yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: rename check_acl to check_authz 

update emqx_coap vsn

rename OnClientCheckAcl to OnClientCheckAuthz in exhook
This commit is contained in:
zhanghongtong 2021-06-28 15:17:21 +08:00 committed by Rory Z
parent 2bea95ff6e
commit c63bdc355a
24 changed files with 88 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
apps/emqx/src/emqx_access_control.erl
View File

@ -20,7 +20,7 @@
-export([authenticate/1]).
-export([ check_acl/3
-export([ check_authz/3
]).
-type(result() :: #{auth_result := emqx_types:auth_result(),
@ -42,25 +42,25 @@ authenticate(ClientInfo = #{zone := Zone}) ->
end.
%% @doc Check ACL
-spec(check_acl(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
-spec(check_authz(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
-> allow | deny).
check_acl(ClientInfo, PubSub, Topic) ->
check_authz(ClientInfo, PubSub, Topic) ->
case emqx_acl_cache:is_enabled() of
true -> check_acl_cache(ClientInfo, PubSub, Topic);
false -> do_check_acl(ClientInfo, PubSub, Topic)
true -> check_authz_cache(ClientInfo, PubSub, Topic);
false -> do_check_authz(ClientInfo, PubSub, Topic)
end.
check_acl_cache(ClientInfo, PubSub, Topic) ->
check_authz_cache(ClientInfo, PubSub, Topic) ->
case emqx_acl_cache:get_acl_cache(PubSub, Topic) of
not_found ->
AclResult = do_check_acl(ClientInfo, PubSub, Topic),
AclResult = do_check_authz(ClientInfo, PubSub, Topic),
emqx_acl_cache:put_acl_cache(PubSub, Topic, AclResult),
AclResult;
AclResult -> AclResult
end.
do_check_acl(ClientInfo, PubSub, Topic) ->
case run_hooks('client.check_acl', [ClientInfo, PubSub, Topic], allow) of
do_check_authz(ClientInfo, PubSub, Topic) ->
case run_hooks('client.check_authz', [ClientInfo, PubSub, Topic], allow) of
allow -> allow;
_Other -> deny
end.

4
apps/emqx/src/emqx_channel.erl
View File

@ -1406,7 +1406,7 @@ check_pub_alias(_Packet, _Channel) -> ok.
check_pub_acl(#mqtt_packet{variable = #mqtt_packet_publish{topic_name = Topic}},
#channel{clientinfo = ClientInfo}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_acl(ClientInfo, publish, Topic) of
emqx_access_control:check_authz(ClientInfo, publish, Topic) of
false -> ok;
allow -> ok;
deny -> {error, ?RC_NOT_AUTHORIZED}
@ -1440,7 +1440,7 @@ check_sub_acls([], _Channel, Acc) ->
check_sub_acl(TopicFilter, #channel{clientinfo = ClientInfo}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_acl(ClientInfo, subscribe, TopicFilter) of
emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of
false -> allow;
Result -> Result
end.

4
apps/emqx/src/emqx_metrics.erl
View File

@ -172,7 +172,7 @@
{counter, 'client.connected'},
{counter, 'client.authenticate'},
{counter, 'client.auth.anonymous'},
{counter, 'client.check_acl'},
{counter, 'client.check_authz'},
{counter, 'client.subscribe'},
{counter, 'client.unsubscribe'},
{counter, 'client.disconnected'}
@ -563,7 +563,7 @@ reserved_idx('client.connected') -> 202;
reserved_idx('client.authenticate') -> 203;
reserved_idx('client.enhanced_authenticate') -> 204;
reserved_idx('client.auth.anonymous') -> 205;
reserved_idx('client.check_acl') -> 206;
reserved_idx('client.check_authz') -> 206;
reserved_idx('client.subscribe') -> 207;
reserved_idx('client.unsubscribe') -> 208;
reserved_idx('client.disconnected') -> 209;

