chore(apps): Sync plugins to apps dir

emqx_telemetry from tag v4.2.7
all other apps are from e4.2.4
see sync-apps.sh

.gitignore

@@ -12,33 +12,34 @@ ebin
 test/ebin/*.beam
 .exrc
 plugins/*/ebin
-log/
 *.swp
 *.so
 .erlang.mk/
 cover/
-emqx.d
 eunit.coverdata
 test/ct.cover.spec
-logs
 ct.coverdata
 .idea/
-emqx.iml
-_rel/
-data/
 _build
 .rebar3
 rebar3.crashdump
 .DS_Store
-emqx.iml
-bbmustache/
 etc/gen.emqx.conf
 compile_commands.json
 cuttlefish
-rebar.lock
 xrefr
-erlang.mk
 *.coverdata
 etc/emqx.conf.rendered
 Mnesia.*/
+*.DS_Store
+_checkouts
+rebar.config.rendered
+/rebar3
+rebar.lock
 .stamp
+tmp/
+_packages
+elvis
+emqx_dialyzer_*_plt
+apps/emqx_dashboard/priv/www
+dist.zip

apps/emqx_auth_http/.gitignore

@@ -0,0 +1,25 @@
+.eunit
+deps
+*.o
+*.beam
+*.plt
+erl_crash.dump
+ebin
+rel/example_project
+.concrete/DEV_MODE
+.rebar
+.erlang.mk/
+emqx_auth_http.d
+data
+ct.cover.spec
+cover/
+ct.coverdata
+eunit.coverdata
+logs/
+erlang.mk
+_build/
+rebar.lock
+rebar3.crashdump
+etc/emqx_auth_http.conf.rendered
+.rebar3/
+*.swp

apps/emqx_auth_http/README.md

@@ -0,0 +1,100 @@
+emqx_auth_http
+==============
+
+EMQ X HTTP Auth/ACL Plugin
+
+Build
+-----
+
+```
+make && make tests
+```
+
+Configure the Plugin
+--------------------
+
+File: etc/emqx_auth_http.conf
+
+```
+##--------------------------------------------------------------------
+## Authentication request.
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: URL
+auth.http.auth_req = http://127.0.0.1:8080/mqtt/auth
+## Value: post | get | put
+auth.http.auth_req.method = post
+## Value: Params
+auth.http.auth_req.params = clientid=%c,username=%u,password=%P
+
+##--------------------------------------------------------------------
+## Superuser request.
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: URL
+auth.http.super_req = http://127.0.0.1:8080/mqtt/superuser
+## Value: post | get | put
+auth.http.super_req.method = post
+## Value: Params
+auth.http.super_req.params = clientid=%c,username=%u
+
+##--------------------------------------------------------------------
+## ACL request.
+##
+## Variables:
+##  - %A: 1 | 2, 1 = sub, 2 = pub
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %m: mountpoint
+##  - %t: topic
+##
+## Value: URL
+auth.http.acl_req = http://127.0.0.1:8080/mqtt/acl
+## Value: post | get | put
+auth.http.acl_req.method = get
+## Value: Params
+auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t
+```
+
+Load the Plugin
+---------------
+
+```
+./bin/emqx_ctl plugins load emqx_auth_http
+```
+
+HTTP API
+--------
+
+200 if ok
+
+4xx if unauthorized
+
+License
+-------
+
+Apache License Version 2.0
+
+Author
+------
+
+EMQ X Team.
+

apps/emqx_auth_http/etc/emqx_auth_http.conf

@@ -0,0 +1,162 @@
+##--------------------------------------------------------------------
+## HTTP Auth/ACL Plugin
+##--------------------------------------------------------------------
+
+##--------------------------------------------------------------------
+## Authentication request.
+
+## HTTP URL API path for authentication request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/auth, https://[::1]:8991/mqtt/auth
+auth.http.auth_req = http://127.0.0.1:8991/mqtt/auth
+
+## Value: post | get | put
+auth.http.auth_req.method = post
+
+## It only works when method=post
+## Value: json | x-www-form-urlencoded
+auth.http.auth_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %p: sockport of server accepted
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: Params
+auth.http.auth_req.params = clientid=%c,username=%u,password=%P
+
+##--------------------------------------------------------------------
+## Superuser request.
+
+## HTTP URL API path for Superuser request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/superuser, https://[::1]:8991/mqtt/superuser
+#auth.http.super_req = http://127.0.0.1:8991/mqtt/superuser
+
+## Value: post | get | put
+#auth.http.super_req.method = post
+
+## It only works when method=pos
+## Value: json | x-www-form-urlencoded
+#auth.http.super_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %p: sockport of server accepted
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: Params
+#auth.http.super_req.params = clientid=%c,username=%u
+
+##--------------------------------------------------------------------
+## ACL request.
+
+## HTTP URL API path for ACL request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/acl, https://[::1]:8991/mqtt/acl
+auth.http.acl_req = http://127.0.0.1:8991/mqtt/acl
+
+## Value: post | get | put
+auth.http.acl_req.method = get
+
+## It only works when method=post
+## Value: json | x-www-form-urlencoded
+auth.http.acl_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %A: 1 | 2, 1 = sub, 2 = pub
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %m: mountpoint
+##  - %t: topic
+##
+## Value: Params
+auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m
+
+##------------------------------------------------------------------------------
+## Http Reqeust options
+
+## Time-out time for the http request, 0 is never timeout.
+##
+## Value: Duration
+## -h: hour, e.g. '2h' for 2 hours
+## -m: minute, e.g. '5m' for 5 minutes
+## -s: second, e.g. '30s' for 30 seconds
+##
+## Default: 5s
+## auth.http.request.timeout = 5s
+
+## Connection time-out time, used during the initial request
+## when the client is connecting to the server
+##
+## Value: Duration
+##
+## Default is same with the timeout option
+## auth.http.request.connect_timeout = 0
+
+## Re-send http reuqest times
+##
+## Value: integer
+##
+## Default: 3
+auth.http.request.retry_times = 5
+
+## The interval for re-sending the http request
+##
+## Value: Duration
+##
+## Default: 1s
+auth.http.request.retry_interval = 1s
+
+## The 'Exponential Backoff' mechanism for re-sending request. The actually
+## re-send time interval is `interval * backoff ^ times`
+##
+## Value: float
+##
+## Default: 2.0
+auth.http.request.retry_backoff = 2.0
+
+##------------------------------------------------------------------------------
+## SSL options
+
+## Path to the file containing PEM-encoded CA certificates. The CA certificates
+## are used during server authentication and when building the client certificate chain.
+##
+## Value: File
+## auth.http.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
+
+## The path to a file containing the client's certificate.
+##
+## Value: File
+## auth.http.ssl.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
+
+## Path to a file containing the client's private PEM-encoded key.
+##
+## Value: File
+## auth.http.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+
+##--------------------------------------------------------------------
+## HTTP Request Headers
+##
+## Example: auth.http.header.Accept-Encoding = *
+##
+## Value: String
+## auth.http.header.Accept = */*

apps/emqx_auth_http/include/emqx_auth_http.hrl

@@ -0,0 +1,25 @@
+
+-define(APP, emqx_auth_http).
+
+-record(http_request, {method = post, path, headers, params, request_timeout}).
+
+-record(auth_metrics, {
+        success = 'client.auth.success',
+        failure = 'client.auth.failure',
+        ignore = 'client.auth.ignore'
+    }).
+
+-record(acl_metrics, {
+        allow = 'client.acl.allow',
+        deny = 'client.acl.deny',
+        ignore = 'client.acl.ignore'
+    }).
+
+-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
+-define(METRICS(Type, K), #Type{}#Type.K).
+
+-define(AUTH_METRICS, ?METRICS(auth_metrics)).
+-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
+
+-define(ACL_METRICS, ?METRICS(acl_metrics)).
+-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

apps/emqx_auth_http/priv/emqx_auth_http.schema

@@ -0,0 +1,169 @@
+%%-*- mode: erlang -*-
+%% emqx_auth_http config mapping
+{mapping, "auth.http.auth_req", "emqx_auth_http.auth_req", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.http.auth_req.method", "emqx_auth_http.auth_req", [
+  {default, post},
+  {datatype, {enum, [post, get]}}
+]}.
+
+{mapping, "auth.http.auth_req.content_type", "emqx_auth_http.auth_req", [
+  {default, 'x-www-form-urlencoded'},
+  {datatype, {enum, ['json', 'x-www-form-urlencoded']}}
+]}.
+
+{mapping, "auth.http.auth_req.params", "emqx_auth_http.auth_req", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_http.auth_req", fun(Conf) ->
+  case cuttlefish:conf_get("auth.http.auth_req", Conf) of
+    undefined -> cuttlefish:unset();
+    Url ->
+      Params = cuttlefish:conf_get("auth.http.auth_req.params", Conf),
+      [{url, Url},
+      {method, cuttlefish:conf_get("auth.http.auth_req.method", Conf)},
+      {content_type, list_to_binary("application/" ++ atom_to_list(cuttlefish:conf_get("auth.http.auth_req.content_type", Conf)))},
+      {params, [list_to_tuple(string:tokens(S, "=")) || S <- string:tokens(Params, ",")]}]
+  end
+end}.
+
+{mapping, "auth.http.super_req", "emqx_auth_http.super_req", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.http.super_req.method", "emqx_auth_http.super_req", [
+  {default, post},
+  {datatype, {enum, [post, get]}}
+]}.
+
+{mapping, "auth.http.super_req.content_type", "emqx_auth_http.super_req", [
+  {default, 'x-www-form-urlencoded'},
+  {datatype, {enum, ['json', 'x-www-form-urlencoded']}}
+]}.
+
+{mapping, "auth.http.super_req.params", "emqx_auth_http.super_req", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_http.super_req", fun(Conf) ->
+  case cuttlefish:conf_get("auth.http.super_req", Conf, undefined) of
+    undefined -> cuttlefish:unset();
+    Url -> Params = cuttlefish:conf_get("auth.http.super_req.params", Conf),
+           [{url, Url}, {method, cuttlefish:conf_get("auth.http.super_req.method", Conf)},
+            {content_type, list_to_binary("application/" ++ atom_to_list(cuttlefish:conf_get("auth.http.super_req.content_type", Conf)))},
+            {params, [list_to_tuple(string:tokens(S, "=")) || S <- string:tokens(Params, ",")]}]
+  end
+end}.
+
+{mapping, "auth.http.acl_req", "emqx_auth_http.acl_req", [
+  {default, undefined},
+  {datatype, string}
+]}.
+
+{mapping, "auth.http.acl_req.method", "emqx_auth_http.acl_req", [
+  {default, post},
+  {datatype, {enum, [post, get]}}
+]}.
+
+{mapping, "auth.http.acl_req.content_type", "emqx_auth_http.acl_req", [
+  {default, 'x-www-form-urlencoded'},
+  {datatype, {enum, ['json', 'x-www-form-urlencoded']}}
+]}.
+
+{mapping, "auth.http.acl_req.params", "emqx_auth_http.acl_req", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_http.acl_req", fun(Conf) ->
+  case cuttlefish:conf_get("auth.http.acl_req", Conf, undefined) of
+    undefined -> cuttlefish:unset();
+    Url -> Params = cuttlefish:conf_get("auth.http.acl_req.params", Conf),
+           [{url, Url},
+            {method, cuttlefish:conf_get("auth.http.acl_req.method", Conf)},
+            {content_type, list_to_binary("application/" ++ atom_to_list(cuttlefish:conf_get("auth.http.acl_req.content_type", Conf)))},
+            {params, [list_to_tuple(string:tokens(S, "=")) || S <- string:tokens(Params, ",")]}]
+  end
+end}.
+
+{mapping, "auth.http.request.timeout", "emqx_auth_http.request_timeout", [
+  {default, "5s"},
+  {datatype, [integer, {duration, ms}]}
+]}.
+
+{mapping, "auth.http.pool_size", "emqx_auth_http.pool_opts", [
+  {default, 8},
+  {datatype, integer}
+]}.
+
+{mapping, "auth.http.request.connect_timeout", "emqx_auth_http.pool_opts", [
+  {default, "5s"},
+  {datatype, [integer, {duration, ms}]}
+]}.
+
+{mapping, "auth.http.ssl.cacertfile", "emqx_auth_http.pool_opts", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.http.ssl.certfile", "emqx_auth_http.pool_opts", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.http.ssl.keyfile", "emqx_auth_http.pool_opts", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.http.request.retry_times", "emqx_auth_http.pool_opts", [
+  {default, 5},
+  {datatype, integer}
+]}.
+
+{mapping, "auth.http.request.retry_interval", "emqx_auth_http.pool_opts", [
+  {default, "1s"},
+  {datatype, {duration, ms}}
+]}.
+
+{mapping, "auth.http.request.retry_backoff", "emqx_auth_http.pool_opts", [
+  {default, 2.0},
+  {datatype, float}
+]}.
+
+{translation, "emqx_auth_http.pool_opts", fun(Conf) ->
+  Filter = fun(L) -> [{K, V} || {K, V} <- L, V =/= undefined] end,
+  InfinityFun = fun(0) -> infinity;
+                   (Duration) -> Duration
+                end,
+  SslOpts = Filter([{cacertfile, cuttlefish:conf_get("auth.http.ssl.cacertfile", Conf, undefined)},
+                    {certfile, cuttlefish:conf_get("auth.http.ssl.certfile", Conf, undefined)},
+                    {keyfile, cuttlefish:conf_get("auth.http.ssl.keyfile", Conf, undefined)}]),
+  Opts = [{pool_size, cuttlefish:conf_get("auth.http.pool_size", Conf)},
+          {connect_timeout, InfinityFun(cuttlefish:conf_get("auth.http.request.connect_timeout", Conf))},
+          {retry, cuttlefish:conf_get("auth.http.request.retry_times", Conf)},
+          {retry_timeout, cuttlefish:conf_get("auth.http.request.retry_interval", Conf)}],
+  case SslOpts of
+      [] -> Filter(Opts);
+      _  ->
+          TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
+          DefaultOpts = [{versions, TlsVers},
+                         {ciphers, lists:foldl(
+                                       fun(TlsVer, Ciphers) ->
+                                           Ciphers ++ ssl:cipher_suites(all, TlsVer)
+                                       end, [], TlsVers)}],
+          Filter([{ssl, DefaultOpts ++ SslOpts} | Opts])
+  end
+end}.
+
+
+{mapping, "auth.http.header.$field", "emqx_auth_http.headers", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_http.headers", fun(Conf) ->
+  lists:map(
+      fun({["auth", "http", "header", Field], Value}) ->
+          {Field, Value}
+      end,
+      cuttlefish_variable:filter_by_prefix("auth.http.header", Conf))
+end}.

apps/emqx_auth_http/rebar.config

@@ -0,0 +1,29 @@
+{deps,
+ [{gun, {git, "https://github.com/emqx/gun", {tag, "1.3.4"}}},
+  {gproc, {git, "https://github.com/uwiger/gproc", {tag, "0.8.0"}}}
+ ]}.
+
+{edoc_opts, [{preprocess, true}]}.
+{erl_opts, [warn_unused_vars,
+            warn_shadow_vars,
+            warn_unused_import,
+            warn_obsolete_guard,
+            debug_info,
+            {parse_transform}]}.
+
+{xref_checks, [undefined_function_calls, undefined_functions,
+               locals_not_used, deprecated_function_calls,
+               warnings_as_errors, deprecated_functions]}.
+
+{cover_enabled, true}.
+{cover_opts, [verbose]}.
+{cover_export_enabled, true}.
+
+{profiles,
+ [{test,
+   [{deps,
+     [{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}},
+      {emqtt, {git, "https://github.com/emqx/emqtt", {tag, "v1.2.2"}}}
+     ]}
+   ]}
+ ]}.

apps/emqx_auth_http/src/emqx_acl_http.erl

@@ -0,0 +1,89 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_acl_http).
+
+-include("emqx_auth_http.hrl").
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("emqx/include/logger.hrl").
+
+-logger_header("[ACL http]").
+
+-import(emqx_auth_http_cli,
+        [ request/6
+        , feedvar/2
+        ]).
+
+%% ACL callbacks
+-export([ register_metrics/0
+        , check_acl/5
+        , description/0
+        ]).
+
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
+
+%%--------------------------------------------------------------------
+%% ACL callbacks
+%%--------------------------------------------------------------------
+
+check_acl(ClientInfo, PubSub, Topic, AclResult, State) ->
+    return_with(fun inc_metrics/1,
+                do_check_acl(ClientInfo, PubSub, Topic, AclResult, State)).
+
+do_check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _AclResult, _Config) ->
+    ok;
+do_check_acl(ClientInfo, PubSub, Topic, _AclResult, #{acl_req := AclReq,
+                                                      pool_name := PoolName}) ->
+    ClientInfo1 = ClientInfo#{access => access(PubSub), topic => Topic},
+    case check_acl_request(PoolName, AclReq, ClientInfo1) of
+        {ok, 200, <<"ignore">>} -> ok;
+        {ok, 200, _Body}    -> {stop, allow};
+        {ok, _Code, _Body}  -> {stop, deny};
+        {error, Error}      ->
+            ?LOG(error, "Request ACL path ~s, error: ~p",
+                 [AclReq#http_request.path, Error]),
+            ok
+    end.
+
+description() -> "ACL with HTTP API".
+
+%%--------------------------------------------------------------------
+%% Internal functions
+%%--------------------------------------------------------------------
+
+inc_metrics(ok) ->
+    emqx_metrics:inc(?ACL_METRICS(ignore));
+inc_metrics({stop, allow}) ->
+    emqx_metrics:inc(?ACL_METRICS(allow));
+inc_metrics({stop, deny}) ->
+    emqx_metrics:inc(?ACL_METRICS(deny)).
+
+return_with(Fun, Result) ->
+    Fun(Result), Result.
+
+check_acl_request(PoolName, #http_request{path = Path,
+                                          method = Method,
+                                          headers = Headers,
+                                          params = Params,
+                                          request_timeout = RequestTimeout}, ClientInfo) ->
+    request(PoolName, Method, Path, Headers, feedvar(Params, ClientInfo), RequestTimeout).
+
+access(subscribe) -> 1;
+access(publish)   -> 2.
+

apps/emqx_auth_http/src/emqx_auth_http.app.src

@@ -0,0 +1,14 @@
+{application, emqx_auth_http,
+ [{description, "EMQ X Authentication/ACL with HTTP API"},
+  {vsn, "git"},
+  {modules, []},
+  {registered, [emqx_auth_http_sup]},
+  {applications, [kernel,stdlib,gproc,gun]},
+  {mod, {emqx_auth_http_app, []}},
+  {env, []},
+  {licenses, ["Apache-2.0"]},
+  {maintainers, ["EMQ X Team <contact@emqx.io>"]},
+  {links, [{"Homepage", "https://emqx.io/"},
+           {"Github", "https://github.com/emqx/emqx-auth-http"}
+          ]}
+ ]}.

apps/emqx_auth_http/src/emqx_auth_http.erl

@@ -0,0 +1,112 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_http).
+
+-include("emqx_auth_http.hrl").
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("emqx/include/logger.hrl").
+-include_lib("emqx/include/types.hrl").
+
+-logger_header("[Auth http]").
+
+-import(emqx_auth_http_cli,
+        [ request/6
+        , feedvar/2
+        ]).
+
+%% Callbacks
+-export([ register_metrics/0
+        , check/3
+        , description/0
+        ]).
+
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
+
+check(ClientInfo, AuthResult, #{auth_req   := AuthReq,
+                                super_req  := SuperReq,
+                                pool_name  := PoolName}) ->
+    case authenticate(PoolName, AuthReq, ClientInfo) of
+        {ok, 200, <<"ignore">>} ->
+            emqx_metrics:inc(?AUTH_METRICS(ignore)), ok;
+        {ok, 200, Body}  ->
+            emqx_metrics:inc(?AUTH_METRICS(success)),
+            IsSuperuser = is_superuser(PoolName, SuperReq, ClientInfo),
+            {stop, AuthResult#{is_superuser => IsSuperuser,
+                                auth_result => success,
+                                anonymous   => false,
+                                mountpoint  => mountpoint(Body, ClientInfo)}};
+        {ok, Code, _Body} ->
+            ?LOG(error, "Deny connection from path: ~s, response http code: ~p",
+                 [AuthReq#http_request.path, Code]),
+            emqx_metrics:inc(?AUTH_METRICS(failure)),
+            {stop, AuthResult#{auth_result => http_to_connack_error(Code),
+                               anonymous   => false}};
+        {error, Error} ->
+            ?LOG(error, "Request auth path: ~s, error: ~p",
+                 [AuthReq#http_request.path, Error]),
+            emqx_metrics:inc(?AUTH_METRICS(failure)),
+            %%FIXME later: server_unavailable is not right.
+            {stop, AuthResult#{auth_result => server_unavailable,
+                               anonymous   => false}}
+    end.
+
+description() -> "Authentication by HTTP API".
+
+%%--------------------------------------------------------------------
+%% Requests
+%%--------------------------------------------------------------------
+
+authenticate(PoolName, #http_request{path = Path,
+                                     method = Method,
+                                     headers = Headers,
+                                     params = Params,
+                                     request_timeout = RequestTimeout}, ClientInfo) ->
+   request(PoolName, Method, Path, Headers, feedvar(Params, ClientInfo), RequestTimeout).
+
+-spec(is_superuser(atom(), maybe(#http_request{}), emqx_types:client()) -> boolean()).
+is_superuser(_PoolName, undefined, _ClientInfo) ->
+    false;
+is_superuser(PoolName, #http_request{path = Path,
+                                     method = Method,
+                                     headers = Headers,
+                                     params = Params,
+                                     request_timeout = RequestTimeout}, ClientInfo) ->
+    case request(PoolName, Method, Path, Headers, feedvar(Params, ClientInfo), RequestTimeout) of
+        {ok, 200, _Body}   -> true;
+        {ok, _Code, _Body} -> false;
+        {error, Error}     -> ?LOG(error, "Request superuser path ~s, error: ~p", [Path, Error]),
+                              false
+    end.
+
+mountpoint(Body, #{mountpoint := Mountpoint}) ->
+    case emqx_json:safe_decode(Body, [return_maps]) of
+        {error, _} -> Mountpoint;
+        {ok, Json} when is_map(Json) ->
+            maps:get(<<"mountpoint">>, Json, Mountpoint);
+        {ok, _NotMap} -> Mountpoint
+    end.
+
+http_to_connack_error(400) -> bad_username_or_password;
+http_to_connack_error(401) -> bad_username_or_password;
+http_to_connack_error(403) -> not_authorized;
+http_to_connack_error(429) -> banned;
+http_to_connack_error(503) -> server_unavailable;
+http_to_connack_error(504) -> server_busy;
+http_to_connack_error(_) -> server_unavailable.

apps/emqx_auth_http/src/emqx_auth_http_app.erl

@@ -0,0 +1,176 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_http_app).
+
+-behaviour(application).
+
+-emqx_plugin(auth).
+
+-include("emqx_auth_http.hrl").
+
+-export([ start/2
+        , stop/1
+        ]).
+-export([init/1]).
+
+%%--------------------------------------------------------------------
+%% Application Callbacks
+%%--------------------------------------------------------------------
+
+start(_StartType, _StartArgs) ->
+    case translate_env() of
+        ok ->
+            {ok, PoolOpts} = application:get_env(?APP, pool_opts),
+            {ok, Sup} = emqx_http_client_sup:start_link(?APP, ssl(inet(PoolOpts))),
+            with_env(auth_req, fun load_auth_hook/1),
+            with_env(acl_req,  fun load_acl_hook/1),
+            {ok, Sup};
+        {error, Reason} ->
+            {error, Reason}
+    end.
+
+load_auth_hook(AuthReq) ->
+    ok = emqx_auth_http:register_metrics(),
+    SuperReq = r(application:get_env(?APP, super_req, undefined)),
+    Params = #{auth_req   => AuthReq,
+               super_req  => SuperReq,
+               pool_name  => ?APP},
+    emqx:hook('client.authenticate', {emqx_auth_http, check, [Params]}).
+
+load_acl_hook(AclReq) ->
+    ok = emqx_acl_http:register_metrics(),
+    Params = #{acl_req   => AclReq,
+               pool_name => ?APP},
+    emqx:hook('client.check_acl', {emqx_acl_http, check_acl, [Params]}).
+
+stop(_State) ->
+    emqx:unhook('client.authenticate', {emqx_auth_http, check}),
+    emqx:unhook('client.check_acl', {emqx_acl_http, check_acl}),
+    emqx_http_client_sup:stop_pool(?APP).
+
+%%--------------------------------------------------------------------
+%% Dummy supervisor
+%%--------------------------------------------------------------------
+
+init([]) ->
+    {ok, { {one_for_all, 10, 100}, []} }.
+
+%%--------------------------------------------------------------------
+%% Internel functions
+%%--------------------------------------------------------------------
+
+with_env(Par, Fun) ->
+    case application:get_env(?APP, Par) of
+        undefined -> ok;
+        {ok, Req} -> Fun(r(Req))
+    end.
+
+r(undefined) ->
+    undefined;
+r(Config) ->
+    Headers = application:get_env(?APP, headers, []),
+    Method = proplists:get_value(method, Config, post),
+    Path    = proplists:get_value(path, Config),
+    NewHeaders = case Method =:= post orelse Method =:= put of
+        true ->
+            ContentType = proplists:get_value(content_type, Config, <<"application/x-www-form-urlencoded">>),
+            [{<<"content-type">>, ContentType} | Headers];
+        _ ->
+            Headers
+    end,
+    Params = proplists:get_value(params, Config),
+    {ok, RequestTimeout} = application:get_env(?APP, request_timeout),
+    #http_request{method = Method, path = Path, headers = NewHeaders, params = Params, request_timeout = RequestTimeout}.
+
+inet(PoolOpts) ->
+    Host = proplists:get_value(host, PoolOpts),
+    TransOpts = proplists:get_value(transport_opts, PoolOpts, []),
+    NewPoolOpts = proplists:delete(transport_opts, PoolOpts),
+    Inet = case Host of
+               {_,_,_,_} -> inet;
+               {_,_,_,_,_,_,_,_} -> inet6;
+               _ ->
+                   case inet:getaddr(Host, inet6) of
+                       {error, _} -> inet;
+                       {ok, _} -> inet6
+                   end
+           end,
+    [{transport_opts, [Inet | TransOpts]} | NewPoolOpts].
+
+ssl(PoolOpts) ->
+    case proplists:get_value(ssl, PoolOpts, []) of
+        [] ->
+            PoolOpts;
+        SSLOpts ->
+            TransOpts = proplists:get_value(transport_opts, PoolOpts, []),
+            NewPoolOpts = proplists:delete(transport_opts, PoolOpts),
+            [{transport_opts, SSLOpts ++ TransOpts}, {transport, ssl} | NewPoolOpts]
+    end.
+
+translate_env() ->
+    URLs = lists:foldl(fun(Name, Acc) ->
+                    case application:get_env(?APP, Name, []) of
+                        [] -> Acc;
+                        Env ->
+                            URL = proplists:get_value(url, Env),
+                            #{host := Host,
+                              path := Path,
+                              scheme := Scheme} = URIMap = uri_string:parse(add_default_scheme(URL)),
+                            Port = maps:get(port, URIMap, case Scheme of
+                                      "https" -> 443;
+                                      _ -> 80
+                                  end),
+                            [{Name, {Host, Port, path(Path)}} | Acc]
+                    end
+                end, [], [acl_req, auth_req, super_req]),
+    case same_host_and_port(URLs) of
+        true ->
+            [begin
+                 {ok, Req} = application:get_env(?APP, Name),
+                 application:set_env(?APP, Name, [{path, Path} | Req])
+             end || {Name, {_, _, Path}} <- URLs],
+            {_, {Host, Port, _}} = lists:last(URLs),
+            PoolOpts = application:get_env(?APP, pool_opts, []),
+            NHost = case inet:parse_address(Host) of
+                        {ok, {_,_,_,_} = Addr} -> Addr;
+                        {ok, {_,_,_,_,_,_,_,_} = Addr} -> Addr;
+                        {error, einval} -> Host
+                    end,
+            application:set_env(?APP, pool_opts, [{host, NHost}, {port, Port} | PoolOpts]),
+            ok;
+        false ->
+            {error, different_server}
+    end.
+
+same_host_and_port([_]) ->
+    true;
+same_host_and_port([{_, {Host, Port, _}}, {_, {Host, Port, _}}]) ->
+    true;
+same_host_and_port([{_, {Host, Port, _}}, URL = {_, {Host, Port, _}} | Rest]) ->
+    same_host_and_port([URL | Rest]);
+same_host_and_port(_) ->
+    false.
+
+path("") -> "/";
+path(Path) -> Path.
+
+add_default_scheme("http://" ++ _ = URL) ->
+    URL;
+add_default_scheme("https://" ++ _ = URL) ->
+    URL;
+add_default_scheme(URL) ->
+    "http://" ++ URL.

apps/emqx_auth_http/src/emqx_auth_http_cli.erl

@@ -0,0 +1,103 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_http_cli).
+
+-include("emqx_auth_http.hrl").
+
+-export([ request/6
+        , feedvar/2
+        , feedvar/3
+        ]).
+
+%%--------------------------------------------------------------------
+%% HTTP Request
+%%--------------------------------------------------------------------
+
+request(PoolName, get, Path, Headers, Params, Timeout) ->
+    NewPath = Path ++ "?" ++ binary_to_list(cow_qs:qs(bin_kw(Params))),
+    do_request(get, PoolName, {NewPath, Headers}, Timeout);
+
+request(PoolName, post, Path, Headers, Params, Timeout) ->
+    Body = case proplists:get_value(<<"content-type">>, Headers) of
+               <<"application/x-www-form-urlencoded">> ->
+                   cow_qs:qs(bin_kw(Params));
+               <<"application/json">> -> 
+                   emqx_json:encode(bin_kw(Params))
+           end,
+    do_request(post, PoolName, {Path, Headers, Body}, Timeout).
+
+do_request(Method, PoolName, Req, Timeout) ->
+    do_request(Method, PoolName, Req, Timeout, 3).
+
+%% Only retry when connection closed by keepalive
+do_request(_Method, _PoolName, _Req, _Timeout, 0) ->
+    {error, normal};
+do_request(Method, PoolName, Req, Timeout, Retry) ->
+    case emqx_http_client:request(Method, PoolName, Req, Timeout) of
+        {error, normal} ->
+            do_request(Method, PoolName, Req, Timeout, Retry - 1);
+        {error, Reason} ->
+            {error, Reason};
+        {ok, StatusCode, _Headers} ->
+            {ok, StatusCode, <<>>};
+        {ok, StatusCode, _Headers, Body} ->
+            {ok, StatusCode, Body}
+    end.
+
+%% TODO: move this conversion to cuttlefish config and schema
+bin_kw(KeywordList) when is_list(KeywordList) ->
+    [{bin(K), bin(V)} || {K, V} <- KeywordList].
+
+bin(Atom) when is_atom(Atom) ->
+    list_to_binary(atom_to_list(Atom));
+bin(Int) when is_integer(Int) ->
+    integer_to_binary(Int);
+bin(Float) when is_float(Float) ->
+    float_to_binary(Float, [{decimals, 12}, compact]);
+bin(List) when is_list(List)->
+    list_to_binary(List);
+bin(Binary) when is_binary(Binary) ->
+    Binary.
+
+%%--------------------------------------------------------------------
+%% Feed Variables
+%%--------------------------------------------------------------------
+
+feedvar(Params, ClientInfo = #{clientid := ClientId,
+                               protocol := Protocol,
+                               peerhost := Peerhost}) ->
+    lists:map(fun({Param, "%u"}) -> {Param, maps:get(username, ClientInfo, null)};
+                 ({Param, "%c"}) -> {Param, ClientId};
+                 ({Param, "%r"}) -> {Param, Protocol};
+                 ({Param, "%a"}) -> {Param, inet:ntoa(Peerhost)};
+                 ({Param, "%P"}) -> {Param, maps:get(password, ClientInfo, null)};
+                 ({Param, "%p"}) -> {Param, maps:get(sockport, ClientInfo, null)};
+                 ({Param, "%C"}) -> {Param, maps:get(cn, ClientInfo, null)};
+                 ({Param, "%d"}) -> {Param, maps:get(dn, ClientInfo, null)};
+                 ({Param, "%A"}) -> {Param, maps:get(access, ClientInfo, null)};
+                 ({Param, "%t"}) -> {Param, maps:get(topic, ClientInfo, null)};
+                 ({Param, "%m"}) -> {Param, maps:get(mountpoint, ClientInfo, null)};
+                 ({Param, Var})  -> {Param, Var}
+              end, Params).
+
+feedvar(Params, Var, Val) ->
+    lists:map(fun({Param, Var0}) when Var0 == Var ->
+                      {Param, Val};
+                 ({Param, Var0}) ->
+                      {Param, Var0}
+              end, Params).
+

