yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore(emqx_authn_jwt): wrap JWKS connector into emqx_resourse

This commit is contained in:
Ilya Averyanov 2022-04-13 19:03:25 +03:00
parent 6fc471e527
commit e5f04f3bf7
5 changed files with 411 additions and 230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

197
apps/emqx_authn/src/simple_authn/emqx_authn_jwks_client.erl Normal file
View File

@ -0,0 +1,197 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2021-2022 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_authn_jwks_client).
-behaviour(gen_server).
-include_lib("emqx/include/logger.hrl").
-include_lib("jose/include/jose_jwk.hrl").
-include_lib("snabbkaffe/include/snabbkaffe.hrl").
-export([
start_link/1,
stop/1
]).
-export([
get_jwks/1,
update/2
]).
%% gen_server callbacks
-export([
init/1,
handle_call/3,
handle_cast/2,
handle_info/2,
terminate/2,
code_change/3
]).
%%--------------------------------------------------------------------
%% APIs
%%--------------------------------------------------------------------
start_link(Opts) ->
gen_server:start_link(?MODULE, [Opts], []).
stop(Pid) ->
gen_server:stop(Pid).
get_jwks(Pid) ->
gen_server:call(Pid, get_cached_jwks, 5000).
update(Pid, Opts) ->
gen_server:call(Pid, {update, Opts}, 5000).
%%--------------------------------------------------------------------
%% gen_server callbacks
%%--------------------------------------------------------------------
init([Opts]) ->
State = handle_options(Opts),
{ok, refresh_jwks(State)}.
handle_call(get_cached_jwks, _From, #{jwks := Jwks} = State) ->
{reply, {ok, Jwks}, State};
handle_call({update, Opts}, _From, _State) ->
NewState = handle_options(Opts),
{reply, ok, refresh_jwks(NewState)};
handle_call(_Req, _From, State) ->
{reply, ok, State}.
handle_cast(_Msg, State) ->
{noreply, State}.
handle_info(refresh_jwks, State) ->
State0 = cancel_http_request(State),
State1 = refresh_jwks(State0),
?tp(debug, refresh_jwks_by_timer, #{}),
{noreply, State1};
handle_info(
{http, {RequestID, Result}},
#{request_id := RequestID, endpoint := Endpoint} = State0
) ->
?tp(debug, jwks_endpoint_response, #{request_id => RequestID}),
State1 = State0#{request_id := undefined},
NewState =
case Result of
{error, Reason} ->
?SLOG(warning, #{
msg => "failed_to_request_jwks_endpoint",
endpoint => Endpoint,
reason => Reason
}),
State1;
{StatusLine, Headers, Body} ->
try
JWKS = jose_jwk:from(emqx_json:decode(Body, [return_maps])),
{_, JWKs} = JWKS#jose_jwk.keys,
State1#{jwks := JWKs}
catch
_:_ ->
?SLOG(warning, #{
msg => "invalid_jwks_returned",
endpoint => Endpoint,
status => StatusLine,
headers => Headers,
body => Body
}),
State1
end
end,
{noreply, NewState};
handle_info({http, {_, _}}, State) ->
%% ignore
{noreply, State};
handle_info(_Info, State) ->
{noreply, State}.
terminate(_Reason, _State) ->
ok.
code_change(_OldVsn, State, _Extra) ->
{ok, State}.
%%--------------------------------------------------------------------
%% Internal functions
%%--------------------------------------------------------------------
handle_options(#{
endpoint := Endpoint,
refresh_interval := RefreshInterval0,
ssl_opts := SSLOpts
}) ->
#{
endpoint => Endpoint,
refresh_interval => limit_refresh_interval(RefreshInterval0),
ssl_opts => maps:to_list(SSLOpts),
jwks => [],
request_id => undefined
}.
refresh_jwks(
#{
endpoint := Endpoint,
ssl_opts := SSLOpts
} = State
) ->
HTTPOpts = [
{timeout, 5000},
{connect_timeout, 5000},
{ssl, SSLOpts}
],
NState =
case
httpc:request(
get,
{Endpoint, [{"Accept", "application/json"}]},
HTTPOpts,
[{body_format, binary}, {sync, false}, {receiver, self()}]
)
of
{error, Reason} ->
?tp(warning, jwks_endpoint_request_fail, #{
endpoint => Endpoint,
http_opts => HTTPOpts,
reason => Reason
}),
State;
{ok, RequestID} ->
?tp(debug, jwks_endpoint_request_ok, #{request_id => RequestID}),
State#{request_id := RequestID}
end,
ensure_expiry_timer(NState).
ensure_expiry_timer(State = #{refresh_interval := Interval}) ->
State#{refresh_timer => erlang:send_after(timer:seconds(Interval), self(), refresh_jwks)}.
limit_refresh_interval(Interval) when Interval < 10 ->
10;
limit_refresh_interval(Interval) ->
Interval.
cancel_http_request(#{request_id := undefined} = State) ->
State;
cancel_http_request(#{request_id := RequestID} = State) ->
ok = httpc:cancel_request(RequestID),
receive
{http, _} -> ok
after 0 ->
ok
end,
State#{request_id => undefined}.

