From c384ae2534f4c703a160a760bd142a12c133ab6a Mon Sep 17 00:00:00 2001 From: zhouzb Date: Tue, 26 Apr 2022 19:10:38 +0800 Subject: [PATCH 1/4] chore: rename certificate in jwt to public_key, delete pool_size in jwks authn --- apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf | 35 ++++++++++--------- .../i18n/emqx_authn_mongodb_i18n.conf | 10 +++--- .../src/simple_authn/emqx_authn_jwt.erl | 32 +++++++---------- apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl | 2 +- 4 files changed, 36 insertions(+), 43 deletions(-) diff --git a/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf b/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf index 2584c4e3c..684421e71 100644 --- a/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf +++ b/apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf @@ -21,14 +21,14 @@ emqx_authn_jwt { } } - certificate { + public_key { desc { en: """The public key used to verify the JWT.""" zh: """用于验证 JWT 的公钥。""" } label { - en: """Certificate""" - zh: """证书""" + en: """Public Key""" + zh: """公钥""" } } @@ -123,7 +123,7 @@ emqx_authn_jwt { server_name_indication { desc { en: """Server Name Indication (SNI).""" - zh: """服务器名称指示(SNI),未指定时将使用 endpoint 作为 SNI。""" + zh: """服务器名称指示(SNI)。""" } label { en: """Server Name Indication""" @@ -133,8 +133,20 @@ emqx_authn_jwt { verify_claims { desc { - en: """The list of claims to verify.""" - zh: """The list of claims to verify.""" + en: """ +A list of custom claims to validate, which is a list of name/value pairs. +Values can use the following placeholders: +- ${username}: Will be replaced at runtime with Username used by the client when connecting +- ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting +Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in verify_claims. +""" + zh: """ +需要验证的自定义声明列表,它是一个名称/值对列表。 +值可以使用以下占位符: +- ${username}: 将在运行时被替换为客户端连接时使用的用户名 +- ${clientid}: 将在运行时被替换为客户端连接时使用的客户端标识符 +认证时将验证 JWT(取自 Password 字段)中 claims 的值是否与 verify_claims 中要求的相匹配。 +""" } label { en: """Verify Claims""" @@ -142,17 +154,6 @@ emqx_authn_jwt { } } - pool_size { - desc { - en: """JWKS connection count.""" - zh: """JWKS 连接数量。""" - } - label { - en: """Pool Size""" - zh: """连接池大小""" - } - } - ssl { desc { en: """SSL options.""" diff --git a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf index b96544f29..0bb4b6984 100644 --- a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf +++ b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf @@ -35,15 +35,15 @@ emqx_authn_mongodb { desc { en: """ Statement that is executed during the authentication process. -Commands can support following wildcards:\n -- `${username}`: substituted with client's username\n -- `${clientid}`: substituted with the clientid +Commands can support following wildcards: +- ${username}: Will be replaced at runtime with Username used by the client when connecting +- ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting """ zh: """ 认证过程中所使用的查询命令。 查询命令支持如下占位符: -- `${username}`: 将在运行时被替换为客户端连接时使用的用户名 -- `${clientid}`: 将在运行时被替换为客户端连接时使用的客户端标识符 +- ${username}: 将在运行时被替换为客户端连接时使用的用户名 +- ${clientid}: 将在运行时被替换为客户端连接时使用的客户端标识符 """ } label: { diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl index 58c51facb..f5a4c16a6 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl @@ -66,13 +66,12 @@ fields('public-key') -> {use_jwks, sc(hoconsc:enum([false]), #{required => true, desc => ?DESC(use_jwks)})}, {algorithm, sc(hoconsc:enum(['public-key']), #{required => true, desc => ?DESC(algorithm)})}, - {certificate, fun