From e381e3698f67d4a140fa71fcd584e873a2394688 Mon Sep 17 00:00:00 2001 From: Ilya Averyanov Date: Wed, 15 Jun 2022 16:50:05 +0300 Subject: [PATCH 1/2] feat(authn): add enable_authn flag for listeners --- apps/emqx/i18n/emqx_schema_i18n.conf | 17 +++ apps/emqx/src/emqx_authentication.erl | 2 + apps/emqx/src/emqx_channel.erl | 15 ++- apps/emqx/src/emqx_listeners.erl | 9 +- apps/emqx/src/emqx_schema.erl | 8 ++ apps/emqx/test/emqx_common_test_helpers.erl | 54 --------- .../test/emqx_authn_enable_flag_SUITE.erl | 103 ++++++++++++++++++ .../i18n/emqx_gateway_schema_i18n.conf | 9 ++ .../src/coap/emqx_coap_channel.erl | 2 + apps/emqx_gateway/src/emqx_gateway_ctx.erl | 8 +- apps/emqx_gateway/src/emqx_gateway_schema.erl | 8 ++ .../src/exproto/emqx_exproto_channel.erl | 7 +- .../src/lwm2m/emqx_lwm2m_channel.erl | 2 + .../src/mqttsn/emqx_sn_channel.erl | 2 + .../src/stomp/emqx_stomp_channel.erl | 2 + .../test/emqx_gateway_authn_SUITE.erl | 36 ++++++ .../test/emqx_gateway_ctx_SUITE.erl | 2 +- 17 files changed, 219 insertions(+), 67 deletions(-) create mode 100644 apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl diff --git a/apps/emqx/i18n/emqx_schema_i18n.conf b/apps/emqx/i18n/emqx_schema_i18n.conf index fb308a772..5d85829f4 100644 --- a/apps/emqx/i18n/emqx_schema_i18n.conf +++ b/apps/emqx/i18n/emqx_schema_i18n.conf @@ -2063,6 +2063,23 @@ Type of the rate limit. } } +base_listener_enable_authn { + desc { + en: """ +Set true (default) to enable client authentication on this listener. +When set to false clients will be allowed to connect without authentication. +""" + zh: """ +配置 true (默认值)启用客户端进行身份认证。 +配置 false 时,将不对客户端做任何认证。 +""" + } + label: { + en: "Enable authentication" + zh: "启用身份认证" + } +} + mqtt_listener_access_rules { desc { en: """ diff --git a/apps/emqx/src/emqx_authentication.erl b/apps/emqx/src/emqx_authentication.erl index 101be754d..ac6f42c04 100644 --- a/apps/emqx/src/emqx_authentication.erl +++ b/apps/emqx/src/emqx_authentication.erl 
@@ -214,6 +214,8 @@ when %% Authenticate %%------------------------------------------------------------------------------ +authenticate(#{enable_authn := false}, _AuthResult) -> + ignore; authenticate(#{listener := Listener, protocol := Protocol} = Credential, _AuthResult) -> case get_authenticators(Listener, global_chain(Protocol)) of {ok, ChainName, Authenticators} -> diff --git a/apps/emqx/src/emqx_channel.erl b/apps/emqx/src/emqx_channel.erl index a562315f0..ffea58fbd 100644 --- a/apps/emqx/src/emqx_channel.erl +++ b/apps/emqx/src/emqx_channel.erl @@ -102,7 +102,11 @@ -type channel() :: #channel{}. --type opts() :: #{zone := atom(), listener := {Type :: atom(), Name :: atom()}, atom() => term()}. +-type opts() :: #{ + zone := atom(), + listener := {Type :: atom(), Name :: atom()}, + atom() => term() +}. -type conn_state() :: idle | connecting | connected | reauthenticating | disconnected. @@ -235,7 +239,11 @@ init( peername := {PeerHost, _Port}, sockname := {_Host, SockPort} }, - #{zone := Zone, limiter := LimiterCfg, listener := {Type, Listener}} + #{ + zone := Zone, + limiter := LimiterCfg, + listener := {Type, Listener} + } = Opts ) -> Peercert = maps:get(peercert, ConnInfo, undefined), Protocol = maps:get(protocol, ConnInfo, mqtt), @@ -256,7 +264,8 @@ init( username => undefined, mountpoint => MountPoint, is_bridge => false, - is_superuser => false + is_superuser => false, + enable_authn => maps:get(enable_authn, Opts, true) }, Zone ), diff --git a/apps/emqx/src/emqx_listeners.erl b/apps/emqx/src/emqx_listeners.erl index 087555b1c..9c0552601 100644 --- a/apps/emqx/src/emqx_listeners.erl +++ b/apps/emqx/src/emqx_listeners.erl @@ -304,7 +304,8 @@ do_start_listener(Type, ListenerName, #{bind := ListenOn} = Opts) when #{ listener => {Type, ListenerName}, zone => zone(Opts), - limiter => limiter(Opts) + limiter => limiter(Opts), + enable_authn => enable_authn(Opts) } ]} ); 
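Review bot: The new first clause of `authenticate/2` returns `ignore` whenever the credential map has `enable_authn := false`, and nothing in it records that the authenticator chain was skipped, so broker output cannot show which sessions were admitted without credentials; a debug-level log entry naming the listener would close that gap. What `ignore` finally resolves to is decided by the caller, which is outside this hunk, so the clause deserves a comment stating the intent and the trust assumption, for example `%% enable_authn is taken from listener config in the channel's init, never from client-supplied fields; false skips every authenticator`. Matching on the literal `false` keeps missing or malformed values on the authenticating path, which is the right default and worth preserving. The remaining clauses of `authenticate/2` continue outside the hunk.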
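Review bot: `opts()` in emqx_channel.erl is reflowed by this patch but does not gain the key that `init/2` now reads with `maps:get(enable_authn, Opts, true)`; adding `enable_authn => boolean(),` to the type documents the option next to `zone` and `listener`. The `true` default is the safe direction, because a caller that omits the key still gets an authenticating channel. The diff does not show `emqx_types:clientinfo()`, so it is worth confirming that type also admits the `enable_authn` field now placed into ClientInfo. `init/2` starts and ends outside these hunks.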
@@ -430,7 +431,8 @@ ws_opts(Type, ListenerName, Opts) -> {emqx_map_lib:deep_get([websocket, mqtt_path], Opts, "/mqtt"), emqx_ws_connection, #{ zone => zone(Opts), listener => {Type, ListenerName}, - limiter => limiter(Opts) + limiter => limiter(Opts), + enable_authn => enable_authn(Opts) }} ], Dispatch = cowboy_router:compile([{'_', WsPaths}]), @@ -515,6 +517,9 @@ zone(Opts) -> limiter(Opts) -> maps:get(limiter, Opts, #{}). +enable_authn(Opts) -> + maps:get(enable_authn, Opts, true). + ssl_opts(Opts) -> maps:to_list( emqx_tls_lib:drop_tls13_for_old_otp( diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl index 8ff16467e..ffd1896f0 100644 --- a/apps/emqx/src/emqx_schema.erl +++ b/apps/emqx/src/emqx_schema.erl @@ -1616,6 +1616,14 @@ base_listener(Bind) -> desc => ?DESC(base_listener_limiter), default => #{<<"connection">> => <<"default">>} } + )}, + {"enable_authn", + sc( + boolean(), + #{ + desc => ?DESC(base_listener_enable_authn), + default => true + } )} ]. diff --git a/apps/emqx/test/emqx_common_test_helpers.erl b/apps/emqx/test/emqx_common_test_helpers.erl index dd9a56841..82455b3e0 100644 --- a/apps/emqx/test/emqx_common_test_helpers.erl +++ b/apps/emqx/test/emqx_common_test_helpers.erl @@ -38,8 +38,6 @@ ]). -export([ - change_emqx_opts/1, - change_emqx_opts/2, client_ssl/0, client_ssl/1, client_ssl_twoway/0, 
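Review bot: `enable_authn/1` feeds the flag into the options of every connection on the listener, but nothing shown in `do_start_listener/3` or `ws_opts/3` reports that a listener is coming up with authentication switched off. Since that setting makes the listener an open endpoint for anyone who can reach its bind address, a warning-level log entry at listener start when `enable_authn(Opts)` is `false` would make an accidental or leftover setting visible to operators. The helper could also carry `-spec enable_authn(map()) -> boolean().` and a one-line comment that a missing key means authentication stays on. Both calling functions begin and end outside these hunks.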
@@ -320,58 +318,6 @@ wait_for(Fn, Ln, F, Timeout) -> {Pid, Mref} = erlang:spawn_monitor(fun() -> wait_loop(F, catch_call(F)) end), wait_for_down(Fn, Ln, Timeout, Pid, Mref, false). -change_emqx_opts(SslType) -> - change_emqx_opts(SslType, []). - -change_emqx_opts(SslType, MoreOpts) -> - {ok, Listeners} = application:get_env(emqx, listeners), - NewListeners = - lists:map( - fun(Listener) -> - maybe_inject_listener_ssl_options(SslType, MoreOpts, Listener) - end, - Listeners - ), - emqx_conf:update([listeners], NewListeners, #{}). - -maybe_inject_listener_ssl_options(SslType, MoreOpts, {sll, Port, Opts}) -> - %% this clause is kept to be backward compatible - %% new config for listener is a map, old is a three-element tuple - {ssl, Port, inject_listener_ssl_options(SslType, Opts, MoreOpts)}; -maybe_inject_listener_ssl_options(SslType, MoreOpts, #{proto := ssl, opts := Opts} = Listener) -> - Listener#{opts := inject_listener_ssl_options(SslType, Opts, MoreOpts)}; -maybe_inject_listener_ssl_options(_SslType, _MoreOpts, Listener) -> - Listener. 
- -inject_listener_ssl_options(SslType, Opts, MoreOpts) -> - SslOpts = proplists:get_value(ssl_options, Opts), - Keyfile = app_path(emqx, filename:join(["etc", "certs", "key.pem"])), - Certfile = app_path(emqx, filename:join(["etc", "certs", "cert.pem"])), - TupleList1 = lists:keyreplace(keyfile, 1, SslOpts, {keyfile, Keyfile}), - TupleList2 = lists:keyreplace(certfile, 1, TupleList1, {certfile, Certfile}), - TupleList3 = - case SslType of - ssl_twoway -> - CAfile = app_path(emqx, proplists:get_value(cacertfile, ?MQTT_SSL_TWOWAY)), - MutSslList = lists:keyreplace( - cacertfile, 1, ?MQTT_SSL_TWOWAY, {cacertfile, CAfile} - ), - lists:merge(TupleList2, MutSslList); - _ -> - lists:filter( - fun - ({cacertfile, _}) -> false; - ({verify, _}) -> false; - ({fail_if_no_peer_cert, _}) -> false; - (_) -> true - end, - TupleList2 - ) - end, - TupleList4 = emqx_misc:merge_opts(TupleList3, proplists:get_value(ssl_options, MoreOpts, [])), - NMoreOpts = emqx_misc:merge_opts(MoreOpts, [{ssl_options, TupleList4}]), - emqx_misc:merge_opts(Opts, NMoreOpts). - flush() -> flush([]). diff --git a/apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl b/apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl new file mode 100644 index 000000000..1d10169ae --- /dev/null +++ b/apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl 
@@ -0,0 +1,103 @@ +%%-------------------------------------------------------------------- +%% Copyright (c) 2022 EMQ Technologies Co., Ltd. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%% http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%%-------------------------------------------------------------------- + +-module(emqx_authn_enable_flag_SUITE). + +-compile(export_all). +-compile(nowarn_export_all). + +-include("emqx_authn.hrl"). + +-define(PATH, [?CONF_NS_ATOM]). + +-include_lib("eunit/include/eunit.hrl"). + +all() -> + emqx_common_test_helpers:all(?MODULE). + +init_per_suite(Config) -> + emqx_common_test_helpers:start_apps([emqx_conf, emqx_authn]), + Config. + +end_per_suite(_) -> + emqx_common_test_helpers:stop_apps([emqx_authn, emqx_conf]), + ok. + +init_per_testcase(_Case, Config) -> + AuthnConfig = #{ + <<"mechanism">> => <<"password_based">>, + <<"backend">> => <<"built_in_database">>, + <<"user_id_type">> => <<"clientid">> + }, + emqx:update_config( + ?PATH, + {create_authenticator, ?GLOBAL, AuthnConfig} + ), + + emqx_conf:update( + [listeners, tcp, listener_authn_enabled], {create, listener_mqtt_tcp_conf(18830, true)}, #{} + ), + emqx_conf:update( + [listeners, tcp, listener_authn_disabled], + {create, listener_mqtt_tcp_conf(18831, false)}, + #{} + ), + Config. 
+ +end_per_testcase(_Case, Config) -> + emqx_authn_test_lib:delete_authenticators( + ?PATH, + ?GLOBAL + ), + emqx_conf:remove( + [listeners, tcp, listener_authn_enabled], #{} + ), + emqx_conf:remove( + [listeners, tcp, listener_authn_disabled], #{} + ), + Config. + +listener_mqtt_tcp_conf(Port, EnableAuthn) -> + #{ + acceptors => 16, + zone => default, + access_rules => ["allow all"], + bind => {{0, 0, 0, 0}, Port}, + max_connections => 1024000, + mountpoint => <<>>, + proxy_protocol => false, + proxy_protocol_timeout => 3000, + enable_authn => EnableAuthn + }. + +t_enable_authn(_Config) -> + %% enable_authn set to false, we connect successfully + {ok, ConnPid0} = emqtt:start_link([{port, 18831}, {clientid, <<"clientid">>}]), + ?assertMatch( + {ok, _}, + emqtt:connect(ConnPid0) + ), + ok = emqtt:disconnect(ConnPid0), + + process_flag(trap_exit, true), + + %% enable_authn set to true, we go to the set up authn and fail + {ok, ConnPid1} = emqtt:start_link([{port, 18830}, {clientid, <<"clientid">>}]), + ?assertMatch( + {error, {unauthorized_client, _}}, + emqtt:connect(ConnPid1) + ), + ok. diff --git a/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf b/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf index fb9a5377d..7f8bd6dcf 100644 --- a/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf +++ b/apps/emqx_gateway/i18n/emqx_gateway_schema_i18n.conf @@ -589,6 +589,15 @@ See: https://erlang.org/doc/man/inet.html#setopts-2""" } } + gateway_common_listener_enable_authn { + desc { + en: """Set true (default) to enable client authentication on this listener. +When set to false clients will be allowed to connect without authentication.""" + zh: """配置 true (默认值)启用客户端进行身份认证。 +配置 false 时,将不对客户端做任何认证。""" + } + } + gateway_common_listener_mountpoint { desc { en: """When publishing or subscribing, prefix all topics with a mountpoint string. 
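Review bot: `listener_mqtt_tcp_conf/2` binds both test listeners to `{{0, 0, 0, 0}, Port}`, so while the suite runs port 18831 accepts unauthenticated MQTT connections on every interface of the build host; `bind => {{127, 0, 0, 1}, Port},` keeps the open listener on loopback, assuming the emqtt client connects to the local host by default here. In `init_per_testcase/2` the results of `emqx:update_config/2` and both `emqx_conf:update/3` calls are discarded, so a listener that failed to start would surface only as a confusing connect error; matching them against `{ok, _}` fails the case at the real cause. `t_enable_authn/1` also sets `process_flag(trap_exit, true)` without restoring it and never stops `ConnPid1`.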
diff --git a/apps/emqx_gateway/src/coap/emqx_coap_channel.erl b/apps/emqx_gateway/src/coap/emqx_coap_channel.erl index 207524448..c40cbe467 100644 --- a/apps/emqx_gateway/src/coap/emqx_coap_channel.erl +++ b/apps/emqx_gateway/src/coap/emqx_coap_channel.erl @@ -131,6 +131,7 @@ init( ) -> Peercert = maps:get(peercert, ConnInfo, undefined), Mountpoint = maps:get(mountpoint, Config, <<>>), + EnableAuthn = maps:get(enable_authn, Config, true), ListenerId = case maps:get(listener, Config, undefined) of undefined -> undefined; @@ -148,6 +149,7 @@ init( username => undefined, is_bridge => false, is_superuser => false, + enable_authn => EnableAuthn, mountpoint => Mountpoint } ), diff --git a/apps/emqx_gateway/src/emqx_gateway_ctx.erl b/apps/emqx_gateway/src/emqx_gateway_ctx.erl index dfe7c9466..d6b9c17b2 100644 --- a/apps/emqx_gateway/src/emqx_gateway_ctx.erl +++ b/apps/emqx_gateway/src/emqx_gateway_ctx.erl @@ -26,11 +26,9 @@ %% configuration, register devices and other common operations. %% -type context() :: - %% Gateway Name #{ + %% Gateway Name gwname := gateway_name(), - %% Authentication chains - auth := [emqx_authentication:chain_name()], %% The ConnectionManager PID cm := pid() }. @@ -67,9 +65,7 @@ -spec authenticate(context(), emqx_types:clientinfo()) -> {ok, emqx_types:clientinfo()} | {error, any()}. -authenticate(_Ctx = #{auth := _ChainNames}, ClientInfo0) when - is_list(_ChainNames) --> +authenticate(_Ctx, ClientInfo0) -> ClientInfo = ClientInfo0#{zone => default}, case emqx_access_control:authenticate(ClientInfo) of {ok, _} -> diff --git a/apps/emqx_gateway/src/emqx_gateway_schema.erl b/apps/emqx_gateway/src/emqx_gateway_schema.erl index e5cec7861..dfe937024 100644 --- a/apps/emqx_gateway/src/emqx_gateway_schema.erl +++ b/apps/emqx_gateway/src/emqx_gateway_schema.erl 
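Review bot: The `EnableAuthn = maps:get(enable_authn, Config, true)` line added to the CoAP channel's `init` is repeated in the lwm2m, mqttsn, stomp and exproto channels later in this patch, each with its own copy of the default. Because that default decides whether a gateway listener authenticates when the key is absent, it is safer to define it once, for example in a small helper in `emqx_gateway_utils` that all five channels call, so a later edit cannot leave one protocol with a different fallback. A short comment at the `enable_authn => EnableAuthn` entry saying the value comes from listener config would also help readers of ClientInfo. `init` begins and ends outside the hunk.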
@@ -649,6 +649,14 @@ common_listener_opts() -> } )}, {?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_ATOM, authentication_schema()}, + {"enable_authn", + sc( + boolean(), + #{ + desc => ?DESC(gateway_common_listener_enable_authn), + default => true + } + )}, {mountpoint, sc( binary(), diff --git a/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl b/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl index c0cce4456..861ae3189 100644 --- a/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl +++ b/apps/emqx_gateway/src/exproto/emqx_exproto_channel.erl @@ -157,7 +157,12 @@ init( undefined -> undefined; {GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName) end, - ClientInfo = maps:put(listener, ListenerId, default_clientinfo(ConnInfo)), + EnableAuthn = maps:get(enable_authn, Options, true), + DefaultClientInfo = default_clientinfo(ConnInfo), + ClientInfo = DefaultClientInfo#{ + listener => ListenerId, + enable_authn => EnableAuthn + }, Channel = #channel{ ctx = Ctx, gcli = #{channel => GRpcChann, pool_name => PoolName}, diff --git a/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl b/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl index 61b08239a..b6f2b870e 100644 --- a/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl +++ b/apps/emqx_gateway/src/lwm2m/emqx_lwm2m_channel.erl @@ -128,6 +128,7 @@ init( undefined -> undefined; {GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName) end, + EnableAuthn = maps:get(enable_authn, Config, true), ClientInfo = set_peercert_infos( Peercert, #{ @@ -140,6 +141,7 @@ init( clientid => undefined, is_bridge => false, is_superuser => false, + enable_authn => EnableAuthn, mountpoint => Mountpoint } ), diff --git a/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl b/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl index 9955f75d9..b5e051193 100644 --- a/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl +++ b/apps/emqx_gateway/src/mqttsn/emqx_sn_channel.erl 
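Review bot: The new `{"enable_authn", ...}` entry in `common_listener_opts/0` sits directly after the listener's own authentication schema, yet neither the schema nor the description it references says which one wins when a listener has authenticators configured and `enable_authn` set to false. From the `authenticate/2` clause added earlier in this patch the flag takes precedence and the configured authenticators are never consulted, so the description should say so explicitly. As a style point, the key is written as a string while the neighbouring `mountpoint` entry uses an atom; `{enable_authn,` would match the surrounding entries.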
@@ -156,6 +156,7 @@ init( undefined -> undefined; {GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName) end, + EnableAuthn = maps:get(enable_authn, Option, true), ClientInfo = set_peercert_infos( Peercert, #{ @@ -168,6 +169,7 @@ init( username => undefined, is_bridge => false, is_superuser => false, + enable_authn => EnableAuthn, mountpoint => Mountpoint } ), diff --git a/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl b/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl index 6e6a67d0b..e698ce17f 100644 --- a/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl +++ b/apps/emqx_gateway/src/stomp/emqx_stomp_channel.erl @@ -127,6 +127,7 @@ init( undefined -> undefined; {GwName, Type, LisName} -> emqx_gateway_utils:listener_id(GwName, Type, LisName) end, + EnableAuthn = maps:get(enable_authn, Option, true), ClientInfo = setting_peercert_infos( Peercert, #{ @@ -139,6 +140,7 @@ init( username => undefined, is_bridge => false, is_superuser => false, + enable_authn => EnableAuthn, mountpoint => Mountpoint } ), diff --git a/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl b/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl index dece25ea9..604321897 100644 --- a/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl +++ b/apps/emqx_gateway/test/emqx_gateway_authn_SUITE.erl @@ -109,6 +109,12 @@ t_case_coap(_) -> Prefix ++ "/connection?clientid=client1&username=bad&password=bad", Login(LeftUrl, ?checkMatch({error, bad_request, _Data})), + + disable_authn(coap, udp, default), + NowRightUrl = + Prefix ++ + "/connection?clientid=client1&username=bad&password=bad", + Login(NowRightUrl, ?checkMatch({ok, created, _Data})), ok. -record(coap_content, {content_format, payload = <<>>}). 
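Review bot: `disable_authn(coap, udp, default)` in `t_case_coap/1` switches authentication off on the gateway's `default` listener and nothing in the visible hunks turns it back on; the same applies to the calls added to the lwm2m, mqttsn, stomp and exproto cases, and to the helper itself, which is defined in the `t_case_exproto` hunk. Whether the suite's fixtures reset gateway config between cases is outside the diff; if they do not, any later login assertion against that listener would pass without credentials being checked. Restoring the previous listener config at the end of each case, or in `end_per_testcase/2`, keeps the negative-login checks meaningful. Repeating the good-credential login after the switch would also show the listener still serves legitimate clients.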
@@ -155,6 +161,11 @@ t_case_lwm2m(_) -> NoInfoUrl = "coap://127.0.0.1:~b/rd?ep=~ts<=345&lwm2m=1", Login(NoInfoUrl, MakeCheker(ack, {error, bad_request})), + + disable_authn(lwm2m, udp, default), + NowRightUrl = "coap://127.0.0.1:~b/rd?ep=~ts<=345&lwm2m=1&imei=bad&password=bad", + Login(NowRightUrl, MakeCheker(ack, {ok, created})), + ok. -define(SN_CONNACK, 16#05). @@ -182,6 +193,9 @@ t_case_mqttsn(_) -> end, Login(<<"badadmin">>, <<"badpassowrd">>, <<3, ?SN_CONNACK, 16#80>>), Login(<<"admin">>, <<"public">>, <<3, ?SN_CONNACK, 0>>), + + disable_authn(mqttsn, udp, default), + Login(<<"badadmin">>, <<"badpassowrd">>, <<3, ?SN_CONNACK, 0>>), ok. t_case_stomp(_) -> @@ -220,6 +234,15 @@ t_case_stomp(_) -> ?assertEqual(<<"Login Failed: not_authorized">>, Mod:get_field(body, Frame)) end), + disable_authn(stomp, tcp, default), + Login( + <<"bad">>, + <<"bad">>, + ?FUNCTOR( + Frame, + ?assertEqual(<<"CONNECTED">>, Mod:get_field(command, Frame)) + ) + ), ok. t_case_exproto(_) -> @@ -249,5 +272,18 @@ t_case_exproto(_) -> end, Login(<<"admin">>, <<"public">>, SvrMod:frame_connack(0)), Login(<<"bad">>, <<"bad">>, SvrMod:frame_connack(1)), + + disable_authn(exproto, tcp, default), + Login(<<"bad">>, <<"bad">>, SvrMod:frame_connack(0)), + SvrMod:stop(Svrs), ok. + +disable_authn(GwName, Type, Name) -> + RawCfg = emqx_conf:get_raw([gateway, GwName], #{}), + ListenerCfg = emqx_map_lib:deep_get( + [<<"listeners">>, atom_to_binary(Type), atom_to_binary(Name)], RawCfg + ), + {ok, _} = emqx_gateway_conf:update_listener(GwName, {Type, Name}, ListenerCfg#{ + <<"enable_authn">> => false + }). diff --git a/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl b/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl index 32e155068..094da93d2 100644 --- a/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl +++ b/apps/emqx_gateway/test/emqx_gateway_ctx_SUITE.erl 
@@ -50,7 +50,7 @@ end_per_suite(_Conf) -> %%-------------------------------------------------------------------- t_authenticate(_) -> - Ctx = #{gwname => mqttsn, auth => [], cm => self()}, + Ctx = #{gwname => mqttsn, cm => self()}, Info1 = #{ mountpoint => undefined, clientid => <<"user1">> From 2c5450e7f6bfabaaecfeb5dec10af422d7578d29 Mon Sep 17 00:00:00 2001 From: Ilya Averyanov Date: Wed, 15 Jun 2022 19:51:39 +0300 Subject: [PATCH 2/2] chore(authn): fix raw authn configs --- .../emqx_authn/test/emqx_authn_http_SUITE.erl | 28 +++---- .../test/emqx_authn_https_SUITE.erl | 18 ++-- apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl | 16 ++-- .../test/emqx_authn_mongo_SUITE.erl | 64 +++++++------- .../test/emqx_authn_mongo_tls_SUITE.erl | 40 ++++----- .../test/emqx_authn_mysql_SUITE.erl | 64 +++++++------- .../test/emqx_authn_mysql_tls_SUITE.erl | 26 +++--- .../test/emqx_authn_pgsql_SUITE.erl | 62 +++++++------- .../test/emqx_authn_pgsql_tls_SUITE.erl | 26 +++--- .../test/emqx_authn_redis_SUITE.erl | 84 +++++++++---------- .../test/emqx_authn_redis_tls_SUITE.erl | 26 +++--- apps/emqx_authn/test/emqx_authn_test_lib.erl | 6 +- 12 files changed, 230 insertions(+), 230 deletions(-) diff --git a/apps/emqx_authn/test/emqx_authn_http_SUITE.erl b/apps/emqx_authn/test/emqx_authn_http_SUITE.erl index a22c7765e..fc79970af 100644 --- a/apps/emqx_authn/test/emqx_authn_http_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_http_SUITE.erl @@ -84,8 +84,8 @@ t_create_invalid(_Config) -> InvalidConfigs = [ - AuthConfig#{headers => []}, - AuthConfig#{method => delete} + AuthConfig#{<<"headers">> => []}, + AuthConfig#{<<"method">> => <<"delete">>} ], lists:foreach( @@ -181,7 +181,7 @@ t_destroy(_Config) -> t_update(_Config) -> CorrectConfig = raw_http_auth_config(), IncorrectConfig = - CorrectConfig#{url => <<"http://127.0.0.1:32333/invalid">>}, + CorrectConfig#{<<"url">> => <<"http://127.0.0.1:32333/invalid">>}, {ok, _} = emqx:update_config( ?PATH, 
@@ -265,14 +265,14 @@ test_is_superuser({Kind, Value, ExpectedValue}) -> raw_http_auth_config() -> #{ - mechanism => <<"password_based">>, - enable => <<"true">>, + <<"mechanism">> => <<"password_based">>, + <<"enable">> => <<"true">>, - backend => <<"http">>, - method => <<"get">>, - url => <<"http://127.0.0.1:32333/auth">>, - body => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD}, - headers => #{<<"X-Test-Header">> => <<"Test Value">>} + <<"backend">> => <<"http">>, + <<"method">> => <<"get">>, + <<"url">> => <<"http://127.0.0.1:32333/auth">>, + <<"body">> => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD}, + <<"headers">> => #{<<"X-Test-Header">> => <<"Test Value">>} }. samples() -> @@ -355,8 +355,8 @@ samples() -> {ok, Req, State} end, config_params => #{ - method => post, - headers => #{<<"content-type">> => <<"application/json">>} + <<"method">> => <<"post">>, + <<"headers">> => #{<<"content-type">> => <<"application/json">>} }, result => {ok, #{is_superuser => false}} }, @@ -373,8 +373,8 @@ samples() -> {ok, Req, State} end, config_params => #{ - method => post, - headers => #{ + <<"method">> => <<"post">>, + <<"headers">> => #{ <<"content-type">> => <<"application/x-www-form-urlencoded">> } diff --git a/apps/emqx_authn/test/emqx_authn_https_SUITE.erl b/apps/emqx_authn/test/emqx_authn_https_SUITE.erl index c3327c31b..ae4508967 100644 --- a/apps/emqx_authn/test/emqx_authn_https_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_https_SUITE.erl 
@@ -140,18 +140,18 @@ create_https_auth_with_ssl_opts(SpecificSSLOpts) -> raw_https_auth_config(SpecificSSLOpts) -> SSLOpts = maps:merge( emqx_authn_test_lib:client_ssl_cert_opts(), - #{enable => <<"true">>} + #{<<"enable">> => <<"true">>} ), #{ - mechanism => <<"password_based">>, - enable => <<"true">>, + <<"mechanism">> => <<"password_based">>, + <<"enable">> => <<"true">>, - backend => <<"http">>, - method => <<"get">>, - url => <<"https://127.0.0.1:32334/auth">>, - body => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD}, - headers => #{<<"X-Test-Header">> => <<"Test Value">>}, - ssl => maps:merge(SSLOpts, SpecificSSLOpts) + <<"backend">> => <<"http">>, + <<"method">> => <<"get">>, + <<"url">> => <<"https://127.0.0.1:32334/auth">>, + <<"body">> => #{<<"username">> => ?PH_USERNAME, <<"password">> => ?PH_PASSWORD}, + <<"headers">> => #{<<"X-Test-Header">> => <<"Test Value">>}, + <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts) }. start_apps(Apps) -> diff --git a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl index 69ed42cd7..e5d56aa1f 100644 --- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl @@ -492,14 +492,14 @@ generate_jws('public-key', Payload, PrivateKey) -> JWS. client_ssl_opts() -> - maps:merge( - emqx_authn_test_lib:client_ssl_cert_opts(), - #{ - enable => true, - verify => verify_peer, - server_name_indication => "authn-server" - } - ). + #{ + keyfile => cert_file("client.key"), + certfile => cert_file("client.crt"), + cacertfile => cert_file("ca.crt"), + enable => true, + verify => verify_peer, + server_name_indication => "authn-server" + }. server_ssl_opts() -> [ diff --git a/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl index dfdc0fdd1..c39d4a2a2 100644 --- a/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl 
@@ -83,9 +83,9 @@ t_create_invalid(_Config) -> InvalidConfigs = [ - AuthConfig#{mongo_type => <<"unknown">>}, - AuthConfig#{filter => <<"{ \"username\": \"${username}\" }">>}, - AuthConfig#{w_mode => <<"unknown">>} + AuthConfig#{<<"mongo_type">> => <<"unknown">>}, + AuthConfig#{<<"filter">> => <<"{ \"username\": \"${username}\" }">>}, + AuthConfig#{<<"w_mode">> => <<"unknown">>} ], lists:foreach( @@ -180,7 +180,7 @@ t_update(_Config) -> ok = init_seeds(), CorrectConfig = raw_mongo_auth_config(), IncorrectConfig = - CorrectConfig#{filter => #{<<"wrongfield">> => <<"wrongvalue">>}}, + CorrectConfig#{<<"filter">> => #{<<"wrongfield">> => <<"wrongvalue">>}}, {ok, _} = emqx:update_config( ?PATH, @@ -265,24 +265,24 @@ test_is_superuser({Value, ExpectedValue}) -> raw_mongo_auth_config() -> #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"mongodb">>, - mongo_type => <<"single">>, - database => <<"mqtt">>, - collection => <<"users">>, - server => mongo_server(), - w_mode => <<"unsafe">>, + <<"backend">> => <<"mongodb">>, + <<"mongo_type">> => <<"single">>, + <<"database">> => <<"mqtt">>, + <<"collection">> => <<"users">>, + <<"server">> => mongo_server(), + <<"w_mode">> => <<"unsafe">>, - filter => #{<<"username">> => <<"${username}">>}, - password_hash_field => <<"password_hash">>, - salt_field => <<"salt">>, - is_superuser_field => <<"is_superuser">> + <<"filter">> => #{<<"username">> => <<"${username}">>}, + <<"password_hash_field">> => <<"password_hash">>, + <<"salt_field">> => <<"salt">>, + <<"is_superuser_field">> => <<"is_superuser">> }. user_seeds() -> 
@@ -314,9 +314,9 @@ user_seeds() -> password => <<"md5">> }, config_params => #{ - password_hash_algorithm => #{ - name => <<"md5">>, - salt_position => <<"suffix">> + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"md5">>, + <<"salt_position">> => <<"suffix">> } }, result => {ok, #{is_superuser => false}} @@ -335,10 +335,10 @@ user_seeds() -> password => <<"sha256">> }, config_params => #{ - filter => #{<<"username">> => <<"${clientid}">>}, - password_hash_algorithm => #{ - name => <<"sha256">>, - salt_position => <<"prefix">> + <<"filter">> => #{<<"username">> => <<"${clientid}">>}, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"sha256">>, + <<"salt_position">> => <<"prefix">> } }, result => {ok, #{is_superuser => true}} @@ -357,7 +357,7 @@ user_seeds() -> password => <<"bcrypt">> }, config_params => #{ - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {ok, #{is_superuser => false}} }, @@ -376,8 +376,8 @@ user_seeds() -> }, config_params => #{ % clientid variable & username credentials - filter => #{<<"username">> => <<"${clientid}">>}, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"filter">> => #{<<"username">> => <<"${clientid}">>}, + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, @@ -395,8 +395,8 @@ user_seeds() -> password => <<"bcrypt">> }, config_params => #{ - filter => #{<<"userid">> => <<"${clientid}">>}, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"filter">> => #{<<"userid">> => <<"${clientid}">>}, + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, @@ -415,7 +415,7 @@ user_seeds() -> password => <<"wrongpass">> }, config_params => #{ - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, bad_username_or_password} } 
diff --git a/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl index f46316488..ebece6c3e 100644 --- a/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl @@ -171,33 +171,33 @@ create_mongo_auth_with_ssl_opts(SpecificSSLOpts) -> raw_mongo_auth_config(SpecificSSLOpts) -> SSLOpts = maps:merge( emqx_authn_test_lib:client_ssl_cert_opts(), - #{enable => <<"true">>} + #{<<"enable">> => <<"true">>} ), #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"mongodb">>, - pool_size => 2, - mongo_type => <<"single">>, - database => <<"mqtt">>, - collection => <<"users">>, - server => mongo_server(), - w_mode => <<"unsafe">>, + <<"backend">> => <<"mongodb">>, + <<"pool_size">> => 2, + <<"mongo_type">> => <<"single">>, + <<"database">> => <<"mqtt">>, + <<"collection">> => <<"users">>, + <<"server">> => mongo_server(), + <<"w_mode">> => <<"unsafe">>, - filter => #{<<"username">> => <<"${username}">>}, - password_hash_field => <<"password_hash">>, - salt_field => <<"salt">>, - is_superuser_field => <<"is_superuser">>, - topology => #{ - server_selection_timeout_ms => <<"10000ms">> + <<"filter">> => #{<<"username">> => <<"${username}">>}, + <<"password_hash_field">> => <<"password_hash">>, + <<"salt_field">> => <<"salt">>, + <<"is_superuser_field">> => <<"is_superuser">>, + <<"topology">> => #{ + <<"server_selection_timeout_ms">> => <<"10000ms">> }, - ssl => maps:merge(SSLOpts, SpecificSSLOpts) + <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts) }. mongo_server() -> 
diff --git a/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl index c8bee9223..abf36c167 100644 --- a/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl @@ -100,10 +100,10 @@ t_create_invalid(_Config) -> InvalidConfigs = [ - maps:without([server], AuthConfig), - AuthConfig#{server => <<"unknownhost:3333">>}, - AuthConfig#{password => <<"wrongpass">>}, - AuthConfig#{database => <<"wrongdatabase">>} + maps:without([<<"server">>], AuthConfig), + AuthConfig#{<<"server">> => <<"unknownhost:3333">>}, + AuthConfig#{<<"password">> => <<"wrongpass">>}, + AuthConfig#{<<"database">> => <<"wrongdatabase">>} ], lists:foreach( @@ -194,7 +194,7 @@ t_update(_Config) -> CorrectConfig = raw_mysql_auth_config(), IncorrectConfig = CorrectConfig#{ - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_str as is_superuser\n" " FROM wrong_table where username = ${username} LIMIT 1" @@ -236,24 +236,24 @@ t_update(_Config) -> raw_mysql_auth_config() -> #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"mysql">>, - database => <<"mqtt">>, - username => <<"root">>, - password => <<"public">>, + <<"backend">> => <<"mysql">>, + <<"database">> => <<"mqtt">>, + <<"username">> => <<"root">>, + <<"password">> => <<"public">>, - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_str as is_superuser\n" " FROM users where username = ${username} LIMIT 1" >>, - server => mysql_server() + <<"server">> => mysql_server() }. user_seeds() -> 
@@ -285,9 +285,9 @@ user_seeds() -> password => <<"md5">> }, config_params => #{ - password_hash_algorithm => #{ - name => <<"md5">>, - salt_position => <<"suffix">> + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"md5">>, + <<"salt_position">> => <<"suffix">> } }, result => {ok, #{is_superuser => false}} @@ -305,14 +305,14 @@ user_seeds() -> password => <<"sha256">> }, config_params => #{ - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_int as is_superuser\n" " FROM users where username = ${clientid} LIMIT 1" >>, - password_hash_algorithm => #{ - name => <<"sha256">>, - salt_position => <<"prefix">> + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"sha256">>, + <<"salt_position">> => <<"prefix">> } }, result => {ok, #{is_superuser => true}} @@ -330,12 +330,12 @@ user_seeds() -> password => <<"bcrypt">> }, config_params => #{ - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_int as is_superuser\n" " FROM users where username = ${username} LIMIT 1" >>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {ok, #{is_superuser => false}} }, @@ -351,12 +351,12 @@ user_seeds() -> password => <<"bcrypt">> }, config_params => #{ - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_int as is_superuser\n" " FROM users where username = ${username} LIMIT 1" >>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {ok, #{is_superuser => false}} }, 
@@ -374,12 +374,12 @@ user_seeds() -> }, config_params => #{ % clientid variable & username credentials - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_int as is_superuser\n" " FROM users where username = ${clientid} LIMIT 1" >>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, @@ -397,12 +397,12 @@ user_seeds() -> }, config_params => #{ % Bad keys in query - query => + <<"query">> => << "SELECT 1 AS unknown_field\n" " FROM users where username = ${username} LIMIT 1" >>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, @@ -420,7 +420,7 @@ user_seeds() -> password => <<"wrongpass">> }, config_params => #{ - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, bad_username_or_password} } diff --git a/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl index f3af66cae..7d642c230 100644 --- a/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl 
@@ -131,28 +131,28 @@ create_mysql_auth_with_ssl_opts(SpecificSSLOpts) -> raw_mysql_auth_config(SpecificSSLOpts) -> SSLOpts = maps:merge( emqx_authn_test_lib:client_ssl_cert_opts(), - #{enable => <<"true">>} + #{<<"enable">> => <<"true">>} ), #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"mysql">>, - database => <<"mqtt">>, - username => <<"root">>, - password => <<"public">>, + <<"backend">> => <<"mysql">>, + <<"database">> => <<"mqtt">>, + <<"username">> => <<"root">>, + <<"password">> => <<"public">>, - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_str as is_superuser\n" " FROM users where username = ${username} LIMIT 1" >>, - server => mysql_server(), - ssl => maps:merge(SSLOpts, SpecificSSLOpts) + <<"server">> => mysql_server(), + <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts) }. mysql_server() -> diff --git a/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl b/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl index 618768e42..ec29ba422 100644 --- a/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl @@ -101,10 +101,10 @@ t_create_invalid(_Config) -> InvalidConfigs = [ - maps:without([server], AuthConfig), - AuthConfig#{server => <<"unknownhost:3333">>}, - AuthConfig#{password => <<"wrongpass">>}, - AuthConfig#{database => <<"wrongdatabase">>} + maps:without([<<"server">>], AuthConfig), + AuthConfig#{<<"server">> => <<"unknownhost:3333">>}, + AuthConfig#{<<"password">> => <<"wrongpass">>}, + AuthConfig#{<<"database">> => <<"wrongdatabase">>} ], lists:foreach( 
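Review bot: `maps:merge(SSLOpts, SpecificSSLOpts)` in `raw_mysql_auth_config/1` now merges into a binary-keyed map, so an override only takes effect when the caller's `SpecificSSLOpts` is binary-keyed as well. The callers of `create_mysql_auth_with_ssl_opts/1` are outside this hunk; if any still passes atom keys, the result is a mixed-key map in which the atom-keyed option presumably never reaches the connector. A TLS case could then succeed without the setting it was written to check. A guard at the top of the function, `true = lists:all(fun is_binary/1, maps:keys(SpecificSSLOpts)),`, would make that fail loudly. The same merge appears in `raw_pgsql_auth_config/1` (emqx_authn_pgsql_tls_SUITE.erl) and `raw_redis_auth_config/1` (emqx_authn_redis_tls_SUITE.erl).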
@@ -195,7 +195,7 @@ t_update(_Config) -> CorrectConfig = raw_pgsql_auth_config(), IncorrectConfig = CorrectConfig#{ - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_str as is_superuser\n" " FROM users where username = ${username} LIMIT 0" @@ -274,7 +274,7 @@ test_is_superuser({Field, Value, ExpectedValue}) -> " as is_superuser " "FROM users where username = ${username} LIMIT 1", - Config = maps:put(query, Query, raw_pgsql_auth_config()), + Config = maps:put(<<"query">>, Query, raw_pgsql_auth_config()), {ok, _} = emqx:update_config( ?PATH, {update_authenticator, ?GLOBAL, <<"password_based:postgresql">>, Config} @@ -298,24 +298,24 @@ test_is_superuser({Field, Value, ExpectedValue}) -> raw_pgsql_auth_config() -> #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"postgresql">>, - database => <<"mqtt">>, - username => <<"root">>, - password => <<"public">>, + <<"backend">> => <<"postgresql">>, + <<"database">> => <<"mqtt">>, + <<"username">> => <<"root">>, + <<"password">> => <<"public">>, - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_str as is_superuser\n" " FROM users where username = ${username} LIMIT 1" >>, - server => pgsql_server() + <<"server">> => pgsql_server() }. user_seeds() -> @@ -347,9 +347,9 @@ user_seeds() -> password => <<"md5">> }, config_params => #{ - password_hash_algorithm => #{ - name => <<"md5">>, - salt_position => <<"suffix">> + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"md5">>, + <<"salt_position">> => <<"suffix">> } }, result => {ok, #{is_superuser => false}} 
@@ -367,14 +367,14 @@ user_seeds() -> password => <<"sha256">> }, config_params => #{ - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_int as is_superuser\n" " FROM users where username = ${clientid} LIMIT 1" >>, - password_hash_algorithm => #{ - name => <<"sha256">>, - salt_position => <<"prefix">> + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"sha256">>, + <<"salt_position">> => <<"prefix">> } }, result => {ok, #{is_superuser => true}} @@ -392,12 +392,12 @@ user_seeds() -> password => <<"bcrypt">> }, config_params => #{ - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_int as is_superuser\n" " FROM users where username = ${username} LIMIT 1" >>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {ok, #{is_superuser => false}} }, @@ -415,12 +415,12 @@ user_seeds() -> }, config_params => #{ % clientid variable & username credentials - query => + <<"query">> => << "SELECT password_hash, salt, is_superuser_int as is_superuser\n" " FROM users where username = ${clientid} LIMIT 1" >>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, @@ -438,12 +438,12 @@ user_seeds() -> }, config_params => #{ % Bad keys in query - query => + <<"query">> => << "SELECT 1 AS unknown_field\n" " FROM users where username = ${username} LIMIT 1" >>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, @@ -461,7 +461,7 @@ user_seeds() -> password => <<"wrongpass">> }, config_params => #{ - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, bad_username_or_password} } 
diff --git a/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl index a1a34927a..e2b44b93d 100644 --- a/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl @@ -131,24 +131,24 @@ create_pgsql_auth_with_ssl_opts(SpecificSSLOpts) -> raw_pgsql_auth_config(SpecificSSLOpts) -> SSLOpts = maps:merge( emqx_authn_test_lib:client_ssl_cert_opts(), - #{enable => <<"true">>} + #{<<"enable">> => <<"true">>} ), #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"postgresql">>, - database => <<"mqtt">>, - username => <<"root">>, - password => <<"public">>, + <<"backend">> => <<"postgresql">>, + <<"database">> => <<"mqtt">>, + <<"username">> => <<"root">>, + <<"password">> => <<"public">>, - query => <<"SELECT 1">>, - server => pgsql_server(), - ssl => maps:merge(SSLOpts, SpecificSSLOpts) + <<"query">> => <<"SELECT 1">>, + <<"server">> => pgsql_server(), + <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts) }. pgsql_server() -> diff --git a/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl b/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl index 1ff391729..77e35bf3b 100644 --- a/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_redis_SUITE.erl 
@@ -102,16 +102,16 @@ t_create_invalid(_Config) -> InvalidConfigs = [ AuthConfig#{ - cmd => <<"MGET password_hash:${username} salt:${username}">> + <<"cmd">> => <<"MGET password_hash:${username} salt:${username}">> }, AuthConfig#{ - cmd => <<"HMGET mqtt_user:${username} password_hash invalid_field">> + <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash invalid_field">> }, AuthConfig#{ - cmd => <<"HMGET mqtt_user:${username} salt is_superuser">> + <<"cmd">> => <<"HMGET mqtt_user:${username} salt is_superuser">> }, AuthConfig#{ - cmd => <<"HGETALL mqtt_user:${username} salt is_superuser">> + <<"cmd">> => <<"HGETALL mqtt_user:${username} salt is_superuser">> } ], lists:foreach( @@ -131,10 +131,10 @@ t_create_invalid(_Config) -> InvalidConfigs1 = [ - maps:without([server], AuthConfig), - AuthConfig#{server => <<"unknownhost:3333">>}, - AuthConfig#{password => <<"wrongpass">>}, - AuthConfig#{database => <<"5678">>} + maps:without([<<"server">>], AuthConfig), + AuthConfig#{<<"server">> => <<"unknownhost:3333">>}, + AuthConfig#{<<"password">> => <<"wrongpass">>}, + AuthConfig#{<<"database">> => <<"5678">>} ], lists:foreach( @@ -225,7 +225,7 @@ t_update(_Config) -> CorrectConfig = raw_redis_auth_config(), IncorrectConfig = CorrectConfig#{ - cmd => <<"HMGET invalid_key:${username} password_hash salt is_superuser">> + <<"cmd">> => <<"HMGET invalid_key:${username} password_hash salt is_superuser">> }, {ok, _} = emqx:update_config( 
@@ -263,19 +263,19 @@ t_update(_Config) -> raw_redis_auth_config() -> #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"redis">>, - cmd => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>, - database => <<"1">>, - password => <<"public">>, - redis_type => <<"single">>, - server => redis_server() + <<"backend">> => <<"redis">>, + <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>, + <<"database">> => <<"1">>, + <<"password">> => <<"public">>, + <<"redis_type">> => <<"single">>, + <<"server">> => redis_server() }. user_seeds() -> @@ -307,9 +307,9 @@ user_seeds() -> }, key => <<"mqtt_user:md5">>, config_params => #{ - password_hash_algorithm => #{ - name => <<"md5">>, - salt_position => <<"suffix">> + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"md5">>, + <<"salt_position">> => <<"suffix">> } }, result => {ok, #{is_superuser => false}} @@ -328,10 +328,10 @@ user_seeds() -> }, key => <<"mqtt_user:sha256">>, config_params => #{ - cmd => <<"HMGET mqtt_user:${clientid} password_hash salt is_superuser">>, - password_hash_algorithm => #{ - name => <<"sha256">>, - salt_position => <<"prefix">> + <<"cmd">> => <<"HMGET mqtt_user:${clientid} password_hash salt is_superuser">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"sha256">>, + <<"salt_position">> => <<"prefix">> } }, result => {ok, #{is_superuser => true}} 
@@ -349,10 +349,10 @@ user_seeds() -> }, key => <<"mqtt_user:sha256_no_salt">>, config_params => #{ - cmd => <<"HMGET mqtt_user:${clientid} password_hash is_superuser">>, - password_hash_algorithm => #{ - name => <<"sha256">>, - salt_position => <<"disable">> + <<"cmd">> => <<"HMGET mqtt_user:${clientid} password_hash is_superuser">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"sha256">>, + <<"salt_position">> => <<"disable">> } }, result => {ok, #{is_superuser => true}} @@ -371,7 +371,7 @@ user_seeds() -> }, key => <<"mqtt_user:bcrypt">>, config_params => #{ - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {ok, #{is_superuser => false}} }, @@ -387,10 +387,10 @@ user_seeds() -> }, key => <<"mqtt_user:pbkdf2">>, config_params => #{ - password_hash_algorithm => #{ - name => <<"pbkdf2">>, - iterations => 2, - mac_fun => sha + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"pbkdf2">>, + <<"iterations">> => <<"2">>, + <<"mac_fun">> => <<"sha">> } }, result => {ok, #{is_superuser => false}} @@ -409,8 +409,8 @@ user_seeds() -> key => <<"mqtt_user:bcrypt0">>, config_params => #{ % clientid variable & username credentials - cmd => <<"HMGET mqtt_client:${clientid} password_hash salt is_superuser">>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"cmd">> => <<"HMGET mqtt_client:${clientid} password_hash salt is_superuser">>, + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, @@ -429,8 +429,8 @@ user_seeds() -> key => <<"mqtt_user:bcrypt1">>, config_params => #{ % Bad key in cmd - cmd => <<"HMGET badkey:${username} password_hash salt is_superuser">>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"cmd">> => <<"HMGET badkey:${username} password_hash salt is_superuser">>, + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, not_authorized} }, 
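Review bot: In the `mqtt_user:pbkdf2` seed, `<<"iterations">> => <<"2">>` and `<<"mac_fun">> => <<"sha">>` replace the integer `2` and the atom `sha`, so this seed now depends on the schema converting both strings, whereas the other seeds changed only their keys. That looks intended for raw config, but the conversion is not visible in this hunk, so a one-line comment would help the next reader. An iteration count of 2 with SHA-1 is only acceptable as a fast fixture, and the same comment can say so: `% raw config: string values are converted by the schema; 2 iterations with sha is a test-only setting`.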
@@ -449,8 +449,8 @@ user_seeds() -> }, key => <<"mqtt_user:bcrypt2">>, config_params => #{ - cmd => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>, - password_hash_algorithm => #{name => <<"bcrypt">>} + <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>, + <<"password_hash_algorithm">> => #{<<"name">> => <<"bcrypt">>} }, result => {error, bad_username_or_password} } diff --git a/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl index 6ef889166..781d84d98 100644 --- a/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl @@ -130,23 +130,23 @@ create_redis_auth_with_ssl_opts(SpecificSSLOpts) -> raw_redis_auth_config(SpecificSSLOpts) -> SSLOpts = maps:merge( emqx_authn_test_lib:client_ssl_cert_opts(), - #{enable => <<"true">>} + #{<<"enable">> => <<"true">>} ), #{ - mechanism => <<"password_based">>, - password_hash_algorithm => #{ - name => <<"plain">>, - salt_position => <<"suffix">> + <<"mechanism">> => <<"password_based">>, + <<"password_hash_algorithm">> => #{ + <<"name">> => <<"plain">>, + <<"salt_position">> => <<"suffix">> }, - enable => <<"true">>, + <<"enable">> => <<"true">>, - backend => <<"redis">>, - cmd => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>, - database => <<"1">>, - password => <<"public">>, - server => redis_server(), - redis_type => <<"single">>, - ssl => maps:merge(SSLOpts, SpecificSSLOpts) + <<"backend">> => <<"redis">>, + <<"cmd">> => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>, + <<"database">> => <<"1">>, + <<"password">> => <<"public">>, + <<"server">> => redis_server(), + <<"redis_type">> => <<"single">>, + <<"ssl">> => maps:merge(SSLOpts, SpecificSSLOpts) }. redis_server() -> diff --git a/apps/emqx_authn/test/emqx_authn_test_lib.erl b/apps/emqx_authn/test/emqx_authn_test_lib.erl index 9e162b718..7a770be5a 100644 
--- a/apps/emqx_authn/test/emqx_authn_test_lib.erl +++ b/apps/emqx_authn/test/emqx_authn_test_lib.erl @@ -62,7 +62,7 @@ delete_config(ID) -> client_ssl_cert_opts() -> Dir = code:lib_dir(emqx_authn, test), #{ - keyfile => filename:join([Dir, "data/certs", "client.key"]), - certfile => filename:join([Dir, "data/certs", "client.crt"]), - cacertfile => filename:join([Dir, "data/certs", "ca.crt"]) + <<"keyfile">> => filename:join([Dir, <<"data/certs">>, <<"client.key">>]), + <<"certfile">> => filename:join([Dir, <<"data/certs">>, <<"client.crt">>]), + <<"cacertfile">> => filename:join([Dir, <<"data/certs">>, <<"ca.crt">>]) }.
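Review bot: `client_ssl_cert_opts/0` changes its return shape, and it is a shared helper. It now returns binary keys and also binary paths, because `filename:join/1` returns a binary when any component is one. The three TLS suites in this patch are updated to match, but any caller outside the diff that still looks up `keyfile`, `certfile` or `cacertfile` as atoms would stop finding them and might set up its connection without the client certificate. `Dir` is still a charlist from `code:lib_dir/2`, so the binary result relies on implicit coercion. A comment above the function would record the contract: `%% Returns raw-config TLS options: binary keys and binary paths to the test certificates`.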