219
apps/emqx_authn/src/simple_authn/emqx_authn_jwks_connector.erl
View File

@ -1,5 +1,5 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% Copyright (c) 2021-2022 EMQ Technologies Co., Ltd. All Rights Reserved. %% Copyright (c) 2022 EMQ Technologies Co., Ltd. All Rights Reserved.
%% %%
%% Licensed under the Apache License, Version 2.0 (the "License"); %% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License. %% you may not use this file except in compliance with the License.
@ -16,187 +16,72 @@
-module(emqx_authn_jwks_connector). -module(emqx_authn_jwks_connector).
-behaviour(gen_server). -behaviour(emqx_resource).
-include_lib("emqx/include/logger.hrl"). -include_lib("emqx/include/logger.hrl").
-include_lib("jose/include/jose_jwk.hrl").
-include_lib("snabbkaffe/include/snabbkaffe.hrl").
%% callbacks of behaviour emqx_resource
-export([ -export([
start_link/1, on_start/2,
stop/1 on_stop/2,
on_query/4,
on_health_check/2,
connect/1
]). ]).
-export([ -define(DEFAULT_POOL_SIZE, 8).
get_jwks/1,
update/2
]).
%% gen_server callbacks on_start(InstId, Opts) ->
-export([ PoolName = emqx_plugin_libs_pool:pool_name(InstId),
init/1, PoolOpts = [
handle_call/3, {pool_size, maps:get(pool_size, Opts, ?DEFAULT_POOL_SIZE)},
handle_cast/2, {connector_opts, Opts}
handle_info/2, ],
terminate/2, case emqx_plugin_libs_pool:start_pool(PoolName, ?MODULE, PoolOpts) of
code_change/3 ok -> {ok, #{pool_name => PoolName}};
]). {error, Reason} -> {error, Reason}
end.
%%-------------------------------------------------------------------- on_stop(_InstId, #{pool_name := PoolName}) ->
%% APIs emqx_plugin_libs_pool:stop_pool(PoolName).
%%--------------------------------------------------------------------
start_link(Opts) -> on_query(InstId, get_jwks, AfterQuery, #{pool_name := PoolName}) ->
gen_server:start_link(?MODULE, [Opts], []). Result = ecpool:pick_and_do(PoolName, {emqx_authn_jwks_client, get_jwks, []}, no_handover),
stop(Pid) ->
gen_server:stop(Pid).
get_jwks(Pid) ->
gen_server:call(Pid, get_cached_jwks, 5000).
update(Pid, Opts) ->
gen_server:call(Pid, {update, Opts}, 5000).
%%--------------------------------------------------------------------
%% gen_server callbacks
%%--------------------------------------------------------------------
init([Opts]) ->
ok = jose:json_module(jiffy),
State = handle_options(Opts),
{ok, refresh_jwks(State)}.
handle_call(get_cached_jwks, _From, #{jwks := Jwks} = State) ->
{reply, {ok, Jwks}, State};
handle_call({update, Opts}, _From, _State) ->
NewState = handle_options(Opts),
{reply, ok, refresh_jwks(NewState)};
handle_call(_Req, _From, State) ->
{reply, ok, State}.
handle_cast(_Msg, State) ->
{noreply, State}.
handle_info({refresh_jwks, _TRef, refresh}, #{request_id := RequestID} = State) ->
case RequestID of
undefined ->
ok;
_ ->
ok = httpc:cancel_request(RequestID),
receive
{http, _} -> ok
after 0 ->
ok
end
end,
{noreply, refresh_jwks(State)};
handle_info(
{http, {RequestID, Result}},
#{request_id := RequestID, endpoint := Endpoint} = State0
) ->
?tp(debug, jwks_endpoint_response, #{request_id => RequestID}),
