Merge pull request #13196 from lafirest/fix/rules_len
fix(authz_mnesia): add a soft limit in the API for the length of ACL rules
This commit is contained in:
commit
98a54994c0
|
@ -469,8 +469,8 @@ users(get, #{query_string := QueryString}) ->
|
||||||
{200, Result}
|
{200, Result}
|
||||||
end;
|
end;
|
||||||
users(post, #{body := Body}) when is_list(Body) ->
|
users(post, #{body := Body}) when is_list(Body) ->
|
||||||
case ensure_all_not_exists(<<"username">>, username, Body) of
|
case ensure_rules_is_valid(<<"username">>, username, Body) of
|
||||||
[] ->
|
ok ->
|
||||||
lists:foreach(
|
lists:foreach(
|
||||||
fun(#{<<"username">> := Username, <<"rules">> := Rules}) ->
|
fun(#{<<"username">> := Username, <<"rules">> := Rules}) ->
|
||||||
emqx_authz_mnesia:store_rules({username, Username}, Rules)
|
emqx_authz_mnesia:store_rules({username, Username}, Rules)
|
||||||
|
@ -478,10 +478,19 @@ users(post, #{body := Body}) when is_list(Body) ->
|
||||||
Body
|
Body
|
||||||
),
|
),
|
||||||
{204};
|
{204};
|
||||||
Exists ->
|
{error, {Username, too_many_rules}} ->
|
||||||
|
{400, #{
|
||||||
|
code => <<"BAD_REQUEST">>,
|
||||||
|
message =>
|
||||||
|
binfmt(
|
||||||
|
<<"The rules length of User '~ts' exceeds the maximum limit.">>,
|
||||||
|
[Username]
|
||||||
|
)
|
||||||
|
}};
|
||||||
|
{error, {already_exists, Exists}} ->
|
||||||
{409, #{
|
{409, #{
|
||||||
code => <<"ALREADY_EXISTS">>,
|
code => <<"ALREADY_EXISTS">>,
|
||||||
message => binfmt("Users '~ts' already exist", [binjoin(Exists)])
|
message => binfmt("User '~ts' already exist", [Exists])
|
||||||
}}
|
}}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
@ -507,8 +516,8 @@ clients(get, #{query_string := QueryString}) ->
|
||||||
{200, Result}
|
{200, Result}
|
||||||
end;
|
end;
|
||||||
clients(post, #{body := Body}) when is_list(Body) ->
|
clients(post, #{body := Body}) when is_list(Body) ->
|
||||||
case ensure_all_not_exists(<<"clientid">>, clientid, Body) of
|
case ensure_rules_is_valid(<<"clientid">>, clientid, Body) of
|
||||||
[] ->
|
ok ->
|
||||||
lists:foreach(
|
lists:foreach(
|
||||||
fun(#{<<"clientid">> := ClientID, <<"rules">> := Rules}) ->
|
fun(#{<<"clientid">> := ClientID, <<"rules">> := Rules}) ->
|
||||||
emqx_authz_mnesia:store_rules({clientid, ClientID}, Rules)
|
emqx_authz_mnesia:store_rules({clientid, ClientID}, Rules)
|
||||||
|
@ -516,10 +525,19 @@ clients(post, #{body := Body}) when is_list(Body) ->
|
||||||
Body
|
Body
|
||||||
),
|
),
|
||||||
{204};
|
{204};
|
||||||
Exists ->
|
{error, {ClientId, too_many_rules}} ->
|
||||||
|
{400, #{
|
||||||
|
code => <<"BAD_REQUEST">>,
|
||||||
|
message =>
|
||||||
|
binfmt(
|
||||||
|
<<"The rules length of Client '~ts' exceeds the maximum limit.">>,
|
||||||
|
[ClientId]
|
||||||
|
)
|
||||||
|
}};
|
||||||
|
{error, {already_exists, Exists}} ->
|
||||||
{409, #{
|
{409, #{
|
||||||
code => <<"ALREADY_EXISTS">>,
|
code => <<"ALREADY_EXISTS">>,
|
||||||
message => binfmt("Clients '~ts' already exist", [binjoin(Exists)])
|
message => binfmt("Client '~ts' already exist", [Exists])
|
||||||
}}
|
}}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
@ -583,8 +601,17 @@ all(get, _) ->
|
||||||
}}
|
}}
|
||||||
end;
|
end;
|
||||||
all(post, #{body := #{<<"rules">> := Rules}}) ->
|
all(post, #{body := #{<<"rules">> := Rules}}) ->
|
||||||
emqx_authz_mnesia:store_rules(all, Rules),
|
case ensure_rules_len(Rules) of
|
||||||
{204};
|
ok ->
|
||||||
|
emqx_authz_mnesia:store_rules(all, Rules),
|
||||||
|
{204};
|
||||||
|
_ ->
|
||||||
|
{400, #{
|
||||||
|
code => <<"BAD_REQUEST">>,
|
||||||
|
message =>
|
||||||
|
<<"The length of rules exceeds the maximum limit.">>
|
||||||
|
}}
|
||||||
|
end;
|
||||||
all(delete, _) ->
|
all(delete, _) ->
|
||||||
emqx_authz_mnesia:store_rules(all, []),
|
emqx_authz_mnesia:store_rules(all, []),
|
||||||
{204}.
