zmstone
2771a10d39
test: fix a flaky one
2024-05-27 20:59:50 +02:00
zmstone
238c207b09
chore: bump app versions
2024-05-27 20:26:52 +02:00
zmstone
b0832ecc74
test: fix a flaky one
2024-05-23 08:55:28 +02:00
Ilia Averianov
322989c83f
Merge pull request #13040 from savonarola/0513-fix-http-authn-error-handling
...
fix(auth_http): fix query encoding
2024-05-16 15:12:57 +03:00
zmstone
2acde5a4e4
fix(authn/http): log meaningful error message if http header is missing
2024-05-16 11:36:52 +03:00
Ilya Averyanov
daf2e5a444
chore(auth_http): unify http request generation
...
Co-authored-by: Thales Macedo Garitezi <thalesmg@gmail.com>
2024-05-16 11:36:52 +03:00
zmstone
93232d4253
fix(authn/http): log meaningful error message if http header is missing
2024-05-14 10:22:07 +02:00
Ilya Averyanov
bca3782d73
fix(auth_http): fix query encoding
...
* ignore authenticator if JSON format is set up for requests, but non-utf8 data is going to be sent
* use application/json format by default
* fix encoding of query part of the requests
2024-05-14 10:32:53 +03:00
zmstone
290ebe2fc5
fix: deny subscribing to +/# by default ACL
...
Prior to this change, EMQX default ACL has a deny rule to reject
subscribing to `#`.
For completeness, the default ACL should also deny `+/#` because
they are essentially equivalent.
2024-05-13 09:26:42 +02:00
Thales Macedo Garitezi
401f0fa84b
Merge branch 'release-57' into sync-r57-m-20240508
2024-05-09 09:13:30 -03:00
Ilya Averyanov
3b655f56cb
fix(auth,http): improve URI handling
2024-05-04 09:47:13 +03:00
Thales Macedo Garitezi
42cb17360e
Merge branch 'release-57' into sync-r57-m-20240430
2024-04-30 14:42:22 -03:00
Ilya Averyanov
e4154dd472
feat(authn): use correct time resolution for setting channel expire in JWT authn
2024-04-30 19:01:16 +03:00
Ilya Averyanov
80d724c504
feat(authn): add connection expire based on authn data
2024-04-30 17:04:55 +03:00
Ilya Averyanov
aaf57ecfbc
chore(authz): improve and clarify types
2024-04-26 12:09:18 +03:00
zmstone
01923147a2
fix(variform and authz): do not initialize empty client_attrs field
...
when client_attrs_init expression renders to empty string,
do not initialize the attribute.
also fixed an ACL error: a template render failure for a topic
would stop the ACL checks for the following topics if more
than one topic is configured.
2024-04-25 17:32:07 +02:00
zmstone
d30b52f0f9
docs: refine acl.conf comments
2024-04-25 17:32:07 +02:00
Ilya Averyanov
407b0cd0ca
feat(jwt_auth): improve verify_claims handling and docs
2024-04-25 17:49:29 +03:00
zmstone
ab763fe665
test: fix test case flakiness
2024-04-18 09:32:05 +02:00
zmstone
b76b6fbe63
feat(variform): initialize client_attrs with variform
...
Moved regular expression extraction as a variform function.
2024-04-14 10:13:24 +02:00
zmstone
da5b01aa46
refactor(client_attr): allow more than one initial extraction
2024-04-13 01:00:25 +02:00
Ivan Dyachkov
db9efb9317
chore: bump apps versions
2024-03-28 10:19:09 +01:00
zmstone
22838f027a
fix: mountpoint template render should not replace unknown as undefined
...
For backward compatibility, the unknown vars used in mountpoint
are kept unchanged.
e.g. '${unknown}/foo/bar' should be rendered as '${unknown}/foo/bar'
but not 'undefined/foo/bar'
2024-03-23 10:16:05 +01:00
zmstone
3136ec5958
feat: allow mountpoint to use client_attrs
2024-03-23 10:16:05 +01:00
zmstone
5e9814d171
fix: add debug level logging for invalid client attributes
2024-03-23 10:16:05 +01:00
zmstone
0cf61932b6
feat: allow using client_attrs in authentication templates
2024-03-23 10:16:05 +01:00
zmstone
2fd0a2cd4d
feat: support extracting initial client attrs from clientinfo
2024-03-23 10:16:02 +01:00
zmstone
c75840306b
fix: restrict client_attr key and value string format
...
