yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

style(authz_mnesia): api spec style, rm duplicated module name

This commit is contained in:
JimMoen 2022-03-03 14:31:21 +08:00
parent f7ec74d367
commit c01aa3c580
3 changed files with 198 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
apps/emqx_authz/include/emqx_authz.hrl
View File

@ -1,3 +1,19 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020-2022 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-define(APP, emqx_authz). -define(APP, emqx_authz).
-define(ALLOW_DENY(A), ((A =:= allow) orelse (A =:= <<"allow">>) orelse -define(ALLOW_DENY(A), ((A =:= allow) orelse (A =:= <<"allow">>) orelse
@ -8,6 +24,10 @@
(A =:= all) orelse (A =:= <<"all">>) (A =:= all) orelse (A =:= <<"all">>)
)). )).
%% authz_mnesia
-define(ACL_TABLE, emqx_acl).
%% authz_cmd
-define(CMD_REPLACE, replace). -define(CMD_REPLACE, replace).
-define(CMD_DELETE, delete). -define(CMD_DELETE, delete).
-define(CMD_PREPEND, prepend). -define(CMD_PREPEND, prepend).
@ -23,6 +43,7 @@
-define(RE_PLACEHOLDER, "\\$\\{[a-z0-9_]+\\}"). -define(RE_PLACEHOLDER, "\\$\\{[a-z0-9_]+\\}").
%% API examples
-define(USERNAME_RULES_EXAMPLE, #{username => user1, -define(USERNAME_RULES_EXAMPLE, #{username => user1,
rules => [ #{topic => <<"test/toopic/1">>, rules => [ #{topic => <<"test/toopic/1">>,
permission => <<"allow">>, permission => <<"allow">>,

326
apps/emqx_authz/src/emqx_authz_api_mnesia.erl
View File

@ -22,6 +22,8 @@
-include_lib("emqx/include/logger.hrl"). -include_lib("emqx/include/logger.hrl").
-include_lib("typerefl/include/types.hrl"). -include_lib("typerefl/include/types.hrl").
-import(hoconsc, [mk/1, mk/2, ref/1, ref/2, array/1, enum/1]).
-define(FORMAT_USERNAME_FUN, {?MODULE, format_by_username}). -define(FORMAT_USERNAME_FUN, {?MODULE, format_by_username}).
-define(FORMAT_CLIENTID_FUN, {?MODULE, format_by_clientid}). -define(FORMAT_CLIENTID_FUN, {?MODULE, format_by_clientid}).
@ -68,178 +70,191 @@ paths() ->
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
schema("/authorization/sources/built-in-database/username") -> schema("/authorization/sources/built-in-database/username") ->
#{ #{ 'operationId' => users
'operationId' => users, , get =>
get => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Show the list of record for username">>
description => <<"Show the list of record for username">>, , parameters =>
parameters => [ hoconsc:ref(emqx_dashboard_swagger, page) [ ref(emqx_dashboard_swagger, page)
, hoconsc:ref(emqx_dashboard_swagger, limit)], , ref(emqx_dashboard_swagger, limit)
responses => #{ , { like_username
200 => swagger_with_example( {username_response_data, ?TYPE_REF} , mk( binary(), #{ in => query
, {username, ?PAGE_QUERY_EXAMPLE}) , required => false
, desc => <<"Fuzzy search `username` as substring">>})}
]
, responses =>
#{ 200 => swagger_with_example( {username_response_data, ?TYPE_REF}
, {username, ?PAGE_QUERY_EXAMPLE})
} }
}, }
post => #{ , post =>
tags => [<<"authorization">>], #{ tags => [<<"authorization">>]
description => <<"Add new records for username">>, , description => <<"Add new records for username">>
'requestBody' => swagger_with_example( {rules_for_username, ?TYPE_ARRAY} , 'requestBody' => swagger_with_example( {rules_for_username, ?TYPE_ARRAY}
, {username, ?POST_ARRAY_EXAMPLE}), , {username, ?POST_ARRAY_EXAMPLE})
responses => #{ , responses =>
204 => <<"Created">>, #{ 204 => <<"Created">>
400 => emqx_dashboard_swagger:error_codes( [?BAD_REQUEST] , 400 => emqx_dashboard_swagger:error_codes(
, <<"Bad username or bad rule schema">>) [?BAD_REQUEST], <<"Bad username or bad rule schema">>)
} }