State1 = State0#{request_id := undefined},
NewState =
case Result of case Result of
{error, Reason} -> {error, Reason} ->
?SLOG(warning, #{ ?SLOG(error, #{
msg => "failed_to_request_jwks_endpoint", msg => "emqx_authn_jwks_client_query_failed",
endpoint => Endpoint, connector => InstId,
command => get_jwks,
reason => Reason reason => Reason
}), }),
State1; emqx_resource:query_failed(AfterQuery);
{StatusLine, Headers, Body} -> _ ->
try emqx_resource:query_success(AfterQuery)
JWKS = jose_jwk:from(emqx_json:decode(Body, [return_maps])),
{_, JWKs} = JWKS#jose_jwk.keys,
State1#{jwks := JWKs}
catch
_:_ ->
?SLOG(warning, #{
msg => "invalid_jwks_returned",
endpoint => Endpoint,
status => StatusLine,
headers => Headers,
body => Body
}),
State1
end
end, end,
{noreply, NewState}; Result;
handle_info({http, {_, _}}, State) -> on_query(_InstId, {update, Opts}, AfterQuery, #{pool_name := PoolName}) ->
%% ignore lists:foreach(
{noreply, State}; fun({_, Worker}) ->
handle_info(_Info, State) -> ok = ecpool_worker:exec(Worker, {emqx_authn_jwks_client, update, [Opts]}, infinity)
{noreply, State}. end,
ecpool:workers(PoolName)
terminate(_Reason, State) -> ),
_ = cancel_timer(State), emqx_resource:query_success(AfterQuery),
ok. ok.
code_change(_OldVsn, State, _Extra) -> on_health_check(_InstId, State = #{pool_name := PoolName}) ->
{ok, State}. emqx_plugin_libs_pool:health_check(
PoolName,
%%-------------------------------------------------------------------- fun(Pid) ->
%% Internal functions case emqx_authn_jwks_client:get_jwks(Pid) of
%%-------------------------------------------------------------------- {ok, _} -> true;
_ -> false
handle_options(#{ end
endpoint := Endpoint,
refresh_interval := RefreshInterval0,
ssl_opts := SSLOpts
}) ->
#{
endpoint => Endpoint,
refresh_interval => limit_refresh_interval(RefreshInterval0),
ssl_opts => maps:to_list(SSLOpts),
jwks => [],
request_id => undefined
}.
refresh_jwks(
#{
endpoint := Endpoint,
ssl_opts := SSLOpts
} = State
) ->
HTTPOpts = [
{timeout, 5000},
{connect_timeout, 5000},
{ssl, SSLOpts}
],
NState =
case
httpc:request(
get,
{Endpoint, [{"Accept", "application/json"}]},
HTTPOpts,
[{body_format, binary}, {sync, false}, {receiver, self()}]
)
of
{error, Reason} ->
?tp(warning, jwks_endpoint_request_fail, #{
endpoint => Endpoint,
http_opts => HTTPOpts,
reason => Reason
}),
State;
{ok, RequestID} ->
?tp(debug, jwks_endpoint_request_ok, #{request_id => RequestID}),
State#{request_id := RequestID}
end, end,
ensure_expiry_timer(NState). State
).
ensure_expiry_timer(State = #{refresh_interval := Interval}) -> connect(Opts) ->
State#{refresh_timer => emqx_misc:start_timer(timer:seconds(Interval), refresh_jwks)}. ConnectorOpts = proplists:get_value(connector_opts, Opts),
emqx_authn_jwks_client:start_link(ConnectorOpts).
cancel_timer(State = #{refresh_timer := undefined}) ->
State;
cancel_timer(State = #{refresh_timer := TRef}) ->
_ = emqx_misc:cancel_timer(TRef),
State#{refresh_timer := undefined}.
limit_refresh_interval(Interval) when Interval < 10 ->
10;
limit_refresh_interval(Interval) ->
Interval.

