Add SASL mechanism ANONYMOUS

 ## 1. Introduce new SASL mechanism ANONYMOUS

 ### What?
Introduce a new `rabbit_auth_mechanism` implementation for SASL
mechanism ANONYMOUS called `rabbit_auth_mechanism_anonymous`.

 ### Why?
As described in AMQP section 5.3.3.1, ANONYMOUS should be used when the
client doesn't need to authenticate.

Introducing a new `rabbit_auth_mechanism` consolidates and simplifies how anonymous
logins work across all RabbitMQ protocols that support SASL. This commit
therefore allows AMQP 0.9.1, AMQP 1.0, stream clients to connect out of
the box to RabbitMQ without providing any username or password.

Today's AMQP 0.9.1 and stream protocol client libs hard code RabbitMQ default credentials
`guest:guest` for example done in:
* https://github.com/rabbitmq/rabbitmq-java-client/blob/0215e85643a9ae0800822869be0200024e2ab569/src/main/java/com/rabbitmq/client/ConnectionFactory.java#L58-L61
* https://github.com/rabbitmq/amqp091-go/blob/ddb7a2f0685689063e6d709b8e417dbf9d09469c/uri.go#L31-L32

Hard coding RabbitMQ specific default credentials in dozens of different
client libraries is an anti-pattern in my opinion.
Furthermore, there are various AMQP 1.0 and MQTT client libraries which
we do not control or maintain and which still should work out of the box
when a user is getting started with RabbitMQ (that is without
providing `guest:guest` credentials).

 ### How?
The old RabbitMQ 3.13 AMQP 1.0 plugin `default_user`
[configuration](https://github.com/rabbitmq/rabbitmq-server/blob/146b4862d8e570b344c99c37d91246760e218b18/deps/rabbitmq_amqp1_0/Makefile#L6)
is replaced with the following two new `rabbit` configurations:
```
{anonymous_login_user, <<"guest">>},
{anonymous_login_pass, <<"guest">>},
```
We call it `anonymous_login_user` because this user will be used for
anonymous logins. The subsequent commit uses the same setting for
anonymous logins in MQTT. Hence, this user is orthogonal to the protocol
used when the client connects.

Setting `anonymous_login_pass` could have been left out.
This commit decides to include it because our documentation has so far
recommended:
> It is highly recommended to pre-configure a new user with a generated username and password or delete the guest user
> or at least change its password to reasonably secure generated value that won't be known to the public.

By having the new module `rabbit_auth_mechanism_anonymous` internally
authenticate with `anonymous_login_pass` instead of blindly allowing
access without any password, we protect operators that relied on the
sentence:
> or at least change its password to reasonably secure generated value that won't be known to the public

To ease the getting started experience, since RabbitMQ already deploys a
guest user with full access to the default virtual host `/`, this commit
also allows SASL mechanism ANONYMOUS in `rabbit` setting `auth_mechanisms`.

In production, operators should disable SASL mechanism ANONYMOUS by
setting `anonymous_login_user` to `none` (or by removing ANONYMOUS from
the `auth_mechanisms` setting. This will be documented separately.
Even if operators forget or don't read the docs, this new ANONYMOUS
mechanism won't do any harm because it relies on the default user name
`guest` and password `guest`, which is recommended against in
production, and who by default can only connect from the local host.

 ## 2. Require SASL security layer in AMQP 1.0

 ### What?
An AMQP 1.0 client must use the SASL security layer.

 ### Why?
This is in line with the mandatory usage of SASL in AMQP 0.9.1 and
RabbitMQ stream protocol.
Since (presumably) any AMQP 1.0 client knows how to authenticate with a
username and password using SASL mechanism PLAIN, any AMQP 1.0 client
also (presumably) implements the trivial SASL mechanism ANONYMOUS.

Skipping SASL is not recommended in production anyway.
By requiring SASL, configuration for operators becomes easier.
Following the principle of least surprise, when an an operator
configures `auth_mechanisms` to exclude `ANONYMOUS`, anonymous logins
will be prohibited in SASL and also by disallowing skipping the SASL
layer.

 ### How?
This commit implements AMQP 1.0 figure 2.13.

A follow-up commit needs to be pushed to `v3.13.x` which will use SASL
mechanism `anon` instead of `none` in the Erlang AMQP 1.0 client
such that AMQP 1.0 shovels running on 3.13 can connect to 4.0 RabbitMQ nodes.