4
apps/emqx/test/emqx_access_control_SUITE.erl
View File

@ -38,9 +38,9 @@ t_authenticate(_) ->
emqx_zone:set_env(zone, allow_anonymous, true),
?assertMatch({ok, _}, emqx_access_control:authenticate(clientinfo())).
t_check_acl(_) ->
t_check_authz(_) ->
Publish = ?PUBLISH_PACKET(?QOS_0, <<"t">>, 1, <<"payload">>),
?assertEqual(allow, emqx_access_control:check_acl(clientinfo(), Publish, <<"t">>)).
?assertEqual(allow, emqx_access_control:check_authz(clientinfo(), Publish, <<"t">>)).
t_bypass_auth_plugins(_) ->
ClientInfo = clientinfo(),

4
apps/emqx/test/emqx_acl_test_mod.erl
View File

@ -18,14 +18,14 @@
%% ACL callbacks
-export([ init/1
, check_acl/2
, check_authz/2
, description/0
]).
init(AclOpts) ->
{ok, AclOpts}.
check_acl({_User, _PubSub, _Topic}, _State) ->
check_authz({_User, _PubSub, _Topic}, _State) ->
allow.
description() ->

2
apps/emqx/test/emqx_channel_SUITE.erl
View File

@ -37,7 +37,7 @@ init_per_suite(Config) ->
ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_access_control, authenticate,
fun(_) -> {ok, #{auth_result => success}} end),
ok = meck:expect(emqx_access_control, check_acl, fun(_, _, _) -> allow end),
ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end),
%% Broker Meck
ok = meck:new(emqx_broker, [passthrough, no_history, no_link]),
%% Hooks Meck

2
apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl
View File

@ -198,7 +198,7 @@ t_batch_subscribe(_) ->
{ok, Client} = emqtt:start_link([{proto_ver, v5}, {clientid, <<"batch_test">>}]),
{ok, _} = emqtt:connect(Client),
ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_access_control, check_acl, fun(_, _, _) -> deny end),
meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end),
{ok, _, [?RC_NOT_AUTHORIZED,
?RC_NOT_AUTHORIZED,
?RC_NOT_AUTHORIZED]} = emqtt:subscribe(Client, [{<<"t1">>, qos1},

2
apps/emqx/test/emqx_ws_connection_SUITE.erl
View File

@ -64,7 +64,7 @@ init_per_testcase(TestCase, Config) when
end),
%% Mock emqx_access_control
ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_access_control, check_acl, fun(_, _, _) -> allow end),
ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end),
%% Mock emqx_hooks
ok = meck:new(emqx_hooks, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_hooks, run, fun(_Hook, _Args) -> ok end),

8
apps/emqx_authz/src/emqx_authz.erl
View File

@ -41,7 +41,7 @@ init() ->
#{<<"authz">> := #{<<"rules">> := Rules}} = hocon_schema:check_plain(emqx_authz_schema, RawConf),
ok = application:set_env(?APP, rules, Rules),
NRules = [compile(Rule) || Rule <- Rules],
ok = emqx_hooks:add('client.check_acl', {?MODULE, check_authz, [NRules]}, -1).
ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]}, -1).
lookup() ->
application:get_env(?APP, rules, []).
@ -50,8 +50,8 @@ update(Rules) ->
ok = application:set_env(?APP, rules, Rules),
NRules = [compile(Rule) || Rule <- Rules],
Action = find_action_in_hooks(),
ok = emqx_hooks:del('client.check_acl', Action),
ok = emqx_hooks:add('client.check_acl', {?MODULE, check_authz, [NRules]}, -1),
ok = emqx_hooks:del('client.check_authz', Action),
ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]}, -1),
ok = emqx_acl_cache:empty_acl_cache().
%%--------------------------------------------------------------------
@ -59,7 +59,7 @@ update(Rules) ->
%%--------------------------------------------------------------------
find_action_in_hooks() ->
Callbacks = emqx_hooks:lookup('client.check_acl'),
Callbacks = emqx_hooks:lookup('client.check_authz'),
[Action] = [Action || {callback,{?MODULE, check_authz, _} = Action, _, _} <- Callbacks ],
Action.

