fix(authn): fix cert_subject and cert_common_name placeholder #8531

Merged
merged 5 commits into from
Jul 26, 2022
Merged
1 change: 1 addition & 0 deletions CHANGES-5.0.md
Expand Up @@ -17,6 +17,7 @@
* Fix `chars_limit` is not working when `formatter` is `json`. [#8518](http://github.com/emqx/emqx/pull/8518)
* Ensuring that exhook dispatches the client events are sequential. [#8530](https://github.com/emqx/emqx/pull/8530)
* Avoid using RocksDB backend for persistent sessions when such backend is unavailable. [#8528](https://github.com/emqx/emqx/pull/8528)
* Fix AuthN `cert_subject` and `cert_common_name` placeholder rendering failure. [#8531](https://github.com/emqx/emqx/pull/8531)
* Support listen on an IPv6 address, e.g: [::1]:1883 or ::1:1883. [#8547](https://github.com/emqx/emqx/pull/8547)
* GET '/rules' support for pagination and fuzzy search. [#8472](https://github.com/emqx/emqx/pull/8472)
**‼️ Note** : The previous API only returns array: `[RuleObj1,RuleObj2]`, after updating, it will become
11 changes: 8 additions & 3 deletions apps/emqx_authn/src/emqx_authn_utils.erl
Expand Up @@ -117,21 +117,21 @@ parse_sql(Template, ReplaceWith) ->
render_deep(Template, Credential) ->
emqx_placeholder:proc_tmpl_deep(
Template,
Credential,
mapping_credential(Credential),
#{return => full_binary, var_trans => fun handle_var/2}
).

render_str(Template, Credential) ->
emqx_placeholder:proc_tmpl(
Template,
Credential,
mapping_credential(Credential),
#{return => full_binary, var_trans => fun handle_var/2}
).

render_sql_params(ParamList, Credential) ->
emqx_placeholder:proc_tmpl(
ParamList,
Credential,
mapping_credential(Credential),
#{return => rawlist, var_trans => fun handle_sql_var/2}
).

Expand Down Expand Up @@ -216,3 +216,8 @@ handle_sql_var({var, <<"peerhost">>}, PeerHost) ->
emqx_placeholder:bin(inet:ntoa(PeerHost));
handle_sql_var(_, Value) ->
emqx_placeholder:sql_data(Value).

mapping_credential(C = #{cn := CN, dn := DN}) ->
C#{cert_common_name => CN, cert_subject => DN};
mapping_credential(C) ->
C.
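Review bot: `mapping_credential/1` (the two new clauses at the end of the file) only adds `cert_common_name`/`cert_subject` when both `cn` and `dn` are present in the credential map, so a credential carrying just one of the two still leaves the corresponding placeholder unrendered; if the caller can supply one without the other, two single-key clauses (or a `maps:get/3` per key) would be more robust. The function also has no `-spec` and no comment; I would add `-spec mapping_credential(map()) -> map().` and `%% Expose the peer certificate's CN and DN under the placeholder names used in authn templates.` above the first clause. Note that `=>` silently overwrites any `cert_subject`/`cert_common_name` the map already holds, which is presumably intended but worth stating in that comment. The three render functions in the first hunk are complete; this hunk is the end of the file.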
12 changes: 9 additions & 3 deletions apps/emqx_authn/test/emqx_authn_http_SUITE.erl
Expand Up @@ -34,7 +34,9 @@
password => <<"plain">>,
peerhost => {127, 0, 0, 1},
listener => 'tcp:default',
protocol => mqtt
protocol => mqtt,
cert_subject => <<"cert_subject_data">>,
cert_common_name => <<"cert_common_name_data">>
}).

-define(SERVER_RESPONSE_JSON(Result), ?SERVER_RESPONSE_JSON(Result, false)).
Expand Down Expand Up @@ -517,7 +519,9 @@ samples() ->
<<"username">> := <<"plain">>,
<<"password">> := <<"plain">>,
<<"clientid">> := <<"clienta">>,
<<"peerhost">> := <<"127.0.0.1">>
<<"peerhost">> := <<"127.0.0.1">>,
<<"cert_subject">> := <<"cert_subject_data">>,
<<"cert_common_name">> := <<"cert_common_name_data">>
} = jiffy:decode(RawBody, [return_maps]),
Req = cowboy_req:reply(
200,
Expand All @@ -534,7 +538,9 @@ samples() ->
<<"clientid">> => ?PH_CLIENTID,
<<"username">> => ?PH_USERNAME,
<<"password">> => ?PH_PASSWORD,
<<"peerhost">> => ?PH_PEERHOST
<<"peerhost">> => ?PH_PEERHOST,
<<"cert_subject">> => ?PH_CERT_SUBJECT,
<<"cert_common_name">> => ?PH_CERT_CN_NAME
}
},
result => {ok, #{is_superuser => false, user_property => #{}}}
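Review bot: The `?CREDENTIALS` macro now places `cert_subject`/`cert_common_name` directly in the credential map, so `mapping_credential/1` passes them through untouched and this suite never exercises the `cn`/`dn` to `cert_*` translation the fix introduces; the same applies to the new seeds in emqx_authn_mongo_SUITE.erl, emqx_authn_mysql_SUITE.erl and emqx_authn_pgsql_SUITE.erl, only the redis suite feeds `cn`/`dn`. I would use the keys `mapping_credential/1` matches on, e.g. `cn => <<"cert_common_name_data">>, dn => <<"cert_subject_data">>` in the macro (and in the `credentials` maps of the other three suites), keeping the `<<"cert_subject">>`/`<<"cert_common_name">>` assertions on the request body unchanged so the test proves the mapping end to end. The macro definition and the `samples/0` list both start before these hunks.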
27 changes: 27 additions & 0 deletions apps/emqx_authn/test/emqx_authn_mongo_SUITE.erl
Expand Up @@ -345,6 +345,33 @@ user_seeds() ->
result => {ok, #{is_superuser => true}}
},

#{
data => #{
cert_subject => <<"cert_subject_data">>,
cert_common_name => <<"cert_common_name_data">>,
password_hash =>
<<"ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf">>,
salt => <<"salt">>,
is_superuser => 1
},
credentials => #{
cert_subject => <<"cert_subject_data">>,
cert_common_name => <<"cert_common_name_data">>,
password => <<"sha256">>
},
config_params => #{
<<"filter">> => #{
<<"cert_subject">> => <<"${cert_subject}">>,
<<"cert_common_name">> => <<"${cert_common_name}">>
},
<<"password_hash_algorithm">> => #{
<<"name">> => <<"sha256">>,
<<"salt_position">> => <<"prefix">>
}
},
result => {ok, #{is_superuser => true}}
},

#{
data => #{
username => <<"bcrypt">>,
46 changes: 43 additions & 3 deletions apps/emqx_authn/test/emqx_authn_mysql_SUITE.erl
Expand Up @@ -318,6 +318,36 @@ user_seeds() ->
result => {ok, #{is_superuser => true}}
},

#{
data => #{
username => "sha256",
password_hash => "ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf",
cert_subject => <<"cert_subject_data">>,
cert_common_name => <<"cert_common_name_data">>,
salt => "salt",
is_superuser_int => 1
},
credentials => #{
clientid => <<"sha256">>,
password => <<"sha256">>,
cert_subject => <<"cert_subject_data">>,
cert_common_name => <<"cert_common_name_data">>
},
config_params => #{
<<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where cert_subject = ${cert_subject} AND \n"
" cert_common_name = ${cert_common_name} LIMIT 1"
>>,
<<"password_hash_algorithm">> => #{
<<"name">> => <<"sha256">>,
<<"salt_position">> => <<"prefix">>
}
},
result => {ok, #{is_superuser => true}}
},

#{
data => #{
username => <<"bcrypt">>,
Expand Down Expand Up @@ -433,14 +463,24 @@ init_seeds() ->
" username VARCHAR(255),\n"
" password_hash VARCHAR(255),\n"
" salt VARCHAR(255),\n"
" cert_subject VARCHAR(255),\n"
" cert_common_name VARCHAR(255),\n"
" is_superuser_str VARCHAR(255),\n"
" is_superuser_int TINYINT)"
),

Fields = [username, password_hash, salt, is_superuser_str, is_superuser_int],
Fields = [
username,
password_hash,
salt,
cert_subject,
cert_common_name,
is_superuser_str,
is_superuser_int
],
InsertQuery =
"INSERT INTO users(username, password_hash, salt, "
" is_superuser_str, is_superuser_int) VALUES(?, ?, ?, ?, ?)",
"INSERT INTO users(username, password_hash, salt, cert_subject, cert_common_name,"
" is_superuser_str, is_superuser_int) VALUES(?, ?, ?, ?, ?, ?, ?)",

lists:foreach(
fun(#{data := Values}) ->
47 changes: 44 additions & 3 deletions apps/emqx_authn/test/emqx_authn_pgsql_SUITE.erl
Expand Up @@ -380,6 +380,36 @@ user_seeds() ->
result => {ok, #{is_superuser => true}}
},

#{
data => #{
username => "sha256",
password_hash => "ac63a624e7074776d677dd61a003b8c803eb11db004d0ec6ae032a5d7c9c5caf",
cert_subject => <<"cert_subject_data">>,
cert_common_name => <<"cert_common_name_data">>,
salt => "salt",
is_superuser_int => 1
},
credentials => #{
clientid => <<"sha256">>,
password => <<"sha256">>,
cert_subject => <<"cert_subject_data">>,
cert_common_name => <<"cert_common_name_data">>
},
config_params => #{
<<"query">> =>
<<
"SELECT password_hash, salt, is_superuser_int as is_superuser\n"
" FROM users where cert_subject = ${cert_subject} AND \n"
" cert_common_name = ${cert_common_name} LIMIT 1"
>>,
<<"password_hash_algorithm">> => #{
<<"name">> => <<"sha256">>,
<<"salt_position">> => <<"prefix">>
}
},
result => {ok, #{is_superuser => true}}
},

#{
data => #{
username => <<"bcrypt">>,
Expand Down Expand Up @@ -474,6 +504,8 @@ init_seeds() ->
" username varchar(255),\n"
" password_hash varchar(255),\n"
" salt varchar(255),\n"
" cert_subject varchar(255),\n"
" cert_common_name varchar(255),\n"
" is_superuser_str varchar(255),\n"
" is_superuser_int smallint,\n"
" is_superuser_bool boolean)"
Expand All @@ -487,12 +519,21 @@ init_seeds() ->
).

create_user(Values) ->
Fields = [username, password_hash, salt, is_superuser_str, is_superuser_int, is_superuser_bool],
Fields = [
username,
password_hash,
salt,
cert_subject,
cert_common_name,
is_superuser_str,
is_superuser_int,
is_superuser_bool
],

InsertQuery =
"INSERT INTO users(username, password_hash, salt,"
"INSERT INTO users(username, password_hash, salt, cert_subject, cert_common_name, "
"is_superuser_str, is_superuser_int, is_superuser_bool) "
"VALUES($1, $2, $3, $4, $5, $6)",
"VALUES($1, $2, $3, $4, $5, $6, $7, $8)",

Params = [maps:get(F, Values, null) || F <- Fields],
{ok, 1} = q(InsertQuery, Params),
46 changes: 46 additions & 0 deletions apps/emqx_authn/test/emqx_authn_redis_SUITE.erl
Expand Up @@ -475,6 +475,52 @@ user_seeds() ->
}
},
result => {ok, #{is_superuser => true}}
},

#{
data => #{
password_hash =>
<<"a3c7f6b085c3e5897ffb9b86f18a9d905063f8550a74444b5892e193c1b50428">>,
is_superuser => <<"1">>
},
credentials => #{
clientid => <<"sha256_no_salt">>,
cn => <<"cert_common_name">>,
dn => <<"cert_subject_name">>,
password => <<"sha256_no_salt">>
},
key => <<"mqtt_user:cert_common_name">>,
config_params => #{
<<"cmd">> => <<"HMGET mqtt_user:${cert_common_name} password_hash is_superuser">>,
<<"password_hash_algorithm">> => #{
<<"name">> => <<"sha256">>,
<<"salt_position">> => <<"disable">>
}
},
result => {ok, #{is_superuser => true}}
},

#{
data => #{
password_hash =>
<<"a3c7f6b085c3e5897ffb9b86f18a9d905063f8550a74444b5892e193c1b50428">>,
is_superuser => <<"1">>
},
credentials => #{
clientid => <<"sha256_no_salt">>,
cn => <<"cert_common_name">>,
dn => <<"cert_subject_name">>,
password => <<"sha256_no_salt">>
},
key => <<"mqtt_user:cert_subject_name">>,
config_params => #{
<<"cmd">> => <<"HMGET mqtt_user:${cert_subject} password_hash is_superuser">>,
<<"password_hash_algorithm">> => #{
<<"name">> => <<"sha256">>,
<<"salt_position">> => <<"disable">>
}
},
result => {ok, #{is_superuser => true}}
}
].
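Review bot: Both new seeds use `dn => <<"cert_subject_name">>`, a value with none of the `=`, `,` or spaces a real certificate subject carries, so the test does not show how a subject such as `CN=client,O=example` renders inside `HMGET mqtt_user:${cert_subject} password_hash is_superuser`; whether the `cmd` template is split into arguments before or after rendering cannot be told from this hunk, and a subject containing whitespace is exactly the case a seed should pin down. I would add one seed whose `dn` is a realistic subject string and whose `key` is the matching `mqtt_user:<that subject>` entry (placeholder), expecting the same `{ok, #{is_superuser => true}}`. The `user_seeds/0` list starts before this hunk.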
