yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'ce/master' into fmt-gw

This commit is contained in:
JianBo He 2022-04-01 09:52:12 +08:00
parent b30a40d2a2 4d74296fb9
commit 8500200e81
75 changed files with 8141 additions and 5455 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
apps/emqx_authn/rebar.config
View File

@ -1,23 +1,32 @@
%% -*- mode: erlang -*-
{deps,
[ {emqx, {path, "../emqx"}}
, {emqx_connector, {path, "../emqx_connector"}}
]}.
{deps, [
{emqx, {path, "../emqx"}},
{emqx_connector, {path, "../emqx_connector"}}
]}.
{edoc_opts, [{preprocess, true}]}.
{erl_opts, [warn_unused_vars,
{erl_opts, [
warn_unused_vars,
warn_shadow_vars,
warnings_as_errors,
warn_unused_import,
warn_obsolete_guard,
debug_info,
{parse_transform}]}.
{parse_transform}
]}.
{xref_checks, [undefined_function_calls, undefined_functions,
locals_not_used, deprecated_function_calls,
warnings_as_errors, deprecated_functions]}.
{xref_checks, [
undefined_function_calls,
undefined_functions,
locals_not_used,
deprecated_function_calls,
warnings_as_errors,
deprecated_functions
]}.
{cover_enabled, true}.
{cover_opts, [verbose]}.
{cover_export_enabled, true}.
{project_plugins, [erlfmt]}.

10
apps/emqx_authn/src/emqx_authn.app.src
View File

@ -1,13 +1,13 @@
%% -*- mode: erlang -*-
{application, emqx_authn,
[{description, "EMQX Authentication"},
{application, emqx_authn, [
{description, "EMQX Authentication"},
{vsn, "0.1.0"},
{modules, []},
{registered, [emqx_authn_sup, emqx_authn_registry]},
{applications, [kernel,stdlib,emqx_resource,ehttpc,epgsql,mysql,jose]},
{mod, {emqx_authn_app,[]}},
{applications, [kernel, stdlib, emqx_resource, ehttpc, epgsql, mysql, jose]},
{mod, {emqx_authn_app, []}},
{env, []},
{licenses, ["Apache-2.0"]},
{maintainers, ["EMQX Team <contact@emqx.io>"]},
{links, [{"Homepage", "https://emqx.io/"}]}
]}.
]}.

43
apps/emqx_authn/src/emqx_authn.erl
View File

@ -16,28 +16,31 @@
-module(emqx_authn).
-export([ providers/0
, check_config/1
, check_config/2
, check_configs/1
]).
-export([
providers/0,
check_config/1,
check_config/2,
check_configs/1
]).
-include("emqx_authn.hrl").
providers() ->
[ {{'password_based', 'built_in_database'}, emqx_authn_mnesia}
, {{'password_based', mysql}, emqx_authn_mysql}
, {{'password_based', postgresql}, emqx_authn_pgsql}
, {{'password_based', mongodb}, emqx_authn_mongodb}
, {{'password_based', redis}, emqx_authn_redis}
, {{'password_based', 'http'}, emqx_authn_http}
, {jwt, emqx_authn_jwt}
, {{scram, 'built_in_database'}, emqx_enhanced_authn_scram_mnesia}
[
{{'password_based', 'built_in_database'}, emqx_authn_mnesia},
{{'password_based', mysql}, emqx_authn_mysql},
{{'password_based', postgresql}, emqx_authn_pgsql},
{{'password_based', mongodb}, emqx_authn_mongodb},
{{'password_based', redis}, emqx_authn_redis},
{{'password_based', 'http'}, emqx_authn_http},
{jwt, emqx_authn_jwt},
{{scram, 'built_in_database'}, emqx_enhanced_authn_scram_mnesia}
].
check_configs(C) when is_map(C) ->
check_configs([C]);
check_configs([]) -> [];
check_configs([]) ->
[];
check_configs([Config | Configs]) ->
[check_config(Config) | check_configs(Configs)].
@ -51,7 +54,8 @@ check_config(Config, Opts) ->
end.
do_check_config(#{<<"mechanism">> := Mec} = Config, Opts) ->
Key = case maps:get(<<"backend">>, Config, false) of
Key =
case maps:get(<<"backend">>, Config, false) of
false -> atom(Mec);
Backend -> {atom(Mec), atom(Backend)}
end,
@ -59,14 +63,17 @@ do_check_config(#{<<"mechanism">> := Mec} = Config, Opts) ->
false ->
throw({unknown_handler, Key});
{_, ProviderModule} ->
hocon_tconf:check_plain(ProviderModule, #{?CONF_NS_BINARY => Config},
Opts#{atom_key => true})
hocon_tconf:check_plain(
ProviderModule,
#{?CONF_NS_BINARY => Config},
Opts#{atom_key => true}
)
end.
atom(Bin) ->
try
binary_to_existing_atom(Bin, utf8)
catch
_ : _ ->
_:_ ->
throw({unknown_auth_provider, Bin})
end.

775
apps/emqx_authn/src/emqx_authn_api.erl
View File

File diff suppressed because it is too large Load Diff

22
apps/emqx_authn/src/emqx_authn_app.erl
View File

@ -21,9 +21,10 @@
-behaviour(application).
%% Application callbacks
-export([ start/2
, stop/1
]).
-export([
start/2,
stop/1
]).
-include_lib("emqx/include/emqx_authentication.hrl").
@ -55,9 +56,11 @@ initialize() ->
AuthConfig = emqx_authn:check_configs(RawAuthConfigs),
?AUTHN:initialize_authentication(
ChainName,
AuthConfig)
AuthConfig
)
end,
chain_configs()).
chain_configs()
).
deinitialize() ->
ok = ?AUTHN:deregister_providers(provider_types()),
@ -74,12 +77,13 @@ listener_chain_configs() ->
fun({ListenerID, _}) ->
{ListenerID, emqx:get_raw_config(auth_config_path(ListenerID), [])}
end,
emqx_listeners:list()).
emqx_listeners:list()
).
auth_config_path(ListenerID) ->
[<<"listeners">>]
++ binary:split(atom_to_binary(ListenerID), <<":">>)
++ [?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_BINARY].
[<<"listeners">>] ++
binary:split(atom_to_binary(ListenerID), <<":">>) ++
[?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_BINARY].
provider_types() ->
lists:map(fun({Type, _Module}) -> Type end, emqx_authn:providers()).

122
apps/emqx_authn/src/emqx_authn_password_hashing.erl
View File

@ -18,21 +18,25 @@
-include_lib("typerefl/include/types.hrl").
-type(simple_algorithm_name() :: plain | md5 | sha | sha256 | sha512).
-type(salt_position() :: prefix | suffix).
-type simple_algorithm_name() :: plain | md5 | sha | sha256 | sha512.
-type salt_position() :: prefix | suffix.
-type(simple_algorithm() :: #{name := simple_algorithm_name(),
salt_position := salt_position()}).
-type simple_algorithm() :: #{
name := simple_algorithm_name(),
salt_position := salt_position()
}.
-type(bcrypt_algorithm() :: #{name := bcrypt}).
-type(bcrypt_algorithm_rw() :: #{name := bcrypt, salt_rounds := integer()}).
-type bcrypt_algorithm() :: #{name := bcrypt}.
-type bcrypt_algorithm_rw() :: #{name := bcrypt, salt_rounds := integer()}.
-type(pbkdf2_algorithm() :: #{name := pbkdf2,
-type pbkdf2_algorithm() :: #{
name := pbkdf2,
mac_fun := emqx_passwd:pbkdf2_mac_fun(),
iterations := pos_integer()}).
iterations := pos_integer()
}.
-type(algorithm() :: simple_algorithm() | pbkdf2_algorithm() | bcrypt_algorithm()).
-type(algorithm_rw() :: simple_algorithm() | pbkdf2_algorithm() | bcrypt_algorithm_rw()).
-type algorithm() :: simple_algorithm() | pbkdf2_algorithm() | bcrypt_algorithm().
-type algorithm_rw() :: simple_algorithm() | pbkdf2_algorithm() | bcrypt_algorithm_rw().
%%------------------------------------------------------------------------------
%% Hocon Schema
@ -40,17 +44,23 @@
-behaviour(hocon_schema).
-export([roots/0,
-export([
roots/0,
fields/1,
namespace/0]).
namespace/0
]).
-export([type_ro/1,
type_rw/1]).
-export([
type_ro/1,
type_rw/1
]).
-export([init/1,
-export([
init/1,
gen_salt/1,
hash/2,
check_password/4]).
check_password/4
]).
namespace() -> "authn-hash".
roots() -> [pbkdf2, bcrypt, bcrypt_rw, other_algorithms].
@ -58,19 +68,20 @@ roots() -> [pbkdf2, bcrypt, bcrypt_rw, other_algorithms].
fields(bcrypt_rw) ->
fields(bcrypt) ++
[{salt_rounds, fun salt_rounds/1}];
fields(bcrypt) ->
[{name, {enum, [bcrypt]}}];
fields(pbkdf2) ->
[{name, {enum, [pbkdf2]}},
[
{name, {enum, [pbkdf2]}},
{mac_fun, {enum, [md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512]}},
{iterations, integer()},
{dk_length, fun dk_length/1}];
{dk_length, fun dk_length/1}
];
fields(other_algorithms) ->
[{name, {enum, [plain, md5, sha, sha256, sha512]}},
{salt_position, fun salt_position/1}].
[
{name, {enum, [plain, md5, sha, sha256, sha512]}},
{salt_position, fun salt_position/1}
].
salt_position(type) -> {enum, [prefix, suffix]};
salt_position(desc) -> "Specifies whether the password salt is stored as a prefix or the suffix.";
@ -89,47 +100,56 @@ dk_length(_) -> undefined.
type_rw(type) ->
hoconsc:union(rw_refs());
type_rw(default) -> #{<<"name">> => sha256, <<"salt_position">> => prefix};
type_rw(_) -> undefined.
type_rw(default) ->
#{<<"name">> => sha256, <<"salt_position">> => prefix};
type_rw(_) ->
undefined.
type_ro(type) ->
hoconsc:union(ro_refs());
type_ro(default) -> #{<<"name">> => sha256, <<"salt_position">> => prefix};
type_ro(_) -> undefined.
type_ro(default) ->
#{<<"name">> => sha256, <<"salt_position">> => prefix};
type_ro(_) ->
undefined.
%%------------------------------------------------------------------------------
%% APIs
%%------------------------------------------------------------------------------
-spec(init(algorithm()) -> ok).
-spec init(algorithm()) -> ok.
init(#{name := bcrypt}) ->
{ok, _} = application:ensure_all_started(bcrypt),
ok;
init(#{name := _Other}) ->
ok.
-spec(gen_salt(algorithm_rw()) -> emqx_passwd:salt()).
-spec gen_salt(algorithm_rw()) -> emqx_passwd:salt().
gen_salt(#{name := plain}) ->
<<>>;
gen_salt(#{name := bcrypt,
salt_rounds := Rounds}) ->
gen_salt(#{
name := bcrypt,
salt_rounds := Rounds
}) ->
{ok, Salt} = bcrypt:gen_salt(Rounds),
list_to_binary(Salt);
gen_salt(#{name := Other}) when Other =/= plain, Other =/= bcrypt ->
<<X:128/big-unsigned-integer>> = crypto:strong_rand_bytes(16),
iolist_to_binary(io_lib:format("~32.16.0b", [X])).
-spec(hash(algorithm_rw(), emqx_passwd:password()) -> {emqx_passwd:hash(), emqx_passwd:salt()}).
-spec hash(algorithm_rw(), emqx_passwd:password()) -> {emqx_passwd:hash(), emqx_passwd:salt()}.
hash(#{name := bcrypt, salt_rounds := _} = Algorithm, Password) ->
Salt0 = gen_salt(Algorithm),
Hash = emqx_passwd:hash({bcrypt, Salt0}, Password),
Salt = Hash,
{Hash, Salt};
hash(#{name := pbkdf2,
hash(
#{
name := pbkdf2,
mac_fun := MacFun,
iterations := Iterations} = Algorithm, Password) ->
iterations := Iterations
} = Algorithm,
Password
) ->
Salt = gen_salt(Algorithm),
DKLength = maps:get(dk_length, Algorithm, undefined),
Hash = emqx_passwd:hash({pbkdf2, MacFun, Salt, Iterations, DKLength}, Password),
@ -139,18 +159,24 @@ hash(#{name := Other, salt_position := SaltPosition} = Algorithm, Password) ->
Hash = emqx_passwd:hash({Other, Salt, SaltPosition}, Password),
{Hash, Salt}.
-spec(check_password(
-spec check_password(
algorithm(),
emqx_passwd:salt(),
emqx_passwd:hash(),
emqx_passwd:password()) -> boolean()).
emqx_passwd:password()
) -> boolean().
check_password(#{name := bcrypt}, _Salt, PasswordHash, Password) ->
emqx_passwd:check_pass({bcrypt, PasswordHash}, PasswordHash, Password);
check_password(#{name := pbkdf2,
check_password(
#{
name := pbkdf2,
mac_fun := MacFun,
iterations := Iterations} = Algorithm,
Salt, PasswordHash, Password) ->
iterations := Iterations
} = Algorithm,
Salt,
PasswordHash,
Password
) ->
DKLength = maps:get(dk_length, Algorithm, undefined),
emqx_passwd:check_pass({pbkdf2, MacFun, Salt, Iterations, DKLength}, PasswordHash, Password);
check_password(#{name := Other, salt_position := SaltPosition}, Salt, PasswordHash, Password) ->
@ -161,11 +187,15 @@ check_password(#{name := Other, salt_position := SaltPosition}, Salt, PasswordHa
%%------------------------------------------------------------------------------
rw_refs() ->
[hoconsc:ref(?MODULE, bcrypt_rw),
[
hoconsc:ref(?MODULE, bcrypt_rw),
hoconsc:ref(?MODULE, pbkdf2),
hoconsc:ref(?MODULE, other_algorithms)].
hoconsc:ref(?MODULE, other_algorithms)
].
ro_refs() ->
[hoconsc:ref(?MODULE, bcrypt),
[
hoconsc:ref(?MODULE, bcrypt),
hoconsc:ref(?MODULE, pbkdf2),
hoconsc:ref(?MODULE, other_algorithms)].
hoconsc:ref(?MODULE, other_algorithms)
].

95
apps/emqx_authn/src/emqx_authn_schema.erl
View File

@ -20,21 +20,20 @@
-include_lib("typerefl/include/types.hrl").
-import(hoconsc, [mk/2, ref/2]).
-export([ common_fields/0
, roots/0
, fields/1
, authenticator_type/0
, root_type/0
, mechanism/1
, backend/1
]).
-export([
common_fields/0,
roots/0,
fields/1,
authenticator_type/0,
root_type/0,
mechanism/1,
backend/1
]).
roots() -> [].
common_fields() ->
[ {enable, fun enable/1}
].
[{enable, fun enable/1}].
enable(type) -> boolean();
enable(default) -> true;
@ -54,46 +53,60 @@ root_type() ->
hoconsc:array(authenticator_type()).
mechanism(Name) ->
hoconsc:mk(hoconsc:enum([Name]),
#{ required => true
, desc => "Authentication mechanism."
}).
hoconsc:mk(
hoconsc:enum([Name]),
#{
required => true,
desc => "Authentication mechanism."
}
).
backend(Name) ->
hoconsc:mk(hoconsc:enum([Name]),
#{ required => true
, desc => "Backend type."
}).
hoconsc:mk(
hoconsc:enum([Name]),
#{
required => true,
desc => "Backend type."
}
).
fields("metrics_status_fields") ->
[ {"metrics", mk(ref(?MODULE, "metrics"), #{desc => "The metrics of the resource"})}
, {"node_metrics", mk(hoconsc:array(ref(?MODULE, "node_metrics")),
#{ desc => "The metrics of the resource for each node"
})}
, {"status", mk(status(), #{desc => "The status of the resource"})}
, {"node_status", mk(hoconsc:array(ref(?MODULE, "node_status")),
#{ desc => "The status of the resource for each node"
})}
[
{"metrics", mk(ref(?MODULE, "metrics"), #{desc => "The metrics of the resource"})},
{"node_metrics",
mk(
hoconsc:array(ref(?MODULE, "node_metrics")),
#{desc => "The metrics of the resource for each node"}
)},
{"status", mk(status(), #{desc => "The status of the resource"})},
{"node_status",
mk(
hoconsc:array(ref(?MODULE, "node_status")),
#{desc => "The status of the resource for each node"}
)}
];
fields("metrics") ->
[ {"matched", mk(integer(), #{desc => "Count of this resource is queried"})}
, {"success", mk(integer(), #{desc => "Count of query success"})}
, {"failed", mk(integer(), #{desc => "Count of query failed"})}
, {"rate", mk(float(), #{desc => "The rate of matched, times/second"})}
, {"rate_max", mk(float(), #{desc => "The max rate of matched, times/second"})}
, {"rate_last5m", mk(float(),
#{desc => "The average rate of matched in the last 5 minutes, times/second"})}
[
{"matched", mk(integer(), #{desc => "Count of this resource is queried"})},
{"success", mk(integer(), #{desc => "Count of query success"})},
{"failed", mk(integer(), #{desc => "Count of query failed"})},
{"rate", mk(float(), #{desc => "The rate of matched, times/second"})},
{"rate_max", mk(float(), #{desc => "The max rate of matched, times/second"})},
{"rate_last5m",
mk(
float(),
#{desc => "The average rate of matched in the last 5 minutes, times/second"}
)}
];
fields("node_metrics") ->
[ node_name()
, {"metrics", mk(ref(?MODULE, "metrics"), #{})}
[
node_name(),
{"metrics", mk(ref(?MODULE, "metrics"), #{})}
];
fields("node_status") ->
[ node_name()
, {"status", mk(status(), #{desc => "Status of the node."})}
[
node_name(),
{"status", mk(status(), #{desc => "Status of the node."})}
].
status() ->

7
apps/emqx_authn/src/emqx_authn_sup.erl
View File

@ -18,9 +18,10 @@
-behaviour(supervisor).
-export([ start_link/0
, init/1
]).
-export([
start_link/0,
init/1
]).
start_link() ->
supervisor:start_link({local, ?MODULE}, ?MODULE, []).

58
apps/emqx_authn/src/emqx_authn_utils.erl
View File

@ -19,26 +19,29 @@
-include_lib("emqx/include/emqx_placeholder.hrl").
-include_lib("emqx_authn.hrl").
-export([ check_password_from_selected_map/3
, parse_deep/1
, parse_str/1
, parse_sql/2
, render_deep/2
, render_str/2
, render_sql_params/2
, is_superuser/1
, bin/1
, ensure_apps_started/1
, cleanup_resources/0
, make_resource_id/1
]).
-export([
check_password_from_selected_map/3,
parse_deep/1,
parse_str/1,
parse_sql/2,
render_deep/2,
render_str/2,
render_sql_params/2,
is_superuser/1,
bin/1,
ensure_apps_started/1,
cleanup_resources/0,
make_resource_id/1
]).
-define(AUTHN_PLACEHOLDERS, [?PH_USERNAME,
-define(AUTHN_PLACEHOLDERS, [
?PH_USERNAME,
?PH_CLIENTID,
?PH_PASSWORD,
?PH_PEERHOST,
?PH_CERT_SUBJECT,
?PH_CERT_CN_NAME]).
?PH_CERT_CN_NAME
]).
%%------------------------------------------------------------------------------
%% APIs
@ -47,12 +50,12 @@
check_password_from_selected_map(_Algorithm, _Selected, undefined) ->
{error, bad_username_or_password};
check_password_from_selected_map(
Algorithm, #{<<"password_hash">> := Hash} = Selected, Password) ->
Algorithm, #{<<"password_hash">> := Hash} = Selected, Password
) ->
Salt = maps:get(<<"salt">>, Selected, <<>>),
case emqx_authn_password_hashing:check_password(Algorithm, Salt, Hash, Password) of
true -> ok;
false ->
{error, bad_username_or_password}
false -> {error, bad_username_or_password}
end.
parse_deep(Template) ->
@ -64,26 +67,32 @@ parse_str(Template) ->
parse_sql(Template, ReplaceWith) ->
emqx_placeholder:preproc_sql(
Template,
#{replace_with => ReplaceWith,
placeholders => ?AUTHN_PLACEHOLDERS}).
#{
replace_with => ReplaceWith,
placeholders => ?AUTHN_PLACEHOLDERS
}
).
render_deep(Template, Credential) ->
emqx_placeholder:proc_tmpl_deep(
Template,
Credential,
#{return => full_binary, var_trans => fun handle_var/2}).
#{return => full_binary, var_trans => fun handle_var/2}
).
render_str(Template, Credential) ->
emqx_placeholder:proc_tmpl(
Template,
Credential,
#{return => full_binary, var_trans => fun handle_var/2}).
#{return => full_binary, var_trans => fun handle_var/2}
).
render_sql_params(ParamList, Credential) ->
emqx_placeholder:proc_tmpl(
ParamList,
Credential,
#{return => rawlist, var_trans => fun handle_sql_var/2}).
#{return => rawlist, var_trans => fun handle_sql_var/2}
).
is_superuser(#{<<"is_superuser">> := <<"">>}) ->
#{is_superuser => false};
@ -115,7 +124,8 @@ bin(X) -> X.
cleanup_resources() ->
lists:foreach(
fun emqx_resource:remove_local/1,
emqx_resource:list_group_instances(?RESOURCE_GROUP)).
emqx_resource:list_group_instances(?RESOURCE_GROUP)
).
make_resource_id(Name) ->
NameBin = bin(Name),

209
apps/emqx_authn/test/emqx_authn_api_SUITE.erl
View File

@ -26,12 +26,12 @@
-define(TCP_DEFAULT, 'tcp:default').
-define(
assertAuthenticatorsMatch(Guard, Path),
-define(assertAuthenticatorsMatch(Guard, Path),
(fun() ->
{ok, 200, Response} = request(get, uri(Path)),
?assertMatch(Guard, jiffy:decode(Response, [return_maps]))
end)()).
end)()
).
all() ->
emqx_common_test_helpers:all(?MODULE).
@ -43,11 +43,13 @@ init_per_testcase(_, Config) ->
{ok, _} = emqx_cluster_rpc:start_link(node(), emqx_cluster_rpc, 1000),
emqx_authn_test_lib:delete_authenticators(
[?CONF_NS_ATOM],
?GLOBAL),
?GLOBAL
),
emqx_authn_test_lib:delete_authenticators(
[listeners, tcp, default, ?CONF_NS_ATOM],
?TCP_DEFAULT),
?TCP_DEFAULT
),
{atomic, ok} = mria:clear_table(emqx_authn_mnesia),
Config.
@ -56,7 +58,8 @@ init_per_suite(Config) ->
_ = application:load(emqx_conf),
ok = emqx_common_test_helpers:start_apps(
[emqx_authn, emqx_dashboard],
fun set_special_configs/1),
fun set_special_configs/1
),
?AUTHN:delete_chain(?GLOBAL),
{ok, Chains} = ?AUTHN:list_chains(),
@ -117,108 +120,132 @@ t_listener_authenticator_import_users(_) ->
test_authenticator_import_users(["listeners", ?TCP_DEFAULT]).
test_authenticators(PathPrefix) ->
ValidConfig = emqx_authn_test_lib:http_example(),
{ok, 200, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
ValidConfig),
ValidConfig
),
{ok, 409, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
ValidConfig),
ValidConfig
),
InvalidConfig0 = ValidConfig#{method => <<"delete">>},
{ok, 400, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
InvalidConfig0),
InvalidConfig0
),
InvalidConfig1 = ValidConfig#{method => <<"get">>,
headers => #{<<"content-type">> => <<"application/json">>}},
InvalidConfig1 = ValidConfig#{
method => <<"get">>,
headers => #{<<"content-type">> => <<"application/json">>}
},
{ok, 400, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
InvalidConfig1),
InvalidConfig1
),
?assertAuthenticatorsMatch(
[#{<<"mechanism">> := <<"password_based">>, <<"backend">> := <<"http">>}],
PathPrefix ++ [?CONF_NS]).
PathPrefix ++ [?CONF_NS]
).
test_authenticator(PathPrefix) ->
ValidConfig0 = emqx_authn_test_lib:http_example(),
{ok, 200, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
ValidConfig0),
ValidConfig0
),
{ok, 200, _} = request(
get,
uri(PathPrefix ++ [?CONF_NS, "password_based:http"])),
uri(PathPrefix ++ [?CONF_NS, "password_based:http"])
),
{ok, 200, Res} = request(
get,
uri(PathPrefix ++ [?CONF_NS, "password_based:http", "status"])),
uri(PathPrefix ++ [?CONF_NS, "password_based:http", "status"])
),
{ok, RList} = emqx_json:safe_decode(Res),
Snd = fun ({_, Val}) -> Val end,
Snd = fun({_, Val}) -> Val end,
LookupVal = fun LookupV(List, RestJson) ->
case List of
[Name] -> Snd(lists:keyfind(Name, 1, RestJson));
[Name | NS] -> LookupV(NS, Snd(lists:keyfind(Name, 1, RestJson)))
end
end,
LookFun = fun (List) -> LookupVal(List, RList) end,
MetricsList = [{<<"failed">>, 0},
LookFun = fun(List) -> LookupVal(List, RList) end,
MetricsList = [
{<<"failed">>, 0},
{<<"matched">>, 0},
{<<"rate">>, 0.0},
{<<"rate_last5m">>, 0.0},
{<<"rate_max">>, 0.0},
{<<"success">>, 0}],
EqualFun = fun ({M, V}) ->
?assertEqual(V, LookFun([<<"metrics">>,
M]
{<<"success">>, 0}
],
EqualFun = fun({M, V}) ->
?assertEqual(
V,
LookFun([
<<"metrics">>,
M
])
)
) end,
end,
lists:map(EqualFun, MetricsList),
?assertEqual(<<"connected">>,
LookFun([<<"status">>
])),
?assertEqual(
<<"connected">>,
LookFun([<<"status">>])
),
{ok, 404, _} = request(
get,
uri(PathPrefix ++ [?CONF_NS, "password_based:redis"])),
uri(PathPrefix ++ [?CONF_NS, "password_based:redis"])
),
{ok, 404, _} = request(
put,
uri(PathPrefix ++ [?CONF_NS, "password_based:built_in_database"]),
emqx_authn_test_lib:built_in_database_example()),
emqx_authn_test_lib:built_in_database_example()
),
InvalidConfig0 = ValidConfig0#{method => <<"delete">>},
{ok, 400, _} = request(
put,
uri(PathPrefix ++ [?CONF_NS, "password_based:http"]),
InvalidConfig0),
InvalidConfig0
),
InvalidConfig1 = ValidConfig0#{method => <<"get">>,
headers => #{<<"content-type">> => <<"application/json">>}},
InvalidConfig1 = ValidConfig0#{
method => <<"get">>,
headers => #{<<"content-type">> => <<"application/json">>}
},
{ok, 400, _} = request(
put,
uri(PathPrefix ++ [?CONF_NS, "password_based:http"]),
InvalidConfig1),
InvalidConfig1
),
ValidConfig1 = ValidConfig0#{pool_size => 9},
{ok, 200, _} = request(
put,
uri(PathPrefix ++ [?CONF_NS, "password_based:http"]),
ValidConfig1),
ValidConfig1
),
{ok, 404, _} = request(
delete,
uri(PathPrefix ++ [?CONF_NS, "password_based:redis"])),
uri(PathPrefix ++ [?CONF_NS, "password_based:redis"])
),
{ok, 204, _} = request(
delete,
uri(PathPrefix ++ [?CONF_NS, "password_based:http"])),
uri(PathPrefix ++ [?CONF_NS, "password_based:http"])
),
?assertAuthenticatorsMatch([], PathPrefix ++ [?CONF_NS]).
@ -228,22 +255,25 @@ test_authenticator_users(PathPrefix) ->
{ok, 200, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
emqx_authn_test_lib:built_in_database_example()),
emqx_authn_test_lib:built_in_database_example()
),
InvalidUsers = [
#{clientid => <<"u1">>, password => <<"p1">>},
#{user_id => <<"u2">>},
#{user_id => <<"u3">>, password => <<"p3">>, foobar => <<"foobar">>}],
#{user_id => <<"u3">>, password => <<"p3">>, foobar => <<"foobar">>}
],
lists:foreach(
fun(User) -> {ok, 400, _} = request(post, UsersUri, User) end,
InvalidUsers),
InvalidUsers
),
ValidUsers = [
#{user_id => <<"u1">>, password => <<"p1">>},
#{user_id => <<"u2">>, password => <<"p2">>, is_superuser => true},
#{user_id => <<"u3">>, password => <<"p3">>}],
#{user_id => <<"u3">>, password => <<"p3">>}
],
lists:foreach(
fun(User) ->
@ -251,31 +281,41 @@ test_authenticator_users(PathPrefix) ->
CreatedUser = jiffy:decode(UserData, [return_maps]),
?assertMatch(#{<<"user_id">> := _}, CreatedUser)
end,
ValidUsers),
ValidUsers
),
{ok, 200, Page1Data} = request(get, UsersUri ++ "?page=1&limit=2"),
#{<<"data">> := Page1Users,
#{
<<"data">> := Page1Users,
<<"meta">> :=
#{<<"page">> := 1,
#{
<<"page">> := 1,
<<"limit">> := 2,
<<"count">> := 3}} =
<<"count">> := 3
}
} =
jiffy:decode(Page1Data, [return_maps]),
{ok, 200, Page2Data} = request(get, UsersUri ++ "?page=2&limit=2"),
#{<<"data">> := Page2Users,
#{
<<"data">> := Page2Users,
<<"meta">> :=
#{<<"page">> := 2,
#{
<<"page">> := 2,
<<"limit">> := 2,
<<"count">> := 3}} = jiffy:decode(Page2Data, [return_maps]),
<<"count">> := 3
}
} = jiffy:decode(Page2Data, [return_maps]),
?assertEqual(2, length(Page1Users)),
?assertEqual(1, length(Page2Users)),
?assertEqual(
[<<"u1">>, <<"u2">>, <<"u3">>],
lists:usort([ UserId || #{<<"user_id">> := UserId} <- Page1Users ++ Page2Users])).
lists:usort([UserId || #{<<"user_id">> := UserId} <- Page1Users ++ Page2Users])
).
test_authenticator_user(PathPrefix) ->
UsersUri = uri(PathPrefix ++ [?CONF_NS, "password_based:built_in_database", "users"]),
@ -283,7 +323,8 @@ test_authenticator_user(PathPrefix) ->
{ok, 200, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
emqx_authn_test_lib:built_in_database_example()),
emqx_authn_test_lib:built_in_database_example()
),
User = #{user_id => <<"u1">>, password => <<"p1">>},
{ok, 201, _} = request(post, UsersUri, User),
@ -300,17 +341,20 @@ test_authenticator_user(PathPrefix) ->
ValidUserUpdates = [
#{password => <<"p1">>},
#{password => <<"p1">>, is_superuser => true}],
#{password => <<"p1">>, is_superuser => true}
],
lists:foreach(
fun(UserUpdate) -> {ok, 200, _} = request(put, UsersUri ++ "/u1", UserUpdate) end,
ValidUserUpdates),
ValidUserUpdates
),
InvalidUserUpdates = [#{user_id => <<"u1">>, password => <<"p1">>}],
lists:foreach(
fun(UserUpdate) -> {ok, 400, _} = request(put, UsersUri ++ "/u1", UserUpdate) end,
InvalidUserUpdates),
InvalidUserUpdates
),
{ok, 404, _} = request(delete, UsersUri ++ "/u123"),
{ok, 204, _} = request(delete, UsersUri ++ "/u1").
@ -327,9 +371,11 @@ test_authenticator_move(PathPrefix) ->
{ok, 200, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
Conf)
Conf
)
end,
AuthenticatorConfs),
AuthenticatorConfs
),
?assertAuthenticatorsMatch(
[
@ -337,34 +383,40 @@ test_authenticator_move(PathPrefix) ->
#{<<"mechanism">> := <<"jwt">>},
#{<<"mechanism">> := <<"password_based">>, <<"backend">> := <<"built_in_database">>}
],
PathPrefix ++ [?CONF_NS]),
PathPrefix ++ [?CONF_NS]
),
%% Invalid moves
{ok, 400, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{position => <<"up">>}),
#{position => <<"up">>}
),
{ok, 400, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{}),
#{}
),
{ok, 404, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{position => <<"before:invalid">>}),
#{position => <<"before:invalid">>}
),
{ok, 404, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{position => <<"before:password_based:redis">>}),
#{position => <<"before:password_based:redis">>}
),
{ok, 404, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{position => <<"before:password_based:redis">>}),
#{position => <<"before:password_based:redis">>}
),
%% Valid moves
@ -372,7 +424,8 @@ test_authenticator_move(PathPrefix) ->
{ok, 204, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{position => <<"front">>}),
#{position => <<"front">>}
),
?assertAuthenticatorsMatch(
[
@ -380,13 +433,15 @@ test_authenticator_move(PathPrefix) ->
#{<<"mechanism">> := <<"password_based">>, <<"backend">> := <<"http">>},
#{<<"mechanism">> := <<"password_based">>, <<"backend">> := <<"built_in_database">>}
],
PathPrefix ++ [?CONF_NS]),
PathPrefix ++ [?CONF_NS]
),
%% test rear
{ok, 204, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{position => <<"rear">>}),
#{position => <<"rear">>}
),
?assertAuthenticatorsMatch(
[
@ -394,13 +449,15 @@ test_authenticator_move(PathPrefix) ->
#{<<"mechanism">> := <<"password_based">>, <<"backend">> := <<"built_in_database">>},
#{<<"mechanism">> := <<"jwt">>}
],
PathPrefix ++ [?CONF_NS]),
PathPrefix ++ [?CONF_NS]
),
%% test before
{ok, 204, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "jwt", "move"]),
#{position => <<"before:password_based:built_in_database">>}),
#{position => <<"before:password_based:built_in_database">>}
),
?assertAuthenticatorsMatch(
[
@ -408,13 +465,15 @@ test_authenticator_move(PathPrefix) ->
#{<<"mechanism">> := <<"jwt">>},
#{<<"mechanism">> := <<"password_based">>, <<"backend">> := <<"built_in_database">>}
],
PathPrefix ++ [?CONF_NS]),
PathPrefix ++ [?CONF_NS]
),
%% test after
{ok, 204, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS, "password_based%3Abuilt_in_database", "move"]),
#{position => <<"after:password_based:http">>}),
#{position => <<"after:password_based:http">>}
),
?assertAuthenticatorsMatch(
[
@ -422,18 +481,20 @@ test_authenticator_move(PathPrefix) ->
#{<<"mechanism">> := <<"password_based">>, <<"backend">> := <<"built_in_database">>},
#{<<"mechanism">> := <<"jwt">>}
],
PathPrefix ++ [?CONF_NS]).
PathPrefix ++ [?CONF_NS]
).
test_authenticator_import_users(PathPrefix) ->
ImportUri = uri(
PathPrefix ++
[?CONF_NS, "password_based:built_in_database", "import_users"]),
[?CONF_NS, "password_based:built_in_database", "import_users"]
),
{ok, 200, _} = request(
post,
uri(PathPrefix ++ [?CONF_NS]),
emqx_authn_test_lib:built_in_database_example()),
emqx_authn_test_lib:built_in_database_example()
),
{ok, 400, _} = request(post, ImportUri, #{}),

179
apps/emqx_authn/test/emqx_authn_http_SUITE.erl
View File

@ -28,12 +28,12 @@
-define(HTTP_PORT, 33333).
-define(HTTP_PATH, "/auth").
-define(CREDENTIALS, #{username => <<"plain">>,
-define(CREDENTIALS, #{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}).
}).
all() ->
emqx_common_test_helpers:all(?MODULE).
@ -47,7 +47,8 @@ init_per_suite(Config) ->
end_per_suite(_) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
emqx_common_test_helpers:stop_apps([emqx_authn]),
application:stop(cowboy),
ok.
@ -56,7 +57,8 @@ init_per_testcase(_Case, Config) ->
{ok, _} = emqx_cluster_rpc:start_link(node(), emqx_cluster_rpc, 1000),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
{ok, _} = emqx_authn_http_test_server:start_link(?HTTP_PORT, ?HTTP_PATH),
Config.
@ -72,7 +74,8 @@ t_create(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_http}]} = emqx_authentication:list_authenticators(?GLOBAL).
@ -92,14 +95,16 @@ t_create_invalid(_Config) ->
try
emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config})
{create_authenticator, ?GLOBAL, Config}
)
catch
throw:Error ->
{error, Error}
end,
{ok, []} = emqx_authentication:list_authenticators(?GLOBAL)
end,
InvalidConfigs).
InvalidConfigs
).
t_authenticate(_Config) ->
ok = lists:foreach(
@ -107,16 +112,20 @@ t_authenticate(_Config) ->
ct:pal("test_user_auth sample: ~p", [Sample]),
test_user_auth(Sample)
end,
samples()).
samples()
).
test_user_auth(#{handler := Handler,
test_user_auth(#{
handler := Handler,
config_params := SpecificConfgParams,
result := Result}) ->
result := Result
}) ->
AuthConfig = maps:merge(raw_http_auth_config(), SpecificConfgParams),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
ok = emqx_authn_http_test_server:set_handler(Handler),
@ -124,40 +133,47 @@ test_user_auth(#{handler := Handler,
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL).
?GLOBAL
).
t_destroy(_Config) ->
AuthConfig = raw_http_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
ok = emqx_authn_http_test_server:set_handler(
fun(Req0, State) ->
Req = cowboy_req:reply(200, Req0),
{ok, Req, State}
end),
end
),
{ok, [#{provider := emqx_authn_http, state := State}]}
= emqx_authentication:list_authenticators(?GLOBAL),
{ok, [#{provider := emqx_authn_http, state := State}]} =
emqx_authentication:list_authenticators(?GLOBAL),
Credentials = maps:with([username, password], ?CREDENTIALS),
{ok, _} = emqx_authn_http:authenticate(
Credentials,
State),
State
),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
% Authenticator should not be usable anymore
?assertMatch(
ignore,
emqx_authn_http:authenticate(
Credentials,
State)).
State
)
).
t_update(_Config) ->
CorrectConfig = raw_http_auth_config(),
@ -166,28 +182,32 @@ t_update(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, IncorrectConfig}),
{create_authenticator, ?GLOBAL, IncorrectConfig}
),
ok = emqx_authn_http_test_server:set_handler(
fun(Req0, State) ->
Req = cowboy_req:reply(200, Req0),
{ok, Req, State}
end),
end
),
{error, not_authorized} = emqx_access_control:authenticate(?CREDENTIALS),
% We update with config with correct query, provider should update and work properly
{ok, _} = emqx:update_config(
?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:http">>, CorrectConfig}),
{update_authenticator, ?GLOBAL, <<"password_based:http">>, CorrectConfig}
),
{ok,_} = emqx_access_control:authenticate(?CREDENTIALS).
{ok, _} = emqx_access_control:authenticate(?CREDENTIALS).
t_is_superuser(_Config) ->
Config = raw_http_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
Checks = [
{json, <<"0">>, false},
@ -210,11 +230,10 @@ t_is_superuser(_Config) ->
lists:foreach(fun test_is_superuser/1, Checks).
test_is_superuser({Kind, Value, ExpectedValue}) ->
{ContentType, Res} = case Kind of
{ContentType, Res} =
case Kind of
json ->
{<<"application/json">>,
jiffy:encode(#{is_superuser => Value})};
{<<"application/json">>, jiffy:encode(#{is_superuser => Value})};
form ->
{<<"application/x-www-form-urlencoded">>,
iolist_to_binary([<<"is_superuser=">>, Value])}
@ -226,13 +245,16 @@ test_is_superuser({Kind, Value, ExpectedValue}) ->
200,
#{<<"content-type">> => ContentType},
Res,
Req0),
Req0
),
{ok, Req, State}
end),
end
),
?assertMatch(
{ok, #{is_superuser := ExpectedValue}},
emqx_access_control:authenticate(?CREDENTIALS)).
emqx_access_control:authenticate(?CREDENTIALS)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -253,8 +275,10 @@ raw_http_auth_config() ->
samples() ->
[
%% simple get request
#{handler => fun(Req0, State) ->
#{username := <<"plain">>,
#{
handler => fun(Req0, State) ->
#{
username := <<"plain">>,
password := <<"plain">>
} = cowboy_req:match_qs([username, password], Req0),
@ -262,54 +286,66 @@ samples() ->
{ok, Req, State}
end,
config_params => #{},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
%% get request with json body response
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
Req = cowboy_req:reply(
200,
#{<<"content-type">> => <<"application/json">>},
jiffy:encode(#{is_superuser => true}),
Req0),
Req0
),
{ok, Req, State}
end,
config_params => #{},
result => {ok,#{is_superuser => true, user_property => #{}}}
result => {ok, #{is_superuser => true, user_property => #{}}}
},
%% get request with url-form-encoded body response
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
Req = cowboy_req:reply(
200,
#{<<"content-type">> =>
<<"application/x-www-form-urlencoded">>},
#{
<<"content-type">> =>
<<"application/x-www-form-urlencoded">>
},
<<"is_superuser=true">>,
Req0),
Req0
),
{ok, Req, State}
end,
config_params => #{},
result => {ok,#{is_superuser => true, user_property => #{}}}
result => {ok, #{is_superuser => true, user_property => #{}}}
},
%% get request with response of unknown encoding
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
Req = cowboy_req:reply(
200,
#{<<"content-type">> =>
<<"test/plain">>},
#{
<<"content-type">> =>
<<"test/plain">>
},
<<"is_superuser=true">>,
Req0),
Req0
),
{ok, Req, State}
end,
config_params => #{},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
%% simple post request, application/json
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
{ok, RawBody, Req1} = cowboy_req:read_body(Req0),
#{<<"username">> := <<"plain">>,
#{
<<"username">> := <<"plain">>,
<<"password">> := <<"plain">>
} = jiffy:decode(RawBody, [return_maps]),
Req = cowboy_req:reply(200, Req1),
@ -319,13 +355,15 @@ samples() ->
method => post,
headers => #{<<"content-type">> => <<"application/json">>}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
%% simple post request, application/x-www-form-urlencoded
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
{ok, PostVars, Req1} = cowboy_req:read_urlencoded_body(Req0),
#{<<"username">> := <<"plain">>,
#{
<<"username">> := <<"plain">>,
<<"password">> := <<"plain">>
} = maps:from_list(PostVars),
Req = cowboy_req:reply(200, Req1),
@ -333,56 +371,61 @@ samples() ->
end,
config_params => #{
method => post,
headers => #{<<"content-type">> =>
<<"application/x-www-form-urlencoded">>}
},
result => {ok,#{is_superuser => false}}
headers => #{
<<"content-type">> =>
<<"application/x-www-form-urlencoded">>
}
},
result => {ok, #{is_superuser => false}}
}#{
%% 204 code
#{handler => fun(Req0, State) ->
handler => fun(Req0, State) ->
Req = cowboy_req:reply(204, Req0),
{ok, Req, State}
end,
config_params => #{},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
%% custom headers
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
<<"Test Value">> = cowboy_req:header(<<"x-test-header">>, Req0),
Req = cowboy_req:reply(200, Req0),
{ok, Req, State}
end,
config_params => #{},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
%% 400 code
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
Req = cowboy_req:reply(400, Req0),
{ok, Req, State}
end,
config_params => #{},
result => {error,not_authorized}
result => {error, not_authorized}
},
%% 500 code
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
Req = cowboy_req:reply(500, Req0),
{ok, Req, State}
end,
config_params => #{},
result => {error,not_authorized}
result => {error, not_authorized}
},
%% Handling error
#{handler => fun(Req0, State) ->
#{
handler => fun(Req0, State) ->
error(woops),
{ok, Req0, State}
end,
config_params => #{},
result => {error,not_authorized}
result => {error, not_authorized}
}
].

29
apps/emqx_authn/test/emqx_authn_http_test_server.erl
View File

@ -26,11 +26,12 @@
-export([init/1]).
% API
-export([start_link/2,
-export([
start_link/2,
start_link/3,
stop/0,
set_handler/1
]).
]).
%%------------------------------------------------------------------------------
%% API
@ -57,7 +58,8 @@ init([Port, Path, SSLOpts]) ->
Dispatch = cowboy_router:compile(
[
{'_', [{Path, ?MODULE, []}]}
]),
]
),
ProtoOpts = #{env => #{dispatch => Dispatch}},
@ -83,16 +85,21 @@ init(Req, State) ->
%%------------------------------------------------------------------------------
transport_settings(Port, false) ->
TransOpts = #{socket_opts => [{port, Port}],
connection_type => supervisor},
TransOpts = #{
socket_opts => [{port, Port}],
connection_type => supervisor
},
{ranch_tcp, TransOpts, cowboy_clear};
transport_settings(Port, SSLOpts) ->
TransOpts = #{socket_opts => [{port, Port},
TransOpts = #{
socket_opts => [
{port, Port},
{next_protocols_advertised, [<<"h2">>, <<"http/1.1">>]},
{alpn_preferred_protocols, [<<"h2">>, <<"http/1.1">>]}
| SSLOpts],
connection_type => supervisor},
| SSLOpts
],
connection_type => supervisor
},
{ranch_ssl, TransOpts, cowboy_tls}.
default_handler(Req0, State) ->
@ -100,6 +107,6 @@ default_handler(Req0, State) ->
400,
#{<<"content-type">> => <<"text/plain">>},
<<"">>,
Req0),
Req0
),
{ok, Req, State}.