} }
}; };
schema("/authorization/sources/built-in-database/clientid") -> schema("/authorization/sources/built-in-database/clientid") ->
#{ #{ 'operationId' => clients
'operationId' => clients, , get =>
get => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Show the list of record for clientid">>
description => <<"Show the list of record for clientid">>, , parameters =>
parameters => [ hoconsc:ref(emqx_dashboard_swagger, page) [ ref(emqx_dashboard_swagger, page)
, hoconsc:ref(emqx_dashboard_swagger, limit)], , ref(emqx_dashboard_swagger, limit)
responses => #{ , { like_clientid
200 => swagger_with_example( {clientid_response_data, ?TYPE_REF} , mk( binary()
, {clientid, ?PAGE_QUERY_EXAMPLE}) , #{ in => query
, required => false
, desc => <<"Fuzzy search `clientid` as substring">>})
}
]
, responses =>
#{ 200 => swagger_with_example( {clientid_response_data, ?TYPE_REF}
, {clientid, ?PAGE_QUERY_EXAMPLE})
}
} }
}, , post =>
post => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Add new records for clientid">>
description => <<"Add new records for clientid">>, , 'requestBody' => swagger_with_example( {rules_for_clientid, ?TYPE_ARRAY}
'requestBody' => swagger_with_example( {rules_for_clientid, ?TYPE_ARRAY} , {clientid, ?POST_ARRAY_EXAMPLE})
, {clientid, ?POST_ARRAY_EXAMPLE}), , responses =>
responses => #{ #{ 204 => <<"Created">>
204 => <<"Created">>, , 400 => emqx_dashboard_swagger:error_codes(
400 => emqx_dashboard_swagger:error_codes( [?BAD_REQUEST] [?BAD_REQUEST], <<"Bad clientid or bad rule schema">>)
, <<"Bad clientid or bad rule schema">>) }
} }
} };
};
schema("/authorization/sources/built-in-database/username/:username") -> schema("/authorization/sources/built-in-database/username/:username") ->
#{ #{ 'operationId' => user
'operationId' => user, , get =>
get => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Get record info for username">>
description => <<"Get record info for username">>, , parameters => [ref(username)]
parameters => [hoconsc:ref(username)], , responses =>
responses => #{ #{ 200 => swagger_with_example( {rules_for_username, ?TYPE_REF}
200 => swagger_with_example( {rules_for_username, ?TYPE_REF} , {username, ?PUT_MAP_EXAMPLE})
, {username, ?PUT_MAP_EXAMPLE}), , 404 => emqx_dashboard_swagger:error_codes(
404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>) [?NOT_FOUND], <<"Not Found">>)
}
} }
}, , put =>
put => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Set record for username">>
description => <<"Set record for username">>, , parameters => [ref(username)]
parameters => [hoconsc:ref(username)], , 'requestBody' => swagger_with_example( {rules_for_username, ?TYPE_REF}
'requestBody' => swagger_with_example( {rules_for_username, ?TYPE_REF} , {username, ?PUT_MAP_EXAMPLE})
, {username, ?PUT_MAP_EXAMPLE}), , responses =>
responses => #{ #{ 204 => <<"Updated">>
204 => <<"Updated">>, , 400 => emqx_dashboard_swagger:error_codes(
400 => emqx_dashboard_swagger:error_codes( [?BAD_REQUEST] [?BAD_REQUEST], <<"Bad username or bad rule schema">>)
, <<"Bad username or bad rule schema">>) }
} }
}, , delete =>
delete => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Delete one record for username">>
description => <<"Delete one record for username">>, , parameters => [ref(username)]
parameters => [hoconsc:ref(username)], , responses =>
responses => #{ #{ 204 => <<"Deleted">>
204 => <<"Deleted">>, , 400 => emqx_dashboard_swagger:error_codes(
400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad username">>) [?BAD_REQUEST], <<"Bad username">>)
}
} }
} };
};
