
Merge pull request #10074 from sstrigler/EMQX-8550-put-authorization-sources-type-doesnt-check-type-constraint

fix(emqx_authz): check if type param matches type in body
Stefan Strigler 3 лет назад
Родитель
Сommit
bd7e789bea

+ 3 - 1
apps/emqx_authz/src/emqx_authz_api_sources.erl

@@ -262,8 +262,10 @@ source(get, #{bindings := #{type := Type}}) ->
     end;
 source(put, #{bindings := #{type := <<"file">>}, body := #{<<"type">> := <<"file">>} = Body}) ->
     update_authz_file(Body);
-source(put, #{bindings := #{type := Type}, body := Body}) ->
+source(put, #{bindings := #{type := Type}, body := #{<<"type">> := Type} = Body}) ->
     update_config({?CMD_REPLACE, Type}, Body);
+source(put, #{bindings := #{type := _Type}, body := #{<<"type">> := _OtherType}}) ->
+    {400, #{code => <<"BAD_REQUEST">>, message => <<"Type mismatch">>}};
 source(delete, #{bindings := #{type := Type}}) ->
     update_config({?CMD_DELETE, Type}, #{}).
 
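Review bot: A PUT whose body has no `<<"type">>` key now matches none of the three `source(put, ...)` clauses, whereas the removed clause accepted any body. Unless request-schema validation outside this hunk guarantees the key, such a request ends in a `function_clause` error instead of a 400. If the key can be absent, widen the rejecting head to `source(put, #{bindings := #{type := _Type}, body := _Body}) ->` so every non-matching PUT gets BAD_REQUEST. If it cannot, say so above the clauses with a comment such as `%% body is schema-validated before dispatch, so <<"type">> is always present here`. The earlier clauses of `source/2` start above the hunk.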

+ 14 - 0
apps/emqx_authz/test/emqx_authz_api_sources_SUITE.erl

@@ -332,6 +332,7 @@ t_api(_) ->
         uri(["authorization", "sources", "postgresql"]),
         ?SOURCE4#{<<"server">> := <<"fake">>}
     ),
+
     {ok, 204, _} = request(
         put,
         uri(["authorization", "sources", "redis"]),
@@ -343,6 +344,19 @@ t_api(_) ->
         }
     ),
 
+    {ok, 400, TypeMismatch} = request(
+        put,
+        uri(["authorization", "sources", "file"]),
+        #{<<"type">> => <<"built_in_database">>, <<"enable">> => false}
+    ),
+    ?assertMatch(
+        #{
+            <<"code">> := <<"BAD_REQUEST">>,
+            <<"message">> := <<"Type mismatch", _/binary>>
+        },
+        jiffy:decode(TypeMismatch, [return_maps])
+    ),
+
     lists:foreach(
         fun(#{<<"type">> := Type}) ->
             {ok, 204, _} = request(
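Review bot: The added mismatch request only uses the `file` path, and nothing afterwards asserts that the rejected PUT left the configured sources untouched. A second request pairing a non-file path with a different body type would cover the generic clause as well, e.g. `uri(["authorization", "sources", "redis"])` with `#{<<"type">> => <<"postgresql">>, <<"enable">> => false}`. A follow-up GET on the same source after the 400 would pin the no-side-effect behaviour, which matters for an endpoint that replaces authorization configuration. `t_api/1` begins and continues outside this hunk, so the exact state at this point is not visible here.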

+ 1 - 0
changes/ce/fix-10074.en.md

@@ -0,0 +1 @@
+Check if type in `PUT /authorization/sources/:type` matches `type` given in body of request.

+ 1 - 0
changes/ce/fix-10074.zh.md

@@ -0,0 +1 @@
+检查 `PUT /authorization/sources/:type` 中的类型是否与请求正文中的 `type` 相符。