61
apps/emqx_authn/test/emqx_authn_https_SUITE.erl
View File

@ -28,12 +28,12 @@
-define(HTTPS_PORT, 33333).
-define(HTTPS_PATH, "/auth").
-define(CREDENTIALS, #{username => <<"plain">>,
-define(CREDENTIALS, #{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}).
}).
all() ->
emqx_common_test_helpers:all(?MODULE).
@ -47,7 +47,8 @@ init_per_suite(Config) ->
end_per_suite(_) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
emqx_common_test_helpers:stop_apps([emqx_authn]),
application:stop(cowboy),
ok.
@ -56,7 +57,8 @@ init_per_testcase(_Case, Config) ->
{ok, _} = emqx_cluster_rpc:start_link(node(), emqx_cluster_rpc, 1000),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
{ok, _} = emqx_authn_http_test_server:start_link(?HTTPS_PORT, ?HTTPS_PATH, server_ssl_opts()),
ok = emqx_authn_http_test_server:set_handler(fun cowboy_handler/2),
Config.
@ -70,46 +72,62 @@ end_per_testcase(_Case, _Config) ->
t_create(_Config) ->
{ok, _} = create_https_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]}),
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]
}
),
?assertMatch(
{ok, _},
emqx_access_control:authenticate(?CREDENTIALS)).
emqx_access_control:authenticate(?CREDENTIALS)
).
t_create_invalid_domain(_Config) ->
{ok, _} = create_https_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server-unknown-host">>,
#{
<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]}),
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]
}
),
?assertEqual(
{error, not_authorized},
emqx_access_control:authenticate(?CREDENTIALS)).
emqx_access_control:authenticate(?CREDENTIALS)
).
t_create_invalid_version(_Config) ->
{ok, _} = create_https_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.1">>]}),
<<"versions">> => [<<"tlsv1.1">>]
}
),
?assertEqual(
{error, not_authorized},
emqx_access_control:authenticate(?CREDENTIALS)).
emqx_access_control:authenticate(?CREDENTIALS)
).
t_create_invalid_ciphers(_Config) ->
{ok, _} = create_https_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-ECDSA-AES256-SHA384">>]}),
<<"ciphers">> => [<<"ECDHE-ECDSA-AES256-SHA384">>]
}
),
?assertEqual(
{error, not_authorized},
emqx_access_control:authenticate(?CREDENTIALS)).
emqx_access_control:authenticate(?CREDENTIALS)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -122,7 +140,8 @@ create_https_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_https_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
#{enable => <<"true">>}),
#{enable => <<"true">>}
),
#{
mechanism => <<"password_based">>,
enable => <<"true">>,
@ -148,11 +167,13 @@ cert_path(FileName) ->
cowboy_handler(Req0, State) ->
Req = cowboy_req:reply(
200,
Req0),
Req0
),
{ok, Req, State}.
server_ssl_opts() ->
[{keyfile, cert_path("server.key")},
[
{keyfile, cert_path("server.key")},
{certfile, cert_path("server.crt")},
{cacertfile, cert_path("ca.crt")},
{verify, verify_none},

159
apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
View File

@ -28,7 +28,6 @@
-define(JWKS_PORT, 33333).
-define(JWKS_PATH, "/jwks.json").
all() ->
emqx_common_test_helpers:all(?MODULE).
@ -51,24 +50,30 @@ end_per_suite(_) ->
t_jwt_authenticator_hmac_based(_) ->
Secret = <<"abcdef">>,
Config = #{mechanism => jwt,
Config = #{
mechanism => jwt,
use_jwks => false,
algorithm => 'hmac-based',
secret => Secret,
secret_base64_encoded => false,
verify_claims => []},
verify_claims => []
},
{ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config),
Payload = #{<<"username">> => <<"myuser">>},
JWS = generate_jws('hmac-based', Payload, Secret),
Credential = #{username => <<"myuser">>,
password => JWS},
Credential = #{
username => <<"myuser">>,
password => JWS
},
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State)),
Payload1 = #{<<"username">> => <<"myuser">>, <<"is_superuser">> => true},
JWS1 = generate_jws('hmac-based', Payload1, Secret),
Credential1 = #{username => <<"myuser">>,
password => JWS1},
Credential1 = #{
username => <<"myuser">>,
password => JWS1
},
?assertEqual({ok, #{is_superuser => true}}, emqx_authn_jwt:authenticate(Credential1, State)),
BadJWS = generate_jws('hmac-based', Payload, <<"bad_secret">>),
@ -76,59 +81,84 @@ t_jwt_authenticator_hmac_based(_) ->
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential2, State)),
%% secret_base64_encoded
Config2 = Config#{secret => base64:encode(Secret),
secret_base64_encoded => true},
Config2 = Config#{
secret => base64:encode(Secret),
secret_base64_encoded => true
},
{ok, State2} = emqx_authn_jwt:update(Config2, State),
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State2)),
%% invalid secret
BadConfig = Config#{secret => <<"emqxsecret">>,
secret_base64_encoded => true},
BadConfig = Config#{
secret => <<"emqxsecret">>,
secret_base64_encoded => true
},
{error, {invalid_parameter, secret}} = emqx_authn_jwt:create(?AUTHN_ID, BadConfig),
Config3 = Config#{verify_claims => [{<<"username">>, <<"${username}">>}]},
{ok, State3} = emqx_authn_jwt:update(Config3, State2),
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State3)),
?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential#{username => <<"otheruser">>}, State3)),
?assertEqual(
{error, bad_username_or_password},
emqx_authn_jwt:authenticate(Credential#{username => <<"otheruser">>}, State3)
),
%% Expiration
Payload3 = #{ <<"username">> => <<"myuser">>
, <<"exp">> => erlang:system_time(second) - 60},
Payload3 = #{
<<"username">> => <<"myuser">>,
<<"exp">> => erlang:system_time(second) - 60
},
JWS3 = generate_jws('hmac-based', Payload3, Secret),
Credential3 = Credential#{password => JWS3},
?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential3, State3)),
?assertEqual(
{error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential3, State3)
),
Payload4 = #{ <<"username">> => <<"myuser">>
, <<"exp">> => erlang:system_time(second) + 60},
Payload4 = #{
<<"username">> => <<"myuser">>,
<<"exp">> => erlang:system_time(second) + 60
},
JWS4 = generate_jws('hmac-based', Payload4, Secret),
Credential4 = Credential#{password => JWS4},
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential4, State3)),
%% Issued At
Payload5 = #{ <<"username">> => <<"myuser">>
, <<"iat">> => erlang:system_time(second) - 60},
Payload5 = #{
<<"username">> => <<"myuser">>,
<<"iat">> => erlang:system_time(second) - 60
},
JWS5 = generate_jws('hmac-based', Payload5, Secret),
Credential5 = Credential#{password => JWS5},
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential5, State3)),
Payload6 = #{ <<"username">> => <<"myuser">>
, <<"iat">> => erlang:system_time(second) + 60},
Payload6 = #{
<<"username">> => <<"myuser">>,
<<"iat">> => erlang:system_time(second) + 60
},
JWS6 = generate_jws('hmac-based', Payload6, Secret),
Credential6 = Credential#{password => JWS6},
?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential6, State3)),
?assertEqual(
{error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential6, State3)
),
%% Not Before
Payload7 = #{ <<"username">> => <<"myuser">>
, <<"nbf">> => erlang:system_time(second) - 60},
Payload7 = #{
<<"username">> => <<"myuser">>,
<<"nbf">> => erlang:system_time(second) - 60
},
JWS7 = generate_jws('hmac-based', Payload7, Secret),
Credential7 = Credential6#{password => JWS7},
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential7, State3)),
Payload8 = #{ <<"username">> => <<"myuser">>
, <<"nbf">> => erlang:system_time(second) + 60},
Payload8 = #{
<<"username">> => <<"myuser">>,
<<"nbf">> => erlang:system_time(second) + 60
},
JWS8 = generate_jws('hmac-based', Payload8, Secret),
Credential8 = Credential#{password => JWS8},
?assertEqual({error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential8, State3)),
?assertEqual(
{error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential8, State3)
),
?assertEqual(ok, emqx_authn_jwt:destroy(State3)),
ok.
@ -136,19 +166,25 @@ t_jwt_authenticator_hmac_based(_) ->
t_jwt_authenticator_public_key(_) ->
PublicKey = test_rsa_key(public),
PrivateKey = test_rsa_key(private),
Config = #{mechanism => jwt,
Config = #{
mechanism => jwt,
use_jwks => false,
algorithm => 'public-key',
certificate => PublicKey,
verify_claims => []},
verify_claims => []
},
{ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config),
Payload = #{<<"username">> => <<"myuser">>},
JWS = generate_jws('public-key', Payload, PrivateKey),
Credential = #{username => <<"myuser">>,
password => JWS},
Credential = #{
username => <<"myuser">>,
password => JWS
},
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State)),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State)),
?assertEqual(
ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State)
),
?assertEqual(ok, emqx_authn_jwt:destroy(State)),
ok.
@ -160,10 +196,13 @@ t_jwks_renewal(_Config) ->
PrivateKey = test_rsa_key(private),
Payload = #{<<"username">> => <<"myuser">>},
JWS = generate_jws('public-key', Payload, PrivateKey),
Credential = #{username => <<"myuser">>,
password => JWS},
Credential = #{
username => <<"myuser">>,
password => JWS
},
BadConfig0 = #{mechanism => jwt,
BadConfig0 = #{
mechanism => jwt,
algorithm => 'public-key',
ssl => #{enable => false},
verify_claims => [],
@ -178,31 +217,39 @@ t_jwks_renewal(_Config) ->
{{ok, State0}, _} = ?wait_async_action(
emqx_authn_jwt:create(?AUTHN_ID, BadConfig0),
#{?snk_kind := jwks_endpoint_response},
10000),
10000
),
ok = snabbkaffe:stop(),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential, State0)),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State0)),
?assertEqual(
ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State0)
),
ClientSSLOpts = client_ssl_opts(),
BadClientSSLOpts = ClientSSLOpts#{server_name_indication => "authn-server-unknown-host"},
BadConfig1 = BadConfig0#{endpoint =>
BadConfig1 = BadConfig0#{
endpoint =>
"https://127.0.0.1:" ++ integer_to_list(?JWKS_PORT) ++ ?JWKS_PATH,
ssl => BadClientSSLOpts},
ssl => BadClientSSLOpts
},
ok = snabbkaffe:start_trace(),
{{ok, State1}, _} = ?wait_async_action(
emqx_authn_jwt:create(?AUTHN_ID, BadConfig1),
#{?snk_kind := jwks_endpoint_response},
10000),
10000
),
ok = snabbkaffe:stop(),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential, State1)),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State0)),
?assertEqual(
ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State0)
),
GoodConfig = BadConfig1#{ssl => ClientSSLOpts},
@ -211,12 +258,15 @@ t_jwks_renewal(_Config) ->
{{ok, State2}, _} = ?wait_async_action(
emqx_authn_jwt:update(GoodConfig, State1),
#{?snk_kind := jwks_endpoint_response},
10000),
10000
),
ok = snabbkaffe:stop(),
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State2)),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State2)),
?assertEqual(
ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State2)
),
?assertEqual(ok, emqx_authn_jwt:destroy(State2)),
ok = emqx_authn_http_test_server:stop().
@ -232,12 +282,12 @@ jwks_handler(Req0, State) ->
200,
#{<<"content-type">> => <<"application/json">>},
jiffy:encode(JWKS),
Req0),
Req0
),
{ok, Req, State}.
test_rsa_key(public) ->
data_file("public_key.pem");
test_rsa_key(private) ->
data_file("private_key.pem").
@ -250,16 +300,18 @@ cert_file(Name) ->
generate_jws('hmac-based', Payload, Secret) ->
JWK = jose_jwk:from_oct(Secret),
Header = #{ <<"alg">> => <<"HS256">>
, <<"typ">> => <<"JWT">>
Header = #{
<<"alg">> => <<"HS256">>,
<<"typ">> => <<"JWT">>
},
Signed = jose_jwt:sign(JWK, Header, Payload),
{_, JWS} = jose_jws:compact(Signed),
JWS;
generate_jws('public-key', Payload, PrivateKey) ->
JWK = jose_jwk:from_pem_file(PrivateKey),
Header = #{ <<"alg">> => <<"RS256">>
, <<"typ">> => <<"JWT">>
Header = #{
<<"alg">> => <<"RS256">>,
<<"typ">> => <<"JWT">>
},
Signed = jose_jwt:sign(JWK, Header, Payload),
{_, JWS} = jose_jws:compact(Signed),
@ -268,13 +320,16 @@ generate_jws('public-key', Payload, PrivateKey) ->
client_ssl_opts() ->
maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
#{enable => true,
#{
enable => true,
verify => verify_peer,
server_name_indication => "authn-server"
}).
}
).
server_ssl_opts() ->
[{keyfile, cert_file("server.key")},
[
{keyfile, cert_file("server.key")},
{certfile, cert_file("server.crt")},
{cacertfile, cert_file("ca.crt")},
{verify, verify_none}

108
apps/emqx_authn/test/emqx_authn_mnesia_SUITE.erl
View File

@ -76,7 +76,8 @@ t_check_schema(_Config) ->
?assertException(
throw,
{emqx_authn_mnesia, _},
hocon_tconf:check_plain(emqx_authn_mnesia, ?CONF(ConfigNotOk))).
hocon_tconf:check_plain(emqx_authn_mnesia, ?CONF(ConfigNotOk))
).
t_create(_) ->
Config0 = config(),
@ -110,7 +111,7 @@ t_destroy(_) ->
ok = emqx_authn_mnesia:destroy(State0),
{ok, State1} = emqx_authn_mnesia:create(?AUTHN_ID, Config),
{error,not_found} = emqx_authn_mnesia:lookup_user(<<"u">>, State1),
{error, not_found} = emqx_authn_mnesia:lookup_user(<<"u">>, State1),
{ok, _} = emqx_authn_mnesia:lookup_user(<<"u">>, StateOther).
t_authenticate(_) ->
@ -122,13 +123,16 @@ t_authenticate(_) ->
{ok, _} = emqx_authn_mnesia:authenticate(
#{username => <<"u">>, password => <<"p">>},
State),
State
),
{error, bad_username_or_password} = emqx_authn_mnesia:authenticate(
#{username => <<"u">>, password => <<"badpass">>},
State),
State
),
ignore = emqx_authn_mnesia:authenticate(
#{clientid => <<"u">>, password => <<"p">>},
State).
State
).
t_add_user(_) ->
Config = config(),
@ -157,16 +161,19 @@ t_update_user(_) ->
{ok, _} = emqx_authn_mnesia:add_user(User, State),
{error, not_found} = emqx_authn_mnesia:update_user(<<"u1">>, #{password => <<"p1">>}, State),
{ok,
#{user_id := <<"u">>,
is_superuser := true}} = emqx_authn_mnesia:update_user(
{ok, #{
user_id := <<"u">>,
is_superuser := true
}} = emqx_authn_mnesia:update_user(
<<"u">>,
#{password => <<"p1">>, is_superuser => true},
State),
State
),
{ok, _} = emqx_authn_mnesia:authenticate(
#{username => <<"u">>, password => <<"p1">>},
State),
State
),
{ok, #{is_superuser := true}} = emqx_authn_mnesia:lookup_user(<<"u">>, State).
@ -174,31 +181,47 @@ t_list_users(_) ->
Config = config(),
{ok, State} = emqx_authn_mnesia:create(?AUTHN_ID, Config),
Users = [#{user_id => <<"u1">>, password => <<"p">>},
Users = [
#{user_id => <<"u1">>, password => <<"p">>},
#{user_id => <<"u2">>, password => <<"p">>},
#{user_id => <<"u3">>, password => <<"p">>}],
#{user_id => <<"u3">>, password => <<"p">>}
],
lists:foreach(
fun(U) -> {ok, _} = emqx_authn_mnesia:add_user(U, State) end,
Users),
Users
),
#{data := [#{is_superuser := false,user_id := _},
#{is_superuser := false,user_id := _}],
meta := #{page := 1, limit := 2, count := 3}} = emqx_authn_mnesia:list_users(
#{
data := [
#{is_superuser := false, user_id := _},
#{is_superuser := false, user_id := _}
],
meta := #{page := 1, limit := 2, count := 3}
} = emqx_authn_mnesia:list_users(
#{<<"page">> => 1, <<"limit">> => 2},
State),
State
),
#{data := [#{is_superuser := false,user_id := _}],
meta := #{page := 2, limit := 2, count := 3}} = emqx_authn_mnesia:list_users(
#{
data := [#{is_superuser := false, user_id := _}],
meta := #{page := 2, limit := 2, count := 3}
} = emqx_authn_mnesia:list_users(
#{<<"page">> => 2, <<"limit">> => 2},
State),
State
),
#{data := [#{is_superuser := false,user_id := <<"u3">>}],
meta := #{page := 1, limit := 20, count := 1}} = emqx_authn_mnesia:list_users(
#{ <<"page">> => 1
, <<"limit">> => 20
, <<"like_username">> => <<"3">>},
State).
#{
data := [#{is_superuser := false, user_id := <<"u3">>}],
meta := #{page := 1, limit := 20, count := 1}
} = emqx_authn_mnesia:list_users(
#{
<<"page">> => 1,
<<"limit">> => 20,
<<"like_username">> => <<"3">>
},
State
).
t_import_users(_) ->
Config0 = config(),
@ -207,35 +230,43 @@ t_import_users(_) ->
ok = emqx_authn_mnesia:import_users(
data_filename(<<"user-credentials.json">>),
State),
State
),
ok = emqx_authn_mnesia:import_users(
data_filename(<<"user-credentials.csv">>),
State),
State
),
{error, {unsupported_file_format, _}} = emqx_authn_mnesia:import_users(
<<"/file/with/unknown.extension">>,
State),
State
),
{error, unknown_file_format} = emqx_authn_mnesia:import_users(
<<"/file/with/no/extension">>,
State),
State
),
{error, enoent} = emqx_authn_mnesia:import_users(
<<"/file/that/not/exist.json">>,
State),
State
),
{error, bad_format} = emqx_authn_mnesia:import_users(
data_filename(<<"user-credentials-malformed-0.json">>),
State),
State
),
{error, {_, invalid_json}} = emqx_authn_mnesia:import_users(
data_filename(<<"user-credentials-malformed-1.json">>),
State),
State
),
{error, bad_format} = emqx_authn_mnesia:import_users(
data_filename(<<"user-credentials-malformed.csv">>),
State).
State
).
%%------------------------------------------------------------------------------
%% Helpers
@ -246,7 +277,10 @@ data_filename(Name) ->
filename:join([Dir, <<"data">>, Name]).
config() ->
#{user_id_type => username,
password_hash_algorithm => #{name => bcrypt,
salt_rounds => 8}
#{
user_id_type => username,
password_hash_algorithm => #{
name => bcrypt,
salt_rounds => 8
}
}.

142
apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl
View File

@ -24,7 +24,6 @@
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-define(MONGO_HOST, "mongo").
-define(MONGO_CLIENT, 'emqx_authn_mongo_SUITE_client').
@ -38,7 +37,8 @@ init_per_testcase(_TestCase, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
{ok, _} = mc_worker_api:connect(mongo_config()),
Config.
@ -59,7 +59,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -72,7 +73,8 @@ t_create(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_mongodb}]} = emqx_authentication:list_authenticators(?GLOBAL).
@ -90,11 +92,13 @@ t_create_invalid(_Config) ->
fun(Config) ->
{error, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
{ok, []} = emqx_authentication:list_authenticators(?GLOBAL)
end,
InvalidConfigs).
InvalidConfigs
).
t_authenticate(_Config) ->
ok = init_seeds(),
@ -103,17 +107,21 @@ t_authenticate(_Config) ->
ct:pal("test_user_auth sample: ~p", [Sample]),
test_user_auth(Sample)
end,
user_seeds()),
user_seeds()
),
ok = drop_seeds().
test_user_auth(#{credentials := Credentials0,
test_user_auth(#{
credentials := Credentials0,
config_params := SpecificConfigParams,
result := Result}) ->
result := Result
}) ->
AuthConfig = maps:merge(raw_mongo_auth_config(), SpecificConfigParams),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
Credentials = Credentials0#{
listener => 'tcp:default',
@ -123,7 +131,8 @@ test_user_auth(#{credentials := Credentials0,
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL).
?GLOBAL
).
t_destroy(_Config) ->
ok = init_seeds(),
@ -131,29 +140,36 @@ t_destroy(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_mongodb, state := State}]}
= emqx_authentication:list_authenticators(?GLOBAL),
{ok, [#{provider := emqx_authn_mongodb, state := State}]} =
emqx_authentication:list_authenticators(?GLOBAL),
{ok, _} = emqx_authn_mongodb:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State),
State
),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
% Authenticator should not be usable anymore
?assertMatch(
ignore,
emqx_authn_mongodb:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State)),
State
)
),
ok = drop_seeds().
@ -165,33 +181,40 @@ t_update(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, IncorrectConfig}),
{create_authenticator, ?GLOBAL, IncorrectConfig}
),
{error, not_authorized} = emqx_access_control:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}),
}
),
% We update with config with correct selector, provider should update and work properly
{ok, _} = emqx:update_config(
?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:mongodb">>, CorrectConfig}),
{update_authenticator, ?GLOBAL, <<"password_based:mongodb">>, CorrectConfig}
),
{ok,_} = emqx_access_control:authenticate(
#{username => <<"plain">>,
{ok, _} = emqx_access_control:authenticate(
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}),
}
),
ok = drop_seeds().
t_is_superuser(_Config) ->
Config = raw_mongo_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
Checks = [
{<<"0">>, false},
@ -230,7 +253,8 @@ test_is_superuser({Value, ExpectedValue}) ->
?assertEqual(
{ok, #{is_superuser => ExpectedValue}},
emqx_access_control:authenticate(Credentials)).
emqx_access_control:authenticate(Credentials)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -239,8 +263,10 @@ test_is_superuser({Value, ExpectedValue}) ->
raw_mongo_auth_config() ->
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"mongodb">>,
@ -257,7 +283,9 @@ raw_mongo_auth_config() ->
}.
user_seeds() ->
[#{data => #{
[
#{
data => #{
username => <<"plain">>,
password_hash => <<"plainsalt">>,
salt => <<"salt">>,
@ -267,12 +295,12 @@ user_seeds() ->
username => <<"plain">>,
password => <<"plain">>
},
config_params => #{
},
result => {ok,#{is_superuser => true}}
config_params => #{},
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
username => <<"md5">>,
password_hash => <<"9b4d0c43d206d48279e69b9ad7132e22">>,
salt => <<"salt">>,
@ -283,15 +311,19 @@ user_seeds() ->
password => <<"md5">>
},
config_params => #{
password_hash_algorithm => #{name => <<"md5">>,
salt_position => <<"suffix">> }
password_hash_algorithm => #{
name => <<"md5">>,
salt_position => <<"suffix">>
}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
username => <<"sha256">>,
password_hash => <<"ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf">>,
password_hash =>
<<"ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf">>,
salt => <<"salt">>,
is_superuser => 1
},
@ -301,13 +333,16 @@ user_seeds() ->
},
config_params => #{
selector => #{<<"username">> => <<"${clientid}">>},
password_hash_algorithm => #{name => <<"sha256">>,
salt_position => <<"prefix">>}
password_hash_algorithm => #{
name => <<"sha256">>,
salt_position => <<"prefix">>
}
},
result => {ok,#{is_superuser => true}}
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
username => <<"bcrypt">>,
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
@ -321,10 +356,11 @@ user_seeds() ->
config_params => #{
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
username => <<"bcrypt0">>,
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
@ -340,10 +376,11 @@ user_seeds() ->
selector => #{<<"username">> => <<"${clientid}">>},
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
username => <<"bcrypt1">>,
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
@ -358,10 +395,11 @@ user_seeds() ->
selector => #{<<"userid">> => <<"${clientid}">>},
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
username => <<"bcrypt2">>,
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
@ -376,7 +414,7 @@ user_seeds() ->
config_params => #{
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,bad_username_or_password}
result => {error, bad_username_or_password}
}
].
@ -390,7 +428,7 @@ drop_seeds() ->
ok.
mongo_server() ->
iolist_to_binary(io_lib:format("~s",[?MONGO_HOST])).
iolist_to_binary(io_lib:format("~s", [?MONGO_HOST])).
mongo_config() ->
[

77
apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl
View File

@ -25,7 +25,6 @@
-include_lib("common_test/include/ct.hrl").
-include_lib("snabbkaffe/include/snabbkaffe.hrl").
-define(MONGO_HOST, "mongo-tls").
-define(PATH, [authentication]).
@ -38,7 +37,8 @@ init_per_testcase(_TestCase, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
init_per_suite(Config) ->
@ -55,7 +55,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -73,32 +74,42 @@ end_per_suite(_Config) ->
t_create(_Config) ->
?check_trace(
create_mongo_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]}),
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]
}
),
fun({ok, _}, Trace) ->
?assertMatch(
[ok | _],
?projection(
status,
?of_kind(emqx_connector_mongo_health_check, Trace)))
end).
?of_kind(emqx_connector_mongo_health_check, Trace)
)
)
end
).
t_create_invalid_server_name(_Config) ->
?check_trace(
create_mongo_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>}),
#{
<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>
}
),
fun(_, Trace) ->
?assertNotEqual(
[ok],
?projection(
status,
?of_kind(emqx_connector_mongo_health_check, Trace)))
end).
?of_kind(emqx_connector_mongo_health_check, Trace)
)
)
end
).
%% docker-compose-mongo-single-tls.yaml:
%% --tlsDisabledProtocols TLS1_0,TLS1_1
@ -106,17 +117,22 @@ t_create_invalid_server_name(_Config) ->
t_create_invalid_version(_Config) ->
?check_trace(
create_mongo_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.1">>]}),
<<"versions">> => [<<"tlsv1.1">>]
}
),
fun(_, Trace) ->
?assertNotEqual(
[ok],
?projection(
status,
?of_kind(emqx_connector_mongo_health_check, Trace)))
end).
?of_kind(emqx_connector_mongo_health_check, Trace)
)
)
end
).
%% docker-compose-mongo-single-tls.yaml:
%% --setParameter opensslCipherConfig='HIGH:!EXPORT:!aNULL:!DHE:!kDHE@STRENGTH'
@ -124,17 +140,23 @@ t_create_invalid_version(_Config) ->
t_invalid_ciphers(_Config) ->
?check_trace(
create_mongo_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"DHE-RSA-AES256-GCM-SHA384">>]}),
<<"ciphers">> => [<<"DHE-RSA-AES256-GCM-SHA384">>]
}
),
fun(_, Trace) ->
?assertNotEqual(
[ok],
?projection(
status,
?of_kind(emqx_connector_mongo_health_check, Trace)))
end).
?of_kind(emqx_connector_mongo_health_check, Trace)
)
)
end
).
%%------------------------------------------------------------------------------
%% Helpers
@ -149,11 +171,14 @@ create_mongo_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_mongo_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
#{enable => <<"true">>}),
#{enable => <<"true">>}
),
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"mongodb">>,
@ -176,7 +201,7 @@ raw_mongo_auth_config(SpecificSSLOpts) ->
}.
mongo_server() ->
iolist_to_binary(io_lib:format("~s",[?MONGO_HOST])).
iolist_to_binary(io_lib:format("~s", [?MONGO_HOST])).
start_apps(Apps) ->
lists:foreach(fun application:ensure_all_started/1, Apps).

44
apps/emqx_authn/test/emqx_authn_mqtt_test_client.erl
View File

@ -21,28 +21,36 @@
-include_lib("emqx/include/emqx_mqtt.hrl").
%% API
-export([start_link/2,
stop/1]).
-export([
start_link/2,
stop/1
]).
-export([send/2]).
%% gen_server callbacks
-export([init/1,
-export([
init/1,
handle_call/3,
handle_cast/2,
handle_info/2,
terminate/2]).
terminate/2
]).
-define(TIMEOUT, 1000).
-define(TCP_OPTIONS, [binary, {packet, raw}, {active, once},
{nodelay, true}]).
-define(TCP_OPTIONS, [
binary,
{packet, raw},
{active, once},
{nodelay, true}
]).
-define(PARSE_OPTIONS,
#{strict_mode => false,
-define(PARSE_OPTIONS, #{
strict_mode => false,
max_size => ?MAX_PACKET_SIZE,
version => ?MQTT_PROTO_V5
}).
}).
%%--------------------------------------------------------------------
%% API
@ -63,26 +71,30 @@ send(Pid, Packet) ->
init([Host, Port, Owner]) ->
{ok, Socket} = gen_tcp:connect(Host, Port, ?TCP_OPTIONS, ?TIMEOUT),
{ok, #{owner => Owner,
{ok, #{
owner => Owner,
socket => Socket,
parse_state => emqx_frame:initial_parse_state(?PARSE_OPTIONS)
}}.
handle_info({tcp, _Sock, Data}, #{parse_state := PSt,
handle_info(
{tcp, _Sock, Data},
#{
parse_state := PSt,
owner := Owner,
socket := Socket} = St) ->
socket := Socket
} = St
) ->
{NewPSt, Packets} = process_incoming(PSt, Data, []),
ok = deliver(Owner, Packets),
ok = run_sock(Socket),
{noreply, St#{parse_state => NewPSt}};
handle_info({tcp_closed, _Sock}, St) ->
{stop, normal, St}.
handle_call({send, Packet}, _From, #{socket := Socket} = St) ->
ok = gen_tcp:send(Socket, emqx_frame:serialize(Packet, ?MQTT_PROTO_V5)),
{reply, ok, St};
handle_call(stop, _From, #{socket := Socket} = St) ->
ok = gen_tcp:close(Socket),
{stop, normal, ok, St}.
@ -105,11 +117,11 @@ process_incoming(PSt, Data, Packets) ->
process_incoming(NewPSt, Rest, [Packet | Packets])
end.
deliver(_Owner, []) -> ok;
deliver(_Owner, []) ->
ok;
deliver(Owner, [Packet | Packets]) ->
Owner ! {packet, Packet},
deliver(Owner, Packets).
run_sock(Socket) ->
inet:setopts(Socket, [{active, once}]).

219
apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl
View File

@ -41,7 +41,8 @@ init_per_testcase(_, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
init_per_group(require_seeds, Config) ->
@ -63,7 +64,8 @@ init_per_suite(Config) ->
?RESOURCE_GROUP,
emqx_connector_mysql,
mysql_config(),
#{}),
#{}
),
Config;
false ->
{skip, no_mysql}
@ -72,7 +74,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = emqx_resource:remove_local(?MYSQL_RESOURCE),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -86,7 +89,8 @@ t_create(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_mysql}]} = emqx_authentication:list_authenticators(?GLOBAL),
emqx_authn_test_lib:delete_config(?ResourceID).
@ -106,11 +110,13 @@ t_create_invalid(_Config) ->
fun(Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
emqx_authn_test_lib:delete_config(?ResourceID),
{ok, _} = emqx_authentication:list_authenticators(?GLOBAL)
end,
InvalidConfigs).
InvalidConfigs
).
t_authenticate(_Config) ->
ok = lists:foreach(
@ -118,16 +124,20 @@ t_authenticate(_Config) ->
ct:pal("test_user_auth sample: ~p", [Sample]),
test_user_auth(Sample)
end,
user_seeds()).
user_seeds()
).
test_user_auth(#{credentials := Credentials0,
test_user_auth(#{
credentials := Credentials0,
config_params := SpecificConfigParams,
result := Result}) ->
result := Result
}) ->
AuthConfig = maps:merge(raw_mysql_auth_config(), SpecificConfigParams),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
Credentials = Credentials0#{
listener => 'tcp:default',
@ -138,66 +148,84 @@ test_user_auth(#{credentials := Credentials0,
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL).
?GLOBAL
).
t_destroy(_Config) ->
AuthConfig = raw_mysql_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_mysql, state := State}]}
= emqx_authentication:list_authenticators(?GLOBAL),
{ok, [#{provider := emqx_authn_mysql, state := State}]} =
emqx_authentication:list_authenticators(?GLOBAL),
{ok, _} = emqx_authn_mysql:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State),
State
),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
% Authenticator should not be usable anymore
?assertMatch(
ignore,
emqx_authn_mysql:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State)).
State
)
).
t_update(_Config) ->
CorrectConfig = raw_mysql_auth_config(),
IncorrectConfig =
CorrectConfig#{
query => <<"SELECT password_hash, salt, is_superuser_str as is_superuser
FROM wrong_table where username = ${username} LIMIT 1">>},
query =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM wrong_table where username = ${username} LIMIT 1"
>>
},
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, IncorrectConfig}),
{create_authenticator, ?GLOBAL, IncorrectConfig}
),
{error, not_authorized} = emqx_access_control:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}),
}
),
% We update with config with correct query, provider should update and work properly
{ok, _} = emqx:update_config(
?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:mysql">>, CorrectConfig}),
{update_authenticator, ?GLOBAL, <<"password_based:mysql">>, CorrectConfig}
),
{ok,_} = emqx_access_control:authenticate(
#{username => <<"plain">>,
{ok, _} = emqx_access_control:authenticate(
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}).
}
).
%%------------------------------------------------------------------------------
%% Helpers
@ -206,8 +234,10 @@ t_update(_Config) ->
raw_mysql_auth_config() ->
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"mysql">>,
@ -215,13 +245,18 @@ raw_mysql_auth_config() ->
username => <<"root">>,
password => <<"public">>,
query => <<"SELECT password_hash, salt, is_superuser_str as is_superuser
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
server => mysql_server()
}.
user_seeds() ->
[#{data => #{
[
#{
data => #{
username => "plain",
password_hash => "plainsalt",
salt => "salt",
@ -229,12 +264,14 @@ user_seeds() ->
},
credentials => #{
username => <<"plain">>,
password => <<"plain">>},
password => <<"plain">>
},
config_params => #{},
result => {ok,#{is_superuser => true}}
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
username => "md5",
password_hash => "9b4d0c43d206d48279e69b9ad7132e22",
salt => "salt",
@ -245,13 +282,16 @@ user_seeds() ->
password => <<"md5">>
},
config_params => #{
password_hash_algorithm => #{name => <<"md5">>,
salt_position => <<"suffix">>}
password_hash_algorithm => #{
name => <<"md5">>,
salt_position => <<"suffix">>
}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
username => "sha256",
password_hash => "ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf",
salt => "salt",
@ -262,15 +302,21 @@ user_seeds() ->
password => <<"sha256">>
},
config_params => #{
query => <<"SELECT password_hash, salt, is_superuser_int as is_superuser
FROM users where username = ${clientid} LIMIT 1">>,
password_hash_algorithm => #{name => <<"sha256">>,
salt_position => <<"prefix">>}
query =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
password_hash_algorithm => #{
name => <<"sha256">>,
salt_position => <<"prefix">>
}
},
result => {ok,#{is_superuser => true}}
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
username => <<"bcrypt">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -281,14 +327,18 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
query => <<"SELECT password_hash, salt, is_superuser_int as is_superuser
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
username => <<"bcrypt">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve"
@ -298,14 +348,18 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
query => <<"SELECT password_hash, salt, is_superuser_int as is_superuser
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
username => <<"bcrypt0">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -317,14 +371,18 @@ user_seeds() ->
},
config_params => #{
% clientid variable & username credentials
query => <<"SELECT password_hash, salt, is_superuser_int as is_superuser
FROM users where username = ${clientid} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
username => <<"bcrypt1">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -336,14 +394,18 @@ user_seeds() ->
},
config_params => #{
% Bad keys in query
query => <<"SELECT 1 AS unknown_field
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT 1 AS unknown_field\n"
" FROM users where username = ${username} LIMIT 1"
>>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
username => <<"bcrypt2">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -357,21 +419,24 @@ user_seeds() ->
config_params => #{
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,bad_username_or_password}
result => {error, bad_username_or_password}
}
].
init_seeds() ->
ok = drop_seeds(),
ok = q("CREATE TABLE users(
username VARCHAR(255),
password_hash VARCHAR(255),
salt VARCHAR(255),
is_superuser_str VARCHAR(255),
is_superuser_int TINYINT)"),
ok = q(
"CREATE TABLE users(\n"
" username VARCHAR(255),\n"
" password_hash VARCHAR(255),\n"
" salt VARCHAR(255),\n"
" is_superuser_str VARCHAR(255),\n"
" is_superuser_int TINYINT)"
),
Fields = [username, password_hash, salt, is_superuser_str, is_superuser_int],
InsertQuery = "INSERT INTO users(username, password_hash, salt, "
InsertQuery =
"INSERT INTO users(username, password_hash, salt, "
" is_superuser_str, is_superuser_int) VALUES(?, ?, ?, ?, ?)",
lists:foreach(
@ -379,26 +444,30 @@ init_seeds() ->
Params = [maps:get(F, Values, null) || F <- Fields],
ok = q(InsertQuery, Params)
end,
user_seeds()).
user_seeds()
).
q(Sql) ->
emqx_resource:query(
?MYSQL_RESOURCE,
{sql, Sql}).
{sql, Sql}
).
q(Sql, Params) ->
emqx_resource:query(
?MYSQL_RESOURCE,
{sql, Sql, Params}).
{sql, Sql, Params}
).
drop_seeds() ->
ok = q("DROP TABLE IF EXISTS users").
mysql_server() ->
iolist_to_binary(io_lib:format("~s",[?MYSQL_HOST])).
iolist_to_binary(io_lib:format("~s", [?MYSQL_HOST])).
mysql_config() ->
#{auto_reconnect => true,
#{
auto_reconnect => true,
database => <<"mqtt">>,
username => <<"root">>,
password => <<"public">>,

57
apps/emqx_authn/test/emqx_authn_mysql_tls_SUITE.erl
View File

@ -40,7 +40,8 @@ init_per_testcase(_, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
init_per_suite(Config) ->
@ -57,7 +58,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -72,36 +74,51 @@ t_create(_Config) ->
?assertMatch(
{ok, _},
create_mysql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]})).
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]
}
)
).
t_create_invalid(_Config) ->
%% invalid server_name
?assertMatch(
{ok, _},
create_mysql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>})),
#{
<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>
}
)
),
emqx_authn_test_lib:delete_config(?ResourceID),
%% incompatible versions
?assertMatch(
{ok, _},
create_mysql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.1">>]})),
<<"versions">> => [<<"tlsv1.1">>]
}
)
),
emqx_authn_test_lib:delete_config(?ResourceID),
%% incompatible ciphers
?assertMatch(
{ok, _},
create_mysql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-ECDSA-AES128-GCM-SHA256">>]})).
<<"ciphers">> => [<<"ECDHE-ECDSA-AES128-GCM-SHA256">>]
}
)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -114,11 +131,14 @@ create_mysql_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_mysql_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
#{enable => <<"true">>}),
#{enable => <<"true">>}
),
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"mysql">>,
@ -126,14 +146,17 @@ raw_mysql_auth_config(SpecificSSLOpts) ->
username => <<"root">>,
password => <<"public">>,
query => <<"SELECT password_hash, salt, is_superuser_str as is_superuser
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
server => mysql_server(),
ssl => maps:merge(SSLOpts, SpecificSSLOpts)
}.
mysql_server() ->
iolist_to_binary(io_lib:format("~s",[?MYSQL_HOST])).
iolist_to_binary(io_lib:format("~s", [?MYSQL_HOST])).
start_apps(Apps) ->
lists:foreach(fun application:ensure_all_started/1, Apps).

98
apps/emqx_authn/test/emqx_authn_password_hashing_SUITE.erl
View File

@ -38,8 +38,9 @@ end_per_suite(_Config) ->
ok.
t_gen_salt(_Config) ->
Algorithms = [#{name => Type, salt_position => suffix} || Type <- ?SIMPLE_HASHES]
++ [#{name => bcrypt, salt_rounds => 10}],
Algorithms =
[#{name => Type, salt_position => suffix} || Type <- ?SIMPLE_HASHES] ++
[#{name => bcrypt, salt_rounds => 10}],
lists:foreach(
fun(Algorithm) ->
@ -47,29 +48,35 @@ t_gen_salt(_Config) ->
ct:pal("gen_salt(~p): ~p", [Algorithm, Salt]),
?assert(is_binary(Salt))
end,
Algorithms).
Algorithms
).
t_init(_Config) ->
Algorithms = [#{name => Type, salt_position => suffix} || Type <- ?SIMPLE_HASHES]
++ [#{name => bcrypt, salt_rounds => 10}],
Algorithms =
[#{name => Type, salt_position => suffix} || Type <- ?SIMPLE_HASHES] ++
[#{name => bcrypt, salt_rounds => 10}],
lists:foreach(
fun(Algorithm) ->
ok = emqx_authn_password_hashing:init(Algorithm)
end,
Algorithms).
Algorithms
).
t_check_password(_Config) ->
lists:foreach(
fun test_check_password/1,
hash_examples()).
hash_examples()
).
test_check_password(#{
test_check_password(
#{
password_hash := Hash,
salt := Salt,
password := Password,
password_hash_algorithm := Algorithm
} = Sample) ->
} = Sample
) ->
ct:pal("t_check_password sample: ~p", [Sample]),
true = emqx_authn_password_hashing:check_password(Algorithm, Salt, Hash, Password),
false = emqx_authn_password_hashing:check_password(Algorithm, Salt, Hash, <<"wrongpass">>).
@ -77,79 +84,104 @@ test_check_password(#{
t_hash(_Config) ->
lists:foreach(
fun test_hash/1,
hash_examples()).
hash_examples()
).
test_hash(#{password := Password,
test_hash(
#{
password := Password,
password_hash_algorithm := Algorithm
} = Sample) ->
} = Sample
) ->
ct:pal("t_hash sample: ~p", [Sample]),
{Hash, Salt} = emqx_authn_password_hashing:hash(Algorithm, Password),
true = emqx_authn_password_hashing:check_password(Algorithm, Salt, Hash, Password).
hash_examples() ->
[#{
[
#{
password_hash => <<"plainsalt">>,
salt => <<"salt">>,
password => <<"plain">>,
password_hash_algorithm => #{name => plain,
salt_position => suffix}
password_hash_algorithm => #{
name => plain,
salt_position => suffix
}
},
#{
password_hash => <<"9b4d0c43d206d48279e69b9ad7132e22">>,
salt => <<"salt">>,
password => <<"md5">>,
password_hash_algorithm => #{name => md5,
salt_position => suffix}
password_hash_algorithm => #{
name => md5,
salt_position => suffix
}
},
#{
password_hash => <<"c665d4c0a9e5498806b7d9fd0b417d272853660e">>,
salt => <<"salt">>,
password => <<"sha">>,
password_hash_algorithm => #{name => sha,
salt_position => prefix}
password_hash_algorithm => #{
name => sha,
salt_position => prefix
}
},
#{
password_hash => <<"ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf">>,
salt => <<"salt">>,
password => <<"sha256">>,
password_hash_algorithm => #{name => sha256,
salt_position => prefix}
password_hash_algorithm => #{
name => sha256,
salt_position => prefix
}
},
#{
password_hash => <<"a1509ab67bfacbad020927b5ac9d91e9100a82e33a0ebb01459367ce921c0aa8"
"157aa5652f94bc84fa3babc08283e44887d61c48bcf8ad7bcb3259ee7d0eafcd">>,
password_hash => <<
"a1509ab67bfacbad020927b5ac9d91e9100a82e33a0ebb01459367ce921c0aa8"
"157aa5652f94bc84fa3babc08283e44887d61c48bcf8ad7bcb3259ee7d0eafcd"
>>,
salt => <<"salt">>,
password => <<"sha512">>,
password_hash_algorithm => #{name => sha512,
salt_position => prefix}
password_hash_algorithm => #{
name => sha512,
salt_position => prefix
}
},
#{
password_hash => <<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
salt => <<"$2b$12$wtY3h20mUjjmeaClpqZVve">>,
password => <<"bcrypt">>,
password_hash_algorithm => #{name => bcrypt,
salt_rounds => 10}
password_hash_algorithm => #{
name => bcrypt,
salt_rounds => 10
}
},
#{
password_hash => <<"01dbee7f4a9e243e988b62c73cda935d"
"a05378b93244ec8f48a99e61ad799d86">>,
password_hash => <<
"01dbee7f4a9e243e988b62c73cda935d"
"a05378b93244ec8f48a99e61ad799d86"
>>,
salt => <<"ATHENA.MIT.EDUraeburn">>,
password => <<"password">>,
password_hash_algorithm => #{name => pbkdf2,
password_hash_algorithm => #{
name => pbkdf2,
iterations => 2,
dk_length => 32,
mac_fun => sha}
mac_fun => sha
}
},
#{
password_hash => <<"01dbee7f4a9e243e988b62c73cda935da05378b9">>,
salt => <<"ATHENA.MIT.EDUraeburn">>,
password => <<"password">>,
password_hash_algorithm => #{name => pbkdf2,
password_hash_algorithm => #{
name => pbkdf2,
iterations => 2,
mac_fun => sha}
mac_fun => sha
}
}
].

