yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: rename check_authz to authorize

This commit is contained in:
zhanghongtong 2021-06-28 18:40:04 +08:00 committed by Rory Z
parent c63bdc355a
commit e1b0f44a8a
27 changed files with 125 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
apps/emqx/src/emqx_access_control.erl
View File

@ -20,7 +20,7 @@
-export([authenticate/1]).
-export([ check_authz/3
-export([ authorize/3
]).
-type(result() :: #{auth_result := emqx_types:auth_result(),
@ -42,25 +42,25 @@ authenticate(ClientInfo = #{zone := Zone}) ->
end.
%% @doc Check ACL
-spec(check_authz(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
-spec(authorize(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
-> allow | deny).
check_authz(ClientInfo, PubSub, Topic) ->
authorize(ClientInfo, PubSub, Topic) ->
case emqx_acl_cache:is_enabled() of
true -> check_authz_cache(ClientInfo, PubSub, Topic);
false -> do_check_authz(ClientInfo, PubSub, Topic)
true -> authorize_cache(ClientInfo, PubSub, Topic);
false -> do_authorize(ClientInfo, PubSub, Topic)
end.
check_authz_cache(ClientInfo, PubSub, Topic) ->
authorize_cache(ClientInfo, PubSub, Topic) ->
case emqx_acl_cache:get_acl_cache(PubSub, Topic) of
not_found ->
AclResult = do_check_authz(ClientInfo, PubSub, Topic),
AclResult = do_authorize(ClientInfo, PubSub, Topic),
emqx_acl_cache:put_acl_cache(PubSub, Topic, AclResult),
AclResult;
AclResult -> AclResult
end.
do_check_authz(ClientInfo, PubSub, Topic) ->
case run_hooks('client.check_authz', [ClientInfo, PubSub, Topic], allow) of
do_authorize(ClientInfo, PubSub, Topic) ->
case run_hooks('client.authorize', [ClientInfo, PubSub, Topic], allow) of
allow -> allow;
_Other -> deny
end.

4
apps/emqx/src/emqx_channel.erl
View File

@ -1406,7 +1406,7 @@ check_pub_alias(_Packet, _Channel) -> ok.
check_pub_acl(#mqtt_packet{variable = #mqtt_packet_publish{topic_name = Topic}},
#channel{clientinfo = ClientInfo}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_authz(ClientInfo, publish, Topic) of
emqx_access_control:authorize(ClientInfo, publish, Topic) of
false -> ok;
allow -> ok;
deny -> {error, ?RC_NOT_AUTHORIZED}
@ -1440,7 +1440,7 @@ check_sub_acls([], _Channel, Acc) ->
check_sub_acl(TopicFilter, #channel{clientinfo = ClientInfo}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of
emqx_access_control:authorize(ClientInfo, subscribe, TopicFilter) of
false -> allow;
Result -> Result
end.

4
apps/emqx/src/emqx_metrics.erl
View File

@ -172,7 +172,7 @@
{counter, 'client.connected'},
{counter, 'client.authenticate'},
{counter, 'client.auth.anonymous'},
{counter, 'client.check_authz'},
{counter, 'client.authorize'},
{counter, 'client.subscribe'},
{counter, 'client.unsubscribe'},
{counter, 'client.disconnected'}
@ -563,7 +563,7 @@ reserved_idx('client.connected') -> 202;
reserved_idx('client.authenticate') -> 203;
reserved_idx('client.enhanced_authenticate') -> 204;
reserved_idx('client.auth.anonymous') -> 205;
reserved_idx('client.check_authz') -> 206;
reserved_idx('client.authorize') -> 206;
reserved_idx('client.subscribe') -> 207;
reserved_idx('client.unsubscribe') -> 208;
reserved_idx('client.disconnected') -> 209;

