chore(auth): make pre_hook_authenticate be part of emqx_access_control domain
This commit is contained in:
parent
c60751b401
commit
ce2b159022
|
@ -32,3 +32,6 @@
|
|||
-define(authz_action(PUBSUB, QOS), #{action_type := PUBSUB, qos := QOS}).
|
||||
-define(authz_action(PUBSUB), ?authz_action(PUBSUB, _)).
|
||||
-define(authz_action, ?authz_action(_)).
|
||||
|
||||
-define(AUTHN_TRACE_TAG, "AUTHN").
|
||||
|
||||
|
|
|
@ -18,8 +18,8 @@
|
|||
-define(EMQX_AUTHENTICATION_HRL, true).
|
||||
|
||||
-include_lib("emqx/include/logger.hrl").
|
||||
-include_lib("emqx/include/emqx_access_control.hrl").
|
||||
|
||||
-define(AUTHN_TRACE_TAG, "AUTHN").
|
||||
-define(GLOBAL, 'mqtt:global').
|
||||
|
||||
-define(TRACE_AUTHN_PROVIDER(Msg), ?TRACE_AUTHN_PROVIDER(Msg, #{})).
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
-module(emqx_access_control).
|
||||
|
||||
-include("emqx.hrl").
|
||||
-include("emqx_access_control.hrl").
|
||||
-include("logger.hrl").
|
||||
|
||||
-export([
|
||||
|
@ -29,6 +30,14 @@
|
|||
-compile(nowarn_export_all).
|
||||
-endif.
|
||||
|
||||
-define(TRACE_RESULT(Label, Tag, Result, Reason), begin
|
||||
?TRACE(Label, Tag, #{
|
||||
result => (Result),
|
||||
reason => (Reason)
|
||||
}),
|
||||
Result
|
||||
end).
|
||||
|
||||
%%--------------------------------------------------------------------
|
||||
%% APIs
|
||||
%%--------------------------------------------------------------------
|
||||
|
@ -44,7 +53,7 @@ authenticate(Credential) ->
|
|||
%% if auth backend returning nothing but just 'ok'
|
||||
%% it means it's not a superuser, or there is no way to tell.
|
||||
NotSuperUser = #{is_superuser => false},
|
||||
case emqx_authentication:pre_hook_authenticate(Credential) of
|
||||
case pre_hook_authenticate(Credential) of
|
||||
ok ->
|
||||
inc_authn_metrics(anonymous),
|
||||
{ok, NotSuperUser};
|
||||
|
@ -99,6 +108,34 @@ authorize(ClientInfo, Action, Topic) ->
|
|||
inc_authz_metrics(Result),
|
||||
Result.
|
||||
|
||||
%%--------------------------------------------------------------------
|
||||
%% Internal Functions
|
||||
%%--------------------------------------------------------------------
|
||||
|
||||
-spec pre_hook_authenticate(emqx_types:clientinfo()) ->
|
||||
ok | continue | {error, not_authorized}.
|
||||
pre_hook_authenticate(#{enable_authn := false}) ->
|
||||
?TRACE_RESULT("pre_hook_authenticate", ?AUTHN_TRACE_TAG, ok, enable_authn_false);
|
||||
pre_hook_authenticate(#{enable_authn := quick_deny_anonymous} = Credential) ->
|
||||
case is_username_defined(Credential) of
|
||||
true ->
|
||||
continue;
|
||||
false ->
|
||||
?TRACE_RESULT(
|
||||
"pre_hook_authenticate",
|
||||
?AUTHN_TRACE_TAG,
|
||||
{error, not_authorized},
|
||||
enable_authn_false
|
||||
)
|
||||
end;
|
||||
pre_hook_authenticate(_) ->
|
||||
continue.
|
||||
|
||||
is_username_defined(#{username := undefined}) -> false;
|
||||
is_username_defined(#{username := <<>>}) -> false;
|
||||
is_username_defined(#{username := _Username}) -> true;
|
||||
is_username_defined(_) -> false.
|
||||
|
||||
check_authorization_cache(ClientInfo, Action, Topic) ->
|
||||
case emqx_authz_cache:get_authz_cache(Action, Topic) of
|
||||
not_found ->
|
||||
|
|
|
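Review bot: The denial branch of the `quick_deny_anonymous` clause of pre_hook_authenticate/1 traces `enable_authn_false` as the reason even though that clause only fires when `enable_authn` is `quick_deny_anonymous` and the client was refused for carrying no username; the reason field is the only thing that distinguishes the two deny paths in the `AUTHN` trace, so anyone triaging a rejected connection from trace output will be misled. The mislabel predates this commit (the removed emqx_authentication clause has it too), but the move into emqx_access_control is the moment to fix it, e.g. `?TRACE_RESULT("pre_hook_authenticate", ?AUTHN_TRACE_TAG, {error, not_authorized}, quick_deny_anonymous)` in that call. A short comment on is_username_defined/1 along the lines of `%% A missing username key, 'undefined' and <<>> are all treated as anonymous` would also spare the next reader from cross-checking against the removed `?IS_UNDEFINED` macro to confirm the behaviour is unchanged. authorize/3 at the top of the hunk and authenticate/1 in the previous hunk both begin outside the shown lines.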
@ -29,11 +29,9 @@
|
|||
-include_lib("stdlib/include/ms_transform.hrl").
|
||||
|
||||
-define(CONF_ROOT, ?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_ATOM).
|
||||
-define(IS_UNDEFINED(X), (X =:= undefined orelse X =:= <<>>)).
|
||||
|
||||
%% The authentication entrypoint.
|
||||
-export([
|
||||
pre_hook_authenticate/1,
|
||||
authenticate/2
|
||||
]).
|
||||
|
||||
|
@ -220,21 +218,6 @@ when
|
|||
%%------------------------------------------------------------------------------
|
||||
%% Authenticate
|
||||
%%------------------------------------------------------------------------------
|
||||
-spec pre_hook_authenticate(emqx_types:clientinfo()) ->
|
||||
ok | continue | {error, not_authorized}.
|
||||
pre_hook_authenticate(#{enable_authn := false}) ->
|
||||
?TRACE_RESULT("authentication_result", ok, enable_authn_false);
|
||||
pre_hook_authenticate(#{enable_authn := quick_deny_anonymous} = Credential) ->
|
||||
case maps:get(username, Credential, undefined) of
|
||||
U when ?IS_UNDEFINED(U) ->
|
||||
?TRACE_RESULT(
|
||||
"authentication_result", {error, not_authorized}, enable_authn_false
|
||||
);
|
||||
_ ->
|
||||
continue
|
||||
end;
|
||||
pre_hook_authenticate(_) ->
|
||||
continue.
|
||||
|
||||
authenticate(#{listener := Listener, protocol := Protocol} = Credential, AuthResult) ->
|
||||
case get_authenticators(Listener, global_chain(Protocol)) of
|
||||
|
|