diff --git a/apps/emqx/i18n/emqx_schema_i18n.conf b/apps/emqx/i18n/emqx_schema_i18n.conf
index fb308a772..5d85829f4 100644
--- a/apps/emqx/i18n/emqx_schema_i18n.conf
+++ b/apps/emqx/i18n/emqx_schema_i18n.conf
@@ -2063,6 +2063,23 @@ Type of the rate limit.
}
}
+base_listener_enable_authn {
+ desc {
+ en: """
+Set true (default) to enable client authentication on this listener.
+When set to false clients will be allowed to connect without authentication.
+"""
+ zh: """
+配置 true (默认值)启用客户端进行身份认证。
+配置 false 时,将不对客户端做任何认证。
+"""
+ }
+ label: {
+ en: "Enable authentication"
+ zh: "启用身份认证"
+ }
+}
+
mqtt_listener_access_rules {
desc {
en: """
diff --git a/apps/emqx/src/emqx_authentication.erl b/apps/emqx/src/emqx_authentication.erl
index 101be754d..ac6f42c04 100644
--- a/apps/emqx/src/emqx_authentication.erl
+++ b/apps/emqx/src/emqx_authentication.erl
@@ -214,6 +214,8 @@ when
%% Authenticate
%%------------------------------------------------------------------------------
+authenticate(#{enable_authn := false}, _AuthResult) ->
+ ignore;
authenticate(#{listener := Listener, protocol := Protocol} = Credential, _AuthResult) ->
case get_authenticators(Listener, global_chain(Protocol)) of
{ok, ChainName, Authenticators} ->
diff --git a/apps/emqx/src/emqx_channel.erl b/apps/emqx/src/emqx_channel.erl
index a562315f0..ffea58fbd 100644
--- a/apps/emqx/src/emqx_channel.erl
+++ b/apps/emqx/src/emqx_channel.erl
@@ -102,7 +102,11 @@
-type channel() :: #channel{}.
--type opts() :: #{zone := atom(), listener := {Type :: atom(), Name :: atom()}, atom() => term()}.
+-type opts() :: #{
+ zone := atom(),
+ listener := {Type :: atom(), Name :: atom()},
+ atom() => term()
+}.
-type conn_state() :: idle | connecting | connected | reauthenticating | disconnected.
@@ -235,7 +239,11 @@ init(
peername := {PeerHost, _Port},
sockname := {_Host, SockPort}
},
- #{zone := Zone, limiter := LimiterCfg, listener := {Type, Listener}}
+ #{
+ zone := Zone,
+ limiter := LimiterCfg,
+ listener := {Type, Listener}
+ } = Opts
) ->
Peercert = maps:get(peercert, ConnInfo, undefined),
Protocol = maps:get(protocol, ConnInfo, mqtt),
@@ -256,7 +264,8 @@ init(
username => undefined,
mountpoint => MountPoint,
is_bridge => false,
- is_superuser => false
+ is_superuser => false,
+ enable_authn => maps:get(enable_authn, Opts, true)
},
Zone
),
diff --git a/apps/emqx/src/emqx_listeners.erl b/apps/emqx/src/emqx_listeners.erl
index 087555b1c..9c0552601 100644
--- a/apps/emqx/src/emqx_listeners.erl
+++ b/apps/emqx/src/emqx_listeners.erl
@@ -304,7 +304,8 @@ do_start_listener(Type, ListenerName, #{bind := ListenOn} = Opts) when
#{
listener => {Type, ListenerName},
zone => zone(Opts),
- limiter => limiter(Opts)
+ limiter => limiter(Opts),
+ enable_authn => enable_authn(Opts)
}
]}
);
@@ -430,7 +431,8 @@ ws_opts(Type, ListenerName, Opts) ->
{emqx_map_lib:deep_get([websocket, mqtt_path], Opts, "/mqtt"), emqx_ws_connection, #{
zone => zone(Opts),
listener => {Type, ListenerName},
- limiter => limiter(Opts)
+ limiter => limiter(Opts),
+ enable_authn => enable_authn(Opts)
}}
],
Dispatch = cowboy_router:compile([{'_', WsPaths}]),
@@ -515,6 +517,9 @@ zone(Opts) ->
limiter(Opts) ->
maps:get(limiter, Opts, #{}).
+enable_authn(Opts) ->
+ maps:get(enable_authn, Opts, true).
+
ssl_opts(Opts) ->
maps:to_list(
emqx_tls_lib:drop_tls13_for_old_otp(
diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl
index 8ff16467e..ffd1896f0 100644
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@@ -1616,6 +1616,14 @@ base_listener(Bind) ->
desc => ?DESC(base_listener_limiter),
default => #{<<"connection">> => <<"default">>}
}
+ )},
+ {"enable_authn",
+ sc(
+ boolean(),
+ #{
+ desc => ?DESC(base_listener_enable_authn),
+ default => true
+ }
)}
].
diff --git a/apps/emqx/test/emqx_common_test_helpers.erl b/apps/emqx/test/emqx_common_test_helpers.erl
index dd9a56841..82455b3e0 100644
--- a/apps/emqx/test/emqx_common_test_helpers.erl
+++ b/apps/emqx/test/emqx_common_test_helpers.erl
@@ -38,8 +38,6 @@
]).
-export([
- change_emqx_opts/1,
- change_emqx_opts/2,
client_ssl/0,
client_ssl/1,
client_ssl_twoway/0,
@@ -320,58 +318,6 @@ wait_for(Fn, Ln, F, Timeout) ->
{Pid, Mref} = erlang:spawn_monitor(fun() -> wait_loop(F, catch_call(F)) end),
wait_for_down(Fn, Ln, Timeout, Pid, Mref, false).
-change_emqx_opts(SslType) ->
- change_emqx_opts(SslType, []).