4
apps/emqx/test/emqx_access_control_SUITE.erl
View File

@ -38,9 +38,9 @@ t_authenticate(_) ->
emqx_zone:set_env(zone, allow_anonymous, true),
?assertMatch({ok, _}, emqx_access_control:authenticate(clientinfo())).
t_check_authz(_) ->
t_authorize(_) ->
Publish = ?PUBLISH_PACKET(?QOS_0, <<"t">>, 1, <<"payload">>),
?assertEqual(allow, emqx_access_control:check_authz(clientinfo(), Publish, <<"t">>)).
?assertEqual(allow, emqx_access_control:authorize(clientinfo(), Publish, <<"t">>)).
t_bypass_auth_plugins(_) ->
ClientInfo = clientinfo(),

4
apps/emqx/test/emqx_acl_test_mod.erl
View File

@ -18,14 +18,14 @@
%% ACL callbacks
-export([ init/1
, check_authz/2
, authorize/2
, description/0
]).
init(AclOpts) ->
{ok, AclOpts}.
check_authz({_User, _PubSub, _Topic}, _State) ->
authorize({_User, _PubSub, _Topic}, _State) ->
allow.
description() ->

2
apps/emqx/test/emqx_channel_SUITE.erl
View File

@ -37,7 +37,7 @@ init_per_suite(Config) ->
ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_access_control, authenticate,
fun(_) -> {ok, #{auth_result => success}} end),
ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end),
ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> allow end),
%% Broker Meck
ok = meck:new(emqx_broker, [passthrough, no_history, no_link]),
%% Hooks Meck

2
apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl
View File

@ -198,7 +198,7 @@ t_batch_subscribe(_) ->
{ok, Client} = emqtt:start_link([{proto_ver, v5}, {clientid, <<"batch_test">>}]),
{ok, _} = emqtt:connect(Client),
ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history, no_link]),
meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end),
meck:expect(emqx_access_control, authorize, fun(_, _, _) -> deny end),
{ok, _, [?RC_NOT_AUTHORIZED,
?RC_NOT_AUTHORIZED,
?RC_NOT_AUTHORIZED]} = emqtt:subscribe(Client, [{<<"t1">>, qos1},

2
apps/emqx/test/emqx_ws_connection_SUITE.erl
View File

@ -64,7 +64,7 @@ init_per_testcase(TestCase, Config) when
end),
%% Mock emqx_access_control
ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end),
ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> allow end),
%% Mock emqx_hooks
ok = meck:new(emqx_hooks, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_hooks, run, fun(_Hook, _Args) -> ok end),