apps/emqx_auth_http/src/emqx_http_client.erl

@@ -0,0 +1,256 @@
+-module(emqx_http_client).
+
+-behaviour(gen_server).
+
+-include_lib("emqx/include/logger.hrl").
+
+%% APIs
+-export([ start_link/3
+        , request/3
+        , request/4
+        ]).
+
+%% gen_server callbacks
+-export([ init/1
+        , handle_call/3
+        , handle_cast/2
+        , handle_info/2
+        , terminate/2
+        , code_change/3
+        ]).
+
+-record(state, {
+          pool      :: ecpool:poo_name(),
+          id        :: pos_integer(),
+          client    :: pid() | undefined,
+          mref      :: reference() | undefined,
+          host      :: inet:hostname() | inet:ip_address(),
+          port      :: inet:port_number(),
+          gun_opts  :: proplists:proplist(),
+          gun_state :: down | up,
+          requests  :: map()
+         }).
+
+%%--------------------------------------------------------------------
+%% APIs
+%%--------------------------------------------------------------------
+
+start_link(Pool, Id, Opts) ->
+    gen_server:start_link(?MODULE, [Pool, Id, Opts], []).
+
+request(Method, Pool, Req) ->
+    request(Method, Pool, Req, 5000).
+
+request(get, Pool, {Path, Headers}, Timeout) ->
+    call(pick(Pool), {get, {Path, Headers}, Timeout}, Timeout + 1000);
+request(Method, Pool, {Path, Headers, Body}, Timeout) ->
+    call(pick(Pool), {Method, {Path, Headers, Body}, Timeout}, Timeout + 1000).
+
+%%--------------------------------------------------------------------
+%% gen_server callbacks
+%%--------------------------------------------------------------------
+
+init([Pool, Id, Opts]) ->
+    State = #state{pool = Pool,
+                   id = Id,
+                   client = undefined,
+                   mref = undefined,
+                   host = proplists:get_value(host, Opts),
+                   port = proplists:get_value(port, Opts),
+                   gun_opts = gun_opts(Opts),
+                   gun_state = down,
+                   requests = #{}},
+    true = gproc_pool:connect_worker(Pool, {Pool, Id}),
+    {ok, State}.
+
+handle_call(Req = {_, _, _}, From, State = #state{client = undefined, gun_state = down}) ->
+    case open(State) of
+        {ok, NewState} ->
+            handle_call(Req, From, NewState);
+        {error, Reason} ->
+            {reply, {error, Reason}, State}
+    end;
+
+handle_call(Req = {_, _, Timeout}, From, State = #state{client = Client, mref = MRef, gun_state = down}) when is_pid(Client) ->
+    case gun:await_up(Client, Timeout, MRef) of
+        {ok, _} ->
+            handle_call(Req, From, State#state{gun_state = up});
+        {error, timeout} ->
+            {reply, {error, timeout}, State};
+        {error, Reason} ->
+            true = erlang:demonitor(MRef, [flush]),
+            {reply, {error, Reason}, State#state{client = undefined, mref = undefined}}
+    end;
+
+handle_call({Method, Request, Timeout}, From, State = #state{client = Client, requests = Requests, gun_state = up}) when is_pid(Client) ->
+    StreamRef = do_request(Client, Method, Request),
+    ExpirationTime = erlang:system_time(millisecond) + Timeout,
+    {noreply, State#state{requests = maps:put(StreamRef, {From, ExpirationTime, undefined}, Requests)}};
+
+handle_call(Req, _From, State) ->
+    ?LOG(error, "Unexpected call: ~p", [Req]),
+    {reply, ignored, State}.
+
+handle_cast(Msg, State) ->
+    ?LOG(error, "Unexpected cast: ~p", [Msg]),
+    {noreply, State}.
+
+handle_info({gun_response, Client, StreamRef, IsFin, StatusCode, Headers}, State = #state{client = Client, requests = Requests}) ->
+    Now = erlang:system_time(millisecond),
+    case maps:take(StreamRef, Requests) of
+        error ->
+            ?LOG(error, "Received 'gun_response' message from unknown stream ref: ~p", [StreamRef]),
+            {noreply, State};
+        {{_, ExpirationTime, _}, NRequests} when Now > ExpirationTime ->
+            gun:cancel(Client, StreamRef),
+            flush_stream(Client, StreamRef),
+            {noreply, State#state{requests = NRequests}};
+        {{From, ExpirationTime, undefined}, NRequests} ->
+            case IsFin of
+                fin ->
+                    gen_server:reply(From, {ok, StatusCode, Headers}),
+                    {noreply, State#state{requests = NRequests}};
+                nofin ->
+                    {noreply, State#state{requests = NRequests#{StreamRef => {From, ExpirationTime, {StatusCode, Headers, <<>>}}}}}
+            end;
+        _ ->
+            ?LOG(error, "Received 'gun_response' message does not match the state"),
+            {noreply, State}
+    end;
+
+handle_info({gun_data, Client, StreamRef, IsFin, Data}, State = #state{client = Client, requests = Requests}) ->
+    Now = erlang:system_time(millisecond),
+    case maps:take(StreamRef, Requests) of
+        error ->
+            ?LOG(error, "Received 'gun_data' message from unknown stream ref: ~p", [StreamRef]),
+            {noreply, State};
+        {{_, ExpirationTime, _}, NRequests} when Now > ExpirationTime ->
+            gun:cancel(Client, StreamRef),
+            flush_stream(Client, StreamRef),
+            {noreply, State#state{requests = NRequests}};
+        {{From, ExpirationTime, {StatusCode, Headers, Acc}}, NRequests} ->
+            case IsFin of
+                fin ->
+                    gen_server:reply(From, {ok, StatusCode, Headers, <<Acc/binary, Data/binary>>}),
+                    {noreply, State#state{requests = NRequests}};
+                nofin ->
+                    {noreply, State#state{requests = NRequests#{StreamRef => {From, ExpirationTime, {StatusCode, Headers, <<Acc/binary, Data/binary>>}}}}}
+            end;
+        _ ->
+            ?LOG(error, "Received 'gun_data' message does not match the state"),
+            {noreply, State}
+    end;
+
+handle_info({gun_error, Client, StreamRef, Reason}, State = #state{client = Client, requests = Requests}) ->
+    Now = erlang:system_time(millisecond),
+    case maps:take(StreamRef, Requests) of
+        error ->
+            ?LOG(error, "Received 'gun_error' message from unknown stream ref: ~p~n", [StreamRef]),
+            {noreply, State};
+        {{_, ExpirationTime, _}, NRequests} when Now > ExpirationTime ->
+            {noreply, State#state{requests = NRequests}};
+        {{From, _, _}, NRequests} ->
+            gen_server:reply(From, {error, Reason}),
+            {noreply, State#state{requests = NRequests}}
+    end;
+
+handle_info({gun_up, Client, _}, State = #state{client = Client}) ->
+    {noreply, State#state{gun_state = up}};
+
+handle_info({gun_down, Client, _, Reason, KilledStreams, _}, State = #state{client = Client, requests = Requests}) ->
+    Now = erlang:system_time(millisecond),
+    NRequests = lists:foldl(fun(StreamRef, Acc) ->
+                                case maps:take(StreamRef, Acc) of
+                                    error -> Acc;
+                                    {{_, ExpirationTime, _}, NAcc} when Now > ExpirationTime ->
+                                        NAcc;
+                                    {{From, _, _}, NAcc} ->
+                                        gen_server:reply(From, {error, Reason}),
+                                        NAcc
+                                end
+                            end, Requests, KilledStreams),
+    {noreply, State#state{gun_state = down, requests = NRequests}};
+
+handle_info({'DOWN', MRef, process, Client, Reason}, State = #state{mref = MRef, client = Client, requests = Requests}) ->
+    true = erlang:demonitor(MRef, [flush]),
+    Now = erlang:system_time(millisecond),
+    lists:foreach(fun({_, {_, ExpirationTime, _}}) when Now > ExpirationTime ->
+                      ok;
+                     ({_, {From, _, _}}) ->
+                      gen_server:reply(From, {error, Reason})
+                  end, maps:to_list(Requests)),
+    case open(State#state{requests = #{}}) of
+        {ok, NewState} ->
+            {noreply, NewState};
+        {error, Reason} ->
+            {noreply, State#state{mref = undefined, client = undefined}}
+    end;
+
+handle_info(Info, State) ->
+    ?LOG(error, "Unexpected info: ~p", [Info]),
+    {noreply, State}.
+
+terminate(_Reason, #state{pool = Pool, id = Id}) ->
+    gproc_pool:disconnect_worker(Pool, {Pool, Id}),
+    ok.
+
+code_change(_OldVsn, State, _Extra) ->
+    {ok, State}.
+
+%%--------------------------------------------------------------------
+%% Internal functions
+%%--------------------------------------------------------------------
+
+open(State = #state{host = Host, port = Port, gun_opts = GunOpts}) ->
+    case gun:open(Host, Port, GunOpts) of
+        {ok, ConnPid} when is_pid(ConnPid) ->
+            MRef = monitor(process, ConnPid),
+            {ok, State#state{mref = MRef, client = ConnPid}};
+        {error, Reason} ->
+            {error, Reason}
+    end.
+
+gun_opts(Opts) ->
+    gun_opts(Opts, #{retry => 5,
+                     retry_timeout => 1000,
+                     connect_timeout => 5000,
+                     protocols => [http],
+                     http_opts => #{keepalive => infinity}}).
+
+gun_opts([], Acc) ->
+    Acc;
+gun_opts([{retry, Retry} | Opts], Acc) ->
+    gun_opts(Opts, Acc#{retry => Retry});
+gun_opts([{retry_timeout, RetryTimeout} | Opts], Acc) ->
+    gun_opts(Opts, Acc#{retry_timeout => RetryTimeout});
+gun_opts([{connect_timeout, ConnectTimeout} | Opts], Acc) ->
+    gun_opts(Opts, Acc#{connect_timeout => ConnectTimeout});
+gun_opts([{transport, Transport} | Opts], Acc) ->
+    gun_opts(Opts, Acc#{transport => Transport});
+gun_opts([{transport_opts, TransportOpts} | Opts], Acc) ->
+    gun_opts(Opts, Acc#{transport_opts => TransportOpts});
+gun_opts([_ | Opts], Acc) ->
+    gun_opts(Opts, Acc).
+
+call(ChannPid, Msg, Timeout) ->
+    gen_server:call(ChannPid, Msg, Timeout).
+
+pick(Pool) ->
+    gproc_pool:pick_worker(Pool).
+
+do_request(Client, get, {Path, Headers}) ->
+    gun:get(Client, Path, Headers);
+do_request(Client, post, {Path, Headers, Body}) ->
+    gun:post(Client, Path, Headers, Body).
+
+flush_stream(Client, StreamRef) ->
+    receive
+        {gun_response, Client, StreamRef, _, _, _} ->
+            flush_stream(Client, StreamRef);
+        {gun_data, Client, StreamRef, _, _} ->
+            flush_stream(Client, StreamRef);
+        {gun_error, Client, StreamRef, _} ->
+            flush_stream(Client, StreamRef)
+	after 0 ->
+		ok
+	end.

apps/emqx_auth_http/src/emqx_http_client_sup.erl

@@ -0,0 +1,48 @@
+-module(emqx_http_client_sup).
+
+-behaviour(supervisor).
+
+-export([ start_link/2
+        , init/1
+        , stop_pool/1
+        ]).
+
+start_link(Pool, Opts) ->
+    supervisor:start_link(?MODULE, [Pool, Opts]).
+
+init([Pool, Opts]) ->
+    PoolSize = pool_size(Opts),
+    ok = ensure_pool(Pool, random, [{size, PoolSize}]),
+    {ok, {{one_for_one, 10, 100}, [
+        begin
+            ensure_pool_worker(Pool, {Pool, I}, I),
+            #{id => {Pool, I},
+              start => {emqx_http_client, start_link, [Pool, I, Opts]},
+              restart => transient,
+              shutdown => 5000,
+              type => worker,
+              modules => [emqx_http_client]}
+        end || I <- lists:seq(1, PoolSize)]}}.
+
+
+ensure_pool(Pool, Type, Opts) ->
+    try gproc_pool:new(Pool, Type, Opts)
+    catch
+        error:exists -> ok
+    end.
+
+ensure_pool_worker(Pool, Name, Slot) ->
+    try gproc_pool:add_worker(Pool, Name, Slot)
+    catch
+        error:exists -> ok
+    end.
+
+pool_size(Opts) ->
+    Schedulers = erlang:system_info(schedulers),
+    proplists:get_value(pool_size, Opts, Schedulers).
+
+stop_pool(Name) ->
+    Workers = gproc_pool:defined_workers(Name),
+    [gproc_pool:remove_worker(Name, WokerName) || {WokerName, _, _} <- Workers],
+    gproc_pool:delete(Name),
+    ok.

apps/emqx_auth_http/test/emqx_auth_http_SUITE.erl

@@ -0,0 +1,168 @@
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+
+-module(emqx_auth_http_SUITE).
+
+-compile(export_all).
+-compile(nowarn_export_all).
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("common_test/include/ct.hrl").
+-include_lib("eunit/include/eunit.hrl").
+
+-define(APP, emqx_auth_http).
+
+-define(USER(ClientId, Username, Protocol, Peerhost, Zone),
+        #{clientid => ClientId, username => Username, protocol => Protocol,
+          peerhost => Peerhost, zone => Zone}).
+
+-define(USER(ClientId, Username, Protocol, Peerhost, Zone, Mountpoint),
+        #{clientid => ClientId, username => Username, protocol => Protocol,
+          peerhost => Peerhost, zone => Zone, mountpoint => Mountpoint}).
+
+%%--------------------------------------------------------------------
+%% Setups
+%%--------------------------------------------------------------------
+
+all() ->
+    [{group, http_inet},
+     {group, http_inet6},
+     {group, https_inet},
+     {group, https_inet6}].
+
+groups() ->
+    Cases = emqx_ct:all(?MODULE),
+    [{Name, Cases} || Name <- [http_inet, http_inet6, https_inet, https_inet6]].
+
+init_per_group(GrpName, Cfg) ->
+    [Schema, Inet] = [list_to_atom(X) || X <- string:tokens(atom_to_list(GrpName), "_")],
+    http_auth_server:start(Schema, Inet),
+    Fun = fun(App) -> set_special_configs(App, Schema, Inet) end,
+    emqx_ct_helpers:start_apps([emqx_auth_http], Fun),
+    Cfg.
+
+end_per_group(_GrpName, _Cfg) ->
+    http_auth_server:stop(),
+    emqx_ct_helpers:stop_apps([emqx_auth_http, emqx]).
+
+set_special_configs(emqx, _Schmea, _Inet) ->
+    application:set_env(emqx, allow_anonymous, true),
+    application:set_env(emqx, enable_acl_cache, false),
+    LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
+    application:set_env(emqx, plugins_loaded_file,
+                        emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
+
+set_special_configs(emqx_auth_http, Schema, Inet) ->
+    ServerAddr = http_server(Schema, Inet),
+
+    AuthReq = #{method => get,
+                url => ServerAddr ++ "/mqtt/auth",
+                content_type => <<"application/x-www-form-urlencoded">>,
+                params => [{"clientid", "%c"}, {"username", "%u"}, {"password", "%P"}]},
+    AclReq = #{method => post,
+               url => ServerAddr ++ "/mqtt/acl",
+               content_type => <<"application/json">>,
+               params => [{"access", "%A"}, {"username", "%u"}, {"clientid", "%c"}, {"ipaddr", "%a"}, {"topic", "%t"}, {"mountpoint", "%m"}]},
+
+    Schema =:= https andalso set_https_client_opts(),
+
+    application:set_env(emqx_auth_http, auth_req, maps:to_list(AuthReq)),
+    application:set_env(emqx_auth_http, acl_req, maps:to_list(AclReq)).
+
+%% @private
+set_https_client_opts() ->
+    TransportOpts = emqx_ct_helpers:client_ssl_twoway(),
+    {ok, PoolOpts} = application:get_env(emqx_auth_http, pool_opts),
+    application:set_env(emqx_auth_http, pool_opts, [{transport_opts, TransportOpts}, {transport, ssl} | PoolOpts]).
+
+%% @private
+http_server(http, inet) -> "http://127.0.0.1:8991";
+http_server(http, inet6) -> "http://[::1]:8991";
+http_server(https, inet) -> "https://127.0.0.1:8991";
+http_server(https, inet6) -> "https://[::1]:8991".
+
+%%------------------------------------------------------------------------------
+%% Testcases
+%%------------------------------------------------------------------------------
+
+t_check_acl(_) ->
+    SuperUser = ?USER(<<"superclient">>, <<"superuser">>, mqtt, {127,0,0,1}, external),
+    deny = emqx_access_control:check_acl(SuperUser, subscribe, <<"users/testuser/1">>),
+    deny = emqx_access_control:check_acl(SuperUser, publish, <<"anytopic">>),
+
+    User1 = ?USER(<<"client1">>, <<"testuser">>, mqtt, {127,0,0,1}, external),
+    UnIpUser1 = ?USER(<<"client1">>, <<"testuser">>, mqtt, {192,168,0,4}, external),
+    UnClientIdUser1 = ?USER(<<"unkonwc">>, <<"testuser">>, mqtt, {127,0,0,1}, external),
+    UnnameUser1= ?USER(<<"client1">>, <<"unuser">>, mqtt, {127,0,0,1}, external),
+    allow = emqx_access_control:check_acl(User1, subscribe, <<"users/testuser/1">>),
+    deny = emqx_access_control:check_acl(User1, publish, <<"users/testuser/1">>),
+    deny = emqx_access_control:check_acl(UnIpUser1, subscribe, <<"users/testuser/1">>),
+    deny = emqx_access_control:check_acl(UnClientIdUser1, subscribe, <<"users/testuser/1">>),
+    deny  = emqx_access_control:check_acl(UnnameUser1, subscribe, <<"$SYS/testuser/1">>),
+
+    User2 = ?USER(<<"client2">>, <<"xyz">>, mqtt, {127,0,0,1}, external),
+    UserC = ?USER(<<"client2">>, <<"xyz">>, mqtt, {192,168,1,3}, external),
+    allow = emqx_access_control:check_acl(UserC, publish, <<"a/b/c">>),
+    deny = emqx_access_control:check_acl(User2, publish, <<"a/b/c">>),
+    deny  = emqx_access_control:check_acl(User2, subscribe, <<"$SYS/testuser/1">>).
+
+t_check_auth(_) ->
+    User1 = ?USER(<<"client1">>, <<"testuser1">>, mqtt, {127,0,0,1}, external, undefined),
+    User2 = ?USER(<<"client2">>, <<"testuser2">>, mqtt, {127,0,0,1}, exteneral, undefined),
+    User3 = ?USER(<<"client3">>, undefined, mqtt, {127,0,0,1}, exteneral, undefined),
+
+    {ok, #{auth_result := success,
+           anonymous := false,
+           is_superuser := false}} = emqx_access_control:authenticate(User1#{password => <<"pass1">>}),
+    {error, bad_username_or_password} = emqx_access_control:authenticate(User1#{password => <<"pass">>}),
+    {error, bad_username_or_password} = emqx_access_control:authenticate(User1#{password => <<>>}),
+
+    {ok, #{is_superuser := false}} = emqx_access_control:authenticate(User2#{password => <<"pass2">>}),
+    {error, bad_username_or_password} = emqx_access_control:authenticate(User2#{password => <<>>}),
+    {error, bad_username_or_password} = emqx_access_control:authenticate(User2#{password => <<"errorpwd">>}),
+
+    {error, bad_username_or_password} = emqx_access_control:authenticate(User3#{password => <<"pwd">>}).
+
+t_sub_pub(_) ->
+    ct:pal("start client"),
+    {ok, T1} = emqtt:start_link([{host, "localhost"},
+                                 {clientid, <<"client1">>},
+                                 {username, <<"testuser1">>},
+                                 {password, <<"pass1">>}]),
+    {ok, _} = emqtt:connect(T1),
+    emqtt:publish(T1, <<"topic">>, <<"body">>, [{qos, 0}, {retain, true}]),
+    timer:sleep(1000),
+    {ok, T2} = emqtt:start_link([{host, "localhost"},
+                                 {clientid, <<"client2">>},
+                                 {username, <<"testuser2">>},
+                                 {password, <<"pass2">>}]),
+    {ok, _} = emqtt:connect(T2),
+    emqtt:subscribe(T2, <<"topic">>),
+    receive
+        {publish, _Topic, Payload} ->
+            ?assertEqual(<<"body">>, Payload)
+        after 1000 -> false end,
+    emqtt:disconnect(T1),
+    emqtt:disconnect(T2).
+
+t_comment_config(_) ->
+    AuthCount = length(emqx_hooks:lookup('client.authenticate')),
+    AclCount = length(emqx_hooks:lookup('client.check_acl')),
+    application:stop(?APP),
+    [application:unset_env(?APP, Par) || Par <- [acl_req, auth_req]],
+    application:start(?APP),
+    ?assertEqual([], emqx_hooks:lookup('client.authenticate')),
+    ?assertEqual(AuthCount - 1, length(emqx_hooks:lookup('client.authenticate'))),
+    ?assertEqual(AclCount - 1, length(emqx_hooks:lookup('client.check_acl'))).
+

apps/emqx_auth_http/test/http_auth_server.erl

@@ -0,0 +1,152 @@
+-module(http_auth_server).
+
+-export([ start/2
+        , stop/0
+        ]).
+
+-define(SUPERUSER, [[{"username", "superuser"}, {"clientid", "superclient"}]]).
+
+-define(ACL, [[{<<"username">>, <<"testuser">>},
+               {<<"clientid">>, <<"client1">>},
+               {<<"access">>, <<"1">>},
+               {<<"topic">>, <<"users/testuser/1">>},
+               {<<"ipaddr">>, <<"127.0.0.1">>},
+               {<<"mountpoint">>, <<"null">>}],
+              [{<<"username">>, <<"xyz">>},
+               {<<"clientid">>, <<"client2">>},
+               {<<"access">>, <<"2">>},
+               {<<"topic">>, <<"a/b/c">>},
+               {<<"ipaddr">>, <<"192.168.1.3">>},
+               {<<"mountpoint">>, <<"null">>}],
+              [{<<"username">>, <<"testuser1">>},
+               {<<"clientid">>, <<"client1">>},
+               {<<"access">>, <<"2">>},
+               {<<"topic">>, <<"topic">>},
+               {<<"ipaddr">>, <<"127.0.0.1">>},
+               {<<"mountpoint">>, <<"null">>}],
+              [{<<"username">>, <<"testuser2">>},
+               {<<"clientid">>, <<"client2">>},
+               {<<"access">>, <<"1">>},
+               {<<"topic">>, <<"topic">>},
+               {<<"ipaddr">>, <<"127.0.0.1">>},
+               {<<"mountpoint">>, <<"null">>}]]).
+
+-define(AUTH, [[{<<"clientid">>, <<"client1">>},
+                {<<"username">>, <<"testuser1">>},
+                {<<"password">>, <<"pass1">>}],
+               [{<<"clientid">>, <<"client2">>},
+                {<<"username">>, <<"testuser2">>},
+                {<<"password">>, <<"pass2">>}]]).
+
+%%------------------------------------------------------------------------------
+%% REST Interface
+%%------------------------------------------------------------------------------
+
+-rest_api(#{ name   => auth
+           , method => 'GET'
+           , path   => "/mqtt/auth"
+           , func   => authenticate
+           , descr  => "Authenticate user access permission"
+           }).
+
+-rest_api(#{ name   => is_superuser
+           , method => 'GET'
+           , path   => "/mqtt/superuser"
+           , func   => is_superuser
+           , descr  => "Is super user"
+           }).
+
+-rest_api(#{ name   => acl
+           , method => 'GET'
+           , path   => "/mqtt/acl"
+           , func   => check_acl
+           , descr  => "Check acl"
+           }).
+
+-rest_api(#{ name   => auth
+           , method => 'POST'
+           , path   => "/mqtt/auth"
+           , func   => authenticate
+           , descr  => "Authenticate user access permission"
+           }).
+
+-rest_api(#{ name   => is_superuser
+           , method => 'POST'
+           , path   => "/mqtt/superuser"
+           , func   => is_superuser
+           , descr  => "Is super user"
+           }).
+
+-rest_api(#{ name   => acl
+           , method => 'POST'
+           , path   => "/mqtt/acl"
+           , func   => check_acl
+           , descr  => "Check acl"
+           }).
+
+-export([ authenticate/2
+        , is_superuser/2
+        , check_acl/2
+        ]).
+
+authenticate(_Binding, Params) ->
+    return(check(Params, ?AUTH)).
+
+is_superuser(_Binding, Params) ->
+    return(check(Params, ?SUPERUSER)).
+
+check_acl(_Binding, Params) ->
+    return(check(Params, ?ACL)).
+
+return(allow) -> {200, <<"allow">>};
+return(deny) -> {400, <<"deny">>}.
+
+start(http, Inet) ->
+    application:ensure_all_started(minirest),
+    Handlers = [{"/", minirest:handler(#{modules => [?MODULE]})}],
+    Dispatch = [{"/[...]", minirest, Handlers}],
+    minirest:start_http(http_auth_server, #{socket_opts => [Inet, {port, 8991}]}, Dispatch);
+
+start(https, Inet) ->
+    application:ensure_all_started(minirest),
+    Handlers = [{"/", minirest:handler(#{modules => [?MODULE]})}],
+    Dispatch = [{"/[...]", minirest, Handlers}],
+    minirest:start_https(http_auth_server, #{socket_opts => [Inet, {port, 8991} | certopts()]}, Dispatch).
+
+%% @private
+certopts() ->
+    Certfile = filename:join(["etc", "certs", "cert.pem"]),
+    Keyfile = filename:join(["etc", "certs", "key.pem"]),
+    CaCert = filename:join(["etc", "certs", "cacert.pem"]),
+    [{verify, verify_peer},
+     {certfile, emqx_ct_helpers:deps_path(emqx, Certfile)},
+     {keyfile, emqx_ct_helpers:deps_path(emqx, Keyfile)},
+     {cacertfile, emqx_ct_helpers:deps_path(emqx, CaCert)}] ++ emqx_ct_helpers:client_ssl().
+
+stop() ->
+    minirest:stop_http(http_auth_server).
+
+-spec check(HttpReqParams :: list(), DefinedConf :: list()) -> allow | deny.
+check(_Params, []) ->
+    %ct:pal("check auth_result: deny~n"),
+    deny;
+check(Params, [ConfRecord|T]) ->
+    % ct:pal("Params: ~p, ConfRecord:~p ~n", [Params, ConfRecord]),
+    case match_config(Params, ConfRecord) of
+        not_match ->
+            check(Params, T);
+        matched -> allow
+     end.
+
+match_config([], _ConfigColumn) ->
+    %ct:pal("match_config auth_result: matched~n"),
+    matched;
+
+match_config([Param|T], ConfigColumn) ->
+    %ct:pal("Param: ~p, ConfigColumn:~p ~n", [Param, ConfigColumn]),
+    case lists:member(Param, ConfigColumn) of
+        true ->
+            match_config(T, ConfigColumn);
+        false ->
+           not_match
+    end.

apps/emqx_auth_jwt/.github/workflows/run_test_cases.yaml

@@ -0,0 +1,29 @@
+name: Run test cases
+
+on: [push, pull_request]
+
+jobs:    
+    run_test_cases:
+        runs-on: ubuntu-latest
+      
+        container:
+            image: erlang:22.1
+            
+        steps:
+            - uses: actions/checkout@v1
+            - name: run test cases
+              run: |
+                make xref
+                make eunit  
+                make ct
+                make cover
+            - uses: actions/upload-artifact@v1
+              if: always()
+              with:
+                name: logs
+                path: _build/test/logs
+            - uses: actions/upload-artifact@v1
+              with:
+                name: cover
+                path: _build/test/cover
+

apps/emqx_auth_jwt/.gitignore

@@ -0,0 +1,28 @@
+.eunit
+deps
+*.o
+*.beam
+*.plt
+erl_crash.dump
+ebin
+rel/example_project
+.concrete/DEV_MODE
+.rebar
+.erlang.mk/
+emqx_auth_jwt.d
+data/
+.DS_Store
+cover/
+ct.coverdata
+eunit.coverdata
+logs/
+test/ct.cover.spec
+emq_auth_jwt.d
+erlang.mk
+_build/
+rebar.lock
+rebar3.crashdump
+etc/emqx_auth_jwt.conf.rendered
+.rebar3/
+*.swp
+Mnesia.nonode@nohost/

apps/emqx_auth_jwt/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

apps/emqx_auth_jwt/Makefile

@@ -0,0 +1,37 @@
+## shallow clone for speed
+
+REBAR_GIT_CLONE_OPTIONS += --depth 1
+export REBAR_GIT_CLONE_OPTIONS
+
+REBAR = rebar3
+all: compile
+
+compile:
+	$(REBAR) compile
+
+clean: distclean
+
+ct:
+	$(REBAR) as test ct -v
+
+eunit:
+	$(REBAR) as test eunit
+
+xref:
+	$(REBAR) xref
+
+cover:
+	$(REBAR) cover
+
+distclean:
+	@rm -rf _build
+	@rm -f data/app.*.config data/vm.*.args rebar.lock
+
+CUTTLEFISH_SCRIPT = _build/default/lib/cuttlefish/cuttlefish
+
+$(CUTTLEFISH_SCRIPT):
+	@${REBAR} get-deps
+	@if [ ! -f cuttlefish ]; then make -C _build/default/lib/cuttlefish; fi
+
+app.config: $(CUTTLEFISH_SCRIPT) etc/emqx_auth_jwt.conf
+	$(verbose) $(CUTTLEFISH_SCRIPT) -l info -e etc/ -c etc/emqx_auth_jwt.conf -i priv/emqx_auth_jwt.schema -d data

apps/emqx_auth_jwt/README.md

@@ -0,0 +1,90 @@
+
+# emqx-auth-jwt
+
+EMQ X JWT Authentication Plugin
+
+Build
+-----
+
+```
+make && make tests
+```
+
+Configure the Plugin
+--------------------
+
+File: etc/plugins/emqx_auth_jwt.conf
+
+```
+## HMAC Hash Secret.
+##
+## Value: String
+auth.jwt.secret = emqxsecret
+
+## From where the JWT string can be got
+##
+## Value: username | password
+## Default: password
+auth.jwt.from = password
+
+## RSA or ECDSA public key file.
+##
+## Value: File
+## auth.jwt.pubkey = etc/certs/jwt_public_key.pem
+
+## Enable to verify claims fields
+##
+## Value: on | off
+auth.jwt.verify_claims = off
+
+## The checklist of claims to validate
+##
+## Value: String
+## auth.jwt.verify_claims.$name = expected
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+# auth.jwt.verify_claims.username = %u
+```
+
+Load the Plugin
+---------------
+
+```
+./bin/emqx_ctl plugins load emqx_auth_jwt
+```
+
+Example
+-------
+
+```
+mosquitto_pub -t 'pub' -m 'hello' -i test -u test -P eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiYm9iIiwiYWdlIjoyOX0.bIV_ZQ8D5nQi0LT8AVkpM4Pd6wmlbpR9S8nOLJAsA8o
+```
+
+Algorithms
+----------
+
+The JWT spec supports several algorithms for cryptographic signing. This plugin currently supports:
+
+* HS256 - HMAC using SHA-256 hash algorithm
+* HS384 - HMAC using SHA-384 hash algorithm
+* HS512 - HMAC using SHA-512 hash algorithm
+
+* RS256 - RSA with the SHA-256 hash algorithm
+* RS384 - RSA with the SHA-384 hash algorithm
+* RS512 - RSA with the SHA-512 hash algorithm
+
+* ES256 - ECDSA using the P-256 curve
+* ES384 - ECDSA using the P-384 curve
+* ES512 - ECDSA using the P-512 curve
+
+License
+-------
+
+Apache License Version 2.0
+
+Author
+------
+
+EMQ X Team.

apps/emqx_auth_jwt/TODO.md

@@ -0,0 +1,2 @@
+1. Notice for the [Critical vulnerabilities in JSON Web Token](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
+

apps/emqx_auth_jwt/doc/hmac-vs-ecdsa-for-jwt.txt

@@ -0,0 +1,3 @@
+
+https://crypto.stackexchange.com/questions/30657/hmac-vs-ecdsa-for-jwt
+

apps/emqx_auth_jwt/etc/emqx_auth_jwt.conf

@@ -0,0 +1,45 @@
+##--------------------------------------------------------------------
+## JWT Auth Plugin
+##--------------------------------------------------------------------
+
+## HMAC Hash Secret.
+##
+## Value: String
+auth.jwt.secret = emqxsecret
+
+## RSA or ECDSA public key file.
+##
+## Value: File
+#auth.jwt.pubkey = etc/certs/jwt_public_key.pem
+
+## The JWKs server address
+##
+## see: http://self-issued.info/docs/draft-ietf-jose-json-web-key.html
+##
+#auth.jwt.jwks = https://127.0.0.1:8080/jwks
+
+## The JWKs refresh interval
+##
+## Value: Duration
+#auth.jwt.jwks.refresh_interval = 5m
+
+## From where the JWT string can be got
+##
+## Value: username | password
+## Default: password
+auth.jwt.from = password
+
+## Enable to verify claims fields
+##
+## Value: on | off
+auth.jwt.verify_claims = off
+
+## The checklist of claims to validate
+##
+## Value: String
+## auth.jwt.verify_claims.$name = expected
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+#auth.jwt.verify_claims.username = %u

apps/emqx_auth_jwt/priv/emqx_auth_jwt.schema

@@ -0,0 +1,49 @@
+%%-*- mode: erlang -*-
+
+{mapping, "auth.jwt.secret", "emqx_auth_jwt.secret", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.jwt.jwks", "emqx_auth_jwt.jwks", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.jwt.jwks.refresh_interval", "emqx_auth_jwt.refresh_interval", [
+  {datatype, {duration, ms}}
+]}.
+
+{mapping, "auth.jwt.from", "emqx_auth_jwt.from", [
+  {default, password},
+  {datatype, atom}
+]}.
+
+{mapping, "auth.jwt.pubkey", "emqx_auth_jwt.pubkey", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.jwt.signature_format", "emqx_auth_jwt.jwerl_opts", [
+  {default, "der"},
+  {datatype, {enum, [raw, der]}}
+]}.
+
+{mapping, "auth.jwt.verify_claims", "emqx_auth_jwt.verify_claims", [
+  {default, off},
+  {datatype, flag}
+]}.
+
+{mapping, "auth.jwt.verify_claims.$name", "emqx_auth_jwt.verify_claims", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_jwt.verify_claims", fun(Conf) ->
+    case cuttlefish:conf_get("auth.jwt.verify_claims", Conf) of
+        false -> cuttlefish:unset();
+        true ->
+            lists:foldr(
+              fun({["auth","jwt","verify_claims", Name], Value}, Acc) ->
+                      [{list_to_atom(Name), list_to_binary(Value)} | Acc];
+                 ({["auth","jwt","verify_claims"], _Value}, Acc) ->
+                      Acc
+              end, [], cuttlefish_variable:filter_by_prefix("auth.jwt.verify_claims", Conf))
+   end
+end}.

apps/emqx_auth_jwt/rebar.config

@@ -0,0 +1,25 @@
+{deps,
+ [
+  {jose, {git, "https://github.com/potatosalad/erlang-jose", {tag, "1.10.1"}}}
+ ]}.
+
+{edoc_opts, [{preprocess, true}]}.
+{erl_opts, [warn_unused_vars,
+            warn_shadow_vars,
+            warn_unused_import,
+            warn_obsolete_guard,
+            debug_info,
+            {parse_transform}]}.
+
+{xref_checks, [undefined_function_calls, undefined_functions,
+               locals_not_used, deprecated_function_calls,
+               warnings_as_errors, deprecated_functions]}.
+{cover_enabled, true}.
+{cover_opts, [verbose]}.
+{cover_export_enabled, true}.
+
+{profiles,
+ [{test,
+   [{deps, [{emqx_ct_helpers, {git, "http://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}}]}
+   ]}
+ ]}.

apps/emqx_auth_jwt/rebar.config.script

@@ -0,0 +1,54 @@
+%%-*- mode: erlang -*-
+
+DEPS = case lists:keyfind(deps, 1, CONFIG) of
+          {_, Deps} -> Deps;
+          _ -> []
+      end,
+
+ComparingFun = fun
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
+                                            is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2)    -> _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2)    -> true;
+                _Fun(_, _) -> false
+              end,
+
+SortFun = fun(T1, T2) ->
+            C = fun(T) ->
+                  [case catch list_to_integer(E) of
+                      I when is_integer(I) -> I;
+                      _ -> E
+                    end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
+                end,
+            ComparingFun(C(T1), C(T2))
+          end,
+
+VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
+
+Tags = case VTags of
+         [] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
+         _ -> VTags
+       end,
+
+LatestTag = lists:last(lists:sort(SortFun, Tags)),
+
+Branch = case os:getenv("GITHUB_RUN_ID") of
+                false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
+                _ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
+         end,
+
+GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
+                match -> {branch, Branch};
+                _ -> {tag, LatestTag}
+              end,
+
+UrlPrefix = "https://github.com/emqx/",
+
+EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
+EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
+
+NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
+
+CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
+
+CONFIG1.

