yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(test): add two way ssl test (#4025)

This commit is contained in:
wwhai 2021-01-16 22:28:15 +08:00 committed by GitHub
parent 2751fa6a41
commit a6de90c3f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 71 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/run_cts_tests.yaml vendored
View File

@ -194,6 +194,12 @@ jobs:
run: | run: |
docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml build --no-cache docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml build --no-cache
docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml up -d docker-compose -f .ci/compatibility_tests/docker-compose-pgsql-tls.yaml up -d
if [ "$PGSQL_TAG" = "12" ] || [ "$PGSQL_TAG" = "13" ]; then
sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = tlsv1.3,tlsv1.2|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
else
sed -i 's|^[#[:space:]]*auth.pgsql.ssl.tls_versions[ \t]*=.*|auth.pgsql.ssl.tls_versions = tlsv1.2,tlsv1.1|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
fi
sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf sed -i 's|^[#[:space:]]*auth.pgsql.username[ \t]*=.*|auth.pgsql.username = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf sed -i 's|^[#[:space:]]*auth.pgsql.password[ \t]*=.*|auth.pgsql.password = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf sed -i 's|^[#[:space:]]*auth.pgsql.database[ \t]*=.*|auth.pgsql.database = postgres|g' apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf

9
apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf
View File

@ -39,6 +39,14 @@ auth.pgsql.encoding = utf8
## Value: on | off ## Value: on | off
auth.pgsql.ssl = off auth.pgsql.ssl = off
## TLS version
## You can configure multi-version use "," split,
## default value is :tlsv1.2
## Example:
## tlsv1.1,tlsv1.2,tlsv1.3
##
## auth.pgsql.ssl_opts.tls_versions = tlsv1.2
## SSL keyfile. ## SSL keyfile.
## ##
## Value: File ## Value: File
@ -107,4 +115,3 @@ auth.pgsql.super_query = select is_superuser from mqtt_user where username = '%u
## ##
## Note: You can add the 'ORDER BY' statement to control the rules match order ## Note: You can add the 'ORDER BY' statement to control the rules match order
auth.pgsql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c' auth.pgsql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'

9
apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema
View File

@ -35,6 +35,11 @@
{datatype, {enum, [on, off, true, false]}} %% FIXME: true/fasle is compatible with 4.0-4.2 version format, plan to delete in 5.0 {datatype, {enum, [on, off, true, false]}} %% FIXME: true/fasle is compatible with 4.0-4.2 version format, plan to delete in 5.0
]}. ]}.
{mapping, "auth.pgsql.ssl.tls_versions", "emqx_auth_pgsql.server", [
{default, "tlsv1.2"},
{datatype, string}
]}.
{mapping, "auth.pgsql.ssl.keyfile", "emqx_auth_pgsql.server", [ {mapping, "auth.pgsql.ssl.keyfile", "emqx_auth_pgsql.server", [
{datatype, string} {datatype, string}
]}. ]}.
@ -81,7 +86,9 @@
SslOpts = fun(Prefix) -> SslOpts = fun(Prefix) ->
Filter([{keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)}, Filter([{keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
{certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)}, {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
{cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)}]) {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined),
{versions, [list_to_existing_atom(Value)
||Value <- string:tokens(cuttlefish:conf_get("auth.pgsql.ssl.tls_versions", Conf), " ,")]}}])
end, end,
%% FIXME: compatible with 4.0-4.2 version format, plan to delete in 5.0 %% FIXME: compatible with 4.0-4.2 version format, plan to delete in 5.0