certificate/1} + {public_key, fun public_key/1} ] ++ common_fields(); fields('jwks') -> [ {use_jwks, sc(hoconsc:enum([true]), #{required => true, desc => ?DESC(use_jwks)})}, {endpoint, fun endpoint/1}, - {pool_size, fun pool_size/1}, {refresh_interval, fun refresh_interval/1}, {ssl, #{ type => hoconsc:union([ @@ -125,10 +124,10 @@ secret_base64_encoded(desc) -> ?DESC(?FUNCTION_NAME); secret_base64_encoded(default) -> false; secret_base64_encoded(_) -> undefined. -certificate(type) -> string(); -certificate(desc) -> ?DESC(?FUNCTION_NAME); -certificate(required) -> ture; -certificate(_) -> undefined. +public_key(type) -> string(); +public_key(desc) -> ?DESC(?FUNCTION_NAME); +public_key(required) -> ture; +public_key(_) -> undefined. endpoint(type) -> string(); endpoint(desc) -> ?DESC(?FUNCTION_NAME); @@ -179,12 +178,6 @@ verify_claims(required) -> verify_claims(_) -> undefined. -pool_size(type) -> integer(); -pool_size(desc) -> ?DESC(?FUNCTION_NAME); -pool_size(default) -> 8; -pool_size(validator) -> [fun(I) -> I > 0 end]; -pool_size(_) -> undefined. - %%------------------------------------------------------------------------------ %% APIs %%------------------------------------------------------------------------------ @@ -294,10 +287,10 @@ create2(#{ create2(#{ use_jwks := false, algorithm := 'public-key', - certificate := Certificate, + public_key := PublicKey, verify_claims := VerifyClaims }) -> - JWK = create_jwk_from_pem_or_file(Certificate), + JWK = create_jwk_from_public_key(PublicKey), {ok, #{ jwk => JWK, verify_claims => VerifyClaims @@ -320,15 +313,14 @@ create2( verify_claims => VerifyClaims }}. -create_jwk_from_pem_or_file(CertfileOrFilePath) when - is_binary(CertfileOrFilePath); - is_list(CertfileOrFilePath) +create_jwk_from_public_key(PublicKey) when + is_binary(PublicKey); is_list(PublicKey) -> - case filelib:is_file(CertfileOrFilePath) of + case filelib:is_file(PublicKey) of true -> - jose_jwk:from_pem_file(CertfileOrFilePath); + jose_jwk:from_pem_file(PublicKey); false -> - jose_jwk:from_pem(iolist_to_binary(CertfileOrFilePath)) + jose_jwk:from_pem(iolist_to_binary(PublicKey)) end. connector_opts(#{ssl := #{enable := Enable} = SSL} = Config) -> diff --git a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl index f7534b880..670ffe6fb 100644 --- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl @@ -174,7 +174,7 @@ t_jwt_authenticator_public_key(_) -> mechanism => jwt, use_jwks => false, algorithm => 'public-key', - certificate => PublicKey, + public_key => PublicKey, verify_claims => [] }, {ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config), From fa9bd745957a36f41ecc0d5fbfd613109fa7bbac Mon Sep 17 00:00:00 2001 From: zhouzb Date: Wed, 27 Apr 2022 09:22:50 +0800 Subject: [PATCH 2/4] chore: rename selector to filter and fix spellcheck --- .../i18n/emqx_authn_mongodb_i18n.conf | 6 ++--- apps/emqx_authn/src/emqx_authn_api.erl | 2 +- .../src/simple_authn/emqx_authn_mongodb.erl | 24 +++++++++---------- .../test/emqx_authn_mongo_SUITE.erl | 14 +++++------ .../test/emqx_authn_mongo_tls_SUITE.erl | 2 +- apps/emqx_authz/etc/emqx_authz.conf | 2 +- .../i18n/emqx_authz_api_schema_i18n.conf | 6 ++--- .../i18n/emqx_authz_schema_i18n.conf | 6 ++--- apps/emqx_authz/src/emqx_authz_api_schema.erl | 8 +++---- apps/emqx_authz/src/emqx_authz_mongodb.erl | 14 +++++------ apps/emqx_authz/src/emqx_authz_schema.erl | 4 ++-- apps/emqx_authz/test/emqx_authz_SUITE.erl | 2 +- .../test/emqx_authz_api_sources_SUITE.erl | 2 +- .../test/emqx_authz_mongodb_SUITE.erl | 18 +++++++------- .../src/emqx_connector_mongo.erl | 16 ++++++------- 15 files changed, 63 insertions(+), 63 deletions(-) diff --git a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf index 0bb4b6984..95e31be35 100644 --- a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf +++ b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf @@ -31,7 +31,7 @@ emqx_authn_mongodb { } } - selector { + filter { desc { en: """ Statement that is executed during the authentication process. @@ -47,8 +47,8 @@ Commands can support following wildcards: """ } label: { - en: """Selector""" - zh: """查询""" + en: """Filter""" + zh: """过滤器""" } } diff --git a/apps/emqx_authn/src/emqx_authn_api.erl b/apps/emqx_authn/src/emqx_authn_api.erl index 0e7f03ce7..1817009d2 100644 --- a/apps/emqx_authn/src/emqx_authn_api.erl +++ b/apps/emqx_authn/src/emqx_authn_api.erl @@ -1401,7 +1401,7 @@ authenticator_examples() -> server => <<"127.0.0.1:27017">>, database => example, collection => users, - selector => #{ + filter => #{ username => ?PH_USERNAME }, password_hash_field => <<"password_hash">>, diff --git a/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl b/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl index 2174406e0..1faabf75d 100644 --- a/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl +++ b/apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl @@ -74,7 +74,7 @@ common_fields() -> {mechanism, emqx_authn_schema:mechanism(password_based)}, {backend, emqx_authn_schema:backend(mongodb)}, {collection, fun collection/1}, - {selector, fun selector/1}, + {filter, fun filter/1}, {password_hash_field, fun password_hash_field/1}, {salt_field, fun salt_field/1}, {is_superuser_field, fun is_superuser_field/1}, @@ -86,11 +86,11 @@ collection(desc) -> ?DESC(?FUNCTION_NAME); collection(required) -> true; collection(_) -> undefined. -selector(type) -> +filter(type) -> map(); -selector(desc) -> +filter(desc) -> ?DESC(?FUNCTION_NAME); -selector(_) -> +filter(_) -> undefined. password_hash_field(type) -> binary(); @@ -122,8 +122,8 @@ refs() -> create(_AuthenticatorID, Config) -> create(Config). -create(#{selector := Selector} = Config) -> - SelectorTemplate = emqx_authn_utils:parse_deep(Selector), +create(#{filter := Filter} = Config) -> + FilterTemplate = emqx_authn_utils:parse_deep(Filter), State = maps:with( [ collection, @@ -139,7 +139,7 @@ create(#{selector := Selector} = Config) -> ok = emqx_authn_password_hashing:init(Algorithm), ResourceId = emqx_authn_utils:make_resource_id(?MODULE), NState = State#{ - selector_template => SelectorTemplate, + filter_template => FilterTemplate, resource_id => ResourceId }, case @@ -174,12 +174,12 @@ authenticate( #{password := Password} = Credential, #{ collection := Collection, - selector_template := SelectorTemplate, + filter_template := FilterTemplate, resource_id := ResourceId } = State ) -> - Selector = emqx_authn_utils:render_deep(SelectorTemplate, Credential), - case emqx_resource:query(ResourceId, {find_one, Collection, Selector, #{}}) of + Filter = emqx_authn_utils:render_deep(FilterTemplate, Credential), + case emqx_resource:query(ResourceId, {find_one, Collection, Filter, #{}}) of undefined -> ignore; {error, Reason} -> @@ -187,7 +187,7 @@ authenticate( msg => "mongodb_query_failed", resource => ResourceId, collection => Collection, - selector => Selector, + filter => Filter, reason => Reason }), ignore; @@ -200,7 +200,7 @@ authenticate( msg => "cannot_find_password_hash_field", resource => ResourceId, collection => Collection, - selector => Selector, + filter => Filter, password_hash_field => PasswordHashField }), ignore; diff --git a/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl index ffd3dfd39..f49d259ac 100644 --- a/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl @@ -84,7 +84,7 @@ t_create_invalid(_Config) -> InvalidConfigs = [ AuthConfig#{mongo_type => <<"unknown">>}, - AuthConfig#{selector => <<"{ \"username\": \"${username}\" }">>}, + AuthConfig#{filter => <<"{ \"username\": \"${username}\" }">>}, AuthConfig#{w_mode => <<"unknown">>} ], @@ -177,7 +177,7 @@ t_update(_Config) -> ok = init_seeds(), CorrectConfig = raw_mongo_auth_config(), IncorrectConfig = - CorrectConfig#{selector => #{<<"wrongfield">> => <<"wrongvalue">>}}, + CorrectConfig#{filter => #{<<"wrongfield">> => <<"wrongvalue">>}}, {ok, _} = emqx:update_config( ?PATH, @@ -193,7 +193,7 @@ t_update(_Config) -> } ), - % We update with config with correct selector, provider should update and work properly + % We update with config with correct filter, provider should update and work properly {ok, _} = emqx:update_config( ?PATH, {update_authenticator, ?GLOBAL, <<"password_based:mongodb">>, CorrectConfig} @@ -276,7 +276,7 @@ raw_mongo_auth_config() -> server => mongo_server(), w_mode => <<"unsafe">>, - selector => #{<<"username">> => <<"${username}">>}, + filter => #{<<"username">> => <<"${username}">>}, password_hash_field => <<"password_hash">>, salt_field => <<"salt">>, is_superuser_field => <<"is_superuser">> @@ -332,7 +332,7 @@ user_seeds() -> password => <<"sha256">> }, config_params => #{ - selector => #{<<"username">> => <<"${clientid}">>}, + filter => #{<<"username">> => <<"${clientid}">>}, password_hash_algorithm => #{ name => <<"sha256">>, salt_position => <<"prefix">> @@ -373,7 +373,7 @@ user_seeds() -> }, config_params => #{ % clientid variable & username credentials - selector => #{<<"username">> => <<"${clientid}">>}, + filter => #{<<"username">> => <<"${clientid}">>}, password_hash_algorithm => #{name => <<"bcrypt">>} }, result => {error, not_authorized} @@ -392,7 +392,7 @@ user_seeds() -> password => <<"bcrypt">> }, config_params => #{ - selector => #{<<"userid">> => <<"${clientid}">>}, + filter => #{<<"userid">> => <<"${clientid}">>}, password_hash_algorithm => #{name => <<"bcrypt">>} }, result => {error, not_authorized} diff --git a/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl b/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl index 48cee7509..274c5b7a4 100644 --- a/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl +++ b/apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl @@ -189,7 +189,7 @@ raw_mongo_auth_config(SpecificSSLOpts) -> server => mongo_server(), w_mode => <<"unsafe">>, - selector => #{<<"username">> => <<"${username}">>}, + filter => #{<<"username">> => <<"${username}">>}, password_hash_field => <<"password_hash">>, salt_field => <<"salt">>, is_superuser_field => <<"is_superuser">>, diff --git a/apps/emqx_authz/etc/emqx_authz.conf b/apps/emqx_authz/etc/emqx_authz.conf index 082f60ae0..f35cf7abe 100644 --- a/apps/emqx_authz/etc/emqx_authz.conf +++ b/apps/emqx_authz/etc/emqx_authz.conf @@ -53,7 +53,7 @@ authorization { # database: mqtt # ssl: {enable: false} # collection: mqtt_authz - # selector: { "$or": [ { "username": "${username}" }, { "clientid": "${clientid}" } ] } + # filter: { "$or": [ { "username": "${username}" }, { "clientid": "${clientid}" } ] } # }, { type: built_in_database diff --git a/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf b/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf index 28fae341d..45dc66cf6 100644 --- a/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf +++ b/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf @@ -119,7 +119,7 @@ emqx_authz_api_schema { } } - selector { + filter { desc { en: """ Statement that is executed during the authorize process. @@ -134,8 +134,8 @@ Commands can support following wildcards:\n - `${clientid}`: 代替客户端的客户端标识符""" } label { - en: """selector""" - zh: """selector""" + en: """filter""" + zh: """filter""" } } diff --git a/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf b/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf index ee7b15c6f..42777f00f 100644 --- a/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf +++ b/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf @@ -266,7 +266,7 @@ and the new rules will override all rules from the old config file. } } - selector { + filter { desc { en: """ Statement that is executed during the authorize process. @@ -281,8 +281,8 @@ Commands can support following wildcards:\n - `${clientid}`: 代替客户端的客户端标识符""" } label { - en: """selector""" - zh: """selector""" + en: """filter""" + zh: """filter""" } } diff --git a/apps/emqx_authz/src/emqx_authz_api_schema.erl b/apps/emqx_authz/src/emqx_authz_api_schema.erl index a398479bd..bed953dbb 100644 --- a/apps/emqx_authz/src/emqx_authz_api_schema.erl +++ b/apps/emqx_authz/src/emqx_authz_api_schema.erl @@ -181,7 +181,7 @@ authz_mongo_common_fields() -> authz_common_fields(mongodb) ++ [ {collection, fun collection/1}, - {selector, fun selector/1} + {filter, fun filter/1} ]. collection(type) -> binary(); @@ -189,11 +189,11 @@ collection(desc) -> ?DESC(?FUNCTION_NAME); collection(required) -> true; collection(_) -> undefined. -selector(type) -> +filter(type) -> map(); -selector(desc) -> +filter(desc) -> ?DESC(?FUNCTION_NAME); -selector(_) -> +filter(_) -> undefined. %%------------------------------------------------------------------------------ diff --git a/apps/emqx_authz/src/emqx_authz_mongodb.erl b/apps/emqx_authz/src/emqx_authz_mongodb.erl index 2bac33003..620ca5b42 100644 --- a/apps/emqx_authz/src/emqx_authz_mongodb.erl +++ b/apps/emqx_authz/src/emqx_authz_mongodb.erl @@ -45,15 +45,15 @@ description() -> "AuthZ with MongoDB". -init(#{selector := Selector} = Source) -> +init(#{filter := Filter} = Source) -> case emqx_authz_utils:create_resource(emqx_connector_mongo, Source) of {error, Reason} -> error({load_config_error, Reason}); {ok, Id} -> Source#{ annotations => #{id => Id}, - selector_template => emqx_authz_utils:parse_deep( - Selector, + filter_template => emqx_authz_utils:parse_deep( + Filter, ?PLACEHOLDERS ) } @@ -68,14 +68,14 @@ authorize( Topic, #{ collection := Collection, - selector_template := SelectorTemplate, + filter_template := FilterTemplate, annotations := #{id := ResourceID} } ) -> - RenderedSelector = emqx_authz_utils:render_deep(SelectorTemplate, Client), + RenderedFilter = emqx_authz_utils:render_deep(FilterTemplate, Client), Result = try - emqx_resource:query(ResourceID, {find, Collection, RenderedSelector, #{}}) + emqx_resource:query(ResourceID, {find, Collection, RenderedFilter, #{}}) catch error:Error -> {error, Error} end, @@ -86,7 +86,7 @@ authorize( msg => "query_mongo_error", reason => Reason, collection => Collection, - selector => RenderedSelector, + filter => RenderedFilter, resource_id => ResourceID }), nomatch; diff --git a/apps/emqx_authz/src/emqx_authz_schema.erl b/apps/emqx_authz/src/emqx_authz_schema.erl index f61bd258d..3debb6a0f 100644 --- a/apps/emqx_authz/src/emqx_authz_schema.erl +++ b/apps/emqx_authz/src/emqx_authz_schema.erl @@ -199,10 +199,10 @@ mongo_common_fields() -> required => true, desc => ?DESC(collection) }}, - {selector, #{ + {filter, #{ type => map(), required => true, - desc => ?DESC(selector) + desc => ?DESC(filter) }} ]. diff --git a/apps/emqx_authz/test/emqx_authz_SUITE.erl b/apps/emqx_authz/test/emqx_authz_SUITE.erl index 052f8cdcf..14d5cb25f 100644 --- a/apps/emqx_authz/test/emqx_authz_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_SUITE.erl @@ -91,7 +91,7 @@ set_special_configs(_App) -> <<"database">> => <<"mqtt">>, <<"ssl">> => #{<<"enable">> => false}, <<"collection">> => <<"authz">>, - <<"selector">> => #{<<"a">> => <<"b">>} + <<"filter">> => #{<<"a">> => <<"b">>} }). -define(SOURCE3, #{ <<"type">> => <<"mysql">>, diff --git a/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl b/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl index 308e67d53..4a599a14f 100644 --- a/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl @@ -47,7 +47,7 @@ <<"database">> => <<"mqtt">>, <<"ssl">> => #{<<"enable">> => false}, <<"collection">> => <<"fake">>, - <<"selector">> => #{<<"a">> => <<"b">>} + <<"filter">> => #{<<"a">> => <<"b">>} }). -define(SOURCE3, #{ <<"type">> => <<"mysql">>, diff --git a/apps/emqx_authz/test/emqx_authz_mongodb_SUITE.erl b/apps/emqx_authz/test/emqx_authz_mongodb_SUITE.erl index e0220488f..5e5a6ca1e 100644 --- a/apps/emqx_authz/test/emqx_authz_mongodb_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_mongodb_SUITE.erl @@ -85,7 +85,7 @@ t_topic_rules(_Config) -> ok = emqx_authz_test_lib:test_deny_topic_rules(ClientInfo, fun setup_client_samples/2). -t_complex_selector(_) -> +t_complex_filter(_) -> %% atom and string values also supported ClientInfo = #{ clientid => clientid, @@ -111,7 +111,7 @@ t_complex_selector(_) -> ok = setup_samples(Samples), ok = setup_config( #{ - <<"selector">> => #{ + <<"filter">> => #{ <<"x">> => #{ <<"u">> => <<"${username}">>, <<"c">> => [#{<<"c">> => <<"${clientid}">>}], @@ -137,7 +137,7 @@ t_mongo_error(_Config) -> ok = setup_samples([]), ok = setup_config( - #{<<"selector">> => #{<<"$badoperator">> => <<"$badoperator">>}} + #{<<"filter">> => #{<<"$badoperator">> => <<"$badoperator">>}} ), ok = emqx_authz_test_lib:test_samples( @@ -165,7 +165,7 @@ t_lookups(_Config) -> ok = setup_samples([ByClientid]), ok = setup_config( - #{<<"selector">> => #{<<"clientid">> => <<"${clientid}">>}} + #{<<"filter">> => #{<<"clientid">> => <<"${clientid}">>}} ), ok = emqx_authz_test_lib:test_samples( @@ -185,7 +185,7 @@ t_lookups(_Config) -> ok = setup_samples([ByPeerhost]), ok = setup_config( - #{<<"selector">> => #{<<"peerhost">> => <<"${peerhost}">>}} + #{<<"filter">> => #{<<"peerhost">> => <<"${peerhost}">>}} ), ok = emqx_authz_test_lib:test_samples( @@ -196,7 +196,7 @@ t_lookups(_Config) -> ] ). -t_bad_selector(_Config) -> +t_bad_filter(_Config) -> ClientInfo = #{ clientid => <<"clientid">>, cn => <<"cn">>, @@ -208,7 +208,7 @@ t_bad_selector(_Config) -> }, ok = setup_config( - #{<<"selector">> => #{<<"$in">> => #{<<"a">> => 1}}} + #{<<"filter">> => #{<<"$in">> => #{<<"a">> => 1}}} ), ok = emqx_authz_test_lib:test_samples( @@ -251,7 +251,7 @@ setup_client_samples(ClientInfo, Samples) -> Samples ), setup_samples(Records), - setup_config(#{<<"selector">> => #{<<"username">> => <<"${username}">>}}). + setup_config(#{<<"filter">> => #{<<"username">> => <<"${username}">>}}). reset_samples() -> {true, _} = mc_worker_api:delete(?MONGO_CLIENT, <<"acl">>, #{}), @@ -273,7 +273,7 @@ raw_mongo_authz_config() -> <<"collection">> => <<"acl">>, <<"server">> => mongo_server(), - <<"selector">> => #{<<"username">> => <<"${username}">>} + <<"filter">> => #{<<"username">> => <<"${username}">>} }. mongo_server() -> diff --git a/apps/emqx_connector/src/emqx_connector_mongo.erl b/apps/emqx_connector/src/emqx_connector_mongo.erl index d81aa04a4..cee07c865 100644 --- a/apps/emqx_connector/src/emqx_connector_mongo.erl +++ b/apps/emqx_connector/src/emqx_connector_mongo.erl @@ -155,14 +155,14 @@ on_stop(InstId, #{poolname := PoolName}) -> emqx_plugin_libs_pool:stop_pool(PoolName). on_query(InstId, - {Action, Collection, Selector, Projector}, + {Action, Collection, Filter, Projector}, AfterQuery, #{poolname := PoolName} = State) -> - Request = {Action, Collection, Selector, Projector}, + Request = {Action, Collection, Filter, Projector}, ?TRACE("QUERY", "mongodb_connector_received", #{request => Request, connector => InstId, state => State}), case ecpool:pick_and_do(PoolName, - {?MODULE, mongo_query, [Action, Collection, Selector, Projector]}, + {?MODULE, mongo_query, [Action, Collection, Filter, Projector]}, no_handover) of {error, Reason} -> ?SLOG(error, #{msg => "mongodb_connector_do_query_failed", @@ -242,14 +242,14 @@ connect(Opts) -> WorkerOptions = proplists:get_value(worker_options, Opts, []), mongo_api:connect(Type, Hosts, Options, WorkerOptions). -mongo_query(Conn, find, Collection, Selector, Projector) -> - mongo_api:find(Conn, Collection, Selector, Projector); +mongo_query(Conn, find, Collection, Filter, Projector) -> + mongo_api:find(Conn, Collection, Filter, Projector); -mongo_query(Conn, find_one, Collection, Selector, Projector) -> - mongo_api:find_one(Conn, Collection, Selector, Projector); +mongo_query(Conn, find_one, Collection, Filter, Projector) -> + mongo_api:find_one(Conn, Collection, Filter, Projector); %% Todo xxx -mongo_query(_Conn, _Action, _Collection, _Selector, _Projector) -> +mongo_query(_Conn, _Action, _Collection, _Filter, _Projector) -> ok. init_type(#{mongo_type := rs, replica_set_name := ReplicaSetName}) -> From 7ddd020dd2c859ef1bef1506bc0f943aa93f3163 Mon Sep 17 00:00:00 2001 From: zhouzb Date: Wed, 27 Apr 2022 09:58:22 +0800 Subject: [PATCH 3/4] docs: improve desc for filter field --- .../i18n/emqx_authn_mongodb_i18n.conf | 8 +++---- .../i18n/emqx_authz_api_schema_i18n.conf | 21 ++++++++++--------- .../i18n/emqx_authz_schema_i18n.conf | 21 ++++++++++--------- 3 files changed, 26 insertions(+), 24 deletions(-) diff --git a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf index 95e31be35..440e6edb1 100644 --- a/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf +++ b/apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf @@ -34,14 +34,14 @@ emqx_authn_mongodb { filter { desc { en: """ -Statement that is executed during the authentication process. -Commands can support following wildcards: +Conditional expression that defines the filter condition in the query. +Filter supports the following placeholders: - ${username}: Will be replaced at runtime with Username used by the client when connecting - ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting """ zh: """ -认证过程中所使用的查询命令。 -查询命令支持如下占位符: +在查询中定义过滤条件的条件表达式。 +过滤器支持如下占位符: - ${username}: 将在运行时被替换为客户端连接时使用的用户名 - ${clientid}: 将在运行时被替换为客户端连接时使用的客户端标识符 """ diff --git a/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf b/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf index 45dc66cf6..d5c86ba59 100644 --- a/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf +++ b/apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf @@ -122,20 +122,21 @@ emqx_authz_api_schema { filter { desc { en: """ -Statement that is executed during the authorize process. -Commands can support following wildcards:\n - - `${username}`: substituted with client's username\n - - `${clientid}`: substituted with the clientid +Conditional expression that defines the filter condition in the query. +Filter supports the following placeholders: + - ${username}: Will be replaced at runtime with Username used by the client when connecting + - ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting """ zh: """ -鉴权过程中所使用的查询命令。 -查询命令支持如下占位符: -- `${username}`: 代替客户端的用户名 -- `${clientid}`: 代替客户端的客户端标识符""" +在查询中定义过滤条件的条件表达式。 +过滤器支持如下占位符: +- ${username}: 将在运行时被替换为客户端连接时使用的用户名 +- ${clientid}: 将在运行时被替换为客户端连接时使用的客户端标识符 +""" } label { - en: """filter""" - zh: """filter""" + en: """Filter""" + zh: """过滤器""" } } diff --git a/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf b/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf index 42777f00f..2dc89901e 100644 --- a/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf +++ b/apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf @@ -269,20 +269,21 @@ and the new rules will override all rules from the old config file. filter { desc { en: """ -Statement that is executed during the authorize process. -Commands can support following wildcards:\n - - `${username}`: substituted with client's username\n - - `${clientid}`: substituted with the clientid +Conditional expression that defines the filter condition in the query. +Filter supports the following placeholders: + - ${username}: Will be replaced at runtime with Username used by the client when connecting + - ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting """ zh: """ -鉴权过程中所使用的查询命令。 -查询命令支持如下占位符: -- `${username}`: 代替客户端的用户名 -- `${clientid}`: 代替客户端的客户端标识符""" +在查询中定义过滤条件的条件表达式。 +过滤器支持如下占位符: +- ${username}: 将在运行时被替换为客户端连接时使用的用户名 +- ${clientid}: 将在运行时被替换为客户端连接时使用的客户端标识符 +""" } label { - en: """filter""" - zh: """filter""" + en: """Filter""" + zh: """过滤器""" } } From 95e63fcadfed72aa7eb8c887c0d00f91eb8b66e7 Mon Sep 17 00:00:00 2001 From: zhouzb Date: Thu, 28 Apr 2022 16:51:36 +0800 Subject: [PATCH 4/4] fix: fix bad code --- apps/emqx_connector/src/emqx_connector_mongo.erl | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/apps/emqx_connector/src/emqx_connector_mongo.erl b/apps/emqx_connector/src/emqx_connector_mongo.erl index 84aabcd48..4fa7449d5 100644 --- a/apps/emqx_connector/src/emqx_connector_mongo.erl +++ b/apps/emqx_connector/src/emqx_connector_mongo.erl @@ -186,23 +186,13 @@ on_stop(InstId, #{poolname := PoolName}) -> }), emqx_plugin_libs_pool:stop_pool(PoolName). -on_query(InstId, - {Action, Collection, Filter, Projector}, - AfterQuery, - #{poolname := PoolName} = State) -> - Request = {Action, Collection, Filter, Projector}, - ?TRACE("QUERY", "mongodb_connector_received", - #{request => Request, connector => InstId, state => State}), - case ecpool:pick_and_do(PoolName, - {?MODULE, mongo_query, [Action, Collection, Filter, Projector]}, - no_handover) of on_query( InstId, {Action, Collection, Filter, Projector}, AfterQuery, #{poolname := PoolName} = State ) -> - Request = {Action, Collection, Selector, Projector}, + Request = {Action, Collection, Filter, Projector}, ?TRACE( "QUERY", "mongodb_connector_received", @@ -211,7 +201,7 @@ on_query( case ecpool:pick_and_do( PoolName, - {?MODULE, mongo_query, [Action, Collection, Selector, Projector]}, + {?MODULE, mongo_query, [Action, Collection, Filter, Projector]}, no_handover ) of