apps/emqx_auth_jwt/src/emqx_auth_jwt.app.src

@@ -0,0 +1,14 @@
+{application, emqx_auth_jwt,
+ [{description, "EMQ X Authentication with JWT"},
+  {vsn, "git"},
+  {modules, []},
+  {registered, [emqx_auth_jwt_sup]},
+  {applications, [kernel,stdlib,jose]},
+  {mod, {emqx_auth_jwt_app, []}},
+  {env, []},
+  {licenses, ["Apache-2.0"]},
+  {maintainers, ["EMQ X Team <contact@emqx.io>"]},
+  {links, [{"Homepage", "https://emqx.io/"},
+           {"Github", "https://github.com/emqx/emqx-auth-jwt"}
+          ]}
+ ]}.

apps/emqx_auth_jwt/src/emqx_auth_jwt.app.src.script

@@ -0,0 +1,24 @@
+%%-*- mode: erlang -*-
+%% .app.src.script
+
+RemoveLeadingV =
+    fun(Tag) ->
+        case re:run(Tag, "^[v|e]?[0-9]\.[0-9]\.([0-9]|(rc|beta|alpha)\.[0-9])", [{capture, none}]) of
+            nomatch ->
+                re:replace(Tag, "/", "-", [{return ,list}]);
+            _ ->
+                %% if it is a version number prefixed by 'v' or 'e', then remove it
+                re:replace(Tag, "[v|e]", "", [{return ,list}])
+        end
+    end,
+
+case os:getenv("EMQX_DEPS_DEFAULT_VSN") of
+    false -> CONFIG; % env var not defined
+    []    -> CONFIG; % env var set to empty string
+    Tag ->
+       [begin
+           AppConf0 = lists:keystore(vsn, 1, AppConf, {vsn, RemoveLeadingV(Tag)}),
+           {application, App, AppConf0}
+        end || Conf = {application, App, AppConf} <- CONFIG]
+end.
+

apps/emqx_auth_jwt/src/emqx_auth_jwt.appup.src

@@ -0,0 +1,16 @@
+%% -*-: erlang -*-
+
+{VSN,
+  [
+    {"4.2.0", [
+      {restart_application, emqx_auth_jwt}
+    ]},
+    {<<".*">>, []}
+  ],
+  [
+    {"4.2.0", [
+      {restart_application, emqx_auth_jwt}
+    ]},
+    {<<".*">>, []}
+  ]
+}.

apps/emqx_auth_jwt/src/emqx_auth_jwt.erl

@@ -0,0 +1,99 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_jwt).
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("emqx/include/logger.hrl").
+
+-logger_header("[JWT]").
+
+-export([ register_metrics/0
+        , check/3
+        , description/0
+        ]).
+
+-record(auth_metrics, {
+        success = 'client.auth.success',
+        failure = 'client.auth.failure',
+        ignore = 'client.auth.ignore'
+    }).
+
+-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
+-define(METRICS(Type, K), #Type{}#Type.K).
+
+-define(AUTH_METRICS, ?METRICS(auth_metrics)).
+-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
+
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
+
+%%--------------------------------------------------------------------
+%% Authentication callbacks
+%%--------------------------------------------------------------------
+
+check(ClientInfo, AuthResult, #{pid := Pid,
+                                from := From,
+                                checklists := Checklists}) ->
+    case maps:find(From, ClientInfo) of
+        error ->
+            ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
+        {ok, undefined} ->
+            ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
+        {ok, Token} ->
+            case emqx_auth_jwt_svr:verify(Pid, Token) of
+                {error, not_found} ->
+                    ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
+                {error, not_token} ->
+                    ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
+                {error, Reason} ->
+                    ok = emqx_metrics:inc(?AUTH_METRICS(failure)),
+                    {stop, AuthResult#{auth_result => Reason, anonymous => false}};
+                {ok, Claims} ->
+                    {stop, maps:merge(AuthResult, verify_claims(Checklists, Claims, ClientInfo))}
+            end
+    end.
+
+description() -> "Authentication with JWT".
+
+%%------------------------------------------------------------------------------
+%% Verify Claims
+%%--------------------------------------------------------------------
+
+verify_claims(Checklists, Claims, ClientInfo) ->
+    case do_verify_claims(feedvar(Checklists, ClientInfo), Claims) of
+        {error, Reason} ->
+            ok = emqx_metrics:inc(?AUTH_METRICS(failure)),
+            #{auth_result => Reason, anonymous => false};
+        ok ->
+            ok = emqx_metrics:inc(?AUTH_METRICS(success)),
+            #{auth_result => success, anonymous => false, jwt_claims => Claims}
+    end.
+
+do_verify_claims([], _Claims) ->
+    ok;
+do_verify_claims([{Key, Expected} | L], Claims) ->
+    case maps:get(Key, Claims, undefined) =:= Expected of
+        true -> do_verify_claims(L, Claims);
+        false -> {error, {verify_claim_failed, Key}}
+    end.
+
+feedvar(Checklists, #{username := Username, clientid := ClientId}) ->
+    lists:map(fun({K, <<"%u">>}) -> {K, Username};
+                 ({K, <<"%c">>}) -> {K, ClientId};
+                 ({K, Expected}) -> {K, Expected}
+              end, Checklists).

apps/emqx_auth_jwt/src/emqx_auth_jwt_app.erl

@@ -0,0 +1,82 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_jwt_app).
+
+-behaviour(application).
+
+-behaviour(supervisor).
+
+-emqx_plugin(auth).
+
+-export([start/2, stop/1]).
+
+-export([init/1]).
+
+-define(APP, emqx_auth_jwt).
+
+start(_Type, _Args) ->
+    {ok, Sup} = supervisor:start_link({local, ?MODULE}, ?MODULE, []),
+
+    {ok, Pid} = start_auth_server(jwks_svr_options()),
+    ok = emqx_auth_jwt:register_metrics(),
+
+    AuthEnv0 = auth_env(),
+    AuthEnv1 = AuthEnv0#{pid => Pid},
+
+    emqx:hook('client.authenticate', {emqx_auth_jwt, check, [AuthEnv1]}),
+    {ok, Sup, AuthEnv1}.
+
+stop(AuthEnv) ->
+    emqx:unhook('client.authenticate', {emqx_auth_jwt, check, [AuthEnv]}).
+
+%%--------------------------------------------------------------------
+%% Dummy supervisor
+%%--------------------------------------------------------------------
+
+init([]) ->
+    {ok, {{one_for_all, 1, 10}, []}}.
+
+start_auth_server(Options) ->
+    Spec = #{id => jwt_svr,
+             start => {emqx_auth_jwt_svr, start_link, [Options]},
+             restart => permanent,
+             shutdown => brutal_kill,
+             type => worker,
+             modules => [emqx_auth_jwt_svr]},
+    supervisor:start_child(?MODULE, Spec).
+
+%%--------------------------------------------------------------------
+%% Internal functions
+%%--------------------------------------------------------------------
+
+auth_env() ->
+    Checklists = [{atom_to_binary(K, utf8), V}
+                  || {K, V} <- env(verify_claims, [])],
+    #{ from => env(from, password)
+     , checklists => Checklists
+     }.
+
+jwks_svr_options() ->
+    [{K, V} || {K, V}
+             <- [{secret, env(secret, undefined)},
+                 {pubkey, env(pubkey, undefined)},
+                 {jwks_addr, env(jwks, undefined)},
+                 {interval, env(refresh_interval, undefined)}],
+             V /= undefined].
+
+env(Key, Default) ->
+    application:get_env(?APP, Key, Default).

apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl

@@ -0,0 +1,222 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_jwt_svr).
+
+-behaviour(gen_server).
+
+-include_lib("emqx/include/logger.hrl").
+-include_lib("jose/include/jose_jwk.hrl").
+
+-logger_header("[JWT-SVR]").
+
+%% APIs
+-export([start_link/1]).
+
+-export([verify/2]).
+
+%% gen_server callbacks
+-export([ init/1
+        , handle_call/3
+        , handle_cast/2
+        , handle_info/2
+        , terminate/2
+        , code_change/3
+        ]).
+
+-type options() :: [option()].
+-type option() :: {secret, list()}
+                | {pubkey, list()}
+                | {jwks_addr, list()}
+                | {interval, pos_integer()}.
+
+-define(INTERVAL, 300000).
+
+-record(state, {static, remote, addr, tref, intv}).
+
+%%--------------------------------------------------------------------
+%% APIs
+%%--------------------------------------------------------------------
+
+-spec start_link(options()) -> gen_server:start_ret().
+start_link(Options) ->
+    gen_server:start_link(?MODULE, [Options], []).
+
+-spec verify(pid(), binary())
+    -> {error, term()}
+     | {ok, Payload :: map()}.
+verify(S, JwsCompacted) when is_binary(JwsCompacted) ->
+    case catch jose_jws:peek(JwsCompacted) of
+        {'EXIT', _} -> {error, not_token};
+        _ -> gen_server:call(S, {verify, JwsCompacted})
+    end.
+
+%%--------------------------------------------------------------------
+%% gen_server callbacks
+%%--------------------------------------------------------------------
+
+init([Options]) ->
+    ok = jose:json_module(jiffy),
+    {Static, Remote} = do_init_jwks(Options),
+    Intv = proplists:get_value(interval, Options, ?INTERVAL),
+    {ok, reset_timer(
+           #state{
+              static = Static,
+              remote = Remote,
+              addr = proplists:get_value(jwks_addr, Options),
+              intv = Intv})}.
+
+%% @private
+do_init_jwks(Options) ->
+    K2J = fun(K, F) ->
+              case proplists:get_value(K, Options) of
+                  undefined -> undefined;
+                  V ->
+                     try F(V) of
+                         {error, Reason} ->
+                             ?LOG(warning, "Build ~p JWK ~p failed: {error, ~p}~n",
+                                  [K, V, Reason]),
+                             undefined;
+                         J -> J
+                     catch T:R:_ ->
+                         ?LOG(warning, "Build ~p JWK ~p failed: {~p, ~p}~n",
+                              [K, V, T, R]),
+                         undefined
+                     end
+              end
+          end,
+    OctJwk = K2J(secret, fun(V) ->
+                             jose_jwk:from_oct(list_to_binary(V))
+                         end),
+    PemJwk = K2J(pubkey, fun jose_jwk:from_pem_file/1),
+    Remote = K2J(jwks_addr, fun request_jwks/1),
+    {[J ||J <- [OctJwk, PemJwk], J /= undefined], Remote}.
+
+handle_call({verify, JwsCompacted}, _From, State) ->
+    handle_verify(JwsCompacted, State);
+
+handle_call(_Req, _From, State) ->
+    {reply, ok, State}.
+
+handle_cast(_Msg, State) ->
+    {noreply, State}.
+
+handle_info({timeout, _TRef, refresh}, State = #state{addr = Addr}) ->
+    NState = try
+                 State#state{remote = request_jwks(Addr)}
+             catch _:_ ->
+                 State
+             end,
+    {noreply, reset_timer(NState)};
+
+handle_info(_Info, State) ->
+    {noreply, State}.
+
+terminate(_Reason, State) ->
+    _ = cancel_timer(State),
+    ok.
+
+code_change(_OldVsn, State, _Extra) ->
+    {ok, State}.
+
+%%--------------------------------------------------------------------
+%% Internal funcs
+%%--------------------------------------------------------------------
+
+handle_verify(JwsCompacted,
+              State = #state{static = Static, remote = Remote}) ->
+    try
+        Jwks = case emqx_json:decode(jose_jws:peek_protected(JwsCompacted), [return_maps]) of
+                   #{<<"kid">> := Kid} ->
+                       [J || J <- Remote, maps:get(<<"kid">>, J#jose_jwk.fields, undefined) =:= Kid];
+                   _ -> Static
+               end,
+        case Jwks of
+            [] -> {reply, {error, not_found}, State};
+            _ ->
+                {reply, do_verify(JwsCompacted, Jwks), State}
+        end
+    catch
+        _:_ ->
+            {reply, {error, invalid_signature}, State}
+    end.
+
+request_jwks(Addr) ->
+    case httpc:request(get, {Addr, []}, [], [{body_format, binary}]) of
+        {error, Reason} ->
+            error(Reason);
+        {ok, {_Code, _Headers, Body}} ->
+            try
+                JwkSet = jose_jwk:from(emqx_json:decode(Body, [return_maps])),
+                {_, Jwks} = JwkSet#jose_jwk.keys, Jwks
+            catch _:_ ->
+                ?LOG(error, "Invalid jwks server response: ~p~n", [Body]),
+                error(badarg)
+            end
+    end.
+
+reset_timer(State = #state{addr = undefined}) ->
+    State;
+reset_timer(State = #state{intv = Intv}) ->
+    State#state{tref = erlang:start_timer(Intv, self(), refresh)}.
+
+cancel_timer(State = #state{tref = undefined}) ->
+    State;
+cancel_timer(State = #state{tref = TRef}) ->
+    erlang:cancel_timer(TRef),
+    State#state{tref = undefined}.
+
+do_verify(_JwsCompated, []) ->
+    {error, invalid_signature};
+do_verify(JwsCompacted, [Jwk|More]) ->
+    case jose_jws:verify(Jwk, JwsCompacted) of
+        {true, Payload, _Jws} ->
+            Claims = emqx_json:decode(Payload, [return_maps]),
+            case check_claims(Claims) of
+                false ->
+                    {error, invalid_signature};
+                NClaims ->
+                    {ok, NClaims}
+            end;
+        {false, _, _} ->
+            do_verify(JwsCompacted, More)
+    end.
+
+check_claims(Claims) ->
+    Now = os:system_time(seconds),
+    Checker = [{<<"exp">>, fun(ExpireTime) ->
+                               Now < ExpireTime
+                           end},
+               {<<"iat">>, fun(IssueAt) ->
+                               IssueAt =< Now
+                           end},
+               {<<"nbf">>, fun(NotBefore) ->
+                               NotBefore =< Now
+                           end}
+              ],
+    do_check_claim(Checker, Claims).
+
+do_check_claim([], Claims) ->
+    Claims;
+do_check_claim([{K, F}|More], Claims) ->
+    case maps:take(K, Claims) of
+        error -> do_check_claim(More, Claims);
+        {V, NClaims} ->
+            case F(V) of
+                true -> do_check_claim(More, NClaims);
+                _ -> false
+            end
+    end.

apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl

@@ -0,0 +1,142 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_jwt_SUITE).
+
+-compile(export_all).
+-compile(nowarn_export_all).
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+-define(APP, emqx_auth_jwt).
+
+all() ->
+    [{group, emqx_auth_jwt}].
+
+groups() ->
+    [{emqx_auth_jwt, [sequence], [ t_check_auth
+                                 , t_check_claims
+                                 , t_check_claims_clientid
+                                 , t_check_claims_username
+                                 ]}
+    ].
+
+init_per_suite(Config) ->
+    emqx_ct_helpers:start_apps([emqx, emqx_auth_jwt], fun set_special_configs/1),
+    Config.
+
+end_per_suite(_Config) ->
+    emqx_ct_helpers:stop_apps([emqx_auth_jwt, emqx]).
+
+set_special_configs(emqx) ->
+    application:set_env(emqx, allow_anonymous, false),
+    application:set_env(emqx, acl_nomatch, deny),
+    application:set_env(emqx, enable_acl_cache, false),
+    LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
+    AclFilePath = filename:join(["test", "emqx_SUITE_data", "acl.conf"]),
+    application:set_env(emqx, plugins_loaded_file,
+                        emqx_ct_helpers:deps_path(emqx, LoadedPluginPath)),
+    application:set_env(emqx, acl_file,
+                        emqx_ct_helpers:deps_path(emqx, AclFilePath));
+
+set_special_configs(emqx_auth_jwt) ->
+    application:set_env(emqx_auth_jwt, secret, "emqxsecret"),
+    application:set_env(emqx_auth_jwt, from, password);
+
+set_special_configs(_) ->
+    ok.
+
+sign(Payload, Alg, Key) ->
+    Jwk = jose_jwk:from_oct(Key),
+    Jwt = emqx_json:encode(Payload),
+    {_, Token} = jose_jws:compact(jose_jwt:sign(Jwk, #{<<"alg">> => Alg}, Jwt)),
+    Token.
+
+%%------------------------------------------------------------------------------
+%% Testcases
+%%------------------------------------------------------------------------------
+
+t_check_auth(_) ->
+    Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external},
+    Jwt = sign([{clientid, <<"client1">>},
+                {username, <<"plain">>},
+                {exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
+    ct:pal("Jwt: ~p~n", [Jwt]),
+
+    Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
+    ct:pal("Auth result: ~p~n", [Result0]),
+    ?assertMatch({ok, #{auth_result := success, jwt_claims := #{<<"clientid">> := <<"client1">>}}}, Result0),
+
+    ct:sleep(3100),
+    Result1 = emqx_access_control:authenticate(Plain#{password => Jwt}),
+    ct:pal("Auth result after 1000ms: ~p~n", [Result1]),
+    ?assertMatch({error, _}, Result1),
+
+    Jwt_Error = sign([{client_id, <<"client1">>},
+                      {username, <<"plain">>}], <<"HS256">>, <<"secret">>),
+    ct:pal("invalid jwt: ~p~n", [Jwt_Error]),
+    Result2 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
+    ct:pal("Auth result for the invalid jwt: ~p~n", [Result2]),
+    ?assertEqual({error, invalid_signature}, Result2),
+    ?assertMatch({error, _}, emqx_access_control:authenticate(Plain#{password => <<"asd">>})).
+
+t_check_claims(_) ->
+    application:set_env(emqx_auth_jwt, verify_claims, [{sub, <<"value">>}]),
+    Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external},
+    Jwt = sign([{client_id, <<"client1">>},
+                {username, <<"plain">>},
+                {sub, value},
+                {exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
+    Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
+    ct:pal("Auth result: ~p~n", [Result0]),
+    ?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
+    Jwt_Error = sign([{clientid, <<"client1">>},
+                       {username, <<"plain">>}], <<"HS256">>, <<"secret">>),
+    Result2 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
+    ct:pal("Auth result for the invalid jwt: ~p~n", [Result2]),
+    ?assertEqual({error, invalid_signature}, Result2).
+
+t_check_claims_clientid(_) ->
+    application:set_env(emqx_auth_jwt, verify_claims, [{clientid, <<"%c">>}]),
+    Plain = #{clientid => <<"client23">>, username => <<"plain">>, zone => external},
+    Jwt = sign([{client_id, <<"client23">>},
+                {username, <<"plain">>},
+                {exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
+    Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
+    ct:pal("Auth result: ~p~n", [Result0]),
+    ?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
+    Jwt_Error = sign([{clientid, <<"client1">>},
+                      {username, <<"plain">>}], <<"HS256">>, <<"secret">>),
+    Result2 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
+    ct:pal("Auth result for the invalid jwt: ~p~n", [Result2]),
+    ?assertEqual({error, invalid_signature}, Result2).
+
+t_check_claims_username(_) ->
+    application:set_env(emqx_auth_jwt, verify_claims, [{username, <<"%u">>}]),
+    Plain = #{clientid => <<"client23">>, username => <<"plain">>, zone => external},
+    Jwt = sign([{client_id, <<"client23">>},
+                {username, <<"plain">>},
+                {exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
+    Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
+    ct:pal("Auth result: ~p~n", [Result0]),
+    ?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
+    Jwt_Error = sign([{clientid, <<"client1">>},
+                      {username, <<"plain">>}], <<"HS256">>, <<"secret">>),
+    Result3 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
+    ct:pal("Auth result for the invalid jwt: ~p~n", [Result3]),
+    ?assertEqual({error, invalid_signature}, Result3).

apps/emqx_auth_ldap/.ci/docker-compose.yml

@@ -0,0 +1,26 @@
+version: '3'
+
+services:
+  erlang:
+    image: erlang:22.1
+    volumes:
+      - ../:/emqx_auth_ldap
+    networks:
+      - emqx_bridge
+    depends_on:
+      - ldap_server
+    tty: true
+
+  ldap_server:
+    build: ./emqx-ldap
+    image: emqx-ldap:1.0
+    restart: always
+    ports:
+      - 389:389
+      - 636:636
+    networks:
+      - emqx_bridge
+
+networks:
+  emqx_bridge:
+    driver: bridge

apps/emqx_auth_ldap/.ci/emqx-ldap/Dockerfile

@@ -0,0 +1,26 @@
+FROM buildpack-deps:stretch
+
+ENV VERSION=2.4.50
+
+RUN apt-get update && apt-get install -y groff groff-base
+RUN wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-${VERSION}.tgz \
+    && gunzip -c openldap-${VERSION}.tgz | tar xvfB - \
+    && cd openldap-${VERSION} \
+    && ./configure && make depend && make && make install \
+    && cd .. && rm -rf  openldap-${VERSION}
+
+COPY ./slapd.conf /usr/local/etc/openldap/slapd.conf
+COPY ./emqx.io.ldif /usr/local/etc/openldap/schema/emqx.io.ldif
+COPY ./emqx.schema /usr/local/etc/openldap/schema/emqx.schema
+COPY ./*.pem /usr/local/etc/openldap/
+
+RUN mkdir -p /usr/local/etc/openldap/data \
+    && slapadd -l /usr/local/etc/openldap/schema/emqx.io.ldif -f /usr/local/etc/openldap/slapd.conf
+
+WORKDIR /usr/local/etc/openldap
+
+EXPOSE 389 636
+
+ENTRYPOINT ["/usr/local/libexec/slapd", "-h", "ldap:/// ldaps:///", "-d", "3", "-f", "/usr/local/etc/openldap/slapd.conf"]
+
+CMD []

apps/emqx_auth_ldap/.ci/emqx-ldap/slapd.conf

@@ -0,0 +1,16 @@
+include         /usr/local/etc/openldap/schema/core.schema
+include         /usr/local/etc/openldap/schema/cosine.schema
+include         /usr/local/etc/openldap/schema/inetorgperson.schema
+include         /usr/local/etc/openldap/schema/ppolicy.schema
+include         /usr/local/etc/openldap/schema/emqx.schema
+
+TLSCACertificateFile  /usr/local/etc/openldap/cacert.pem
+TLSCertificateFile    /usr/local/etc/openldap/cert.pem
+TLSCertificateKeyFile /usr/local/etc/openldap/key.pem
+
+database bdb
+suffix "dc=emqx,dc=io"
+rootdn "cn=root,dc=emqx,dc=io"
+rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W
+
+directory       /usr/local/etc/openldap/data

apps/emqx_auth_ldap/.github/workflows/run_test_cases.yaml

@@ -0,0 +1,49 @@
+name: Run test cases
+
+on: [push, pull_request]
+
+jobs:
+    run_test_cases:
+        runs-on: ubuntu-latest
+
+        strategy:
+            matrix:
+                network_type:
+                    - ipv4
+                    - ipv6
+
+        steps:
+            - name: install docker-compose
+              run: |
+                sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+                sudo chmod +x /usr/local/bin/docker-compose
+            - uses: actions/checkout@v1
+            - name: prepare
+              env:
+                  NETWORK_TYPE: ${{ matrix.network_type }}
+              run: |
+                set -e -x -u
+                cp ./emqx.io.ldif ./emqx.schema ./.ci/emqx-ldap
+                cp ./test/certs/* ./.ci/emqx-ldap
+                docker-compose -f ./.ci/docker-compose.yml -p tests build
+                if [ "$NETWORK_TYPE" = "ipv6" ];then docker network create --driver bridge --ipv6 --subnet fd15:555::/64  tests_emqx_bridge --attachable; fi
+                docker-compose -f ./.ci/docker-compose.yml -p tests up -d
+                if [ "$NETWORK_TYPE" != "ipv6" ];then
+                    docker exec -i tests_erlang_1 sh -c "sed -i '/auth.ldap.servers/c auth.ldap.servers = ldap_server' ./emqx_auth_ldap/etc/emqx_auth_ldap.conf"
+                else
+                    ipv6_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' $(docker ps -a -f name=tests_ldap_server_1 -q))
+                    docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "sed -i '/auth.ldap.servers/c auth.ldap.servers = $ipv6_address' /emqx_auth_ldap/etc/emqx_auth_ldap.conf"
+                fi
+            - name: run test cases
+              run: |
+                set -e -x -u
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap xref"
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap eunit"
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap ct"
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap cover"
+            - uses: actions/upload-artifact@v1
+              if: failure()
+              with:
+                name: logs_${{ matrix.network_type }}
+                path: _build/test/logs
+

apps/emqx_auth_ldap/.gitignore

@@ -0,0 +1,25 @@
+.eunit
+deps
+*.o
+*.beam
+*.plt
+erl_crash.dump
+ebin
+rel/example_project
+.concrete/DEV_MODE
+.rebar
+.erlang.mk/
+emqx_auth_ldap.d
+data/
+cover/
+ct.coverdata
+eunit.coverdata
+logs/
+test/ct.cover.spec
+.DS_Store
+_build/
+rebar.lock
+erlang.mk
+rebar3.crashdump
+.rebar3/
+etc/emqx_auth_ldap.conf.rendered

apps/emqx_auth_ldap/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

apps/emqx_auth_ldap/Makefile

@@ -0,0 +1,35 @@
+## shallow clone for speed
+
+REBAR_GIT_CLONE_OPTIONS += --depth 1
+export REBAR_GIT_CLONE_OPTIONS
+
+REBAR = rebar3
+all: compile
+
+
+compile:
+	$(REBAR) compile
+
+ct: compile
+	$(REBAR) as test ct -v
+
+eunit: compile
+	$(REBAR) as test eunit
+
+xref:
+	$(REBAR) xref
+
+cover:
+	$(REBAR) cover
+
+clean:
+	@rm -rf _build
+	@rm -f data/app.*.config data/vm.*.args rebar.lock
+CUTTLEFISH_SCRIPT = _build/default/lib/cuttlefish/cuttlefish
+
+$(CUTTLEFISH_SCRIPT):
+	@${REBAR} get-deps
+	@if [ ! -f cuttlefish ]; then make -C _build/default/lib/cuttlefish; fi
+
+app.config: $(CUTTLEFISH_SCRIPT) etc/emqx_auth_ldap.conf
+	$(verbose) $(CUTTLEFISH_SCRIPT) -l info -e etc/ -c etc/emqx_auth_ldap.conf -i priv/emqx_auth_ldap.schema -d data

apps/emqx_auth_ldap/README.md

@@ -0,0 +1,96 @@
+emqx_auth_ldap
+==============
+
+EMQ X LDAP Authentication Plugin
+
+Build
+-----
+
+```
+make
+```
+
+Load the Plugin
+---------------
+
+```
+# ./bin/emqx_ctl plugins load emqx_auth_ldap
+```
+
+Generate Password
+---------------
+
+```
+slappasswd -h '{ssha}' -s public
+```
+
+Configuration Open LDAP
+-----------------------
+
+vim /etc/openldap/slapd.conf
+
+```
+include         /etc/openldap/schema/core.schema
+include         /etc/openldap/schema/cosine.schema
+include         /etc/openldap/schema/inetorgperson.schema
+include         /etc/openldap/schema/ppolicy.schema
+include         /etc/openldap/schema/emqx.schema
+
+database bdb
+suffix "dc=emqx,dc=io"
+rootdn "cn=root,dc=emqx,dc=io"
+rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W
+
+directory       /etc/openldap/data
+```
+
+If the ldap launched with error below:
+```
+Unrecognized database type (bdb)
+5c4a72b9 slapd.conf: line 7: <database> failed init (bdb)
+slapadd: bad configuration file!
+```
+
+Insert lines to the slapd.conf
+```
+modulepath /usr/lib/ldap
+moduleload back_bdb.la
+```
+
+Import EMQX User Data
+----------------------
+
+Use ldapadd
+```
+# ldapadd -x -D "cn=root,dc=emqx,dc=io" -w public -f emqx.com.ldif
+```
+
+Use slapadd
+```
+# sudo slapadd -l schema/emqx.io.ldif -f slapd.conf
+```
+
+Launch slapd
+```
+# sudo slapd -d 3
+```
+
+Test
+-----
+After configure slapd correctly and launch slapd successfully.
+You could execute
+
+``` bash
+# make tests
+```
+
+License
+-------
+
+Apache License Version 2.0
+
+Author
+------
+
+EMQ X Team.
+

apps/emqx_auth_ldap/emqx.io.ldif

@@ -0,0 +1,135 @@
+## create emqx.io
+
+dn:dc=emqx,dc=io
+objectclass: top
+objectclass: dcobject
+objectclass: organization
+dc:emqx
+o:emqx,Inc.
+
+# create testdevice.emqx.io
+dn:ou=testdevice,dc=emqx,dc=io
+objectClass: top
+objectclass:organizationalUnit
+ou:testdevice
+
+# create user admin
+dn:uid=admin,ou=testdevice,dc=emqx,dc=io
+objectClass: top
+objectClass: simpleSecurityObject
+objectClass: account
+userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9
+uid: admin
+
+## create user=mqttuser0001,
+#         password=mqttuser0001,
+#         passhash={SHA}mlb3fat40MKBTXUVZwCKmL73R/0=
+#         base64passhash=e1NIQX1tbGIzZmF0NDBNS0JUWFVWWndDS21MNzNSLzA9
+dn:uid=mqttuser0001,ou=testdevice,dc=emqx,dc=io
+objectClass: top
+objectClass: mqttUser
+objectClass: mqttDevice
+objectClass: mqttSecurity
+uid: mqttuser0001
+isEnabled: TRUE
+mqttAccountName: user1
+mqttPublishTopic: mqttuser0001/pub/1
+mqttPublishTopic: mqttuser0001/pub/+
+mqttPublishTopic: mqttuser0001/pub/#
+mqttSubscriptionTopic: mqttuser0001/sub/1
+mqttSubscriptionTopic: mqttuser0001/sub/+
+mqttSubscriptionTopic: mqttuser0001/sub/#
+mqttPubSubTopic: mqttuser0001/pubsub/1
+mqttPubSubTopic: mqttuser0001/pubsub/+
+mqttPubSubTopic: mqttuser0001/pubsub/#
+userPassword:: e1NIQX1tbGIzZmF0NDBNS0JUWFVWWndDS21MNzNSLzA9
+
+## create user=mqttuser0002
+#         password=mqttuser0002,
+#         passhash={SSHA}n9XdtoG4Q/TQ3TQF4Y+khJbMBH4qXj4M
+#         base64passhash=e1NTSEF9bjlYZHRvRzRRL1RRM1RRRjRZK2toSmJNQkg0cVhqNE0=
+dn:uid=mqttuser0002,ou=testdevice,dc=emqx,dc=io
+objectClass: top
+objectClass: mqttUser
+objectClass: mqttDevice
+objectClass: mqttSecurity
+uid: mqttuser0002
+isEnabled: TRUE
+mqttAccountName: user2
+mqttPublishTopic: mqttuser0002/pub/1
+mqttPublishTopic: mqttuser0002/pub/+
+mqttPublishTopic: mqttuser0002/pub/#
+mqttSubscriptionTopic: mqttuser0002/sub/1
+mqttSubscriptionTopic: mqttuser0002/sub/+
+mqttSubscriptionTopic: mqttuser0002/sub/#
+mqttPubSubTopic: mqttuser0002/pubsub/1
+mqttPubSubTopic: mqttuser0002/pubsub/+
+mqttPubSubTopic: mqttuser0002/pubsub/#
+userPassword:: e1NTSEF9bjlYZHRvRzRRL1RRM1RRRjRZK2toSmJNQkg0cVhqNE0=
+
+## create user mqttuser0003
+#         password=mqttuser0003,
+#         passhash={MD5}ybsPGoaK3nDyiQvveiCOIw==
+#         base64passhash=e01ENX15YnNQR29hSzNuRHlpUXZ2ZWlDT0l3PT0=
+dn:uid=mqttuser0003,ou=testdevice,dc=emqx,dc=io
+objectClass: top
+objectClass: mqttUser
+objectClass: mqttDevice
+objectClass: mqttSecurity
+uid: mqttuser0003
+isEnabled: TRUE
+mqttPublishTopic: mqttuser0003/pub/1
+mqttPublishTopic: mqttuser0003/pub/+
+mqttPublishTopic: mqttuser0003/pub/#
+mqttSubscriptionTopic: mqttuser0003/sub/1
+mqttSubscriptionTopic: mqttuser0003/sub/+
+mqttSubscriptionTopic: mqttuser0003/sub/#
+mqttPubSubTopic: mqttuser0003/pubsub/1
+mqttPubSubTopic: mqttuser0003/pubsub/+
+mqttPubSubTopic: mqttuser0003/pubsub/#
+userPassword:: e01ENX15YnNQR29hSzNuRHlpUXZ2ZWlDT0l3PT0=
+
+## create user mqttuser0004
+#         password=mqttuser0004,
+#         passhash={MD5}2Br6pPDSEDIEvUlu9+s+MA==
+#         base64passhash=e01ENX0yQnI2cFBEU0VESUV2VWx1OStzK01BPT0=
+dn:uid=mqttuser0004,ou=testdevice,dc=emqx,dc=io
+objectClass: top
+objectClass: mqttUser
+objectClass: mqttDevice
+objectClass: mqttSecurity
+uid: mqttuser0004
+isEnabled: TRUE
+mqttPublishTopic: mqttuser0004/pub/1
+mqttPublishTopic: mqttuser0004/pub/+
+mqttPublishTopic: mqttuser0004/pub/#
+mqttSubscriptionTopic: mqttuser0004/sub/1
+mqttSubscriptionTopic: mqttuser0004/sub/+
+mqttSubscriptionTopic: mqttuser0004/sub/#
+mqttPubSubTopic: mqttuser0004/pubsub/1
+mqttPubSubTopic: mqttuser0004/pubsub/+
+mqttPubSubTopic: mqttuser0004/pubsub/#
+userPassword: {MD5}2Br6pPDSEDIEvUlu9+s+MA==
+
+## create user mqttuser0005
+#         password=mqttuser0005,
+#         passhash={SHA}jKnxeEDGR14kE8AR7yuVFOelhz4=
+#         base64passhash=e1NIQX1qS254ZUVER1IxNGtFOEFSN3l1VkZPZWxoejQ9
+objectClass: top
+dn:uid=mqttuser0005,ou=testdevice,dc=emqx,dc=io
+objectClass: mqttUser
+objectClass: mqttDevice
+objectClass: mqttSecurity
+uid: mqttuser0005
+isEnabled: TRUE
+mqttPublishTopic: mqttuser0005/pub/1
+mqttPublishTopic: mqttuser0005/pub/+
+mqttPublishTopic: mqttuser0005/pub/#
+mqttSubscriptionTopic: mqttuser0005/sub/1
+mqttSubscriptionTopic: mqttuser0005/sub/+
+mqttSubscriptionTopic: mqttuser0005/sub/#
+mqttPubSubTopic: mqttuser0005/pubsub/1
+mqttPubSubTopic: mqttuser0005/pubsub/+
+mqttPubSubTopic: mqttuser0005/pubsub/#
+userPassword: {SHA}jKnxeEDGR14kE8AR7yuVFOelhz4=
+