|
{204}.
|
||||||
|
@ -700,28 +727,45 @@ rules_example({ExampleName, ExampleType}) ->
|
||||||
}
|
}
|
||||||
}.
|
}.
|
||||||
|
|
||||||
ensure_all_not_exists(Key, Type, Cfgs) ->
|
ensure_rules_len(Rules) ->
|
||||||
lists:foldl(
|
emqx_authz_api_sources:with_source(
|
||||||
fun(#{Key := Id}, Acc) ->
|
?AUTHZ_TYPE_BIN,
|
||||||
case emqx_authz_mnesia:get_rules({Type, Id}) of
|
fun(#{<<"max_rules">> := MaxLen}) ->
|
||||||
not_found ->
|
ensure_rules_len(Rules, MaxLen)
|
||||||
Acc;
|
end
|
||||||
_ ->
|
|
||||||
[Id | Acc]
|
|
||||||
end
|
|
||||||
end,
|
|
||||||
[],
|
|
||||||
Cfgs
|
|
||||||
).
|
).
|
||||||
|
|
||||||
binjoin([Bin]) ->
|
ensure_rules_len(Rules, MaxLen) ->
|
||||||
Bin;
|
case erlang:length(Rules) =< MaxLen of
|
||||||
binjoin(Bins) ->
|
true ->
|
||||||
binjoin(Bins, <<>>).
|
ok;
|
||||||
|
_ ->
|
||||||
|
{error, too_many_rules}
|
||||||
|
end.
|
||||||
|
|
||||||
binjoin([H | T], Acc) ->
|
ensure_rules_is_valid(Key, Type, Cfgs) ->
|
||||||
binjoin(T, <<H/binary, $,, Acc/binary>>);
|
MaxLen = emqx_authz_api_sources:with_source(
|
||||||
binjoin([], Acc) ->
|
?AUTHZ_TYPE_BIN,
|
||||||
Acc.
|
fun(#{<<"max_rules">> := MaxLen}) ->
|
||||||
|
MaxLen
|
||||||
|
end
|
||||||
|
),
|
||||||
|
ensure_rules_is_valid(Key, Type, MaxLen, Cfgs).
|
||||||
|
|
||||||
|
ensure_rules_is_valid(Key, Type, MaxLen, [Cfg | Cfgs]) ->
|
||||||
|
#{Key := Id, <<"rules">> := Rules} = Cfg,
|
||||||
|
case emqx_authz_mnesia:get_rules({Type, Id}) of
|
||||||
|
not_found ->
|
||||||
|
case ensure_rules_len(Rules, MaxLen) of
|
||||||
|
ok ->
|
||||||
|
ensure_rules_is_valid(Key, Type, MaxLen, Cfgs);
|
||||||
|
{error, Reason} ->
|
||||||
|
{error, {Id, Reason}}
|
||||||
|
end;
|
||||||
|
_ ->
|
||||||
|
{error, {already_exists, Id}}
|
||||||
|
end;
|
||||||
|
ensure_rules_is_valid(_Key, _Type, _MaxLen, []) ->
|
||||||
|
ok.
|
||||||
|
|
||||||
binfmt(Fmt, Args) -> iolist_to_binary(io_lib:format(Fmt, Args)).
|
binfmt(Fmt, Args) -> iolist_to_binary(io_lib:format(Fmt, Args)).
|
||||||
|
|
|
@ -30,12 +30,24 @@
|
||||||
namespace/0
|
namespace/0
|
||||||
]).
|
]).
|
||||||
|
|
||||||
|
-define(MAX_RULES, 100).
|
||||||
|
|
||||||
namespace() -> "authz".
|
namespace() -> "authz".
|
||||||
|
|
||||||
type() -> ?AUTHZ_TYPE.
|
type() -> ?AUTHZ_TYPE.
|
||||||
|
|
||||||
fields(builtin_db) ->
|
fields(builtin_db) ->
|
||||||
emqx_authz_schema:authz_common_fields(?AUTHZ_TYPE).
