From 07ce6368030d9e22ec39f2a6b62e86c754fd6d09 Mon Sep 17 00:00:00 2001
From: zhouzb
Date: Thu, 15 Jul 2021 16:16:41 +0800
Subject: [PATCH] feat(authn): support enable authn in config
---
 apps/emqx_authn/etc/emqx_authn.conf | 1 +
 apps/emqx_authn/src/emqx_authn_app.erl | 11 +++++++----
 apps/emqx_authn/src/emqx_authn_schema.erl | 8 +++++++-
 apps/emqx_authn/test/emqx_authn_SUITE.erl | 9 +++++++++
 apps/emqx_authn/test/emqx_authn_mnesia_SUITE.erl | 14 ++++++++++----
 5 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/apps/emqx_authn/etc/emqx_authn.conf b/apps/emqx_authn/etc/emqx_authn.conf
index 5194445b8..3e69ae46d 100644
--- a/apps/emqx_authn/etc/emqx_authn.conf
+++ b/apps/emqx_authn/etc/emqx_authn.conf
@@ -1,4 +1,5 @@
 emqx_authn: {
+ enable: false
 authenticators: [
 # {
 # name: "authenticator1"
diff --git a/apps/emqx_authn/src/emqx_authn_app.erl b/apps/emqx_authn/src/emqx_authn_app.erl
index a78fa54f1..225969cd2 100644
--- a/apps/emqx_authn/src/emqx_authn_app.erl
+++ b/apps/emqx_authn/src/emqx_authn_app.erl
@@ -38,12 +38,15 @@ stop(_State) ->
 ok.
 initialize() ->
- #{authenticators := Authenticators} = emqx_config:get([emqx_authn], #{authenticators => []}),
- initialize(Authenticators).
+ AuthNConfig = emqx_config:get([emqx_authn], #{enable => false,
+ authenticators => []}),
+ initialize(AuthNConfig).
-initialize(Authenticators) ->
+initialize(#{enable := Enable, authenticators := Authenticators}) ->
 {ok, _} = emqx_authn:create_chain(#{id => ?CHAIN}),
- initialize_authenticators(Authenticators).
+ initialize_authenticators(Authenticators),
+ Enable =:= true andalso emqx_authn:enable(),
+ ok.
 initialize_authenticators([]) ->
 ok;
diff --git a/apps/emqx_authn/src/emqx_authn_schema.erl b/apps/emqx_authn/src/emqx_authn_schema.erl
index 8b844ab69..7ed5a9999 100644
--- a/apps/emqx_authn/src/emqx_authn_schema.erl
+++ b/apps/emqx_authn/src/emqx_authn_schema.erl
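Review bot: The shipped default `enable: false` in emqx_authn.conf has no comment, although the new `t_authenticate/1` case in this patch shows that with the flag off `emqx_access_control:authenticate/1` returns `ok` for arbitrary credentials. Operators should see that consequence next to the switch. I would add a line above it such as `# When false, clients are not authenticated by emqx_authn.`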
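Review bot: The new head `initialize(#{enable := Enable, authenticators := Authenticators})` requires both keys, so a loaded `emqx_authn` config that lacks `enable` fails with `function_clause` at application start. The fallback map given to `emqx_config:get/2` presumably applies only when the whole path is missing. Reading the flag with `Enable = maps:get(enable, AuthNConfig, false)` avoids that. The result of `emqx_authn:enable()` is also discarded by `Enable =:= true andalso emqx_authn:enable(),`, so a failed enable would leave the node running unauthenticated while the config says otherwise. Its return value is not visible in this hunk; once confirmed, match on it so that start-up fails closed.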
@@ -31,7 +31,9 @@ structs() -> ["emqx_authn"].
 fields("emqx_authn") ->
- [ {authenticators, fun authenticators/1} ];
+ [ {enable, fun enable/1}
+ , {authenticators, fun authenticators/1}
+ ];
 fields('password-based') ->
 [ {name, fun authenticator_name/1}
@@ -63,6 +65,10 @@ fields(scram) ->
 ]))}
 ].
+enable(type) -> boolean();
+enable(defualt) -> false;
+enable(_) -> undefined.
+
 authenticators(type) -> hoconsc:array({union, [ hoconsc:ref(?MODULE, 'password-based')
 , hoconsc:ref(?MODULE, jwt)
diff --git a/apps/emqx_authn/test/emqx_authn_SUITE.erl b/apps/emqx_authn/test/emqx_authn_SUITE.erl
index 827eb49ab..b93e32e3d 100644
--- a/apps/emqx_authn/test/emqx_authn_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_SUITE.erl
@@ -94,3 +94,12 @@ t_authenticator(_) ->
 ?assertEqual(ok, ?AUTH:delete_authenticator(?CHAIN, AuthenticatorName2)),
 ?assertEqual({ok, []}, ?AUTH:list_authenticators(?CHAIN)),
 ok.
+
+t_authenticate(_) ->
+ ?assertEqual(false, emqx_zone:get_env(external, bypass_auth_plugins, false)),
+ ClientInfo = #{zone => external,
+ username => <<"myuser">>,
+ password => <<"mypass">>},
+ ?assertEqual(ok, emqx_access_control:authenticate(ClientInfo)),
+ emqx_authn:enable(),
+ ?assertEqual({error, not_authorized}, emqx_access_control:authenticate(ClientInfo)).
diff --git a/apps/emqx_authn/test/emqx_authn_mnesia_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mnesia_SUITE.erl
index 75dd497ae..fe7d244cd 100644
--- a/apps/emqx_authn/test/emqx_authn_mnesia_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_mnesia_SUITE.erl
@@ -48,9 +48,6 @@ set_special_configs(_App) ->
 ok.
 t_mnesia_authenticator(_) ->
- ct:pal("11111 ~p~n", [?AUTH:list_authenticators(<<"mqtt">>)]),
-
-
 AuthenticatorName = <<"myauthenticator">>,
 AuthenticatorConfig = #{name => AuthenticatorName,
 mechanism => 'password-based',
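Review bot: `enable(defualt) -> false;` misspells the key, so a `default` query falls through to `enable(_) -> undefined` and the field is declared without a default. The clause should read `enable(default) -> false;`. With the typo, a config file that omits `enable` presumably produces a map without that key, which the `#{enable := Enable, ...}` match added to `emqx_authn_app:initialize/1` in this patch does not accept.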
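Review bot: `t_authenticate/1` calls `emqx_authn:enable()` and never restores the previous state, so every case that runs after it sees authentication enabled and results depend on execution order. The same applies to `?AUTH:enable()` in the `t_mnesia_authenticator/1` hunk of emqx_authn_mnesia_SUITE.erl. Restore the disabled state at the end of the case or in `end_per_testcase/2`. The case also exercises only the runtime call, not the new config path. Nothing here starts the app with `enable: true`, or with a config that omits `enable`, to check what `initialize/0` does.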
@@ -67,13 +64,22 @@ t_mnesia_authenticator(_) ->
 ?assertEqual({ok, #{user_id => <<"myuser">>}}, ?AUTH:add_user(?CHAIN, AuthenticatorName, UserInfo)),
 ?assertEqual({ok, #{user_id => <<"myuser">>}}, ?AUTH:lookup_user(?CHAIN, AuthenticatorName, <<"myuser">>)),
- ClientInfo = #{username => <<"myuser">>,
+ ?assertEqual(false, emqx_zone:get_env(external, bypass_auth_plugins, false)),
+
+ ClientInfo = #{zone => external,
+ username => <<"myuser">>,
 password => <<"mypass">>},
 ?assertEqual({stop, ok}, ?AUTH:authenticate(ClientInfo, ok)),
+ ?AUTH:enable(),
+ ?assertEqual(ok, emqx_access_control:authenticate(ClientInfo)),
+
 ClientInfo2 = ClientInfo#{username => <<"baduser">>},
 ?assertEqual({stop, {error, not_authorized}}, ?AUTH:authenticate(ClientInfo2, ok)),
+ ?assertEqual({error, not_authorized}, emqx_access_control:authenticate(ClientInfo2)),
+
 ClientInfo3 = ClientInfo#{password => <<"badpass">>},
 ?assertEqual({stop, {error, bad_username_or_password}}, ?AUTH:authenticate(ClientInfo3, ok)),
+ ?assertEqual({error, bad_username_or_password}, emqx_access_control:authenticate(ClientInfo3)),
 UserInfo2 = UserInfo#{<<"password">> => <<"mypass2">>},
 ?assertEqual({ok, #{user_id => <<"myuser">>}}, ?AUTH:update_user(?CHAIN, AuthenticatorName, <<"myuser">>, UserInfo2)),