apps/emqx_auth_ldap/emqx.schema

@@ -0,0 +1,46 @@
+#
+# Preliminary Apple OS X Native LDAP Schema
+# This file is subject to change.
+#
+attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.1.3 NAME 'isEnabled'
+	EQUALITY booleanMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
+	SINGLE-VALUE
+	USAGE userApplications )
+
+attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.1 NAME ( 'mqttPublishTopic' 'mpt' )
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	USAGE userApplications )
+attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.2 NAME ( 'mqttSubscriptionTopic' 'mst' )
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	USAGE userApplications )
+attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.3 NAME ( 'mqttPubSubTopic' 'mpst' )
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	USAGE userApplications )
+attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.4 NAME ( 'mqttAccountName' 'man' )
+	EQUALITY caseIgnoreMatch
+	SUBSTR caseIgnoreSubstringsMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+	USAGE userApplications )
+
+
+objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4 NAME 'mqttUser'
+	AUXILIARY
+	MAY ( mqttPublishTopic $ mqttSubscriptionTopic $ mqttPubSubTopic $ mqttAccountName) )
+
+objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2 NAME 'mqttDevice'
+	SUP top
+	STRUCTURAL
+	MUST ( uid )
+	MAY ( isEnabled ) )
+
+objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.3 NAME 'mqttSecurity'
+	SUP top
+	AUXILIARY
+	MAY ( userPassword $ userPKCS12 $ pwdAttribute $ pwdLockout ) )

apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf

@@ -0,0 +1,78 @@
+##--------------------------------------------------------------------
+## LDAP Auth Plugin
+##--------------------------------------------------------------------
+
+## LDAP server list, seperated by ','.
+##
+## Value: String
+auth.ldap.servers = 127.0.0.1
+
+## LDAP server port.
+##
+## Value: Port
+auth.ldap.port = 389
+
+## LDAP pool size
+##
+## Value: String
+auth.ldap.pool = 8
+
+## LDAP Bind DN.
+##
+## Value: DN
+auth.ldap.bind_dn = cn=root,dc=emqx,dc=io
+
+## LDAP Bind Password.
+##
+## Value: String
+auth.ldap.bind_password = public
+
+## LDAP query timeout.
+##
+## Value: Number
+auth.ldap.timeout = 30s
+
+## Device DN.
+##
+## Variables:
+##
+## Value: DN
+auth.ldap.device_dn = ou=device,dc=emqx,dc=io
+
+## Specified ObjectClass
+##
+## Variables:
+##
+## Value: string
+auth.ldap.match_objectclass = mqttUser
+
+## attributetype for username
+##
+## Variables:
+##
+## Value: string
+auth.ldap.username.attributetype = uid
+
+## attributetype for password
+##
+## Variables:
+##
+## Value: string
+auth.ldap.password.attributetype = userPassword
+
+## Whether to enable SSL.
+##
+## Value: true | false
+auth.ldap.ssl = false
+
+#auth.ldap.ssl.certfile = etc/certs/cert.pem
+
+#auth.ldap.ssl.keyfile = etc/certs/key.pem
+
+#auth.ldap.ssl.cacertfile = etc/certs/cacert.pem
+
+#auth.ldap.ssl.verify = verify_peer
+
+#auth.ldap.ssl.fail_if_no_peer_cert = true
+
+#auth.ldap.ssl.server_name_indication = your_server_name

apps/emqx_auth_ldap/include/emqx_auth_ldap.hrl

@@ -0,0 +1,23 @@
+
+-define(APP, emqx_auth_ldap).
+
+-record(auth_metrics, {
+        success = 'client.auth.success',
+        failure = 'client.auth.failure',
+        ignore = 'client.auth.ignore'
+    }).
+
+-record(acl_metrics, {
+        allow = 'client.acl.allow',
+        deny = 'client.acl.deny',
+        ignore = 'client.acl.ignore'
+    }).
+
+-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
+-define(METRICS(Type, K), #Type{}#Type.K).
+
+-define(AUTH_METRICS, ?METRICS(auth_metrics)).
+-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
+
+-define(ACL_METRICS, ?METRICS(acl_metrics)).
+-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

apps/emqx_auth_ldap/priv/emqx_auth_ldap.schema

@@ -0,0 +1,176 @@
+%%-*- mode: erlang -*-
+%% emqx_auth_ldap config mapping
+
+{mapping, "auth.ldap.servers", "emqx_auth_ldap.ldap", [
+  {default, "127.0.0.1"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.ldap.port", "emqx_auth_ldap.ldap", [
+  {default, 389},
+  {datatype, integer}
+]}.
+
+{mapping, "auth.ldap.pool", "emqx_auth_ldap.ldap", [
+  {default, 8},
+  {datatype, integer}
+]}.
+
+{mapping, "auth.ldap.bind_dn", "emqx_auth_ldap.ldap", [
+  {datatype, string},
+  {default, "cn=root,dc=emqx,dc=io"}
+]}.
+
+{mapping, "auth.ldap.bind_password", "emqx_auth_ldap.ldap", [
+  {datatype, string},
+  {default, "public"}
+]}.
+
+{mapping, "auth.ldap.timeout", "emqx_auth_ldap.ldap", [
+  {default, "30s"},
+  {datatype, {duration, ms}}
+]}.
+
+{mapping, "auth.ldap.ssl", "emqx_auth_ldap.ldap", [
+  {default, false},
+  {datatype, {enum, [true, false]}}
+]}.
+
+{mapping, "auth.ldap.ssl.certfile", "emqx_auth_ldap.ldap", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.ldap.ssl.keyfile", "emqx_auth_ldap.ldap", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.ldap.ssl.cacertfile", "emqx_auth_ldap.ldap", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.ldap.ssl.verify", "emqx_auth_ldap.ldap", [
+  {default, verify_none},
+  {datatype, {enum, [verify_none, verify_peer]}}
+]}.
+
+{mapping, "auth.ldap.ssl.fail_if_no_peer_cert", "emqx_auth_ldap.ldap", [
+  {datatype, {enum, [true, false]}}
+]}.
+
+{mapping, "auth.ldap.ssl.server_name_indication", "emqx_auth_ldap.ldap", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_ldap.ldap", fun(Conf) ->
+    A2N = fun(A) -> case inet:parse_address(A) of {ok, N} -> N; _ -> A end end,
+    Servers = [A2N(A) || A <- string:tokens(cuttlefish:conf_get("auth.ldap.servers", Conf), ",")],
+    Port = cuttlefish:conf_get("auth.ldap.port", Conf),
+    Pool = cuttlefish:conf_get("auth.ldap.pool", Conf),
+    BindDN = cuttlefish:conf_get("auth.ldap.bind_dn", Conf),
+    BindPassword = cuttlefish:conf_get("auth.ldap.bind_password", Conf),
+    Timeout = cuttlefish:conf_get("auth.ldap.timeout", Conf),
+    Filter = fun(Ls) -> [E || E = {_, V} <- Ls, V /= undefined]end,
+    SslOpts = fun() ->
+                [{certfile, cuttlefish:conf_get("auth.ldap.ssl.certfile", Conf)},
+                 {keyfile, cuttlefish:conf_get("auth.ldap.ssl.keyfile", Conf)},
+                 {cacertfile, cuttlefish:conf_get("auth.ldap.ssl.cacertfile", Conf, undefined)},
+                 {verify, cuttlefish:conf_get("auth.ldap.ssl.verify", Conf, undefined)},
+                 {server_name_indication, cuttlefish:conf_get("auth.ldap.ssl.server_name_indication", Conf, disable)},
+                 {fail_if_no_peer_cert, cuttlefish:conf_get("auth.ldap.ssl.fail_if_no_peer_cert", Conf, undefined)}]
+              end,
+    Opts = [{servers, Servers},
+            {port, Port},
+            {timeout, Timeout},
+            {bind_dn, BindDN},
+            {bind_password, BindPassword},
+            {pool, Pool},
+            {auto_reconnect, 2}],
+    case cuttlefish:conf_get("auth.ldap.ssl", Conf) of
+        true  -> [{ssl, true}, {sslopts, Filter(SslOpts())}|Opts];
+        false -> [{ssl, false}|Opts]
+    end
+end}.
+
+{mapping, "auth.ldap.device_dn", "emqx_auth_ldap.device_dn", [
+  {default, "ou=device,dc=emqx,dc=io"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.ldap.match_objectclass", "emqx_auth_ldap.match_objectclass", [
+  {default, "mqttUser"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.ldap.custom_base_dn", "emqx_auth_ldap.custom_base_dn", [
+  {default, "${username_attr}=${user},${device_dn}"},
+  {datatype, string}
+]}.
+
+%% auth.ldap.filters.1.key = "objectClass"
+%% auth.ldap.filters.1.value = "mqttUser"
+%% auth.ldap.filters.1.op = "and"
+%% auth.ldap.filters.2.key = "uiAttr"
+%% auth.ldap.filters.2.value "someAttr"
+%% auth.ldap.filters.2.op = "or"
+%% auth.ldap.filters.3.key = "someKey"
+%% auth.ldap.filters.3.value = "someValue"
+%% The configuratation structure sent to the application:
+%%   [{"objectClass","mqttUser"},"and",{"uiAttr","someAttr"},"or",{"someKey","someAttr"}]
+%% The resulting LDAP filter would look like this:
+%% ==> "|(&(objectClass=Class)(uiAttr=someAttr)(someKey=someValue))"
+{translation, "emqx_auth_ldap.filters",
+fun(Conf) ->
+        Settings = cuttlefish_variable:filter_by_prefix("auth.ldap.filters", Conf),
+        Keys = [{Num, {key, V}} || {["auth","ldap","filters", Num, "key"], V} <- Settings],
+        Values = [{Num, {value, V}} || {["auth","ldap","filters", Num, "value"], V} <- Settings],
+        Ops = [{Num, {op, V}} || {["auth","ldap","filters", Num, "op"], V} <- Settings],
+        RawFilters = Keys ++ Values ++ Ops,
+        Filters =
+            lists:foldl(
+              fun({Num,{T,V}}, Acc)->
+                      maps:update_with(Num,
+                                       fun(F)->
+                                               maps:put(T,V,F)
+                                       end,
+                                       #{T=>V}, Acc)
+              end, #{}, RawFilters),
+        Order=lists:usort(maps:keys(Filters)),
+        lists:reverse(
+          lists:foldl(
+            fun(F,Acc)->
+                    case F of
+                        #{key:=K, op:=Op, value:=V} -> [Op,{K,V}|Acc];
+                        #{key:=K, value:=V} -> [{K,V}|Acc]
+                    end
+            end,
+            [],
+            lists:map(fun(K) -> maps:get(K, Filters) end, Order)))
+end}.
+
+{mapping, "auth.ldap.filters.$num.key", "emqx_auth_ldap.filters", [
+    {datatype, string}
+]}.
+
+{mapping, "auth.ldap.filters.$num.value", "emqx_auth_ldap.filters", [
+    {datatype, string}
+]}.
+
+{mapping, "auth.ldap.filters.$num.op", "emqx_auth_ldap.filters", [
+    {datatype, {enum, [ "or", "and" ] } }
+]}.
+
+
+{mapping, "auth.ldap.bind_as_user", "emqx_auth_ldap.bind_as_user", [
+  {default, false},
+  {datatype, {enum, [true, false]}}
+]}.
+
+{mapping, "auth.ldap.username.attributetype", "emqx_auth_ldap.username_attr", [
+  {default, "uid"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.ldap.password.attributetype", "emqx_auth_ldap.password_attr", [
+  {default, "userPassword"},
+  {datatype, string}
+]}.

apps/emqx_auth_ldap/rebar.config

@@ -0,0 +1,27 @@
+{deps,
+ [{eldap2, {git, "https://github.com/emqx/eldap2", {tag, "v0.2.2"}}},
+  {ecpool, {git, "https://github.com/emqx/ecpool", {tag, "0.5.0"}}},
+  {emqx_passwd, {git, "https://github.com/emqx/emqx-passwd", {tag, "v1.1.1"}}}
+ ]}.
+
+{profiles,
+ [{test,
+   [{deps, [{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}}]}
+   ]}
+ ]}.
+
+{edoc_opts, [{preprocess, true}]}.
+{erl_opts, [warn_unused_vars,
+            warn_shadow_vars,
+            warn_unused_import,
+            warn_obsolete_guard,
+            debug_info,
+            {parse_transform}]}.
+
+{xref_checks, [undefined_function_calls, undefined_functions,
+               locals_not_used, deprecated_function_calls,
+               warnings_as_errors, deprecated_functions]}.
+{cover_enabled, true}.
+{cover_opts, [verbose]}.
+{cover_export_enabled, true}.
+

apps/emqx_auth_ldap/rebar.config.script

@@ -0,0 +1,54 @@
+%%-*- mode: erlang -*-
+
+DEPS = case lists:keyfind(deps, 1, CONFIG) of
+          {_, Deps} -> Deps;
+          _ -> []
+      end,
+
+ComparingFun = fun
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
+                                            is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2)    -> _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2)    -> true;
+                _Fun(_, _) -> false
+              end,
+
+SortFun = fun(T1, T2) ->
+            C = fun(T) ->
+                  [case catch list_to_integer(E) of
+                      I when is_integer(I) -> I;
+                      _ -> E
+                    end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
+                end,
+            ComparingFun(C(T1), C(T2))
+          end,
+
+VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
+
+Tags = case VTags of
+         [] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
+         _ -> VTags
+       end,
+
+LatestTag = lists:last(lists:sort(SortFun, Tags)),
+
+Branch = case os:getenv("GITHUB_RUN_ID") of
+                false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
+                _ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
+         end,
+
+GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
+                match -> {branch, Branch};
+                _ -> {tag, LatestTag}
+              end,
+
+UrlPrefix = "https://github.com/emqx/",
+
+EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
+EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
+
+NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
+
+CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
+
+CONFIG1.

apps/emqx_auth_ldap/src/emqx_acl_ldap.erl

@@ -0,0 +1,98 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_acl_ldap).
+
+-include("emqx_auth_ldap.hrl").
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("eldap/include/eldap.hrl").
+-include_lib("emqx/include/logger.hrl").
+
+-export([ register_metrics/0
+        , check_acl/5
+        , description/0
+        ]).
+
+-import(proplists, [get_value/2]).
+
+-import(emqx_auth_ldap_cli, [search/4]).
+
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
+
+check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) ->
+    case do_check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) of
+        ok -> emqx_metrics:inc(?ACL_METRICS(ignore)), ok;
+        {stop, allow} -> emqx_metrics:inc(?ACL_METRICS(allow)), {stop, allow};
+        {stop, deny} -> emqx_metrics:inc(?ACL_METRICS(deny)), {stop, deny}
+    end.
+
+do_check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) ->
+    ok;
+
+do_check_acl(#{username := Username}, PubSub, Topic, _NoMatchAction,
+             #{device_dn         := DeviceDn,
+               match_objectclass := ObjectClass,
+               username_attr     := UidAttr,
+               custom_base_dn    := CustomBaseDN,
+               pool := Pool} = Config) ->
+
+    Filters = maps:get(filters, Config, []),
+
+    ReplaceRules = [{"${username_attr}", UidAttr},
+                    {"${user}", binary_to_list(Username)},
+                    {"${device_dn}", DeviceDn}],
+
+    Filter = emqx_auth_ldap:prepare_filter(Filters, UidAttr, ObjectClass, ReplaceRules),
+
+    Attribute = case PubSub of
+                    publish   -> "mqttPublishTopic";
+                    subscribe -> "mqttSubscriptionTopic"
+                end,
+    Attribute1 = "mqttPubSubTopic",
+    ?LOG(debug, "[LDAP] search dn:~p filter:~p, attribute:~p",
+         [DeviceDn, Filter, Attribute]),
+
+    BaseDN = emqx_auth_ldap:replace_vars(CustomBaseDN, ReplaceRules),
+
+    case search(Pool, BaseDN, Filter, [Attribute, Attribute1]) of
+        {error, noSuchObject} ->
+            ok;
+        {ok, #eldap_search_result{entries = []}} ->
+            ok;
+        {ok, #eldap_search_result{entries = [Entry]}} ->
+            Topics = get_value(Attribute, Entry#eldap_entry.attributes)
+                ++ get_value(Attribute1, Entry#eldap_entry.attributes),
+            match(Topic, Topics);
+        Error ->
+            ?LOG(error, "[LDAP] search error:~p", [Error]),
+            {stop, deny}
+    end.
+
+match(_Topic, []) ->
+    ok;
+
+match(Topic, [Filter | Topics]) ->
+    case emqx_topic:match(Topic, list_to_binary(Filter)) of
+        true  -> {stop, allow};
+        false -> match(Topic, Topics)
+    end.
+
+description() ->
+    "ACL with LDAP".
+

apps/emqx_auth_ldap/src/emqx_auth_ldap.app.src

@@ -0,0 +1,14 @@
+{application, emqx_auth_ldap,
+ [{description, "EMQ X Authentication/ACL with LDAP"},
+  {vsn, "git"},
+  {modules, []},
+  {registered, [emqx_auth_ldap_sup]},
+  {applications, [kernel,stdlib,eldap2,ecpool,emqx_passwd]},
+  {mod, {emqx_auth_ldap_app,[]}},
+  {env, []},
+  {licenses, ["Apache-2.0"]},
+  {maintainers, ["EMQ X Team <contact@emqx.io>"]},
+  {links, [{"Homepage", "https://emqx.io/"},
+           {"Github", "https://github.com/emqx/emqx-auth-ldap"}
+          ]}
+ ]}.

apps/emqx_auth_ldap/src/emqx_auth_ldap.app.src.script

@@ -0,0 +1,24 @@
+%%-*- mode: erlang -*-
+%% .app.src.script
+
+RemoveLeadingV =
+    fun(Tag) ->
+        case re:run(Tag, "^[v|e]?[0-9]\.[0-9]\.([0-9]|(rc|beta|alpha)\.[0-9])", [{capture, none}]) of
+            nomatch ->
+                re:replace(Tag, "/", "-", [{return ,list}]);
+            _ ->
+                %% if it is a version number prefixed by 'v' or 'e', then remove it
+                re:replace(Tag, "[v|e]", "", [{return ,list}])
+        end
+    end,
+
+case os:getenv("EMQX_DEPS_DEFAULT_VSN") of
+    false -> CONFIG; % env var not defined
+    []    -> CONFIG; % env var set to empty string
+    Tag ->
+       [begin
+           AppConf0 = lists:keystore(vsn, 1, AppConf, {vsn, RemoveLeadingV(Tag)}),
+           {application, App, AppConf0}
+        end || Conf = {application, App, AppConf} <- CONFIG]
+end.
+

apps/emqx_auth_ldap/src/emqx_auth_ldap.erl

@@ -0,0 +1,210 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_ldap).
+
+-include("emqx_auth_ldap.hrl").
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("eldap/include/eldap.hrl").
+-include_lib("emqx/include/logger.hrl").
+
+-import(proplists, [get_value/2]).
+
+-import(emqx_auth_ldap_cli, [search/3]).
+
+-export([ register_metrics/0
+        , check/3
+        , description/0
+        , prepare_filter/4
+        , replace_vars/2
+        ]).
+
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
+
+check(ClientInfo = #{username := Username, password := Password}, AuthResult,
+      State = #{password_attr := PasswdAttr, bind_as_user := BindAsUserRequired, pool := Pool}) ->
+    CheckResult =
+        case lookup_user(Username, State) of
+            undefined -> {error, not_found};
+            {error, Error} -> {error, Error};
+            Entry ->
+                PasswordString = binary_to_list(Password),
+                ObjectName = Entry#eldap_entry.object_name,
+                Attributes = Entry#eldap_entry.attributes,
+                case BindAsUserRequired of
+                    true ->
+                        emqx_auth_ldap_cli:post_bind(Pool, ObjectName, PasswordString);
+                    false ->
+                        case get_value(PasswdAttr, Attributes) of
+                            undefined ->
+                                logger:error("LDAP Search State: ~p, uid: ~p, result:~p",
+                                             [State, Username, Attributes]),
+                                {error, not_found};
+                            [Passhash1] ->
+                                format_password(Passhash1, Password, ClientInfo)
+                        end
+                end
+        end,
+    case CheckResult of
+        ok ->
+            ok = emqx_metrics:inc(?AUTH_METRICS(success)),
+            {stop, AuthResult#{auth_result => success, anonymous => false}};
+        {error, not_found} ->
+            emqx_metrics:inc(?AUTH_METRICS(ignore));
+        {error, ResultCode} ->
+            ok = emqx_metrics:inc(?AUTH_METRICS(failure)),
+            ?LOG(error, "[LDAP] Auth from ldap failed: ~p", [ResultCode]),
+            {stop, AuthResult#{auth_result => ResultCode, anonymous => false}}
+    end.
+
+lookup_user(Username, #{username_attr := UidAttr,
+                        match_objectclass := ObjectClass,
+                        device_dn := DeviceDn,
+                        custom_base_dn := CustomBaseDN, pool := Pool} = Config) ->
+
+    Filters = maps:get(filters, Config, []),
+
+    ReplaceRules = [{"${username_attr}", UidAttr},
+                    {"${user}", binary_to_list(Username)},
+                    {"${device_dn}", DeviceDn}],
+
+    Filter = prepare_filter(Filters, UidAttr, ObjectClass, ReplaceRules),
+
+    %% auth.ldap.custom_base_dn = "${username_attr}=${user},${device_dn}"
+    BaseDN = replace_vars(CustomBaseDN, ReplaceRules),
+
+    case search(Pool, BaseDN, Filter) of
+        %% This clause seems to be impossible to match. `eldap2:search/2` does
+        %% not validates the result, so if it returns "successfully" from the
+        %% LDAP server, it always returns `{ok, #eldap_search_result{}}`.
+        {error, noSuchObject} ->
+            undefined;
+        %% In case no user was found by the search, but the search was completed
+        %% without error we get an empty `entries` list.
+        {ok, #eldap_search_result{entries = []}} ->
+            undefined;
+        {ok, #eldap_search_result{entries = [Entry]}} ->
+            Attributes = Entry#eldap_entry.attributes,
+            case get_value("isEnabled", Attributes) of
+                undefined ->
+                    Entry;
+                [Val] ->
+                    case list_to_atom(string:to_lower(Val)) of
+                        true -> Entry;
+                        false -> {error, username_disabled}
+                    end
+            end;
+        {error, Error} ->
+            ?LOG(error, "[LDAP] Search dn: ~p, filter: ~p, fail:~p", [DeviceDn, Filter, Error]),
+            {error, username_or_password_error}
+    end.
+
+check_pass(Password, Password, _ClientInfo) -> ok;
+check_pass(_, _, _) -> {error, bad_username_or_password}.
+
+format_password(Passhash, Password, ClientInfo) ->
+    case do_format_password(Passhash, Password) of
+        {error, Error2} ->
+            {error, Error2};
+        {Passhash1, Password1} ->
+            check_pass(Passhash1, Password1, ClientInfo)
+    end.
+
+do_format_password(Passhash, Password) ->
+    Base64PasshashHandler =
+    handle_passhash(fun(HashType, Passhash1, Password1) ->
+                            Passhash2 = binary_to_list(base64:decode(Passhash1)),
+                            resolve_passhash(HashType, Passhash2, Password1)
+                    end,
+                    fun(_Passhash, _Password) ->
+                            {error, password_error}
+                    end),
+    PasshashHandler = handle_passhash(fun resolve_passhash/3, Base64PasshashHandler),
+    PasshashHandler(Passhash, Password).
+
+resolve_passhash(HashType, Passhash, Password) ->
+    [_, Passhash1] = string:tokens(Passhash, "}"),
+    do_resolve(HashType, Passhash1, Password).
+
+handle_passhash(HandleMatch, HandleNoMatch) ->
+    fun(Passhash, Password) ->
+            case re:run(Passhash, "(?<={)[^{}]+(?=})", [{capture, all, list}, global]) of
+                {match, [[HashType]]} ->
+                    HandleMatch(list_to_atom(string:to_lower(HashType)), Passhash, Password);
+                _ ->
+                    HandleNoMatch(Passhash, Password)
+            end
+    end.
+
+do_resolve(ssha, Passhash, Password) ->
+    D64 = base64:decode(Passhash),
+    {HashedData, Salt} = lists:split(20, binary_to_list(D64)),
+    NewHash = crypto:hash(sha, <<Password/binary, (list_to_binary(Salt))/binary>>),
+    {list_to_binary(HashedData), NewHash};
+do_resolve(HashType, Passhash, Password) ->
+    Password1 = base64:encode(crypto:hash(HashType, Password)),
+    {list_to_binary(Passhash), Password1}.
+
+description() -> "LDAP Authentication Plugin".
+
+prepare_filter(Filters, _UidAttr, ObjectClass, ReplaceRules) ->
+    SubFilters =
+        lists:map(fun({K, V}) ->
+                          {replace_vars(K, ReplaceRules), replace_vars(V, ReplaceRules)};
+                     (Op) ->
+                          Op
+                  end, Filters),
+    case SubFilters of
+        [] -> eldap2:equalityMatch("objectClass", ObjectClass);
+        _List -> compile_filters(SubFilters, [])
+    end.
+
+
+compile_filters([{Key, Value}], []) ->
+    compile_equal(Key, Value);
+compile_filters([{K1, V1}, "and", {K2, V2} | Rest], []) ->
+    compile_filters(
+      Rest,
+      eldap2:'and'([compile_equal(K1, V1),
+                    compile_equal(K2, V2)]));
+compile_filters([{K1, V1}, "or", {K2, V2} | Rest], []) ->
+    compile_filters(
+      Rest,
+      eldap2:'or'([compile_equal(K1, V1),
+                   compile_equal(K2, V2)]));
+compile_filters(["and", {K, V} | Rest], PartialFilter) ->
+    compile_filters(
+      Rest,
+      eldap2:'and'([PartialFilter,
+                    compile_equal(K, V)]));
+compile_filters(["or", {K, V} | Rest], PartialFilter) ->
+    compile_filters(
+      Rest,
+      eldap2:'or'([PartialFilter,
+                   compile_equal(K, V)]));
+compile_filters([], Filter) ->
+    Filter.
+
+compile_equal(Key, Value) ->
+    eldap2:equalityMatch(Key, Value).
+
+replace_vars(CustomBaseDN, ReplaceRules) ->
+    lists:foldl(fun({Pattern, Substitute}, DN) ->
+                        lists:flatten(string:replace(DN, Pattern, Substitute))
+                end, CustomBaseDN, ReplaceRules).

apps/emqx_auth_ldap/src/emqx_auth_ldap_app.erl

@@ -0,0 +1,78 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_ldap_app).
+
+-behaviour(application).
+
+-emqx_plugin(auth).
+
+-include("emqx_auth_ldap.hrl").
+
+%% Application callbacks
+-export([ start/2
+        , prep_stop/1
+        , stop/1
+        ]).
+
+start(_StartType, _StartArgs) ->
+    {ok, Sup} = emqx_auth_ldap_sup:start_link(),
+    if_enabled([device_dn, match_objectclass,
+                username_attr, password_attr,
+                filters, custom_base_dn, bind_as_user],
+               fun load_auth_hook/1),
+    if_enabled([device_dn, match_objectclass,
+                username_attr, password_attr,
+                filters, custom_base_dn, bind_as_user],
+               fun load_acl_hook/1),
+    {ok, Sup}.
+
+prep_stop(State) ->
+    emqx:unhook('client.authenticate', fun emqx_auth_ldap:check/3),
+    emqx:unhook('client.check_acl', fun emqx_acl_ldap:check_acl/5),
+    State.
+
+stop(_State) ->
+    ok.
+
+load_auth_hook(DeviceDn) ->
+    ok = emqx_auth_ldap:register_metrics(),
+    Params = maps:from_list(DeviceDn),
+    emqx:hook('client.authenticate', fun emqx_auth_ldap:check/3, [Params#{pool => ?APP}]).
+
+load_acl_hook(DeviceDn) ->
+    ok = emqx_acl_ldap:register_metrics(),
+    Params = maps:from_list(DeviceDn),
+    emqx:hook('client.check_acl', fun emqx_acl_ldap:check_acl/5 , [Params#{pool => ?APP}]).
+
+if_enabled(Cfgs, Fun) ->
+    case get_env(Cfgs) of
+        {ok, InitArgs} -> Fun(InitArgs);
+        [] -> ok
+    end.
+
+get_env(Cfgs) ->
+   get_env(Cfgs, []).
+
+get_env([Cfg | LeftCfgs], ENVS) ->
+    case application:get_env(?APP, Cfg) of
+        {ok, ENV} ->
+            get_env(LeftCfgs, [{Cfg, ENV} | ENVS]);
+        undefined ->
+            get_env(LeftCfgs, ENVS)
+    end;
+get_env([], ENVS) ->
+   {ok, ENVS}.

apps/emqx_auth_ldap/src/emqx_auth_ldap_cli.erl

@@ -0,0 +1,150 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_ldap_cli).
+
+-behaviour(ecpool_worker).
+
+-include("emqx_auth_ldap.hrl").
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("emqx/include/logger.hrl").
+
+%% ecpool callback
+-export([connect/1]).
+
+-export([ search/3
+        , search/4
+        , post_bind/3
+        , init_args/1
+        ]).
+
+-import(proplists,
+        [ get_value/2
+        , get_value/3
+        ]).
+
+%%--------------------------------------------------------------------
+%% LDAP Connect/Search
+%%--------------------------------------------------------------------
+
+connect(Opts) ->
+    Servers      = get_value(servers, Opts, ["localhost"]),
+    Port         = get_value(port, Opts, 389),
+    Timeout      = get_value(timeout, Opts, 30),
+    BindDn       = get_value(bind_dn, Opts),
+    BindPassword = get_value(bind_password, Opts),
+    LdapOpts     = case get_value(ssl, Opts, false)of
+                       true ->
+                           SslOpts = get_value(sslopts, Opts),
+                           [{port, Port}, {timeout, Timeout}, {sslopts, SslOpts}];
+                       false ->
+                           [{port, Port}, {timeout, Timeout}]
+                   end,
+    ?LOG(debug, "[LDAP] Connecting to OpenLDAP server: ~p, Opts:~p ...", [Servers, LdapOpts]),
+
+    case eldap2:open(Servers, LdapOpts) of
+        {ok, LDAP} ->
+            try eldap2:simple_bind(LDAP, BindDn, BindPassword) of
+                ok -> {ok, LDAP};
+                {error, Error} ->
+                    ?LOG(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Error]),
+                    {error, Error}
+            catch
+                error:Reason ->
+                    ?LOG(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Reason]),
+                    {error, Reason}
+            end;
+        {error, Reason} ->
+            ?LOG(error, "[LDAP] Can't connect to OpenLDAP server: ~p", [Reason]),
+            {error, Reason}
+    end.
+
+search(Pool, Base, Filter) ->
+    ecpool:with_client(Pool,
+        fun(C) ->
+                case application:get_env(?APP, bind_as_user) of
+                    {ok, true} ->
+                        {ok, Opts} = application:get_env(?APP, ldap),
+                        BindDn       = get_value(bind_dn, Opts),
+                        BindPassword = get_value(bind_password, Opts),
+                        try eldap2:simple_bind(C, BindDn, BindPassword) of
+                            ok ->
+                                eldap2:search(C, [{base, Base},
+                                                  {filter, Filter},
+                                                  {deref, eldap2:derefFindingBaseObj()}]);
+                            {error, Error} ->
+                                {error, Error}
+                        catch
+                            error:Reason -> {error, Reason}
+                        end;
+                    {ok, false} ->
+                        eldap2:search(C, [{base, Base},
+                                          {filter, Filter},
+                                          {deref, eldap2:derefFindingBaseObj()}])
+                end
+        end).
+
+search(Pool, Base, Filter, Attributes) ->
+    ecpool:with_client(Pool,
+        fun(C) ->
+                case application:get_env(?APP, bind_as_user) of
+                    {ok, true} ->
+                        {ok, Opts} = application:get_env(?APP, ldap),
+                        BindDn       = get_value(bind_dn, Opts),
+                        BindPassword = get_value(bind_password, Opts),
+                        try eldap2:simple_bind(C, BindDn, BindPassword) of
+                            ok ->
+                                eldap2:search(C, [{base, Base},
+                                                  {filter, Filter},
+                                                  {attributes, Attributes},
+                                                  {deref, eldap2:derefFindingBaseObj()}]);
+                            {error, Error} ->
+                                {error, Error}
+                        catch
+                            error:Reason -> {error, Reason}
+                        end;
+                    {ok, false} ->
+                        eldap2:search(C, [{base, Base},
+                                          {filter, Filter},
+                                          {attributes, Attributes},
+                                          {deref, eldap2:derefFindingBaseObj()}])
+                end
+        end).
+
+post_bind(Pool, BindDn, BindPassword) ->
+    ecpool:with_client(Pool,
+                       fun(C) ->
+                               try eldap2:simple_bind(C, BindDn, BindPassword) of
+                                   ok -> ok;
+                                   {error, Error} ->
+                                       {error, Error}
+                               catch
+                                   error:Reason -> {error, Reason}
+                               end
+                       end).
+
+
+init_args(ENVS) ->
+    DeviceDn = get_value(device_dn, ENVS),
+    ObjectClass = get_value(match_objectclass, ENVS),
+    UidAttr = get_value(username_attr, ENVS),
+    PasswdAttr = get_value(password_attr, ENVS),
+    {ok, #{device_dn => DeviceDn,
+           match_objectclass => ObjectClass,
+           username_attr => UidAttr,
+           password_attr => PasswdAttr}}.
+

apps/emqx_auth_ldap/src/emqx_auth_ldap_sup.erl

@@ -0,0 +1,35 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_ldap_sup).
+
+-behaviour(supervisor).
+
+-include("emqx_auth_ldap.hrl").
+
+-export([start_link/0]).
+
+-export([init/1]).
+
+start_link() ->
+    supervisor:start_link({local, ?MODULE}, ?MODULE, []).
+
+init([]) ->
+    %% LDAP Connection Pool.
+    {ok, Server} = application:get_env(?APP, ldap),
+    PoolSpec = ecpool:pool_spec(?APP, ?APP, emqx_auth_ldap_cli, Server),
+    {ok, {{one_for_one, 10, 100}, [PoolSpec]}}.
+

