From 1129c183305544077bd8562304078ad099451391 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 30 May 2024 11:36:13 +0200 Subject: [PATCH 1/5] fix(authz_http): fix content-type header in http request --- apps/emqx_authz/src/emqx_authz.app.src | 2 +- apps/emqx_authz/src/emqx_authz_http.erl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/emqx_authz/src/emqx_authz.app.src b/apps/emqx_authz/src/emqx_authz.app.src index 9de573795..5c3a26eb9 100644 --- a/apps/emqx_authz/src/emqx_authz.app.src +++ b/apps/emqx_authz/src/emqx_authz.app.src @@ -1,7 +1,7 @@ %% -*- mode: erlang -*- {application, emqx_authz, [ {description, "An OTP application"}, - {vsn, "0.1.25"}, + {vsn, "0.1.26"}, {registered, []}, {mod, {emqx_authz_app, []}}, {applications, [ diff --git a/apps/emqx_authz/src/emqx_authz_http.erl b/apps/emqx_authz/src/emqx_authz_http.erl index a5dff322d..ffc4045c5 100644 --- a/apps/emqx_authz/src/emqx_authz_http.erl +++ b/apps/emqx_authz/src/emqx_authz_http.erl @@ -200,7 +200,7 @@ generate_request( _ -> NPath = append_query(Path, Query), NBody = serialize_body( - proplists:get_value(<<"accept">>, Headers, <<"application/json">>), + proplists:get_value(<<"Content-Type">>, Headers, <<"application/json">>), Body ), {NPath, Headers, NBody} From 0c4da98b5209d72405468adee97a29b478783bd7 Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Thu, 30 May 2024 11:53:00 +0200 Subject: [PATCH 2/5] chore: update deps --- apps/emqx_authz/src/emqx_authz_http.erl | 2 +- apps/emqx_bridge_dynamo/rebar.config | 2 +- apps/emqx_bridge_hstreamdb/rebar.config | 2 +- apps/emqx_bridge_kinesis/rebar.config | 2 +- apps/emqx_s3/rebar.config | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/emqx_authz/src/emqx_authz_http.erl b/apps/emqx_authz/src/emqx_authz_http.erl index ffc4045c5..a34a7514a 100644 --- a/apps/emqx_authz/src/emqx_authz_http.erl +++ b/apps/emqx_authz/src/emqx_authz_http.erl 
@@ -200,7 +200,7 @@ generate_request( _ -> NPath = append_query(Path, Query), NBody = serialize_body( - proplists:get_value(<<"Content-Type">>, Headers, <<"application/json">>), + proplists:get_value(<<"content-type">>, Headers, <<"application/json">>), Body ), {NPath, Headers, NBody} diff --git a/apps/emqx_bridge_dynamo/rebar.config b/apps/emqx_bridge_dynamo/rebar.config index e80fb0f80..38598d313 100644 --- a/apps/emqx_bridge_dynamo/rebar.config +++ b/apps/emqx_bridge_dynamo/rebar.config @@ -1,6 +1,6 @@ %% -*- mode: erlang; -*- {erl_opts, [debug_info]}. -{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0-emqx-2"}}} +{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0.3"}}} , {emqx_connector, {path, "../../apps/emqx_connector"}} , {emqx_resource, {path, "../../apps/emqx_resource"}} , {emqx_bridge, {path, "../../apps/emqx_bridge"}} diff --git a/apps/emqx_bridge_hstreamdb/rebar.config b/apps/emqx_bridge_hstreamdb/rebar.config index fb99cd627..92b9c46cd 100644 --- a/apps/emqx_bridge_hstreamdb/rebar.config +++ b/apps/emqx_bridge_hstreamdb/rebar.config @@ -1,7 +1,7 @@ %% -*- mode: erlang -*- {erl_opts, [debug_info]}. {deps, [ - {hstreamdb_erl, {git, "https://github.com/hstreamdb/hstreamdb_erl.git", {tag, "0.4.5+v0.16.1"}}}, + {hstreamdb_erl, {git, "https://github.com/hstreamdb/hstreamdb_erl.git", {tag, "0.4.5+v0.16.1+ezstd-v1.0.5-emqx1"}}}, {emqx, {path, "../../apps/emqx"}}, {emqx_utils, {path, "../../apps/emqx_utils"}} ]}. diff --git a/apps/emqx_bridge_kinesis/rebar.config b/apps/emqx_bridge_kinesis/rebar.config index e4b57846e..4d7f87540 100644 --- a/apps/emqx_bridge_kinesis/rebar.config +++ b/apps/emqx_bridge_kinesis/rebar.config 
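Review bot: The lookup `proplists:get_value(<<"content-type">>, Headers, <<"application/json">>)` is an exact, case-sensitive match on the key, and nothing in this hunk shows that `Headers` keys are lowercased before they reach `generate_request`. If they are not, an operator-configured `Content-Type: application/x-www-form-urlencoded` falls through to the JSON default, and the authorization server receives a body whose encoding contradicts the header sent with it. The previous patch in this series used `<<"Content-Type">>` for the same lookup, so the invariant is worth stating next to the call, e.g. `%% header names are lowercased by <normalizing function>; exact match is intentional`, with a test that configures a mixed-case header name. The value is matched exactly as well (the only `serialize_body` clause visible in this series is for `<<"application/x-www-form-urlencoded">>`), so a value carrying parameters such as `; charset=utf-8` may not select the intended encoder; the other clauses are outside the hunk.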
@@ -1,6 +1,6 @@ %% -*- mode: erlang; -*- {erl_opts, [debug_info]}. -{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0-emqx-2"}}} +{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0.3"}}} , {emqx_connector, {path, "../../apps/emqx_connector"}} , {emqx_resource, {path, "../../apps/emqx_resource"}} , {emqx_bridge, {path, "../../apps/emqx_bridge"}} diff --git a/apps/emqx_s3/rebar.config b/apps/emqx_s3/rebar.config index 1d64e6677..e34406e54 100644 --- a/apps/emqx_s3/rebar.config +++ b/apps/emqx_s3/rebar.config @@ -1,6 +1,6 @@ {deps, [ {emqx, {path, "../../apps/emqx"}}, - {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0-emqx-2"}}}, + {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0.3"}}}, {emqx_bridge_http, {path, "../emqx_bridge_http"}} ]}. From 97f9c81e19a579e2880cadd1883a4811b8a201b2 Mon Sep 17 00:00:00 2001 From: Ilya Averyanov Date: Thu, 30 May 2024 14:56:56 +0300 Subject: [PATCH 3/5] feat(auth): add legacy ${access} placeholder --- apps/emqx_authz/src/emqx_authz_http.erl | 16 ++++++++++++++-- apps/emqx_authz/test/emqx_authz_http_SUITE.erl | 13 +++++++++++-- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/apps/emqx_authz/src/emqx_authz_http.erl b/apps/emqx_authz/src/emqx_authz_http.erl index a34a7514a..faa3a3198 100644 --- a/apps/emqx_authz/src/emqx_authz_http.erl +++ b/apps/emqx_authz/src/emqx_authz_http.erl @@ -39,6 +39,10 @@ -compile(nowarn_export_all). -endif. +-define(PH_ACCESS, <<"${access}">>). +-define(LEGACY_SUBSCRIBE_ACTION, 1). +-define(LEGACY_PUBLISH_ACTION, 2). + -define(PLACEHOLDERS, [ ?PH_USERNAME, ?PH_CLIENTID, @@ -48,7 +52,8 @@ ?PH_TOPIC, ?PH_ACTION, ?PH_CERT_SUBJECT, - ?PH_CERT_CN_NAME + ?PH_CERT_CN_NAME, + ?PH_ACCESS ]). -define(PLACEHOLDERS_FOR_RICH_ACTIONS, [ 
@@ -234,7 +239,14 @@ serialize_body(<<"application/x-www-form-urlencoded">>, Body) -> client_vars(Client, Action, Topic) -> Vars = emqx_authz_utils:vars_for_rule_query(Client, Action), - Vars#{topic => Topic}. + add_legacy_access_var(Vars#{topic => Topic}). + +add_legacy_access_var(#{action := subscribe} = Vars) -> + Vars#{access => ?LEGACY_SUBSCRIBE_ACTION}; +add_legacy_access_var(#{action := publish} = Vars) -> + Vars#{access => ?LEGACY_PUBLISH_ACTION}; +add_legacy_access_var(Vars) -> + Vars. to_list(A) when is_atom(A) -> atom_to_list(A); diff --git a/apps/emqx_authz/test/emqx_authz_http_SUITE.erl b/apps/emqx_authz/test/emqx_authz_http_SUITE.erl index 6cf4b5bc0..7810b5902 100644 --- a/apps/emqx_authz/test/emqx_authz_http_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_http_SUITE.erl @@ -202,6 +202,7 @@ t_query_params(_Config) -> mountpoint := <<"MOUNTPOINT">>, topic := <<"t/1">>, action := <<"publish">>, + access := <<"2">>, qos := <<"1">>, retain := <<"false">> } = cowboy_req:match_qs( @@ -213,6 +214,7 @@ t_query_params(_Config) -> mountpoint, topic, action, + access, qos, retain ], @@ -230,6 +232,7 @@ t_query_params(_Config) -> "mountpoint=${mountpoint}&" "topic=${topic}&" "action=${action}&" + "access=${access}&" "qos=${qos}&" "retain=${retain}" >> @@ -264,6 +267,7 @@ t_path(_Config) -> "MOUNTPOINT/" "t%2F1/" "publish/" + "2/" "1/" "false" >>, @@ -281,6 +285,7 @@ t_path(_Config) -> "${mountpoint}/" "${topic}/" "${action}/" + "${access}/" "${qos}/" "${retain}" >> @@ -321,6 +326,7 @@ t_json_body(_Config) -> <<"mountpoint">> := <<"MOUNTPOINT">>, <<"topic">> := <<"t">>, <<"action">> := <<"publish">>, + <<"access">> := <<"2">>, <<"qos">> := <<"1">>, <<"retain">> := <<"false">> }, @@ -338,6 +344,7 @@ t_json_body(_Config) -> <<"mountpoint">> => <<"${mountpoint}">>, <<"topic">> => <<"${topic}">>, <<"action">> => <<"${action}">>, + <<"access">> => <<"${access}">>, <<"qos">> => <<"${qos}">>, <<"retain">> => <<"${retain}">> } 
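Review bot: The catch-all clause `add_legacy_access_var(Vars) -> Vars.` leaves `access` unset for any action value other than the atoms `subscribe` and `publish`. A template containing `${access}` is then rendered from a missing variable, and what reaches the authorization server depends on the renderer, which is not visible here. Because the remote decision may key on this field, the omission should be documented on the helper, e.g. `%% v4 compatibility: access is 1 for subscribe, 2 for publish; any other action leaves ${access} unresolved`. A `-spec` would also help. It is worth confirming that `emqx_authz_utils:vars_for_rule_query/2` always returns `action` as one of those two atoms, since its definition is outside this hunk.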
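Review bot: Every updated case in this suite asserts only the publish path (`access := <<"2">>` in `t_query_params`, `"2/"` in `t_path`, `<<"access">> := <<"2">>` in `t_json_body` and `t_placeholder_and_body`). The `subscribe` clause of `add_legacy_access_var` is therefore never exercised. The changelog entry added in patch 4/5 labels both codes as SUBSCRIBE, which is the kind of mix-up a test would pin down. I would add one case that authorizes a subscribe request and expects `access := <<"1">>`. The test bodies start and end outside these hunks, so the place to parameterize the action is not visible here.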
@@ -405,7 +412,7 @@ t_placeholder_and_body(_Config) -> cowboy_req:path(Req0) ), - {ok, [{PostVars, true}], Req1} = cowboy_req:read_urlencoded_body(Req0), + {ok, PostVars, Req1} = cowboy_req:read_urlencoded_body(Req0), ?assertMatch( #{ @@ -416,10 +423,11 @@ t_placeholder_and_body(_Config) -> <<"mountpoint">> := <<"MOUNTPOINT">>, <<"topic">> := <<"t">>, <<"action">> := <<"publish">>, + <<"access">> := <<"2">>, <<"CN">> := ?PH_CERT_CN_NAME, <<"CS">> := ?PH_CERT_SUBJECT }, - emqx_utils_json:decode(PostVars, [return_maps]) + maps:from_list(PostVars) ), {ok, ?AUTHZ_HTTP_RESP(allow, Req1), State} end, @@ -433,6 +441,7 @@ t_placeholder_and_body(_Config) -> <<"mountpoint">> => <<"${mountpoint}">>, <<"topic">> => <<"${topic}">>, <<"action">> => <<"${action}">>, + <<"access">> => <<"${access}">>, <<"CN">> => ?PH_CERT_CN_NAME, <<"CS">> => ?PH_CERT_SUBJECT }, From f681126f4dbff5a18ba1194fba96dff7c0307308 Mon Sep 17 00:00:00 2001 From: zmstone Date: Thu, 30 May 2024 22:38:56 +0200 Subject: [PATCH 4/5] docs: add changelog for PR 13164 --- changes/ce/fix-13164.en.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changes/ce/fix-13164.en.md diff --git a/changes/ce/fix-13164.en.md b/changes/ce/fix-13164.en.md new file mode 100644 index 000000000..c0ce937da --- /dev/null +++ b/changes/ce/fix-13164.en.md @@ -0,0 +1,6 @@ +Fix HTTP authorization request body encoding. + +Prior to this fix, the HTTP authorization request body encoding format was taken from the `accept` header. +The fix is to respect the `content-type` header instead. +Also added `access` templating variable for v4 compatibility. +The access code of SUBSCRIBE action is `1` and SUBSCRIBE action is `2`. From 6fe8a09e97d8bfc0b6aff640072f188ca167e0de Mon Sep 17 00:00:00 2001 From: zmstone Date: Fri, 31 May 2024 14:32:14 +0200 Subject: [PATCH 5/5] fix(authz/http): rename PH_ACCESS to VAR_ACCESS --- apps/emqx_auth_http/src/emqx_authz_http.erl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/apps/emqx_auth_http/src/emqx_authz_http.erl b/apps/emqx_auth_http/src/emqx_authz_http.erl index c5e839472..49296f690 100644 --- a/apps/emqx_auth_http/src/emqx_authz_http.erl +++ b/apps/emqx_auth_http/src/emqx_authz_http.erl @@ -38,7 +38,7 @@ -compile(nowarn_export_all). -endif. --define(PH_ACCESS, <<"${access}">>). +-define(VAR_ACCESS, "access"). -define(LEGACY_SUBSCRIBE_ACTION, 1). -define(LEGACY_PUBLISH_ACTION, 2). @@ -52,7 +52,7 @@ ?VAR_ACTION, ?VAR_CERT_SUBJECT, ?VAR_CERT_CN_NAME, - ?PH_ACCESS, + ?VAR_ACCESS, ?VAR_NS_CLIENT_ATTRS ]).