yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #7789 from tigercl/chore/authn-fields 

chore: rename certificate in jwt and selector in mongodb, remove pool_size in jwks
This commit is contained in:
zhouzb 2022-04-29 10:14:06 +08:00 committed by GitHub
parent 778973b2de 95e63fcadf
commit afe526ba67
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 120 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
apps/emqx_authn/i18n/emqx_authn_jwt_i18n.conf
View File

@ -21,14 +21,14 @@ emqx_authn_jwt {
} }
} }
certificate { public_key {
desc { desc {
en: """The public key used to verify the JWT.""" en: """The public key used to verify the JWT."""
zh: """用于验证 JWT 的公钥。""" zh: """用于验证 JWT 的公钥。"""
} }
label { label {
en: """Certificate""" en: """Public Key"""
zh: """证书""" zh: """公钥"""
} }
} }
@ -123,7 +123,7 @@ emqx_authn_jwt {
server_name_indication { server_name_indication {
desc { desc {
en: """Server Name Indication (SNI).""" en: """Server Name Indication (SNI)."""
zh: """服务器名称指示SNI,未指定时将使用 <code>endpoint</code> 作为 SNI。""" zh: """服务器名称指示SNI。"""
} }
label { label {
en: """Server Name Indication""" en: """Server Name Indication"""
@ -133,8 +133,20 @@ emqx_authn_jwt {
verify_claims { verify_claims {
desc { desc {
en: """The list of claims to verify.""" en: """
zh: """The list of claims to verify.""" A list of custom claims to validate, which is a list of name/value pairs.
Values can use the following placeholders:
- <code>${username}</code>: Will be replaced at runtime with <code>Username</code> used by the client when connecting
- <code>${clientid}</code>: Will be replaced at runtime with <code>Client ID</code> used by the client when connecting
Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in <code>verify_claims</code>.
"""
zh: """
需要验证的自定义声明列表,它是一个名称/值对列表。
值可以使用以下占位符:
- <code>${username}</code>: 将在运行时被替换为客户端连接时使用的用户名
- <code>${clientid}</code>: 将在运行时被替换为客户端连接时使用的客户端标识符
认证时将验证 JWT取自 Password 字段)中 claims 的值是否与 <code>verify_claims</code> 中要求的相匹配。
"""
} }
label { label {
en: """Verify Claims""" en: """Verify Claims"""
@ -142,17 +154,6 @@ emqx_authn_jwt {
} }
} }
pool_size {
desc {
en: """JWKS connection count."""
zh: """JWKS 连接数量。"""
}
label {
en: """Pool Size"""
zh: """连接池大小"""
}
}
ssl { ssl {
desc { desc {
en: """SSL options.""" en: """SSL options."""

22
apps/emqx_authn/i18n/emqx_authn_mongodb_i18n.conf
View File

@ -31,24 +31,24 @@ emqx_authn_mongodb {
} }
} }
selector { filter {
desc { desc {
en: """ en: """
Statement that is executed during the authentication process. Conditional expression that defines the filter condition in the query.
Commands can support following wildcards:\n Filter supports the following placeholders:
- `${username}`: substituted with client's username\n - <code>${username}</code>: Will be replaced at runtime with <code>Username</code> used by the client when connecting
- `${clientid}`: substituted with the clientid - <code>${clientid}</code>: Will be replaced at runtime with <code>Client ID</code> used by the client when connecting
""" """
zh: """ zh: """
认证过程中所使用的查询命令 在查询中定义过滤条件的条件表达式
查询命令支持如下占位符: 过滤器支持如下占位符:
- `${username}`: 将在运行时被替换为客户端连接时使用的用户名 - <code>${username}</code>: 将在运行时被替换为客户端连接时使用的用户名
- `${clientid}`: 将在运行时被替换为客户端连接时使用的客户端标识符 - <code>${clientid}</code>: 将在运行时被替换为客户端连接时使用的客户端标识符
""" """
} }
label: { label: {
en: """Selector""" en: """Filter"""
zh: """查询""" zh: """过滤器"""
} }
} }