-
-change_emqx_opts(SslType, MoreOpts) ->
- {ok, Listeners} = application:get_env(emqx, listeners),
- NewListeners =
- lists:map(
- fun(Listener) ->
- maybe_inject_listener_ssl_options(SslType, MoreOpts, Listener)
- end,
- Listeners
- ),
- emqx_conf:update([listeners], NewListeners, #{}).
-
-maybe_inject_listener_ssl_options(SslType, MoreOpts, {sll, Port, Opts}) ->
- %% this clause is kept to be backward compatible
- %% new config for listener is a map, old is a three-element tuple
- {ssl, Port, inject_listener_ssl_options(SslType, Opts, MoreOpts)};
-maybe_inject_listener_ssl_options(SslType, MoreOpts, #{proto := ssl, opts := Opts} = Listener) ->
- Listener#{opts := inject_listener_ssl_options(SslType, Opts, MoreOpts)};
-maybe_inject_listener_ssl_options(_SslType, _MoreOpts, Listener) ->
- Listener.
-
-inject_listener_ssl_options(SslType, Opts, MoreOpts) ->
- SslOpts = proplists:get_value(ssl_options, Opts),
- Keyfile = app_path(emqx, filename:join(["etc", "certs", "key.pem"])),
- Certfile = app_path(emqx, filename:join(["etc", "certs", "cert.pem"])),
- TupleList1 = lists:keyreplace(keyfile, 1, SslOpts, {keyfile, Keyfile}),
- TupleList2 = lists:keyreplace(certfile, 1, TupleList1, {certfile, Certfile}),
- TupleList3 =
- case SslType of
- ssl_twoway ->
- CAfile = app_path(emqx, proplists:get_value(cacertfile, ?MQTT_SSL_TWOWAY)),
- MutSslList = lists:keyreplace(
- cacertfile, 1, ?MQTT_SSL_TWOWAY, {cacertfile, CAfile}
- ),
- lists:merge(TupleList2, MutSslList);
- _ ->
- lists:filter(
- fun
- ({cacertfile, _}) -> false;
- ({verify, _}) -> false;
- ({fail_if_no_peer_cert, _}) -> false;
- (_) -> true
- end,
- TupleList2
- )
- end,
- TupleList4 = emqx_misc:merge_opts(TupleList3, proplists:get_value(ssl_options, MoreOpts, [])),
- NMoreOpts = emqx_misc:merge_opts(MoreOpts, [{ssl_options, TupleList4}]),
- emqx_misc:merge_opts(Opts, NMoreOpts).
-
flush() ->
flush([]).
diff --git a/apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl b/apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl
new file mode 100644
index 000000000..1d10169ae
--- /dev/null
+++ b/apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl
@@ -0,0 +1,103 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2022 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_authn_enable_flag_SUITE).
+
+-compile(export_all).
+-compile(nowarn_export_all).
+
+-include("emqx_authn.hrl").
+
+-define(PATH, [?CONF_NS_ATOM]).
+
+-include_lib("eunit/include/eunit.hrl").
+
+all() ->
+ emqx_common_test_helpers:all(?MODULE).
+
+init_per_suite(Config) ->
+ emqx_common_test_helpers:start_apps([emqx_conf, emqx_authn]),
+ Config.
+
+end_per_suite(_) ->
+ emqx_common_test_helpers:stop_apps([emqx_authn, emqx_conf]),
+ ok.
+
+init_per_testcase(_Case, Config) ->
+ AuthnConfig = #{
+ <<"mechanism">> => <<"password_based">>,
+ <<"backend">> => <<"built_in_database">>,
+ <<"user_id_type">> => <<"clientid">>
+ },
+ emqx:update_config(
+ ?PATH,
+ {create_authenticator, ?GLOBAL, AuthnConfig}
+ ),
+
+ emqx_conf:update(
+ [listeners, tcp, listener_authn_enabled], {create, listener_mqtt_tcp_conf(18830, true)}, #{}
+ ),
+ emqx_conf:update(
+ [listeners, tcp, listener_authn_disabled],
+ {create, listener_mqtt_tcp_conf(18831, false)},
+ #{}
+ ),
+ Config.
+
+end_per_testcase(_Case, Config) ->
+ emqx_authn_test_lib:delete_authenticators(
+ ?PATH,
+ ?GLOBAL
+ ),
+ emqx_conf:remove(
+ [listeners, tcp, listener_authn_enabled], #{}
+ ),
+ emqx_conf:remove(
+ [listeners, tcp, listener_authn_disabled], #{}
+ ),
+ Config.
+
+listener_mqtt_tcp_conf(Port, EnableAuthn) ->
+ #{
+ acceptors => 16,
+ zone => default,
+ access_rules => ["allow all"],
+ bind => {{0, 0, 0, 0}, Port},
+ max_connections => 1024000,
+ mountpoint => <<>>,
+ proxy_protocol => false,
+ proxy_protocol_timeout => 3000,
+ enable_authn => EnableAuthn
+ }.
