diff --git a/apps/emqx_authz/src/emqx_authz_http.erl b/apps/emqx_authz/src/emqx_authz_http.erl index a34a7514a..faa3a3198 100644 --- a/apps/emqx_authz/src/emqx_authz_http.erl +++ b/apps/emqx_authz/src/emqx_authz_http.erl @@ -39,6 +39,10 @@ -compile(nowarn_export_all). -endif. +-define(PH_ACCESS, <<"${access}">>). +-define(LEGACY_SUBSCRIBE_ACTION, 1). +-define(LEGACY_PUBLISH_ACTION, 2). + -define(PLACEHOLDERS, [ ?PH_USERNAME, ?PH_CLIENTID, @@ -48,7 +52,8 @@ ?PH_TOPIC, ?PH_ACTION, ?PH_CERT_SUBJECT, - ?PH_CERT_CN_NAME + ?PH_CERT_CN_NAME, + ?PH_ACCESS ]). -define(PLACEHOLDERS_FOR_RICH_ACTIONS, [ @@ -234,7 +239,14 @@ serialize_body(<<"application/x-www-form-urlencoded">>, Body) -> client_vars(Client, Action, Topic) -> Vars = emqx_authz_utils:vars_for_rule_query(Client, Action), - Vars#{topic => Topic}. + add_legacy_access_var(Vars#{topic => Topic}). + +add_legacy_access_var(#{action := subscribe} = Vars) -> + Vars#{access => ?LEGACY_SUBSCRIBE_ACTION}; +add_legacy_access_var(#{action := publish} = Vars) -> + Vars#{access => ?LEGACY_PUBLISH_ACTION}; +add_legacy_access_var(Vars) -> + Vars. to_list(A) when is_atom(A) -> atom_to_list(A); diff --git a/apps/emqx_authz/test/emqx_authz_http_SUITE.erl b/apps/emqx_authz/test/emqx_authz_http_SUITE.erl index 6cf4b5bc0..7810b5902 100644 --- a/apps/emqx_authz/test/emqx_authz_http_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_http_SUITE.erl @@ -202,6 +202,7 @@ t_query_params(_Config) -> mountpoint := <<"MOUNTPOINT">>, topic := <<"t/1">>, action := <<"publish">>, + access := <<"2">>, qos := <<"1">>, retain := <<"false">> } = cowboy_req:match_qs( @@ -213,6 +214,7 @@ t_query_params(_Config) -> mountpoint, topic, action, + access, qos, retain ], @@ -230,6 +232,7 @@ t_query_params(_Config) -> "mountpoint=${mountpoint}&" "topic=${topic}&" "action=${action}&" + "access=${access}&" "qos=${qos}&" "retain=${retain}" >> @@ -264,6 +267,7 @@ t_path(_Config) -> "MOUNTPOINT/" "t%2F1/" "publish/" + "2/" "1/" "false" >>, 
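Review bot: The macros `?LEGACY_SUBSCRIBE_ACTION` and `?LEGACY_PUBLISH_ACTION` added in the first hunk of `emqx_authz_http.erl` carry bare integers with no comment saying what they encode or which consumers rely on them. A one-line comment above them would make the contract explicit, for example `%% Legacy numeric codes substituted for ${access}: 1 = subscribe, 2 = publish.` `?PH_ACCESS` is also defined locally here, while the other `?PH_*` names in the list are not defined in the visible hunks and presumably come from a shared header. If so, defining it next to them would keep the placeholder names in one place.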
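Review bot: The last clause of `add_legacy_access_var/1` returns the map without an `access` key, so a template that contains `${access}` gets no value for it whenever `action` is not exactly the atom `subscribe` or `publish`. How an unset variable is rendered is decided outside this hunk, but in an authorization request a blank or unexpanded field is easy for the backend to misread, so the fallthrough deserves at least a comment such as `%% no legacy code for other actions; ${access} is left unset`. The clauses also depend on `emqx_authz_utils:vars_for_rule_query/2` storing `action` as a bare atom, which is not visible here and is worth confirming.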
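Review bot: The assertion added to `t_query_params` pins only the publish mapping (`access := <<"2">>`), and the same holds for the `t_path`, `t_json_body` and `t_placeholder_and_body` hunks. Nothing in the visible test changes exercises the subscribe clause or the fallthrough clause of `add_legacy_access_var/1`. A subscribe request asserting `access := <<"1">>` would catch the two codes being swapped, which is the mistake most likely to go unnoticed in an authorization backend. The bodies of these test cases start and end outside the hunks, so an existing subscribe case elsewhere in the suite cannot be ruled out.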
@@ -281,6 +285,7 @@ t_path(_Config) -> "${mountpoint}/" "${topic}/" "${action}/" + "${access}/" "${qos}/" "${retain}" >> @@ -321,6 +326,7 @@ t_json_body(_Config) -> <<"mountpoint">> := <<"MOUNTPOINT">>, <<"topic">> := <<"t">>, <<"action">> := <<"publish">>, + <<"access">> := <<"2">>, <<"qos">> := <<"1">>, <<"retain">> := <<"false">> }, @@ -338,6 +344,7 @@ t_json_body(_Config) -> <<"mountpoint">> => <<"${mountpoint}">>, <<"topic">> => <<"${topic}">>, <<"action">> => <<"${action}">>, + <<"access">> => <<"${access}">>, <<"qos">> => <<"${qos}">>, <<"retain">> => <<"${retain}">> } @@ -405,7 +412,7 @@ t_placeholder_and_body(_Config) -> cowboy_req:path(Req0) ), - {ok, [{PostVars, true}], Req1} = cowboy_req:read_urlencoded_body(Req0), + {ok, PostVars, Req1} = cowboy_req:read_urlencoded_body(Req0), ?assertMatch( #{ @@ -416,10 +423,11 @@ t_placeholder_and_body(_Config) -> <<"mountpoint">> := <<"MOUNTPOINT">>, <<"topic">> := <<"t">>, <<"action">> := <<"publish">>, + <<"access">> := <<"2">>, <<"CN">> := ?PH_CERT_CN_NAME, <<"CS">> := ?PH_CERT_SUBJECT }, - emqx_utils_json:decode(PostVars, [return_maps]) + maps:from_list(PostVars) ), {ok, ?AUTHZ_HTTP_RESP(allow, Req1), State} end, @@ -433,6 +441,7 @@ t_placeholder_and_body(_Config) -> <<"mountpoint">> => <<"${mountpoint}">>, <<"topic">> => <<"${topic}">>, <<"action">> => <<"${action}">>, + <<"access">> => <<"${access}">>, <<"CN">> => ?PH_CERT_CN_NAME, <<"CS">> => ?PH_CERT_SUBJECT },
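Review bot: The two `t_placeholder_and_body` hunks change how the request body is read, from JSON-decoding a single key (`{ok, [{PostVars, true}], Req1}`) to treating it as urlencoded pairs via `maps:from_list(PostVars)`. That is independent of the `access` placeholder, and no visible source hunk touches `serialize_body`. If the earlier assertion was matching a wrongly encoded body, the commit description should say so. A short comment at the call would also help, e.g. `%% body is form-urlencoded; cowboy returns a list of {Key, Value} pairs`. Note that `maps:from_list/1` keeps only the last value for a repeated key, so this assertion would not notice a parameter being sent twice.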