Merge pull request #12018 from rabbitmq/mergify/bp/v4.0.x/pr-11999

Add SASL mechanism ANONYMOUS (backport #11999)

Author: michaelklishin

deps/amqp10_client/src/amqp10_client.erl

@@ -429,8 +429,8 @@ parse_result(Map) ->
                    throw(plain_sasl_missing_userinfo);
                _ ->
                    case UserInfo of
-                       [] -> none;
-                       undefined -> none;
+                       [] -> anon;
+                       undefined -> anon;
                        U -> parse_usertoken(U)
                    end
            end,
@@ -456,11 +456,6 @@ parse_result(Map) ->
             Ret0#{tls_opts => {secure_port, TlsOpts}}
     end.
 
-
-parse_usertoken(undefined) ->
-    none;
-parse_usertoken("") ->
-    none;
 parse_usertoken(U) ->
     [User, Pass] = string:tokens(U, ":"),
     {plain,
@@ -532,7 +527,7 @@ parse_uri_test_() ->
     [?_assertEqual({ok, #{address => "my_host",
                           port => 9876,
                           hostname => <<"my_host">>,
-                          sasl => none}}, parse_uri("amqp://my_host:9876")),
+                          sasl => anon}}, parse_uri("amqp://my_host:9876")),
      %% port defaults
      ?_assertMatch({ok, #{port := 5671}}, parse_uri("amqps://my_host")),
      ?_assertMatch({ok, #{port := 5672}}, parse_uri("amqp://my_host")),

deps/amqp10_client/test/system_SUITE.erl

@@ -103,8 +103,7 @@ stop_amqp10_client_app(Config) ->
 %% -------------------------------------------------------------------
 
 init_per_group(rabbitmq, Config0) ->
-    Config = rabbit_ct_helpers:set_config(Config0,
-                                          {sasl, {plain, <<"guest">>, <<"guest">>}}),
+    Config = rabbit_ct_helpers:set_config(Config0, {sasl, anon}),
     Config1 = rabbit_ct_helpers:merge_app_env(Config,
                                               [{rabbit,
                                                 [{max_message_size, 134217728}]}]),
@@ -115,7 +114,7 @@ init_per_group(rabbitmq_strict, Config0) ->
                                           {sasl, {plain, <<"guest">>, <<"guest">>}}),
     Config1 = rabbit_ct_helpers:merge_app_env(Config,
                                               [{rabbit,
-                                                [{amqp1_0_default_user, none},
+                                                [{anonymous_login_user, none},
                                                  {max_message_size, 134217728}]}]),
     rabbit_ct_helpers:run_steps(Config1, rabbit_ct_broker_helpers:setup_steps());
 

deps/rabbit/BUILD.bazel

@@ -58,16 +58,16 @@ _APP_ENV = """[
 	    {default_user_tags, [administrator]},
 	    {default_vhost, <<"/">>},
 	    {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
-	    {amqp1_0_default_user, <<"guest">>},
-	    {amqp1_0_default_vhost, <<"/">>},
 	    {loopback_users, [<<"guest">>]},
 	    {password_hashing_module, rabbit_password_hashing_sha256},
 	    {server_properties, []},
 	    {collect_statistics, none},
 	    {collect_statistics_interval, 5000},
 	    {mnesia_table_loading_retry_timeout, 30000},
 	    {mnesia_table_loading_retry_limit, 10},
-	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
+	    {anonymous_login_user, <<"guest">>},
+	    {anonymous_login_pass, <<"guest">>},
+	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
 	    {auth_backends, [rabbit_auth_backend_internal]},
 	    {delegate_count, 16},
 	    {trace_vhosts, []},

deps/rabbit/Makefile

@@ -38,16 +38,19 @@ define PROJECT_ENV
 	    {default_user_tags, [administrator]},
 	    {default_vhost, <<"/">>},
 	    {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
-	    {amqp1_0_default_user, <<"guest">>},
-	    {amqp1_0_default_vhost, <<"/">>},
 	    {loopback_users, [<<"guest">>]},
 	    {password_hashing_module, rabbit_password_hashing_sha256},
 	    {server_properties, []},
 	    {collect_statistics, none},
 	    {collect_statistics_interval, 5000},
 	    {mnesia_table_loading_retry_timeout, 30000},
 	    {mnesia_table_loading_retry_limit, 10},
-	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
+	    %% The identity to act as for anonymous logins.
+	    {anonymous_login_user, <<"guest">>},
+	    {anonymous_login_pass, <<"guest">>},
+	    %% "The server mechanisms are ordered in decreasing level of preference."
+	    %% AMQP §5.3.3.1
+	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
 	    {auth_backends, [rabbit_auth_backend_internal]},
 	    {delegate_count, 16},
 	    {trace_vhosts, []},