222
apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl
View File

@ -42,7 +42,8 @@ init_per_testcase(_, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
init_per_group(require_seeds, Config) ->
@ -64,7 +65,8 @@ init_per_suite(Config) ->
?RESOURCE_GROUP,
emqx_connector_pgsql,
pgsql_config(),
#{}),
#{}
),
Config;
false ->
{skip, no_pgsql}
@ -73,7 +75,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = emqx_resource:remove_local(?PGSQL_RESOURCE),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -87,7 +90,8 @@ t_create(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_pgsql}]} = emqx_authentication:list_authenticators(?GLOBAL),
emqx_authn_test_lib:delete_config(?ResourceID).
@ -107,11 +111,13 @@ t_create_invalid(_Config) ->
fun(Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
emqx_authn_test_lib:delete_config(?ResourceID),
{ok, []} = emqx_authentication:list_authenticators(?GLOBAL)
end,
InvalidConfigs).
InvalidConfigs
).
t_authenticate(_Config) ->
ok = lists:foreach(
@ -119,16 +125,20 @@ t_authenticate(_Config) ->
ct:pal("test_user_auth sample: ~p", [Sample]),
test_user_auth(Sample)
end,
user_seeds()).
user_seeds()
).
test_user_auth(#{credentials := Credentials0,
test_user_auth(#{
credentials := Credentials0,
config_params := SpecificConfigParams,
result := Result}) ->
result := Result
}) ->
AuthConfig = maps:merge(raw_pgsql_auth_config(), SpecificConfigParams),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
Credentials = Credentials0#{
listener => 'tcp:default',
@ -139,72 +149,91 @@ test_user_auth(#{credentials := Credentials0,
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL).
?GLOBAL
).
t_destroy(_Config) ->
AuthConfig = raw_pgsql_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_pgsql, state := State}]}
= emqx_authentication:list_authenticators(?GLOBAL),
{ok, [#{provider := emqx_authn_pgsql, state := State}]} =
emqx_authentication:list_authenticators(?GLOBAL),
{ok, _} = emqx_authn_pgsql:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State),
State
),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
% Authenticator should not be usable anymore
?assertMatch(
ignore,
emqx_authn_pgsql:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State)).
State
)
).
t_update(_Config) ->
CorrectConfig = raw_pgsql_auth_config(),
IncorrectConfig =
CorrectConfig#{
query => <<"SELECT password_hash, salt, is_superuser_str as is_superuser
FROM users where username = ${username} LIMIT 0">>},
query =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 0"
>>
},
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, IncorrectConfig}),
{create_authenticator, ?GLOBAL, IncorrectConfig}
),
{error, not_authorized} = emqx_access_control:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}),
}
),
% We update with config with correct query, provider should update and work properly
{ok, _} = emqx:update_config(
?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:postgresql">>, CorrectConfig}),
{update_authenticator, ?GLOBAL, <<"password_based:postgresql">>, CorrectConfig}
),
{ok,_} = emqx_access_control:authenticate(
#{username => <<"plain">>,
{ok, _} = emqx_access_control:authenticate(
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}).
}
).
t_is_superuser(_Config) ->
Config = raw_pgsql_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
Checks = [
{is_superuser_str, "0", false},
@ -237,13 +266,16 @@ test_is_superuser({Field, Value, ExpectedValue}) ->
ok = create_user(UserData),
Query = "SELECT password_hash, salt, " ++ atom_to_list(Field) ++ " as is_superuser "
Query =
"SELECT password_hash, salt, " ++ atom_to_list(Field) ++
" as is_superuser "
"FROM users where username = ${username} LIMIT 1",
Config = maps:put(query, Query, raw_pgsql_auth_config()),
{ok, _} = emqx:update_config(
?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:postgresql">>, Config}),
{update_authenticator, ?GLOBAL, <<"password_based:postgresql">>, Config}
),
Credentials = #{
listener => 'tcp:default',
@ -254,7 +286,8 @@ test_is_superuser({Field, Value, ExpectedValue}) ->
?assertEqual(
{ok, #{is_superuser => ExpectedValue}},
emqx_access_control:authenticate(Credentials)).
emqx_access_control:authenticate(Credentials)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -263,8 +296,10 @@ test_is_superuser({Field, Value, ExpectedValue}) ->
raw_pgsql_auth_config() ->
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"postgresql">>,
@ -272,13 +307,18 @@ raw_pgsql_auth_config() ->
username => <<"root">>,
password => <<"public">>,
query => <<"SELECT password_hash, salt, is_superuser_str as is_superuser
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_str as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
server => pgsql_server()
}.
user_seeds() ->
[#{data => #{
[
#{
data => #{
username => "plain",
password_hash => "plainsalt",
salt => "salt",
@ -286,12 +326,14 @@ user_seeds() ->
},
credentials => #{
username => <<"plain">>,
password => <<"plain">>},
password => <<"plain">>
},
config_params => #{},
result => {ok,#{is_superuser => true}}
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
username => "md5",
password_hash => "9b4d0c43d206d48279e69b9ad7132e22",
salt => "salt",
@ -302,13 +344,16 @@ user_seeds() ->
password => <<"md5">>
},
config_params => #{
password_hash_algorithm => #{name => <<"md5">>,
salt_position => <<"suffix">>}
password_hash_algorithm => #{
name => <<"md5">>,
salt_position => <<"suffix">>
}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
username => "sha256",
password_hash => "ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf",
salt => "salt",
@ -319,15 +364,21 @@ user_seeds() ->
password => <<"sha256">>
},
config_params => #{
query => <<"SELECT password_hash, salt, is_superuser_int as is_superuser
FROM users where username = ${clientid} LIMIT 1">>,
password_hash_algorithm => #{name => <<"sha256">>,
salt_position => <<"prefix">>}
query =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
password_hash_algorithm => #{
name => <<"sha256">>,
salt_position => <<"prefix">>
}
},
result => {ok,#{is_superuser => true}}
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
username => <<"bcrypt">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -338,14 +389,18 @@ user_seeds() ->
password => <<"bcrypt">>
},
config_params => #{
query => <<"SELECT password_hash, salt, is_superuser_int as is_superuser
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${username} LIMIT 1"
>>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
username => <<"bcrypt0">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -357,14 +412,18 @@ user_seeds() ->
},
config_params => #{
% clientid variable & username credentials
query => <<"SELECT password_hash, salt, is_superuser_int as is_superuser
FROM users where username = ${clientid} LIMIT 1">>,
query =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where username = ${clientid} LIMIT 1"
>>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
username => <<"bcrypt1">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -376,14 +435,18 @@ user_seeds() ->
},
config_params => #{
% Bad keys in query
query => <<"SELECT 1 AS unknown_field
FROM users where username = ${username} LIMIT 1">>,
query =>
<<
"SELECT 1 AS unknown_field\n"
" FROM users where username = ${username} LIMIT 1"
>>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
username => <<"bcrypt2">>,
password_hash => "$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u",
salt => "$2b$12$wtY3h20mUjjmeaClpqZVve",
@ -397,30 +460,34 @@ user_seeds() ->
config_params => #{
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,bad_username_or_password}
result => {error, bad_username_or_password}
}
].
init_seeds() ->
ok = drop_seeds(),
{ok, _, _} = q("CREATE TABLE users(
username varchar(255),
password_hash varchar(255),
salt varchar(255),
is_superuser_str varchar(255),
is_superuser_int smallint,
is_superuser_bool boolean)"),
{ok, _, _} = q(
"CREATE TABLE users(\n"
" username varchar(255),\n"
" password_hash varchar(255),\n"
" salt varchar(255),\n"
" is_superuser_str varchar(255),\n"
" is_superuser_int smallint,\n"
" is_superuser_bool boolean)"
),
lists:foreach(
fun(#{data := Values}) ->
ok = create_user(Values)
end,
user_seeds()).
user_seeds()
).
create_user(Values) ->
Fields = [username, password_hash, salt, is_superuser_str, is_superuser_int, is_superuser_bool],
InsertQuery = "INSERT INTO users(username, password_hash, salt,"
InsertQuery =
"INSERT INTO users(username, password_hash, salt,"
"is_superuser_str, is_superuser_int, is_superuser_bool) "
"VALUES($1, $2, $3, $4, $5, $6)",
@ -431,22 +498,25 @@ create_user(Values) ->
q(Sql) ->
emqx_resource:query(
?PGSQL_RESOURCE,
{query, Sql}).
{query, Sql}
).
q(Sql, Params) ->
emqx_resource:query(
?PGSQL_RESOURCE,
{query, Sql, Params}).
{query, Sql, Params}
).
drop_seeds() ->
{ok, _, _} = q("DROP TABLE IF EXISTS users"),
ok.
pgsql_server() ->
iolist_to_binary(io_lib:format("~s",[?PGSQL_HOST])).
iolist_to_binary(io_lib:format("~s", [?PGSQL_HOST])).
pgsql_config() ->
#{auto_reconnect => true,
#{
auto_reconnect => true,
database => <<"mqtt">>,
username => <<"root">>,
password => <<"public">>,

50
apps/emqx_authn/test/emqx_authn_pgsql_tls_SUITE.erl
View File

@ -40,7 +40,8 @@ init_per_testcase(_, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
init_per_suite(Config) ->
@ -57,7 +58,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -72,36 +74,51 @@ t_create(_Config) ->
?assertMatch(
{ok, _},
create_pgsql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]})).
<<"ciphers">> => [<<"ECDHE-RSA-AES256-GCM-SHA384">>]
}
)
).
t_create_invalid(_Config) ->
%% invalid server_name
?assertMatch(
{ok, _},
create_pgsql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>})),
#{
<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>
}
)
),
emqx_authn_test_lib:delete_config(?ResourceID),
%% incompatible versions
?assertMatch(
{ok, _},
create_pgsql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.1">>]})),
<<"versions">> => [<<"tlsv1.1">>]
}
)
),
emqx_authn_test_lib:delete_config(?ResourceID),
%% incompatible ciphers
?assertMatch(
{ok, _},
create_pgsql_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.2">>],
<<"ciphers">> => [<<"ECDHE-ECDSA-AES128-GCM-SHA256">>]})).
<<"ciphers">> => [<<"ECDHE-ECDSA-AES128-GCM-SHA256">>]
}
)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -114,11 +131,14 @@ create_pgsql_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_pgsql_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
#{enable => <<"true">>}),
#{enable => <<"true">>}
),
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"postgresql">>,
@ -132,7 +152,7 @@ raw_pgsql_auth_config(SpecificSSLOpts) ->
}.
pgsql_server() ->
iolist_to_binary(io_lib:format("~s",[?PGSQL_HOST])).
iolist_to_binary(io_lib:format("~s", [?PGSQL_HOST])).
start_apps(Apps) ->
lists:foreach(fun application:ensure_all_started/1, Apps).

182
apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
View File

@ -41,7 +41,8 @@ init_per_testcase(_, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
init_per_group(require_seeds, Config) ->
@ -63,7 +64,8 @@ init_per_suite(Config) ->
?RESOURCE_GROUP,
emqx_connector_redis,
redis_config(),
#{}),
#{}
),
Config;
false ->
{skip, no_redis}
@ -72,7 +74,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = emqx_resource:remove_local(?REDIS_RESOURCE),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -87,7 +90,8 @@ t_create(_Config) ->
AuthConfig = raw_redis_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_redis}]} = emqx_authentication:list_authenticators(?GLOBAL).
@ -96,21 +100,26 @@ t_create_invalid(_Config) ->
InvalidConfigs =
[
AuthConfig#{
cmd => <<"MGET password_hash:${username} salt:${username}">>},
cmd => <<"MGET password_hash:${username} salt:${username}">>
},
AuthConfig#{
cmd => <<"HMGET mqtt_user:${username} password_hash invalid_field">>},
cmd => <<"HMGET mqtt_user:${username} password_hash invalid_field">>
},
AuthConfig#{
cmd => <<"HMGET mqtt_user:${username} salt is_superuser">>}
cmd => <<"HMGET mqtt_user:${username} salt is_superuser">>
}
],
lists:foreach(
fun(Config) ->
{error, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
{ok, []} = emqx_authentication:list_authenticators(?GLOBAL)
end,
InvalidConfigs),
InvalidConfigs
),
InvalidConfigs1 =
[
@ -124,11 +133,13 @@ t_create_invalid(_Config) ->
fun(Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
emqx_authn_test_lib:delete_config(?ResourceID),
{ok, []} = emqx_authentication:list_authenticators(?GLOBAL)
end,
InvalidConfigs1).
InvalidConfigs1
).
t_authenticate(_Config) ->
ok = lists:foreach(
@ -136,16 +147,20 @@ t_authenticate(_Config) ->
ct:pal("test_user_auth sample: ~p", [Sample]),
test_user_auth(Sample)
end,
user_seeds()).
user_seeds()
).
test_user_auth(#{credentials := Credentials0,
test_user_auth(#{
credentials := Credentials0,
config_params := SpecificConfigParams,
result := Result}) ->
result := Result
}) ->
AuthConfig = maps:merge(raw_redis_auth_config(), SpecificConfigParams),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
Credentials = Credentials0#{
listener => 'tcp:default',
@ -156,65 +171,80 @@ test_user_auth(#{credentials := Credentials0,
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL).
?GLOBAL
).
t_destroy(_Config) ->
AuthConfig = raw_redis_auth_config(),
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, AuthConfig}),
{create_authenticator, ?GLOBAL, AuthConfig}
),
{ok, [#{provider := emqx_authn_redis, state := State}]}
= emqx_authentication:list_authenticators(?GLOBAL),
{ok, [#{provider := emqx_authn_redis, state := State}]} =
emqx_authentication:list_authenticators(?GLOBAL),
{ok, _} = emqx_authn_redis:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State),
State
),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
% Authenticator should not be usable anymore
?assertMatch(
ignore,
emqx_authn_redis:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>
},
State)).
State
)
).
t_update(_Config) ->
CorrectConfig = raw_redis_auth_config(),
IncorrectConfig =
CorrectConfig#{
cmd => <<"HMGET invalid_key:${username} password_hash salt is_superuser">>},
cmd => <<"HMGET invalid_key:${username} password_hash salt is_superuser">>
},
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, IncorrectConfig}),
{create_authenticator, ?GLOBAL, IncorrectConfig}
),
{error, not_authorized} = emqx_access_control:authenticate(
#{username => <<"plain">>,
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}),
}
),
% We update with config with correct query, provider should update and work properly
{ok, _} = emqx:update_config(
?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:redis">>, CorrectConfig}),
{update_authenticator, ?GLOBAL, <<"password_based:redis">>, CorrectConfig}
),
{ok,_} = emqx_access_control:authenticate(
#{username => <<"plain">>,
{ok, _} = emqx_access_control:authenticate(
#{
username => <<"plain">>,
password => <<"plain">>,
listener => 'tcp:default',
protocol => mqtt
}).
}
).
%%------------------------------------------------------------------------------
%% Helpers
@ -223,8 +253,10 @@ t_update(_Config) ->
raw_redis_auth_config() ->
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"redis">>,
@ -235,20 +267,24 @@ raw_redis_auth_config() ->
}.
user_seeds() ->
[#{data => #{
[
#{
data => #{
password_hash => <<"plainsalt">>,
salt => <<"salt">>,
is_superuser => <<"1">>
},
credentials => #{
username => <<"plain">>,
password => <<"plain">>},
password => <<"plain">>
},
key => <<"mqtt_user:plain">>,
config_params => #{},
result => {ok,#{is_superuser => true}}
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
password_hash => <<"9b4d0c43d206d48279e69b9ad7132e22">>,
salt => <<"salt">>,
is_superuser => <<"0">>
@ -259,14 +295,18 @@ user_seeds() ->
},
key => <<"mqtt_user:md5">>,
config_params => #{
password_hash_algorithm => #{name => <<"md5">>,
salt_position => <<"suffix">>}
password_hash_algorithm => #{
name => <<"md5">>,
salt_position => <<"suffix">>
}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
password_hash => <<"ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf">>,
#{
data => #{
password_hash =>
<<"ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf">>,
salt => <<"salt">>,
is_superuser => <<"1">>
},
@ -277,13 +317,16 @@ user_seeds() ->
key => <<"mqtt_user:sha256">>,
config_params => #{
cmd => <<"HMGET mqtt_user:${clientid} password_hash salt is_superuser">>,
password_hash_algorithm => #{name => <<"sha256">>,
salt_position => <<"prefix">>}
password_hash_algorithm => #{
name => <<"sha256">>,
salt_position => <<"prefix">>
}
},
result => {ok,#{is_superuser => true}}
result => {ok, #{is_superuser => true}}
},
#{data => #{
#{
data => #{
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
salt => <<"$2b$12$wtY3h20mUjjmeaClpqZVve">>,
@ -297,9 +340,10 @@ user_seeds() ->
config_params => #{
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
password_hash => <<"01dbee7f4a9e243e988b62c73cda935da05378b9">>,
salt => <<"ATHENA.MIT.EDUraeburn">>,
is_superuser => <<"0">>
@ -310,14 +354,16 @@ user_seeds() ->
},
key => <<"mqtt_user:pbkdf2">>,
config_params => #{
password_hash_algorithm => #{name => <<"pbkdf2">>,
password_hash_algorithm => #{
name => <<"pbkdf2">>,
iterations => 2,
mac_fun => sha
}
},
result => {ok,#{is_superuser => false}}
result => {ok, #{is_superuser => false}}
},
#{data => #{
#{
data => #{
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
salt => <<"$2b$12$wtY3h20mUjjmeaClpqZVve">>,
@ -333,10 +379,11 @@ user_seeds() ->
cmd => <<"HMGET mqtt_client:${clientid} password_hash salt is_superuser">>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
salt => <<"$2b$12$wtY3h20mUjjmeaClpqZVve">>,
@ -352,10 +399,11 @@ user_seeds() ->
cmd => <<"HMGET badkey:${username} password_hash salt is_superuser">>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,not_authorized}
result => {error, not_authorized}
},
#{data => #{
#{
data => #{
password_hash =>
<<"$2b$12$wtY3h20mUjjmeaClpqZVveDWGlHzCGsvuThMlneGHA7wVeFYyns2u">>,
salt => <<"$2b$12$wtY3h20mUjjmeaClpqZVve">>,
@ -371,7 +419,7 @@ user_seeds() ->
cmd => <<"HMGET mqtt_user:${username} password_hash salt is_superuser">>,
password_hash_algorithm => #{name => <<"bcrypt">>}
},
result => {error,bad_username_or_password}
result => {error, bad_username_or_password}
}
].
@ -379,30 +427,36 @@ init_seeds() ->
ok = drop_seeds(),
lists:foreach(
fun(#{key := UserKey, data := Values}) ->
lists:foreach(fun({Key, Value}) ->
lists:foreach(
fun({Key, Value}) ->
q(["HSET", UserKey, atom_to_list(Key), Value])
end,
maps:to_list(Values))
maps:to_list(Values)
)
end,
user_seeds()).
user_seeds()
).
q(Command) ->
emqx_resource:query(
?REDIS_RESOURCE,
{cmd, Command}).
{cmd, Command}
).
drop_seeds() ->
lists:foreach(
fun(#{key := UserKey}) ->
q(["DEL", UserKey])
end,
user_seeds()).
user_seeds()
).
redis_server() ->
iolist_to_binary(io_lib:format("~s",[?REDIS_HOST])).
iolist_to_binary(io_lib:format("~s", [?REDIS_HOST])).
redis_config() ->
#{auto_reconnect => true,
#{
auto_reconnect => true,
database => 1,
pool_size => 8,
redis_type => single,

49
apps/emqx_authn/test/emqx_authn_redis_tls_SUITE.erl
View File

@ -40,7 +40,8 @@ init_per_testcase(_, Config) ->
emqx_authentication:initialize_authentication(?GLOBAL, []),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
init_per_suite(Config) ->
@ -57,7 +58,8 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
ok = stop_apps([emqx_resource, emqx_connector]),
ok = emqx_common_test_helpers:stop_apps([emqx_authn]).
@ -69,37 +71,53 @@ t_create(_Config) ->
?assertMatch(
{ok, _},
create_redis_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.3">>],
<<"ciphers">> => [<<"TLS_CHACHA20_POLY1305_SHA256">>]})).
<<"ciphers">> => [<<"TLS_CHACHA20_POLY1305_SHA256">>]
}
)
).
t_create_invalid(_Config) ->
%% invalid server_name
?assertMatch(
{ok, _},
create_redis_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server-unknown-host">>,
#{
<<"server_name_indication">> => <<"authn-server-unknown-host">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.3">>],
<<"ciphers">> => [<<"TLS_CHACHA20_POLY1305_SHA256">>]})),
<<"ciphers">> => [<<"TLS_CHACHA20_POLY1305_SHA256">>]
}
)
),
%% incompatible versions
?assertMatch(
{error, _},
create_redis_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.1">>, <<"tlsv1.2">>]})),
<<"versions">> => [<<"tlsv1.1">>, <<"tlsv1.2">>]
}
)
),
%% incompatible ciphers
?assertMatch(
{error, _},
create_redis_auth_with_ssl_opts(
#{<<"server_name_indication">> => <<"authn-server">>,
#{
<<"server_name_indication">> => <<"authn-server">>,
<<"verify">> => <<"verify_peer">>,
<<"versions">> => [<<"tlsv1.3">>],
<<"ciphers">> => [<<"TLS_AES_128_GCM_SHA256">>]})).
<<"ciphers">> => [<<"TLS_AES_128_GCM_SHA256">>]
}
)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -112,11 +130,14 @@ create_redis_auth_with_ssl_opts(SpecificSSLOpts) ->
raw_redis_auth_config(SpecificSSLOpts) ->
SSLOpts = maps:merge(
emqx_authn_test_lib:client_ssl_cert_opts(),
#{enable => <<"true">>}),
#{enable => <<"true">>}
),
#{
mechanism => <<"password_based">>,
password_hash_algorithm => #{name => <<"plain">>,
salt_position => <<"suffix">>},
password_hash_algorithm => #{
name => <<"plain">>,
salt_position => <<"suffix">>
},
enable => <<"true">>,
backend => <<"redis">>,
@ -128,7 +149,7 @@ raw_redis_auth_config(SpecificSSLOpts) ->
}.
redis_server() ->
iolist_to_binary(io_lib:format("~s:~b",[?REDIS_HOST, ?REDIS_TLS_PORT])).
iolist_to_binary(io_lib:format("~s:~b", [?REDIS_HOST, ?REDIS_TLS_PORT])).
start_apps(Apps) ->
lists:foreach(fun application:ensure_all_started/1, Apps).

18
apps/emqx_authn/test/emqx_authn_test_lib.erl
View File

@ -36,16 +36,19 @@ jwt_example() ->
delete_authenticators(Path, Chain) ->
case emqx_authentication:list_authenticators(Chain) of
{error, _} -> ok;
{error, _} ->
ok;
{ok, Authenticators} ->
lists:foreach(
fun(#{id := ID}) ->
emqx:update_config(
Path,
{delete_authenticator, Chain, ID},
#{rawconf_with_defaults => true})
#{rawconf_with_defaults => true}
)
end,
Authenticators)
Authenticators
)
end.
delete_config(ID) ->
@ -53,10 +56,13 @@ delete_config(ID) ->
emqx:update_config(
[authentication],
{delete_authenticator, ?GLOBAL, ID},
#{rawconf_with_defaults => false}).
#{rawconf_with_defaults => false}
).
client_ssl_cert_opts() ->
Dir = code:lib_dir(emqx_authn, test),
#{keyfile => filename:join([Dir, "data/certs", "client.key"]),
#{
keyfile => filename:join([Dir, "data/certs", "client.key"]),
certfile => filename:join([Dir, "data/certs", "client.crt"]),
cacertfile => filename:join([Dir, "data/certs", "ca.crt"])}.
cacertfile => filename:join([Dir, "data/certs", "ca.crt"])
}.

164
apps/emqx_authn/test/emqx_enhanced_authn_scram_mnesia_SUITE.erl
View File

@ -26,8 +26,10 @@
-define(PATH, [authentication]).
-define(USER_MAP, #{user_id := _,
is_superuser := _}).
-define(USER_MAP, #{
user_id := _,
is_superuser := _
}).
all() ->
emqx_common_test_helpers:all(?MODULE).
@ -45,7 +47,8 @@ init_per_testcase(_Case, Config) ->
mria:clear_table(emqx_enhanced_authn_scram_mnesia),
emqx_authn_test_lib:delete_authenticators(
[authentication],
?GLOBAL),
?GLOBAL
),
Config.
end_per_testcase(_Case, Config) ->
@ -65,10 +68,11 @@ t_create(_Config) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, ValidConfig}),
{create_authenticator, ?GLOBAL, ValidConfig}
),
{ok, [#{provider := emqx_enhanced_authn_scram_mnesia}]}
= emqx_authentication:list_authenticators(?GLOBAL).
{ok, [#{provider := emqx_enhanced_authn_scram_mnesia}]} =
emqx_authentication:list_authenticators(?GLOBAL).
t_create_invalid(_Config) ->
InvalidConfig = #{
@ -80,7 +84,8 @@ t_create_invalid(_Config) ->
{error, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, InvalidConfig}),
{create_authenticator, ?GLOBAL, InvalidConfig}
),
{ok, []} = emqx_authentication:list_authenticators(?GLOBAL).
@ -102,33 +107,41 @@ t_authenticate(_Config) ->
'Authentication-Method' => <<"SCRAM-SHA-512">>,
'Authentication-Data' => ClientFirstMessage
}
}),
}
),
ok = emqx_authn_mqtt_test_client:send(Pid, ConnectPacket),
?AUTH_PACKET(
?RC_CONTINUE_AUTHENTICATION,
#{'Authentication-Data' := ServerFirstMessage}) = receive_packet(),
#{'Authentication-Data' := ServerFirstMessage}
) = receive_packet(),
{continue, ClientFinalMessage, ClientCache} =
esasl_scram:check_server_first_message(
ServerFirstMessage,
#{client_first_message => ClientFirstMessage,
#{
client_first_message => ClientFirstMessage,
password => Password,
algorithm => Algorithm}
algorithm => Algorithm
}
),
AuthContinuePacket = ?AUTH_PACKET(
?RC_CONTINUE_AUTHENTICATION,
#{'Authentication-Method' => <<"SCRAM-SHA-512">>,
'Authentication-Data' => ClientFinalMessage}),
#{
'Authentication-Method' => <<"SCRAM-SHA-512">>,
'Authentication-Data' => ClientFinalMessage
}
),
ok = emqx_authn_mqtt_test_client:send(Pid, AuthContinuePacket),
?CONNACK_PACKET(
?RC_SUCCESS,
_,
#{'Authentication-Data' := ServerFinalMessage}) = receive_packet(),
#{'Authentication-Data' := ServerFinalMessage}
) = receive_packet(),
ok = esasl_scram:check_server_final_message(
ServerFinalMessage, ClientCache#{algorithm => Algorithm}
@ -152,7 +165,8 @@ t_authenticate_bad_username(_Config) ->
'Authentication-Method' => <<"SCRAM-SHA-512">>,
'Authentication-Data' => ClientFirstMessage
}
}),
}
),
ok = emqx_authn_mqtt_test_client:send(Pid, ConnectPacket),
@ -176,26 +190,33 @@ t_authenticate_bad_password(_Config) ->
'Authentication-Method' => <<"SCRAM-SHA-512">>,
'Authentication-Data' => ClientFirstMessage
}
}),
}
),
ok = emqx_authn_mqtt_test_client:send(Pid, ConnectPacket),
?AUTH_PACKET(
?RC_CONTINUE_AUTHENTICATION,
#{'Authentication-Data' := ServerFirstMessage}) = receive_packet(),
#{'Authentication-Data' := ServerFirstMessage}
) = receive_packet(),
{continue, ClientFinalMessage, _ClientCache} =
esasl_scram:check_server_first_message(
ServerFirstMessage,
#{client_first_message => ClientFirstMessage,
#{
client_first_message => ClientFirstMessage,
password => <<"badpassword">>,
algorithm => Algorithm}
algorithm => Algorithm
}
),
AuthContinuePacket = ?AUTH_PACKET(
?RC_CONTINUE_AUTHENTICATION,
#{'Authentication-Method' => <<"SCRAM-SHA-512">>,
'Authentication-Data' => ClientFinalMessage}),
#{
'Authentication-Method' => <<"SCRAM-SHA-512">>,
'Authentication-Data' => ClientFinalMessage
}
),
ok = emqx_authn_mqtt_test_client:send(Pid, AuthContinuePacket),
@ -218,7 +239,7 @@ t_destroy(_) ->
ok = emqx_enhanced_authn_scram_mnesia:destroy(State0),
{ok, State1} = emqx_enhanced_authn_scram_mnesia:create(<<"id">>, Config),
{error,not_found} = emqx_enhanced_authn_scram_mnesia:lookup_user(<<"u">>, State1),
{error, not_found} = emqx_enhanced_authn_scram_mnesia:lookup_user(<<"u">>, State1),
{ok, _} = emqx_enhanced_authn_scram_mnesia:lookup_user(<<"u">>, StateOther).
t_add_user(_) ->
@ -248,12 +269,14 @@ t_update_user(_) ->
{ok, _} = emqx_enhanced_authn_scram_mnesia:add_user(User, State),
{ok, #{is_superuser := false}} = emqx_enhanced_authn_scram_mnesia:lookup_user(<<"u">>, State),
{ok,
#{user_id := <<"u">>,
is_superuser := true}} = emqx_enhanced_authn_scram_mnesia:update_user(
{ok, #{
user_id := <<"u">>,
is_superuser := true
}} = emqx_enhanced_authn_scram_mnesia:update_user(
<<"u">>,
#{password => <<"p1">>, is_superuser => true},
State),
State
),
{ok, #{is_superuser := true}} = emqx_enhanced_authn_scram_mnesia:lookup_user(<<"u">>, State).
@ -261,29 +284,47 @@ t_list_users(_) ->
Config = config(),
{ok, State} = emqx_enhanced_authn_scram_mnesia:create(<<"id">>, Config),
Users = [#{user_id => <<"u1">>, password => <<"p">>},
Users = [
#{user_id => <<"u1">>, password => <<"p">>},
#{user_id => <<"u2">>, password => <<"p">>},
#{user_id => <<"u3">>, password => <<"p">>}],
#{user_id => <<"u3">>, password => <<"p">>}
],
lists:foreach(
fun(U) -> {ok, _} = emqx_enhanced_authn_scram_mnesia:add_user(U, State) end,
Users),
Users
),
#{data := [?USER_MAP, ?USER_MAP],
meta := #{page := 1, limit := 2, count := 3}} = emqx_enhanced_authn_scram_mnesia:list_users(
#{
data := [?USER_MAP, ?USER_MAP],
meta := #{page := 1, limit := 2, count := 3}
} = emqx_enhanced_authn_scram_mnesia:list_users(
#{<<"page">> => 1, <<"limit">> => 2},
State),
#{data := [?USER_MAP],
meta := #{page := 2, limit := 2, count := 3}} = emqx_enhanced_authn_scram_mnesia:list_users(
State
),
#{
data := [?USER_MAP],
meta := #{page := 2, limit := 2, count := 3}
} = emqx_enhanced_authn_scram_mnesia:list_users(
#{<<"page">> => 2, <<"limit">> => 2},
State),
#{data := [#{user_id := <<"u1">>,
is_superuser := _}],
meta := #{page := 1, limit := 3, count := 1}} = emqx_enhanced_authn_scram_mnesia:list_users(
#{ <<"page">> => 1
, <<"limit">> => 3
, <<"like_username">> => <<"1">>},
State).
State
),
#{
data := [
#{
user_id := <<"u1">>,
is_superuser := _
}
],
meta := #{page := 1, limit := 3, count := 1}
} = emqx_enhanced_authn_scram_mnesia:list_users(
#{
<<"page">> => 1,
<<"limit">> => 3,
<<"like_username">> => <<"1">>
},
State
).
t_is_superuser(_Config) ->
ok = test_is_superuser(#{is_superuser => false}, false),
@ -297,36 +338,44 @@ test_is_superuser(UserInfo, ExpectedIsSuperuser) ->
Username = <<"u">>,
Password = <<"p">>,
UserInfo0 = UserInfo#{user_id => Username,
password => Password},
UserInfo0 = UserInfo#{
user_id => Username,
password => Password
},
{ok, _} = emqx_enhanced_authn_scram_mnesia:add_user(UserInfo0, State),
ClientFirstMessage = esasl_scram:client_first_message(Username),
{continue, ServerFirstMessage, ServerCache}
= emqx_enhanced_authn_scram_mnesia:authenticate(
#{auth_method => <<"SCRAM-SHA-512">>,
{continue, ServerFirstMessage, ServerCache} =
emqx_enhanced_authn_scram_mnesia:authenticate(
#{
auth_method => <<"SCRAM-SHA-512">>,
auth_data => ClientFirstMessage,
auth_cache => #{}
},
State),
State
),
{continue, ClientFinalMessage, ClientCache} =
esasl_scram:check_server_first_message(
ServerFirstMessage,
#{client_first_message => ClientFirstMessage,
#{
client_first_message => ClientFirstMessage,
password => Password,
algorithm => sha512}
algorithm => sha512
}
),
{ok, UserInfo1, ServerFinalMessage}
= emqx_enhanced_authn_scram_mnesia:authenticate(
#{auth_method => <<"SCRAM-SHA-512">>,
{ok, UserInfo1, ServerFinalMessage} =
emqx_enhanced_authn_scram_mnesia:authenticate(
#{
auth_method => <<"SCRAM-SHA-512">>,
auth_data => ClientFinalMessage,
auth_cache => ServerCache
},
State),
State
),
ok = esasl_scram:check_server_final_message(
ServerFinalMessage, ClientCache#{algorithm => sha512}
@ -336,7 +385,6 @@ test_is_superuser(UserInfo, ExpectedIsSuperuser) ->
ok = emqx_enhanced_authn_scram_mnesia:destroy(State).
%%------------------------------------------------------------------------------
%% Helpers
%%------------------------------------------------------------------------------
@ -362,13 +410,15 @@ init_auth(Username, Password, Algorithm) ->
{ok, _} = emqx:update_config(
?PATH,
{create_authenticator, ?GLOBAL, Config}),
{create_authenticator, ?GLOBAL, Config}
),
{ok, [#{state := State}]} = emqx_authentication:list_authenticators(?GLOBAL),
emqx_enhanced_authn_scram_mnesia:add_user(
#{user_id => Username, password => Password},
State).
State
).
receive_packet() ->
receive

78
apps/emqx_authz/include/emqx_authz.hrl
View File

@ -16,13 +16,15 @@
-define(APP, emqx_authz).
-define(ALLOW_DENY(A), ((A =:= allow) orelse (A =:= <<"allow">>) orelse
(A =:= deny) orelse (A =:= <<"deny">>)
)).
-define(PUBSUB(A), ((A =:= subscribe) orelse (A =:= <<"subscribe">>) orelse
-define(ALLOW_DENY(A),
((A =:= allow) orelse (A =:= <<"allow">>) orelse
(A =:= deny) orelse (A =:= <<"deny">>))
).
-define(PUBSUB(A),
((A =:= subscribe) orelse (A =:= <<"subscribe">>) orelse
(A =:= publish) orelse (A =:= <<"publish">>) orelse
(A =:= all) orelse (A =:= <<"all">>)
)).
(A =:= all) orelse (A =:= <<"all">>))
).
%% authz_mnesia
-define(ACL_TABLE, emqx_acl).
@ -44,53 +46,69 @@
-define(RE_PLACEHOLDER, "\\$\\{[a-z0-9_]+\\}").
%% API examples
-define(USERNAME_RULES_EXAMPLE, #{username => user1,
rules => [ #{topic => <<"test/toopic/1">>,
-define(USERNAME_RULES_EXAMPLE, #{
username => user1,
rules => [
#{
topic => <<"test/toopic/1">>,
permission => <<"allow">>,
action => <<"publish">>
}
, #{topic => <<"test/toopic/2">>,
},
#{
topic => <<"test/toopic/2">>,
permission => <<"allow">>,
action => <<"subscribe">>
}
, #{topic => <<"eq test/#">>,
},
#{
topic => <<"eq test/#">>,
permission => <<"deny">>,
action => <<"all">>
}
]
}).
-define(CLIENTID_RULES_EXAMPLE, #{clientid => client1,
rules => [ #{topic => <<"test/toopic/1">>,
}).
-define(CLIENTID_RULES_EXAMPLE, #{
clientid => client1,
rules => [
#{
topic => <<"test/toopic/1">>,
permission => <<"allow">>,
action => <<"publish">>
}
, #{topic => <<"test/toopic/2">>,
},
#{
topic => <<"test/toopic/2">>,
permission => <<"allow">>,
action => <<"subscribe">>
}
, #{topic => <<"eq test/#">>,
},
#{
topic => <<"eq test/#">>,
permission => <<"deny">>,
action => <<"all">>
}
]
}).
-define(ALL_RULES_EXAMPLE, #{rules => [ #{topic => <<"test/toopic/1">>,
}).
-define(ALL_RULES_EXAMPLE, #{
rules => [
#{
topic => <<"test/toopic/1">>,
permission => <<"allow">>,
action => <<"publish">>
}
, #{topic => <<"test/toopic/2">>,
},
#{
topic => <<"test/toopic/2">>,
permission => <<"allow">>,
action => <<"subscribe">>
}
, #{topic => <<"eq test/#">>,
},
#{
topic => <<"eq test/#">>,
permission => <<"deny">>,
action => <<"all">>
}
]
}).
-define(META_EXAMPLE, #{ page => 1
, limit => 100
, count => 1
}).
}).
-define(META_EXAMPLE, #{
page => 1,
limit => 100,
count => 1
}).
-define(RESOURCE_GROUP, <<"emqx_authz">>).

9
apps/emqx_authz/rebar.config
View File

@ -1,11 +1,14 @@
%% -*- mode: erlang -*-
{erl_opts, [debug_info, nowarn_unused_import]}.
{deps, [ {emqx, {path, "../emqx"}}
, {emqx_connector, {path, "../emqx_connector"}}
]}.
{deps, [
{emqx, {path, "../emqx"}},
{emqx_connector, {path, "../emqx_connector"}}
]}.
{shell, [
% {config, "config/sys.config"},
{apps, [emqx_authz]}
]}.
{project_plugins, [erlfmt]}.

12
apps/emqx_authz/src/emqx_authz.app.src
View File

@ -1,18 +1,18 @@
%% -*- mode: erlang -*-
{application, emqx_authz,
[{description, "An OTP application"},
{application, emqx_authz, [
{description, "An OTP application"},
{vsn, "0.1.1"},
{registered, []},
{mod, {emqx_authz_app, []}},
{applications,
[kernel,
{applications, [
kernel,
stdlib,
crypto,
emqx_connector
]},
{env,[]},
{env, []},
{modules, []},
{licenses, ["Apache 2.0"]},
{links, []}
]}.
]}.

177
apps/emqx_authz/src/emqx_authz.erl
View File

@ -25,29 +25,30 @@
-compile(nowarn_export_all).
-endif.
-export([ register_metrics/0
, init/0
, deinit/0
, lookup/0
, lookup/1
, move/2
, update/2
, authorize/5
]).
-export([
register_metrics/0,
init/0,
deinit/0,
lookup/0,
lookup/1,
move/2,
update/2,
authorize/5
]).
-export([post_config_update/5, pre_config_update/3]).
-export([acl_conf_file/0]).
-type(source() :: map()).
-type source() :: map().
-type(match_result() :: {matched, allow} | {matched, deny} | nomatch).
-type match_result() :: {matched, allow} | {matched, deny} | nomatch.
-type(default_result() :: allow | deny).
-type default_result() :: allow | deny.
-type(authz_result() :: {stop, allow} | {ok, deny}).
-type authz_result() :: {stop, allow} | {ok, deny}.
-type(sources() :: [source()]).
-type sources() :: [source()].
-define(METRIC_ALLOW, 'client.authorize.allow').
-define(METRIC_DENY, 'client.authorize.deny').
@ -60,30 +61,25 @@
%% Initialize authz backend.
%% Populate the passed configuration map with necessary data,
%% like `ResourceID`s
-callback(init(source()) -> source()).
-callback init(source()) -> source().
%% Get authz text description.
-callback(description() -> string()).
-callback description() -> string().
%% Destroy authz backend.
%% Make cleanup of all allocated data.
%% An authz backend will not be used after `destroy`.
-callback(destroy(source()) -> ok).
%% Check if a configuration map is valid for further
%% authz backend initialization.
%% The callback must deallocate all resources allocated
%% during verification.
-callback(dry_run(source()) -> ok | {error, term()}).
-callback destroy(source()) -> ok.
%% Authorize client action.
-callback(authorize(
-callback authorize(
emqx_types:clientinfo(),
emqx_types:pubsub(),
emqx_types:topic(),
source()) -> match_result()).
source()
) -> match_result().
-spec(register_metrics() -> ok).
-spec register_metrics() -> ok.
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?METRICS).
@ -110,13 +106,16 @@ lookup(Type) ->
move(Type, ?CMD_MOVE_BEFORE(Before)) ->
emqx_authz_utils:update_config(
?CONF_KEY_PATH, {?CMD_MOVE, type(Type), ?CMD_MOVE_BEFORE(type(Before))});
?CONF_KEY_PATH, {?CMD_MOVE, type(Type), ?CMD_MOVE_BEFORE(type(Before))}
);
move(Type, ?CMD_MOVE_AFTER(After)) ->
emqx_authz_utils:update_config(
?CONF_KEY_PATH, {?CMD_MOVE, type(Type), ?CMD_MOVE_AFTER(type(After))});
?CONF_KEY_PATH, {?CMD_MOVE, type(Type), ?CMD_MOVE_AFTER(type(After))}
);
move(Type, Position) ->
emqx_authz_utils:update_config(
?CONF_KEY_PATH, {?CMD_MOVE, type(Type), Position}).
?CONF_KEY_PATH, {?CMD_MOVE, type(Type), Position}
).
update({?CMD_REPLACE, Type}, Sources) ->
emqx_authz_utils:update_config(?CONF_KEY_PATH, {{?CMD_REPLACE, type(Type)}, Sources});
@ -140,18 +139,6 @@ do_pre_config_update({?CMD_APPEND, Source}, Sources) ->
NSources = Sources ++ [NSource],
ok = check_dup_types(NSources),
NSources;
do_pre_config_update({{?CMD_REPLACE, Type}, #{<<"enable">> := Enable} = Source}, Sources)
when ?IS_ENABLED(Enable) ->
NSource = maybe_write_files(Source),
{_Old, Front, Rear} = take(Type, Sources),
case create_dry_run(Type, NSource) of
ok ->
NSources = Front ++ [NSource | Rear],
ok = check_dup_types(NSources),
NSources;
{error, _} = Error ->
throw(Error)
end;
do_pre_config_update({{?CMD_REPLACE, Type}, Source}, Sources) ->
NSource = maybe_write_files(Source),
{_Old, Front, Rear} = take(Type, Sources),
@ -223,7 +210,8 @@ do_move({?CMD_MOVE, Type, ?CMD_MOVE_AFTER(After)}, Sources) ->
{S2, Front2, Rear2} = take(After, Front1 ++ Rear1),
Front2 ++ [S2, S1] ++ Rear2.
ensure_resource_deleted(#{enable := false}) -> ok;
ensure_resource_deleted(#{enable := false}) ->
ok;
ensure_resource_deleted(#{type := Type} = Source) ->
Module = authz_module(Type),
Module:destroy(Source).
@ -231,11 +219,13 @@ ensure_resource_deleted(#{type := Type} = Source) ->
check_dup_types(Sources) ->
check_dup_types(Sources, []).
check_dup_types([], _Checked) -> ok;
check_dup_types([], _Checked) ->
ok;
check_dup_types([Source | Sources], Checked) ->
%% the input might be raw or type-checked result, so lookup both 'type' and <<"type">>
%% TODO: check: really?
Type = case maps:get(<<"type">>, Source, maps:get(type, Source, undefined)) of
Type =
case maps:get(<<"type">>, Source, maps:get(type, Source, undefined)) of
undefined ->
%% this should never happen if the value is type checked by honcon schema
throw({bad_source_input, Source});
@ -250,11 +240,6 @@ check_dup_types([Source | Sources], Checked) ->
check_dup_types(Sources, [Type | Checked])
end.
create_dry_run(Type, Source) ->
[CheckedSource] = check_sources([Source]),
Module = authz_module(Type),
Module:dry_run(CheckedSource).
init_sources(Sources) ->
{_Enabled, Disabled} = lists:partition(fun(#{enable := Enable}) -> Enable end, Sources),
case Disabled =/= [] of
@ -263,7 +248,8 @@ init_sources(Sources) ->
end,
lists:map(fun init_source/1, Sources).
init_source(#{enable := false} = Source) -> Source;
init_source(#{enable := false} = Source) ->
Source;
init_source(#{type := Type} = Source) ->
Module = authz_module(Type),
Module:init(Source).
@ -273,42 +259,63 @@ init_source(#{type := Type} = Source) ->
%%--------------------------------------------------------------------
%% @doc Check AuthZ
-spec(authorize( emqx_types:clientinfo()
, emqx_types:pubsub()
, emqx_types:topic()
, default_result()
, sources())
-> authz_result()).
authorize(#{username := Username,
-spec authorize(
emqx_types:clientinfo(),
emqx_types:pubsub(),
emqx_types:topic(),
default_result(),
sources()
) ->
authz_result().
authorize(
#{
username := Username,
peerhost := IpAddress
} = Client, PubSub, Topic, DefaultResult, Sources) ->
} = Client,
PubSub,
Topic,
DefaultResult,
Sources
) ->
case do_authorize(Client, PubSub, Topic, Sources) of
{{matched, allow}, AuthzSource}->
emqx:run_hook('client.check_authz_complete',
[Client, PubSub, Topic, allow, AuthzSource]),
?SLOG(info, #{msg => "authorization_permission_allowed",
{{matched, allow}, AuthzSource} ->
emqx:run_hook(
'client.check_authz_complete',
[Client, PubSub, Topic, allow, AuthzSource]
),
?SLOG(info, #{
msg => "authorization_permission_allowed",
username => Username,
ipaddr => IpAddress,
topic => Topic}),
topic => Topic
}),
emqx_metrics:inc(?METRIC_ALLOW),
{stop, allow};
{{matched, deny}, AuthzSource}->
emqx:run_hook('client.check_authz_complete',
[Client, PubSub, Topic, deny, AuthzSource]),
?SLOG(info, #{msg => "authorization_permission_denied",
{{matched, deny}, AuthzSource} ->
emqx:run_hook(
'client.check_authz_complete',
[Client, PubSub, Topic, deny, AuthzSource]
),
?SLOG(info, #{
msg => "authorization_permission_denied",
username => Username,
ipaddr => IpAddress,
topic => Topic}),
topic => Topic
}),
emqx_metrics:inc(?METRIC_DENY),
{stop, deny};
nomatch ->
emqx:run_hook('client.check_authz_complete',
[Client, PubSub, Topic, DefaultResult, default]),
?SLOG(info, #{msg => "authorization_failed_nomatch",
emqx:run_hook(
'client.check_authz_complete',
[Client, PubSub, Topic, DefaultResult, default]
),
?SLOG(info, #{
msg => "authorization_failed_nomatch",
username => Username,
ipaddr => IpAddress,
topic => Topic,
reason => "no-match rule"}),
reason => "no-match rule"
}),
emqx_metrics:inc(?METRIC_NOMATCH),
{stop, DefaultResult}
end.
@ -317,8 +324,12 @@ do_authorize(_Client, _PubSub, _Topic, []) ->
nomatch;
do_authorize(Client, PubSub, Topic, [#{enable := false} | Rest]) ->
do_authorize(Client, PubSub, Topic, Rest);
do_authorize(Client, PubSub, Topic,
[Connector = #{type := Type} | Tail] ) ->
do_authorize(
Client,
PubSub,
Topic,
[Connector = #{type := Type} | Tail]
) ->
Module = authz_module(Type),
case Module:authorize(Client, PubSub, Topic, Connector) of
nomatch -> do_authorize(Client, PubSub, Topic, Tail);
@ -329,12 +340,6 @@ do_authorize(Client, PubSub, Topic,
%% Internal function
%%--------------------------------------------------------------------
check_sources(RawSources) ->
Schema = #{roots => emqx_authz_schema:fields("authorization"), fields => #{}},
Conf = #{<<"sources">> => RawSources},
#{sources := Sources} = hocon_tconf:check_plain(Schema, Conf, #{atom_key => true}),
Sources.
take(Type) -> take(Type, lookup()).
%% Take the source of give type, the sources list is split into two parts
@ -350,7 +355,7 @@ take(Type, Sources) ->
find_action_in_hooks() ->
Callbacks = emqx_hooks:lookup('client.authorize'),
[Action] = [Action || {callback,{?MODULE, authorize, _} = Action, _, _} <- Callbacks ],
[Action] = [Action || {callback, {?MODULE, authorize, _} = Action, _, _} <- Callbacks],
Action.
authz_module('built_in_database') ->
@ -393,8 +398,11 @@ acl_conf_file() ->
filename:join([emqx:data_dir(), "authz", "acl.conf"]).
maybe_write_certs(#{<<"type">> := Type} = Source) ->
case emqx_tls_lib:ensure_ssl_files(
ssl_file_path(Type), maps:get(<<"ssl">>, Source, undefined)) of
case
emqx_tls_lib:ensure_ssl_files(
ssl_file_path(Type), maps:get(<<"ssl">>, Source, undefined)
)
of
{ok, SSL} ->
new_ssl_source(Source, SSL);
{error, Reason} ->
@ -409,7 +417,8 @@ clear_certs(OldSource) ->
write_file(Filename, Bytes) ->
ok = filelib:ensure_dir(Filename),
case file:write_file(Filename, Bytes) of
ok -> {ok, iolist_to_binary(Filename)};
ok ->
{ok, iolist_to_binary(Filename)};
{error, Reason} ->
?SLOG(error, #{filename => Filename, msg => "write_file_error", reason => Reason}),
throw(Reason)

