diff --git a/apps/emqx/src/emqx_access_control.erl b/apps/emqx/src/emqx_access_control.erl
index 8ca9f3893..7b7138bef 100644
--- a/apps/emqx/src/emqx_access_control.erl
+++ b/apps/emqx/src/emqx_access_control.erl
@@ -20,7 +20,7 @@
 -export([authenticate/1]).
--export([ check_authz/3
+-export([ authorize/3
 ]).
 -type(result() :: #{auth_result := emqx_types:auth_result(),
@@ -42,25 +42,25 @@ authenticate(ClientInfo = #{zone := Zone}) ->
 end.
 %% @doc Check ACL
--spec(check_authz(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
+-spec(authorize(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
 -> allow | deny).
-check_authz(ClientInfo, PubSub, Topic) ->
+authorize(ClientInfo, PubSub, Topic) ->
 case emqx_acl_cache:is_enabled() of
- true -> check_authz_cache(ClientInfo, PubSub, Topic);
- false -> do_check_authz(ClientInfo, PubSub, Topic)
+ true -> authorize_cache(ClientInfo, PubSub, Topic);
+ false -> do_authorize(ClientInfo, PubSub, Topic)
 end.
-check_authz_cache(ClientInfo, PubSub, Topic) ->
+authorize_cache(ClientInfo, PubSub, Topic) ->
 case emqx_acl_cache:get_acl_cache(PubSub, Topic) of
 not_found ->
- AclResult = do_check_authz(ClientInfo, PubSub, Topic),
+ AclResult = do_authorize(ClientInfo, PubSub, Topic),
 emqx_acl_cache:put_acl_cache(PubSub, Topic, AclResult),
 AclResult;
 AclResult -> AclResult
 end.
-do_check_authz(ClientInfo, PubSub, Topic) ->
- case run_hooks('client.check_authz', [ClientInfo, PubSub, Topic], allow) of
+do_authorize(ClientInfo, PubSub, Topic) ->
+ case run_hooks('client.authorize', [ClientInfo, PubSub, Topic], allow) of
 allow -> allow;
 _Other -> deny
 end.
diff --git a/apps/emqx/src/emqx_channel.erl b/apps/emqx/src/emqx_channel.erl
index 2fcad5b21..99f8cb5df 100644
--- a/apps/emqx/src/emqx_channel.erl
+++ b/apps/emqx/src/emqx_channel.erl
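Review bot: The `%% @doc Check ACL` line above the renamed `-spec(authorize(...))` still carries the old name and says nothing about how the answer is produced, so the module's one public authorization entry point comes out of the rename without usable documentation. I would replace it with `%% @doc Authorize PubSub on Topic for ClientInfo: the result comes from the 'client.authorize' hook chain (default allow when no callback decides), served from emqx_acl_cache when the cache is enabled; anything other than allow is reported as deny.` The default `allow` on the `run_hooks` line of `do_authorize` deserves that explicit mention, because on a node where nothing has registered on the hook every publish and subscribe is permitted. Whether the hook runner also yields that default after a crashing callback is outside this hunk and worth confirming, since it decides whether an authorizer failure is fail-open.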
@@ -1406,7 +1406,7 @@ check_pub_alias(_Packet, _Channel) -> ok. check_pub_acl(#mqtt_packet{variable = #mqtt_packet_publish{topic_name = Topic}}, #channel{clientinfo = ClientInfo}) -> case is_acl_enabled(ClientInfo) andalso - emqx_access_control:check_authz(ClientInfo, publish, Topic) of + emqx_access_control:authorize(ClientInfo, publish, Topic) of false -> ok; allow -> ok; deny -> {error, ?RC_NOT_AUTHORIZED} @@ -1440,7 +1440,7 @@ check_sub_acls([], _Channel, Acc) -> check_sub_acl(TopicFilter, #channel{clientinfo = ClientInfo}) -> case is_acl_enabled(ClientInfo) andalso - emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of + emqx_access_control:authorize(ClientInfo, subscribe, TopicFilter) of false -> allow; Result -> Result end. diff --git a/apps/emqx/src/emqx_metrics.erl b/apps/emqx/src/emqx_metrics.erl index c583276d8..cd0039791 100644 --- a/apps/emqx/src/emqx_metrics.erl +++ b/apps/emqx/src/emqx_metrics.erl @@ -172,7 +172,7 @@ {counter, 'client.connected'}, {counter, 'client.authenticate'}, {counter, 'client.auth.anonymous'}, - {counter, 'client.check_authz'}, + {counter, 'client.authorize'}, {counter, 'client.subscribe'}, {counter, 'client.unsubscribe'}, {counter, 'client.disconnected'} @@ -563,7 +563,7 @@ reserved_idx('client.connected') -> 202; reserved_idx('client.authenticate') -> 203; reserved_idx('client.enhanced_authenticate') -> 204; reserved_idx('client.auth.anonymous') -> 205; -reserved_idx('client.check_authz') -> 206; +reserved_idx('client.authorize') -> 206; reserved_idx('client.subscribe') -> 207; reserved_idx('client.unsubscribe') -> 208; reserved_idx('client.disconnected') -> 209; diff --git a/apps/emqx/test/emqx_access_control_SUITE.erl b/apps/emqx/test/emqx_access_control_SUITE.erl index 82a0c1669..b356402fb 100644 --- a/apps/emqx/test/emqx_access_control_SUITE.erl +++ b/apps/emqx/test/emqx_access_control_SUITE.erl 
@@ -38,9 +38,9 @@ t_authenticate(_) -> emqx_zone:set_env(zone, allow_anonymous, true), ?assertMatch({ok, _}, emqx_access_control:authenticate(clientinfo())). -t_check_authz(_) -> +t_authorize(_) -> Publish = ?PUBLISH_PACKET(?QOS_0, <<"t">>, 1, <<"payload">>), - ?assertEqual(allow, emqx_access_control:check_authz(clientinfo(), Publish, <<"t">>)). + ?assertEqual(allow, emqx_access_control:authorize(clientinfo(), Publish, <<"t">>)). t_bypass_auth_plugins(_) -> ClientInfo = clientinfo(), diff --git a/apps/emqx/test/emqx_acl_test_mod.erl b/apps/emqx/test/emqx_acl_test_mod.erl index be461d584..f88e0354b 100644 --- a/apps/emqx/test/emqx_acl_test_mod.erl +++ b/apps/emqx/test/emqx_acl_test_mod.erl @@ -18,14 +18,14 @@ %% ACL callbacks -export([ init/1 - , check_authz/2 + , authorize/2 , description/0 ]). init(AclOpts) -> {ok, AclOpts}. -check_authz({_User, _PubSub, _Topic}, _State) -> +authorize({_User, _PubSub, _Topic}, _State) -> allow. description() -> diff --git a/apps/emqx/test/emqx_channel_SUITE.erl b/apps/emqx/test/emqx_channel_SUITE.erl index cc77acb56..09ac7a683 100644 --- a/apps/emqx/test/emqx_channel_SUITE.erl +++ b/apps/emqx/test/emqx_channel_SUITE.erl @@ -37,7 +37,7 @@ init_per_suite(Config) -> ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]), ok = meck:expect(emqx_access_control, authenticate, fun(_) -> {ok, #{auth_result => success}} end), - ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end), + ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> allow end), %% Broker Meck ok = meck:new(emqx_broker, [passthrough, no_history, no_link]), %% Hooks Meck diff --git a/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl b/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl index e60d52a86..ab4d96eea 100644 --- a/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl +++ b/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl 
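Review bot: `t_authorize` passes the `Publish` packet built with `?PUBLISH_PACKET` as the second argument of `emqx_access_control:authorize/3`, whose spec takes `emqx_types:pubsub()`, so the test exercises a value no caller sends; `check_pub_acl` in emqx_channel passes the atom `publish`. It presumably passes only because no 'client.authorize' callback is registered in this suite and the hook default is `allow`, which makes the call succeed for any PubSub term and leaves the real argument shape untested. I would change it to `?assertEqual(allow, emqx_access_control:authorize(clientinfo(), publish, <<"t">>))` and drop the now unused `Publish` binding.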
@@ -198,7 +198,7 @@ t_batch_subscribe(_) -> {ok, Client} = emqtt:start_link([{proto_ver, v5}, {clientid, <<"batch_test">>}]), {ok, _} = emqtt:connect(Client), ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history, no_link]), - meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end), + meck:expect(emqx_access_control, authorize, fun(_, _, _) -> deny end), {ok, _, [?RC_NOT_AUTHORIZED, ?RC_NOT_AUTHORIZED, ?RC_NOT_AUTHORIZED]} = emqtt:subscribe(Client, [{<<"t1">>, qos1}, diff --git a/apps/emqx/test/emqx_ws_connection_SUITE.erl b/apps/emqx/test/emqx_ws_connection_SUITE.erl index b5020439b..93c192b86 100644 --- a/apps/emqx/test/emqx_ws_connection_SUITE.erl +++ b/apps/emqx/test/emqx_ws_connection_SUITE.erl @@ -64,7 +64,7 @@ init_per_testcase(TestCase, Config) when end), %% Mock emqx_access_control ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]), - ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end), + ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> allow end), %% Mock emqx_hooks ok = meck:new(emqx_hooks, [passthrough, no_history, no_link]), ok = meck:expect(emqx_hooks, run, fun(_Hook, _Args) -> ok end), diff --git a/apps/emqx_authz/src/emqx_authz.erl b/apps/emqx_authz/src/emqx_authz.erl index b757c8908..8f6ae5f2b 100644 --- a/apps/emqx_authz/src/emqx_authz.erl +++ b/apps/emqx_authz/src/emqx_authz.erl @@ -26,7 +26,7 @@ , compile/1 , lookup/0 , update/1 - , check_authz/5 + , authorize/5 , match/4 ]). @@ -41,7 +41,7 @@ init() -> #{<<"authz">> := #{<<"rules">> := Rules}} = hocon_schema:check_plain(emqx_authz_schema, RawConf), ok = application:set_env(?APP, rules, Rules), NRules = [compile(Rule) || Rule <- Rules], - ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]}, -1). + ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]}, -1). lookup() -> application:get_env(?APP, rules, []). 
@@ -50,8 +50,8 @@ update(Rules) -> ok = application:set_env(?APP, rules, Rules), NRules = [compile(Rule) || Rule <- Rules], Action = find_action_in_hooks(), - ok = emqx_hooks:del('client.check_authz', Action), - ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]}, -1), + ok = emqx_hooks:del('client.authorize', Action), + ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]}, -1), ok = emqx_acl_cache:empty_acl_cache(). %%-------------------------------------------------------------------- @@ -59,8 +59,8 @@ update(Rules) -> %%-------------------------------------------------------------------- find_action_in_hooks() -> - Callbacks = emqx_hooks:lookup('client.check_authz'), - [Action] = [Action || {callback,{?MODULE, check_authz, _} = Action, _, _} <- Callbacks ], + Callbacks = emqx_hooks:lookup('client.authorize'), + [Action] = [Action || {callback,{?MODULE, authorize, _} = Action, _, _} <- Callbacks ], Action. create_resource(#{<<"type">> := DB, @@ -149,12 +149,12 @@ b2l(B) when is_binary(B) -> binary_to_list(B). %%-------------------------------------------------------------------- %% @doc Check ACL --spec(check_authz(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules()) +-spec(authorize(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules()) -> {stop, allow} | {ok, deny}). -check_authz(#{username := Username, +authorize(#{username := Username, peerhost := IpAddress } = Client, PubSub, Topic, _DefaultResult, Rules) -> - case do_check_authz(Client, PubSub, Topic, Rules) of + case do_authorize(Client, PubSub, Topic, Rules) of {matched, allow} -> ?LOG(info, "Client succeeded authorization: Username: ~p, IP: ~p, Topic: ~p, Permission: allow", [Username, IpAddress, Topic]), emqx_metrics:inc(?ACL_METRICS(allow)), 
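Review bot: The renamed spec `-spec(authorize(...) -> {stop, allow} | {ok, deny})` does not match what the function returns: the branch visible at the top of the next hunk returns `{stop, deny}`, and every deny expectation in emqx_authz_SUITE's `t_authz` asserts `{stop, deny}` (including the empty-rules case), so `{ok, deny}` looks like a value that is never produced while the real one is missing. Since this is the callback registered on 'client.authorize' and `{stop, _}` ends the hook chain, the spec should say so: `-> {stop, allow | deny}).` The body of `authorize/5` is split between this hunk and the next, so a return I cannot see could still be `{ok, deny}`; dialyzer would settle it.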
@@ -168,25 +168,25 @@ check_authz(#{username := Username, {stop, deny} end. -do_check_authz(Client, PubSub, Topic, +do_authorize(Client, PubSub, Topic, [Connector = #{<<"principal">> := Principal, <<"type">> := DB} | Tail] ) -> case match_principal(Client, Principal) of true -> Mod = list_to_existing_atom(io_lib:format("~s_~s",[emqx_authz, DB])), - case Mod:check_authz(Client, PubSub, Topic, Connector) of - nomatch -> do_check_authz(Client, PubSub, Topic, Tail); + case Mod:authorize(Client, PubSub, Topic, Connector) of + nomatch -> do_authorize(Client, PubSub, Topic, Tail); Matched -> Matched end; - false -> do_check_authz(Client, PubSub, Topic, Tail) + false -> do_authorize(Client, PubSub, Topic, Tail) end; -do_check_authz(Client, PubSub, Topic, +do_authorize(Client, PubSub, Topic, [#{<<"permission">> := Permission} = Rule | Tail]) -> case match(Client, PubSub, Topic, Rule) of true -> {matched, Permission}; - false -> do_check_authz(Client, PubSub, Topic, Tail) + false -> do_authorize(Client, PubSub, Topic, Tail) end; -do_check_authz(_Client, _PubSub, _Topic, []) -> nomatch. +do_authorize(_Client, _PubSub, _Topic, []) -> nomatch. match(Client, PubSub, Topic, #{<<"principal">> := Principal, diff --git a/apps/emqx_authz/src/emqx_authz_mysql.erl b/apps/emqx_authz/src/emqx_authz_mysql.erl index c1ab20125..6acb154fb 100644 --- a/apps/emqx_authz/src/emqx_authz_mysql.erl +++ b/apps/emqx_authz/src/emqx_authz_mysql.erl @@ -23,7 +23,7 @@ %% ACL Callbacks -export([ description/0 , parse_query/1 - , check_authz/4 + , authorize/4 ]). -ifdef(TEST). 
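Review bot: The first `do_authorize` clause still resolves the backend with `list_to_existing_atom(io_lib:format("~s_~s", [emqx_authz, DB]))` on every request, and nothing documents what happens when `DB` names no loaded `emqx_authz_*` module: `list_to_existing_atom` raises `badarg` inside the 'client.authorize' callback, and the effective decision then depends on how the hook runner treats a crashing callback, which is not visible here but matters because the default handed to `run_hooks` in emqx_access_control is `allow`. A fixed mapping such as `backend(<<"mysql">>) -> emqx_authz_mysql; backend(<<"pgsql">>) -> emqx_authz_pgsql; backend(<<"redis">>) -> emqx_authz_redis.` turns an unknown type into an explicit `function_clause` carrying the offending value, removes the variable-module `Mod:authorize` call that xref and dialyzer cannot check, and stops relying on the chardata returned by `io_lib:format/2` being flat. Whether the `<<"type">>` value is a binary or a list should be confirmed from `compile/1`, which is outside this hunk; the `match/4` clause that begins at the bottom of the hunk continues past it.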
@@ -45,25 +45,25 @@ parse_query(Sql) -> {Sql, []} end. -check_authz(Client, PubSub, Topic, +authorize(Client, PubSub, Topic, #{<<"resource_id">> := ResourceID, <<"sql">> := {SQL, Params} }) -> case emqx_resource:query(ResourceID, {sql, SQL, replvar(Params, Client)}) of {ok, _Columns, []} -> nomatch; {ok, Columns, Rows} -> - do_check_authz(Client, PubSub, Topic, Columns, Rows); + do_authorize(Client, PubSub, Topic, Columns, Rows); {error, Reason} -> ?LOG(error, "[AuthZ] Query mysql error: ~p~n", [Reason]), nomatch end. -do_check_authz(_Client, _PubSub, _Topic, _Columns, []) -> +do_authorize(_Client, _PubSub, _Topic, _Columns, []) -> nomatch; -do_check_authz(Client, PubSub, Topic, Columns, [Row | Tail]) -> +do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) -> case match(Client, PubSub, Topic, format_result(Columns, Row)) of {matched, Permission} -> {matched, Permission}; - nomatch -> do_check_authz(Client, PubSub, Topic, Columns, Tail) + nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail) end. format_result(Columns, Row) -> diff --git a/apps/emqx_authz/src/emqx_authz_pgsql.erl b/apps/emqx_authz/src/emqx_authz_pgsql.erl index edea8102f..c7cebf1e2 100644 --- a/apps/emqx_authz/src/emqx_authz_pgsql.erl +++ b/apps/emqx_authz/src/emqx_authz_pgsql.erl @@ -23,7 +23,7 @@ %% ACL Callbacks -export([ description/0 , parse_query/1 - , check_authz/4 + , authorize/4 ]). -ifdef(TEST). 
@@ -49,25 +49,25 @@ parse_query(Sql) -> {Sql, []} end. -check_authz(Client, PubSub, Topic, +authorize(Client, PubSub, Topic, #{<<"resource_id">> := ResourceID, <<"sql">> := {SQL, Params} }) -> case emqx_resource:query(ResourceID, {sql, SQL, replvar(Params, Client)}) of {ok, _Columns, []} -> nomatch; {ok, Columns, Rows} -> - do_check_authz(Client, PubSub, Topic, Columns, Rows); + do_authorize(Client, PubSub, Topic, Columns, Rows); {error, Reason} -> ?LOG(error, "[AuthZ] Query pgsql error: ~p~n", [Reason]), nomatch end. -do_check_authz(_Client, _PubSub, _Topic, _Columns, []) -> +do_authorize(_Client, _PubSub, _Topic, _Columns, []) -> nomatch; -do_check_authz(Client, PubSub, Topic, Columns, [Row | Tail]) -> +do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) -> case match(Client, PubSub, Topic, format_result(Columns, Row)) of {matched, Permission} -> {matched, Permission}; - nomatch -> do_check_authz(Client, PubSub, Topic, Columns, Tail) + nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail) end. format_result(Columns, Row) -> diff --git a/apps/emqx_authz/src/emqx_authz_redis.erl b/apps/emqx_authz/src/emqx_authz_redis.erl index 7a85b26af..1b99dc2ec 100644 --- a/apps/emqx_authz/src/emqx_authz_redis.erl +++ b/apps/emqx_authz/src/emqx_authz_redis.erl @@ -21,7 +21,7 @@ -include_lib("emqx/include/logger.hrl"). %% ACL Callbacks --export([ check_authz/4 +-export([ authorize/4 , description/0 ]). @@ -33,7 +33,7 @@ description() -> "AuthZ with redis". -check_authz(Client, PubSub, Topic, +authorize(Client, PubSub, Topic, #{<<"resource_id">> := ResourceID, <<"cmd">> := CMD }) -> 
@@ -41,22 +41,22 @@ check_authz(Client, PubSub, Topic, case emqx_resource:query(ResourceID, {cmd, NCMD}) of {ok, []} -> nomatch; {ok, Rows} -> - do_check_authz(Client, PubSub, Topic, Rows); + do_authorize(Client, PubSub, Topic, Rows); {error, Reason} -> ?LOG(error, "[AuthZ] Query redis error: ~p", [Reason]), nomatch end. -do_check_authz(_Client, _PubSub, _Topic, []) -> +do_authorize(_Client, _PubSub, _Topic, []) -> nomatch; -do_check_authz(Client, PubSub, Topic, [TopicFilter, Action | Tail]) -> +do_authorize(Client, PubSub, Topic, [TopicFilter, Action | Tail]) -> case match(Client, PubSub, Topic, #{topics => TopicFilter, action => Action }) of {matched, Permission} -> {matched, Permission}; - nomatch -> do_check_authz(Client, PubSub, Topic, Tail) + nomatch -> do_authorize(Client, PubSub, Topic, Tail) end. match(Client, PubSub, Topic, diff --git a/apps/emqx_authz/test/emqx_authz_SUITE.erl b/apps/emqx_authz/test/emqx_authz_SUITE.erl index d036d1dec..93be27146 100644 --- a/apps/emqx_authz/test/emqx_authz_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_SUITE.erl 
@@ -145,23 +145,23 @@ t_authz(_) -> Rules4 = [emqx_authz:compile(Rule) || Rule <- [?RULE4, ?RULE1]], ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo1, subscribe, <<"#">>, deny, [])), + emqx_authz:authorize(ClientInfo1, subscribe, <<"#">>, deny, [])), ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo1, subscribe, <<"+">>, deny, Rules1)), + emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules1)), ?assertEqual({stop, allow}, - emqx_authz:check_authz(ClientInfo1, subscribe, <<"+">>, deny, Rules2)), + emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules2)), ?assertEqual({stop, allow}, - emqx_authz:check_authz(ClientInfo1, publish, <<"test">>, deny, Rules3)), + emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules3)), ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo1, publish, <<"test">>, deny, Rules4)), + emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules4)), ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo2, subscribe, <<"#">>, deny, Rules2)), + emqx_authz:authorize(ClientInfo2, subscribe, <<"#">>, deny, Rules2)), ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo3, publish, <<"test">>, deny, Rules3)), + emqx_authz:authorize(ClientInfo3, publish, <<"test">>, deny, Rules3)), ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo3, publish, <<"fake">>, deny, Rules4)), + emqx_authz:authorize(ClientInfo3, publish, <<"fake">>, deny, Rules4)), ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo4, publish, <<"test">>, deny, Rules3)), + emqx_authz:authorize(ClientInfo4, publish, <<"test">>, deny, Rules3)), ?assertEqual({stop, deny}, - emqx_authz:check_authz(ClientInfo4, publish, <<"fake">>, deny, Rules4)), + emqx_authz:authorize(ClientInfo4, publish, <<"fake">>, deny, Rules4)), ok. diff --git a/apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl b/apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl index e4704c5f3..6ee229ec7 100644 
--- a/apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl 
@@ -95,23 +95,23 @@ t_authz(_) -> }, meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), % nomatch + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"#">>)), % nomatch meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"+">>)), meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end), - ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)), + ?assertEqual(allow, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)), meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end), - ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_clientid">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)), - ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_username">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch - ?assertEqual(deny, 
emqx_access_control:check_authz(ClientInfo3, publish, <<"test">>)), % nomatch + ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_clientid">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_clientid">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_username">>)), + ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_username">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, subscribe, <<"test">>)), % nomatch + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, publish, <<"test">>)), % nomatch ok. diff --git a/apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl b/apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl index d03cd3338..8fb9cd3e0 100644 --- a/apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl 
@@ -95,23 +95,23 @@ t_authz(_) -> }, meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), % nomatch + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"#">>)), % nomatch meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"+">>)), meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end), - ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"+">>)), + ?assertEqual(allow, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, subscribe, <<"+">>)), meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end), - ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_clientid">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)), - ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_username">>)), - ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch - ?assertEqual(deny, 
emqx_access_control:check_authz(ClientInfo3, publish, <<"test">>)), % nomatch + ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_clientid">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_clientid">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_username">>)), + ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_username">>)), + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, subscribe, <<"test">>)), % nomatch + ?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, publish, <<"test">>)), % nomatch ok. diff --git a/apps/emqx_authz/test/emqx_authz_redis_SUITE.erl b/apps/emqx_authz/test/emqx_authz_redis_SUITE.erl index ab8465ffa..6e5015b7e 100644 --- a/apps/emqx_authz/test/emqx_authz_redis_SUITE.erl +++ b/apps/emqx_authz/test/emqx_authz_redis_SUITE.erl 
@@ -84,30 +84,30 @@ t_authz(_) -> meck:expect(emqx_resource, query, fun(_, _) -> {ok, []} end), % nomatch ?assertEqual(deny, - emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)), + emqx_access_control:authorize(ClientInfo, subscribe, <<"#">>)), ?assertEqual(deny, - emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)), + emqx_access_control:authorize(ClientInfo, publish, <<"#">>)), meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE1 ++ ?RULE2} end), % nomatch ?assertEqual(deny, - emqx_access_control:check_authz(ClientInfo, subscribe, <<"+">>)), + emqx_access_control:authorize(ClientInfo, subscribe, <<"+">>)), % nomatch ?assertEqual(deny, - emqx_access_control:check_authz(ClientInfo, subscribe, <<"test/username">>)), + emqx_access_control:authorize(ClientInfo, subscribe, <<"test/username">>)), ?assertEqual(allow, - emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)), + emqx_access_control:authorize(ClientInfo, publish, <<"test/clientid">>)), ?assertEqual(allow, - emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)), + emqx_access_control:authorize(ClientInfo, publish, <<"test/clientid">>)), meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE3} end), ?assertEqual(allow, - emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)), + emqx_access_control:authorize(ClientInfo, subscribe, <<"#">>)), % nomatch ?assertEqual(deny, - emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)), + emqx_access_control:authorize(ClientInfo, publish, <<"#">>)), ok. diff --git a/apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl b/apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl index a1633a9be..b93d1c640 100644 --- a/apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl +++ b/apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl 
@@ -222,7 +222,7 @@ code_change(_OldVsn, State, _Extra) -> chann_subscribe(Topic, State = #state{clientid = ClientId}) -> ?LOG(debug, "subscribe Topic=~p", [Topic]), - case emqx_access_control:check_authz(clientinfo(State), subscribe, Topic) of + case emqx_access_control:authorize(clientinfo(State), subscribe, Topic) of allow -> emqx_broker:subscribe(Topic, ClientId, ?SUBOPTS), emqx_hooks:run('session.subscribed', [clientinfo(State), Topic, ?SUBOPTS]), @@ -241,7 +241,7 @@ chann_unsubscribe(Topic, State) -> chann_publish(Topic, Payload, State = #state{clientid = ClientId}) -> ?LOG(debug, "publish Topic=~p, Payload=~p", [Topic, Payload]), - case emqx_access_control:check_authz(clientinfo(State), publish, Topic) of + case emqx_access_control:authorize(clientinfo(State), publish, Topic) of allow -> _ = emqx_broker:publish( emqx_message:set_flag(retain, false, diff --git a/apps/emqx_coap/test/emqx_coap_SUITE.erl b/apps/emqx_coap/test/emqx_coap_SUITE.erl index 35975621b..9618425a3 100644 --- a/apps/emqx_coap/test/emqx_coap_SUITE.erl +++ b/apps/emqx_coap/test/emqx_coap_SUITE.erl @@ -77,7 +77,7 @@ t_publish_acl_deny(_Config) -> emqx:subscribe(Topic), ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]), - ok = meck:expect(emqx_access_control, check_authz, 3, deny), + ok = meck:expect(emqx_access_control, authorize, 3, deny), Reply = er_coap_client:request(put, URI, #coap_content{format = <<"application/octet-stream">>, payload = Payload}), ?assertEqual({error,forbidden}, Reply), ok = meck:unload(emqx_access_control), 
@@ -114,7 +114,7 @@ t_observe_acl_deny(_Config) -> Topic = <<"abc">>, TopicStr = binary_to_list(Topic), Uri = "coap://127.0.0.1/mqtt/"++TopicStr++"?c=client1&u=tom&p=secret", ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]), - ok = meck:expect(emqx_access_control, check_authz, 3, deny), + ok = meck:expect(emqx_access_control, authorize, 3, deny), ?assertEqual({error,forbidden}, er_coap_observer:observe(Uri)), [] = emqx:subscribers(Topic), ok = meck:unload(emqx_access_control). @@ -289,7 +289,7 @@ t_acl(Config) -> ok end, - ok = emqx_hooks:del('client.check_authz', {emqx_authz, check_authz}), + ok = emqx_hooks:del('client.authorize', {emqx_authz, authorize}), file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')), application:set_env(emqx, plugins_etc_dir, OldPath), application:stop(emqx_authz). diff --git a/apps/emqx_exhook/include/emqx_exhook.hrl b/apps/emqx_exhook/include/emqx_exhook.hrl index f640a5916..64131735e 100644 --- a/apps/emqx_exhook/include/emqx_exhook.hrl +++ b/apps/emqx_exhook/include/emqx_exhook.hrl @@ -25,7 +25,7 @@ , {'client.connected', {emqx_exhook_handler, on_client_connected, []}} , {'client.disconnected', {emqx_exhook_handler, on_client_disconnected, []}} , {'client.authenticate', {emqx_exhook_handler, on_client_authenticate, []}} - , {'client.check_authz', {emqx_exhook_handler, on_client_check_authz, []}} + , {'client.authorize', {emqx_exhook_handler, on_client_authorize, []}} , {'client.subscribe', {emqx_exhook_handler, on_client_subscribe, []}} , {'client.unsubscribe', {emqx_exhook_handler, on_client_unsubscribe, []}} , {'session.created', {emqx_exhook_handler, on_session_created, []}} diff --git a/apps/emqx_exhook/priv/protos/exhook.proto b/apps/emqx_exhook/priv/protos/exhook.proto index 3b8fa8861..97a011352 100644 --- a/apps/emqx_exhook/priv/protos/exhook.proto +++ b/apps/emqx_exhook/priv/protos/exhook.proto 
@@ -40,7 +40,7 @@ service HookProvider { rpc OnClientAuthenticate(ClientAuthenticateRequest) returns (ValuedResponse) {}; - rpc OnClientCheckAuthz(ClientCheckAuthzRequest) returns (ValuedResponse) {}; + rpc OnClientAuthorize(ClientAuthorizeRequest) returns (ValuedResponse) {}; rpc OnClientSubscribe(ClientSubscribeRequest) returns (EmptySuccess) {}; @@ -123,7 +123,7 @@ message ClientAuthenticateRequest { bool result = 2; } -message ClientCheckAuthzRequest { +message ClientAuthorizeRequest { ClientInfo clientinfo = 1; @@ -253,7 +253,7 @@ message ValuedResponse { oneof value { - // Boolean result, used on the 'client.authenticate', 'client.check_authz' hooks + // Boolean result, used on the 'client.authenticate', 'client.authorize' hooks bool bool_result = 3; // Message result, used on the 'message.*' hooks @@ -279,7 +279,7 @@ message HookSpec { // Available value: // "client.connect", "client.connack" // "client.connected", "client.disconnected" - // "client.authenticate", "client.check_authz" + // "client.authenticate", "client.authorize" // "client.subscribe", "client.unsubscribe" // // "session.created", "session.subscribed" diff --git a/apps/emqx_exhook/src/emqx_exhook_handler.erl b/apps/emqx_exhook/src/emqx_exhook_handler.erl index 695b1116b..db653c52b 100644 --- a/apps/emqx_exhook/src/emqx_exhook_handler.erl +++ b/apps/emqx_exhook/src/emqx_exhook_handler.erl @@ -27,7 +27,7 @@ , on_client_connected/2 , on_client_disconnected/3 , on_client_authenticate/2 - , on_client_check_authz/4 + , on_client_authorize/4 , on_client_subscribe/3 , on_client_unsubscribe/3 ]). @@ -109,7 +109,7 @@ on_client_authenticate(ClientInfo, AuthResult) -> {ok, AuthResult} end. -on_client_check_authz(ClientInfo, PubSub, Topic, Result) -> +on_client_authorize(ClientInfo, PubSub, Topic, Result) -> Bool = Result == allow, Type = case PubSub of publish -> 'PUBLISH'; 
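Review bot: Renaming the rpc `OnClientCheckAuthz` to `OnClientAuthorize` and the message `ClientCheckAuthzRequest` to `ClientAuthorizeRequest` in `HookProvider` changes the wire-level service definition (the method path and the request type name), so an external hook provider built against the previous exhook.proto stops receiving authorization callbacks, and the `client.authorize` name now listed under `HookSpec` is unknown to it. Nothing in the diff records this as a breaking change for providers; I would add `// Renamed from OnClientCheckAuthz; providers must regenerate stubs from this file` next to the rpc and call the rename out in the release notes. If the version policy allows it, keeping the old rpc as a deprecated alias for one release would let providers migrate without a window in which their authorization decisions are silently not consulted.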
@@ -120,7 +120,7 @@ on_client_check_authz(ClientInfo, PubSub, Topic, Result) -> topic => Topic, result => Bool }, - case call_fold('client.check_authz', Req, + case call_fold('client.authorize', Req, fun merge_responsed_bool/2) of {StopOrOk, #{result := Result0}} when is_boolean(Result0) -> NResult = case Result0 of true -> allow; _ -> deny end, diff --git a/apps/emqx_exhook/src/emqx_exhook_server.erl b/apps/emqx_exhook/src/emqx_exhook_server.erl index 5c5da4a85..a3b132065 100644 --- a/apps/emqx_exhook/src/emqx_exhook_server.erl +++ b/apps/emqx_exhook/src/emqx_exhook_server.erl @@ -58,7 +58,7 @@ | 'client.connected' | 'client.disconnected' | 'client.authenticate' - | 'client.check_authz' + | 'client.authorize' | 'client.subscribe' | 'client.unsubscribe' | 'session.created' @@ -297,7 +297,7 @@ hk2func('client.connack') -> 'on_client_connack'; hk2func('client.connected') -> 'on_client_connected'; hk2func('client.disconnected') -> 'on_client_disconnected'; hk2func('client.authenticate') -> 'on_client_authenticate'; -hk2func('client.check_authz') -> 'on_client_check_authz'; +hk2func('client.authorize') -> 'on_client_authorize'; hk2func('client.subscribe') -> 'on_client_subscribe'; hk2func('client.unsubscribe') -> 'on_client_unsubscribe'; hk2func('session.created') -> 'on_session_created'; @@ -320,7 +320,7 @@ message_hooks() -> -compile({inline, [available_hooks/0]}). available_hooks() -> ['client.connect', 'client.connack', 'client.connected', - 'client.disconnected', 'client.authenticate', 'client.check_authz', + 'client.disconnected', 'client.authenticate', 'client.authorize', 'client.subscribe', 'client.unsubscribe', 'session.created', 'session.subscribed', 'session.unsubscribed', 'session.resumed', 'session.discarded', 'session.takeovered', diff --git a/apps/emqx_exhook/test/emqx_exhook_demo_svr.erl b/apps/emqx_exhook/test/emqx_exhook_demo_svr.erl index da32a9cf1..656788b5e 100644 --- a/apps/emqx_exhook/test/emqx_exhook_demo_svr.erl 
+++ b/apps/emqx_exhook/test/emqx_exhook_demo_svr.erl @@ -33,7 +33,7 @@ , on_client_connected/2 , on_client_disconnected/2 , on_client_authenticate/2 - , on_client_check_authz/2 + , on_client_authorize/2 , on_client_subscribe/2 , on_client_unsubscribe/2 , on_session_created/2 @@ -122,7 +122,7 @@ on_provider_loaded(Req, Md) -> #{name => <<"client.connected">>}, #{name => <<"client.disconnected">>}, #{name => <<"client.authenticate">>}, - #{name => <<"client.check_authz">>}, + #{name => <<"client.authorize">>}, #{name => <<"client.subscribe">>}, #{name => <<"client.unsubscribe">>}, #{name => <<"session.created">>}, @@ -197,10 +197,10 @@ on_client_authenticate(#{clientinfo := #{username := Username}} = Req, Md) -> {ok, #{type => 'IGNORE'}, Md} end. --spec on_client_check_authz(emqx_exhook_pb:client_check_authz_request(), grpc:metadata()) +-spec on_client_authorize(emqx_exhook_pb:client_authorize_request(), grpc:metadata()) -> {ok, emqx_exhook_pb:valued_response(), grpc:metadata()} | {error, grpc_cowboy_h:error_response()}. -on_client_check_authz(#{clientinfo := #{username := Username}} = Req, Md) -> +on_client_authorize(#{clientinfo := #{username := Username}} = Req, Md) -> ?MODULE:in({?FUNCTION_NAME, Req}), %io:format("fun: ~p, req: ~0p~n", [?FUNCTION_NAME, Req]), %% some cases for testing diff --git a/apps/emqx_exhook/test/props/prop_exhook_hooks.erl b/apps/emqx_exhook/test/props/prop_exhook_hooks.erl index f276333dc..12f54eef6 100644 --- a/apps/emqx_exhook/test/props/prop_exhook_hooks.erl +++ b/apps/emqx_exhook/test/props/prop_exhook_hooks.erl 
@@ -109,14 +109,14 @@ prop_client_authenticate() -> true end). -prop_client_check_authz() -> +prop_client_authorize() -> ?ALL({ClientInfo0, PubSub, Topic, Result}, {clientinfo(), oneof([publish, subscribe]), topic(), oneof([allow, deny])}, begin ClientInfo = inject_magic_into(username, ClientInfo0), OutResult = emqx_hooks:run_fold( - 'client.check_authz', + 'client.authorize', [ClientInfo, PubSub, Topic], Result), ExpectedOutResult = case maps:get(username, ClientInfo) of @@ -127,7 +127,7 @@ prop_client_check_authz() -> end, ?assertEqual(ExpectedOutResult, OutResult), - {'on_client_check_authz', Resp} = emqx_exhook_demo_svr:take(), + {'on_client_authorize', Resp} = emqx_exhook_demo_svr:take(), Expected = #{result => aclresult_to_bool(Result), type => pubsub_to_enum(PubSub), diff --git a/apps/emqx_exproto/src/emqx_exproto_channel.erl b/apps/emqx_exproto/src/emqx_exproto_channel.erl index c76617047..d45f445ab 100644 --- a/apps/emqx_exproto/src/emqx_exproto_channel.erl +++ b/apps/emqx_exproto/src/emqx_exproto_channel.erl @@ -305,7 +305,7 @@ handle_call({subscribe, TopicFilter, Qos}, conn_state = connected, clientinfo = ClientInfo}) -> case is_acl_enabled(ClientInfo) andalso - emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of + emqx_access_control:authorize(ClientInfo, subscribe, TopicFilter) of deny -> {reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel}; _ -> @@ -325,7 +325,7 @@ handle_call({publish, Topic, Qos, Payload}, = #{clientid := From, mountpoint := Mountpoint}}) -> case is_acl_enabled(ClientInfo) andalso - emqx_access_control:check_authz(ClientInfo, publish, Topic) of + emqx_access_control:authorize(ClientInfo, publish, Topic) of deny -> {reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel}; _ -> diff --git a/apps/emqx_exproto/test/emqx_exproto_SUITE.erl b/apps/emqx_exproto/test/emqx_exproto_SUITE.erl index fe6fbbb08..e38347e5e 100644 --- a/apps/emqx_exproto/test/emqx_exproto_SUITE.erl 
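Review bot: In both emqx_exproto_channel.erl hunks the renamed `emqx_access_control:authorize(ClientInfo, subscribe, TopicFilter)` / `authorize(ClientInfo, publish, Topic)` call is still consumed by `deny -> ...; _ -> ...`, so every value other than the atom `deny` — `false` from `is_acl_enabled/1`, `allow`, or anything unexpected such as a mocked or future return value — grants the subscribe or publish. That is fail-open by construction for an authorization decision; matching the permitted outcomes explicitly keeps an unexpected value on the deny side. I would replace the catch-all with `false -> <proceed>; allow -> <proceed>; deny -> {reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel}` in both clauses, or at minimum add `%% only allow/false may proceed; anything else must be treated as deny` above each case. Both enclosing `handle_call/3` clauses continue outside their hunks.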
+++ b/apps/emqx_exproto/test/emqx_exproto_SUITE.erl @@ -167,7 +167,7 @@ t_acl_deny(Cfg) -> Password = <<"123456">>, ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]), - ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end), + ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> deny end), ConnBin = frame_connect(Client, Password), ConnAckBin = frame_connack(0), diff --git a/apps/emqx_prometheus/src/emqx_prometheus.erl b/apps/emqx_prometheus/src/emqx_prometheus.erl index 94f5baa4f..29acc72f6 100644 --- a/apps/emqx_prometheus/src/emqx_prometheus.erl +++ b/apps/emqx_prometheus/src/emqx_prometheus.erl @@ -414,8 +414,8 @@ emqx_collect(emqx_client_authenticate, Stats) -> counter_metric(?C('client.authenticate', Stats)); emqx_collect(emqx_client_auth_anonymous, Stats) -> counter_metric(?C('client.auth.anonymous', Stats)); -emqx_collect(emqx_client_check_authz, Stats) -> - counter_metric(?C('client.check_authz', Stats)); +emqx_collect(emqx_client_authorize, Stats) -> + counter_metric(?C('client.authorize', Stats)); emqx_collect(emqx_client_subscribe, Stats) -> counter_metric(?C('client.subscribe', Stats)); emqx_collect(emqx_client_unsubscribe, Stats) -> @@ -567,7 +567,7 @@ emqx_metrics_client() -> [ emqx_client_connected , emqx_client_authenticate , emqx_client_auth_anonymous - , emqx_client_check_authz + , emqx_client_authorize , emqx_client_subscribe , emqx_client_unsubscribe , emqx_client_disconnected
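Review bot: Any dashboard or alert rule watching the `emqx_client_check_authz` series silently goes dark after the `@@ -414` hunk, because the collector clause `emqx_collect(emqx_client_authorize, Stats)` together with the `emqx_metrics_client/0` entry at `@@ -567` appears to rename the exported Prometheus metric rather than add to it, and the old name simply stops being scraped. The diff neither keeps the old name as an alias nor records the rename anywhere a release note would pick it up. I would add `%% Renamed from emqx_client_check_authz; the old series is no longer exported` on the new collector clause and note the rename (and the underlying `'client.authorize'` counter rename) in the changelog so monitoring of authorization activity is not lost without notice.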