Compare commits

...

1 Commits

Author SHA1 Message Date
Zaiming Shi 0cf8380822 chore(apps): Sync plugins to apps dir
emqx_telemetry from tag v4.2.7
all other apps are from e4.2.4
see sync-apps.sh
2021-02-06 11:42:40 +01:00
833 changed files with 84712 additions and 10 deletions

21
.gitignore vendored
View File

@ -12,33 +12,34 @@ ebin
test/ebin/*.beam test/ebin/*.beam
.exrc .exrc
plugins/*/ebin plugins/*/ebin
log/
*.swp *.swp
*.so *.so
.erlang.mk/ .erlang.mk/
cover/ cover/
emqx.d
eunit.coverdata eunit.coverdata
test/ct.cover.spec test/ct.cover.spec
logs
ct.coverdata ct.coverdata
.idea/ .idea/
emqx.iml
_rel/
data/
_build _build
.rebar3 .rebar3
rebar3.crashdump rebar3.crashdump
.DS_Store .DS_Store
emqx.iml
bbmustache/
etc/gen.emqx.conf etc/gen.emqx.conf
compile_commands.json compile_commands.json
cuttlefish cuttlefish
rebar.lock
xrefr xrefr
erlang.mk
*.coverdata *.coverdata
etc/emqx.conf.rendered etc/emqx.conf.rendered
Mnesia.*/ Mnesia.*/
*.DS_Store
_checkouts
rebar.config.rendered
/rebar3
rebar.lock
.stamp .stamp
tmp/
_packages
elvis
emqx_dialyzer_*_plt
apps/emqx_dashboard/priv/www
dist.zip

25
apps/emqx_auth_http/.gitignore vendored Normal file
View File

@ -0,0 +1,25 @@
.eunit
deps
*.o
*.beam
*.plt
erl_crash.dump
ebin
rel/example_project
.concrete/DEV_MODE
.rebar
.erlang.mk/
emqx_auth_http.d
data
ct.cover.spec
cover/
ct.coverdata
eunit.coverdata
logs/
erlang.mk
_build/
rebar.lock
rebar3.crashdump
etc/emqx_auth_http.conf.rendered
.rebar3/
*.swp

View File

@ -0,0 +1,100 @@
emqx_auth_http
==============
EMQ X HTTP Auth/ACL Plugin
Build
-----
```
make && make tests
```
Configure the Plugin
--------------------
File: etc/emqx_auth_http.conf
```
##--------------------------------------------------------------------
## Authentication request.
##
## Variables:
## - %u: username
## - %c: clientid
## - %a: ipaddress
## - %r: protocol
## - %P: password
## - %C: common name of client TLS cert
## - %d: subject of client TLS cert
##
## Value: URL
auth.http.auth_req = http://127.0.0.1:8080/mqtt/auth
## Value: post | get | put
auth.http.auth_req.method = post
## Value: Params
auth.http.auth_req.params = clientid=%c,username=%u,password=%P
##--------------------------------------------------------------------
## Superuser request.
##
## Variables:
## - %u: username
## - %c: clientid
## - %a: ipaddress
## - %r: protocol
## - %P: password
## - %C: common name of client TLS cert
## - %d: subject of client TLS cert
##
## Value: URL
auth.http.super_req = http://127.0.0.1:8080/mqtt/superuser
## Value: post | get | put
auth.http.super_req.method = post
## Value: Params
auth.http.super_req.params = clientid=%c,username=%u
##--------------------------------------------------------------------
## ACL request.
##
## Variables:
## - %A: 1 | 2, 1 = sub, 2 = pub
## - %u: username
## - %c: clientid
## - %a: ipaddress
## - %r: protocol
## - %m: mountpoint
## - %t: topic
##
## Value: URL
auth.http.acl_req = http://127.0.0.1:8080/mqtt/acl
## Value: post | get | put
auth.http.acl_req.method = get
## Value: Params
auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t
```
Load the Plugin
---------------
```
./bin/emqx_ctl plugins load emqx_auth_http
```
HTTP API
--------
200 if ok
4xx if unauthorized
License
-------
Apache License Version 2.0
Author
------
EMQ X Team.

View File

@ -0,0 +1,162 @@
##--------------------------------------------------------------------
## HTTP Auth/ACL Plugin
##--------------------------------------------------------------------
##--------------------------------------------------------------------
## Authentication request.
## HTTP URL API path for authentication request
##
## Value: URL
##
## Examples: http://127.0.0.1:8991/mqtt/auth, https://[::1]:8991/mqtt/auth
auth.http.auth_req = http://127.0.0.1:8991/mqtt/auth
## Value: post | get | put
auth.http.auth_req.method = post
## It only works when method=post
## Value: json | x-www-form-urlencoded
auth.http.auth_req.content_type = x-www-form-urlencoded
## Variables:
## - %u: username
## - %c: clientid
## - %a: ipaddress
## - %r: protocol
## - %P: password
## - %p: sockport of server accepted
## - %C: common name of client TLS cert
## - %d: subject of client TLS cert
##
## Value: Params
auth.http.auth_req.params = clientid=%c,username=%u,password=%P
##--------------------------------------------------------------------
## Superuser request.
## HTTP URL API path for Superuser request
##
## Value: URL
##
## Examples: http://127.0.0.1:8991/mqtt/superuser, https://[::1]:8991/mqtt/superuser
#auth.http.super_req = http://127.0.0.1:8991/mqtt/superuser
## Value: post | get | put
#auth.http.super_req.method = post
## It only works when method=pos
## Value: json | x-www-form-urlencoded
#auth.http.super_req.content_type = x-www-form-urlencoded
## Variables:
## - %u: username
## - %c: clientid
## - %a: ipaddress
## - %r: protocol
## - %P: password
## - %p: sockport of server accepted
## - %C: common name of client TLS cert
## - %d: subject of client TLS cert
##
## Value: Params
#auth.http.super_req.params = clientid=%c,username=%u
##--------------------------------------------------------------------
## ACL request.
## HTTP URL API path for ACL request
##
## Value: URL
##
## Examples: http://127.0.0.1:8991/mqtt/acl, https://[::1]:8991/mqtt/acl
auth.http.acl_req = http://127.0.0.1:8991/mqtt/acl
## Value: post | get | put
auth.http.acl_req.method = get
## It only works when method=post
## Value: json | x-www-form-urlencoded
auth.http.acl_req.content_type = x-www-form-urlencoded
## Variables:
## - %A: 1 | 2, 1 = sub, 2 = pub
## - %u: username
## - %c: clientid
## - %a: ipaddress
## - %r: protocol
## - %m: mountpoint
## - %t: topic
##
## Value: Params
auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m
##------------------------------------------------------------------------------
## Http Reqeust options
## Time-out time for the http request, 0 is never timeout.
##
## Value: Duration
## -h: hour, e.g. '2h' for 2 hours
## -m: minute, e.g. '5m' for 5 minutes
## -s: second, e.g. '30s' for 30 seconds
##
## Default: 5s
## auth.http.request.timeout = 5s
## Connection time-out time, used during the initial request
## when the client is connecting to the server
##
## Value: Duration
##
## Default is same with the timeout option
## auth.http.request.connect_timeout = 0
## Re-send http reuqest times
##
## Value: integer
##
## Default: 3
auth.http.request.retry_times = 5
## The interval for re-sending the http request
##
## Value: Duration
##
## Default: 1s
auth.http.request.retry_interval = 1s
## The 'Exponential Backoff' mechanism for re-sending request. The actually
## re-send time interval is `interval * backoff ^ times`
##
## Value: float
##
## Default: 2.0
auth.http.request.retry_backoff = 2.0
##------------------------------------------------------------------------------
## SSL options
## Path to the file containing PEM-encoded CA certificates. The CA certificates
## are used during server authentication and when building the client certificate chain.
##
## Value: File
## auth.http.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
## The path to a file containing the client's certificate.
##
## Value: File
## auth.http.ssl.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
## Path to a file containing the client's private PEM-encoded key.
##
## Value: File
## auth.http.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
##--------------------------------------------------------------------
## HTTP Request Headers
##
## Example: auth.http.header.Accept-Encoding = *
##
## Value: String
## auth.http.header.Accept = */*

View File

@ -0,0 +1,25 @@
-define(APP, emqx_auth_http).
-record(http_request, {method = post, path, headers, params, request_timeout}).
-record(auth_metrics, {
success = 'client.auth.success',
failure = 'client.auth.failure',
ignore = 'client.auth.ignore'
}).
-record(acl_metrics, {
allow = 'client.acl.allow',
deny = 'client.acl.deny',
ignore = 'client.acl.ignore'
}).
-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
-define(METRICS(Type, K), #Type{}#Type.K).
-define(AUTH_METRICS, ?METRICS(auth_metrics)).
-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
-define(ACL_METRICS, ?METRICS(acl_metrics)).
-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

View File

@ -0,0 +1,169 @@
%%-*- mode: erlang -*-
%% emqx_auth_http config mapping
{mapping, "auth.http.auth_req", "emqx_auth_http.auth_req", [
{datatype, string}
]}.
{mapping, "auth.http.auth_req.method", "emqx_auth_http.auth_req", [
{default, post},
{datatype, {enum, [post, get]}}
]}.
{mapping, "auth.http.auth_req.content_type", "emqx_auth_http.auth_req", [
{default, 'x-www-form-urlencoded'},
{datatype, {enum, ['json', 'x-www-form-urlencoded']}}
]}.
{mapping, "auth.http.auth_req.params", "emqx_auth_http.auth_req", [
{datatype, string}
]}.
{translation, "emqx_auth_http.auth_req", fun(Conf) ->
case cuttlefish:conf_get("auth.http.auth_req", Conf) of
undefined -> cuttlefish:unset();
Url ->
Params = cuttlefish:conf_get("auth.http.auth_req.params", Conf),
[{url, Url},
{method, cuttlefish:conf_get("auth.http.auth_req.method", Conf)},
{content_type, list_to_binary("application/" ++ atom_to_list(cuttlefish:conf_get("auth.http.auth_req.content_type", Conf)))},
{params, [list_to_tuple(string:tokens(S, "=")) || S <- string:tokens(Params, ",")]}]
end
end}.
{mapping, "auth.http.super_req", "emqx_auth_http.super_req", [
{datatype, string}
]}.
{mapping, "auth.http.super_req.method", "emqx_auth_http.super_req", [
{default, post},
{datatype, {enum, [post, get]}}
]}.
{mapping, "auth.http.super_req.content_type", "emqx_auth_http.super_req", [
{default, 'x-www-form-urlencoded'},
{datatype, {enum, ['json', 'x-www-form-urlencoded']}}
]}.
{mapping, "auth.http.super_req.params", "emqx_auth_http.super_req", [
{datatype, string}
]}.
{translation, "emqx_auth_http.super_req", fun(Conf) ->
case cuttlefish:conf_get("auth.http.super_req", Conf, undefined) of
undefined -> cuttlefish:unset();
Url -> Params = cuttlefish:conf_get("auth.http.super_req.params", Conf),
[{url, Url}, {method, cuttlefish:conf_get("auth.http.super_req.method", Conf)},
{content_type, list_to_binary("application/" ++ atom_to_list(cuttlefish:conf_get("auth.http.super_req.content_type", Conf)))},
{params, [list_to_tuple(string:tokens(S, "=")) || S <- string:tokens(Params, ",")]}]
end
end}.
{mapping, "auth.http.acl_req", "emqx_auth_http.acl_req", [
{default, undefined},
{datatype, string}
]}.
{mapping, "auth.http.acl_req.method", "emqx_auth_http.acl_req", [
{default, post},
{datatype, {enum, [post, get]}}
]}.
{mapping, "auth.http.acl_req.content_type", "emqx_auth_http.acl_req", [
{default, 'x-www-form-urlencoded'},
{datatype, {enum, ['json', 'x-www-form-urlencoded']}}
]}.
{mapping, "auth.http.acl_req.params", "emqx_auth_http.acl_req", [
{datatype, string}
]}.
{translation, "emqx_auth_http.acl_req", fun(Conf) ->
case cuttlefish:conf_get("auth.http.acl_req", Conf, undefined) of
undefined -> cuttlefish:unset();
Url -> Params = cuttlefish:conf_get("auth.http.acl_req.params", Conf),
[{url, Url},
{method, cuttlefish:conf_get("auth.http.acl_req.method", Conf)},
{content_type, list_to_binary("application/" ++ atom_to_list(cuttlefish:conf_get("auth.http.acl_req.content_type", Conf)))},
{params, [list_to_tuple(string:tokens(S, "=")) || S <- string:tokens(Params, ",")]}]
end
end}.
{mapping, "auth.http.request.timeout", "emqx_auth_http.request_timeout", [
{default, "5s"},
{datatype, [integer, {duration, ms}]}
]}.
{mapping, "auth.http.pool_size", "emqx_auth_http.pool_opts", [
{default, 8},
{datatype, integer}
]}.
{mapping, "auth.http.request.connect_timeout", "emqx_auth_http.pool_opts", [
{default, "5s"},
{datatype, [integer, {duration, ms}]}
]}.
{mapping, "auth.http.ssl.cacertfile", "emqx_auth_http.pool_opts", [
{datatype, string}
]}.
{mapping, "auth.http.ssl.certfile", "emqx_auth_http.pool_opts", [
{datatype, string}
]}.
{mapping, "auth.http.ssl.keyfile", "emqx_auth_http.pool_opts", [
{datatype, string}
]}.
{mapping, "auth.http.request.retry_times", "emqx_auth_http.pool_opts", [
{default, 5},
{datatype, integer}
]}.
{mapping, "auth.http.request.retry_interval", "emqx_auth_http.pool_opts", [
{default, "1s"},
{datatype, {duration, ms}}
]}.
{mapping, "auth.http.request.retry_backoff", "emqx_auth_http.pool_opts", [
{default, 2.0},
{datatype, float}
]}.
{translation, "emqx_auth_http.pool_opts", fun(Conf) ->
Filter = fun(L) -> [{K, V} || {K, V} <- L, V =/= undefined] end,
InfinityFun = fun(0) -> infinity;
(Duration) -> Duration
end,
SslOpts = Filter([{cacertfile, cuttlefish:conf_get("auth.http.ssl.cacertfile", Conf, undefined)},
{certfile, cuttlefish:conf_get("auth.http.ssl.certfile", Conf, undefined)},
{keyfile, cuttlefish:conf_get("auth.http.ssl.keyfile", Conf, undefined)}]),
Opts = [{pool_size, cuttlefish:conf_get("auth.http.pool_size", Conf)},
{connect_timeout, InfinityFun(cuttlefish:conf_get("auth.http.request.connect_timeout", Conf))},
{retry, cuttlefish:conf_get("auth.http.request.retry_times", Conf)},
{retry_timeout, cuttlefish:conf_get("auth.http.request.retry_interval", Conf)}],
case SslOpts of
[] -> Filter(Opts);
_ ->
TlsVers = ['tlsv1.2','tlsv1.1',tlsv1],
DefaultOpts = [{versions, TlsVers},
{ciphers, lists:foldl(
fun(TlsVer, Ciphers) ->
Ciphers ++ ssl:cipher_suites(all, TlsVer)
end, [], TlsVers)}],
Filter([{ssl, DefaultOpts ++ SslOpts} | Opts])
end
end}.
{mapping, "auth.http.header.$field", "emqx_auth_http.headers", [
{datatype, string}
]}.
{translation, "emqx_auth_http.headers", fun(Conf) ->
lists:map(
fun({["auth", "http", "header", Field], Value}) ->
{Field, Value}
end,
cuttlefish_variable:filter_by_prefix("auth.http.header", Conf))
end}.

View File

@ -0,0 +1,29 @@
{deps,
[{gun, {git, "https://github.com/emqx/gun", {tag, "1.3.4"}}},
{gproc, {git, "https://github.com/uwiger/gproc", {tag, "0.8.0"}}}
]}.
{edoc_opts, [{preprocess, true}]}.
{erl_opts, [warn_unused_vars,
warn_shadow_vars,
warn_unused_import,
warn_obsolete_guard,
debug_info,
{parse_transform}]}.
{xref_checks, [undefined_function_calls, undefined_functions,
locals_not_used, deprecated_function_calls,
warnings_as_errors, deprecated_functions]}.
{cover_enabled, true}.
{cover_opts, [verbose]}.
{cover_export_enabled, true}.
{profiles,
[{test,
[{deps,
[{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}},
{emqtt, {git, "https://github.com/emqx/emqtt", {tag, "v1.2.2"}}}
]}
]}
]}.

View File

@ -0,0 +1,89 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_acl_http).
-include("emqx_auth_http.hrl").
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/logger.hrl").
-logger_header("[ACL http]").
-import(emqx_auth_http_cli,
[ request/6
, feedvar/2
]).
%% ACL callbacks
-export([ register_metrics/0
, check_acl/5
, description/0
]).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
%%--------------------------------------------------------------------
%% ACL callbacks
%%--------------------------------------------------------------------
check_acl(ClientInfo, PubSub, Topic, AclResult, State) ->
return_with(fun inc_metrics/1,
do_check_acl(ClientInfo, PubSub, Topic, AclResult, State)).
do_check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _AclResult, _Config) ->
ok;
do_check_acl(ClientInfo, PubSub, Topic, _AclResult, #{acl_req := AclReq,
pool_name := PoolName}) ->
ClientInfo1 = ClientInfo#{access => access(PubSub), topic => Topic},
case check_acl_request(PoolName, AclReq, ClientInfo1) of
{ok, 200, <<"ignore">>} -> ok;
{ok, 200, _Body} -> {stop, allow};
{ok, _Code, _Body} -> {stop, deny};
{error, Error} ->
?LOG(error, "Request ACL path ~s, error: ~p",
[AclReq#http_request.path, Error]),
ok
end.
description() -> "ACL with HTTP API".
%%--------------------------------------------------------------------
%% Internal functions
%%--------------------------------------------------------------------
inc_metrics(ok) ->
emqx_metrics:inc(?ACL_METRICS(ignore));
inc_metrics({stop, allow}) ->
emqx_metrics:inc(?ACL_METRICS(allow));
inc_metrics({stop, deny}) ->
emqx_metrics:inc(?ACL_METRICS(deny)).
return_with(Fun, Result) ->
Fun(Result), Result.
check_acl_request(PoolName, #http_request{path = Path,
method = Method,
headers = Headers,
params = Params,
request_timeout = RequestTimeout}, ClientInfo) ->
request(PoolName, Method, Path, Headers, feedvar(Params, ClientInfo), RequestTimeout).
access(subscribe) -> 1;
access(publish) -> 2.

View File

@ -0,0 +1,14 @@
{application, emqx_auth_http,
[{description, "EMQ X Authentication/ACL with HTTP API"},
{vsn, "git"},
{modules, []},
{registered, [emqx_auth_http_sup]},
{applications, [kernel,stdlib,gproc,gun]},
{mod, {emqx_auth_http_app, []}},
{env, []},
{licenses, ["Apache-2.0"]},
{maintainers, ["EMQ X Team <contact@emqx.io>"]},
{links, [{"Homepage", "https://emqx.io/"},
{"Github", "https://github.com/emqx/emqx-auth-http"}
]}
]}.

View File

@ -0,0 +1,112 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_http).
-include("emqx_auth_http.hrl").
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/logger.hrl").
-include_lib("emqx/include/types.hrl").
-logger_header("[Auth http]").
-import(emqx_auth_http_cli,
[ request/6
, feedvar/2
]).
%% Callbacks
-export([ register_metrics/0
, check/3
, description/0
]).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
check(ClientInfo, AuthResult, #{auth_req := AuthReq,
super_req := SuperReq,
pool_name := PoolName}) ->
case authenticate(PoolName, AuthReq, ClientInfo) of
{ok, 200, <<"ignore">>} ->
emqx_metrics:inc(?AUTH_METRICS(ignore)), ok;
{ok, 200, Body} ->
emqx_metrics:inc(?AUTH_METRICS(success)),
IsSuperuser = is_superuser(PoolName, SuperReq, ClientInfo),
{stop, AuthResult#{is_superuser => IsSuperuser,
auth_result => success,
anonymous => false,
mountpoint => mountpoint(Body, ClientInfo)}};
{ok, Code, _Body} ->
?LOG(error, "Deny connection from path: ~s, response http code: ~p",
[AuthReq#http_request.path, Code]),
emqx_metrics:inc(?AUTH_METRICS(failure)),
{stop, AuthResult#{auth_result => http_to_connack_error(Code),
anonymous => false}};
{error, Error} ->
?LOG(error, "Request auth path: ~s, error: ~p",
[AuthReq#http_request.path, Error]),
emqx_metrics:inc(?AUTH_METRICS(failure)),
%%FIXME later: server_unavailable is not right.
{stop, AuthResult#{auth_result => server_unavailable,
anonymous => false}}
end.
description() -> "Authentication by HTTP API".
%%--------------------------------------------------------------------
%% Requests
%%--------------------------------------------------------------------
authenticate(PoolName, #http_request{path = Path,
method = Method,
headers = Headers,
params = Params,
request_timeout = RequestTimeout}, ClientInfo) ->
request(PoolName, Method, Path, Headers, feedvar(Params, ClientInfo), RequestTimeout).
-spec(is_superuser(atom(), maybe(#http_request{}), emqx_types:client()) -> boolean()).
is_superuser(_PoolName, undefined, _ClientInfo) ->
false;
is_superuser(PoolName, #http_request{path = Path,
method = Method,
headers = Headers,
params = Params,
request_timeout = RequestTimeout}, ClientInfo) ->
case request(PoolName, Method, Path, Headers, feedvar(Params, ClientInfo), RequestTimeout) of
{ok, 200, _Body} -> true;
{ok, _Code, _Body} -> false;
{error, Error} -> ?LOG(error, "Request superuser path ~s, error: ~p", [Path, Error]),
false
end.
mountpoint(Body, #{mountpoint := Mountpoint}) ->
case emqx_json:safe_decode(Body, [return_maps]) of
{error, _} -> Mountpoint;
{ok, Json} when is_map(Json) ->
maps:get(<<"mountpoint">>, Json, Mountpoint);
{ok, _NotMap} -> Mountpoint
end.
http_to_connack_error(400) -> bad_username_or_password;
http_to_connack_error(401) -> bad_username_or_password;
http_to_connack_error(403) -> not_authorized;
http_to_connack_error(429) -> banned;
http_to_connack_error(503) -> server_unavailable;
http_to_connack_error(504) -> server_busy;
http_to_connack_error(_) -> server_unavailable.

View File

@ -0,0 +1,176 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_http_app).
-behaviour(application).
-emqx_plugin(auth).
-include("emqx_auth_http.hrl").
-export([ start/2
, stop/1
]).
-export([init/1]).
%%--------------------------------------------------------------------
%% Application Callbacks
%%--------------------------------------------------------------------
start(_StartType, _StartArgs) ->
case translate_env() of
ok ->
{ok, PoolOpts} = application:get_env(?APP, pool_opts),
{ok, Sup} = emqx_http_client_sup:start_link(?APP, ssl(inet(PoolOpts))),
with_env(auth_req, fun load_auth_hook/1),
with_env(acl_req, fun load_acl_hook/1),
{ok, Sup};
{error, Reason} ->
{error, Reason}
end.
load_auth_hook(AuthReq) ->
ok = emqx_auth_http:register_metrics(),
SuperReq = r(application:get_env(?APP, super_req, undefined)),
Params = #{auth_req => AuthReq,
super_req => SuperReq,
pool_name => ?APP},
emqx:hook('client.authenticate', {emqx_auth_http, check, [Params]}).
load_acl_hook(AclReq) ->
ok = emqx_acl_http:register_metrics(),
Params = #{acl_req => AclReq,
pool_name => ?APP},
emqx:hook('client.check_acl', {emqx_acl_http, check_acl, [Params]}).
stop(_State) ->
emqx:unhook('client.authenticate', {emqx_auth_http, check}),
emqx:unhook('client.check_acl', {emqx_acl_http, check_acl}),
emqx_http_client_sup:stop_pool(?APP).
%%--------------------------------------------------------------------
%% Dummy supervisor
%%--------------------------------------------------------------------
init([]) ->
{ok, { {one_for_all, 10, 100}, []} }.
%%--------------------------------------------------------------------
%% Internel functions
%%--------------------------------------------------------------------
with_env(Par, Fun) ->
case application:get_env(?APP, Par) of
undefined -> ok;
{ok, Req} -> Fun(r(Req))
end.
r(undefined) ->
undefined;
r(Config) ->
Headers = application:get_env(?APP, headers, []),
Method = proplists:get_value(method, Config, post),
Path = proplists:get_value(path, Config),
NewHeaders = case Method =:= post orelse Method =:= put of
true ->
ContentType = proplists:get_value(content_type, Config, <<"application/x-www-form-urlencoded">>),
[{<<"content-type">>, ContentType} | Headers];
_ ->
Headers
end,
Params = proplists:get_value(params, Config),
{ok, RequestTimeout} = application:get_env(?APP, request_timeout),
#http_request{method = Method, path = Path, headers = NewHeaders, params = Params, request_timeout = RequestTimeout}.
inet(PoolOpts) ->
Host = proplists:get_value(host, PoolOpts),
TransOpts = proplists:get_value(transport_opts, PoolOpts, []),
NewPoolOpts = proplists:delete(transport_opts, PoolOpts),
Inet = case Host of
{_,_,_,_} -> inet;
{_,_,_,_,_,_,_,_} -> inet6;
_ ->
case inet:getaddr(Host, inet6) of
{error, _} -> inet;
{ok, _} -> inet6
end
end,
[{transport_opts, [Inet | TransOpts]} | NewPoolOpts].
ssl(PoolOpts) ->
case proplists:get_value(ssl, PoolOpts, []) of
[] ->
PoolOpts;
SSLOpts ->
TransOpts = proplists:get_value(transport_opts, PoolOpts, []),
NewPoolOpts = proplists:delete(transport_opts, PoolOpts),
[{transport_opts, SSLOpts ++ TransOpts}, {transport, ssl} | NewPoolOpts]
end.
translate_env() ->
URLs = lists:foldl(fun(Name, Acc) ->
case application:get_env(?APP, Name, []) of
[] -> Acc;
Env ->
URL = proplists:get_value(url, Env),
#{host := Host,
path := Path,
scheme := Scheme} = URIMap = uri_string:parse(add_default_scheme(URL)),
Port = maps:get(port, URIMap, case Scheme of
"https" -> 443;
_ -> 80
end),
[{Name, {Host, Port, path(Path)}} | Acc]
end
end, [], [acl_req, auth_req, super_req]),
case same_host_and_port(URLs) of
true ->
[begin
{ok, Req} = application:get_env(?APP, Name),
application:set_env(?APP, Name, [{path, Path} | Req])
end || {Name, {_, _, Path}} <- URLs],
{_, {Host, Port, _}} = lists:last(URLs),
PoolOpts = application:get_env(?APP, pool_opts, []),
NHost = case inet:parse_address(Host) of
{ok, {_,_,_,_} = Addr} -> Addr;
{ok, {_,_,_,_,_,_,_,_} = Addr} -> Addr;
{error, einval} -> Host
end,
application:set_env(?APP, pool_opts, [{host, NHost}, {port, Port} | PoolOpts]),
ok;
false ->
{error, different_server}
end.
same_host_and_port([_]) ->
true;
same_host_and_port([{_, {Host, Port, _}}, {_, {Host, Port, _}}]) ->
true;
same_host_and_port([{_, {Host, Port, _}}, URL = {_, {Host, Port, _}} | Rest]) ->
same_host_and_port([URL | Rest]);
same_host_and_port(_) ->
false.
path("") -> "/";
path(Path) -> Path.
add_default_scheme("http://" ++ _ = URL) ->
URL;
add_default_scheme("https://" ++ _ = URL) ->
URL;
add_default_scheme(URL) ->
"http://" ++ URL.

View File

@ -0,0 +1,103 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_http_cli).
-include("emqx_auth_http.hrl").
-export([ request/6
, feedvar/2
, feedvar/3
]).
%%--------------------------------------------------------------------
%% HTTP Request
%%--------------------------------------------------------------------
request(PoolName, get, Path, Headers, Params, Timeout) ->
NewPath = Path ++ "?" ++ binary_to_list(cow_qs:qs(bin_kw(Params))),
do_request(get, PoolName, {NewPath, Headers}, Timeout);
request(PoolName, post, Path, Headers, Params, Timeout) ->
Body = case proplists:get_value(<<"content-type">>, Headers) of
<<"application/x-www-form-urlencoded">> ->
cow_qs:qs(bin_kw(Params));
<<"application/json">> ->
emqx_json:encode(bin_kw(Params))
end,
do_request(post, PoolName, {Path, Headers, Body}, Timeout).
do_request(Method, PoolName, Req, Timeout) ->
do_request(Method, PoolName, Req, Timeout, 3).
%% Only retry when connection closed by keepalive
do_request(_Method, _PoolName, _Req, _Timeout, 0) ->
{error, normal};
do_request(Method, PoolName, Req, Timeout, Retry) ->
case emqx_http_client:request(Method, PoolName, Req, Timeout) of
{error, normal} ->
do_request(Method, PoolName, Req, Timeout, Retry - 1);
{error, Reason} ->
{error, Reason};
{ok, StatusCode, _Headers} ->
{ok, StatusCode, <<>>};
{ok, StatusCode, _Headers, Body} ->
{ok, StatusCode, Body}
end.
%% TODO: move this conversion to cuttlefish config and schema
bin_kw(KeywordList) when is_list(KeywordList) ->
[{bin(K), bin(V)} || {K, V} <- KeywordList].
bin(Atom) when is_atom(Atom) ->
list_to_binary(atom_to_list(Atom));
bin(Int) when is_integer(Int) ->
integer_to_binary(Int);
bin(Float) when is_float(Float) ->
float_to_binary(Float, [{decimals, 12}, compact]);
bin(List) when is_list(List)->
list_to_binary(List);
bin(Binary) when is_binary(Binary) ->
Binary.
%%--------------------------------------------------------------------
%% Feed Variables
%%--------------------------------------------------------------------
feedvar(Params, ClientInfo = #{clientid := ClientId,
protocol := Protocol,
peerhost := Peerhost}) ->
lists:map(fun({Param, "%u"}) -> {Param, maps:get(username, ClientInfo, null)};
({Param, "%c"}) -> {Param, ClientId};
({Param, "%r"}) -> {Param, Protocol};
({Param, "%a"}) -> {Param, inet:ntoa(Peerhost)};
({Param, "%P"}) -> {Param, maps:get(password, ClientInfo, null)};
({Param, "%p"}) -> {Param, maps:get(sockport, ClientInfo, null)};
({Param, "%C"}) -> {Param, maps:get(cn, ClientInfo, null)};
({Param, "%d"}) -> {Param, maps:get(dn, ClientInfo, null)};
({Param, "%A"}) -> {Param, maps:get(access, ClientInfo, null)};
({Param, "%t"}) -> {Param, maps:get(topic, ClientInfo, null)};
({Param, "%m"}) -> {Param, maps:get(mountpoint, ClientInfo, null)};
({Param, Var}) -> {Param, Var}
end, Params).
feedvar(Params, Var, Val) ->
lists:map(fun({Param, Var0}) when Var0 == Var ->
{Param, Val};
({Param, Var0}) ->
{Param, Var0}
end, Params).

