Adds rabbit_auth_backend_internal_loopback

This auth backend behaves the same as the internal backend provided in
the core broker, but it only accepts loopback connections. External
connection attempts will receive an error.

(cherry picked from commit 6d24aef)

Author: aaron-seo

.gitignore

@@ -37,6 +37,7 @@ elvis
 !/deps/rabbitmq_amqp_client/
 !/deps/rabbitmq_auth_backend_cache/
 !/deps/rabbitmq_auth_backend_http/
+!/deps/rabbitmq_auth_backend_internal_loopback/
 !/deps/rabbitmq_auth_backend_ldap/
 !/deps/rabbitmq_auth_backend_oauth2/
 !/deps/rabbitmq_auth_mechanism_ssl/

Makefile

@@ -523,6 +523,7 @@ TIER1_PLUGINS := \
 	   rabbitmq_amqp1_0 \
 	   rabbitmq_auth_backend_cache \
 	   rabbitmq_auth_backend_http \
+	   rabbitmq_auth_backend_internal_loopback \
 	   rabbitmq_auth_backend_ldap \
 	   rabbitmq_auth_backend_oauth2 \
 	   rabbitmq_auth_mechanism_ssl \

deps/rabbit/src/rabbit_auth_mechanism_plain.erl

@@ -10,6 +10,10 @@
 
 -export([description/0, should_offer/1, init/1, handle_response/2]).
 
+-record(state, {
+          socket
+         }).
+
 -rabbit_boot_step({?MODULE,
                    [{description, "auth mechanism plain"},
                     {mfa,         {rabbit_registry, register,
@@ -26,17 +30,21 @@ description() ->
 should_offer(_Sock) ->
     true.
 
-init(_Sock) ->
-    [].
+init(Sock) ->
+    #state{socket = Sock}.
 
-handle_response(Response, _State) ->
+handle_response(Response, #state{socket = Socket}) ->
     case extract_user_pass(Response) of
         {ok, User, Pass} ->
-            rabbit_access_control:check_user_pass_login(User, Pass);
+            AuthProps = build_auth_props(Pass, Socket),
+            rabbit_access_control:check_user_login(User, AuthProps);
         error ->
             {protocol_error, "response ~tp invalid", [Response]}
     end.
 
+build_auth_props(Pass, Socket) ->
+    [{password, Pass}, {sockOrAddr, Socket}].
+
 extract_user_pass(Response) ->
     case extract_elem(Response) of
         {ok, User, Response1} ->

deps/rabbitmq_auth_backend_internal_loopback/.gitignore

@@ -0,0 +1 @@
+test/config_schema_SUITE_data/schema/

deps/rabbitmq_auth_backend_internal_loopback/CODE_OF_CONDUCT.md

@@ -0,0 +1,44 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open
+and welcoming community, we pledge to respect all people who contribute through reporting
+issues, posting feature requests, updating documentation, submitting pull requests or
+patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for
+everyone, regardless of level of experience, gender, gender identity and expression,
+sexual orientation, disability, personal appearance, body size, race, ethnicity, age,
+religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+ * The use of sexualized language or imagery
+ * Personal attacks
+ * Trolling or insulting/derogatory comments
+ * Public or private harassment
+ * Publishing other's private information, such as physical or electronic addresses,
+   without explicit permission
+ * Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments,
+commits, code, wiki edits, issues, and other contributions that are not aligned to this
+Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors
+that they deem inappropriate, threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to fairly and
+consistently applying these principles to every aspect of managing this project. Project
+maintainers who do not follow or enforce the Code of Conduct may be permanently removed
+from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces when an
+individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by
+contacting a project maintainer at [rabbitmq-core@groups.vmware.com](mailto:rabbitmq-core@groups.vmware.com). All complaints will
+be reviewed and investigated and will result in a response that is deemed necessary and
+appropriate to the circumstances. Maintainers are obligated to maintain confidentiality
+with regard to the reporter of an incident.
+
+This Code of Conduct is adapted from the
+[Contributor Covenant](https://contributor-covenant.org), version 1.3.0, available at
+[contributor-covenant.org/version/1/3/0/](https://contributor-covenant.org/version/1/3/0/)

