yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(authz api): support file type for sources

This commit is contained in:
zhanghongtong 2021-09-02 09:57:26 +08:00 committed by Rory Z
parent 8252771306
commit 07dcd9e705
4 changed files with 140 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
apps/emqx_authz/src/emqx_authz_api_schema.erl
View File

@ -41,7 +41,8 @@ definitions() ->
] ]
}, },
Sources = #{ Sources = #{
oneOf => [ minirest:ref(<<"connector_redis">>) oneOf => [ minirest:ref(<<"redis">>)
, minirest:ref(<<"file">>)
] ]
}, },
SSL = #{ SSL = #{
@ -55,7 +56,7 @@ definitions() ->
verify => #{type => boolean, example => false} verify => #{type => boolean, example => false}
} }
}, },
ConnectorRedis = #{ Redis = #{
type => object, type => object,
required => [type, enable, config, cmd], required => [type, enable, config, cmd],
properties => #{ properties => #{
@ -123,8 +124,35 @@ definitions() ->
} }
} }
}, },
File = #{
type => object,
required => [type, enable, rules],
properties => #{
type => #{
type => string,
enum => [<<"redis">>],
example => <<"redis">>
},
enable => #{
type => boolean,
example => true
},
rules => #{
type => array,
items => #{
type => string,
example => <<"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}.">>
}
},
path => #{
type => string,
example => <<"/path/to/authorizaiton_rules.conf">>
}
}
},
[ #{<<"returned_sources">> => RetruenedSources} [ #{<<"returned_sources">> => RetruenedSources}
, #{<<"sources">> => Sources} , #{<<"sources">> => Sources}
, #{<<"ssl">> => SSL} , #{<<"ssl">> => SSL}
, #{<<"connector_redis">> => ConnectorRedis} , #{<<"redis">> => Redis}
, #{<<"file">> => File}
]. ].