+
+t_enable_authn(_Config) ->
+ %% enable_authn set to false, we connect successfully
+ {ok, ConnPid0} = emqtt:start_link([{port, 18831}, {clientid, <<"clientid">>}]),
+ ?assertMatch(
+ {ok, _},
+ emqtt:connect(ConnPid0)
+ ),
+ ok = emqtt:disconnect(ConnPid0),
+
+ process_flag(trap_exit, true),
+
+ %% enable_authn set to true, we go to the set up authn and fail
+ {ok, ConnPid1} = emqtt:start_link([{port, 18830}, {clientid, <<"clientid">>}]),
+ ?assertMatch(
+ {error, {unauthorized_client, _}},
+ emqtt:connect(ConnPid1)
+ ),
+ ok.
diff --git a/apps/emqx_authn/test/emqx_authn_http_SUITE.erl b/apps/emqx_authn/test/emqx_authn_http_SUITE.erl
index a22c7765e..fc79970af 100644
--- a/apps/emqx_authn/test/emqx_authn_http_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_http_SUITE.erl
@@ -84,8 +84,8 @@ t_create_invalid(_Config) ->
InvalidConfigs =
[
- AuthConfig#{headers => []},
- AuthConfig#{method => delete}
+ AuthConfig#{<<"headers">> => []},
+ AuthConfig#{<<"method">> => <<"delete">>}
],
lists:foreach(
@@ -181,7 +181,7 @@ t_destroy(_Config) ->
t_update(_Config) ->
CorrectConfig = raw_http_auth_config(),
IncorrectConfig =
- CorrectConfig#{url => <<"http://127.0.0.1:32333/invalid">>},
+ CorrectConfig#{<<"url">> => <<"http://127.0.0.1:32333/invalid">>},
{ok, _} = emqx:update_config(
?PATH,
@@ -265,14 +265,14 @@ test_is_superuser({Kind, Value, ExpectedValue}) ->
raw_http_auth_config() ->
#{
- mechanism => <<"password_based">>,
- enable => <<"true">>,
+ <<"mechanism">> => <<"password_based">>,
+ <<"enable">> => <<"true">>,
- backend => <<"http">>,
- method => <<"get">>,
- url => <<"http://127.0.0.1:32333/auth">>,
- body => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD},
- headers => #{<<"X-Test-Header">> => <<"Test Value">>}
+ <<"backend">> => <<"http">>,
+ <<"method">> => <<"get">>,
+ <<"url">> => <<"http://127.0.0.1:32333/auth">>,
+ <<"body">> => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD},
+ <<"headers">> => #{<<"X-Test-Header">> => <<"Test Value">>}
}.
samples() ->
@@ -355,8 +355,8 @@ samples() ->
{ok, Req, State}
end,
config_params => #{
- method => post,
- headers => #{<<"content-type">> => <<"application/json">>}
+ <<"method">> => <<"post">>,
+ <<"headers">> => #{<<"content-type">> => <<"application/json">>}
},
result => {ok, #{is_superuser => false}}
},
@@ -373,8 +373,8 @@ samples() ->
{ok, Req, State}
end,
config_params => #{
- method => post,
- headers => #{
+ <<"method">> => <<"post">>,
+ <<"headers">> => #{
<<"content-type">> =>
<<"application/x-www-form-urlencoded">>
}
diff --git a/apps/emqx_authn/test/emqx_authn_https_SUITE.erl b/apps/emqx_authn/test/emqx_authn_https_SUITE.erl
index c3327c31b..ae4508967 100644
--- a/apps/emqx_authn/test/emqx_authn_https_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_https_SUITE.erl
@@ -140,18 +140,18 @@ create_https_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_https_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
- #{enable => <<"true">>}
+ #{<<"enable">> => <<"true">>}
),
#{
- mechanism => <<"password_based">>,
- enable => <<"true">>,
+ <<"mechanism">> => <<"password_based">>,
+ <<"enable">> => <<"true">>,
- backend => <<"http">>,
- method => <<"get">>,
- url => <<"https://127.0.0.1:32334/auth">>,
- body => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD},
- headers => #{<<"X-Test-Header">> => <<"Test Value">>},
- ssl => maps:merge(SSLOpts, SpecificSSLOpts)
+ <<"backend">> => <<"http">>,
+ <<"method">> => <<"get">>,
+ <<"url">> => <<"https://127.0.0.1:32334/auth">>,
+ <<"body">> => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD},
+ <<"headers">> => #{<<"X-Test-Header">> => <<"Test Value">>},
+ <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts)
}.
start_apps(Apps) ->
diff --git a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
index 69ed42cd7..e5d56aa1f 100644
--- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
@@ -492,14 +492,14 @@ generate_jws('public-key', Payload, PrivateKey) ->
JWS.
client_ssl_opts() ->
- maps:merge(
- emqx_authn_test_lib:client_ssl_cert_opts(),
- #{
- enable => true,
- verify => verify_peer,
- server_name_indication => "authn-server"
- }
- ).
+ #{
+ keyfile => cert_file("client.key"),
+ certfile => cert_file("client.crt"),
+ cacertfile => cert_file("ca.crt"),
+ enable => true,
+ verify => verify_peer,
+ server_name_indication => "authn-server"
+ }.
server_ssl_opts() ->
[
diff --git a/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl
index dfdc0fdd1..c39d4a2a2 100644
--- a/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl
@@ -83,9 +83,9 @@ t_create_invalid(_Config) ->
InvalidConfigs =
[
- AuthConfig#{mongo_type => <<"unknown">>},
- AuthConfig#{filter => <<"{ \"username\": \"${username}\" }">>},
- AuthConfig#{w_mode => <<"unknown">>}
+ AuthConfig#{<<"mongo_type">> => <<"unknown">>},
+ AuthConfig#{<<"filter">> => <<"{ \"username\": \"${username}\" }">>},
+ AuthConfig#{<<"w_mode">> => <<"unknown">>}
],
lists:foreach(
@@ -180,7 +180,7 @@ t_update(_Config) ->
ok = init_seeds(),
CorrectConfig = raw_mongo_auth_config(),
IncorrectConfig =
- CorrectConfig#{filter => #{<<"wrongfield">> => <<"wrongvalue">>}},
+ CorrectConfig#{<<"filter">> => #{<<"wrongfield">> => <<"wrongvalue">>}},
{ok, _} = emqx:update_config(
?PATH,
@@ -265,24 +265,24 @@ test_is_superuser({Value, ExpectedValue}) ->
raw_mongo_auth_config() ->
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"mongodb">>,
- mongo_type => <<"single">>,
- database => <<"mqtt">>,
- collection => <<"users">>,
- server => mongo_server(),
- w_mode => <<"unsafe">>,
+ <<"backend">> => <<"mongodb">>,
+ <<"mongo_type">> => <<"single">>,
+ <<"database">> => <<"mqtt">>,
+ <<"collection">> => <<"users">>,
+ <<"server">> => mongo_server(),
+ <<"w_mode">> => <<"unsafe">>,
- filter => #{<<"username">> => <<"${username}">>},
- password_hash_field => <<"password_hash">>,
- salt_field => <<"salt">>,
- is_superuser_field => <<"is_superuser">>
+ <<"filter">> => #{<<"username">> => <<"${username}">>},
+ <<"password_hash_field">> => <<"password_hash">>,
+ <<"salt_field">> => <<"salt">>,
+ <<"is_superuser_field">> => <<"is_superuser">>
}.
