Merge branch 'master' into rabbitmq-cli-155

7 files changed, 539 insertions, 1 deletions

diff --git a/src/rabbit_credential_validation.erl b/src/rabbit_credential_validation.erl
new file mode 100644
index 0000000000..4a629da14f
--- /dev/null
+++ b/src/rabbit_credential_validation.erl
@@ -0,0 +1,53 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_credential_validation).
+
+-include("rabbit.hrl").
+
+%% used for backwards compatibility
+-define(DEFAULT_BACKEND, rabbit_credential_validator_accept_everything).
+
+%%
+%% API
+%%
+
+-export([validate/2, backend/0]).
+
+-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}.
+
+%% Validates a username/password pair by delegating to the effective
+%% `rabbit_credential_validator`. Used by `rabbit_auth_backend_internal`.
+%% Note that some validators may choose to only validate passwords.
+%%
+%% Possible return values:
+%%
+%% * ok: provided credentials passed validation.
+%% * {error, Error, Args}: provided password password failed validation.
+
+validate(Username, Password) ->
+    Backend = backend(),
+    Backend:validate(Username, Password).
+
+-spec backend() -> atom().
+
+backend() ->
+  case application:get_env(rabbit, credential_validator) of
+    undefined      ->
+      ?DEFAULT_BACKEND;
+    {ok, Proplist} ->
+      proplists:get_value(validation_backend, Proplist, ?DEFAULT_BACKEND)
+  end.
diff --git a/src/rabbit_credential_validator.erl b/src/rabbit_credential_validator.erl
new file mode 100644
index 0000000000..dd12f6d2d6
--- /dev/null
+++ b/src/rabbit_credential_validator.erl
@@ -0,0 +1,28 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_credential_validator).
+
+-include("rabbit.hrl").
+
+%% Validates a password. Used by `rabbit_auth_backend_internal`.
+%%
+%% Possible return values:
+%%
+%% * ok: provided password passed validation.
+%% * {error, Error, Args}: provided password password failed validation.
+
+-callback validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}.
diff --git a/src/rabbit_credential_validator_accept_everything.erl b/src/rabbit_credential_validator_accept_everything.erl
new file mode 100644
index 0000000000..f572d67e7f
--- /dev/null
+++ b/src/rabbit_credential_validator_accept_everything.erl
@@ -0,0 +1,32 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_credential_validator_accept_everything).
+
+-include("rabbit.hrl").
+
+-behaviour(rabbit_credential_validator).
+
+%%
+%% API
+%%
+
+-export([validate/2]).
+
+-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}.
+
+validate(_Username, _Password) ->
+    ok.
diff --git a/src/rabbit_credential_validator_min_password_length.erl b/src/rabbit_credential_validator_min_password_length.erl
new file mode 100644
index 0000000000..78239fc71b
--- /dev/null
+++ b/src/rabbit_credential_validator_min_password_length.erl
@@ -0,0 +1,56 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_credential_validator_min_password_length).
+
+-include("rabbit.hrl").
+
+-behaviour(rabbit_credential_validator).
+
+%% accommodates default (localhost-only) user credentials,
+%% guest/guest
+-define(DEFAULT_MIN_LENGTH, 5).
+
+%%
+%% API
+%%
+
+-export([validate/2]).
+%% for tests
+-export([validate/3]).
+
+-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}.
+
+validate(Username, Password) ->
+    MinLength = case application:get_env(rabbit, credential_validator) of
+                    undefined ->
+                        ?DEFAULT_MIN_LENGTH;
+                    {ok, Proplist}  ->
+                        case proplists:get_value(min_length, Proplist) of
+                            undefined -> ?DEFAULT_MIN_LENGTH;
+                            Value     -> rabbit_data_coercion:to_integer(Value)
+                        end
+                end,
+    validate(Username, Password, MinLength).
+
+
+-spec validate(rabbit_types:username(), rabbit_types:password(), integer()) -> 'ok' | {'error', string(), [any()]}.
