Merge pull request #8377 from HJianBo/refactor-http-authz-resp

refactor: authz-http return body to reject pub/sub

apps/emqx_authz/src/emqx_authz.appup.src

@@ -1,7 +1,11 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
-  [{"0.1.0",[{load_module,emqx_authz_utils,brutal_purge,soft_purge,[]}]},
-   {"0.1.1",[{load_module,emqx_authz_utils,brutal_purge,soft_purge,[]}]}],
-  [{"0.1.0",[{load_module,emqx_authz_utils,brutal_purge,soft_purge,[]}]},
-   {"0.1.1",[{load_module,emqx_authz_utils,brutal_purge,soft_purge,[]}]}]}.
+  [{<<"0\\.1\\.[0-1]">>,[
+     {load_module,emqx_authz_utils,brutal_purge,soft_purge,[]},
+     {load_module,emqx_authz_http,brutal_purge,soft_purge,[]}]}
+   ],
+  [{<<"0\\.1\\.[0-1]">>,[
+     {load_module,emqx_authz_utils,brutal_purge,soft_purge,[]},
+     {load_module,emqx_authz_http,brutal_purge,soft_purge,[]}]}
+   ]}.

apps/emqx_authz/src/emqx_authz_http.erl

@@ -84,8 +84,21 @@ authorize(
             {matched, allow};
         {ok, 204, _Headers} ->
             {matched, allow};
-        {ok, 200, _Headers, _Body} ->
-            {matched, allow};
+        {ok, 200, Headers, Body} ->
+            ContentType = content_type(Headers),
+            case emqx_authz_utils:parse_http_resp_body(ContentType, Body) of
+                error ->
+                    ?SLOG(error, #{
+                        msg => authz_http_response_incorrect,
+                        content_type => proplists:get_value(
+                            <<"content-type">>, Headers
+                        ),
+                        body => Body
+                    }),
+                    nomatch;
+                Result ->
+                    {matched, Result}
+            end;
         {ok, _Status, _Headers} ->
             nomatch;
         {ok, _Status, _Headers, _Body} ->
@@ -205,6 +218,15 @@ serialize_body(<<"application/json">>, Body) ->
 serialize_body(<<"application/x-www-form-urlencoded">>, Body) ->
     query_string(Body).
 
+content_type(Headers) when is_list(Headers) ->
+    content_type(maps:from_list(Headers));
+content_type(#{<<"content-type">> := Type}) ->
+    Type;
+content_type(#{<<"Content-Type">> := Type}) ->
+    Type;
+content_type(Headers) when is_map(Headers) ->
+    <<"application/json">>.
+
 client_vars(Client, PubSub, Topic) ->
     Client#{
         action => PubSub,

apps/emqx_authz/src/emqx_authz_utils.erl

@@ -34,6 +34,8 @@
     render_sql_params/2
 ]).
 
+-export([parse_http_resp_body/2]).
+
 -define(DEFAULT_RESOURCE_OPTS, #{
     auto_retry_interval => 6000,
     start_after_created => false
@@ -130,6 +132,25 @@ render_sql_params(ParamList, Values) ->
         #{return => rawlist, var_trans => fun handle_sql_var/2}
     ).
 
+-spec parse_http_resp_body(binary(), binary()) -> allow | deny | ignore | error.
+parse_http_resp_body(<<"application/x-www-form-urlencoded", _/binary>>, Body) ->
+    try
+        result(maps:from_list(cow_qs:parse_qs(Body)))
+    catch
+        _:_ -> error
+    end;
+parse_http_resp_body(<<"application/json", _/binary>>, Body) ->
+    try
+        result(emqx_json:decode(Body, [return_maps]))
+    catch
+        _:_ -> error
+    end.
+
+result(#{<<"result">> := <<"allow">>}) -> allow;
+result(#{<<"result">> := <<"deny">>}) -> deny;
+result(#{<<"result">> := <<"ignore">>}) -> ignore;
+result(_) -> error.
+
 %%--------------------------------------------------------------------
 %% Internal functions
 %%--------------------------------------------------------------------

apps/emqx_authz/test/emqx_authz_http_SUITE.erl

@@ -85,8 +85,8 @@ t_response_handling(_Config) ->
         fun(Req0, State) ->
             Req = cowboy_req:reply(
                 200,
-                #{<<"content-type">> => <<"text/plain">>},
-                "Response body",
+                #{<<"content-type">> => <<"application/json">>},
+                "{\"result\": \"allow\"}",
                 Req0
             ),
             {ok, Req, State}