View File

@ -0,0 +1,256 @@
-module(emqx_http_client).
-behaviour(gen_server).
-include_lib("emqx/include/logger.hrl").
%% APIs
-export([ start_link/3
, request/3
, request/4
]).
%% gen_server callbacks
-export([ init/1
, handle_call/3
, handle_cast/2
, handle_info/2
, terminate/2
, code_change/3
]).
-record(state, {
pool :: ecpool:poo_name(),
id :: pos_integer(),
client :: pid() | undefined,
mref :: reference() | undefined,
host :: inet:hostname() | inet:ip_address(),
port :: inet:port_number(),
gun_opts :: proplists:proplist(),
gun_state :: down | up,
requests :: map()
}).
%%--------------------------------------------------------------------
%% APIs
%%--------------------------------------------------------------------
start_link(Pool, Id, Opts) ->
gen_server:start_link(?MODULE, [Pool, Id, Opts], []).
request(Method, Pool, Req) ->
request(Method, Pool, Req, 5000).
request(get, Pool, {Path, Headers}, Timeout) ->
call(pick(Pool), {get, {Path, Headers}, Timeout}, Timeout + 1000);
request(Method, Pool, {Path, Headers, Body}, Timeout) ->
call(pick(Pool), {Method, {Path, Headers, Body}, Timeout}, Timeout + 1000).
%%--------------------------------------------------------------------
%% gen_server callbacks
%%--------------------------------------------------------------------
init([Pool, Id, Opts]) ->
State = #state{pool = Pool,
id = Id,
client = undefined,
mref = undefined,
host = proplists:get_value(host, Opts),
port = proplists:get_value(port, Opts),
gun_opts = gun_opts(Opts),
gun_state = down,
requests = #{}},
true = gproc_pool:connect_worker(Pool, {Pool, Id}),
{ok, State}.
handle_call(Req = {_, _, _}, From, State = #state{client = undefined, gun_state = down}) ->
case open(State) of
{ok, NewState} ->
handle_call(Req, From, NewState);
{error, Reason} ->
{reply, {error, Reason}, State}
end;
handle_call(Req = {_, _, Timeout}, From, State = #state{client = Client, mref = MRef, gun_state = down}) when is_pid(Client) ->
case gun:await_up(Client, Timeout, MRef) of
{ok, _} ->
handle_call(Req, From, State#state{gun_state = up});
{error, timeout} ->
{reply, {error, timeout}, State};
{error, Reason} ->
true = erlang:demonitor(MRef, [flush]),
{reply, {error, Reason}, State#state{client = undefined, mref = undefined}}
end;
handle_call({Method, Request, Timeout}, From, State = #state{client = Client, requests = Requests, gun_state = up}) when is_pid(Client) ->
StreamRef = do_request(Client, Method, Request),
ExpirationTime = erlang:system_time(millisecond) + Timeout,
{noreply, State#state{requests = maps:put(StreamRef, {From, ExpirationTime, undefined}, Requests)}};
handle_call(Req, _From, State) ->
?LOG(error, "Unexpected call: ~p", [Req]),
{reply, ignored, State}.
handle_cast(Msg, State) ->
?LOG(error, "Unexpected cast: ~p", [Msg]),
{noreply, State}.
handle_info({gun_response, Client, StreamRef, IsFin, StatusCode, Headers}, State = #state{client = Client, requests = Requests}) ->
Now = erlang:system_time(millisecond),
case maps:take(StreamRef, Requests) of
error ->
?LOG(error, "Received 'gun_response' message from unknown stream ref: ~p", [StreamRef]),
{noreply, State};
{{_, ExpirationTime, _}, NRequests} when Now > ExpirationTime ->
gun:cancel(Client, StreamRef),
flush_stream(Client, StreamRef),
{noreply, State#state{requests = NRequests}};
{{From, ExpirationTime, undefined}, NRequests} ->
case IsFin of
fin ->
gen_server:reply(From, {ok, StatusCode, Headers}),
{noreply, State#state{requests = NRequests}};
nofin ->
{noreply, State#state{requests = NRequests#{StreamRef => {From, ExpirationTime, {StatusCode, Headers, <<>>}}}}}
end;
_ ->
?LOG(error, "Received 'gun_response' message does not match the state"),
{noreply, State}
end;
handle_info({gun_data, Client, StreamRef, IsFin, Data}, State = #state{client = Client, requests = Requests}) ->
Now = erlang:system_time(millisecond),
case maps:take(StreamRef, Requests) of
error ->
?LOG(error, "Received 'gun_data' message from unknown stream ref: ~p", [StreamRef]),
{noreply, State};
{{_, ExpirationTime, _}, NRequests} when Now > ExpirationTime ->
gun:cancel(Client, StreamRef),
flush_stream(Client, StreamRef),
{noreply, State#state{requests = NRequests}};
{{From, ExpirationTime, {StatusCode, Headers, Acc}}, NRequests} ->
case IsFin of
fin ->
gen_server:reply(From, {ok, StatusCode, Headers, <<Acc/binary, Data/binary>>}),
{noreply, State#state{requests = NRequests}};
nofin ->
{noreply, State#state{requests = NRequests#{StreamRef => {From, ExpirationTime, {StatusCode, Headers, <<Acc/binary, Data/binary>>}}}}}
end;
_ ->
?LOG(error, "Received 'gun_data' message does not match the state"),
{noreply, State}
end;
handle_info({gun_error, Client, StreamRef, Reason}, State = #state{client = Client, requests = Requests}) ->
Now = erlang:system_time(millisecond),
case maps:take(StreamRef, Requests) of
error ->
?LOG(error, "Received 'gun_error' message from unknown stream ref: ~p~n", [StreamRef]),
{noreply, State};
{{_, ExpirationTime, _}, NRequests} when Now > ExpirationTime ->
{noreply, State#state{requests = NRequests}};
{{From, _, _}, NRequests} ->
gen_server:reply(From, {error, Reason}),
{noreply, State#state{requests = NRequests}}
end;
handle_info({gun_up, Client, _}, State = #state{client = Client}) ->
{noreply, State#state{gun_state = up}};
handle_info({gun_down, Client, _, Reason, KilledStreams, _}, State = #state{client = Client, requests = Requests}) ->
Now = erlang:system_time(millisecond),
NRequests = lists:foldl(fun(StreamRef, Acc) ->
case maps:take(StreamRef, Acc) of
error -> Acc;
{{_, ExpirationTime, _}, NAcc} when Now > ExpirationTime ->
NAcc;
{{From, _, _}, NAcc} ->
gen_server:reply(From, {error, Reason}),
NAcc
end
end, Requests, KilledStreams),
{noreply, State#state{gun_state = down, requests = NRequests}};
handle_info({'DOWN', MRef, process, Client, Reason}, State = #state{mref = MRef, client = Client, requests = Requests}) ->
true = erlang:demonitor(MRef, [flush]),
Now = erlang:system_time(millisecond),
lists:foreach(fun({_, {_, ExpirationTime, _}}) when Now > ExpirationTime ->
ok;
({_, {From, _, _}}) ->
gen_server:reply(From, {error, Reason})
end, maps:to_list(Requests)),
case open(State#state{requests = #{}}) of
{ok, NewState} ->
{noreply, NewState};
{error, Reason} ->
{noreply, State#state{mref = undefined, client = undefined}}
end;
handle_info(Info, State) ->
?LOG(error, "Unexpected info: ~p", [Info]),
{noreply, State}.
terminate(_Reason, #state{pool = Pool, id = Id}) ->
gproc_pool:disconnect_worker(Pool, {Pool, Id}),
ok.
code_change(_OldVsn, State, _Extra) ->
{ok, State}.
%%--------------------------------------------------------------------
%% Internal functions
%%--------------------------------------------------------------------
open(State = #state{host = Host, port = Port, gun_opts = GunOpts}) ->
case gun:open(Host, Port, GunOpts) of
{ok, ConnPid} when is_pid(ConnPid) ->
MRef = monitor(process, ConnPid),
{ok, State#state{mref = MRef, client = ConnPid}};
{error, Reason} ->
{error, Reason}
end.
gun_opts(Opts) ->
gun_opts(Opts, #{retry => 5,
retry_timeout => 1000,
connect_timeout => 5000,
protocols => [http],
http_opts => #{keepalive => infinity}}).
gun_opts([], Acc) ->
Acc;
gun_opts([{retry, Retry} | Opts], Acc) ->
gun_opts(Opts, Acc#{retry => Retry});
gun_opts([{retry_timeout, RetryTimeout} | Opts], Acc) ->
gun_opts(Opts, Acc#{retry_timeout => RetryTimeout});
gun_opts([{connect_timeout, ConnectTimeout} | Opts], Acc) ->
gun_opts(Opts, Acc#{connect_timeout => ConnectTimeout});
gun_opts([{transport, Transport} | Opts], Acc) ->
gun_opts(Opts, Acc#{transport => Transport});
gun_opts([{transport_opts, TransportOpts} | Opts], Acc) ->
gun_opts(Opts, Acc#{transport_opts => TransportOpts});
gun_opts([_ | Opts], Acc) ->
gun_opts(Opts, Acc).
call(ChannPid, Msg, Timeout) ->
gen_server:call(ChannPid, Msg, Timeout).
pick(Pool) ->
gproc_pool:pick_worker(Pool).
do_request(Client, get, {Path, Headers}) ->
gun:get(Client, Path, Headers);
do_request(Client, post, {Path, Headers, Body}) ->
gun:post(Client, Path, Headers, Body).
flush_stream(Client, StreamRef) ->
receive
{gun_response, Client, StreamRef, _, _, _} ->
flush_stream(Client, StreamRef);
{gun_data, Client, StreamRef, _, _} ->
flush_stream(Client, StreamRef);
{gun_error, Client, StreamRef, _} ->
flush_stream(Client, StreamRef)
after 0 ->
ok
end.

View File

@ -0,0 +1,48 @@
-module(emqx_http_client_sup).
-behaviour(supervisor).
-export([ start_link/2
, init/1
, stop_pool/1
]).
start_link(Pool, Opts) ->
supervisor:start_link(?MODULE, [Pool, Opts]).
init([Pool, Opts]) ->
PoolSize = pool_size(Opts),
ok = ensure_pool(Pool, random, [{size, PoolSize}]),
{ok, {{one_for_one, 10, 100}, [
begin
ensure_pool_worker(Pool, {Pool, I}, I),
#{id => {Pool, I},
start => {emqx_http_client, start_link, [Pool, I, Opts]},
restart => transient,
shutdown => 5000,
type => worker,
modules => [emqx_http_client]}
end || I <- lists:seq(1, PoolSize)]}}.
ensure_pool(Pool, Type, Opts) ->
try gproc_pool:new(Pool, Type, Opts)
catch
error:exists -> ok
end.
ensure_pool_worker(Pool, Name, Slot) ->
try gproc_pool:add_worker(Pool, Name, Slot)
catch
error:exists -> ok
end.
pool_size(Opts) ->
Schedulers = erlang:system_info(schedulers),
proplists:get_value(pool_size, Opts, Schedulers).
stop_pool(Name) ->
Workers = gproc_pool:defined_workers(Name),
[gproc_pool:remove_worker(Name, WokerName) || {WokerName, _, _} <- Workers],
gproc_pool:delete(Name),
ok.

View File

@ -0,0 +1,168 @@
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
-module(emqx_auth_http_SUITE).
-compile(export_all).
-compile(nowarn_export_all).
-include_lib("emqx/include/emqx.hrl").
-include_lib("common_test/include/ct.hrl").
-include_lib("eunit/include/eunit.hrl").
-define(APP, emqx_auth_http).
-define(USER(ClientId, Username, Protocol, Peerhost, Zone),
#{clientid => ClientId, username => Username, protocol => Protocol,
peerhost => Peerhost, zone => Zone}).
-define(USER(ClientId, Username, Protocol, Peerhost, Zone, Mountpoint),
#{clientid => ClientId, username => Username, protocol => Protocol,
peerhost => Peerhost, zone => Zone, mountpoint => Mountpoint}).
%%--------------------------------------------------------------------
%% Setups
%%--------------------------------------------------------------------
all() ->
[{group, http_inet},
{group, http_inet6},
{group, https_inet},
{group, https_inet6}].
groups() ->
Cases = emqx_ct:all(?MODULE),
[{Name, Cases} || Name <- [http_inet, http_inet6, https_inet, https_inet6]].
init_per_group(GrpName, Cfg) ->
[Schema, Inet] = [list_to_atom(X) || X <- string:tokens(atom_to_list(GrpName), "_")],
http_auth_server:start(Schema, Inet),
Fun = fun(App) -> set_special_configs(App, Schema, Inet) end,
emqx_ct_helpers:start_apps([emqx_auth_http], Fun),
Cfg.
end_per_group(_GrpName, _Cfg) ->
http_auth_server:stop(),
emqx_ct_helpers:stop_apps([emqx_auth_http, emqx]).
set_special_configs(emqx, _Schmea, _Inet) ->
application:set_env(emqx, allow_anonymous, true),
application:set_env(emqx, enable_acl_cache, false),
LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
set_special_configs(emqx_auth_http, Schema, Inet) ->
ServerAddr = http_server(Schema, Inet),
AuthReq = #{method => get,
url => ServerAddr ++ "/mqtt/auth",
content_type => <<"application/x-www-form-urlencoded">>,
params => [{"clientid", "%c"}, {"username", "%u"}, {"password", "%P"}]},
AclReq = #{method => post,
url => ServerAddr ++ "/mqtt/acl",
content_type => <<"application/json">>,
params => [{"access", "%A"}, {"username", "%u"}, {"clientid", "%c"}, {"ipaddr", "%a"}, {"topic", "%t"}, {"mountpoint", "%m"}]},
Schema =:= https andalso set_https_client_opts(),
application:set_env(emqx_auth_http, auth_req, maps:to_list(AuthReq)),
application:set_env(emqx_auth_http, acl_req, maps:to_list(AclReq)).
%% @private
set_https_client_opts() ->
TransportOpts = emqx_ct_helpers:client_ssl_twoway(),
{ok, PoolOpts} = application:get_env(emqx_auth_http, pool_opts),
application:set_env(emqx_auth_http, pool_opts, [{transport_opts, TransportOpts}, {transport, ssl} | PoolOpts]).
%% @private
http_server(http, inet) -> "http://127.0.0.1:8991";
http_server(http, inet6) -> "http://[::1]:8991";
http_server(https, inet) -> "https://127.0.0.1:8991";
http_server(https, inet6) -> "https://[::1]:8991".
%%------------------------------------------------------------------------------
%% Testcases
%%------------------------------------------------------------------------------
t_check_acl(_) ->
SuperUser = ?USER(<<"superclient">>, <<"superuser">>, mqtt, {127,0,0,1}, external),
deny = emqx_access_control:check_acl(SuperUser, subscribe, <<"users/testuser/1">>),
deny = emqx_access_control:check_acl(SuperUser, publish, <<"anytopic">>),
User1 = ?USER(<<"client1">>, <<"testuser">>, mqtt, {127,0,0,1}, external),
UnIpUser1 = ?USER(<<"client1">>, <<"testuser">>, mqtt, {192,168,0,4}, external),
UnClientIdUser1 = ?USER(<<"unkonwc">>, <<"testuser">>, mqtt, {127,0,0,1}, external),
UnnameUser1= ?USER(<<"client1">>, <<"unuser">>, mqtt, {127,0,0,1}, external),
allow = emqx_access_control:check_acl(User1, subscribe, <<"users/testuser/1">>),
deny = emqx_access_control:check_acl(User1, publish, <<"users/testuser/1">>),
deny = emqx_access_control:check_acl(UnIpUser1, subscribe, <<"users/testuser/1">>),
deny = emqx_access_control:check_acl(UnClientIdUser1, subscribe, <<"users/testuser/1">>),
deny = emqx_access_control:check_acl(UnnameUser1, subscribe, <<"$SYS/testuser/1">>),
User2 = ?USER(<<"client2">>, <<"xyz">>, mqtt, {127,0,0,1}, external),
UserC = ?USER(<<"client2">>, <<"xyz">>, mqtt, {192,168,1,3}, external),
allow = emqx_access_control:check_acl(UserC, publish, <<"a/b/c">>),
deny = emqx_access_control:check_acl(User2, publish, <<"a/b/c">>),
deny = emqx_access_control:check_acl(User2, subscribe, <<"$SYS/testuser/1">>).
t_check_auth(_) ->
User1 = ?USER(<<"client1">>, <<"testuser1">>, mqtt, {127,0,0,1}, external, undefined),
User2 = ?USER(<<"client2">>, <<"testuser2">>, mqtt, {127,0,0,1}, exteneral, undefined),
User3 = ?USER(<<"client3">>, undefined, mqtt, {127,0,0,1}, exteneral, undefined),
{ok, #{auth_result := success,
anonymous := false,
is_superuser := false}} = emqx_access_control:authenticate(User1#{password => <<"pass1">>}),
{error, bad_username_or_password} = emqx_access_control:authenticate(User1#{password => <<"pass">>}),
{error, bad_username_or_password} = emqx_access_control:authenticate(User1#{password => <<>>}),
{ok, #{is_superuser := false}} = emqx_access_control:authenticate(User2#{password => <<"pass2">>}),
{error, bad_username_or_password} = emqx_access_control:authenticate(User2#{password => <<>>}),
{error, bad_username_or_password} = emqx_access_control:authenticate(User2#{password => <<"errorpwd">>}),
{error, bad_username_or_password} = emqx_access_control:authenticate(User3#{password => <<"pwd">>}).
t_sub_pub(_) ->
ct:pal("start client"),
{ok, T1} = emqtt:start_link([{host, "localhost"},
{clientid, <<"client1">>},
{username, <<"testuser1">>},
{password, <<"pass1">>}]),
{ok, _} = emqtt:connect(T1),
emqtt:publish(T1, <<"topic">>, <<"body">>, [{qos, 0}, {retain, true}]),
timer:sleep(1000),
{ok, T2} = emqtt:start_link([{host, "localhost"},
{clientid, <<"client2">>},
{username, <<"testuser2">>},
{password, <<"pass2">>}]),
{ok, _} = emqtt:connect(T2),
emqtt:subscribe(T2, <<"topic">>),
receive
{publish, _Topic, Payload} ->
?assertEqual(<<"body">>, Payload)
after 1000 -> false end,
emqtt:disconnect(T1),
emqtt:disconnect(T2).
t_comment_config(_) ->
AuthCount = length(emqx_hooks:lookup('client.authenticate')),
AclCount = length(emqx_hooks:lookup('client.check_acl')),
application:stop(?APP),
[application:unset_env(?APP, Par) || Par <- [acl_req, auth_req]],
application:start(?APP),
?assertEqual([], emqx_hooks:lookup('client.authenticate')),
?assertEqual(AuthCount - 1, length(emqx_hooks:lookup('client.authenticate'))),
?assertEqual(AclCount - 1, length(emqx_hooks:lookup('client.check_acl'))).

View File

@ -0,0 +1,152 @@
-module(http_auth_server).
-export([ start/2
, stop/0
]).
-define(SUPERUSER, [[{"username", "superuser"}, {"clientid", "superclient"}]]).
-define(ACL, [[{<<"username">>, <<"testuser">>},
{<<"clientid">>, <<"client1">>},
{<<"access">>, <<"1">>},
{<<"topic">>, <<"users/testuser/1">>},
{<<"ipaddr">>, <<"127.0.0.1">>},
{<<"mountpoint">>, <<"null">>}],
[{<<"username">>, <<"xyz">>},
{<<"clientid">>, <<"client2">>},
{<<"access">>, <<"2">>},
{<<"topic">>, <<"a/b/c">>},
{<<"ipaddr">>, <<"192.168.1.3">>},
{<<"mountpoint">>, <<"null">>}],
[{<<"username">>, <<"testuser1">>},
{<<"clientid">>, <<"client1">>},
{<<"access">>, <<"2">>},
{<<"topic">>, <<"topic">>},
{<<"ipaddr">>, <<"127.0.0.1">>},
{<<"mountpoint">>, <<"null">>}],
[{<<"username">>, <<"testuser2">>},
{<<"clientid">>, <<"client2">>},
{<<"access">>, <<"1">>},
{<<"topic">>, <<"topic">>},
{<<"ipaddr">>, <<"127.0.0.1">>},
{<<"mountpoint">>, <<"null">>}]]).
-define(AUTH, [[{<<"clientid">>, <<"client1">>},
{<<"username">>, <<"testuser1">>},
{<<"password">>, <<"pass1">>}],
[{<<"clientid">>, <<"client2">>},
{<<"username">>, <<"testuser2">>},
{<<"password">>, <<"pass2">>}]]).
%%------------------------------------------------------------------------------
%% REST Interface
%%------------------------------------------------------------------------------
-rest_api(#{ name => auth
, method => 'GET'
, path => "/mqtt/auth"
, func => authenticate
, descr => "Authenticate user access permission"
}).
-rest_api(#{ name => is_superuser
, method => 'GET'
, path => "/mqtt/superuser"
, func => is_superuser
, descr => "Is super user"
}).
-rest_api(#{ name => acl
, method => 'GET'
, path => "/mqtt/acl"
, func => check_acl
, descr => "Check acl"
}).
-rest_api(#{ name => auth
, method => 'POST'
, path => "/mqtt/auth"
, func => authenticate
, descr => "Authenticate user access permission"
}).
-rest_api(#{ name => is_superuser
, method => 'POST'
, path => "/mqtt/superuser"
, func => is_superuser
, descr => "Is super user"
}).
-rest_api(#{ name => acl
, method => 'POST'
, path => "/mqtt/acl"
, func => check_acl
, descr => "Check acl"
}).
-export([ authenticate/2
, is_superuser/2
, check_acl/2
]).
authenticate(_Binding, Params) ->
return(check(Params, ?AUTH)).
is_superuser(_Binding, Params) ->
return(check(Params, ?SUPERUSER)).
check_acl(_Binding, Params) ->
return(check(Params, ?ACL)).
return(allow) -> {200, <<"allow">>};
return(deny) -> {400, <<"deny">>}.
start(http, Inet) ->
application:ensure_all_started(minirest),
Handlers = [{"/", minirest:handler(#{modules => [?MODULE]})}],
Dispatch = [{"/[...]", minirest, Handlers}],
minirest:start_http(http_auth_server, #{socket_opts => [Inet, {port, 8991}]}, Dispatch);
start(https, Inet) ->
application:ensure_all_started(minirest),
Handlers = [{"/", minirest:handler(#{modules => [?MODULE]})}],
Dispatch = [{"/[...]", minirest, Handlers}],
minirest:start_https(http_auth_server, #{socket_opts => [Inet, {port, 8991} | certopts()]}, Dispatch).
%% @private
certopts() ->
Certfile = filename:join(["etc", "certs", "cert.pem"]),
Keyfile = filename:join(["etc", "certs", "key.pem"]),
CaCert = filename:join(["etc", "certs", "cacert.pem"]),
[{verify, verify_peer},
{certfile, emqx_ct_helpers:deps_path(emqx, Certfile)},
{keyfile, emqx_ct_helpers:deps_path(emqx, Keyfile)},
{cacertfile, emqx_ct_helpers:deps_path(emqx, CaCert)}] ++ emqx_ct_helpers:client_ssl().
stop() ->
minirest:stop_http(http_auth_server).
-spec check(HttpReqParams :: list(), DefinedConf :: list()) -> allow | deny.
check(_Params, []) ->
%ct:pal("check auth_result: deny~n"),
deny;
check(Params, [ConfRecord|T]) ->
% ct:pal("Params: ~p, ConfRecord:~p ~n", [Params, ConfRecord]),
case match_config(Params, ConfRecord) of
not_match ->
check(Params, T);
matched -> allow
end.
match_config([], _ConfigColumn) ->
%ct:pal("match_config auth_result: matched~n"),
matched;
match_config([Param|T], ConfigColumn) ->
%ct:pal("Param: ~p, ConfigColumn:~p ~n", [Param, ConfigColumn]),
case lists:member(Param, ConfigColumn) of
true ->
match_config(T, ConfigColumn);
false ->
not_match
end.

View File

@ -0,0 +1,29 @@
name: Run test cases
on: [push, pull_request]
jobs:
run_test_cases:
runs-on: ubuntu-latest
container:
image: erlang:22.1
steps:
- uses: actions/checkout@v1
- name: run test cases
run: |
make xref
make eunit
make ct
make cover
- uses: actions/upload-artifact@v1
if: always()
with:
name: logs
path: _build/test/logs
- uses: actions/upload-artifact@v1
with:
name: cover
path: _build/test/cover

28
apps/emqx_auth_jwt/.gitignore vendored Normal file
View File

@ -0,0 +1,28 @@
.eunit
deps
*.o
*.beam
*.plt
erl_crash.dump
ebin
rel/example_project
.concrete/DEV_MODE
.rebar
.erlang.mk/
emqx_auth_jwt.d
data/
.DS_Store
cover/
ct.coverdata
eunit.coverdata
logs/
test/ct.cover.spec
emq_auth_jwt.d
erlang.mk
_build/
rebar.lock
rebar3.crashdump
etc/emqx_auth_jwt.conf.rendered
.rebar3/
*.swp
Mnesia.nonode@nohost/

201
apps/emqx_auth_jwt/LICENSE Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

View File

@ -0,0 +1,37 @@
## shallow clone for speed
REBAR_GIT_CLONE_OPTIONS += --depth 1
export REBAR_GIT_CLONE_OPTIONS
REBAR = rebar3
all: compile
compile:
$(REBAR) compile
clean: distclean
ct:
$(REBAR) as test ct -v
eunit:
$(REBAR) as test eunit
xref:
$(REBAR) xref
cover:
$(REBAR) cover
distclean:
@rm -rf _build
@rm -f data/app.*.config data/vm.*.args rebar.lock
CUTTLEFISH_SCRIPT = _build/default/lib/cuttlefish/cuttlefish
$(CUTTLEFISH_SCRIPT):
@${REBAR} get-deps
@if [ ! -f cuttlefish ]; then make -C _build/default/lib/cuttlefish; fi
app.config: $(CUTTLEFISH_SCRIPT) etc/emqx_auth_jwt.conf
$(verbose) $(CUTTLEFISH_SCRIPT) -l info -e etc/ -c etc/emqx_auth_jwt.conf -i priv/emqx_auth_jwt.schema -d data

View File

@ -0,0 +1,90 @@
# emqx-auth-jwt
EMQ X JWT Authentication Plugin
Build
-----
```
make && make tests
```
Configure the Plugin
--------------------
File: etc/plugins/emqx_auth_jwt.conf
```
## HMAC Hash Secret.
##
## Value: String
auth.jwt.secret = emqxsecret
## From where the JWT string can be got
##
## Value: username | password
## Default: password
auth.jwt.from = password
## RSA or ECDSA public key file.
##
## Value: File
## auth.jwt.pubkey = etc/certs/jwt_public_key.pem
## Enable to verify claims fields
##
## Value: on | off
auth.jwt.verify_claims = off
## The checklist of claims to validate
##
## Value: String
## auth.jwt.verify_claims.$name = expected
##
## Variables:
## - %u: username
## - %c: clientid
# auth.jwt.verify_claims.username = %u
```
Load the Plugin
---------------
```
./bin/emqx_ctl plugins load emqx_auth_jwt
```
Example
-------
```
mosquitto_pub -t 'pub' -m 'hello' -i test -u test -P eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiYm9iIiwiYWdlIjoyOX0.bIV_ZQ8D5nQi0LT8AVkpM4Pd6wmlbpR9S8nOLJAsA8o
```
Algorithms
----------
The JWT spec supports several algorithms for cryptographic signing. This plugin currently supports:
* HS256 - HMAC using SHA-256 hash algorithm
* HS384 - HMAC using SHA-384 hash algorithm
* HS512 - HMAC using SHA-512 hash algorithm
* RS256 - RSA with the SHA-256 hash algorithm
* RS384 - RSA with the SHA-384 hash algorithm
* RS512 - RSA with the SHA-512 hash algorithm
* ES256 - ECDSA using the P-256 curve
* ES384 - ECDSA using the P-384 curve
* ES512 - ECDSA using the P-512 curve
License
-------
Apache License Version 2.0
Author
------
EMQ X Team.

View File

@ -0,0 +1,2 @@
1. Notice for the [Critical vulnerabilities in JSON Web Token](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)

View File

@ -0,0 +1,3 @@
https://crypto.stackexchange.com/questions/30657/hmac-vs-ecdsa-for-jwt

View File

@ -0,0 +1,45 @@
##--------------------------------------------------------------------
## JWT Auth Plugin
##--------------------------------------------------------------------
## HMAC Hash Secret.
##
## Value: String
auth.jwt.secret = emqxsecret
## RSA or ECDSA public key file.
##
## Value: File
#auth.jwt.pubkey = etc/certs/jwt_public_key.pem
## The JWKs server address
##
## see: http://self-issued.info/docs/draft-ietf-jose-json-web-key.html
##
#auth.jwt.jwks = https://127.0.0.1:8080/jwks
## The JWKs refresh interval
##
## Value: Duration
#auth.jwt.jwks.refresh_interval = 5m
## From where the JWT string can be got
##
## Value: username | password
## Default: password
auth.jwt.from = password
## Enable to verify claims fields
##
## Value: on | off
auth.jwt.verify_claims = off
## The checklist of claims to validate
##
## Value: String
## auth.jwt.verify_claims.$name = expected
##
## Variables:
## - %u: username
## - %c: clientid
#auth.jwt.verify_claims.username = %u

View File

@ -0,0 +1,49 @@
%%-*- mode: erlang -*-
{mapping, "auth.jwt.secret", "emqx_auth_jwt.secret", [
{datatype, string}
]}.
{mapping, "auth.jwt.jwks", "emqx_auth_jwt.jwks", [
{datatype, string}
]}.
{mapping, "auth.jwt.jwks.refresh_interval", "emqx_auth_jwt.refresh_interval", [
{datatype, {duration, ms}}
]}.
{mapping, "auth.jwt.from", "emqx_auth_jwt.from", [
{default, password},
{datatype, atom}
]}.
{mapping, "auth.jwt.pubkey", "emqx_auth_jwt.pubkey", [
{datatype, string}
]}.
{mapping, "auth.jwt.signature_format", "emqx_auth_jwt.jwerl_opts", [
{default, "der"},
{datatype, {enum, [raw, der]}}
]}.
{mapping, "auth.jwt.verify_claims", "emqx_auth_jwt.verify_claims", [
{default, off},
{datatype, flag}
]}.
{mapping, "auth.jwt.verify_claims.$name", "emqx_auth_jwt.verify_claims", [
{datatype, string}
]}.
{translation, "emqx_auth_jwt.verify_claims", fun(Conf) ->
case cuttlefish:conf_get("auth.jwt.verify_claims", Conf) of
false -> cuttlefish:unset();
true ->
lists:foldr(
fun({["auth","jwt","verify_claims", Name], Value}, Acc) ->
[{list_to_atom(Name), list_to_binary(Value)} | Acc];
({["auth","jwt","verify_claims"], _Value}, Acc) ->
Acc
end, [], cuttlefish_variable:filter_by_prefix("auth.jwt.verify_claims", Conf))
end
end}.

View File

@ -0,0 +1,25 @@
{deps,
[
{jose, {git, "https://github.com/potatosalad/erlang-jose", {tag, "1.10.1"}}}
]}.
{edoc_opts, [{preprocess, true}]}.
{erl_opts, [warn_unused_vars,
warn_shadow_vars,
warn_unused_import,
warn_obsolete_guard,
debug_info,
{parse_transform}]}.
{xref_checks, [undefined_function_calls, undefined_functions,
locals_not_used, deprecated_function_calls,
warnings_as_errors, deprecated_functions]}.
{cover_enabled, true}.
{cover_opts, [verbose]}.
{cover_export_enabled, true}.
{profiles,
[{test,
[{deps, [{emqx_ct_helpers, {git, "http://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}}]}
]}
]}.