2
apps/emqx_authn/src/emqx_authn_api.erl
View File

@ -1417,7 +1417,7 @@ authenticator_examples() ->
server => <<"127.0.0.1:27017">>, server => <<"127.0.0.1:27017">>,
database => example, database => example,
collection => users, collection => users,
selector => #{ filter => #{
username => ?PH_USERNAME username => ?PH_USERNAME
}, },
password_hash_field => <<"password_hash">>, password_hash_field => <<"password_hash">>,

32
apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
View File

@ -66,13 +66,12 @@ fields('public-key') ->
{use_jwks, sc(hoconsc:enum([false]), #{required => true, desc => ?DESC(use_jwks)})}, {use_jwks, sc(hoconsc:enum([false]), #{required => true, desc => ?DESC(use_jwks)})},
{algorithm, {algorithm,
sc(hoconsc:enum(['public-key']), #{required => true, desc => ?DESC(algorithm)})}, sc(hoconsc:enum(['public-key']), #{required => true, desc => ?DESC(algorithm)})},
{certificate, fun certificate/1} {public_key, fun public_key/1}
] ++ common_fields(); ] ++ common_fields();
fields('jwks') -> fields('jwks') ->
[ [
{use_jwks, sc(hoconsc:enum([true]), #{required => true, desc => ?DESC(use_jwks)})}, {use_jwks, sc(hoconsc:enum([true]), #{required => true, desc => ?DESC(use_jwks)})},
{endpoint, fun endpoint/1}, {endpoint, fun endpoint/1},
{pool_size, fun pool_size/1},
{refresh_interval, fun refresh_interval/1}, {refresh_interval, fun refresh_interval/1},
{ssl, #{ {ssl, #{
type => hoconsc:union([ type => hoconsc:union([
@ -125,10 +124,10 @@ secret_base64_encoded(desc) -> ?DESC(?FUNCTION_NAME);
secret_base64_encoded(default) -> false; secret_base64_encoded(default) -> false;
secret_base64_encoded(_) -> undefined. secret_base64_encoded(_) -> undefined.
certificate(type) -> string(); public_key(type) -> string();
certificate(desc) -> ?DESC(?FUNCTION_NAME); public_key(desc) -> ?DESC(?FUNCTION_NAME);
certificate(required) -> ture; public_key(required) -> ture;
certificate(_) -> undefined. public_key(_) -> undefined.
endpoint(type) -> string(); endpoint(type) -> string();
endpoint(desc) -> ?DESC(?FUNCTION_NAME); endpoint(desc) -> ?DESC(?FUNCTION_NAME);
@ -179,12 +178,6 @@ verify_claims(required) ->
verify_claims(_) -> verify_claims(_) ->
undefined. undefined.
pool_size(type) -> integer();
pool_size(desc) -> ?DESC(?FUNCTION_NAME);
pool_size(default) -> 8;
pool_size(validator) -> [fun(I) -> I > 0 end];
pool_size(_) -> undefined.
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
%% APIs %% APIs
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
@ -294,10 +287,10 @@ create2(#{
create2(#{ create2(#{
use_jwks := false, use_jwks := false,
algorithm := 'public-key', algorithm := 'public-key',
certificate := Certificate, public_key := PublicKey,
verify_claims := VerifyClaims verify_claims := VerifyClaims
}) -> }) ->
JWK = create_jwk_from_pem_or_file(Certificate), JWK = create_jwk_from_public_key(PublicKey),
{ok, #{ {ok, #{
jwk => JWK, jwk => JWK,
verify_claims => VerifyClaims verify_claims => VerifyClaims
@ -320,15 +313,14 @@ create2(
verify_claims => VerifyClaims verify_claims => VerifyClaims
}}. }}.
create_jwk_from_pem_or_file(CertfileOrFilePath) when create_jwk_from_public_key(PublicKey) when
is_binary(CertfileOrFilePath); is_binary(PublicKey); is_list(PublicKey)
is_list(CertfileOrFilePath)
-> ->
case filelib:is_file(CertfileOrFilePath) of case filelib:is_file(PublicKey) of
true -> true ->
jose_jwk:from_pem_file(CertfileOrFilePath); jose_jwk:from_pem_file(PublicKey);
false -> false ->
jose_jwk:from_pem(iolist_to_binary(CertfileOrFilePath)) jose_jwk:from_pem(iolist_to_binary(PublicKey))
end. end.
connector_opts(#{ssl := #{enable := Enable} = SSL} = Config) -> connector_opts(#{ssl := #{enable := Enable} = SSL} = Config) ->