apps/emqx_auth_ldap/test/certs/cacert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUTCCAjmgAwIBAgIJAPPYCjTmxdt/MA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNV
+BAYTAkNOMREwDwYDVQQIDAhoYW5nemhvdTEMMAoGA1UECgwDRU1RMQ8wDQYDVQQD
+DAZSb290Q0EwHhcNMjAwNTA4MDgwNjUyWhcNMzAwNTA2MDgwNjUyWjA/MQswCQYD
+VQQGEwJDTjERMA8GA1UECAwIaGFuZ3pob3UxDDAKBgNVBAoMA0VNUTEPMA0GA1UE
+AwwGUm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzcgVLex1
+EZ9ON64EX8v+wcSjzOZpiEOsAOuSXOEN3wb8FKUxCdsGrsJYB7a5VM/Jot25Mod2
+juS3OBMg6r85k2TWjdxUoUs+HiUB/pP/ARaaW6VntpAEokpij/przWMPgJnBF3Ur
+MjtbLayH9hGmpQrI5c2vmHQ2reRZnSFbY+2b8SXZ+3lZZgz9+BaQYWdQWfaUWEHZ
+uDaNiViVO0OT8DRjCuiDp3yYDj3iLWbTA/gDL6Tf5XuHuEwcOQUrd+h0hyIphO8D
+tsrsHZ14j4AWYLk1CPA6pq1HIUvEl2rANx2lVUNv+nt64K/Mr3RnVQd9s8bK+TXQ
+KGHd2Lv/PALYuwIDAQABo1AwTjAdBgNVHQ4EFgQUGBmW+iDzxctWAWxmhgdlE8Pj
+EbQwHwYDVR0jBBgwFoAUGBmW+iDzxctWAWxmhgdlE8PjEbQwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAGbhRUjpIred4cFAFJ7bbYD9hKu/yzWPWkMRa
+ErlCKHmuYsYk+5d16JQhJaFy6MGXfLgo3KV2itl0d+OWNH0U9ULXcglTxy6+njo5
+CFqdUBPwN1jxhzo9yteDMKF4+AHIxbvCAJa17qcwUKR5MKNvv09C6pvQDJLzid7y
+E2dkgSuggik3oa0427KvctFf8uhOV94RvEDyqvT5+pgNYZ2Yfga9pD/jjpoHEUlo
+88IGU8/wJCx3Ds2yc8+oBg/ynxG8f/HmCC1ET6EHHoe2jlo8FpU/SgGtghS1YL30
+IWxNsPrUP+XsZpBJy/mvOhE5QXo6Y35zDqqj8tI7AGmAWu22jg==
+-----END CERTIFICATE-----

apps/emqx_auth_ldap/test/certs/cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIBAjANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJDTjER
+MA8GA1UECAwIaGFuZ3pob3UxDDAKBgNVBAoMA0VNUTEPMA0GA1UEAwwGUm9vdENB
+MB4XDTIwMDUwODA4MDcwNVoXDTMwMDUwNjA4MDcwNVowPzELMAkGA1UEBhMCQ04x
+ETAPBgNVBAgMCGhhbmd6aG91MQwwCgYDVQQKDANFTVExDzANBgNVBAMMBlNlcnZl
+cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNeWT3pE+QFfiRJzKmn
+AMUrWo3K2j/Tm3+Xnl6WLz67/0rcYrJbbKvS3uyRP/stXyXEKw9CepyQ1ViBVFkW
+Aoy8qQEOWFDsZc/5UzhXUnb6LXr3qTkFEjNmhj+7uzv/lbBxlUG1NlYzSeOB6/RT
+8zH/lhOeKhLnWYPXdXKsa1FL6ij4X8DeDO1kY7fvAGmBn/THh1uTpDizM4YmeI+7
+4dmayA5xXvARte5h4Vu5SIze7iC057N+vymToMk2Jgk+ZZFpyXrnq+yo6RaD3ANc
+lrc4FbeUQZ5a5s5Sxgs9a0Y3WMG+7c5VnVXcbjBRz/aq2NtOnQQjikKKQA8GF080
+BQkCAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQEL
+BQADggEBAJefnMZpaRDHQSNUIEL3iwGXE9c6PmIsQVE2ustr+CakBp3TZ4l0enLt
+iGMfEVFju69cO4oyokWv+hl5eCMkHBf14Kv51vj448jowYnF1zmzn7SEzm5Uzlsa
+sqjtAprnLyof69WtLU1j5rYWBuFX86yOTwRAFNjm9fvhAcrEONBsQtqipBWkMROp
+iUYMkRqbKcQMdwxov+lHBYKq9zbWRoqLROAn54SRqgQk6c15JdEfgOOjShbsOkIH
+UhqcwRkQic7n1zwHVGVDgNIZVgmJ2IdIWBlPEC7oLrRrBD/X1iEEXtKab6p5o22n
+KB5mN+iQaE+Oe2cpGKZJiJRdM+IqDDQ=
+-----END CERTIFICATE-----

apps/emqx_auth_ldap/test/certs/client-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIBATANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJDTjER
+MA8GA1UECAwIaGFuZ3pob3UxDDAKBgNVBAoMA0VNUTEPMA0GA1UEAwwGUm9vdENB
+MB4XDTIwMDUwODA4MDY1N1oXDTMwMDUwNjA4MDY1N1owPzELMAkGA1UEBhMCQ04x
+ETAPBgNVBAgMCGhhbmd6aG91MQwwCgYDVQQKDANFTVExDzANBgNVBAMMBkNsaWVu
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMy4hoksKcZBDbY680u6
+TS25U51nuB1FBcGMlF9B/t057wPOlxF/OcmbxY5MwepS41JDGPgulE1V7fpsXkiW
+1LUimYV/tsqBfymIe0mlY7oORahKji7zKQ2UBIVFhdlvQxunlIDnw6F9popUgyHt
+dMhtlgZK8oqRwHxO5dbfoukYd6J/r+etS5q26sgVkf3C6dt0Td7B25H9qW+f7oLV
+PbcHYCa+i73u9670nrpXsC+Qc7Mygwa2Kq/jwU+ftyLQnOeW07DuzOwsziC/fQZa
+nbxR+8U9FNftgRcC3uP/JMKYUqsiRAuaDokARZxVTV5hUElfpO6z6/NItSDvvh3i
+eikCAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQEL
+BQADggEBABchYxKo0YMma7g1qDswJXsR5s56Czx/I+B41YcpMBMTrRqpUC0nHtLk
+M7/tZp592u/tT8gzEnQjZLKBAhFeZaR3aaKyknLqwiPqJIgg0pgsBGITrAK3Pv4z
+5/YvAJJKgTe5UdeTz6U4lvNEux/4juZ4pmqH4qSFJTOzQS7LmgSmNIdd072rwXBd
+UzcSHzsJgEMb88u/LDLjj1pQ7AtZ4Tta8JZTvcgBFmjB0QUi6fgkHY6oGat/W4kR
+jSRUBlMUbM/drr2PVzRc2dwbFIl3X+ZE6n5Sl3ZwRAC/s92JU6CPMRW02muVu6xl
+goraNgPISnrbpR6KjxLZkVembXzjNNc=
+-----END CERTIFICATE-----

apps/emqx_auth_ldap/test/certs/client-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzLiGiSwpxkENtjrzS7pNLblTnWe4HUUFwYyUX0H+3TnvA86X
+EX85yZvFjkzB6lLjUkMY+C6UTVXt+mxeSJbUtSKZhX+2yoF/KYh7SaVjug5FqEqO
+LvMpDZQEhUWF2W9DG6eUgOfDoX2milSDIe10yG2WBkryipHAfE7l1t+i6Rh3on+v
+561LmrbqyBWR/cLp23RN3sHbkf2pb5/ugtU9twdgJr6Lve73rvSeulewL5BzszKD
+BrYqr+PBT5+3ItCc55bTsO7M7CzOIL99BlqdvFH7xT0U1+2BFwLe4/8kwphSqyJE
+C5oOiQBFnFVNXmFQSV+k7rPr80i1IO++HeJ6KQIDAQABAoIBAGWgvPjfuaU3qizq
+uti/FY07USz0zkuJdkANH6LiSjlchzDmn8wJ0pApCjuIE0PV/g9aS8z4opp5q/gD
+UBLM/a8mC/xf2EhTXOMrY7i9p/I3H5FZ4ZehEqIw9sWKK9YzC6dw26HabB2BGOnW
+5nozPSQ6cp2RGzJ7BIkxSZwPzPnVTgy3OAuPOiJytvK+hGLhsNaT+Y9bNDvplVT2
+ZwYTV8GlHZC+4b2wNROILm0O86v96O+Qd8nn3fXjGHbMsAnONBq10bZS16L4fvkH
+5G+W/1PeSXmtZFppdRRDxIW+DWcXK0D48WRliuxcV4eOOxI+a9N2ZJZZiNLQZGwg
+w3A8+mECgYEA8HuJFrlRvdoBe2U/EwUtG74dcyy30L4yEBnN5QscXmEEikhaQCfX
+Wm6EieMcIB/5I5TQmSw0cmBMeZjSXYoFdoI16/X6yMMuATdxpvhOZGdUGXxhAH+x
+xoTUavWZnEqW3fkUU71kT5E2f2i+0zoatFESXHeslJyz85aAYpP92H0CgYEA2e5A
+Yozt5eaA1Gyhd8SeptkEU4xPirNUnVQHStpMWUb1kzTNXrPmNWccQ7JpfpG6DcYl
+zUF6p6mlzY+zkMiyPQjwEJlhiHM2NlL1QS7td0R8ewgsFoyn8WsBI4RejWrEG9td
+EDniuIw+pBFkcWthnTLHwECHdzgquToyTMjrBB0CgYEA28tdGbrZXhcyAZEhHAZA
+Gzog+pKlkpEzeonLKIuGKzCrEKRecIK5jrqyQsCjhS0T7ZRnL4g6i0s+umiV5M5w
+fcc292pEA1h45L3DD6OlKplSQVTv55/OYS4oY3YEJtf5mfm8vWi9lQeY8sxOlQpn
+O+VZTdBHmTC8PGeTAgZXHZUCgYA6Tyv88lYowB7SN2qQgBQu8jvdGtqhcs/99GCr
+H3N0I69LPsKAR0QeH8OJPXBKhDUywESXAaEOwS5yrLNP1tMRz5Vj65YUCzeDG3kx
+gpvY4IMp7ArX0bSRvJ6mYSFnVxy3k174G3TVCfksrtagHioVBGQ7xUg5ltafjrms
+n8l55QKBgQDVzU8tQvBVqY8/1lnw11Vj4fkE/drZHJ5UkdC1eenOfSWhlSLfUJ8j
+ds7vEWpRPPoVuPZYeR1y78cyxKe1GBx6Wa2lF5c7xjmiu0xbRnrxYeLolce9/ntp
+asClqpnHT8/VJYTD7Kqj0fouTTZf0zkig/y+2XERppd8k+pSKjUCPQ==
+-----END RSA PRIVATE KEY-----

apps/emqx_auth_ldap/test/certs/key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAs15ZPekT5AV+JEnMqacAxStajcraP9Obf5eeXpYvPrv/Stxi
+sltsq9Le7JE/+y1fJcQrD0J6nJDVWIFUWRYCjLypAQ5YUOxlz/lTOFdSdvotevep
+OQUSM2aGP7u7O/+VsHGVQbU2VjNJ44Hr9FPzMf+WE54qEudZg9d1cqxrUUvqKPhf
+wN4M7WRjt+8AaYGf9MeHW5OkOLMzhiZ4j7vh2ZrIDnFe8BG17mHhW7lIjN7uILTn
+s36/KZOgyTYmCT5lkWnJeuer7KjpFoPcA1yWtzgVt5RBnlrmzlLGCz1rRjdYwb7t
+zlWdVdxuMFHP9qrY206dBCOKQopADwYXTzQFCQIDAQABAoIBAQCuvCbr7Pd3lvI/
+n7VFQG+7pHRe1VKwAxDkx2t8cYos7y/QWcm8Ptwqtw58HzPZGWYrgGMCRpzzkRSF
+V9g3wP1S5Scu5C6dBu5YIGc157tqNGXB+SpdZddJQ4Nc6yGHXYERllT04ffBGc3N
+WG/oYS/1cSteiSIrsDy/91FvGRCi7FPxH3wIgHssY/tw69s1Cfvaq5lr2NTFzxIG
+xCvpJKEdSfVfS9I7LYiymVjst3IOR/w76/ZFY9cRa8ZtmQSWWsm0TUpRC1jdcbkm
+ZoJptYWlP+gSwx/fpMYftrkJFGOJhHJHQhwxT5X/ajAISeqjjwkWSEJLwnHQd11C
+Zy2+29lBAoGBANlEAIK4VxCqyPXNKfoOOi5dS64NfvyH4A1v2+KaHWc7lqaqPN49
+ezfN2n3X+KWx4cviDD914Yc2JQ1vVJjSaHci7yivocDo2OfZDmjBqzaMp/y+rX1R
+/f3MmiTqMa468rjaxI9RRZu7vDgpTR+za1+OBCgMzjvAng8dJuN/5gjlAoGBANNY
+uYPKtearBmkqdrSV7eTUe49Nhr0XotLaVBH37TCW0Xv9wjO2xmbm5Ga/DCtPIsBb
+yPeYwX9FjoasuadUD7hRvbFu6dBa0HGLmkXRJZTcD7MEX2Lhu4BuC72yDLLFd0r+
+Ep9WP7F5iJyagYqIZtz+4uf7gBvUDdmvXz3sGr1VAoGAdXTD6eeKeiI6PlhKBztF
+zOb3EQOO0SsLv3fnodu7ZaHbUgLaoTMPuB17r2jgrYM7FKQCBxTNdfGZmmfDjlLB
+0xZ5wL8ibU30ZXL8zTlWPElST9sto4B+FYVVF/vcG9sWeUUb2ncPcJ/Po3UAktDG
+jYQTTyuNGtSJHpad/YOZctkCgYBtWRaC7bq3of0rJGFOhdQT9SwItN/lrfj8hyHA
+OjpqTV4NfPmhsAtu6j96OZaeQc+FHvgXwt06cE6Rt4RG4uNPRluTFgO7XYFDfitP
+vCppnoIw6S5BBvHwPP+uIhUX2bsi/dm8vu8tb+gSvo4PkwtFhEr6I9HglBKmcmog
+q6waEQKBgHyecFBeM6Ls11Cd64vborwJPAuxIW7HBAFj/BS99oeG4TjBx4Sz2dFd
+rzUibJt4ndnHIvCN8JQkjNG14i9hJln+H3mRss8fbZ9vQdqG+2vOWADYSzzsNI55
+RFY7JjluKcVkp/zCDeUxTU3O6sS+v6/3VE11Cob6OYQx3lN5wrZ3
+-----END RSA PRIVATE KEY-----

apps/emqx_auth_ldap/test/emqx_auth_ldap_SUITE.erl

@@ -0,0 +1,152 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_ldap_SUITE).
+
+-compile(export_all).
+-compile(nowarn_export_all).
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+-define(PID, emqx_auth_ldap).
+
+-define(APP, emqx_auth_ldap).
+
+-define(DeviceDN, "ou=test_device,dc=emqx,dc=io").
+
+-define(AuthDN, "ou=test_auth,dc=emqx,dc=io").
+
+%%--------------------------------------------------------------------
+%% Setups
+%%--------------------------------------------------------------------
+
+all() ->
+    [{group, nossl}, {group, ssl}].
+
+groups() ->
+    Cases = emqx_ct:all(?MODULE),
+    [{nossl, Cases}, {ssl, Cases}].
+
+init_per_group(GrpName, Cfg) ->
+    Fun = fun(App) -> set_special_configs(GrpName, App) end,
+    emqx_ct_helpers:start_apps([emqx_auth_ldap], Fun),
+    Cfg.
+
+end_per_group(_GrpName, _Cfg) ->
+    emqx_ct_helpers:stop_apps([emqx_auth_ldap]).
+
+%%--------------------------------------------------------------------
+%% Cases
+%%--------------------------------------------------------------------
+
+t_check_auth(_) ->
+    MqttUser1 = #{clientid => <<"mqttuser1">>,
+                  username => <<"mqttuser0001">>,
+                  password => <<"mqttuser0001">>,
+                  zone => external},
+    MqttUser2 = #{clientid => <<"mqttuser2">>,
+                  username => <<"mqttuser0002">>,
+                  password => <<"mqttuser0002">>,
+                  zone => external},
+    MqttUser3 = #{clientid => <<"mqttuser3">>,
+                  username => <<"mqttuser0003">>,
+                  password => <<"mqttuser0003">>,
+                  zone => external},
+    MqttUser4 = #{clientid => <<"mqttuser4">>,
+                  username => <<"mqttuser0004">>,
+                  password => <<"mqttuser0004">>,
+                  zone => external},
+    MqttUser5 = #{clientid => <<"mqttuser5">>,
+                  username => <<"mqttuser0005">>,
+                  password => <<"mqttuser0005">>,
+                  zone => external},
+    NonExistUser1 = #{clientid => <<"mqttuser6">>,
+                      username => <<"mqttuser0006">>,
+                      password => <<"mqttuser0006">>,
+                      zone => external},
+    NonExistUser2 = #{clientid => <<"mqttuser7">>,
+                      username => <<"mqttuser0005">>,
+                      password => <<"mqttuser0006">>,
+                      zone => external},
+    ct:log("MqttUser: ~p", [emqx_access_control:authenticate(MqttUser1)]),
+    ?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser1)),
+    ?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser2)),
+    ?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser3)),
+    ?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser4)),
+    ?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser5)),
+    ?assertEqual({error, not_authorized}, emqx_access_control:authenticate(NonExistUser1)),
+    ?assertEqual({error, bad_username_or_password}, emqx_access_control:authenticate(NonExistUser2)).
+
+t_check_acl(_) ->
+    MqttUser = #{clientid => <<"mqttuser1">>, username => <<"mqttuser0001">>, zone => external},
+    NoMqttUser = #{clientid => <<"mqttuser2">>, username => <<"mqttuser0007">>, zone => external},
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/#">>),
+
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/#">>),
+
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/#">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/#">>),
+
+    deny = emqx_access_control:check_acl(NoMqttUser, publish, <<"mqttuser0001/req/mqttuser0001/+">>),
+    deny = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/req/mqttuser0002/+">>),
+    deny = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/req/+/mqttuser0002">>),
+    ok.
+
+%%--------------------------------------------------------------------
+%% Helpers
+%%--------------------------------------------------------------------
+
+set_special_configs(_, emqx) ->
+    application:set_env(emqx, allow_anonymous, false),
+    application:set_env(emqx, enable_acl_cache, false),
+    application:set_env(emqx, acl_nomatch, deny),
+    AclFilePath = filename:join(["test", "emqx_SUITE_data", "acl.conf"]),
+    application:set_env(emqx, acl_file,
+		        emqx_ct_helpers:deps_path(emqx, AclFilePath)),
+    LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
+    application:set_env(emqx, plugins_loaded_file,
+                        emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
+
+set_special_configs(Ssl, emqx_auth_ldap) ->
+    case Ssl == ssl of
+        true ->
+            LdapOpts = application:get_env(emqx_auth_ldap, ldap, []),
+            Path = emqx_ct_helpers:deps_path(emqx_auth_ldap, "test/certs/"),
+            SslOpts = [{verify, verify_peer},
+                       {fail_if_no_peer_cert, true},
+                       {server_name_indication, disable},
+                       {keyfile, Path ++ "/client-key.pem"},
+                       {certfile, Path ++ "/client-cert.pem"},
+                       {cacertfile, Path ++ "/cacert.pem"}],
+            LdapOpts1 = lists:keystore(ssl, 1, LdapOpts, {ssl, true}),
+            LdapOpts2 = lists:keystore(sslopts, 1, LdapOpts1, {sslopts, SslOpts}),
+            LdapOpts3 = lists:keystore(port, 1, LdapOpts2, {port, 636}),
+            application:set_env(emqx_auth_ldap, ldap, LdapOpts3);
+        _ ->
+            ok
+    end,
+    application:set_env(emqx_auth_ldap, device_dn, "ou=testdevice, dc=emqx, dc=io").
+

apps/emqx_auth_ldap/test/emqx_auth_ldap_bind_as_user_SUITE.erl

@@ -0,0 +1,114 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_ldap_bind_as_user_SUITE).
+
+-compile(export_all).
+-compile(no_warning_export).
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+-define(PID, emqx_auth_ldap).
+
+-define(APP, emqx_auth_ldap).
+
+-define(DeviceDN, "ou=test_device,dc=emqx,dc=io").
+
+-define(AuthDN, "ou=test_auth,dc=emqx,dc=io").
+
+all() ->
+    [check_auth,
+     check_acl].
+
+init_per_suite(Config) ->
+    emqx_ct_helpers:start_apps([emqx, emqx_auth_ldap], fun set_special_configs/1),
+    % emqx_mod_acl_internal:unload([]),
+    Config.
+
+end_per_suite(_Config) ->
+    emqx_ct_helpers:stop_apps([emqx_auth_ldap, emqx]).
+
+check_auth(_) ->
+    MqttUser1 = #{clientid => <<"mqttuser1">>,
+                  username => <<"user1">>,
+                  password => <<"mqttuser0001">>,
+                  zone => external},
+    MqttUser2 = #{clientid => <<"mqttuser2">>,
+                  username => <<"user2">>,
+                  password => <<"mqttuser0002">>,
+                  zone => external},
+    NonExistUser1 = #{clientid => <<"mqttuser3">>,
+                      username => <<"user3">>,
+                      password => <<"mqttuser0003">>,
+                      zone => external},
+    ct:log("MqttUser: ~p", [emqx_access_control:authenticate(MqttUser1)]),
+    ?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser1)),
+    ?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser2)),
+    ?assertEqual({error, not_authorized}, emqx_access_control:authenticate(NonExistUser1)).
+
+check_acl(_) ->
+    % emqx_modules:load_module(emqx_mod_acl_internal, false),
+    MqttUser = #{clientid => <<"mqttuser1">>, username => <<"user1">>, zone => external},
+    NoMqttUser = #{clientid => <<"mqttuser2">>, username => <<"user7">>, zone => external},
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/#">>),
+
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/#">>),
+
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/#">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/1">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/+">>),
+    allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/#">>),
+
+    deny = emqx_access_control:check_acl(NoMqttUser, publish, <<"mqttuser0001/req/mqttuser0001/+">>),
+    deny = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/req/mqttuser0002/+">>),
+    deny = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/req/+/mqttuser0002">>),
+    ok.
+
+set_special_configs(emqx) ->
+    application:set_env(emqx, allow_anonymous, false),
+    application:set_env(emqx, enable_acl_cache, false),
+    application:set_env(emqx, acl_nomatch, deny),
+    AclFilePath = filename:join(["test", "emqx_SUITE_data", "acl.conf"]),
+    application:set_env(emqx, acl_file,
+		        emqx_ct_helpers:deps_path(emqx, AclFilePath)),
+    LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
+    application:set_env(emqx, plugins_loaded_file,
+                        emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
+
+set_special_configs(emqx_auth_ldap) ->
+    application:set_env(emqx_auth_ldap, bind_as_user, true),
+    application:set_env(emqx_auth_ldap, device_dn, "ou=testdevice, dc=emqx, dc=io"),
+    application:set_env(emqx_auth_ldap, custom_base_dn, "${device_dn}"),
+    %% auth.ldap.filters.1.key = mqttAccountName
+    %% auth.ldap.filters.1.value = ${user}
+    %% auth.ldap.filters.1.op = and
+    %% auth.ldap.filters.2.key = objectClass
+    %% auth.ldap.filters.1.value = mqttUser
+    application:set_env(emqx_auth_ldap, filters, [{"mqttAccountName", "${user}"},
+                                                  "and",
+                                                  {"objectClass", "mqttUser"}]);
+
+set_special_configs(_App) ->
+    ok.
+

apps/emqx_auth_mnesia/.github/workflows/run_test_cases.yaml

@@ -0,0 +1,29 @@
+name: Run test cases
+
+on: [push, pull_request]
+
+jobs:    
+    run_test_cases:
+        runs-on: ubuntu-latest
+      
+        container:
+            image: erlang:22.1
+            
+        steps:
+            - uses: actions/checkout@v1
+            - name: run test cases
+              run: |
+                make xref
+                make eunit
+                make ct
+                make cover
+            - uses: actions/upload-artifact@v1
+              if: always()
+              with:
+                name: logs
+                path: _build/test/logs
+            - uses: actions/upload-artifact@v1
+              with:
+                name: cover
+                path: _build/test/cover
+

apps/emqx_auth_mnesia/.gitignore

@@ -0,0 +1,26 @@
+.eunit
+deps
+*.o
+*.beam
+*.plt
+erl_crash.dump
+ebin
+rel/example_project
+.concrete/DEV_MODE
+.rebar
+.erlang.mk/
+emqx_auth_mnesia.d
+data/
+_build/
+.DS_Store
+cover/
+ct.coverdata
+eunit.coverdata
+logs/
+test/ct.cover.spec
+rebar.lock
+rebar3.crashdump
+erlang.mk
+.*.swp
+.rebar3/
+etc/emqx_auth_mnesia.conf.rendered

apps/emqx_auth_mnesia/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

apps/emqx_auth_mnesia/Makefile

@@ -0,0 +1,28 @@
+## shallow clone for speed
+
+REBAR_GIT_CLONE_OPTIONS += --depth 1
+export REBAR_GIT_CLONE_OPTIONS
+
+REBAR = rebar3
+all: compile
+
+compile:
+	$(REBAR) compile
+
+ct: compile
+	$(REBAR) as test ct -v
+
+eunit: compile
+	$(REBAR) as test eunit
+
+xref:
+	$(REBAR) xref
+
+cover:
+	$(REBAR) cover
+
+clean: distclean
+
+distclean:
+	@rm -rf _build
+	@rm -f data/app.*.config data/vm.*.args rebar.lock

apps/emqx_auth_mnesia/README.md

@@ -0,0 +1,2 @@
+emqx_auth_mnesia
+===============

apps/emqx_auth_mnesia/etc/emqx_auth_mnesia.conf

@@ -0,0 +1,30 @@
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 | sha512
+auth.mnesia.password_hash = sha256
+
+##--------------------------------------------------------------------
+## ClientId Authentication
+##--------------------------------------------------------------------
+
+## Examples
+##auth.client.1.clientid = id
+##auth.client.1.password = passwd
+##auth.client.2.clientid = dev:devid
+##auth.client.2.password = passwd2
+##auth.client.3.clientid = app:appid
+##auth.client.3.password = passwd3
+##auth.client.4.clientid = client~!@#$%^&*()_+
+##auth.client.4.password = passwd~!@#$%^&*()_+
+
+##--------------------------------------------------------------------
+## Username Authentication
+##--------------------------------------------------------------------
+
+## Examples:
+##auth.user.1.username = admin
+##auth.user.1.password = public
+##auth.user.2.username = feng@emqtt.io
+##auth.user.2.password = public
+##auth.user.3.username = name~!@#$%^&*()_+
+##auth.user.3.password = pwsswd~!@#$%^&*()_+

apps/emqx_auth_mnesia/include/emqx_auth_mnesia.hrl

@@ -0,0 +1,38 @@
+-define(APP, emqx_auth_mnesia).
+
+-type(login():: {clientid, binary()}
+              | {username, binary()}).
+
+-record(emqx_user, {
+          login :: login(),
+          password :: binary(),
+          created_at :: integer()
+        }).
+
+-record(emqx_acl, {
+          filter:: {login() | all, emqx_topic:topic()},
+          action :: pub | sub | pubsub,
+          access :: allow | deny,
+          created_at :: integer()
+         }).
+
+-record(auth_metrics, {
+        success = 'client.auth.success',
+        failure = 'client.auth.failure',
+        ignore = 'client.auth.ignore'
+    }).
+
+-record(acl_metrics, {
+        allow = 'client.acl.allow',
+        deny = 'client.acl.deny',
+        ignore = 'client.acl.ignore'
+    }).
+
+-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
+-define(METRICS(Type, K), #Type{}#Type.K).
+
+-define(AUTH_METRICS, ?METRICS(auth_metrics)).
+-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
+
+-define(ACL_METRICS, ?METRICS(acl_metrics)).
+-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

apps/emqx_auth_mnesia/priv/emqx_auth_mnesia.schema

@@ -0,0 +1,43 @@
+%%-*- mode: erlang -*-
+%% emqx_auth_mnesia config mapping
+
+{mapping, "auth.mnesia.password_hash", "emqx_auth_mnesia.password_hash", [
+  {default, sha256},
+  {datatype, {enum, [plain, md5, sha, sha256, sha512]}}
+]}.
+
+{mapping, "auth.client.$id.clientid", "emqx_auth_mnesia.clientid_list", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.client.$id.password", "emqx_auth_mnesia.clientid_list", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_mnesia.clientid_list", fun(Conf) ->
+  ClientList = cuttlefish_variable:filter_by_prefix("auth.client", Conf),
+  lists:foldl(
+       fun({["auth", "client", Id, "clientid"], ClientId}, AccIn) ->
+        [{ClientId, cuttlefish:conf_get("auth.client." ++ Id ++ ".password", Conf)} | AccIn];
+       (_, AccIn) ->
+        AccIn
+       end, [], ClientList)
+end}.
+
+{mapping, "auth.user.$id.username", "emqx_auth_mnesia.username_list", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.user.$id.password", "emqx_auth_mnesia.username_list", [
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_mnesia.username_list", fun(Conf) ->
+  Userlist = cuttlefish_variable:filter_by_prefix("auth.user", Conf),
+  lists:foldl(
+    fun({["auth", "user", Id, "username"], Username}, AccIn) ->
+        [{Username, cuttlefish:conf_get("auth.user." ++ Id ++ ".password", Conf)} | AccIn];
+       (_, AccIn) ->
+        AccIn
+       end, [], Userlist)
+end}.

apps/emqx_auth_mnesia/rebar.config

@@ -0,0 +1,29 @@
+{minimum_otp_vsn, "21"}.
+
+{deps,
+ [{emqx_passwd, {git, "https://github.com/emqx/emqx-passwd.git", {tag, "v1.1.1"}}},
+  {minirest, {git, "https://github.com/emqx/minirest.git", {tag, "0.3.2"}}}
+ ]}.
+
+{profiles,
+ [{test,
+   [{deps,
+     [{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "v1.2.2"}}}
+     ]}
+   ]}
+ ]}.
+
+{erl_opts, [warn_unused_vars,
+            warn_shadow_vars,
+            warn_unused_import,
+            warn_obsolete_guard,
+            debug_info,
+            {parse_transform}]}.
+
+{xref_checks, [undefined_function_calls, undefined_functions,
+               locals_not_used, deprecated_function_calls,
+               warnings_as_errors, deprecated_functions]}.
+{cover_enabled, true}.
+{cover_opts, [verbose]}.
+{cover_export_enabled, true}.
+

apps/emqx_auth_mnesia/rebar.config.script

@@ -0,0 +1,54 @@
+%%-*- mode: erlang -*-
+
+DEPS = case lists:keyfind(deps, 1, CONFIG) of
+          {_, Deps} -> Deps;
+          _ -> []
+      end,
+
+ComparingFun = fun
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
+                                            is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2)    -> _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2)    -> true;
+                _Fun(_, _) -> false
+              end,
+
+SortFun = fun(T1, T2) ->
+            C = fun(T) ->
+                  [case catch list_to_integer(E) of
+                      I when is_integer(I) -> I;
+                      _ -> E
+                    end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
+                end,
+            ComparingFun(C(T1), C(T2))
+          end,
+
+VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
+
+Tags = case VTags of
+         [] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
+         _ -> VTags
+       end,
+
+LatestTag = lists:last(lists:sort(SortFun, Tags)),
+
+Branch = case os:getenv("GITHUB_RUN_ID") of
+                false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
+                _ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
+         end,
+
+GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
+                match -> {branch, Branch};
+                _ -> {tag, LatestTag}
+              end,
+
+UrlPrefix = "https://github.com/emqx/",
+
+EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
+EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
+
+NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
+
+CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
+
+CONFIG1.

apps/emqx_auth_mnesia/src/emqx_acl_mnesia.erl

@@ -0,0 +1,103 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_acl_mnesia).
+
+-include("emqx_auth_mnesia.hrl").
+
+-include_lib("stdlib/include/ms_transform.hrl").
+
+-define(TABLE, emqx_acl).
+
+%% ACL Callbacks
+-export([ init/0
+        , register_metrics/0
+        , check_acl/5
+        , description/0
+        ]).
+
+init() ->
+    ok = ekka_mnesia:create_table(emqx_acl, [
+            {disc_copies, [node()]},
+            {attributes, record_info(fields, emqx_acl)},
+            {storage_properties, [{ets, [{read_concurrency, true}]}]}]),
+    ok = ekka_mnesia:copy_table(emqx_acl, disc_copies).
+
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
+
+check_acl(ClientInfo = #{ clientid := Clientid }, PubSub, Topic, _NoMatchAction, _Params) ->
+    Username = maps:get(username, ClientInfo, undefined),
+
+    Acls = case Username of
+               undefined ->
+                   emqx_acl_mnesia_cli:lookup_acl({clientid, Clientid}) ++
+                   emqx_acl_mnesia_cli:lookup_acl(all);
+               _ ->
+                   emqx_acl_mnesia_cli:lookup_acl({clientid, Clientid}) ++
+                   emqx_acl_mnesia_cli:lookup_acl({username, Username}) ++
+                   emqx_acl_mnesia_cli:lookup_acl(all)
+           end,
+
+    case match(ClientInfo, PubSub, Topic, Acls) of
+        allow ->
+            emqx_metrics:inc(?ACL_METRICS(allow)),
+            {stop, allow};
+        deny ->
+            emqx_metrics:inc(?ACL_METRICS(deny)),
+            {stop, deny};
+        _ ->
+            emqx_metrics:inc(?ACL_METRICS(ignore)),
+            ok
+    end.
+
+description() -> "Acl with Mnesia".
+
+%%--------------------------------------------------------------------
+%% Internal functions
+%%-------------------------------------------------------------------
+
+match(_ClientInfo,  _PubSub, _Topic, []) ->
+    nomatch;
+match(ClientInfo, PubSub, Topic, [ {_, ACLTopic, Action, Access, _} | Acls]) ->
+    case match_actions(PubSub, Action) andalso match_topic(ClientInfo, Topic, ACLTopic) of
+        true -> Access;
+        false -> match(ClientInfo, PubSub, Topic, Acls)
+    end.
+
+match_topic(ClientInfo, Topic, ACLTopic) when is_binary(Topic) ->
+    emqx_topic:match(Topic, feed_var(ClientInfo, ACLTopic)).
+
+match_actions(_, pubsub) -> true;
+match_actions(subscribe, sub) -> true;
+match_actions(publish, pub) -> true;
+match_actions(_, _) -> false.
+
+feed_var(ClientInfo, Pattern) ->
+    feed_var(ClientInfo, emqx_topic:words(Pattern), []).
+feed_var(_ClientInfo, [], Acc) ->
+    emqx_topic:join(lists:reverse(Acc));
+feed_var(ClientInfo = #{clientid := undefined}, [<<"%c">>|Words], Acc) ->
+    feed_var(ClientInfo, Words, [<<"%c">>|Acc]);
+feed_var(ClientInfo = #{clientid := ClientId}, [<<"%c">>|Words], Acc) ->
+    feed_var(ClientInfo, Words, [ClientId |Acc]);
+feed_var(ClientInfo = #{username := undefined}, [<<"%u">>|Words], Acc) ->
+    feed_var(ClientInfo, Words, [<<"%u">>|Acc]);
+feed_var(ClientInfo = #{username := Username}, [<<"%u">>|Words], Acc) ->
+    feed_var(ClientInfo, Words, [Username|Acc]);
+feed_var(ClientInfo, [W|Words], Acc) ->
+    feed_var(ClientInfo, Words, [W|Acc]).