32
apps/emqx_authz/src/emqx_authz.erl
View File

@ -26,7 +26,7 @@
, compile/1
, lookup/0
, update/1
, check_authz/5
, authorize/5
, match/4
]).
@ -41,7 +41,7 @@ init() ->
#{<<"authz">> := #{<<"rules">> := Rules}} = hocon_schema:check_plain(emqx_authz_schema, RawConf),
ok = application:set_env(?APP, rules, Rules),
NRules = [compile(Rule) || Rule <- Rules],
ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]}, -1).
ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]}, -1).
lookup() ->
application:get_env(?APP, rules, []).
@ -50,8 +50,8 @@ update(Rules) ->
ok = application:set_env(?APP, rules, Rules),
NRules = [compile(Rule) || Rule <- Rules],
Action = find_action_in_hooks(),
ok = emqx_hooks:del('client.check_authz', Action),
ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]}, -1),
ok = emqx_hooks:del('client.authorize', Action),
ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]}, -1),
ok = emqx_acl_cache:empty_acl_cache().
%%--------------------------------------------------------------------
@ -59,8 +59,8 @@ update(Rules) ->
%%--------------------------------------------------------------------
find_action_in_hooks() ->
Callbacks = emqx_hooks:lookup('client.check_authz'),
[Action] = [Action || {callback,{?MODULE, check_authz, _} = Action, _, _} <- Callbacks ],
Callbacks = emqx_hooks:lookup('client.authorize'),
[Action] = [Action || {callback,{?MODULE, authorize, _} = Action, _, _} <- Callbacks ],
Action.
create_resource(#{<<"type">> := DB,
@ -149,12 +149,12 @@ b2l(B) when is_binary(B) -> binary_to_list(B).
%%--------------------------------------------------------------------
%% @doc Check ACL
-spec(check_authz(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules())
-spec(authorize(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules())
-> {stop, allow} | {ok, deny}).
check_authz(#{username := Username,
authorize(#{username := Username,
peerhost := IpAddress
} = Client, PubSub, Topic, _DefaultResult, Rules) ->
case do_check_authz(Client, PubSub, Topic, Rules) of
case do_authorize(Client, PubSub, Topic, Rules) of
{matched, allow} ->
?LOG(info, "Client succeeded authorization: Username: ~p, IP: ~p, Topic: ~p, Permission: allow", [Username, IpAddress, Topic]),
emqx_metrics:inc(?ACL_METRICS(allow)),
@ -168,25 +168,25 @@ check_authz(#{username := Username,
{stop, deny}
end.
do_check_authz(Client, PubSub, Topic,
do_authorize(Client, PubSub, Topic,
[Connector = #{<<"principal">> := Principal,
<<"type">> := DB} | Tail] ) ->
case match_principal(Client, Principal) of
true ->
Mod = list_to_existing_atom(io_lib:format("~s_~s",[emqx_authz, DB])),
case Mod:check_authz(Client, PubSub, Topic, Connector) of
nomatch -> do_check_authz(Client, PubSub, Topic, Tail);
case Mod:authorize(Client, PubSub, Topic, Connector) of
nomatch -> do_authorize(Client, PubSub, Topic, Tail);
Matched -> Matched
end;
false -> do_check_authz(Client, PubSub, Topic, Tail)
false -> do_authorize(Client, PubSub, Topic, Tail)
end;
do_check_authz(Client, PubSub, Topic,
do_authorize(Client, PubSub, Topic,
[#{<<"permission">> := Permission} = Rule | Tail]) ->
case match(Client, PubSub, Topic, Rule) of
true -> {matched, Permission};
false -> do_check_authz(Client, PubSub, Topic, Tail)
false -> do_authorize(Client, PubSub, Topic, Tail)
end;
do_check_authz(_Client, _PubSub, _Topic, []) -> nomatch.
do_authorize(_Client, _PubSub, _Topic, []) -> nomatch.
match(Client, PubSub, Topic,
#{<<"principal">> := Principal,

12
apps/emqx_authz/src/emqx_authz_mysql.erl
View File

@ -23,7 +23,7 @@
%% ACL Callbacks
-export([ description/0
, parse_query/1
, check_authz/4
, authorize/4
]).
-ifdef(TEST).
@ -45,25 +45,25 @@ parse_query(Sql) ->
{Sql, []}
end.
check_authz(Client, PubSub, Topic,
authorize(Client, PubSub, Topic,
#{<<"resource_id">> := ResourceID,
<<"sql">> := {SQL, Params}
}) ->
case emqx_resource:query(ResourceID, {sql, SQL, replvar(Params, Client)}) of
{ok, _Columns, []} -> nomatch;
{ok, Columns, Rows} ->
do_check_authz(Client, PubSub, Topic, Columns, Rows);
do_authorize(Client, PubSub, Topic, Columns, Rows);
{error, Reason} ->
?LOG(error, "[AuthZ] Query mysql error: ~p~n", [Reason]),
nomatch
end.
do_check_authz(_Client, _PubSub, _Topic, _Columns, []) ->
do_authorize(_Client, _PubSub, _Topic, _Columns, []) ->
nomatch;
do_check_authz(Client, PubSub, Topic, Columns, [Row | Tail]) ->
do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) ->
case match(Client, PubSub, Topic, format_result(Columns, Row)) of
{matched, Permission} -> {matched, Permission};
nomatch -> do_check_authz(Client, PubSub, Topic, Columns, Tail)
nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail)
end.
format_result(Columns, Row) ->