schema("/authorization/sources/built-in-database/clientid/:clientid") -> schema("/authorization/sources/built-in-database/clientid/:clientid") ->
#{ #{ 'operationId' => client
'operationId' => client, , get =>
get => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Get record info for clientid">>
description => <<"Get record info for clientid">>, , parameters => [ref(clientid)]
parameters => [hoconsc:ref(clientid)], , responses =>
responses => #{ #{ 200 => swagger_with_example( {rules_for_clientid, ?TYPE_REF}
200 => swagger_with_example( {rules_for_clientid, ?TYPE_REF} , {clientid, ?PUT_MAP_EXAMPLE})
, {clientid, ?PUT_MAP_EXAMPLE}), , 404 => emqx_dashboard_swagger:error_codes(
404 => emqx_dashboard_swagger:error_codes([?NOT_FOUND], <<"Not Found">>) [?NOT_FOUND], <<"Not Found">>)
}
},
put =>
#{ tags => [<<"authorization">>]
, description => <<"Set record for clientid">>
, parameters => [ref(clientid)]
, 'requestBody' => swagger_with_example( {rules_for_clientid, ?TYPE_REF}
, {clientid, ?PUT_MAP_EXAMPLE})
, responses =>
#{ 204 => <<"Updated">>
, 400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid or bad rule schema">>)
}
} }
}, , delete =>
put => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Delete one record for clientid">>
description => <<"Set record for clientid">>, , parameters => [ref(clientid)]
parameters => [hoconsc:ref(clientid)], , responses =>
'requestBody' => swagger_with_example( {rules_for_clientid, ?TYPE_REF} #{ 204 => <<"Deleted">>
, {clientid, ?PUT_MAP_EXAMPLE}), , 400 => emqx_dashboard_swagger:error_codes(
responses => #{ [?BAD_REQUEST], <<"Bad clientid">>)
204 => <<"Updated">>, }
400 => emqx_dashboard_swagger:error_codes(
[?BAD_REQUEST], <<"Bad clientid or bad rule schema">>)
} }
}, };
delete => #{
tags => [<<"authorization">>],
description => <<"Delete one record for clientid">>,
parameters => [hoconsc:ref(clientid)],
responses => #{
204 => <<"Deleted">>,
400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad clientid">>)
}
}
};
schema("/authorization/sources/built-in-database/all") -> schema("/authorization/sources/built-in-database/all") ->
#{ #{ 'operationId' => all
'operationId' => all, , get =>
get => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Show the list of rules for all">>
description => <<"Show the list of rules for all">>, , responses =>
responses => #{ #{200 => swagger_with_example({rules, ?TYPE_REF}, {all, ?PUT_MAP_EXAMPLE})}
200 => swagger_with_example({rules_for_all, ?TYPE_REF}, {all, ?PUT_MAP_EXAMPLE})
} }
}, , put =>
put => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Set the list of rules for all">>
description => <<"Set the list of rules for all">>, , 'requestBody' =>
'requestBody' => swagger_with_example({rules, ?TYPE_REF}, {all, ?PUT_MAP_EXAMPLE})
swagger_with_example({rules_for_all, ?TYPE_REF}, {all, ?PUT_MAP_EXAMPLE}), , responses =>
responses => #{ #{ 204 => <<"Created">>
204 => <<"Created">>, , 400 => emqx_dashboard_swagger:error_codes(
400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad rule schema">>) [?BAD_REQUEST], <<"Bad rule schema">>)
}
} }
} };
};
schema("/authorization/sources/built-in-database/purge-all") -> schema("/authorization/sources/built-in-database/purge-all") ->
#{ #{ 'operationId' => purge
'operationId' => purge, , delete =>
delete => #{ #{ tags => [<<"authorization">>]
tags => [<<"authorization">>], , description => <<"Purge all records">>
description => <<"Purge all records">>, , responses =>
responses => #{ #{ 204 => <<"Deleted">>
204 => <<"Deleted">>, , 400 => emqx_dashboard_swagger:error_codes(
400 => emqx_dashboard_swagger:error_codes([?BAD_REQUEST], <<"Bad Request">>) [?BAD_REQUEST], <<"Bad Request">>)
}
} }
} }.
}.
