Adds a new auth backend that only accepts loopback connections

[aaron-seo]

Proposed Changes

As discussed in #13205, this PR adds a new auth backend that works exactly like the internal one, but only accepts loopback connections. This PR does so by retrieving the socket in the plain auth mechanism and passes the socket through AuthProps to the auth_backend.

I'm able to test localhost connections, but haven't found a reliable way to test non-localhost connections.

It also accepts all loopback connections, not necessary only the loopback_users. This behavior is subject to change and open to thoughts on it.

The README.md assumes this will get shipped with 4.1.1, that is subject to change as needed.

Manual testing performed

Setup

1. gmake run-broker
2. Create users and set up tags and permissions

Listing users ...
user    tags
my_nonloopback_user     [monitoring]
guest   [administrator]
my_loopback_user        [monitoring]
...
Listing permissions for user "my_loopback_user" ...
vhost   configure       write   read
/       .*      .*      .*
...
Listing permissions for user "my_nonloopback_user" ...
vhost   configure       write   read
/       .*      .*      .*

Test localhost conections

java -jar perf-test.jar --uri amqp://my_(non)loopback_user:123@localhost:5672
id: test-093303-736, starting consumer #0
id: test-093303-736, starting consumer #0, channel #0
...

Both connect fine

Test non-localhost connections

(Note: I just manually changed rabbit_net:is_loopback/1 to return false to test for now)

java -jar perf-test.jar --uri amqp://my_(non)loopback_user:123@localhost:5672
Main thread caught exception: com.rabbitmq.client.AuthenticationFailureException: ACCESS_REFUSED - Login was refused using authentication mech
anism PLAIN. For details see the broker logfile.
09:23:37.827 [main] ERROR com.rabbitmq.perf.PerfTest - Main thread caught exception
com.rabbitmq.client.AuthenticationFailureException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see t
he broker logfile.
...

Logs look like this for both attempts

...
2025-04-17 09:29:27.249690-07:00 [info] <0.1011.0> accepting AMQP connection [::1]:59451 -> [::1]:5672
2025-04-17 09:29:27.263415-07:00 [info] <0.1011.0> connection [::1]:59451 -> [::1]:5672 has a client-provided name: perf-test-configuration-0
2025-04-17 09:29:27.263463-07:00 [debug] <0.1011.0> Client address during authN phase: {0,0,0,0,0,0,0,1}
2025-04-17 09:29:27.263520-07:00 [debug] <0.1011.0> User 'my_nonloopback_user' failed authentication by backend rabbit_auth_backend_internal_loopback
2025-04-17 09:29:27.263664-07:00 [error] <0.1011.0> Error on AMQP connection <0.1011.0> ([::1]:59451 -> [::1]:5672, state: starting):
2025-04-17 09:29:27.263664-07:00 [error] <0.1011.0> PLAIN login refused: user 'my_nonloopback_user' attempted to log in, but the socket or address was not from loopback/localhost, which is prohibited by the internal loopback authN backend.
2025-04-17 09:29:27.264157-07:00 [info] <0.1011.0> closing AMQP connection ([::1]:59451 -> [::1]:5672 - perf-test-configuration-0, duration: '19ms')
2025-04-17 09:29:27.265272-07:00 [info] <0.1017.0> accepting AMQP connection 127.0.0.1:59452 -> 127.0.0.1:5672
2025-04-17 09:29:27.268408-07:00 [info] <0.1017.0> connection 127.0.0.1:59452 -> 127.0.0.1:5672 has a client-provided name: perf-test-configuration-0
2025-04-17 09:29:27.268437-07:00 [debug] <0.1017.0> Client address during authN phase: {0,0,0,0,0,65535,32512,1}
2025-04-17 09:29:27.268460-07:00 [debug] <0.1017.0> User 'my_nonloopback_user' failed authentication by backend rabbit_auth_backend_internal_loopback
2025-04-17 09:29:27.268558-07:00 [error] <0.1017.0> Error on AMQP connection <0.1017.0> (127.0.0.1:59452 -> 127.0.0.1:5672, state: starting):
2025-04-17 09:29:27.268558-07:00 [error] <0.1017.0> PLAIN login refused: user 'my_nonloopback_user' attempted to log in, but the socket or address was not from loopback/localhost, which is prohibited by the internal loopback authN backend.
2025-04-17 09:29:27.268761-07:00 [info] <0.1017.0> closing AMQP connection (127.0.0.1:59452 -> 127.0.0.1:5672 - perf-test-configuration-0, duration: '3ms')
...