94
apps/emqx_authz/src/emqx_authz_api_sources.erl
View File

@ -23,18 +23,30 @@
-define(EXAMPLE_REDIS, -define(EXAMPLE_REDIS,
#{type=> redis, #{type=> redis,
enable => true,
config => #{server => <<"127.0.0.1:3306">>, config => #{server => <<"127.0.0.1:3306">>,
redis_type => single, redis_type => single,
pool_size => 1, pool_size => 1,
auto_reconnect => true auto_reconnect => true
}, },
cmd => <<"HGETALL mqtt_authz">>}). cmd => <<"HGETALL mqtt_authz">>}).
-define(EXAMPLE_FILE,
#{type=> file,
enable => true,
rules => [<<"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}.">>,
<<"{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}.">>
]}).
-define(EXAMPLE_RETURNED_REDIS, -define(EXAMPLE_RETURNED_REDIS,
maps:put(annotations, #{status => healthy}, ?EXAMPLE_REDIS) maps:put(annotations, #{status => healthy}, ?EXAMPLE_REDIS)
). ).
-define(EXAMPLE_RETURNED_FILE,
maps:put(annotations, #{status => healthy}, ?EXAMPLE_FILE)
).
-define(EXAMPLE_RETURNED, -define(EXAMPLE_RETURNED,
#{sources => [?EXAMPLE_RETURNED_REDIS #{sources => [ ?EXAMPLE_RETURNED_REDIS
, ?EXAMPLE_RETURNED_FILE
] ]
}). }).
@ -91,6 +103,10 @@ sources_api() ->
redis => #{ redis => #{
summary => <<"Redis">>, summary => <<"Redis">>,
value => jsx:encode(?EXAMPLE_REDIS) value => jsx:encode(?EXAMPLE_REDIS)
},
file => #{
summary => <<"File">>,
value => jsx:encode(?EXAMPLE_FILE)
} }
} }
} }
@ -113,7 +129,11 @@ sources_api() ->
examples => #{ examples => #{
redis => #{ redis => #{
summary => <<"Redis">>, summary => <<"Redis">>,
value => jsx:encode([?EXAMPLE_REDIS]) value => jsx:encode(?EXAMPLE_REDIS)
},
file => #{
summary => <<"File">>,
value => jsx:encode(?EXAMPLE_FILE)
} }
} }
} }
@ -148,9 +168,13 @@ source_api() ->
'application/json' => #{ 'application/json' => #{
schema => minirest:ref(<<"returned_sources">>), schema => minirest:ref(<<"returned_sources">>),
examples => #{ examples => #{
sources => #{ redis => #{
summary => <<"Sources">>, summary => <<"Redis">>,
value => jsx:encode(?EXAMPLE_RETURNED_REDIS) value => jsx:encode(?EXAMPLE_RETURNED_REDIS)
},
file => #{
summary => <<"File">>,
value => jsx:encode(?EXAMPLE_RETURNED_FILE)
} }
} }
} }
@ -179,6 +203,10 @@ source_api() ->
redis => #{ redis => #{
summary => <<"Redis">>, summary => <<"Redis">>,
value => jsx:encode(?EXAMPLE_REDIS) value => jsx:encode(?EXAMPLE_REDIS)
},
file => #{
summary => <<"File">>,
value => jsx:encode(?EXAMPLE_FILE)
} }
} }
} }
@ -271,7 +299,16 @@ move_source_api() ->
{"/authorization/sources/:type/move", Metadata, move_source}. {"/authorization/sources/:type/move", Metadata, move_source}.
sources(get, _) -> sources(get, _) ->
Sources = lists:foldl(fun (#{type := _Type, enable := true, config := Config, annotations := #{id := Id}} = Source, AccIn) -> Sources = lists:foldl(fun (#{enable := false} = Source, AccIn) ->
lists:append(AccIn, [Source#{annotations => #{status => unhealthy}}]);
(#{type := file, path := Path}, AccIn) ->
{ok, Rules} = file:consult(Path),
lists:append(AccIn, [#{type => file,
enable => true,
rules => [ io_lib:format("~p", [R])|| R <- Rules],
annotations => #{status => healthy}
}]);
(#{type := _Type, config := Config, annotations := #{id := Id}} = Source, AccIn) ->
NSource0 = case maps:get(server, Config, undefined) of NSource0 = case maps:get(server, Config, undefined) of
undefined -> Source; undefined -> Source;
Server -> Server ->
@ -293,15 +330,33 @@ sources(get, _) ->
lists:append(AccIn, [Source#{annotations => #{status => healthy}}]) lists:append(AccIn, [Source#{annotations => #{status => healthy}}])
end, [], emqx_authz:lookup()), end, [], emqx_authz:lookup()),
{200, #{sources => Sources}}; {200, #{sources => Sources}};
sources(post, #{body := Body}) -> sources(post, #{body := #{<<"type">> := <<"file">>, <<"rules">> := Rules, <<"enable">> := Enable}}) when is_list(Rules) ->
Filename = filename:join([emqx:get_config([node, data_dir]), "authorization_rules.conf"]),
write_file(Filename, erlang:list_to_bitstring([<<Rule/binary, "\n">> || Rule <- Rules])),
case emqx_authz:update(head, [#{type => file, enable => Enable, path => Filename}]) of
{ok, _} -> {204};
{error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>,
messgae => atom_to_binary(Reason)}}
end;
sources(post, #{body := Body}) when is_map(Body) ->
case emqx_authz:update(head, [save_cert(Body)]) of case emqx_authz:update(head, [save_cert(Body)]) of
{ok, _} -> {204}; {ok, _} -> {204};
{error, Reason} -> {error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>, {400, #{code => <<"BAD_REQUEST">>,
messgae => atom_to_binary(Reason)}} messgae => atom_to_binary(Reason)}}
end; end;
sources(put, #{body := Body}) -> sources(put, #{body := Body}) when is_list(Body) ->
case emqx_authz:update(replace, save_cert(Body)) of NBody = [ begin
case Source of
#{<<"type">> := <<"file">>, <<"rules">> := Rules, <<"enable">> := Enable} ->
Filename = filename:join([emqx:get_config([node, data_dir]), "authorization_rules.conf"]),
write_file(Filename, erlang:list_to_bitstring([<<Rule/binary, "\n">> || Rule <- Rules])),
#{type => file, enable => Enable, path => Filename};
_ -> save_cert(Source)
end
end || Source <- Body],
case emqx_authz:update(replace, NBody) of
{ok, _} -> {204}; {ok, _} -> {204};
{error, Reason} -> {error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>, {400, #{code => <<"BAD_REQUEST">>,
@ -311,8 +366,15 @@ sources(put, #{body := Body}) ->
source(get, #{bindings := #{type := Type}}) -> source(get, #{bindings := #{type := Type}}) ->
case emqx_authz:lookup(Type) of case emqx_authz:lookup(Type) of
{error, Reason} -> {404, #{messgae => atom_to_binary(Reason)}}; {error, Reason} -> {404, #{messgae => atom_to_binary(Reason)}};
#{enable := false} = Source -> {200, Source}; #{enable := false} = Source -> {200, Source#{annotations => #{status => unhealthy}}};
#{type := file} = Source -> {200, Source}; #{type := file, path := Path}->
{ok, Rules} = file:consult(Path),
{200, #{type => file,
enable => true,
rules => Rules,
annotations => #{status => healthy}
}
};
#{config := Config, annotations := #{id := Id}} = Source -> #{config := Config, annotations := #{id := Id}} = Source ->
NSource0 = case maps:get(server, Config, undefined) of NSource0 = case maps:get(server, Config, undefined) of
undefined -> Source; undefined -> Source;
@ -332,8 +394,16 @@ source(get, #{bindings := #{type := Type}}) ->
end, end,
{200, NSource2} {200, NSource2}
end; end;
source(put, #{bindings := #{type := Type}, body := Body}) -> source(put, #{bindings := #{type := file}, body := #{<<"type">> := <<"file">>, <<"rules">> := Rules, <<"enable">> := Enable}}) ->
#{path := Path} = emqx_authz:lookup(file),
write_file(Path, erlang:list_to_bitstring([<<Rule/binary, "\n">> || Rule <- Rules])),
case emqx_authz:update({replace_once, file}, #{type => file, enable => Enable, path => Path}) of
{ok, _} -> {204};
{error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>,
messgae => atom_to_binary(Reason)}}
end;
source(put, #{bindings := #{type := Type}, body := Body}) when is_map(Body) ->
case emqx_authz:update({replace_once, Type}, save_cert(Body)) of case emqx_authz:update({replace_once, Type}, save_cert(Body)) of
{ok, _} -> {204}; {ok, _} -> {204};
{error, not_found_source} -> {error, not_found_source} ->