686
apps/emqx_authz/src/emqx_authz_api_mnesia.erl
View File

@ -30,25 +30,28 @@
-define(ACL_USERNAME_QSCHEMA, [{<<"like_username">>, binary}]).
-define(ACL_CLIENTID_QSCHEMA, [{<<"like_clientid">>, binary}]).
-export([ api_spec/0
, paths/0
, schema/1
, fields/1
]).
-export([
api_spec/0,
paths/0,
schema/1,
fields/1
]).
%% operation funs
-export([ users/2
, clients/2
, user/2
, client/2
, all/2
, purge/2
]).
-export([
users/2,
clients/2,
user/2,
client/2,
all/2,
purge/2
]).
%% query funs
-export([ query_username/4
, query_clientid/4]).
-export([
query_username/4,
query_clientid/4
]).
-export([format_result/1]).
@ -65,279 +68,399 @@ api_spec() ->
emqx_dashboard_swagger:spec(?MODULE, #{check_schema => true}).
paths() ->
[ "/authorization/sources/built_in_database/username"
, "/authorization/sources/built_in_database/clientid"
, "/authorization/sources/built_in_database/username/:username"
, "/authorization/sources/built_in_database/clientid/:clientid"
, "/authorization/sources/built_in_database/all"
, "/authorization/sources/built_in_database/purge-all"].
[
"/authorization/sources/built_in_database/username",
"/authorization/sources/built_in_database/clientid",
"/authorization/sources/built_in_database/username/:username",
"/authorization/sources/built_in_database/clientid/:clientid",
"/authorization/sources/built_in_database/all",
"/authorization/sources/built_in_database/purge-all"
].
%%--------------------------------------------------------------------
%% Schema for each URI
%%--------------------------------------------------------------------
schema("/authorization/sources/built_in_database/username") ->
#{ 'operationId' => users
, get =>
#{ tags => [<<"authorization">>]
, description => <<"Show the list of record for username">>
, parameters =>
[ ref(emqx_dashboard_swagger, page)
, ref(emqx_dashboard_swagger, limit)
, { like_username
, mk( binary(), #{ in => query
, required => false
, desc => <<"Fuzzy search `username` as substring">>})}
]
, responses =>
#{ 200 => swagger_with_example( {username_response_data, ?TYPE_REF}
, {username, ?PAGE_QUERY_EXAMPLE})
#{
'operationId' => users,
get =>
#{
tags => [<<"authorization">>],
description => <<"Show the list of record for username">>,
parameters =>
[
ref(emqx_dashboard_swagger, page),
ref(emqx_dashboard_swagger, limit),
{like_username,
mk(binary(), #{
in => query,
required => false,
desc => <<"Fuzzy search `username` as substring">>
})}
],
responses =>
#{
200 => swagger_with_example(
{username_response_data, ?TYPE_REF},
{username, ?PAGE_QUERY_EXAMPLE}
)
}
}
, post =>
#{ tags => [<<"authorization">>]
, description => <<"Add new records for username">>
, 'requestBody' => swagger_with_example( {rules_for_username, ?TYPE_ARRAY}
, {username, ?POST_ARRAY_EXAMPLE})
, responses =>
#{ 204 => <<"Created">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad username or bad rule schema">>)
},
post =>
#{
tags => [<<"authorization">>],
description => <<"Add new records for username">>,
'requestBody' => swagger_with_example(
{rules_for_username, ?TYPE_ARRAY},
{username, ?POST_ARRAY_EXAMPLE}
),
responses =>
#{
204 => <<"Created">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad username or bad rule schema">>
)
}
}
};
schema("/authorization/sources/built_in_database/clientid") ->
#{ 'operationId' => clients
, get =>
#{ tags => [<<"authorization">>]
, description => <<"Show the list of record for clientid">>
, parameters =>
[ ref(emqx_dashboard_swagger, page)
, ref(emqx_dashboard_swagger, limit)
, { like_clientid
, mk( binary()
, #{ in => query
, required => false
, desc => <<"Fuzzy search `clientid` as substring">>})
#{
'operationId' => clients,
get =>
#{
tags => [<<"authorization">>],
description => <<"Show the list of record for clientid">>,
parameters =>
[
ref(emqx_dashboard_swagger, page),
ref(emqx_dashboard_swagger, limit),
{like_clientid,
mk(
binary(),
#{
in => query,
required => false,
desc => <<"Fuzzy search `clientid` as substring">>
}
]
, responses =>
#{ 200 => swagger_with_example( {clientid_response_data, ?TYPE_REF}
, {clientid, ?PAGE_QUERY_EXAMPLE})
)}
],
responses =>
#{
200 => swagger_with_example(
{clientid_response_data, ?TYPE_REF},
{clientid, ?PAGE_QUERY_EXAMPLE}
)
}
}
, post =>
#{ tags => [<<"authorization">>]
, description => <<"Add new records for clientid">>
, 'requestBody' => swagger_with_example( {rules_for_clientid, ?TYPE_ARRAY}
, {clientid, ?POST_ARRAY_EXAMPLE})
, responses =>
#{ 204 => <<"Created">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid or bad rule schema">>)
},
post =>
#{
tags => [<<"authorization">>],
description => <<"Add new records for clientid">>,
'requestBody' => swagger_with_example(
{rules_for_clientid, ?TYPE_ARRAY},
{clientid, ?POST_ARRAY_EXAMPLE}
),
responses =>
#{
204 => <<"Created">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid or bad rule schema">>
)
}
}
};
schema("/authorization/sources/built_in_database/username/:username") ->
#{ 'operationId' => user
, get =>
#{ tags => [<<"authorization">>]
, description => <<"Get record info for username">>
, parameters => [ref(username)]
, responses =>
#{ 200 => swagger_with_example( {rules_for_username, ?TYPE_REF}
, {username, ?PUT_MAP_EXAMPLE})
, 404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"Not Found">>)
#{
'operationId' => user,
get =>
#{
tags => [<<"authorization">>],
description => <<"Get record info for username">>,
parameters => [ref(username)],
responses =>
#{
200 => swagger_with_example(
{rules_for_username, ?TYPE_REF},
{username, ?PUT_MAP_EXAMPLE}
),
404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"Not Found">>
)
}
},
put =>
#{
tags => [<<"authorization">>],
description => <<"Set record for username">>,
parameters => [ref(username)],
'requestBody' => swagger_with_example(
{rules_for_username, ?TYPE_REF},
{username, ?PUT_MAP_EXAMPLE}
),
responses =>
#{
204 => <<"Updated">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad username or bad rule schema">>
)
}
, put =>
#{ tags => [<<"authorization">>]
, description => <<"Set record for username">>
, parameters => [ref(username)]
, 'requestBody' => swagger_with_example( {rules_for_username, ?TYPE_REF}
, {username, ?PUT_MAP_EXAMPLE})
, responses =>
#{ 204 => <<"Updated">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad username or bad rule schema">>)
}
}
, delete =>
#{ tags => [<<"authorization">>]
, description => <<"Delete one record for username">>
, parameters => [ref(username)]
, responses =>
#{ 204 => <<"Deleted">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad username">>)
, 404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"Username Not Found">>)
},
delete =>
#{
tags => [<<"authorization">>],
description => <<"Delete one record for username">>,
parameters => [ref(username)],
responses =>
#{
204 => <<"Deleted">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad username">>
),
404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"Username Not Found">>
)
}
}
};
schema("/authorization/sources/built_in_database/clientid/:clientid") ->
#{ 'operationId' => client
, get =>
#{ tags => [<<"authorization">>]
, description => <<"Get record info for clientid">>
, parameters => [ref(clientid)]
, responses =>
#{ 200 => swagger_with_example( {rules_for_clientid, ?TYPE_REF}
, {clientid, ?PUT_MAP_EXAMPLE})
, 404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"Not Found">>)
#{
'operationId' => client,
get =>
#{
tags => [<<"authorization">>],
description => <<"Get record info for clientid">>,
parameters => [ref(clientid)],
responses =>
#{
200 => swagger_with_example(
{rules_for_clientid, ?TYPE_REF},
{clientid, ?PUT_MAP_EXAMPLE}
),
404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"Not Found">>
)
}
},
put =>
#{ tags => [<<"authorization">>]
, description => <<"Set record for clientid">>
, parameters => [ref(clientid)]
, 'requestBody' => swagger_with_example( {rules_for_clientid, ?TYPE_REF}
, {clientid, ?PUT_MAP_EXAMPLE})
, responses =>
#{ 204 => <<"Updated">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid or bad rule schema">>)
#{
tags => [<<"authorization">>],
description => <<"Set record for clientid">>,
parameters => [ref(clientid)],
'requestBody' => swagger_with_example(
{rules_for_clientid, ?TYPE_REF},
{clientid, ?PUT_MAP_EXAMPLE}
),
responses =>
#{
204 => <<"Updated">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid or bad rule schema">>
)
}
}
, delete =>
#{ tags => [<<"authorization">>]
, description => <<"Delete one record for clientid">>
, parameters => [ref(clientid)]
, responses =>
#{ 204 => <<"Deleted">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid">>)
, 404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"ClientID Not Found">>)
},
delete =>
#{
tags => [<<"authorization">>],
description => <<"Delete one record for clientid">>,
parameters => [ref(clientid)],
responses =>
#{
204 => <<"Deleted">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid">>
),
404 => emqx_dashboard_swagger:error_codes(
[?NOT_FOUND], <<"ClientID Not Found">>
)
}
}
};
schema("/authorization/sources/built_in_database/all") ->
#{ 'operationId' => all
, get =>
#{ tags => [<<"authorization">>]
, description => <<"Show the list of rules for all">>
, responses =>
#{
'operationId' => all,
get =>
#{
tags => [<<"authorization">>],
description => <<"Show the list of rules for all">>,
responses =>
#{200 => swagger_with_example({rules, ?TYPE_REF}, {all, ?PUT_MAP_EXAMPLE})}
}
, post =>
#{ tags => [<<"authorization">>]
, description => <<"Create/Update the list of rules for all. "
"Set a empty list to clean up rules">>
, 'requestBody' =>
swagger_with_example({rules, ?TYPE_REF}, {all, ?PUT_MAP_EXAMPLE})
, responses =>
#{ 204 => <<"Updated">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad rule schema">>)
},
post =>
#{
tags => [<<"authorization">>],
description => <<
"Create/Update the list of rules for all. "
"Set a empty list to clean up rules"
>>,
'requestBody' =>
swagger_with_example({rules, ?TYPE_REF}, {all, ?PUT_MAP_EXAMPLE}),
responses =>
#{
204 => <<"Updated">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad rule schema">>
)
}
}
};
schema("/authorization/sources/built_in_database/purge-all") ->
#{ 'operationId' => purge
, delete =>
#{ tags => [<<"authorization">>]
, description => <<"Purge all records">>
, responses =>
#{ 204 => <<"Deleted">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad Request">>)
#{
'operationId' => purge,
delete =>
#{
tags => [<<"authorization">>],
description => <<"Purge all records">>,
responses =>
#{
204 => <<"Deleted">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad Request">>
)
}
}
}.
fields(rule_item) ->
[ {topic, mk(string(),
#{ required => true
, desc => <<"Rule on specific topic">>
, example => <<"test/topic/1">>
})}
, {permission, mk(enum([allow, deny]),
#{ desc => <<"Permission">>
, required => true
, example => allow
})}
, {action, mk(enum([publish, subscribe, all]),
#{ required => true
, example => publish
, desc => <<"Authorized action">>
})}
[
{topic,
mk(
string(),
#{
required => true,
desc => <<"Rule on specific topic">>,
example => <<"test/topic/1">>
}
)},
{permission,
mk(
enum([allow, deny]),
#{
desc => <<"Permission">>,
required => true,
example => allow
}
)},
{action,
mk(
enum([publish, subscribe, all]),
#{
required => true,
example => publish,
desc => <<"Authorized action">>
}
)}
];
fields(clientid) ->
[ {clientid, mk(binary(),
#{ in => path
, required => true
, desc => <<"ClientID">>
, example => <<"client1">>
})}
[
{clientid,
mk(
binary(),
#{
in => path,
required => true,
desc => <<"ClientID">>,
example => <<"client1">>
}
)}
];
fields(username) ->
[ {username, mk(binary(),
#{ in => path
, required => true
, desc => <<"Username">>
, example => <<"user1">>})}
[
{username,
mk(
binary(),
#{
in => path,
required => true,
desc => <<"Username">>,
example => <<"user1">>
}
)}
];
fields(rules_for_username) ->
fields(rules)
++ fields(username);
fields(rules) ++
fields(username);
fields(username_response_data) ->
[ {data, mk(array(ref(rules_for_username)), #{})}
, {meta, ref(meta)}
[
{data, mk(array(ref(rules_for_username)), #{})},
{meta, ref(meta)}
];
fields(rules_for_clientid) ->
fields(rules)
++ fields(clientid);
fields(rules) ++
fields(clientid);
fields(clientid_response_data) ->
[ {data, mk(array(ref(rules_for_clientid)), #{})}
, {meta, ref(meta)}
[
{data, mk(array(ref(rules_for_clientid)), #{})},
{meta, ref(meta)}
];
fields(rules) ->
[{rules, mk(array(ref(rule_item)))}];
fields(meta) ->
emqx_dashboard_swagger:fields(page)
++ emqx_dashboard_swagger:fields(limit)
++ [{count, mk(integer(), #{example => 1})}].
emqx_dashboard_swagger:fields(page) ++
emqx_dashboard_swagger:fields(limit) ++
[{count, mk(integer(), #{example => 1})}].
%%--------------------------------------------------------------------
%% HTTP API
%%--------------------------------------------------------------------
users(get, #{query_string := QueryString}) ->
Response = emqx_mgmt_api:node_query(node(), QueryString,
?ACL_TABLE, ?ACL_USERNAME_QSCHEMA, ?QUERY_USERNAME_FUN),
Response = emqx_mgmt_api:node_query(
node(),
QueryString,
?ACL_TABLE,
?ACL_USERNAME_QSCHEMA,
?QUERY_USERNAME_FUN
),
emqx_mgmt_util:generate_response(Response);
users(post, #{body := Body}) when is_list(Body) ->
lists:foreach(fun(#{<<"username">> := Username, <<"rules">> := Rules}) ->
lists:foreach(
fun(#{<<"username">> := Username, <<"rules">> := Rules}) ->
emqx_authz_mnesia:store_rules({username, Username}, format_rules(Rules))
end, Body),
end,
Body
),
{204}.
clients(get, #{query_string := QueryString}) ->
Response = emqx_mgmt_api:node_query(node(), QueryString,
?ACL_TABLE, ?ACL_CLIENTID_QSCHEMA, ?QUERY_CLIENTID_FUN),
Response = emqx_mgmt_api:node_query(
node(),
QueryString,
?ACL_TABLE,
?ACL_CLIENTID_QSCHEMA,
?QUERY_CLIENTID_FUN
),
emqx_mgmt_util:generate_response(Response);
clients(post, #{body := Body}) when is_list(Body) ->
lists:foreach(fun(#{<<"clientid">> := ClientID, <<"rules">> := Rules}) ->
lists:foreach(
fun(#{<<"clientid">> := ClientID, <<"rules">> := Rules}) ->
emqx_authz_mnesia:store_rules({clientid, ClientID}, format_rules(Rules))
end, Body),
end,
Body
),
{204}.
user(get, #{bindings := #{username := Username}}) ->
case emqx_authz_mnesia:get_rules({username, Username}) of
not_found -> {404, #{code => <<"NOT_FOUND">>, message => <<"Not Found">>}};
not_found ->
{404, #{code => <<"NOT_FOUND">>, message => <<"Not Found">>}};
{ok, Rules} ->
{200, #{username => Username,
rules => [ #{topic => Topic,
{200, #{
username => Username,
rules => [
#{
topic => Topic,
action => Action,
permission => Permission
} || {Permission, Action, Topic} <- Rules]}
}
|| {Permission, Action, Topic} <- Rules
]
}}
end;
user(put, #{bindings := #{username := Username},
body := #{<<"username">> := Username, <<"rules">> := Rules}}) ->
user(put, #{
bindings := #{username := Username},
body := #{<<"username">> := Username, <<"rules">> := Rules}
}) ->
emqx_authz_mnesia:store_rules({username, Username}, format_rules(Rules)),
{204};
user(delete, #{bindings := #{username := Username}}) ->
@ -351,17 +474,25 @@ user(delete, #{bindings := #{username := Username}}) ->
client(get, #{bindings := #{clientid := ClientID}}) ->
case emqx_authz_mnesia:get_rules({clientid, ClientID}) of
not_found -> {404, #{code => <<"NOT_FOUND">>, message => <<"Not Found">>}};
not_found ->
{404, #{code => <<"NOT_FOUND">>, message => <<"Not Found">>}};
{ok, Rules} ->
{200, #{clientid => ClientID,
rules => [ #{topic => Topic,
{200, #{
clientid => ClientID,
rules => [
#{
topic => Topic,
action => Action,
permission => Permission
} || {Permission, Action, Topic} <- Rules]}
}
|| {Permission, Action, Topic} <- Rules
]
}}
end;
client(put, #{bindings := #{clientid := ClientID},
body := #{<<"clientid">> := ClientID, <<"rules">> := Rules}}) ->
client(put, #{
bindings := #{clientid := ClientID},
body := #{<<"clientid">> := ClientID, <<"rules">> := Rules}
}) ->
emqx_authz_mnesia:store_rules({clientid, ClientID}, format_rules(Rules)),
{204};
client(delete, #{bindings := #{clientid := ClientID}}) ->
@ -378,11 +509,16 @@ all(get, _) ->
not_found ->
{200, #{rules => []}};
{ok, Rules} ->
{200, #{rules => [ #{topic => Topic,
{200, #{
rules => [
#{
topic => Topic,
action => Action,
permission => Permission
} || {Permission, Action, Topic} <- Rules]}
}
|| {Permission, Action, Topic} <- Rules
]
}}
end;
all(post, #{body := #{<<"rules">> := Rules}}) ->
emqx_authz_mnesia:store_rules(all, format_rules(Rules)),
@ -394,11 +530,14 @@ purge(delete, _) ->
ok = emqx_authz_mnesia:purge_rules(),
{204};
[#{<<"enable">> := true}] ->
{400, #{code => <<"BAD_REQUEST">>,
{400, #{
code => <<"BAD_REQUEST">>,
message =>
<<"'built_in_database' type source must be disabled before purge.">>}};
<<"'built_in_database' type source must be disabled before purge.">>
}};
[] ->
{404, #{code => <<"BAD_REQUEST">>,
{404, #{
code => <<"BAD_REQUEST">>,
message => <<"'built_in_database' type source is not found.">>
}}
end.
@ -408,25 +547,43 @@ purge(delete, _) ->
query_username(Tab, {_QString, []}, Continuation, Limit) ->
Ms = emqx_authz_mnesia:list_username_rules(),
emqx_mgmt_api:select_table_with_count(Tab, Ms, Continuation, Limit,
fun format_result/1);
emqx_mgmt_api:select_table_with_count(
Tab,
Ms,
Continuation,
Limit,
fun format_result/1
);
query_username(Tab, {_QString, FuzzyQString}, Continuation, Limit) ->
Ms = emqx_authz_mnesia:list_username_rules(),
FuzzyFilterFun = fuzzy_filter_fun(FuzzyQString),
emqx_mgmt_api:select_table_with_count(Tab, {Ms, FuzzyFilterFun}, Continuation, Limit,
fun format_result/1).
emqx_mgmt_api:select_table_with_count(
Tab,
{Ms, FuzzyFilterFun},
Continuation,
Limit,
fun format_result/1
).
query_clientid(Tab, {_QString, []}, Continuation, Limit) ->
Ms = emqx_authz_mnesia:list_clientid_rules(),
emqx_mgmt_api:select_table_with_count(Tab, Ms, Continuation, Limit,
fun format_result/1);
emqx_mgmt_api:select_table_with_count(
Tab,
Ms,
Continuation,
Limit,
fun format_result/1
);
query_clientid(Tab, {_QString, FuzzyQString}, Continuation, Limit) ->
Ms = emqx_authz_mnesia:list_clientid_rules(),
FuzzyFilterFun = fuzzy_filter_fun(FuzzyQString),
emqx_mgmt_api:select_table_with_count(Tab, {Ms, FuzzyFilterFun}, Continuation, Limit,
fun format_result/1).
emqx_mgmt_api:select_table_with_count(
Tab,
{Ms, FuzzyFilterFun},
Continuation,
Limit,
fun format_result/1
).
%%--------------------------------------------------------------------
%% Match funcs
@ -434,17 +591,23 @@ query_clientid(Tab, {_QString, FuzzyQString}, Continuation, Limit) ->
%% Fuzzy username funcs
fuzzy_filter_fun(Fuzzy) ->
fun(MsRaws) when is_list(MsRaws) ->
lists:filter( fun(E) -> run_fuzzy_filter(E, Fuzzy) end
, MsRaws)
lists:filter(
fun(E) -> run_fuzzy_filter(E, Fuzzy) end,
MsRaws
)
end.
run_fuzzy_filter(_, []) ->
true;
run_fuzzy_filter( E = [{username, Username}, _Rule]
, [{username, like, UsernameSubStr} | Fuzzy]) ->
run_fuzzy_filter(
E = [{username, Username}, _Rule],
[{username, like, UsernameSubStr} | Fuzzy]
) ->
binary:match(Username, UsernameSubStr) /= nomatch andalso run_fuzzy_filter(E, Fuzzy);
run_fuzzy_filter( E = [{clientid, ClientId}, _Rule]
, [{clientid, like, ClientIdSubStr} | Fuzzy]) ->
run_fuzzy_filter(
E = [{clientid, ClientId}, _Rule],
[{clientid, like, ClientIdSubStr} | Fuzzy]
) ->
binary:match(ClientId, ClientIdSubStr) /= nomatch andalso run_fuzzy_filter(E, Fuzzy).
%%--------------------------------------------------------------------
@ -452,31 +615,52 @@ run_fuzzy_filter( E = [{clientid, ClientId}, _Rule]
%% format rule from api
format_rules(Rules) when is_list(Rules) ->
lists:foldl(fun(#{<<"topic">> := Topic,
lists:foldl(
fun(
#{
<<"topic">> := Topic,
<<"action">> := Action,
<<"permission">> := Permission
}, AccIn) when ?PUBSUB(Action)
andalso ?ALLOW_DENY(Permission) ->
AccIn ++ [{ atom(Permission), atom(Action), Topic }]
end, [], Rules).
},
AccIn
) when
?PUBSUB(Action) andalso
?ALLOW_DENY(Permission)
->
AccIn ++ [{atom(Permission), atom(Action), Topic}]
end,
[],
Rules
).
%% format result from mnesia tab
format_result([{username, Username}, {rules, Rules}]) ->
#{username => Username,
rules => [ #{topic => Topic,
#{
username => Username,
rules => [
#{
topic => Topic,
action => Action,
permission => Permission
} || {Permission, Action, Topic} <- Rules]
}
|| {Permission, Action, Topic} <- Rules
]
};
format_result([{clientid, ClientID}, {rules, Rules}]) ->
#{clientid => ClientID,
rules => [ #{topic => Topic,
#{
clientid => ClientID,
rules => [
#{
topic => Topic,
action => Action,
permission => Permission
} || {Permission, Action, Topic} <- Rules]
}
|| {Permission, Action, Topic} <- Rules
]
}.
atom(B) when is_binary(B) ->
try binary_to_existing_atom(B, utf8)
try
binary_to_existing_atom(B, utf8)
catch
_Error:_Expection -> binary_to_atom(B)
end;
@ -492,7 +676,8 @@ swagger_with_example({Ref, TypeP}, {_Name, _Type} = Example) ->
?TYPE_REF -> ref(?MODULE, Ref);
?TYPE_ARRAY -> array(ref(?MODULE, Ref))
end,
rules_example(Example)).
rules_example(Example)
).
rules_example({ExampleName, ExampleType}) ->
{Summary, Example} =
@ -503,7 +688,8 @@ rules_example({ExampleName, ExampleType}) ->
end,
Value =
case ExampleType of
?PAGE_QUERY_EXAMPLE -> #{
?PAGE_QUERY_EXAMPLE ->
#{
data => [Example],
meta => ?META_EXAMPLE
};

190
apps/emqx_authz/src/emqx_authz_api_schema.erl
View File

@ -25,58 +25,77 @@
-export([fields/1, authz_sources_types/1]).
fields(http) ->
authz_common_fields(http)
++ [ {url, fun url/1}
, {method, #{ type => enum([get, post])
, default => get}}
, {headers, fun headers/1}
, {body, map([{fuzzy, term(), binary()}])}
, {request_timeout, mk_duration("Request timeout", #{default => "30s"})}]
++ maps:to_list(maps:without([ base_url
, pool_type],
maps:from_list(emqx_connector_http:fields(config))));
authz_common_fields(http) ++
[
{url, fun url/1},
{method, #{
type => enum([get, post]),
default => get
}},
{headers, fun headers/1},
{body, map([{fuzzy, term(), binary()}])},
{request_timeout, mk_duration("Request timeout", #{default => "30s"})}
] ++
maps:to_list(
maps:without(
[
base_url,
pool_type
],
maps:from_list(emqx_connector_http:fields(config))
)
);
fields('built_in_database') ->
authz_common_fields('built_in_database');
fields(mongo_single) ->
authz_mongo_common_fields()
++ emqx_connector_mongo:fields(single);
authz_mongo_common_fields() ++
emqx_connector_mongo:fields(single);
fields(mongo_rs) ->
authz_mongo_common_fields()
++ emqx_connector_mongo:fields(rs);
authz_mongo_common_fields() ++
emqx_connector_mongo:fields(rs);
fields(mongo_sharded) ->
authz_mongo_common_fields()
++ emqx_connector_mongo:fields(sharded);
authz_mongo_common_fields() ++
emqx_connector_mongo:fields(sharded);
fields(mysql) ->
authz_common_fields(mysql)
++ [ {query, #{type => binary()}}]
++ emqx_connector_mysql:fields(config);
authz_common_fields(mysql) ++
[{query, #{type => binary()}}] ++
emqx_connector_mysql:fields(config);
fields(postgresql) ->
authz_common_fields(postgresql)
++ [ {query, #{type => binary()}}]
++ proplists:delete(named_queries, emqx_connector_pgsql:fields(config));
authz_common_fields(postgresql) ++
[{query, #{type => binary()}}] ++
proplists:delete(named_queries, emqx_connector_pgsql:fields(config));
fields(redis_single) ->
authz_redis_common_fields()
++ emqx_connector_redis:fields(single);
authz_redis_common_fields() ++
emqx_connector_redis:fields(single);
fields(redis_sentinel) ->
authz_redis_common_fields()
++ emqx_connector_redis:fields(sentinel);
authz_redis_common_fields() ++
emqx_connector_redis:fields(sentinel);
fields(redis_cluster) ->
authz_redis_common_fields()
++ emqx_connector_redis:fields(cluster);
authz_redis_common_fields() ++
emqx_connector_redis:fields(cluster);
fields(file) ->
authz_common_fields(file)
++ [ { rules, #{ type => binary()
, required => true
, example =>
<<"{allow,{username,\"^dashboard?\"},","subscribe,[\"$SYS/#\"]}.\n",
"{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}.">>}}
authz_common_fields(file) ++
[
{rules, #{
type => binary(),
required => true,
example =>
<<"{allow,{username,\"^dashboard?\"},", "subscribe,[\"$SYS/#\"]}.\n",
"{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}.">>
}}
];
fields(position) ->
[ { position
, mk( string()
, #{ desc => <<"Where to place the source">>
, required => true
, in => body})}].
[
{position,
mk(
string(),
#{
desc => <<"Where to place the source">>,
required => true,
in => body
}
)}
].
%%------------------------------------------------------------------------------
%% http type funcs
@ -86,40 +105,51 @@ url(validator) -> [?NOT_EMPTY("the value of the field 'url' cannot be empty")];
url(required) -> true;
url(_) -> undefined.
headers(type) -> map();
headers(type) ->
map();
headers(converter) ->
fun(Headers) ->
maps:merge(default_headers(), transform_header_name(Headers))
end;
headers(default) -> default_headers();
headers(_) -> undefined.
headers(default) ->
default_headers();
headers(_) ->
undefined.
%% headers
default_headers() ->
maps:put(<<"content-type">>,
maps:put(
<<"content-type">>,
<<"application/json">>,
default_headers_no_content_type()).
default_headers_no_content_type()
).
default_headers_no_content_type() ->
#{ <<"accept">> => <<"application/json">>
, <<"cache-control">> => <<"no-cache">>
, <<"connection">> => <<"keep-alive">>
, <<"keep-alive">> => <<"timeout=30, max=1000">>
#{
<<"accept">> => <<"application/json">>,
<<"cache-control">> => <<"no-cache">>,
<<"connection">> => <<"keep-alive">>,
<<"keep-alive">> => <<"timeout=30, max=1000">>
}.
transform_header_name(Headers) ->
maps:fold(fun(K0, V, Acc) ->
maps:fold(
fun(K0, V, Acc) ->
K = list_to_binary(string:to_lower(to_list(K0))),
maps:put(K, V, Acc)
end, #{}, Headers).
end,
#{},
Headers
).
%%------------------------------------------------------------------------------
%% MonogDB type funcs
authz_mongo_common_fields() ->
authz_common_fields(mongodb) ++
[ {collection, fun collection/1}
, {selector, fun selector/1}
[
{collection, fun collection/1},
{selector, fun selector/1}
].
collection(type) -> binary();
@ -133,19 +163,24 @@ selector(_) -> undefined.
authz_redis_common_fields() ->
authz_common_fields(redis) ++
[ {cmd, #{ type => binary()
, example => <<"HGETALL mqtt_authz">>}}].
[
{cmd, #{
type => binary(),
example => <<"HGETALL mqtt_authz">>
}}
].
%%------------------------------------------------------------------------------
%% Authz api type funcs
authz_common_fields(Type) when is_atom(Type)->
[ {enable, fun enable/1}
, {type, #{ type => enum([Type])
, default => Type
, in => body
}
}
authz_common_fields(Type) when is_atom(Type) ->
[
{enable, fun enable/1},
{type, #{
type => enum([Type]),
default => Type,
in => body
}}
].
enable(type) -> boolean();
@ -158,20 +193,25 @@ enable(_) -> undefined.
authz_sources_types(Type) ->
case Type of
simple -> [mongodb, redis];
detailed -> [ mongo_single
, mongo_rs
, mongo_sharded
, redis_single
, redis_sentinel
, redis_cluster]
end
++
[ http
, 'built_in_database'
, mysql
, postgresql
, file].
simple ->
[mongodb, redis];
detailed ->
[
mongo_single,
mongo_rs,
mongo_sharded,
redis_single,
redis_sentinel,
redis_cluster
]
end ++
[
http,
'built_in_database',
mysql,
postgresql,
file
].
to_list(A) when is_atom(A) ->
atom_to_list(A);

46
apps/emqx_authz/src/emqx_authz_api_settings.erl
View File

@ -20,10 +20,11 @@
-import(hoconsc, [mk/1, ref/2]).
-export([ api_spec/0
, paths/0
, schema/1
]).
-export([
api_spec/0,
paths/0,
schema/1
]).
-export([settings/2]).
@ -40,18 +41,23 @@ paths() ->
%%--------------------------------------------------------------------
schema("/authorization/settings") ->
#{ 'operationId' => settings
, get =>
#{ description => <<"Get authorization settings">>
, responses =>
#{
'operationId' => settings,
get =>
#{
description => <<"Get authorization settings">>,
responses =>
#{200 => ref_authz_schema()}
},
put =>
#{
description => <<"Update authorization settings">>,
'requestBody' => ref_authz_schema(),
responses =>
#{
200 => ref_authz_schema(),
400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>)
}
, put =>
#{ description => <<"Update authorization settings">>
, 'requestBody' => ref_authz_schema()
, responses =>
#{ 200 => ref_authz_schema()
, 400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>)}
}
}.
@ -60,13 +66,17 @@ ref_authz_schema() ->
settings(get, _Params) ->
{200, authorization_settings()};
settings(put, #{body := #{<<"no_match">> := NoMatch,
settings(put, #{
body := #{
<<"no_match">> := NoMatch,
<<"deny_action">> := DenyAction,
<<"cache">> := Cache}}) ->
<<"cache">> := Cache
}
}) ->
{ok, _} = emqx_authz_utils:update_config([authorization, no_match], NoMatch),
{ok, _} = emqx_authz_utils:update_config(
[authorization, deny_action], DenyAction),
[authorization, deny_action], DenyAction
),
{ok, _} = emqx_authz_utils:update_config([authorization, cache], Cache),
ok = emqx_authz_cache:drain_cache(),
{200, authorization_settings()}.

499
apps/emqx_authz/src/emqx_authz_api_sources.erl
View File

@ -29,224 +29,292 @@
-define(API_SCHEMA_MODULE, emqx_authz_api_schema).
-export([ get_raw_sources/0
, get_raw_source/1
, source_status/2
, lookup_from_local_node/1
, lookup_from_all_nodes/1
]).
-export([
get_raw_sources/0,
get_raw_source/1,
source_status/2,
lookup_from_local_node/1,
lookup_from_all_nodes/1
]).
-export([ api_spec/0
, paths/0
, schema/1
]).
-export([
api_spec/0,
paths/0,
schema/1
]).
-export([ sources/2
, source/2
, move_source/2
]).
-export([
sources/2,
source/2,
move_source/2
]).
api_spec() ->
emqx_dashboard_swagger:spec(?MODULE, #{check_schema => true}).
paths() ->
[ "/authorization/sources"
, "/authorization/sources/:type"
, "/authorization/sources/:type/status"
, "/authorization/sources/:type/move"].
[
"/authorization/sources",
"/authorization/sources/:type",
"/authorization/sources/:type/status",
"/authorization/sources/:type/move"
].
%%--------------------------------------------------------------------
%% Schema for each URI
%%--------------------------------------------------------------------
schema("/authorization/sources") ->
#{ 'operationId' => sources
, get =>
#{ description => <<"List all authorization sources">>
, responses =>
#{ 200 => mk( array(hoconsc:union(authz_sources_type_refs()))
, #{desc => <<"Authorization source">>})
#{
'operationId' => sources,
get =>
#{
description => <<"List all authorization sources">>,
responses =>
#{
200 => mk(
array(hoconsc:union(authz_sources_type_refs())),
#{desc => <<"Authorization source">>}
)
}
}
, post =>
#{ description => <<"Add a new source">>
, 'requestBody' => mk( hoconsc:union(authz_sources_type_refs())
, #{desc => <<"Source config">>})
, responses =>
#{ 204 => <<"Authorization source created successfully">>
, 400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST],
<<"Bad Request">>)
},
post =>
#{
description => <<"Add a new source">>,
'requestBody' => mk(
hoconsc:union(authz_sources_type_refs()),
#{desc => <<"Source config">>}
),
responses =>
#{
204 => <<"Authorization source created successfully">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST],
<<"Bad Request">>
)
}
}
};
schema("/authorization/sources/:type") ->
#{ 'operationId' => source
, get =>
#{ description => <<"Get a authorization source">>
, parameters => parameters_field()
, responses =>
#{ 200 => mk( hoconsc:union(authz_sources_type_refs())
, #{desc => <<"Authorization source">>})
, 404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>)
#{
'operationId' => source,
get =>
#{
description => <<"Get a authorization source">>,
parameters => parameters_field(),
responses =>
#{
200 => mk(
hoconsc:union(authz_sources_type_refs()),
#{desc => <<"Authorization source">>}
),
404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>)
}
},
put =>
#{
description => <<"Update source">>,
parameters => parameters_field(),
'requestBody' => mk(hoconsc:union(authz_sources_type_refs())),
responses =>
#{
204 => <<"Authorization source updated successfully">>,
400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>)
}
, put =>
#{ description => <<"Update source">>
, parameters => parameters_field()
, 'requestBody' => mk(hoconsc:union(authz_sources_type_refs()))
, responses =>
#{ 204 => <<"Authorization source updated successfully">>
, 400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>)
}
}
, delete =>
#{ description => <<"Delete source">>
, parameters => parameters_field()
, responses =>
#{ 204 => <<"Deleted successfully">>
, 400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>)
},
delete =>
#{
description => <<"Delete source">>,
parameters => parameters_field(),
responses =>
#{
204 => <<"Deleted successfully">>,
400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>)
}
}
};
schema("/authorization/sources/:type/status") ->
#{ 'operationId' => source_status
, get =>
#{ description => <<"Get a authorization source">>
, parameters => parameters_field()
, responses =>
#{ 200 => emqx_dashboard_swagger:schema_with_examples(
#{
'operationId' => source_status,
get =>
#{
description => <<"Get a authorization source">>,
parameters => parameters_field(),
responses =>
#{
200 => emqx_dashboard_swagger:schema_with_examples(
hoconsc:ref(emqx_authn_schema, "metrics_status_fields"),
status_metrics_example())
, 400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad request">>)
, 404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>)
status_metrics_example()
),
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad request">>
),
404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>)
}
}
};
schema("/authorization/sources/:type/move") ->
#{ 'operationId' => move_source
, post =>
#{ description => <<"Change the order of sources">>
, parameters => parameters_field()
, 'requestBody' =>
#{
'operationId' => move_source,
post =>
#{
description => <<"Change the order of sources">>,
parameters => parameters_field(),
'requestBody' =>
emqx_dashboard_swagger:schema_with_examples(
ref(?API_SCHEMA_MODULE, position),
position_example())
, responses =>
#{ 204 => <<"No Content">>
, 400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>)
, 404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>)
position_example()
),
responses =>
#{
204 => <<"No Content">>,
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad Request">>
),
404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>)
}
}
}.
%%--------------------------------------------------------------------
%% Operation functions
%%--------------------------------------------------------------------
sources(Method, #{bindings := #{type := Type} = Bindings } = Req)
when is_atom(Type) ->
sources(Method, #{bindings := #{type := Type} = Bindings} = Req) when
is_atom(Type)
->
sources(Method, Req#{bindings => Bindings#{type => atom_to_binary(Type, utf8)}});
sources(get, _) ->
Sources = lists:foldl(fun (#{<<"type">> := <<"file">>,
<<"enable">> := Enable, <<"path">> := Path}, AccIn) ->
Sources = lists:foldl(
fun
(
#{
<<"type">> := <<"file">>,
<<"enable">> := Enable,
<<"path">> := Path
},
AccIn
) ->
case file:read_file(Path) of
{ok, Rules} ->
lists:append(AccIn, [#{type => file,
lists:append(AccIn, [
#{
type => file,
enable => Enable,
rules => Rules
}]);
}
]);
{error, _} ->
lists:append(AccIn, [#{type => file,
lists:append(AccIn, [
#{
type => file,
enable => Enable,
rules => <<"">>
}])
}
])
end;
(Source, AccIn) ->
lists:append(AccIn, [read_certs(Source)])
end, [], get_raw_sources()),
end,
[],
get_raw_sources()
),
{200, #{sources => Sources}};
sources(post, #{body := #{<<"type">> := <<"file">>} = Body}) ->
create_authz_file(Body);
sources(post, #{body := Body}) ->
update_config(?CMD_PREPEND, Body).
source(Method, #{bindings := #{type := Type} = Bindings } = Req)
when is_atom(Type) ->
source(Method, #{bindings := #{type := Type} = Bindings} = Req) when
is_atom(Type)
->
source(Method, Req#{bindings => Bindings#{type => atom_to_binary(Type, utf8)}});
source(get, #{bindings := #{type := Type}}) ->
case get_raw_source(Type) of
[] -> {404, #{message => <<"Not found ", Type/binary>>}};
[] ->
{404, #{message => <<"Not found ", Type/binary>>}};
[#{<<"type">> := <<"file">>, <<"enable">> := Enable, <<"path">> := Path}] ->
case file:read_file(Path) of
{ok, Rules} ->
{200, #{type => file,
{200, #{
type => file,
enable => Enable,
rules => Rules
}
};
}};
{error, Reason} ->
{500, #{code => <<"INTERNAL_ERROR">>,
message => bin(Reason)}}
{500, #{
code => <<"INTERNAL_ERROR">>,
message => bin(Reason)
}}
end;
[Source] -> {200, read_certs(Source)}
[Source] ->
{200, read_certs(Source)}
end;
source(put, #{bindings := #{type := <<"file">>}, body := #{<<"type">> := <<"file">>} = Body}) ->
update_authz_file(Body);
source(put, #{bindings := #{type := Type}, body := Body}) ->
case emqx_authz:update({?CMD_REPLACE, Type}, Body) of
{ok, _} -> {204};
{error, {emqx_conf_schema, _}} ->
{400, #{code => <<"BAD_REQUEST">>,
message => <<"BAD_SCHEMA">>}};
{error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>,
message => bin(Reason)}}
end;
update_config({?CMD_REPLACE, Type}, Body);
source(delete, #{bindings := #{type := Type}}) ->
update_config({?CMD_DELETE, Type}, #{}).
source_status(get, #{bindings := #{type := Type}}) ->
BinType = atom_to_binary(Type, utf8),
case get_raw_source(BinType) of
[] -> {404, #{code => <<"NOT_FOUND">>,
message => <<"Not found", BinType/binary>>}};
[] ->
{404, #{
code => <<"NOT_FOUND">>,
message => <<"Not found", BinType/binary>>
}};
[#{<<"type">> := <<"file">>}] ->
{400, #{code => <<"BAD_REQUEST">>,
message => <<"Not Support Status">>}};
{400, #{
code => <<"BAD_REQUEST">>,
message => <<"Not Support Status">>
}};
[_] ->
case emqx_authz:lookup(Type) of
#{annotations := #{id := ResourceId }} -> lookup_from_all_nodes(ResourceId);
#{annotations := #{id := ResourceId}} -> lookup_from_all_nodes(ResourceId);
_ -> {400, #{code => <<"BAD_REQUEST">>, message => <<"Resource Disable">>}}
end
end.
move_source(Method, #{bindings := #{type := Type} = Bindings } = Req)
when is_atom(Type) ->
move_source(Method, #{bindings := #{type := Type} = Bindings} = Req) when
is_atom(Type)
->
move_source(Method, Req#{bindings => Bindings#{type => atom_to_binary(Type, utf8)}});
move_source(post, #{bindings := #{type := Type}, body := #{<<"position">> := Position}}) ->
case parse_position(Position) of
{ok, NPosition} ->
try emqx_authz:move(Type, NPosition) of
{ok, _} -> {204};
{ok, _} ->
{204};
{error, {not_found_source, _Type}} ->
{404, #{code => <<"NOT_FOUND">>,
message => <<"source ", Type/binary, " not found">>}};
{404, #{
code => <<"NOT_FOUND">>,
message => <<"source ", Type/binary, " not found">>
}};
{error, {emqx_conf_schema, _}} ->
{400, #{code => <<"BAD_REQUEST">>,
message => <<"BAD_SCHEMA">>}};
{400, #{
code => <<"BAD_REQUEST">>,
message => <<"BAD_SCHEMA">>
}};
{error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>,
message => bin(Reason)}}
{400, #{
code => <<"BAD_REQUEST">>,
message => bin(Reason)
}}
catch
error : {unknown_authz_source_type, Unknown} ->
error:{unknown_authz_source_type, Unknown} ->
NUnknown = bin(Unknown),
{400, #{code => <<"BAD_REQUEST">>,
message => <<"Unknown authz Source Type: ", NUnknown/binary>>}}
{400, #{
code => <<"BAD_REQUEST">>,
message => <<"Unknown authz Source Type: ", NUnknown/binary>>
}}
end;
{error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>,
message => bin(Reason)}}
{400, #{
code => <<"BAD_REQUEST">>,
message => bin(Reason)
}}
end.
%%--------------------------------------------------------------------
@ -257,8 +325,7 @@ lookup_from_local_node(ResourceId) ->
NodeId = node(self()),
case emqx_resource:get_instance(ResourceId) of
{error, not_found} -> {error, {NodeId, not_found_resource}};
{ok, _, #{ status := Status, metrics := Metrics }} ->
{ok, {NodeId, Status, Metrics}}
{ok, _, #{status := Status, metrics := Metrics}} -> {ok, {NodeId, Status, Metrics}}
end.
lookup_from_all_nodes(ResourceId) ->
@ -268,35 +335,43 @@ lookup_from_all_nodes(ResourceId) ->
{StatusMap, MetricsMap, _} = make_result_map(ResList),
AggregateStatus = aggregate_status(maps:values(StatusMap)),
AggregateMetrics = aggregate_metrics(maps:values(MetricsMap)),
Fun = fun (_, V1) -> restructure_map(V1) end,
MKMap = fun (Name) -> fun ({Key, Val}) -> #{ node => Key, Name => Val } end end,
HelpFun = fun (M, Name) -> lists:map(MKMap(Name), maps:to_list(M)) end,
Fun = fun(_, V1) -> restructure_map(V1) end,
MKMap = fun(Name) -> fun({Key, Val}) -> #{node => Key, Name => Val} end end,
HelpFun = fun(M, Name) -> lists:map(MKMap(Name), maps:to_list(M)) end,
case AggregateStatus of
empty_metrics_and_status -> {400, #{code => <<"BAD_REQUEST">>,
message => <<"Resource Not Support Status">>}};
_ -> {200, #{node_status => HelpFun(StatusMap, status),
empty_metrics_and_status ->
{400, #{
code => <<"BAD_REQUEST">>,
message => <<"Resource Not Support Status">>
}};
_ ->
{200, #{
node_status => HelpFun(StatusMap, status),
node_metrics => HelpFun(maps:map(Fun, MetricsMap), metrics),
status => AggregateStatus,
metrics => restructure_map(AggregateMetrics)
}
}
}}
end;
{error, ErrL} ->
{500, #{code => <<"INTERNAL_ERROR">>,
message => bin_t(io_lib:format("~p", [ErrL]))}}
{500, #{
code => <<"INTERNAL_ERROR">>,
message => bin_t(io_lib:format("~p", [ErrL]))
}}
end.
aggregate_status([]) -> empty_metrics_and_status;
aggregate_status([]) ->
empty_metrics_and_status;
aggregate_status(AllStatus) ->
Head = fun ([A | _]) -> A end,
Head = fun([A | _]) -> A end,
HeadVal = Head(AllStatus),
AllRes = lists:all(fun (Val) -> Val == HeadVal end, AllStatus),
AllRes = lists:all(fun(Val) -> Val == HeadVal end, AllStatus),
case AllRes of
true -> HeadVal;
false -> inconsistent
end.
aggregate_metrics([]) -> empty_metrics_and_status;
aggregate_metrics([]) ->
empty_metrics_and_status;
aggregate_metrics([HeadMetrics | AllMetrics]) ->
CombinerFun =
fun ComFun(Val1, Val2) ->
@ -305,8 +380,9 @@ aggregate_metrics([HeadMetrics | AllMetrics]) ->
false -> Val1 + Val2
end
end,
Fun = fun (ElemMap, AccMap) ->
emqx_map_lib:merge_with(CombinerFun, ElemMap, AccMap) end,
Fun = fun(ElemMap, AccMap) ->
emqx_map_lib:merge_with(CombinerFun, ElemMap, AccMap)
end,
lists:foldl(Fun, HeadMetrics, AllMetrics).
make_result_map(ResList) ->
@ -314,25 +390,23 @@ make_result_map(ResList) ->
fun(Elem, {StatusMap, MetricsMap, ErrorMap}) ->
case Elem of
{ok, {NodeId, Status, Metrics}} ->
{maps:put(NodeId, Status, StatusMap),
{
maps:put(NodeId, Status, StatusMap),
maps:put(NodeId, Metrics, MetricsMap),
ErrorMap
};
{error, {NodeId, Reason}} ->
{StatusMap,
MetricsMap,
maps:put(NodeId, Reason, ErrorMap)
}
{StatusMap, MetricsMap, maps:put(NodeId, Reason, ErrorMap)}
end
end,
lists:foldl(Fun, {maps:new(), maps:new(), maps:new()}, ResList).
restructure_map(#{counters := #{failed := Failed, matched := Match, success := Succ},
rate := #{matched := #{current := Rate, last5m := Rate5m, max := RateMax}
}
}
) ->
#{matched => Match,
restructure_map(#{
counters := #{failed := Failed, matched := Match, success := Succ},
rate := #{matched := #{current := Rate, last5m := Rate5m, max := RateMax}}
}) ->
#{
matched => Match,
success => Succ,
failed => Failed,
rate => Rate,
@ -346,7 +420,15 @@ bin_t(S) when is_list(S) ->
list_to_binary(S).
is_ok(ResL) ->
case lists:filter(fun({ok, _}) -> false; (_) -> true end, ResL) of
case
lists:filter(
fun
({ok, _}) -> false;
(_) -> true
end,
ResL
)
of
[] -> {ok, [Res || {ok, Res} <- ResL]};
ErrL -> {error, ErrL}
end.
@ -360,7 +442,8 @@ get_raw_sources() ->
merge_default_headers(Sources).
merge_default_headers(Sources) ->
lists:map(fun(Source) ->
lists:map(
fun(Source) ->
case maps:find(<<"headers">>, Source) of
{ok, Headers} ->
NewHeaders =
@ -369,34 +452,50 @@ merge_default_headers(Sources) ->
(emqx_authz_schema:headers_no_content_type(converter))(Headers);
#{<<"method">> := <<"post">>} ->
(emqx_authz_schema:headers(converter))(Headers);
_ -> Headers
_ ->
Headers
end,
Source#{<<"headers">> => NewHeaders};
error -> Source
error ->
Source
end
end, Sources).
end,
Sources
).
get_raw_source(Type) ->
lists:filter(fun (#{<<"type">> := T}) ->
lists:filter(
fun(#{<<"type">> := T}) ->
T =:= Type
end, get_raw_sources()).
end,
get_raw_sources()
).
update_config(Cmd, Sources) ->
case emqx_authz:update(Cmd, Sources) of
{ok, _} -> {204};
{ok, _} ->
{204};
{error, {pre_config_update, emqx_authz, Reason}} ->
{400, #{code => <<"BAD_REQUEST">>,
message => bin(Reason)}};
{400, #{
code => <<"BAD_REQUEST">>,
message => bin(Reason)
}};
{error, {post_config_update, emqx_authz, Reason}} ->
{400, #{code => <<"BAD_REQUEST">>,
message => bin(Reason)}};
{400, #{
code => <<"BAD_REQUEST">>,
message => bin(Reason)
}};
%% TODO: The `Reason` may cann't be trans to json term. (i.e. ecpool start failed)
{error, {emqx_conf_schema, _}} ->
{400, #{code => <<"BAD_REQUEST">>,
message => <<"BAD_SCHEMA">>}};
{400, #{
code => <<"BAD_REQUEST">>,
message => <<"BAD_SCHEMA">>
}};
{error, Reason} ->
{400, #{code => <<"BAD_REQUEST">>,
message => bin(Reason)}}
{400, #{
code => <<"BAD_REQUEST">>,
message => bin(Reason)
}}
end.
read_certs(#{<<"ssl">> := SSL} = Source) ->
@ -407,12 +506,16 @@ read_certs(#{<<"ssl">> := SSL} = Source) ->
{ok, NewSSL} ->
Source#{<<"ssl">> => NewSSL}
end;
read_certs(Source) -> Source.
read_certs(Source) ->
Source.
parameters_field() ->
[ {type, mk( enum(?API_SCHEMA_MODULE:authz_sources_types(simple))
, #{in => path, desc => <<"Authorization type">>})
}
[
{type,
mk(
enum(?API_SCHEMA_MODULE:authz_sources_types(simple)),
#{in => path, desc => <<"Authorization type">>}
)}
].
parse_position(<<"front">>) ->
@ -431,36 +534,52 @@ parse_position(_) ->
{error, <<"Invalid parameter. Unknow position">>}.
position_example() ->
#{ front =>
#{ summary => <<"front example">>
, value => #{<<"position">> => <<"front">>}}
, rear =>
#{ summary => <<"rear example">>
, value => #{<<"position">> => <<"rear">>}}
, relative_before =>
#{ summary => <<"relative example">>
, value => #{<<"position">> => <<"before:file">>}}
, relative_after =>
#{ summary => <<"relative example">>
, value => #{<<"position">> => <<"after:file">>}}
#{
front =>
#{
summary => <<"front example">>,
value => #{<<"position">> => <<"front">>}
},
rear =>
#{
summary => <<"rear example">>,
value => #{<<"position">> => <<"rear">>}
},
relative_before =>
#{
summary => <<"relative example">>,
value => #{<<"position">> => <<"before:file">>}
},
relative_after =>
#{
summary => <<"relative example">>,
value => #{<<"position">> => <<"after:file">>}
}
}.
authz_sources_type_refs() ->
[ref(?API_SCHEMA_MODULE, Type)
|| Type <- emqx_authz_api_schema:authz_sources_types(detailed)].
[
ref(?API_SCHEMA_MODULE, Type)
|| Type <- emqx_authz_api_schema:authz_sources_types(detailed)
].
bin(Term) -> erlang:iolist_to_binary(io_lib:format("~p", [Term])).
status_metrics_example() ->
#{ metrics => #{ matched => 0,
#{
metrics => #{
matched => 0,
success => 0,
failed => 0,
rate => 0.0,
rate_last5m => 0.0,
rate_max => 0.0
},
node_metrics => [ #{node => node(),
metrics => #{ matched => 0,
node_metrics => [
#{
node => node(),
metrics => #{
matched => 0,
success => 0,
failed => 0,
rate => 0.0,
@ -470,7 +589,9 @@ status_metrics_example() ->
}
],
status => connected,
node_status => [ #{node => node(),
node_status => [
#{
node => node(),
status => connected
}
]