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

• Bug fix (non-breaking change which fixes issue #NNNN)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause an observable behavior change in existing systems)
• Documentation improvements (corrections, new content, etc)
• Cosmetic change (whitespace, formatting, etc)
• Build system and/or CI

Checklist

Put an x in the boxes that apply.
You can also fill these out after creating the PR.
If you're unsure about any of them, don't hesitate to ask on the mailing list.
We're here to help!
This is simply a reminder of what we are going to look for before merging your code.

• I have read the CONTRIBUTING.md document
• I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
• I have added tests that prove my fix is effective or that my feature works
• All tests pass locally with my changes
• If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website
• If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution
you did and what alternatives you considered, etc.

[michaelklishin]

@aaron-seo if the goal of this backend is to only allow loopback connections of automation tools, accepting all local connections without requiring them to be whitelisted make sense to me.

I'm not sure I understand the part about testing remote connections. It should be a matter of connecting from any other host?

[michaelklishin]

4.1.0 has already shipped, so the plugin cannot be included into it by definition.

[aaron-seo]

4.1.0 has already shipped, so the plugin cannot be included into it by definition.

Ah, wrote that before 4.1 shipped, will update to 4.2

I'm not sure I understand the part about testing remote connections. It should be a matter of connecting from any other host?

If I'm running locally with gmake run-broker, and the broker is running on localhost, not sure how to connect from another host without port forwarding, etc. I guess I could just not run it locally (or maybe run in on docker containers!) and it would be much easier to test, which I'll try today.

[aaron-seo]

Working on a fix for the failures in rabbitmq_stream_SUITE, I think there's an issue with the Socket not being handled properly for these cases

[michaelklishin]

Submitted as #13795 to see if the Selenium suite failures might have something to do with the secret access.

[michaelklishin]

Quoting @MarcialRosales in #13795:

When I run one of the failing selenium tests I capture the following stack trace in the logs. I can consistently reproduce this issue. If I run it from main it works fine:

2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0> [{rabbit_http_util,quote_plus,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                    [#Port<0.5439>,[]],
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                    [{file,"rabbit_http_util.erl"},{line,136}]},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>  {rabbit_auth_backend_http,escape,2,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                            [{file,"rabbit_auth_backend_http.erl"},{line,236}]},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>  {rabbit_auth_backend_http,'-q/1-lc$^0/1-0-',1,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                            [{file,"rabbit_auth_backend_http.erl"},{line,230}]},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>  {rabbit_auth_backend_http,'-q/1-lc$^0/1-0-',1,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                            [{file,"rabbit_auth_backend_http.erl"},{line,230}]},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>  {rabbit_auth_backend_http,q,1,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                            [{file,"rabbit_auth_backend_http.erl"},{line,230}]},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>  {rabbit_auth_backend_http,user_login_authentication,2,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                            [{file,"rabbit_auth_backend_http.erl"},{line,36}]},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>  {rabbit_auth_backend_cache,with_cache,3,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                             [{file,"rabbit_auth_backend_cache.erl"},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                              {line,90}]},
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>  {rabbit_access_control,try_authenticate,3,
2025-04-25 11:38:32.743764+02:00 [debug] <0.1229.0>                         [{file,"rabbit_access_control.erl"},{line,95}]}]

@aaron-seo To run the test locally and from source you can follow these instructions:

1. From a terminal, launch rabbitmq for the suite that is failing, for instance: suites/authnz-messaging/auth-cache-http-backends.sh

cd selenium
suites/authnz-messaging/auth-cache-http-backends.sh start-rabbitmq

This command starts up RabbitMQ using gmake and configured for the test suite

2. From another terminal, run these commands. npm install is required the fist time you run the tests. start-others runs any component the test suite depends on. This suite, in particular, needs a mock http backend. It is launched as a docker container and in the background.

cd selenium
npm install
suites/authnz-messaging/auth-cache-http-backends.sh start-others
suites/authnz-messaging/auth-cache-http-backends.sh test

3. Go to the logs of RabbitMQ

If you do not want to run it from source but directly against a RabbitMQ docker image, all you need to do is run this command (this is explained here):

cd selenium
RABBITMQ_DOCKER_IMAGE=<docker_image:tag> suites/authnz-messaging/auth-cache-http-backends.sh 

[aaron-seo]

Thank you for checking and for the instructions! Turns out to be an issue with rabbit_auth_backend_http trying to escape the sockOrAddr AuthProp added by this PR. I decided to just filter out that sockOrAddr, as it's not used by the http auth backend.

[michaelklishin]

Merged in #13818.