110
apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
View File

@ -70,6 +70,7 @@ fields('jwks') ->
[ [
{use_jwks, sc(hoconsc:enum([true]), #{desc => ""})}, {use_jwks, sc(hoconsc:enum([true]), #{desc => ""})},
{endpoint, fun endpoint/1}, {endpoint, fun endpoint/1},
{pool_size, fun pool_size/1},
{refresh_interval, fun refresh_interval/1}, {refresh_interval, fun refresh_interval/1},
{ssl, #{ {ssl, #{
type => hoconsc:union([ type => hoconsc:union([
@ -170,6 +171,12 @@ verify_claims(converter) ->
verify_claims(_) -> verify_claims(_) ->
undefined. undefined.
pool_size(type) -> integer();
pool_size(desc) -> "JWKS connection count";
pool_size(default) -> 8;
pool_size(validator) -> [fun(I) -> I > 0 end];
pool_size(_) -> undefined.
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
%% APIs %% APIs
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
@ -189,53 +196,68 @@ create(#{verify_claims := VerifyClaims} = Config) ->
update( update(
#{use_jwks := false} = Config, #{use_jwks := false} = Config,
#{jwk := Connector} #{jwk_resource := ResourceId}
) when ) ->
is_pid(Connector) _ = emqx_resource:remove_local(ResourceId),
->
_ = emqx_authn_jwks_connector:stop(Connector),
create(Config); create(Config);
update(#{use_jwks := false} = Config, _State) -> update(#{use_jwks := false} = Config, _State) ->
create(Config); create(Config);
update( update(
#{use_jwks := true} = Config, #{use_jwks := true} = Config,
#{jwk := Connector} = State #{jwk_resource := ResourceId} = State
) when ) ->
is_pid(Connector) case emqx_resource:query(ResourceId, {update, connector_opts(Config)}) of
-> ok ->
ok = emqx_authn_jwks_connector:update(Connector, connector_opts(Config)), case maps:get(verify_claims, Config, undefined) of
case maps:get(verify_cliams, Config, undefined) of
undefined -> undefined ->
{ok, State}; {ok, State};
VerifyClaims -> VerifyClaims ->
{ok, State#{verify_claims => handle_verify_claims(VerifyClaims)}} {ok, State#{verify_claims => handle_verify_claims(VerifyClaims)}}
end; end;
{error, Reason} ->
?SLOG(error, #{
msg => "jwks_client_option_update_failed",
resource => ResourceId,
reason => Reason
})
end;
update(#{use_jwks := true} = Config, _State) -> update(#{use_jwks := true} = Config, _State) ->
create(Config). create(Config).
authenticate(#{auth_method := _}, _) -> authenticate(#{auth_method := _}, _) ->
ignore; ignore;
authenticate(Credential = #{password := JWT}, #{ authenticate(
jwk := JWK, Credential = #{password := JWT},
verify_claims := VerifyClaims0 #{
}) -> verify_claims := VerifyClaims0,
JWKs = jwk := JWK
case erlang:is_pid(JWK) of }
false -> ) ->
[JWK]; JWKs = [JWK],
true ->
{ok, JWKs0} = emqx_authn_jwks_connector:get_jwks(JWK),
JWKs0
end,
VerifyClaims = replace_placeholder(VerifyClaims0, Credential), VerifyClaims = replace_placeholder(VerifyClaims0, Credential),
case verify(JWT, JWKs, VerifyClaims) of verify(JWT, JWKs, VerifyClaims);