apps/emqx_auth_mnesia/src/emqx_acl_mnesia_api.erl

@@ -0,0 +1,237 @@
+%c%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_acl_mnesia_api).
+
+-include("emqx_auth_mnesia.hrl").
+
+-include_lib("stdlib/include/ms_transform.hrl").
+
+-import(proplists, [ get_value/2
+                   , get_value/3
+                   ]).
+
+-import(minirest,  [return/1]).
+
+-rest_api(#{name   => list_clientid,
+            method => 'GET',
+            path   => "/acl/clientid",
+            func   => list_clientid,
+            descr  => "List available mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => list_username,
+            method => 'GET',
+            path   => "/acl/username",
+            func   => list_username,
+            descr  => "List available mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => list_all,
+            method => 'GET',
+            path   => "/acl/$all",
+            func   => list_all,
+            descr  => "List available mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => lookup_clientid,
+            method => 'GET',
+            path   => "/acl/clientid/:bin:clientid",
+            func   => lookup,
+            descr  => "Lookup mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => lookup_username,
+            method => 'GET',
+            path   => "/acl/username/:bin:username",
+            func   => lookup,
+            descr  => "Lookup mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => add,
+            method => 'POST',
+            path   => "/acl",
+            func   => add,
+            descr  => "Add mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => delete_clientid,
+            method => 'DELETE',
+            path   => "/acl/clientid/:bin:clientid/topic/:bin:topic",
+            func   => delete,
+            descr  => "Delete mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => delete_username,
+            method => 'DELETE',
+            path   => "/acl/username/:bin:username/topic/:bin:topic",
+            func   => delete,
+            descr  => "Delete mnesia in the cluster"
+           }).
+
+-rest_api(#{name   => delete_all,
+            method => 'DELETE',
+            path   => "/acl/$all/topic/:bin:topic",
+            func   => delete,
+            descr  => "Delete mnesia in the cluster"
+           }).
+
+
+-export([ list_clientid/2
+        , list_username/2
+        , list_all/2
+        , lookup/2
+        , add/2
+        , delete/2
+        ]).
+
+list_clientid(_Bindings, Params) ->
+    MatchSpec = ets:fun2ms(
+                  fun({emqx_acl, {{clientid, Clientid}, Topic}, Action, Access, CreatedAt}) -> {{clientid,Clientid}, Topic, Action,Access, CreatedAt} end),
+    return({ok, emqx_auth_mnesia_api:paginate(emqx_acl, MatchSpec, Params, fun emqx_acl_mnesia_cli:comparing/2, fun format/1)}).
+
+list_username(_Bindings, Params) ->
+    MatchSpec = ets:fun2ms(
+                  fun({emqx_acl, {{username, Username}, Topic}, Action, Access, CreatedAt}) -> {{username, Username}, Topic, Action,Access, CreatedAt} end),
+    return({ok, emqx_auth_mnesia_api:paginate(emqx_acl, MatchSpec, Params, fun emqx_acl_mnesia_cli:comparing/2, fun format/1)}).
+
+list_all(_Bindings, Params) ->
+    MatchSpec = ets:fun2ms(
+                  fun({emqx_acl, {all, Topic}, Action, Access, CreatedAt}) -> {all, Topic, Action,Access, CreatedAt}end
+                 ),
+    return({ok, emqx_auth_mnesia_api:paginate(emqx_acl, MatchSpec, Params, fun emqx_acl_mnesia_cli:comparing/2, fun format/1)}).
+
+
+lookup(#{clientid := Clientid}, _Params) ->
+    return({ok, format(emqx_acl_mnesia_cli:lookup_acl({clientid, urldecode(Clientid)}))});
+lookup(#{username := Username}, _Params) ->
+    return({ok, format(emqx_acl_mnesia_cli:lookup_acl({username, urldecode(Username)}))}).
+
+add(_Bindings, Params) ->
+    [ P | _] = Params,
+    case is_list(P) of
+        true -> return(do_add(Params, []));
+        false ->
+            Re = do_add(Params),
+            case Re of
+                #{result := ok} -> return({ok, Re});
+                #{result := <<"ok">>} -> return({ok, Re});
+                _ -> return({error, Re})
+            end
+    end.
+
+do_add([ Params | ParamsN ], ReList) ->
+    do_add(ParamsN, [do_add(Params) | ReList]);
+
+do_add([], ReList) ->
+    {ok, ReList}.
+
+do_add(Params) ->
+    Clientid = get_value(<<"clientid">>, Params, undefined),
+    Username = get_value(<<"username">>, Params, undefined),
+    Login = case {Clientid, Username} of
+                {undefined, undefined} -> all;
+                {_, undefined} -> {clientid, urldecode(Clientid)};
+                {undefined, _} -> {username, urldecode(Username)}
+            end,
+    Topic = urldecode(get_value(<<"topic">>, Params)),
+    Action = urldecode(get_value(<<"action">>, Params)),
+    Access = urldecode(get_value(<<"access">>, Params)),
+    Re = case validate([login, topic, action, access], [Login, Topic, Action, Access]) of
+        ok -> 
+            emqx_acl_mnesia_cli:add_acl(Login, Topic, erlang:binary_to_atom(Action, utf8), erlang:binary_to_atom(Access, utf8));
+        Err -> Err
+    end,
+    maps:merge(#{topic => Topic,
+                 action => Action,
+                 access => Access,
+                 result => format_msg(Re)
+                }, case Login of
+                     all -> #{all => '$all'};
+                     _ -> maps:from_list([Login])
+                   end).
+    
+delete(#{clientid := Clientid, topic := Topic}, _) ->
+    return(emqx_acl_mnesia_cli:remove_acl({clientid, urldecode(Clientid)}, urldecode(Topic)));
+delete(#{username := Username, topic := Topic}, _) ->
+    return(emqx_acl_mnesia_cli:remove_acl({username, urldecode(Username)}, urldecode(Topic)));
+delete(#{topic := Topic}, _) ->
+    return(emqx_acl_mnesia_cli:remove_acl(all, urldecode(Topic))).
+
+%%------------------------------------------------------------------------------
+%% Interval Funcs
+%%------------------------------------------------------------------------------
+format({{clientid, Clientid}, Topic, Action, Access, _CreatedAt}) ->
+    #{clientid => Clientid, topic => Topic, action => Action, access => Access};
+format({{username, Username}, Topic, Action, Access, _CreatedAt}) ->
+    #{username => Username, topic => Topic, action => Action, access => Access};
+format({all, Topic, Action, Access, _CreatedAt}) ->
+    #{all => '$all', topic => Topic, action => Action, access => Access};
+format(List) when is_list(List) ->
+    format(List, []).
+
+format([L | List], Relist) ->
+    format(List, [format(L) | Relist]);
+format([], ReList) -> lists:reverse(ReList).
+
+validate([], []) ->
+    ok;
+validate([K|Keys], [V|Values]) ->
+   case do_validation(K, V) of
+       false -> {error, K};
+       true  -> validate(Keys, Values)
+   end.
+do_validation(login, all) ->
+    true;
+do_validation(login, {clientid, V}) when is_binary(V)
+                     andalso byte_size(V) > 0->
+    true;
+do_validation(login, {username, V}) when is_binary(V)
+                     andalso byte_size(V) > 0->
+    true;
+do_validation(clientid, V) when is_binary(V)
+                     andalso byte_size(V) > 0 ->
+    true;
+do_validation(username, V) when is_binary(V)
+                     andalso byte_size(V) > 0 ->
+    true;
+do_validation(topic, V) when is_binary(V)
+                     andalso byte_size(V) > 0 ->
+    true;
+do_validation(action, V) when is_binary(V) ->
+    case V =:= <<"pub">> orelse V =:= <<"sub">> orelse V =:= <<"pubsub">> of
+        true -> true;
+        false -> false
+    end;
+do_validation(access, V) when V =:= <<"allow">> orelse V =:= <<"deny">> ->
+    true;
+do_validation(_, _) ->
+    false.
+
+format_msg(Message)
+  when is_atom(Message);
+       is_binary(Message) -> Message;
+
+format_msg(Message) when is_tuple(Message) ->
+    iolist_to_binary(io_lib:format("~p", [Message])).
+
+-if(?OTP_RELEASE >= 23).
+urldecode(S) ->
+    [{R, _}] = uri_string:dissect_query(S), R.
+-else.
+urldecode(S) ->
+    http_uri:decode(S).
+-endif.

apps/emqx_auth_mnesia/src/emqx_acl_mnesia_cli.erl

@@ -0,0 +1,198 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_acl_mnesia_cli).
+
+-include("emqx_auth_mnesia.hrl").
+-include_lib("emqx/include/logger.hrl").
+-include_lib("stdlib/include/ms_transform.hrl").
+-define(TABLE, emqx_acl).
+
+%% Acl APIs
+-export([ add_acl/4
+        , lookup_acl/1
+        , all_acls/0
+        , all_acls/1
+        , remove_acl/2
+        ]).
+
+-export([cli/1]).
+-export([comparing/2]).
+%%--------------------------------------------------------------------
+%% Acl API
+%%--------------------------------------------------------------------
+
+%% @doc Add Acls
+-spec(add_acl(login() |all, emqx_topic:topic(), pub | sub| pubsub, allow | deny) -> ok | {error, any()}).
+add_acl(Login, Topic, Action, Access) ->
+    Acls = #?TABLE{
+              filter = {Login, Topic},
+              action = Action,
+              access = Access,
+              created_at = erlang:system_time(millisecond)
+             },
+    ret(mnesia:transaction(fun mnesia:write/1, [Acls])).
+
+%% @doc Lookup acl by login
+-spec(lookup_acl(login() | all) -> list()).
+lookup_acl(undefined) -> [];
+lookup_acl(Login) ->
+    MatchSpec = ets:fun2ms(fun({?TABLE, {Filter, ACLTopic}, Action, Access, CreatedAt})
+                                 when Filter =:= Login -> {Filter, ACLTopic, Action, Access, CreatedAt} end),
+    lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec)).
+
+%% @doc Remove acl
+-spec(remove_acl(login() | all, emqx_topic:topic()) -> ok | {error, any()}).
+remove_acl(Login, Topic) ->
+    ret(mnesia:transaction(fun mnesia:delete/1, [{?TABLE, {Login, Topic}}])).
+
+%% @doc All logins
+-spec(all_acls() -> list()).
+all_acls() -> 
+    all_acls(clientid) ++
+    all_acls(username) ++
+    all_acls(all).
+
+all_acls(clientid) -> 
+    MatchSpec = ets:fun2ms(fun({?TABLE, {{clientid, Clientid}, Topic}, Action, Access, CreatedAt}) -> {{clientid, Clientid}, Topic, Action, Access, CreatedAt} end),
+    lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec));
+all_acls(username) -> 
+    MatchSpec = ets:fun2ms(fun({?TABLE, {{username, Username}, Topic}, Action, Access, CreatedAt}) -> {{username, Username}, Topic, Action, Access, CreatedAt} end),
+    lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec));
+all_acls(all) -> 
+    MatchSpec = ets:fun2ms(fun({?TABLE, {all, Topic}, Action, Access, CreatedAt}) -> {all, Topic, Action, Access, CreatedAt} end),
+    lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec)).
+
+%%--------------------------------------------------------------------
+%% Internal functions
+%%--------------------------------------------------------------------
+
+comparing({_, _, _, _, CreatedAt1},
+          {_, _, _, _, CreatedAt2}) ->
+    CreatedAt1 >= CreatedAt2.
+
+ret({atomic, ok})     -> ok;
+ret({aborted, Error}) -> {error, Error}.
+
+validate(action, "pub") -> true;
+validate(action, "sub") -> true;
+validate(action, "pubsub") -> true;
+validate(access, "allow") -> true;
+validate(access, "deny") -> true;
+validate(_, _) -> false.
+
+%%--------------------------------------------------------------------
+%% ACL Cli
+%%--------------------------------------------------------------------
+
+cli(["list"]) ->
+    [ begin
+        case Filter of
+            {clientid, Clientid} ->
+                emqx_ctl:print("Acl(clientid = ~p topic = ~p action = ~p access = ~p)~n",[Clientid, Topic, Action, Access]);
+            {username, Username} ->
+                emqx_ctl:print("Acl(username = ~p topic = ~p action = ~p access = ~p)~n",[Username, Topic, Action, Access]);
+            all ->
+                emqx_ctl:print("Acl($all topic = ~p action = ~p access = ~p)~n",[Topic, Action, Access])
+        end
+      end || {Filter, Topic, Action, Access, _} <- all_acls()];
+
+cli(["list", "clientid"]) ->
+    [emqx_ctl:print("Acl(clientid = ~p topic = ~p action = ~p access = ~p)~n",[Clientid, Topic, Action, Access])
+     || {{clientid, Clientid}, Topic, Action, Access, _} <- all_acls(clientid) ];
+
+cli(["list", "username"]) ->
+    [emqx_ctl:print("Acl(username = ~p topic = ~p action = ~p access = ~p)~n",[Username, Topic, Action, Access])
+     || {{username, Username}, Topic, Action, Access, _} <- all_acls(username) ];
+
+cli(["list", "_all"]) ->
+    [emqx_ctl:print("Acl($all topic = ~p action = ~p access = ~p)~n",[Topic, Action, Access])
+     || {all, Topic, Action, Access, _} <- all_acls(all) ];
+
+cli(["add", "clientid", Clientid, Topic, Action, Access]) ->
+    case validate(action, Action) andalso validate(access, Access) of
+        true ->
+            case add_acl({clientid, iolist_to_binary(Clientid)}, iolist_to_binary(Topic), list_to_existing_atom(Action), list_to_existing_atom(Access)) of
+                ok -> emqx_ctl:print("ok~n");
+                {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+            end;
+        _ ->
+             emqx_ctl:print("Error: Input is illegal~n")
+    end;
+
+cli(["add", "username", Username, Topic, Action, Access]) ->
+    case validate(action, Action) andalso validate(access, Access) of
+        true ->
+            case add_acl({username, iolist_to_binary(Username)}, iolist_to_binary(Topic), list_to_existing_atom(Action), list_to_existing_atom(Access)) of
+                ok -> emqx_ctl:print("ok~n");
+                {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+            end;
+        _ ->
+             emqx_ctl:print("Error: Input is illegal~n")
+    end;
+
+cli(["add", "_all", Topic, Action, Access]) ->
+    case validate(action, Action) andalso validate(access, Access) of
+        true ->
+            case add_acl(all, iolist_to_binary(Topic), list_to_existing_atom(Action), list_to_existing_atom(Access)) of
+                ok -> emqx_ctl:print("ok~n");
+                {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+            end;
+        _ ->
+             emqx_ctl:print("Error: Input is illegal~n")
+    end;
+
+cli(["show", "clientid", Clientid]) ->
+    [emqx_ctl:print("Acl(clientid = ~p topic = ~p action = ~p access = ~p)~n",[NClientid, Topic, Action, Access])
+     || {{clientid, NClientid}, Topic, Action, Access, _} <- lookup_acl({clientid, iolist_to_binary(Clientid)}) ];
+
+cli(["show", "username", Username]) ->
+    [emqx_ctl:print("Acl(username = ~p topic = ~p action = ~p access = ~p)~n",[NUsername, Topic, Action, Access])
+     || {{username, NUsername}, Topic, Action, Access, _} <- lookup_acl({username, iolist_to_binary(Username)}) ];
+
+cli(["del", "clientid", Clientid, Topic])->
+    case remove_acl({clientid, iolist_to_binary(Clientid)}, iolist_to_binary(Topic)) of
+         ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+cli(["del", "username", Username, Topic])->
+    case remove_acl({username, iolist_to_binary(Username)}, iolist_to_binary(Topic)) of
+         ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+cli(["del", "_all", Topic])->
+    case remove_acl(all, iolist_to_binary(Topic)) of
+         ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+cli(_) ->
+    emqx_ctl:usage([ {"acl list clientid","List clientid acls"}
+                   , {"acl list username","List username acls"}
+                   , {"acl list _all","List $all acls"}
+                   , {"acl show clientid <Clientid>", "Lookup clientid acl detail"}
+                   , {"acl show username <Username>", "Lookup username acl detail"}
+                   , {"acl aad clientid <Clientid> <Topic> <Action> <Access>", "Add clientid acl"}
+                   , {"acl add Username <Username> <Topic> <Action> <Access>", "Add username acl"}
+                   , {"acl add _all <Topic> <Action> <Access>", "Add $all acl"}
+                   , {"acl del clientid <Clientid> <Topic>", "Delete clientid acl"}
+                   , {"acl del username <Username> <Topic>", "Delete username acl"}
+                   , {"acl del _all <Topic>", "Delete $all acl"}
+                   ]).
+
+

apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src

@@ -0,0 +1,14 @@
+{application, emqx_auth_mnesia,
+ [{description, "EMQ X Authentication with Mnesia"},
+  {vsn, "git"},
+  {modules, []},
+  {registered, []},
+  {applications, [kernel,stdlib,mnesia]},
+  {mod, {emqx_auth_mnesia_app,[]}},
+  {env, []},
+  {licenses, ["Apache-2.0"]},
+  {maintainers, ["EMQ X Team <contact@emqx.io>"]},
+  {links, [{"Homepage", "https://emqx.io/"},
+           {"Github", "https://github.com/emqx/emqx-auth-mnesia"}
+          ]}
+ ]}.

apps/emqx_auth_mnesia/src/emqx_auth_mnesia.app.src.script

@@ -0,0 +1,24 @@
+%%-*- mode: erlang -*-
+%% .app.src.script
+
+RemoveLeadingV =
+    fun(Tag) ->
+        case re:run(Tag, "^[v|e]?[0-9]\.[0-9]\.([0-9]|(rc|beta|alpha)\.[0-9])", [{capture, none}]) of
+            nomatch ->
+                re:replace(Tag, "/", "-", [{return ,list}]);
+            _ ->
+                %% if it is a version number prefixed by 'v' or 'e', then remove it
+                re:replace(Tag, "[v|e]", "", [{return ,list}])
+        end
+    end,
+
+case os:getenv("EMQX_DEPS_DEFAULT_VSN") of
+    false -> CONFIG; % env var not defined
+    []    -> CONFIG; % env var set to empty string
+    Tag ->
+       [begin
+           AppConf0 = lists:keystore(vsn, 1, AppConf, {vsn, RemoveLeadingV(Tag)}),
+           {application, App, AppConf0}
+        end || Conf = {application, App, AppConf} <- CONFIG]
+end.
+

apps/emqx_auth_mnesia/src/emqx_auth_mnesia.appup.src

@@ -0,0 +1,39 @@
+%% -*-: erlang -*-
+{VSN,
+ [ 
+  {"4.2.2", [
+    {load_module, emqx_auth_mnesia_app},
+    {load_module, emqx_auth_mnesia_cli},
+    {load_module, emqx_acl_mnesia_cli},
+    {apply, {emqx_ctl, unregister_command, [username]}}
+  ]},
+  {"4.2.1", [
+    {load_module, emqx_auth_mnesia_app},
+    {load_module, emqx_auth_mnesia_cli},
+    {load_module, emqx_acl_mnesia_cli},
+    {apply, {emqx_ctl, unregister_command, [username]}}
+  ]},
+  {"4.2.0", [
+    {restart_application, emqx_auth_mnesia}
+  ]},
+  {<<".*">>, []}
+ ],
+ [
+  {"4.2.2", [
+    {load_module, emqx_auth_mnesia_app},
+    {load_module, emqx_auth_mnesia_cli},
+    {load_module, emqx_acl_mnesia_cli},
+    {apply, {emqx_ctl, register_command, [username, {emqx_auth_mnesia_cli, auth_username_cli}, []]}}
+  ]},
+  {"4.2.1", [
+    {load_module, emqx_auth_mnesia_app},
+    {load_module, emqx_auth_mnesia_cli},
+    {load_module, emqx_acl_mnesia_cli},
+    {apply, {emqx_ctl, register_command, [username, {emqx_auth_mnesia_cli, auth_username_cli}, []]}}
+  ]},
+  {"4.2.0", [
+    {restart_application, emqx_auth_mnesia}
+  ]},
+  {<<".*">>, []}
+ ]
+}.

apps/emqx_auth_mnesia/src/emqx_auth_mnesia.erl

@@ -0,0 +1,109 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_mnesia).
+
+-include("emqx_auth_mnesia.hrl").
+
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("emqx/include/logger.hrl").
+-include_lib("emqx/include/types.hrl").
+
+-include_lib("stdlib/include/ms_transform.hrl").
+
+-define(TABLE, emqx_user).
+%% Auth callbacks
+-export([ init/1
+        , register_metrics/0
+        , check/3
+        , description/0
+        ]).
+
+init(#{clientid_list := ClientidList, username_list := UsernameList}) ->
+    ok = ekka_mnesia:create_table(emqx_user, [
+            {disc_copies, [node()]},
+            {attributes, record_info(fields, emqx_user)},
+            {storage_properties, [{ets, [{read_concurrency, true}]}]}]),
+    [ add_default_user({{clientid, iolist_to_binary(Clientid)}, iolist_to_binary(Password)})
+      || {Clientid, Password} <- ClientidList],
+    [ add_default_user({{username, iolist_to_binary(Username)}, iolist_to_binary(Password)})
+      || {Username, Password} <- UsernameList],
+    ok = ekka_mnesia:copy_table(emqx_user, disc_copies).
+
+%% @private
+add_default_user({Login, Password}) when is_tuple(Login) ->
+    emqx_auth_mnesia_cli:add_user(Login, Password).
+
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
+
+check(ClientInfo = #{ clientid := Clientid
+                    , password := NPassword
+                    }, AuthResult, #{hash_type := HashType}) ->
+    Username = maps:get(username, ClientInfo, undefined),
+    MatchSpec = ets:fun2ms(fun({?TABLE, {clientid, X }, Password, InterTime}) when X =:= Clientid-> Password;
+                              ({?TABLE, {username, X }, Password, InterTime}) when X =:= Username andalso X =/= undefined -> Password
+                           end),
+    case ets:select(?TABLE, MatchSpec) of
+        [] -> 
+            emqx_metrics:inc(?AUTH_METRICS(ignore)),
+            ok;
+        List ->
+            case match_password(NPassword, HashType, List)  of
+                false ->
+                    ?LOG(error, "[Mnesia] Auth from mnesia failed: ~p", [ClientInfo]),
+                    emqx_metrics:inc(?AUTH_METRICS(failure)),
+                    {stop, AuthResult#{anonymous => false, auth_result => password_error}};
+                _ ->
+                    emqx_metrics:inc(?AUTH_METRICS(success)),
+                    {stop, AuthResult#{anonymous => false, auth_result => success}}
+            end
+    end.
+
+description() -> "Authentication with Mnesia".
+
+match_password(Password, HashType, HashList) ->
+    lists:any(
+      fun(Secret) ->
+        case is_salt_hash(Secret, HashType) of
+            true ->
+                <<Salt:4/binary, Hash/binary>> = Secret,
+                Hash =:= hash(Password, Salt, HashType);
+            _ ->
+                Secret =:= hash(Password, HashType)
+        end
+      end, HashList).
+
+hash(undefined, HashType) ->
+    hash(<<>>, HashType);
+hash(Password, HashType) ->
+    emqx_passwd:hash(HashType, Password).
+
+hash(undefined, SaltBin, HashType) ->
+    hash(<<>>, SaltBin, HashType);
+hash(Password, SaltBin, HashType) ->
+    emqx_passwd:hash(HashType, <<SaltBin/binary, Password/binary>>).
+
+is_salt_hash(_, plain) ->
+    true;
+is_salt_hash(Secret, HashType) ->
+    not (byte_size(Secret) == len(HashType)).
+
+len(md5) -> 32;
+len(sha) -> 40;
+len(sha256) -> 64;
+len(sha512) -> 128.

apps/emqx_auth_mnesia/src/emqx_auth_mnesia_api.erl

@@ -0,0 +1,319 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_mnesia_api).
+
+-include_lib("stdlib/include/qlc.hrl").
+-include_lib("stdlib/include/ms_transform.hrl").
+
+-define(TABLE, emqx_user).
+
+-import(proplists, [get_value/2]).
+-import(minirest,  [return/1]).
+-export([paginate/5]).
+
+-export([ list_clientid/2
+        , lookup_clientid/2
+        , add_clientid/2
+        , update_clientid/2
+        , delete_clientid/2
+        ]).
+
+-rest_api(#{name   => list_clientid,
+            method => 'GET',
+            path   => "/auth_clientid",
+            func   => list_clientid,
+            descr  => "List available clientid in the cluster"
+           }).
+
+-rest_api(#{name   => lookup_clientid,
+            method => 'GET',
+            path   => "/auth_clientid/:bin:clientid",
+            func   => lookup_clientid,
+            descr  => "Lookup clientid in the cluster"
+           }).
+
+-rest_api(#{name   => add_clientid,
+            method => 'POST',
+            path   => "/auth_clientid",
+            func   => add_clientid,
+            descr  => "Add clientid in the cluster"
+           }).
+
+-rest_api(#{name   => update_clientid,
+            method => 'PUT',
+            path   => "/auth_clientid/:bin:clientid",
+            func   => update_clientid,
+            descr  => "Update clientid in the cluster"
+           }).
+
+-rest_api(#{name   => delete_clientid,
+            method => 'DELETE',
+            path   => "/auth_clientid/:bin:clientid",
+            func   => delete_clientid,
+            descr  => "Delete clientid in the cluster"
+           }).
+
+-export([ list_username/2
+        , lookup_username/2
+        , add_username/2
+        , update_username/2
+        , delete_username/2
+        ]).
+
+-rest_api(#{name   => list_username,
+            method => 'GET',
+            path   => "/auth_username",
+            func   => list_username,
+            descr  => "List available username in the cluster"
+           }).
+
+-rest_api(#{name   => lookup_username,
+            method => 'GET',
+            path   => "/auth_username/:bin:username",
+            func   => lookup_username,
+            descr  => "Lookup username in the cluster"
+           }).
+
+-rest_api(#{name   => add_username,
+            method => 'POST',
+            path   => "/auth_username",
+            func   => add_username,
+            descr  => "Add username in the cluster"
+           }).
+
+-rest_api(#{name   => update_username,
+            method => 'PUT',
+            path   => "/auth_username/:bin:username",
+            func   => update_username,
+            descr  => "Update username in the cluster"
+           }).
+
+-rest_api(#{name   => delete_username,
+            method => 'DELETE',
+            path   => "/auth_username/:bin:username",
+            func   => delete_username,
+            descr  => "Delete username in the cluster"
+           }).
+
+%%------------------------------------------------------------------------------
+%% Auth Clientid Api
+%%------------------------------------------------------------------------------
+
+list_clientid(_Bindings, Params) ->
+    MatchSpec = ets:fun2ms(fun({?TABLE, {clientid, Clientid}, Password, CreatedAt}) -> {?TABLE, {clientid, Clientid}, Password, CreatedAt} end),
+    return({ok, paginate(?TABLE, MatchSpec, Params, fun emqx_auth_mnesia_cli:comparing/2, fun({?TABLE, {clientid, X}, _, _}) -> #{clientid => X} end)}).
+
+lookup_clientid(#{clientid := Clientid}, _Params) ->
+    return({ok, format(emqx_auth_mnesia_cli:lookup_user({clientid, urldecode(Clientid)}))}).
+
+add_clientid(_Bindings, Params) ->
+    [ P | _] = Params,
+    case is_list(P) of
+        true -> return(do_add_clientid(Params, []));
+        false ->
+            Re = do_add_clientid(Params),
+            case Re of
+                ok -> return(ok);
+                <<"ok">> -> return(ok);
+                _ -> return({error, format_msg(Re)})
+            end
+    end.
+
+do_add_clientid([ Params | ParamsN ], ReList ) ->
+    Clientid = urldecode(get_value(<<"clientid">>, Params)),
+    do_add_clientid(ParamsN, [{Clientid, format_msg(do_add_clientid(Params))} | ReList]);
+
+do_add_clientid([], ReList) ->
+    {ok, ReList}.
+
+do_add_clientid(Params) ->
+    Clientid = urldecode(get_value(<<"clientid">>, Params)),
+    Password = urldecode(get_value(<<"password">>, Params)),
+    Login = {clientid, Clientid},
+    case validate([login, password], [Login, Password]) of
+        ok -> 
+            emqx_auth_mnesia_cli:add_user(Login, Password);
+        Err -> Err
+    end.
+
+update_clientid(#{clientid := Clientid}, Params) ->
+    Password = get_value(<<"password">>, Params),
+    case validate([password], [Password]) of
+        ok -> return(emqx_auth_mnesia_cli:update_user({clientid, urldecode(Clientid)}, urldecode(Password)));
+        Err -> return(Err)
+    end.
+
+delete_clientid(#{clientid := Clientid}, _) ->
+    return(emqx_auth_mnesia_cli:remove_user({clientid, urldecode(Clientid)})).
+
+%%------------------------------------------------------------------------------
+%% Auth Username Api
+%%------------------------------------------------------------------------------
+
+list_username(_Bindings, Params) ->
+    MatchSpec = ets:fun2ms(fun({?TABLE, {username, Username}, Password, CreatedAt}) -> {?TABLE, {username, Username}, Password, CreatedAt} end),
+    return({ok, paginate(?TABLE, MatchSpec, Params, fun emqx_auth_mnesia_cli:comparing/2, fun({?TABLE, {username, X}, _, _}) -> #{username => X} end)}).
+
+lookup_username(#{username := Username}, _Params) ->
+    return({ok, format(emqx_auth_mnesia_cli:lookup_user({username, urldecode(Username)}))}).
+
+add_username(_Bindings, Params) ->
+    [ P | _] = Params,
+    case is_list(P) of
+        true -> return(do_add_username(Params, []));
+        false ->
+            case do_add_username(Params) of
+                ok -> return(ok);
+                <<"ok">> -> return(ok);
+                Error -> return({error, format_msg(Error)})
+            end
+    end.
+
+do_add_username([ Params | ParamsN ], ReList ) ->
+    Username = urldecode(get_value(<<"username">>, Params)),
+    do_add_username(ParamsN, [{Username, format_msg(do_add_username(Params))} | ReList]);
+
+do_add_username([], ReList) ->
+    {ok, ReList}.
+
+do_add_username(Params) ->
+    Username = urldecode(get_value(<<"username">>, Params)),
+    Password = urldecode(get_value(<<"password">>, Params)),
+    Login = {username, Username},
+    case validate([login, password], [Login, Password]) of
+        ok ->
+            emqx_auth_mnesia_cli:add_user(Login, Password);
+        Err -> Err
+    end.
+
+update_username(#{username := Username}, Params) ->
+    Password = get_value(<<"password">>, Params),
+    case validate([password], [Password]) of
+        ok -> return(emqx_auth_mnesia_cli:update_user({username, urldecode(Username)}, urldecode(Password)));
+        Err -> return(Err)
+    end.
+
+delete_username(#{username := Username}, _) ->
+    return(emqx_auth_mnesia_cli:remove_user({username, urldecode(Username)})).
+
+%%------------------------------------------------------------------------------
+%% Paging Query
+%%------------------------------------------------------------------------------
+
+paginate(Tables, MatchSpec, Params, ComparingFun, RowFun) ->
+    Qh = query_handle(Tables, MatchSpec),
+    Count = count(Tables, MatchSpec),
+    Page = page(Params),
+    Limit = limit(Params),
+    Cursor = qlc:cursor(Qh),
+    case Page > 1 of
+        true  -> qlc:next_answers(Cursor, (Page - 1) * Limit);
+        false -> ok
+    end,
+    Rows = qlc:next_answers(Cursor, Limit),
+    qlc:delete_cursor(Cursor),
+    #{meta  => #{page => Page, limit => Limit, count => Count},
+      data  => [RowFun(Row) || Row <- lists:sort(ComparingFun, Rows)]}.
+
+query_handle(Table, MatchSpec) when is_atom(Table) ->
+    Options = {traverse, {select, MatchSpec}},
+    qlc:q([R|| R <- ets:table(Table, Options)]);
+query_handle([Table], MatchSpec) when is_atom(Table) ->
+    Options = {traverse, {select, MatchSpec}},
+    qlc:q([R|| R <- ets:table(Table, Options)]);
+query_handle(Tables, MatchSpec) ->
+    Options = {traverse, {select, MatchSpec}},
+    qlc:append([qlc:q([E || E <- ets:table(T, Options)]) || T <- Tables]).
+
+count(Table, MatchSpec) when is_atom(Table) ->
+    [{MatchPattern, Where, _Re}] = MatchSpec,
+    NMatchSpec = [{MatchPattern, Where, [true]}],
+    ets:select_count(Table, NMatchSpec);
+count([Table], MatchSpec) when is_atom(Table) ->
+    [{MatchPattern, Where, _Re}] = MatchSpec,
+    NMatchSpec = [{MatchPattern, Where, [true]}],
+    ets:select_count(Table, NMatchSpec);
+count(Tables, MatchSpec) ->
+    lists:sum([count(T, MatchSpec) || T <- Tables]).
+
+page(Params) ->
+    binary_to_integer(proplists:get_value(<<"_page">>, Params, <<"1">>)).
+
+limit(Params) ->
+    case proplists:get_value(<<"_limit">>, Params) of
+        undefined -> 10;
+        Size      -> binary_to_integer(Size)
+    end.
+
+%%------------------------------------------------------------------------------
+%% Interval Funcs
+%%------------------------------------------------------------------------------
+
+format({?TABLE, {clientid, ClientId}, Password, _InterTime}) ->
+    #{clientid => ClientId,
+      password => Password};
+
+format({?TABLE, {username, Username}, Password, _InterTime}) ->
+    #{username => Username,
+      password => Password};
+
+format([{?TABLE, {clientid, ClientId}, Password, _InterTime}]) ->
+    #{clientid => ClientId,
+      password => Password};
+
+format([{?TABLE, {username, Username}, Password, _InterTime}]) ->
+    #{username => Username,
+      password => Password};
+
+format([]) ->
+    #{}.
+
+validate([], []) ->
+    ok;
+validate([K|Keys], [V|Values]) ->
+   case do_validation(K, V) of
+       false -> {error, K};
+       true  -> validate(Keys, Values)
+   end.
+
+do_validation(login, {clientid, V}) when is_binary(V)
+                     andalso byte_size(V) > 0 ->
+    true;
+do_validation(login, {username, V}) when is_binary(V)
+                     andalso byte_size(V) > 0 ->
+    true;
+do_validation(password, V) when is_binary(V)
+                     andalso byte_size(V) > 0 ->
+    true;
+do_validation(_, _) ->
+    false.
+
+format_msg(Message)
+  when is_atom(Message);
+       is_binary(Message) -> Message;
+
+format_msg(Message) when is_tuple(Message) ->
+    iolist_to_binary(io_lib:format("~p", [Message])).
+
+-if(?OTP_RELEASE >= 23).
+urldecode(S) ->
+    [{R, _}] = uri_string:dissect_query(S), R.
+-else.
+urldecode(S) ->
+    http_uri:decode(S).
+-endif.
+

apps/emqx_auth_mnesia/src/emqx_auth_mnesia_app.erl

@@ -0,0 +1,68 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_mnesia_app).
+
+-behaviour(application).
+
+-emqx_plugin(auth).
+
+-include("emqx_auth_mnesia.hrl").
+
+%% Application callbacks
+-export([ start/2
+        , prep_stop/1
+        , stop/1
+        ]).
+
+%%--------------------------------------------------------------------
+%% Application callbacks
+%%--------------------------------------------------------------------
+
+start(_StartType, _StartArgs) ->
+    {ok, Sup} = emqx_auth_mnesia_sup:start_link(),
+    emqx_ctl:register_command(clientid, {emqx_auth_mnesia_cli, auth_clientid_cli}, []),
+    emqx_ctl:register_command(user, {emqx_auth_mnesia_cli, auth_username_cli}, []),
+    emqx_ctl:register_command(acl, {emqx_acl_mnesia_cli, cli}, []),
+    load_auth_hook(),
+    load_acl_hook(),
+    {ok, Sup}.
+
+prep_stop(State) ->
+    emqx:unhook('client.authenticate', fun emqx_auth_mnesia:check/3),
+    emqx:unhook('client.check_acl', fun emqx_acl_mnesia:check_acl/5),
+    emqx_ctl:unregister_command(clientid),
+    emqx_ctl:unregister_command(user),
+    emqx_ctl:unregister_command(acl),
+    State.
+
+stop(_State) ->
+    ok.
+
+load_auth_hook() ->
+    ClientidList = application:get_env(?APP, clientid_list, []),
+    UsernameList = application:get_env(?APP, username_list, []),
+    ok = emqx_auth_mnesia:init(#{clientid_list => ClientidList, username_list => UsernameList}),
+    ok = emqx_auth_mnesia:register_metrics(),
+    Params = #{
+            hash_type => application:get_env(emqx_auth_mnesia, hash_type, sha256)
+            },
+    emqx:hook('client.authenticate', fun emqx_auth_mnesia:check/3, [Params]).
+
+load_acl_hook() ->
+    ok = emqx_acl_mnesia:init(),
+    ok = emqx_acl_mnesia:register_metrics(),
+    emqx:hook('client.check_acl', fun emqx_acl_mnesia:check_acl/5, [#{}]).