27
apps/emqx_authz/src/emqx_authz_file.erl
View File

@ -27,24 +27,27 @@
-endif.
%% APIs
-export([ description/0
, init/1
, destroy/1
, dry_run/1
, authorize/4
]).
-export([
description/0,
init/1,
destroy/1,
authorize/4
]).
description() ->
"AuthZ with static rules".
init(#{path := Path} = Source) ->
Rules = case file:consult(Path) of
Rules =
case file:consult(Path) of
{ok, Terms} ->
[emqx_authz_rule:compile(Term) || Term <- Terms];
{error, Reason} when is_atom(Reason) ->
?SLOG(alert, #{msg => failed_to_read_acl_file,
?SLOG(alert, #{
msg => failed_to_read_acl_file,
path => Path,
explain => emqx_misc:explain_posix(Reason)}),
explain => emqx_misc:explain_posix(Reason)
}),
throw(failed_to_read_acl_file);
{error, Reason} ->
?SLOG(alert, #{msg => bad_acl_file_content, path => Path, reason => Reason}),
@ -54,11 +57,5 @@ init(#{path := Path} = Source) ->
destroy(_Source) -> ok.
dry_run(#{path := Path}) ->
case file:consult(Path) of
{ok, _} -> ok;
{error, _} = Error -> Error
end.
authorize(Client, PubSub, Topic, #{annotations := #{rules := Rules}}) ->
emqx_authz_rule:matches(Client, PubSub, Topic, Rules).

118
apps/emqx_authz/src/emqx_authz_http.erl
View File

@ -24,26 +24,28 @@
-behaviour(emqx_authz).
%% AuthZ Callbacks
-export([ description/0
, init/1
, destroy/1
, dry_run/1
, authorize/4
, parse_url/1
]).
-export([
description/0,
init/1,
destroy/1,
authorize/4,
parse_url/1
]).
-ifdef(TEST).
-compile(export_all).
-compile(nowarn_export_all).
-endif.
-define(PLACEHOLDERS, [?PH_USERNAME,
-define(PLACEHOLDERS, [
?PH_USERNAME,
?PH_CLIENTID,
?PH_PEERHOST,
?PH_PROTONAME,
?PH_MOUNTPOINT,
?PH_TOPIC,
?PH_ACTION]).
?PH_ACTION
]).
description() ->
"AuthZ with http".
@ -58,17 +60,17 @@ init(Config) ->
destroy(#{annotations := #{id := Id}}) ->
ok = emqx_resource:remove_local(Id).
dry_run(Config) ->
emqx_resource:create_dry_run_local(emqx_connector_http, parse_config(Config)).
authorize( Client
, PubSub
, Topic
, #{ type := http
, annotations := #{id := ResourceID}
, method := Method
, request_timeout := RequestTimeout
} = Config) ->
authorize(
Client,
PubSub,
Topic,
#{
type := http,
annotations := #{id := ResourceID},
method := Method,
request_timeout := RequestTimeout
} = Config
) ->
Request = generate_request(PubSub, Topic, Client, Config),
case emqx_resource:query(ResourceID, {Method, Request, RequestTimeout}) of
{ok, 200, _Headers} ->
@ -82,38 +84,47 @@ authorize( Client
{ok, _Status, _Headers, _Body} ->
nomatch;
{error, Reason} ->
?SLOG(error, #{msg => "http_server_query_failed",
?SLOG(error, #{
msg => "http_server_query_failed",
resource => ResourceID,
reason => Reason}),
reason => Reason
}),
ignore
end.
parse_config(#{ url := URL
, method := Method
, headers := Headers
, request_timeout := ReqTimeout
} = Conf) ->
parse_config(
#{
url := URL,
method := Method,
headers := Headers,
request_timeout := ReqTimeout
} = Conf
) ->
{BaseURLWithPath, Query} = parse_fullpath(URL),
BaseURLMap = parse_url(BaseURLWithPath),
Conf#{ method => Method
, base_url => maps:remove(query, BaseURLMap)
, base_query_template => emqx_authz_utils:parse_deep(
Conf#{
method => Method,
base_url => maps:remove(query, BaseURLMap),
base_query_template => emqx_authz_utils:parse_deep(
cow_qs:parse_qs(bin(Query)),
?PLACEHOLDERS)
, body_template => emqx_authz_utils:parse_deep(
?PLACEHOLDERS
),
body_template => emqx_authz_utils:parse_deep(
maps:to_list(maps:get(body, Conf, #{})),
?PLACEHOLDERS)
, headers => Headers
, request_timeout => ReqTimeout
?PLACEHOLDERS
),
headers => Headers,
request_timeout => ReqTimeout,
%% pool_type default value `random`
, pool_type => random
pool_type => random
}.
parse_fullpath(RawURL) ->
cow_http:parse_fullpath(bin(RawURL)).
parse_url(URL)
when URL =:= undefined ->
parse_url(URL) when
URL =:= undefined
->
#{};
parse_url(URL) ->
{ok, URIMap} = emqx_http_lib:uri_parse(URL),
@ -124,15 +135,18 @@ parse_url(URL) ->
URIMap
end.
generate_request( PubSub
, Topic
, Client
, #{ method := Method
, base_url := #{path := Path}
, base_query_template := BaseQueryTemplate
, headers := Headers
, body_template := BodyTemplate
}) ->
generate_request(
PubSub,
Topic,
Client,
#{
method := Method,
base_url := #{path := Path},
base_query_template := BaseQueryTemplate,
headers := Headers,
body_template := BodyTemplate
}
) ->
Values = client_vars(Client, PubSub, Topic),
Body = emqx_authz_utils:render_deep(BodyTemplate, Values),
NBaseQuery = emqx_authz_utils:render_deep(BaseQueryTemplate, Values),
@ -165,9 +179,13 @@ query_string([], Acc) ->
<<>>
end;
query_string([{K, V} | More], Acc) ->
query_string( More
, [ ["&", emqx_http_lib:uri_encode(K), "=", emqx_http_lib:uri_encode(V)]
| Acc]).
query_string(
More,
[
["&", emqx_http_lib:uri_encode(K), "=", emqx_http_lib:uri_encode(V)]
| Acc
]
).
serialize_body(<<"application/json">>, Body) ->
jsx:encode(Body);

108
apps/emqx_authz/src/emqx_authz_mnesia.erl
View File

@ -29,39 +29,40 @@
-define(ACL_TABLE_USERNAME, 1).
-define(ACL_TABLE_CLIENTID, 2).
-type(username() :: {username, binary()}).
-type(clientid() :: {clientid, binary()}).
-type(who() :: username() | clientid() | all).
-type username() :: {username, binary()}.
-type clientid() :: {clientid, binary()}.
-type who() :: username() | clientid() | all.
-type(rule() :: {emqx_authz_rule:permission(), emqx_authz_rule:action(), emqx_topic:topic()}).
-type(rules() :: [rule()]).
-type rule() :: {emqx_authz_rule:permission(), emqx_authz_rule:action(), emqx_topic:topic()}.
-type rules() :: [rule()].
-record(emqx_acl, {
who :: ?ACL_TABLE_ALL | {?ACL_TABLE_USERNAME, binary()} | {?ACL_TABLE_CLIENTID, binary()},
rules :: rules()
}).
}).
-behaviour(emqx_authz).
%% AuthZ Callbacks
-export([ description/0
, init/1
, destroy/1
, dry_run/1
, authorize/4
]).
-export([
description/0,
init/1,
destroy/1,
authorize/4
]).
%% Management API
-export([ mnesia/1
, init_tables/0
, store_rules/2
, purge_rules/0
, get_rules/1
, delete_rules/1
, list_clientid_rules/0
, list_username_rules/0
, record_count/0
]).
-export([
mnesia/1,
init_tables/0,
store_rules/2,
purge_rules/0,
get_rules/1,
delete_rules/1,
list_clientid_rules/0,
list_username_rules/0,
record_count/0
]).
-ifdef(TEST).
-compile(export_all).
@ -70,14 +71,15 @@
-boot_mnesia({mnesia, [boot]}).
-spec(mnesia(boot | copy) -> ok).
-spec mnesia(boot | copy) -> ok.
mnesia(boot) ->
ok = mria:create_table(?ACL_TABLE, [
{type, ordered_set},
{rlog_shard, ?ACL_SHARDED},
{storage, disc_copies},
{attributes, record_info(fields, ?ACL_TABLE)},
{storage_properties, [{ets, [{read_concurrency, true}]}]}]).
{storage_properties, [{ets, [{read_concurrency, true}]}]}
]).
%%--------------------------------------------------------------------
%% emqx_authz callbacks
@ -90,21 +92,25 @@ init(Source) -> Source.
destroy(_Source) -> ok.
dry_run(_Source) -> ok.
authorize(#{username := Username,
authorize(
#{
username := Username,
clientid := Clientid
} = Client, PubSub, Topic, #{type := 'built_in_database'}) ->
Rules = case mnesia:dirty_read(?ACL_TABLE, {?ACL_TABLE_CLIENTID, Clientid}) of
} = Client,
PubSub,
Topic,
#{type := 'built_in_database'}
) ->
Rules =
case mnesia:dirty_read(?ACL_TABLE, {?ACL_TABLE_CLIENTID, Clientid}) of
[] -> [];
[#emqx_acl{rules = Rules0}] when is_list(Rules0) -> Rules0
end
++ case mnesia:dirty_read(?ACL_TABLE, {?ACL_TABLE_USERNAME, Username}) of
end ++
case mnesia:dirty_read(?ACL_TABLE, {?ACL_TABLE_USERNAME, Username}) of
[] -> [];
[#emqx_acl{rules = Rules1}] when is_list(Rules1) -> Rules1
end
++ case mnesia:dirty_read(?ACL_TABLE, ?ACL_TABLE_ALL) of
end ++
case mnesia:dirty_read(?ACL_TABLE, ?ACL_TABLE_ALL) of
[] -> [];
[#emqx_acl{rules = Rules2}] when is_list(Rules2) -> Rules2
end,
@ -115,12 +121,12 @@ authorize(#{username := Username,
%%--------------------------------------------------------------------
%% Init
-spec(init_tables() -> ok).
-spec init_tables() -> ok.
init_tables() ->
ok = mria_rlog:wait_for_shards([?ACL_SHARDED], infinity).
%% @doc Update authz rules
-spec(store_rules(who(), rules()) -> ok).
-spec store_rules(who(), rules()) -> ok.
store_rules({username, Username}, Rules) ->
Record = #emqx_acl{who = {?ACL_TABLE_USERNAME, Username}, rules = normalize_rules(Rules)},
mria:dirty_write(Record);
@ -132,16 +138,17 @@ store_rules(all, Rules) ->
mria:dirty_write(Record).
%% @doc Clean all authz rules for (username & clientid & all)
-spec(purge_rules() -> ok).
-spec purge_rules() -> ok.
purge_rules() ->
ok = lists:foreach(
fun(Key) ->
ok = mria:dirty_delete(?ACL_TABLE, Key)
end,
mnesia:dirty_all_keys(?ACL_TABLE)).
mnesia:dirty_all_keys(?ACL_TABLE)
).
%% @doc Get one record
-spec(get_rules(who()) -> {ok, rules()} | not_found).
-spec get_rules(who()) -> {ok, rules()} | not_found.
get_rules({username, Username}) ->
do_get_rules({?ACL_TABLE_USERNAME, Username});
get_rules({clientid, Clientid}) ->
@ -150,7 +157,7 @@ get_rules(all) ->
do_get_rules(?ACL_TABLE_ALL).
%% @doc Delete one record
-spec(delete_rules(who()) -> ok).
-spec delete_rules(who()) -> ok.
delete_rules({username, Username}) ->
mria:dirty_delete(?ACL_TABLE, {?ACL_TABLE_USERNAME, Username});
delete_rules({clientid, Clientid}) ->
@ -158,21 +165,23 @@ delete_rules({clientid, Clientid}) ->
delete_rules(all) ->
mria:dirty_delete(?ACL_TABLE, ?ACL_TABLE_ALL).
-spec(list_username_rules() -> ets:match_spec()).
-spec list_username_rules() -> ets:match_spec().
list_username_rules() ->
ets:fun2ms(
fun(#emqx_acl{who = {?ACL_TABLE_USERNAME, Username}, rules = Rules}) ->
[{username, Username}, {rules, Rules}]
end).
end
).
-spec(list_clientid_rules() -> ets:match_spec()).
-spec list_clientid_rules() -> ets:match_spec().
list_clientid_rules() ->
ets:fun2ms(
fun(#emqx_acl{who = {?ACL_TABLE_CLIENTID, Clientid}, rules = Rules}) ->
[{clientid, Clientid}, {rules, Rules}]
end).
end
).
-spec(record_count() -> non_neg_integer()).
-spec record_count() -> non_neg_integer().
record_count() ->
mnesia:table_info(?ACL_TABLE, size).
@ -184,9 +193,7 @@ normalize_rules(Rules) ->
lists:map(fun normalize_rule/1, Rules).
normalize_rule({Permission, Action, Topic}) ->
{normalize_permission(Permission),
normalize_action(Action),
normalize_topic(Topic)};
{normalize_permission(Permission), normalize_action(Action), normalize_topic(Topic)};
normalize_rule(Rule) ->
error({invalid_rule, Rule}).
@ -209,8 +216,9 @@ do_get_rules(Key) ->
[] -> not_found
end.
do_authorize(_Client, _PubSub, _Topic, []) -> nomatch;
do_authorize(Client, PubSub, Topic, [ {Permission, Action, TopicFilter} | Tail]) ->
do_authorize(_Client, _PubSub, _Topic, []) ->
nomatch;
do_authorize(Client, PubSub, Topic, [{Permission, Action, TopicFilter} | Tail]) ->
Rule = emqx_authz_rule:compile({Permission, all, Action, [TopicFilter]}),
case emqx_authz_rule:match(Client, PubSub, Topic, Rule) of
{matched, Permission} -> {matched, Permission};

65
apps/emqx_authz/src/emqx_authz_mongodb.erl
View File

@ -24,47 +24,57 @@
-behaviour(emqx_authz).
%% AuthZ Callbacks
-export([ description/0
, init/1
, destroy/1
, dry_run/1
, authorize/4
]).
-export([
description/0,
init/1,
destroy/1,
authorize/4
]).
-ifdef(TEST).
-compile(export_all).
-compile(nowarn_export_all).
-endif.
-define(PLACEHOLDERS, [?PH_USERNAME,
-define(PLACEHOLDERS, [
?PH_USERNAME,
?PH_CLIENTID,
?PH_PEERHOST]).
?PH_PEERHOST
]).
description() ->
"AuthZ with MongoDB".
init(#{selector := Selector} = Source) ->
case emqx_authz_utils:create_resource(emqx_connector_mongo, Source) of
{error, Reason} -> error({load_config_error, Reason});
{ok, Id} -> Source#{annotations => #{id => Id},
{error, Reason} ->
error({load_config_error, Reason});
{ok, Id} ->
Source#{
annotations => #{id => Id},
selector_template => emqx_authz_utils:parse_deep(
Selector,
?PLACEHOLDERS)}
?PLACEHOLDERS
)
}
end.
dry_run(Source) ->
emqx_resource:create_dry_run_local(emqx_connector_mongo, Source).
destroy(#{annotations := #{id := Id}}) ->
ok = emqx_resource:remove_local(Id).
authorize(Client, PubSub, Topic,
#{collection := Collection,
authorize(
Client,
PubSub,
Topic,
#{
collection := Collection,
selector_template := SelectorTemplate,
annotations := #{id := ResourceID}
}) ->
}
) ->
RenderedSelector = emqx_authz_utils:render_deep(SelectorTemplate, Client),
Result = try
Result =
try
emqx_resource:query(ResourceID, {find, Collection, RenderedSelector, #{}})
catch
error:Error -> {error, Error}
@ -72,18 +82,25 @@ authorize(Client, PubSub, Topic,
case Result of
{error, Reason} ->
?SLOG(error, #{msg => "query_mongo_error",
?SLOG(error, #{
msg => "query_mongo_error",
reason => Reason,
collection => Collection,
selector => RenderedSelector,
resource_id => ResourceID}),
resource_id => ResourceID
}),
nomatch;
[] ->
nomatch;
[] -> nomatch;
Rows ->
Rules = [ emqx_authz_rule:compile({Permission, all, Action, Topics})
|| #{<<"topics">> := Topics,
Rules = [
emqx_authz_rule:compile({Permission, all, Action, Topics})
|| #{
<<"topics">> := Topics,
<<"permission">> := Permission,
<<"action">> := Action} <- Rows],
<<"action">> := Action
} <- Rows
],
do_authorize(Client, PubSub, Topic, Rules)
end.

77
apps/emqx_authz/src/emqx_authz_mysql.erl
View File

@ -24,70 +24,89 @@
-behaviour(emqx_authz).
%% AuthZ Callbacks
-export([ description/0
, init/1
, destroy/1
, dry_run/1
, authorize/4
]).
-export([
description/0,
init/1,
destroy/1,
authorize/4
]).
-ifdef(TEST).
-compile(export_all).
-compile(nowarn_export_all).
-endif.
-define(PLACEHOLDERS, [?PH_USERNAME,
-define(PLACEHOLDERS, [
?PH_USERNAME,
?PH_CLIENTID,
?PH_PEERHOST,
?PH_CERT_CN_NAME,
?PH_CERT_SUBJECT]).
?PH_CERT_SUBJECT
]).
description() ->
"AuthZ with Mysql".
init(#{query := SQL} = Source) ->
case emqx_authz_utils:create_resource(emqx_connector_mysql, Source) of
{error, Reason} -> error({load_config_error, Reason});
{ok, Id} -> Source#{annotations =>
#{id => Id,
{error, Reason} ->
error({load_config_error, Reason});
{ok, Id} ->
Source#{
annotations =>
#{
id => Id,
query => emqx_authz_utils:parse_sql(
SQL,
'?',
?PLACEHOLDERS)}}
?PLACEHOLDERS
)
}
}
end.
dry_run(Source) ->
emqx_resource:create_dry_run_local(emqx_connector_mysql, Source).
destroy(#{annotations := #{id := Id}}) ->
ok = emqx_resource:remove_local(Id).
authorize(Client, PubSub, Topic,
#{annotations := #{id := ResourceID,
authorize(
Client,
PubSub,
Topic,
#{
annotations := #{
id := ResourceID,
query := {Query, Params}
}
}) ->
}
) ->
RenderParams = emqx_authz_utils:render_sql_params(Params, Client),
case emqx_resource:query(ResourceID, {sql, Query, RenderParams}) of
{ok, _Columns, []} -> nomatch;
{ok, _Columns, []} ->
nomatch;
{ok, Columns, Rows} ->
do_authorize(Client, PubSub, Topic, Columns, Rows);
{error, Reason} ->
?SLOG(error, #{ msg => "query_mysql_error"
, reason => Reason
, query => Query
, params => RenderParams
, resource_id => ResourceID}),
?SLOG(error, #{
msg => "query_mysql_error",
reason => Reason,
query => Query,
params => RenderParams,
resource_id => ResourceID
}),
nomatch
end.
do_authorize(_Client, _PubSub, _Topic, _Columns, []) ->
nomatch;
do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) ->
case emqx_authz_rule:match(Client, PubSub, Topic,
case
emqx_authz_rule:match(
Client,
PubSub,
Topic,
emqx_authz_rule:compile(format_result(Columns, Row))
) of
)
of
{matched, Permission} -> {matched, Permission};
nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail)
end.
@ -101,5 +120,5 @@ format_result(Columns, Row) ->
index(Elem, List) ->
index(Elem, List, 1).
index(_Elem, [], _Index) -> {error, not_found};
index(Elem, [ Elem | _List], Index) -> Index;
index(Elem, [ _ | List], Index) -> index(Elem, List, Index + 1).
index(Elem, [Elem | _List], Index) -> Index;
index(Elem, [_ | List], Index) -> index(Elem, List, Index + 1).

84
apps/emqx_authz/src/emqx_authz_postgresql.erl
View File

@ -24,23 +24,25 @@
-behaviour(emqx_authz).
%% AuthZ Callbacks
-export([ description/0
, init/1
, destroy/1
, dry_run/1
, authorize/4
]).
-export([
description/0,
init/1,
destroy/1,
authorize/4
]).
-ifdef(TEST).
-compile(export_all).
-compile(nowarn_export_all).
-endif.
-define(PLACEHOLDERS, [?PH_USERNAME,
-define(PLACEHOLDERS, [
?PH_USERNAME,
?PH_CLIENTID,
?PH_PEERHOST,
?PH_CERT_CN_NAME,
?PH_CERT_SUBJECT]).
?PH_CERT_SUBJECT
]).
description() ->
"AuthZ with PostgreSQL".
@ -49,18 +51,26 @@ init(#{query := SQL0} = Source) ->
{SQL, PlaceHolders} = emqx_authz_utils:parse_sql(
SQL0,
'$n',
?PLACEHOLDERS),
?PLACEHOLDERS
),
ResourceID = emqx_authz_utils:make_resource_id(emqx_connector_pgsql),
case emqx_resource:create_local(
case
emqx_resource:create_local(
ResourceID,
?RESOURCE_GROUP,
emqx_connector_pgsql,
Source#{named_queries => #{ResourceID => SQL}},
#{}) of
#{}
)
of
{ok, _} ->
Source#{annotations =>
#{id => ResourceID,
placeholders => PlaceHolders}};
Source#{
annotations =>
#{
id => ResourceID,
placeholders => PlaceHolders
}
};
{error, Reason} ->
error({load_config_error, Reason})
end.
@ -68,33 +78,44 @@ init(#{query := SQL0} = Source) ->
destroy(#{annotations := #{id := Id}}) ->
ok = emqx_resource:remove_local(Id).
dry_run(Source) ->
emqx_resource:create_dry_run_local(emqx_connector_pgsql, Source).
authorize(Client, PubSub, Topic,
#{annotations := #{id := ResourceID,
authorize(
Client,
PubSub,
Topic,
#{
annotations := #{
id := ResourceID,
placeholders := Placeholders
}
}) ->
}
) ->
RenderedParams = emqx_authz_utils:render_sql_params(Placeholders, Client),
case emqx_resource:query(ResourceID, {prepared_query, ResourceID, RenderedParams}) of
{ok, _Columns, []} -> nomatch;
{ok, _Columns, []} ->
nomatch;
{ok, Columns, Rows} ->
do_authorize(Client, PubSub, Topic, Columns, Rows);
{error, Reason} ->
?SLOG(error, #{ msg => "query_postgresql_error"
, reason => Reason
, params => RenderedParams
, resource_id => ResourceID}),
?SLOG(error, #{
msg => "query_postgresql_error",
reason => Reason,
params => RenderedParams,
resource_id => ResourceID
}),
nomatch
end.
do_authorize(_Client, _PubSub, _Topic, _Columns, []) ->
nomatch;
do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) ->
case emqx_authz_rule:match(Client, PubSub, Topic,
case
emqx_authz_rule:match(
Client,
PubSub,
Topic,
emqx_authz_rule:compile(format_result(Columns, Row))
) of
)
of
{matched, Permission} -> {matched, Permission};
nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail)
end.
@ -108,6 +129,9 @@ format_result(Columns, Row) ->
index(Key, N, TupleList) when is_integer(N) ->
Tuple = lists:keyfind(Key, N, TupleList),
index(Tuple, TupleList, 1);
index(_Tuple, [], _Index) -> {error, not_found};
index(Tuple, [Tuple | _TupleList], Index) -> Index;
index(Tuple, [_ | TupleList], Index) -> index(Tuple, TupleList, Index + 1).
index(_Tuple, [], _Index) ->
{error, not_found};
index(Tuple, [Tuple | _TupleList], Index) ->
Index;
index(Tuple, [_ | TupleList], Index) ->
index(Tuple, TupleList, Index + 1).

65
apps/emqx_authz/src/emqx_authz_redis.erl
View File

@ -24,23 +24,25 @@
-behaviour(emqx_authz).
%% AuthZ Callbacks
-export([ description/0
, init/1
, destroy/1
, dry_run/1
, authorize/4
]).
-export([
description/0,
init/1,
destroy/1,
authorize/4
]).
-ifdef(TEST).
-compile(export_all).
-compile(nowarn_export_all).
-endif.
-define(PLACEHOLDERS, [?PH_CERT_CN_NAME,
-define(PLACEHOLDERS, [
?PH_CERT_CN_NAME,
?PH_CERT_SUBJECT,
?PH_PEERHOST,
?PH_CLIENTID,
?PH_USERNAME]).
?PH_USERNAME
]).
description() ->
"AuthZ with Redis".
@ -49,41 +51,54 @@ init(#{cmd := CmdStr} = Source) ->
Cmd = tokens(CmdStr),
CmdTemplate = emqx_authz_utils:parse_deep(Cmd, ?PLACEHOLDERS),
case emqx_authz_utils:create_resource(emqx_connector_redis, Source) of
{error, Reason} -> error({load_config_error, Reason});
{ok, Id} -> Source#{annotations => #{id => Id},
cmd_template => CmdTemplate}
{error, Reason} ->
error({load_config_error, Reason});
{ok, Id} ->
Source#{
annotations => #{id => Id},
cmd_template => CmdTemplate
}
end.
destroy(#{annotations := #{id := Id}}) ->
ok = emqx_resource:remove_local(Id).
dry_run(Source) ->
emqx_resource:create_dry_run_local(emqx_connector_redis, Source).
authorize(Client, PubSub, Topic,
#{cmd_template := CmdTemplate,
authorize(
Client,
PubSub,
Topic,
#{
cmd_template := CmdTemplate,
annotations := #{id := ResourceID}
}) ->
}
) ->
Cmd = emqx_authz_utils:render_deep(CmdTemplate, Client),
case emqx_resource:query(ResourceID, {cmd, Cmd}) of
{ok, []} -> nomatch;
{ok, []} ->
nomatch;
{ok, Rows} ->
do_authorize(Client, PubSub, Topic, Rows);
{error, Reason} ->
?SLOG(error, #{ msg => "query_redis_error"
, reason => Reason
, cmd => Cmd
, resource_id => ResourceID}),
?SLOG(error, #{
msg => "query_redis_error",
reason => Reason,
cmd => Cmd,
resource_id => ResourceID
}),
nomatch
end.
do_authorize(_Client, _PubSub, _Topic, []) ->
nomatch;
do_authorize(Client, PubSub, Topic, [TopicFilter, Action | Tail]) ->
case emqx_authz_rule:match(
Client, PubSub, Topic,
case
emqx_authz_rule:match(
Client,
PubSub,
Topic,
emqx_authz_rule:compile({allow, all, Action, [TopicFilter]})
) of
)
of
{matched, Permission} -> {matched, Permission};
nomatch -> do_authorize(Client, PubSub, Topic, Tail)
end.

137
apps/emqx_authz/src/emqx_authz_rule.erl
View File

@ -26,50 +26,66 @@
-endif.
%% APIs
-export([ match/4
, matches/4
, compile/1
]).
-export([
match/4,
matches/4,
compile/1
]).
-type(ipaddress() :: {ipaddr, esockd_cidr:cidr_string()} |
{ipaddrs, list(esockd_cidr:cidr_string())}).
-type ipaddress() ::
{ipaddr, esockd_cidr:cidr_string()}
| {ipaddrs, list(esockd_cidr:cidr_string())}.
-type(username() :: {username, binary()}).
-type username() :: {username, binary()}.
-type(clientid() :: {clientid, binary()}).
-type clientid() :: {clientid, binary()}.
-type(who() :: ipaddress() | username() | clientid() |
{'and', [ipaddress() | username() | clientid()]} |
{'or', [ipaddress() | username() | clientid()]} |
all).
-type who() ::
ipaddress()
| username()
| clientid()
| {'and', [ipaddress() | username() | clientid()]}
| {'or', [ipaddress() | username() | clientid()]}
| all.
-type(action() :: subscribe | publish | all).
-type(permission() :: allow | deny).
-type action() :: subscribe | publish | all.
-type permission() :: allow | deny.
-type(rule() :: {permission(), who(), action(), list(emqx_types:topic())}).
-type rule() :: {permission(), who(), action(), list(emqx_types:topic())}.
-export_type([ action/0
, permission/0
]).
-export_type([
action/0,
permission/0
]).
compile({Permission, all})
when ?ALLOW_DENY(Permission) -> {Permission, all, all, [compile_topic(<<"#">>)]};
compile({Permission, Who, Action, TopicFilters})
when ?ALLOW_DENY(Permission), ?PUBSUB(Action), is_list(TopicFilters) ->
{ atom(Permission), compile_who(Who), atom(Action)
, [compile_topic(Topic) || Topic <- TopicFilters]}.
compile({Permission, all}) when
?ALLOW_DENY(Permission)
->
{Permission, all, all, [compile_topic(<<"#">>)]};
compile({Permission, Who, Action, TopicFilters}) when
?ALLOW_DENY(Permission), ?PUBSUB(Action), is_list(TopicFilters)
->
{atom(Permission), compile_who(Who), atom(Action), [
compile_topic(Topic)
|| Topic <- TopicFilters
]}.
compile_who(all) -> all;
compile_who({user, Username}) -> compile_who({username, Username});
compile_who(all) ->
all;
compile_who({user, Username}) ->
compile_who({username, Username});
compile_who({username, {re, Username}}) ->
{ok, MP} = re:compile(bin(Username)),
{username, MP};
compile_who({username, Username}) -> {username, {eq, bin(Username)}};
compile_who({client, Clientid}) -> compile_who({clientid, Clientid});
compile_who({username, Username}) ->
{username, {eq, bin(Username)}};
compile_who({client, Clientid}) ->
compile_who({clientid, Clientid});
compile_who({clientid, {re, Clientid}}) ->
{ok, MP} = re:compile(bin(Clientid)),
{clientid, MP};
compile_who({clientid, Clientid}) -> {clientid, {eq, bin(Clientid)}};
compile_who({clientid, Clientid}) ->
{clientid, {eq, bin(Clientid)}};
compile_who({ipaddr, CIDR}) ->
{ipaddr, esockd_cidr:parse(CIDR, true)};
compile_who({ipaddrs, CIDRs}) ->
@ -94,7 +110,8 @@ pattern(Words) ->
lists:member(?PH_USERNAME, Words) orelse lists:member(?PH_CLIENTID, Words).
atom(B) when is_binary(B) ->
try binary_to_existing_atom(B, utf8)
try
binary_to_existing_atom(B, utf8)
catch
_E:_S -> binary_to_atom(B)
end;
@ -105,21 +122,24 @@ bin(L) when is_list(L) ->
bin(B) when is_binary(B) ->
B.
-spec(matches(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic(), [rule()])
-> {matched, allow} | {matched, deny} | nomatch).
matches(_Client, _PubSub, _Topic, []) -> nomatch;
-spec matches(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic(), [rule()]) ->
{matched, allow} | {matched, deny} | nomatch.
matches(_Client, _PubSub, _Topic, []) ->
nomatch;
matches(Client, PubSub, Topic, [{Permission, Who, Action, TopicFilters} | Tail]) ->
case match(Client, PubSub, Topic, {Permission, Who, Action, TopicFilters}) of
nomatch -> matches(Client, PubSub, Topic, Tail);
Matched -> Matched
end.
-spec(match(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic(), rule())
-> {matched, allow} | {matched, deny} | nomatch).
-spec match(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic(), rule()) ->
{matched, allow} | {matched, deny} | nomatch.
match(Client, PubSub, Topic, {Permission, Who, Action, TopicFilters}) ->
case match_action(PubSub, Action) andalso
case
match_action(PubSub, Action) andalso
match_who(Client, Who) andalso
match_topics(Client, Topic, TopicFilters) of
match_topics(Client, Topic, TopicFilters)
of
true -> {matched, Permission};
_ -> nomatch
end.
@ -129,16 +149,19 @@ match_action(subscribe, subscribe) -> true;
match_action(_, all) -> true;
match_action(_, _) -> false.
match_who(_, all) -> true;
match_who(_, all) ->
true;
match_who(#{username := undefined}, {username, _}) ->
false;
match_who(#{username := Username}, {username, {eq, Username}}) -> true;
match_who(#{username := Username}, {username, {eq, Username}}) ->
true;
match_who(#{username := Username}, {username, {re_pattern, _, _, _, _} = MP}) ->
case re:run(Username, MP) of
{match, _} -> true;
_ -> false
end;
match_who(#{clientid := Clientid}, {clientid, {eq, Clientid}}) -> true;
match_who(#{clientid := Clientid}, {clientid, {eq, Clientid}}) ->
true;
match_who(#{clientid := Clientid}, {clientid, {re_pattern, _, _, _, _} = MP}) ->
case re:run(Clientid, MP) of
{match, _} -> true;
@ -151,28 +174,40 @@ match_who(#{peerhost := IpAddress}, {ipaddr, CIDR}) ->
match_who(#{peerhost := undefined}, {ipaddrs, _CIDR}) ->
false;
match_who(#{peerhost := IpAddress}, {ipaddrs, CIDRs}) ->
lists:any(fun(CIDR) ->
lists:any(
fun(CIDR) ->
esockd_cidr:match(IpAddress, CIDR)
end, CIDRs);
end,
CIDRs
);
match_who(ClientInfo, {'and', Principals}) when is_list(Principals) ->
lists:foldl(fun(Principal, Permission) ->
lists:foldl(
fun(Principal, Permission) ->
match_who(ClientInfo, Principal) andalso Permission
end, true, Principals);
end,
true,
Principals
);
match_who(ClientInfo, {'or', Principals}) when is_list(Principals) ->
lists:foldl(fun(Principal, Permission) ->
lists:foldl(
fun(Principal, Permission) ->
match_who(ClientInfo, Principal) orelse Permission
end, false, Principals);
match_who(_, _) -> false.
end,
false,
Principals
);
match_who(_, _) ->
false.
match_topics(_ClientInfo, _Topic, []) ->
false;
match_topics(ClientInfo, Topic, [{pattern, PatternFilter} | Filters]) ->
TopicFilter = feed_var(ClientInfo, PatternFilter),
match_topic(emqx_topic:words(Topic), TopicFilter)
orelse match_topics(ClientInfo, Topic, Filters);
match_topic(emqx_topic:words(Topic), TopicFilter) orelse
match_topics(ClientInfo, Topic, Filters);
match_topics(ClientInfo, Topic, [TopicFilter | Filters]) ->
match_topic(emqx_topic:words(Topic), TopicFilter)
orelse match_topics(ClientInfo, Topic, Filters).
match_topic(emqx_topic:words(Topic), TopicFilter) orelse
match_topics(ClientInfo, Topic, Filters).
match_topic(Topic, {'eq', TopicFilter}) ->
Topic =:= TopicFilter;