View File

@ -0,0 +1,54 @@
%%-*- mode: erlang -*-
DEPS = case lists:keyfind(deps, 1, CONFIG) of
{_, Deps} -> Deps;
_ -> []
end,
ComparingFun = fun
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2) -> _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2) -> true;
_Fun(_, _) -> false
end,
SortFun = fun(T1, T2) ->
C = fun(T) ->
[case catch list_to_integer(E) of
I when is_integer(I) -> I;
_ -> E
end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
end,
ComparingFun(C(T1), C(T2))
end,
VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
Tags = case VTags of
[] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
_ -> VTags
end,
LatestTag = lists:last(lists:sort(SortFun, Tags)),
Branch = case os:getenv("GITHUB_RUN_ID") of
false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
_ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
end,
GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
match -> {branch, Branch};
_ -> {tag, LatestTag}
end,
UrlPrefix = "https://github.com/emqx/",
EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
CONFIG1.

View File

@ -0,0 +1,14 @@
{application, emqx_auth_jwt,
[{description, "EMQ X Authentication with JWT"},
{vsn, "git"},
{modules, []},
{registered, [emqx_auth_jwt_sup]},
{applications, [kernel,stdlib,jose]},
{mod, {emqx_auth_jwt_app, []}},
{env, []},
{licenses, ["Apache-2.0"]},
{maintainers, ["EMQ X Team <contact@emqx.io>"]},
{links, [{"Homepage", "https://emqx.io/"},
{"Github", "https://github.com/emqx/emqx-auth-jwt"}
]}
]}.

View File

@ -0,0 +1,24 @@
%%-*- mode: erlang -*-
%% .app.src.script
RemoveLeadingV =
fun(Tag) ->
case re:run(Tag, "^[v|e]?[0-9]\.[0-9]\.([0-9]|(rc|beta|alpha)\.[0-9])", [{capture, none}]) of
nomatch ->
re:replace(Tag, "/", "-", [{return ,list}]);
_ ->
%% if it is a version number prefixed by 'v' or 'e', then remove it
re:replace(Tag, "[v|e]", "", [{return ,list}])
end
end,
case os:getenv("EMQX_DEPS_DEFAULT_VSN") of
false -> CONFIG; % env var not defined
[] -> CONFIG; % env var set to empty string
Tag ->
[begin
AppConf0 = lists:keystore(vsn, 1, AppConf, {vsn, RemoveLeadingV(Tag)}),
{application, App, AppConf0}
end || Conf = {application, App, AppConf} <- CONFIG]
end.

View File

@ -0,0 +1,16 @@
%% -*-: erlang -*-
{VSN,
[
{"4.2.0", [
{restart_application, emqx_auth_jwt}
]},
{<<".*">>, []}
],
[
{"4.2.0", [
{restart_application, emqx_auth_jwt}
]},
{<<".*">>, []}
]
}.

View File

@ -0,0 +1,99 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_jwt).
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/logger.hrl").
-logger_header("[JWT]").
-export([ register_metrics/0
, check/3
, description/0
]).
-record(auth_metrics, {
success = 'client.auth.success',
failure = 'client.auth.failure',
ignore = 'client.auth.ignore'
}).
-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
-define(METRICS(Type, K), #Type{}#Type.K).
-define(AUTH_METRICS, ?METRICS(auth_metrics)).
-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
%%--------------------------------------------------------------------
%% Authentication callbacks
%%--------------------------------------------------------------------
check(ClientInfo, AuthResult, #{pid := Pid,
from := From,
checklists := Checklists}) ->
case maps:find(From, ClientInfo) of
error ->
ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
{ok, undefined} ->
ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
{ok, Token} ->
case emqx_auth_jwt_svr:verify(Pid, Token) of
{error, not_found} ->
ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
{error, not_token} ->
ok = emqx_metrics:inc(?AUTH_METRICS(ignore));
{error, Reason} ->
ok = emqx_metrics:inc(?AUTH_METRICS(failure)),
{stop, AuthResult#{auth_result => Reason, anonymous => false}};
{ok, Claims} ->
{stop, maps:merge(AuthResult, verify_claims(Checklists, Claims, ClientInfo))}
end
end.
description() -> "Authentication with JWT".
%%------------------------------------------------------------------------------
%% Verify Claims
%%--------------------------------------------------------------------
verify_claims(Checklists, Claims, ClientInfo) ->
case do_verify_claims(feedvar(Checklists, ClientInfo), Claims) of
{error, Reason} ->
ok = emqx_metrics:inc(?AUTH_METRICS(failure)),
#{auth_result => Reason, anonymous => false};
ok ->
ok = emqx_metrics:inc(?AUTH_METRICS(success)),
#{auth_result => success, anonymous => false, jwt_claims => Claims}
end.
do_verify_claims([], _Claims) ->
ok;
do_verify_claims([{Key, Expected} | L], Claims) ->
case maps:get(Key, Claims, undefined) =:= Expected of
true -> do_verify_claims(L, Claims);
false -> {error, {verify_claim_failed, Key}}
end.
feedvar(Checklists, #{username := Username, clientid := ClientId}) ->
lists:map(fun({K, <<"%u">>}) -> {K, Username};
({K, <<"%c">>}) -> {K, ClientId};
({K, Expected}) -> {K, Expected}
end, Checklists).

View File

@ -0,0 +1,82 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_jwt_app).
-behaviour(application).
-behaviour(supervisor).
-emqx_plugin(auth).
-export([start/2, stop/1]).
-export([init/1]).
-define(APP, emqx_auth_jwt).
start(_Type, _Args) ->
{ok, Sup} = supervisor:start_link({local, ?MODULE}, ?MODULE, []),
{ok, Pid} = start_auth_server(jwks_svr_options()),
ok = emqx_auth_jwt:register_metrics(),
AuthEnv0 = auth_env(),
AuthEnv1 = AuthEnv0#{pid => Pid},
emqx:hook('client.authenticate', {emqx_auth_jwt, check, [AuthEnv1]}),
{ok, Sup, AuthEnv1}.
stop(AuthEnv) ->
emqx:unhook('client.authenticate', {emqx_auth_jwt, check, [AuthEnv]}).
%%--------------------------------------------------------------------
%% Dummy supervisor
%%--------------------------------------------------------------------
init([]) ->
{ok, {{one_for_all, 1, 10}, []}}.
start_auth_server(Options) ->
Spec = #{id => jwt_svr,
start => {emqx_auth_jwt_svr, start_link, [Options]},
restart => permanent,
shutdown => brutal_kill,
type => worker,
modules => [emqx_auth_jwt_svr]},
supervisor:start_child(?MODULE, Spec).
%%--------------------------------------------------------------------
%% Internal functions
%%--------------------------------------------------------------------
auth_env() ->
Checklists = [{atom_to_binary(K, utf8), V}
|| {K, V} <- env(verify_claims, [])],
#{ from => env(from, password)
, checklists => Checklists
}.
jwks_svr_options() ->
[{K, V} || {K, V}
<- [{secret, env(secret, undefined)},
{pubkey, env(pubkey, undefined)},
{jwks_addr, env(jwks, undefined)},
{interval, env(refresh_interval, undefined)}],
V /= undefined].
env(Key, Default) ->
application:get_env(?APP, Key, Default).

View File

@ -0,0 +1,222 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_jwt_svr).
-behaviour(gen_server).
-include_lib("emqx/include/logger.hrl").
-include_lib("jose/include/jose_jwk.hrl").
-logger_header("[JWT-SVR]").
%% APIs
-export([start_link/1]).
-export([verify/2]).
%% gen_server callbacks
-export([ init/1
, handle_call/3
, handle_cast/2
, handle_info/2
, terminate/2
, code_change/3
]).
-type options() :: [option()].
-type option() :: {secret, list()}
| {pubkey, list()}
| {jwks_addr, list()}
| {interval, pos_integer()}.
-define(INTERVAL, 300000).
-record(state, {static, remote, addr, tref, intv}).
%%--------------------------------------------------------------------
%% APIs
%%--------------------------------------------------------------------
-spec start_link(options()) -> gen_server:start_ret().
start_link(Options) ->
gen_server:start_link(?MODULE, [Options], []).
-spec verify(pid(), binary())
-> {error, term()}
| {ok, Payload :: map()}.
verify(S, JwsCompacted) when is_binary(JwsCompacted) ->
case catch jose_jws:peek(JwsCompacted) of
{'EXIT', _} -> {error, not_token};
_ -> gen_server:call(S, {verify, JwsCompacted})
end.
%%--------------------------------------------------------------------
%% gen_server callbacks
%%--------------------------------------------------------------------
init([Options]) ->
ok = jose:json_module(jiffy),
{Static, Remote} = do_init_jwks(Options),
Intv = proplists:get_value(interval, Options, ?INTERVAL),
{ok, reset_timer(
#state{
static = Static,
remote = Remote,
addr = proplists:get_value(jwks_addr, Options),
intv = Intv})}.
%% @private
do_init_jwks(Options) ->
K2J = fun(K, F) ->
case proplists:get_value(K, Options) of
undefined -> undefined;
V ->
try F(V) of
{error, Reason} ->
?LOG(warning, "Build ~p JWK ~p failed: {error, ~p}~n",
[K, V, Reason]),
undefined;
J -> J
catch T:R:_ ->
?LOG(warning, "Build ~p JWK ~p failed: {~p, ~p}~n",
[K, V, T, R]),
undefined
end
end
end,
OctJwk = K2J(secret, fun(V) ->
jose_jwk:from_oct(list_to_binary(V))
end),
PemJwk = K2J(pubkey, fun jose_jwk:from_pem_file/1),
Remote = K2J(jwks_addr, fun request_jwks/1),
{[J ||J <- [OctJwk, PemJwk], J /= undefined], Remote}.
handle_call({verify, JwsCompacted}, _From, State) ->
handle_verify(JwsCompacted, State);
handle_call(_Req, _From, State) ->
{reply, ok, State}.
handle_cast(_Msg, State) ->
{noreply, State}.
handle_info({timeout, _TRef, refresh}, State = #state{addr = Addr}) ->
NState = try
State#state{remote = request_jwks(Addr)}
catch _:_ ->
State
end,
{noreply, reset_timer(NState)};
handle_info(_Info, State) ->
{noreply, State}.
terminate(_Reason, State) ->
_ = cancel_timer(State),
ok.
code_change(_OldVsn, State, _Extra) ->
{ok, State}.
%%--------------------------------------------------------------------
%% Internal funcs
%%--------------------------------------------------------------------
handle_verify(JwsCompacted,
State = #state{static = Static, remote = Remote}) ->
try
Jwks = case emqx_json:decode(jose_jws:peek_protected(JwsCompacted), [return_maps]) of
#{<<"kid">> := Kid} ->
[J || J <- Remote, maps:get(<<"kid">>, J#jose_jwk.fields, undefined) =:= Kid];
_ -> Static
end,
case Jwks of
[] -> {reply, {error, not_found}, State};
_ ->
{reply, do_verify(JwsCompacted, Jwks), State}
end
catch
_:_ ->
{reply, {error, invalid_signature}, State}
end.
request_jwks(Addr) ->
case httpc:request(get, {Addr, []}, [], [{body_format, binary}]) of
{error, Reason} ->
error(Reason);
{ok, {_Code, _Headers, Body}} ->
try
JwkSet = jose_jwk:from(emqx_json:decode(Body, [return_maps])),
{_, Jwks} = JwkSet#jose_jwk.keys, Jwks
catch _:_ ->
?LOG(error, "Invalid jwks server response: ~p~n", [Body]),
error(badarg)
end
end.
reset_timer(State = #state{addr = undefined}) ->
State;
reset_timer(State = #state{intv = Intv}) ->
State#state{tref = erlang:start_timer(Intv, self(), refresh)}.
cancel_timer(State = #state{tref = undefined}) ->
State;
cancel_timer(State = #state{tref = TRef}) ->
erlang:cancel_timer(TRef),
State#state{tref = undefined}.
do_verify(_JwsCompated, []) ->
{error, invalid_signature};
do_verify(JwsCompacted, [Jwk|More]) ->
case jose_jws:verify(Jwk, JwsCompacted) of
{true, Payload, _Jws} ->
Claims = emqx_json:decode(Payload, [return_maps]),
case check_claims(Claims) of
false ->
{error, invalid_signature};
NClaims ->
{ok, NClaims}
end;
{false, _, _} ->
do_verify(JwsCompacted, More)
end.
check_claims(Claims) ->
Now = os:system_time(seconds),
Checker = [{<<"exp">>, fun(ExpireTime) ->
Now < ExpireTime
end},
{<<"iat">>, fun(IssueAt) ->
IssueAt =< Now
end},
{<<"nbf">>, fun(NotBefore) ->
NotBefore =< Now
end}
],
do_check_claim(Checker, Claims).
do_check_claim([], Claims) ->
Claims;
do_check_claim([{K, F}|More], Claims) ->
case maps:take(K, Claims) of
error -> do_check_claim(More, Claims);
{V, NClaims} ->
case F(V) of
true -> do_check_claim(More, NClaims);
_ -> false
end
end.

View File

@ -0,0 +1,142 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_jwt_SUITE).
-compile(export_all).
-compile(nowarn_export_all).
-include_lib("emqx/include/emqx.hrl").
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-define(APP, emqx_auth_jwt).
all() ->
[{group, emqx_auth_jwt}].
groups() ->
[{emqx_auth_jwt, [sequence], [ t_check_auth
, t_check_claims
, t_check_claims_clientid
, t_check_claims_username
]}
].
init_per_suite(Config) ->
emqx_ct_helpers:start_apps([emqx, emqx_auth_jwt], fun set_special_configs/1),
Config.
end_per_suite(_Config) ->
emqx_ct_helpers:stop_apps([emqx_auth_jwt, emqx]).
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, false),
application:set_env(emqx, acl_nomatch, deny),
application:set_env(emqx, enable_acl_cache, false),
LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
AclFilePath = filename:join(["test", "emqx_SUITE_data", "acl.conf"]),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, LoadedPluginPath)),
application:set_env(emqx, acl_file,
emqx_ct_helpers:deps_path(emqx, AclFilePath));
set_special_configs(emqx_auth_jwt) ->
application:set_env(emqx_auth_jwt, secret, "emqxsecret"),
application:set_env(emqx_auth_jwt, from, password);
set_special_configs(_) ->
ok.
sign(Payload, Alg, Key) ->
Jwk = jose_jwk:from_oct(Key),
Jwt = emqx_json:encode(Payload),
{_, Token} = jose_jws:compact(jose_jwt:sign(Jwk, #{<<"alg">> => Alg}, Jwt)),
Token.
%%------------------------------------------------------------------------------
%% Testcases
%%------------------------------------------------------------------------------
t_check_auth(_) ->
Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external},
Jwt = sign([{clientid, <<"client1">>},
{username, <<"plain">>},
{exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
ct:pal("Jwt: ~p~n", [Jwt]),
Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
ct:pal("Auth result: ~p~n", [Result0]),
?assertMatch({ok, #{auth_result := success, jwt_claims := #{<<"clientid">> := <<"client1">>}}}, Result0),
ct:sleep(3100),
Result1 = emqx_access_control:authenticate(Plain#{password => Jwt}),
ct:pal("Auth result after 1000ms: ~p~n", [Result1]),
?assertMatch({error, _}, Result1),
Jwt_Error = sign([{client_id, <<"client1">>},
{username, <<"plain">>}], <<"HS256">>, <<"secret">>),
ct:pal("invalid jwt: ~p~n", [Jwt_Error]),
Result2 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
ct:pal("Auth result for the invalid jwt: ~p~n", [Result2]),
?assertEqual({error, invalid_signature}, Result2),
?assertMatch({error, _}, emqx_access_control:authenticate(Plain#{password => <<"asd">>})).
t_check_claims(_) ->
application:set_env(emqx_auth_jwt, verify_claims, [{sub, <<"value">>}]),
Plain = #{clientid => <<"client1">>, username => <<"plain">>, zone => external},
Jwt = sign([{client_id, <<"client1">>},
{username, <<"plain">>},
{sub, value},
{exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
ct:pal("Auth result: ~p~n", [Result0]),
?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
Jwt_Error = sign([{clientid, <<"client1">>},
{username, <<"plain">>}], <<"HS256">>, <<"secret">>),
Result2 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
ct:pal("Auth result for the invalid jwt: ~p~n", [Result2]),
?assertEqual({error, invalid_signature}, Result2).
t_check_claims_clientid(_) ->
application:set_env(emqx_auth_jwt, verify_claims, [{clientid, <<"%c">>}]),
Plain = #{clientid => <<"client23">>, username => <<"plain">>, zone => external},
Jwt = sign([{client_id, <<"client23">>},
{username, <<"plain">>},
{exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
ct:pal("Auth result: ~p~n", [Result0]),
?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
Jwt_Error = sign([{clientid, <<"client1">>},
{username, <<"plain">>}], <<"HS256">>, <<"secret">>),
Result2 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
ct:pal("Auth result for the invalid jwt: ~p~n", [Result2]),
?assertEqual({error, invalid_signature}, Result2).
t_check_claims_username(_) ->
application:set_env(emqx_auth_jwt, verify_claims, [{username, <<"%u">>}]),
Plain = #{clientid => <<"client23">>, username => <<"plain">>, zone => external},
Jwt = sign([{client_id, <<"client23">>},
{username, <<"plain">>},
{exp, os:system_time(seconds) + 3}], <<"HS256">>, <<"emqxsecret">>),
Result0 = emqx_access_control:authenticate(Plain#{password => Jwt}),
ct:pal("Auth result: ~p~n", [Result0]),
?assertMatch({ok, #{auth_result := success, jwt_claims := _}}, Result0),
Jwt_Error = sign([{clientid, <<"client1">>},
{username, <<"plain">>}], <<"HS256">>, <<"secret">>),
Result3 = emqx_access_control:authenticate(Plain#{password => Jwt_Error}),
ct:pal("Auth result for the invalid jwt: ~p~n", [Result3]),
?assertEqual({error, invalid_signature}, Result3).

View File

@ -0,0 +1,26 @@
version: '3'
services:
erlang:
image: erlang:22.1
volumes:
- ../:/emqx_auth_ldap
networks:
- emqx_bridge
depends_on:
- ldap_server
tty: true
ldap_server:
build: ./emqx-ldap
image: emqx-ldap:1.0
restart: always
ports:
- 389:389
- 636:636
networks:
- emqx_bridge
networks:
emqx_bridge:
driver: bridge

View File

@ -0,0 +1,26 @@
FROM buildpack-deps:stretch
ENV VERSION=2.4.50
RUN apt-get update && apt-get install -y groff groff-base
RUN wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-${VERSION}.tgz \
&& gunzip -c openldap-${VERSION}.tgz | tar xvfB - \
&& cd openldap-${VERSION} \
&& ./configure && make depend && make && make install \
&& cd .. && rm -rf openldap-${VERSION}
COPY ./slapd.conf /usr/local/etc/openldap/slapd.conf
COPY ./emqx.io.ldif /usr/local/etc/openldap/schema/emqx.io.ldif
COPY ./emqx.schema /usr/local/etc/openldap/schema/emqx.schema
COPY ./*.pem /usr/local/etc/openldap/
RUN mkdir -p /usr/local/etc/openldap/data \
&& slapadd -l /usr/local/etc/openldap/schema/emqx.io.ldif -f /usr/local/etc/openldap/slapd.conf
WORKDIR /usr/local/etc/openldap
EXPOSE 389 636
ENTRYPOINT ["/usr/local/libexec/slapd", "-h", "ldap:/// ldaps:///", "-d", "3", "-f", "/usr/local/etc/openldap/slapd.conf"]
CMD []

View File

@ -0,0 +1,16 @@
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/emqx.schema
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/key.pem
database bdb
suffix "dc=emqx,dc=io"
rootdn "cn=root,dc=emqx,dc=io"
rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W
directory /usr/local/etc/openldap/data

View File

@ -0,0 +1,49 @@
name: Run test cases
on: [push, pull_request]
jobs:
run_test_cases:
runs-on: ubuntu-latest
strategy:
matrix:
network_type:
- ipv4
- ipv6
steps:
- name: install docker-compose
run: |
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
- uses: actions/checkout@v1
- name: prepare
env:
NETWORK_TYPE: ${{ matrix.network_type }}
run: |
set -e -x -u
cp ./emqx.io.ldif ./emqx.schema ./.ci/emqx-ldap
cp ./test/certs/* ./.ci/emqx-ldap
docker-compose -f ./.ci/docker-compose.yml -p tests build
if [ "$NETWORK_TYPE" = "ipv6" ];then docker network create --driver bridge --ipv6 --subnet fd15:555::/64 tests_emqx_bridge --attachable; fi
docker-compose -f ./.ci/docker-compose.yml -p tests up -d
if [ "$NETWORK_TYPE" != "ipv6" ];then
docker exec -i tests_erlang_1 sh -c "sed -i '/auth.ldap.servers/c auth.ldap.servers = ldap_server' ./emqx_auth_ldap/etc/emqx_auth_ldap.conf"
else
ipv6_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' $(docker ps -a -f name=tests_ldap_server_1 -q))
docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "sed -i '/auth.ldap.servers/c auth.ldap.servers = $ipv6_address' /emqx_auth_ldap/etc/emqx_auth_ldap.conf"
fi
- name: run test cases
run: |
set -e -x -u
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap xref"
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap eunit"
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap ct"
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_ldap cover"
- uses: actions/upload-artifact@v1
if: failure()
with:
name: logs_${{ matrix.network_type }}
path: _build/test/logs

25
apps/emqx_auth_ldap/.gitignore vendored Normal file
View File

@ -0,0 +1,25 @@
.eunit
deps
*.o
*.beam
*.plt
erl_crash.dump
ebin
rel/example_project
.concrete/DEV_MODE
.rebar
.erlang.mk/
emqx_auth_ldap.d
data/
cover/
ct.coverdata
eunit.coverdata
logs/
test/ct.cover.spec
.DS_Store
_build/
rebar.lock
erlang.mk
rebar3.crashdump
.rebar3/
etc/emqx_auth_ldap.conf.rendered

201
apps/emqx_auth_ldap/LICENSE Normal file
View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

View File

@ -0,0 +1,35 @@
## shallow clone for speed
REBAR_GIT_CLONE_OPTIONS += --depth 1
export REBAR_GIT_CLONE_OPTIONS
REBAR = rebar3
all: compile
compile:
$(REBAR) compile
ct: compile
$(REBAR) as test ct -v
eunit: compile
$(REBAR) as test eunit
xref:
$(REBAR) xref
cover:
$(REBAR) cover
clean:
@rm -rf _build
@rm -f data/app.*.config data/vm.*.args rebar.lock
CUTTLEFISH_SCRIPT = _build/default/lib/cuttlefish/cuttlefish
$(CUTTLEFISH_SCRIPT):
@${REBAR} get-deps
@if [ ! -f cuttlefish ]; then make -C _build/default/lib/cuttlefish; fi
app.config: $(CUTTLEFISH_SCRIPT) etc/emqx_auth_ldap.conf
$(verbose) $(CUTTLEFISH_SCRIPT) -l info -e etc/ -c etc/emqx_auth_ldap.conf -i priv/emqx_auth_ldap.schema -d data

View File

@ -0,0 +1,96 @@
emqx_auth_ldap
==============
EMQ X LDAP Authentication Plugin
Build
-----
```
make
```
Load the Plugin
---------------
```
# ./bin/emqx_ctl plugins load emqx_auth_ldap
```
Generate Password
---------------
```
slappasswd -h '{ssha}' -s public
```
Configuration Open LDAP
-----------------------
vim /etc/openldap/slapd.conf
```
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/emqx.schema
database bdb
suffix "dc=emqx,dc=io"
rootdn "cn=root,dc=emqx,dc=io"
rootpw {SSHA}eoF7NhNrejVYYyGHqnt+MdKNBh4r1w3W
directory /etc/openldap/data
```
If the ldap launched with error below:
```
Unrecognized database type (bdb)
5c4a72b9 slapd.conf: line 7: <database> failed init (bdb)
slapadd: bad configuration file!
```
Insert lines to the slapd.conf
```
modulepath /usr/lib/ldap
moduleload back_bdb.la
```
Import EMQX User Data
----------------------
Use ldapadd
```
# ldapadd -x -D "cn=root,dc=emqx,dc=io" -w public -f emqx.com.ldif
```
Use slapadd
```
# sudo slapadd -l schema/emqx.io.ldif -f slapd.conf
```
Launch slapd
```
# sudo slapd -d 3
```
Test
-----
After configure slapd correctly and launch slapd successfully.
You could execute
``` bash
# make tests
```
License
-------
Apache License Version 2.0
Author
------
EMQ X Team.

View File

@ -0,0 +1,135 @@
## create emqx.io
dn:dc=emqx,dc=io
objectclass: top
objectclass: dcobject
objectclass: organization
dc:emqx
o:emqx,Inc.
# create testdevice.emqx.io
dn:ou=testdevice,dc=emqx,dc=io
objectClass: top
objectclass:organizationalUnit
ou:testdevice
# create user admin
dn:uid=admin,ou=testdevice,dc=emqx,dc=io
objectClass: top
objectClass: simpleSecurityObject
objectClass: account
userPassword:: e1NIQX1XNnBoNU1tNVB6OEdnaVVMYlBnekczN21qOWc9
uid: admin
## create user=mqttuser0001,
# password=mqttuser0001,
# passhash={SHA}mlb3fat40MKBTXUVZwCKmL73R/0=
# base64passhash=e1NIQX1tbGIzZmF0NDBNS0JUWFVWWndDS21MNzNSLzA9
dn:uid=mqttuser0001,ou=testdevice,dc=emqx,dc=io
objectClass: top
objectClass: mqttUser
objectClass: mqttDevice
objectClass: mqttSecurity
uid: mqttuser0001
isEnabled: TRUE
mqttAccountName: user1
mqttPublishTopic: mqttuser0001/pub/1
mqttPublishTopic: mqttuser0001/pub/+
mqttPublishTopic: mqttuser0001/pub/#
mqttSubscriptionTopic: mqttuser0001/sub/1
mqttSubscriptionTopic: mqttuser0001/sub/+
mqttSubscriptionTopic: mqttuser0001/sub/#
mqttPubSubTopic: mqttuser0001/pubsub/1
mqttPubSubTopic: mqttuser0001/pubsub/+
mqttPubSubTopic: mqttuser0001/pubsub/#
userPassword:: e1NIQX1tbGIzZmF0NDBNS0JUWFVWWndDS21MNzNSLzA9
## create user=mqttuser0002
# password=mqttuser0002,
# passhash={SSHA}n9XdtoG4Q/TQ3TQF4Y+khJbMBH4qXj4M
# base64passhash=e1NTSEF9bjlYZHRvRzRRL1RRM1RRRjRZK2toSmJNQkg0cVhqNE0=
dn:uid=mqttuser0002,ou=testdevice,dc=emqx,dc=io
objectClass: top
objectClass: mqttUser
objectClass: mqttDevice
objectClass: mqttSecurity
uid: mqttuser0002
isEnabled: TRUE
mqttAccountName: user2
mqttPublishTopic: mqttuser0002/pub/1
mqttPublishTopic: mqttuser0002/pub/+
mqttPublishTopic: mqttuser0002/pub/#
mqttSubscriptionTopic: mqttuser0002/sub/1
mqttSubscriptionTopic: mqttuser0002/sub/+
mqttSubscriptionTopic: mqttuser0002/sub/#
mqttPubSubTopic: mqttuser0002/pubsub/1
mqttPubSubTopic: mqttuser0002/pubsub/+
mqttPubSubTopic: mqttuser0002/pubsub/#
userPassword:: e1NTSEF9bjlYZHRvRzRRL1RRM1RRRjRZK2toSmJNQkg0cVhqNE0=
## create user mqttuser0003
# password=mqttuser0003,
# passhash={MD5}ybsPGoaK3nDyiQvveiCOIw==
# base64passhash=e01ENX15YnNQR29hSzNuRHlpUXZ2ZWlDT0l3PT0=
dn:uid=mqttuser0003,ou=testdevice,dc=emqx,dc=io
objectClass: top
objectClass: mqttUser
objectClass: mqttDevice
objectClass: mqttSecurity
uid: mqttuser0003
isEnabled: TRUE
mqttPublishTopic: mqttuser0003/pub/1
mqttPublishTopic: mqttuser0003/pub/+
mqttPublishTopic: mqttuser0003/pub/#
mqttSubscriptionTopic: mqttuser0003/sub/1
mqttSubscriptionTopic: mqttuser0003/sub/+
mqttSubscriptionTopic: mqttuser0003/sub/#
mqttPubSubTopic: mqttuser0003/pubsub/1
mqttPubSubTopic: mqttuser0003/pubsub/+
mqttPubSubTopic: mqttuser0003/pubsub/#
userPassword:: e01ENX15YnNQR29hSzNuRHlpUXZ2ZWlDT0l3PT0=
## create user mqttuser0004
# password=mqttuser0004,
# passhash={MD5}2Br6pPDSEDIEvUlu9+s+MA==
# base64passhash=e01ENX0yQnI2cFBEU0VESUV2VWx1OStzK01BPT0=
dn:uid=mqttuser0004,ou=testdevice,dc=emqx,dc=io
objectClass: top
objectClass: mqttUser
objectClass: mqttDevice
objectClass: mqttSecurity
uid: mqttuser0004
isEnabled: TRUE
mqttPublishTopic: mqttuser0004/pub/1
mqttPublishTopic: mqttuser0004/pub/+
mqttPublishTopic: mqttuser0004/pub/#
mqttSubscriptionTopic: mqttuser0004/sub/1
mqttSubscriptionTopic: mqttuser0004/sub/+
mqttSubscriptionTopic: mqttuser0004/sub/#
mqttPubSubTopic: mqttuser0004/pubsub/1
mqttPubSubTopic: mqttuser0004/pubsub/+
mqttPubSubTopic: mqttuser0004/pubsub/#
userPassword: {MD5}2Br6pPDSEDIEvUlu9+s+MA==
## create user mqttuser0005
# password=mqttuser0005,
# passhash={SHA}jKnxeEDGR14kE8AR7yuVFOelhz4=
# base64passhash=e1NIQX1qS254ZUVER1IxNGtFOEFSN3l1VkZPZWxoejQ9
objectClass: top
dn:uid=mqttuser0005,ou=testdevice,dc=emqx,dc=io
objectClass: mqttUser
objectClass: mqttDevice
objectClass: mqttSecurity
uid: mqttuser0005
isEnabled: TRUE
mqttPublishTopic: mqttuser0005/pub/1
mqttPublishTopic: mqttuser0005/pub/+
mqttPublishTopic: mqttuser0005/pub/#
mqttSubscriptionTopic: mqttuser0005/sub/1
mqttSubscriptionTopic: mqttuser0005/sub/+
mqttSubscriptionTopic: mqttuser0005/sub/#
mqttPubSubTopic: mqttuser0005/pubsub/1
mqttPubSubTopic: mqttuser0005/pubsub/+
mqttPubSubTopic: mqttuser0005/pubsub/#
userPassword: {SHA}jKnxeEDGR14kE8AR7yuVFOelhz4=