24
apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl
View File

@ -95,23 +95,23 @@ t_authz(_) ->
},
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, publish, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, publish, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end),
?assertEqual(allow, emqx_access_control:check_acl(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end),
?assertEqual(allow, emqx_access_control:check_acl(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:check_acl(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo3, publish, <<"test">>)), % nomatch
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, publish, <<"test">>)), % nomatch
ok.

24
apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl
View File

@ -95,23 +95,23 @@ t_authz(_) ->
},
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, publish, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo1, publish, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end),
?assertEqual(allow, emqx_access_control:check_acl(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo2, subscribe, <<"+">>)),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end),
?assertEqual(allow, emqx_access_control:check_acl(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:check_acl(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_acl(ClientInfo3, publish, <<"test">>)), % nomatch
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, publish, <<"test">>)), % nomatch
ok.

16
apps/emqx_authz/test/emqx_authz_redis_SUITE.erl
View File

@ -84,30 +84,30 @@ t_authz(_) ->
meck:expect(emqx_resource, query, fun(_, _) -> {ok, []} end),
% nomatch
?assertEqual(deny,
emqx_access_control:check_acl(ClientInfo, subscribe, <<"#">>)),
emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)),
?assertEqual(deny,
emqx_access_control:check_acl(ClientInfo, publish, <<"#">>)),
emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE1 ++ ?RULE2} end),
% nomatch
?assertEqual(deny,
emqx_access_control:check_acl(ClientInfo, subscribe, <<"+">>)),
emqx_access_control:check_authz(ClientInfo, subscribe, <<"+">>)),
% nomatch
?assertEqual(deny,
emqx_access_control:check_acl(ClientInfo, subscribe, <<"test/username">>)),
emqx_access_control:check_authz(ClientInfo, subscribe, <<"test/username">>)),
?assertEqual(allow,
emqx_access_control:check_acl(ClientInfo, publish, <<"test/clientid">>)),
emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)),
?assertEqual(allow,
emqx_access_control:check_acl(ClientInfo, publish, <<"test/clientid">>)),
emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE3} end),
?assertEqual(allow,
emqx_access_control:check_acl(ClientInfo, subscribe, <<"#">>)),
emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)),
% nomatch
?assertEqual(deny,
emqx_access_control:check_acl(ClientInfo, publish, <<"#">>)),
emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)),
ok.

2
apps/emqx_coap/src/emqx_coap.app.src
View File

@ -1,6 +1,6 @@
{application, emqx_coap,
[{description, "EMQ X CoAP Gateway"},
{vsn, "4.3.0"}, % strict semver, bump manually!
{vsn, "5.0.0"}, % strict semver, bump manually!
{modules, []},
{registered, []},
{applications, [kernel,stdlib,gen_coap]},

4
apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl
View File

@ -222,7 +222,7 @@ code_change(_OldVsn, State, _Extra) ->
chann_subscribe(Topic, State = #state{clientid = ClientId}) ->
?LOG(debug, "subscribe Topic=~p", [Topic]),
case emqx_access_control:check_acl(clientinfo(State), subscribe, Topic) of
case emqx_access_control:check_authz(clientinfo(State), subscribe, Topic) of
allow ->
emqx_broker:subscribe(Topic, ClientId, ?SUBOPTS),
emqx_hooks:run('session.subscribed', [clientinfo(State), Topic, ?SUBOPTS]),
@ -241,7 +241,7 @@ chann_unsubscribe(Topic, State) ->
chann_publish(Topic, Payload, State = #state{clientid = ClientId}) ->
?LOG(debug, "publish Topic=~p, Payload=~p", [Topic, Payload]),
case emqx_access_control:check_acl(clientinfo(State), publish, Topic) of
case emqx_access_control:check_authz(clientinfo(State), publish, Topic) of
allow ->
_ = emqx_broker:publish(
emqx_message:set_flag(retain, false,