12
apps/emqx_authz/src/emqx_authz_pgsql.erl
View File

@ -23,7 +23,7 @@
%% ACL Callbacks
-export([ description/0
, parse_query/1
, check_authz/4
, authorize/4
]).
-ifdef(TEST).
@ -49,25 +49,25 @@ parse_query(Sql) ->
{Sql, []}
end.
check_authz(Client, PubSub, Topic,
authorize(Client, PubSub, Topic,
#{<<"resource_id">> := ResourceID,
<<"sql">> := {SQL, Params}
}) ->
case emqx_resource:query(ResourceID, {sql, SQL, replvar(Params, Client)}) of
{ok, _Columns, []} -> nomatch;
{ok, Columns, Rows} ->
do_check_authz(Client, PubSub, Topic, Columns, Rows);
do_authorize(Client, PubSub, Topic, Columns, Rows);
{error, Reason} ->
?LOG(error, "[AuthZ] Query pgsql error: ~p~n", [Reason]),
nomatch
end.
do_check_authz(_Client, _PubSub, _Topic, _Columns, []) ->
do_authorize(_Client, _PubSub, _Topic, _Columns, []) ->
nomatch;
do_check_authz(Client, PubSub, Topic, Columns, [Row | Tail]) ->
do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) ->
case match(Client, PubSub, Topic, format_result(Columns, Row)) of
{matched, Permission} -> {matched, Permission};
nomatch -> do_check_authz(Client, PubSub, Topic, Columns, Tail)
nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail)
end.
format_result(Columns, Row) ->

12
apps/emqx_authz/src/emqx_authz_redis.erl
View File

@ -21,7 +21,7 @@
-include_lib("emqx/include/logger.hrl").
%% ACL Callbacks
-export([ check_authz/4
-export([ authorize/4
, description/0
]).
@ -33,7 +33,7 @@
description() ->
"AuthZ with redis".
check_authz(Client, PubSub, Topic,
authorize(Client, PubSub, Topic,
#{<<"resource_id">> := ResourceID,
<<"cmd">> := CMD
}) ->
@ -41,22 +41,22 @@ check_authz(Client, PubSub, Topic,
case emqx_resource:query(ResourceID, {cmd, NCMD}) of
{ok, []} -> nomatch;
{ok, Rows} ->
do_check_authz(Client, PubSub, Topic, Rows);
do_authorize(Client, PubSub, Topic, Rows);
{error, Reason} ->
?LOG(error, "[AuthZ] Query redis error: ~p", [Reason]),
nomatch
end.
do_check_authz(_Client, _PubSub, _Topic, []) ->
do_authorize(_Client, _PubSub, _Topic, []) ->
nomatch;
do_check_authz(Client, PubSub, Topic, [TopicFilter, Action | Tail]) ->
do_authorize(Client, PubSub, Topic, [TopicFilter, Action | Tail]) ->
case match(Client, PubSub, Topic,
#{topics => TopicFilter,
action => Action
})
of
{matched, Permission} -> {matched, Permission};
nomatch -> do_check_authz(Client, PubSub, Topic, Tail)
nomatch -> do_authorize(Client, PubSub, Topic, Tail)
end.
match(Client, PubSub, Topic,