View File

@ -0,0 +1,46 @@
#
# Preliminary Apple OS X Native LDAP Schema
# This file is subject to change.
#
attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.1.3 NAME 'isEnabled'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
USAGE userApplications )
attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.1 NAME ( 'mqttPublishTopic' 'mpt' )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.2 NAME ( 'mqttSubscriptionTopic' 'mst' )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.3 NAME ( 'mqttPubSubTopic' 'mpst' )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
attributetype ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4.4 NAME ( 'mqttAccountName' 'man' )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
USAGE userApplications )
objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.4 NAME 'mqttUser'
AUXILIARY
MAY ( mqttPublishTopic $ mqttSubscriptionTopic $ mqttPubSubTopic $ mqttAccountName) )
objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.2 NAME 'mqttDevice'
SUP top
STRUCTURAL
MUST ( uid )
MAY ( isEnabled ) )
objectclass ( 1.3.6.1.4.1.11.2.53.2.2.3.1.2.3.3 NAME 'mqttSecurity'
SUP top
AUXILIARY
MAY ( userPassword $ userPKCS12 $ pwdAttribute $ pwdLockout ) )

View File

@ -0,0 +1,78 @@
##--------------------------------------------------------------------
## LDAP Auth Plugin
##--------------------------------------------------------------------
## LDAP server list, seperated by ','.
##
## Value: String
auth.ldap.servers = 127.0.0.1
## LDAP server port.
##
## Value: Port
auth.ldap.port = 389
## LDAP pool size
##
## Value: String
auth.ldap.pool = 8
## LDAP Bind DN.
##
## Value: DN
auth.ldap.bind_dn = cn=root,dc=emqx,dc=io
## LDAP Bind Password.
##
## Value: String
auth.ldap.bind_password = public
## LDAP query timeout.
##
## Value: Number
auth.ldap.timeout = 30s
## Device DN.
##
## Variables:
##
## Value: DN
auth.ldap.device_dn = ou=device,dc=emqx,dc=io
## Specified ObjectClass
##
## Variables:
##
## Value: string
auth.ldap.match_objectclass = mqttUser
## attributetype for username
##
## Variables:
##
## Value: string
auth.ldap.username.attributetype = uid
## attributetype for password
##
## Variables:
##
## Value: string
auth.ldap.password.attributetype = userPassword
## Whether to enable SSL.
##
## Value: true | false
auth.ldap.ssl = false
#auth.ldap.ssl.certfile = etc/certs/cert.pem
#auth.ldap.ssl.keyfile = etc/certs/key.pem
#auth.ldap.ssl.cacertfile = etc/certs/cacert.pem
#auth.ldap.ssl.verify = verify_peer
#auth.ldap.ssl.fail_if_no_peer_cert = true
#auth.ldap.ssl.server_name_indication = your_server_name

View File

@ -0,0 +1,23 @@
-define(APP, emqx_auth_ldap).
-record(auth_metrics, {
success = 'client.auth.success',
failure = 'client.auth.failure',
ignore = 'client.auth.ignore'
}).
-record(acl_metrics, {
allow = 'client.acl.allow',
deny = 'client.acl.deny',
ignore = 'client.acl.ignore'
}).
-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
-define(METRICS(Type, K), #Type{}#Type.K).
-define(AUTH_METRICS, ?METRICS(auth_metrics)).
-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
-define(ACL_METRICS, ?METRICS(acl_metrics)).
-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

View File

@ -0,0 +1,176 @@
%%-*- mode: erlang -*-
%% emqx_auth_ldap config mapping
{mapping, "auth.ldap.servers", "emqx_auth_ldap.ldap", [
{default, "127.0.0.1"},
{datatype, string}
]}.
{mapping, "auth.ldap.port", "emqx_auth_ldap.ldap", [
{default, 389},
{datatype, integer}
]}.
{mapping, "auth.ldap.pool", "emqx_auth_ldap.ldap", [
{default, 8},
{datatype, integer}
]}.
{mapping, "auth.ldap.bind_dn", "emqx_auth_ldap.ldap", [
{datatype, string},
{default, "cn=root,dc=emqx,dc=io"}
]}.
{mapping, "auth.ldap.bind_password", "emqx_auth_ldap.ldap", [
{datatype, string},
{default, "public"}
]}.
{mapping, "auth.ldap.timeout", "emqx_auth_ldap.ldap", [
{default, "30s"},
{datatype, {duration, ms}}
]}.
{mapping, "auth.ldap.ssl", "emqx_auth_ldap.ldap", [
{default, false},
{datatype, {enum, [true, false]}}
]}.
{mapping, "auth.ldap.ssl.certfile", "emqx_auth_ldap.ldap", [
{datatype, string}
]}.
{mapping, "auth.ldap.ssl.keyfile", "emqx_auth_ldap.ldap", [
{datatype, string}
]}.
{mapping, "auth.ldap.ssl.cacertfile", "emqx_auth_ldap.ldap", [
{datatype, string}
]}.
{mapping, "auth.ldap.ssl.verify", "emqx_auth_ldap.ldap", [
{default, verify_none},
{datatype, {enum, [verify_none, verify_peer]}}
]}.
{mapping, "auth.ldap.ssl.fail_if_no_peer_cert", "emqx_auth_ldap.ldap", [
{datatype, {enum, [true, false]}}
]}.
{mapping, "auth.ldap.ssl.server_name_indication", "emqx_auth_ldap.ldap", [
{datatype, string}
]}.
{translation, "emqx_auth_ldap.ldap", fun(Conf) ->
A2N = fun(A) -> case inet:parse_address(A) of {ok, N} -> N; _ -> A end end,
Servers = [A2N(A) || A <- string:tokens(cuttlefish:conf_get("auth.ldap.servers", Conf), ",")],
Port = cuttlefish:conf_get("auth.ldap.port", Conf),
Pool = cuttlefish:conf_get("auth.ldap.pool", Conf),
BindDN = cuttlefish:conf_get("auth.ldap.bind_dn", Conf),
BindPassword = cuttlefish:conf_get("auth.ldap.bind_password", Conf),
Timeout = cuttlefish:conf_get("auth.ldap.timeout", Conf),
Filter = fun(Ls) -> [E || E = {_, V} <- Ls, V /= undefined]end,
SslOpts = fun() ->
[{certfile, cuttlefish:conf_get("auth.ldap.ssl.certfile", Conf)},
{keyfile, cuttlefish:conf_get("auth.ldap.ssl.keyfile", Conf)},
{cacertfile, cuttlefish:conf_get("auth.ldap.ssl.cacertfile", Conf, undefined)},
{verify, cuttlefish:conf_get("auth.ldap.ssl.verify", Conf, undefined)},
{server_name_indication, cuttlefish:conf_get("auth.ldap.ssl.server_name_indication", Conf, disable)},
{fail_if_no_peer_cert, cuttlefish:conf_get("auth.ldap.ssl.fail_if_no_peer_cert", Conf, undefined)}]
end,
Opts = [{servers, Servers},
{port, Port},
{timeout, Timeout},
{bind_dn, BindDN},
{bind_password, BindPassword},
{pool, Pool},
{auto_reconnect, 2}],
case cuttlefish:conf_get("auth.ldap.ssl", Conf) of
true -> [{ssl, true}, {sslopts, Filter(SslOpts())}|Opts];
false -> [{ssl, false}|Opts]
end
end}.
{mapping, "auth.ldap.device_dn", "emqx_auth_ldap.device_dn", [
{default, "ou=device,dc=emqx,dc=io"},
{datatype, string}
]}.
{mapping, "auth.ldap.match_objectclass", "emqx_auth_ldap.match_objectclass", [
{default, "mqttUser"},
{datatype, string}
]}.
{mapping, "auth.ldap.custom_base_dn", "emqx_auth_ldap.custom_base_dn", [
{default, "${username_attr}=${user},${device_dn}"},
{datatype, string}
]}.
%% auth.ldap.filters.1.key = "objectClass"
%% auth.ldap.filters.1.value = "mqttUser"
%% auth.ldap.filters.1.op = "and"
%% auth.ldap.filters.2.key = "uiAttr"
%% auth.ldap.filters.2.value "someAttr"
%% auth.ldap.filters.2.op = "or"
%% auth.ldap.filters.3.key = "someKey"
%% auth.ldap.filters.3.value = "someValue"
%% The configuratation structure sent to the application:
%% [{"objectClass","mqttUser"},"and",{"uiAttr","someAttr"},"or",{"someKey","someAttr"}]
%% The resulting LDAP filter would look like this:
%% ==> "|(&(objectClass=Class)(uiAttr=someAttr)(someKey=someValue))"
{translation, "emqx_auth_ldap.filters",
fun(Conf) ->
Settings = cuttlefish_variable:filter_by_prefix("auth.ldap.filters", Conf),
Keys = [{Num, {key, V}} || {["auth","ldap","filters", Num, "key"], V} <- Settings],
Values = [{Num, {value, V}} || {["auth","ldap","filters", Num, "value"], V} <- Settings],
Ops = [{Num, {op, V}} || {["auth","ldap","filters", Num, "op"], V} <- Settings],
RawFilters = Keys ++ Values ++ Ops,
Filters =
lists:foldl(
fun({Num,{T,V}}, Acc)->
maps:update_with(Num,
fun(F)->
maps:put(T,V,F)
end,
#{T=>V}, Acc)
end, #{}, RawFilters),
Order=lists:usort(maps:keys(Filters)),
lists:reverse(
lists:foldl(
fun(F,Acc)->
case F of
#{key:=K, op:=Op, value:=V} -> [Op,{K,V}|Acc];
#{key:=K, value:=V} -> [{K,V}|Acc]
end
end,
[],
lists:map(fun(K) -> maps:get(K, Filters) end, Order)))
end}.
{mapping, "auth.ldap.filters.$num.key", "emqx_auth_ldap.filters", [
{datatype, string}
]}.
{mapping, "auth.ldap.filters.$num.value", "emqx_auth_ldap.filters", [
{datatype, string}
]}.
{mapping, "auth.ldap.filters.$num.op", "emqx_auth_ldap.filters", [
{datatype, {enum, [ "or", "and" ] } }
]}.
{mapping, "auth.ldap.bind_as_user", "emqx_auth_ldap.bind_as_user", [
{default, false},
{datatype, {enum, [true, false]}}
]}.
{mapping, "auth.ldap.username.attributetype", "emqx_auth_ldap.username_attr", [
{default, "uid"},
{datatype, string}
]}.
{mapping, "auth.ldap.password.attributetype", "emqx_auth_ldap.password_attr", [
{default, "userPassword"},
{datatype, string}
]}.

View File

@ -0,0 +1,27 @@
{deps,
[{eldap2, {git, "https://github.com/emqx/eldap2", {tag, "v0.2.2"}}},
{ecpool, {git, "https://github.com/emqx/ecpool", {tag, "0.5.0"}}},
{emqx_passwd, {git, "https://github.com/emqx/emqx-passwd", {tag, "v1.1.1"}}}
]}.
{profiles,
[{test,
[{deps, [{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "1.2.2"}}}]}
]}
]}.
{edoc_opts, [{preprocess, true}]}.
{erl_opts, [warn_unused_vars,
warn_shadow_vars,
warn_unused_import,
warn_obsolete_guard,
debug_info,
{parse_transform}]}.
{xref_checks, [undefined_function_calls, undefined_functions,
locals_not_used, deprecated_function_calls,
warnings_as_errors, deprecated_functions]}.
{cover_enabled, true}.
{cover_opts, [verbose]}.
{cover_export_enabled, true}.

View File

@ -0,0 +1,54 @@
%%-*- mode: erlang -*-
DEPS = case lists:keyfind(deps, 1, CONFIG) of
{_, Deps} -> Deps;
_ -> []
end,
ComparingFun = fun
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2) -> _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2) -> true;
_Fun(_, _) -> false
end,
SortFun = fun(T1, T2) ->
C = fun(T) ->
[case catch list_to_integer(E) of
I when is_integer(I) -> I;
_ -> E
end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
end,
ComparingFun(C(T1), C(T2))
end,
VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
Tags = case VTags of
[] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
_ -> VTags
end,
LatestTag = lists:last(lists:sort(SortFun, Tags)),
Branch = case os:getenv("GITHUB_RUN_ID") of
false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
_ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
end,
GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
match -> {branch, Branch};
_ -> {tag, LatestTag}
end,
UrlPrefix = "https://github.com/emqx/",
EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
CONFIG1.

View File

@ -0,0 +1,98 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_acl_ldap).
-include("emqx_auth_ldap.hrl").
-include_lib("emqx/include/emqx.hrl").
-include_lib("eldap/include/eldap.hrl").
-include_lib("emqx/include/logger.hrl").
-export([ register_metrics/0
, check_acl/5
, description/0
]).
-import(proplists, [get_value/2]).
-import(emqx_auth_ldap_cli, [search/4]).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) ->
case do_check_acl(ClientInfo, PubSub, Topic, NoMatchAction, State) of
ok -> emqx_metrics:inc(?ACL_METRICS(ignore)), ok;
{stop, allow} -> emqx_metrics:inc(?ACL_METRICS(allow)), {stop, allow};
{stop, deny} -> emqx_metrics:inc(?ACL_METRICS(deny)), {stop, deny}
end.
do_check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _NoMatchAction, _State) ->
ok;
do_check_acl(#{username := Username}, PubSub, Topic, _NoMatchAction,
#{device_dn := DeviceDn,
match_objectclass := ObjectClass,
username_attr := UidAttr,
custom_base_dn := CustomBaseDN,
pool := Pool} = Config) ->
Filters = maps:get(filters, Config, []),
ReplaceRules = [{"${username_attr}", UidAttr},
{"${user}", binary_to_list(Username)},
{"${device_dn}", DeviceDn}],
Filter = emqx_auth_ldap:prepare_filter(Filters, UidAttr, ObjectClass, ReplaceRules),
Attribute = case PubSub of
publish -> "mqttPublishTopic";
subscribe -> "mqttSubscriptionTopic"
end,
Attribute1 = "mqttPubSubTopic",
?LOG(debug, "[LDAP] search dn:~p filter:~p, attribute:~p",
[DeviceDn, Filter, Attribute]),
BaseDN = emqx_auth_ldap:replace_vars(CustomBaseDN, ReplaceRules),
case search(Pool, BaseDN, Filter, [Attribute, Attribute1]) of
{error, noSuchObject} ->
ok;
{ok, #eldap_search_result{entries = []}} ->
ok;
{ok, #eldap_search_result{entries = [Entry]}} ->
Topics = get_value(Attribute, Entry#eldap_entry.attributes)
++ get_value(Attribute1, Entry#eldap_entry.attributes),
match(Topic, Topics);
Error ->
?LOG(error, "[LDAP] search error:~p", [Error]),
{stop, deny}
end.
match(_Topic, []) ->
ok;
match(Topic, [Filter | Topics]) ->
case emqx_topic:match(Topic, list_to_binary(Filter)) of
true -> {stop, allow};
false -> match(Topic, Topics)
end.
description() ->
"ACL with LDAP".

View File

@ -0,0 +1,14 @@
{application, emqx_auth_ldap,
[{description, "EMQ X Authentication/ACL with LDAP"},
{vsn, "git"},
{modules, []},
{registered, [emqx_auth_ldap_sup]},
{applications, [kernel,stdlib,eldap2,ecpool,emqx_passwd]},
{mod, {emqx_auth_ldap_app,[]}},
{env, []},
{licenses, ["Apache-2.0"]},
{maintainers, ["EMQ X Team <contact@emqx.io>"]},
{links, [{"Homepage", "https://emqx.io/"},
{"Github", "https://github.com/emqx/emqx-auth-ldap"}
]}
]}.

View File

@ -0,0 +1,24 @@
%%-*- mode: erlang -*-
%% .app.src.script
RemoveLeadingV =
fun(Tag) ->
case re:run(Tag, "^[v|e]?[0-9]\.[0-9]\.([0-9]|(rc|beta|alpha)\.[0-9])", [{capture, none}]) of
nomatch ->
re:replace(Tag, "/", "-", [{return ,list}]);
_ ->
%% if it is a version number prefixed by 'v' or 'e', then remove it
re:replace(Tag, "[v|e]", "", [{return ,list}])
end
end,
case os:getenv("EMQX_DEPS_DEFAULT_VSN") of
false -> CONFIG; % env var not defined
[] -> CONFIG; % env var set to empty string
Tag ->
[begin
AppConf0 = lists:keystore(vsn, 1, AppConf, {vsn, RemoveLeadingV(Tag)}),
{application, App, AppConf0}
end || Conf = {application, App, AppConf} <- CONFIG]
end.

View File

@ -0,0 +1,210 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ldap).
-include("emqx_auth_ldap.hrl").
-include_lib("emqx/include/emqx.hrl").
-include_lib("eldap/include/eldap.hrl").
-include_lib("emqx/include/logger.hrl").
-import(proplists, [get_value/2]).
-import(emqx_auth_ldap_cli, [search/3]).
-export([ register_metrics/0
, check/3
, description/0
, prepare_filter/4
, replace_vars/2
]).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
check(ClientInfo = #{username := Username, password := Password}, AuthResult,
State = #{password_attr := PasswdAttr, bind_as_user := BindAsUserRequired, pool := Pool}) ->
CheckResult =
case lookup_user(Username, State) of
undefined -> {error, not_found};
{error, Error} -> {error, Error};
Entry ->
PasswordString = binary_to_list(Password),
ObjectName = Entry#eldap_entry.object_name,
Attributes = Entry#eldap_entry.attributes,
case BindAsUserRequired of
true ->
emqx_auth_ldap_cli:post_bind(Pool, ObjectName, PasswordString);
false ->
case get_value(PasswdAttr, Attributes) of
undefined ->
logger:error("LDAP Search State: ~p, uid: ~p, result:~p",
[State, Username, Attributes]),
{error, not_found};
[Passhash1] ->
format_password(Passhash1, Password, ClientInfo)
end
end
end,
case CheckResult of
ok ->
ok = emqx_metrics:inc(?AUTH_METRICS(success)),
{stop, AuthResult#{auth_result => success, anonymous => false}};
{error, not_found} ->
emqx_metrics:inc(?AUTH_METRICS(ignore));
{error, ResultCode} ->
ok = emqx_metrics:inc(?AUTH_METRICS(failure)),
?LOG(error, "[LDAP] Auth from ldap failed: ~p", [ResultCode]),
{stop, AuthResult#{auth_result => ResultCode, anonymous => false}}
end.
lookup_user(Username, #{username_attr := UidAttr,
match_objectclass := ObjectClass,
device_dn := DeviceDn,
custom_base_dn := CustomBaseDN, pool := Pool} = Config) ->
Filters = maps:get(filters, Config, []),
ReplaceRules = [{"${username_attr}", UidAttr},
{"${user}", binary_to_list(Username)},
{"${device_dn}", DeviceDn}],
Filter = prepare_filter(Filters, UidAttr, ObjectClass, ReplaceRules),
%% auth.ldap.custom_base_dn = "${username_attr}=${user},${device_dn}"
BaseDN = replace_vars(CustomBaseDN, ReplaceRules),
case search(Pool, BaseDN, Filter) of
%% This clause seems to be impossible to match. `eldap2:search/2` does
%% not validates the result, so if it returns "successfully" from the
%% LDAP server, it always returns `{ok, #eldap_search_result{}}`.
{error, noSuchObject} ->
undefined;
%% In case no user was found by the search, but the search was completed
%% without error we get an empty `entries` list.
{ok, #eldap_search_result{entries = []}} ->
undefined;
{ok, #eldap_search_result{entries = [Entry]}} ->
Attributes = Entry#eldap_entry.attributes,
case get_value("isEnabled", Attributes) of
undefined ->
Entry;
[Val] ->
case list_to_atom(string:to_lower(Val)) of
true -> Entry;
false -> {error, username_disabled}
end
end;
{error, Error} ->
?LOG(error, "[LDAP] Search dn: ~p, filter: ~p, fail:~p", [DeviceDn, Filter, Error]),
{error, username_or_password_error}
end.
check_pass(Password, Password, _ClientInfo) -> ok;
check_pass(_, _, _) -> {error, bad_username_or_password}.
format_password(Passhash, Password, ClientInfo) ->
case do_format_password(Passhash, Password) of
{error, Error2} ->
{error, Error2};
{Passhash1, Password1} ->
check_pass(Passhash1, Password1, ClientInfo)
end.
do_format_password(Passhash, Password) ->
Base64PasshashHandler =
handle_passhash(fun(HashType, Passhash1, Password1) ->
Passhash2 = binary_to_list(base64:decode(Passhash1)),
resolve_passhash(HashType, Passhash2, Password1)
end,
fun(_Passhash, _Password) ->
{error, password_error}
end),
PasshashHandler = handle_passhash(fun resolve_passhash/3, Base64PasshashHandler),
PasshashHandler(Passhash, Password).
resolve_passhash(HashType, Passhash, Password) ->
[_, Passhash1] = string:tokens(Passhash, "}"),
do_resolve(HashType, Passhash1, Password).
handle_passhash(HandleMatch, HandleNoMatch) ->
fun(Passhash, Password) ->
case re:run(Passhash, "(?<={)[^{}]+(?=})", [{capture, all, list}, global]) of
{match, [[HashType]]} ->
HandleMatch(list_to_atom(string:to_lower(HashType)), Passhash, Password);
_ ->
HandleNoMatch(Passhash, Password)
end
end.
do_resolve(ssha, Passhash, Password) ->
D64 = base64:decode(Passhash),
{HashedData, Salt} = lists:split(20, binary_to_list(D64)),
NewHash = crypto:hash(sha, <<Password/binary, (list_to_binary(Salt))/binary>>),
{list_to_binary(HashedData), NewHash};
do_resolve(HashType, Passhash, Password) ->
Password1 = base64:encode(crypto:hash(HashType, Password)),
{list_to_binary(Passhash), Password1}.
description() -> "LDAP Authentication Plugin".
prepare_filter(Filters, _UidAttr, ObjectClass, ReplaceRules) ->
SubFilters =
lists:map(fun({K, V}) ->
{replace_vars(K, ReplaceRules), replace_vars(V, ReplaceRules)};
(Op) ->
Op
end, Filters),
case SubFilters of
[] -> eldap2:equalityMatch("objectClass", ObjectClass);
_List -> compile_filters(SubFilters, [])
end.
compile_filters([{Key, Value}], []) ->
compile_equal(Key, Value);
compile_filters([{K1, V1}, "and", {K2, V2} | Rest], []) ->
compile_filters(
Rest,
eldap2:'and'([compile_equal(K1, V1),
compile_equal(K2, V2)]));
compile_filters([{K1, V1}, "or", {K2, V2} | Rest], []) ->
compile_filters(
Rest,
eldap2:'or'([compile_equal(K1, V1),
compile_equal(K2, V2)]));
compile_filters(["and", {K, V} | Rest], PartialFilter) ->
compile_filters(
Rest,
eldap2:'and'([PartialFilter,
compile_equal(K, V)]));
compile_filters(["or", {K, V} | Rest], PartialFilter) ->
compile_filters(
Rest,
eldap2:'or'([PartialFilter,
compile_equal(K, V)]));
compile_filters([], Filter) ->
Filter.
compile_equal(Key, Value) ->
eldap2:equalityMatch(Key, Value).
replace_vars(CustomBaseDN, ReplaceRules) ->
lists:foldl(fun({Pattern, Substitute}, DN) ->
lists:flatten(string:replace(DN, Pattern, Substitute))
end, CustomBaseDN, ReplaceRules).

View File

@ -0,0 +1,78 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ldap_app).
-behaviour(application).
-emqx_plugin(auth).
-include("emqx_auth_ldap.hrl").
%% Application callbacks
-export([ start/2
, prep_stop/1
, stop/1
]).
start(_StartType, _StartArgs) ->
{ok, Sup} = emqx_auth_ldap_sup:start_link(),
if_enabled([device_dn, match_objectclass,
username_attr, password_attr,
filters, custom_base_dn, bind_as_user],
fun load_auth_hook/1),
if_enabled([device_dn, match_objectclass,
username_attr, password_attr,
filters, custom_base_dn, bind_as_user],
fun load_acl_hook/1),
{ok, Sup}.
prep_stop(State) ->
emqx:unhook('client.authenticate', fun emqx_auth_ldap:check/3),
emqx:unhook('client.check_acl', fun emqx_acl_ldap:check_acl/5),
State.
stop(_State) ->
ok.
load_auth_hook(DeviceDn) ->
ok = emqx_auth_ldap:register_metrics(),
Params = maps:from_list(DeviceDn),
emqx:hook('client.authenticate', fun emqx_auth_ldap:check/3, [Params#{pool => ?APP}]).
load_acl_hook(DeviceDn) ->
ok = emqx_acl_ldap:register_metrics(),
Params = maps:from_list(DeviceDn),
emqx:hook('client.check_acl', fun emqx_acl_ldap:check_acl/5 , [Params#{pool => ?APP}]).
if_enabled(Cfgs, Fun) ->
case get_env(Cfgs) of
{ok, InitArgs} -> Fun(InitArgs);
[] -> ok
end.
get_env(Cfgs) ->
get_env(Cfgs, []).
get_env([Cfg | LeftCfgs], ENVS) ->
case application:get_env(?APP, Cfg) of
{ok, ENV} ->
get_env(LeftCfgs, [{Cfg, ENV} | ENVS]);
undefined ->
get_env(LeftCfgs, ENVS)
end;
get_env([], ENVS) ->
{ok, ENVS}.

View File

@ -0,0 +1,150 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ldap_cli).
-behaviour(ecpool_worker).
-include("emqx_auth_ldap.hrl").
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/logger.hrl").
%% ecpool callback
-export([connect/1]).
-export([ search/3
, search/4
, post_bind/3
, init_args/1
]).
-import(proplists,
[ get_value/2
, get_value/3
]).
%%--------------------------------------------------------------------
%% LDAP Connect/Search
%%--------------------------------------------------------------------
connect(Opts) ->
Servers = get_value(servers, Opts, ["localhost"]),
Port = get_value(port, Opts, 389),
Timeout = get_value(timeout, Opts, 30),
BindDn = get_value(bind_dn, Opts),
BindPassword = get_value(bind_password, Opts),
LdapOpts = case get_value(ssl, Opts, false)of
true ->
SslOpts = get_value(sslopts, Opts),
[{port, Port}, {timeout, Timeout}, {sslopts, SslOpts}];
false ->
[{port, Port}, {timeout, Timeout}]
end,
?LOG(debug, "[LDAP] Connecting to OpenLDAP server: ~p, Opts:~p ...", [Servers, LdapOpts]),
case eldap2:open(Servers, LdapOpts) of
{ok, LDAP} ->
try eldap2:simple_bind(LDAP, BindDn, BindPassword) of
ok -> {ok, LDAP};
{error, Error} ->
?LOG(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Error]),
{error, Error}
catch
error:Reason ->
?LOG(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Reason]),
{error, Reason}
end;
{error, Reason} ->
?LOG(error, "[LDAP] Can't connect to OpenLDAP server: ~p", [Reason]),
{error, Reason}
end.
search(Pool, Base, Filter) ->
ecpool:with_client(Pool,
fun(C) ->
case application:get_env(?APP, bind_as_user) of
{ok, true} ->
{ok, Opts} = application:get_env(?APP, ldap),
BindDn = get_value(bind_dn, Opts),
BindPassword = get_value(bind_password, Opts),
try eldap2:simple_bind(C, BindDn, BindPassword) of
ok ->
eldap2:search(C, [{base, Base},
{filter, Filter},
{deref, eldap2:derefFindingBaseObj()}]);
{error, Error} ->
{error, Error}
catch
error:Reason -> {error, Reason}
end;
{ok, false} ->
eldap2:search(C, [{base, Base},
{filter, Filter},
{deref, eldap2:derefFindingBaseObj()}])
end
end).
search(Pool, Base, Filter, Attributes) ->
ecpool:with_client(Pool,
fun(C) ->
case application:get_env(?APP, bind_as_user) of
{ok, true} ->
{ok, Opts} = application:get_env(?APP, ldap),
BindDn = get_value(bind_dn, Opts),
BindPassword = get_value(bind_password, Opts),
try eldap2:simple_bind(C, BindDn, BindPassword) of
ok ->
eldap2:search(C, [{base, Base},
{filter, Filter},
{attributes, Attributes},
{deref, eldap2:derefFindingBaseObj()}]);
{error, Error} ->
{error, Error}
catch
error:Reason -> {error, Reason}
end;
{ok, false} ->
eldap2:search(C, [{base, Base},
{filter, Filter},
{attributes, Attributes},
{deref, eldap2:derefFindingBaseObj()}])
end
end).
post_bind(Pool, BindDn, BindPassword) ->
ecpool:with_client(Pool,
fun(C) ->
try eldap2:simple_bind(C, BindDn, BindPassword) of
ok -> ok;
{error, Error} ->
{error, Error}
catch
error:Reason -> {error, Reason}
end
end).
init_args(ENVS) ->
DeviceDn = get_value(device_dn, ENVS),
ObjectClass = get_value(match_objectclass, ENVS),
UidAttr = get_value(username_attr, ENVS),
PasswdAttr = get_value(password_attr, ENVS),
{ok, #{device_dn => DeviceDn,
match_objectclass => ObjectClass,
username_attr => UidAttr,
password_attr => PasswdAttr}}.

View File

@ -0,0 +1,35 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ldap_sup).
-behaviour(supervisor).
-include("emqx_auth_ldap.hrl").
-export([start_link/0]).
-export([init/1]).
start_link() ->
supervisor:start_link({local, ?MODULE}, ?MODULE, []).
init([]) ->
%% LDAP Connection Pool.
{ok, Server} = application:get_env(?APP, ldap),
PoolSpec = ecpool:pool_spec(?APP, ?APP, emqx_auth_ldap_cli, Server),
{ok, {{one_for_one, 10, 100}, [PoolSpec]}}.