6
apps/emqx_coap/test/emqx_coap_SUITE.erl
View File

@ -77,7 +77,7 @@ t_publish_acl_deny(_Config) ->
emqx:subscribe(Topic),
ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]),
ok = meck:expect(emqx_access_control, check_acl, 3, deny),
ok = meck:expect(emqx_access_control, check_authz, 3, deny),
Reply = er_coap_client:request(put, URI, #coap_content{format = <<"application/octet-stream">>, payload = Payload}),
?assertEqual({error,forbidden}, Reply),
ok = meck:unload(emqx_access_control),
@ -114,7 +114,7 @@ t_observe_acl_deny(_Config) ->
Topic = <<"abc">>, TopicStr = binary_to_list(Topic),
Uri = "coap://127.0.0.1/mqtt/"++TopicStr++"?c=client1&u=tom&p=secret",
ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]),
ok = meck:expect(emqx_access_control, check_acl, 3, deny),
ok = meck:expect(emqx_access_control, check_authz, 3, deny),
?assertEqual({error,forbidden}, er_coap_observer:observe(Uri)),
[] = emqx:subscribers(Topic),
ok = meck:unload(emqx_access_control).
@ -289,7 +289,7 @@ t_acl(Config) ->
ok
end,
ok = emqx_hooks:del('client.check_acl', {emqx_authz, check_authz}),
ok = emqx_hooks:del('client.check_authz', {emqx_authz, check_authz}),
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
application:set_env(emqx, plugins_etc_dir, OldPath),
application:stop(emqx_authz).

2
apps/emqx_exhook/include/emqx_exhook.hrl
View File

@ -25,7 +25,7 @@
, {'client.connected', {emqx_exhook_handler, on_client_connected, []}}
, {'client.disconnected', {emqx_exhook_handler, on_client_disconnected, []}}
, {'client.authenticate', {emqx_exhook_handler, on_client_authenticate, []}}
, {'client.check_acl', {emqx_exhook_handler, on_client_check_acl, []}}
, {'client.check_authz', {emqx_exhook_handler, on_client_check_authz, []}}
, {'client.subscribe', {emqx_exhook_handler, on_client_subscribe, []}}
, {'client.unsubscribe', {emqx_exhook_handler, on_client_unsubscribe, []}}
, {'session.created', {emqx_exhook_handler, on_session_created, []}}

12
apps/emqx_exhook/priv/protos/exhook.proto
View File

@ -40,7 +40,7 @@ service HookProvider {
rpc OnClientAuthenticate(ClientAuthenticateRequest) returns (ValuedResponse) {};
rpc OnClientCheckAcl(ClientCheckAclRequest) returns (ValuedResponse) {};
rpc OnClientCheckAuthz(ClientCheckAuthzRequest) returns (ValuedResponse) {};
rpc OnClientSubscribe(ClientSubscribeRequest) returns (EmptySuccess) {};
@ -123,18 +123,18 @@ message ClientAuthenticateRequest {
bool result = 2;
}
message ClientCheckAclRequest {
message ClientCheckAuthzRequest {
ClientInfo clientinfo = 1;
enum AclReqType {
enum AuthzReqType {
PUBLISH = 0;
SUBSCRIBE = 1;
}
AclReqType type = 2;
AuthzReqType type = 2;
string topic = 3;
@ -253,7 +253,7 @@ message ValuedResponse {
oneof value {
// Boolean result, used on the 'client.authenticate', 'client.check_acl' hooks
// Boolean result, used on the 'client.authenticate', 'client.check_authz' hooks
bool bool_result = 3;
// Message result, used on the 'message.*' hooks
@ -279,7 +279,7 @@ message HookSpec {
// Available value:
// "client.connect", "client.connack"
// "client.connected", "client.disconnected"
// "client.authenticate", "client.check_acl"
// "client.authenticate", "client.check_authz"
// "client.subscribe", "client.unsubscribe"
//
// "session.created", "session.subscribed"