user_seeds() ->
@@ -314,9 +314,9 @@ user_seeds() ->
password => <<"md5">>
},
config_params => #{
- password_hash_algorithm => #{
- name => <<"md5">>,
- salt_position => <<"suffix">>
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"md5">>,
+ <<"salt_position">> => <<"suffix">>
}
},
result => {ok, #{is_superuser => false}}
@@ -335,10 +335,10 @@ user_seeds() ->
password => <<"sha256">>
},
config_params => #{
- filter => #{<<"username">> => <<"${clientid}">>},
- password_hash_algorithm => #{
- name => <<"sha256">>,
- salt_position => <<"prefix">>
+ <<"filter">> => #{<<"username">> => <<"${clientid}">>},
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"sha256">>,
+ <<"salt_position">> => <<"prefix">>
}
},
result => {ok, #{is_superuser => true}}
@@ -357,7 +357,7 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {ok, #{is_superuser => false}}
},
@@ -376,8 +376,8 @@ user_seeds() ->
},
config_params => #{
% clientid variable & username credentials
- filter => #{<<"username">> => <<"${clientid}">>},
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"filter">> => #{<<"username">> => <<"${clientid}">>},
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -395,8 +395,8 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
- filter => #{<<"userid">> => <<"${clientid}">>},
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"filter">> => #{<<"userid">> => <<"${clientid}">>},
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -415,7 +415,7 @@ user_seeds() ->
password => <<"wrongpass">>
},
config_params => #{
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, bad_username_or_password}
}
diff --git a/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl
index f46316488..ebece6c3e 100644
--- a/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl
@@ -171,33 +171,33 @@ create_mongo_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_mongo_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
- #{enable => <<"true">>}
+ #{<<"enable">> => <<"true">>}
),
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"mongodb">>,
- pool_size => 2,
- mongo_type => <<"single">>,
- database => <<"mqtt">>,
- collection => <<"users">>,
- server => mongo_server(),
- w_mode => <<"unsafe">>,
+ <<"backend">> => <<"mongodb">>,
+ <<"pool_size">> => 2,
+ <<"mongo_type">> => <<"single">>,
+ <<"database">> => <<"mqtt">>,
+ <<"collection">> => <<"users">>,
+ <<"server">> => mongo_server(),
+ <<"w_mode">> => <<"unsafe">>,
- filter => #{<<"username">> => <<"${username}">>},
- password_hash_field => <<"password_hash">>,
- salt_field => <<"salt">>,
- is_superuser_field => <<"is_superuser">>,
- topology => #{
- server_selection_timeout_ms => <<"10000ms">>
+ <<"filter">> => #{<<"username">> => <<"${username}">>},
+ <<"password_hash_field">> => <<"password_hash">>,
+ <<"salt_field">> => <<"salt">>,
+ <<"is_superuser_field">> => <<"is_superuser">>,
+ <<"topology">> => #{
+ <<"server_selection_timeout_ms">> => <<"10000ms">>
},
- ssl => maps:merge(SSLOpts, SpecificSSLOpts)
+ <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts)
}.
mongo_server() ->
diff --git a/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl
index c8bee9223..abf36c167 100644
--- a/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl
@@ -100,10 +100,10 @@ t_create_invalid(_Config) ->
InvalidConfigs =
[
- maps:without([server], AuthConfig),
- AuthConfig#{server => <<"unknownhost:3333">>},
- AuthConfig#{password => <<"wrongpass">>},
- AuthConfig#{database => <<"wrongdatabase">>}
+ maps:without([<<"server">>], AuthConfig),
+ AuthConfig#{<<"server">> => <<"unknownhost:3333">>},
+ AuthConfig#{<<"password">> => <<"wrongpass">>},
+ AuthConfig#{<<"database">> => <<"wrongdatabase">>}
],
lists:foreach(
@@ -194,7 +194,7 @@ t_update(_Config) ->
CorrectConfig = raw_mysql_auth_config(),
IncorrectConfig =
CorrectConfig#{
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM wrong_table where username = ${username} LIMIT 1"
@@ -236,24 +236,24 @@ t_update(_Config) ->
raw_mysql_auth_config() ->
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"mysql">>,
- database => <<"mqtt">>,
- username => <<"root">>,
- password => <<"public">>,
+ <<"backend">> => <<"mysql">>,
+ <<"database">> => <<"mqtt">>,
+ <<"username">> => <<"root">>,
+ <<"password">> => <<"public">>,
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- server => mysql_server()
+ <<"server">> => mysql_server()
}.