apps/emqx_auth_mnesia/src/emqx_auth_mnesia_cli.erl

@@ -0,0 +1,181 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_mnesia_cli).
+
+-include("emqx_auth_mnesia.hrl").
+-include_lib("emqx/include/logger.hrl").
+-include_lib("stdlib/include/ms_transform.hrl").
+-define(TABLE, emqx_user).
+%% Auth APIs
+-export([ add_user/2
+        , update_user/2
+        , remove_user/1
+        , lookup_user/1
+        , all_users/0
+        , all_users/1
+        ]).
+%% Cli
+-export([ auth_clientid_cli/1
+        , auth_username_cli/1
+        ]).
+
+%% Helper
+-export([comparing/2]).
+
+%%--------------------------------------------------------------------
+%% Auth APIs
+%%--------------------------------------------------------------------
+
+%% @doc Add User
+-spec(add_user(tuple(), binary()) -> ok | {error, any()}).
+add_user(Login, Password) ->
+    User = #emqx_user{login = Login, password = encrypted_data(Password), created_at = erlang:system_time(millisecond)},
+    ret(mnesia:transaction(fun insert_user/1, [User])).
+
+insert_user(User = #emqx_user{login = Login}) ->
+    case mnesia:read(?TABLE, Login) of
+        []    -> mnesia:write(User);
+        [_|_] -> mnesia:abort(existed)
+    end.
+
+%% @doc Update User
+-spec(update_user(tuple(), binary()) -> ok | {error, any()}).
+update_user(Login, NewPassword) ->
+    User = #emqx_user{login = Login, password = encrypted_data(NewPassword)},
+    ret(mnesia:transaction(fun do_update_user/1, [User])).
+
+do_update_user(User = #emqx_user{login = Login}) ->
+    case mnesia:read(?TABLE, Login) of
+        [{?TABLE, Login, _, CreateAt}] -> mnesia:write(User#emqx_user{created_at = CreateAt});
+        [] -> mnesia:abort(noexisted)
+    end.
+
+%% @doc Lookup user by login
+-spec(lookup_user(tuple()) -> list()).
+lookup_user(undefined) -> [];
+lookup_user(Login) ->
+    case mnesia:dirty_read(?TABLE, Login) of
+        {error, Reason} ->
+            ?LOG(error, "[Mnesia] do_check_user error: ~p~n", [Reason]),
+            [];
+        Re ->
+            lists:sort(fun comparing/2, Re)
+    end.
+
+%% @doc Remove user
+-spec(remove_user(tuple()) -> ok | {error, any()}).
+remove_user(Login) ->
+    ret(mnesia:transaction(fun mnesia:delete/1, [{?TABLE, Login}])).
+
+%% @doc All logins
+-spec(all_users() -> list()).
+all_users() -> mnesia:dirty_all_keys(?TABLE).
+
+all_users(clientid) ->
+    MatchSpec = ets:fun2ms(fun({?TABLE, {clientid, Clientid}, Password, CreatedAt}) -> {?TABLE, {clientid, Clientid}, Password, CreatedAt} end),
+    lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec));
+
+all_users(username) ->
+    MatchSpec = ets:fun2ms(fun({?TABLE, {username, Username}, Password, CreatedAt}) -> {?TABLE, {username, Username}, Password, CreatedAt} end),
+    lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec)).
+
+%%--------------------------------------------------------------------
+%% Internal functions
+%%--------------------------------------------------------------------
+
+comparing({?TABLE, _, _, CreatedAt1},
+          {?TABLE, _, _, CreatedAt2}) ->
+    CreatedAt1 >= CreatedAt2.
+
+ret({atomic, ok})     -> ok;
+ret({aborted, Error}) -> {error, Error}.
+
+encrypted_data(Password) ->
+    HashType = application:get_env(emqx_auth_mnesia, password_hash, sha256),
+    SaltBin = salt(),
+    <<SaltBin/binary, (hash(Password, SaltBin, HashType))/binary>>.
+
+hash(undefined, SaltBin, HashType) ->
+    hash(<<>>, SaltBin, HashType);
+hash(Password, SaltBin, HashType) ->
+    emqx_passwd:hash(HashType, <<SaltBin/binary, Password/binary>>).
+
+salt() ->
+    rand:seed(exsplus, erlang:timestamp()),
+    Salt = rand:uniform(16#ffffffff), <<Salt:32>>.
+
+%%--------------------------------------------------------------------
+%% Auth Clientid Cli
+%%--------------------------------------------------------------------
+
+auth_clientid_cli(["list"]) ->
+    [emqx_ctl:print("~s~n", [ClientId]) || {?TABLE, {clientid, ClientId}, _Password, _CreatedAt} <- all_users(clientid)];
+
+auth_clientid_cli(["add", ClientId, Password]) ->
+    case add_user({clientid, iolist_to_binary(ClientId)}, iolist_to_binary(Password)) of
+        ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+auth_clientid_cli(["update", ClientId, NewPassword]) ->
+    case update_user({clientid, iolist_to_binary(ClientId)}, iolist_to_binary(NewPassword)) of
+        ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+auth_clientid_cli(["del", ClientId]) ->
+    case  remove_user({clientid, iolist_to_binary(ClientId)}) of
+        ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+auth_clientid_cli(_) ->
+    emqx_ctl:usage([{"clientid list", "List clientid auth rules"},
+                    {"clientid add <Username> <Password>", "Add clientid auth rule"},
+                    {"clientid update <Username> <NewPassword>", "Update clientid auth rule"},
+                    {"clientid del <Username>", "Delete clientid auth rule"}]).
+
+%%--------------------------------------------------------------------
+%% Auth Username Cli
+%%--------------------------------------------------------------------
+
+auth_username_cli(["list"]) ->
+    [emqx_ctl:print("~s~n", [Username]) || {?TABLE, {username, Username}, _Password, _CreatedAt}<- all_users(username)];
+
+auth_username_cli(["add", Username, Password]) ->
+    case add_user({username, iolist_to_binary(Username)}, iolist_to_binary(Password)) of
+        ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+auth_username_cli(["update", Username, NewPassword]) ->
+    case update_user({username, iolist_to_binary(Username)}, iolist_to_binary(NewPassword)) of
+        ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+auth_username_cli(["del", Username]) ->
+    case  remove_user({username, iolist_to_binary(Username)}) of
+        ok -> emqx_ctl:print("ok~n");
+        {error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
+    end;
+
+auth_username_cli(_) ->
+    emqx_ctl:usage([{"user list", "List username auth rules"},
+                    {"user add <Username> <Password>", "Add username auth rule"},
+                    {"user update <Username> <NewPassword>", "Update username auth rule"},
+                    {"user del <Username>", "Delete username auth rule"}]).

apps/emqx_auth_mnesia/src/emqx_auth_mnesia_sup.erl

@@ -0,0 +1,36 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_mnesia_sup).
+
+-behaviour(supervisor).
+
+-include("emqx_auth_mnesia.hrl").
+
+-export([start_link/0]).
+
+%% Supervisor callbacks
+-export([init/1]).
+
+start_link() ->
+    supervisor:start_link({local, ?MODULE}, ?MODULE, []).
+
+%%--------------------------------------------------------------------
+%% Supervisor callbacks
+%%--------------------------------------------------------------------
+
+init([]) ->
+    {ok, {{one_for_one, 10, 100}, []}}.

apps/emqx_auth_mnesia/test/emqx_acl_mnesia_SUITE.erl

@@ -0,0 +1,215 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_acl_mnesia_SUITE).
+
+-compile(export_all).
+
+-include("emqx_auth_mnesia.hrl").
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+-import(emqx_ct_http, [ request_api/3
+                      , request_api/5
+                      , get_http_data/1
+                      , create_default_app/0
+                      , default_auth_header/0
+                      ]).
+
+-define(HOST, "http://127.0.0.1:8081/").
+-define(API_VERSION, "v4").
+-define(BASE_PATH, "api").
+
+all() ->
+    emqx_ct:all(?MODULE).
+
+groups() ->
+    [].
+
+init_per_suite(Config) ->
+    emqx_ct_helpers:start_apps([emqx_management, emqx_auth_mnesia], fun set_special_configs/1),
+    create_default_app(),
+    Config.
+
+end_per_suite(_Config) ->
+    emqx_ct_helpers:stop_apps([emqx_management, emqx_auth_mnesia]).
+
+init_per_testcase(t_check_acl_as_clientid, Config) ->
+    emqx:hook('client.check_acl', fun emqx_acl_mnesia:check_acl/5, [#{key_as => clientid}]),
+    Config;
+
+init_per_testcase(_, Config) ->
+    emqx:hook('client.check_acl', fun emqx_acl_mnesia:check_acl/5, [#{key_as => username}]),
+    Config.
+
+end_per_testcase(_, Config) ->
+    emqx:unhook('client.check_acl', fun emqx_acl_mnesia:check_acl/5),
+    Config.
+
+set_special_configs(emqx) ->
+    application:set_env(emqx, allow_anonymous, true),
+    application:set_env(emqx, enable_acl_cache, false),
+    LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
+    application:set_env(emqx, plugins_loaded_file,
+                        emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
+
+set_special_configs(_App) ->
+    ok.
+
+%%------------------------------------------------------------------------------
+%% Testcases
+%%------------------------------------------------------------------------------
+
+t_management(_Config) ->
+    clean_all_acls(),
+    ?assertEqual("Acl with Mnesia", emqx_acl_mnesia:description()),
+    ?assertEqual([], emqx_acl_mnesia_cli:all_acls()),
+
+    ok = emqx_acl_mnesia_cli:add_acl({clientid, <<"test_clientid">>}, <<"topic/%c">>, sub, allow),
+    ok = emqx_acl_mnesia_cli:add_acl({clientid, <<"test_clientid">>}, <<"topic/+">>, pub, deny),
+    ok = emqx_acl_mnesia_cli:add_acl({username, <<"test_username">>}, <<"topic/%u">>, sub, deny),
+    ok = emqx_acl_mnesia_cli:add_acl({username, <<"test_username">>}, <<"topic/+">>, pub, allow),
+    ok = emqx_acl_mnesia_cli:add_acl(all, <<"#">>, pubsub, deny),
+
+    ?assertEqual(2, length(emqx_acl_mnesia_cli:lookup_acl({clientid, <<"test_clientid">>}))),
+    ?assertEqual(2, length(emqx_acl_mnesia_cli:lookup_acl({username, <<"test_username">>}))),
+    ?assertEqual(1, length(emqx_acl_mnesia_cli:lookup_acl(all))),
+    ?assertEqual(5, length(emqx_acl_mnesia_cli:all_acls())),
+
+    User1 = #{zone => external, clientid => <<"test_clientid">>},
+    User2 = #{zone => external, clientid => <<"no_exist">>, username => <<"test_username">>},
+    User3 = #{zone => external, clientid => <<"test_clientid">>, username => <<"test_username">>},
+    allow = emqx_access_control:check_acl(User1, subscribe, <<"topic/test_clientid">>),
+    deny  = emqx_access_control:check_acl(User1, publish,   <<"topic/A">>),
+    deny  = emqx_access_control:check_acl(User2, subscribe, <<"topic/test_username">>),
+    allow = emqx_access_control:check_acl(User2, publish,   <<"topic/A">>),
+    allow = emqx_access_control:check_acl(User3, subscribe, <<"topic/test_clientid">>),
+    deny  = emqx_access_control:check_acl(User3, subscribe, <<"topic/test_username">>),
+    deny  = emqx_access_control:check_acl(User3, publish,   <<"topic/A">>),
+    deny  = emqx_access_control:check_acl(User3, subscribe, <<"topic/A/B">>),
+    deny  = emqx_access_control:check_acl(User3, publish,   <<"topic/A/B">>),
+
+    ok = emqx_acl_mnesia_cli:remove_acl({clientid, <<"test_clientid">>}, <<"topic/%c">>),
+    ok = emqx_acl_mnesia_cli:remove_acl({clientid, <<"test_clientid">>}, <<"topic/+">>),
+    ok = emqx_acl_mnesia_cli:remove_acl({username, <<"test_username">>}, <<"topic/%u">>),
+    ok = emqx_acl_mnesia_cli:remove_acl({username, <<"test_username">>}, <<"topic/+">>),
+    ok = emqx_acl_mnesia_cli:remove_acl(all, <<"#">>),
+
+    ?assertEqual([], emqx_acl_mnesia_cli:all_acls()).
+
+t_acl_cli(_Config) ->
+    meck:new(emqx_ctl, [non_strict, passthrough]),
+    meck:expect(emqx_ctl, print, fun(Arg) -> emqx_ctl:format(Arg) end),
+    meck:expect(emqx_ctl, print, fun(Msg, Arg) -> emqx_ctl:format(Msg, Arg) end),
+    meck:expect(emqx_ctl, usage, fun(Usages) -> emqx_ctl:format_usage(Usages) end),
+    meck:expect(emqx_ctl, usage, fun(Cmd, Descr) -> emqx_ctl:format_usage(Cmd, Descr) end),
+
+    clean_all_acls(),
+
+    ?assertEqual(0, length(emqx_acl_mnesia_cli:cli(["list"]))),
+
+    emqx_acl_mnesia_cli:cli(["add", "clientid", "test_clientid", "topic/A", "pub", "allow"]),
+    ?assertMatch(["Acl(clientid = <<\"test_clientid\">> topic = <<\"topic/A\">> action = pub access = allow)\n"], emqx_acl_mnesia_cli:cli(["show", "clientid", "test_clientid"])),
+    ?assertMatch(["Acl(clientid = <<\"test_clientid\">> topic = <<\"topic/A\">> action = pub access = allow)\n"], emqx_acl_mnesia_cli:cli(["list", "clientid"])),
+
+    emqx_acl_mnesia_cli:cli(["add", "username", "test_username", "topic/B", "sub", "deny"]),
+    ?assertMatch(["Acl(username = <<\"test_username\">> topic = <<\"topic/B\">> action = sub access = deny)\n"], emqx_acl_mnesia_cli:cli(["show", "username", "test_username"])),
+    ?assertMatch(["Acl(username = <<\"test_username\">> topic = <<\"topic/B\">> action = sub access = deny)\n"], emqx_acl_mnesia_cli:cli(["list", "username"])),
+
+    emqx_acl_mnesia_cli:cli(["add", "_all", "#", "pubsub", "deny"]),
+    ?assertMatch(["Acl($all topic = <<\"#\">> action = pubsub access = deny)\n"], emqx_acl_mnesia_cli:cli(["list", "_all"])),
+    ?assertEqual(3, length(emqx_acl_mnesia_cli:cli(["list"]))),
+
+    emqx_acl_mnesia_cli:cli(["del", "clientid", "test_clientid", "topic/A"]),
+    emqx_acl_mnesia_cli:cli(["del", "username", "test_username", "topic/B"]),
+    emqx_acl_mnesia_cli:cli(["del", "_all", "#"]),
+    ?assertEqual(0, length(emqx_acl_mnesia_cli:cli(["list"]))),
+
+    meck:unload(emqx_ctl).
+
+t_rest_api(_Config) ->
+    clean_all_acls(),
+
+    Params1 = [#{<<"clientid">> => <<"test_clientid">>, <<"topic">> => <<"topic/A">>, <<"action">> => <<"pub">>, <<"access">> => <<"allow">>},
+               #{<<"clientid">> => <<"test_clientid">>, <<"topic">> => <<"topic/B">>, <<"action">> => <<"sub">>, <<"access">> => <<"allow">>},
+               #{<<"clientid">> => <<"test_clientid">>, <<"topic">> => <<"topic/C">>, <<"action">> => <<"pubsub">>, <<"access">> => <<"deny">>}],
+    {ok, _} = request_http_rest_add([], Params1),
+    {ok, Re1} = request_http_rest_list(["clientid", "test_clientid"]),
+    ?assertMatch(3, length(get_http_data(Re1))),
+    {ok, _} = request_http_rest_delete(["clientid", "test_clientid", "topic", "topic/A"]),
+    {ok, _} = request_http_rest_delete(["clientid", "test_clientid", "topic", "topic/B"]),
+    {ok, _} = request_http_rest_delete(["clientid", "test_clientid", "topic", "topic/C"]),
+    {ok, Res1} = request_http_rest_list(["clientid"]),
+    ?assertMatch([], get_http_data(Res1)),
+
+    Params2 = [#{<<"username">> => <<"test_username">>, <<"topic">> => <<"topic/A">>, <<"action">> => <<"pub">>, <<"access">> => <<"allow">>},
+               #{<<"username">> => <<"test_username">>, <<"topic">> => <<"topic/B">>, <<"action">> => <<"sub">>, <<"access">> => <<"allow">>},
+               #{<<"username">> => <<"test_username">>, <<"topic">> => <<"topic/C">>, <<"action">> => <<"pubsub">>, <<"access">> => <<"deny">>}],
+    {ok, _} = request_http_rest_add([], Params2),
+    {ok, Re2} = request_http_rest_list(["username", "test_username"]),
+    ?assertMatch(3, length(get_http_data(Re2))),
+    {ok, _} = request_http_rest_delete(["username", "test_username", "topic", "topic/A"]),
+    {ok, _} = request_http_rest_delete(["username", "test_username", "topic", "topic/B"]),
+    {ok, _} = request_http_rest_delete(["username", "test_username", "topic", "topic/C"]),
+    {ok, Res2} = request_http_rest_list(["username"]),
+    ?assertMatch([], get_http_data(Res2)),
+
+    Params3 = [#{<<"topic">> => <<"topic/A">>, <<"action">> => <<"pub">>, <<"access">> => <<"allow">>},
+               #{<<"topic">> => <<"topic/B">>, <<"action">> => <<"sub">>, <<"access">> => <<"allow">>},
+               #{<<"topic">> => <<"topic/C">>, <<"action">> => <<"pubsub">>, <<"access">> => <<"deny">>}],
+    {ok, _} = request_http_rest_add([], Params3),
+    {ok, Re3} = request_http_rest_list(["$all"]),
+    ?assertMatch(3, length(get_http_data(Re3))),
+    {ok, _} = request_http_rest_delete(["$all", "topic", "topic/A"]),
+    {ok, _} = request_http_rest_delete(["$all", "topic", "topic/B"]),
+    {ok, _} = request_http_rest_delete(["$all", "topic", "topic/C"]),
+    {ok, Res3} = request_http_rest_list(["$all"]),
+    ?assertMatch([], get_http_data(Res3)).
+
+%%------------------------------------------------------------------------------
+%% Helpers
+%%------------------------------------------------------------------------------
+
+clean_all_acls() ->
+    [ mnesia:dirty_delete({emqx_acl, Login})
+      || Login <- mnesia:dirty_all_keys(emqx_acl)].
+
+%%--------------------------------------------------------------------
+%% HTTP Request
+%%--------------------------------------------------------------------
+
+request_http_rest_list(Path) ->
+    request_api(get, uri(Path), default_auth_header()).
+
+request_http_rest_lookup(Path) ->
+    request_api(get, uri(Path), default_auth_header()).
+
+request_http_rest_add(Path, Params) ->
+    request_api(post, uri(Path), [], default_auth_header(), Params).
+
+request_http_rest_delete(Path) ->
+    request_api(delete, uri(Path), default_auth_header()).
+
+uri() -> uri([]).
+uri(Parts) when is_list(Parts) ->
+    NParts = [b2l(E) || E <- Parts],
+    ?HOST ++ filename:join([?BASE_PATH, ?API_VERSION, "acl"| NParts]).
+
+%% @private
+b2l(B) when is_binary(B) ->
+    http_uri:encode(binary_to_list(B));
+b2l(L) when is_list(L) ->
+    http_uri:encode(L).

apps/emqx_auth_mnesia/test/emqx_auth_mnesia_SUITE.erl

@@ -0,0 +1,284 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.  %% You may obtain a copy of the License at %% %%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_auth_mnesia_SUITE).
+
+-compile(export_all).
+
+-include("emqx_auth_mnesia.hrl").
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("common_test/include/ct.hrl").
+
+-import(emqx_ct_http, [ request_api/3
+                      , request_api/5
+                      , get_http_data/1
+                      , create_default_app/0
+                      , default_auth_header/0
+                      ]).
+
+-define(HOST, "http://127.0.0.1:8081/").
+-define(API_VERSION, "v4").
+-define(BASE_PATH, "api").
+
+-define(TABLE, emqx_user).
+-define(CLIENTID,  <<"clientid_for_ct">>).
+-define(USERNAME,  <<"username_for_ct">>).
+-define(PASSWORD,  <<"password">>).
+-define(NPASSWORD, <<"new_password">>).
+
+all() ->
+    emqx_ct:all(?MODULE).
+
+groups() ->
+    [].
+
+init_per_suite(Config) ->
+    ok = emqx_ct_helpers:start_apps([emqx_management, emqx_auth_mnesia], fun set_special_configs/1),
+    create_default_app(),
+    Config.
+
+end_per_suite(_Config) ->
+    emqx_ct_helpers:stop_apps([emqx_management, emqx_auth_mnesia]).
+
+init_per_testcase(t_check_as_clientid, Config) ->
+    Params = #{
+            hash_type => application:get_env(emqx_auth_mnesia, hash_type, sha256),
+            key_as => clientid
+            },
+    emqx:hook('client.authenticate', fun emqx_auth_mnesia:check/3, [Params]),
+    Config;
+
+init_per_testcase(_, Config) ->
+    Params = #{
+            hash_type => application:get_env(emqx_auth_mnesia, hash_type, sha256),
+            key_as => username
+            },
+    emqx:hook('client.authenticate', fun emqx_auth_mnesia:check/3, [Params]),
+    Config.
+
+end_per_suite(_, Config) ->
+    emqx:unhook('client.authenticate', fun emqx_auth_mnesia:check/3),
+    Config.
+
+set_special_configs(emqx) ->
+    application:set_env(emqx, allow_anonymous, true),
+    application:set_env(emqx, enable_acl_cache, false),
+    LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
+    application:set_env(emqx, plugins_loaded_file,
+                        emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
+
+set_special_configs(_App) ->
+    ok.
+
+%%------------------------------------------------------------------------------
+%% Testcases
+%%------------------------------------------------------------------------------
+
+t_management(_Config) ->
+    clean_all_users(),
+
+    ok = emqx_auth_mnesia_cli:add_user({username,?USERNAME}, ?PASSWORD),
+    {error, existed} = emqx_auth_mnesia_cli:add_user({username,?USERNAME}, ?PASSWORD),
+    ?assertMatch([{?TABLE, {username, ?USERNAME}, _Password, _InterTime}], emqx_auth_mnesia_cli:all_users(username)),
+
+    ok = emqx_auth_mnesia_cli:add_user({clientid,?CLIENTID}, ?PASSWORD),
+    {error, existed} = emqx_auth_mnesia_cli:add_user({clientid,?CLIENTID}, ?PASSWORD),
+    ?assertMatch([{?TABLE, {clientid, ?CLIENTID}, _Password, _InterTime}], emqx_auth_mnesia_cli:all_users(clientid)),
+
+    ?assertEqual(2,length(emqx_auth_mnesia_cli:all_users())),
+
+    ok = emqx_auth_mnesia_cli:update_user({username,?USERNAME}, ?NPASSWORD),
+    {error,noexisted} = emqx_auth_mnesia_cli:update_user({username, <<"no_existed_user">>}, ?PASSWORD),
+
+    ok = emqx_auth_mnesia_cli:update_user({clientid,?CLIENTID}, ?NPASSWORD),
+    {error,noexisted} = emqx_auth_mnesia_cli:update_user({clientid, <<"no_existed_user">>}, ?PASSWORD),
+
+    
+    ?assertMatch([{?TABLE, {username, ?USERNAME}, _Password, _InterTime}], emqx_auth_mnesia_cli:lookup_user({username, ?USERNAME})),
+    ?assertMatch([{?TABLE, {clientid, ?CLIENTID}, _Password, _InterTime}], emqx_auth_mnesia_cli:lookup_user({clientid, ?CLIENTID})),
+
+    User1 = #{username => ?USERNAME,
+              clientid => undefined,
+              password => ?NPASSWORD,
+              zone     => external},
+
+    {ok, #{auth_result := success,
+           anonymous := false}} = emqx_access_control:authenticate(User1),
+
+    {error,password_error} = emqx_access_control:authenticate(User1#{password => <<"error_password">>}),
+
+    ok = emqx_auth_mnesia_cli:remove_user({username,?USERNAME}),
+    {ok, #{auth_result := success,
+           anonymous := true }} = emqx_access_control:authenticate(User1),
+
+    User2 = #{clientid => ?CLIENTID,
+              password => ?NPASSWORD,
+              zone     => external},
+
+    {ok, #{auth_result := success,
+           anonymous := false}} = emqx_access_control:authenticate(User2),
+
+    {error,password_error} = emqx_access_control:authenticate(User2#{password => <<"error_password">>}),
+
+    ok = emqx_auth_mnesia_cli:remove_user({clientid,?CLIENTID}),
+    {ok, #{auth_result := success,
+           anonymous := true }} = emqx_access_control:authenticate(User2),
+
+    [] = emqx_auth_mnesia_cli:all_users().
+
+t_auth_clientid_cli(_) ->
+    clean_all_users(),
+
+    HashType = application:get_env(emqx_auth_mnesia, password_hash, sha256),
+
+    emqx_auth_mnesia_cli:auth_clientid_cli(["add", ?CLIENTID, ?PASSWORD]),
+    [{_, {clientid, ?CLIENTID}, <<Salt:4/binary, Hash/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({clientid, ?CLIENTID}),
+    ?assertEqual(Hash, emqx_passwd:hash(HashType, <<Salt/binary, ?PASSWORD/binary>>)),
+
+    emqx_auth_mnesia_cli:auth_clientid_cli(["update", ?CLIENTID, ?NPASSWORD]),
+    [{_, {clientid, ?CLIENTID}, <<Salt1:4/binary, Hash1/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({clientid, ?CLIENTID}),
+    ?assertEqual(Hash1, emqx_passwd:hash(HashType, <<Salt1/binary, ?NPASSWORD/binary>>)),
+
+    emqx_auth_mnesia_cli:auth_clientid_cli(["del", ?CLIENTID]),
+    ?assertEqual([], emqx_auth_mnesia_cli:lookup_user(?CLIENTID)),
+
+    emqx_auth_mnesia_cli:auth_clientid_cli(["add", "user1", "pass1"]),
+    emqx_auth_mnesia_cli:auth_clientid_cli(["add", "user2", "pass2"]),
+    ?assertEqual(2, length(emqx_auth_mnesia_cli:auth_clientid_cli(["list"]))),
+
+    emqx_auth_mnesia_cli:auth_clientid_cli(usage).
+
+t_auth_username_cli(_) ->
+    clean_all_users(),
+
+    HashType = application:get_env(emqx_auth_mnesia, password_hash, sha256),
+
+    emqx_auth_mnesia_cli:auth_username_cli(["add", ?USERNAME, ?PASSWORD]),
+    [{_, {username, ?USERNAME}, <<Salt:4/binary, Hash/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({username, ?USERNAME}),
+    ?assertEqual(Hash, emqx_passwd:hash(HashType, <<Salt/binary, ?PASSWORD/binary>>)),
+
+    emqx_auth_mnesia_cli:auth_username_cli(["update", ?USERNAME, ?NPASSWORD]),
+    [{_, {username, ?USERNAME}, <<Salt1:4/binary, Hash1/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({username, ?USERNAME}),
+    ?assertEqual(Hash1, emqx_passwd:hash(HashType, <<Salt1/binary, ?NPASSWORD/binary>>)),
+
+    emqx_auth_mnesia_cli:auth_username_cli(["del", ?USERNAME]),
+    ?assertEqual([], emqx_auth_mnesia_cli:lookup_user(?USERNAME)),
+
+    emqx_auth_mnesia_cli:auth_username_cli(["add", "user1", "pass1"]),
+    emqx_auth_mnesia_cli:auth_username_cli(["add", "user2", "pass2"]),
+    ?assertEqual(2, length(emqx_auth_mnesia_cli:auth_username_cli(["list"]))),
+
+    emqx_auth_mnesia_cli:auth_username_cli(usage).
+
+
+t_clientid_rest_api(_Config) ->
+    clean_all_users(),
+
+    {ok, Result1} = request_http_rest_list(["auth_clientid"]),
+    [] = get_http_data(Result1),
+
+    Params1 = #{<<"clientid">> => ?CLIENTID, <<"password">> => ?PASSWORD},
+    {ok, _} = request_http_rest_add(["auth_clientid"], Params1),
+
+    Params2 = #{<<"clientid">> => ?CLIENTID, <<"password">> => ?NPASSWORD},
+    {ok, _} = request_http_rest_update(["auth_clientid/" ++ binary_to_list(?CLIENTID)], Params2),
+ 
+    {ok, Result2} = request_http_rest_lookup(["auth_clientid/" ++ binary_to_list(?CLIENTID)]),
+    ?assertMatch(#{<<"clientid">> := ?CLIENTID}, get_http_data(Result2)),
+
+    Params3 = [ #{<<"clientid">> => ?CLIENTID, <<"password">> => ?PASSWORD}
+              , #{<<"clientid">> => <<"clientid1">>, <<"password">> => ?PASSWORD}
+              , #{<<"clientid">> => <<"clientid2">>, <<"password">> => ?PASSWORD}
+              ],
+    {ok, Result3} = request_http_rest_add(["auth_clientid"], Params3),
+    ?assertMatch(#{ ?CLIENTID := <<"{error,existed}">>
+                  , <<"clientid1">> := <<"ok">>
+                  , <<"clientid2">> := <<"ok">>
+                  }, get_http_data(Result3)),
+
+    {ok, Result4} = request_http_rest_list(["auth_clientid"]),
+    ?assertEqual(3, length(get_http_data(Result4))),
+
+    {ok, _} = request_http_rest_delete(["auth_clientid/" ++ binary_to_list(?CLIENTID)]),
+    {ok, Result5} = request_http_rest_lookup(["auth_clientid/" ++ binary_to_list(?CLIENTID)]),
+    ?assertMatch(#{}, get_http_data(Result5)).
+
+t_username_rest_api(_Config) ->
+    clean_all_users(),
+
+    {ok, Result1} = request_http_rest_list(["auth_username"]),
+    [] = get_http_data(Result1),
+
+    Params1 = #{<<"username">> => ?USERNAME, <<"password">> => ?PASSWORD},
+    {ok, _} = request_http_rest_add(["auth_username"], Params1),
+
+    Params2 = #{<<"username">> => ?USERNAME, <<"password">> => ?NPASSWORD},
+    {ok, _} = request_http_rest_update(["auth_username/" ++ binary_to_list(?USERNAME)], Params2),
+
+    {ok, Result2} = request_http_rest_lookup(["auth_username/" ++ binary_to_list(?USERNAME)]),
+    ?assertMatch(#{<<"username">> := ?USERNAME}, get_http_data(Result2)),
+
+    Params3 = [ #{<<"username">> => ?USERNAME, <<"password">> => ?PASSWORD}
+              , #{<<"username">> => <<"username1">>, <<"password">> => ?PASSWORD}
+              , #{<<"username">> => <<"username2">>, <<"password">> => ?PASSWORD}
+              ],
+    {ok, Result3} = request_http_rest_add(["auth_username"], Params3),
+    ?assertMatch(#{ ?USERNAME := <<"{error,existed}">>
+                  , <<"username1">> := <<"ok">>
+                  , <<"username2">> := <<"ok">>
+                  }, get_http_data(Result3)),
+
+    {ok, Result4} = request_http_rest_list(["auth_username"]),
+    ?assertEqual(3, length(get_http_data(Result4))),
+
+    {ok, _} = request_http_rest_delete(["auth_username/" ++ binary_to_list(?USERNAME)]),
+    {ok, Result5} = request_http_rest_lookup(["auth_username/" ++ binary_to_list(?USERNAME)]),
+    ?assertMatch(#{}, get_http_data(Result5)).
+
+%%------------------------------------------------------------------------------
+%% Helpers
+%%------------------------------------------------------------------------------
+
+clean_all_users() ->
+    [ mnesia:dirty_delete({emqx_user, Login})
+      || Login <- mnesia:dirty_all_keys(emqx_user)].
+
+%%--------------------------------------------------------------------
+%% HTTP Request
+%%--------------------------------------------------------------------
+
+request_http_rest_list(Path) ->
+    request_api(get, uri(Path), default_auth_header()).
+
+request_http_rest_lookup(Path) ->
+    request_api(get, uri([Path]), default_auth_header()).
+
+request_http_rest_add(Path, Params) ->
+    request_api(post, uri(Path), [], default_auth_header(), Params).
+
+request_http_rest_update(Path, Params) ->
+    request_api(put, uri([Path]), [], default_auth_header(), Params).
+
+request_http_rest_delete(Login) ->
+    request_api(delete, uri([Login]), default_auth_header()).
+
+uri() -> uri([]).
+uri(Parts) when is_list(Parts) ->
+    NParts = [b2l(E) || E <- Parts],
+    ?HOST ++ filename:join([?BASE_PATH, ?API_VERSION | NParts]).
+
+%% @private
+b2l(B) when is_binary(B) ->
+    binary_to_list(B);
+b2l(L) when is_list(L) ->
+    L.