{ok, Extra} -> {ok, Extra}; authenticate(
{error, invalid_signature} -> ignore; Credential = #{password := JWT},
{error, {claims, _}} -> {error, bad_username_or_password} #{
verify_claims := VerifyClaims0,
jwk_resource := ResourceId
}
) ->
case emqx_resource:query(ResourceId, get_jwks) of
{error, Reason} ->
?SLOG(error, #{
msg => "get_jwks_failed",
resource => ResourceId,
reason => Reason
}),
ignore;
{ok, JWKs} ->
VerifyClaims = replace_placeholder(VerifyClaims0, Credential),
verify(JWT, JWKs, VerifyClaims)
end. end.
destroy(#{jwk := Connector}) when is_pid(Connector) -> destroy(#{jwk_resource := ResourceId}) ->
_ = emqx_authn_jwks_connector:stop(Connector), _ = emqx_resource:remove_local(ResourceId),
ok; ok;
destroy(_) -> destroy(_) ->
ok. ok.
@ -278,15 +300,17 @@ create2(
verify_claims := VerifyClaims verify_claims := VerifyClaims
} = Config } = Config
) -> ) ->
case emqx_authn_jwks_connector:start_link(connector_opts(Config)) of ResourceId = emqx_authn_utils:make_resource_id(?MODULE),
{ok, Connector} -> {ok, _} = emqx_resource:create_local(
ResourceId,
?RESOURCE_GROUP,
emqx_authn_jwks_connector,
connector_opts(Config)
),
{ok, #{ {ok, #{
jwk => Connector, jwk_resource => ResourceId,
verify_claims => VerifyClaims verify_claims => VerifyClaims
}}; }}.
{error, Reason} ->
{error, Reason}
end.
create_jwk_from_pem_or_file(CertfileOrFilePath) when create_jwk_from_pem_or_file(CertfileOrFilePath) when
is_binary(CertfileOrFilePath); is_binary(CertfileOrFilePath);
@ -328,9 +352,17 @@ replace_placeholder([{Name, {placeholder, PL}} | More], Variables, Acc) ->
replace_placeholder([{Name, Value} | More], Variables, Acc) -> replace_placeholder([{Name, Value} | More], Variables, Acc) ->
replace_placeholder(More, Variables, [{Name, Value} | Acc]). replace_placeholder(More, Variables, [{Name, Value} | Acc]).
verify(_JWS, [], _VerifyClaims) -> verify(JWT, JWKs, VerifyClaims) ->
case do_verify(JWT, JWKs, VerifyClaims) of
{ok, Extra} -> {ok, Extra};
{error, {missing_claim, _}} -> {error, bad_username_or_password};
{error, invalid_signature} -> ignore;
{error, {claims, _}} -> {error, bad_username_or_password}
end.
do_verify(_JWS, [], _VerifyClaims) ->
{error, invalid_signature}; {error, invalid_signature};
verify(JWS, [JWK | More], VerifyClaims) -> do_verify(JWS, [JWK | More], VerifyClaims) ->
try jose_jws:verify(JWK, JWS) of try jose_jws:verify(JWK, JWS) of
{true, Payload, _JWS} -> {true, Payload, _JWS} ->
Claims = emqx_json:decode(Payload, [return_maps]), Claims = emqx_json:decode(Payload, [return_maps]),
@ -341,7 +373,7 @@ verify(JWS, [JWK | More], VerifyClaims) ->
{error, Reason} {error, Reason}
end; end;
{false, _, _} -> {false, _, _} ->
verify(JWS, More, VerifyClaims) do_verify(JWS, More, VerifyClaims)
catch catch
_:_Reason -> _:_Reason ->
?TRACE("JWT", "authn_jwt_invalid_signature", #{jwk => JWK, jws => JWS}), ?TRACE("JWT", "authn_jwt_invalid_signature", #{jwk => JWK, jws => JWS}),