20
apps/emqx_authz/test/emqx_authz_SUITE.erl
View File

@ -145,23 +145,23 @@ t_authz(_) ->
Rules4 = [emqx_authz:compile(Rule) || Rule <- [?RULE4, ?RULE1]],
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo1, subscribe, <<"#">>, deny, [])),
emqx_authz:authorize(ClientInfo1, subscribe, <<"#">>, deny, [])),
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo1, subscribe, <<"+">>, deny, Rules1)),
emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules1)),
?assertEqual({stop, allow},
emqx_authz:check_authz(ClientInfo1, subscribe, <<"+">>, deny, Rules2)),
emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules2)),
?assertEqual({stop, allow},
emqx_authz:check_authz(ClientInfo1, publish, <<"test">>, deny, Rules3)),
emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules3)),
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo1, publish, <<"test">>, deny, Rules4)),
emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules4)),
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo2, subscribe, <<"#">>, deny, Rules2)),
emqx_authz:authorize(ClientInfo2, subscribe, <<"#">>, deny, Rules2)),
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo3, publish, <<"test">>, deny, Rules3)),
emqx_authz:authorize(ClientInfo3, publish, <<"test">>, deny, Rules3)),
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo3, publish, <<"fake">>, deny, Rules4)),
emqx_authz:authorize(ClientInfo3, publish, <<"fake">>, deny, Rules4)),
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo4, publish, <<"test">>, deny, Rules3)),
emqx_authz:authorize(ClientInfo4, publish, <<"test">>, deny, Rules3)),
?assertEqual({stop, deny},
emqx_authz:check_authz(ClientInfo4, publish, <<"fake">>, deny, Rules4)),
emqx_authz:authorize(ClientInfo4, publish, <<"fake">>, deny, Rules4)),
ok.

24
apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl
View File

@ -95,23 +95,23 @@ t_authz(_) ->
},
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"#">>)), % nomatch
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(allow, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, publish, <<"test">>)), % nomatch
?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, publish, <<"test">>)), % nomatch
ok.

24
apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl
View File

@ -95,23 +95,23 @@ t_authz(_) ->
},
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), % nomatch
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"#">>)), % nomatch
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"+">>)),
?assertEqual(allow, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, subscribe, <<"+">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:check_authz(ClientInfo3, publish, <<"test">>)), % nomatch
?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_clientid">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_username">>)),
?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, publish, <<"test/test_username">>)),
?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, subscribe, <<"test">>)), % nomatch
?assertEqual(deny, emqx_access_control:authorize(ClientInfo3, publish, <<"test">>)), % nomatch
ok.

16
apps/emqx_authz/test/emqx_authz_redis_SUITE.erl
View File

@ -84,30 +84,30 @@ t_authz(_) ->
meck:expect(emqx_resource, query, fun(_, _) -> {ok, []} end),
% nomatch
?assertEqual(deny,
emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)),
emqx_access_control:authorize(ClientInfo, subscribe, <<"#">>)),
?assertEqual(deny,
emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"#">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE1 ++ ?RULE2} end),
% nomatch
?assertEqual(deny,
emqx_access_control:check_authz(ClientInfo, subscribe, <<"+">>)),
emqx_access_control:authorize(ClientInfo, subscribe, <<"+">>)),
% nomatch
?assertEqual(deny,
emqx_access_control:check_authz(ClientInfo, subscribe, <<"test/username">>)),
emqx_access_control:authorize(ClientInfo, subscribe, <<"test/username">>)),
?assertEqual(allow,
emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"test/clientid">>)),
?assertEqual(allow,
emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"test/clientid">>)),
meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE3} end),
?assertEqual(allow,
emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)),
emqx_access_control:authorize(ClientInfo, subscribe, <<"#">>)),
% nomatch
?assertEqual(deny,
emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)),
emqx_access_control:authorize(ClientInfo, publish, <<"#">>)),
ok.

4
apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl
View File

@ -222,7 +222,7 @@ code_change(_OldVsn, State, _Extra) ->
chann_subscribe(Topic, State = #state{clientid = ClientId}) ->
?LOG(debug, "subscribe Topic=~p", [Topic]),
case emqx_access_control:check_authz(clientinfo(State), subscribe, Topic) of
case emqx_access_control:authorize(clientinfo(State), subscribe, Topic) of
allow ->
emqx_broker:subscribe(Topic, ClientId, ?SUBOPTS),
emqx_hooks:run('session.subscribed', [clientinfo(State), Topic, ?SUBOPTS]),
@ -241,7 +241,7 @@ chann_unsubscribe(Topic, State) ->
chann_publish(Topic, Payload, State = #state{clientid = ClientId}) ->
?LOG(debug, "publish Topic=~p, Payload=~p", [Topic, Payload]),
case emqx_access_control:check_authz(clientinfo(State), publish, Topic) of
case emqx_access_control:authorize(clientinfo(State), publish, Topic) of
allow ->
_ = emqx_broker:publish(
emqx_message:set_flag(retain, false,

