From 1129c183305544077bd8562304078ad099451391 Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov <dev@dyachkov.org>
Date: Thu, 30 May 2024 11:36:13 +0200
Subject: [PATCH 1/3] fix(authz_http): fix content-type header in http request

---
 apps/emqx_authz/src/emqx_authz.app.src  | 2 +-
 apps/emqx_authz/src/emqx_authz_http.erl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/emqx_authz/src/emqx_authz.app.src b/apps/emqx_authz/src/emqx_authz.app.src
index 9de573795..5c3a26eb9 100644
--- a/apps/emqx_authz/src/emqx_authz.app.src
+++ b/apps/emqx_authz/src/emqx_authz.app.src
@@ -1,7 +1,7 @@
 %% -*- mode: erlang -*-
 {application, emqx_authz, [
     {description, "An OTP application"},
-    {vsn, "0.1.25"},
+    {vsn, "0.1.26"},
     {registered, []},
     {mod, {emqx_authz_app, []}},
     {applications, [
diff --git a/apps/emqx_authz/src/emqx_authz_http.erl b/apps/emqx_authz/src/emqx_authz_http.erl
index a5dff322d..ffc4045c5 100644
--- a/apps/emqx_authz/src/emqx_authz_http.erl
+++ b/apps/emqx_authz/src/emqx_authz_http.erl
@@ -200,7 +200,7 @@ generate_request(
         _ ->
             NPath = append_query(Path, Query),
             NBody = serialize_body(
-                proplists:get_value(<<"accept">>, Headers, <<"application/json">>),
+                proplists:get_value(<<"Content-Type">>, Headers, <<"application/json">>),
                 Body
             ),
             {NPath, Headers, NBody}

From 0c4da98b5209d72405468adee97a29b478783bd7 Mon Sep 17 00:00:00 2001
From: Ivan Dyachkov <dev@dyachkov.org>
Date: Thu, 30 May 2024 11:53:00 +0200
Subject: [PATCH 2/3] chore: update deps

---
 apps/emqx_authz/src/emqx_authz_http.erl | 2 +-
 apps/emqx_bridge_dynamo/rebar.config    | 2 +-
 apps/emqx_bridge_hstreamdb/rebar.config | 2 +-
 apps/emqx_bridge_kinesis/rebar.config   | 2 +-
 apps/emqx_s3/rebar.config               | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/emqx_authz/src/emqx_authz_http.erl b/apps/emqx_authz/src/emqx_authz_http.erl
index ffc4045c5..a34a7514a 100644
--- a/apps/emqx_authz/src/emqx_authz_http.erl
+++ b/apps/emqx_authz/src/emqx_authz_http.erl
@@ -200,7 +200,7 @@ generate_request(
         _ ->
             NPath = append_query(Path, Query),
             NBody = serialize_body(
-                proplists:get_value(<<"Content-Type">>, Headers, <<"application/json">>),
+                proplists:get_value(<<"content-type">>, Headers, <<"application/json">>),
                 Body
             ),
             {NPath, Headers, NBody}
diff --git a/apps/emqx_bridge_dynamo/rebar.config b/apps/emqx_bridge_dynamo/rebar.config
index e80fb0f80..38598d313 100644
--- a/apps/emqx_bridge_dynamo/rebar.config
+++ b/apps/emqx_bridge_dynamo/rebar.config
@@ -1,6 +1,6 @@
 %% -*- mode: erlang; -*-
 {erl_opts, [debug_info]}.
-{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0-emqx-2"}}}
+{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0.3"}}}
        , {emqx_connector, {path, "../../apps/emqx_connector"}}
        , {emqx_resource, {path, "../../apps/emqx_resource"}}
        , {emqx_bridge, {path, "../../apps/emqx_bridge"}}
diff --git a/apps/emqx_bridge_hstreamdb/rebar.config b/apps/emqx_bridge_hstreamdb/rebar.config
index fb99cd627..92b9c46cd 100644
--- a/apps/emqx_bridge_hstreamdb/rebar.config
+++ b/apps/emqx_bridge_hstreamdb/rebar.config
@@ -1,7 +1,7 @@
 %% -*- mode: erlang -*-
 {erl_opts, [debug_info]}.
 {deps, [
-  {hstreamdb_erl, {git, "https://github.com/hstreamdb/hstreamdb_erl.git", {tag, "0.4.5+v0.16.1"}}},
+  {hstreamdb_erl, {git, "https://github.com/hstreamdb/hstreamdb_erl.git", {tag, "0.4.5+v0.16.1+ezstd-v1.0.5-emqx1"}}},
   {emqx, {path, "../../apps/emqx"}},
   {emqx_utils, {path, "../../apps/emqx_utils"}}
 ]}.
diff --git a/apps/emqx_bridge_kinesis/rebar.config b/apps/emqx_bridge_kinesis/rebar.config
index e4b57846e..4d7f87540 100644
--- a/apps/emqx_bridge_kinesis/rebar.config
+++ b/apps/emqx_bridge_kinesis/rebar.config
@@ -1,6 +1,6 @@
 %% -*- mode: erlang; -*-
 {erl_opts, [debug_info]}.
-{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0-emqx-2"}}}
+{deps, [ {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0.3"}}}
        , {emqx_connector, {path, "../../apps/emqx_connector"}}
        , {emqx_resource, {path, "../../apps/emqx_resource"}}
        , {emqx_bridge, {path, "../../apps/emqx_bridge"}}
diff --git a/apps/emqx_s3/rebar.config b/apps/emqx_s3/rebar.config
index 1d64e6677..e34406e54 100644
--- a/apps/emqx_s3/rebar.config
+++ b/apps/emqx_s3/rebar.config
@@ -1,6 +1,6 @@
 {deps, [
     {emqx, {path, "../../apps/emqx"}},
-    {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0-emqx-2"}}},
+    {erlcloud, {git, "https://github.com/emqx/erlcloud", {tag, "3.7.0.3"}}},
     {emqx_bridge_http, {path, "../emqx_bridge_http"}}
 ]}.
 