deps/rabbit/app.bzl

@@ -58,6 +58,7 @@ def all_beam_files(name = "all_beam_files"):
             "src/rabbit_amqqueue_sup_sup.erl",
             "src/rabbit_auth_backend_internal.erl",
             "src/rabbit_auth_mechanism_amqplain.erl",
+            "src/rabbit_auth_mechanism_anonymous.erl",
             "src/rabbit_auth_mechanism_cr_demo.erl",
             "src/rabbit_auth_mechanism_plain.erl",
             "src/rabbit_autoheal.erl",
@@ -313,6 +314,7 @@ def all_test_beam_files(name = "all_test_beam_files"):
             "src/rabbit_amqqueue_sup_sup.erl",
             "src/rabbit_auth_backend_internal.erl",
             "src/rabbit_auth_mechanism_amqplain.erl",
+            "src/rabbit_auth_mechanism_anonymous.erl",
             "src/rabbit_auth_mechanism_cr_demo.erl",
             "src/rabbit_auth_mechanism_plain.erl",
             "src/rabbit_autoheal.erl",
@@ -586,6 +588,7 @@ def all_srcs(name = "all_srcs"):
             "src/rabbit_amqqueue_sup_sup.erl",
             "src/rabbit_auth_backend_internal.erl",
             "src/rabbit_auth_mechanism_amqplain.erl",
+            "src/rabbit_auth_mechanism_anonymous.erl",
             "src/rabbit_auth_mechanism_cr_demo.erl",
             "src/rabbit_auth_mechanism_plain.erl",
             "src/rabbit_autoheal.erl",

deps/rabbit/docs/rabbitmq.conf.example

@@ -232,6 +232,7 @@
 ##
 # auth_mechanisms.1 = PLAIN
 # auth_mechanisms.2 = AMQPLAIN
+# auth_mechanisms.3 = ANONYMOUS
 
 ## The rabbitmq-auth-mechanism-ssl plugin makes it possible to
 ## authenticate a user based on the client's x509 (TLS) certificate.
@@ -905,14 +906,8 @@
 ##
 # mqtt.proxy_protocol = false
 
-## Set the default user name and password used for anonymous connections (when client
-## provides no credentials). Anonymous connections are highly discouraged!
-##
-# mqtt.default_user = guest
-# mqtt.default_pass = guest
-
 ## Enable anonymous connections. If this is set to false, clients MUST provide
-## credentials in order to connect. See also the mqtt.default_user/mqtt.default_pass
+## credentials in order to connect. See also the anonymous_login_user/anonymous_login_pass
 ## keys. Anonymous connections are highly discouraged!
 ##
 # mqtt.allow_anonymous = true

deps/rabbit/priv/schema/rabbit.schema

@@ -444,13 +444,12 @@ end}.
 %% ===========================================================================
 
 %% Choose the available SASL mechanism(s) to expose.
-%% The two default (built in) mechanisms are 'PLAIN' and
-%% 'AMQPLAIN'. Additional mechanisms can be added via
-%% plugins.
+%% The three default (built in) mechanisms are 'PLAIN', 'AMQPLAIN' and 'ANONYMOUS'.
+%% Additional mechanisms can be added via plugins.
 %%
 %% See https://www.rabbitmq.com/authentication.html for more details.
 %%
-%% {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
+%% {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
 
 {mapping, "auth_mechanisms.$name", "rabbit.auth_mechanisms", [
     {datatype, atom}]}.
@@ -735,6 +734,22 @@ end}.
     end
 end}.
 
+%% Connections that skip SASL layer or use SASL mechanism ANONYMOUS will use this identity.
+%% Setting this to a username will allow (anonymous) clients to connect and act as this
+%% given user. For production environments, set this value to 'none'.
+{mapping, "anonymous_login_user", "rabbit.anonymous_login_user",
+    [{datatype, [{enum, [none]}, binary]}]}.
+
+{mapping, "anonymous_login_pass", "rabbit.anonymous_login_pass", [
+    {datatype, [tagged_binary, binary]}
+]}.
+
+{translation, "rabbit.anonymous_login_pass",
+fun(Conf) ->
+    rabbit_cuttlefish:optionally_tagged_binary("anonymous_login_pass", Conf)
+end}.
+
+
 %%
 %% Default Policies
 %% ====================
@@ -2649,32 +2664,6 @@ end}.
     end
 }.
 
-% ===============================
-% AMQP 1.0
-% ===============================
-
-%% Connections that skip SASL layer or use SASL mechanism ANONYMOUS will connect as this account.
-%% Setting this to a username will allow clients to connect without authenticating.
-%% For production environments, set this value to 'none'.
-{mapping, "amqp1_0.default_user", "rabbit.amqp1_0_default_user",
-    [{datatype, [{enum, [none]}, string]}]}.
-
-{mapping, "amqp1_0.default_vhost", "rabbit.amqp1_0_default_vhost",
-    [{datatype, string}]}.
-
-{translation, "rabbit.amqp1_0_default_user",
-fun(Conf) ->
-        case cuttlefish:conf_get("amqp1_0.default_user", Conf) of
-            none -> none;
-            User -> list_to_binary(User)
-        end
-end}.
-
-{translation , "rabbit.amqp1_0_default_vhost",
-fun(Conf) ->
-    list_to_binary(cuttlefish:conf_get("amqp1_0.default_vhost", Conf))
-end}.
-
 {mapping, "stream.replication.port_range.min", "osiris.port_range", [
     {datatype, [integer]},
     {validators, ["non_zero_positive_integer"]}