285
apps/emqx_authz/src/emqx_authz_schema.erl
View File

@ -19,22 +19,25 @@
-include_lib("typerefl/include/types.hrl").
-include_lib("emqx_connector/include/emqx_connector.hrl").
-reflect_type([ permission/0
, action/0
]).
-reflect_type([
permission/0,
action/0
]).
-type action() :: publish | subscribe | all.
-type permission() :: allow | deny.
-export([ namespace/0
, roots/0
, fields/1
, validations/0
]).
-export([
namespace/0,
roots/0,
fields/1,
validations/0
]).
-export([ headers_no_content_type/1
, headers/1
]).
-export([
headers_no_content_type/1,
headers/1
]).
-import(emqx_schema, [mk_duration/2]).
-include_lib("hocon/include/hoconsc.hrl").
@ -50,73 +53,84 @@ namespace() -> authz.
roots() -> [].
fields("authorization") ->
[ {sources, #{type => union_array(
[ hoconsc:ref(?MODULE, file)
, hoconsc:ref(?MODULE, http_get)
, hoconsc:ref(?MODULE, http_post)
, hoconsc:ref(?MODULE, mnesia)
, hoconsc:ref(?MODULE, mongo_single)
, hoconsc:ref(?MODULE, mongo_rs)
, hoconsc:ref(?MODULE, mongo_sharded)
, hoconsc:ref(?MODULE, mysql)
, hoconsc:ref(?MODULE, postgresql)
, hoconsc:ref(?MODULE, redis_single)
, hoconsc:ref(?MODULE, redis_sentinel)
, hoconsc:ref(?MODULE, redis_cluster)
]),
[
{sources, #{
type => union_array(
[
hoconsc:ref(?MODULE, file),
hoconsc:ref(?MODULE, http_get),
hoconsc:ref(?MODULE, http_post),
hoconsc:ref(?MODULE, mnesia),
hoconsc:ref(?MODULE, mongo_single),
hoconsc:ref(?MODULE, mongo_rs),
hoconsc:ref(?MODULE, mongo_sharded),
hoconsc:ref(?MODULE, mysql),
hoconsc:ref(?MODULE, postgresql),
hoconsc:ref(?MODULE, redis_single),
hoconsc:ref(?MODULE, redis_sentinel),
hoconsc:ref(?MODULE, redis_cluster)
]
),
default => [],
desc =>
"
Authorization data sources.<br>
An array of authorization (ACL) data providers.
It is designed as an array, not a hash-map, so the sources can be
ordered to form a chain of access controls.<br>
When authorizing a 'publish' or 'subscribe' action, the configured
sources are checked in order. When checking an ACL source,
in case the client (identified by username or client ID) is not found,
it moves on to the next source. And it stops immediately
once an 'allow' or 'deny' decision is returned.<br>
If the client is not found in any of the sources,
the default action configured in 'authorization.no_match' is applied.<br>
NOTE:
The source elements are identified by their 'type'.
It is NOT allowed to configure two or more sources of the same type.
"
}
}
"\n"
"Authorization data sources.<br>\n"
"An array of authorization (ACL) data providers.\n"
"It is designed as an array, not a hash-map, so the sources can be\n"
"ordered to form a chain of access controls.<br>\n"
"\n"
"When authorizing a 'publish' or 'subscribe' action, the configured\n"
"sources are checked in order. When checking an ACL source,\n"
"in case the client (identified by username or client ID) is not found,\n"
"it moves on to the next source. And it stops immediately\n"
"once an 'allow' or 'deny' decision is returned.<br>\n"
"\n"
"If the client is not found in any of the sources,\n"
"the default action configured in 'authorization.no_match' is applied.<br>\n"
"\n"
"NOTE:\n"
"The source elements are identified by their 'type'.\n"
"It is NOT allowed to configure two or more sources of the same type.\n"
}}
];
fields(file) ->
[ {type, #{type => file}}
, {enable, #{type => boolean(),
default => true}}
, {path, #{type => string(),
[
{type, #{type => file}},
{enable, #{
type => boolean(),
default => true
}},
{path, #{
type => string(),
required => true,
desc => "
Path to the file which contains the ACL rules.<br>
If the file provisioned before starting EMQX node,
it can be placed anywhere as long as EMQX has read access to it.
In case the rule-set is created from EMQX dashboard or management API,
the file will be placed in `authz` subdirectory inside EMQX's `data_dir`,
and the new rules will override all rules from the old config file.
"
desc =>
"\n"
"Path to the file which contains the ACL rules.<br>\n"
"If the file provisioned before starting EMQX node,\n"
"it can be placed anywhere as long as EMQX has read access to it.\n"
"\n"
"In case the rule-set is created from EMQX dashboard or management API,\n"
"the file will be placed in `authz` subdirectory inside EMQX's `data_dir`,\n"
"and the new rules will override all rules from the old config file.\n"
}}
];
fields(http_get) ->
[ {method, #{type => get, default => post}}
, {headers, fun headers_no_content_type/1}
[
{method, #{type => get, default => post}},
{headers, fun headers_no_content_type/1}
] ++ http_common_fields();
fields(http_post) ->
[ {method, #{type => post, default => post}}
, {headers, fun headers/1}
[
{method, #{type => post, default => post}},
{headers, fun headers/1}
] ++ http_common_fields();
fields(mnesia) ->
[ {type, #{type => 'built_in_database'}}
, {enable, #{type => boolean(),
default => true}}
[
{type, #{type => 'built_in_database'}},
{enable, #{
type => boolean(),
default => true
}}
];
fields(mongo_single) ->
mongo_common_fields() ++ emqx_connector_mongo:fields(single);
@ -126,62 +140,88 @@ fields(mongo_sharded) ->
mongo_common_fields() ++ emqx_connector_mongo:fields(sharded);
fields(mysql) ->
connector_fields(mysql) ++
[ {query, query()} ];
[{query, query()}];
fields(postgresql) ->
[ {query, query()}
, {type, #{type => postgresql}}
, {enable, #{type => boolean(),
default => true}}
[
{query, query()},
{type, #{type => postgresql}},
{enable, #{
type => boolean(),
default => true
}}
] ++ emqx_connector_pgsql:fields(config);
fields(redis_single) ->
connector_fields(redis, single) ++
[ {cmd, query()} ];
[{cmd, query()}];
fields(redis_sentinel) ->
connector_fields(redis, sentinel) ++
[ {cmd, query()} ];
[{cmd, query()}];
fields(redis_cluster) ->
connector_fields(redis, cluster) ++
[ {cmd, query()} ].
[{cmd, query()}].
http_common_fields() ->
[ {url, fun url/1}
, {request_timeout, mk_duration("Request timeout", #{default => "30s", desc => "Request timeout."})}
, {body, #{type => map(), required => false, desc => "HTTP request body."}}
] ++ maps:to_list(maps:without([ base_url
, pool_type],
maps:from_list(connector_fields(http)))).
[
{url, fun url/1},
{request_timeout,
mk_duration("Request timeout", #{default => "30s", desc => "Request timeout."})},
{body, #{type => map(), required => false, desc => "HTTP request body."}}
] ++
maps:to_list(
maps:without(
[
base_url,
pool_type
],
maps:from_list(connector_fields(http))
)
).
mongo_common_fields() ->
[ {collection, #{type => atom(), desc => "`MongoDB` collection containing the authorization data."}}
, {selector, #{type => map(), desc => "MQL query used to select the authorization record."}}
, {type, #{type => mongodb, desc => "Database backend."}}
, {enable, #{type => boolean(),
[
{collection, #{
type => atom(), desc => "`MongoDB` collection containing the authorization data."
}},
{selector, #{type => map(), desc => "MQL query used to select the authorization record."}},
{type, #{type => mongodb, desc => "Database backend."}},
{enable, #{
type => boolean(),
default => true,
desc => "Enable or disable the backend."}}
desc => "Enable or disable the backend."
}}
].
validations() ->
[ {check_ssl_opts, fun check_ssl_opts/1}
, {check_headers, fun check_headers/1}
[
{check_ssl_opts, fun check_ssl_opts/1},
{check_headers, fun check_headers/1}
].
headers(type) -> list({binary(), binary()});
headers(desc) -> "List of HTTP headers.";
headers(type) ->
list({binary(), binary()});
headers(desc) ->
"List of HTTP headers.";
headers(converter) ->
fun(Headers) ->
maps:to_list(maps:merge(default_headers(), transform_header_name(Headers)))
end;
headers(default) -> default_headers();
headers(_) -> undefined.
headers(default) ->
default_headers();
headers(_) ->
undefined.
headers_no_content_type(type) -> list({binary(), binary()});
headers_no_content_type(desc) -> "List of HTTP headers.";
headers_no_content_type(type) ->
list({binary(), binary()});
headers_no_content_type(desc) ->
"List of HTTP headers.";
headers_no_content_type(converter) ->
fun(Headers) ->
maps:to_list(maps:merge(default_headers_no_content_type(), transform_header_name(Headers)))
end;
headers_no_content_type(default) -> default_headers_no_content_type();
headers_no_content_type(_) -> undefined.
headers_no_content_type(default) ->
default_headers_no_content_type();
headers_no_content_type(_) ->
undefined.
url(type) -> binary();
url(desc) -> "URL of the auth server.";
@ -194,26 +234,34 @@ url(_) -> undefined.
%%--------------------------------------------------------------------
default_headers() ->
maps:put(<<"content-type">>,
maps:put(
<<"content-type">>,
<<"application/json">>,
default_headers_no_content_type()).
default_headers_no_content_type()
).
default_headers_no_content_type() ->
#{ <<"accept">> => <<"application/json">>
, <<"cache-control">> => <<"no-cache">>
, <<"connection">> => <<"keep-alive">>
, <<"keep-alive">> => <<"timeout=30, max=1000">>
#{
<<"accept">> => <<"application/json">>,
<<"cache-control">> => <<"no-cache">>,
<<"connection">> => <<"keep-alive">>,
<<"keep-alive">> => <<"timeout=30, max=1000">>
}.
transform_header_name(Headers) ->
maps:fold(fun(K0, V, Acc) ->
maps:fold(
fun(K0, V, Acc) ->
K = list_to_binary(string:to_lower(to_list(K0))),
maps:put(K, V, Acc)
end, #{}, Headers).
end,
#{},
Headers
).
check_ssl_opts(Conf) ->
case hocon_maps:get("config.url", Conf) of
undefined -> true;
undefined ->
true;
Url ->
case emqx_authz_http:parse_url(Url) of
#{scheme := https} ->
@ -221,19 +269,23 @@ check_ssl_opts(Conf) ->
true -> true;
_ -> {error, ssl_not_enable}
end;
#{scheme := http} -> true;
Bad -> {bad_scheme, Url, Bad}
#{scheme := http} ->
true;
Bad ->
{bad_scheme, Url, Bad}
end
end.
check_headers(Conf) ->
case hocon_maps:get("config.method", Conf) of
undefined -> true;
undefined ->
true;
Method0 ->
Method = to_bin(Method0),
Headers = hocon_maps:get("config.headers", Conf),
case Method of
<<"post">> -> true;
<<"post">> ->
true;
_ when Headers =:= undefined -> true;
_ when is_list(Headers) ->
case lists:member(<<"content-type">>, Headers) of
@ -247,7 +299,8 @@ union_array(Item) when is_list(Item) ->
hoconsc:array(hoconsc:union(Item)).
query() ->
#{type => binary(),
#{
type => binary(),
desc => "",
validator => fun(S) ->
case size(S) > 0 of
@ -260,8 +313,9 @@ query() ->
connector_fields(DB) ->
connector_fields(DB, config).
connector_fields(DB, Fields) ->
Mod0 = io_lib:format("~ts_~ts",[emqx_connector, DB]),
Mod = try
Mod0 = io_lib:format("~ts_~ts", [emqx_connector, DB]),
Mod =
try
list_to_existing_atom(Mod0)
catch
error:badarg ->
@ -269,10 +323,13 @@ connector_fields(DB, Fields) ->
error:Reason ->
erlang:error(Reason)
end,
[ {type, #{type => DB, desc => "Database backend."}}
, {enable, #{type => boolean(),
[
{type, #{type => DB, desc => "Database backend."}},
{enable, #{
type => boolean(),
default => true,
desc => "Enable or disable the backend."}}
desc => "Enable or disable the backend."
}}
] ++ erlang:apply(Mod, fields, [Fields]).
to_list(A) when is_atom(A) ->

6
apps/emqx_authz/src/emqx_authz_sup.erl
View File

@ -33,8 +33,10 @@ start_link() ->
supervisor:start_link({local, ?SERVER}, ?MODULE, []).
init([]) ->
SupFlags = #{strategy => one_for_all,
SupFlags = #{
strategy => one_for_all,
intensity => 0,
period => 1},
period => 1
},
ChildSpecs = [],
{ok, {SupFlags, ChildSpecs}}.

56
apps/emqx_authz/src/emqx_authz_utils.erl
View File

@ -19,15 +19,16 @@
-include_lib("emqx/include/emqx_placeholder.hrl").
-include_lib("emqx_authz.hrl").
-export([ cleanup_resources/0
, make_resource_id/1
, create_resource/2
, update_config/2
, parse_deep/2
, parse_sql/3
, render_deep/2
, render_sql_params/2
]).
-export([
cleanup_resources/0,
make_resource_id/1,
create_resource/2,
update_config/2,
parse_deep/2,
parse_sql/3,
render_deep/2,
render_sql_params/2
]).
%%------------------------------------------------------------------------------
%% APIs
@ -35,10 +36,15 @@
create_resource(Module, Config) ->
ResourceID = make_resource_id(Module),
case emqx_resource:create_local(ResourceID,
case
emqx_resource:create_local(
ResourceID,
?RESOURCE_GROUP,
Module, Config,
#{}) of
Module,
Config,
#{}
)
of
{ok, already_created} -> {ok, ResourceID};
{ok, _} -> {ok, ResourceID};
{error, Reason} -> {error, Reason}
@ -47,15 +53,18 @@ create_resource(Module, Config) ->
cleanup_resources() ->
lists:foreach(
fun emqx_resource:remove_local/1,
emqx_resource:list_group_instances(?RESOURCE_GROUP)).
emqx_resource:list_group_instances(?RESOURCE_GROUP)
).
make_resource_id(Name) ->
NameBin = bin(Name),
emqx_resource:generate_id(NameBin).
update_config(Path, ConfigRequest) ->
emqx_conf:update(Path, ConfigRequest, #{rawconf_with_defaults => true,
override_to => cluster}).
emqx_conf:update(Path, ConfigRequest, #{
rawconf_with_defaults => true,
override_to => cluster
}).
parse_deep(Template, PlaceHolders) ->
emqx_placeholder:preproc_tmpl_deep(Template, #{placeholders => PlaceHolders}).
@ -63,20 +72,25 @@ parse_deep(Template, PlaceHolders) ->
parse_sql(Template, ReplaceWith, PlaceHolders) ->
emqx_placeholder:preproc_sql(
Template,
#{replace_with => ReplaceWith,
placeholders => PlaceHolders}).
#{
replace_with => ReplaceWith,
placeholders => PlaceHolders
}
).
render_deep(Template, Values) ->
emqx_placeholder:proc_tmpl_deep(
Template,
client_vars(Values),
#{return => full_binary, var_trans => fun handle_var/2}).
#{return => full_binary, var_trans => fun handle_var/2}
).
render_sql_params(ParamList, Values) ->
emqx_placeholder:proc_tmpl(
ParamList,
client_vars(Values),
#{return => rawlist, var_trans => fun handle_sql_var/2}).
#{return => rawlist, var_trans => fun handle_sql_var/2}
).
%%------------------------------------------------------------------------------
%% Internal functions
@ -86,7 +100,9 @@ client_vars(ClientInfo) ->
maps:from_list(
lists:map(
fun convert_client_var/1,
maps:to_list(ClientInfo))).
maps:to_list(ClientInfo)
)
).
convert_client_var({cn, CN}) -> {cert_common_name, CN};
convert_client_var({dn, DN}) -> {cert_subject, DN};

198
apps/emqx_authz/test/emqx_authz_SUITE.erl
View File

@ -33,23 +33,29 @@ init_per_suite(Config) ->
meck:new(emqx_resource, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_resource, create_local, fun(_, _, _, _) -> {ok, meck_data} end),
meck:expect(emqx_resource, remove_local, fun(_) -> ok end),
meck:expect(emqx_resource, create_dry_run_local, fun(_, _) -> ok end),
meck:expect(emqx_authz, acl_conf_file,
meck:expect(
emqx_authz,
acl_conf_file,
fun() ->
emqx_common_test_helpers:deps_path(emqx_authz, "etc/acl.conf")
end),
end
),
ok = emqx_common_test_helpers:start_apps(
[emqx_connector, emqx_conf, emqx_authz],
fun set_special_configs/1),
fun set_special_configs/1
),
Config.
end_per_suite(_Config) ->
{ok, _} = emqx:update_config(
[authorization],
#{<<"no_match">> => <<"allow">>,
#{
<<"no_match">> => <<"allow">>,
<<"cache">> => #{<<"enable">> => <<"true">>},
<<"sources">> => []}),
<<"sources">> => []
}
),
ok = stop_apps([emqx_resource]),
emqx_common_test_helpers:stop_apps([emqx_authz, emqx_conf]),
meck:unload(emqx_resource),
@ -67,14 +73,16 @@ set_special_configs(emqx_authz) ->
set_special_configs(_App) ->
ok.
-define(SOURCE1, #{<<"type">> => <<"http">>,
-define(SOURCE1, #{
<<"type">> => <<"http">>,
<<"enable">> => true,
<<"url">> => <<"https://example.com:443/a/b?c=d">>,
<<"headers">> => #{},
<<"method">> => <<"get">>,
<<"request_timeout">> => 5000
}).
-define(SOURCE2, #{<<"type">> => <<"mongodb">>,
}).
-define(SOURCE2, #{
<<"type">> => <<"mongodb">>,
<<"enable">> => true,
<<"mongo_type">> => <<"single">>,
<<"server">> => <<"127.0.0.1:27017">>,
@ -84,8 +92,9 @@ set_special_configs(_App) ->
<<"ssl">> => #{<<"enable">> => false},
<<"collection">> => <<"authz">>,
<<"selector">> => #{<<"a">> => <<"b">>}
}).
-define(SOURCE3, #{<<"type">> => <<"mysql">>,
}).
-define(SOURCE3, #{
<<"type">> => <<"mysql">>,
<<"enable">> => true,
<<"server">> => <<"127.0.0.1:27017">>,
<<"pool_size">> => 1,
@ -95,8 +104,9 @@ set_special_configs(_App) ->
<<"auto_reconnect">> => true,
<<"ssl">> => #{<<"enable">> => false},
<<"query">> => <<"abcb">>
}).
-define(SOURCE4, #{<<"type">> => <<"postgresql">>,
}).
-define(SOURCE4, #{
<<"type">> => <<"postgresql">>,
<<"enable">> => true,
<<"server">> => <<"127.0.0.1:27017">>,
<<"pool_size">> => 1,
@ -106,8 +116,9 @@ set_special_configs(_App) ->
<<"auto_reconnect">> => true,
<<"ssl">> => #{<<"enable">> => false},
<<"query">> => <<"abcb">>
}).
-define(SOURCE5, #{<<"type">> => <<"redis">>,
}).
-define(SOURCE5, #{
<<"type">> => <<"redis">>,
<<"redis_type">> => <<"single">>,
<<"enable">> => true,
<<"server">> => <<"127.0.0.1:27017">>,
@ -117,14 +128,16 @@ set_special_configs(_App) ->
<<"auto_reconnect">> => true,
<<"ssl">> => #{<<"enable">> => false},
<<"cmd">> => <<"HGETALL mqtt_authz:", ?PH_USERNAME/binary>>
}).
-define(SOURCE6, #{<<"type">> => <<"file">>,
}).
-define(SOURCE6, #{
<<"type">> => <<"file">>,
<<"enable">> => true,
<<"rules">> =>
<<"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}."
"\n{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}.">>
}).
<<
"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}."
"\n{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}."
>>
}).
%%------------------------------------------------------------------------------
%% Testcases
@ -139,13 +152,17 @@ t_update_source(_) ->
{ok, _} = emqx_authz:update(?CMD_APPEND, ?SOURCE5),
{ok, _} = emqx_authz:update(?CMD_APPEND, ?SOURCE6),
?assertMatch([ #{type := http, enable := true}
, #{type := mongodb, enable := true}
, #{type := mysql, enable := true}
, #{type := postgresql, enable := true}
, #{type := redis, enable := true}
, #{type := file, enable := true}
], emqx_conf:get([authorization, sources], [])),
?assertMatch(
[
#{type := http, enable := true},
#{type := mongodb, enable := true},
#{type := mysql, enable := true},
#{type := postgresql, enable := true},
#{type := redis, enable := true},
#{type := file, enable := true}
],
emqx_conf:get([authorization, sources], [])
),
{ok, _} = emqx_authz:update({?CMD_REPLACE, http}, ?SOURCE1#{<<"enable">> := true}),
{ok, _} = emqx_authz:update({?CMD_REPLACE, mongodb}, ?SOURCE2#{<<"enable">> := true}),
@ -161,73 +178,104 @@ t_update_source(_) ->
{ok, _} = emqx_authz:update({?CMD_REPLACE, redis}, ?SOURCE5#{<<"enable">> := false}),
{ok, _} = emqx_authz:update({?CMD_REPLACE, file}, ?SOURCE6#{<<"enable">> := false}),
?assertMatch([ #{type := http, enable := false}
, #{type := mongodb, enable := false}
, #{type := mysql, enable := false}
, #{type := postgresql, enable := false}
, #{type := redis, enable := false}
, #{type := file, enable := false}
], emqx_conf:get([authorization, sources], [])),
?assertMatch(
[
#{type := http, enable := false},
#{type := mongodb, enable := false},
#{type := mysql, enable := false},
#{type := postgresql, enable := false},
#{type := redis, enable := false},
#{type := file, enable := false}
],
emqx_conf:get([authorization, sources], [])
),
{ok, _} = emqx_authz:update(?CMD_REPLACE, []).
t_delete_source(_) ->
{ok, _} = emqx_authz:update(?CMD_REPLACE, [?SOURCE1]),
?assertMatch([ #{type := http, enable := true}
], emqx_conf:get([authorization, sources], [])),
?assertMatch([#{type := http, enable := true}], emqx_conf:get([authorization, sources], [])),
{ok, _} = emqx_authz:update({?CMD_DELETE, http}, #{}),
?assertMatch([], emqx_conf:get([authorization, sources], [])).
t_move_source(_) ->
{ok, _} = emqx_authz:update(?CMD_REPLACE,
[?SOURCE1, ?SOURCE2, ?SOURCE3,
?SOURCE4, ?SOURCE5, ?SOURCE6]),
?assertMatch([ #{type := http}
, #{type := mongodb}
, #{type := mysql}
, #{type := postgresql}
, #{type := redis}
, #{type := file}
], emqx_authz:lookup()),
{ok, _} = emqx_authz:update(
?CMD_REPLACE,
[
?SOURCE1,
?SOURCE2,
?SOURCE3,
?SOURCE4,
?SOURCE5,
?SOURCE6
]
),
?assertMatch(
[
#{type := http},
#{type := mongodb},
#{type := mysql},
#{type := postgresql},
#{type := redis},
#{type := file}
],
emqx_authz:lookup()
),
{ok, _} = emqx_authz:move(postgresql, ?CMD_MOVE_FRONT),
?assertMatch([ #{type := postgresql}
, #{type := http}
, #{type := mongodb}
, #{type := mysql}
, #{type := redis}
, #{type := file}
], emqx_authz:lookup()),
?assertMatch(
[
#{type := postgresql},
#{type := http},
#{type := mongodb},
#{type := mysql},
#{type := redis},
#{type := file}
],
emqx_authz:lookup()
),
{ok, _} = emqx_authz:move(http, ?CMD_MOVE_REAR),
?assertMatch([ #{type := postgresql}
, #{type := mongodb}
, #{type := mysql}
, #{type := redis}
, #{type := file}
, #{type := http}
], emqx_authz:lookup()),
?assertMatch(
[
#{type := postgresql},
#{type := mongodb},
#{type := mysql},
#{type := redis},
#{type := file},
#{type := http}
],
emqx_authz:lookup()
),
{ok, _} = emqx_authz:move(mysql, ?CMD_MOVE_BEFORE(postgresql)),
?assertMatch([ #{type := mysql}
, #{type := postgresql}
, #{type := mongodb}
, #{type := redis}
, #{type := file}
, #{type := http}
], emqx_authz:lookup()),
?assertMatch(
[
#{type := mysql},
#{type := postgresql},
#{type := mongodb},
#{type := redis},
#{type := file},
#{type := http}
],
emqx_authz:lookup()
),
{ok, _} = emqx_authz:move(mongodb, ?CMD_MOVE_AFTER(http)),
?assertMatch([ #{type := mysql}
, #{type := postgresql}
, #{type := redis}
, #{type := file}
, #{type := http}
, #{type := mongodb}
], emqx_authz:lookup()),
?assertMatch(
[
#{type := mysql},
#{type := postgresql},
#{type := redis},
#{type := file},
#{type := http},
#{type := mongodb}
],
emqx_authz:lookup()
),
ok.

304
apps/emqx_authz/test/emqx_authz_api_mnesia_SUITE.erl
View File

@ -33,15 +33,19 @@ groups() ->
init_per_suite(Config) ->
ok = emqx_common_test_helpers:start_apps(
[emqx_conf, emqx_authz, emqx_dashboard],
fun set_special_configs/1),
fun set_special_configs/1
),
Config.
end_per_suite(_Config) ->
{ok, _} = emqx:update_config(
[authorization],
#{<<"no_match">> => <<"allow">>,
#{
<<"no_match">> => <<"allow">>,
<<"cache">> => #{<<"enable">> => <<"true">>},
<<"sources">> => []}),
<<"sources">> => []
}
),
emqx_common_test_helpers:stop_apps([emqx_dashboard, emqx_authz, emqx_conf]),
ok.
@ -50,8 +54,10 @@ set_special_configs(emqx_dashboard) ->
set_special_configs(emqx_authz) ->
{ok, _} = emqx:update_config([authorization, cache, enable], false),
{ok, _} = emqx:update_config([authorization, no_match], deny),
{ok, _} = emqx:update_config([authorization, sources],
[#{<<"type">> => <<"built_in_database">>}]),
{ok, _} = emqx:update_config(
[authorization, sources],
[#{<<"type">> => <<"built_in_database">>}]
),
ok;
set_special_configs(_App) ->
ok.
@ -62,176 +68,248 @@ set_special_configs(_App) ->
t_api(_) ->
{ok, 204, _} =
request( post
, uri(["authorization", "sources", "built_in_database", "username"])
, [?USERNAME_RULES_EXAMPLE]),
request(
post,
uri(["authorization", "sources", "built_in_database", "username"]),
[?USERNAME_RULES_EXAMPLE]
),
{ok, 200, Request1} =
request( get
, uri(["authorization", "sources", "built_in_database", "username"])
, []),
#{<<"data">> := [#{<<"username">> := <<"user1">>, <<"rules">> := Rules1}],
<<"meta">> := #{<<"count">> := 1,
request(
get,
uri(["authorization", "sources", "built_in_database", "username"]),
[]
),
#{
<<"data">> := [#{<<"username">> := <<"user1">>, <<"rules">> := Rules1}],
<<"meta">> := #{
<<"count">> := 1,
<<"limit">> := 100,
<<"page">> := 1}} = jsx:decode(Request1),
<<"page">> := 1
}
} = jsx:decode(Request1),
?assertEqual(3, length(Rules1)),
{ok, 200, Request1_1} =
request( get
, uri([ "authorization"
, "sources"
, "built_in_database"
, "username?page=1&limit=20&like_username=noexist"])
, []),
#{<<"data">> := [],
<<"meta">> := #{<<"count">> := 0,
request(
get,
uri([
"authorization",
"sources",
"built_in_database",
"username?page=1&limit=20&like_username=noexist"
]),
[]
),
#{
<<"data">> := [],
<<"meta">> := #{
<<"count">> := 0,
<<"limit">> := 20,
<<"page">> := 1}} = jsx:decode(Request1_1),
<<"page">> := 1
}
} = jsx:decode(Request1_1),
{ok, 200, Request2} =
request( get
, uri(["authorization", "sources", "built_in_database", "username", "user1"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "username", "user1"]),
[]
),
#{<<"username">> := <<"user1">>, <<"rules">> := Rules1} = jsx:decode(Request2),
{ok, 204, _} =
request( put
, uri(["authorization", "sources", "built_in_database", "username", "user1"])
, ?USERNAME_RULES_EXAMPLE#{rules => []}),
request(
put,
uri(["authorization", "sources", "built_in_database", "username", "user1"]),
?USERNAME_RULES_EXAMPLE#{rules => []}
),
{ok, 200, Request3} =
request( get
, uri(["authorization", "sources", "built_in_database", "username", "user1"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "username", "user1"]),
[]
),
#{<<"username">> := <<"user1">>, <<"rules">> := Rules2} = jsx:decode(Request3),
?assertEqual(0, length(Rules2)),
{ok, 204, _} =
request( delete
, uri(["authorization", "sources", "built_in_database", "username", "user1"])
, []),
request(
delete,
uri(["authorization", "sources", "built_in_database", "username", "user1"]),
[]
),
{ok, 404, _} =
request( get
, uri(["authorization", "sources", "built_in_database", "username", "user1"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "username", "user1"]),
[]
),
{ok, 404, _} =
request( delete
, uri(["authorization", "sources", "built_in_database", "username", "user1"])
, []),
request(
delete,
uri(["authorization", "sources", "built_in_database", "username", "user1"]),
[]
),
{ok, 204, _} =
request( post
, uri(["authorization", "sources", "built_in_database", "clientid"])
, [?CLIENTID_RULES_EXAMPLE]),
request(
post,
uri(["authorization", "sources", "built_in_database", "clientid"]),
[?CLIENTID_RULES_EXAMPLE]
),
{ok, 200, Request4} =
request( get
, uri(["authorization", "sources", "built_in_database", "clientid"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "clientid"]),
[]
),
{ok, 200, Request5} =
request( get
, uri(["authorization", "sources", "built_in_database", "clientid", "client1"])
, []),
#{<<"data">> := [#{<<"clientid">> := <<"client1">>, <<"rules">> := Rules3}],
<<"meta">> := #{<<"count">> := 1, <<"limit">> := 100, <<"page">> := 1}}
= jsx:decode(Request4),
request(
get,
uri(["authorization", "sources", "built_in_database", "clientid", "client1"]),
[]
),
#{
<<"data">> := [#{<<"clientid">> := <<"client1">>, <<"rules">> := Rules3}],
<<"meta">> := #{<<"count">> := 1, <<"limit">> := 100, <<"page">> := 1}
} =
jsx:decode(Request4),
#{<<"clientid">> := <<"client1">>, <<"rules">> := Rules3} = jsx:decode(Request5),
?assertEqual(3, length(Rules3)),
{ok, 204, _} =
request( put
, uri(["authorization", "sources", "built_in_database", "clientid", "client1"])
, ?CLIENTID_RULES_EXAMPLE#{rules => []}),
request(
put,
uri(["authorization", "sources", "built_in_database", "clientid", "client1"]),
?CLIENTID_RULES_EXAMPLE#{rules => []}
),
{ok, 200, Request6} =
request( get
, uri(["authorization", "sources", "built_in_database", "clientid", "client1"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "clientid", "client1"]),
[]
),
#{<<"clientid">> := <<"client1">>, <<"rules">> := Rules4} = jsx:decode(Request6),
?assertEqual(0, length(Rules4)),
{ok, 204, _} =
request( delete
, uri(["authorization", "sources", "built_in_database", "clientid", "client1"])
, []),
request(
delete,
uri(["authorization", "sources", "built_in_database", "clientid", "client1"]),
[]
),
{ok, 404, _} =
request( get
, uri(["authorization", "sources", "built_in_database", "clientid", "client1"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "clientid", "client1"]),
[]
),
{ok, 404, _} =
request( delete
, uri(["authorization", "sources", "built_in_database", "clientid", "client1"])
, []),
request(
delete,
uri(["authorization", "sources", "built_in_database", "clientid", "client1"]),
[]
),
{ok, 204, _} =
request( post
, uri(["authorization", "sources", "built_in_database", "all"])
, ?ALL_RULES_EXAMPLE),
request(
post,
uri(["authorization", "sources", "built_in_database", "all"]),
?ALL_RULES_EXAMPLE
),
{ok, 200, Request7} =
request( get
, uri(["authorization", "sources", "built_in_database", "all"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "all"]),
[]
),
#{<<"rules">> := Rules5} = jsx:decode(Request7),
?assertEqual(3, length(Rules5)),
{ok, 204, _} =
request( post
, uri(["authorization", "sources", "built_in_database", "all"])
request(
post,
uri(["authorization", "sources", "built_in_database", "all"]),
, ?ALL_RULES_EXAMPLE#{rules => []}),
?ALL_RULES_EXAMPLE#{rules => []}
),
{ok, 200, Request8} =
request( get
, uri(["authorization", "sources", "built_in_database", "all"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "all"]),
[]
),
#{<<"rules">> := Rules6} = jsx:decode(Request8),
?assertEqual(0, length(Rules6)),
{ok, 204, _} =
request( post
, uri(["authorization", "sources", "built_in_database", "username"])
, [ #{username => erlang:integer_to_binary(N), rules => []}
|| N <- lists:seq(1, 20) ]),
request(
post,
uri(["authorization", "sources", "built_in_database", "username"]),
[
#{username => erlang:integer_to_binary(N), rules => []}
|| N <- lists:seq(1, 20)
]
),
{ok, 200, Request9} =
request( get
, uri(["authorization", "sources", "built_in_database", "username?page=2&limit=5"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "username?page=2&limit=5"]),
[]
),
#{<<"data">> := Data1} = jsx:decode(Request9),
?assertEqual(5, length(Data1)),
{ok, 204, _} =
request( post
, uri(["authorization", "sources", "built_in_database", "clientid"])
, [ #{clientid => erlang:integer_to_binary(N), rules => []}
|| N <- lists:seq(1, 20) ]),
request(
post,
uri(["authorization", "sources", "built_in_database", "clientid"]),
[
#{clientid => erlang:integer_to_binary(N), rules => []}
|| N <- lists:seq(1, 20)
]
),
{ok, 200, Request10} =
request( get
, uri(["authorization", "sources", "built_in_database", "clientid?limit=5"])
, []),
request(
get,
uri(["authorization", "sources", "built_in_database", "clientid?limit=5"]),
[]
),
#{<<"data">> := Data2} = jsx:decode(Request10),
?assertEqual(5, length(Data2)),
{ok, 400, Msg1} =
request( delete
, uri(["authorization", "sources", "built_in_database", "purge-all"])
, []),
request(
delete,
uri(["authorization", "sources", "built_in_database", "purge-all"]),
[]
),
?assertMatch({match, _}, re:run(Msg1, "must\sbe\sdisabled\sbefore")),
{ok, 204, _} =
request( put
, uri(["authorization", "sources", "built_in_database"])
, #{<<"enable">> => true, <<"type">> => <<"built_in_database">>}),
request(
put,
uri(["authorization", "sources", "built_in_database"]),
#{<<"enable">> => true, <<"type">> => <<"built_in_database">>}
),
%% test idempotence
{ok, 204, _} =
request( put
, uri(["authorization", "sources", "built_in_database"])
, #{<<"enable">> => true, <<"type">> => <<"built_in_database">>}),
request(
put,
uri(["authorization", "sources", "built_in_database"]),
#{<<"enable">> => true, <<"type">> => <<"built_in_database">>}
),
{ok, 204, _} =
request( put
, uri(["authorization", "sources", "built_in_database"])
, #{<<"enable">> => false, <<"type">> => <<"built_in_database">>}),
request(
put,
uri(["authorization", "sources", "built_in_database"]),
#{<<"enable">> => false, <<"type">> => <<"built_in_database">>}
),
{ok, 204, _} =
request( delete
, uri(["authorization", "sources", "built_in_database", "purge-all"])
, []),
request(
delete,
uri(["authorization", "sources", "built_in_database", "purge-all"]),
[]
),
?assertEqual(0, emqx_authz_mnesia:record_count()),
ok.

16
apps/emqx_authz/test/emqx_authz_api_settings_SUITE.erl
View File

@ -32,15 +32,19 @@ groups() ->
init_per_suite(Config) ->
ok = emqx_common_test_helpers:start_apps(
[emqx_conf, emqx_authz, emqx_dashboard],
fun set_special_configs/1),
fun set_special_configs/1
),
Config.
end_per_suite(_Config) ->
{ok, _} = emqx:update_config(
[authorization],
#{<<"no_match">> => <<"allow">>,
#{
<<"no_match">> => <<"allow">>,
<<"cache">> => #{<<"enable">> => <<"true">>},
<<"sources">> => []}),
<<"sources">> => []
}
),
ok = stop_apps([emqx_resource, emqx_connector]),
emqx_common_test_helpers:stop_apps([emqx_dashboard, emqx_authz, emqx_conf]),
ok.
@ -60,7 +64,8 @@ set_special_configs(_App) ->
%%------------------------------------------------------------------------------
t_api(_) ->
Settings1 = #{<<"no_match">> => <<"deny">>,
Settings1 = #{
<<"no_match">> => <<"deny">>,
<<"deny_action">> => <<"disconnect">>,
<<"cache">> => #{
<<"enable">> => false,
@ -73,7 +78,8 @@ t_api(_) ->
{ok, 200, Result1} = request(get, uri(["authorization", "settings"]), []),
?assertEqual(Settings1, jsx:decode(Result1)),
Settings2 = #{<<"no_match">> => <<"allow">>,
Settings2 = #{
<<"no_match">> => <<"allow">>,
<<"deny_action">> => <<"ignore">>,
<<"cache">> => #{
<<"enable">> => true,

324
apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl
View File

@ -29,14 +29,16 @@
-define(PGSQL_HOST, "pgsql").
-define(REDIS_SINGLE_HOST, "redis").
-define(SOURCE1, #{<<"type">> => <<"http">>,
-define(SOURCE1, #{
<<"type">> => <<"http">>,
<<"enable">> => true,
<<"url">> => <<"https://fake.com:443/acl?username=", ?PH_USERNAME/binary>>,
<<"headers">> => #{},
<<"method">> => <<"get">>,
<<"request_timeout">> => <<"5s">>
}).
-define(SOURCE2, #{<<"type">> => <<"mongodb">>,
}).
-define(SOURCE2, #{
<<"type">> => <<"mongodb">>,
<<"enable">> => true,
<<"mongo_type">> => <<"single">>,
<<"server">> => <<?MONGO_SINGLE_HOST>>,
@ -46,8 +48,9 @@
<<"ssl">> => #{<<"enable">> => false},
<<"collection">> => <<"fake">>,
<<"selector">> => #{<<"a">> => <<"b">>}
}).
-define(SOURCE3, #{<<"type">> => <<"mysql">>,
}).
-define(SOURCE3, #{
<<"type">> => <<"mysql">>,
<<"enable">> => true,
<<"server">> => <<?MYSQL_HOST>>,
<<"pool_size">> => 1,
@ -57,8 +60,9 @@
<<"auto_reconnect">> => true,
<<"ssl">> => #{<<"enable">> => false},
<<"query">> => <<"abcb">>
}).
-define(SOURCE4, #{<<"type">> => <<"postgresql">>,
}).
-define(SOURCE4, #{
<<"type">> => <<"postgresql">>,
<<"enable">> => true,
<<"server">> => <<?PGSQL_HOST>>,
<<"pool_size">> => 1,
@ -68,8 +72,9 @@
<<"auto_reconnect">> => true,
<<"ssl">> => #{<<"enable">> => false},
<<"query">> => <<"abcb">>
}).
-define(SOURCE5, #{<<"type">> => <<"redis">>,
}).
-define(SOURCE5, #{
<<"type">> => <<"redis">>,
<<"enable">> => true,
<<"servers">> => <<?REDIS_SINGLE_HOST, ",127.0.0.1:6380">>,
<<"pool_size">> => 1,
@ -78,13 +83,16 @@
<<"auto_reconnect">> => true,
<<"ssl">> => #{<<"enable">> => false},
<<"cmd">> => <<"HGETALL mqtt_authz:", ?PH_USERNAME/binary>>
}).
-define(SOURCE6, #{<<"type">> => <<"file">>,
}).
-define(SOURCE6, #{
<<"type">> => <<"file">>,
<<"enable">> => true,
<<"rules">> =>
<<"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}."
"\n{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}.">>
}).
<<
"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}."
"\n{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}."
>>
}).
-define(MATCH_RSA_KEY, <<"-----BEGIN RSA PRIVATE KEY", _/binary>>).
-define(MATCH_CERT, <<"-----BEGIN CERTIFICATE", _/binary>>).
@ -99,30 +107,32 @@ init_per_suite(Config) ->
ok = stop_apps([emqx_resource, emqx_connector]),
meck:new(emqx_resource, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_resource, create_local, fun(_, _, _, _) -> {ok, meck_data} end),
meck:expect(emqx_resource, create_dry_run_local,
fun(emqx_connector_mysql, _) -> ok;
(emqx_connector_mongo, _) -> ok;
(T, C) -> meck:passthrough([T, C])
end),
meck:expect(emqx_resource, health_check, fun(St) -> {ok, St} end),
meck:expect(emqx_resource, remove_local, fun(_) -> ok end ),
meck:expect(emqx_authz, acl_conf_file,
meck:expect(emqx_resource, remove_local, fun(_) -> ok end),
meck:expect(
emqx_authz,
acl_conf_file,
fun() ->
emqx_common_test_helpers:deps_path(emqx_authz, "etc/acl.conf")
end),
end
),
ok = emqx_common_test_helpers:start_apps(
[emqx_conf, emqx_authz, emqx_dashboard],
fun set_special_configs/1),
fun set_special_configs/1
),
ok = start_apps([emqx_resource, emqx_connector]),
Config.
end_per_suite(_Config) ->
{ok, _} = emqx:update_config(
[authorization],
#{<<"no_match">> => <<"allow">>,
#{
<<"no_match">> => <<"allow">>,
<<"cache">> => #{<<"enable">> => <<"true">>},
<<"sources">> => []}),
<<"sources">> => []
}
),
%% resource and connector should be stop first,
%% or authz_[mysql|pgsql|redis..]_SUITE would be failed
ok = stop_apps([emqx_resource, emqx_connector]),
@ -145,19 +155,24 @@ init_per_testcase(t_api, Config) ->
meck:expect(emqx_misc, gen_id, fun() -> "fake" end),
meck:new(emqx, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx, data_dir,
meck:expect(
emqx,
data_dir,
fun() ->
{data_dir, Data} = lists:keyfind(data_dir, 1, Config),
Data
end),
end
),
Config;
init_per_testcase(_, Config) -> Config.
init_per_testcase(_, Config) ->
Config.
end_per_testcase(t_api, _Config) ->
meck:unload(emqx_misc),
meck:unload(emqx),
ok;
end_per_testcase(_, _Config) -> ok.
end_per_testcase(_, _Config) ->
ok.
%%------------------------------------------------------------------------------
%% Testcases
@ -167,112 +182,153 @@ t_api(_) ->
{ok, 200, Result1} = request(get, uri(["authorization", "sources"]), []),
?assertEqual([], get_sources(Result1)),
[ begin {ok, 204, _} = request(post, uri(["authorization", "sources"]), Source) end
|| Source <- lists:reverse([?SOURCE2, ?SOURCE3, ?SOURCE4, ?SOURCE5, ?SOURCE6])],
[
begin
{ok, 204, _} = request(post, uri(["authorization", "sources"]), Source)
end
|| Source <- lists:reverse([?SOURCE2, ?SOURCE3, ?SOURCE4, ?SOURCE5, ?SOURCE6])
],
{ok, 204, _} = request(post, uri(["authorization", "sources"]), ?SOURCE1),
Snd = fun ({_, Val}) -> Val end,
Snd = fun({_, Val}) -> Val end,
LookupVal = fun LookupV(List, RestJson) ->
case List of
[Name] -> Snd(lists:keyfind(Name, 1, RestJson));
[Name | NS] -> LookupV(NS, Snd(lists:keyfind(Name, 1, RestJson)))
end
end,
EqualFun = fun (RList) ->
fun ({M, V}) ->
?assertEqual(V,
LookupVal([<<"metrics">>, M],
RList)
EqualFun = fun(RList) ->
fun({M, V}) ->
?assertEqual(
V,
LookupVal(
[<<"metrics">>, M],
RList
)
)
end
end,
AssertFun =
fun (ResultJson) ->
fun(ResultJson) ->
{ok, RList} = emqx_json:safe_decode(ResultJson),
MetricsList = [{<<"failed">>, 0},
MetricsList = [
{<<"failed">>, 0},
{<<"matched">>, 0},
{<<"rate">>, 0.0},
{<<"rate_last5m">>, 0.0},
{<<"rate_max">>, 0.0},
{<<"success">>, 0}],
{<<"success">>, 0}
],
lists:map(EqualFun(RList), MetricsList)
end,
{ok, 200, Result2} = request(get, uri(["authorization", "sources"]), []),
Sources = get_sources(Result2),
?assertMatch([ #{<<"type">> := <<"http">>}
, #{<<"type">> := <<"mongodb">>}
, #{<<"type">> := <<"mysql">>}
, #{<<"type">> := <<"postgresql">>}
, #{<<"type">> := <<"redis">>}
, #{<<"type">> := <<"file">>}
], Sources),
?assertMatch(
[
#{<<"type">> := <<"http">>},
#{<<"type">> := <<"mongodb">>},
#{<<"type">> := <<"mysql">>},
#{<<"type">> := <<"postgresql">>},
#{<<"type">> := <<"redis">>},
#{<<"type">> := <<"file">>}
],
Sources
),
?assert(filelib:is_file(emqx_authz:acl_conf_file())),
{ok, 204, _} = request(put, uri(["authorization", "sources", "http"]),
?SOURCE1#{<<"enable">> := false}),
{ok, 204, _} = request(
put,
uri(["authorization", "sources", "http"]),
?SOURCE1#{<<"enable">> := false}
),
{ok, 200, Result3} = request(get, uri(["authorization", "sources", "http"]), []),
?assertMatch(#{<<"type">> := <<"http">>, <<"enable">> := false}, jsx:decode(Result3)),
Keyfile = emqx_common_test_helpers:app_path(
emqx,
filename:join(["etc", "certs", "key.pem"])),
filename:join(["etc", "certs", "key.pem"])
),
Certfile = emqx_common_test_helpers:app_path(
emqx,
filename:join(["etc", "certs", "cert.pem"])),
filename:join(["etc", "certs", "cert.pem"])
),
Cacertfile = emqx_common_test_helpers:app_path(
emqx,
filename:join(["etc", "certs", "cacert.pem"])),
filename:join(["etc", "certs", "cacert.pem"])
),
{ok, 204, _} = request(put, uri(["authorization", "sources", "mongodb"]),
?SOURCE2#{<<"ssl">> => #{
{ok, 204, _} = request(
put,
uri(["authorization", "sources", "mongodb"]),
?SOURCE2#{
<<"ssl">> => #{
<<"enable">> => <<"true">>,
<<"cacertfile">> => Cacertfile,
<<"certfile">> => Certfile,
<<"keyfile">> => Keyfile,
<<"verify">> => <<"verify_none">>
}}),
}
}
),
{ok, 200, Result4} = request(get, uri(["authorization", "sources", "mongodb"]), []),
{ok, 200, Status4} = request(get, uri(["authorization", "sources", "mongodb", "status"]), []),
AssertFun(Status4),
?assertMatch(#{<<"type">> := <<"mongodb">>,
<<"ssl">> := #{<<"enable">> := <<"true">>,
?assertMatch(
#{
<<"type">> := <<"mongodb">>,
<<"ssl">> := #{
<<"enable">> := <<"true">>,
<<"cacertfile">> := ?MATCH_CERT,
<<"certfile">> := ?MATCH_CERT,
<<"keyfile">> := ?MATCH_RSA_KEY,
<<"verify">> := <<"verify_none">>
}
}, jsx:decode(Result4)),
},
jsx:decode(Result4)
),
{ok, Cacert} = file:read_file(Cacertfile),
{ok, Cert} = file:read_file(Certfile),
{ok, Key} = file:read_file(Keyfile),
{ok, 204, _} = request(put, uri(["authorization", "sources", "mongodb"]),
?SOURCE2#{<<"ssl">> => #{
{ok, 204, _} = request(
put,
uri(["authorization", "sources", "mongodb"]),
?SOURCE2#{
<<"ssl">> => #{
<<"enable">> => <<"true">>,
<<"cacertfile">> => Cacert,
<<"certfile">> => Cert,
<<"keyfile">> => Key,
<<"verify">> => <<"verify_none">>
}}),
}
}
),
{ok, 200, Result5} = request(get, uri(["authorization", "sources", "mongodb"]), []),
{ok, 200, Status5} = request(get, uri(["authorization", "sources", "mongodb", "status"]), []),
AssertFun(Status5),
?assertMatch(#{<<"type">> := <<"mongodb">>,
<<"ssl">> := #{<<"enable">> := <<"true">>,
?assertMatch(
#{
<<"type">> := <<"mongodb">>,
<<"ssl">> := #{
<<"enable">> := <<"true">>,
<<"cacertfile">> := ?MATCH_CERT,
<<"certfile">> := ?MATCH_CERT,
<<"keyfile">> := ?MATCH_RSA_KEY,
<<"verify">> := <<"verify_none">>
}
}, jsx:decode(Result5)),
},
jsx:decode(Result5)
),
#{ssl := #{cacertfile := SavedCacertfile,
#{
ssl := #{
cacertfile := SavedCacertfile,
certfile := SavedCertfile,
keyfile := SavedKeyfile
}} = emqx_authz:lookup(mongodb),
}
} = emqx_authz:lookup(mongodb),
?assert(filelib:is_file(SavedCacertfile)),
?assert(filelib:is_file(SavedCertfile)),
@ -281,25 +337,35 @@ t_api(_) ->
{ok, 204, _} = request(
put,
uri(["authorization", "sources", "mysql"]),
?SOURCE3#{<<"server">> := <<"192.168.1.100:3306">>}),
?SOURCE3#{<<"server">> := <<"192.168.1.100:3306">>}
),
{ok, 400, _} = request(
{ok, 204, _} = request(
put,
uri(["authorization", "sources", "postgresql"]),
?SOURCE4#{<<"server">> := <<"fake">>}),
{ok, 400, _} = request(
?SOURCE4#{<<"server">> := <<"fake">>}
),
{ok, 204, _} = request(
put,
uri(["authorization", "sources", "redis"]),
?SOURCE5#{<<"servers">> := [<<"192.168.1.100:6379">>,
<<"192.168.1.100:6380">>]}),
?SOURCE5#{
<<"servers">> := [
<<"192.168.1.100:6379">>,
<<"192.168.1.100:6380">>
]
}
),
lists:foreach(
fun(#{<<"type">> := Type}) ->
{ok, 204, _} = request(
delete,
uri(["authorization", "sources", binary_to_list(Type)]),
[])
end, Sources),
[]
)
end,
Sources
),
{ok, 200, Result6} = request(get, uri(["authorization", "sources"]), []),
?assertEqual([], get_sources(Result6)),
?assertEqual([], emqx:get_config([authorization, sources])),
@ -307,48 +373,80 @@ t_api(_) ->
t_move_source(_) ->
{ok, _} = emqx_authz:update(replace, [?SOURCE1, ?SOURCE2, ?SOURCE3, ?SOURCE4, ?SOURCE5]),
?assertMatch([ #{type := http}
, #{type := mongodb}
, #{type := mysql}
, #{type := postgresql}
, #{type := redis}
], emqx_authz:lookup()),
?assertMatch(
[
#{type := http},
#{type := mongodb},
#{type := mysql},
#{type := postgresql},
#{type := redis}
],
emqx_authz:lookup()
),
{ok, 204, _} = request(post, uri(["authorization", "sources", "postgresql", "move"]),
#{<<"position">> => <<"front">>}),
?assertMatch([ #{type := postgresql}
, #{type := http}
, #{type := mongodb}
, #{type := mysql}
, #{type := redis}
], emqx_authz:lookup()),
{ok, 204, _} = request(
post,
uri(["authorization", "sources", "postgresql", "move"]),
#{<<"position">> => <<"front">>}
),
?assertMatch(
[
#{type := postgresql},
#{type := http},
#{type := mongodb},
#{type := mysql},
#{type := redis}
],
emqx_authz:lookup()
),
{ok, 204, _} = request(post, uri(["authorization", "sources", "http", "move"]),
#{<<"position">> => <<"rear">>}),
?assertMatch([ #{type := postgresql}
, #{type := mongodb}
, #{type := mysql}
, #{type := redis}
, #{type := http}
], emqx_authz:lookup()),
{ok, 204, _} = request(
post,
uri(["authorization", "sources", "http", "move"]),
#{<<"position">> => <<"rear">>}
),
?assertMatch(
[
#{type := postgresql},
#{type := mongodb},
#{type := mysql},
#{type := redis},
#{type := http}
],
emqx_authz:lookup()
),
{ok, 204, _} = request(post, uri(["authorization", "sources", "mysql", "move"]),
#{<<"position">> => <<"before:postgresql">>}),
?assertMatch([ #{type := mysql}
, #{type := postgresql}
, #{type := mongodb}
, #{type := redis}
, #{type := http}
], emqx_authz:lookup()),
{ok, 204, _} = request(
post,
uri(["authorization", "sources", "mysql", "move"]),
#{<<"position">> => <<"before:postgresql">>}
),
?assertMatch(
[
#{type := mysql},
#{type := postgresql},
#{type := mongodb},
#{type := redis},
#{type := http}
],
emqx_authz:lookup()
),
{ok, 204, _} = request(post, uri(["authorization", "sources", "mongodb", "move"]),
#{<<"position">> => <<"after:http">>}),
?assertMatch([ #{type := mysql}
, #{type := postgresql}
, #{type := redis}
, #{type := http}
, #{type := mongodb}
], emqx_authz:lookup()),
{ok, 204, _} = request(
post,
uri(["authorization", "sources", "mongodb", "move"]),
#{<<"position">> => <<"after:http">>}
),
?assertMatch(
[
#{type := mysql},
#{type := postgresql},
#{type := redis},
#{type := http},
#{type := mongodb}
],
emqx_authz:lookup()
),
ok.