Author: ansd

deps/amqp10_client/src/amqp10_client.erl

@@ -429,8 +429,8 @@ parse_result(Map) ->
                    throw(plain_sasl_missing_userinfo);
                _ ->
                    case UserInfo of
-                       [] -> none;
-                       undefined -> none;
+                       [] -> anon;
+                       undefined -> anon;
                        U -> parse_usertoken(U)
                    end
            end,
@@ -456,11 +456,6 @@ parse_result(Map) ->
             Ret0#{tls_opts => {secure_port, TlsOpts}}
     end.
 
-
-parse_usertoken(undefined) ->
-    none;
-parse_usertoken("") ->
-    none;
 parse_usertoken(U) ->
     [User, Pass] = string:tokens(U, ":"),
     {plain,
@@ -532,7 +527,7 @@ parse_uri_test_() ->
     [?_assertEqual({ok, #{address => "my_host",
                           port => 9876,
                           hostname => <<"my_host">>,
-                          sasl => none}}, parse_uri("amqp://my_host:9876")),
+                          sasl => anon}}, parse_uri("amqp://my_host:9876")),
      %% port defaults
      ?_assertMatch({ok, #{port := 5671}}, parse_uri("amqps://my_host")),
      ?_assertMatch({ok, #{port := 5672}}, parse_uri("amqp://my_host")),

deps/amqp10_client/test/system_SUITE.erl

@@ -103,8 +103,7 @@ stop_amqp10_client_app(Config) ->
 %% -------------------------------------------------------------------
 
 init_per_group(rabbitmq, Config0) ->
-    Config = rabbit_ct_helpers:set_config(Config0,
-                                          {sasl, {plain, <<"guest">>, <<"guest">>}}),
+    Config = rabbit_ct_helpers:set_config(Config0, {sasl, anon}),
     Config1 = rabbit_ct_helpers:merge_app_env(Config,
                                               [{rabbit,
                                                 [{max_message_size, 134217728}]}]),
@@ -115,7 +114,7 @@ init_per_group(rabbitmq_strict, Config0) ->
                                           {sasl, {plain, <<"guest">>, <<"guest">>}}),
     Config1 = rabbit_ct_helpers:merge_app_env(Config,
                                               [{rabbit,
-                                                [{amqp1_0_default_user, none},
+                                                [{anonymous_login_user, none},
                                                  {max_message_size, 134217728}]}]),
     rabbit_ct_helpers:run_steps(Config1, rabbit_ct_broker_helpers:setup_steps());
 

deps/rabbit/BUILD.bazel

@@ -58,16 +58,16 @@ _APP_ENV = """[
 	    {default_user_tags, [administrator]},
 	    {default_vhost, <<"/">>},
 	    {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
-	    {amqp1_0_default_user, <<"guest">>},
-	    {amqp1_0_default_vhost, <<"/">>},
 	    {loopback_users, [<<"guest">>]},
 	    {password_hashing_module, rabbit_password_hashing_sha256},
 	    {server_properties, []},
 	    {collect_statistics, none},
 	    {collect_statistics_interval, 5000},
 	    {mnesia_table_loading_retry_timeout, 30000},
 	    {mnesia_table_loading_retry_limit, 10},
-	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
+	    {anonymous_login_user, <<"guest">>},
+	    {anonymous_login_pass, <<"guest">>},
+	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
 	    {auth_backends, [rabbit_auth_backend_internal]},
 	    {delegate_count, 16},
 	    {trace_vhosts, []},

deps/rabbit/Makefile

@@ -38,16 +38,19 @@ define PROJECT_ENV
 	    {default_user_tags, [administrator]},
 	    {default_vhost, <<"/">>},
 	    {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
-	    {amqp1_0_default_user, <<"guest">>},
-	    {amqp1_0_default_vhost, <<"/">>},
 	    {loopback_users, [<<"guest">>]},
 	    {password_hashing_module, rabbit_password_hashing_sha256},
 	    {server_properties, []},
 	    {collect_statistics, none},
 	    {collect_statistics_interval, 5000},
 	    {mnesia_table_loading_retry_timeout, 30000},
 	    {mnesia_table_loading_retry_limit, 10},
-	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
+	    %% The identity to act as for anonymous logins.
+	    {anonymous_login_user, <<"guest">>},
+	    {anonymous_login_pass, <<"guest">>},
+	    %% "The server mechanisms are ordered in decreasing level of preference."
+	    %% AMQP §5.3.3.1
+	    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
 	    {auth_backends, [rabbit_auth_backend_internal]},
 	    {delegate_count, 16},
 	    {trace_vhosts, []},