16
apps/emqx_authz/test/emqx_authz_SUITE.erl
View File

@ -114,6 +114,11 @@ init_per_testcase(_, Config) ->
<<"ssl">> => #{<<"enable">> => false}}, <<"ssl">> => #{<<"enable">> => false}},
<<"cmd">> => <<"HGETALL mqtt_authz:%u">> <<"cmd">> => <<"HGETALL mqtt_authz:%u">>
}). }).
-define(SOURCE6, #{<<"type">> => <<"file">>,
<<"enable">> => true,
<<"path">> => emqx_ct_helpers:deps_path(emqx_authz, "etc/authorization_rules.conf")
}).
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
%% Testcases %% Testcases
@ -125,12 +130,14 @@ t_update_source(_) ->
{ok, _} = emqx_authz:update(head, [?SOURCE1]), {ok, _} = emqx_authz:update(head, [?SOURCE1]),
{ok, _} = emqx_authz:update(tail, [?SOURCE4]), {ok, _} = emqx_authz:update(tail, [?SOURCE4]),
{ok, _} = emqx_authz:update(tail, [?SOURCE5]), {ok, _} = emqx_authz:update(tail, [?SOURCE5]),
{ok, _} = emqx_authz:update(tail, [?SOURCE6]),
?assertMatch([ #{type := http, enable := true} ?assertMatch([ #{type := http, enable := true}
, #{type := mongo, enable := true} , #{type := mongo, enable := true}
, #{type := mysql, enable := true} , #{type := mysql, enable := true}
, #{type := pgsql, enable := true} , #{type := pgsql, enable := true}
, #{type := redis, enable := true} , #{type := redis, enable := true}
, #{type := file, enable := true}
], emqx:get_config([authorization, sources], [])), ], emqx:get_config([authorization, sources], [])),
{ok, _} = emqx_authz:update({replace_once, http}, ?SOURCE1#{<<"enable">> := false}), {ok, _} = emqx_authz:update({replace_once, http}, ?SOURCE1#{<<"enable">> := false}),
@ -138,23 +145,26 @@ t_update_source(_) ->
{ok, _} = emqx_authz:update({replace_once, mysql}, ?SOURCE3#{<<"enable">> := false}), {ok, _} = emqx_authz:update({replace_once, mysql}, ?SOURCE3#{<<"enable">> := false}),
{ok, _} = emqx_authz:update({replace_once, pgsql}, ?SOURCE4#{<<"enable">> := false}), {ok, _} = emqx_authz:update({replace_once, pgsql}, ?SOURCE4#{<<"enable">> := false}),
{ok, _} = emqx_authz:update({replace_once, redis}, ?SOURCE5#{<<"enable">> := false}), {ok, _} = emqx_authz:update({replace_once, redis}, ?SOURCE5#{<<"enable">> := false}),
{ok, _} = emqx_authz:update({replace_once, file}, ?SOURCE6#{<<"enable">> := false}),
?assertMatch([ #{type := http, enable := false} ?assertMatch([ #{type := http, enable := false}
, #{type := mongo, enable := false} , #{type := mongo, enable := false}
, #{type := mysql, enable := false} , #{type := mysql, enable := false}
, #{type := pgsql, enable := false} , #{type := pgsql, enable := false}
, #{type := redis, enable := false} , #{type := redis, enable := false}
, #{type := file, enable := false}
], emqx:get_config([authorization, sources], [])), ], emqx:get_config([authorization, sources], [])),
{ok, _} = emqx_authz:update(replace, []). {ok, _} = emqx_authz:update(replace, []).
t_move_source(_) -> t_move_source(_) ->
{ok, _} = emqx_authz:update(replace, [?SOURCE1, ?SOURCE2, ?SOURCE3, ?SOURCE4, ?SOURCE5]), {ok, _} = emqx_authz:update(replace, [?SOURCE1, ?SOURCE2, ?SOURCE3, ?SOURCE4, ?SOURCE5, ?SOURCE6]),
?assertMatch([ #{type := http} ?assertMatch([ #{type := http}
, #{type := mongo} , #{type := mongo}
, #{type := mysql} , #{type := mysql}
, #{type := pgsql} , #{type := pgsql}
, #{type := redis} , #{type := redis}
, #{type := file}
], emqx_authz:lookup()), ], emqx_authz:lookup()),
{ok, _} = emqx_authz:move(pgsql, <<"top">>), {ok, _} = emqx_authz:move(pgsql, <<"top">>),
@ -163,6 +173,7 @@ t_move_source(_) ->
, #{type := mongo} , #{type := mongo}
, #{type := mysql} , #{type := mysql}
, #{type := redis} , #{type := redis}
, #{type := file}
], emqx_authz:lookup()), ], emqx_authz:lookup()),
{ok, _} = emqx_authz:move(http, <<"bottom">>), {ok, _} = emqx_authz:move(http, <<"bottom">>),
@ -170,6 +181,7 @@ t_move_source(_) ->
, #{type := mongo} , #{type := mongo}
, #{type := mysql} , #{type := mysql}
, #{type := redis} , #{type := redis}
, #{type := file}
, #{type := http} , #{type := http}
], emqx_authz:lookup()), ], emqx_authz:lookup()),
@ -178,6 +190,7 @@ t_move_source(_) ->
, #{type := pgsql} , #{type := pgsql}
, #{type := mongo} , #{type := mongo}
, #{type := redis} , #{type := redis}
, #{type := file}
, #{type := http} , #{type := http}
], emqx_authz:lookup()), ], emqx_authz:lookup()),
@ -185,6 +198,7 @@ t_move_source(_) ->
?assertMatch([ #{type := mysql} ?assertMatch([ #{type := mysql}
, #{type := pgsql} , #{type := pgsql}
, #{type := redis} , #{type := redis}
, #{type := file}
, #{type := http} , #{type := http}
, #{type := mongo} , #{type := mongo}
], emqx_authz:lookup()), ], emqx_authz:lookup()),