From 97f9c81e19a579e2880cadd1883a4811b8a201b2 Mon Sep 17 00:00:00 2001
From: Ilya Averyanov <av@rubybox.dev>
Date: Thu, 30 May 2024 14:56:56 +0300
Subject: [PATCH 3/3] feat(auth): add legacy ${access} placeholder

---
 apps/emqx_authz/src/emqx_authz_http.erl        | 16 ++++++++++++++--
 apps/emqx_authz/test/emqx_authz_http_SUITE.erl | 13 +++++++++++--
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/apps/emqx_authz/src/emqx_authz_http.erl b/apps/emqx_authz/src/emqx_authz_http.erl
index a34a7514a..faa3a3198 100644
--- a/apps/emqx_authz/src/emqx_authz_http.erl
+++ b/apps/emqx_authz/src/emqx_authz_http.erl
@@ -39,6 +39,10 @@
 -compile(nowarn_export_all).
 -endif.
 
+-define(PH_ACCESS, <<"${access}">>).
+-define(LEGACY_SUBSCRIBE_ACTION, 1).
+-define(LEGACY_PUBLISH_ACTION, 2).
+
 -define(PLACEHOLDERS, [
     ?PH_USERNAME,
     ?PH_CLIENTID,
@@ -48,7 +52,8 @@
     ?PH_TOPIC,
     ?PH_ACTION,
     ?PH_CERT_SUBJECT,
-    ?PH_CERT_CN_NAME
+    ?PH_CERT_CN_NAME,
+    ?PH_ACCESS
 ]).
 
 -define(PLACEHOLDERS_FOR_RICH_ACTIONS, [
@@ -234,7 +239,14 @@ serialize_body(<<"application/x-www-form-urlencoded">>, Body) ->
 
 client_vars(Client, Action, Topic) ->
     Vars = emqx_authz_utils:vars_for_rule_query(Client, Action),
-    Vars#{topic => Topic}.
+    add_legacy_access_var(Vars#{topic => Topic}).
+
+add_legacy_access_var(#{action := subscribe} = Vars) ->
+    Vars#{access => ?LEGACY_SUBSCRIBE_ACTION};
+add_legacy_access_var(#{action := publish} = Vars) ->
+    Vars#{access => ?LEGACY_PUBLISH_ACTION};
+add_legacy_access_var(Vars) ->
+    Vars.
 