+
+validate(_Username, Password, MinLength) ->
+    case size(Password) >= MinLength of
+        true  -> ok;
+        false -> {error, rabbit_misc:format("minimum required password length is ~B", [MinLength])}
+    end.
diff --git a/src/rabbit_credential_validator_password_regexp.erl b/src/rabbit_credential_validator_password_regexp.erl
new file mode 100644
index 0000000000..b516175126
--- /dev/null
+++ b/src/rabbit_credential_validator_password_regexp.erl
@@ -0,0 +1,51 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+
+%% A `rabbit_credential_validator` implementation that matches
+%% password against a pre-configured regular expression.
+-module(rabbit_credential_validator_password_regexp).
+
+-include("rabbit.hrl").
+
+-behaviour(rabbit_credential_validator).
+
+%%
+%% API
+%%
+
+-export([validate/2]).
+%% for tests
+-export([validate/3]).
+
+-spec validate(rabbit_types:username(), rabbit_types:password()) -> 'ok' | {'error', string()}.
+
+validate(Username, Password) ->
+    {ok, Proplist} = application:get_env(rabbit, credential_validator),
+    Regexp         = case proplists:get_value(regexp, Proplist) of
+                         undefined -> {error, "rabbit.credential_validator.regexp config key is undefined"};
+                         Value     -> rabbit_data_coercion:to_list(Value)
+                     end,
+    validate(Username, Password, Regexp).
+
+
+-spec validate(rabbit_types:username(), rabbit_types:password(), string()) -> 'ok' | {'error', string(), [any()]}.
+
+validate(_Username, Password, Pattern) ->
+    case re:run(rabbit_data_coercion:to_list(Password), Pattern) of
+        {match, _} -> ok;
+        nomatch    -> {error, "provided password does not match the validator regular expression"}
+    end.
diff --git a/src/rabbit_table.erl b/src/rabbit_table.erl
index c8946e179d..cae47c08a9 100644
--- a/src/rabbit_table.erl
+++ b/src/rabbit_table.erl
@@ -18,7 +18,8 @@
 
 -export([create/0, create_local_copy/1, wait_for_replicated/1, wait/1,
          force_load/0, is_present/0, is_empty/0, needs_default_data/0,
-         check_schema_integrity/1, clear_ram_only_tables/0, retry_timeout/0]).
+         check_schema_integrity/1, clear_ram_only_tables/0, retry_timeout/0,
+         wait_for_replicated/0]).
 
 -include("rabbit.hrl").
 
@@ -28,6 +29,7 @@
 -spec create() -> 'ok'.
 -spec create_local_copy('disc' | 'ram') -> 'ok'.
 -spec wait_for_replicated(retry()) -> 'ok'.
+-spec wait_for_replicated() -> 'ok'.
 -spec wait([atom()]) -> 'ok'.
 -spec retry_timeout() -> {non_neg_integer() | infinity, non_neg_integer()}.
 -spec force_load() -> 'ok'.
@@ -76,6 +78,11 @@ create_local_copy(ram)  ->
     create_local_copies(ram),
     create_local_copy(schema, ram_copies).
 
+%% This arity only exists for backwards compatibility with certain
+%% plugins. See https://github.com/rabbitmq/rabbitmq-clusterer/issues/19.
+wait_for_replicated() ->
+    wait_for_replicated(false).
+
 wait_for_replicated(Retry) ->
     wait([Tab || {Tab, TabDef} <- definitions(),
                  not lists:member({local_content, true}, TabDef)], Retry).
diff --git a/test/credential_validation_SUITE.erl b/test/credential_validation_SUITE.erl
new file mode 100644
index 0000000000..d6f9fb5ec2
--- /dev/null
+++ b/test/credential_validation_SUITE.erl
@@ -0,0 +1,311 @@
+%% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(credential_validation_SUITE).
+
+-compile(export_all).
+-include_lib("proper/include/proper.hrl").