6
apps/emqx_exhook/src/emqx_exhook_handler.erl
View File

@ -27,7 +27,7 @@
, on_client_connected/2
, on_client_disconnected/3
, on_client_authenticate/2
, on_client_check_acl/4
, on_client_check_authz/4
, on_client_subscribe/3
, on_client_unsubscribe/3
]).
@ -109,7 +109,7 @@ on_client_authenticate(ClientInfo, AuthResult) ->
{ok, AuthResult}
end.
on_client_check_acl(ClientInfo, PubSub, Topic, Result) ->
on_client_check_authz(ClientInfo, PubSub, Topic, Result) ->
Bool = Result == allow,
Type = case PubSub of
publish -> 'PUBLISH';
@ -120,7 +120,7 @@ on_client_check_acl(ClientInfo, PubSub, Topic, Result) ->
topic => Topic,
result => Bool
},
case call_fold('client.check_acl', Req,
case call_fold('client.check_authz', Req,
fun merge_responsed_bool/2) of
{StopOrOk, #{result := Result0}} when is_boolean(Result0) ->
NResult = case Result0 of true -> allow; _ -> deny end,

6
apps/emqx_exhook/src/emqx_exhook_server.erl
View File

@ -58,7 +58,7 @@
| 'client.connected'
| 'client.disconnected'
| 'client.authenticate'
| 'client.check_acl'
| 'client.check_authz'
| 'client.subscribe'
| 'client.unsubscribe'
| 'session.created'
@ -297,7 +297,7 @@ hk2func('client.connack') -> 'on_client_connack';
hk2func('client.connected') -> 'on_client_connected';
hk2func('client.disconnected') -> 'on_client_disconnected';
hk2func('client.authenticate') -> 'on_client_authenticate';
hk2func('client.check_acl') -> 'on_client_check_acl';
hk2func('client.check_authz') -> 'on_client_check_authz';
hk2func('client.subscribe') -> 'on_client_subscribe';
hk2func('client.unsubscribe') -> 'on_client_unsubscribe';
hk2func('session.created') -> 'on_session_created';
@ -320,7 +320,7 @@ message_hooks() ->
-compile({inline, [available_hooks/0]}).
available_hooks() ->
['client.connect', 'client.connack', 'client.connected',
'client.disconnected', 'client.authenticate', 'client.check_acl',
'client.disconnected', 'client.authenticate', 'client.check_authz',
'client.subscribe', 'client.unsubscribe',
'session.created', 'session.subscribed', 'session.unsubscribed',
'session.resumed', 'session.discarded', 'session.takeovered',

8
apps/emqx_exhook/test/emqx_exhook_demo_svr.erl
View File

@ -33,7 +33,7 @@
, on_client_connected/2
, on_client_disconnected/2
, on_client_authenticate/2
, on_client_check_acl/2
, on_client_check_authz/2
, on_client_subscribe/2
, on_client_unsubscribe/2
, on_session_created/2
@ -122,7 +122,7 @@ on_provider_loaded(Req, Md) ->
#{name => <<"client.connected">>},
#{name => <<"client.disconnected">>},
#{name => <<"client.authenticate">>},
#{name => <<"client.check_acl">>},
#{name => <<"client.check_authz">>},
#{name => <<"client.subscribe">>},
#{name => <<"client.unsubscribe">>},
#{name => <<"session.created">>},
@ -197,10 +197,10 @@ on_client_authenticate(#{clientinfo := #{username := Username}} = Req, Md) ->
{ok, #{type => 'IGNORE'}, Md}
end.
-spec on_client_check_acl(emqx_exhook_pb:client_check_acl_request(), grpc:metadata())
-spec on_client_check_authz(emqx_exhook_pb:client_check_authz_request(), grpc:metadata())
-> {ok, emqx_exhook_pb:valued_response(), grpc:metadata()}
| {error, grpc_cowboy_h:error_response()}.
on_client_check_acl(#{clientinfo := #{username := Username}} = Req, Md) ->
on_client_check_authz(#{clientinfo := #{username := Username}} = Req, Md) ->
?MODULE:in({?FUNCTION_NAME, Req}),
%io:format("fun: ~p, req: ~0p~n", [?FUNCTION_NAME, Req]),
%% some cases for testing