24
apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl
View File

@ -74,7 +74,7 @@ common_fields() ->
{mechanism, emqx_authn_schema:mechanism(password_based)}, {mechanism, emqx_authn_schema:mechanism(password_based)},
{backend, emqx_authn_schema:backend(mongodb)}, {backend, emqx_authn_schema:backend(mongodb)},
{collection, fun collection/1}, {collection, fun collection/1},
{selector, fun selector/1}, {filter, fun filter/1},
{password_hash_field, fun password_hash_field/1}, {password_hash_field, fun password_hash_field/1},
{salt_field, fun salt_field/1}, {salt_field, fun salt_field/1},
{is_superuser_field, fun is_superuser_field/1}, {is_superuser_field, fun is_superuser_field/1},
@ -86,11 +86,11 @@ collection(desc) -> ?DESC(?FUNCTION_NAME);
collection(required) -> true; collection(required) -> true;
collection(_) -> undefined. collection(_) -> undefined.
selector(type) -> filter(type) ->
map(); map();
selector(desc) -> filter(desc) ->
?DESC(?FUNCTION_NAME); ?DESC(?FUNCTION_NAME);
selector(_) -> filter(_) ->
undefined. undefined.
password_hash_field(type) -> binary(); password_hash_field(type) -> binary();
@ -122,8 +122,8 @@ refs() ->
create(_AuthenticatorID, Config) -> create(_AuthenticatorID, Config) ->
create(Config). create(Config).
create(#{selector := Selector} = Config) -> create(#{filter := Filter} = Config) ->
SelectorTemplate = emqx_authn_utils:parse_deep(Selector), FilterTemplate = emqx_authn_utils:parse_deep(Filter),
State = maps:with( State = maps:with(
[ [
collection, collection,
@ -139,7 +139,7 @@ create(#{selector := Selector} = Config) ->
ok = emqx_authn_password_hashing:init(Algorithm), ok = emqx_authn_password_hashing:init(Algorithm),
ResourceId = emqx_authn_utils:make_resource_id(?MODULE), ResourceId = emqx_authn_utils:make_resource_id(?MODULE),
NState = State#{ NState = State#{
selector_template => SelectorTemplate, filter_template => FilterTemplate,
resource_id => ResourceId resource_id => ResourceId
}, },
case case
@ -174,12 +174,12 @@ authenticate(
#{password := Password} = Credential, #{password := Password} = Credential,
#{ #{
collection := Collection, collection := Collection,
selector_template := SelectorTemplate, filter_template := FilterTemplate,
resource_id := ResourceId resource_id := ResourceId
} = State } = State
) -> ) ->
Selector = emqx_authn_utils:render_deep(SelectorTemplate, Credential), Filter = emqx_authn_utils:render_deep(FilterTemplate, Credential),
case emqx_resource:query(ResourceId, {find_one, Collection, Selector, #{}}) of case emqx_resource:query(ResourceId, {find_one, Collection, Filter, #{}}) of
undefined -> undefined ->
ignore; ignore;
{error, Reason} -> {error, Reason} ->
@ -187,7 +187,7 @@ authenticate(
msg => "mongodb_query_failed", msg => "mongodb_query_failed",
resource => ResourceId, resource => ResourceId,
collection => Collection, collection => Collection,
selector => Selector, filter => Filter,
reason => Reason reason => Reason
}), }),
ignore; ignore;
@ -200,7 +200,7 @@ authenticate(
msg => "cannot_find_password_hash_field", msg => "cannot_find_password_hash_field",
resource => ResourceId, resource => ResourceId,
collection => Collection, collection => Collection,
selector => Selector, filter => Filter,
password_hash_field => PasswordHashField password_hash_field => PasswordHashField
}), }),
ignore; ignore;