6
apps/emqx_coap/test/emqx_coap_SUITE.erl
View File

@ -77,7 +77,7 @@ t_publish_acl_deny(_Config) ->
emqx:subscribe(Topic),
ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]),
ok = meck:expect(emqx_access_control, check_authz, 3, deny),
ok = meck:expect(emqx_access_control, authorize, 3, deny),
Reply = er_coap_client:request(put, URI, #coap_content{format = <<"application/octet-stream">>, payload = Payload}),
?assertEqual({error,forbidden}, Reply),
ok = meck:unload(emqx_access_control),
@ -114,7 +114,7 @@ t_observe_acl_deny(_Config) ->
Topic = <<"abc">>, TopicStr = binary_to_list(Topic),
Uri = "coap://127.0.0.1/mqtt/"++TopicStr++"?c=client1&u=tom&p=secret",
ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]),
ok = meck:expect(emqx_access_control, check_authz, 3, deny),
ok = meck:expect(emqx_access_control, authorize, 3, deny),
?assertEqual({error,forbidden}, er_coap_observer:observe(Uri)),
[] = emqx:subscribers(Topic),
ok = meck:unload(emqx_access_control).
@ -289,7 +289,7 @@ t_acl(Config) ->
ok
end,
ok = emqx_hooks:del('client.check_authz', {emqx_authz, check_authz}),
ok = emqx_hooks:del('client.authorize', {emqx_authz, authorize}),
file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
application:set_env(emqx, plugins_etc_dir, OldPath),
application:stop(emqx_authz).

2
apps/emqx_exhook/include/emqx_exhook.hrl
View File

@ -25,7 +25,7 @@
, {'client.connected', {emqx_exhook_handler, on_client_connected, []}}
, {'client.disconnected', {emqx_exhook_handler, on_client_disconnected, []}}
, {'client.authenticate', {emqx_exhook_handler, on_client_authenticate, []}}
, {'client.check_authz', {emqx_exhook_handler, on_client_check_authz, []}}
, {'client.authorize', {emqx_exhook_handler, on_client_authorize, []}}
, {'client.subscribe', {emqx_exhook_handler, on_client_subscribe, []}}
, {'client.unsubscribe', {emqx_exhook_handler, on_client_unsubscribe, []}}
, {'session.created', {emqx_exhook_handler, on_session_created, []}}

8
apps/emqx_exhook/priv/protos/exhook.proto
View File

@ -40,7 +40,7 @@ service HookProvider {
rpc OnClientAuthenticate(ClientAuthenticateRequest) returns (ValuedResponse) {};
rpc OnClientCheckAuthz(ClientCheckAuthzRequest) returns (ValuedResponse) {};
rpc OnClientAuthorize(ClientAuthorizeRequest) returns (ValuedResponse) {};
rpc OnClientSubscribe(ClientSubscribeRequest) returns (EmptySuccess) {};
@ -123,7 +123,7 @@ message ClientAuthenticateRequest {
bool result = 2;
}
message ClientCheckAuthzRequest {
message ClientAuthorizeRequest {
ClientInfo clientinfo = 1;
@ -253,7 +253,7 @@ message ValuedResponse {
oneof value {
// Boolean result, used on the 'client.authenticate', 'client.check_authz' hooks
// Boolean result, used on the 'client.authenticate', 'client.authorize' hooks
bool bool_result = 3;
// Message result, used on the 'message.*' hooks
@ -279,7 +279,7 @@ message HookSpec {
// Available value:
// "client.connect", "client.connack"
// "client.connected", "client.disconnected"
// "client.authenticate", "client.check_authz"
// "client.authenticate", "client.authorize"
// "client.subscribe", "client.unsubscribe"
//
// "session.created", "session.subscribed"