user_seeds() ->
@@ -285,9 +285,9 @@ user_seeds() ->
password => <<"md5">>
},
config_params => #{
- password_hash_algorithm => #{
- name => <<"md5">>,
- salt_position => <<"suffix">>
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"md5">>,
+ <<"salt_position">> => <<"suffix">>
}
},
result => {ok, #{is_superuser => false}}
@@ -305,14 +305,14 @@ user_seeds() ->
password => <<"sha256">>
},
config_params => #{
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
- password_hash_algorithm => #{
- name => <<"sha256">>,
- salt_position => <<"prefix">>
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"sha256">>,
+ <<"salt_position">> => <<"prefix">>
}
},
result => {ok, #{is_superuser => true}}
@@ -330,12 +330,12 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {ok, #{is_superuser => false}}
},
@@ -351,12 +351,12 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {ok, #{is_superuser => false}}
},
@@ -374,12 +374,12 @@ user_seeds() ->
},
config_params => #{
% clientid variable & username credentials
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -397,12 +397,12 @@ user_seeds() ->
},
config_params => #{
% Bad keys in query
- query =>
+ <<"query">> =>
<<
"SELECT 1 AS unknown_field\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -420,7 +420,7 @@ user_seeds() ->
password => <<"wrongpass">>
},
config_params => #{
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, bad_username_or_password}
}
diff --git a/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl
index f3af66cae..7d642c230 100644
--- a/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl
@@ -131,28 +131,28 @@ create_mysql_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_mysql_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
- #{enable => <<"true">>}
+ #{<<"enable">> => <<"true">>}
),
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"mysql">>,
- database => <<"mqtt">>,
- username => <<"root">>,
- password => <<"public">>,
+ <<"backend">> => <<"mysql">>,
+ <<"database">> => <<"mqtt">>,
+ <<"username">> => <<"root">>,
+ <<"password">> => <<"public">>,
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- server => mysql_server(),
- ssl => maps:merge(SSLOpts, SpecificSSLOpts)
+ <<"server">> => mysql_server(),
+ <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts)
}.
mysql_server() ->
diff --git a/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl b/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl
index 618768e42..ec29ba422 100644
--- a/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl
@@ -101,10 +101,10 @@ t_create_invalid(_Config) ->
InvalidConfigs =
[
- maps:without([server], AuthConfig),
- AuthConfig#{server => <<"unknownhost:3333">>},
- AuthConfig#{password => <<"wrongpass">>},
- AuthConfig#{database => <<"wrongdatabase">>}
+ maps:without([<<"server">>], AuthConfig),
+ AuthConfig#{<<"server">> => <<"unknownhost:3333">>},
+ AuthConfig#{<<"password">> => <<"wrongpass">>},
+ AuthConfig#{<<"database">> => <<"wrongdatabase">>}
],
lists:foreach(
@@ -195,7 +195,7 @@ t_update(_Config) ->
CorrectConfig = raw_pgsql_auth_config(),
IncorrectConfig =
CorrectConfig#{
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 0"
@@ -274,7 +274,7 @@ test_is_superuser({Field, Value, ExpectedValue}) ->
" as is_superuser "
"FROM users where username = ${username} LIMIT 1",
- Config = maps:put(query, Query, raw_pgsql_auth_config()),
+ Config = maps:put(<<"query">>, Query, raw_pgsql_auth_config()),
{ok, _} = emqx:update_config(
?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:postgresql">>, Config}
@@ -298,24 +298,24 @@ test_is_superuser({Field, Value, ExpectedValue}) ->
raw_pgsql_auth_config() ->
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"postgresql">>,
- database => <<"mqtt">>,
- username => <<"root">>,
- password => <<"public">>,
+ <<"backend">> => <<"postgresql">>,
+ <<"database">> => <<"mqtt">>,
+ <<"username">> => <<"root">>,
+ <<"password">> => <<"public">>,
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- server => pgsql_server()
+ <<"server">> => pgsql_server()
}.
user_seeds() ->
@@ -347,9 +347,9 @@ user_seeds() ->
password => <<"md5">>
},
config_params => #{
- password_hash_algorithm => #{
- name => <<"md5">>,
- salt_position => <<"suffix">>
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"md5">>,
+ <<"salt_position">> => <<"suffix">>
}
},
result => {ok, #{is_superuser => false}}
@@ -367,14 +367,14 @@ user_seeds() ->
password => <<"sha256">>
},
config_params => #{
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
- password_hash_algorithm => #{
- name => <<"sha256">>,
- salt_position => <<"prefix">>
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"sha256">>,
+ <<"salt_position">> => <<"prefix">>
}
},
result => {ok, #{is_superuser => true}}
@@ -392,12 +392,12 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {ok, #{is_superuser => false}}
},
@@ -415,12 +415,12 @@ user_seeds() ->
},
config_params => #{
% clientid variable & username credentials
- query =>
+ <<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -438,12 +438,12 @@ user_seeds() ->
},
config_params => #{
% Bad keys in query
- query =>
+ <<"query">> =>
<<
"SELECT 1 AS unknown_field\n"
" FROM users where username = ${username} LIMIT 1"
>>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -461,7 +461,7 @@ user_seeds() ->
password => <<"wrongpass">>
},
config_params => #{
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, bad_username_or_password}
}
diff --git a/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl
index a1a34927a..e2b44b93d 100644
--- a/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl
@@ -131,24 +131,24 @@ create_pgsql_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_pgsql_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
- #{enable => <<"true">>}
+ #{<<"enable">> => <<"true">>}
),
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"postgresql">>,
- database => <<"mqtt">>,
- username => <<"root">>,
- password => <<"public">>,
+ <<"backend">> => <<"postgresql">>,
+ <<"database">> => <<"mqtt">>,
+ <<"username">> => <<"root">>,
+ <<"password">> => <<"public">>,
- query => <<"SELECT 1">>,
- server => pgsql_server(),
- ssl => maps:merge(SSLOpts, SpecificSSLOpts)
+ <<"query">> => <<"SELECT 1">>,
+ <<"server">> => pgsql_server(),
+ <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts)
}.
