok = rabbit_ct_broker_helpers:add_user(Config, maps:get(username, ?NONLOOPBACK_USER)),
+ [{sockOrAddr, ?LOCALHOST_ADDR} | Config];
+init_per_group(nonlocalhost_connection, Config) ->
+ [{sockOrAddr, ?NONLOCALHOST_ADDR} | Config];
+init_per_group(_, Config) ->
+ Config.
+
+end_per_group(_, Config) ->
+ Config.
+
+% Test cases for localhost connections
+login_from_localhost_with_loopback_user(Config) ->
+ AuthProps = build_auth_props(maps:get(password, ?LOOPBACK_USER), ?LOCALHOST_ADDR),
+ {ok, _AuthUser} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+ [maps:get(username, ?LOOPBACK_USER), AuthProps]).
+
+login_from_localhost_with_nonloopback_user(Config) ->
+ AuthProps = build_auth_props(maps:get(password, ?NONLOOPBACK_USER), ?LOCALHOST_ADDR),
+ {ok, _AuthUser} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+ [maps:get(username, ?NONLOOPBACK_USER), AuthProps]).
+
+% Test cases for non-localhost connections
+login_from_nonlocalhost_with_loopback_user(Config) ->
+ AuthProps = build_auth_props(maps:get(password, ?LOOPBACK_USER), ?NONLOCALHOST_ADDR),
+ {refused, _FailMsg, _FailArgs} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+ [maps:get(username, ?LOOPBACK_USER), AuthProps]).
+
+login_from_nonlocalhost_with_nonloopback_user(Config) ->
+ AuthProps = build_auth_props(maps:get(password, ?NONLOOPBACK_USER), ?NONLOCALHOST_ADDR),
+ {refused, _FailMsg, _FailArgs} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+ [maps:get(username, ?NONLOOPBACK_USER), AuthProps]).
+
+rpc(Config, M, F, A) ->
+ rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).
+
+build_auth_props(Pass, Socket) ->
+ [{password, Pass}, {sockOrAddr, Socket}].