2
apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
View File

@ -174,7 +174,7 @@ t_jwt_authenticator_public_key(_) ->
mechanism => jwt, mechanism => jwt,
use_jwks => false, use_jwks => false,
algorithm => 'public-key', algorithm => 'public-key',
certificate => PublicKey, public_key => PublicKey,
verify_claims => [] verify_claims => []
}, },
{ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config), {ok, State} = emqx_authn_jwt:create(?AUTHN_ID, Config),

14
apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl
View File

@ -84,7 +84,7 @@ t_create_invalid(_Config) ->
InvalidConfigs = InvalidConfigs =
[ [
AuthConfig#{mongo_type => <<"unknown">>}, AuthConfig#{mongo_type => <<"unknown">>},
AuthConfig#{selector => <<"{ \"username\": \"${username}\" }">>}, AuthConfig#{filter => <<"{ \"username\": \"${username}\" }">>},
AuthConfig#{w_mode => <<"unknown">>} AuthConfig#{w_mode => <<"unknown">>}
], ],
@ -177,7 +177,7 @@ t_update(_Config) ->
ok = init_seeds(), ok = init_seeds(),
CorrectConfig = raw_mongo_auth_config(), CorrectConfig = raw_mongo_auth_config(),
IncorrectConfig = IncorrectConfig =
CorrectConfig#{selector => #{<<"wrongfield">> => <<"wrongvalue">>}}, CorrectConfig#{filter => #{<<"wrongfield">> => <<"wrongvalue">>}},
{ok, _} = emqx:update_config( {ok, _} = emqx:update_config(
?PATH, ?PATH,
@ -193,7 +193,7 @@ t_update(_Config) ->
} }
), ),
% We update with config with correct selector, provider should update and work properly % We update with config with correct filter, provider should update and work properly
{ok, _} = emqx:update_config( {ok, _} = emqx:update_config(
?PATH, ?PATH,
{update_authenticator, ?GLOBAL, <<"password_based:mongodb">>, CorrectConfig} {update_authenticator, ?GLOBAL, <<"password_based:mongodb">>, CorrectConfig}
@ -276,7 +276,7 @@ raw_mongo_auth_config() ->
server => mongo_server(), server => mongo_server(),
w_mode => <<"unsafe">>, w_mode => <<"unsafe">>,
selector => #{<<"username">> => <<"${username}">>}, filter => #{<<"username">> => <<"${username}">>},
password_hash_field => <<"password_hash">>, password_hash_field => <<"password_hash">>,
salt_field => <<"salt">>, salt_field => <<"salt">>,
is_superuser_field => <<"is_superuser">> is_superuser_field => <<"is_superuser">>
@ -332,7 +332,7 @@ user_seeds() ->
password => <<"sha256">> password => <<"sha256">>
}, },
config_params => #{ config_params => #{
selector => #{<<"username">> => <<"${clientid}">>}, filter => #{<<"username">> => <<"${clientid}">>},
password_hash_algorithm => #{ password_hash_algorithm => #{
name => <<"sha256">>, name => <<"sha256">>,
salt_position => <<"prefix">> salt_position => <<"prefix">>
@ -373,7 +373,7 @@ user_seeds() ->
}, },
config_params => #{ config_params => #{
% clientid variable & username credentials % clientid variable & username credentials
selector => #{<<"username">> => <<"${clientid}">>}, filter => #{<<"username">> => <<"${clientid}">>},
password_hash_algorithm => #{name => <<"bcrypt">>} password_hash_algorithm => #{name => <<"bcrypt">>}
}, },
result => {error, not_authorized} result => {error, not_authorized}
@ -392,7 +392,7 @@ user_seeds() ->
password => <<"bcrypt">> password => <<"bcrypt">>
}, },
config_params => #{ config_params => #{
selector => #{<<"userid">> => <<"${clientid}">>}, filter => #{<<"userid">> => <<"${clientid}">>},
password_hash_algorithm => #{name => <<"bcrypt">>} password_hash_algorithm => #{name => <<"bcrypt">>}
}, },
result => {error, not_authorized} result => {error, not_authorized}

