Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: exhook client.authorize never be execauted #8780

Merged
merged 4 commits into from
Sep 2, 2022
Merged

fix: exhook client.authorize never be execauted #8780

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
168f44e
fix: exhook client.authorize never be execauted
HJianBo Aug 23, 2022
71aaf5c
fix(authz): fix dialyzer && test case && proper error
lafirest Aug 31, 2022
63a6cd1
test: add emqx_access_control:authorize case for exhook
lafirest Aug 31, 2022
05bbadc
chore: bump ahutz version && update CHANGES-5.0.md
lafirest Aug 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGES-5.0.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# 5.0.8

## Bug fixes

* Fix exhook `client.authorize` never being execauted. [#8780](https://github.com/emqx/emqx/pull/8780)

## Enhancements

* change the `/gateway` API path to plural form. [#8823](https://github.com/emqx/emqx/pull/8823)
Expand Down
24 changes: 21 additions & 3 deletions apps/emqx/src/emqx_access_control.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
-module(emqx_access_control).

-include("emqx.hrl").
-include("logger.hrl").

-export([
authenticate/1,
Expand Down Expand Up @@ -70,9 +71,26 @@ check_authorization_cache(ClientInfo, PubSub, Topic) ->

do_authorize(ClientInfo, PubSub, Topic) ->
NoMatch = emqx:get_config([authorization, no_match], allow),
case run_hooks('client.authorize', [ClientInfo, PubSub, Topic], NoMatch) of
allow -> allow;
_Other -> deny
Default = #{result => NoMatch, from => default},
case run_hooks('client.authorize', [ClientInfo, PubSub, Topic], Default) of
AuthzResult = #{result := Result} when Result == allow; Result == deny ->
From = maps:get(from, AuthzResult, unknown),
emqx:run_hook(
'client.check_authz_complete',
[ClientInfo, PubSub, Topic, Result, From]
),
Result;
Other ->
?SLOG(error, #{
msg => "unknown_authorization_return_format",
expected_example => "#{result => allow, from => default}",
got => Other
}),
emqx:run_hook(
'client.check_authz_complete',
[ClientInfo, PubSub, Topic, deny, unknown_return_format]
),
deny
end.

-compile({inline, [run_hooks/3]}).
Expand Down
1 change: 1 addition & 0 deletions apps/emqx/test/emqx_proper_types.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ conninfo() ->
{conn_props, properties()},
{connected, boolean()},
{connected_at, timestamp()},
{disconnected_at, timestamp()},
{keepalive, range(0, 16#ffff)},
{receive_maximum, non_neg_integer()},
{expiry_interval, non_neg_integer()}
Expand Down
2 changes: 1 addition & 1 deletion apps/emqx_authz/src/emqx_authz.app.src
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
%% -*- mode: erlang -*-
{application, emqx_authz, [
{description, "An OTP application"},
{vsn, "0.1.4"},
{vsn, "0.1.5"},
{registered, []},
{mod, {emqx_authz_app, []}},
{applications, [
Expand Down
25 changes: 7 additions & 18 deletions apps/emqx_authz/src/emqx_authz.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,8 @@

-type default_result() :: allow | deny.

-type authz_result() :: {stop, allow} | {ok, deny}.
-type authz_result_value() :: #{result := allow | deny, from => _}.
-type authz_result() :: {stop, authz_result_value()} | {ok, authz_result_value()} | ignore.

-type sources() :: [source()].

