diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwks_connector.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwks_connector.erl index fa7eaa7a5..c8526c73c 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwks_connector.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwks_connector.erl @@ -101,7 +101,7 @@ handle_info({http, {RequestID, Result}}, endpoint => Endpoint, reason => Reason}), State1; - {_StatusLine, _Headers, Body} -> + {StatusLine, Headers, Body} -> try JWKS = jose_jwk:from(emqx_json:decode(Body, [return_maps])), {_, JWKs} = JWKS#jose_jwk.keys, @@ -109,6 +109,8 @@ handle_info({http, {RequestID, Result}}, catch _:_ -> ?SLOG(warning, #{msg => "invalid_jwks_returned", endpoint => Endpoint, + status => StatusLine, + headers => Headers, body => Body}), State1 end diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl index c383db841..7291abf29 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl @@ -18,6 +18,7 @@ -include("emqx_authn.hrl"). -include_lib("typerefl/include/types.hrl"). +-include_lib("emqx/include/logger.hrl"). -behaviour(hocon_schema). -behaviour(emqx_authentication). @@ -272,7 +273,7 @@ verify(JWS, [JWK | More], VerifyClaims) -> verify(JWS, More, VerifyClaims) catch _:_Reason:_Stacktrace -> - %% TODO: Add log + ?TRACE("JWT", "authn_jwt_invalid_signature", #{jwk => JWK, jws => JWS}), {error, invalid_signature} end. diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl index cf5ab5a65..6e01fb7b9 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl 
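Review bot: The `headers => Headers` field added to the `invalid_jwks_returned` warning in emqx_authn_jwks_connector.erl writes every response header from the remote JWKS endpoint into the log, next to the `body` that was already logged in full. Neither value is size-bounded, and headers can carry values such as `Set-Cookie` that do not belong in a broker log. The status line is the part that helps diagnosis, so I would keep `status => StatusLine,` and drop `headers => Headers,`, or log only the content type. The enclosing `handle_info` clause starts above the hunk, so how `Result` is produced is not visible here.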
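Review bot: The new `?TRACE` call in the `catch` branch of `verify/3` (emqx_authn_jwt.erl) records both `jwk => JWK` and `jws => JWS`, i.e. the verification key and the complete token the client presented. If the authenticator can be configured with a symmetric (HMAC) secret, which this hunk does not show, the JWK is the signing secret itself, and the JWS is a bearer credential in any case; anyone with access to trace output could reuse either. The exception reason, which the catch head still discards, is the more useful thing to record: change the head to `_:Reason:_Stacktrace ->` and the call to `?TRACE("JWT", "authn_jwt_invalid_signature", #{reason => Reason}),`. `verify/3` begins outside the hunk.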
@@ -143,6 +143,8 @@ authenticate(#{password := Password} = Credential, {error, Reason} -> ?SLOG(error, #{msg => "mongodb_query_failed", resource => ResourceId, + collection => Collection, + selector => Selector2, reason => Reason}), ignore; Doc -> @@ -152,6 +154,8 @@ authenticate(#{password := Password} = Credential, {error, {cannot_find_password_hash_field, PasswordHashField}} -> ?SLOG(error, #{msg => "cannot_find_password_hash_field", resource => ResourceId, + collection => Collection, + selector => Selector2, password_hash_field => PasswordHashField}), ignore; {error, Reason} -> diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_mysql.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_mysql.erl index fbda7ce61..53cf72066 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_mysql.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_mysql.erl @@ -123,6 +123,9 @@ authenticate(#{password := Password} = Credential, {error, Reason} -> ?SLOG(error, #{msg => "mysql_query_failed", resource => ResourceId, + query => Query, + params => Params, + timeout => Timeout, reason => Reason}), ignore end. diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_pgsql.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_pgsql.erl index 6589fc8eb..0bcca0ef6 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_pgsql.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_pgsql.erl @@ -119,6 +119,8 @@ authenticate(#{password := Password} = Credential, {error, Reason} -> ?SLOG(error, #{msg => "postgresql_query_failed", resource => ResourceId, + query => Query, + params => Params, reason => Reason}), ignore end. diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_redis.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_redis.erl index 76cebc06e..8471ad8d1 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_redis.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_redis.erl 
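Review bot: The `selector => Selector2` field added to the `mongodb_query_failed` log puts what appears to be the selector after placeholder substitution (it is built outside the hunk) into an error-level entry, so values taken from the connecting client's credential are written to the log on every backend failure. The same applies to the second hunk of this file, to `params => Params` in emqx_authn_mysql.erl and emqx_authn_pgsql.erl, to `keys => NKey` in emqx_authn_redis.erl, and to `selector => RenderedSelector`, `params => RenderParams`, `params => RenderedParams` and `cmd => NCMD` in the emqx_authz_* hunks. Username and client id are strings chosen by a not-yet-authenticated client, and if any supported placeholder can expand to the password it would appear in clear text. I would keep the static parts at error level (`collection => Collection,`, `query => Query,`) and move the rendered values to a separate `?SLOG(debug, ...)` entry, or drop them.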
@@ -125,6 +125,7 @@ authenticate(#{password := Password} = Credential, password_hash_algorithm := Algorithm}) -> NKey = binary_to_list(iolist_to_binary(replace_placeholders(Key, Credential))), case emqx_resource:query(ResourceId, {cmd, [Command, NKey | Fields]}) of + {ok, []} -> ignore; {ok, Values} -> case merge(Fields, Values) of #{<<"password_hash">> := _} = Selected -> @@ -137,12 +138,18 @@ authenticate(#{password := Password} = Credential, end; _ -> ?SLOG(error, #{msg => "cannot_find_password_hash_field", + cmd => Command, + keys => NKey, + fields => Fields, resource => ResourceId}), ignore end; {error, Reason} -> ?SLOG(error, #{msg => "redis_query_failed", resource => ResourceId, + cmd => Command, + keys => NKey, + fields => Fields, reason => Reason}), ignore end. diff --git a/apps/emqx_authz/src/emqx_authz_mongodb.erl b/apps/emqx_authz/src/emqx_authz_mongodb.erl index 496593896..c1b9c907a 100644 --- a/apps/emqx_authz/src/emqx_authz_mongodb.erl +++ b/apps/emqx_authz/src/emqx_authz_mongodb.erl @@ -67,6 +67,8 @@ authorize(Client, PubSub, Topic, {error, Reason} -> ?SLOG(error, #{msg => "query_mongo_error", reason => Reason, + collection => Collection, + selector => RenderedSelector, resource_id => ResourceID}), nomatch; [] -> nomatch; diff --git a/apps/emqx_authz/src/emqx_authz_mysql.erl b/apps/emqx_authz/src/emqx_authz_mysql.erl index 276073749..cb11a70fd 100644 --- a/apps/emqx_authz/src/emqx_authz_mysql.erl +++ b/apps/emqx_authz/src/emqx_authz_mysql.erl 
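Review bot: The added `{ok, []} -> ignore;` clause in emqx_authn_redis.erl may not cover the usual "unknown user" reply. For a multi-field hash read such as HMGET, Redis answers a missing key with one nil per requested field rather than an empty list, so that lookup would still reach `merge(Fields, Values)` and the error-level `cannot_find_password_hash_field` entry, which now also carries the client-derived key. Whether this happens depends on which commands the configuration accepts and on how `merge/2` treats nil values, neither of which is visible here. If `merge/2` drops nils, a clause such as `Selected when map_size(Selected) =:= 0 -> ignore;` ahead of the `_ ->` branch would keep unknown users out of the error log.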
@@ -58,13 +58,16 @@ authorize(Client, PubSub, Topic, query := {Query, Params} } }) -> - case emqx_resource:query(ResourceID, {sql, Query, replvar(Params, Client)}) of + RenderParams = replvar(Params, Client), + case emqx_resource:query(ResourceID, {sql, Query, RenderParams}) of {ok, _Columns, []} -> nomatch; {ok, Columns, Rows} -> do_authorize(Client, PubSub, Topic, Columns, Rows); {error, Reason} -> ?SLOG(error, #{ msg => "query_mysql_error" , reason => Reason + , query => Query + , params => RenderParams , resource_id => ResourceID}), nomatch end. diff --git a/apps/emqx_authz/src/emqx_authz_postgresql.erl b/apps/emqx_authz/src/emqx_authz_postgresql.erl index cfd58c53f..4c2415a4e 100644 --- a/apps/emqx_authz/src/emqx_authz_postgresql.erl +++ b/apps/emqx_authz/src/emqx_authz_postgresql.erl @@ -62,8 +62,8 @@ dry_run(Source) -> parse_query(Sql) -> case re:run(Sql, ?RE_PLACEHOLDER, [global, {capture, all, list}]) of - {match, Capured} -> - PlaceHolders = [PlaceHolder || [PlaceHolder] <- Capured], + {match, Captured} -> + PlaceHolders = [PlaceHolder || [PlaceHolder] <- Captured], Replacements = ["$" ++ integer_to_list(I) || I <- lists:seq(1, length(PlaceHolders))], NSql = lists:foldl( fun({PlaceHolder, Replacement}, S) -> @@ -80,13 +80,15 @@ authorize(Client, PubSub, Topic, placeholders := Placeholders } }) -> - case emqx_resource:query(ResourceID, {prepared_query, ResourceID, replvar(Placeholders, Client)}) of + RenderedParams = replvar(Placeholders, Client), + case emqx_resource:query(ResourceID, {prepared_query, ResourceID, RenderedParams}) of {ok, _Columns, []} -> nomatch; {ok, Columns, Rows} -> do_authorize(Client, PubSub, Topic, Columns, Rows); {error, Reason} -> ?SLOG(error, #{ msg => "query_postgresql_error" , reason => Reason + , params => RenderedParams , resource_id => ResourceID}), nomatch end. diff --git a/apps/emqx_authz/src/emqx_authz_redis.erl b/apps/emqx_authz/src/emqx_authz_redis.erl index 69940e537..a1c0faf95 100644 
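Review bot: The new binding in emqx_authz_mysql.erl is named `RenderParams`, while the same value is `RenderedParams` in the emqx_authz_postgresql.erl hunk and `RenderedSelector` in emqx_authz_mongodb.erl. Writing `RenderedParams = replvar(Params, Client),` here (and `, params => RenderedParams` in the log map) keeps the three backends under one name. The postgresql entry also logs no `query` field, unlike the mysql one; that may be deliberate because the statement is prepared under `ResourceID`, and a one-line comment such as `%% statement text is not available here; it is prepared under ResourceID` would make that clear.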
--- a/apps/emqx_authz/src/emqx_authz_redis.erl +++ b/apps/emqx_authz/src/emqx_authz_redis.erl @@ -63,6 +63,7 @@ authorize(Client, PubSub, Topic, {error, Reason} -> ?SLOG(error, #{ msg => "query_redis_error" , reason => Reason + , cmd => NCMD , resource_id => ResourceID}), nomatch end.