2
apps/emqx_authn/test/emqx_authn_mongo_tls_SUITE.erl
View File

@ -189,7 +189,7 @@ raw_mongo_auth_config(SpecificSSLOpts) ->
server => mongo_server(), server => mongo_server(),
w_mode => <<"unsafe">>, w_mode => <<"unsafe">>,
selector => #{<<"username">> => <<"${username}">>}, filter => #{<<"username">> => <<"${username}">>},
password_hash_field => <<"password_hash">>, password_hash_field => <<"password_hash">>,
salt_field => <<"salt">>, salt_field => <<"salt">>,
is_superuser_field => <<"is_superuser">>, is_superuser_field => <<"is_superuser">>,

2
apps/emqx_authz/etc/emqx_authz.conf
View File

@ -53,7 +53,7 @@ authorization {
# database: mqtt # database: mqtt
# ssl: {enable: false} # ssl: {enable: false}
# collection: mqtt_authz # collection: mqtt_authz
# selector: { "$or": [ { "username": "${username}" }, { "clientid": "${clientid}" } ] } # filter: { "$or": [ { "username": "${username}" }, { "clientid": "${clientid}" } ] }
# }, # },
{ {
type: built_in_database type: built_in_database

23
apps/emqx_authz/i18n/emqx_authz_api_schema_i18n.conf
View File

@ -119,23 +119,24 @@ emqx_authz_api_schema {
} }
} }
selector { filter {
desc { desc {
en: """ en: """
Statement that is executed during the authorize process. Conditional expression that defines the filter condition in the query.
Commands can support following wildcards:\n Filter supports the following placeholders:
- `${username}`: substituted with client's username\n - <code>${username}</code>: Will be replaced at runtime with <code>Username</code> used by the client when connecting
- `${clientid}`: substituted with the clientid - <code>${clientid}</code>: Will be replaced at runtime with <code>Client ID</code> used by the client when connecting
""" """
zh: """ zh: """
鉴权过程中所使用的查询命令。 在查询中定义过滤条件的条件表达式。
查询命令支持如下占位符: 过滤器支持如下占位符:
- `${username}`: 代替客户端的用户名 - <code>${username}</code>: 将在运行时被替换为客户端连接时使用的用户名
- `${clientid}`: 代替客户端的客户端标识符""" - <code>${clientid}</code>: 将在运行时被替换为客户端连接时使用的客户端标识符
"""
} }
label { label {
en: """selector""" en: """Filter"""
zh: """selector""" zh: """过滤器"""
} }
} }

23
apps/emqx_authz/i18n/emqx_authz_schema_i18n.conf
View File

@ -266,23 +266,24 @@ and the new rules will override all rules from the old config file.
} }
} }
selector { filter {
desc { desc {
en: """ en: """
Statement that is executed during the authorize process. Conditional expression that defines the filter condition in the query.
Commands can support following wildcards:\n Filter supports the following placeholders:
- `${username}`: substituted with client's username\n - <code>${username}</code>: Will be replaced at runtime with <code>Username</code> used by the client when connecting
- `${clientid}`: substituted with the clientid - <code>${clientid}</code>: Will be replaced at runtime with <code>Client ID</code> used by the client when connecting
""" """
zh: """ zh: """
鉴权过程中所使用的查询命令。 在查询中定义过滤条件的条件表达式。
查询命令支持如下占位符: 过滤器支持如下占位符:
- `${username}`: 代替客户端的用户名 - <code>${username}</code>: 将在运行时被替换为客户端连接时使用的用户名
- `${clientid}`: 代替客户端的客户端标识符""" - <code>${clientid}</code>: 将在运行时被替换为客户端连接时使用的客户端标识符
"""
} }
label { label {
en: """selector""" en: """Filter"""
zh: """selector""" zh: """过滤器"""
} }
} }