55
apps/emqx_authz/test/emqx_authz_file_SUITE.erl
View File

@ -22,12 +22,15 @@
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-define(RAW_SOURCE, #{<<"type">> => <<"file">>,
-define(RAW_SOURCE, #{
<<"type">> => <<"file">>,
<<"enable">> => true,
<<"rules">> =>
<<"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}."
"\n{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}.">>
}).
<<
"{allow,{username,\"^dashboard?\"},subscribe,[\"$SYS/#\"]}."
"\n{allow,{ipaddr,\"127.0.0.1\"},all,[\"$SYS/#\",\"#\"]}."
>>
}).
all() ->
emqx_common_test_helpers:all(?MODULE).
@ -38,12 +41,16 @@ groups() ->
init_per_suite(Config) ->
ok = emqx_common_test_helpers:start_apps(
[emqx_conf, emqx_authz],
fun set_special_configs/1),
fun set_special_configs/1
),
%% meck after authz started
meck:expect(emqx_authz, acl_conf_file,
meck:expect(
emqx_authz,
acl_conf_file,
fun() ->
emqx_common_test_helpers:deps_path(emqx_authz, "etc/acl.conf")
end),
end
),
Config.
end_per_suite(_Config) ->
@ -57,7 +64,6 @@ init_per_testcase(_TestCase, Config) ->
set_special_configs(emqx_authz) ->
ok = emqx_authz_test_lib:reset_authorizers();
set_special_configs(_) ->
ok.
@ -66,43 +72,55 @@ set_special_configs(_) ->
%%------------------------------------------------------------------------------
t_ok(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = setup_config(?RAW_SOURCE#{<<"rules">> => <<"{allow, {user, \"username\"}, publish, [\"t\"]}.">>}),
ok = setup_config(?RAW_SOURCE#{
<<"rules">> => <<"{allow, {user, \"username\"}, publish, [\"t\"]}.">>
}),
io:format("~p", [emqx_authz:acl_conf_file()]),
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
),
?assertEqual(
deny,
emqx_access_control:authorize(ClientInfo, subscribe, <<"t">>)).
emqx_access_control:authorize(ClientInfo, subscribe, <<"t">>)
).
t_invalid_file(_Config) ->
?assertMatch(
{error, bad_acl_file_content},
emqx_authz:update(?CMD_REPLACE, [?RAW_SOURCE#{<<"rules">> => <<"{{invalid term">>}])).
emqx_authz:update(?CMD_REPLACE, [?RAW_SOURCE#{<<"rules">> => <<"{{invalid term">>}])
).
t_update(_Config) ->
ok = setup_config(?RAW_SOURCE#{<<"rules">> => <<"{allow, {user, \"username\"}, publish, [\"t\"]}.">>}),
ok = setup_config(?RAW_SOURCE#{
<<"rules">> => <<"{allow, {user, \"username\"}, publish, [\"t\"]}.">>
}),
?assertMatch(
{error, _},
emqx_authz:update(
{?CMD_REPLACE, file},
?RAW_SOURCE#{<<"rules">> => <<"{{invalid term">>})),
?RAW_SOURCE#{<<"rules">> => <<"{{invalid term">>}
)
),
?assertMatch(
{ok, _},
emqx_authz:update(
{?CMD_REPLACE, file}, ?RAW_SOURCE)).
{?CMD_REPLACE, file}, ?RAW_SOURCE
)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -111,7 +129,8 @@ t_update(_Config) ->
setup_config(SpecialParams) ->
emqx_authz_test_lib:setup_config(
?RAW_SOURCE,
SpecialParams).
SpecialParams
).
stop_apps(Apps) ->
lists:foreach(fun application:stop/1, Apps).

180
apps/emqx_authz/test/emqx_authz_http_SUITE.erl
View File

@ -45,7 +45,6 @@ end_per_suite(_Config) ->
set_special_configs(emqx_authz) ->
ok = emqx_authz_test_lib:reset_authorizers();
set_special_configs(_) ->
ok.
@ -62,9 +61,10 @@ end_per_testcase(_Case, _Config) ->
%%------------------------------------------------------------------------------
t_response_handling(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -75,7 +75,8 @@ t_response_handling(_Config) ->
Req = cowboy_req:reply(200, Req0),
{ok, Req, State}
end,
#{}),
#{}
),
allow = emqx_access_control:authorize(ClientInfo, publish, <<"t">>),
@ -86,14 +87,17 @@ t_response_handling(_Config) ->
200,
#{<<"content-type">> => <<"text/plain">>},
"Response body",
Req0),
Req0
),
{ok, Req, State}
end,
#{}),
#{}
),
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
),
%% OK, get, 204
ok = setup_handler_and_config(
@ -101,11 +105,13 @@ t_response_handling(_Config) ->
Req = cowboy_req:reply(204, Req0),
{ok, Req, State}
end,
#{}),
#{}
),
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
),
%% Not OK, get, 400
ok = setup_handler_and_config(
@ -113,11 +119,13 @@ t_response_handling(_Config) ->
Req = cowboy_req:reply(400, Req0),
{ok, Req, State}
end,
#{}),
#{}
),
?assertEqual(
deny,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
),
%% Not OK, get, 400 + body & headers
ok = setup_handler_and_config(
@ -126,19 +134,23 @@ t_response_handling(_Config) ->
400,
#{<<"content-type">> => <<"text/plain">>},
"Response body",
Req0),
Req0
),
{ok, Req, State}
end,
#{}),
#{}
),
?assertEqual(
deny,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)).
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
).
t_query_params(_Config) ->
ok = setup_handler_and_config(
fun(Req0, State) ->
#{username := <<"user name">>,
#{
username := <<"user name">>,
clientid := <<"client id">>,
peerhost := <<"127.0.0.1">>,
proto_name := <<"MQTT">>,
@ -146,30 +158,38 @@ t_query_params(_Config) ->
topic := <<"t">>,
action := <<"publish">>
} = cowboy_req:match_qs(
[username,
[
username,
clientid,
peerhost,
proto_name,
mountpoint,
topic,
action],
Req0),
action
],
Req0
),
Req = cowboy_req:reply(200, Req0),
{ok, Req, State}
end,
#{<<"url">> => <<"http://127.0.0.1:33333/authz/users/?"
#{
<<"url">> => <<
"http://127.0.0.1:33333/authz/users/?"
"username=${username}&"
"clientid=${clientid}&"
"peerhost=${peerhost}&"
"proto_name=${proto_name}&"
"mountpoint=${mountpoint}&"
"topic=${topic}&"
"action=${action}">>
}),
"action=${action}"
>>
}
),
ClientInfo = #{clientid => <<"client id">>,
ClientInfo = #{
clientid => <<"client id">>,
username => <<"user name">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
protocol => <<"MQTT">>,
mountpoint => <<"MOUNTPOINT">>,
zone => default,
@ -178,43 +198,53 @@ t_query_params(_Config) ->
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)).
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
).
t_json_body(_Config) ->
ok = setup_handler_and_config(
fun(Req0, State) ->
?assertEqual(
<<"/authz/users/">>,
cowboy_req:path(Req0)),
cowboy_req:path(Req0)
),
{ok, RawBody, Req1} = cowboy_req:read_body(Req0),
?assertMatch(
#{<<"username">> := <<"user name">>,
#{
<<"username">> := <<"user name">>,
<<"CLIENT">> := <<"client id">>,
<<"peerhost">> := <<"127.0.0.1">>,
<<"proto_name">> := <<"MQTT">>,
<<"mountpoint">> := <<"MOUNTPOINT">>,
<<"topic">> := <<"t">>,
<<"action">> := <<"publish">>},
jiffy:decode(RawBody, [return_maps])),
<<"action">> := <<"publish">>
},
jiffy:decode(RawBody, [return_maps])
),
Req = cowboy_req:reply(200, Req1),
{ok, Req, State}
end,
#{<<"method">> => <<"post">>,
<<"body">> => #{<<"username">> => <<"${username}">>,
#{
<<"method">> => <<"post">>,
<<"body">> => #{
<<"username">> => <<"${username}">>,
<<"CLIENT">> => <<"${clientid}">>,
<<"peerhost">> => <<"${peerhost}">>,
<<"proto_name">> => <<"${proto_name}">>,
<<"mountpoint">> => <<"${mountpoint}">>,
<<"topic">> => <<"${topic}">>,
<<"action">> => <<"${action}">>}
}),
<<"action">> => <<"${action}">>
}
}
),
ClientInfo = #{clientid => <<"client id">>,
ClientInfo = #{
clientid => <<"client id">>,
username => <<"user name">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
protocol => <<"MQTT">>,
mountpoint => <<"MOUNTPOINT">>,
zone => default,
@ -223,45 +253,54 @@ t_json_body(_Config) ->
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)).
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
).
t_form_body(_Config) ->
ok = setup_handler_and_config(
fun(Req0, State) ->
?assertEqual(
<<"/authz/users/">>,
cowboy_req:path(Req0)),
cowboy_req:path(Req0)
),
{ok, [{PostVars, true}], Req1} = cowboy_req:read_urlencoded_body(Req0),
?assertMatch(
#{<<"username">> := <<"user name">>,
#{
<<"username">> := <<"user name">>,
<<"clientid">> := <<"client id">>,
<<"peerhost">> := <<"127.0.0.1">>,
<<"proto_name">> := <<"MQTT">>,
<<"mountpoint">> := <<"MOUNTPOINT">>,
<<"topic">> := <<"t">>,
<<"action">> := <<"publish">>},
jiffy:decode(PostVars, [return_maps])),
<<"action">> := <<"publish">>
},
jiffy:decode(PostVars, [return_maps])
),
Req = cowboy_req:reply(200, Req1),
{ok, Req, State}
end,
#{<<"method">> => <<"post">>,
<<"body">> => #{<<"username">> => <<"${username}">>,
#{
<<"method">> => <<"post">>,
<<"body">> => #{
<<"username">> => <<"${username}">>,
<<"clientid">> => <<"${clientid}">>,
<<"peerhost">> => <<"${peerhost}">>,
<<"proto_name">> => <<"${proto_name}">>,
<<"mountpoint">> => <<"${mountpoint}">>,
<<"topic">> => <<"${topic}">>,
<<"action">> => <<"${action}">>},
<<"action">> => <<"${action}">>
},
<<"headers">> => #{<<"content-type">> => <<"application/x-www-form-urlencoded">>}
}),
}
),
ClientInfo = #{clientid => <<"client id">>,
ClientInfo = #{
clientid => <<"client id">>,
username => <<"user name">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
protocol => <<"MQTT">>,
mountpoint => <<"MOUNTPOINT">>,
zone => default,
@ -270,13 +309,14 @@ t_form_body(_Config) ->
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)).
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
).
t_create_replace(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -287,40 +327,35 @@ t_create_replace(_Config) ->
Req = cowboy_req:reply(200, Req0),
{ok, Req, State}
end,
#{<<"url">> =>
<<"http://127.0.0.1:33333/authz/users/?topic=${topic}&action=${action}">>}),
#{
<<"url">> =>
<<"http://127.0.0.1:33333/authz/users/?topic=${topic}&action=${action}">>
}
),
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)),
%% Changing to other bad config does not work
BadConfig = maps:merge(
raw_http_authz_config(),
#{<<"url">> =>
<<"http://127.0.0.1:33332/authz/users/?topic=${topic}&action=${action}">>}),
?assertMatch(
{error, _},
emqx_authz:update({?CMD_REPLACE, http}, BadConfig)),
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
),
%% Changing to valid config
OkConfig = maps:merge(
raw_http_authz_config(),
#{<<"url">> =>
<<"http://127.0.0.1:33333/authz/users/?topic=${topic}&action=${action}">>}),
#{
<<"url">> =>
<<"http://127.0.0.1:33333/authz/users/?topic=${topic}&action=${action}">>
}
),
?assertMatch(
{ok, _},
emqx_authz:update({?CMD_REPLACE, http}, OkConfig)),
emqx_authz:update({?CMD_REPLACE, http}, OkConfig)
),
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)).
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -339,7 +374,8 @@ setup_handler_and_config(Handler, Config) ->
ok = emqx_authz_http_test_server:set_handler(Handler),
ok = emqx_authz_test_lib:setup_config(
raw_http_authz_config(),
Config).
Config
).
start_apps(Apps) ->
lists:foreach(fun application:ensure_all_started/1, Apps).

18
apps/emqx_authz/test/emqx_authz_http_test_server.erl
View File

@ -26,10 +26,11 @@
-export([init/1]).
% API
-export([start_link/2,
-export([
start_link/2,
stop/0,
set_handler/1
]).
]).
%%------------------------------------------------------------------------------
%% API
@ -53,9 +54,12 @@ init([Port, Path]) ->
Dispatch = cowboy_router:compile(
[
{'_', [{Path, ?MODULE, []}]}
]),
TransOpts = #{socket_opts => [{port, Port}],
connection_type => supervisor},
]
),
TransOpts = #{
socket_opts => [{port, Port}],
connection_type => supervisor
},
ProtoOpts = #{env => #{dispatch => Dispatch}},
Tab = ets:new(?MODULE, [set, named_table, public]),
@ -81,6 +85,6 @@ default_handler(Req0, State) ->
400,
#{<<"content-type">> => <<"text/plain">>},
<<"">>,
Req0),
Req0
),
{ok, Req, State}.

41
apps/emqx_authz/test/emqx_authz_mnesia_SUITE.erl
View File

@ -30,7 +30,8 @@ groups() ->
init_per_suite(Config) ->
ok = emqx_common_test_helpers:start_apps(
[emqx_conf, emqx_authz],
fun set_special_configs/1),
fun set_special_configs/1
),
Config.
end_per_suite(_Config) ->
@ -47,7 +48,6 @@ end_per_testcase(_TestCase, _Config) ->
set_special_configs(emqx_authz) ->
ok = emqx_authz_test_lib:reset_authorizers();
set_special_configs(_) ->
ok.
@ -64,9 +64,10 @@ t_all_topic_rules(_Config) ->
ok = test_topic_rules(all).
test_topic_rules(Key) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -82,41 +83,50 @@ test_topic_rules(Key) ->
ok = emqx_authz_test_lib:test_deny_topic_rules(ClientInfo, SetupSamples).
t_normalize_rules(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = emqx_authz_mnesia:store_rules(
{username, <<"username">>},
[{allow, publish, "t"}]),
[{allow, publish, "t"}]
),
?assertEqual(
allow,
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"t">>)
),
?assertException(
error,
{invalid_rule, _},
emqx_authz_mnesia:store_rules(
{username, <<"username">>},
[[allow, publish, <<"t">>]])),
[[allow, publish, <<"t">>]]
)
),
?assertException(
error,
{invalid_rule_action, _},
emqx_authz_mnesia:store_rules(
{username, <<"username">>},
[{allow, pub, <<"t">>}])),
[{allow, pub, <<"t">>}]
)
),
?assertException(
error,
{invalid_rule_permission, _},
emqx_authz_mnesia:store_rules(
{username, <<"username">>},
[{accept, publish, <<"t">>}])).
[{accept, publish, <<"t">>}]
)
).
%%------------------------------------------------------------------------------
%% Helpers
@ -136,11 +146,14 @@ setup_client_samples(ClientInfo, Samples, Key) ->
fun(Topic) ->
{binary_to_atom(Permission), binary_to_atom(Action), Topic}
end,
Topics)
Topics
)
end,
Samples),
Samples
),
#{username := Username, clientid := ClientId} = ClientInfo,
Who = case Key of
Who =
case Key of
username -> {username, Username};
clientid -> {clientid, ClientId};
all -> all

119
apps/emqx_authz/test/emqx_authz_mongodb_SUITE.erl
View File

@ -54,7 +54,6 @@ end_per_suite(_Config) ->
set_special_configs(emqx_authz) ->
ok = emqx_authz_test_lib:reset_authorizers();
set_special_configs(_) ->
ok.
@ -72,9 +71,10 @@ end_per_testcase(_TestCase, _Config) ->
%%------------------------------------------------------------------------------
t_topic_rules(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -87,104 +87,137 @@ t_topic_rules(_Config) ->
t_complex_selector(_) ->
%% atom and string values also supported
ClientInfo = #{clientid => clientid,
ClientInfo = #{
clientid => clientid,
username => "username",
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
Samples = [#{<<"x">> => #{<<"u">> => <<"username">>,
Samples = [
#{
<<"x">> => #{
<<"u">> => <<"username">>,
<<"c">> => [#{<<"c">> => <<"clientid">>}],
<<"y">> => 1},
<<"y">> => 1
},
<<"permission">> => <<"allow">>,
<<"action">> => <<"publish">>,
<<"topics">> => [<<"t">>]
}],
}
],
ok = setup_samples(Samples),
ok = setup_config(
#{<<"selector">> => #{<<"x">> => #{<<"u">> => <<"${username}">>,
#{
<<"selector">> => #{
<<"x">> => #{
<<"u">> => <<"${username}">>,
<<"c">> => [#{<<"c">> => <<"${clientid}">>}],
<<"y">> => 1}
<<"y">> => 1
}
}),
}
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, publish, <<"t">>}]).
[{allow, publish, <<"t">>}]
).
t_mongo_error(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = setup_samples([]),
ok = setup_config(
#{<<"selector">> => #{<<"$badoperator">> => <<"$badoperator">>}}),
#{<<"selector">> => #{<<"$badoperator">> => <<"$badoperator">>}}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{deny, publish, <<"t">>}]).
[{deny, publish, <<"t">>}]
).
t_lookups(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
cn => <<"cn">>,
dn => <<"dn">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ByClientid = #{<<"clientid">> => <<"clientid">>,
ByClientid = #{
<<"clientid">> => <<"clientid">>,
<<"topics">> => [<<"a">>],
<<"action">> => <<"all">>,
<<"permission">> => <<"allow">>},
<<"permission">> => <<"allow">>
},
ok = setup_samples([ByClientid]),
ok = setup_config(
#{<<"selector">> => #{<<"clientid">> => <<"${clientid}">>}}),
#{<<"selector">> => #{<<"clientid">> => <<"${clientid}">>}}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
ByPeerhost = #{<<"peerhost">> => <<"127.0.0.1">>,
ByPeerhost = #{
<<"peerhost">> => <<"127.0.0.1">>,
<<"topics">> => [<<"a">>],
<<"action">> => <<"all">>,
<<"permission">> => <<"allow">>},
<<"permission">> => <<"allow">>
},
ok = setup_samples([ByPeerhost]),
ok = setup_config(
#{<<"selector">> => #{<<"peerhost">> => <<"${peerhost}">>}}),
#{<<"selector">> => #{<<"peerhost">> => <<"${peerhost}">>}}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]).
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
).
t_bad_selector(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
cn => <<"cn">>,
dn => <<"dn">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = setup_config(
#{<<"selector">> => #{<<"$in">> => #{<<"a">> => 1}}}),
#{<<"selector">> => #{<<"$in">> => #{<<"a">> => 1}}}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{deny, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]).
[
{deny, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
).
%%------------------------------------------------------------------------------
%% Helpers
@ -202,16 +235,21 @@ setup_client_samples(ClientInfo, Samples) ->
#{username := Username} = ClientInfo,
Records = lists:map(
fun(Sample) ->
#{topics := Topics,
#{
topics := Topics,
permission := Permission,
action := Action} = Sample,
action := Action
} = Sample,
#{<<"topics">> => Topics,
#{
<<"topics">> => Topics,
<<"permission">> => Permission,
<<"action">> => Action,
<<"username">> => Username}
<<"username">> => Username
}
end,
Samples),
Samples
),
setup_samples(Records),
setup_config(#{<<"selector">> => #{<<"username">> => <<"${username}">>}}).
@ -222,7 +260,8 @@ reset_samples() ->
setup_config(SpecialParams) ->
emqx_authz_test_lib:setup_config(
raw_mongo_authz_config(),
SpecialParams).
SpecialParams
).
raw_mongo_authz_config() ->
#{
@ -238,7 +277,7 @@ raw_mongo_authz_config() ->
}.
mongo_server() ->
iolist_to_binary(io_lib:format("~s",[?MONGO_HOST])).
iolist_to_binary(io_lib:format("~s", [?MONGO_HOST])).
mongo_config() ->
[

231
apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl
View File

@ -46,7 +46,8 @@ init_per_suite(Config) ->
?RESOURCE_GROUP,
emqx_connector_mysql,
mysql_config(),
#{}),
#{}
),
Config;
false ->
{skip, no_mysql}
@ -64,7 +65,6 @@ init_per_testcase(_TestCase, Config) ->
set_special_configs(emqx_authz) ->
ok = emqx_authz_test_lib:reset_authorizers();
set_special_configs(_) ->
ok.
@ -73,9 +73,10 @@ set_special_configs(_) ->
%%------------------------------------------------------------------------------
t_topic_rules(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -86,13 +87,13 @@ t_topic_rules(_Config) ->
ok = emqx_authz_test_lib:test_deny_topic_rules(ClientInfo, fun setup_client_samples/2).
t_lookups(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
cn => <<"cn">>,
dn => <<"dn">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -100,113 +101,176 @@ t_lookups(_Config) ->
%% by clientid
ok = init_table(),
ok = q(<<"INSERT INTO acl(clientid, topic, permission, action)"
"VALUES(?, ?, ?, ?)">>,
[<<"clientid">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = q(
<<
"INSERT INTO acl(clientid, topic, permission, action)"
"VALUES(?, ?, ?, ?)"
>>,
[<<"clientid">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
%% by peerhost
ok = init_table(),
ok = q(<<"INSERT INTO acl(peerhost, topic, permission, action)"
"VALUES(?, ?, ?, ?)">>,
[<<"127.0.0.1">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = q(
<<
"INSERT INTO acl(peerhost, topic, permission, action)"
"VALUES(?, ?, ?, ?)"
>>,
[<<"127.0.0.1">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE peerhost = ${peerhost}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE peerhost = ${peerhost}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
%% by cn
ok = init_table(),
ok = q(<<"INSERT INTO acl(cn, topic, permission, action)"
"VALUES(?, ?, ?, ?)">>,
[<<"cn">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = q(
<<
"INSERT INTO acl(cn, topic, permission, action)"
"VALUES(?, ?, ?, ?)"
>>,
[<<"cn">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE cn = ${cert_common_name}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE cn = ${cert_common_name}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
%% by dn
ok = init_table(),
ok = q(<<"INSERT INTO acl(dn, topic, permission, action)"
"VALUES(?, ?, ?, ?)">>,
[<<"dn">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = q(
<<
"INSERT INTO acl(dn, topic, permission, action)"
"VALUES(?, ?, ?, ?)"
>>,
[<<"dn">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE dn = ${cert_subject}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE dn = ${cert_subject}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]).
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
).
t_mysql_error(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = setup_config(
#{<<"query">> => <<"SOME INVALID STATEMENT">>}),
#{<<"query">> => <<"SOME INVALID STATEMENT">>}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{deny, subscribe, <<"a">>}]).
[{deny, subscribe, <<"a">>}]
).
t_create_invalid(_Config) ->
BadConfig = maps:merge(
raw_mysql_authz_config(),
#{<<"server">> => <<"255.255.255.255:33333">>}),
#{<<"server">> => <<"255.255.255.255:33333">>}
),
{ok, _} = emqx_authz:update(?CMD_REPLACE, [BadConfig]),
[_] = emqx_authz:lookup().
t_nonbinary_values(_Config) ->
ClientInfo = #{clientid => clientid,
ClientInfo = #{
clientid => clientid,
username => "username",
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = init_table(),
ok = q(<<"INSERT INTO acl(clientid, username, topic, permission, action)"
"VALUES(?, ?, ?, ?, ?)">>,
[<<"clientid">>, <<"username">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = q(
<<
"INSERT INTO acl(clientid, username, topic, permission, action)"
"VALUES(?, ?, ?, ?, ?)"
>>,
[<<"clientid">>, <<"username">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid} AND username = ${username}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid} AND username = ${username}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]).
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
).
%%------------------------------------------------------------------------------
%% Helpers
@ -221,8 +285,10 @@ raw_mysql_authz_config() ->
<<"username">> => <<"root">>,
<<"password">> => <<"public">>,
<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}">>,
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}"
>>,
<<"server">> => mysql_server()
}.
@ -230,24 +296,28 @@ raw_mysql_authz_config() ->
q(Sql) ->
emqx_resource:query(
?MYSQL_RESOURCE,
{sql, Sql}).
{sql, Sql}
).
q(Sql, Params) ->
emqx_resource:query(
?MYSQL_RESOURCE,
{sql, Sql, Params}).
{sql, Sql, Params}
).
init_table() ->
ok = drop_table(),
ok = q("CREATE TABLE acl(
username VARCHAR(255),
clientid VARCHAR(255),
peerhost VARCHAR(255),
cn VARCHAR(255),
dn VARCHAR(255),
topic VARCHAR(255),
permission VARCHAR(255),
action VARCHAR(255))").
ok = q(
"CREATE TABLE acl(\n"
" username VARCHAR(255),\n"
" clientid VARCHAR(255),\n"
" peerhost VARCHAR(255),\n"
" cn VARCHAR(255),\n"
" dn VARCHAR(255),\n"
" topic VARCHAR(255),\n"
" permission VARCHAR(255),\n"
" action VARCHAR(255))"
).
drop_table() ->
ok = q("DROP TABLE IF EXISTS acl").
@ -259,27 +329,40 @@ setup_client_samples(ClientInfo, Samples) ->
fun(#{topics := Topics, permission := Permission, action := Action}) ->
lists:foreach(
fun(Topic) ->
q(<<"INSERT INTO acl(username, topic, permission, action)"
"VALUES(?, ?, ?, ?)">>,
[Username, Topic, Permission, Action])
q(
<<
"INSERT INTO acl(username, topic, permission, action)"
"VALUES(?, ?, ?, ?)"
>>,
[Username, Topic, Permission, Action]
)
end,
Topics)
Topics
)
end,
Samples),
Samples
),
setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}">>}).
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}"
>>
}
).
setup_config(SpecialParams) ->
emqx_authz_test_lib:setup_config(
raw_mysql_authz_config(),
SpecialParams).
SpecialParams
).
mysql_server() ->
iolist_to_binary(io_lib:format("~s",[?MYSQL_HOST])).
iolist_to_binary(io_lib:format("~s", [?MYSQL_HOST])).
mysql_config() ->
#{auto_reconnect => true,
#{
auto_reconnect => true,
database => <<"mqtt">>,
username => <<"root">>,
password => <<"public">>,

237
apps/emqx_authz/test/emqx_authz_postgresql_SUITE.erl
View File

@ -46,7 +46,8 @@ init_per_suite(Config) ->
?RESOURCE_GROUP,
emqx_connector_pgsql,
pgsql_config(),
#{}),
#{}
),
Config;
false ->
{skip, no_pgsql}
@ -64,7 +65,6 @@ init_per_testcase(_TestCase, Config) ->
set_special_configs(emqx_authz) ->
ok = emqx_authz_test_lib:reset_authorizers();
set_special_configs(_) ->
ok.
@ -73,9 +73,10 @@ set_special_configs(_) ->
%%------------------------------------------------------------------------------
t_topic_rules(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -86,13 +87,13 @@ t_topic_rules(_Config) ->
ok = emqx_authz_test_lib:test_deny_topic_rules(ClientInfo, fun setup_client_samples/2).
t_lookups(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
cn => <<"cn">>,
dn => <<"dn">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -100,114 +101,181 @@ t_lookups(_Config) ->
%% by clientid
ok = init_table(),
ok = insert(<<"INSERT INTO acl(clientid, topic, permission, action)"
"VALUES($1, $2, $3, $4)">>,
[<<"clientid">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = insert(
<<
"INSERT INTO acl(clientid, topic, permission, action)"
"VALUES($1, $2, $3, $4)"
>>,
[<<"clientid">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
%% by peerhost
ok = init_table(),
ok = insert(<<"INSERT INTO acl(peerhost, topic, permission, action)"
"VALUES($1, $2, $3, $4)">>,
[<<"127.0.0.1">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = insert(
<<
"INSERT INTO acl(peerhost, topic, permission, action)"
"VALUES($1, $2, $3, $4)"
>>,
[<<"127.0.0.1">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE peerhost = ${peerhost}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE peerhost = ${peerhost}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
%% by cn
ok = init_table(),
ok = insert(<<"INSERT INTO acl(cn, topic, permission, action)"
"VALUES($1, $2, $3, $4)">>,
[<<"cn">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = insert(
<<
"INSERT INTO acl(cn, topic, permission, action)"
"VALUES($1, $2, $3, $4)"
>>,
[<<"cn">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE cn = ${cert_common_name}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE cn = ${cert_common_name}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
%% by dn
ok = init_table(),
ok = insert(<<"INSERT INTO acl(dn, topic, permission, action)"
"VALUES($1, $2, $3, $4)">>,
[<<"dn">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = insert(
<<
"INSERT INTO acl(dn, topic, permission, action)"
"VALUES($1, $2, $3, $4)"
>>,
[<<"dn">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE dn = ${cert_subject}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE dn = ${cert_subject}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]).
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
).
t_pgsql_error(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${username}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${username}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{deny, subscribe, <<"a">>}]).
[{deny, subscribe, <<"a">>}]
).
t_create_invalid(_Config) ->
BadConfig = maps:merge(
raw_pgsql_authz_config(),
#{<<"server">> => <<"255.255.255.255:33333">>}),
#{<<"server">> => <<"255.255.255.255:33333">>}
),
{ok, _} = emqx_authz:update(?CMD_REPLACE, [BadConfig]),
[_] = emqx_authz:lookup().
t_nonbinary_values(_Config) ->
ClientInfo = #{clientid => clientid,
ClientInfo = #{
clientid => clientid,
username => "username",
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ok = init_table(),
ok = insert(<<"INSERT INTO acl(clientid, username, topic, permission, action)"
"VALUES($1, $2, $3, $4, $5)">>,
[<<"clientid">>, <<"username">>, <<"a">>, <<"allow">>, <<"subscribe">>]),
ok = insert(
<<
"INSERT INTO acl(clientid, username, topic, permission, action)"
"VALUES($1, $2, $3, $4, $5)"
>>,
[<<"clientid">>, <<"username">>, <<"a">>, <<"allow">>, <<"subscribe">>]
),
ok = setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid} AND username = ${username}">>}),
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE clientid = ${clientid} AND username = ${username}"
>>
}
),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]).
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
).
%%------------------------------------------------------------------------------
%% Helpers
@ -222,8 +290,10 @@ raw_pgsql_authz_config() ->
<<"username">> => <<"root">>,
<<"password">> => <<"public">>,
<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}">>,
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}"
>>,
<<"server">> => pgsql_server()
}.
@ -231,25 +301,29 @@ raw_pgsql_authz_config() ->
q(Sql) ->
emqx_resource:query(
?PGSQL_RESOURCE,
{query, Sql}).
{query, Sql}
).
insert(Sql, Params) ->
{ok, _} = emqx_resource:query(
?PGSQL_RESOURCE,
{query, Sql, Params}),
{query, Sql, Params}
),
ok.
init_table() ->
ok = drop_table(),
{ok, _, _} = q("CREATE TABLE acl(
username VARCHAR(255),
clientid VARCHAR(255),
peerhost VARCHAR(255),
cn VARCHAR(255),
dn VARCHAR(255),
topic VARCHAR(255),
permission VARCHAR(255),
action VARCHAR(255))"),
{ok, _, _} = q(
"CREATE TABLE acl(\n"
" username VARCHAR(255),\n"
" clientid VARCHAR(255),\n"
" peerhost VARCHAR(255),\n"
" cn VARCHAR(255),\n"
" dn VARCHAR(255),\n"
" topic VARCHAR(255),\n"
" permission VARCHAR(255),\n"
" action VARCHAR(255))"
),
ok.
drop_table() ->
@ -263,27 +337,40 @@ setup_client_samples(ClientInfo, Samples) ->
fun(#{topics := Topics, permission := Permission, action := Action}) ->
lists:foreach(
fun(Topic) ->
insert(<<"INSERT INTO acl(username, topic, permission, action)"
"VALUES($1, $2, $3, $4)">>,
[Username, Topic, Permission, Action])
insert(
<<
"INSERT INTO acl(username, topic, permission, action)"
"VALUES($1, $2, $3, $4)"
>>,
[Username, Topic, Permission, Action]
)
end,
Topics)
Topics
)
end,
Samples),
Samples
),
setup_config(
#{<<"query">> => <<"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}">>}).
#{
<<"query">> => <<
"SELECT permission, action, topic "
"FROM acl WHERE username = ${username}"
>>
}
).
setup_config(SpecialParams) ->
emqx_authz_test_lib:setup_config(
raw_pgsql_authz_config(),
SpecialParams).
SpecialParams
).
pgsql_server() ->
iolist_to_binary(io_lib:format("~s",[?PGSQL_HOST])).
iolist_to_binary(io_lib:format("~s", [?PGSQL_HOST])).
pgsql_config() ->
#{auto_reconnect => true,
#{
auto_reconnect => true,
database => <<"mqtt">>,
username => <<"root">>,
password => <<"public">>,

110
apps/emqx_authz/test/emqx_authz_redis_SUITE.erl
View File

@ -47,7 +47,8 @@ init_per_suite(Config) ->
?RESOURCE_GROUP,
emqx_connector_redis,
redis_config(),
#{}),
#{}
),
Config;
false ->
{skip, no_redis}
@ -65,19 +66,18 @@ init_per_testcase(_TestCase, Config) ->
set_special_configs(emqx_authz) ->
ok = emqx_authz_test_lib:reset_authorizers();
set_special_configs(_) ->
ok.
%%------------------------------------------------------------------------------
%% Tests
%%------------------------------------------------------------------------------
t_topic_rules(_Config) ->
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -86,85 +86,107 @@ t_topic_rules(_Config) ->
ok = emqx_authz_test_lib:test_allow_topic_rules(ClientInfo, fun setup_client_samples/2).
t_lookups(_Config) ->
ClientInfo = #{clientid => <<"client id">>,
ClientInfo = #{
clientid => <<"client id">>,
cn => <<"cn">>,
dn => <<"dn">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ByClientid = #{<<"mqtt_user:client id">> =>
#{<<"a">> => <<"all">>}},
ByClientid = #{
<<"mqtt_user:client id">> =>
#{<<"a">> => <<"all">>}
},
ok = setup_sample(ByClientid),
ok = setup_config(#{<<"cmd">> => <<"HGETALL mqtt_user:${clientid}">>}),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
ByPeerhost = #{<<"mqtt_user:127.0.0.1">> =>
#{<<"a">> => <<"all">>}},
ByPeerhost = #{
<<"mqtt_user:127.0.0.1">> =>
#{<<"a">> => <<"all">>}
},
ok = setup_sample(ByPeerhost),
ok = setup_config(#{<<"cmd">> => <<"HGETALL mqtt_user:${peerhost}">>}),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
ByCN = #{<<"mqtt_user:cn">> =>
#{<<"a">> => <<"all">>}},
ByCN = #{
<<"mqtt_user:cn">> =>
#{<<"a">> => <<"all">>}
},
ok = setup_sample(ByCN),
ok = setup_config(#{<<"cmd">> => <<"HGETALL mqtt_user:${cert_common_name}">>}),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]),
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
),
ByDN = #{<<"mqtt_user:dn">> =>
#{<<"a">> => <<"all">>}},
ByDN = #{
<<"mqtt_user:dn">> =>
#{<<"a">> => <<"all">>}
},
ok = setup_sample(ByDN),
ok = setup_config(#{<<"cmd">> => <<"HGETALL mqtt_user:${cert_subject}">>}),
ok = emqx_authz_test_lib:test_samples(
ClientInfo,
[{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}]).
[
{allow, subscribe, <<"a">>},
{deny, subscribe, <<"b">>}
]
).
t_create_invalid(_Config) ->
AuthzConfig = raw_redis_authz_config(),
InvalidConfigs =
[maps:without([<<"server">>], AuthzConfig),
[
maps:without([<<"server">>], AuthzConfig),
AuthzConfig#{<<"server">> => <<"unknownhost:3333">>},
AuthzConfig#{<<"password">> => <<"wrongpass">>},
AuthzConfig#{<<"database">> => <<"5678">>}],
AuthzConfig#{<<"database">> => <<"5678">>}
],
lists:foreach(
fun(Config) ->
{ok, _} = emqx_authz:update(?CMD_REPLACE, [Config]),
[_] = emqx_authz:lookup()
end,
InvalidConfigs).
InvalidConfigs
).
t_redis_error(_Config) ->
ok = setup_config(#{<<"cmd">> => <<"INVALID COMMAND">>}),
ClientInfo = #{clientid => <<"clientid">>,
ClientInfo = #{
clientid => <<"clientid">>,
username => <<"username">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
@ -183,25 +205,31 @@ setup_sample(AuthzData) ->
fun({TopicFilter, Action}) ->
q(["HSET", Key, TopicFilter, Action])
end,
maps:to_list(Values))
maps:to_list(Values)
)
end,
maps:to_list(AuthzData)).
maps:to_list(AuthzData)
).
setup_client_samples(ClientInfo, Samples) ->
#{username := Username} = ClientInfo,
Key = <<"mqtt_user:", Username/binary>>,
lists:foreach(
fun(Sample) ->
#{topics := Topics,
#{
topics := Topics,
permission := <<"allow">>,
action := Action} = Sample,
action := Action
} = Sample,
lists:foreach(
fun(Topic) ->
q(["HSET", Key, Topic, Action])
end,
Topics)
Topics
)
end,
Samples),
Samples
),
setup_config(#{}).
setup_config(SpecialParams) ->
@ -221,15 +249,17 @@ raw_redis_authz_config() ->
}.
redis_server() ->
iolist_to_binary(io_lib:format("~s",[?REDIS_HOST])).
iolist_to_binary(io_lib:format("~s", [?REDIS_HOST])).
q(Command) ->
emqx_resource:query(
?REDIS_RESOURCE,
{cmd, Command}).
{cmd, Command}
).
redis_config() ->
#{auto_reconnect => true,
#{
auto_reconnect => true,
database => 1,
pool_size => 8,
redis_type => single,

317
apps/emqx_authz/test/emqx_authz_rule_SUITE.erl
View File

@ -27,10 +27,14 @@
-define(SOURCE2, {allow, {ipaddr, "127.0.0.1"}, all, [{eq, "#"}, {eq, "+"}]}).
-define(SOURCE3, {allow, {ipaddrs, ["127.0.0.1", "192.168.1.0/24"]}, subscribe, [?PH_S_CLIENTID]}).
-define(SOURCE4, {allow, {'and', [{client, "test"}, {user, "test"}]}, publish, ["topic/test"]}).
-define(SOURCE5, {allow, {'or',
[{username, {re, "^test"}},
{clientid, {re, "test?"}}]},
publish, [?PH_S_USERNAME, ?PH_S_CLIENTID]}).
-define(SOURCE5,
{allow,
{'or', [
{username, {re, "^test"}},
{clientid, {re, "test?"}}
]},
publish, [?PH_S_USERNAME, ?PH_S_CLIENTID]}
).
all() ->
emqx_common_test_helpers:all(?MODULE).
@ -38,15 +42,19 @@ all() ->
init_per_suite(Config) ->
ok = emqx_common_test_helpers:start_apps(
[emqx_conf, emqx_authz],
fun set_special_configs/1),
fun set_special_configs/1
),
Config.
end_per_suite(_Config) ->
{ok, _} = emqx:update_config(
[authorization],
#{<<"no_match">> => <<"allow">>,
#{
<<"no_match">> => <<"allow">>,
<<"cache">> => #{<<"enable">> => <<"true">>},
<<"sources">> => []}),
<<"sources">> => []
}
),
emqx_common_test_helpers:stop_apps([emqx_authz, emqx_conf]),
ok.
@ -61,115 +69,242 @@ set_special_configs(_App) ->
t_compile(_) ->
?assertEqual({deny, all, all, [['#']]}, emqx_authz_rule:compile(?SOURCE1)),
?assertEqual({allow, {ipaddr, {{127,0,0,1}, {127,0,0,1}, 32}},
all, [{eq, ['#']}, {eq, ['+']}]}, emqx_authz_rule:compile(?SOURCE2)),
?assertEqual(
{allow, {ipaddr, {{127, 0, 0, 1}, {127, 0, 0, 1}, 32}}, all, [{eq, ['#']}, {eq, ['+']}]},
emqx_authz_rule:compile(?SOURCE2)
),
?assertEqual({allow,
{ipaddrs,[{{127,0,0,1},{127,0,0,1},32},
{{192,168,1,0},{192,168,1,255},24}]},
subscribe,
[{pattern,[?PH_CLIENTID]}]
}, emqx_authz_rule:compile(?SOURCE3)),
?assertEqual(
{allow,
{ipaddrs, [
{{127, 0, 0, 1}, {127, 0, 0, 1}, 32},
{{192, 168, 1, 0}, {192, 168, 1, 255}, 24}
]},
subscribe, [{pattern, [?PH_CLIENTID]}]},
emqx_authz_rule:compile(?SOURCE3)
),
?assertMatch({allow,
{'and', [{clientid, {eq, <<"test">>}}, {username, {eq, <<"test">>}}]},
publish,
[[<<"topic">>, <<"test">>]]
}, emqx_authz_rule:compile(?SOURCE4)),
?assertMatch(
{allow, {'and', [{clientid, {eq, <<"test">>}}, {username, {eq, <<"test">>}}]}, publish, [
[<<"topic">>, <<"test">>]
]},
emqx_authz_rule:compile(?SOURCE4)
),
?assertMatch({allow,
{'or', [{username, {re_pattern, _, _, _, _}},
{clientid, {re_pattern, _, _, _, _}}]},
publish, [{pattern, [?PH_USERNAME]}, {pattern, [?PH_CLIENTID]}]
}, emqx_authz_rule:compile(?SOURCE5)),
?assertMatch(
{allow,
{'or', [
{username, {re_pattern, _, _, _, _}},
{clientid, {re_pattern, _, _, _, _}}
]},
publish, [{pattern, [?PH_USERNAME]}, {pattern, [?PH_CLIENTID]}]},
emqx_authz_rule:compile(?SOURCE5)
),
ok.
t_match(_) ->
ClientInfo1 = #{clientid => <<"test">>,
ClientInfo1 = #{
clientid => <<"test">>,
username => <<"test">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ClientInfo2 = #{clientid => <<"test">>,
ClientInfo2 = #{
clientid => <<"test">>,
username => <<"test">>,
peerhost => {192,168,1,10},
peerhost => {192, 168, 1, 10},
zone => default,
listener => {tcp, default}
},
ClientInfo3 = #{clientid => <<"test">>,
ClientInfo3 = #{
clientid => <<"test">>,
username => <<"fake">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
ClientInfo4 = #{clientid => <<"fake">>,
ClientInfo4 = #{
clientid => <<"fake">>,
username => <<"test">>,
peerhost => {127,0,0,1},
peerhost => {127, 0, 0, 1},
zone => default,
listener => {tcp, default}
},
?assertEqual({matched, deny},
emqx_authz_rule:match(ClientInfo1, subscribe, <<"#">>,
emqx_authz_rule:compile(?SOURCE1))),
?assertEqual({matched, deny},
emqx_authz_rule:match(ClientInfo2, subscribe, <<"+">>,
emqx_authz_rule:compile(?SOURCE1))),
?assertEqual({matched, deny},
emqx_authz_rule:match(ClientInfo3, subscribe, <<"topic/test">>,
emqx_authz_rule:compile(?SOURCE1))),
?assertEqual(
{matched, deny},
emqx_authz_rule:match(
ClientInfo1,
subscribe,
<<"#">>,
emqx_authz_rule:compile(?SOURCE1)
)
),
?assertEqual(
{matched, deny},
emqx_authz_rule:match(
ClientInfo2,
subscribe,
<<"+">>,
emqx_authz_rule:compile(?SOURCE1)
)
),
?assertEqual(
{matched, deny},
emqx_authz_rule:match(
ClientInfo3,
subscribe,
<<"topic/test">>,
emqx_authz_rule:compile(?SOURCE1)
)
),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo1, subscribe, <<"#">>,
emqx_authz_rule:compile(?SOURCE2))),
?assertEqual(nomatch,
emqx_authz_rule:match(ClientInfo1, subscribe, <<"topic/test">>,
emqx_authz_rule:compile(?SOURCE2))),
?assertEqual(nomatch,
emqx_authz_rule:match(ClientInfo2, subscribe, <<"#">>,
emqx_authz_rule:compile(?SOURCE2))),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo1,
subscribe,
<<"#">>,
emqx_authz_rule:compile(?SOURCE2)
)
),
?assertEqual(
nomatch,
emqx_authz_rule:match(
ClientInfo1,
subscribe,
<<"topic/test">>,
emqx_authz_rule:compile(?SOURCE2)
)
),
?assertEqual(
nomatch,
emqx_authz_rule:match(
ClientInfo2,
subscribe,
<<"#">>,
emqx_authz_rule:compile(?SOURCE2)
)
),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo1, subscribe, <<"test">>,
emqx_authz_rule:compile(?SOURCE3))),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo2, subscribe, <<"test">>,
emqx_authz_rule:compile(?SOURCE3))),
?assertEqual(nomatch,
emqx_authz_rule:match(ClientInfo2, subscribe, <<"topic/test">>,
emqx_authz_rule:compile(?SOURCE3))),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo1,
subscribe,
<<"test">>,
emqx_authz_rule:compile(?SOURCE3)
)
),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo2,
subscribe,
<<"test">>,
emqx_authz_rule:compile(?SOURCE3)
)
),
?assertEqual(
nomatch,
emqx_authz_rule:match(
ClientInfo2,
subscribe,
<<"topic/test">>,
emqx_authz_rule:compile(?SOURCE3)
)
),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo1, publish, <<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4))),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo2, publish, <<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4))),
?assertEqual(nomatch,
emqx_authz_rule:match(ClientInfo3, publish, <<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4))),
?assertEqual(nomatch,
emqx_authz_rule:match(ClientInfo4, publish, <<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4))),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo1,
publish,
<<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4)
)
),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo2,
publish,
<<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4)
)
),
?assertEqual(
nomatch,
emqx_authz_rule:match(
ClientInfo3,
publish,
<<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4)
)
),
?assertEqual(
nomatch,
emqx_authz_rule:match(
ClientInfo4,
publish,
<<"topic/test">>,
emqx_authz_rule:compile(?SOURCE4)
)
),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo1, publish, <<"test">>,
emqx_authz_rule:compile(?SOURCE5))),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo2, publish, <<"test">>,
emqx_authz_rule:compile(?SOURCE5))),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo3, publish, <<"test">>,
emqx_authz_rule:compile(?SOURCE5))),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo3, publish, <<"fake">>,
emqx_authz_rule:compile(?SOURCE5))),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo4, publish, <<"test">>,
emqx_authz_rule:compile(?SOURCE5))),
?assertEqual({matched, allow},
emqx_authz_rule:match(ClientInfo4, publish, <<"fake">>,
emqx_authz_rule:compile(?SOURCE5))),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo1,
publish,
<<"test">>,
emqx_authz_rule:compile(?SOURCE5)
)
),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo2,
publish,
<<"test">>,
emqx_authz_rule:compile(?SOURCE5)
)
),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo3,
publish,
<<"test">>,
emqx_authz_rule:compile(?SOURCE5)
)
),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo3,
publish,
<<"fake">>,
emqx_authz_rule:compile(?SOURCE5)
)
),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo4,
publish,
<<"test">>,
emqx_authz_rule:compile(?SOURCE5)
)
),
?assertEqual(
{matched, allow},
emqx_authz_rule:match(
ClientInfo4,
publish,
<<"fake">>,
emqx_authz_rule:compile(?SOURCE5)
)
),
ok.

