From d7c729232167394b3c583aaeabfc77d6e3f79ef2 Mon Sep 17 00:00:00 2001 From: JimMoen Date: Wed, 24 Nov 2021 09:57:52 +0800 Subject: [PATCH 1/8] fix(authz): placeholder regular replace --- apps/emqx_authz/include/emqx_authz.hrl | 2 ++ apps/emqx_authz/src/emqx_authz_mysql.erl | 4 ++-- apps/emqx_authz/src/emqx_authz_postgresql.erl | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apps/emqx_authz/include/emqx_authz.hrl b/apps/emqx_authz/include/emqx_authz.hrl index 371d56e30..4e0baa8fd 100644 --- a/apps/emqx_authz/include/emqx_authz.hrl +++ b/apps/emqx_authz/include/emqx_authz.hrl @@ -68,6 +68,8 @@ -define(CONF_KEY_PATH, [authorization, sources]). +-define(RE_PLACEHOLDER, "\\$\\{[a-z0-9\\-]+\\}"). + -define(USERNAME_RULES_EXAMPLE, #{username => user1, rules => [ #{topic => <<"test/toopic/1">>, permission => <<"allow">>, diff --git a/apps/emqx_authz/src/emqx_authz_mysql.erl b/apps/emqx_authz/src/emqx_authz_mysql.erl index 6821f15c3..a3a5e1ed9 100644 --- a/apps/emqx_authz/src/emqx_authz_mysql.erl +++ b/apps/emqx_authz/src/emqx_authz_mysql.erl @@ -38,10 +38,10 @@ description() -> parse_query(undefined) -> undefined; parse_query(Sql) -> - case re:run(Sql, "'%[ucCad]'", [global, {capture, all, list}]) of + case re:run(Sql, ?RE_PLACEHOLDER, [global, {capture, all, list}]) of {match, Variables} -> Params = [Var || [Var] <- Variables], - {re:replace(Sql, "'%[ucCad]'", "?", [global, {return, list}]), Params}; + {re:replace(Sql, ?RE_PLACEHOLDER, "?", [global, {return, list}]), Params}; nomatch -> {Sql, []} end. diff --git a/apps/emqx_authz/src/emqx_authz_postgresql.erl b/apps/emqx_authz/src/emqx_authz_postgresql.erl index d88b35b41..5bae5f674 100644 --- a/apps/emqx_authz/src/emqx_authz_postgresql.erl +++ b/apps/emqx_authz/src/emqx_authz_postgresql.erl 
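Review bot: In parse_query of emqx_authz_mysql.erl, `?RE_PLACEHOLDER` is unanchored and also matches inside quoted literals, so a query written as `... username = '${username}'` becomes `... username = '?'` — a literal string, not a bind marker — while `Params` still gains an entry for it and the statement's parameter count no longer matches. The previous `'%[ucCad]'` pattern consumed the surrounding quotes, so queries migrated from the old syntax are the likely trigger; rejecting that shape up front (e.g. a second `re:run(Sql, "'" ?RE_PLACEHOLDER "'")` that fails the source load when it matches), or at least documenting next to `?RE_PLACEHOLDER` that placeholders must be unquoted, would surface the misconfiguration at load time rather than at query time. The class `[a-z0-9\-]+` also accepts any name, so the code that binds `Params` (not in this hunk) presumably has to refuse unknown placeholders rather than bind an empty value. The same applies to the parse_query hunk in emqx_authz_postgresql.erl, where a quoted placeholder turns into the literal `'$1'`.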
@@ -38,7 +38,7 @@ description() -> parse_query(undefined) -> undefined; parse_query(Sql) -> - case re:run(Sql, "'%[ucCad]'", [global, {capture, all, list}]) of + case re:run(Sql, ?RE_PLACEHOLDER, [global, {capture, all, list}]) of {match, Variables} -> Params = [Var || [Var] <- Variables], Vars = ["$" ++ integer_to_list(I) || I <- lists:seq(1, length(Params))], From 261ca3d62579b001ed91db7d112be4cbf6d6c66d Mon Sep 17 00:00:00 2001 From: zhouzb Date: Wed, 24 Nov 2021 16:48:35 +0800 Subject: [PATCH 2/8] fix(connector): fix crash in health checking of mongo connection --- apps/emqx_connector/src/emqx_connector_mongo.erl | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/apps/emqx_connector/src/emqx_connector_mongo.erl b/apps/emqx_connector/src/emqx_connector_mongo.erl index c2d992cb6..9e4a5163b 100644 --- a/apps/emqx_connector/src/emqx_connector_mongo.erl +++ b/apps/emqx_connector/src/emqx_connector_mongo.erl @@ -169,8 +169,13 @@ health_check(PoolName) -> case ecpool_worker:client(Worker) of {ok, Conn} -> %% we don't care if this returns something or not, we just to test the connection - Res = mongo_api:find_one(Conn, <<"foo">>, {}, #{}), - Res == undefined orelse is_map(Res); + try mongo_api:find_one(Conn, <<"foo">>, {}, #{}) of + undefined -> true; + Res when is_map(Res) -> true; + _ -> false + catch + _Class:_Error -> false + end; _ -> false end end || {_WorkerName, Worker} <- ecpool:workers(PoolName)], From fb6ab93f473c2f93362917107c0dc9c2939885cc Mon Sep 17 00:00:00 2001 From: zhouzb Date: Wed, 24 Nov 2021 18:21:08 +0800 Subject: [PATCH 3/8] fix(dialyzer): fix redundant cases --- apps/emqx_connector/src/emqx_connector_mongo.erl | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apps/emqx_connector/src/emqx_connector_mongo.erl b/apps/emqx_connector/src/emqx_connector_mongo.erl index 9e4a5163b..11eac9c91 100644 --- a/apps/emqx_connector/src/emqx_connector_mongo.erl +++ b/apps/emqx_connector/src/emqx_connector_mongo.erl 
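Review bot: `catch _Class:_Error -> false` in health_check of emqx_connector_mongo.erl discards both the exception class and the reason, so a pool that fails its health check leaves no trace of why (a call timeout, `noproc` on a dead worker, an authentication failure all look alike); bind them and log at debug level before returning false, e.g. `Class:Reason -> ` followed by the project's logger call with `#{msg => "mongo_health_check_failed", class => Class, reason => Reason}` and then `false`. The `of` arms only ever see a returned value, so a comment such as `%% any return counts as healthy; only an exception marks the worker down` would make the intent explicit, and the later hunk in this series that collapses the arms to `_ -> true` keeps the same silent catch. health_check's body starts before and continues after this hunk.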
@@ -170,9 +170,7 @@ health_check(PoolName) -> {ok, Conn} -> %% we don't care if this returns something or not, we just to test the connection try mongo_api:find_one(Conn, <<"foo">>, {}, #{}) of - undefined -> true; - Res when is_map(Res) -> true; - _ -> false + _ -> true catch _Class:_Error -> false end; From f74e34b6a5e4168991a2ca48be827b1cf1217b4e Mon Sep 17 00:00:00 2001 From: JimMoen Date: Wed, 24 Nov 2021 18:57:30 +0800 Subject: [PATCH 4/8] fix(conf): change `max_topic_levels` default configuration --- apps/emqx/etc/emqx.conf | 5 +++-- apps/emqx/test/emqx_channel_SUITE.erl | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/apps/emqx/etc/emqx.conf b/apps/emqx/etc/emqx.conf index 486900a60..0b877cf0b 100644 --- a/apps/emqx/etc/emqx.conf +++ b/apps/emqx/etc/emqx.conf @@ -577,8 +577,9 @@ mqtt { ## @doc mqtt.max_topic_levels ## ValueType: Integer ## Range: [1, 65535] - ## Default: 65535 - max_topic_levels = 65535 + ## Default: 128 + ## Depth so big may lead to subscribing performance issues + max_topic_levels = 128 ## Maximum QoS allowed. ## diff --git a/apps/emqx/test/emqx_channel_SUITE.erl b/apps/emqx/test/emqx_channel_SUITE.erl index 911341440..284cea784 100644 --- a/apps/emqx/test/emqx_channel_SUITE.erl +++ b/apps/emqx/test/emqx_channel_SUITE.erl @@ -59,7 +59,7 @@ mqtt_conf() -> max_inflight => 32,max_mqueue_len => 1000, max_packet_size => 1048576,max_qos_allowed => 2, max_subscriptions => infinity,max_topic_alias => 65535, - max_topic_levels => 65535,mqueue_default_priority => lowest, + max_topic_levels => 128,mqueue_default_priority => lowest, mqueue_priorities => disabled,mqueue_store_qos0 => true, peer_cert_as_clientid => disabled, peer_cert_as_username => disabled, @@ -200,7 +200,7 @@ t_chan_caps(_) -> #{max_clientid_len := 65535, max_qos_allowed := 2, max_topic_alias := 65535, - max_topic_levels := 65535, + max_topic_levels := 128, retain_available := true, shared_subscription := true, subscription_identifiers := true, 
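Review bot: Lowering the `max_topic_levels` default from 65535 to 128 in emqx.conf changes behaviour for existing deployments — topics deeper than 128 levels will presumably be rejected after an upgrade unless the operator sets the value explicitly — and the series carries no changelog or upgrade note for it; only the config file and the test fixtures in emqx_channel_SUITE.erl move. The added comment `## Depth so big may lead to subscribing performance issues` reads awkwardly; `## Very deep topics slow down subscription matching, so keep this well below the maximum` states the reason for the lower default. Mentioning the previous default in that comment would help operators who relied on it.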
From d88bfdfe14eec1fad7ef599bd6b733f1079693e2 Mon Sep 17 00:00:00 2001 From: zhouzb Date: Thu, 25 Nov 2021 16:42:08 +0800 Subject: [PATCH 5/8] fix(authn): verify claims type is wrong --- apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl index 7a24afccb..67893912c 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl @@ -125,7 +125,7 @@ verify_claims(default) -> #{}; verify_claims(validator) -> [fun do_check_verify_claims/1]; verify_claims(converter) -> fun(VerifyClaims) -> - maps:to_list(VerifyClaims) + [{to_binary(K), V} || {K, V} <- maps:to_list(VerifyClaims)] end; verify_claims(_) -> undefined. @@ -349,3 +349,8 @@ validate_placeholder(<<"clientid">>) -> clientid; validate_placeholder(<<"username">>) -> username. + +to_binary(A) when is_atom(A) -> + atom_to_binary(A); +to_binary(B) when is_binary(B) -> + B. From 15654b5b281ff334272eae8384592696c6376eb9 Mon Sep 17 00:00:00 2001 From: zhouzb Date: Thu, 25 Nov 2021 17:17:44 +0800 Subject: [PATCH 6/8] fix(authn): add handling of invalid secret --- .../src/simple_authn/emqx_authn_jwt.erl | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl index 67893912c..a4359dae6 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl 
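Review bot: `to_binary/1` in emqx_authn_jwt.erl has no clause for a string (list) key, so a `verify_claims` entry whose key arrives as a charlist crashes the converter with `function_clause` rather than yielding a validation error; either add `to_binary(L) when is_list(L) -> unicode:characters_to_binary(L);` or state in a comment that only atom and binary keys can reach it. `atom_to_binary/1` with a single argument exists from OTP 23; if the project still builds on older releases use `atom_to_binary(A, utf8)`. The converter leaves the values untouched, so a one-line comment on `verify_claims(converter)` such as `%% claim names are normalised to binaries, presumably to compare against the decoded payload's binary keys` would explain why only the keys are converted.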
@@ -201,15 +201,14 @@ create2(#{use_jwks := false, secret := Secret0, secret_base64_encoded := Base64Encoded, verify_claims := VerifyClaims}) -> - Secret = case Base64Encoded of - true -> - base64:decode(Secret0); - false -> - Secret0 - end, - JWK = jose_jwk:from_oct(Secret), - {ok, #{jwk => JWK, - verify_claims => VerifyClaims}}; + case may_decode_secret(Base64Encoded, Secret0) of + {error, Reason} -> + {error, Reason}; + Secret -> + JWK = jose_jwk:from_oct(Secret), + {ok, #{jwk => JWK, + verify_claims => VerifyClaims}} + end; create2(#{use_jwks := false, algorithm := 'public-key', @@ -234,6 +233,14 @@ create2(#{use_jwks := true, {error, Reason} end. +may_decode_secret(false, Secret) -> Secret; +may_decode_secret(true, Secret) -> + try base64:decode(Secret) + catch + error : _ -> + {error, {invalid_parameter, Secret}} + end. + replace_placeholder(L, Variables) -> replace_placeholder(L, Variables, []). From ecd3c9f85c2c253e2eca7500977f88c27aa75544 Mon Sep 17 00:00:00 2001 From: zhouzb Date: Thu, 25 Nov 2021 19:03:11 +0800 Subject: [PATCH 7/8] test(authn): add test cases for jwt authn --- .../src/simple_authn/emqx_authn_jwt.erl | 2 +- apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl | 228 +++++++++--------- 2 files changed, 116 insertions(+), 114 deletions(-) diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl index a4359dae6..2d311a689 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl @@ -238,7 +238,7 @@ may_decode_secret(true, Secret) -> try base64:decode(Secret) catch error : _ -> - {error, {invalid_parameter, Secret}} + {error, {invalid_parameter, secret}} end. replace_placeholder(L, Variables) -> diff --git a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl index 170449dcc..54db0a3c5 100644 --- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl 
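Review bot: `may_decode_secret/2` returns a bare binary on success and `{error, Reason}` on failure, and the caller in `create2` tells them apart only by matching `{error, Reason}` first; a uniform tagged result is easier to read and to dialyze: `may_decode_secret(false, Secret) -> {ok, Secret};`, `try {ok, base64:decode(Secret)}` in the `true` clause, and `{ok, Secret} ->` in the caller's case. A spec is missing as well; `-spec may_decode_secret(boolean(), binary()) -> {ok, binary()} | {error, {invalid_parameter, secret}}.` (using the `secret` atom that the later hunk in this series substitutes for the raw value) documents the contract. Nothing checks the length of the secret before `jose_jwk:from_oct(Secret)`; RFC 7518 §3.2 requires an HMAC key at least as long as the hash output (32 bytes for HS256), so a minimum-length check returning `{error, {invalid_parameter, secret}}` is a worthwhile follow-up.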
+++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl 
@@ -19,140 +19,142 @@ -compile(export_all). -compile(nowarn_export_all). -% -include_lib("common_test/include/ct.hrl"). -% -include_lib("eunit/include/eunit.hrl"). +-include_lib("common_test/include/ct.hrl"). +-include_lib("eunit/include/eunit.hrl"). -% -include("emqx_authn.hrl"). +-include("emqx_authn.hrl"). -% -define(AUTH, emqx_authn). +-define(AUTHN_ID, <<"mechanism:jwt">>). all() -> emqx_common_test_helpers:all(?MODULE). -% init_per_suite(Config) -> -% emqx_common_test_helpers:start_apps([emqx_authn]), -% Config. +init_per_suite(Config) -> + emqx_common_test_helpers:start_apps([emqx_authn]), + Config. -% end_per_suite(_) -> -% emqx_common_test_helpers:stop_apps([emqx_authn]), -% ok. +end_per_suite(_) -> + emqx_common_test_helpers:stop_apps([emqx_authn]), + ok. -% t_jwt_authenticator(_) -> -% AuthenticatorName = <<"myauthenticator">>, -% Config = #{name => AuthenticatorName, -% mechanism => jwt, -% use_jwks => false, -% algorithm => 'hmac-based', -% secret => <<"abcdef">>, -% secret_base64_encoded => false, -% verify_claims => []}, -% {ok, #{name := AuthenticatorName, id := ID}} = ?AUTH:create_authenticator(?CHAIN, Config), +t_jwt_authenticator(_) -> + Secret = <<"abcdef">>, + Config = #{mechanism => jwt, + use_jwks => false, + algorithm => 'hmac-based', + secret => Secret, + secret_base64_encoded => false, + verify_claims => []}, + {ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config), -% Payload = #{<<"username">> => <<"myuser">>}, -% JWS = generate_jws('hmac-based', Payload, <<"abcdef">>), -% ClientInfo = #{username => <<"myuser">>, -% password => JWS}, -% ?assertEqual({stop, {ok, #{is_superuser => false}}}, ?AUTH:authenticate(ClientInfo, ignored)), + Payload = #{<<"username">> => <<"myuser">>}, + JWS = generate_jws('hmac-based', Payload, Secret), + Credential = #{username => <<"myuser">>, + password => JWS}, + ?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State)), -% Payload1 = #{<<"username">> => <<"myuser">>, 
<<"is_superuser">> => true}, -% JWS1 = generate_jws('hmac-based', Payload1, <<"abcdef">>), -% ClientInfo1 = #{username => <<"myuser">>, -% password => JWS1}, -% ?assertEqual({stop, {ok, #{is_superuser => true}}}, ?AUTH:authenticate(ClientInfo1, ignored)), + Payload1 = #{<<"username">> => <<"myuser">>, <<"is_superuser">> => true}, + JWS1 = generate_jws('hmac-based', Payload1, Secret), + Credential1 = #{username => <<"myuser">>, + password => JWS1}, + ?assertEqual({ok, #{is_superuser => true}}, emqx_authn_jwt:authenticate(Credential1, State)), -% BadJWS = generate_jws('hmac-based', Payload, <<"bad_secret">>), -% ClientInfo2 = ClientInfo#{password => BadJWS}, -% ?assertEqual({stop, {error, not_authorized}}, ?AUTH:authenticate(ClientInfo2, ignored)), + BadJWS = generate_jws('hmac-based', Payload, <<"bad_secret">>), + Credential2 = Credential#{password => BadJWS}, + ?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential2, State)), -% %% secret_base64_encoded -% Config2 = Config#{secret => base64:encode(<<"abcdef">>), -% secret_base64_encoded => true}, -% ?assertMatch({ok, _}, ?AUTH:update_authenticator(?CHAIN, ID, Config2)), -% ?assertEqual({stop, {ok, #{is_superuser => false}}}, ?AUTH:authenticate(ClientInfo, ignored)), + %% secret_base64_encoded + Config2 = Config#{secret => base64:encode(Secret), + secret_base64_encoded => true}, + {ok, State2} = emqx_authn_jwt:update(Config2, State), + ?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State2)), -% Config3 = Config#{verify_claims => [{<<"username">>, <<"${mqtt-username}">>}]}, -% ?assertMatch({ok, _}, ?AUTH:update_authenticator(?CHAIN, ID, Config3)), -% ?assertEqual({stop, {ok, #{is_superuser => false}}}, ?AUTH:authenticate(ClientInfo, ignored)), -% ?assertEqual({stop, {error, bad_username_or_password}}, ?AUTH:authenticate(ClientInfo#{username => <<"otheruser">>}, ok)), + %% invalid secret + BadConfig = Config#{secret => <<"emqxsecret">>, + secret_base64_encoded => true}, + 
{error, {invalid_parameter, secret}} = emqx_authn_jwt:create(?AUTHN_ID, BadConfig), -% %% Expiration -% Payload3 = #{ <<"username">> => <<"myuser">> -% , <<"exp">> => erlang:system_time(second) - 60}, -% JWS3 = generate_jws('hmac-based', Payload3, <<"abcdef">>), -% ClientInfo3 = ClientInfo#{password => JWS3}, -% ?assertEqual({stop, {error, bad_username_or_password}}, ?AUTH:authenticate(ClientInfo3, ignored)), + Config3 = Config#{verify_claims => [{<<"username">>, <<"${username}">>}]}, + {ok, State3} = emqx_authn_jwt:update(Config3, State2), + ?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State3)), + ?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential#{username => <<"otheruser">>}, State3)), -% Payload4 = #{ <<"username">> => <<"myuser">> -% , <<"exp">> => erlang:system_time(second) + 60}, -% JWS4 = generate_jws('hmac-based', Payload4, <<"abcdef">>), -% ClientInfo4 = ClientInfo#{password => JWS4}, -% ?assertEqual({stop, {ok, #{is_superuser => false}}}, ?AUTH:authenticate(ClientInfo4, ignored)), + %% Expiration + Payload3 = #{ <<"username">> => <<"myuser">> + , <<"exp">> => erlang:system_time(second) - 60}, + JWS3 = generate_jws('hmac-based', Payload3, Secret), + Credential3 = Credential#{password => JWS3}, + ?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential3, State3)), -% %% Issued At -% Payload5 = #{ <<"username">> => <<"myuser">> -% , <<"iat">> => erlang:system_time(second) - 60}, -% JWS5 = generate_jws('hmac-based', Payload5, <<"abcdef">>), -% ClientInfo5 = ClientInfo#{password => JWS5}, -% ?assertEqual({stop, {ok, #{is_superuser => false}}}, ?AUTH:authenticate(ClientInfo5, ignored)), + Payload4 = #{ <<"username">> => <<"myuser">> + , <<"exp">> => erlang:system_time(second) + 60}, + JWS4 = generate_jws('hmac-based', Payload4, Secret), + Credential4 = Credential#{password => JWS4}, + ?assertEqual({ok, #{is_superuser => false}}, 
emqx_authn_jwt:authenticate(Credential4, State3)), -% Payload6 = #{ <<"username">> => <<"myuser">> -% , <<"iat">> => erlang:system_time(second) + 60}, -% JWS6 = generate_jws('hmac-based', Payload6, <<"abcdef">>), -% ClientInfo6 = ClientInfo#{password => JWS6}, -% ?assertEqual({stop, {error, bad_username_or_password}}, ?AUTH:authenticate(ClientInfo6, ignored)), + %% Issued At + Payload5 = #{ <<"username">> => <<"myuser">> + , <<"iat">> => erlang:system_time(second) - 60}, + JWS5 = generate_jws('hmac-based', Payload5, Secret), + Credential5 = Credential#{password => JWS5}, + ?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential5, State3)), -% %% Not Before -% Payload7 = #{ <<"username">> => <<"myuser">> -% , <<"nbf">> => erlang:system_time(second) - 60}, -% JWS7 = generate_jws('hmac-based', Payload7, <<"abcdef">>), -% ClientInfo7 = ClientInfo#{password => JWS7}, -% ?assertEqual({stop, {ok, #{is_superuser => false}}}, ?AUTH:authenticate(ClientInfo7, ignored)), + Payload6 = #{ <<"username">> => <<"myuser">> + , <<"iat">> => erlang:system_time(second) + 60}, + JWS6 = generate_jws('hmac-based', Payload6, Secret), + Credential6 = Credential#{password => JWS6}, + ?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential6, State3)), -% Payload8 = #{ <<"username">> => <<"myuser">> -% , <<"nbf">> => erlang:system_time(second) + 60}, -% JWS8 = generate_jws('hmac-based', Payload8, <<"abcdef">>), -% ClientInfo8 = ClientInfo#{password => JWS8}, -% ?assertEqual({stop, {error, bad_username_or_password}}, ?AUTH:authenticate(ClientInfo8, ignored)), + %% Not Before + Payload7 = #{ <<"username">> => <<"myuser">> + , <<"nbf">> => erlang:system_time(second) - 60}, + JWS7 = generate_jws('hmac-based', Payload7, Secret), + Credential7 = Credential6#{password => JWS7}, + ?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential7, State3)), -% ?assertEqual(ok, ?AUTH:delete_authenticator(?CHAIN, ID)), -% ok. 
+ Payload8 = #{ <<"username">> => <<"myuser">> + , <<"nbf">> => erlang:system_time(second) + 60}, + JWS8 = generate_jws('hmac-based', Payload8, Secret), + Credential8 = Credential#{password => JWS8}, + ?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential8, State3)), -% t_jwt_authenticator2(_) -> -% Dir = code:lib_dir(emqx_authn, test), -% PublicKey = list_to_binary(filename:join([Dir, "data/public_key.pem"])), -% PrivateKey = list_to_binary(filename:join([Dir, "data/private_key.pem"])), -% AuthenticatorName = <<"myauthenticator">>, -% Config = #{name => AuthenticatorName, -% mechanism => jwt, -% use_jwks => false, -% algorithm => 'public-key', -% certificate => PublicKey, -% verify_claims => []}, -% {ok, #{name := AuthenticatorName, id := ID}} = ?AUTH:create_authenticator(?CHAIN, Config), + ?assertEqual(ok, emqx_authn_jwt:destroy(State3)), + ok. -% Payload = #{<<"username">> => <<"myuser">>}, -% JWS = generate_jws('public-key', Payload, PrivateKey), -% ClientInfo = #{username => <<"myuser">>, -% password => JWS}, -% ?assertEqual({stop, {ok, #{is_superuser => false}}}, ?AUTH:authenticate(ClientInfo, ignored)), -% ?assertEqual({stop, {error, not_authorized}}, ?AUTH:authenticate(ClientInfo#{password => <<"badpassword">>}, ignored)), +t_jwt_authenticator2(_) -> + Dir = code:lib_dir(emqx_authn, test), + PublicKey = list_to_binary(filename:join([Dir, "data/public_key.pem"])), + PrivateKey = list_to_binary(filename:join([Dir, "data/private_key.pem"])), + Config = #{mechanism => jwt, + use_jwks => false, + algorithm => 'public-key', + certificate => PublicKey, + verify_claims => []}, + {ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config), -% ?assertEqual(ok, ?AUTH:delete_authenticator(?CHAIN, ID)), -% ok. 
+ Payload = #{<<"username">> => <<"myuser">>}, + JWS = generate_jws('public-key', Payload, PrivateKey), + Credential = #{username => <<"myuser">>, + password => JWS}, + ?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State)), + ?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State)), -% generate_jws('hmac-based', Payload, Secret) -> -% JWK = jose_jwk:from_oct(Secret), -% Header = #{ <<"alg">> => <<"HS256">> -% , <<"typ">> => <<"JWT">> -% }, -% Signed = jose_jwt:sign(JWK, Header, Payload), -% {_, JWS} = jose_jws:compact(Signed), -% JWS; -% generate_jws('public-key', Payload, PrivateKey) -> -% JWK = jose_jwk:from_pem_file(PrivateKey), -% Header = #{ <<"alg">> => <<"RS256">> -% , <<"typ">> => <<"JWT">> -% }, -% Signed = jose_jwt:sign(JWK, Header, Payload), -% {_, JWS} = jose_jws:compact(Signed), -% JWS. + ?assertEqual(ok, emqx_authn_jwt:destroy(State)), + ok. + +generate_jws('hmac-based', Payload, Secret) -> + JWK = jose_jwk:from_oct(Secret), + Header = #{ <<"alg">> => <<"HS256">> + , <<"typ">> => <<"JWT">> + }, + Signed = jose_jwt:sign(JWK, Header, Payload), + {_, JWS} = jose_jws:compact(Signed), + JWS; +generate_jws('public-key', Payload, PrivateKey) -> + JWK = jose_jwk:from_pem_file(PrivateKey), + Header = #{ <<"alg">> => <<"RS256">> + , <<"typ">> => <<"JWT">> + }, + Signed = jose_jwt:sign(JWK, Header, Payload), + {_, JWS} = jose_jws:compact(Signed), + JWS. From 349fd1608be951dcb716cc3d821da828b66d7b8a Mon Sep 17 00:00:00 2001 From: zhouzb Date: Fri, 26 Nov 2021 10:29:57 +0800 Subject: [PATCH 8/8] style(authn): improve code formatting --- apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl index 2d311a689..7ec7eac6d 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl 
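Review bot: `Credential7 = Credential6#{password => JWS7}` in t_jwt_authenticator builds on `Credential6` where every other case starts from `Credential`; it produces the same map only because `Credential6` differs from `Credential` solely in `password`, so `Credential7 = Credential#{password => JWS7}` keeps the cases independent. The invalid-secret check `{error, {invalid_parameter, secret}} = emqx_authn_jwt:create(?AUTHN_ID, BadConfig)` is a bare match among `?assertEqual` calls; `?assertEqual({error, {invalid_parameter, secret}}, emqx_authn_jwt:create(?AUTHN_ID, BadConfig))` reports a mismatch instead of a `badmatch`. The suite pins an asymmetry worth a comment at the first `ignore` assertion: a bad signature yields `ignore` (the chain moves on) while a failed claim check yields `{error, bad_username_or_password}` (the chain stops). Both authenticators are exercised only with a wrong key; a case asserting that a token whose header `alg` differs from the configured algorithm is rejected would pin that path too.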
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl @@ -207,7 +207,7 @@ create2(#{use_jwks := false, Secret -> JWK = jose_jwk:from_oct(Secret), {ok, #{jwk => JWK, - verify_claims => VerifyClaims}} + verify_claims => VerifyClaims}} end; create2(#{use_jwks := false,