fields(rule_item) -> fields(rule_item) ->
[ {topic, hoconsc:mk(string(), [ {topic, mk(string(),
#{ required => true #{ required => true
, desc => <<"Rule on specific topic">> , desc => <<"Rule on specific topic">>
, example => <<"test/topic/1">> , example => <<"test/topic/1">>
})} })}
, {permission, hoconsc:mk(hoconsc:enum([allow, deny]), , {permission, mk(enum([allow, deny]),
#{ desc => <<"Permission">> #{ desc => <<"Permission">>
, required => true , required => true
, example => allow , example => allow
})} })}
, {action, hoconsc:mk(hoconsc:enum([publish, subscribe, all]), , {action, mk(enum([publish, subscribe, all]),
#{ required => true #{ required => true
, example => publish , example => publish
, desc => <<"Authorized action">> , desc => <<"Authorized action">>
})} })}
]; ];
fields(clientid) -> fields(clientid) ->
[ {clientid, hoconsc:mk(binary(), [ {clientid, mk(binary(),
#{ in => path #{ in => path
, required => true , required => true
, desc => <<"ClientID">> , desc => <<"ClientID">>
@ -247,50 +262,49 @@ fields(clientid) ->
})} })}
]; ];
fields(username) -> fields(username) ->
[ {username, hoconsc:mk(binary(), [ {username, mk(binary(),
#{ in => path #{ in => path
, required => true , required => true
, desc => <<"Username">> , desc => <<"Username">>
, example => <<"user1">>})} , example => <<"user1">>})}
]; ];
fields(rules_for_username) -> fields(rules_for_username) ->
[ {rules, hoconsc:mk(hoconsc:array(hoconsc:ref(rule_item)), #{})} fields(rules)
] ++ fields(username); ++ fields(username);
fields(username_response_data) -> fields(username_response_data) ->
[ {data, hoconsc:mk(hoconsc:array(hoconsc:ref(rules_for_username)), #{})} [ {data, mk(array(ref(rules_for_username)), #{})}
, {meta, hoconsc:ref(meta)} , {meta, ref(meta)}
]; ];
fields(rules_for_clientid) -> fields(rules_for_clientid) ->
[ {rules, hoconsc:mk(hoconsc:array(hoconsc:ref(rule_item)), #{})} fields(rules)
] ++ fields(clientid); ++ fields(clientid);
fields(clientid_response_data) -> fields(clientid_response_data) ->
[ {data, hoconsc:mk(hoconsc:array(hoconsc:ref(rules_for_clientid)), #{})} [ {data, mk(array(ref(rules_for_clientid)), #{})}
, {meta, hoconsc:ref(meta)} , {meta, ref(meta)}
];
fields(rules_for_all) ->
[ {rules, hoconsc:mk(hoconsc:array(hoconsc:ref(rule_item)), #{})}
]; ];
fields(rules) ->
[{rules, mk(array(ref(rule_item)))}];
fields(meta) -> fields(meta) ->
emqx_dashboard_swagger:fields(page) emqx_dashboard_swagger:fields(page)
++ emqx_dashboard_swagger:fields(limit) ++ emqx_dashboard_swagger:fields(limit)
++ [{count, hoconsc:mk(integer(), #{example => 1})}]. ++ [{count, mk(integer(), #{example => 1})}].
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% HTTP API %% HTTP API
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
users(get, #{query_string := PageParams}) -> users(get, #{query_string := QString}) ->
{Table, MatchSpec} = emqx_authz_mnesia:list_username_rules(), {Table, MatchSpec} = emqx_authz_mnesia:list_username_rules(),
{200, emqx_mgmt_api:paginate(Table, MatchSpec, PageParams, ?FORMAT_USERNAME_FUN)}; {200, emqx_mgmt_api:paginate(Table, MatchSpec, QString, ?FORMAT_USERNAME_FUN)};
users(post, #{body := Body}) when is_list(Body) -> users(post, #{body := Body}) when is_list(Body) ->
lists:foreach(fun(#{<<"username">> := Username, <<"rules">> := Rules}) -> lists:foreach(fun(#{<<"username">> := Username, <<"rules">> := Rules}) ->
emqx_authz_mnesia:store_rules({username, Username}, format_rules(Rules)) emqx_authz_mnesia:store_rules({username, Username}, format_rules(Rules))
end, Body), end, Body),
{204}. {204}.
clients(get, #{query_string := PageParams}) -> clients(get, #{query_string := QueryString}) ->
{Table, MatchSpec} = emqx_authz_mnesia:list_clientid_rules(), {Table, MatchSpec} = emqx_authz_mnesia:list_clientid_rules(),
{200, emqx_mgmt_api:paginate(Table, MatchSpec, PageParams, ?FORMAT_CLIENTID_FUN)}; {200, emqx_mgmt_api:paginate(Table, MatchSpec, QueryString, ?FORMAT_CLIENTID_FUN)};
clients(post, #{body := Body}) when is_list(Body) -> clients(post, #{body := Body}) when is_list(Body) ->
lists:foreach(fun(#{<<"clientid">> := Clientid, <<"rules">> := Rules}) -> lists:foreach(fun(#{<<"clientid">> := Clientid, <<"rules">> := Rules}) ->
emqx_authz_mnesia:store_rules({clientid, Clientid}, format_rules(Rules)) emqx_authz_mnesia:store_rules({clientid, Clientid}, format_rules(Rules))
@ -402,8 +416,8 @@ atom(A) when is_atom(A) -> A.
