
Merge pull request #12018 from rabbitmq/mergify/bp/v4.0.x/pr-11999
Add SASL mechanism ANONYMOUS (backport #11999)
michaelklishin authored Aug 15, 2024
2 parents 334c43b + 954bd11 commit 7b64132
Showing 29 changed files with 431 additions and 398 deletions.
11 changes: 3 additions & 8 deletions deps/amqp10_client/src/amqp10_client.erl
Expand Up @@ -429,8 +429,8 @@ parse_result(Map) ->
throw(plain_sasl_missing_userinfo);
_ ->
case UserInfo of
[] -> none;
undefined -> none;
[] -> anon;
undefined -> anon;
U -> parse_usertoken(U)
end
end,
Expand All @@ -456,11 +456,6 @@ parse_result(Map) ->
Ret0#{tls_opts => {secure_port, TlsOpts}}
end.


parse_usertoken(undefined) ->
none;
parse_usertoken("") ->
none;
parse_usertoken(U) ->
[User, Pass] = string:tokens(U, ":"),
{plain,
Expand Down Expand Up @@ -532,7 +527,7 @@ parse_uri_test_() ->
[?_assertEqual({ok, #{address => "my_host",
port => 9876,
hostname => <<"my_host">>,
sasl => none}}, parse_uri("amqp://my_host:9876")),
sasl => anon}}, parse_uri("amqp://my_host:9876")),
%% port defaults
?_assertMatch({ok, #{port := 5671}}, parse_uri("amqps://my_host")),
?_assertMatch({ok, #{port := 5672}}, parse_uri("amqp://my_host")),
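Review bot: `[User, Pass] = string:tokens(U, ":")`, kept as context on the new side of the second hunk, still fails with badmatch for a userinfo with an empty password (`user:`) or a password that itself contains a colon, because string:tokens/2 drops empty tokens and splits at every separator; `string:split(U, ":")` splits only at the first colon and keeps the empty field, and a named throw like the existing `plain_sasl_missing_userinfo` would make a malformed token easier to diagnose than badmatch. Now that the `undefined` and `""` clauses are gone, that line is the only check left on the userinfo shape. The `anon` default for a URI without userinfo also deserves a comment in parse_result, e.g. `%% no userinfo: use SASL ANONYMOUS rather than skipping the SASL layer`, since callers that relied on the old `none` will see different wire behaviour. parse_result starts outside the hunk.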
5 changes: 2 additions & 3 deletions deps/amqp10_client/test/system_SUITE.erl
Expand Up @@ -103,8 +103,7 @@ stop_amqp10_client_app(Config) ->
%% -------------------------------------------------------------------

init_per_group(rabbitmq, Config0) ->
Config = rabbit_ct_helpers:set_config(Config0,
{sasl, {plain, <<"guest">>, <<"guest">>}}),
Config = rabbit_ct_helpers:set_config(Config0, {sasl, anon}),
Config1 = rabbit_ct_helpers:merge_app_env(Config,
[{rabbit,
[{max_message_size, 134217728}]}]),
Expand All @@ -115,7 +114,7 @@ init_per_group(rabbitmq_strict, Config0) ->
{sasl, {plain, <<"guest">>, <<"guest">>}}),
Config1 = rabbit_ct_helpers:merge_app_env(Config,
[{rabbit,
[{amqp1_0_default_user, none},
[{anonymous_login_user, none},
{max_message_size, 134217728}]}]),
rabbit_ct_helpers:run_steps(Config1, rabbit_ct_broker_helpers:setup_steps());

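Review bot: `{sasl, anon}` in the rabbitmq group makes every test there depend on the broker default for `anonymous_login_user`/`anonymous_login_pass` resolving to an existing user, and that coupling is not stated; a comment such as `%% relies on the broker default anonymous_login_user (guest); rabbitmq_strict covers the opt-out` above the set_config call would make it explicit. In the rabbitmq_strict group only `anonymous_login_user` is set to `none`, so ANONYMOUS is presumably still advertised but refused; if that is the intended scenario, saying so in a one-line comment next to `{anonymous_login_user, none}` would help the next reader. Both init_per_group clauses continue outside the hunk.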
6 changes: 3 additions & 3 deletions deps/rabbit/BUILD.bazel
Expand Up @@ -58,16 +58,16 @@ _APP_ENV = """[
{default_user_tags, [administrator]},
{default_vhost, <<"/">>},
{default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
{amqp1_0_default_user, <<"guest">>},
{amqp1_0_default_vhost, <<"/">>},
{loopback_users, [<<"guest">>]},
{password_hashing_module, rabbit_password_hashing_sha256},
{server_properties, []},
{collect_statistics, none},
{collect_statistics_interval, 5000},
{mnesia_table_loading_retry_timeout, 30000},
{mnesia_table_loading_retry_limit, 10},
{auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
{anonymous_login_user, <<"guest">>},
{anonymous_login_pass, <<"guest">>},
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
{auth_backends, [rabbit_auth_backend_internal]},
{delegate_count, 16},
{trace_vhosts, []},
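Review bot: With `'ANONYMOUS'` added to `auth_mechanisms` and `anonymous_login_user`/`anonymous_login_pass` both defaulting to `<<"guest">>`, a stock node now accepts credential-less logins as guest out of the box; the same pair of defaults is in deps/rabbit/Makefile. Whether `loopback_users` still confines those logins to localhost is not visible in this hunk and is the property that matters, so it warrants a test and a release note rather than being left implicit. The Makefile copy carries explanatory comments (`%% The identity to act as for anonymous logins.`) while this `_APP_ENV` copy has none; mirroring them, or adding `# keep in sync with PROJECT_ENV in deps/rabbit/Makefile`, would keep the two lists from drifting.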
9 changes: 6 additions & 3 deletions deps/rabbit/Makefile
Expand Up @@ -38,16 +38,19 @@ define PROJECT_ENV
{default_user_tags, [administrator]},
{default_vhost, <<"/">>},
{default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
{amqp1_0_default_user, <<"guest">>},
{amqp1_0_default_vhost, <<"/">>},
{loopback_users, [<<"guest">>]},
{password_hashing_module, rabbit_password_hashing_sha256},
{server_properties, []},
{collect_statistics, none},
{collect_statistics_interval, 5000},
{mnesia_table_loading_retry_timeout, 30000},
{mnesia_table_loading_retry_limit, 10},
{auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
%% The identity to act as for anonymous logins.
{anonymous_login_user, <<"guest">>},
{anonymous_login_pass, <<"guest">>},
%% "The server mechanisms are ordered in decreasing level of preference."
%% AMQP §5.3.3.1
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},
{auth_backends, [rabbit_auth_backend_internal]},
{delegate_count, 16},
{trace_vhosts, []},
3 changes: 3 additions & 0 deletions deps/rabbit/app.bzl
Expand Up @@ -58,6 +58,7 @@ def all_beam_files(name = "all_beam_files"):
"src/rabbit_amqqueue_sup_sup.erl",
"src/rabbit_auth_backend_internal.erl",
"src/rabbit_auth_mechanism_amqplain.erl",
"src/rabbit_auth_mechanism_anonymous.erl",
"src/rabbit_auth_mechanism_cr_demo.erl",
"src/rabbit_auth_mechanism_plain.erl",
"src/rabbit_autoheal.erl",
Expand Down Expand Up @@ -313,6 +314,7 @@ def all_test_beam_files(name = "all_test_beam_files"):
"src/rabbit_amqqueue_sup_sup.erl",
"src/rabbit_auth_backend_internal.erl",
"src/rabbit_auth_mechanism_amqplain.erl",
"src/rabbit_auth_mechanism_anonymous.erl",
"src/rabbit_auth_mechanism_cr_demo.erl",
"src/rabbit_auth_mechanism_plain.erl",
"src/rabbit_autoheal.erl",
Expand Down Expand Up @@ -586,6 +588,7 @@ def all_srcs(name = "all_srcs"):
"src/rabbit_amqqueue_sup_sup.erl",
"src/rabbit_auth_backend_internal.erl",
"src/rabbit_auth_mechanism_amqplain.erl",
"src/rabbit_auth_mechanism_anonymous.erl",
"src/rabbit_auth_mechanism_cr_demo.erl",
"src/rabbit_auth_mechanism_plain.erl",
"src/rabbit_autoheal.erl",
9 changes: 2 additions & 7 deletions deps/rabbit/docs/rabbitmq.conf.example
Expand Up @@ -232,6 +232,7 @@
##
# auth_mechanisms.1 = PLAIN
# auth_mechanisms.2 = AMQPLAIN
# auth_mechanisms.3 = ANONYMOUS

## The rabbitmq-auth-mechanism-ssl plugin makes it possible to
## authenticate a user based on the client's x509 (TLS) certificate.
Expand Down Expand Up @@ -905,14 +906,8 @@
##
# mqtt.proxy_protocol = false

## Set the default user name and password used for anonymous connections (when client
## provides no credentials). Anonymous connections are highly discouraged!
##
# mqtt.default_user = guest
# mqtt.default_pass = guest

## Enable anonymous connections. If this is set to false, clients MUST provide
## credentials in order to connect. See also the mqtt.default_user/mqtt.default_pass
## credentials in order to connect. See also the anonymous_login_user/anonymous_login_pass
## keys. Anonymous connections are highly discouraged!
##
# mqtt.allow_anonymous = true
49 changes: 19 additions & 30 deletions deps/rabbit/priv/schema/rabbit.schema
Expand Up @@ -444,13 +444,12 @@ end}.
%% ===========================================================================

%% Choose the available SASL mechanism(s) to expose.
%% The two default (built in) mechanisms are 'PLAIN' and
%% 'AMQPLAIN'. Additional mechanisms can be added via
%% plugins.
%% The three default (built in) mechanisms are 'PLAIN', 'AMQPLAIN' and 'ANONYMOUS'.
%% Additional mechanisms can be added via plugins.
%%
%% See https://www.rabbitmq.com/authentication.html for more details.
%%
%% {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
%% {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'ANONYMOUS']},

{mapping, "auth_mechanisms.$name", "rabbit.auth_mechanisms", [
{datatype, atom}]}.
Expand Down Expand Up @@ -735,6 +734,22 @@ end}.
end
end}.

%% Connections that skip SASL layer or use SASL mechanism ANONYMOUS will use this identity.
%% Setting this to a username will allow (anonymous) clients to connect and act as this
%% given user. For production environments, set this value to 'none'.
{mapping, "anonymous_login_user", "rabbit.anonymous_login_user",
[{datatype, [{enum, [none]}, binary]}]}.

{mapping, "anonymous_login_pass", "rabbit.anonymous_login_pass", [
{datatype, [tagged_binary, binary]}
]}.

{translation, "rabbit.anonymous_login_pass",
fun(Conf) ->
rabbit_cuttlefish:optionally_tagged_binary("anonymous_login_pass", Conf)
end}.


%%
%% Default Policies
%% ====================
Expand Down Expand Up @@ -2649,32 +2664,6 @@ end}.
end
}.

% ===============================
% AMQP 1.0
% ===============================

%% Connections that skip SASL layer or use SASL mechanism ANONYMOUS will connect as this account.
%% Setting this to a username will allow clients to connect without authenticating.
%% For production environments, set this value to 'none'.
{mapping, "amqp1_0.default_user", "rabbit.amqp1_0_default_user",
[{datatype, [{enum, [none]}, string]}]}.

{mapping, "amqp1_0.default_vhost", "rabbit.amqp1_0_default_vhost",
[{datatype, string}]}.

{translation, "rabbit.amqp1_0_default_user",
fun(Conf) ->
case cuttlefish:conf_get("amqp1_0.default_user", Conf) of
none -> none;
User -> list_to_binary(User)
end
end}.

{translation , "rabbit.amqp1_0_default_vhost",
fun(Conf) ->
list_to_binary(cuttlefish:conf_get("amqp1_0.default_vhost", Conf))
end}.

{mapping, "stream.replication.port_range.min", "osiris.port_range", [
{datatype, [integer]},
{validators, ["non_zero_positive_integer"]}
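Review bot: Dropping the `amqp1_0.default_user` and `amqp1_0.default_vhost` mappings leaves a rabbitmq.conf that still sets either key without a schema entry, so as far as this hunk shows it will presumably be rejected as an unknown key at boot; unless a compatibility mapping or deprecation warning lives elsewhere in the PR, a release note and, if cuttlefish conventions here allow it, an alias mapping from the old key onto `rabbit.anonymous_login_user` would soften the upgrade. The new `anonymous_login_user` comment says `For production environments, set this value to 'none'` but never states the shipped default, which a reader of the schema has to go and find; `%% Defaults to <<"guest">> (see PROJECT_ENV); set to 'none' to refuse anonymous logins.` would close that gap. The default itself is visible in deps/rabbit/Makefile in this commit.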