6
apps/emqx_exhook/src/emqx_exhook_handler.erl
View File

@ -27,7 +27,7 @@
, on_client_connected/2
, on_client_disconnected/3
, on_client_authenticate/2
, on_client_check_authz/4
, on_client_authorize/4
, on_client_subscribe/3
, on_client_unsubscribe/3
]).
@ -109,7 +109,7 @@ on_client_authenticate(ClientInfo, AuthResult) ->
{ok, AuthResult}
end.
on_client_check_authz(ClientInfo, PubSub, Topic, Result) ->
on_client_authorize(ClientInfo, PubSub, Topic, Result) ->
Bool = Result == allow,
Type = case PubSub of
publish -> 'PUBLISH';
@ -120,7 +120,7 @@ on_client_check_authz(ClientInfo, PubSub, Topic, Result) ->
topic => Topic,
result => Bool
},
case call_fold('client.check_authz', Req,
case call_fold('client.authorize', Req,
fun merge_responsed_bool/2) of
{StopOrOk, #{result := Result0}} when is_boolean(Result0) ->
NResult = case Result0 of true -> allow; _ -> deny end,

6
apps/emqx_exhook/src/emqx_exhook_server.erl
View File

@ -58,7 +58,7 @@
| 'client.connected'
| 'client.disconnected'
| 'client.authenticate'
| 'client.check_authz'
| 'client.authorize'
| 'client.subscribe'
| 'client.unsubscribe'
| 'session.created'
@ -297,7 +297,7 @@ hk2func('client.connack') -> 'on_client_connack';
hk2func('client.connected') -> 'on_client_connected';
hk2func('client.disconnected') -> 'on_client_disconnected';
hk2func('client.authenticate') -> 'on_client_authenticate';
hk2func('client.check_authz') -> 'on_client_check_authz';
hk2func('client.authorize') -> 'on_client_authorize';
hk2func('client.subscribe') -> 'on_client_subscribe';
hk2func('client.unsubscribe') -> 'on_client_unsubscribe';
hk2func('session.created') -> 'on_session_created';
@ -320,7 +320,7 @@ message_hooks() ->
-compile({inline, [available_hooks/0]}).
available_hooks() ->
['client.connect', 'client.connack', 'client.connected',
'client.disconnected', 'client.authenticate', 'client.check_authz',
'client.disconnected', 'client.authenticate', 'client.authorize',
'client.subscribe', 'client.unsubscribe',
'session.created', 'session.subscribed', 'session.unsubscribed',
'session.resumed', 'session.discarded', 'session.takeovered',

8
apps/emqx_exhook/test/emqx_exhook_demo_svr.erl
View File

@ -33,7 +33,7 @@
, on_client_connected/2
, on_client_disconnected/2
, on_client_authenticate/2
, on_client_check_authz/2
, on_client_authorize/2
, on_client_subscribe/2
, on_client_unsubscribe/2
, on_session_created/2
@ -122,7 +122,7 @@ on_provider_loaded(Req, Md) ->
#{name => <<"client.connected">>},
#{name => <<"client.disconnected">>},
#{name => <<"client.authenticate">>},
#{name => <<"client.check_authz">>},
#{name => <<"client.authorize">>},
#{name => <<"client.subscribe">>},
#{name => <<"client.unsubscribe">>},
#{name => <<"session.created">>},
@ -197,10 +197,10 @@ on_client_authenticate(#{clientinfo := #{username := Username}} = Req, Md) ->
{ok, #{type => 'IGNORE'}, Md}
end.
-spec on_client_check_authz(emqx_exhook_pb:client_check_authz_request(), grpc:metadata())
-spec on_client_authorize(emqx_exhook_pb:client_authorize_request(), grpc:metadata())
-> {ok, emqx_exhook_pb:valued_response(), grpc:metadata()}
| {error, grpc_cowboy_h:error_response()}.
on_client_check_authz(#{clientinfo := #{username := Username}} = Req, Md) ->
on_client_authorize(#{clientinfo := #{username := Username}} = Req, Md) ->
?MODULE:in({?FUNCTION_NAME, Req}),
%io:format("fun: ~p, req: ~0p~n", [?FUNCTION_NAME, Req]),
%% some cases for testing