56
apps/emqx_auth_pgsql/test/emqx_auth_pgsql_SUITE.erl
View File

@ -72,7 +72,7 @@ all() ->
init_per_suite(Config) -> init_per_suite(Config) ->
emqx_ct_helpers:start_apps([emqx_auth_pgsql]), emqx_ct_helpers:start_apps([emqx_auth_pgsql]),
drop_acl(), drop_acl(),
init_auth(), drop_auth(),
init_auth(), init_auth(),
init_acl(), init_acl(),
set_special_configs(), set_special_configs(),
@ -97,6 +97,30 @@ t_comment_config(_) ->
?assertEqual(AuthCount - 1, length(emqx_hooks:lookup('client.authenticate'))), ?assertEqual(AuthCount - 1, length(emqx_hooks:lookup('client.authenticate'))),
?assertEqual(AclCount - 1, length(emqx_hooks:lookup('client.check_acl'))). ?assertEqual(AclCount - 1, length(emqx_hooks:lookup('client.check_acl'))).
t_placeholders(_) ->
ClientA = #{username => <<"plain">>, clientid => <<"plain">>, zone => external},
reload([{password_hash, plain},
{auth_query, "select password from mqtt_user where username = '%u' and 'a_cn_val' = '%C' limit 1"}]),
{error, not_authorized} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>}),
{error, not_authorized} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>, cn => undefined}),
{ok, _} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>, cn => <<"a_cn_val">>}),
reload([{auth_query, "select password from mqtt_user where username = '%c' and 'a_dn_val' = '%d' limit 1"}]),
{error, not_authorized} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>}),
{error, not_authorized} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>, dn => undefined}),
{ok, _} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>, dn => <<"a_dn_val">>}),
reload([{auth_query, "select password from mqtt_user where username = '%u' and '192.168.1.5' = '%a' limit 1"}]),
{error, not_authorized} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>}),
{ok, _} =
emqx_access_control:authenticate(ClientA#{password => <<"plain">>, peerhost => {192,168,1,5}}).
t_check_auth(_) -> t_check_auth(_) ->
Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external}, Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external},
Md5 = #{clientid => <<"md5">>, username => <<"md5">>, zone => external}, Md5 = #{clientid => <<"md5">>, username => <<"md5">>, zone => external},
@ -106,22 +130,32 @@ t_check_auth(_) ->
BcryptFoo = #{clientid => <<"bcrypt_foo">>, username => <<"bcrypt_foo">>, zone => external}, BcryptFoo = #{clientid => <<"bcrypt_foo">>, username => <<"bcrypt_foo">>, zone => external},
User1 = #{clientid => <<"bcrypt_foo">>, username => <<"user">>, zone => external}, User1 = #{clientid => <<"bcrypt_foo">>, username => <<"user">>, zone => external},
Bcrypt = #{clientid => <<"bcrypt">>, username => <<"bcrypt">>, zone => external}, Bcrypt = #{clientid => <<"bcrypt">>, username => <<"bcrypt">>, zone => external},
% BcryptWrong = #{clientid => <<"bcrypt_wrong">>, username => <<"bcrypt_wrong">>, zone => external},
reload([{password_hash, plain}]), reload([{password_hash, plain}]),
{ok, #{is_superuser := true}} = emqx_access_control:authenticate(Plain#{password => <<"plain">>}), {ok,#{is_superuser := true}} =
emqx_access_control:authenticate(Plain#{password => <<"plain">>}),
reload([{password_hash, md5}]), reload([{password_hash, md5}]),
{ok, #{is_superuser := false}} = emqx_access_control:authenticate(Md5#{password => <<"md5">>}), {ok,#{is_superuser := false}} =
emqx_access_control:authenticate(Md5#{password => <<"md5">>}),
reload([{password_hash, sha}]), reload([{password_hash, sha}]),
{ok, #{is_superuser := false}} = emqx_access_control:authenticate(Sha#{password => <<"sha">>}), {ok,#{is_superuser := false}} =
emqx_access_control:authenticate(Sha#{password => <<"sha">>}),
reload([{password_hash, sha256}]), reload([{password_hash, sha256}]),
{ok, #{is_superuser := false}} = emqx_access_control:authenticate(Sha256#{password => <<"sha256">>}), {ok,#{is_superuser := false}} =
emqx_access_control:authenticate(Sha256#{password => <<"sha256">>}),
reload([{password_hash, bcrypt}]), reload([{password_hash, bcrypt}]),
{ok, #{is_superuser := false}} = emqx_access_control:authenticate(Bcrypt#{password => <<"password">>}), {ok,#{is_superuser := false}} =
emqx_access_control:authenticate(Bcrypt#{password => <<"password">>}),
reload([{password_hash, {pbkdf2, sha, 1, 16}}, {auth_query, "select password, salt from mqtt_user where username = '%u' limit 1"}]), {error, not_authorized} =
{ok, #{is_superuser := false}} = emqx_access_control:authenticate(Pbkdf2#{password => <<"password">>}), emqx_access_control:authenticate(BcryptWrong#{password => <<"password">>}),
%%pbkdf2 sha
reload([{password_hash, {pbkdf2, sha, 1, 16}},
{auth_query, "select password, salt from mqtt_user where username = '%u' limit 1"}]),
{ok,#{is_superuser := false}} =
emqx_access_control:authenticate(Pbkdf2#{password => <<"password">>}),
reload([{password_hash, {salt, bcrypt}}]), reload([{password_hash, {salt, bcrypt}}]),
{ok, #{is_superuser := false}} = emqx_access_control:authenticate(BcryptFoo#{password => <<"foo">>}), {ok,#{is_superuser := false}} =
emqx_access_control:authenticate(BcryptFoo#{password => <<"foo">>}),
{error, _} = emqx_access_control:authenticate(User1#{password => <<"foo">>}), {error, _} = emqx_access_control:authenticate(User1#{password => <<"foo">>}),
{error, not_authorized} = emqx_access_control:authenticate(Bcrypt#{password => <<"password">>}). {error, not_authorized} = emqx_access_control:authenticate(Bcrypt#{password => <<"password">>}).