View File

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIJAPPYCjTmxdt/MA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNV
BAYTAkNOMREwDwYDVQQIDAhoYW5nemhvdTEMMAoGA1UECgwDRU1RMQ8wDQYDVQQD
DAZSb290Q0EwHhcNMjAwNTA4MDgwNjUyWhcNMzAwNTA2MDgwNjUyWjA/MQswCQYD
VQQGEwJDTjERMA8GA1UECAwIaGFuZ3pob3UxDDAKBgNVBAoMA0VNUTEPMA0GA1UE
AwwGUm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzcgVLex1
EZ9ON64EX8v+wcSjzOZpiEOsAOuSXOEN3wb8FKUxCdsGrsJYB7a5VM/Jot25Mod2
juS3OBMg6r85k2TWjdxUoUs+HiUB/pP/ARaaW6VntpAEokpij/przWMPgJnBF3Ur
MjtbLayH9hGmpQrI5c2vmHQ2reRZnSFbY+2b8SXZ+3lZZgz9+BaQYWdQWfaUWEHZ
uDaNiViVO0OT8DRjCuiDp3yYDj3iLWbTA/gDL6Tf5XuHuEwcOQUrd+h0hyIphO8D
tsrsHZ14j4AWYLk1CPA6pq1HIUvEl2rANx2lVUNv+nt64K/Mr3RnVQd9s8bK+TXQ
KGHd2Lv/PALYuwIDAQABo1AwTjAdBgNVHQ4EFgQUGBmW+iDzxctWAWxmhgdlE8Pj
EbQwHwYDVR0jBBgwFoAUGBmW+iDzxctWAWxmhgdlE8PjEbQwDAYDVR0TBAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAGbhRUjpIred4cFAFJ7bbYD9hKu/yzWPWkMRa
ErlCKHmuYsYk+5d16JQhJaFy6MGXfLgo3KV2itl0d+OWNH0U9ULXcglTxy6+njo5
CFqdUBPwN1jxhzo9yteDMKF4+AHIxbvCAJa17qcwUKR5MKNvv09C6pvQDJLzid7y
E2dkgSuggik3oa0427KvctFf8uhOV94RvEDyqvT5+pgNYZ2Yfga9pD/jjpoHEUlo
88IGU8/wJCx3Ds2yc8+oBg/ynxG8f/HmCC1ET6EHHoe2jlo8FpU/SgGtghS1YL30
IWxNsPrUP+XsZpBJy/mvOhE5QXo6Y35zDqqj8tI7AGmAWu22jg==
-----END CERTIFICATE-----

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDEzCCAfugAwIBAgIBAjANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJDTjER
MA8GA1UECAwIaGFuZ3pob3UxDDAKBgNVBAoMA0VNUTEPMA0GA1UEAwwGUm9vdENB
MB4XDTIwMDUwODA4MDcwNVoXDTMwMDUwNjA4MDcwNVowPzELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCGhhbmd6aG91MQwwCgYDVQQKDANFTVExDzANBgNVBAMMBlNlcnZl
cjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNeWT3pE+QFfiRJzKmn
AMUrWo3K2j/Tm3+Xnl6WLz67/0rcYrJbbKvS3uyRP/stXyXEKw9CepyQ1ViBVFkW
Aoy8qQEOWFDsZc/5UzhXUnb6LXr3qTkFEjNmhj+7uzv/lbBxlUG1NlYzSeOB6/RT
8zH/lhOeKhLnWYPXdXKsa1FL6ij4X8DeDO1kY7fvAGmBn/THh1uTpDizM4YmeI+7
4dmayA5xXvARte5h4Vu5SIze7iC057N+vymToMk2Jgk+ZZFpyXrnq+yo6RaD3ANc
lrc4FbeUQZ5a5s5Sxgs9a0Y3WMG+7c5VnVXcbjBRz/aq2NtOnQQjikKKQA8GF080
BQkCAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQEL
BQADggEBAJefnMZpaRDHQSNUIEL3iwGXE9c6PmIsQVE2ustr+CakBp3TZ4l0enLt
iGMfEVFju69cO4oyokWv+hl5eCMkHBf14Kv51vj448jowYnF1zmzn7SEzm5Uzlsa
sqjtAprnLyof69WtLU1j5rYWBuFX86yOTwRAFNjm9fvhAcrEONBsQtqipBWkMROp
iUYMkRqbKcQMdwxov+lHBYKq9zbWRoqLROAn54SRqgQk6c15JdEfgOOjShbsOkIH
UhqcwRkQic7n1zwHVGVDgNIZVgmJ2IdIWBlPEC7oLrRrBD/X1iEEXtKab6p5o22n
KB5mN+iQaE+Oe2cpGKZJiJRdM+IqDDQ=
-----END CERTIFICATE-----

View File

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDEzCCAfugAwIBAgIBATANBgkqhkiG9w0BAQsFADA/MQswCQYDVQQGEwJDTjER
MA8GA1UECAwIaGFuZ3pob3UxDDAKBgNVBAoMA0VNUTEPMA0GA1UEAwwGUm9vdENB
MB4XDTIwMDUwODA4MDY1N1oXDTMwMDUwNjA4MDY1N1owPzELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCGhhbmd6aG91MQwwCgYDVQQKDANFTVExDzANBgNVBAMMBkNsaWVu
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMy4hoksKcZBDbY680u6
TS25U51nuB1FBcGMlF9B/t057wPOlxF/OcmbxY5MwepS41JDGPgulE1V7fpsXkiW
1LUimYV/tsqBfymIe0mlY7oORahKji7zKQ2UBIVFhdlvQxunlIDnw6F9popUgyHt
dMhtlgZK8oqRwHxO5dbfoukYd6J/r+etS5q26sgVkf3C6dt0Td7B25H9qW+f7oLV
PbcHYCa+i73u9670nrpXsC+Qc7Mygwa2Kq/jwU+ftyLQnOeW07DuzOwsziC/fQZa
nbxR+8U9FNftgRcC3uP/JMKYUqsiRAuaDokARZxVTV5hUElfpO6z6/NItSDvvh3i
eikCAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcNAQEL
BQADggEBABchYxKo0YMma7g1qDswJXsR5s56Czx/I+B41YcpMBMTrRqpUC0nHtLk
M7/tZp592u/tT8gzEnQjZLKBAhFeZaR3aaKyknLqwiPqJIgg0pgsBGITrAK3Pv4z
5/YvAJJKgTe5UdeTz6U4lvNEux/4juZ4pmqH4qSFJTOzQS7LmgSmNIdd072rwXBd
UzcSHzsJgEMb88u/LDLjj1pQ7AtZ4Tta8JZTvcgBFmjB0QUi6fgkHY6oGat/W4kR
jSRUBlMUbM/drr2PVzRc2dwbFIl3X+ZE6n5Sl3ZwRAC/s92JU6CPMRW02muVu6xl
goraNgPISnrbpR6KjxLZkVembXzjNNc=
-----END CERTIFICATE-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAzLiGiSwpxkENtjrzS7pNLblTnWe4HUUFwYyUX0H+3TnvA86X
EX85yZvFjkzB6lLjUkMY+C6UTVXt+mxeSJbUtSKZhX+2yoF/KYh7SaVjug5FqEqO
LvMpDZQEhUWF2W9DG6eUgOfDoX2milSDIe10yG2WBkryipHAfE7l1t+i6Rh3on+v
561LmrbqyBWR/cLp23RN3sHbkf2pb5/ugtU9twdgJr6Lve73rvSeulewL5BzszKD
BrYqr+PBT5+3ItCc55bTsO7M7CzOIL99BlqdvFH7xT0U1+2BFwLe4/8kwphSqyJE
C5oOiQBFnFVNXmFQSV+k7rPr80i1IO++HeJ6KQIDAQABAoIBAGWgvPjfuaU3qizq
uti/FY07USz0zkuJdkANH6LiSjlchzDmn8wJ0pApCjuIE0PV/g9aS8z4opp5q/gD
UBLM/a8mC/xf2EhTXOMrY7i9p/I3H5FZ4ZehEqIw9sWKK9YzC6dw26HabB2BGOnW
5nozPSQ6cp2RGzJ7BIkxSZwPzPnVTgy3OAuPOiJytvK+hGLhsNaT+Y9bNDvplVT2
ZwYTV8GlHZC+4b2wNROILm0O86v96O+Qd8nn3fXjGHbMsAnONBq10bZS16L4fvkH
5G+W/1PeSXmtZFppdRRDxIW+DWcXK0D48WRliuxcV4eOOxI+a9N2ZJZZiNLQZGwg
w3A8+mECgYEA8HuJFrlRvdoBe2U/EwUtG74dcyy30L4yEBnN5QscXmEEikhaQCfX
Wm6EieMcIB/5I5TQmSw0cmBMeZjSXYoFdoI16/X6yMMuATdxpvhOZGdUGXxhAH+x
xoTUavWZnEqW3fkUU71kT5E2f2i+0zoatFESXHeslJyz85aAYpP92H0CgYEA2e5A
Yozt5eaA1Gyhd8SeptkEU4xPirNUnVQHStpMWUb1kzTNXrPmNWccQ7JpfpG6DcYl
zUF6p6mlzY+zkMiyPQjwEJlhiHM2NlL1QS7td0R8ewgsFoyn8WsBI4RejWrEG9td
EDniuIw+pBFkcWthnTLHwECHdzgquToyTMjrBB0CgYEA28tdGbrZXhcyAZEhHAZA
Gzog+pKlkpEzeonLKIuGKzCrEKRecIK5jrqyQsCjhS0T7ZRnL4g6i0s+umiV5M5w
fcc292pEA1h45L3DD6OlKplSQVTv55/OYS4oY3YEJtf5mfm8vWi9lQeY8sxOlQpn
O+VZTdBHmTC8PGeTAgZXHZUCgYA6Tyv88lYowB7SN2qQgBQu8jvdGtqhcs/99GCr
H3N0I69LPsKAR0QeH8OJPXBKhDUywESXAaEOwS5yrLNP1tMRz5Vj65YUCzeDG3kx
gpvY4IMp7ArX0bSRvJ6mYSFnVxy3k174G3TVCfksrtagHioVBGQ7xUg5ltafjrms
n8l55QKBgQDVzU8tQvBVqY8/1lnw11Vj4fkE/drZHJ5UkdC1eenOfSWhlSLfUJ8j
ds7vEWpRPPoVuPZYeR1y78cyxKe1GBx6Wa2lF5c7xjmiu0xbRnrxYeLolce9/ntp
asClqpnHT8/VJYTD7Kqj0fouTTZf0zkig/y+2XERppd8k+pSKjUCPQ==
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAs15ZPekT5AV+JEnMqacAxStajcraP9Obf5eeXpYvPrv/Stxi
sltsq9Le7JE/+y1fJcQrD0J6nJDVWIFUWRYCjLypAQ5YUOxlz/lTOFdSdvotevep
OQUSM2aGP7u7O/+VsHGVQbU2VjNJ44Hr9FPzMf+WE54qEudZg9d1cqxrUUvqKPhf
wN4M7WRjt+8AaYGf9MeHW5OkOLMzhiZ4j7vh2ZrIDnFe8BG17mHhW7lIjN7uILTn
s36/KZOgyTYmCT5lkWnJeuer7KjpFoPcA1yWtzgVt5RBnlrmzlLGCz1rRjdYwb7t
zlWdVdxuMFHP9qrY206dBCOKQopADwYXTzQFCQIDAQABAoIBAQCuvCbr7Pd3lvI/
n7VFQG+7pHRe1VKwAxDkx2t8cYos7y/QWcm8Ptwqtw58HzPZGWYrgGMCRpzzkRSF
V9g3wP1S5Scu5C6dBu5YIGc157tqNGXB+SpdZddJQ4Nc6yGHXYERllT04ffBGc3N
WG/oYS/1cSteiSIrsDy/91FvGRCi7FPxH3wIgHssY/tw69s1Cfvaq5lr2NTFzxIG
xCvpJKEdSfVfS9I7LYiymVjst3IOR/w76/ZFY9cRa8ZtmQSWWsm0TUpRC1jdcbkm
ZoJptYWlP+gSwx/fpMYftrkJFGOJhHJHQhwxT5X/ajAISeqjjwkWSEJLwnHQd11C
Zy2+29lBAoGBANlEAIK4VxCqyPXNKfoOOi5dS64NfvyH4A1v2+KaHWc7lqaqPN49
ezfN2n3X+KWx4cviDD914Yc2JQ1vVJjSaHci7yivocDo2OfZDmjBqzaMp/y+rX1R
/f3MmiTqMa468rjaxI9RRZu7vDgpTR+za1+OBCgMzjvAng8dJuN/5gjlAoGBANNY
uYPKtearBmkqdrSV7eTUe49Nhr0XotLaVBH37TCW0Xv9wjO2xmbm5Ga/DCtPIsBb
yPeYwX9FjoasuadUD7hRvbFu6dBa0HGLmkXRJZTcD7MEX2Lhu4BuC72yDLLFd0r+
Ep9WP7F5iJyagYqIZtz+4uf7gBvUDdmvXz3sGr1VAoGAdXTD6eeKeiI6PlhKBztF
zOb3EQOO0SsLv3fnodu7ZaHbUgLaoTMPuB17r2jgrYM7FKQCBxTNdfGZmmfDjlLB
0xZ5wL8ibU30ZXL8zTlWPElST9sto4B+FYVVF/vcG9sWeUUb2ncPcJ/Po3UAktDG
jYQTTyuNGtSJHpad/YOZctkCgYBtWRaC7bq3of0rJGFOhdQT9SwItN/lrfj8hyHA
OjpqTV4NfPmhsAtu6j96OZaeQc+FHvgXwt06cE6Rt4RG4uNPRluTFgO7XYFDfitP
vCppnoIw6S5BBvHwPP+uIhUX2bsi/dm8vu8tb+gSvo4PkwtFhEr6I9HglBKmcmog
q6waEQKBgHyecFBeM6Ls11Cd64vborwJPAuxIW7HBAFj/BS99oeG4TjBx4Sz2dFd
rzUibJt4ndnHIvCN8JQkjNG14i9hJln+H3mRss8fbZ9vQdqG+2vOWADYSzzsNI55
RFY7JjluKcVkp/zCDeUxTU3O6sS+v6/3VE11Cob6OYQx3lN5wrZ3
-----END RSA PRIVATE KEY-----

View File

@ -0,0 +1,152 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ldap_SUITE).
-compile(export_all).
-compile(nowarn_export_all).
-include_lib("emqx/include/emqx.hrl").
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-define(PID, emqx_auth_ldap).
-define(APP, emqx_auth_ldap).
-define(DeviceDN, "ou=test_device,dc=emqx,dc=io").
-define(AuthDN, "ou=test_auth,dc=emqx,dc=io").
%%--------------------------------------------------------------------
%% Setups
%%--------------------------------------------------------------------
all() ->
[{group, nossl}, {group, ssl}].
groups() ->
Cases = emqx_ct:all(?MODULE),
[{nossl, Cases}, {ssl, Cases}].
init_per_group(GrpName, Cfg) ->
Fun = fun(App) -> set_special_configs(GrpName, App) end,
emqx_ct_helpers:start_apps([emqx_auth_ldap], Fun),
Cfg.
end_per_group(_GrpName, _Cfg) ->
emqx_ct_helpers:stop_apps([emqx_auth_ldap]).
%%--------------------------------------------------------------------
%% Cases
%%--------------------------------------------------------------------
t_check_auth(_) ->
MqttUser1 = #{clientid => <<"mqttuser1">>,
username => <<"mqttuser0001">>,
password => <<"mqttuser0001">>,
zone => external},
MqttUser2 = #{clientid => <<"mqttuser2">>,
username => <<"mqttuser0002">>,
password => <<"mqttuser0002">>,
zone => external},
MqttUser3 = #{clientid => <<"mqttuser3">>,
username => <<"mqttuser0003">>,
password => <<"mqttuser0003">>,
zone => external},
MqttUser4 = #{clientid => <<"mqttuser4">>,
username => <<"mqttuser0004">>,
password => <<"mqttuser0004">>,
zone => external},
MqttUser5 = #{clientid => <<"mqttuser5">>,
username => <<"mqttuser0005">>,
password => <<"mqttuser0005">>,
zone => external},
NonExistUser1 = #{clientid => <<"mqttuser6">>,
username => <<"mqttuser0006">>,
password => <<"mqttuser0006">>,
zone => external},
NonExistUser2 = #{clientid => <<"mqttuser7">>,
username => <<"mqttuser0005">>,
password => <<"mqttuser0006">>,
zone => external},
ct:log("MqttUser: ~p", [emqx_access_control:authenticate(MqttUser1)]),
?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser1)),
?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser2)),
?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser3)),
?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser4)),
?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser5)),
?assertEqual({error, not_authorized}, emqx_access_control:authenticate(NonExistUser1)),
?assertEqual({error, bad_username_or_password}, emqx_access_control:authenticate(NonExistUser2)).
t_check_acl(_) ->
MqttUser = #{clientid => <<"mqttuser1">>, username => <<"mqttuser0001">>, zone => external},
NoMqttUser = #{clientid => <<"mqttuser2">>, username => <<"mqttuser0007">>, zone => external},
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/1">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/+">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/#">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/1">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/+">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/#">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/1">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/+">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/#">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/1">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/+">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/#">>),
deny = emqx_access_control:check_acl(NoMqttUser, publish, <<"mqttuser0001/req/mqttuser0001/+">>),
deny = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/req/mqttuser0002/+">>),
deny = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/req/+/mqttuser0002">>),
ok.
%%--------------------------------------------------------------------
%% Helpers
%%--------------------------------------------------------------------
set_special_configs(_, emqx) ->
application:set_env(emqx, allow_anonymous, false),
application:set_env(emqx, enable_acl_cache, false),
application:set_env(emqx, acl_nomatch, deny),
AclFilePath = filename:join(["test", "emqx_SUITE_data", "acl.conf"]),
application:set_env(emqx, acl_file,
emqx_ct_helpers:deps_path(emqx, AclFilePath)),
LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
set_special_configs(Ssl, emqx_auth_ldap) ->
case Ssl == ssl of
true ->
LdapOpts = application:get_env(emqx_auth_ldap, ldap, []),
Path = emqx_ct_helpers:deps_path(emqx_auth_ldap, "test/certs/"),
SslOpts = [{verify, verify_peer},
{fail_if_no_peer_cert, true},
{server_name_indication, disable},
{keyfile, Path ++ "/client-key.pem"},
{certfile, Path ++ "/client-cert.pem"},
{cacertfile, Path ++ "/cacert.pem"}],
LdapOpts1 = lists:keystore(ssl, 1, LdapOpts, {ssl, true}),
LdapOpts2 = lists:keystore(sslopts, 1, LdapOpts1, {sslopts, SslOpts}),
LdapOpts3 = lists:keystore(port, 1, LdapOpts2, {port, 636}),
application:set_env(emqx_auth_ldap, ldap, LdapOpts3);
_ ->
ok
end,
application:set_env(emqx_auth_ldap, device_dn, "ou=testdevice, dc=emqx, dc=io").

View File

@ -0,0 +1,114 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_ldap_bind_as_user_SUITE).
-compile(export_all).
-compile(no_warning_export).
-include_lib("emqx/include/emqx.hrl").
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-define(PID, emqx_auth_ldap).
-define(APP, emqx_auth_ldap).
-define(DeviceDN, "ou=test_device,dc=emqx,dc=io").
-define(AuthDN, "ou=test_auth,dc=emqx,dc=io").
all() ->
[check_auth,
check_acl].
init_per_suite(Config) ->
emqx_ct_helpers:start_apps([emqx, emqx_auth_ldap], fun set_special_configs/1),
% emqx_mod_acl_internal:unload([]),
Config.
end_per_suite(_Config) ->
emqx_ct_helpers:stop_apps([emqx_auth_ldap, emqx]).
check_auth(_) ->
MqttUser1 = #{clientid => <<"mqttuser1">>,
username => <<"user1">>,
password => <<"mqttuser0001">>,
zone => external},
MqttUser2 = #{clientid => <<"mqttuser2">>,
username => <<"user2">>,
password => <<"mqttuser0002">>,
zone => external},
NonExistUser1 = #{clientid => <<"mqttuser3">>,
username => <<"user3">>,
password => <<"mqttuser0003">>,
zone => external},
ct:log("MqttUser: ~p", [emqx_access_control:authenticate(MqttUser1)]),
?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser1)),
?assertMatch({ok, #{auth_result := success}}, emqx_access_control:authenticate(MqttUser2)),
?assertEqual({error, not_authorized}, emqx_access_control:authenticate(NonExistUser1)).
check_acl(_) ->
% emqx_modules:load_module(emqx_mod_acl_internal, false),
MqttUser = #{clientid => <<"mqttuser1">>, username => <<"user1">>, zone => external},
NoMqttUser = #{clientid => <<"mqttuser2">>, username => <<"user7">>, zone => external},
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/1">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/+">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pub/#">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/1">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/+">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/sub/#">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/1">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/+">>),
allow = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/pubsub/#">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/1">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/+">>),
allow = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/pubsub/#">>),
deny = emqx_access_control:check_acl(NoMqttUser, publish, <<"mqttuser0001/req/mqttuser0001/+">>),
deny = emqx_access_control:check_acl(MqttUser, publish, <<"mqttuser0001/req/mqttuser0002/+">>),
deny = emqx_access_control:check_acl(MqttUser, subscribe, <<"mqttuser0001/req/+/mqttuser0002">>),
ok.
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, false),
application:set_env(emqx, enable_acl_cache, false),
application:set_env(emqx, acl_nomatch, deny),
AclFilePath = filename:join(["test", "emqx_SUITE_data", "acl.conf"]),
application:set_env(emqx, acl_file,
emqx_ct_helpers:deps_path(emqx, AclFilePath)),
LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
set_special_configs(emqx_auth_ldap) ->
application:set_env(emqx_auth_ldap, bind_as_user, true),
application:set_env(emqx_auth_ldap, device_dn, "ou=testdevice, dc=emqx, dc=io"),
application:set_env(emqx_auth_ldap, custom_base_dn, "${device_dn}"),
%% auth.ldap.filters.1.key = mqttAccountName
%% auth.ldap.filters.1.value = ${user}
%% auth.ldap.filters.1.op = and
%% auth.ldap.filters.2.key = objectClass
%% auth.ldap.filters.1.value = mqttUser
application:set_env(emqx_auth_ldap, filters, [{"mqttAccountName", "${user}"},
"and",
{"objectClass", "mqttUser"}]);
set_special_configs(_App) ->
ok.

View File

@ -0,0 +1,29 @@
name: Run test cases
on: [push, pull_request]
jobs:
run_test_cases:
runs-on: ubuntu-latest
container:
image: erlang:22.1
steps:
- uses: actions/checkout@v1
- name: run test cases
run: |
make xref
make eunit
make ct
make cover
- uses: actions/upload-artifact@v1
if: always()
with:
name: logs
path: _build/test/logs
- uses: actions/upload-artifact@v1
with:
name: cover
path: _build/test/cover

26
apps/emqx_auth_mnesia/.gitignore vendored Normal file
View File

@ -0,0 +1,26 @@
.eunit
deps
*.o
*.beam
*.plt
erl_crash.dump
ebin
rel/example_project
.concrete/DEV_MODE
.rebar
.erlang.mk/
emqx_auth_mnesia.d
data/
_build/
.DS_Store
cover/
ct.coverdata
eunit.coverdata
logs/
test/ct.cover.spec
rebar.lock
rebar3.crashdump
erlang.mk
.*.swp
.rebar3/
etc/emqx_auth_mnesia.conf.rendered

View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

View File

@ -0,0 +1,28 @@
## shallow clone for speed
REBAR_GIT_CLONE_OPTIONS += --depth 1
export REBAR_GIT_CLONE_OPTIONS
REBAR = rebar3
all: compile
compile:
$(REBAR) compile
ct: compile
$(REBAR) as test ct -v
eunit: compile
$(REBAR) as test eunit
xref:
$(REBAR) xref
cover:
$(REBAR) cover
clean: distclean
distclean:
@rm -rf _build
@rm -f data/app.*.config data/vm.*.args rebar.lock

View File

@ -0,0 +1,2 @@
emqx_auth_mnesia
===============

View File

@ -0,0 +1,30 @@
## Password hash.
##
## Value: plain | md5 | sha | sha256 | sha512
auth.mnesia.password_hash = sha256
##--------------------------------------------------------------------
## ClientId Authentication
##--------------------------------------------------------------------
## Examples
##auth.client.1.clientid = id
##auth.client.1.password = passwd
##auth.client.2.clientid = dev:devid
##auth.client.2.password = passwd2
##auth.client.3.clientid = app:appid
##auth.client.3.password = passwd3
##auth.client.4.clientid = client~!@#$%^&*()_+
##auth.client.4.password = passwd~!@#$%^&*()_+
##--------------------------------------------------------------------
## Username Authentication
##--------------------------------------------------------------------
## Examples:
##auth.user.1.username = admin
##auth.user.1.password = public
##auth.user.2.username = feng@emqtt.io
##auth.user.2.password = public
##auth.user.3.username = name~!@#$%^&*()_+
##auth.user.3.password = pwsswd~!@#$%^&*()_+

View File

@ -0,0 +1,38 @@
-define(APP, emqx_auth_mnesia).
-type(login():: {clientid, binary()}
| {username, binary()}).
-record(emqx_user, {
login :: login(),
password :: binary(),
created_at :: integer()
}).
-record(emqx_acl, {
filter:: {login() | all, emqx_topic:topic()},
action :: pub | sub | pubsub,
access :: allow | deny,
created_at :: integer()
}).
-record(auth_metrics, {
success = 'client.auth.success',
failure = 'client.auth.failure',
ignore = 'client.auth.ignore'
}).
-record(acl_metrics, {
allow = 'client.acl.allow',
deny = 'client.acl.deny',
ignore = 'client.acl.ignore'
}).
-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
-define(METRICS(Type, K), #Type{}#Type.K).
-define(AUTH_METRICS, ?METRICS(auth_metrics)).
-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
-define(ACL_METRICS, ?METRICS(acl_metrics)).
-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

View File

@ -0,0 +1,43 @@
%%-*- mode: erlang -*-
%% emqx_auth_mnesia config mapping
{mapping, "auth.mnesia.password_hash", "emqx_auth_mnesia.password_hash", [
{default, sha256},
{datatype, {enum, [plain, md5, sha, sha256, sha512]}}
]}.
{mapping, "auth.client.$id.clientid", "emqx_auth_mnesia.clientid_list", [
{datatype, string}
]}.
{mapping, "auth.client.$id.password", "emqx_auth_mnesia.clientid_list", [
{datatype, string}
]}.
{translation, "emqx_auth_mnesia.clientid_list", fun(Conf) ->
ClientList = cuttlefish_variable:filter_by_prefix("auth.client", Conf),
lists:foldl(
fun({["auth", "client", Id, "clientid"], ClientId}, AccIn) ->
[{ClientId, cuttlefish:conf_get("auth.client." ++ Id ++ ".password", Conf)} | AccIn];
(_, AccIn) ->
AccIn
end, [], ClientList)
end}.
{mapping, "auth.user.$id.username", "emqx_auth_mnesia.username_list", [
{datatype, string}
]}.
{mapping, "auth.user.$id.password", "emqx_auth_mnesia.username_list", [
{datatype, string}
]}.
{translation, "emqx_auth_mnesia.username_list", fun(Conf) ->
Userlist = cuttlefish_variable:filter_by_prefix("auth.user", Conf),
lists:foldl(
fun({["auth", "user", Id, "username"], Username}, AccIn) ->
[{Username, cuttlefish:conf_get("auth.user." ++ Id ++ ".password", Conf)} | AccIn];
(_, AccIn) ->
AccIn
end, [], Userlist)
end}.

View File

@ -0,0 +1,29 @@
{minimum_otp_vsn, "21"}.
{deps,
[{emqx_passwd, {git, "https://github.com/emqx/emqx-passwd.git", {tag, "v1.1.1"}}},
{minirest, {git, "https://github.com/emqx/minirest.git", {tag, "0.3.2"}}}
]}.
{profiles,
[{test,
[{deps,
[{emqx_ct_helpers, {git, "https://github.com/emqx/emqx-ct-helpers", {tag, "v1.2.2"}}}
]}
]}
]}.
{erl_opts, [warn_unused_vars,
warn_shadow_vars,
warn_unused_import,
warn_obsolete_guard,
debug_info,
{parse_transform}]}.
{xref_checks, [undefined_function_calls, undefined_functions,
locals_not_used, deprecated_function_calls,
warnings_as_errors, deprecated_functions]}.
{cover_enabled, true}.
{cover_opts, [verbose]}.
{cover_export_enabled, true}.

View File

@ -0,0 +1,54 @@
%%-*- mode: erlang -*-
DEPS = case lists:keyfind(deps, 1, CONFIG) of
{_, Deps} -> Deps;
_ -> []
end,
ComparingFun = fun
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2) -> _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2) -> true;
_Fun(_, _) -> false
end,
SortFun = fun(T1, T2) ->
C = fun(T) ->
[case catch list_to_integer(E) of
I when is_integer(I) -> I;
_ -> E
end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
end,
ComparingFun(C(T1), C(T2))
end,
VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
Tags = case VTags of
[] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
_ -> VTags
end,
LatestTag = lists:last(lists:sort(SortFun, Tags)),
Branch = case os:getenv("GITHUB_RUN_ID") of
false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
_ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
end,
GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
match -> {branch, Branch};
_ -> {tag, LatestTag}
end,
UrlPrefix = "https://github.com/emqx/",
EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
CONFIG1.

View File

@ -0,0 +1,103 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_acl_mnesia).
-include("emqx_auth_mnesia.hrl").
-include_lib("stdlib/include/ms_transform.hrl").
-define(TABLE, emqx_acl).
%% ACL Callbacks
-export([ init/0
, register_metrics/0
, check_acl/5
, description/0
]).
init() ->
ok = ekka_mnesia:create_table(emqx_acl, [
{disc_copies, [node()]},
{attributes, record_info(fields, emqx_acl)},
{storage_properties, [{ets, [{read_concurrency, true}]}]}]),
ok = ekka_mnesia:copy_table(emqx_acl, disc_copies).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
check_acl(ClientInfo = #{ clientid := Clientid }, PubSub, Topic, _NoMatchAction, _Params) ->
Username = maps:get(username, ClientInfo, undefined),
Acls = case Username of
undefined ->
emqx_acl_mnesia_cli:lookup_acl({clientid, Clientid}) ++
emqx_acl_mnesia_cli:lookup_acl(all);
_ ->
emqx_acl_mnesia_cli:lookup_acl({clientid, Clientid}) ++
emqx_acl_mnesia_cli:lookup_acl({username, Username}) ++
emqx_acl_mnesia_cli:lookup_acl(all)
end,
case match(ClientInfo, PubSub, Topic, Acls) of
allow ->
emqx_metrics:inc(?ACL_METRICS(allow)),
{stop, allow};
deny ->
emqx_metrics:inc(?ACL_METRICS(deny)),
{stop, deny};
_ ->
emqx_metrics:inc(?ACL_METRICS(ignore)),
ok
end.
description() -> "Acl with Mnesia".
%%--------------------------------------------------------------------
%% Internal functions
%%-------------------------------------------------------------------
match(_ClientInfo, _PubSub, _Topic, []) ->
nomatch;
match(ClientInfo, PubSub, Topic, [ {_, ACLTopic, Action, Access, _} | Acls]) ->
case match_actions(PubSub, Action) andalso match_topic(ClientInfo, Topic, ACLTopic) of
true -> Access;
false -> match(ClientInfo, PubSub, Topic, Acls)
end.
match_topic(ClientInfo, Topic, ACLTopic) when is_binary(Topic) ->
emqx_topic:match(Topic, feed_var(ClientInfo, ACLTopic)).
match_actions(_, pubsub) -> true;
match_actions(subscribe, sub) -> true;
match_actions(publish, pub) -> true;
match_actions(_, _) -> false.
feed_var(ClientInfo, Pattern) ->
feed_var(ClientInfo, emqx_topic:words(Pattern), []).
feed_var(_ClientInfo, [], Acc) ->
emqx_topic:join(lists:reverse(Acc));
feed_var(ClientInfo = #{clientid := undefined}, [<<"%c">>|Words], Acc) ->
feed_var(ClientInfo, Words, [<<"%c">>|Acc]);
feed_var(ClientInfo = #{clientid := ClientId}, [<<"%c">>|Words], Acc) ->
feed_var(ClientInfo, Words, [ClientId |Acc]);
feed_var(ClientInfo = #{username := undefined}, [<<"%u">>|Words], Acc) ->
feed_var(ClientInfo, Words, [<<"%u">>|Acc]);
feed_var(ClientInfo = #{username := Username}, [<<"%u">>|Words], Acc) ->
feed_var(ClientInfo, Words, [Username|Acc]);
feed_var(ClientInfo, [W|Words], Acc) ->
feed_var(ClientInfo, Words, [W|Acc]).