8
apps/emqx_authz/src/emqx_authz_api_schema.erl
View File

@ -181,7 +181,7 @@ authz_mongo_common_fields() ->
authz_common_fields(mongodb) ++ authz_common_fields(mongodb) ++
[ [
{collection, fun collection/1}, {collection, fun collection/1},
{selector, fun selector/1} {filter, fun filter/1}
]. ].
collection(type) -> binary(); collection(type) -> binary();
@ -189,11 +189,11 @@ collection(desc) -> ?DESC(?FUNCTION_NAME);
collection(required) -> true; collection(required) -> true;
collection(_) -> undefined. collection(_) -> undefined.
selector(type) -> filter(type) ->
map(); map();
selector(desc) -> filter(desc) ->
?DESC(?FUNCTION_NAME); ?DESC(?FUNCTION_NAME);
selector(_) -> filter(_) ->
undefined. undefined.
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------

14
apps/emqx_authz/src/emqx_authz_mongodb.erl
View File

@ -45,15 +45,15 @@
description() -> description() ->
"AuthZ with MongoDB". "AuthZ with MongoDB".
init(#{selector := Selector} = Source) -> init(#{filter := Filter} = Source) ->
case emqx_authz_utils:create_resource(emqx_connector_mongo, Source) of case emqx_authz_utils:create_resource(emqx_connector_mongo, Source) of
{error, Reason} -> {error, Reason} ->
error({load_config_error, Reason}); error({load_config_error, Reason});
{ok, Id} -> {ok, Id} ->
Source#{ Source#{
annotations => #{id => Id}, annotations => #{id => Id},
selector_template => emqx_authz_utils:parse_deep( filter_template => emqx_authz_utils:parse_deep(
Selector, Filter,
?PLACEHOLDERS ?PLACEHOLDERS
) )
} }
@ -68,14 +68,14 @@ authorize(
Topic, Topic,
#{ #{
collection := Collection, collection := Collection,
selector_template := SelectorTemplate, filter_template := FilterTemplate,
annotations := #{id := ResourceID} annotations := #{id := ResourceID}
} }
) -> ) ->
RenderedSelector = emqx_authz_utils:render_deep(SelectorTemplate, Client), RenderedFilter = emqx_authz_utils:render_deep(FilterTemplate, Client),
Result = Result =
try try
emqx_resource:query(ResourceID, {find, Collection, RenderedSelector, #{}}) emqx_resource:query(ResourceID, {find, Collection, RenderedFilter, #{}})
catch catch
error:Error -> {error, Error} error:Error -> {error, Error}
end, end,
@ -86,7 +86,7 @@ authorize(
msg => "query_mongo_error", msg => "query_mongo_error",
reason => Reason, reason => Reason,
collection => Collection, collection => Collection,
selector => RenderedSelector, filter => RenderedFilter,
resource_id => ResourceID resource_id => ResourceID
}), }),
nomatch; nomatch;

4
apps/emqx_authz/src/emqx_authz_schema.erl
View File

@ -199,10 +199,10 @@ mongo_common_fields() ->
required => true, required => true,
desc => ?DESC(collection) desc => ?DESC(collection)
}}, }},
{selector, #{ {filter, #{
type => map(), type => map(),
required => true, required => true,
desc => ?DESC(selector) desc => ?DESC(filter)
}} }}
]. ].

2
apps/emqx_authz/test/emqx_authz_SUITE.erl
View File

@ -91,7 +91,7 @@ set_special_configs(_App) ->
<<"database">> => <<"mqtt">>, <<"database">> => <<"mqtt">>,
<<"ssl">> => #{<<"enable">> => false}, <<"ssl">> => #{<<"enable">> => false},
<<"collection">> => <<"authz">>, <<"collection">> => <<"authz">>,
<<"selector">> => #{<<"a">> => <<"b">>} <<"filter">> => #{<<"a">> => <<"b">>}
}). }).
-define(SOURCE3, #{ -define(SOURCE3, #{
<<"type">> => <<"mysql">>, <<"type">> => <<"mysql">>,

2
apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl
View File

@ -47,7 +47,7 @@
<<"database">> => <<"mqtt">>, <<"database">> => <<"mqtt">>,
<<"ssl">> => #{<<"enable">> => false}, <<"ssl">> => #{<<"enable">> => false},
<<"collection">> => <<"fake">>, <<"collection">> => <<"fake">>,
<<"selector">> => #{<<"a">> => <<"b">>} <<"filter">> => #{<<"a">> => <<"b">>}
}). }).
-define(SOURCE3, #{ -define(SOURCE3, #{
<<"type">> => <<"mysql">>, <<"type">> => <<"mysql">>,

18
apps/emqx_authz/test/emqx_authz_mongodb_SUITE.erl
View File

@ -85,7 +85,7 @@ t_topic_rules(_Config) ->
ok = emqx_authz_test_lib:test_deny_topic_rules(ClientInfo, fun setup_client_samples/2). ok = emqx_authz_test_lib:test_deny_topic_rules(ClientInfo, fun setup_client_samples/2).
t_complex_selector(_) -> t_complex_filter(_) ->
%% atom and string values also supported %% atom and string values also supported
ClientInfo = #{ ClientInfo = #{
clientid => clientid, clientid => clientid,
@ -111,7 +111,7 @@ t_complex_selector(_) ->
ok = setup_samples(Samples), ok = setup_samples(Samples),
ok = setup_config( ok = setup_config(
#{ #{
<<"selector">> => #{ <<"filter">> => #{
<<"x">> => #{ <<"x">> => #{
<<"u">> => <<"${username}">>, <<"u">> => <<"${username}">>,
<<"c">> => [#{<<"c">> => <<"${clientid}">>}], <<"c">> => [#{<<"c">> => <<"${clientid}">>}],
@ -137,7 +137,7 @@ t_mongo_error(_Config) ->
ok = setup_samples([]), ok = setup_samples([]),
ok = setup_config( ok = setup_config(
#{<<"selector">> => #{<<"$badoperator">> => <<"$badoperator">>}} #{<<"filter">> => #{<<"$badoperator">> => <<"$badoperator">>}}
), ),
ok = emqx_authz_test_lib:test_samples( ok = emqx_authz_test_lib:test_samples(
@ -165,7 +165,7 @@ t_lookups(_Config) ->
ok = setup_samples([ByClientid]), ok = setup_samples([ByClientid]),
ok = setup_config( ok = setup_config(
#{<<"selector">> => #{<<"clientid">> => <<"${clientid}">>}} #{<<"filter">> => #{<<"clientid">> => <<"${clientid}">>}}
), ),
ok = emqx_authz_test_lib:test_samples( ok = emqx_authz_test_lib:test_samples(
@ -185,7 +185,7 @@ t_lookups(_Config) ->
ok = setup_samples([ByPeerhost]), ok = setup_samples([ByPeerhost]),
ok = setup_config( ok = setup_config(
#{<<"selector">> => #{<<"peerhost">> => <<"${peerhost}">>}} #{<<"filter">> => #{<<"peerhost">> => <<"${peerhost}">>}}
), ),
ok = emqx_authz_test_lib:test_samples( ok = emqx_authz_test_lib:test_samples(
@ -196,7 +196,7 @@ t_lookups(_Config) ->
] ]
). ).
t_bad_selector(_Config) -> t_bad_filter(_Config) ->
ClientInfo = #{ ClientInfo = #{
clientid => <<"clientid">>, clientid => <<"clientid">>,
cn => <<"cn">>, cn => <<"cn">>,
@ -208,7 +208,7 @@ t_bad_selector(_Config) ->
}, },
ok = setup_config( ok = setup_config(
#{<<"selector">> => #{<<"$in">> => #{<<"a">> => 1}}} #{<<"filter">> => #{<<"$in">> => #{<<"a">> => 1}}}
), ),
ok = emqx_authz_test_lib:test_samples( ok = emqx_authz_test_lib:test_samples(
@ -251,7 +251,7 @@ setup_client_samples(ClientInfo, Samples) ->
Samples Samples
), ),
setup_samples(Records), setup_samples(Records),
setup_config(#{<<"selector">> => #{<<"username">> => <<"${username}">>}}). setup_config(#{<<"filter">> => #{<<"username">> => <<"${username}">>}}).
reset_samples() -> reset_samples() ->
{true, _} = mc_worker_api:delete(?MONGO_CLIENT, <<"acl">>, #{}), {true, _} = mc_worker_api:delete(?MONGO_CLIENT, <<"acl">>, #{}),
@ -273,7 +273,7 @@ raw_mongo_authz_config() ->
<<"collection">> => <<"acl">>, <<"collection">> => <<"acl">>,
<<"server">> => mongo_server(), <<"server">> => mongo_server(),
<<"selector">> => #{<<"username">> => <<"${username}">>} <<"filter">> => #{<<"username">> => <<"${username}">>}
}. }.
mongo_server() -> mongo_server() ->