+-include_lib("common_test/include/ct.hrl").
+-include_lib("eunit/include/eunit.hrl").
+
+all() ->
+    [
+     {group, unit},
+     {group, integration}
+    ].
+
+groups() ->
+    [
+     {integration, [], [
+                        min_length_integration_fails
+                        , regexp_integration_fails
+                        , min_length_integration_succeeds
+                        , regexp_integration_succeeds
+                        , min_length_change_password_integration_fails
+                        , regexp_change_password_integration_fails
+                        , min_length_change_password_integration_succeeds
+                        , regexp_change_password_integration_succeeds
+                       ]},
+     {unit, [parallel], [
+                         basic_unconditionally_accepting_succeeds,
+                         min_length_fails,
+                         min_length_succeeds,
+                         min_length_proper_fails,
+                         min_length_proper_succeeds,
+                         regexp_fails,
+                         regexp_succeeds,
+                         regexp_proper_fails,
+                         regexp_proper_succeeds
+                        ]}
+].
+
+suite() ->
+    [
+      {timetrap, {minutes, 4}}
+    ].
+
+%%
+%% Setup/teardown
+%%
+
+init_per_suite(Config) ->
+    rabbit_ct_helpers:log_environment(),
+    rabbit_ct_helpers:run_setup_steps(Config).
+
+end_per_suite(Config) ->
+    rabbit_ct_helpers:run_teardown_steps(Config).
+
+init_per_group(integration, Config) ->
+    Suffix = rabbit_ct_helpers:testcase_absname(Config, "", "-"),
+    Config1 = rabbit_ct_helpers:set_config(Config, [
+        {rmq_nodes_count, 1},
+        {rmq_nodename_suffix, Suffix}
+    ]),
+    rabbit_ct_helpers:run_steps(Config1,
+      rabbit_ct_broker_helpers:setup_steps());
+
+init_per_group(unit, Config) ->
+    Config.
+
+end_per_group(integration, Config) ->
+    switch_validator(Config, accept_everything),
+    rabbit_ct_helpers:run_steps(Config,
+      rabbit_ct_broker_helpers:teardown_steps());
+end_per_group(unit, Config) ->
+    Config.
+
+-define(USERNAME, <<"abc">>).
+
+init_per_testcase(Testcase, Config) ->
+    rabbit_ct_helpers:testcase_started(Config, Testcase).
+
+end_per_testcase(Testcase, Config) ->
+    rabbit_ct_helpers:testcase_finished(Config, Testcase).
+
+%%
+%% Test Cases
+%%
+
+basic_unconditionally_accepting_succeeds(_Config) ->
+    F = fun rabbit_credential_validator_accept_everything:validate/2,
+
+    Pwd1 = crypto:strong_rand_bytes(1),
+    ?assertEqual(ok, F(?USERNAME, Pwd1)),
+    Pwd2 = crypto:strong_rand_bytes(5),
+    ?assertEqual(ok, F(?USERNAME, Pwd2)),
+    Pwd3 = crypto:strong_rand_bytes(10),
+    ?assertEqual(ok, F(?USERNAME, Pwd3)),
+    Pwd4 = crypto:strong_rand_bytes(50),
+    ?assertEqual(ok, F(?USERNAME, Pwd4)),
+    Pwd5 = crypto:strong_rand_bytes(100),
+    ?assertEqual(ok, F(?USERNAME, Pwd5)),
+    Pwd6 = crypto:strong_rand_bytes(1000),
+    ?assertEqual(ok, F(?USERNAME, Pwd6)).
+
+min_length_fails(_Config) ->
+    F = fun rabbit_credential_validator_min_password_length:validate/3,
+
+    Pwd1 = crypto:strong_rand_bytes(1),
+    ?assertMatch({error, _}, F(?USERNAME, Pwd1, 5)),
+    Pwd2 = crypto:strong_rand_bytes(5),
+    ?assertMatch({error, _}, F(?USERNAME, Pwd2, 6)),
+    Pwd3 = crypto:strong_rand_bytes(10),
+    ?assertMatch({error, _}, F(?USERNAME, Pwd3, 15)),
+    Pwd4 = crypto:strong_rand_bytes(50),
+    ?assertMatch({error, _}, F(?USERNAME, Pwd4, 60)).