 to_list(A) when is_atom(A) ->
     atom_to_list(A);
diff --git a/apps/emqx_authz/test/emqx_authz_http_SUITE.erl b/apps/emqx_authz/test/emqx_authz_http_SUITE.erl
index 6cf4b5bc0..7810b5902 100644
--- a/apps/emqx_authz/test/emqx_authz_http_SUITE.erl
+++ b/apps/emqx_authz/test/emqx_authz_http_SUITE.erl
@@ -202,6 +202,7 @@ t_query_params(_Config) ->
                 mountpoint := <<"MOUNTPOINT">>,
                 topic := <<"t/1">>,
                 action := <<"publish">>,
+                access := <<"2">>,
                 qos := <<"1">>,
                 retain := <<"false">>
             } = cowboy_req:match_qs(
@@ -213,6 +214,7 @@ t_query_params(_Config) ->
                     mountpoint,
                     topic,
                     action,
+                    access,
                     qos,
                     retain
                 ],
@@ -230,6 +232,7 @@ t_query_params(_Config) ->
                 "mountpoint=${mountpoint}&"
                 "topic=${topic}&"
                 "action=${action}&"
+                "access=${access}&"
                 "qos=${qos}&"
                 "retain=${retain}"
             >>
@@ -264,6 +267,7 @@ t_path(_Config) ->
                     "MOUNTPOINT/"
                     "t%2F1/"
                     "publish/"
+                    "2/"
                     "1/"
                     "false"
                 >>,
@@ -281,6 +285,7 @@ t_path(_Config) ->
                 "${mountpoint}/"
                 "${topic}/"
                 "${action}/"
+                "${access}/"
                 "${qos}/"
                 "${retain}"
             >>
@@ -321,6 +326,7 @@ t_json_body(_Config) ->
                     <<"mountpoint">> := <<"MOUNTPOINT">>,
                     <<"topic">> := <<"t">>,
                     <<"action">> := <<"publish">>,
+                    <<"access">> := <<"2">>,
                     <<"qos">> := <<"1">>,
                     <<"retain">> := <<"false">>
                 },
@@ -338,6 +344,7 @@ t_json_body(_Config) ->
                 <<"mountpoint">> => <<"${mountpoint}">>,
                 <<"topic">> => <<"${topic}">>,
                 <<"action">> => <<"${action}">>,
+                <<"access">> => <<"${access}">>,
                 <<"qos">> => <<"${qos}">>,
                 <<"retain">> => <<"${retain}">>
             }
@@ -405,7 +412,7 @@ t_placeholder_and_body(_Config) ->
                 cowboy_req:path(Req0)
             ),
 
-            {ok, [{PostVars, true}], Req1} = cowboy_req:read_urlencoded_body(Req0),
+            {ok, PostVars, Req1} = cowboy_req:read_urlencoded_body(Req0),
 
             ?assertMatch(
                 #{
@@ -416,10 +423,11 @@ t_placeholder_and_body(_Config) ->
                     <<"mountpoint">> := <<"MOUNTPOINT">>,
                     <<"topic">> := <<"t">>,
                     <<"action">> := <<"publish">>,
+                    <<"access">> := <<"2">>,
                     <<"CN">> := ?PH_CERT_CN_NAME,
                     <<"CS">> := ?PH_CERT_SUBJECT
                 },
-                emqx_utils_json:decode(PostVars, [return_maps])
+                maps:from_list(PostVars)
             ),
             {ok, ?AUTHZ_HTTP_RESP(allow, Req1), State}
         end,
@@ -433,6 +441,7 @@ t_placeholder_and_body(_Config) ->
                 <<"mountpoint">> => <<"${mountpoint}">>,
                 <<"topic">> => <<"${topic}">>,
                 <<"action">> => <<"${action}">>,
+                <<"access">> => <<"${access}">>,
                 <<"CN">> => ?PH_CERT_CN_NAME,
                 <<"CS">> => ?PH_CERT_SUBJECT
             },