pgsql_server() ->
diff --git a/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl b/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
index 1ff391729..77e35bf3b 100644
--- a/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
@@ -102,16 +102,16 @@ t_create_invalid(_Config) ->
InvalidConfigs =
[
AuthConfig#{
- cmd => <<"MGET password_hash:${username} salt:${username}">>
+ <<"cmd">> => <<"MGET password_hash:${username} salt:${username}">>
},
AuthConfig#{
- cmd => <<"HMGET mqtt_user:${username} password_hash invalid_field">>
+ <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash invalid_field">>
},
AuthConfig#{
- cmd => <<"HMGET mqtt_user:${username} salt is_superuser">>
+ <<"cmd">> => <<"HMGET mqtt_user:${username} salt is_superuser">>
},
AuthConfig#{
- cmd => <<"HGETALL mqtt_user:${username} salt is_superuser">>
+ <<"cmd">> => <<"HGETALL mqtt_user:${username} salt is_superuser">>
}
],
lists:foreach(
@@ -131,10 +131,10 @@ t_create_invalid(_Config) ->
InvalidConfigs1 =
[
- maps:without([server], AuthConfig),
- AuthConfig#{server => <<"unknownhost:3333">>},
- AuthConfig#{password => <<"wrongpass">>},
- AuthConfig#{database => <<"5678">>}
+ maps:without([<<"server">>], AuthConfig),
+ AuthConfig#{<<"server">> => <<"unknownhost:3333">>},
+ AuthConfig#{<<"password">> => <<"wrongpass">>},
+ AuthConfig#{<<"database">> => <<"5678">>}
],
lists:foreach(
@@ -225,7 +225,7 @@ t_update(_Config) ->
CorrectConfig = raw_redis_auth_config(),
IncorrectConfig =
CorrectConfig#{
- cmd => <<"HMGET invalid_key:${username} password_hash salt is_superuser">>
+ <<"cmd">> => <<"HMGET invalid_key:${username} password_hash salt is_superuser">>
},
{ok, _} = emqx:update_config(
@@ -263,19 +263,19 @@ t_update(_Config) ->
raw_redis_auth_config() ->
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"redis">>,
- cmd => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>,
- database => <<"1">>,
- password => <<"public">>,
- redis_type => <<"single">>,
- server => redis_server()
+ <<"backend">> => <<"redis">>,
+ <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>,
+ <<"database">> => <<"1">>,
+ <<"password">> => <<"public">>,
+ <<"redis_type">> => <<"single">>,
+ <<"server">> => redis_server()
}.
user_seeds() ->
@@ -307,9 +307,9 @@ user_seeds() ->
},
key => <<"mqtt_user:md5">>,
config_params => #{
- password_hash_algorithm => #{
- name => <<"md5">>,
- salt_position => <<"suffix">>
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"md5">>,
+ <<"salt_position">> => <<"suffix">>
}
},
result => {ok, #{is_superuser => false}}
@@ -328,10 +328,10 @@ user_seeds() ->
},
key => <<"mqtt_user:sha256">>,
config_params => #{
- cmd => <<"HMGET mqtt_user:${clientid} password_hash salt is_superuser">>,
- password_hash_algorithm => #{
- name => <<"sha256">>,
- salt_position => <<"prefix">>
+ <<"cmd">> => <<"HMGET mqtt_user:${clientid} password_hash salt is_superuser">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"sha256">>,
+ <<"salt_position">> => <<"prefix">>
}
},
result => {ok, #{is_superuser => true}}
@@ -349,10 +349,10 @@ user_seeds() ->
},
key => <<"mqtt_user:sha256_no_salt">>,
config_params => #{
- cmd => <<"HMGET mqtt_user:${clientid} password_hash is_superuser">>,
- password_hash_algorithm => #{
- name => <<"sha256">>,
- salt_position => <<"disable">>
+ <<"cmd">> => <<"HMGET mqtt_user:${clientid} password_hash is_superuser">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"sha256">>,
+ <<"salt_position">> => <<"disable">>
}
},
result => {ok, #{is_superuser => true}}
@@ -371,7 +371,7 @@ user_seeds() ->
},
key => <<"mqtt_user:bcrypt">>,
config_params => #{
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {ok, #{is_superuser => false}}
},
@@ -387,10 +387,10 @@ user_seeds() ->
},
key => <<"mqtt_user:pbkdf2">>,
config_params => #{
- password_hash_algorithm => #{
- name => <<"pbkdf2">>,
- iterations => 2,
- mac_fun => sha
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"pbkdf2">>,
+ <<"iterations">> => <<"2">>,
+ <<"mac_fun">> => <<"sha">>
}
},
result => {ok, #{is_superuser => false}}
@@ -409,8 +409,8 @@ user_seeds() ->
key => <<"mqtt_user:bcrypt0">>,
config_params => #{
% clientid variable & username credentials
- cmd => <<"HMGET mqtt_client:${clientid} password_hash salt is_superuser">>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"cmd">> => <<"HMGET mqtt_client:${clientid} password_hash salt is_superuser">>,
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -429,8 +429,8 @@ user_seeds() ->
key => <<"mqtt_user:bcrypt1">>,
config_params => #{
% Bad key in cmd
- cmd => <<"HMGET badkey:${username} password_hash salt is_superuser">>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"cmd">> => <<"HMGET badkey:${username} password_hash salt is_superuser">>,
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, not_authorized}
},
@@ -449,8 +449,8 @@ user_seeds() ->
},
key => <<"mqtt_user:bcrypt2">>,
config_params => #{
- cmd => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>,
- password_hash_algorithm => #{name => <<"bcrypt">>}
+ <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>,
+ <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>}
},
result => {error, bad_username_or_password}
}
diff --git a/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl
index 6ef889166..781d84d98 100644
--- a/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl
@@ -130,23 +130,23 @@ create_redis_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_redis_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
- #{enable => <<"true">>}
+ #{<<"enable">> => <<"true">>}
),
#{
- mechanism => <<"password_based">>,
- password_hash_algorithm => #{
- name => <<"plain">>,
- salt_position => <<"suffix">>
+ <<"mechanism">> => <<"password_based">>,
+ <<"password_hash_algorithm">> => #{
+ <<"name">> => <<"plain">>,
+ <<"salt_position">> => <<"suffix">>
},
- enable => <<"true">>,
+ <<"enable">> => <<"true">>,
- backend => <<"redis">>,
- cmd => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>,
- database => <<"1">>,
- password => <<"public">>,
- server => redis_server(),
- redis_type => <<"single">>,
- ssl => maps:merge(SSLOpts, SpecificSSLOpts)
+ <<"backend">> => <<"redis">>,
+ <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>,
+ <<"database">> => <<"1">>,
+ <<"password">> => <<"public">>,
+ <<"server">> => redis_server(),
+ <<"redis_type">> => <<"single">>,
+ <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts)
}.