swagger_with_example({Ref, TypeP}, {_Name, _Type} = Example) -> swagger_with_example({Ref, TypeP}, {_Name, _Type} = Example) ->
emqx_dashboard_swagger:schema_with_examples( emqx_dashboard_swagger:schema_with_examples(
case TypeP of case TypeP of
?TYPE_REF -> hoconsc:ref(?MODULE, Ref); ?TYPE_REF -> ref(?MODULE, Ref);
?TYPE_ARRAY -> hoconsc:array(hoconsc:ref(?MODULE, Ref)) ?TYPE_ARRAY -> array(ref(?MODULE, Ref))
end, end,
rules_example(Example)). rules_example(Example)).

9
apps/emqx_authz/src/emqx_authz_mnesia.erl
View File

@ -20,9 +20,9 @@
-include_lib("stdlib/include/ms_transform.hrl"). -include_lib("stdlib/include/ms_transform.hrl").
-include_lib("emqx/include/logger.hrl"). -include_lib("emqx/include/logger.hrl").
-define(ACL_SHARDED, emqx_acl_sharded). -include("emqx_authz.hrl").
-define(ACL_TABLE, emqx_acl). -define(ACL_SHARDED, emqx_acl_sharded).
%% To save some space, use an integer for label, 0 for 'all', {1, Username} and {2, ClientId}. %% To save some space, use an integer for label, 0 for 'all', {1, Username} and {2, ClientId}.
-define(ACL_TABLE_ALL, 0). -define(ACL_TABLE_ALL, 0).
@ -114,10 +114,12 @@ authorize(#{username := Username,
%% Management API %% Management API
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% Init
-spec(init_tables() -> ok). -spec(init_tables() -> ok).
init_tables() -> init_tables() ->
ok = mria_rlog:wait_for_shards([?ACL_SHARDED], infinity). ok = mria_rlog:wait_for_shards([?ACL_SHARDED], infinity).
%% @doc Update authz rules
-spec(store_rules(who(), rules()) -> ok). -spec(store_rules(who(), rules()) -> ok).
store_rules({username, Username}, Rules) -> store_rules({username, Username}, Rules) ->
Record = #emqx_acl{who = {?ACL_TABLE_USERNAME, Username}, rules = normalize_rules(Rules)}, Record = #emqx_acl{who = {?ACL_TABLE_USERNAME, Username}, rules = normalize_rules(Rules)},
@ -129,6 +131,7 @@ store_rules(all, Rules) ->
Record = #emqx_acl{who = ?ACL_TABLE_ALL, rules = normalize_rules(Rules)}, Record = #emqx_acl{who = ?ACL_TABLE_ALL, rules = normalize_rules(Rules)},
mria:dirty_write(Record). mria:dirty_write(Record).
%% @doc Clean all authz rules for (username & clientid & all)
-spec(purge_rules() -> ok). -spec(purge_rules() -> ok).
purge_rules() -> purge_rules() ->
ok = lists:foreach( ok = lists:foreach(
@ -137,6 +140,7 @@ purge_rules() ->
end, end,
mnesia:dirty_all_keys(?ACL_TABLE)). mnesia:dirty_all_keys(?ACL_TABLE)).
%% @doc Get one record
-spec(get_rules(who()) -> {ok, rules()} | not_found). -spec(get_rules(who()) -> {ok, rules()} | not_found).
get_rules({username, Username}) -> get_rules({username, Username}) ->
do_get_rules({?ACL_TABLE_USERNAME, Username}); do_get_rules({?ACL_TABLE_USERNAME, Username});
@ -145,6 +149,7 @@ get_rules({clientid, Clientid}) ->
get_rules(all) -> get_rules(all) ->
do_get_rules(?ACL_TABLE_ALL). do_get_rules(?ACL_TABLE_ALL).
%% @doc Delete one record
-spec(delete_rules(who()) -> ok). -spec(delete_rules(who()) -> ok).
delete_rules({username, Username}) -> delete_rules({username, Username}) ->
mria:dirty_delete(?ACL_TABLE, {?ACL_TABLE_USERNAME, Username}); mria:dirty_delete(?ACL_TABLE, {?ACL_TABLE_USERNAME, Username});