View File

@ -0,0 +1,237 @@
%c%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_acl_mnesia_api).
-include("emqx_auth_mnesia.hrl").
-include_lib("stdlib/include/ms_transform.hrl").
-import(proplists, [ get_value/2
, get_value/3
]).
-import(minirest, [return/1]).
-rest_api(#{name => list_clientid,
method => 'GET',
path => "/acl/clientid",
func => list_clientid,
descr => "List available mnesia in the cluster"
}).
-rest_api(#{name => list_username,
method => 'GET',
path => "/acl/username",
func => list_username,
descr => "List available mnesia in the cluster"
}).
-rest_api(#{name => list_all,
method => 'GET',
path => "/acl/$all",
func => list_all,
descr => "List available mnesia in the cluster"
}).
-rest_api(#{name => lookup_clientid,
method => 'GET',
path => "/acl/clientid/:bin:clientid",
func => lookup,
descr => "Lookup mnesia in the cluster"
}).
-rest_api(#{name => lookup_username,
method => 'GET',
path => "/acl/username/:bin:username",
func => lookup,
descr => "Lookup mnesia in the cluster"
}).
-rest_api(#{name => add,
method => 'POST',
path => "/acl",
func => add,
descr => "Add mnesia in the cluster"
}).
-rest_api(#{name => delete_clientid,
method => 'DELETE',
path => "/acl/clientid/:bin:clientid/topic/:bin:topic",
func => delete,
descr => "Delete mnesia in the cluster"
}).
-rest_api(#{name => delete_username,
method => 'DELETE',
path => "/acl/username/:bin:username/topic/:bin:topic",
func => delete,
descr => "Delete mnesia in the cluster"
}).
-rest_api(#{name => delete_all,
method => 'DELETE',
path => "/acl/$all/topic/:bin:topic",
func => delete,
descr => "Delete mnesia in the cluster"
}).
-export([ list_clientid/2
, list_username/2
, list_all/2
, lookup/2
, add/2
, delete/2
]).
list_clientid(_Bindings, Params) ->
MatchSpec = ets:fun2ms(
fun({emqx_acl, {{clientid, Clientid}, Topic}, Action, Access, CreatedAt}) -> {{clientid,Clientid}, Topic, Action,Access, CreatedAt} end),
return({ok, emqx_auth_mnesia_api:paginate(emqx_acl, MatchSpec, Params, fun emqx_acl_mnesia_cli:comparing/2, fun format/1)}).
list_username(_Bindings, Params) ->
MatchSpec = ets:fun2ms(
fun({emqx_acl, {{username, Username}, Topic}, Action, Access, CreatedAt}) -> {{username, Username}, Topic, Action,Access, CreatedAt} end),
return({ok, emqx_auth_mnesia_api:paginate(emqx_acl, MatchSpec, Params, fun emqx_acl_mnesia_cli:comparing/2, fun format/1)}).
list_all(_Bindings, Params) ->
MatchSpec = ets:fun2ms(
fun({emqx_acl, {all, Topic}, Action, Access, CreatedAt}) -> {all, Topic, Action,Access, CreatedAt}end
),
return({ok, emqx_auth_mnesia_api:paginate(emqx_acl, MatchSpec, Params, fun emqx_acl_mnesia_cli:comparing/2, fun format/1)}).
lookup(#{clientid := Clientid}, _Params) ->
return({ok, format(emqx_acl_mnesia_cli:lookup_acl({clientid, urldecode(Clientid)}))});
lookup(#{username := Username}, _Params) ->
return({ok, format(emqx_acl_mnesia_cli:lookup_acl({username, urldecode(Username)}))}).
add(_Bindings, Params) ->
[ P | _] = Params,
case is_list(P) of
true -> return(do_add(Params, []));
false ->
Re = do_add(Params),
case Re of
#{result := ok} -> return({ok, Re});
#{result := <<"ok">>} -> return({ok, Re});
_ -> return({error, Re})
end
end.
do_add([ Params | ParamsN ], ReList) ->
do_add(ParamsN, [do_add(Params) | ReList]);
do_add([], ReList) ->
{ok, ReList}.
do_add(Params) ->
Clientid = get_value(<<"clientid">>, Params, undefined),
Username = get_value(<<"username">>, Params, undefined),
Login = case {Clientid, Username} of
{undefined, undefined} -> all;
{_, undefined} -> {clientid, urldecode(Clientid)};
{undefined, _} -> {username, urldecode(Username)}
end,
Topic = urldecode(get_value(<<"topic">>, Params)),
Action = urldecode(get_value(<<"action">>, Params)),
Access = urldecode(get_value(<<"access">>, Params)),
Re = case validate([login, topic, action, access], [Login, Topic, Action, Access]) of
ok ->
emqx_acl_mnesia_cli:add_acl(Login, Topic, erlang:binary_to_atom(Action, utf8), erlang:binary_to_atom(Access, utf8));
Err -> Err
end,
maps:merge(#{topic => Topic,
action => Action,
access => Access,
result => format_msg(Re)
}, case Login of
all -> #{all => '$all'};
_ -> maps:from_list([Login])
end).
delete(#{clientid := Clientid, topic := Topic}, _) ->
return(emqx_acl_mnesia_cli:remove_acl({clientid, urldecode(Clientid)}, urldecode(Topic)));
delete(#{username := Username, topic := Topic}, _) ->
return(emqx_acl_mnesia_cli:remove_acl({username, urldecode(Username)}, urldecode(Topic)));
delete(#{topic := Topic}, _) ->
return(emqx_acl_mnesia_cli:remove_acl(all, urldecode(Topic))).
%%------------------------------------------------------------------------------
%% Interval Funcs
%%------------------------------------------------------------------------------
format({{clientid, Clientid}, Topic, Action, Access, _CreatedAt}) ->
#{clientid => Clientid, topic => Topic, action => Action, access => Access};
format({{username, Username}, Topic, Action, Access, _CreatedAt}) ->
#{username => Username, topic => Topic, action => Action, access => Access};
format({all, Topic, Action, Access, _CreatedAt}) ->
#{all => '$all', topic => Topic, action => Action, access => Access};
format(List) when is_list(List) ->
format(List, []).
format([L | List], Relist) ->
format(List, [format(L) | Relist]);
format([], ReList) -> lists:reverse(ReList).
validate([], []) ->
ok;
validate([K|Keys], [V|Values]) ->
case do_validation(K, V) of
false -> {error, K};
true -> validate(Keys, Values)
end.
do_validation(login, all) ->
true;
do_validation(login, {clientid, V}) when is_binary(V)
andalso byte_size(V) > 0->
true;
do_validation(login, {username, V}) when is_binary(V)
andalso byte_size(V) > 0->
true;
do_validation(clientid, V) when is_binary(V)
andalso byte_size(V) > 0 ->
true;
do_validation(username, V) when is_binary(V)
andalso byte_size(V) > 0 ->
true;
do_validation(topic, V) when is_binary(V)
andalso byte_size(V) > 0 ->
true;
do_validation(action, V) when is_binary(V) ->
case V =:= <<"pub">> orelse V =:= <<"sub">> orelse V =:= <<"pubsub">> of
true -> true;
false -> false
end;
do_validation(access, V) when V =:= <<"allow">> orelse V =:= <<"deny">> ->
true;
do_validation(_, _) ->
false.
format_msg(Message)
when is_atom(Message);
is_binary(Message) -> Message;
format_msg(Message) when is_tuple(Message) ->
iolist_to_binary(io_lib:format("~p", [Message])).
-if(?OTP_RELEASE >= 23).
urldecode(S) ->
[{R, _}] = uri_string:dissect_query(S), R.
-else.
urldecode(S) ->
http_uri:decode(S).
-endif.

View File

@ -0,0 +1,198 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_acl_mnesia_cli).
-include("emqx_auth_mnesia.hrl").
-include_lib("emqx/include/logger.hrl").
-include_lib("stdlib/include/ms_transform.hrl").
-define(TABLE, emqx_acl).
%% Acl APIs
-export([ add_acl/4
, lookup_acl/1
, all_acls/0
, all_acls/1
, remove_acl/2
]).
-export([cli/1]).
-export([comparing/2]).
%%--------------------------------------------------------------------
%% Acl API
%%--------------------------------------------------------------------
%% @doc Add Acls
-spec(add_acl(login() |all, emqx_topic:topic(), pub | sub| pubsub, allow | deny) -> ok | {error, any()}).
add_acl(Login, Topic, Action, Access) ->
Acls = #?TABLE{
filter = {Login, Topic},
action = Action,
access = Access,
created_at = erlang:system_time(millisecond)
},
ret(mnesia:transaction(fun mnesia:write/1, [Acls])).
%% @doc Lookup acl by login
-spec(lookup_acl(login() | all) -> list()).
lookup_acl(undefined) -> [];
lookup_acl(Login) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {Filter, ACLTopic}, Action, Access, CreatedAt})
when Filter =:= Login -> {Filter, ACLTopic, Action, Access, CreatedAt} end),
lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec)).
%% @doc Remove acl
-spec(remove_acl(login() | all, emqx_topic:topic()) -> ok | {error, any()}).
remove_acl(Login, Topic) ->
ret(mnesia:transaction(fun mnesia:delete/1, [{?TABLE, {Login, Topic}}])).
%% @doc All logins
-spec(all_acls() -> list()).
all_acls() ->
all_acls(clientid) ++
all_acls(username) ++
all_acls(all).
all_acls(clientid) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {{clientid, Clientid}, Topic}, Action, Access, CreatedAt}) -> {{clientid, Clientid}, Topic, Action, Access, CreatedAt} end),
lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec));
all_acls(username) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {{username, Username}, Topic}, Action, Access, CreatedAt}) -> {{username, Username}, Topic, Action, Access, CreatedAt} end),
lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec));
all_acls(all) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {all, Topic}, Action, Access, CreatedAt}) -> {all, Topic, Action, Access, CreatedAt} end),
lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec)).
%%--------------------------------------------------------------------
%% Internal functions
%%--------------------------------------------------------------------
comparing({_, _, _, _, CreatedAt1},
{_, _, _, _, CreatedAt2}) ->
CreatedAt1 >= CreatedAt2.
ret({atomic, ok}) -> ok;
ret({aborted, Error}) -> {error, Error}.
validate(action, "pub") -> true;
validate(action, "sub") -> true;
validate(action, "pubsub") -> true;
validate(access, "allow") -> true;
validate(access, "deny") -> true;
validate(_, _) -> false.
%%--------------------------------------------------------------------
%% ACL Cli
%%--------------------------------------------------------------------
cli(["list"]) ->
[ begin
case Filter of
{clientid, Clientid} ->
emqx_ctl:print("Acl(clientid = ~p topic = ~p action = ~p access = ~p)~n",[Clientid, Topic, Action, Access]);
{username, Username} ->
emqx_ctl:print("Acl(username = ~p topic = ~p action = ~p access = ~p)~n",[Username, Topic, Action, Access]);
all ->
emqx_ctl:print("Acl($all topic = ~p action = ~p access = ~p)~n",[Topic, Action, Access])
end
end || {Filter, Topic, Action, Access, _} <- all_acls()];
cli(["list", "clientid"]) ->
[emqx_ctl:print("Acl(clientid = ~p topic = ~p action = ~p access = ~p)~n",[Clientid, Topic, Action, Access])
|| {{clientid, Clientid}, Topic, Action, Access, _} <- all_acls(clientid) ];
cli(["list", "username"]) ->
[emqx_ctl:print("Acl(username = ~p topic = ~p action = ~p access = ~p)~n",[Username, Topic, Action, Access])
|| {{username, Username}, Topic, Action, Access, _} <- all_acls(username) ];
cli(["list", "_all"]) ->
[emqx_ctl:print("Acl($all topic = ~p action = ~p access = ~p)~n",[Topic, Action, Access])
|| {all, Topic, Action, Access, _} <- all_acls(all) ];
cli(["add", "clientid", Clientid, Topic, Action, Access]) ->
case validate(action, Action) andalso validate(access, Access) of
true ->
case add_acl({clientid, iolist_to_binary(Clientid)}, iolist_to_binary(Topic), list_to_existing_atom(Action), list_to_existing_atom(Access)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
_ ->
emqx_ctl:print("Error: Input is illegal~n")
end;
cli(["add", "username", Username, Topic, Action, Access]) ->
case validate(action, Action) andalso validate(access, Access) of
true ->
case add_acl({username, iolist_to_binary(Username)}, iolist_to_binary(Topic), list_to_existing_atom(Action), list_to_existing_atom(Access)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
_ ->
emqx_ctl:print("Error: Input is illegal~n")
end;
cli(["add", "_all", Topic, Action, Access]) ->
case validate(action, Action) andalso validate(access, Access) of
true ->
case add_acl(all, iolist_to_binary(Topic), list_to_existing_atom(Action), list_to_existing_atom(Access)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
_ ->
emqx_ctl:print("Error: Input is illegal~n")
end;
cli(["show", "clientid", Clientid]) ->
[emqx_ctl:print("Acl(clientid = ~p topic = ~p action = ~p access = ~p)~n",[NClientid, Topic, Action, Access])
|| {{clientid, NClientid}, Topic, Action, Access, _} <- lookup_acl({clientid, iolist_to_binary(Clientid)}) ];
cli(["show", "username", Username]) ->
[emqx_ctl:print("Acl(username = ~p topic = ~p action = ~p access = ~p)~n",[NUsername, Topic, Action, Access])
|| {{username, NUsername}, Topic, Action, Access, _} <- lookup_acl({username, iolist_to_binary(Username)}) ];
cli(["del", "clientid", Clientid, Topic])->
case remove_acl({clientid, iolist_to_binary(Clientid)}, iolist_to_binary(Topic)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
cli(["del", "username", Username, Topic])->
case remove_acl({username, iolist_to_binary(Username)}, iolist_to_binary(Topic)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
cli(["del", "_all", Topic])->
case remove_acl(all, iolist_to_binary(Topic)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
cli(_) ->
emqx_ctl:usage([ {"acl list clientid","List clientid acls"}
, {"acl list username","List username acls"}
, {"acl list _all","List $all acls"}
, {"acl show clientid <Clientid>", "Lookup clientid acl detail"}
, {"acl show username <Username>", "Lookup username acl detail"}
, {"acl aad clientid <Clientid> <Topic> <Action> <Access>", "Add clientid acl"}
, {"acl add Username <Username> <Topic> <Action> <Access>", "Add username acl"}
, {"acl add _all <Topic> <Action> <Access>", "Add $all acl"}
, {"acl del clientid <Clientid> <Topic>", "Delete clientid acl"}
, {"acl del username <Username> <Topic>", "Delete username acl"}
, {"acl del _all <Topic>", "Delete $all acl"}
]).

View File

@ -0,0 +1,14 @@
{application, emqx_auth_mnesia,
[{description, "EMQ X Authentication with Mnesia"},
{vsn, "git"},
{modules, []},
{registered, []},
{applications, [kernel,stdlib,mnesia]},
{mod, {emqx_auth_mnesia_app,[]}},
{env, []},
{licenses, ["Apache-2.0"]},
{maintainers, ["EMQ X Team <contact@emqx.io>"]},
{links, [{"Homepage", "https://emqx.io/"},
{"Github", "https://github.com/emqx/emqx-auth-mnesia"}
]}
]}.

View File

@ -0,0 +1,24 @@
%%-*- mode: erlang -*-
%% .app.src.script
RemoveLeadingV =
fun(Tag) ->
case re:run(Tag, "^[v|e]?[0-9]\.[0-9]\.([0-9]|(rc|beta|alpha)\.[0-9])", [{capture, none}]) of
nomatch ->
re:replace(Tag, "/", "-", [{return ,list}]);
_ ->
%% if it is a version number prefixed by 'v' or 'e', then remove it
re:replace(Tag, "[v|e]", "", [{return ,list}])
end
end,
case os:getenv("EMQX_DEPS_DEFAULT_VSN") of
false -> CONFIG; % env var not defined
[] -> CONFIG; % env var set to empty string
Tag ->
[begin
AppConf0 = lists:keystore(vsn, 1, AppConf, {vsn, RemoveLeadingV(Tag)}),
{application, App, AppConf0}
end || Conf = {application, App, AppConf} <- CONFIG]
end.

View File

@ -0,0 +1,39 @@
%% -*-: erlang -*-
{VSN,
[
{"4.2.2", [
{load_module, emqx_auth_mnesia_app},
{load_module, emqx_auth_mnesia_cli},
{load_module, emqx_acl_mnesia_cli},
{apply, {emqx_ctl, unregister_command, [username]}}
]},
{"4.2.1", [
{load_module, emqx_auth_mnesia_app},
{load_module, emqx_auth_mnesia_cli},
{load_module, emqx_acl_mnesia_cli},
{apply, {emqx_ctl, unregister_command, [username]}}
]},
{"4.2.0", [
{restart_application, emqx_auth_mnesia}
]},
{<<".*">>, []}
],
[
{"4.2.2", [
{load_module, emqx_auth_mnesia_app},
{load_module, emqx_auth_mnesia_cli},
{load_module, emqx_acl_mnesia_cli},
{apply, {emqx_ctl, register_command, [username, {emqx_auth_mnesia_cli, auth_username_cli}, []]}}
]},
{"4.2.1", [
{load_module, emqx_auth_mnesia_app},
{load_module, emqx_auth_mnesia_cli},
{load_module, emqx_acl_mnesia_cli},
{apply, {emqx_ctl, register_command, [username, {emqx_auth_mnesia_cli, auth_username_cli}, []]}}
]},
{"4.2.0", [
{restart_application, emqx_auth_mnesia}
]},
{<<".*">>, []}
]
}.

View File

@ -0,0 +1,109 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_mnesia).
-include("emqx_auth_mnesia.hrl").
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/logger.hrl").
-include_lib("emqx/include/types.hrl").
-include_lib("stdlib/include/ms_transform.hrl").
-define(TABLE, emqx_user).
%% Auth callbacks
-export([ init/1
, register_metrics/0
, check/3
, description/0
]).
init(#{clientid_list := ClientidList, username_list := UsernameList}) ->
ok = ekka_mnesia:create_table(emqx_user, [
{disc_copies, [node()]},
{attributes, record_info(fields, emqx_user)},
{storage_properties, [{ets, [{read_concurrency, true}]}]}]),
[ add_default_user({{clientid, iolist_to_binary(Clientid)}, iolist_to_binary(Password)})
|| {Clientid, Password} <- ClientidList],
[ add_default_user({{username, iolist_to_binary(Username)}, iolist_to_binary(Password)})
|| {Username, Password} <- UsernameList],
ok = ekka_mnesia:copy_table(emqx_user, disc_copies).
%% @private
add_default_user({Login, Password}) when is_tuple(Login) ->
emqx_auth_mnesia_cli:add_user(Login, Password).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?AUTH_METRICS).
check(ClientInfo = #{ clientid := Clientid
, password := NPassword
}, AuthResult, #{hash_type := HashType}) ->
Username = maps:get(username, ClientInfo, undefined),
MatchSpec = ets:fun2ms(fun({?TABLE, {clientid, X }, Password, InterTime}) when X =:= Clientid-> Password;
({?TABLE, {username, X }, Password, InterTime}) when X =:= Username andalso X =/= undefined -> Password
end),
case ets:select(?TABLE, MatchSpec) of
[] ->
emqx_metrics:inc(?AUTH_METRICS(ignore)),
ok;
List ->
case match_password(NPassword, HashType, List) of
false ->
?LOG(error, "[Mnesia] Auth from mnesia failed: ~p", [ClientInfo]),
emqx_metrics:inc(?AUTH_METRICS(failure)),
{stop, AuthResult#{anonymous => false, auth_result => password_error}};
_ ->
emqx_metrics:inc(?AUTH_METRICS(success)),
{stop, AuthResult#{anonymous => false, auth_result => success}}
end
end.
description() -> "Authentication with Mnesia".
match_password(Password, HashType, HashList) ->
lists:any(
fun(Secret) ->
case is_salt_hash(Secret, HashType) of
true ->
<<Salt:4/binary, Hash/binary>> = Secret,
Hash =:= hash(Password, Salt, HashType);
_ ->
Secret =:= hash(Password, HashType)
end
end, HashList).
hash(undefined, HashType) ->
hash(<<>>, HashType);
hash(Password, HashType) ->
emqx_passwd:hash(HashType, Password).
hash(undefined, SaltBin, HashType) ->
hash(<<>>, SaltBin, HashType);
hash(Password, SaltBin, HashType) ->
emqx_passwd:hash(HashType, <<SaltBin/binary, Password/binary>>).
is_salt_hash(_, plain) ->
true;
is_salt_hash(Secret, HashType) ->
not (byte_size(Secret) == len(HashType)).
len(md5) -> 32;
len(sha) -> 40;
len(sha256) -> 64;
len(sha512) -> 128.

View File

@ -0,0 +1,319 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_mnesia_api).
-include_lib("stdlib/include/qlc.hrl").
-include_lib("stdlib/include/ms_transform.hrl").
-define(TABLE, emqx_user).
-import(proplists, [get_value/2]).
-import(minirest, [return/1]).
-export([paginate/5]).
-export([ list_clientid/2
, lookup_clientid/2
, add_clientid/2
, update_clientid/2
, delete_clientid/2
]).
-rest_api(#{name => list_clientid,
method => 'GET',
path => "/auth_clientid",
func => list_clientid,
descr => "List available clientid in the cluster"
}).
-rest_api(#{name => lookup_clientid,
method => 'GET',
path => "/auth_clientid/:bin:clientid",
func => lookup_clientid,
descr => "Lookup clientid in the cluster"
}).
-rest_api(#{name => add_clientid,
method => 'POST',
path => "/auth_clientid",
func => add_clientid,
descr => "Add clientid in the cluster"
}).
-rest_api(#{name => update_clientid,
method => 'PUT',
path => "/auth_clientid/:bin:clientid",
func => update_clientid,
descr => "Update clientid in the cluster"
}).
-rest_api(#{name => delete_clientid,
method => 'DELETE',
path => "/auth_clientid/:bin:clientid",
func => delete_clientid,
descr => "Delete clientid in the cluster"
}).
-export([ list_username/2
, lookup_username/2
, add_username/2
, update_username/2
, delete_username/2
]).
-rest_api(#{name => list_username,
method => 'GET',
path => "/auth_username",
func => list_username,
descr => "List available username in the cluster"
}).
-rest_api(#{name => lookup_username,
method => 'GET',
path => "/auth_username/:bin:username",
func => lookup_username,
descr => "Lookup username in the cluster"
}).
-rest_api(#{name => add_username,
method => 'POST',
path => "/auth_username",
func => add_username,
descr => "Add username in the cluster"
}).
-rest_api(#{name => update_username,
method => 'PUT',
path => "/auth_username/:bin:username",
func => update_username,
descr => "Update username in the cluster"
}).
-rest_api(#{name => delete_username,
method => 'DELETE',
path => "/auth_username/:bin:username",
func => delete_username,
descr => "Delete username in the cluster"
}).
%%------------------------------------------------------------------------------
%% Auth Clientid Api
%%------------------------------------------------------------------------------
list_clientid(_Bindings, Params) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {clientid, Clientid}, Password, CreatedAt}) -> {?TABLE, {clientid, Clientid}, Password, CreatedAt} end),
return({ok, paginate(?TABLE, MatchSpec, Params, fun emqx_auth_mnesia_cli:comparing/2, fun({?TABLE, {clientid, X}, _, _}) -> #{clientid => X} end)}).
lookup_clientid(#{clientid := Clientid}, _Params) ->
return({ok, format(emqx_auth_mnesia_cli:lookup_user({clientid, urldecode(Clientid)}))}).
add_clientid(_Bindings, Params) ->
[ P | _] = Params,
case is_list(P) of
true -> return(do_add_clientid(Params, []));
false ->
Re = do_add_clientid(Params),
case Re of
ok -> return(ok);
<<"ok">> -> return(ok);
_ -> return({error, format_msg(Re)})
end
end.
do_add_clientid([ Params | ParamsN ], ReList ) ->
Clientid = urldecode(get_value(<<"clientid">>, Params)),
do_add_clientid(ParamsN, [{Clientid, format_msg(do_add_clientid(Params))} | ReList]);
do_add_clientid([], ReList) ->
{ok, ReList}.
do_add_clientid(Params) ->
Clientid = urldecode(get_value(<<"clientid">>, Params)),
Password = urldecode(get_value(<<"password">>, Params)),
Login = {clientid, Clientid},
case validate([login, password], [Login, Password]) of
ok ->
emqx_auth_mnesia_cli:add_user(Login, Password);
Err -> Err
end.
update_clientid(#{clientid := Clientid}, Params) ->
Password = get_value(<<"password">>, Params),
case validate([password], [Password]) of
ok -> return(emqx_auth_mnesia_cli:update_user({clientid, urldecode(Clientid)}, urldecode(Password)));
Err -> return(Err)
end.
delete_clientid(#{clientid := Clientid}, _) ->
return(emqx_auth_mnesia_cli:remove_user({clientid, urldecode(Clientid)})).
%%------------------------------------------------------------------------------
%% Auth Username Api
%%------------------------------------------------------------------------------
list_username(_Bindings, Params) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {username, Username}, Password, CreatedAt}) -> {?TABLE, {username, Username}, Password, CreatedAt} end),
return({ok, paginate(?TABLE, MatchSpec, Params, fun emqx_auth_mnesia_cli:comparing/2, fun({?TABLE, {username, X}, _, _}) -> #{username => X} end)}).
lookup_username(#{username := Username}, _Params) ->
return({ok, format(emqx_auth_mnesia_cli:lookup_user({username, urldecode(Username)}))}).
add_username(_Bindings, Params) ->
[ P | _] = Params,
case is_list(P) of
true -> return(do_add_username(Params, []));
false ->
case do_add_username(Params) of
ok -> return(ok);
<<"ok">> -> return(ok);
Error -> return({error, format_msg(Error)})
end
end.
do_add_username([ Params | ParamsN ], ReList ) ->
Username = urldecode(get_value(<<"username">>, Params)),
do_add_username(ParamsN, [{Username, format_msg(do_add_username(Params))} | ReList]);
do_add_username([], ReList) ->
{ok, ReList}.
do_add_username(Params) ->
Username = urldecode(get_value(<<"username">>, Params)),
Password = urldecode(get_value(<<"password">>, Params)),
Login = {username, Username},
case validate([login, password], [Login, Password]) of
ok ->
emqx_auth_mnesia_cli:add_user(Login, Password);
Err -> Err
end.
update_username(#{username := Username}, Params) ->
Password = get_value(<<"password">>, Params),
case validate([password], [Password]) of
ok -> return(emqx_auth_mnesia_cli:update_user({username, urldecode(Username)}, urldecode(Password)));
Err -> return(Err)
end.
delete_username(#{username := Username}, _) ->
return(emqx_auth_mnesia_cli:remove_user({username, urldecode(Username)})).
%%------------------------------------------------------------------------------
%% Paging Query
%%------------------------------------------------------------------------------
paginate(Tables, MatchSpec, Params, ComparingFun, RowFun) ->
Qh = query_handle(Tables, MatchSpec),
Count = count(Tables, MatchSpec),
Page = page(Params),
Limit = limit(Params),
Cursor = qlc:cursor(Qh),
case Page > 1 of
true -> qlc:next_answers(Cursor, (Page - 1) * Limit);
false -> ok
end,
Rows = qlc:next_answers(Cursor, Limit),
qlc:delete_cursor(Cursor),
#{meta => #{page => Page, limit => Limit, count => Count},
data => [RowFun(Row) || Row <- lists:sort(ComparingFun, Rows)]}.
query_handle(Table, MatchSpec) when is_atom(Table) ->
Options = {traverse, {select, MatchSpec}},
qlc:q([R|| R <- ets:table(Table, Options)]);
query_handle([Table], MatchSpec) when is_atom(Table) ->
Options = {traverse, {select, MatchSpec}},
qlc:q([R|| R <- ets:table(Table, Options)]);
query_handle(Tables, MatchSpec) ->
Options = {traverse, {select, MatchSpec}},
qlc:append([qlc:q([E || E <- ets:table(T, Options)]) || T <- Tables]).
count(Table, MatchSpec) when is_atom(Table) ->
[{MatchPattern, Where, _Re}] = MatchSpec,
NMatchSpec = [{MatchPattern, Where, [true]}],
ets:select_count(Table, NMatchSpec);
count([Table], MatchSpec) when is_atom(Table) ->
[{MatchPattern, Where, _Re}] = MatchSpec,
NMatchSpec = [{MatchPattern, Where, [true]}],
ets:select_count(Table, NMatchSpec);
count(Tables, MatchSpec) ->
lists:sum([count(T, MatchSpec) || T <- Tables]).
page(Params) ->
binary_to_integer(proplists:get_value(<<"_page">>, Params, <<"1">>)).
limit(Params) ->
case proplists:get_value(<<"_limit">>, Params) of
undefined -> 10;
Size -> binary_to_integer(Size)
end.
%%------------------------------------------------------------------------------
%% Interval Funcs
%%------------------------------------------------------------------------------
format({?TABLE, {clientid, ClientId}, Password, _InterTime}) ->
#{clientid => ClientId,
password => Password};
format({?TABLE, {username, Username}, Password, _InterTime}) ->
#{username => Username,
password => Password};
format([{?TABLE, {clientid, ClientId}, Password, _InterTime}]) ->
#{clientid => ClientId,
password => Password};
format([{?TABLE, {username, Username}, Password, _InterTime}]) ->
#{username => Username,
password => Password};
format([]) ->
#{}.
validate([], []) ->
ok;
validate([K|Keys], [V|Values]) ->
case do_validation(K, V) of
false -> {error, K};
true -> validate(Keys, Values)
end.
do_validation(login, {clientid, V}) when is_binary(V)
andalso byte_size(V) > 0 ->
true;
do_validation(login, {username, V}) when is_binary(V)
andalso byte_size(V) > 0 ->
true;
do_validation(password, V) when is_binary(V)
andalso byte_size(V) > 0 ->
true;
do_validation(_, _) ->
false.
format_msg(Message)
when is_atom(Message);
is_binary(Message) -> Message;
format_msg(Message) when is_tuple(Message) ->
iolist_to_binary(io_lib:format("~p", [Message])).
-if(?OTP_RELEASE >= 23).
urldecode(S) ->
[{R, _}] = uri_string:dissect_query(S), R.
-else.
urldecode(S) ->
http_uri:decode(S).
-endif.

View File

@ -0,0 +1,68 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_mnesia_app).
-behaviour(application).
-emqx_plugin(auth).
-include("emqx_auth_mnesia.hrl").
%% Application callbacks
-export([ start/2
, prep_stop/1
, stop/1
]).
%%--------------------------------------------------------------------
%% Application callbacks
%%--------------------------------------------------------------------
start(_StartType, _StartArgs) ->
{ok, Sup} = emqx_auth_mnesia_sup:start_link(),
emqx_ctl:register_command(clientid, {emqx_auth_mnesia_cli, auth_clientid_cli}, []),
emqx_ctl:register_command(user, {emqx_auth_mnesia_cli, auth_username_cli}, []),
emqx_ctl:register_command(acl, {emqx_acl_mnesia_cli, cli}, []),
load_auth_hook(),
load_acl_hook(),
{ok, Sup}.
prep_stop(State) ->
emqx:unhook('client.authenticate', fun emqx_auth_mnesia:check/3),
emqx:unhook('client.check_acl', fun emqx_acl_mnesia:check_acl/5),
emqx_ctl:unregister_command(clientid),
emqx_ctl:unregister_command(user),
emqx_ctl:unregister_command(acl),
State.
stop(_State) ->
ok.
load_auth_hook() ->
ClientidList = application:get_env(?APP, clientid_list, []),
UsernameList = application:get_env(?APP, username_list, []),
ok = emqx_auth_mnesia:init(#{clientid_list => ClientidList, username_list => UsernameList}),
ok = emqx_auth_mnesia:register_metrics(),
Params = #{
hash_type => application:get_env(emqx_auth_mnesia, hash_type, sha256)
},
emqx:hook('client.authenticate', fun emqx_auth_mnesia:check/3, [Params]).
load_acl_hook() ->
ok = emqx_acl_mnesia:init(),
ok = emqx_acl_mnesia:register_metrics(),
emqx:hook('client.check_acl', fun emqx_acl_mnesia:check_acl/5, [#{}]).