+
+min_length_succeeds(_Config) ->
+    F = fun rabbit_credential_validator_min_password_length:validate/3,
+
+    ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(1), 1)),
+    ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(6), 6)),
+    ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(7), 6)),
+    ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(20), 20)),
+    ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(40), 30)),
+    ?assertEqual(ok, F(?USERNAME, crypto:strong_rand_bytes(50), 50)).
+
+min_length_proper_fails(_Config) ->
+    rabbit_ct_proper_helpers:run_proper(fun prop_min_length_fails_validation/0, [], 500).
+
+min_length_proper_succeeds(_Config) ->
+    rabbit_ct_proper_helpers:run_proper(fun prop_min_length_passes_validation/0, [], 500).
+
+regexp_fails(_Config) ->
+    F = fun rabbit_credential_validator_password_regexp:validate/3,
+
+    ?assertMatch({error, _}, F(?USERNAME, <<"abc">>,    "^xyz")),
+    ?assertMatch({error, _}, F(?USERNAME, <<"abcdef">>, "^xyz")),
+    ?assertMatch({error, _}, F(?USERNAME, <<"abcxyz">>, "^abc\\d+")).
+
+regexp_succeeds(_Config) ->
+    F = fun rabbit_credential_validator_password_regexp:validate/3,
+
+    ?assertEqual(ok, F(?USERNAME, <<"abc">>,    "^abc")),
+    ?assertEqual(ok, F(?USERNAME, <<"abcdef">>, "^abc")),
+    ?assertEqual(ok, F(?USERNAME, <<"abc123">>, "^abc\\d+")).
+
+regexp_proper_fails(_Config) ->
+    rabbit_ct_proper_helpers:run_proper(fun prop_regexp_fails_validation/0, [], 500).
+
+regexp_proper_succeeds(_Config) ->
+    rabbit_ct_proper_helpers:run_proper(fun prop_regexp_passes_validation/0, [], 500).
+
+min_length_integration_fails(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, min_length, 50),
+    ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)),
+    ?assertMatch({error, "minimum required password length is 50"},
+                 add_user(Config, ?USERNAME, <<"_">>)).
+
+regexp_integration_fails(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, regexp),
+    ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)),
+    ?assertMatch({error, _}, add_user(Config, ?USERNAME, <<"_">>)).
+
+min_length_integration_succeeds(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, min_length, 5),
+    ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)),
+    ?assertMatch(ok, add_user(Config, ?USERNAME, <<"abcdefghi">>)).
+
+regexp_integration_succeeds(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, regexp),
+    ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)),
+    ?assertMatch(ok, add_user(Config, ?USERNAME, <<"xyz12345678901">>)).
+
+min_length_change_password_integration_fails(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, accept_everything),
+    add_user(Config, ?USERNAME, <<"abcdefghi">>),
+    switch_validator(Config, min_length, 50),
+    ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)),
+    ?assertMatch({error, "minimum required password length is 50"},
+                 change_password(Config, ?USERNAME, <<"_">>)).
+
+regexp_change_password_integration_fails(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, accept_everything),
+    add_user(Config, ?USERNAME, <<"abcdefghi">>),
+    switch_validator(Config, regexp),
+    ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)),
+    ?assertMatch({error, _}, change_password(Config, ?USERNAME, <<"_">>)).
+
+min_length_change_password_integration_succeeds(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, accept_everything),
+    add_user(Config, ?USERNAME, <<"abcdefghi">>),
+    switch_validator(Config, min_length, 5),
+    ?assertMatch(rabbit_credential_validator_min_password_length, validator_backend(Config)),
+    ?assertMatch(ok, change_password(Config, ?USERNAME, <<"abcdefghi">>)).