6
apps/emqx_exhook/test/props/prop_exhook_hooks.erl
View File

@ -109,14 +109,14 @@ prop_client_authenticate() ->
true
end).
prop_client_check_acl() ->
prop_client_check_authz() ->
?ALL({ClientInfo0, PubSub, Topic, Result},
{clientinfo(), oneof([publish, subscribe]),
topic(), oneof([allow, deny])},
begin
ClientInfo = inject_magic_into(username, ClientInfo0),
OutResult = emqx_hooks:run_fold(
'client.check_acl',
'client.check_authz',
[ClientInfo, PubSub, Topic],
Result),
ExpectedOutResult = case maps:get(username, ClientInfo) of
@ -127,7 +127,7 @@ prop_client_check_acl() ->
end,
?assertEqual(ExpectedOutResult, OutResult),
{'on_client_check_acl', Resp} = emqx_exhook_demo_svr:take(),
{'on_client_check_authz', Resp} = emqx_exhook_demo_svr:take(),
Expected =
#{result => aclresult_to_bool(Result),
type => pubsub_to_enum(PubSub),

4
apps/emqx_exproto/src/emqx_exproto_channel.erl
View File

@ -305,7 +305,7 @@ handle_call({subscribe, TopicFilter, Qos},
conn_state = connected,
clientinfo = ClientInfo}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_acl(ClientInfo, subscribe, TopicFilter) of
emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of
deny ->
{reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel};
_ ->
@ -325,7 +325,7 @@ handle_call({publish, Topic, Qos, Payload},
= #{clientid := From,
mountpoint := Mountpoint}}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_acl(ClientInfo, publish, Topic) of
emqx_access_control:check_authz(ClientInfo, publish, Topic) of
deny ->
{reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel};
_ ->

2
apps/emqx_exproto/test/emqx_exproto_SUITE.erl
View File

@ -167,7 +167,7 @@ t_acl_deny(Cfg) ->
Password = <<"123456">>,
ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_access_control, check_acl, fun(_, _, _) -> deny end),
ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end),
ConnBin = frame_connect(Client, Password),
ConnAckBin = frame_connack(0),

6
apps/emqx_prometheus/src/emqx_prometheus.erl
View File

@ -414,8 +414,8 @@ emqx_collect(emqx_client_authenticate, Stats) ->
counter_metric(?C('client.authenticate', Stats));
emqx_collect(emqx_client_auth_anonymous, Stats) ->
counter_metric(?C('client.auth.anonymous', Stats));
emqx_collect(emqx_client_check_acl, Stats) ->
counter_metric(?C('client.check_acl', Stats));
emqx_collect(emqx_client_check_authz, Stats) ->
counter_metric(?C('client.check_authz', Stats));
emqx_collect(emqx_client_subscribe, Stats) ->
counter_metric(?C('client.subscribe', Stats));
emqx_collect(emqx_client_unsubscribe, Stats) ->
@ -567,7 +567,7 @@ emqx_metrics_client() ->
[ emqx_client_connected
, emqx_client_authenticate
, emqx_client_auth_anonymous
, emqx_client_check_acl
, emqx_client_check_authz
, emqx_client_subscribe
, emqx_client_unsubscribe
, emqx_client_disconnected