The keys and values are used to render templates for
authz rules, such as topic names, and SQL statements etc.
2024-03-23 10:16:02 +01:00
zmstone
9ec99fef4a
feat: allow client_attr used in authz rules
2024-03-23 10:16:02 +01:00
zmstone
e5816f5a13
refactor: rename attr to client_attr
...
client_attr is unique enough for all contexts
so the name can be unified from external responses
to internal template rendering, and rule-engine template rendering
2024-03-23 10:16:02 +01:00
Zaiming (Stone) Shi
5af01c041b
Merge pull request #12559 from zmstone/0221-refactor-use-atom-fileds
...
refactor: use atoms for root config fields
2024-02-23 14:38:19 +01:00
Zaiming (Stone) Shi
46877e979b
chore: update copyright-year
2024-02-23 08:21:06 +01:00
Zaiming (Stone) Shi
88b1d9ba88
refactor: use atoms for root config fields and types
2024-02-22 16:51:40 +01:00
Thales Macedo Garitezi
d469f4158e
chore: bump app vsns
2024-02-20 16:53:57 -03:00
JimMoen
ba1d24d054
test(prom_api): '/prometheus/auth' and '/prometheus/data_integration'
2024-02-18 02:32:25 +08:00
Zaiming (Stone) Shi
f57f617ba3
refactor(schema): ensure roots/0 and namespace/0 for all schema modules
2024-02-16 11:35:32 +01:00
Serge Tupchii
7272ef25d4
feat(emqx_auth): implement API to re-order all authenticators/authz sources
...
Fixes: EMQX-11770
2024-02-14 14:35:46 +02:00
Ilya Averyanov
90fd2b26d3
feat(banned): allow ban by clientid/username regexps, peerhost cidrs
2024-02-10 17:59:22 +03:00
JianBo He
9aad7997ca
chore: compatible the content-type syntax
2024-02-02 08:48:56 +01:00
JianBo He
aedfc8e8c0
fix(user_import): ensure the last record overwrites previous one
2024-01-30 14:14:20 +08:00
JianBo He
8fc8106819
test: cover password_type and new data format
2024-01-29 10:49:07 +08:00
JianBo He
829887630d
test: refine existing test cases
2024-01-29 10:49:07 +08:00
JianBo He
e65cfb836c
feat(import_users): support user's password in plain text
2024-01-29 10:49:07 +08:00
Zaiming (Stone) Shi
9e8a67fd68
feat: support authz cache exclusion config
...
now one can configure a list of topic-filters to avoid
caching ACL check results
for example
authorization.cache.excludes = ["nocache/#"]
this means ACL check results for topics having 'nocache/' prefix
will not be cached
2024-01-10 13:52:00 +01:00
Zaiming (Stone) Shi
23ded313ec
chore: update app versions
2023-12-22 15:29:22 +01:00
Zaiming (Stone) Shi
322b7bb7d2
chore: bump app vsn
2023-12-22 13:00:37 +01:00
Zaiming (Stone) Shi
2be898ca4d
refactor(auth/jwt): support raw rules from jwt acl claim
2023-12-19 08:10:38 +01:00
Zaiming (Stone) Shi
a9963e043b
refactor(authz): improve logging
...
Move authz result logging to common place.
Prior to this change, the final result is not logged when
fallback to the default authorization.no_match config value.
Also, if the result is provided by a hook callback,
it's also not logged.
After this change, only the final result is logged.
The authz chain results can be traced (or logged at debug level).