12
apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl
View File

@ -96,6 +96,13 @@
}, },
<<"cmd">> => <<"HGETALL mqtt_authz:%u">> <<"cmd">> => <<"HGETALL mqtt_authz:%u">>
}). }).
-define(SOURCE6, #{<<"type">> => <<"file">>,
<<"enable">> => true,
<<"rules">> =>
[<<"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}.">>,
<<"{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}.">>
]
}).
all() -> all() ->
emqx_ct:all(?MODULE). emqx_ct:all(?MODULE).
@ -183,7 +190,7 @@ t_api(_) ->
{ok, 200, Result2} = request(get, uri(["authorization", "sources"]), []), {ok, 200, Result2} = request(get, uri(["authorization", "sources"]), []),
?assertEqual(20, length(get_sources(Result2))), ?assertEqual(20, length(get_sources(Result2))),
{ok, 204, _} = request(put, uri(["authorization", "sources"]), [?SOURCE1, ?SOURCE2, ?SOURCE3, ?SOURCE4]), {ok, 204, _} = request(put, uri(["authorization", "sources"]), [?SOURCE1, ?SOURCE2, ?SOURCE3, ?SOURCE4, ?SOURCE5, ?SOURCE6]),
{ok, 200, Result3} = request(get, uri(["authorization", "sources"]), []), {ok, 200, Result3} = request(get, uri(["authorization", "sources"]), []),
Sources = get_sources(Result3), Sources = get_sources(Result3),
@ -191,7 +198,10 @@ t_api(_) ->
, #{<<"type">> := <<"mongo">>} , #{<<"type">> := <<"mongo">>}
, #{<<"type">> := <<"mysql">>} , #{<<"type">> := <<"mysql">>}
, #{<<"type">> := <<"pgsql">>} , #{<<"type">> := <<"pgsql">>}
, #{<<"type">> := <<"redis">>}
, #{<<"type">> := <<"file">>}
], Sources), ], Sources),
?assert(filelib:is_file(filename:join([emqx:get_config([node, data_dir]), "authorization_rules.conf"]))),
{ok, 204, _} = request(put, uri(["authorization", "sources", "http"]), ?SOURCE1#{<<"enable">> := false}), {ok, 204, _} = request(put, uri(["authorization", "sources", "http"]), ?SOURCE1#{<<"enable">> := false}),
{ok, 200, Result4} = request(get, uri(["authorization", "sources", "http"]), []), {ok, 200, Result4} = request(get, uri(["authorization", "sources", "http"]), []),