deps/rabbitmq_auth_backend_internal_loopback/CONTRIBUTING.md

@@ -0,0 +1,203 @@
+## Overview
+
+RabbitMQ projects use pull requests to discuss, collaborate on and accept code contributions.
+Pull requests is the primary place of discussing code changes.
+
+## How to Contribute
+
+The process is fairly standard:
+
+ * Present your idea to the RabbitMQ core team using [GitHub Discussions](https://github.com/rabbitmq/rabbitmq-server/discussions) or [RabbitMQ community Discord server](https://rabbitmq.com/discord)
+ * Fork the repository or repositories you plan on contributing to
+ * Run `git clean -xfffd && gmake clean && gmake distclean && gmake` to build all subprojects from scratch
+ * Create a branch with a descriptive name
+ * Make your changes, run tests, ensure correct code formatting, commit with a [descriptive message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html), push to your fork
+ * Submit pull requests with an explanation what has been changed and **why**
+ * Submit a filled out and signed [Contributor Agreement](https://cla.pivotal.io/) if needed (see below)
+ * Be patient. We will get to your pull request eventually
+
+
+## Running Tests
+
+Test suites of individual subprojects can be run from the subproject directory under
+`deps/*`. For example, for the core broker:
+
+``` shell
+# Running all server suites in parallel will take between 30 and 40 minutes on reasonably
+# recent multi-core machines. This is rarely necessary in development environments.
+# Running individual test suites or groups of test suites can be enough.
+#
+
+# Before you start: this will terminate all running nodes, make processes and Common Test processes
+killall -9 beam.smp; killall -9 erl; killall -9 make; killall -9 epmd; killall -9 erl_setup_child; killall -9 ct_run
+
+# the core broker subproject
+cd deps/rabbit
+
+# cleans build artifacts
+git clean -xfffd
+gmake clean; gmake distclean
+
+# builds the broker and all of its dependencies
+gmake
+# runs an integration test suite, tests/rabbit_fifo_SUITE with CT (Common Test)
+gmake ct-rabbit_fifo
+# runs an integration test suite, tests/quorum_queue_SUITE with CT (Common Test)
+gmake ct-quorum_queue
+# runs an integration test suite, tests/queue_parallel_SUITE with CT (Common Test)
+gmake ct-queue_parallel
+# runs a unit test suite tests/unit_log_management_SUITE with CT (Common Test)
+gmake ct-unit_log_management
+```
+
+### Running Specific Groups or Tests
+
+All `ct-*` Make targets support a `t=` argument which are transformed to [`-group` and `-case` Common Test runner options](https://www.erlang.org/doc/apps/common_test/run_test_chapter.html).
+
+``` shell
+# Runs a a group of tests named 'all_tests_with_prefix' in suite 'test/rabbit_mgmt_http_SUITE.erl'
+gmake ct-rabbit_mgmt_http t="all_tests_with_prefix"
+
+# Runs a test named 'users_test' in group 'all_tests_with_prefix' in suite 'test/rabbit_mgmt_http_SUITE.erl'
+gmake ct-rabbit_mgmt_http t="all_tests_with_prefix:users_test"
+# Runs a test named 'queues_test' in group 'all_tests_with_prefix' in suite 'test/rabbit_mgmt_http_SUITE.erl'
+gmake ct-rabbit_mgmt_http t="all_tests_with_prefix:queues_test"
+```
+
+### Running Tests with a Specific Schema Data Store
+
+Set `RABBITMQ_METADATA_STORE` to either `khepri` or `mnesia` to make the Common Test suites
+use a specific [schema data store]() (metadata store):
+
+``` shell
+RABBITMQ_METADATA_STORE=khepri gmake ct-quorum_queue
+```
+
+Or, with Nu shell:
+
+```nu
+with-env {'RABBITMQ_METADATA_STORE': 'khepri'} { gmake ct-quorum_queue }
+```
+
+
+## Running Single Nodes from Source
+
+``` shell
+# Run from repository root.