|
emqx_authz_schema:authz_common_fields(?AUTHZ_TYPE) ++
|
||||||
|
[
|
||||||
|
{max_rules,
|
||||||
|
?HOCON(
|
||||||
|
pos_integer(),
|
||||||
|
#{
|
||||||
|
default => ?MAX_RULES,
|
||||||
|
desc => ?DESC(max_rules)
|
||||||
|
}
|
||||||
|
)}
|
||||||
|
].
|
||||||
|
|
||||||
source_refs() ->
|
source_refs() ->
|
||||||
[?R_REF(builtin_db)].
|
[?R_REF(builtin_db)].
|
||||||
|
|
|
@ -36,7 +36,7 @@ init_per_suite(Config) ->
|
||||||
{emqx_conf,
|
{emqx_conf,
|
||||||
"authorization.cache { enable = false },"
|
"authorization.cache { enable = false },"
|
||||||
"authorization.no_match = deny,"
|
"authorization.no_match = deny,"
|
||||||
"authorization.sources = [{type = built_in_database}]"},
|
"authorization.sources = [{type = built_in_database, max_rules = 5}]"},
|
||||||
emqx,
|
emqx,
|
||||||
emqx_auth,
|
emqx_auth,
|
||||||
emqx_auth_mnesia,
|
emqx_auth_mnesia,
|
||||||
|
@ -66,6 +66,14 @@ t_api(_) ->
|
||||||
[?USERNAME_RULES_EXAMPLE]
|
[?USERNAME_RULES_EXAMPLE]
|
||||||
),
|
),
|
||||||
|
|
||||||
|
%% check length limit
|
||||||
|
{ok, 400, _} =
|
||||||
|
request(
|
||||||
|
post,
|
||||||
|
uri(["authorization", "sources", "built_in_database", "rules", "users"]),
|
||||||
|
[dup_rules_example(?USERNAME_RULES_EXAMPLE)]
|
||||||
|
),
|
||||||
|
|
||||||
{ok, 409, _} =
|
{ok, 409, _} =
|
||||||
request(
|
request(
|
||||||
post,
|
post,
|
||||||
|
@ -171,6 +179,13 @@ t_api(_) ->
|
||||||
[?CLIENTID_RULES_EXAMPLE]
|
[?CLIENTID_RULES_EXAMPLE]
|
||||||
),
|
),
|
||||||
|
|
||||||
|
{ok, 400, _} =
|
||||||
|
request(
|
||||||
|
post,
|
||||||
|
uri(["authorization", "sources", "built_in_database", "rules", "clients"]),
|
||||||
|
[dup_rules_example(?CLIENTID_RULES_EXAMPLE)]
|
||||||
|
),
|
||||||
|
|
||||||
{ok, 409, _} =
|
{ok, 409, _} =
|
||||||
request(
|
request(
|
||||||
post,
|
post,
|
||||||
|
@ -238,6 +253,14 @@ t_api(_) ->
|
||||||
uri(["authorization", "sources", "built_in_database", "rules", "all"]),
|
uri(["authorization", "sources", "built_in_database", "rules", "all"]),
|
||||||
?ALL_RULES_EXAMPLE
|
?ALL_RULES_EXAMPLE
|
||||||
),
|
),
|
||||||
|
|
||||||
|
{ok, 400, _} =
|
||||||
|
request(
|
||||||
|
post,
|
||||||
|
uri(["authorization", "sources", "built_in_database", "rules", "all"]),
|
||||||
|
dup_rules_example(?ALL_RULES_EXAMPLE)
|
||||||
|
),
|
||||||
|
|
||||||
{ok, 200, Request7} =
|
{ok, 200, Request7} =
|
||||||
request(
|
request(
|
||||||
get,
|
get,
|
||||||
|
@ -491,3 +514,10 @@ replace_parts(Parts, Replacements) ->
|
||||||
end,
|
end,
|
||||||
Parts
|
Parts
|
||||||
).
|
).
|
||||||
|
|
||||||
|
dup_rules_example(#{username := _, rules := Rules}) ->
|
||||||
|
#{username => user2, rules => Rules ++ Rules};
|
||||||
|
dup_rules_example(#{clientid := _, rules := Rules}) ->
|
||||||
|
#{clientid => client2, rules => Rules ++ Rules};
|
||||||
|
dup_rules_example(#{rules := Rules}) ->
|
||||||
|
#{rules => Rules ++ Rules}.
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
In the built-in database of authorization, added a limit for the number of rules per client/user, and the default values is 100.
|
|
@ -6,4 +6,7 @@ builtin_db.desc:
|
||||||
builtin_db.label:
|
builtin_db.label:
|
||||||
"""Builtin Database"""
|
"""Builtin Database"""
|
||||||
|
|
||||||
|
max_rules.desc:
|
||||||
|
"""Maximum number of rules per client/user. Note that performance may decrease as number of rules increases."""
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue