yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(authz): update emqx_authz for new config

This commit is contained in:
Shawn 2021-07-16 14:07:27 +08:00
parent c834494113
commit c3d24db642
7 changed files with 114 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
apps/emqx_authz/src/emqx_authz.erl
View File

@ -26,7 +26,7 @@
, compile/1
, lookup/0
, update/1
, authorize/5
, authorize/4
, match/4
]).
@ -36,19 +36,16 @@ register_metrics() ->
init() ->
ok = register_metrics(),
Rules = emqx_config:get([emqx_authz, rules], []),
NRules = [compile(Rule) || Rule <- Rules],
ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]}, -1).
ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, []}, -1).
lookup() ->
emqx_config:get([emqx_authz, rules], []).
update(Rules) ->
emqx_config:put([emqx_authz], #{rules => Rules}),
NRules = [compile(Rule) || Rule <- Rules],
Action = find_action_in_hooks(),
ok = emqx_hooks:del('client.authorize', Action),
ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]}, -1),
ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, []}, -1),
ok = emqx_acl_cache:empty_acl_cache().
%%--------------------------------------------------------------------
@ -147,12 +144,11 @@ b2l(B) when is_binary(B) -> binary_to_list(B).
%%--------------------------------------------------------------------
%% @doc Check AuthZ
-spec(authorize(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules())
-> {stop, allow} | {ok, deny}).
authorize(#{username := Username,
peerhost := IpAddress
} = Client, PubSub, Topic, _DefaultResult, Rules) ->
case do_authorize(Client, PubSub, Topic, Rules) of
-spec(authorize(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(),
emqx_permission_rule:acl_result()) -> {stop, allow} | {ok, deny}).
authorize(#{username := Username, peerhost := IpAddress} = Client,
PubSub, Topic, _DefaultResult) ->
case do_authorize(Client, PubSub, Topic, [compile(Rule) || Rule <- lookup()]) of
{matched, allow} ->
?LOG(info, "Client succeeded authorization: Username: ~p, IP: ~p, Topic: ~p, Permission: allow", [Username, IpAddress, Topic]),
emqx_metrics:inc(?AUTHZ_METRICS(allow)),

2
apps/emqx_authz/src/emqx_authz_app.erl
View File

@ -11,7 +11,7 @@
start(_StartType, _StartArgs) ->
{ok, Sup} = emqx_authz_sup:start_link(),
%ok = emqx_authz:init(),
ok = emqx_authz:init(),
{ok, Sup}.
stop(_State) ->

69
apps/emqx_authz/test/emqx_authz_SUITE.erl
View File

@ -29,23 +29,16 @@ groups() ->
[].
init_per_suite(Config) ->
ok = emqx_ct_helpers:start_apps([emqx_authz], fun set_special_configs/1),
ok = emqx_ct_helpers:start_apps([emqx_authz]),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, cache, enable], false),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, enable], true),
emqx_config:put([emqx_authz], #{rules => []}),
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz]).
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, true),
application:set_env(emqx, enable_acl_cache, false),
ok;
set_special_configs(emqx_authz) ->
emqx_config:put([emqx_authz], #{rules => []}),
ok;
set_special_configs(_App) ->
ok.
-define(RULE1, #{principal => all,
topics => [<<"#">>],
action => all,
@ -121,44 +114,62 @@ t_compile(_) ->
t_authz(_) ->
ClientInfo1 = #{clientid => <<"test">>,
username => <<"test">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
ClientInfo2 = #{clientid => <<"test">>,
username => <<"test">>,
peerhost => {192,168,0,10}
peerhost => {192,168,0,10},
zone => default,
listener => mqtt_tcp
},
ClientInfo3 = #{clientid => <<"test">>,
username => <<"fake">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
ClientInfo4 = #{clientid => <<"fake">>,
username => <<"test">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
Rules1 = [emqx_authz:compile(Rule) || Rule <- [?RULE1, ?RULE2]],
Rules2 = [emqx_authz:compile(Rule) || Rule <- [?RULE2, ?RULE1]],
Rules3 = [emqx_authz:compile(Rule) || Rule <- [?RULE3, ?RULE4]],
Rules4 = [emqx_authz:compile(Rule) || Rule <- [?RULE4, ?RULE1]],
Rules1 = [?RULE1, ?RULE2],
Rules2 = [?RULE2, ?RULE1],
Rules3 = [?RULE3, ?RULE4],
Rules4 = [?RULE4, ?RULE1],
emqx_config:put([emqx_authz], #{rules => []}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo1, subscribe, <<"#">>, deny, [])),
emqx_authz:authorize(ClientInfo1, subscribe, <<"#">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules1}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules1)),
emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules2}),
?assertEqual({stop, allow},
emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules2)),
emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules3}),
?assertEqual({stop, allow},
emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules3)),
emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules4}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules4)),
emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules2}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo2, subscribe, <<"#">>, deny, Rules2)),
emqx_authz:authorize(ClientInfo2, subscribe, <<"#">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules3}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo3, publish, <<"test">>, deny, Rules3)),
emqx_authz:authorize(ClientInfo3, publish, <<"test">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules4}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo3, publish, <<"fake">>, deny, Rules4)),
emqx_authz:authorize(ClientInfo3, publish, <<"fake">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules3}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo4, publish, <<"test">>, deny, Rules3)),
emqx_authz:authorize(ClientInfo4, publish, <<"test">>, deny)),
emqx_config:put([emqx_authz], #{rules => Rules4}),
?assertEqual({stop, deny},
emqx_authz:authorize(ClientInfo4, publish, <<"fake">>, deny, Rules4)),
emqx_authz:authorize(ClientInfo4, publish, <<"fake">>, deny)),
ok.

41
apps/emqx_authz/test/emqx_authz_mongo_SUITE.erl
View File

@ -31,22 +31,10 @@ groups() ->
init_per_suite(Config) ->
meck:new(emqx_resource, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_resource, create, fun(_, _, _) -> {ok, meck_data} end ),
ok = emqx_ct_helpers:start_apps([emqx_authz], fun set_special_configs/1),
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, true),
application:set_env(emqx, enable_acl_cache, false),
application:set_env(emqx, acl_nomatch, deny),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, "test/loaded_plguins")),
ok;
set_special_configs(emqx_authz) ->
ok = emqx_ct_helpers:start_apps([emqx_authz]),
ct:pal("---- emqx_hooks: ~p", [ets:tab2list(emqx_hooks)]),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, cache, enable], false),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, enable], true),
Rules = [#{config =>#{},
principal => all,
collection => <<"fake">>,
@ -54,9 +42,12 @@ set_special_configs(emqx_authz) ->
type => mongo}
],
emqx_config:put([emqx_authz], #{rules => Rules}),
ok;
set_special_configs(_App) ->
ok.
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
-define(RULE1,[#{<<"topics">> => [<<"#">>],
<<"permission">> => <<"deny">>,
@ -78,15 +69,21 @@ set_special_configs(_App) ->
t_authz(_) ->
ClientInfo1 = #{clientid => <<"test">>,
username => <<"test">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
ClientInfo2 = #{clientid => <<"test_clientid">>,
username => <<"test_username">>,
peerhost => {192,168,0,10}
peerhost => {192,168,0,10},
zone => default,
listener => mqtt_tcp
},
ClientInfo3 = #{clientid => <<"test_clientid">>,
username => <<"fake_username">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
meck:expect(emqx_resource, query, fun(_, _) -> [] end),

40
apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl
View File

@ -31,31 +31,21 @@ groups() ->
init_per_suite(Config) ->
meck:new(emqx_resource, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_resource, create, fun(_, _, _) -> {ok, meck_data} end ),
ok = emqx_ct_helpers:start_apps([emqx_authz], fun set_special_configs/1),
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, false),
application:set_env(emqx, enable_acl_cache, false),
application:set_env(emqx, acl_nomatch, deny),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, "test/loaded_plguins")),
ok;
set_special_configs(emqx_authz) ->
ok = emqx_ct_helpers:start_apps([emqx_authz]),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, cache, enable], false),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, enable], true),
Rules = [#{config =>#{},
principal => all,
sql => <<"fake">>,
type => mysql}
],
emqx_config:put([emqx_authz], #{rules => Rules}),
ok;
set_special_configs(_App) ->
ok.
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
-define(COLUMNS, [ <<"ipaddress">>
, <<"username">>
@ -76,15 +66,21 @@ set_special_configs(_App) ->
t_authz(_) ->
ClientInfo1 = #{clientid => <<"test">>,
username => <<"test">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
ClientInfo2 = #{clientid => <<"test_clientid">>,
username => <<"test_username">>,
peerhost => {192,168,0,10}
peerhost => {192,168,0,10},
zone => default,
listener => mqtt_tcp
},
ClientInfo3 = #{clientid => <<"test_clientid">>,
username => <<"fake_username">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),

40
apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl
View File

@ -31,31 +31,21 @@ groups() ->
init_per_suite(Config) ->
meck:new(emqx_resource, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_resource, create, fun(_, _, _) -> {ok, meck_data} end ),
ok = emqx_ct_helpers:start_apps([emqx_authz], fun set_special_configs/1),
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, false),
application:set_env(emqx, enable_acl_cache, false),
application:set_env(emqx, acl_nomatch, deny),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, "test/loaded_plguins")),
ok;
set_special_configs(emqx_authz) ->
ok = emqx_ct_helpers:start_apps([emqx_authz]),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, cache, enable], false),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, enable], true),
Rules = [#{config =>#{},
principal => all,
sql => <<"fake">>,
type => pgsql}
],
emqx_config:put([emqx_authz], #{rules => Rules}),
ok;
set_special_configs(_App) ->
ok.
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
-define(COLUMNS, [ {column, <<"ipaddress">>, meck, meck, meck, meck, meck, meck, meck}
, {column, <<"username">>, meck, meck, meck, meck, meck, meck, meck}
@ -76,15 +66,21 @@ set_special_configs(_App) ->
t_authz(_) ->
ClientInfo1 = #{clientid => <<"test">>,
username => <<"test">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
ClientInfo2 = #{clientid => <<"test_clientid">>,
username => <<"test_username">>,
peerhost => {192,168,0,10}
peerhost => {192,168,0,10},
zone => default,
listener => mqtt_tcp
},
ClientInfo3 = #{clientid => <<"test_clientid">>,
username => <<"fake_username">>,
peerhost => {127,0,0,1}
peerhost => {127,0,0,1},
zone => default,
listener => mqtt_tcp
},
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),

28
apps/emqx_authz/test/emqx_authz_redis_SUITE.erl
View File

@ -31,31 +31,21 @@ groups() ->
init_per_suite(Config) ->
meck:new(emqx_resource, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_resource, create, fun(_, _, _) -> {ok, meck_data} end ),
ok = emqx_ct_helpers:start_apps([emqx_authz], fun set_special_configs/1),
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, true),
application:set_env(emqx, enable_acl_cache, false),
application:set_env(emqx, acl_nomatch, deny),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, "test/loaded_plguins")),
ok;
set_special_configs(emqx_authz) ->
ok = emqx_ct_helpers:start_apps([emqx_authz]),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, cache, enable], false),
emqx_config:put_listener_conf(default, mqtt_tcp, [acl, enable], true),
Rules = [#{config =>#{},
principal => all,
cmd => <<"fake">>,
type => redis}
],
emqx_config:put([emqx_authz], #{rules => Rules}),
ok;
set_special_configs(_App) ->
ok.
Config.
end_per_suite(_Config) ->
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
emqx_ct_helpers:stop_apps([emqx_authz, emqx_resource]),
meck:unload(emqx_resource).
-define(RULE1, [<<"test/%u">>, <<"publish">>]).
-define(RULE2, [<<"test/%c">>, <<"publish">>]).