deps/rabbit/app.bzl

@@ -58,6 +58,7 @@ def all_beam_files(name = "all_beam_files"):
             "src/rabbit_amqqueue_sup_sup.erl",
             "src/rabbit_auth_backend_internal.erl",
             "src/rabbit_auth_mechanism_amqplain.erl",
+            "src/rabbit_auth_mechanism_anonymous.erl",
             "src/rabbit_auth_mechanism_cr_demo.erl",
             "src/rabbit_auth_mechanism_plain.erl",
             "src/rabbit_autoheal.erl",
@@ -313,6 +314,7 @@ def all_test_beam_files(name = "all_test_beam_files"):
             "src/rabbit_amqqueue_sup_sup.erl",
             "src/rabbit_auth_backend_internal.erl",
             "src/rabbit_auth_mechanism_amqplain.erl",
+            "src/rabbit_auth_mechanism_anonymous.erl",
             "src/rabbit_auth_mechanism_cr_demo.erl",
             "src/rabbit_auth_mechanism_plain.erl",
             "src/rabbit_autoheal.erl",
@@ -586,6 +588,7 @@ def all_srcs(name = "all_srcs"):
             "src/rabbit_amqqueue_sup_sup.erl",
             "src/rabbit_auth_backend_internal.erl",
             "src/rabbit_auth_mechanism_amqplain.erl",
+            "src/rabbit_auth_mechanism_anonymous.erl",
             "src/rabbit_auth_mechanism_cr_demo.erl",
             "src/rabbit_auth_mechanism_plain.erl",
             "src/rabbit_autoheal.erl",

deps/rabbit/priv/schema/rabbit.schema

@@ -444,13 +444,12 @@ end}.
 %% ===========================================================================
 
 %% Choose the available SASL mechanism(s) to expose.
-%% The two default (built in) mechanisms are 'PLAIN' and
-%% 'AMQPLAIN'. Additional mechanisms can be added via
-%% plugins.
+%% The three default (built in) mechanisms are 'PLAIN', 'AMQPLAIN' and 'ANONYMOUS'.
+%% Additional mechanisms can be added via plugins.
 %%
 %% See https://www.rabbitmq.com/authentication.html for more details.
 %%
-%% {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
+%% {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
 
 {mapping, "auth_mechanisms.$name", "rabbit.auth_mechanisms", [
     {datatype, atom}]}.
@@ -735,6 +734,30 @@ end}.
     end
 end}.
 
+%% Connections that skip SASL layer or use SASL mechanism ANONYMOUS will use this identity.
+%% Setting this to a username will allow (anonymous) clients to connect and act as this
+%% given user. For production environments, set this value to 'none'.
+{mapping, "anonymous_login_user", "rabbit.anonymous_login_user",
+    [{datatype, [{enum, [none]}, string]}]}.
+
+{translation, "rabbit.anonymous_login_user",
+fun(Conf) ->
+        case cuttlefish:conf_get("anonymous_login_user", Conf) of
+            none -> none;
+            User -> list_to_binary(User)
+        end
+end}.
+
+{mapping, "anonymous_login_pass", "rabbit.anonymous_login_pass", [
+    {datatype, [tagged_binary, binary]}
+]}.
+
+{translation, "rabbit.anonymous_login_pass",
+fun(Conf) ->
+    rabbit_cuttlefish:optionally_tagged_binary("anonymous_login_pass", Conf)
+end}.
+
+
 %%
 %% Default Policies
 %% ====================
@@ -2649,32 +2672,6 @@ end}.
     end
 }.
 
-% ===============================
-% AMQP 1.0
-% ===============================
-
-%% Connections that skip SASL layer or use SASL mechanism ANONYMOUS will connect as this account.
-%% Setting this to a username will allow clients to connect without authenticating.
-%% For production environments, set this value to 'none'.
-{mapping, "amqp1_0.default_user", "rabbit.amqp1_0_default_user",
-    [{datatype, [{enum, [none]}, string]}]}.
-
-{mapping, "amqp1_0.default_vhost", "rabbit.amqp1_0_default_vhost",
-    [{datatype, string}]}.
-
-{translation, "rabbit.amqp1_0_default_user",
-fun(Conf) ->
-        case cuttlefish:conf_get("amqp1_0.default_user", Conf) of
-            none -> none;
-            User -> list_to_binary(User)
-        end
-end}.
-
-{translation , "rabbit.amqp1_0_default_vhost",
-fun(Conf) ->
-    list_to_binary(cuttlefish:conf_get("amqp1_0.default_vhost", Conf))
-end}.
-
 {mapping, "stream.replication.port_range.min", "osiris.port_range", [
     {datatype, [integer]},
     {validators, ["non_zero_positive_integer"]}