feat(sso): add `role` into the result of login endpoints

apps/emqx_bridge_kafka/test/emqx_bridge_kafka_impl_producer_SUITE.erl

@@ -1260,7 +1260,7 @@ auth_header_() ->
     auth_header_(<<"admin">>, <<"public">>).
 
 auth_header_(Username, Password) ->
-    {ok, Token} = emqx_dashboard_admin:sign_token(Username, Password),
+    {ok, _Role, Token} = emqx_dashboard_admin:sign_token(Username, Password),
     {"Authorization", "Bearer " ++ binary_to_list(Token)}.
 
 api_path(Parts) ->

apps/emqx_dashboard/src/emqx_dashboard_api.erl

@@ -77,7 +77,7 @@ schema("/login") ->
             summary => <<"Dashboard authentication">>,
             'requestBody' => fields([username, password]),
             responses => #{
-                200 => fields([token, version, license]),
+                200 => fields([role, token, version, license]),
                 401 => response_schema(401)
             },
             security => []
@@ -219,14 +219,16 @@ login(post, #{body := Params}) ->
     Username = maps:get(<<"username">>, Params),
     Password = maps:get(<<"password">>, Params),
     case emqx_dashboard_admin:sign_token(Username, Password) of
-        {ok, Token} ->
+        {ok, Role, Token} ->
             ?SLOG(info, #{msg => "dashboard_login_successful", username => Username}),
             Version = iolist_to_binary(proplists:get_value(version, emqx_sys:info())),
-            {200, #{
-                token => Token,
-                version => Version,
-                license => #{edition => emqx_release:edition()}
-            }};
+            {200,
+                filter_result(#{
+                    role => Role,
+                    token => Token,
+                    version => Version,
+                    license => #{edition => emqx_release:edition()}
+                })};
         {error, R} ->
             ?SLOG(info, #{msg => "dashboard_login_failed", username => Username, reason => R}),
             {401, ?BAD_USERNAME_OR_PWD, <<"Auth failed">>}

apps/emqx_dashboard/src/emqx_dashboard_token.erl

@@ -56,7 +56,7 @@
 %%--------------------------------------------------------------------
 %% jwt function
 -spec sign(User :: dashboard_user(), Password :: binary()) ->
-    {ok, Token :: binary()} | {error, Reason :: term()}.
+    {ok, dashboard_user_role(), Token :: binary()} | {error, Reason :: term()}.
 sign(User, Password) ->
     do_sign(User, Password).
 
@@ -120,7 +120,7 @@ do_sign(#?ADMIN{username = Username} = User, Password) ->
     Role = emqx_dashboard_admin:role(User),
     JWTRec = format(Token, Username, Role, ExpTime),
     _ = mria:transaction(?DASHBOARD_SHARD, fun mnesia:write/1, [JWTRec]),
-    {ok, Token}.
+    {ok, Role, Token}.
 
 -spec do_verify(_, Token :: binary()) ->
     Result ::

apps/emqx_dashboard/test/emqx_dashboard_SUITE.erl

@@ -120,6 +120,7 @@ t_rest_api(_Config) ->
     ?assertEqual(
         [
             filter_req(#{
+                <<"backend">> => <<"local">>,
                 <<"username">> => <<"admin">>,
                 <<"description">> => <<"administrator">>,
                 <<"role">> => ?ROLE_SUPERUSER
@@ -269,7 +270,7 @@ auth_header_() ->
     auth_header_(<<"admin">>, <<"public">>).
 
 auth_header_(Username, Password) ->
-    {ok, Token} = emqx_dashboard_admin:sign_token(Username, Password),
+    {ok, _Role, Token} = emqx_dashboard_admin:sign_token(Username, Password),
     {"Authorization", "Bearer " ++ binary_to_list(Token)}.
 
 api_path(Parts) ->
@@ -286,6 +287,6 @@ filter_req(Req) ->
 -else.
 
 filter_req(Req) ->
-    maps:without([role, <<"role">>], Req).
+    maps:without([role, <<"role">>, backend, <<"backend">>], Req).
 
 -endif.

apps/emqx_dashboard/test/emqx_dashboard_admin_SUITE.erl

@@ -174,15 +174,16 @@ t_clean_token(_) ->
     Password = <<"public_www1">>,
     NewPassword = <<"public_www2">>,
     {ok, _} = emqx_dashboard_admin:add_user(Username, Password, ?ROLE_SUPERUSER, <<"desc">>),
-    {ok, Token} = emqx_dashboard_admin:sign_token(Username, Password),
-    FakeReq = #{method => <<"GET">>},
+    {ok, _, Token} = emqx_dashboard_admin:sign_token(Username, Password),
+    FakePath = erlang:list_to_binary(emqx_dashboard_swagger:relative_uri("/fake")),
+    FakeReq = #{method => <<"GET">>, path => FakePath},
     {ok, Username} = emqx_dashboard_admin:verify_token(FakeReq, Token),
     %% change password
     {ok, _} = emqx_dashboard_admin:change_password(Username, Password, NewPassword),
     timer:sleep(5),
     {error, not_found} = emqx_dashboard_admin:verify_token(FakeReq, Token),
     %% remove user
-    {ok, Token2} = emqx_dashboard_admin:sign_token(Username, NewPassword),
+    {ok, _, Token2} = emqx_dashboard_admin:sign_token(Username, NewPassword),
     {ok, Username} = emqx_dashboard_admin:verify_token(FakeReq, Token2),
     {ok, _} = emqx_dashboard_admin:remove_user(Username),
     timer:sleep(5),

apps/emqx_dashboard/test/emqx_dashboard_api_test_helpers.erl

@@ -116,7 +116,7 @@ auth_header(Username) ->
     auth_header(Username, <<"public">>).
 