View File

@ -0,0 +1,181 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_mnesia_cli).
-include("emqx_auth_mnesia.hrl").
-include_lib("emqx/include/logger.hrl").
-include_lib("stdlib/include/ms_transform.hrl").
-define(TABLE, emqx_user).
%% Auth APIs
-export([ add_user/2
, update_user/2
, remove_user/1
, lookup_user/1
, all_users/0
, all_users/1
]).
%% Cli
-export([ auth_clientid_cli/1
, auth_username_cli/1
]).
%% Helper
-export([comparing/2]).
%%--------------------------------------------------------------------
%% Auth APIs
%%--------------------------------------------------------------------
%% @doc Add User
-spec(add_user(tuple(), binary()) -> ok | {error, any()}).
add_user(Login, Password) ->
User = #emqx_user{login = Login, password = encrypted_data(Password), created_at = erlang:system_time(millisecond)},
ret(mnesia:transaction(fun insert_user/1, [User])).
insert_user(User = #emqx_user{login = Login}) ->
case mnesia:read(?TABLE, Login) of
[] -> mnesia:write(User);
[_|_] -> mnesia:abort(existed)
end.
%% @doc Update User
-spec(update_user(tuple(), binary()) -> ok | {error, any()}).
update_user(Login, NewPassword) ->
User = #emqx_user{login = Login, password = encrypted_data(NewPassword)},
ret(mnesia:transaction(fun do_update_user/1, [User])).
do_update_user(User = #emqx_user{login = Login}) ->
case mnesia:read(?TABLE, Login) of
[{?TABLE, Login, _, CreateAt}] -> mnesia:write(User#emqx_user{created_at = CreateAt});
[] -> mnesia:abort(noexisted)
end.
%% @doc Lookup user by login
-spec(lookup_user(tuple()) -> list()).
lookup_user(undefined) -> [];
lookup_user(Login) ->
case mnesia:dirty_read(?TABLE, Login) of
{error, Reason} ->
?LOG(error, "[Mnesia] do_check_user error: ~p~n", [Reason]),
[];
Re ->
lists:sort(fun comparing/2, Re)
end.
%% @doc Remove user
-spec(remove_user(tuple()) -> ok | {error, any()}).
remove_user(Login) ->
ret(mnesia:transaction(fun mnesia:delete/1, [{?TABLE, Login}])).
%% @doc All logins
-spec(all_users() -> list()).
all_users() -> mnesia:dirty_all_keys(?TABLE).
all_users(clientid) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {clientid, Clientid}, Password, CreatedAt}) -> {?TABLE, {clientid, Clientid}, Password, CreatedAt} end),
lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec));
all_users(username) ->
MatchSpec = ets:fun2ms(fun({?TABLE, {username, Username}, Password, CreatedAt}) -> {?TABLE, {username, Username}, Password, CreatedAt} end),
lists:sort(fun comparing/2, ets:select(?TABLE, MatchSpec)).
%%--------------------------------------------------------------------
%% Internal functions
%%--------------------------------------------------------------------
comparing({?TABLE, _, _, CreatedAt1},
{?TABLE, _, _, CreatedAt2}) ->
CreatedAt1 >= CreatedAt2.
ret({atomic, ok}) -> ok;
ret({aborted, Error}) -> {error, Error}.
encrypted_data(Password) ->
HashType = application:get_env(emqx_auth_mnesia, password_hash, sha256),
SaltBin = salt(),
<<SaltBin/binary, (hash(Password, SaltBin, HashType))/binary>>.
hash(undefined, SaltBin, HashType) ->
hash(<<>>, SaltBin, HashType);
hash(Password, SaltBin, HashType) ->
emqx_passwd:hash(HashType, <<SaltBin/binary, Password/binary>>).
salt() ->
rand:seed(exsplus, erlang:timestamp()),
Salt = rand:uniform(16#ffffffff), <<Salt:32>>.
%%--------------------------------------------------------------------
%% Auth Clientid Cli
%%--------------------------------------------------------------------
auth_clientid_cli(["list"]) ->
[emqx_ctl:print("~s~n", [ClientId]) || {?TABLE, {clientid, ClientId}, _Password, _CreatedAt} <- all_users(clientid)];
auth_clientid_cli(["add", ClientId, Password]) ->
case add_user({clientid, iolist_to_binary(ClientId)}, iolist_to_binary(Password)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
auth_clientid_cli(["update", ClientId, NewPassword]) ->
case update_user({clientid, iolist_to_binary(ClientId)}, iolist_to_binary(NewPassword)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
auth_clientid_cli(["del", ClientId]) ->
case remove_user({clientid, iolist_to_binary(ClientId)}) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
auth_clientid_cli(_) ->
emqx_ctl:usage([{"clientid list", "List clientid auth rules"},
{"clientid add <Username> <Password>", "Add clientid auth rule"},
{"clientid update <Username> <NewPassword>", "Update clientid auth rule"},
{"clientid del <Username>", "Delete clientid auth rule"}]).
%%--------------------------------------------------------------------
%% Auth Username Cli
%%--------------------------------------------------------------------
auth_username_cli(["list"]) ->
[emqx_ctl:print("~s~n", [Username]) || {?TABLE, {username, Username}, _Password, _CreatedAt}<- all_users(username)];
auth_username_cli(["add", Username, Password]) ->
case add_user({username, iolist_to_binary(Username)}, iolist_to_binary(Password)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
auth_username_cli(["update", Username, NewPassword]) ->
case update_user({username, iolist_to_binary(Username)}, iolist_to_binary(NewPassword)) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
auth_username_cli(["del", Username]) ->
case remove_user({username, iolist_to_binary(Username)}) of
ok -> emqx_ctl:print("ok~n");
{error, Reason} -> emqx_ctl:print("Error: ~p~n", [Reason])
end;
auth_username_cli(_) ->
emqx_ctl:usage([{"user list", "List username auth rules"},
{"user add <Username> <Password>", "Add username auth rule"},
{"user update <Username> <NewPassword>", "Update username auth rule"},
{"user del <Username>", "Delete username auth rule"}]).

View File

@ -0,0 +1,36 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_mnesia_sup).
-behaviour(supervisor).
-include("emqx_auth_mnesia.hrl").
-export([start_link/0]).
%% Supervisor callbacks
-export([init/1]).
start_link() ->
supervisor:start_link({local, ?MODULE}, ?MODULE, []).
%%--------------------------------------------------------------------
%% Supervisor callbacks
%%--------------------------------------------------------------------
init([]) ->
{ok, {{one_for_one, 10, 100}, []}}.

View File

@ -0,0 +1,215 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_acl_mnesia_SUITE).
-compile(export_all).
-include("emqx_auth_mnesia.hrl").
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-import(emqx_ct_http, [ request_api/3
, request_api/5
, get_http_data/1
, create_default_app/0
, default_auth_header/0
]).
-define(HOST, "http://127.0.0.1:8081/").
-define(API_VERSION, "v4").
-define(BASE_PATH, "api").
all() ->
emqx_ct:all(?MODULE).
groups() ->
[].
init_per_suite(Config) ->
emqx_ct_helpers:start_apps([emqx_management, emqx_auth_mnesia], fun set_special_configs/1),
create_default_app(),
Config.
end_per_suite(_Config) ->
emqx_ct_helpers:stop_apps([emqx_management, emqx_auth_mnesia]).
init_per_testcase(t_check_acl_as_clientid, Config) ->
emqx:hook('client.check_acl', fun emqx_acl_mnesia:check_acl/5, [#{key_as => clientid}]),
Config;
init_per_testcase(_, Config) ->
emqx:hook('client.check_acl', fun emqx_acl_mnesia:check_acl/5, [#{key_as => username}]),
Config.
end_per_testcase(_, Config) ->
emqx:unhook('client.check_acl', fun emqx_acl_mnesia:check_acl/5),
Config.
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, true),
application:set_env(emqx, enable_acl_cache, false),
LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
set_special_configs(_App) ->
ok.
%%------------------------------------------------------------------------------
%% Testcases
%%------------------------------------------------------------------------------
t_management(_Config) ->
clean_all_acls(),
?assertEqual("Acl with Mnesia", emqx_acl_mnesia:description()),
?assertEqual([], emqx_acl_mnesia_cli:all_acls()),
ok = emqx_acl_mnesia_cli:add_acl({clientid, <<"test_clientid">>}, <<"topic/%c">>, sub, allow),
ok = emqx_acl_mnesia_cli:add_acl({clientid, <<"test_clientid">>}, <<"topic/+">>, pub, deny),
ok = emqx_acl_mnesia_cli:add_acl({username, <<"test_username">>}, <<"topic/%u">>, sub, deny),
ok = emqx_acl_mnesia_cli:add_acl({username, <<"test_username">>}, <<"topic/+">>, pub, allow),
ok = emqx_acl_mnesia_cli:add_acl(all, <<"#">>, pubsub, deny),
?assertEqual(2, length(emqx_acl_mnesia_cli:lookup_acl({clientid, <<"test_clientid">>}))),
?assertEqual(2, length(emqx_acl_mnesia_cli:lookup_acl({username, <<"test_username">>}))),
?assertEqual(1, length(emqx_acl_mnesia_cli:lookup_acl(all))),
?assertEqual(5, length(emqx_acl_mnesia_cli:all_acls())),
User1 = #{zone => external, clientid => <<"test_clientid">>},
User2 = #{zone => external, clientid => <<"no_exist">>, username => <<"test_username">>},
User3 = #{zone => external, clientid => <<"test_clientid">>, username => <<"test_username">>},
allow = emqx_access_control:check_acl(User1, subscribe, <<"topic/test_clientid">>),
deny = emqx_access_control:check_acl(User1, publish, <<"topic/A">>),
deny = emqx_access_control:check_acl(User2, subscribe, <<"topic/test_username">>),
allow = emqx_access_control:check_acl(User2, publish, <<"topic/A">>),
allow = emqx_access_control:check_acl(User3, subscribe, <<"topic/test_clientid">>),
deny = emqx_access_control:check_acl(User3, subscribe, <<"topic/test_username">>),
deny = emqx_access_control:check_acl(User3, publish, <<"topic/A">>),
deny = emqx_access_control:check_acl(User3, subscribe, <<"topic/A/B">>),
deny = emqx_access_control:check_acl(User3, publish, <<"topic/A/B">>),
ok = emqx_acl_mnesia_cli:remove_acl({clientid, <<"test_clientid">>}, <<"topic/%c">>),
ok = emqx_acl_mnesia_cli:remove_acl({clientid, <<"test_clientid">>}, <<"topic/+">>),
ok = emqx_acl_mnesia_cli:remove_acl({username, <<"test_username">>}, <<"topic/%u">>),
ok = emqx_acl_mnesia_cli:remove_acl({username, <<"test_username">>}, <<"topic/+">>),
ok = emqx_acl_mnesia_cli:remove_acl(all, <<"#">>),
?assertEqual([], emqx_acl_mnesia_cli:all_acls()).
t_acl_cli(_Config) ->
meck:new(emqx_ctl, [non_strict, passthrough]),
meck:expect(emqx_ctl, print, fun(Arg) -> emqx_ctl:format(Arg) end),
meck:expect(emqx_ctl, print, fun(Msg, Arg) -> emqx_ctl:format(Msg, Arg) end),
meck:expect(emqx_ctl, usage, fun(Usages) -> emqx_ctl:format_usage(Usages) end),
meck:expect(emqx_ctl, usage, fun(Cmd, Descr) -> emqx_ctl:format_usage(Cmd, Descr) end),
clean_all_acls(),
?assertEqual(0, length(emqx_acl_mnesia_cli:cli(["list"]))),
emqx_acl_mnesia_cli:cli(["add", "clientid", "test_clientid", "topic/A", "pub", "allow"]),
?assertMatch(["Acl(clientid = <<\"test_clientid\">> topic = <<\"topic/A\">> action = pub access = allow)\n"], emqx_acl_mnesia_cli:cli(["show", "clientid", "test_clientid"])),
?assertMatch(["Acl(clientid = <<\"test_clientid\">> topic = <<\"topic/A\">> action = pub access = allow)\n"], emqx_acl_mnesia_cli:cli(["list", "clientid"])),
emqx_acl_mnesia_cli:cli(["add", "username", "test_username", "topic/B", "sub", "deny"]),
?assertMatch(["Acl(username = <<\"test_username\">> topic = <<\"topic/B\">> action = sub access = deny)\n"], emqx_acl_mnesia_cli:cli(["show", "username", "test_username"])),
?assertMatch(["Acl(username = <<\"test_username\">> topic = <<\"topic/B\">> action = sub access = deny)\n"], emqx_acl_mnesia_cli:cli(["list", "username"])),
emqx_acl_mnesia_cli:cli(["add", "_all", "#", "pubsub", "deny"]),
?assertMatch(["Acl($all topic = <<\"#\">> action = pubsub access = deny)\n"], emqx_acl_mnesia_cli:cli(["list", "_all"])),
?assertEqual(3, length(emqx_acl_mnesia_cli:cli(["list"]))),
emqx_acl_mnesia_cli:cli(["del", "clientid", "test_clientid", "topic/A"]),
emqx_acl_mnesia_cli:cli(["del", "username", "test_username", "topic/B"]),
emqx_acl_mnesia_cli:cli(["del", "_all", "#"]),
?assertEqual(0, length(emqx_acl_mnesia_cli:cli(["list"]))),
meck:unload(emqx_ctl).
t_rest_api(_Config) ->
clean_all_acls(),
Params1 = [#{<<"clientid">> => <<"test_clientid">>, <<"topic">> => <<"topic/A">>, <<"action">> => <<"pub">>, <<"access">> => <<"allow">>},
#{<<"clientid">> => <<"test_clientid">>, <<"topic">> => <<"topic/B">>, <<"action">> => <<"sub">>, <<"access">> => <<"allow">>},
#{<<"clientid">> => <<"test_clientid">>, <<"topic">> => <<"topic/C">>, <<"action">> => <<"pubsub">>, <<"access">> => <<"deny">>}],
{ok, _} = request_http_rest_add([], Params1),
{ok, Re1} = request_http_rest_list(["clientid", "test_clientid"]),
?assertMatch(3, length(get_http_data(Re1))),
{ok, _} = request_http_rest_delete(["clientid", "test_clientid", "topic", "topic/A"]),
{ok, _} = request_http_rest_delete(["clientid", "test_clientid", "topic", "topic/B"]),
{ok, _} = request_http_rest_delete(["clientid", "test_clientid", "topic", "topic/C"]),
{ok, Res1} = request_http_rest_list(["clientid"]),
?assertMatch([], get_http_data(Res1)),
Params2 = [#{<<"username">> => <<"test_username">>, <<"topic">> => <<"topic/A">>, <<"action">> => <<"pub">>, <<"access">> => <<"allow">>},
#{<<"username">> => <<"test_username">>, <<"topic">> => <<"topic/B">>, <<"action">> => <<"sub">>, <<"access">> => <<"allow">>},
#{<<"username">> => <<"test_username">>, <<"topic">> => <<"topic/C">>, <<"action">> => <<"pubsub">>, <<"access">> => <<"deny">>}],
{ok, _} = request_http_rest_add([], Params2),
{ok, Re2} = request_http_rest_list(["username", "test_username"]),
?assertMatch(3, length(get_http_data(Re2))),
{ok, _} = request_http_rest_delete(["username", "test_username", "topic", "topic/A"]),
{ok, _} = request_http_rest_delete(["username", "test_username", "topic", "topic/B"]),
{ok, _} = request_http_rest_delete(["username", "test_username", "topic", "topic/C"]),
{ok, Res2} = request_http_rest_list(["username"]),
?assertMatch([], get_http_data(Res2)),
Params3 = [#{<<"topic">> => <<"topic/A">>, <<"action">> => <<"pub">>, <<"access">> => <<"allow">>},
#{<<"topic">> => <<"topic/B">>, <<"action">> => <<"sub">>, <<"access">> => <<"allow">>},
#{<<"topic">> => <<"topic/C">>, <<"action">> => <<"pubsub">>, <<"access">> => <<"deny">>}],
{ok, _} = request_http_rest_add([], Params3),
{ok, Re3} = request_http_rest_list(["$all"]),
?assertMatch(3, length(get_http_data(Re3))),
{ok, _} = request_http_rest_delete(["$all", "topic", "topic/A"]),
{ok, _} = request_http_rest_delete(["$all", "topic", "topic/B"]),
{ok, _} = request_http_rest_delete(["$all", "topic", "topic/C"]),
{ok, Res3} = request_http_rest_list(["$all"]),
?assertMatch([], get_http_data(Res3)).
%%------------------------------------------------------------------------------
%% Helpers
%%------------------------------------------------------------------------------
clean_all_acls() ->
[ mnesia:dirty_delete({emqx_acl, Login})
|| Login <- mnesia:dirty_all_keys(emqx_acl)].
%%--------------------------------------------------------------------
%% HTTP Request
%%--------------------------------------------------------------------
request_http_rest_list(Path) ->
request_api(get, uri(Path), default_auth_header()).
request_http_rest_lookup(Path) ->
request_api(get, uri(Path), default_auth_header()).
request_http_rest_add(Path, Params) ->
request_api(post, uri(Path), [], default_auth_header(), Params).
request_http_rest_delete(Path) ->
request_api(delete, uri(Path), default_auth_header()).
uri() -> uri([]).
uri(Parts) when is_list(Parts) ->
NParts = [b2l(E) || E <- Parts],
?HOST ++ filename:join([?BASE_PATH, ?API_VERSION, "acl"| NParts]).
%% @private
b2l(B) when is_binary(B) ->
http_uri:encode(binary_to_list(B));
b2l(L) when is_list(L) ->
http_uri:encode(L).

View File

@ -0,0 +1,284 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License. %% You may obtain a copy of the License at %% %% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_auth_mnesia_SUITE).
-compile(export_all).
-include("emqx_auth_mnesia.hrl").
-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-import(emqx_ct_http, [ request_api/3
, request_api/5
, get_http_data/1
, create_default_app/0
, default_auth_header/0
]).
-define(HOST, "http://127.0.0.1:8081/").
-define(API_VERSION, "v4").
-define(BASE_PATH, "api").
-define(TABLE, emqx_user).
-define(CLIENTID, <<"clientid_for_ct">>).
-define(USERNAME, <<"username_for_ct">>).
-define(PASSWORD, <<"password">>).
-define(NPASSWORD, <<"new_password">>).
all() ->
emqx_ct:all(?MODULE).
groups() ->
[].
init_per_suite(Config) ->
ok = emqx_ct_helpers:start_apps([emqx_management, emqx_auth_mnesia], fun set_special_configs/1),
create_default_app(),
Config.
end_per_suite(_Config) ->
emqx_ct_helpers:stop_apps([emqx_management, emqx_auth_mnesia]).
init_per_testcase(t_check_as_clientid, Config) ->
Params = #{
hash_type => application:get_env(emqx_auth_mnesia, hash_type, sha256),
key_as => clientid
},
emqx:hook('client.authenticate', fun emqx_auth_mnesia:check/3, [Params]),
Config;
init_per_testcase(_, Config) ->
Params = #{
hash_type => application:get_env(emqx_auth_mnesia, hash_type, sha256),
key_as => username
},
emqx:hook('client.authenticate', fun emqx_auth_mnesia:check/3, [Params]),
Config.
end_per_suite(_, Config) ->
emqx:unhook('client.authenticate', fun emqx_auth_mnesia:check/3),
Config.
set_special_configs(emqx) ->
application:set_env(emqx, allow_anonymous, true),
application:set_env(emqx, enable_acl_cache, false),
LoadedPluginPath = filename:join(["test", "emqx_SUITE_data", "loaded_plugins"]),
application:set_env(emqx, plugins_loaded_file,
emqx_ct_helpers:deps_path(emqx, LoadedPluginPath));
set_special_configs(_App) ->
ok.
%%------------------------------------------------------------------------------
%% Testcases
%%------------------------------------------------------------------------------
t_management(_Config) ->
clean_all_users(),
ok = emqx_auth_mnesia_cli:add_user({username,?USERNAME}, ?PASSWORD),
{error, existed} = emqx_auth_mnesia_cli:add_user({username,?USERNAME}, ?PASSWORD),
?assertMatch([{?TABLE, {username, ?USERNAME}, _Password, _InterTime}], emqx_auth_mnesia_cli:all_users(username)),
ok = emqx_auth_mnesia_cli:add_user({clientid,?CLIENTID}, ?PASSWORD),
{error, existed} = emqx_auth_mnesia_cli:add_user({clientid,?CLIENTID}, ?PASSWORD),
?assertMatch([{?TABLE, {clientid, ?CLIENTID}, _Password, _InterTime}], emqx_auth_mnesia_cli:all_users(clientid)),
?assertEqual(2,length(emqx_auth_mnesia_cli:all_users())),
ok = emqx_auth_mnesia_cli:update_user({username,?USERNAME}, ?NPASSWORD),
{error,noexisted} = emqx_auth_mnesia_cli:update_user({username, <<"no_existed_user">>}, ?PASSWORD),
ok = emqx_auth_mnesia_cli:update_user({clientid,?CLIENTID}, ?NPASSWORD),
{error,noexisted} = emqx_auth_mnesia_cli:update_user({clientid, <<"no_existed_user">>}, ?PASSWORD),
?assertMatch([{?TABLE, {username, ?USERNAME}, _Password, _InterTime}], emqx_auth_mnesia_cli:lookup_user({username, ?USERNAME})),
?assertMatch([{?TABLE, {clientid, ?CLIENTID}, _Password, _InterTime}], emqx_auth_mnesia_cli:lookup_user({clientid, ?CLIENTID})),
User1 = #{username => ?USERNAME,
clientid => undefined,
password => ?NPASSWORD,
zone => external},
{ok, #{auth_result := success,
anonymous := false}} = emqx_access_control:authenticate(User1),
{error,password_error} = emqx_access_control:authenticate(User1#{password => <<"error_password">>}),
ok = emqx_auth_mnesia_cli:remove_user({username,?USERNAME}),
{ok, #{auth_result := success,
anonymous := true }} = emqx_access_control:authenticate(User1),
User2 = #{clientid => ?CLIENTID,
password => ?NPASSWORD,
zone => external},
{ok, #{auth_result := success,
anonymous := false}} = emqx_access_control:authenticate(User2),
{error,password_error} = emqx_access_control:authenticate(User2#{password => <<"error_password">>}),
ok = emqx_auth_mnesia_cli:remove_user({clientid,?CLIENTID}),
{ok, #{auth_result := success,
anonymous := true }} = emqx_access_control:authenticate(User2),
[] = emqx_auth_mnesia_cli:all_users().
t_auth_clientid_cli(_) ->
clean_all_users(),
HashType = application:get_env(emqx_auth_mnesia, password_hash, sha256),
emqx_auth_mnesia_cli:auth_clientid_cli(["add", ?CLIENTID, ?PASSWORD]),
[{_, {clientid, ?CLIENTID}, <<Salt:4/binary, Hash/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({clientid, ?CLIENTID}),
?assertEqual(Hash, emqx_passwd:hash(HashType, <<Salt/binary, ?PASSWORD/binary>>)),
emqx_auth_mnesia_cli:auth_clientid_cli(["update", ?CLIENTID, ?NPASSWORD]),
[{_, {clientid, ?CLIENTID}, <<Salt1:4/binary, Hash1/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({clientid, ?CLIENTID}),
?assertEqual(Hash1, emqx_passwd:hash(HashType, <<Salt1/binary, ?NPASSWORD/binary>>)),
emqx_auth_mnesia_cli:auth_clientid_cli(["del", ?CLIENTID]),
?assertEqual([], emqx_auth_mnesia_cli:lookup_user(?CLIENTID)),
emqx_auth_mnesia_cli:auth_clientid_cli(["add", "user1", "pass1"]),
emqx_auth_mnesia_cli:auth_clientid_cli(["add", "user2", "pass2"]),
?assertEqual(2, length(emqx_auth_mnesia_cli:auth_clientid_cli(["list"]))),
emqx_auth_mnesia_cli:auth_clientid_cli(usage).
t_auth_username_cli(_) ->
clean_all_users(),
HashType = application:get_env(emqx_auth_mnesia, password_hash, sha256),
emqx_auth_mnesia_cli:auth_username_cli(["add", ?USERNAME, ?PASSWORD]),
[{_, {username, ?USERNAME}, <<Salt:4/binary, Hash/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({username, ?USERNAME}),
?assertEqual(Hash, emqx_passwd:hash(HashType, <<Salt/binary, ?PASSWORD/binary>>)),
emqx_auth_mnesia_cli:auth_username_cli(["update", ?USERNAME, ?NPASSWORD]),
[{_, {username, ?USERNAME}, <<Salt1:4/binary, Hash1/binary>>, _}] = emqx_auth_mnesia_cli:lookup_user({username, ?USERNAME}),
?assertEqual(Hash1, emqx_passwd:hash(HashType, <<Salt1/binary, ?NPASSWORD/binary>>)),
emqx_auth_mnesia_cli:auth_username_cli(["del", ?USERNAME]),
?assertEqual([], emqx_auth_mnesia_cli:lookup_user(?USERNAME)),
emqx_auth_mnesia_cli:auth_username_cli(["add", "user1", "pass1"]),
emqx_auth_mnesia_cli:auth_username_cli(["add", "user2", "pass2"]),
?assertEqual(2, length(emqx_auth_mnesia_cli:auth_username_cli(["list"]))),
emqx_auth_mnesia_cli:auth_username_cli(usage).
t_clientid_rest_api(_Config) ->
clean_all_users(),
{ok, Result1} = request_http_rest_list(["auth_clientid"]),
[] = get_http_data(Result1),
Params1 = #{<<"clientid">> => ?CLIENTID, <<"password">> => ?PASSWORD},
{ok, _} = request_http_rest_add(["auth_clientid"], Params1),
Params2 = #{<<"clientid">> => ?CLIENTID, <<"password">> => ?NPASSWORD},
{ok, _} = request_http_rest_update(["auth_clientid/" ++ binary_to_list(?CLIENTID)], Params2),
{ok, Result2} = request_http_rest_lookup(["auth_clientid/" ++ binary_to_list(?CLIENTID)]),
?assertMatch(#{<<"clientid">> := ?CLIENTID}, get_http_data(Result2)),
Params3 = [ #{<<"clientid">> => ?CLIENTID, <<"password">> => ?PASSWORD}
, #{<<"clientid">> => <<"clientid1">>, <<"password">> => ?PASSWORD}
, #{<<"clientid">> => <<"clientid2">>, <<"password">> => ?PASSWORD}
],
{ok, Result3} = request_http_rest_add(["auth_clientid"], Params3),
?assertMatch(#{ ?CLIENTID := <<"{error,existed}">>
, <<"clientid1">> := <<"ok">>
, <<"clientid2">> := <<"ok">>
}, get_http_data(Result3)),
{ok, Result4} = request_http_rest_list(["auth_clientid"]),
?assertEqual(3, length(get_http_data(Result4))),
{ok, _} = request_http_rest_delete(["auth_clientid/" ++ binary_to_list(?CLIENTID)]),
{ok, Result5} = request_http_rest_lookup(["auth_clientid/" ++ binary_to_list(?CLIENTID)]),
?assertMatch(#{}, get_http_data(Result5)).
t_username_rest_api(_Config) ->
clean_all_users(),
{ok, Result1} = request_http_rest_list(["auth_username"]),
[] = get_http_data(Result1),
Params1 = #{<<"username">> => ?USERNAME, <<"password">> => ?PASSWORD},
{ok, _} = request_http_rest_add(["auth_username"], Params1),
Params2 = #{<<"username">> => ?USERNAME, <<"password">> => ?NPASSWORD},
{ok, _} = request_http_rest_update(["auth_username/" ++ binary_to_list(?USERNAME)], Params2),
{ok, Result2} = request_http_rest_lookup(["auth_username/" ++ binary_to_list(?USERNAME)]),
?assertMatch(#{<<"username">> := ?USERNAME}, get_http_data(Result2)),
Params3 = [ #{<<"username">> => ?USERNAME, <<"password">> => ?PASSWORD}
, #{<<"username">> => <<"username1">>, <<"password">> => ?PASSWORD}
, #{<<"username">> => <<"username2">>, <<"password">> => ?PASSWORD}
],
{ok, Result3} = request_http_rest_add(["auth_username"], Params3),
?assertMatch(#{ ?USERNAME := <<"{error,existed}">>
, <<"username1">> := <<"ok">>
, <<"username2">> := <<"ok">>
}, get_http_data(Result3)),
{ok, Result4} = request_http_rest_list(["auth_username"]),
?assertEqual(3, length(get_http_data(Result4))),
{ok, _} = request_http_rest_delete(["auth_username/" ++ binary_to_list(?USERNAME)]),
{ok, Result5} = request_http_rest_lookup(["auth_username/" ++ binary_to_list(?USERNAME)]),
?assertMatch(#{}, get_http_data(Result5)).
%%------------------------------------------------------------------------------
%% Helpers
%%------------------------------------------------------------------------------
clean_all_users() ->
[ mnesia:dirty_delete({emqx_user, Login})
|| Login <- mnesia:dirty_all_keys(emqx_user)].
%%--------------------------------------------------------------------
%% HTTP Request
%%--------------------------------------------------------------------
request_http_rest_list(Path) ->
request_api(get, uri(Path), default_auth_header()).
request_http_rest_lookup(Path) ->
request_api(get, uri([Path]), default_auth_header()).
request_http_rest_add(Path, Params) ->
request_api(post, uri(Path), [], default_auth_header(), Params).
request_http_rest_update(Path, Params) ->
request_api(put, uri([Path]), [], default_auth_header(), Params).
request_http_rest_delete(Login) ->
request_api(delete, uri([Login]), default_auth_header()).
uri() -> uri([]).
uri(Parts) when is_list(Parts) ->
NParts = [b2l(E) || E <- Parts],
?HOST ++ filename:join([?BASE_PATH, ?API_VERSION | NParts]).
%% @private
b2l(B) when is_binary(B) ->
binary_to_list(B);
b2l(L) when is_list(L) ->
L.