2023-12-17 22:32:26 +01:00
zhongwencool
c73b371a7a
feat: don't merge default headers if user already setting one
2023-12-13 08:47:55 +08:00
Zaiming (Stone) Shi
ddbb8560fa
fix(dialyzer): batch 2
2023-12-08 17:59:55 +01:00
Zaiming (Stone) Shi
33a7282cdd
fix(dialyzer): only include eunit when TEST is defined
2023-12-06 20:39:26 +01:00
Stefan Strigler
8ba116d378
fix(emqx_auth): check authenticator exists in /authenticator/:id/users
2023-11-23 16:15:03 +01:00
Zaiming (Stone) Shi
d9f964a44f
test: fix test cases after schema type namespace change
2023-11-22 16:58:05 +01:00
Zaiming (Stone) Shi
db33bc616a
feat(schema): Add v2 schema JSON dump
2023-11-22 13:12:35 +01:00
Zaiming (Stone) Shi
1b2c052646
docs: add type namespaces
2023-11-22 13:12:35 +01:00
Ivan Dyachkov
28a577ad09
chore: bump apps versions
2023-11-14 11:02:26 +01:00
Zaiming (Stone) Shi
f1de0aa176
fix(schema): add namespace to authn schemas
2023-11-10 13:41:51 +01:00
Zaiming (Stone) Shi
86110824eb
feat: upgrade hocon to 0.40.0 which supports union type display name
2023-11-10 13:41:51 +01:00
Zaiming (Stone) Shi
b24b66081a
refactor(authn/authz_http_schema): use typerefl alias
2023-11-10 13:41:51 +01:00
Andrew Mayorov
910e81bc41
Merge pull request #10442 from keynslug/ft/EMQX-9257/placeholder
...
feat(tpl): split `emqx_placeholder` into a couple of modules
2023-11-02 22:50:05 +07:00
Andrew Mayorov
8e4585d64f
chore: move template modules to `emqx_utils`
...
Even though most of the time these modules will be used by
connectors, there are exceptions (namely, `emqx_rule_engine`).
Besides, they are general enough to land there, more so given
that `emqx_placeholder` is already there.
2023-11-02 17:11:12 +07:00
Andrew Mayorov
343b679741
feat(tpl): make escaping mechanism more foolproof
...
Treat "${$}" as literal "$". This allows to template express
strings, for example, of the form "${some_var_value}" where
`some_var_value` is interpolated from bindings.
2023-11-02 17:11:11 +07:00
Andrew Mayorov
a9693eada7
fix(tpl): rename `trivial` -> `is_const`
...
This is clearer. Former naming was a bit misleading.
2023-11-02 17:11:11 +07:00
Andrew Mayorov
49fba40ee7
fix(tpl): ensure backward compat with authz / authn templates
...
This commit leans heavy into discouraging the former approach where
only part of placeholders were interpolated, depending on `placeholders`
option.
2023-11-02 17:11:10 +07:00
Andrew Mayorov
49f5325c67
feat(tpl): unify validations / errors var representations
2023-11-02 17:11:10 +07:00
Andrew Mayorov
0538a77700
feat(tpl): use `emqx_connector_template` in `emqx_authn`, `emqx_authz`
...
This slightly changes semantics: now the attempt to create authenticator
with illegal bindings in templates will fail, instead of treating them
as literals. The runtime behaviour on the other hand should be the same.
2023-11-02 17:11:10 +07:00
Ilya Averyanov
3f6c09b195
Merge pull request #11780 from savonarola/1017-fix-pbkdf2-validation
...
fix(authn): fix pbkdf2 option validation
2023-10-30 16:37:37 +02:00
Stefan Strigler
4e0e755b28
fix: return 404 if built_in_database not configured as auth source
2023-10-23 16:26:41 +02:00
Ilya Averyanov
edde661da3
fix(authn): fix pbkdf2 option validation
2023-10-23 10:26:11 +03:00
Ilya Averyanov
8d82c30b00
Merge pull request #11771 from savonarola/1015-validate-bcrypt-schema-in-api
...
feat(authn): allow authn providers to define a separate schema for API
2023-10-19 15:34:34 +03:00
Ilya Averyanov
6354f3b04f
feat(authn): allow authn providers to define a separate schema for API
2023-10-17 13:19:11 +03:00
Zaiming (Stone) Shi
6eb3bb7cff
Merge remote-tracking branch 'origin/release-53' into 1114-sync-release-53
2023-10-14 10:16:38 +02:00
Ilya Averyanov
4ecd5e17a2
chore(authz): trace non-resultative authz calls to backend modules
2023-10-12 12:29:39 +03:00
Ilya Averyanov
03ae5bf3c8
chore(auth): cleanup code
2023-10-11 13:13:50 +03:00
Ilya Averyanov
5dff36474d
chore(auth): get rid of hardcoded schema modules in auth
2023-10-05 13:41:50 +03:00
Ilya Averyanov
c2c56ba481
chore(auth): update tests
2023-10-05 13:41:50 +03:00
Ilya Averyanov
1eb75b43c4
chore(auth): split emqx_authn and emqx_authz apps
2023-10-05 13:41:50 +03:00