16
apps/emqx_connector/src/emqx_connector_mongo.erl
View File

@ -188,11 +188,11 @@ on_stop(InstId, #{poolname := PoolName}) ->
on_query( on_query(
InstId, InstId,
{Action, Collection, Selector, Projector}, {Action, Collection, Filter, Projector},
AfterQuery, AfterQuery,
#{poolname := PoolName} = State #{poolname := PoolName} = State
) -> ) ->
Request = {Action, Collection, Selector, Projector}, Request = {Action, Collection, Filter, Projector},
?TRACE( ?TRACE(
"QUERY", "QUERY",
"mongodb_connector_received", "mongodb_connector_received",
@ -201,7 +201,7 @@ on_query(
case case
ecpool:pick_and_do( ecpool:pick_and_do(
PoolName, PoolName,
{?MODULE, mongo_query, [Action, Collection, Selector, Projector]}, {?MODULE, mongo_query, [Action, Collection, Filter, Projector]},
no_handover no_handover
) )
of of
@ -297,12 +297,12 @@ connect(Opts) ->
WorkerOptions = proplists:get_value(worker_options, Opts, []), WorkerOptions = proplists:get_value(worker_options, Opts, []),
mongo_api:connect(Type, Hosts, Options, WorkerOptions). mongo_api:connect(Type, Hosts, Options, WorkerOptions).
mongo_query(Conn, find, Collection, Selector, Projector) -> mongo_query(Conn, find, Collection, Filter, Projector) ->
mongo_api:find(Conn, Collection, Selector, Projector); mongo_api:find(Conn, Collection, Filter, Projector);
mongo_query(Conn, find_one, Collection, Selector, Projector) -> mongo_query(Conn, find_one, Collection, Filter, Projector) ->
mongo_api:find_one(Conn, Collection, Selector, Projector); mongo_api:find_one(Conn, Collection, Filter, Projector);
%% Todo xxx %% Todo xxx
mongo_query(_Conn, _Action, _Collection, _Selector, _Projector) -> mongo_query(_Conn, _Action, _Collection, _Filter, _Projector) ->
ok. ok.
init_type(#{mongo_type := rs, replica_set_name := ReplicaSetName}) -> init_type(#{mongo_type := rs, replica_set_name := ReplicaSetName}) ->