redis_server() ->
diff --git a/apps/emqx_authn/test/emqx_authn_test_lib.erl b/apps/emqx_authn/test/emqx_authn_test_lib.erl
index 9e162b718..7a770be5a 100644
--- a/apps/emqx_authn/test/emqx_authn_test_lib.erl
+++ b/apps/emqx_authn/test/emqx_authn_test_lib.erl
@@ -62,7 +62,7 @@ delete_config(ID) ->
client_ssl_cert_opts() ->
Dir = code:lib_dir(emqx_authn, test),
#{
- keyfile => filename:join([Dir, "data/certs", "client.key"]),
- certfile => filename:join([Dir, "data/certs", "client.crt"]),
- cacertfile => filename:join([Dir, "data/certs", "ca.crt"])
+ <<"keyfile">> => filename:join([Dir, <<"data/certs">>, <<"client.key">>]),
+ <<"certfile">> => filename:join([Dir, <<"data/certs">>, <<"client.crt">>]),
+ <<"cacertfile">> => filename:join([Dir, <<"data/certs">>, <<"ca.crt">>])
}.
diff --git a/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf b/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf
index fb9a5377d..7f8bd6dcf 100644
--- a/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf
+++ b/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf
@@ -589,6 +589,15 @@ See: https://erlang.org/doc/man/inet.html#setopts-2"""
}
}
+ gateway_common_listener_enable_authn {
+ desc {
+ en: """Set true (default) to enable client authentication on this listener.
+When set to false clients will be allowed to connect without authentication."""
+ zh: """配置 true (默认值)启用客户端进行身份认证。
+配置 false 时,将不对客户端做任何认证。"""
+ }
+ }
+
gateway_common_listener_mountpoint {
desc {
en: """When publishing or subscribing, prefix all topics with a mountpoint string.
diff --git a/apps/emqx_gateway/src/coap/emqx_coap_channel.erl b/apps/emqx_gateway/src/coap/emqx_coap_channel.erl
index 207524448..c40cbe467 100644
--- a/apps/emqx_gateway/src/coap/emqx_coap_channel.erl
+++ b/apps/emqx_gateway/src/coap/emqx_coap_channel.erl
@@ -131,6 +131,7 @@ init(
) ->
Peercert = maps:get(peercert, ConnInfo, undefined),
Mountpoint = maps:get(mountpoint, Config, <<>>),
+ EnableAuthn = maps:get(enable_authn, Config, true),
ListenerId =
case maps:get(listener, Config, undefined) of
undefined -> undefined;
@@ -148,6 +149,7 @@ init(
username => undefined,
is_bridge => false,
is_superuser => false,
+ enable_authn => EnableAuthn,
mountpoint => Mountpoint
}
),
diff --git a/apps/emqx_gateway/src/emqx_gateway_ctx.erl b/apps/emqx_gateway/src/emqx_gateway_ctx.erl
index dfe7c9466..d6b9c17b2 100644
--- a/apps/emqx_gateway/src/emqx_gateway_ctx.erl
+++ b/apps/emqx_gateway/src/emqx_gateway_ctx.erl
@@ -26,11 +26,9 @@
%% configuration, register devices and other common operations.
%%
-type context() ::
- %% Gateway Name
#{
+ %% Gateway Name
gwname := gateway_name(),
- %% Authentication chains
- auth := [emqx_authentication:chain_name()],
%% The ConnectionManager PID
cm := pid()
}.
@@ -67,9 +65,7 @@
-spec authenticate(context(), emqx_types:clientinfo()) ->
{ok, emqx_types:clientinfo()}
| {error, any()}.