6
apps/emqx_exhook/test/props/prop_exhook_hooks.erl
View File

@ -109,14 +109,14 @@ prop_client_authenticate() ->
true
end).
prop_client_check_authz() ->
prop_client_authorize() ->
?ALL({ClientInfo0, PubSub, Topic, Result},
{clientinfo(), oneof([publish, subscribe]),
topic(), oneof([allow, deny])},
begin
ClientInfo = inject_magic_into(username, ClientInfo0),
OutResult = emqx_hooks:run_fold(
'client.check_authz',
'client.authorize',
[ClientInfo, PubSub, Topic],
Result),
ExpectedOutResult = case maps:get(username, ClientInfo) of
@ -127,7 +127,7 @@ prop_client_check_authz() ->
end,
?assertEqual(ExpectedOutResult, OutResult),
{'on_client_check_authz', Resp} = emqx_exhook_demo_svr:take(),
{'on_client_authorize', Resp} = emqx_exhook_demo_svr:take(),
Expected =
#{result => aclresult_to_bool(Result),
type => pubsub_to_enum(PubSub),

4
apps/emqx_exproto/src/emqx_exproto_channel.erl
View File

@ -305,7 +305,7 @@ handle_call({subscribe, TopicFilter, Qos},
conn_state = connected,
clientinfo = ClientInfo}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of
emqx_access_control:authorize(ClientInfo, subscribe, TopicFilter) of
deny ->
{reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel};
_ ->
@ -325,7 +325,7 @@ handle_call({publish, Topic, Qos, Payload},
= #{clientid := From,
mountpoint := Mountpoint}}) ->
case is_acl_enabled(ClientInfo) andalso
emqx_access_control:check_authz(ClientInfo, publish, Topic) of
emqx_access_control:authorize(ClientInfo, publish, Topic) of
deny ->
{reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel};
_ ->

2
apps/emqx_exproto/test/emqx_exproto_SUITE.erl
View File

@ -167,7 +167,7 @@ t_acl_deny(Cfg) ->
Password = <<"123456">>,
ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end),
ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> deny end),
ConnBin = frame_connect(Client, Password),
ConnAckBin = frame_connack(0),

6
apps/emqx_prometheus/src/emqx_prometheus.erl
View File

@ -414,8 +414,8 @@ emqx_collect(emqx_client_authenticate, Stats) ->
counter_metric(?C('client.authenticate', Stats));
emqx_collect(emqx_client_auth_anonymous, Stats) ->
counter_metric(?C('client.auth.anonymous', Stats));
emqx_collect(emqx_client_check_authz, Stats) ->
counter_metric(?C('client.check_authz', Stats));
emqx_collect(emqx_client_authorize, Stats) ->
counter_metric(?C('client.authorize', Stats));
emqx_collect(emqx_client_subscribe, Stats) ->
counter_metric(?C('client.subscribe', Stats));
emqx_collect(emqx_client_unsubscribe, Stats) ->
@ -567,7 +567,7 @@ emqx_metrics_client() ->
[ emqx_client_connected
, emqx_client_authenticate
, emqx_client_auth_anonymous
, emqx_client_check_authz
, emqx_client_authorize
, emqx_client_subscribe
, emqx_client_unsubscribe
, emqx_client_disconnected