yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore(auth): make pre_hook_authenticate be part of emqx_access_control domain

This commit is contained in:
Ilya Averyanov 2023-08-01 16:48:45 +03:00
parent c60751b401
commit ce2b159022
4 changed files with 42 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apps/emqx/include/emqx_access_control.hrl
View File

@ -32,3 +32,6 @@
-define(authz_action(PUBSUB, QOS), #{action_type := PUBSUB, qos := QOS}). -define(authz_action(PUBSUB, QOS), #{action_type := PUBSUB, qos := QOS}).
-define(authz_action(PUBSUB), ?authz_action(PUBSUB, _)). -define(authz_action(PUBSUB), ?authz_action(PUBSUB, _)).
-define(authz_action, ?authz_action(_)). -define(authz_action, ?authz_action(_)).
-define(AUTHN_TRACE_TAG, "AUTHN").

2
apps/emqx/include/emqx_authentication.hrl
View File

@ -18,8 +18,8 @@
-define(EMQX_AUTHENTICATION_HRL, true). -define(EMQX_AUTHENTICATION_HRL, true).
-include_lib("emqx/include/logger.hrl"). -include_lib("emqx/include/logger.hrl").
-include_lib("emqx/include/emqx_access_control.hrl").
-define(AUTHN_TRACE_TAG, "AUTHN").
-define(GLOBAL, 'mqtt:global'). -define(GLOBAL, 'mqtt:global').
-define(TRACE_AUTHN_PROVIDER(Msg), ?TRACE_AUTHN_PROVIDER(Msg, #{})). -define(TRACE_AUTHN_PROVIDER(Msg), ?TRACE_AUTHN_PROVIDER(Msg, #{})).

39
apps/emqx/src/emqx_access_control.erl
View File

@ -17,6 +17,7 @@
-module(emqx_access_control). -module(emqx_access_control).
-include("emqx.hrl"). -include("emqx.hrl").
-include("emqx_access_control.hrl").
-include("logger.hrl"). -include("logger.hrl").
-export([ -export([
@ -29,6 +30,14 @@
-compile(nowarn_export_all). -compile(nowarn_export_all).
-endif. -endif.
-define(TRACE_RESULT(Label, Tag, Result, Reason), begin
?TRACE(Label, Tag, #{
result => (Result),
reason => (Reason)
}),
Result
end).
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% APIs %% APIs
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
@ -44,7 +53,7 @@ authenticate(Credential) ->
%% if auth backend returning nothing but just 'ok' %% if auth backend returning nothing but just 'ok'
%% it means it's not a superuser, or there is no way to tell. %% it means it's not a superuser, or there is no way to tell.
NotSuperUser = #{is_superuser => false}, NotSuperUser = #{is_superuser => false},
case emqx_authentication:pre_hook_authenticate(Credential) of case pre_hook_authenticate(Credential) of
ok -> ok ->
inc_authn_metrics(anonymous), inc_authn_metrics(anonymous),
{ok, NotSuperUser}; {ok, NotSuperUser};
@ -99,6 +108,34 @@ authorize(ClientInfo, Action, Topic) ->
inc_authz_metrics(Result), inc_authz_metrics(Result),
Result. Result.
%%--------------------------------------------------------------------
%% Internal Functions
%%--------------------------------------------------------------------
-spec pre_hook_authenticate(emqx_types:clientinfo()) ->
ok | continue | {error, not_authorized}.
pre_hook_authenticate(#{enable_authn := false}) ->
?TRACE_RESULT("pre_hook_authenticate", ?AUTHN_TRACE_TAG, ok, enable_authn_false);
pre_hook_authenticate(#{enable_authn := quick_deny_anonymous} = Credential) ->
case is_username_defined(Credential) of
true ->
continue;
false ->
?TRACE_RESULT(
"pre_hook_authenticate",
?AUTHN_TRACE_TAG,
{error, not_authorized},
enable_authn_false
)
end;
pre_hook_authenticate(_) ->
continue.
is_username_defined(#{username := undefined}) -> false;
is_username_defined(#{username := <<>>}) -> false;
is_username_defined(#{username := _Username}) -> true;
is_username_defined(_) -> false.
check_authorization_cache(ClientInfo, Action, Topic) -> check_authorization_cache(ClientInfo, Action, Topic) ->
case emqx_authz_cache:get_authz_cache(Action, Topic) of case emqx_authz_cache:get_authz_cache(Action, Topic) of
not_found -> not_found ->

17
apps/emqx/src/emqx_authentication.erl
View File

@ -29,11 +29,9 @@
-include_lib("stdlib/include/ms_transform.hrl"). -include_lib("stdlib/include/ms_transform.hrl").
-define(CONF_ROOT, ?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_ATOM). -define(CONF_ROOT, ?EMQX_AUTHENTICATION_CONFIG_ROOT_NAME_ATOM).
-define(IS_UNDEFINED(X), (X =:= undefined orelse X =:= <<>>)).
%% The authentication entrypoint. %% The authentication entrypoint.
-export([ -export([
pre_hook_authenticate/1,
authenticate/2 authenticate/2
]). ]).
@ -220,21 +218,6 @@ when
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
%% Authenticate %% Authenticate
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
-spec pre_hook_authenticate(emqx_types:clientinfo()) ->
ok | continue | {error, not_authorized}.
pre_hook_authenticate(#{enable_authn := false}) ->
?TRACE_RESULT("authentication_result", ok, enable_authn_false);
pre_hook_authenticate(#{enable_authn := quick_deny_anonymous} = Credential) ->
case maps:get(username, Credential, undefined) of
U when ?IS_UNDEFINED(U) ->
?TRACE_RESULT(
"authentication_result", {error, not_authorized}, enable_authn_false
);
_ ->
continue
end;
pre_hook_authenticate(_) ->
continue.
authenticate(#{listener := Listener, protocol := Protocol} = Credential, AuthResult) -> authenticate(#{listener := Listener, protocol := Protocol} = Credential, AuthResult) ->
case get_authenticators(Listener, global_chain(Protocol)) of case get_authenticators(Listener, global_chain(Protocol)) of