-authenticate(_Ctx = #{auth := _ChainNames}, ClientInfo0) when
- is_list(_ChainNames)
-->
+authenticate(_Ctx, ClientInfo0) ->
ClientInfo = ClientInfo0#{zone => default},
case emqx_access_control:authenticate(ClientInfo) of
{ok, _} ->
diff --git a/apps/emqx_gateway/src/emqx_gateway_schema.erl b/apps/emqx_gateway/src/emqx_gateway_schema.erl
index e5cec7861..dfe937024 100644
--- a/apps/emqx_gateway/src/emqx_gateway_schema.erl
+++ b/apps/emqx_gateway/src/emqx_gateway_schema.erl
@@ -649,6 +649,14 @@ common_listener_opts() ->
}
)},
{?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_ATOM, authentication_schema()},
+ {"enable_authn",
+ sc(
+ boolean(),
+ #{
+ desc => ?DESC(gateway_common_listener_enable_authn),
+ default => true
+ }
+ )},
{mountpoint,
sc(
binary(),
diff --git a/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl b/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl
index c0cce4456..861ae3189 100644
--- a/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl
+++ b/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl
@@ -157,7 +157,12 @@ init(
undefined -> undefined;
{GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName)
end,
- ClientInfo = maps:put(listener, ListenerId, default_clientinfo(ConnInfo)),
+ EnableAuthn = maps:get(enable_authn, Options, true),
+ DefaultClientInfo = default_clientinfo(ConnInfo),
+ ClientInfo = DefaultClientInfo#{
+ listener => ListenerId,
+ enable_authn => EnableAuthn
+ },
Channel = #channel{
ctx = Ctx,
gcli = #{channel => GRpcChann, pool_name => PoolName},
diff --git a/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl b/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl
index 61b08239a..b6f2b870e 100644
--- a/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl
+++ b/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl
@@ -128,6 +128,7 @@ init(
undefined -> undefined;
{GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName)
end,
+ EnableAuthn = maps:get(enable_authn, Config, true),
ClientInfo = set_peercert_infos(
Peercert,
#{
@@ -140,6 +141,7 @@ init(
clientid => undefined,
is_bridge => false,
is_superuser => false,
+ enable_authn => EnableAuthn,
mountpoint => Mountpoint
}
),
diff --git a/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl b/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl
index 9955f75d9..b5e051193 100644
--- a/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl
+++ b/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl
@@ -156,6 +156,7 @@ init(
undefined -> undefined;
{GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName)
end,
+ EnableAuthn = maps:get(enable_authn, Option, true),
ClientInfo = set_peercert_infos(
Peercert,
#{
@@ -168,6 +169,7 @@ init(
username => undefined,
is_bridge => false,
is_superuser => false,
+ enable_authn => EnableAuthn,
mountpoint => Mountpoint
}
),
diff --git a/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl b/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl
index 6e6a67d0b..e698ce17f 100644
--- a/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl
+++ b/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl
@@ -127,6 +127,7 @@ init(
undefined -> undefined;
{GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName)
end,
+ EnableAuthn = maps:get(enable_authn, Option, true),
ClientInfo = setting_peercert_infos(
Peercert,
#{
@@ -139,6 +140,7 @@ init(
username => undefined,
is_bridge => false,
is_superuser => false,
+ enable_authn => EnableAuthn,
mountpoint => Mountpoint
}
),
diff --git a/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl b/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl
index dece25ea9..604321897 100644
--- a/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl
+++ b/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl
@@ -109,6 +109,12 @@ t_case_coap(_) ->
Prefix ++
"/connection?clientid=client1&username=bad&password=bad",
Login(LeftUrl, ?checkMatch({error, bad_request, _Data})),
+
+ disable_authn(coap, udp, default),
+ NowRightUrl =
+ Prefix ++
+ "/connection?clientid=client1&username=bad&password=bad",
+ Login(NowRightUrl, ?checkMatch({ok, created, _Data})),
ok.
-record(coap_content, {content_format, payload = <<>>}).
@@ -155,6 +161,11 @@ t_case_lwm2m(_) ->
NoInfoUrl = "coap://127.0.0.1:~b/rd?ep=~ts<=345&lwm2m=1",
Login(NoInfoUrl, MakeCheker(ack, {error, bad_request})),
+
+ disable_authn(lwm2m, udp, default),
+ NowRightUrl = "coap://127.0.0.1:~b/rd?ep=~ts<=345&lwm2m=1&imei=bad&password=bad",
+ Login(NowRightUrl, MakeCheker(ack, {ok, created})),
+
ok.
-define(SN_CONNACK, 16#05).
@@ -182,6 +193,9 @@ t_case_mqttsn(_) ->
end,
Login(<<"badadmin">>, <<"badpassowrd">>, <<3, ?SN_CONNACK, 16#80>>),
Login(<<"admin">>, <<"public">>, <<3, ?SN_CONNACK, 0>>),
+
+ disable_authn(mqttsn, udp, default),
+ Login(<<"badadmin">>, <<"badpassowrd">>, <<3, ?SN_CONNACK, 0>>),
ok.
t_case_stomp(_) ->
@@ -220,6 +234,15 @@ t_case_stomp(_) ->
?assertEqual(<<"Login Failed: not_authorized">>, Mod:get_field(body, Frame))
end),
+ disable_authn(stomp, tcp, default),
+ Login(
+ <<"bad">>,
+ <<"bad">>,
+ ?FUNCTOR(
+ Frame,
+ ?assertEqual(<<"CONNECTED">>, Mod:get_field(command, Frame))
+ )
+ ),
ok.
t_case_exproto(_) ->
@@ -249,5 +272,18 @@ t_case_exproto(_) ->
end,
Login(<<"admin">>, <<"public">>, SvrMod:frame_connack(0)),
Login(<<"bad">>, <<"bad">>, SvrMod:frame_connack(1)),
+
+ disable_authn(exproto, tcp, default),
+ Login(<<"bad">>, <<"bad">>, SvrMod:frame_connack(0)),
+
SvrMod:stop(Svrs),
ok.
+
+disable_authn(GwName, Type, Name) ->
+ RawCfg = emqx_conf:get_raw([gateway, GwName], #{}),
+ ListenerCfg = emqx_map_lib:deep_get(
+ [<<"listeners">>, atom_to_binary(Type), atom_to_binary(Name)], RawCfg
+ ),
+ {ok, _} = emqx_gateway_conf:update_listener(GwName, {Type, Name}, ListenerCfg#{
+ <<"enable_authn">> => false
+ }).
diff --git a/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl b/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl
index 32e155068..094da93d2 100644
--- a/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl
+++ b/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl
@@ -50,7 +50,7 @@ end_per_suite(_Conf) ->
%%--------------------------------------------------------------------
t_authenticate(_) ->
- Ctx = #{gwname => mqttsn, auth => [], cm => self()},
+ Ctx = #{gwname => mqttsn, cm => self()},
Info1 = #{
mountpoint => undefined,
clientid => <<"user1">>