+# Starts a node with the management plugin enabled
+gmake run-broker RABBITMQ_PLUGINS=rabbitmq_management
+```
+
+The nodes will be started in the background. They will use `rabbit@{hostname}` for its name, so CLI will be able to contact
+it without an explicit `-n` (`--node`) argument:
+
+```shell
+# Run from repository root.
+./sbin/rabbitmq-diagnostics status
+```
+
+## Running Clusters from Source
+
+``` shell
+# Run from repository root.
+# Starts a three node cluster with the management plugin enabled
+gmake start-cluster NODES=3 RABBITMQ_PLUGINS=rabbitmq_management
+```
+
+The node will use `rabbit-{n}@{hostname}` for names, so CLI must
+be explicitly given explicit an `-n` (`--node`) argument in order to
+contact one of the nodes:
+
+ * `rabbit-1`
+ * `rabbit-2`
+ * `rabbit-3`
+
+The names of the nodes can be looked up via
+
+``` shell
+epmd -names
+```
+
+``` shell
+# Run from repository root.
+# Makes CLI tools talk to node rabbit-2
+sbin/rabbitmq-diagnostics cluster_status -n rabbit-2
+
+# Run from repository root.
+# Makes CLI tools talk to node rabbit-1
+sbin/rabbitmq-diagnostics status -n rabbit-1
+```
+
+To stop a previously started cluster:
+
+``` shell
+# Run from repository root.
+# Stops a three node cluster started earlier
+gmake stop-cluster NODES=3
+```
+
+
+## Working on Management UI with BrowserSync
+
+When working on management UI code, besides starting the node with
+
+``` shell
+# starts a node with the management plugin enabled
+gmake run-broker RABBITMQ_PLUGINS=rabbitmq_management
+```
+
+(or any other set of plugins), it is highly recommended to use [BrowserSync](https://browsersync.io/#install)
+to shorten the edit/feedback cycle for JS files, CSS, and so on.
+
+First, install BrowserSync using NPM:
+
+``` shell
+npm install -g browser-sync
+```
+
+Assuming a node running locally with HTTP API on port `15672`, start
+a BrowserSync proxy like so:
+
+``` shell
+cd deps/rabbitmq_management/priv/www
+
+browser-sync start --proxy localhost:15672 --serverStatic . --files .
+```
+
+BrowserSync will automatically open a browser window for you to use. The window
+will automatically refresh when one of the static (templates, JS, CSS) files change.
+
+All HTTP requests that BrowserSync does not know how to handle will be proxied to
+the HTTP API at `localhost:15672`.
+
+
+## Formatting the RabbitMQ CLI
+
+The RabbitMQ CLI uses the standard [Elixir code formatter](https://hexdocs.pm/mix/main/Mix.Tasks.Format.html). To ensure correct code formatting of the CLI:
+
+```
+cd deps/rabbitmq_cli
+mix format
+```
+
+Running `make` will validate the CLI formatting and issue any necessary warnings. Alternatively, run the format checker in the `deps/rabbitmq_cli` directory:
+
+```
+mix format --check-formatted
+```
+
+## Code of Conduct
+
+See [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md).
+
+## Contributor Agreement
+
+If you want to contribute a non-trivial change, please submit a signed copy of our
+[Contributor Agreement](https://cla.pivotal.io/) around the time
+you submit your pull request. This will make it much easier (in some cases, possible)
+for the RabbitMQ team at Pivotal to merge your contribution.
+
+## Where to Ask Questions
+
+If something isn't clear, feel free to ask on [GitHub Discussions](https://github.com/rabbitmq/rabbitmq-server/discussions)
+and [community Discord server](https://rabbitmq.com/discord).

deps/rabbitmq_auth_backend_internal_loopback/LICENSE

@@ -0,0 +1,3 @@
+This package is licensed under the MPL 2.0. For the MPL 2.0, please see LICENSE-MPL-RabbitMQ.
+
+If you have any questions regarding licensing, please contact us at rabbitmq-core@groups.vmware.com.