 auth_header(Username, Password) ->
-    {ok, Token} = emqx_dashboard_admin:sign_token(Username, Password),
+    {ok, _Role, Token} = emqx_dashboard_admin:sign_token(Username, Password),
     {"Authorization", "Bearer " ++ binary_to_list(Token)}.
 
 multipart_formdata_request(Url, Fields, Files) ->

apps/emqx_dashboard/test/emqx_dashboard_haproxy_SUITE.erl

@@ -55,7 +55,7 @@ t_status(_Config) ->
         [binary, {active, false}, {packet, raw}]
     ),
     ok = gen_tcp:send(Socket, ranch_proxy_header:header(ProxyInfo)),
-    {ok, Token} = emqx_dashboard_admin:sign_token(<<"admin">>, <<"public">>),
+    {ok, _Role, Token} = emqx_dashboard_admin:sign_token(<<"admin">>, <<"public">>),
     ok = gen_tcp:send(
         Socket,
         "GET /status HTTP/1.1\r\n"

apps/emqx_dashboard_rbac/test/emqx_dashboard_rbac_SUITE.erl

@@ -135,7 +135,7 @@ t_clean_token(_) ->
     Desc = <<"desc">>,
     NewDesc = <<"new desc">>,
     {ok, _} = emqx_dashboard_admin:add_user(Username, Password, ?ROLE_SUPERUSER, Desc),
-    {ok, Token} = emqx_dashboard_admin:sign_token(Username, Password),
+    {ok, _Role, Token} = emqx_dashboard_admin:sign_token(Username, Password),
     FakePath = erlang:list_to_binary(emqx_dashboard_swagger:relative_uri("/fake")),
     FakeReq = #{method => <<"GET">>, path => FakePath},
     {ok, Username} = emqx_dashboard_admin:verify_token(FakeReq, Token),
@@ -154,7 +154,7 @@ t_login_out(_) ->
     Password = <<"public_www1">>,
     Desc = <<"desc">>,
     {ok, _} = emqx_dashboard_admin:add_user(Username, Password, ?ROLE_SUPERUSER, Desc),
-    {ok, Token} = emqx_dashboard_admin:sign_token(Username, Password),
+    {ok, _Role, Token} = emqx_dashboard_admin:sign_token(Username, Password),
     FakePath = erlang:list_to_binary(emqx_dashboard_swagger:relative_uri("/logout")),
     FakeReq = #{method => <<"POST">>, path => FakePath},
     {ok, Username} = emqx_dashboard_admin:verify_token(FakeReq, Token),

apps/emqx_dashboard_sso/src/emqx_dashboard_sso.erl

@@ -5,6 +5,7 @@
 -module(emqx_dashboard_sso).
 
 -include_lib("hocon/include/hoconsc.hrl").
+-include_lib("emqx_dashboard/include/emqx_dashboard.hrl").
 
 -export([
     hocon_ref/1,
@@ -38,7 +39,7 @@
     {ok, NewState :: state()} | {error, Reason :: term()}.
 -callback destroy(State :: state()) -> ok.
 -callback login(request(), State :: state()) ->
-    {ok, Token :: binary()} | {error, Reason :: term()}.
+    {ok, dashboard_user_role(), Token :: binary()} | {error, Reason :: term()}.
 
 %%------------------------------------------------------------------------------
 %% Callback Interface

apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl

@@ -83,7 +83,7 @@ schema("/sso/login/:backend") ->
             parameters => backend_name_in_path(),
             'requestBody' => login_union(),
             responses => #{
-                200 => emqx_dashboard_api:fields([token, version, license]),
+                200 => emqx_dashboard_api:fields([role, token, version, license]),
                 401 => response_schema(401),
                 404 => response_schema(404)
             },
@@ -148,10 +148,11 @@ login(post, #{bindings := #{backend := Backend}, body := Sign}) ->
         State ->
             Provider = emqx_dashboard_sso:provider(Backend),
             case emqx_dashboard_sso:login(Provider, Sign, State) of
-                {ok, Token} ->
+                {ok, Role, Token} ->
                     ?SLOG(info, #{msg => "dashboard_sso_login_successful", request => Sign}),
                     Version = iolist_to_binary(proplists:get_value(version, emqx_sys:info())),
                     {200, #{
+                        role => Role,
                         token => Token,
                         version => Version,
                         license => #{edition => emqx_release:edition()}

apps/emqx_dashboard_sso/test/emqx_dashboard_sso_ldap_SUITE.erl

@@ -101,7 +101,7 @@ t_first_login(_) ->
     },
     %% this API is authorization-free
     {ok, 200, Result} = request_without_authorization(post, Path, Req),
-    ?assertMatch(#{license := _, token := _}, decode_json(Result)),
+    ?assertMatch(#{license := _, token := _, role := ?ROLE_VIEWER}, decode_json(Result)),
     ?assertMatch(
         [#?ADMIN{username = ?SSO_USERNAME(ldap, ?LDAP_USER)}],
         emqx_dashboard_admin:lookup_user(ldap, ?LDAP_USER)

apps/emqx_management/test/emqx_mgmt_api_plugins_SUITE.erl

@@ -252,7 +252,7 @@ describe_plugins(Name) ->
     end.
 
 install_plugin(FilePath) ->
-    {ok, Token} = emqx_dashboard_admin:sign_token(<<"admin">>, <<"public">>),
+    {ok, _Role, Token} = emqx_dashboard_admin:sign_token(<<"admin">>, <<"public">>),
     Path = emqx_mgmt_api_test_util:api_path(["plugins", "install"]),
     case
         emqx_mgmt_api_test_util:upload_request(