Add test suite for rabbitmq_auth_backend_internal_loopback

deps/rabbitmq_auth_backend_internal_loopback/Makefile

@@ -12,9 +12,8 @@ define PROJECT_APP_EXTRA_KEYS
 	{broker_version_requirements, []}
 endef
 
-LOCAL_DEPS = ssl inets crypto public_key
-DEPS = rabbit_common rabbit amqp_client
-TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers cowboy
+DEPS = rabbit_common rabbit
+TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers
 
 DEP_EARLY_PLUGINS = rabbit_common/mk/rabbitmq-early-plugin.mk
 DEP_PLUGINS = rabbit_common/mk/rabbitmq-plugin.mk

deps/rabbitmq_auth_backend_internal_loopback/README.md

@@ -5,7 +5,7 @@ for RabbitMQ for basic authentication for only (loopback) localhost connections.
 
 ## Installation
 
-As of 4.1.0, this plugin is distributed with RabbitMQ. Enable it with
+As of 4.1.1, this plugin is distributed with RabbitMQ. Enable it with
 
     rabbitmq-plugins enable rabbitmq_auth_backend_internal_loopback
 

deps/rabbitmq_auth_backend_internal_loopback/src/rabbit_auth_backend_internal_loopback.erl

@@ -46,11 +46,6 @@
 
 -export([hashing_module_for_user/1, expand_topic_permission/2]).
 
--ifdef(TEST).
--export([extract_user_permission_params/2,
-         extract_topic_permission_params/2]).
--endif.
-
 -import(rabbit_data_coercion, [to_atom/1, to_list/1, to_binary/1]).
 
 %%----------------------------------------------------------------------------

deps/rabbitmq_auth_backend_internal_loopback/test/rabbit_auth_backend_internal_loopback_SUITE.erl

@@ -0,0 +1,103 @@
+%% This Source Code Form is subject to the terms of the Mozilla Public
+%% License, v. 2.0. If a copy of the MPL was not distributed with this
+%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
+%%
+%% Copyright (c) 2007-2025 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. All rights reserved.
+%%
+-module(rabbit_auth_backend_internal_loopback_SUITE).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("eunit/include/eunit.hrl").
+
+-compile(export_all).
+
+-define(NO_SOCKET_OR_ADDRESS_REJECTION_MESSAGE,
+        "user '~ts' attempted to log in, but no socket or address was provided "
+        "to the internal_loopback auth backend, so cannot verify if connection "
+        "is from localhost or not.").
+
+-define(NOT_LOOPBACK_REJECTION_MESSAGE,
+        "user '~ts' attempted to log in, but the socket or address was not from "
+        "loopback/localhost, which is prohibited by the internal loopback authN "
+        "backend.").
+
+-define(LOOPBACK_USER, #{username => <<"TestLoopbackUser">>,
+                        password => <<"TestLoopbackUser">>,
+                        expected_credentials => [username, password],
+                        tags => [policymaker, monitoring]}).
+
+-define(NONLOOPBACK_USER, #{username => <<"TestNonLoopbackUser">>,
+                        password => <<"TestNonLoopbackUser">>,
+                        expected_credentials => [username, password],
+                        tags => [policymaker, monitoring]}).
+-define(LOCALHOST_ADDR, {127,0,0,1}).
+-define(NONLOCALHOST_ADDR, {192,168,1,1}).
+
+all() ->
+    [
+        {group, localhost_connection},
+        {group, nonlocalhost_connection}
+    ].
+
+groups() ->
+    [
+        {localhost_connection, [], [
+            login_from_localhost_with_loopback_user,
+            login_from_localhost_with_nonloopback_user
+        ]},
+        {nonlocalhost_connection, [], [
+            login_from_nonlocalhost_with_loopback_user,
+            login_from_nonlocalhost_with_nonloopback_user
+        ]}
+    ].
+
+init_per_suite(Config) ->
+    rabbit_ct_helpers:log_environment(),
+    rabbit_ct_helpers:run_setup_steps(Config, rabbit_ct_broker_helpers:setup_steps() ++ [ fun setup_env/1 ]).
+
+setup_env(Config) ->
+    application:set_env(rabbit, auth_backends, [rabbit_auth_backend_internal_loopback]),
+    Config.
+
+end_per_suite(Config) ->
+    rabbit_ct_helpers:run_teardown_steps(Config, rabbit_ct_broker_helpers:teardown_steps()).
+
+init_per_group(localhost_connection, Config) ->
+    ok = rabbit_ct_broker_helpers:add_user(Config, maps:get(username, ?LOOPBACK_USER)),
+    ok = rabbit_ct_broker_helpers:add_user(Config, maps:get(username, ?NONLOOPBACK_USER)),
+    [{sockOrAddr, ?LOCALHOST_ADDR} | Config];
+init_per_group(nonlocalhost_connection, Config) ->
+    [{sockOrAddr, ?NONLOCALHOST_ADDR} | Config];
+init_per_group(_, Config) ->
+    Config.
+
+end_per_group(_, Config) ->
+    Config.
+
+% Test cases for localhost connections
+login_from_localhost_with_loopback_user(Config) ->
+    AuthProps = build_auth_props(maps:get(password, ?LOOPBACK_USER), ?LOCALHOST_ADDR),
+    {ok, _AuthUser} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+        [maps:get(username, ?LOOPBACK_USER), AuthProps]).
+
+login_from_localhost_with_nonloopback_user(Config) ->
+    AuthProps = build_auth_props(maps:get(password, ?NONLOOPBACK_USER), ?LOCALHOST_ADDR),
+    {ok, _AuthUser} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+        [maps:get(username, ?NONLOOPBACK_USER), AuthProps]).
+
+% Test cases for non-localhost connections
+login_from_nonlocalhost_with_loopback_user(Config) ->
+    AuthProps = build_auth_props(maps:get(password, ?LOOPBACK_USER), ?NONLOCALHOST_ADDR),
+    {refused, _FailMsg, _FailArgs} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+        [maps:get(username, ?LOOPBACK_USER), AuthProps]).
+
+login_from_nonlocalhost_with_nonloopback_user(Config) ->
+    AuthProps = build_auth_props(maps:get(password, ?NONLOOPBACK_USER), ?NONLOCALHOST_ADDR),
+    {refused, _FailMsg, _FailArgs} = rpc(Config, rabbit_auth_backend_internal_loopback, user_login_authentication,
+        [maps:get(username, ?NONLOOPBACK_USER), AuthProps]).
+
+rpc(Config, M, F, A) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0, M, F, A).
+
+build_auth_props(Pass, Socket) ->
+    [{password, Pass}, {sockOrAddr, Socket}].