View File

@ -0,0 +1,59 @@
name: Run test cases
on: [push, pull_request]
jobs:
run_test_cases:
runs-on: ubuntu-latest
strategy:
matrix:
mongo_tag:
- 3
- 4
network_type:
- ipv4
- ipv6
connect_type:
- ssl
- tcp
steps:
- name: install docker-compose
run: |
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
- uses: actions/checkout@v1
- name: run test cases
env:
MONGO_TAG: ${{ matrix.mongo_tag }}
NETWORK_TYPE: ${{ matrix.network_type }}
CONNECT_TYPE: ${{ matrix.connect_type }}
run: |
set -e -u -x
if [ "$NETWORK_TYPE" = "ipv6" ];then docker network create --driver bridge --ipv6 --subnet fd15:555::/64 tests_emqx_bridge --attachable; fi
if [ "$CONNECT_TYPE" = "ssl" ]; then
docker-compose -f ./docker-compose-ssl.yml -p tests up -d
docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl = true' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl_opts.cacertfile = /emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl_opts.certfile = /emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "echo 'auth.mongo.ssl_opts.keyfile = /emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
else
docker-compose -f ./docker-compose.yml -p tests up -d
fi
if [ "$NETWORK_TYPE" != "ipv6" ];then
docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "sed -i '/auth.mongo.server/c auth.mongo.server = mongo_server:27017' /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
else
ipv6_address=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}' $(docker ps -a -f name=tests_mongo_server_1 -q))
docker exec -i $(docker ps -a -f name=tests_erlang_1 -q) sh -c "sed -i '/auth.mongo.server/c auth.mongo.server = $ipv6_address:27017' /emqx_auth_mongo/etc/emqx_auth_mongo.conf"
fi
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo xref"
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo eunit"
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo ct"
docker exec -i tests_erlang_1 sh -c "make -C /emqx_auth_mongo cover"
- uses: actions/upload-artifact@v1
if: failure()
with:
name: logs_mongo${{ matrix.mongo_tag}}_${{ matrix.network_type }}
path: _build/test/logs

24
apps/emqx_auth_mongo/.gitignore vendored Normal file
View File

@ -0,0 +1,24 @@
.eunit
deps
*.o
*.beam
*.plt
erl_crash.dump
ebin
rel/example_project
.concrete/DEV_MODE
.rebar
.DS_Store
.erlang.mk/
emqx_auth_mongo.d
ct.coverdata
logs/
test/ct.cover.spec
data/
cover/
eunit.coverdata
_build/
rebar.lock
erlang.mk
etc/emqx_auth_mongo.conf.rendered
.rebar3

View File

@ -0,0 +1,31 @@
2.0.7 (2017-01-20)
------------------
Tag 2.0.7 - use `cuttlefish:unset()` for commented ACL/super config
2.0.1 (2016-11-30)
------------------
Tag 2.0.1
2.0-beta.1 (2016-08-24)
-----------------------
gen_conf
1.1.3-beta (2016-08-19)
-----------------------
Bump version to 1.1.3
1.1.2-beta (2016-06-30)
-----------------------
Bump version to 1.1.2
1.1-beta (2016-05-28)
---------------------
First public release

View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

View File

@ -0,0 +1,37 @@
## shallow clone for speed
REBAR_GIT_CLONE_OPTIONS += --depth 1
export REBAR_GIT_CLONE_OPTIONS
REBAR = rebar3
all: compile
compile:
$(REBAR) compile
clean: distclean
ct: compile
$(REBAR) as test ct -v
eunit: compile
$(REBAR) as test eunit
xref:
$(REBAR) xref
cover:
$(REBAR) cover
distclean:
@rm -rf _build
@rm -f data/app.*.config data/vm.*.args rebar.lock
CUTTLEFISH_SCRIPT = _build/default/lib/cuttlefish/cuttlefish
$(CUTTLEFISH_SCRIPT):
@${REBAR} get-deps
@if [ ! -f cuttlefish ]; then make -C _build/default/lib/cuttlefish; fi
app.config: $(CUTTLEFISH_SCRIPT) etc/emqx_auth_mongo.conf
$(verbose) $(CUTTLEFISH_SCRIPT) -l info -e etc/ -c etc/emqx_auth_mongo.conf -i priv/emqx_auth_mongo.schema -d data

View File

@ -0,0 +1,192 @@
emqx_auth_mongo
===============
EMQ X Authentication/ACL with MongoDB
Build the Plugin
----------------
```
make & make tests
```
Configuration
-------------
File: etc/emqx_auth_mongo.conf
```
## MongoDB Topology Type.
##
## Value: single | unknown | sharded | rs
auth.mongo.type = single
## Sets the set name if type is rs.
##
## Value: String
## auth.mongo.rs_set_name =
## MongoDB server list.
##
## Value: String
##
## Examples: 127.0.0.1:27017,127.0.0.2:27017...
auth.mongo.server = 127.0.0.1:27017
## MongoDB pool size
##
## Value: Number
auth.mongo.pool = 8
## MongoDB login user.
##
## Value: String
## auth.mongo.login =
## MongoDB password.
##
## Value: String
## auth.mongo.password =
## MongoDB AuthSource
##
## Value: String
## Default: mqtt
## auth.mongo.auth_source = admin
## MongoDB database
##
## Value: String
auth.mongo.database = mqtt
## MongoDB write mode.
##
## Value: unsafe | safe
## auth.mongo.w_mode =
## Mongo read mode.
##
## Value: master | slave_ok
## auth.mongo.r_mode =
## MongoDB topology options.
auth.mongo.topology.pool_size = 1
auth.mongo.topology.max_overflow = 0
## auth.mongo.topology.overflow_ttl = 1000
## auth.mongo.topology.overflow_check_period = 1000
## auth.mongo.topology.local_threshold_ms = 1000
## auth.mongo.topology.connect_timeout_ms = 20000
## auth.mongo.topology.socket_timeout_ms = 100
## auth.mongo.topology.server_selection_timeout_ms = 30000
## auth.mongo.topology.wait_queue_timeout_ms = 1000
## auth.mongo.topology.heartbeat_frequency_ms = 10000
## auth.mongo.topology.min_heartbeat_frequency_ms = 1000
## Authentication query.
auth.mongo.auth_query.collection = mqtt_user
auth.mongo.auth_query.password_field = password
## Password hash.
##
## Value: plain | md5 | sha | sha256 | bcrypt
auth.mongo.auth_query.password_hash = sha256
## sha256 with salt suffix
## auth.mongo.auth_query.password_hash = sha256,salt
## sha256 with salt prefix
## auth.mongo.auth_query.password_hash = salt,sha256
## bcrypt with salt prefix
## auth.mongo.auth_query.password_hash = salt,bcrypt
## pbkdf2 with macfun iterations dklen
## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
## auth.mongo.auth_query.password_hash = pbkdf2,sha256,1000,20
auth.mongo.auth_query.selector = username=%u
## Enable superuser query.
auth.mongo.super_query = on
auth.mongo.super_query.collection = mqtt_user
auth.mongo.super_query.super_field = is_superuser
auth.mongo.super_query.selector = username=%u
## Enable ACL query.
auth.mongo.acl_query = on
auth.mongo.acl_query.collection = mqtt_acl
auth.mongo.acl_query.selector = username=%u
```
Load the Plugin
---------------
```
./bin/emqx_ctl plugins load emqx_auth_mongo
```
MongoDB Database
----------------
```
use mqtt
db.createCollection("mqtt_user")
db.createCollection("mqtt_acl")
db.mqtt_user.ensureIndex({"username":1})
```
mqtt_user Collection
--------------------
```
{
username: "user",
password: "password hash",
salt: "password salt",
is_superuser: boolean (true, false),
created: "datetime"
}
```
For example:
```
db.mqtt_user.insert({username: "test", password: "password hash", salt: "password salt", is_superuser: false})
db.mqtt_user.insert({username: "root", is_superuser: true})
```
mqtt_acl Collection
-------------------
```
{
username: "username",
clientid: "clientid",
publish: ["topic1", "topic2", ...],
subscribe: ["subtop1", "subtop2", ...],
pubsub: ["topic/#", "topic1", ...]
}
```
For example:
```
db.mqtt_acl.insert({username: "test", publish: ["t/1", "t/2"], subscribe: ["user/%u", "client/%c"]})
db.mqtt_acl.insert({username: "admin", pubsub: ["#"]})
```
License
-------
Apache License Version 2.0
Author
------
EMQ X Team.

View File

@ -0,0 +1,31 @@
version: '3'
services:
erlang:
image: erlang:22.1
volumes:
- ./:/emqx_auth_mongo
networks:
- emqx_bridge
depends_on:
- mongo_server
tty: true
mongo_server:
image: mongo:${MONGO_TAG}
restart: always
environment:
MONGO_INITDB_DATABASE: mqtt
volumes:
- ./test/emqx_auth_mongo_SUITE_data/mongodb.pem/:/etc/certs/mongodb.pem
networks:
- emqx_bridge
command:
--ipv6
--bind_ip_all
--sslMode requireSSL
--sslPEMKeyFile /etc/certs/mongodb.pem
networks:
emqx_bridge:
driver: bridge

View File

@ -0,0 +1,27 @@
version: '3'
services:
erlang:
image: erlang:22.1
volumes:
- ./:/emqx_auth_mongo
networks:
- emqx_bridge
depends_on:
- mongo_server
tty: true
mongo_server:
image: mongo:${MONGO_TAG}
restart: always
environment:
MONGO_INITDB_DATABASE: mqtt
networks:
- emqx_bridge
command:
--ipv6
--bind_ip_all
networks:
emqx_bridge:
driver: bridge

View File

@ -0,0 +1,172 @@
##--------------------------------------------------------------------
## MongoDB Auth/ACL Plugin
##--------------------------------------------------------------------
## MongoDB Topology Type.
##
## Value: single | unknown | sharded | rs
auth.mongo.type = single
## The set name if type is rs.
##
## Value: String
## auth.mongo.rs_set_name =
## MongoDB server list.
##
## Value: String
##
## Examples: 127.0.0.1:27017,127.0.0.2:27017...
auth.mongo.server = 127.0.0.1:27017
## MongoDB pool size
##
## Value: Number
auth.mongo.pool = 8
## MongoDB login user.
##
## Value: String
## auth.mongo.login =
## MongoDB password.
##
## Value: String
## auth.mongo.password =
## MongoDB AuthSource
##
## Value: String
## Default: mqtt
## auth.mongo.auth_source = admin
## MongoDB database
##
## Value: String
auth.mongo.database = mqtt
## MongoDB query timeout
##
## Value: Duration
## auth.mongo.query_timeout = 5s
## Whether to enable SSL connection.
##
## Value: true | false
## auth.mongo.ssl = false
## SSL keyfile.
##
## Value: File
## auth.mongo.ssl_opts.keyfile =
## SSL certfile.
##
## Value: File
## auth.mongo.ssl_opts.certfile =
## SSL cacertfile.
##
## Value: File
## auth.mongo.ssl_opts.cacertfile =
## MongoDB write mode.
##
## Value: unsafe | safe
## auth.mongo.w_mode =
## Mongo read mode.
##
## Value: master | slave_ok
## auth.mongo.r_mode =
## MongoDB topology options.
auth.mongo.topology.pool_size = 1
auth.mongo.topology.max_overflow = 0
## auth.mongo.topology.overflow_ttl = 1000
## auth.mongo.topology.overflow_check_period = 1000
## auth.mongo.topology.local_threshold_ms = 1000
## auth.mongo.topology.connect_timeout_ms = 20000
## auth.mongo.topology.socket_timeout_ms = 100
## auth.mongo.topology.server_selection_timeout_ms = 30000
## auth.mongo.topology.wait_queue_timeout_ms = 1000
## auth.mongo.topology.heartbeat_frequency_ms = 10000
## auth.mongo.topology.min_heartbeat_frequency_ms = 1000
## -------------------------------------------------
## Auth Query
## -------------------------------------------------
## Password hash.
##
## Value: plain | md5 | sha | sha256 | bcrypt
auth.mongo.auth_query.password_hash = sha256
## sha256 with salt suffix
## auth.mongo.auth_query.password_hash = sha256,salt
## sha256 with salt prefix
## auth.mongo.auth_query.password_hash = salt,sha256
## bcrypt with salt prefix
## auth.mongo.auth_query.password_hash = salt,bcrypt
## pbkdf2 with macfun iterations dklen
## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
## auth.mongo.auth_query.password_hash = pbkdf2,sha256,1000,20
## Authentication query.
auth.mongo.auth_query.collection = mqtt_user
## Password mainly fields
##
## Value: password | password,salt
auth.mongo.auth_query.password_field = password
## Authentication Selector.
##
## Variables:
## - %u: username
## - %c: clientid
## - %C: common name of client TLS cert
## - %d: subject of client TLS cert
##
## auth.mongo.auth_query.selector = {Field}={Placeholder}
auth.mongo.auth_query.selector = username=%u
## -------------------------------------------------
## Super User Query
## -------------------------------------------------
auth.mongo.super_query.collection = mqtt_user
auth.mongo.super_query.super_field = is_superuser
#auth.mongo.super_query.selector = username=%u, clientid=%c
auth.mongo.super_query.selector = username=%u
## ACL Selector.
##
## Multiple selectors could be combined with '$or'
## when query acl from mongo.
##
## e.g.
##
## With following 2 selectors configured:
##
## auth.mongo.acl_query.selector.1 = username=%u
## auth.mongo.acl_query.selector.2 = username=$all
##
## And if a client connected using username 'ilyas',
## then the following mongo command will be used to
## retrieve acl entries:
##
## db.mqtt_acl.find({$or: [{username: "ilyas"}, {username: "$all"}]});
##
## Variables:
## - %u: username
## - %c: clientid
##
## Examples:
##
## auth.mongo.acl_query.selector.1 = username=%u,clientid=%c
## auth.mongo.acl_query.selector.2 = username=$all
## auth.mongo.acl_query.selector.3 = clientid=$all
auth.mongo.acl_query.collection = mqtt_acl
auth.mongo.acl_query.selector = username=%u

View File

@ -0,0 +1,37 @@
-define(APP, emqx_auth_mongo).
-define(DEFAULT_SELECTORS, [{<<"username">>, <<"%u">>}]).
-record(superquery, {collection = <<"mqtt_user">>,
field = <<"is_superuser">>,
selector = {<<"username">>, <<"%u">>}}).
-record(authquery, {collection = <<"mqtt_user">>,
field = <<"password">>,
hash = sha256,
selector = {<<"username">>, <<"%u">>}}).
-record(aclquery, {collection = <<"mqtt_acl">>,
selector = {<<"username">>, <<"%u">>}}).
-record(auth_metrics, {
success = 'client.auth.success',
failure = 'client.auth.failure',
ignore = 'client.auth.ignore'
}).
-record(acl_metrics, {
allow = 'client.acl.allow',
deny = 'client.acl.deny',
ignore = 'client.acl.ignore'
}).
-define(METRICS(Type), tl(tuple_to_list(#Type{}))).
-define(METRICS(Type, K), #Type{}#Type.K).
-define(AUTH_METRICS, ?METRICS(auth_metrics)).
-define(AUTH_METRICS(K), ?METRICS(auth_metrics, K)).
-define(ACL_METRICS, ?METRICS(acl_metrics)).
-define(ACL_METRICS(K), ?METRICS(acl_metrics, K)).

View File

@ -0,0 +1,292 @@
%%-*- mode: erlang -*-
%% emqx_auth_mongo config mapping
{mapping, "auth.mongo.type", "emqx_auth_mongo.server", [
{default, single},
{datatype, {enum, [single, unknown, sharded, rs]}}
]}.
{mapping, "auth.mongo.rs_set_name", "emqx_auth_mongo.server", [
{default, "mqtt"},
{datatype, string}
]}.
{mapping, "auth.mongo.server", "emqx_auth_mongo.server", [
{default, "127.0.0.1:27017"},
{datatype, string}
]}.
{mapping, "auth.mongo.pool", "emqx_auth_mongo.server", [
{default, 8},
{datatype, integer}
]}.
{mapping, "auth.mongo.login", "emqx_auth_mongo.server", [
{default, ""},
{datatype, string}
]}.
{mapping, "auth.mongo.password", "emqx_auth_mongo.server", [
{default, ""},
{datatype, string}
]}.
{mapping, "auth.mongo.database", "emqx_auth_mongo.server", [
{default, "mqtt"},
{datatype, string}
]}.
{mapping, "auth.mongo.auth_source", "emqx_auth_mongo.server", [
{default, "mqtt"},
{datatype, string}
]}.
{mapping, "auth.mongo.ssl", "emqx_auth_mongo.server", [
{default, false},
{datatype, {enum, [true, false]}}
]}.
{mapping, "auth.mongo.ssl_opts.keyfile", "emqx_auth_mongo.server", [
{datatype, string}
]}.
{mapping, "auth.mongo.ssl_opts.certfile", "emqx_auth_mongo.server", [
{datatype, string}
]}.
{mapping, "auth.mongo.ssl_opts.cacertfile", "emqx_auth_mongo.server", [
{datatype, string}
]}.
{mapping, "auth.mongo.w_mode", "emqx_auth_mongo.server", [
{default, undef},
{datatype, {enum, [safe, unsafe, undef]}}
]}.
{mapping, "auth.mongo.r_mode", "emqx_auth_mongo.server", [
{default, undef},
{datatype, {enum, [master, slave_ok, undef]}}
]}.
{mapping, "auth.mongo.topology.$name", "emqx_auth_mongo.server", [
{datatype, integer}
]}.
{translation, "emqx_auth_mongo.server", fun(Conf) ->
H = cuttlefish:conf_get("auth.mongo.server", Conf),
Hosts = string:tokens(H, ","),
Type0 = cuttlefish:conf_get("auth.mongo.type", Conf),
Pool = cuttlefish:conf_get("auth.mongo.pool", Conf),
Login = cuttlefish:conf_get("auth.mongo.login", Conf),
Passwd = cuttlefish:conf_get("auth.mongo.password", Conf),
DB = cuttlefish:conf_get("auth.mongo.database", Conf),
AuthSrc = cuttlefish:conf_get("auth.mongo.auth_source", Conf),
R = cuttlefish:conf_get("auth.mongo.w_mode", Conf),
W = cuttlefish:conf_get("auth.mongo.r_mode", Conf),
Login0 = case Login =:= [] of
true -> [];
false -> [{login, list_to_binary(Login)}]
end,
Passwd0 = case Passwd =:= [] of
true -> [];
false -> [{password, list_to_binary(Passwd)}]
end,
W0 = case W =:= undef of
true -> [];
false -> [{w_mode, W}]
end,
R0 = case R =:= undef of
true -> [];
false -> [{r_mode, R}]
end,
Ssl = case cuttlefish:conf_get("auth.mongo.ssl", Conf) of
true ->
Filter = fun(Opts) -> [{K, V} || {K, V} <- Opts, V =/= undefined] end,
SslOpts = fun(Prefix) ->
Filter([{keyfile, cuttlefish:conf_get(Prefix ++ ".keyfile", Conf, undefined)},
{certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)},
{cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)}])
end,
[{ssl, true}, {ssl_opts, SslOpts("auth.mongo.ssl_opts")}];
false ->
[]
end,
WorkerOptions = [{database, list_to_binary(DB)}, {auth_source, list_to_binary(AuthSrc)}]
++ Login0 ++ Passwd0 ++ W0 ++ R0 ++ Ssl,
Vars = cuttlefish_variable:fuzzy_matches(["auth", "mongo", "topology", "$name"], Conf),
Options = lists:map(fun({_, Name}) ->
Name2 = case Name of
"local_threshold_ms" -> "localThresholdMS";
"connect_timeout_ms" -> "connectTimeoutMS";
"socket_timeout_ms" -> "socketTimeoutMS";
"server_selection_timeout_ms" -> "serverSelectionTimeoutMS";
"wait_queue_timeout_ms" -> "waitQueueTimeoutMS";
"heartbeat_frequency_ms" -> "heartbeatFrequencyMS";
"min_heartbeat_frequency_ms" -> "minHeartbeatFrequencyMS";
_ -> Name
end,
{list_to_atom(Name2), cuttlefish:conf_get("auth.mongo.topology."++Name, Conf)}
end, Vars),
Type = case Type0 =:= rs of
true -> {Type0, list_to_binary(cuttlefish:conf_get("auth.mongo.rs_set_name", Conf))};
false -> Type0
end,
[{type, Type},
{hosts, Hosts},
{options, Options},
{worker_options, WorkerOptions},
{auto_reconnect, 1},
{pool_size, Pool}]
end}.
%% The mongodb operation timeout is specified by the value of `cursor_timeout` from application config,
%% or `infinity` if `cursor_timeout` not specified
{mapping, "auth.mongo.query_timeout", "mongodb.cursor_timeout", [
{datatype, string}
]}.
{translation, "mongodb.cursor_timeout", fun(Conf) ->
case cuttlefish:conf_get("auth.mongo.query_timeout", Conf, undefined) of
undefined -> infinity;
Duration ->
case cuttlefish_duration:parse(Duration, ms) of
{error, Reason} -> error(Reason);
Ms when is_integer(Ms) -> Ms
end
end
end}.
{mapping, "auth.mongo.auth_query.collection", "emqx_auth_mongo.auth_query", [
{default, "mqtt_user"},
{datatype, string}
]}.
{mapping, "auth.mongo.auth_query.password_field", "emqx_auth_mongo.auth_query", [
{default, "password"},
{datatype, string}
]}.
{mapping, "auth.mongo.auth_query.password_hash", "emqx_auth_mongo.auth_query", [
{datatype, string}
]}.
{mapping, "auth.mongo.auth_query.selector", "emqx_auth_mongo.auth_query", [
{default, ""},
{datatype, string}
]}.
{translation, "emqx_auth_mongo.auth_query", fun(Conf) ->
case cuttlefish:conf_get("auth.mongo.auth_query.collection", Conf) of
undefined -> cuttlefish:unset();
Collection ->
PasswordField = cuttlefish:conf_get("auth.mongo.auth_query.password_field", Conf),
PasswordHash = cuttlefish:conf_get("auth.mongo.auth_query.password_hash", Conf),
SelectorStr = cuttlefish:conf_get("auth.mongo.auth_query.selector", Conf),
SelectorList =
lists:map(fun(Selector) ->
case string:tokens(Selector, "=") of
[Field, Val] -> {list_to_binary(Field), list_to_binary(Val)};
_ -> {<<"username">>, <<"%u">>}
end
end, string:tokens(SelectorStr, ", ")),
PasswordFields = [list_to_binary(Field) || Field <- string:tokens(PasswordField, ",")],
HashValue =
case string:tokens(PasswordHash, ",") of
[Hash] -> list_to_atom(Hash);
[Prefix, Suffix] -> {list_to_atom(Prefix), list_to_atom(Suffix)};
[Hash, MacFun, Iterations, Dklen] -> {list_to_atom(Hash), list_to_atom(MacFun), list_to_integer(Iterations), list_to_integer(Dklen)};
_ -> plain
end,
[{collection, Collection},
{password_field, PasswordFields},
{password_hash, HashValue},
{selector, SelectorList}]
end
end}.
{mapping, "auth.mongo.super_query", "emqx_auth_mongo.super_query", [
{default, off},
{datatype, flag}
]}.
{mapping, "auth.mongo.super_query.collection", "emqx_auth_mongo.super_query", [
{default, "mqtt_user"},
{datatype, string}
]}.
{mapping, "auth.mongo.super_query.super_field", "emqx_auth_mongo.super_query", [
{default, "is_superuser"},
{datatype, string}
]}.
{mapping, "auth.mongo.super_query.selector", "emqx_auth_mongo.super_query", [
{default, ""},
{datatype, string}
]}.
{translation, "emqx_auth_mongo.super_query", fun(Conf) ->
case cuttlefish:conf_get("auth.mongo.super_query.collection", Conf) of
undefined -> cuttlefish:unset();
Collection ->
SuperField = cuttlefish:conf_get("auth.mongo.super_query.super_field", Conf),
SelectorStr = cuttlefish:conf_get("auth.mongo.super_query.selector", Conf),
SelectorList =
lists:map(fun(Selector) ->
case string:tokens(Selector, "=") of
[Field, Val] -> {list_to_binary(Field), list_to_binary(Val)};
_ -> {<<"username">>, <<"%u">>}
end
end, string:tokens(SelectorStr, ", ")),
[{collection, Collection}, {super_field, SuperField}, {selector, SelectorList}]
end
end}.
{mapping, "auth.mongo.acl_query", "emqx_auth_mongo.acl_query", [
{default, off},
{datatype, flag}
]}.
{mapping, "auth.mongo.acl_query.collection", "emqx_auth_mongo.acl_query", [
{default, "mqtt_user"},
{datatype, string}
]}.
{mapping, "auth.mongo.acl_query.selector", "emqx_auth_mongo.acl_query", [
{default, ""},
{datatype, string}
]}.
{mapping, "auth.mongo.acl_query.selector.$id", "emqx_auth_mongo.acl_query", [
{default, ""},
{datatype, string}
]}.
{translation, "emqx_auth_mongo.acl_query", fun(Conf) ->
case cuttlefish:conf_get("auth.mongo.acl_query.collection", Conf) of
undefined -> cuttlefish:unset();
Collection ->
SelectorStrList =
lists:map(
fun
({["auth","mongo","acl_query","selector"], ConfEntry}) ->
ConfEntry;
({["auth","mongo","acl_query","selector", _], ConfEntry}) ->
ConfEntry
end,
cuttlefish_variable:filter_by_prefix("auth.mongo.acl_query.selector", Conf)),
SelectorListList =
lists:map(
fun(SelectorStr) ->
lists:map(fun(Selector) ->
case string:tokens(Selector, "=") of
[Field, Val] -> {list_to_binary(Field), list_to_binary(Val)};
_ -> {<<"username">>, <<"%u">>}
end
end, string:tokens(SelectorStr, ", "))
end,
SelectorStrList),
[{collection, Collection}, {selector, SelectorListList}]
end
end}.

View File

@ -0,0 +1,35 @@
{deps,
[{mongodb, {git,"https://github.com/emqx/mongodb-erlang", {tag, "v3.0.7"}}},
{ecpool, {git,"https://github.com/emqx/ecpool", {tag, "0.5.0"}}},
{emqx_passwd, {git, "https://github.com/emqx/emqx-passwd", {tag, "v1.1.1"}}}
]}.
{edoc_opts, [{preprocess, true}]}.
{erl_opts, [warn_unused_vars,
warn_shadow_vars,
warn_unused_import,
warn_obsolete_guard,
debug_info,
compressed,
{parse_transform}
]}.
{overrides, [{add, [{erl_opts, [compressed]}]}]}.
{xref_checks, [undefined_function_calls, undefined_functions,
locals_not_used, deprecated_function_calls,
warnings_as_errors, deprecated_functions
]}.
{cover_enabled, true}.
{cover_opts, [verbose]}.
{cover_export_enabled, true}.
{profiles,
[{test,
[{deps,
[{emqx_ct_helper, {git, "https://github.com/emqx/emqx-ct-helper", {tag, "1.2.2"}}},
{emqtt, {git, "https://github.com/emqx/emqtt", {tag, "1.2.3"}}}
]},
{erl_opts, [debug_info]}
]}
]}.

View File

@ -0,0 +1,54 @@
%%-*- mode: erlang -*-
DEPS = case lists:keyfind(deps, 1, CONFIG) of
{_, Deps} -> Deps;
_ -> []
end,
ComparingFun = fun
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_list(C2);
is_integer(C1), is_integer(C2) -> C1 < C2 orelse _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_integer(C1), is_list(C2) -> _Fun(R1, R2);
_Fun([C1|R1], [C2|R2]) when is_list(C1), is_integer(C2) -> true;
_Fun(_, _) -> false
end,
SortFun = fun(T1, T2) ->
C = fun(T) ->
[case catch list_to_integer(E) of
I when is_integer(I) -> I;
_ -> E
end || E <- re:split(string:sub_string(T, 2), "[.-]", [{return, list}])]
end,
ComparingFun(C(T1), C(T2))
end,
VTags = string:tokens(os:cmd("git tag -l \"v*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n"),
Tags = case VTags of
[] -> string:tokens(os:cmd("git tag -l \"e*\" --points-at $(git rev-parse $(git describe --abbrev=0 --tags))"), "\n");
_ -> VTags
end,
LatestTag = lists:last(lists:sort(SortFun, Tags)),
Branch = case os:getenv("GITHUB_RUN_ID") of
false -> os:cmd("git branch | grep -e '^*' | cut -d' ' -f 2") -- "\n";
_ -> re:replace(os:getenv("GITHUB_REF"), "^refs/heads/|^refs/tags/", "", [global, {return ,list}])
end,
GitDescribe = case re:run(Branch, "master|^dev/|^hotfix/", [{capture, none}]) of
match -> {branch, Branch};
_ -> {tag, LatestTag}
end,
UrlPrefix = "https://github.com/emqx/",
EMQX_DEP = {emqx, {git, UrlPrefix ++ "emqx", GitDescribe}},
EMQX_MGMT_DEP = {emqx_management, {git, UrlPrefix ++ "emqx-management", GitDescribe}},
NewDeps = [EMQX_DEP, EMQX_MGMT_DEP | DEPS],
CONFIG1 = lists:keystore(deps, 1, CONFIG, {deps, NewDeps}),
CONFIG1.

View File

@ -0,0 +1,90 @@
%%--------------------------------------------------------------------
%% Copyright (c) 2020 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%% http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------
-module(emqx_acl_mongo).
-include("emqx_auth_mongo.hrl").
-include_lib("emqx/include/emqx.hrl").
-include_lib("emqx/include/logger.hrl").
%% ACL callbacks
-export([ register_metrics/0
, check_acl/5
, description/0
]).
-spec(register_metrics() -> ok).
register_metrics() ->
lists:foreach(fun emqx_metrics:ensure/1, ?ACL_METRICS).
check_acl(#{username := <<$$, _/binary>>}, _PubSub, _Topic, _AclResult, _State) ->
ok;
check_acl(ClientInfo, PubSub, Topic, _AclResult, #{aclquery := AclQuery , pool := Pool}) ->
#aclquery{collection = Coll, selector = SelectorList} = AclQuery,
SelectorMapList =
lists:map(fun(Selector) ->
maps:from_list(emqx_auth_mongo:replvars(Selector, ClientInfo))
end, SelectorList),
case emqx_auth_mongo:query_multi(Pool, Coll, SelectorMapList) of
[] -> ok;
Rows ->
try match(ClientInfo, Topic, topics(PubSub, Rows)) of
matched -> emqx_metrics:inc(?ACL_METRICS(allow)),
{stop, allow};
nomatch -> emqx_metrics:inc(?ACL_METRICS(deny)),
{stop, deny}
catch
_Err:Reason->
?LOG(error, "[MongoDB] Check mongo ~p ACL failed, got ACL config: ~p, error: :~p",
[PubSub, Rows, Reason]),
emqx_metrics:inc(?ACL_METRICS(ignore)),
ignore
end
end.
match(_ClientInfo, _Topic, []) ->
nomatch;
match(ClientInfo, Topic, [TopicFilter|More]) ->
case emqx_topic:match(Topic, feedvar(ClientInfo, TopicFilter)) of
true -> matched;
false -> match(ClientInfo, Topic, More)
end.
topics(publish, Rows) ->
lists:foldl(fun(Row, Acc) ->
Topics = maps:get(<<"publish">>, Row, []) ++ maps:get(<<"pubsub">>, Row, []),
lists:umerge(Acc, Topics)
end, [], Rows);
topics(subscribe, Rows) ->
lists:foldl(fun(Row, Acc) ->
Topics = maps:get(<<"subscribe">>, Row, []) ++ maps:get(<<"pubsub">>, Row, []),
lists:umerge(Acc, Topics)
end, [], Rows).
feedvar(#{clientid := ClientId, username := Username}, Str) ->
lists:foldl(fun({Var, Val}, Acc) ->
feedvar(Acc, Var, Val)
end, Str, [{"%u", Username}, {"%c", ClientId}]).
feedvar(Str, _Var, undefined) ->
Str;
feedvar(Str, Var, Val) ->
re:replace(Str, Var, Val, [global, {return, binary}]).
description() -> "ACL with MongoDB".

Some files were not shown because too many files have changed in this diff Show More