apps/emqx_auth_mongo/.github/workflows/run_test_cases.yaml

@@ -0,0 +1,59 @@
+name: Run test cases
+
+on: [push, pull_request]
+
+jobs:
+    run_test_cases:
+        runs-on: ubuntu-latest
+
+        strategy:
+            matrix:
+                mongo_tag:
+                    - 3
+                    - 4
+                network_type:
+                    - ipv4
+                    - ipv6
+                connect_type:
+                    - ssl
+                    - tcp
+
+        steps:
+            - name: install docker-compose
+              run: |
+                sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+                sudo chmod +x /usr/local/bin/docker-compose
+            - uses: actions/checkout@v1
+            - name: run test cases
+              env:
+                  MONGO_TAG: ${{ matrix.mongo_tag }}
+                  NETWORK_TYPE: ${{ matrix.network_type }}
+                  CONNECT_TYPE: ${{ matrix.connect_type }}
+              run: |
+                set -e -u -x
+                if [ "$NETWORK_TYPE" = "ipv6" ];then docker network create --driver bridge --ipv6 --subnet fd15:555::/64  tests_emqx_bridge --attachable; fi
+                if [ "$CONNECT_TYPE" = "ssl" ]; then
+                    docker-compose -f ./docker-compose-ssl.yml -p tests up -d
+                    docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl = true' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
+                    docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl_opts.cacertfile = /emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
+                    docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl_opts.certfile = /emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
+                    docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl_opts.keyfile = /emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
+                else
+                    docker-compose -f ./docker-compose.yml -p tests up -d
+                fi
+                if [ "$NETWORK_TYPE" != "ipv6" ];then
+                    docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "sed -i '/auth.mongo.server/c auth.mongo.server = mongo_server:27017' /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
+                else
+                    ipv6_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' $(docker ps -a -f name=tests_mongo_server_1 -q))
+                    docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "sed -i '/auth.mongo.server/c auth.mongo.server = $ipv6_address:27017' /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
+                fi
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo xref"
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo eunit"
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo ct"
+                docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo cover"
+            - uses: actions/upload-artifact@v1
+              if: failure()
+              with:
+                name: logs_mongo${{ matrix.mongo_tag}}_${{ matrix.network_type }}
+                path: _build/test/logs
+

apps/emqx_auth_mongo/.gitignore

@@ -0,0 +1,24 @@
+.eunit
+deps
+*.o
+*.beam
+*.plt
+erl_crash.dump
+ebin
+rel/example_project
+.concrete/DEV_MODE
+.rebar
+.DS_Store
+.erlang.mk/
+emqx_auth_mongo.d
+ct.coverdata
+logs/
+test/ct.cover.spec
+data/
+cover/
+eunit.coverdata
+_build/
+rebar.lock
+erlang.mk
+etc/emqx_auth_mongo.conf.rendered
+.rebar3

apps/emqx_auth_mongo/CHANGES

@@ -0,0 +1,31 @@
+
+2.0.7 (2017-01-20)
+------------------
+
+Tag 2.0.7 - use `cuttlefish:unset()` for commented ACL/super config
+
+2.0.1 (2016-11-30)
+------------------
+
+Tag 2.0.1
+
+2.0-beta.1 (2016-08-24)
+-----------------------
+
+gen_conf
+
+1.1.3-beta (2016-08-19)
+-----------------------
+
+Bump version to 1.1.3
+
+1.1.2-beta (2016-06-30)
+-----------------------
+
+Bump version to 1.1.2
+
+1.1-beta (2016-05-28)
+---------------------
+
+First public release
+

apps/emqx_auth_mongo/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

apps/emqx_auth_mongo/Makefile

@@ -0,0 +1,37 @@
+## shallow clone for speed
+
+REBAR_GIT_CLONE_OPTIONS += --depth 1
+export REBAR_GIT_CLONE_OPTIONS
+
+REBAR = rebar3
+all: compile
+
+compile:
+	$(REBAR) compile
+
+clean: distclean
+
+ct: compile
+	$(REBAR) as test ct -v
+
+eunit: compile
+	$(REBAR) as test eunit
+
+xref:
+	$(REBAR) xref
+
+cover:
+	$(REBAR) cover
+
+distclean:
+	@rm -rf _build
+	@rm -f data/app.*.config data/vm.*.args rebar.lock
+
+CUTTLEFISH_SCRIPT = _build/default/lib/cuttlefish/cuttlefish
+
+$(CUTTLEFISH_SCRIPT):
+	@${REBAR} get-deps
+	@if [ ! -f cuttlefish ]; then make -C _build/default/lib/cuttlefish; fi
+
+app.config: $(CUTTLEFISH_SCRIPT) etc/emqx_auth_mongo.conf
+	$(verbose) $(CUTTLEFISH_SCRIPT) -l info -e etc/ -c etc/emqx_auth_mongo.conf -i priv/emqx_auth_mongo.schema -d data

apps/emqx_auth_mongo/README.md

@@ -0,0 +1,192 @@
+emqx_auth_mongo
+===============
+
+EMQ X Authentication/ACL with MongoDB
+
+Build the Plugin
+----------------
+
+```
+make & make tests
+```
+
+Configuration
+-------------
+
+File: etc/emqx_auth_mongo.conf
+
+```
+## MongoDB Topology Type.
+##
+## Value: single | unknown | sharded | rs
+auth.mongo.type = single
+
+## Sets the set name if type is rs.
+##
+## Value: String
+## auth.mongo.rs_set_name =
+
+## MongoDB server list.
+##
+## Value: String
+##
+## Examples: 127.0.0.1:27017,127.0.0.2:27017...
+auth.mongo.server = 127.0.0.1:27017
+
+## MongoDB pool size
+##
+## Value: Number
+auth.mongo.pool = 8
+
+## MongoDB login user.
+##
+## Value: String
+## auth.mongo.login =
+
+## MongoDB password.
+##
+## Value: String
+## auth.mongo.password =
+
+## MongoDB AuthSource
+##
+## Value: String
+## Default: mqtt
+## auth.mongo.auth_source = admin
+
+## MongoDB database
+##
+## Value: String
+auth.mongo.database = mqtt
+
+## MongoDB write mode.
+##
+## Value: unsafe | safe
+## auth.mongo.w_mode =
+
+## Mongo read mode.
+##
+## Value: master | slave_ok
+## auth.mongo.r_mode =
+
+## MongoDB topology options.
+auth.mongo.topology.pool_size = 1
+auth.mongo.topology.max_overflow = 0
+## auth.mongo.topology.overflow_ttl = 1000
+## auth.mongo.topology.overflow_check_period = 1000
+## auth.mongo.topology.local_threshold_ms = 1000
+## auth.mongo.topology.connect_timeout_ms = 20000
+## auth.mongo.topology.socket_timeout_ms = 100
+## auth.mongo.topology.server_selection_timeout_ms = 30000
+## auth.mongo.topology.wait_queue_timeout_ms = 1000
+## auth.mongo.topology.heartbeat_frequency_ms = 10000
+## auth.mongo.topology.min_heartbeat_frequency_ms = 1000
+
+## Authentication query.
+auth.mongo.auth_query.collection = mqtt_user
+
+auth.mongo.auth_query.password_field = password
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 | bcrypt
+auth.mongo.auth_query.password_hash = sha256
+
+## sha256 with salt suffix
+## auth.mongo.auth_query.password_hash = sha256,salt
+
+## sha256 with salt prefix
+## auth.mongo.auth_query.password_hash = salt,sha256
+
+## bcrypt with salt prefix
+## auth.mongo.auth_query.password_hash = salt,bcrypt
+
+## pbkdf2 with macfun iterations dklen
+## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
+## auth.mongo.auth_query.password_hash = pbkdf2,sha256,1000,20
+
+auth.mongo.auth_query.selector = username=%u
+
+## Enable superuser query.
+auth.mongo.super_query = on
+
+auth.mongo.super_query.collection = mqtt_user
+
+auth.mongo.super_query.super_field = is_superuser
+
+auth.mongo.super_query.selector = username=%u
+
+## Enable ACL query.
+auth.mongo.acl_query = on
+
+auth.mongo.acl_query.collection = mqtt_acl
+
+auth.mongo.acl_query.selector = username=%u
+```
+
+Load the Plugin
+---------------
+
+```
+./bin/emqx_ctl plugins load emqx_auth_mongo
+```
+
+MongoDB Database
+----------------
+
+```
+use mqtt
+db.createCollection("mqtt_user")
+db.createCollection("mqtt_acl")
+db.mqtt_user.ensureIndex({"username":1})
+```
+
+mqtt_user Collection
+--------------------
+
+```
+{
+    username: "user",
+    password: "password hash",
+    salt: "password salt",
+    is_superuser: boolean (true, false),
+    created: "datetime"
+}
+```
+
+For example:
+```
+db.mqtt_user.insert({username: "test", password: "password hash", salt: "password salt", is_superuser: false})
+db.mqtt_user.insert({username: "root", is_superuser: true})
+```
+
+mqtt_acl Collection
+-------------------
+
+```
+{
+    username: "username",
+    clientid: "clientid",
+    publish: ["topic1", "topic2", ...],
+    subscribe: ["subtop1", "subtop2", ...],
+    pubsub: ["topic/#", "topic1", ...]
+}
+```
+
+For example:
+
+```
+db.mqtt_acl.insert({username: "test", publish: ["t/1", "t/2"], subscribe: ["user/%u", "client/%c"]})
+db.mqtt_acl.insert({username: "admin", pubsub: ["#"]})
+```
+
+License
+-------
+
+Apache License Version 2.0
+
+Author
+------
+
+EMQ X Team.
+

apps/emqx_auth_mongo/docker-compose-ssl.yml

@@ -0,0 +1,31 @@
+version: '3'
+
+services:
+  erlang:
+    image: erlang:22.1
+    volumes:
+      - ./:/emqx_auth_mongo
+    networks:
+      - emqx_bridge
+    depends_on:
+      - mongo_server
+    tty: true
+
+  mongo_server:
+    image: mongo:${MONGO_TAG}
+    restart: always
+    environment:
+      MONGO_INITDB_DATABASE: mqtt
+    volumes:
+        - ./test/emqx_auth_mongo_SUITE_data/mongodb.pem/:/etc/certs/mongodb.pem
+    networks:
+      - emqx_bridge
+    command:
+      --ipv6
+      --bind_ip_all
+      --sslMode requireSSL
+      --sslPEMKeyFile /etc/certs/mongodb.pem
+
+networks:
+  emqx_bridge:
+    driver: bridge

apps/emqx_auth_mongo/docker-compose.yml

@@ -0,0 +1,27 @@
+version: '3'
+
+services:
+  erlang:
+    image: erlang:22.1
+    volumes:
+      - ./:/emqx_auth_mongo
+    networks:
+      - emqx_bridge
+    depends_on:
+      - mongo_server
+    tty: true
+
+  mongo_server:
+    image: mongo:${MONGO_TAG}
+    restart: always
+    environment:
+      MONGO_INITDB_DATABASE: mqtt
+    networks:
+      - emqx_bridge
+    command:
+      --ipv6
+      --bind_ip_all
+
+networks:
+  emqx_bridge:
+    driver: bridge

apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf

@@ -0,0 +1,172 @@
+##--------------------------------------------------------------------
+## MongoDB Auth/ACL Plugin
+##--------------------------------------------------------------------
+
+## MongoDB Topology Type.
+##
+## Value: single | unknown | sharded | rs
+auth.mongo.type = single
+
+## The set name if type is rs.
+##
+## Value: String
+## auth.mongo.rs_set_name =
+
+## MongoDB server list.
+##
+## Value: String
+##
+## Examples: 127.0.0.1:27017,127.0.0.2:27017...
+auth.mongo.server = 127.0.0.1:27017
+
+## MongoDB pool size
+##
+## Value: Number
+auth.mongo.pool = 8
+
+## MongoDB login user.
+##
+## Value: String
+## auth.mongo.login =
+
+## MongoDB password.
+##
+## Value: String
+## auth.mongo.password =
+
+## MongoDB AuthSource
+##
+## Value: String
+## Default: mqtt
+## auth.mongo.auth_source = admin
+
+## MongoDB database
+##
+## Value: String
+auth.mongo.database = mqtt
+
+## MongoDB query timeout
+##
+## Value: Duration
+## auth.mongo.query_timeout = 5s
+
+## Whether to enable SSL connection.
+##
+## Value: true | false
+## auth.mongo.ssl = false
+
+## SSL keyfile.
+##
+## Value: File
+## auth.mongo.ssl_opts.keyfile =
+
+## SSL certfile.
+##
+## Value: File
+## auth.mongo.ssl_opts.certfile =
+
+## SSL cacertfile.
+##
+## Value: File
+## auth.mongo.ssl_opts.cacertfile =
+
+## MongoDB write mode.
+##
+## Value: unsafe | safe
+## auth.mongo.w_mode =
+
+## Mongo read mode.
+##
+## Value: master | slave_ok
+## auth.mongo.r_mode =
+
+## MongoDB topology options.
+auth.mongo.topology.pool_size = 1
+auth.mongo.topology.max_overflow = 0
+## auth.mongo.topology.overflow_ttl = 1000
+## auth.mongo.topology.overflow_check_period = 1000
+## auth.mongo.topology.local_threshold_ms = 1000
+## auth.mongo.topology.connect_timeout_ms = 20000
+## auth.mongo.topology.socket_timeout_ms = 100
+## auth.mongo.topology.server_selection_timeout_ms = 30000
+## auth.mongo.topology.wait_queue_timeout_ms = 1000
+## auth.mongo.topology.heartbeat_frequency_ms = 10000
+## auth.mongo.topology.min_heartbeat_frequency_ms = 1000
+
+## -------------------------------------------------
+## Auth Query
+## -------------------------------------------------
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 | bcrypt
+auth.mongo.auth_query.password_hash = sha256
+
+## sha256 with salt suffix
+## auth.mongo.auth_query.password_hash = sha256,salt
+
+## sha256 with salt prefix
+## auth.mongo.auth_query.password_hash = salt,sha256
+
+## bcrypt with salt prefix
+## auth.mongo.auth_query.password_hash = salt,bcrypt
+
+## pbkdf2 with macfun iterations dklen
+## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
+## auth.mongo.auth_query.password_hash = pbkdf2,sha256,1000,20
+
+## Authentication query.
+auth.mongo.auth_query.collection = mqtt_user
+
+## Password mainly fields
+##
+## Value:  password | password,salt
+auth.mongo.auth_query.password_field = password
+
+## Authentication Selector.
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## auth.mongo.auth_query.selector = {Field}={Placeholder}
+auth.mongo.auth_query.selector = username=%u
+
+## -------------------------------------------------
+## Super User Query
+## -------------------------------------------------
+auth.mongo.super_query.collection = mqtt_user
+auth.mongo.super_query.super_field = is_superuser
+#auth.mongo.super_query.selector = username=%u, clientid=%c
+auth.mongo.super_query.selector = username=%u
+
+## ACL Selector.
+##
+## Multiple selectors could be combined with '$or'
+##   when query acl from mongo.
+##
+## e.g.
+##
+## With following 2 selectors configured:
+##
+## auth.mongo.acl_query.selector.1 = username=%u
+## auth.mongo.acl_query.selector.2 = username=$all
+##
+## And if a client connected using username 'ilyas',
+##   then the following mongo command will be used to
+##   retrieve acl entries:
+##
+## db.mqtt_acl.find({$or: [{username: "ilyas"},  {username: "$all"}]});
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##
+## Examples:
+##
+## auth.mongo.acl_query.selector.1 = username=%u,clientid=%c
+## auth.mongo.acl_query.selector.2 = username=$all
+## auth.mongo.acl_query.selector.3 = clientid=$all
+auth.mongo.acl_query.collection = mqtt_acl
+auth.mongo.acl_query.selector = username=%u

apps/emqx_auth_mongo/include/emqx_auth_mongo.hrl

@@ -0,0 +1,37 @@
+
+-define(APP, emqx_auth_mongo).
+
+-define(DEFAULT_SELECTORS, [{<<"username">>, <<"%u">>}]).
+
+-record(superquery, {collection = <<"mqtt_user">>,
+                     field      = <<"is_superuser">>,
+                     selector   = {<<"username">>, <<"%u">>}}).
+
+-record(authquery, {collection = <<"mqtt_user">>,
+                    field      = <<"password">>,
+                    hash       = sha256,
+                    selector   = {<<"username">>, <<"%u">>}}).
+
+-record(aclquery, {collection = <<"mqtt_acl">>,
+                   selector   = {<<"username">>, <<"%u">>}}).
+
+-record(auth_metrics, {
+        success = 'client.auth.success',
+        failure = 'client.auth.failure',
+        ignore  = 'client.auth.ignore'
+    }).
+
+-record(acl_metrics, {
+        allow = 'client.acl.allow',
+        deny = 'client.acl.deny',
+        ignore = 'client.acl.ignore'
+    }).
+
+-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
+-define(METRICS(Type, K), #Type{}#Type.K).
+
+-define(AUTH_METRICS, ?METRICS(auth_metrics)).
+-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
+
+-define(ACL_METRICS, ?METRICS(acl_metrics)).
+-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

apps/emqx_auth_mongo/priv/emqx_auth_mongo.schema

@@ -0,0 +1,292 @@
+%%-*- mode: erlang -*-
+%% emqx_auth_mongo config mapping
+
+{mapping, "auth.mongo.type", "emqx_auth_mongo.server", [
+  {default, single},
+  {datatype, {enum, [single, unknown, sharded, rs]}}
+]}.
+
+{mapping, "auth.mongo.rs_set_name", "emqx_auth_mongo.server", [
+  {default, "mqtt"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.server", "emqx_auth_mongo.server", [
+  {default, "127.0.0.1:27017"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.pool", "emqx_auth_mongo.server", [
+  {default, 8},
+  {datatype, integer}
+]}.
+
+{mapping, "auth.mongo.login", "emqx_auth_mongo.server", [
+  {default, ""},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.password", "emqx_auth_mongo.server", [
+  {default, ""},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.database", "emqx_auth_mongo.server", [
+  {default, "mqtt"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.auth_source", "emqx_auth_mongo.server", [
+  {default, "mqtt"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.ssl", "emqx_auth_mongo.server", [
+  {default, false},
+  {datatype, {enum, [true, false]}}
+]}.
+
+{mapping, "auth.mongo.ssl_opts.keyfile", "emqx_auth_mongo.server", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.ssl_opts.certfile", "emqx_auth_mongo.server", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.ssl_opts.cacertfile", "emqx_auth_mongo.server", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.w_mode", "emqx_auth_mongo.server", [
+  {default, undef},
+  {datatype, {enum, [safe, unsafe, undef]}}
+]}.
+
+{mapping, "auth.mongo.r_mode", "emqx_auth_mongo.server", [
+  {default, undef},
+  {datatype, {enum, [master, slave_ok, undef]}}
+]}.
+
+{mapping, "auth.mongo.topology.$name", "emqx_auth_mongo.server", [
+  {datatype, integer}
+]}.
+
+{translation, "emqx_auth_mongo.server", fun(Conf) ->
+  H = cuttlefish:conf_get("auth.mongo.server", Conf),
+  Hosts = string:tokens(H, ","),
+  Type0 = cuttlefish:conf_get("auth.mongo.type", Conf),
+  Pool = cuttlefish:conf_get("auth.mongo.pool", Conf),
+  Login = cuttlefish:conf_get("auth.mongo.login", Conf),
+  Passwd = cuttlefish:conf_get("auth.mongo.password", Conf),
+  DB = cuttlefish:conf_get("auth.mongo.database", Conf),
+  AuthSrc = cuttlefish:conf_get("auth.mongo.auth_source", Conf),
+  R = cuttlefish:conf_get("auth.mongo.w_mode", Conf),
+  W = cuttlefish:conf_get("auth.mongo.r_mode", Conf),
+  Login0 = case Login =:= [] of
+    true -> [];
+    false -> [{login, list_to_binary(Login)}]
+  end,
+  Passwd0 = case Passwd =:= [] of
+    true -> [];
+    false -> [{password, list_to_binary(Passwd)}]
+  end,
+  W0 = case W =:= undef of
+    true -> [];
+    false -> [{w_mode, W}]
+  end,
+  R0 = case R =:= undef  of
+    true -> [];
+    false -> [{r_mode, R}]
+  end,
+  Ssl = case cuttlefish:conf_get("auth.mongo.ssl", Conf) of
+    true ->
+      Filter  = fun(Opts) -> [{K, V} || {K, V} <- Opts, V =/= undefined] end,
+      SslOpts = fun(Prefix) ->
+                    Filter([{keyfile,    cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
+                            {certfile,   cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
+                            {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)}])
+                end,
+      [{ssl, true}, {ssl_opts, SslOpts("auth.mongo.ssl_opts")}];
+    false ->
+      []
+  end,
+  WorkerOptions = [{database, list_to_binary(DB)}, {auth_source, list_to_binary(AuthSrc)}]
+                    ++ Login0 ++ Passwd0 ++ W0 ++ R0 ++ Ssl,
+
+  Vars = cuttlefish_variable:fuzzy_matches(["auth", "mongo", "topology", "$name"], Conf),
+  Options = lists:map(fun({_, Name}) ->
+    Name2 = case Name of
+      "local_threshold_ms"          -> "localThresholdMS";
+      "connect_timeout_ms"          -> "connectTimeoutMS";
+      "socket_timeout_ms"           -> "socketTimeoutMS";
+      "server_selection_timeout_ms" -> "serverSelectionTimeoutMS";
+      "wait_queue_timeout_ms"       -> "waitQueueTimeoutMS";
+      "heartbeat_frequency_ms"      -> "heartbeatFrequencyMS";
+      "min_heartbeat_frequency_ms"  -> "minHeartbeatFrequencyMS";
+      _ -> Name
+    end,
+    {list_to_atom(Name2), cuttlefish:conf_get("auth.mongo.topology."++Name, Conf)}
+  end, Vars),
+
+  Type = case Type0 =:= rs of
+    true -> {Type0, list_to_binary(cuttlefish:conf_get("auth.mongo.rs_set_name", Conf))};
+    false -> Type0
+  end,
+  [{type, Type},
+   {hosts, Hosts},
+   {options, Options},
+   {worker_options, WorkerOptions},
+   {auto_reconnect, 1},
+   {pool_size, Pool}]
+end}.
+
+%% The mongodb operation timeout is specified by the value of `cursor_timeout` from application config,
+%% or `infinity` if `cursor_timeout` not specified
+{mapping, "auth.mongo.query_timeout", "mongodb.cursor_timeout", [
+  {datatype, string}
+]}.
+
+{translation, "mongodb.cursor_timeout", fun(Conf) ->
+  case cuttlefish:conf_get("auth.mongo.query_timeout", Conf, undefined) of
+      undefined -> infinity;
+      Duration ->
+          case cuttlefish_duration:parse(Duration, ms) of
+              {error, Reason} -> error(Reason);
+              Ms when is_integer(Ms) -> Ms
+          end
+  end
+end}.
+
+{mapping, "auth.mongo.auth_query.collection", "emqx_auth_mongo.auth_query", [
+  {default, "mqtt_user"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.auth_query.password_field", "emqx_auth_mongo.auth_query", [
+  {default, "password"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.auth_query.password_hash", "emqx_auth_mongo.auth_query", [
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.auth_query.selector", "emqx_auth_mongo.auth_query", [
+  {default, ""},
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_mongo.auth_query", fun(Conf) ->
+  case cuttlefish:conf_get("auth.mongo.auth_query.collection", Conf) of
+    undefined -> cuttlefish:unset();
+    Collection ->
+      PasswordField = cuttlefish:conf_get("auth.mongo.auth_query.password_field", Conf),
+      PasswordHash = cuttlefish:conf_get("auth.mongo.auth_query.password_hash", Conf),
+      SelectorStr = cuttlefish:conf_get("auth.mongo.auth_query.selector", Conf),
+      SelectorList =
+          lists:map(fun(Selector) ->
+                  case string:tokens(Selector, "=") of
+                      [Field, Val] -> {list_to_binary(Field), list_to_binary(Val)};
+                      _ -> {<<"username">>, <<"%u">>}
+                  end
+              end, string:tokens(SelectorStr, ", ")),
+
+      PasswordFields = [list_to_binary(Field) || Field <- string:tokens(PasswordField, ",")],
+      HashValue =
+        case string:tokens(PasswordHash, ",") of
+              [Hash]           -> list_to_atom(Hash);
+              [Prefix, Suffix] -> {list_to_atom(Prefix), list_to_atom(Suffix)};
+              [Hash, MacFun, Iterations, Dklen] -> {list_to_atom(Hash), list_to_atom(MacFun), list_to_integer(Iterations), list_to_integer(Dklen)};
+              _                -> plain
+        end,
+      [{collection, Collection},
+       {password_field, PasswordFields},
+       {password_hash, HashValue},
+       {selector, SelectorList}]
+    end
+end}.
+
+{mapping, "auth.mongo.super_query", "emqx_auth_mongo.super_query", [
+  {default, off},
+  {datatype, flag}
+]}.
+
+{mapping, "auth.mongo.super_query.collection", "emqx_auth_mongo.super_query", [
+  {default, "mqtt_user"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.super_query.super_field", "emqx_auth_mongo.super_query", [
+  {default, "is_superuser"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.super_query.selector", "emqx_auth_mongo.super_query", [
+  {default, ""},
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_mongo.super_query", fun(Conf) ->
+  case cuttlefish:conf_get("auth.mongo.super_query.collection", Conf) of
+    undefined -> cuttlefish:unset();
+    Collection  ->
+      SuperField = cuttlefish:conf_get("auth.mongo.super_query.super_field", Conf),
+      SelectorStr = cuttlefish:conf_get("auth.mongo.super_query.selector", Conf),
+      SelectorList =
+          lists:map(fun(Selector) ->
+                  case string:tokens(Selector, "=") of
+                      [Field, Val] -> {list_to_binary(Field), list_to_binary(Val)};
+                      _ -> {<<"username">>, <<"%u">>}
+                  end
+              end, string:tokens(SelectorStr, ", ")),
+      [{collection, Collection}, {super_field, SuperField}, {selector, SelectorList}]
+  end
+end}.
+
+{mapping, "auth.mongo.acl_query", "emqx_auth_mongo.acl_query", [
+  {default, off},
+  {datatype, flag}
+]}.
+
+{mapping, "auth.mongo.acl_query.collection", "emqx_auth_mongo.acl_query", [
+  {default, "mqtt_user"},
+  {datatype, string}
+]}.
+
+{mapping, "auth.mongo.acl_query.selector", "emqx_auth_mongo.acl_query", [
+  {default, ""},
+  {datatype, string}
+]}.
+{mapping, "auth.mongo.acl_query.selector.$id", "emqx_auth_mongo.acl_query", [
+  {default, ""},
+  {datatype, string}
+]}.
+
+{translation, "emqx_auth_mongo.acl_query", fun(Conf) ->
+  case cuttlefish:conf_get("auth.mongo.acl_query.collection", Conf) of
+    undefined -> cuttlefish:unset();
+    Collection  ->
+      SelectorStrList =
+        lists:map(
+            fun
+                ({["auth","mongo","acl_query","selector"], ConfEntry}) ->
+                    ConfEntry;
+                ({["auth","mongo","acl_query","selector", _], ConfEntry}) ->
+                    ConfEntry
+            end,
+            cuttlefish_variable:filter_by_prefix("auth.mongo.acl_query.selector", Conf)),
+      SelectorListList =
+          lists:map(
+            fun(SelectorStr) ->
+                lists:map(fun(Selector) ->
+                        case string:tokens(Selector, "=") of
+                            [Field, Val] -> {list_to_binary(Field), list_to_binary(Val)};
+                            _ -> {<<"username">>, <<"%u">>}
+                        end
+                    end, string:tokens(SelectorStr, ", "))
+            end,
+            SelectorStrList),
+      [{collection, Collection}, {selector, SelectorListList}]
+  end
+end}.

apps/emqx_auth_mongo/rebar.config

@@ -0,0 +1,35 @@
+{deps,
+ [{mongodb, {git,"https://github.com/emqx/mongodb-erlang", {tag, "v3.0.7"}}},
+  {ecpool, {git,"https://github.com/emqx/ecpool", {tag, "0.5.0"}}},
+  {emqx_passwd, {git, "https://github.com/emqx/emqx-passwd", {tag, "v1.1.1"}}}
+ ]}.
+
+{edoc_opts, [{preprocess, true}]}.
+{erl_opts, [warn_unused_vars,
+            warn_shadow_vars,
+            warn_unused_import,
+            warn_obsolete_guard,
+            debug_info,
+            compressed,
+            {parse_transform}
+           ]}.
+{overrides, [{add, [{erl_opts, [compressed]}]}]}.
+
+{xref_checks, [undefined_function_calls, undefined_functions,
+               locals_not_used, deprecated_function_calls,
+               warnings_as_errors, deprecated_functions
+              ]}.
+
+{cover_enabled, true}.
+{cover_opts, [verbose]}.
+{cover_export_enabled, true}.
+
+{profiles,
+ [{test,
+   [{deps,
+     [{emqx_ct_helper, {git, "https://github.com/emqx/emqx-ct-helper", {tag, "1.2.2"}}},
+      {emqtt, {git, "https://github.com/emqx/emqtt", {tag, "1.2.3"}}}
+     ]},
+    {erl_opts, [debug_info]}
+   ]}
+ ]}.

apps/emqx_auth_mongo/rebar.config.script

@@ -0,0 +1,54 @@
+%%-*- mode: erlang -*-
+
+DEPS = case lists:keyfind(deps, 1, CONFIG) of
+          {_, Deps} -> Deps;
+          _ -> []
+      end,
+
+ComparingFun = fun
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
+                                            is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2)    -> _Fun(R1, R2);
+                _Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2)    -> true;
+                _Fun(_, _) -> false
+              end,
+
+SortFun = fun(T1, T2) ->
+            C = fun(T) ->
+                  [case catch list_to_integer(E) of
+                      I when is_integer(I) -> I;
+                      _ -> E
+                    end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
+                end,
+            ComparingFun(C(T1), C(T2))
+          end,
+
+VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
+
+Tags = case VTags of
+         [] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
+         _ -> VTags
+       end,
+
+LatestTag = lists:last(lists:sort(SortFun, Tags)),
+
+Branch = case os:getenv("GITHUB_RUN_ID") of
+                false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
+                _ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
+         end,
+
+GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
+                match -> {branch, Branch};
+                _ -> {tag, LatestTag}
+              end,
+
+UrlPrefix = "https://github.com/emqx/",
+
+EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
+EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
+
+NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
+
+CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
+
+CONFIG1.

apps/emqx_auth_mongo/src/emqx_acl_mongo.erl

@@ -0,0 +1,90 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+-module(emqx_acl_mongo).
+
+-include("emqx_auth_mongo.hrl").
+-include_lib("emqx/include/emqx.hrl").
+-include_lib("emqx/include/logger.hrl").
+
+%% ACL callbacks
+-export([ register_metrics/0
+        , check_acl/5
+        , description/0
+        ]).
+-spec(register_metrics() -> ok).
+register_metrics() ->
+    lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
+
+check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _AclResult, _State) ->
+    ok;
+
+check_acl(ClientInfo, PubSub, Topic, _AclResult, #{aclquery := AclQuery , pool := Pool}) ->
+    #aclquery{collection = Coll, selector = SelectorList} = AclQuery,
+    SelectorMapList =
+        lists:map(fun(Selector) ->
+            maps:from_list(emqx_auth_mongo:replvars(Selector, ClientInfo))
+        end, SelectorList),
+    case emqx_auth_mongo:query_multi(Pool, Coll, SelectorMapList) of
+        [] -> ok;
+        Rows ->
+            try match(ClientInfo, Topic, topics(PubSub, Rows)) of
+                matched -> emqx_metrics:inc(?ACL_METRICS(allow)),
+                           {stop, allow};
+                nomatch -> emqx_metrics:inc(?ACL_METRICS(deny)),
+                           {stop, deny}
+            catch
+                _Err:Reason->
+                    ?LOG(error, "[MongoDB] Check mongo ~p ACL failed, got ACL config: ~p, error: :~p",
+                                [PubSub, Rows, Reason]),
+                    emqx_metrics:inc(?ACL_METRICS(ignore)),
+                    ignore
+            end
+    end.
+
+
+match(_ClientInfo, _Topic, []) ->
+    nomatch;
+match(ClientInfo, Topic, [TopicFilter|More]) ->
+    case emqx_topic:match(Topic, feedvar(ClientInfo, TopicFilter)) of
+        true  -> matched;
+        false -> match(ClientInfo, Topic, More)
+    end.
+
+topics(publish, Rows) ->
+    lists:foldl(fun(Row, Acc) ->
+        Topics = maps:get(<<"publish">>, Row, []) ++ maps:get(<<"pubsub">>, Row, []),
+        lists:umerge(Acc, Topics)
+    end, [], Rows);
+
+topics(subscribe, Rows) ->
+    lists:foldl(fun(Row, Acc) ->
+        Topics = maps:get(<<"subscribe">>, Row, []) ++ maps:get(<<"pubsub">>, Row, []),
+        lists:umerge(Acc, Topics)
+    end, [], Rows).
+
+feedvar(#{clientid := ClientId, username := Username}, Str) ->
+    lists:foldl(fun({Var, Val}, Acc) ->
+                    feedvar(Acc, Var, Val)
+                end, Str, [{"%u", Username}, {"%c", ClientId}]).
+
+feedvar(Str, _Var, undefined) ->
+    Str;
+feedvar(Str, Var, Val) ->
+    re:replace(Str, Var, Val, [global, {return, binary}]).
+
+description() -> "ACL with MongoDB".
+