73
apps/emqx_authz/test/emqx_authz_test_lib.erl
View File

@ -33,9 +33,12 @@ restore_authorizers() ->
reset_authorizers(Nomatch, ChacheEnabled) ->
{ok, _} = emqx:update_config(
[authorization],
#{<<"no_match">> => atom_to_binary(Nomatch),
#{
<<"no_match">> => atom_to_binary(Nomatch),
<<"cache">> => #{<<"enable">> => atom_to_binary(ChacheEnabled)},
<<"sources">> => []}),
<<"sources">> => []
}
),
ok.
setup_config(BaseConfig, SpecialParams) ->
@ -50,15 +53,19 @@ test_samples(ClientInfo, Samples) ->
fun({Expected, Action, Topic}) ->
ct:pal(
"client_info: ~p, action: ~p, topic: ~p, expected: ~p",
[ClientInfo, Action, Topic, Expected]),
[ClientInfo, Action, Topic, Expected]
),
?assertEqual(
Expected,
emqx_access_control:authorize(
ClientInfo,
Action,
Topic))
Topic
)
)
end,
Samples).
Samples
).
test_no_topic_rules(ClientInfo, SetupSamples) ->
%% No rules
@ -68,30 +75,40 @@ test_no_topic_rules(ClientInfo, SetupSamples) ->
ok = test_samples(
ClientInfo,
[{deny, subscribe, <<"#">>},
[
{deny, subscribe, <<"#">>},
{deny, subscribe, <<"subs">>},
{deny, publish, <<"pub">>}]).
{deny, publish, <<"pub">>}
]
).
test_allow_topic_rules(ClientInfo, SetupSamples) ->
Samples = [#{
topics => [<<"eq testpub1/${username}">>,
Samples = [
#{
topics => [
<<"eq testpub1/${username}">>,
<<"testpub2/${clientid}">>,
<<"testpub3/#">>],
<<"testpub3/#">>
],
permission => <<"allow">>,
action => <<"publish">>
},
#{
topics => [<<"eq testsub1/${username}">>,
topics => [
<<"eq testsub1/${username}">>,
<<"testsub2/${clientid}">>,
<<"testsub3/#">>],
<<"testsub3/#">>
],
permission => <<"allow">>,
action => <<"subscribe">>
},
#{
topics => [<<"eq testall1/${username}">>,
topics => [
<<"eq testall1/${username}">>,
<<"testall2/${clientid}">>,
<<"testall3/#">>],
<<"testall3/#">>
],
permission => <<"allow">>,
action => <<"all">>
}
@ -103,7 +120,6 @@ test_allow_topic_rules(ClientInfo, SetupSamples) ->
ok = test_samples(
ClientInfo,
[
%% Publish rules
{deny, publish, <<"testpub1/username">>},
@ -114,7 +130,6 @@ test_allow_topic_rules(ClientInfo, SetupSamples) ->
{deny, publish, <<"testpub2/username">>},
{deny, publish, <<"testpub1/clientid">>},
{deny, subscribe, <<"testpub1/username">>},
{deny, subscribe, <<"testpub2/clientid">>},
{deny, subscribe, <<"testpub3/foobar">>},
@ -154,29 +169,36 @@ test_allow_topic_rules(ClientInfo, SetupSamples) ->
{deny, publish, <<"testall2/username">>},
{deny, publish, <<"testall1/clientid">>},
{deny, publish, <<"testall4/foobar">>}
]).
]
).
test_deny_topic_rules(ClientInfo, SetupSamples) ->
Samples = [
#{
topics => [<<"eq testpub1/${username}">>,
topics => [
<<"eq testpub1/${username}">>,
<<"testpub2/${clientid}">>,
<<"testpub3/#">>],
<<"testpub3/#">>
],
permission => <<"deny">>,
action => <<"publish">>
},
#{
topics => [<<"eq testsub1/${username}">>,
topics => [
<<"eq testsub1/${username}">>,
<<"testsub2/${clientid}">>,
<<"testsub3/#">>],
<<"testsub3/#">>
],
permission => <<"deny">>,
action => <<"subscribe">>
},
#{
topics => [<<"eq testall1/${username}">>,
topics => [
<<"eq testall1/${username}">>,
<<"testall2/${clientid}">>,
<<"testall3/#">>],
<<"testall3/#">>
],
permission => <<"deny">>,
action => <<"all">>
}
@ -188,7 +210,6 @@ test_deny_topic_rules(ClientInfo, SetupSamples) ->
ok = test_samples(
ClientInfo,
[
%% Publish rules
{allow, publish, <<"testpub1/username">>},
@ -199,7 +220,6 @@ test_deny_topic_rules(ClientInfo, SetupSamples) ->
{allow, publish, <<"testpub2/username">>},
{allow, publish, <<"testpub1/clientid">>},
{allow, subscribe, <<"testpub1/username">>},
{allow, subscribe, <<"testpub2/clientid">>},
{allow, subscribe, <<"testpub3/foobar">>},
@ -239,4 +259,5 @@ test_deny_topic_rules(ClientInfo, SetupSamples) ->
{allow, publish, <<"testall2/username">>},
{allow, publish, <<"testall1/clientid">>},
{allow, publish, <<"testall4/foobar">>}
]).
]
).

4
apps/emqx_dashboard/test/emqx_dashboard_api_test_helpers.erl
View File

@ -18,6 +18,7 @@
-export([set_default_config/0,
set_default_config/1,
request/2,
request/3,
request/4,
uri/0,
@ -39,6 +40,9 @@ set_default_config(DefaultUsername) ->
emqx_config:put([dashboard], Config),
ok.
request(Method, Url) ->
request(Method, Url, []).
request(Method, Url, Body) ->
request(<<"admin">>, Method, Url, Body).

4
apps/emqx_exhook/src/emqx_exhook.erl
View File

@ -33,7 +33,7 @@ cast(Hookpoint, Req) ->
cast(_, _, []) ->
ok;
cast(Hookpoint, Req, [ServerName|More]) ->
cast(Hookpoint, Req, [ServerName | More]) ->
%% XXX: Need a real asynchronous running
_ = emqx_exhook_server:call(Hookpoint, Req,
emqx_exhook_mgr:server(ServerName)),
@ -51,7 +51,7 @@ call_fold(Hookpoint, Req, AccFun) ->
call_fold(_, Req, _, []) ->
{ok, Req};
call_fold(Hookpoint, Req, AccFun, [ServerName|More]) ->
call_fold(Hookpoint, Req, AccFun, [ServerName | More]) ->
Server = emqx_exhook_mgr:server(ServerName),
case emqx_exhook_server:call(Hookpoint, Req, Server) of
{ok, Resp} ->

11
apps/emqx_exhook/src/emqx_exhook_metrics.erl
View File

@ -34,6 +34,7 @@
, window_rate :: integer()
}).
-type metrics() :: #metrics{}.
-type server_name() :: emqx_exhook_mgr:server_name().
-type hookpoint() :: emqx_exhook_server:hookpoint().
-type index() :: {server_name(), hookpoint()}.
@ -72,16 +73,16 @@ new_metric_info() ->
succeed(Server, Hook) ->
inc(Server, Hook, #metrics.succeed,
#metrics{ index = {Server, Hook}
, window_rate = 1
, succeed = 1
, window_rate = 0
, succeed = 0
}).
-spec failed(server_name(), hookpoint()) -> ok.
failed(Server, Hook) ->
inc(Server, Hook, #metrics.failed,
#metrics{ index = {Server, Hook}
, window_rate = 1
, failed = 1
, window_rate = 0
, failed = 0
}).
-spec update(pos_integer()) -> true.
@ -187,7 +188,7 @@ metrics_aggregate_by_key(Key, MetricsL) ->
%%--------------------------------------------------------------------
%%% Internal functions
%%--------------------------------------------------------------------
-spec inc(server_name(), hookpoint(), pos_integer(), #metrics{}) -> ok.
-spec inc(server_name(), hookpoint(), pos_integer(), metrics()) -> ok.
inc(Server, Hook, Pos, Default) ->
Index = {Server, Hook},
_ = ets:update_counter(?HOOKS_METRICS,

16
apps/emqx_exhook/src/emqx_exhook_server.erl
View File

@ -36,6 +36,9 @@
, failed_action/1
]).
-ifdef(TEST).
-export([hk2func/1]).
-endif.
-type server() :: #{%% Server name (equal to grpc client channel name)
name := binary(),
@ -105,7 +108,8 @@ load(Name, #{request_timeout := Timeout, failed_action := FailedAction} = Opts)
hookspec => HookSpecs,
prefix => Prefix }};
{error, _} = E ->
emqx_exhook_sup:stop_grpc_client_channel(Name), E
emqx_exhook_sup:stop_grpc_client_channel(Name),
E
end;
{error, _} = E -> E
end.
@ -287,12 +291,20 @@ match_topic_filter(_, []) ->
match_topic_filter(TopicName, TopicFilter) ->
lists:any(fun(F) -> emqx_topic:match(TopicName, F) end, TopicFilter).
-ifdef(TEST).
-define(CALL_PB_CLIENT(ChanneName, Fun, Req, Options),
apply(?PB_CLIENT_MOD, Fun, [Req, #{<<"channel">> => ChannName}, Options])).
-else.
-define(CALL_PB_CLIENT(ChanneName, Fun, Req, Options),
apply(?PB_CLIENT_MOD, Fun, [Req, Options])).
-endif.
-spec do_call(binary(), atom(), atom(), map(), map()) -> {ok, map()} | {error, term()}.
do_call(ChannName, Hookpoint, Fun, Req, ReqOpts) ->
Options = ReqOpts#{channel => ChannName},
?SLOG(debug, #{msg => "do_call", module => ?PB_CLIENT_MOD, function => Fun,
req => Req, options => Options}),
case catch apply(?PB_CLIENT_MOD, Fun, [Req, Options]) of
case catch ?CALL_PB_CLIENT(ChanneName, Fun, Req, Options) of
{ok, Resp, Metadata} ->
?SLOG(debug, #{msg => "do_call_ok", resp => Resp, metadata => Metadata}),
update_metrics(Hookpoint, ChannName, fun emqx_exhook_metrics:succeed/2),

5
apps/emqx_exhook/test/emqx_exhook_SUITE.erl
View File

@ -59,7 +59,7 @@ init_per_suite(Cfg) ->
meck:expect(emqx_alarm, deactivate, 3, ok),
_ = emqx_exhook_demo_svr:start(),
ok = emqx_common_test_helpers:load_config(emqx_exhook_schema, ?CONF_DEFAULT),
load_cfg(?CONF_DEFAULT),
emqx_common_test_helpers:start_apps([emqx_exhook]),
Cfg.
@ -86,6 +86,9 @@ end_per_testcase(_, Config) ->
end,
Config.
load_cfg(Cfg) ->
ok = emqx_common_test_helpers:load_config(emqx_exhook_schema, Cfg).
%%--------------------------------------------------------------------
%% Test cases
%%--------------------------------------------------------------------

220
apps/emqx_exhook/test/emqx_exhook_metrics_SUITE.erl Normal file
View File

@ -0,0 +1,220 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020-2022 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_exhook_metrics_SUITE).
-compile(export_all).
-compile(nowarn_export_all).
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-include_lib("emqx_exhook/include/emqx_exhook.hrl").
-define(SvrFun(SvrName, FuncName), {SvrName, FuncName}).
-define(TARGET_HOOK, 'message.publish').
-define(CONF, <<"
exhook {
servers = [
{ name = succed,
url = \"http://127.0.0.1:9000\"
},
{ name = failed,
failed_action = ignore,
url = \"http://127.0.0.1:9001\"
},
]
}
">>).
%%--------------------------------------------------------------------
%% Setups
%%--------------------------------------------------------------------
all() -> emqx_common_test_helpers:all(?MODULE).
init_per_suite(Cfg) ->
application:load(emqx_conf),
meck:new(emqx_exhook_mgr, [non_strict, passthrough, no_link]),
meck:new(emqx_exhook_demo_svr, [non_strict, passthrough, no_link]),
meck:expect(emqx_exhook_mgr, refresh_tick, fun() -> ok end),
init_injections(hook_injects()),
emqx_exhook_SUITE:load_cfg(?CONF),
_ = emqx_exhook_demo_svr:start(),
_ = emqx_exhook_demo_svr:start(failed, 9001),
emqx_common_test_helpers:start_apps([emqx_exhook]),
Cfg.
end_per_suite(Cfg) ->
meck:unload(emqx_exhook_demo_svr),
meck:unload(emqx_exhook_mgr),
emqx_exhook_demo_svr:stop(),
emqx_exhook_demo_svr:stop(failed),
emqx_common_test_helpers:stop_apps([emqx_exhook]).
init_per_testcase(_, Config) ->
clear_metrics(),
Config.
end_per_testcase(_, Config) ->
Config.
%%--------------------------------------------------------------------
%% Test cases
%%--------------------------------------------------------------------
t_servers_metrics(_Cfg) ->
Test = fun(C) ->
Repeat = fun() ->
emqtt:publish(C, <<"/exhook/metrics">>, <<>>, qos0)
end,
repeat(Repeat, 10)
end,
with_connection(Test),
timer:sleep(200),
SM = emqx_exhook_metrics:server_metrics(<<"succed">>),
?assertMatch(#{failed := 0, succeed := 10}, SM),
FM = emqx_exhook_metrics:server_metrics(<<"failed">>),
?assertMatch(#{failed := 10, succeed := 0}, FM),
SvrsM = emqx_exhook_metrics:servers_metrics(),
?assertEqual(SM, maps:get(<<"succed">>, SvrsM)),
?assertEqual(FM, maps:get(<<"failed">>, SvrsM)),
ok.
t_rate(_) ->
Test = fun(C) ->
Repeat = fun() ->
emqtt:publish(C, <<"/exhook/metrics">>, <<>>, qos0)
end,
repeat(Repeat, 5),
timer:sleep(200),
emqx_exhook_metrics:update(timer:seconds(1)),
SM = emqx_exhook_metrics:server_metrics(<<"succed">>),
?assertMatch(#{rate := 5, max_rate := 5}, SM),
repeat(Repeat, 6),
timer:sleep(200),
emqx_exhook_metrics:update(timer:seconds(1)),
SM2 = emqx_exhook_metrics:server_metrics(<<"succed">>),
?assertMatch(#{rate := 6, max_rate := 6}, SM2),
repeat(Repeat, 3),
timer:sleep(200),
emqx_exhook_metrics:update(timer:seconds(1)),
SM3 = emqx_exhook_metrics:server_metrics(<<"succed">>),
?assertMatch(#{rate := 3, max_rate := 6}, SM3)
end,
with_connection(Test),
ok.
t_hooks_metrics(_) ->
Test = fun(C) ->
Repeat = fun() ->
emqtt:publish(C, <<"/exhook/metrics">>, <<>>, qos0)
end,
repeat(Repeat, 5),
timer:sleep(200),
HM = emqx_exhook_metrics:hooks_metrics(<<"succed">>),
?assertMatch(#{'message.publish' :=
#{failed := 0, succeed := 5}}, HM)
end,
with_connection(Test),
ok.
t_on_server_deleted(_) ->
Test = fun(C) ->
Repeat = fun() ->
emqtt:publish(C, <<"/exhook/metrics">>, <<>>, qos0)
end,
repeat(Repeat, 10)
end,
with_connection(Test),
timer:sleep(200),
SM = emqx_exhook_metrics:server_metrics(<<"succed">>),
?assertMatch(#{failed := 0, succeed := 10}, SM),
emqx_exhook_metrics:on_server_deleted(<<"succed">>),
SM2 = emqx_exhook_metrics:server_metrics(<<"succed">>),
?assertMatch(#{failed := 0, succeed := 0}, SM2),
ok.
%%--------------------------------------------------------------------
%% Utils
%%--------------------------------------------------------------------
clear_metrics() ->
ets:delete_all_objects(?HOOKS_METRICS).
init_injections(Injects) ->
lists:map(fun({Name, _}) ->
Str = erlang:atom_to_list(Name),
case lists:prefix("on_", Str) of
true ->
Action = fun(Req, #{<<"channel">> := SvrName} = Md) ->
case maps:get(?SvrFun(SvrName, Name), Injects, undefined) of
undefined ->
meck:passthrough([Req, Md]);
Injection ->
Injection(Req, Md)
end
end,
meck:expect(emqx_exhook_demo_svr, Name, Action);
_ ->
false
end
end,
emqx_exhook_demo_svr:module_info(exports)).
hook_injects() ->
#{?SvrFun(<<"failed">>, emqx_exhook_server:hk2func(?TARGET_HOOK)) =>
fun(_Req, _Md) ->
{error, "Error due to test"}
end,
?SvrFun(<<"failed">>, on_provider_loaded) =>
fun(_Req, Md) ->
{ok, #{hooks => [#{name => <<"message.publish">>}]}, Md}
end,
?SvrFun(<<"succed">>, on_provider_loaded) =>
fun(_Req, Md) ->
{ok, #{hooks => [#{name => <<"message.publish">>}]}, Md}
end
}.
with_connection(Fun) ->
{ok, C} = emqtt:start_link([{host, "localhost"},
{port, 1883},
{username, <<"admin">>},
{clientid, <<"exhook_tester">>}]),
{ok, _} = emqtt:connect(C),
try
Fun(C)
catch Type:Error:Trace ->
emqtt:stop(C),
erlang:raise(Type, Error, Trace)
end.
repeat(_Fun, 0) ->
ok;
repeat(Fun, N) ->
Fun(),
repeat(Fun, N - 1).

15
apps/emqx_modules/src/emqx_delayed.erl
View File

@ -21,6 +21,7 @@
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/types.hrl").
-include_lib("emqx/include/logger.hrl").
-include_lib("snabbkaffe/include/snabbkaffe.hrl").
%% Mnesia bootstrap
-export([mnesia/1]).
@ -275,17 +276,13 @@ init([Opts]) ->
handle_call({set_max_delayed_messages, Max}, _From, State) ->
{reply, ok, State#{max_delayed_messages => Max}};
handle_call(
{store, DelayedMsg = #delayed_message{key = Key}},
_From,
State = #{max_delayed_messages := 0}
{store, DelayedMsg = #delayed_message{key = Key}}, _From, State = #{max_delayed_messages := 0}
) ->
ok = mria:dirty_write(?TAB, DelayedMsg),
emqx_metrics:inc('messages.delayed'),
{reply, ok, ensure_publish_timer(Key, State)};
handle_call(
{store, DelayedMsg = #delayed_message{key = Key}},
_From,
State = #{max_delayed_messages := Max}
{store, DelayedMsg = #delayed_message{key = Key}}, _From, State = #{max_delayed_messages := Max}
) ->
Size = mnesia:table_info(?TAB, size),
case Size >= Max of
@ -303,11 +300,11 @@ handle_call(disable, _From, State) ->
emqx_hooks:del('message.publish', {?MODULE, on_message_publish}),
{reply, ok, State};
handle_call(Req, _From, State) ->
?SLOG(error, #{msg => "unexpected_call", call => Req}),
?tp(error, emqx_delayed_unexpected_call, #{call => Req}),
{reply, ignored, State}.
handle_cast(Msg, State) ->
?SLOG(error, #{msg => "unexpected_cast", cast => Msg}),
?tp(error, emqx_delayed_unexpected_cast, #{cast => Msg}),
{noreply, State}.
%% Do Publish...
@ -320,7 +317,7 @@ handle_info(stats, State = #{stats_fun := StatsFun}) ->
StatsFun(delayed_count()),
{noreply, State#{stats_timer := StatsTimer}, hibernate};
handle_info(Info, State) ->
?SLOG(error, #{msg => "unexpected_info", info => Info}),
?tp(error, emqx_delayed_unexpected_info, #{info => Info}),
{noreply, State}.
terminate(_Reason, #{publish_timer := PublishTimer, stats_timer := StatsTimer}) ->

20
apps/emqx_modules/src/emqx_delayed_api.erl
View File

@ -24,7 +24,7 @@
-import(hoconsc, [mk/2, ref/1, ref/2]).
-define(MAX_PAYLOAD_LENGTH, 2048).
-define(PAYLOAD_TOO_LARGE, 'PAYLOAD_TOO_LARGE').
-define(PAYLOAD_TOO_LARGE, <<"PAYLOAD_TOO_LARGE">>).
-export([
status/2,
@ -49,8 +49,6 @@
-define(MESSAGE_ID_NOT_FOUND, 'MESSAGE_ID_NOT_FOUND').
-define(MESSAGE_ID_SCHEMA_ERROR, 'MESSAGE_ID_SCHEMA_ERROR').
-define(INVALID_NODE, 'INVALID_NODE').
%% 1MB = 1024 x 1024
-define(MAX_PAYLOAD_SIZE, 1048576).
api_spec() ->
emqx_dashboard_swagger:spec(?MODULE).
@ -106,7 +104,7 @@ schema("/mqtt/delayed/messages/:node/:msgid") ->
responses => #{
200 => ref("message_without_payload"),
400 => emqx_dashboard_swagger:error_codes(
[?MESSAGE_ID_SCHEMA_ERROR],
[?MESSAGE_ID_SCHEMA_ERROR, ?INVALID_NODE],
<<"Bad MsgId format">>
),
404 => emqx_dashboard_swagger:error_codes(
@ -129,7 +127,7 @@ schema("/mqtt/delayed/messages/:node/:msgid") ->
responses => #{
204 => <<"Delete delayed message success">>,
400 => emqx_dashboard_swagger:error_codes(
[?MESSAGE_ID_SCHEMA_ERROR],
[?MESSAGE_ID_SCHEMA_ERROR, ?INVALID_NODE],
<<"Bad MsgId format">>
),
404 => emqx_dashboard_swagger:error_codes(
@ -175,7 +173,7 @@ fields("message_without_payload") ->
];
fields("message") ->
PayloadDesc = io_lib:format(
"Payload, base64 encode. Payload will be ~p if length large than ~p",
"Payload, base64 encoded. Payload will be set to ~p if its length is larger than ~p",
[?PAYLOAD_TOO_LARGE, ?MAX_PAYLOAD_LENGTH]
),
fields("message_without_payload") ++
@ -193,7 +191,7 @@ delayed_messages(get, #{query_string := Qs}) ->
{200, emqx_delayed:cluster_list(Qs)}.
delayed_message(get, #{bindings := #{node := NodeBin, msgid := HexId}}) ->
MaybeNode = make_maybe(NodeBin, invalid_node, fun erlang:binary_to_atom/1),
MaybeNode = make_maybe(NodeBin, invalid_node, fun erlang:binary_to_existing_atom/1),
MaybeId = make_maybe(HexId, id_schema_error, fun emqx_guid:from_hexstr/1),
with_maybe(
[MaybeNode, MaybeId],
@ -201,14 +199,16 @@ delayed_message(get, #{bindings := #{node := NodeBin, msgid := HexId}}) ->
case emqx_delayed:get_delayed_message(Node, Id) of
{ok, Message} ->
Payload = maps:get(payload, Message),
case erlang:byte_size(Payload) > ?MAX_PAYLOAD_SIZE of
case erlang:byte_size(Payload) > ?MAX_PAYLOAD_LENGTH of
true ->
{200, Message};
{200, Message#{payload => ?PAYLOAD_TOO_LARGE}};
_ ->
{200, Message#{payload => base64:encode(Payload)}}
end;
{error, not_found} ->
{404, generate_http_code_map(not_found, Id)}
{404, generate_http_code_map(not_found, Id)};
{badrpc, _} ->
{400, generate_http_code_map(invalid_node, Id)}
end
end
);

6
apps/emqx_modules/src/emqx_topic_metrics.erl
View File

@ -21,6 +21,7 @@
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/logger.hrl").
-include_lib("emqx/include/emqx_mqtt.hrl").
-include_lib("snabbkaffe/include/snabbkaffe.hrl").
-export([
on_message_publish/1,
@ -212,6 +213,7 @@ init([Opts]) ->
error("max topic metrics quota exceeded")
end
end,
?tp(debug, emqx_topic_metrics_started, #{}),
{ok, #state{speeds = lists:foldl(Fun, #{}, Opts)}, hibernate}.
handle_call({register, Topic}, _From, State = #state{speeds = Speeds}) ->
@ -262,7 +264,7 @@ handle_call({get_rates, Topic, Metric}, _From, State = #state{speeds = Speeds})
end.
handle_cast(Msg, State) ->
?SLOG(error, #{msg => "unexpected_cast", cast => Msg}),
?tp(error, emqx_topic_metrics_unexpected_cast, #{cast => Msg}),
{noreply, State}.
handle_info(ticking, State = #state{speeds = Speeds}) ->
@ -278,7 +280,7 @@ handle_info(ticking, State = #state{speeds = Speeds}) ->
erlang:send_after(timer:seconds(?TICKING_INTERVAL), self(), ticking),
{noreply, State#state{speeds = NSpeeds}};
handle_info(Info, State) ->
?SLOG(error, #{msg => "unexpected_info", info => Info}),
?tp(error, emqx_topic_metrics_unexpected_info, #{info => Info}),
{noreply, State}.
terminate(_Reason, _State) ->

8
apps/emqx_modules/src/proto/emqx_delayed_proto_v1.erl
View File

@ -31,9 +31,9 @@ introduced_in() ->
-spec get_delayed_message(node(), binary()) ->
emqx_delayed:with_id_return(map()) | emqx_rpc:badrpc().
get_delayed_message(Node, HexId) ->
rpc:call(Node, emqx_delayed, get_delayed_message, [HexId]).
get_delayed_message(Node, Id) ->
rpc:call(Node, emqx_delayed, get_delayed_message, [Id]).
-spec delete_delayed_message(node(), binary()) -> emqx_delayed:with_id_return() | emqx_rpc:badrpc().
delete_delayed_message(Node, HexId) ->
rpc:call(Node, emqx_delayed, delete_delayed_message, [HexId]).
delete_delayed_message(Node, Id) ->
rpc:call(Node, emqx_delayed, delete_delayed_message, [Id]).

104
apps/emqx_modules/test/emqx_delayed_SUITE.erl
View File

@ -43,6 +43,16 @@ init_per_suite(Config) ->
end_per_suite(_) ->
emqx_common_test_helpers:stop_apps([emqx_modules]).
init_per_testcase(t_load_case, Config) ->
Config;
init_per_testcase(_Case, Config) ->
{atomic, ok} = mria:clear_table(emqx_delayed),
ok = emqx_delayed:enable(),
Config.
end_per_testcase(_Case, _Config) ->
ok = emqx_delayed:disable().
%%--------------------------------------------------------------------
%% Test cases
%%--------------------------------------------------------------------
@ -57,7 +67,6 @@ t_load_case(_) ->
ok.
t_delayed_message(_) ->
ok = emqx_delayed:enable(),
DelayedMsg = emqx_message:make(?MODULE, 1, <<"$delayed/1/publish">>, <<"delayed_m">>),
?assertEqual(
{stop, DelayedMsg#message{topic = <<"publish">>, headers = #{allow_publish => false}}},
@ -67,11 +76,94 @@ t_delayed_message(_) ->
Msg = emqx_message:make(?MODULE, 1, <<"no_delayed_msg">>, <<"no_delayed">>),
?assertEqual({ok, Msg}, on_message_publish(Msg)),
[Key] = mnesia:dirty_all_keys(emqx_delayed),
[#delayed_message{msg = #message{payload = Payload}}] = mnesia:dirty_read({emqx_delayed, Key}),
[#delayed_message{msg = #message{payload = Payload}}] = ets:tab2list(emqx_delayed),
?assertEqual(<<"delayed_m">>, Payload),
timer:sleep(5000),
ct:sleep(2000),
EmptyKey = mnesia:dirty_all_keys(emqx_delayed),
?assertEqual([], EmptyKey),
ok = emqx_delayed:disable().
?assertEqual([], EmptyKey).
t_delayed_message_abs_time(_) ->
Ts0 = integer_to_binary(erlang:system_time(second) + 1),
DelayedMsg0 = emqx_message:make(
?MODULE, 1, <<"$delayed/", Ts0/binary, "/publish">>, <<"delayed_abs">>
),
_ = on_message_publish(DelayedMsg0),
?assertMatch(
[#delayed_message{msg = #message{payload = <<"delayed_abs">>}}],
ets:tab2list(emqx_delayed)
),
ct:sleep(2000),
?assertMatch(
[],
ets:tab2list(emqx_delayed)
),
Ts1 = integer_to_binary(erlang:system_time(second) + 10000000),
DelayedMsg1 = emqx_message:make(
?MODULE, 1, <<"$delayed/", Ts1/binary, "/publish">>, <<"delayed_abs">>
),
?assertError(
invalid_delayed_timestamp,
on_message_publish(DelayedMsg1)
).
t_list(_) ->
Ts0 = integer_to_binary(erlang:system_time(second) + 1),
DelayedMsg0 = emqx_message:make(
?MODULE, 1, <<"$delayed/", Ts0/binary, "/publish">>, <<"delayed_abs">>
),
_ = on_message_publish(DelayedMsg0),
?assertMatch(
#{data := [#{topic := <<"publish">>}]},
emqx_delayed:list(#{})
).
t_max(_) ->
emqx_delayed:set_max_delayed_messages(1),
DelayedMsg0 = emqx_message:make(?MODULE, 1, <<"$delayed/10/t0">>, <<"delayed0">>),
DelayedMsg1 = emqx_message:make(?MODULE, 1, <<"$delayed/10/t1">>, <<"delayed1">>),
_ = on_message_publish(DelayedMsg0),
_ = on_message_publish(DelayedMsg1),
?assertMatch(
#{data := [#{topic := <<"t0">>}]},
emqx_delayed:list(#{})
).
t_cluster(_) ->
DelayedMsg = emqx_message:make(?MODULE, 1, <<"$delayed/1/publish">>, <<"delayed">>),
Id = emqx_message:id(DelayedMsg),
_ = on_message_publish(DelayedMsg),
?assertMatch(
{ok, _},
emqx_delayed_proto_v1:get_delayed_message(node(), Id)
),
?assertEqual(
emqx_delayed:get_delayed_message(Id),
emqx_delayed_proto_v1:get_delayed_message(node(), Id)
),
ok = emqx_delayed_proto_v1:delete_delayed_message(node(), Id),
?assertMatch(
{error, _},
emqx_delayed:get_delayed_message(Id)
).
t_unknown_messages(_) ->
OldPid = whereis(emqx_delayed),
OldPid ! unknown,
ok = gen_server:cast(OldPid, unknown),
?assertEqual(
ignored,
gen_server:call(OldPid, unknown)
).

156
apps/emqx_modules/test/emqx_delayed_api_SUITE.erl
View File

@ -20,74 +20,79 @@
-include_lib("common_test/include/ct.hrl").
-include_lib("eunit/include/eunit.hrl").
-include_lib("emqx/include/emqx.hrl").
-define(CLUSTER_RPC_SHARD, emqx_cluster_rpc_shard).
-define(BASE_CONF, #{
<<"dealyed">> => <<"true">>,
<<"max_delayed_messages">> => <<"0">>
}).
-import(emqx_mgmt_api_test_util, [request_api/2, request_api/5, api_path/1, auth_header_/0]).
-import(emqx_dashboard_api_test_helpers, [request/2, request/3, uri/1]).
all() ->
emqx_common_test_helpers:all(?MODULE).
init_per_suite(Config) ->
application:load(emqx_conf),
ok = ekka:start(),
ok = mria:start(),
ok = mria_rlog:wait_for_shards([?CLUSTER_RPC_SHARD], infinity),
emqx_config:put([dealyed], #{enable => true, max_delayed_messages => 10}),
meck:new(emqx_config, [non_strict, passthrough, no_history, no_link]),
meck:expect(
emqx_config,
get_schema_mod,
fun
(delayed) -> emqx_conf_schema;
(Any) -> meck:passthrough(Any)
end
),
ok = emqx_common_test_helpers:load_config(emqx_modules_schema, ?BASE_CONF),
ok = emqx_delayed:mnesia(boot),
emqx_mgmt_api_test_util:init_suite([emqx_modules]),
ok = emqx_common_test_helpers:start_apps(
[emqx_conf, emqx_modules, emqx_dashboard],
fun set_special_configs/1
),
emqx_delayed:enable(),
Config.
end_per_suite(Config) ->
ekka:stop(),
mria:stop(),
mria_mnesia:delete_schema(),
meck:unload(emqx_config),
ok = emqx_delayed:disable(),
emqx_mgmt_api_test_util:end_suite([emqx_modules]),
emqx_common_test_helpers:stop_apps([emqx_conf, emqx_dashboard, emqx_modules]),
Config.
init_per_testcase(_, Config) ->
{ok, _} = emqx_cluster_rpc:start_link(),
Config.
set_special_configs(emqx_dashboard) ->
emqx_dashboard_api_test_helpers:set_default_config();
set_special_configs(_App) ->
ok.
%%------------------------------------------------------------------------------
%% Test Cases
%%------------------------------------------------------------------------------
t_status(_Config) ->
Path = api_path(["mqtt", "delayed"]),
Auth = emqx_mgmt_api_test_util:auth_header_(),
{ok, R1} = request_api(
Path = uri(["mqtt", "delayed"]),
{ok, 200, R1} = request(
put,
Path,
"",
Auth,
#{enable => false, max_delayed_messages => 10}
),
?assertMatch(#{enable := false, max_delayed_messages := 10}, decode_json(R1)),
{ok, R2} = request_api(
{ok, 200, R2} = request(
put,
Path,
"",
Auth,
#{enable => true, max_delayed_messages => 12}
),
?assertMatch(#{enable := true, max_delayed_messages := 12}, decode_json(R2)),
{ok, ConfJson} = request_api(get, Path),
?assertMatch(
{ok, 200, _},
request(
put,
Path,
#{enable => true}
)
),
?assertMatch(
{ok, 400, _},
request(
put,
Path,
#{enable => true, max_delayed_messages => -5}
)
),
{ok, 200, ConfJson} = request(get, Path),
ReturnConf = decode_json(ConfJson),
?assertMatch(#{enable := true, max_delayed_messages := 12}, ReturnConf).
@ -131,25 +136,100 @@ t_messages(_) ->
),
MsgId = maps:get(msgid, First),
{ok, LookupMsg} = request_api(
{ok, 200, LookupMsg} = request(
get,
api_path(["mqtt", "delayed", "messages", node(), MsgId])
uri(["mqtt", "delayed", "messages", node(), MsgId])
),
?assertEqual(MsgId, maps:get(msgid, decode_json(LookupMsg))),
{ok, _} = request_api(
?assertMatch(
{ok, 404, _},
request(
get,
uri(["mqtt", "delayed", "messages", node(), emqx_guid:to_hexstr(emqx_guid:gen())])
)
),
?assertMatch(
{ok, 400, _},
request(
get,
uri(["mqtt", "delayed", "messages", node(), "invalid_msg_id"])
)
),
?assertMatch(
{ok, 400, _},
request(
get,
uri(["mqtt", "delayed", "messages", atom_to_list('unknownnode@127.0.0.1'), MsgId])
)
),
?assertMatch(
{ok, 400, _},
request(
get,
uri(["mqtt", "delayed", "messages", "some_unknown_atom", MsgId])
)
),
?assertMatch(
{ok, 404, _},
request(
delete,
api_path(["mqtt", "delayed", "messages", node(), MsgId])
uri(["mqtt", "delayed", "messages", node(), emqx_guid:to_hexstr(emqx_guid:gen())])
)
),
?assertMatch(
{ok, 204, _},
request(
delete,
uri(["mqtt", "delayed", "messages", node(), MsgId])
)
),
_ = get_messages(4),
ok = emqtt:disconnect(C1).
t_large_payload(_) ->
clear_all_record(),
{ok, C1} = emqtt:start_link([{clean_start, true}]),
{ok, _} = emqtt:connect(C1),
timer:sleep(500),
Topic = <<"$delayed/123/msgs">>,
emqtt:publish(
C1,
Topic,
iolist_to_binary([<<"x">> || _ <- lists:seq(1, 5000)]),
[{qos, 0}, {retain, true}]
),
timer:sleep(500),
[#{msgid := MsgId}] = get_messages(1),
{ok, 200, Msg} = request(
get,
uri(["mqtt", "delayed", "messages", node(), MsgId])
),
?assertMatch(
#{
payload := <<"PAYLOAD_TOO_LARGE">>,
topic := <<"msgs">>
},
decode_json(Msg)
).
%%--------------------------------------------------------------------
%% HTTP Request
%%--------------------------------------------------------------------
decode_json(Data) ->
BinJson = emqx_json:decode(Data, [return_maps]),
emqx_map_lib:unsafe_atom_key_map(BinJson).
@ -158,7 +238,7 @@ clear_all_record() ->
ets:delete_all_objects(emqx_delayed).
get_messages(Len) ->
{ok, MsgsJson} = request_api(get, api_path(["mqtt", "delayed", "messages"])),
{ok, 200, MsgsJson} = request(get, uri(["mqtt", "delayed", "messages"])),
#{data := Msgs} = decode_json(MsgsJson),
MsgLen = erlang:length(Msgs),
?assert(

114
apps/emqx_modules/test/emqx_topic_metrics_SUITE.erl
View File

@ -19,14 +19,10 @@
-compile(export_all).
-compile(nowarn_export_all).
-define(TOPIC, <<
""
"\n"
"topic_metrics: []"
""
>>).
-define(TOPIC, #{<<"topic_metrics">> => []}).
-include_lib("eunit/include/eunit.hrl").
-include_lib("snabbkaffe/include/snabbkaffe.hrl").
all() -> emqx_common_test_helpers:all(?MODULE).
@ -39,8 +35,17 @@ init_per_suite(Config) ->
end_per_suite(_Config) ->
emqx_common_test_helpers:stop_apps([emqx_modules]).
t_nonexistent_topic_metrics(_) ->
init_per_testcase(_Case, Config) ->
emqx_topic_metrics:enable(),
emqx_topic_metrics:deregister_all(),
Config.
end_per_testcase(_Case, _Config) ->
emqx_topic_metrics:deregister_all(),
emqx_config:put([topic_metrics], []),
emqx_topic_metrics:disable().
t_nonexistent_topic_metrics(_) ->
?assertEqual({error, topic_not_found}, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.in')),
?assertEqual({error, topic_not_found}, emqx_topic_metrics:inc(<<"a/b/c">>, 'messages.in')),
?assertEqual({error, topic_not_found}, emqx_topic_metrics:rate(<<"a/b/c">>, 'messages.in')),
@ -56,12 +61,9 @@ t_nonexistent_topic_metrics(_) ->
%% emqx_topic_metrics:rates(<<"a/b/c">>, 'invalid.metrics')
%% ),
emqx_topic_metrics:deregister(<<"a/b/c">>),
emqx_topic_metrics:disable().
ok = emqx_topic_metrics:deregister(<<"a/b/c">>).
t_topic_metrics(_) ->
emqx_topic_metrics:enable(),
?assertEqual(false, emqx_topic_metrics:is_registered(<<"a/b/c">>)),
?assertEqual([], emqx_topic_metrics:all_registered_topics()),
emqx_topic_metrics:register(<<"a/b/c">>),
@ -78,11 +80,9 @@ t_topic_metrics(_) ->
%% #{long => 0, medium => 0, short => 0}
%% ),
emqx_topic_metrics:deregister(<<"a/b/c">>),
emqx_topic_metrics:disable().
ok = emqx_topic_metrics:deregister(<<"a/b/c">>).
t_hook(_) ->
emqx_topic_metrics:enable(),
emqx_topic_metrics:register(<<"a/b/c">>),
?assertEqual(0, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.in')),
@ -97,19 +97,85 @@ t_hook(_) ->
{username, "myuser"}
]),
{ok, _} = emqtt:connect(C),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, 0),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, [{qos, 0}]),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, [{qos, 1}]),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, [{qos, 2}]),
ct:sleep(100),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.in')),
?assertEqual(3, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.in')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos0.in')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.dropped')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos1.in')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos2.in')),
?assertEqual(3, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.dropped')),
emqtt:subscribe(C, <<"a/b/c">>),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, 0),
emqtt:subscribe(C, <<"a/b/c">>, [{qos, 2}]),
ct:sleep(100),
?assertEqual(2, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.in')),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, [{qos, 0}]),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, [{qos, 1}]),
emqtt:publish(C, <<"a/b/c">>, <<"Hello world">>, [{qos, 2}]),
ct:sleep(100),
?assertEqual(6, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.in')),
?assertEqual(2, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos0.in')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.out')),
?assertEqual(2, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos1.in')),
?assertEqual(2, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos2.in')),
?assertEqual(3, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.out')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos0.out')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.dropped')),
emqx_topic_metrics:deregister(<<"a/b/c">>),
emqx_topic_metrics:disable().
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos1.out')),
?assertEqual(1, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.qos2.out')),
?assertEqual(3, emqx_topic_metrics:val(<<"a/b/c">>, 'messages.dropped')),
ok = emqx_topic_metrics:deregister(<<"a/b/c">>).
t_topic_server_restart(_) ->
emqx_config:put([topic_metrics], [#{topic => <<"a/b/c">>}]),
?check_trace(
begin
?wait_async_action(
erlang:exit(whereis(emqx_topic_metrics), kill),
#{?snk_kind := emqx_topic_metrics_started},
500
)
end,
fun(Trace) ->
?assertMatch(
[_ | _],
?of_kind(emqx_topic_metrics_started, Trace)
)
end
),
?assertEqual(
[<<"a/b/c">>],
emqx_topic_metrics:all_registered_topics()
).
t_unknown_messages(_) ->
OldPid = whereis(emqx_topic_metrics),
?check_trace(
begin
?wait_async_action(
OldPid ! unknown,
#{?snk_kind := emqx_topic_metrics_unexpected_info},
500
),
?wait_async_action(
gen_server:cast(OldPid, unknown),
#{?snk_kind := emqx_topic_metrics_unexpected_cast},
500
)
end,
fun(Trace) ->
?assertMatch(
[_ | _],
?of_kind(emqx_topic_metrics_unexpected_info, Trace)
),
?assertMatch(
[_ | _],
?of_kind(emqx_topic_metrics_unexpected_cast, Trace)
)
end
),
%% emqx_topic_metrics did not crash from unexpected calls
?assertEqual(
OldPid,
whereis(emqx_topic_metrics)
).

4
git-blame-ignore-revs
View File

@ -4,6 +4,10 @@
# reformat apps/emqx_modules
4d3157743e0d3ac7e6c09f108f6e79c820fd9c00
f2168f5b0d24e8c91a0952373fa181aaded99f38
# reformat apps/emqx_authn
aae2d01582b980302f30913522eedf1d9d3d217c
# reformat apps/emqx_authz
82559b9b089c6cfadf54b7ce5143156dd403876f
# reformat lib-ee/emqx_license
4f396cceb84d79d5ef540e91c1a8420e8de74a56
4e3fd9febd0df11f3fe5f221cd2c4362be57c886

1
scripts/check-format.sh
View File

@ -9,6 +9,7 @@ cd -P -- "$(dirname -- "$0")/.."
APPS=()
APPS+=( 'apps/emqx' 'apps/emqx_modules' 'apps/emqx_gateway')
APPS+=( 'apps/emqx_authn' 'apps/emqx_authz' )
APPS+=( 'lib-ee/emqx_enterprise_conf' 'lib-ee/emqx_license' )
for app in "${APPS[@]}"; do