Merge pull request #11649 from lafirest/fix/sso_running_authz

fix(sso): use the correct way to mark the API as authorization-free
lafirest 2023-09-21 18:09:09 +08:00 committed by GitHub
commit 1dce264243
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 37 deletions


@ -216,32 +216,13 @@ authorize(Req) ->
{403, 'UNAUTHORIZED_ROLE', {403, 'UNAUTHORIZED_ROLE',
<<"You don't have permission to access this resource">>} <<"You don't have permission to access this resource">>}
end; end;
_ ->
case is_authorization_free(Req) of
true ->
ok;
_ -> _ ->
return_unauthorized( return_unauthorized(
<<"AUTHORIZATION_HEADER_ERROR">>, <<"AUTHORIZATION_HEADER_ERROR">>,
<<"Support authorization: basic/bearer ">> <<"Support authorization: basic/bearer ">>
) )
end
end. end.
-if(?EMQX_RELEASE_EDITION == ee).
%% this is a temporary design to skip the authorization for some APIs,
%% it will be removed future
is_authorization_free(Req) ->
emqx_dashboard_sso_api:is_authorization_free(Req).
-else.
-dialyzer({no_match, [authorize/1]}).
is_authorization_free(_Req) ->
false.
-endif.
return_unauthorized(Code, Message) -> return_unauthorized(Code, Message) ->
{401, {401,
#{ #{
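Review bot: After this hunk the `_ ->` clause of authorize/1 rejects every request that lacks a recognised Authorization header, and nothing in this module records any longer that some routes are legitimately reached without one; a reader of the 401 branch cannot tell where that exemption moved. A why-comment on the `_ ->` clause would keep that visible, e.g. `%% Routes that need no token declare 'security => []' in their schema and (presumably) never reach authorize/1; everything that gets here must carry basic/bearer auth.` — the "presumably" stands because the dispatch that honours the schema flag is not in this file. Dropping the `-if(?EMQX_RELEASE_EDITION == ee)` branch and the `-dialyzer({no_match, [authorize/1]})` suppression together is consistent, since the only clause the suppression covered is gone. authorize/1 begins before the first line of this hunk.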


@ -31,7 +31,7 @@
backend/2 backend/2
]). ]).
-export([sso_parameters/1, is_authorization_free/1]). -export([sso_parameters/1]).
-define(BAD_USERNAME_OR_PWD, 'BAD_USERNAME_OR_PWD'). -define(BAD_USERNAME_OR_PWD, 'BAD_USERNAME_OR_PWD').
-define(BAD_REQUEST, 'BAD_REQUEST'). -define(BAD_REQUEST, 'BAD_REQUEST').
@ -59,7 +59,8 @@ schema("/sso/running") ->
desc => ?DESC(list_running), desc => ?DESC(list_running),
responses => #{ responses => #{
200 => array(enum(emqx_dashboard_sso:types())) 200 => array(enum(emqx_dashboard_sso:types()))
} },
security => []
} }
}; };
schema("/sso") -> schema("/sso") ->
@ -85,7 +86,8 @@ schema("/sso/login/:backend") ->
200 => emqx_dashboard_api:fields([token, version, license]), 200 => emqx_dashboard_api:fields([token, version, license]),
401 => response_schema(401), 401 => response_schema(401),
404 => response_schema(404) 404 => response_schema(404)
} },
security => []
} }
}; };
schema("/sso/:backend") -> schema("/sso/:backend") ->
@ -191,10 +193,6 @@ backend(delete, #{bindings := #{backend := Backend}}) ->
sso_parameters(Params) -> sso_parameters(Params) ->
backend_name_as_arg(query, [local], <<"local">>) ++ Params. backend_name_as_arg(query, [local], <<"local">>) ++ Params.
is_authorization_free(Req) ->
Path = cowboy_req:path(Req),
is_path_authorization_free(Path).
%% ------------------------------------------------------------------------------------------------- %% -------------------------------------------------------------------------------------------------
%% internal %% internal
response_schema(401) -> response_schema(401) ->
@ -255,10 +253,3 @@ to_json(Data) ->
{K, emqx_utils_maps:binary_string(V)} {K, emqx_utils_maps:binary_string(V)}
end end
). ).
is_path_authorization_free(<<"/api/v5/sso/running">>) ->
true;
is_path_authorization_free(<<"/api/v5/sso/login", _/binary>>) ->
true;
is_path_authorization_free(_) ->
false.
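Review bot: Whether `security => []` on `/sso/running` and `/sso/login/:backend` disables the authorization filter at runtime, or only marks the operation as unauthenticated in the generated OpenAPI document, is not visible in this hunk; the removed `is_path_authorization_free/1` clauses were the only runtime enforcement shown, so a test that calls both routes without an Authorization header is the check that would confirm the swap. The removed prefix match `<<"/api/v5/sso/login", _/binary>>` exempted any path that merely started with that prefix, so the per-route declaration is tighter as well as simpler; that difference is worth a line next to each `security => []`, e.g. `%% No token required: the login page must list backends and authenticate before a token exists.` (inferred from the route names, so confirm against the login flow). Note that the two schema entries are the only place the exemption now lives, so a future route added under `/sso/` is protected by default unless it also sets `security => []`.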