95
apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
View File

@ -38,9 +38,13 @@ init_per_testcase(_, Config) ->
init_per_suite(Config) -> init_per_suite(Config) ->
_ = application:load(emqx_conf), _ = application:load(emqx_conf),
emqx_common_test_helpers:start_apps([emqx_authn]), emqx_common_test_helpers:start_apps([emqx_authn]),
application:ensure_all_started(emqx_resource),
application:ensure_all_started(emqx_connector),
Config. Config.
end_per_suite(_) -> end_per_suite(_) ->
application:stop(emqx_connector),
application:stop(emqx_resource),
emqx_common_test_helpers:stop_apps([emqx_authn]), emqx_common_test_helpers:stop_apps([emqx_authn]),
ok. ok.
@ -194,11 +198,11 @@ t_jwks_renewal(_Config) ->
ok = emqx_authn_http_test_server:set_handler(fun jwks_handler/2), ok = emqx_authn_http_test_server:set_handler(fun jwks_handler/2),
PrivateKey = test_rsa_key(private), PrivateKey = test_rsa_key(private),
Payload = #{<<"username">> => <<"myuser">>}, Payload0 = #{<<"username">> => <<"myuser">>},
JWS = generate_jws('public-key', Payload, PrivateKey), JWS0 = generate_jws('public-key', Payload0, PrivateKey),
Credential = #{ Credential0 = #{
username => <<"myuser">>, username => <<"myuser">>,
password => JWS password => JWS0
}, },
BadConfig0 = #{ BadConfig0 = #{
@ -209,7 +213,8 @@ t_jwks_renewal(_Config) ->
use_jwks => true, use_jwks => true,
endpoint => "https://127.0.0.1:" ++ integer_to_list(?JWKS_PORT + 1) ++ ?JWKS_PATH, endpoint => "https://127.0.0.1:" ++ integer_to_list(?JWKS_PORT + 1) ++ ?JWKS_PATH,
refresh_interval => 1000 refresh_interval => 1000,
pool_size => 1
}, },
ok = snabbkaffe:start_trace(), ok = snabbkaffe:start_trace(),
@ -222,9 +227,9 @@ t_jwks_renewal(_Config) ->
ok = snabbkaffe:stop(), ok = snabbkaffe:stop(),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential, State0)), ?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential0, State0)),
?assertEqual( ?assertEqual(
ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State0) ignore, emqx_authn_jwt:authenticate(Credential0#{password => <<"badpassword">>}, State0)
), ),
ClientSSLOpts = client_ssl_opts(), ClientSSLOpts = client_ssl_opts(),
@ -246,12 +251,24 @@ t_jwks_renewal(_Config) ->
ok = snabbkaffe:stop(), ok = snabbkaffe:stop(),
?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential, State1)), ?assertEqual(ignore, emqx_authn_jwt:authenticate(Credential0, State1)),
?assertEqual( ?assertEqual(
ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State0) ignore, emqx_authn_jwt:authenticate(Credential0#{password => <<"badpassword">>}, State0)
), ),
GoodConfig = BadConfig1#{ssl => ClientSSLOpts}, GoodConfig = BadConfig1#{
ssl => ClientSSLOpts,
verify_claims => [{<<"foo">>, <<"${username}">>}]
},
Payload1 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"myuser">>},
Payload2 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"notmyuser">>},
JWS1 = generate_jws('public-key', Payload1, PrivateKey),
JWS2 = generate_jws('public-key', Payload2, PrivateKey),
Credential1 = #{
username => <<"myuser">>,
password => JWS1
},
ok = snabbkaffe:start_trace(), ok = snabbkaffe:start_trace(),
@ -263,14 +280,68 @@ t_jwks_renewal(_Config) ->
ok = snabbkaffe:stop(), ok = snabbkaffe:stop(),
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential, State2)), ?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential1, State2)),
?assertEqual( ?assertEqual(
ignore, emqx_authn_jwt:authenticate(Credential#{password => <<"badpassword">>}, State2) {error, bad_username_or_password},
emqx_authn_jwt:authenticate(Credential1#{password => JWS2}, State2)
), ),
?assertEqual(ok, emqx_authn_jwt:destroy(State2)), ?assertEqual(ok, emqx_authn_jwt:destroy(State2)),
ok = emqx_authn_http_test_server:stop(). ok = emqx_authn_http_test_server:stop().
t_jwt_authenticator_verify_claims(_) ->
Secret = <<"abcdef">>,
Config0 = #{
mechanism => jwt,
use_jwks => false,
algorithm => 'hmac-based',
secret => Secret,
secret_base64_encoded => false,
verify_claims => [{<<"foo">>, <<"bar">>}]
},
{ok, State0} = emqx_authn_jwt:create(?AUTHN_ID, Config0),
Payload0 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"bar">>},
JWS0 = generate_jws('hmac-based', Payload0, Secret),
Credential0 = #{
username => <<"myuser">>,
password => JWS0
},
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential0, State0)),
Config1 = Config0#{
verify_claims => [{<<"foo">>, <<"${username}">>}]
},
{ok, State1} = emqx_authn_jwt:update(Config1, State0),
Payload1 = #{<<"username">> => <<"myuser">>},
JWS1 = generate_jws('hmac-based', Payload1, Secret),
Credential1 = #{
username => <<"myuser">>,
password => JWS1
},
?assertEqual(
{error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential1, State1)
),
Payload2 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"notmyuser">>},
JWS2 = generate_jws('hmac-based', Payload2, Secret),
Credential2 = #{
username => <<"myuser">>,
password => JWS2
},
?assertEqual(
{error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential2, State1)
),
Payload3 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"myuser">>},
JWS3 = generate_jws('hmac-based', Payload3, Secret),
Credential3 = #{
username => <<"myuser">>,
password => JWS3
},
?assertEqual({ok, #{is_superuser => false}}, emqx_authn_jwt:authenticate(Credential3, State1)).
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------
%% Helpers %% Helpers
%%------------------------------------------------------------------------------ %%------------------------------------------------------------------------------

4
apps/emqx_resource/test/emqx_test_resource.erl
View File

@ -25,7 +25,6 @@
, on_stop/2 , on_stop/2
, on_query/4 , on_query/4
, on_health_check/2 , on_health_check/2
, on_config_merge/3
]). ]).
%% callbacks for emqx_resource config schema %% callbacks for emqx_resource config schema
@ -85,9 +84,6 @@ on_health_check(_InstId, State = #{pid := Pid}) ->
false -> {error, dead, State} false -> {error, dead, State}
end. end.
on_config_merge(OldConfig, NewConfig, _Params) ->
maps:merge(OldConfig, NewConfig).
spawn_dummy_process(Name, Register) -> spawn_dummy_process(Name, Register) ->
spawn( spawn(
fun() -> fun() ->