+
+regexp_change_password_integration_succeeds(Config) ->
+    delete_user(Config, ?USERNAME),
+    switch_validator(Config, accept_everything),
+    add_user(Config, ?USERNAME, <<"abcdefghi">>),
+    switch_validator(Config, regexp),
+    ?assertMatch(rabbit_credential_validator_password_regexp, validator_backend(Config)),
+    ?assertMatch(ok, change_password(Config, ?USERNAME, <<"xyz12345678901">>)).
+
+%%
+%% PropEr
+%%
+
+prop_min_length_fails_validation() ->
+    N = 5,
+    F = fun rabbit_credential_validator_min_password_length:validate/3,
+    ?FORALL(Val, binary(N),
+            ?FORALL(Length, choose(N + 1, 100),
+                   failed_validation(F(?USERNAME, Val, Length + 1)))).
+
+prop_min_length_passes_validation() ->
+    N = 20,
+    F = fun rabbit_credential_validator_min_password_length:validate/3,
+    ?FORALL(Val, binary(N),
+            ?FORALL(Length, choose(1, N - 1),
+                   passed_validation(F(?USERNAME, Val, Length)))).
+
+prop_regexp_fails_validation() ->
+    N = 5,
+    F = fun rabbit_credential_validator_password_regexp:validate/3,
+    ?FORALL(Val, binary(N),
+            ?FORALL(Length, choose(N + 1, 100),
+                   failed_validation(F(?USERNAME, Val, regexp_that_requires_length_of_at_least(Length + 1))))).
+
+prop_regexp_passes_validation() ->
+    N = 5,
+    F = fun rabbit_credential_validator_password_regexp:validate/3,
+    ?FORALL(Val, binary(N),
+            passed_validation(F(?USERNAME, Val, regexp_that_requires_length_of_at_most(size(Val) + 1)))).
+
+%%
+%% Helpers
+%%
+
+passed_validation(ok) ->
+    true;
+passed_validation({error, _}) ->
+    false.
+
+failed_validation(Result) ->
+    not passed_validation(Result).
+
+regexp_that_requires_length_of_at_least(N) when is_integer(N) ->
+    rabbit_misc:format("^[a-zA-Z0-9]{~p,~p}", [N, N + 10]).
+
+regexp_that_requires_length_of_at_most(N) when is_integer(N) ->
+    rabbit_misc:format("^[a-zA-Z0-9]{0,~p}", [N]).
+
+switch_validator(Config, accept_everything) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
+                                 [rabbit, credential_validator,
+                                  [{validation_backend, rabbit_credential_validator_accept_everything}]]);
+
+switch_validator(Config, min_length) ->
+    switch_validator(Config, min_length, 5);
+
+switch_validator(Config, regexp) ->
+    switch_validator(Config, regexp, <<"^xyz\\d{10,12}$">>).
+
+
+switch_validator(Config, min_length, MinLength) ->
+    ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
+                                 [rabbit, credential_validator,
+                                  [{validation_backend, rabbit_credential_validator_min_password_length},
+                                   {min_length,         MinLength}]]);
+
+switch_validator(Config, regexp, RegExp) ->
+    ok = rabbit_ct_broker_helpers:rpc(Config, 0, application, set_env,
+                                 [rabbit, credential_validator,
+                                  [{validation_backend, rabbit_credential_validator_password_regexp},
+                                   {regexp,             RegExp}]]).
+
+add_user(Config, Username, Password) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0,
+                                 rabbit_auth_backend_internal, add_user, [Username, Password]).
+
+delete_user(Config, Username) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0,
+                                 rabbit_auth_backend_internal, delete_user, [Username]).
+
+change_password(Config, Username, Password) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0,
+                                 rabbit_auth_backend_internal, change_password, [Username, Password]).
+
+validator_backend(Config) ->
+    rabbit_ct_broker_helpers:rpc(Config, 0, rabbit_credential_validation, backend, []).
+