yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: rename attr to client_attr 

client_attr is unique enough for all contexts
so the name can be unified from external responses
to internal template rendering, and rule-engine template rendering
This commit is contained in:
zmstone 2024-03-19 21:03:44 +01:00
parent cc4805b1ac
commit e5816f5a13
6 changed files with 37 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
apps/emqx/src/emqx_channel.erl
View File

@ -260,7 +260,7 @@ init(
is_bridge => false,
is_superuser => false,
enable_authn => maps:get(enable_authn, Opts, true),
attrs => #{}
client_attrs => #{}
},
Zone
),
@ -1730,15 +1730,16 @@ do_authenticate(Credential, #channel{clientinfo = ClientInfo} = Channel) ->
%% Authentication result may include:
%% 1. `is_superuser': The superuser flag from various backends
%% 2. `acl': ACL rules from JWT, HTTP auth backend
%% 3. `attrs': Extra client attributes from JWT, HTTP auth backend
%% 3. `client_attrs': Extra client attributes from JWT, HTTP auth backend
%% 4. Maybe more non-standard fileds used by hook callbacks
merge_auth_result(ClientInfo, AuthResult0) when is_map(ClientInfo) andalso is_map(AuthResult0) ->
IsSuperuser = maps:get(is_superuser, AuthResult, false),
AuthResult = maps:without([attrs], AuthResult0),
Attrs0 = maps:get(attrs, ClientInfo, #{}),
Attrs1 = maps:get(attrs, AuthResult0, #{}),
IsSuperuser = maps:get(is_superuser, AuthResult0, false),
AuthResult = maps:without([client_attrs], AuthResult0),
Attrs0 = maps:get(client_attrs, ClientInfo, #{}),
Attrs1 = maps:get(client_attrs, AuthResult0, #{}),
Attrs = maps:merge(Attrs0, Attrs1),
maps:merge(
ClientInfo#{attrs => Attrs},
ClientInfo#{client_attrs => Attrs},
AuthResult#{is_superuser => IsSuperuser}
).

2
apps/emqx/src/emqx_types.erl
View File

@ -191,7 +191,7 @@
cn => binary(),
dn => binary(),
%% extra attributes
attrs => client_attrs(),
client_attrs => client_attrs(),
atom() => term()
}.
-type client_attrs() :: #{binary() => binary()}.

6
apps/emqx_auth/src/emqx_authn/emqx_authn_utils.erl
View File

@ -32,6 +32,7 @@
render_urlencoded_str/2,
render_sql_params/2,
is_superuser/1,
client_attrs/1,
bin/1,
ensure_apps_started/1,
cleanup_resources/0,
@ -204,6 +205,11 @@ is_superuser(#{<<"is_superuser">> := Value}) ->
is_superuser(#{}) ->
#{is_superuser => false}.
client_attrs(#{<<"client_attrs">> := Attrs}) ->
#{client_attrs => Attrs};
client_attrs(_) ->
#{client_attrs => #{}}.
ensure_apps_started(bcrypt) ->
{ok, _} = application:ensure_all_started(bcrypt),
ok;

2
apps/emqx_auth_http/src/emqx_authn_http.erl
View File

@ -198,7 +198,7 @@ handle_response(Headers, Body) ->
case maps:get(<<"result">>, NBody, <<"ignore">>) of
<<"allow">> ->
IsSuperuser = emqx_authn_utils:is_superuser(NBody),
Attrs = maps:get(<<"attrs">>, NBody, #{}),
Attrs = emqx_authn_utils:client_attrs(NBody),
Result = maps:merge(IsSuperuser, Attrs),
{ok, Result};
<<"deny">> ->

12
apps/emqx_auth_http/test/emqx_authn_http_SUITE.erl
View File

@ -533,7 +533,7 @@ samples() ->
{ok, Req, State}
end,
config_params => #{},
result => {ok, #{is_superuser => false, attrs => #{}}}
result => {ok, #{is_superuser => false, client_attrs => #{}}}
},
%% get request with json body response
@ -548,7 +548,7 @@ samples() ->
{ok, Req, State}
end,
config_params => #{},
result => {ok, #{is_superuser => true, attrs => #{}}}
result => {ok, #{is_superuser => true, client_attrs => #{}}}
},
%% get request with url-form-encoded body response
@ -566,7 +566,7 @@ samples() ->
{ok, Req, State}
end,
config_params => #{},
result => {ok, #{is_superuser => true, attrs => #{}}}
result => {ok, #{is_superuser => true, client_attrs => #{}}}
},
%% get request with response of unknown encoding
@ -608,7 +608,7 @@ samples() ->
<<"method">> => <<"post">>,
<<"headers">> => #{<<"content-type">> => <<"application/json">>}
},
result => {ok, #{is_superuser => false, attrs => #{}}}
result => {ok, #{is_superuser => false, client_attrs => #{}}}
},
%% simple post request, application/x-www-form-urlencoded
@ -634,7 +634,7 @@ samples() ->
<<"application/x-www-form-urlencoded">>
}
},
result => {ok, #{is_superuser => false, attrs => #{}}}
result => {ok, #{is_superuser => false, client_attrs => #{}}}
},
%% simple post request for placeholders, application/json
@ -669,7 +669,7 @@ samples() ->
<<"cert_common_name">> => ?PH_CERT_CN_NAME
}
},
result => {ok, #{is_superuser => false, attrs => #{}}}
result => {ok, #{is_superuser => false, client_attrs => #{}}}
},
%% custom headers

31
apps/emqx_auth_jwt/src/emqx_authn_jwt.erl
View File

@ -219,10 +219,11 @@ verify(undefined, _, _, _) ->
verify(JWT, JWKs, VerifyClaims, AclClaimName) ->
case do_verify(JWT, JWKs, VerifyClaims) of
{ok, Extra} ->
IsSuperuser = emqx_authn_utils:is_superuser(Extra),
Attrs = emqx_authn_utils:client_attrs(Extra),
try
ACL = acl(Extra, AclClaimName),
Attrs = maps:get(<<"attrs">>, Extra, #{}),
Result = maps:merge(Attrs, ACL),
Result = maps:merge(IsSuperuser, maps:merge(ACL, Attrs)),
{ok, Result}
catch
throw:{bad_acl_rule, Reason} ->
@ -245,20 +246,18 @@ verify(JWT, JWKs, VerifyClaims, AclClaimName) ->
end.
acl(Claims, AclClaimName) ->
Acl =
case Claims of
#{AclClaimName := Rules} ->
#{
acl => #{
rules => parse_rules(Rules),
source_for_logging => jwt,
expire => maps:get(<<"exp">>, Claims, undefined)
}
};
_ ->
#{}
end,
maps:merge(emqx_authn_utils:is_superuser(Claims), Acl).
case Claims of
#{AclClaimName := Rules} ->
#{
acl => #{
rules => parse_rules(Rules),
source_for_logging => jwt,
expire => maps:get(<<"exp">>, Claims, undefined)
}
};
_ ->
#{}
end.
do_verify(_JWT, [], _VerifyClaims) ->
{error, invalid_signature};