Expand Down Expand Up @@ -319,7 +320,7 @@ authorize(
is_superuser => true
}),
emqx_metrics:inc(?METRIC_SUPERUSER),
{stop, allow};
{stop, #{result => allow, from => superuser}};
false ->
authorize_non_superuser(Client, PubSub, Topic, DefaultResult, Sources)
end.
Expand All @@ -331,15 +332,11 @@ authorize_non_superuser(
} = Client,
PubSub,
Topic,
DefaultResult,
_DefaultResult,
Sources
) ->
case do_authorize(Client, PubSub, Topic, sources_with_defaults(Sources)) of
{{matched, allow}, AuthzSource} ->
emqx:run_hook(
'client.check_authz_complete',
[Client, PubSub, Topic, allow, AuthzSource]
),
log_allowed(#{
username => Username,
ipaddr => IpAddress,
Expand All @@ -348,12 +345,8 @@ authorize_non_superuser(
}),
emqx_metrics_worker:inc(authz_metrics, AuthzSource, allow),
emqx_metrics:inc(?METRIC_ALLOW),
{stop, allow};
{stop, #{result => allow, from => AuthzSource}};
{{matched, deny}, AuthzSource} ->
emqx:run_hook(
'client.check_authz_complete',
[Client, PubSub, Topic, deny, AuthzSource]
),
?SLOG(warning, #{
msg => "authorization_permission_denied",
username => Username,
Expand All @@ -363,12 +356,8 @@ authorize_non_superuser(
}),
emqx_metrics_worker:inc(authz_metrics, AuthzSource, deny),
emqx_metrics:inc(?METRIC_DENY),
{stop, deny};
{stop, #{result => deny, from => AuthzSource}};
nomatch ->
emqx:run_hook(
'client.check_authz_complete',
[Client, PubSub, Topic, DefaultResult, default]
),
?SLOG(info, #{
msg => "authorization_failed_nomatch",
username => Username,
Expand All @@ -377,7 +366,7 @@ authorize_non_superuser(
reason => "no-match rule"
}),
emqx_metrics:inc(?METRIC_NOMATCH),
{stop, DefaultResult}
ignore
end.

log_allowed(Meta) ->
Expand Down
4 changes: 2 additions & 2 deletions apps/emqx_exhook/src/emqx_exhook_handler.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ on_client_authenticate(ClientInfo, AuthResult) ->
end.

on_client_authorize(ClientInfo, PubSub, Topic, Result) ->
Bool = Result == allow,
Bool = maps:get(result, Result, deny) == allow,
Type =
case PubSub of
publish -> 'PUBLISH';
Expand All @@ -158,7 +158,7 @@ on_client_authorize(ClientInfo, PubSub, Topic, Result) ->
true -> allow;
_ -> deny
end,
{StopOrOk, NResult};
{StopOrOk, #{result => NResult, from => exhook}};
_ ->
{ok, Result}
end.
Expand Down
32 changes: 29 additions & 3 deletions apps/emqx_exhook/test/emqx_exhook_SUITE.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

-include_lib("eunit/include/eunit.hrl").
-include_lib("common_test/include/ct.hrl").
-include_lib("emqx/include/emqx_hooks.hrl").

-define(DEFAULT_CLUSTER_NAME_ATOM, emqxcl).

Expand Down Expand Up @@ -105,7 +106,10 @@ load_cfg(Cfg) ->
%%--------------------------------------------------------------------

t_access_failed_if_no_server_running(Config) ->
emqx_exhook_mgr:disable(<<"default">>),
meck:expect(emqx_metrics_worker, inc, fun(_, _, _) -> ok end),
meck:expect(emqx_metrics, inc, fun(_) -> ok end),
emqx_hooks:add('client.authorize', {emqx_authz, authorize, [[]]}, ?HP_AUTHZ),

ClientInfo = #{
clientid => <<"user-id-1">>,
username => <<"usera">>,
Expand All @@ -114,14 +118,35 @@ t_access_failed_if_no_server_running(Config) ->
protocol => mqtt,
mountpoint => undefined
},
?assertMatch(
allow,
emqx_access_control:authorize(
ClientInfo#{username => <<"gooduser">>},
publish,
<<"acl/1">>
)
),

?assertMatch(
deny,
emqx_access_control:authorize(
ClientInfo#{username => <<"baduser">>},
publish,
<<"acl/2">>
)
),

emqx_exhook_mgr:disable(<<"default">>),
?assertMatch(
{stop, {error, not_authorized}},
emqx_exhook_handler:on_client_authenticate(ClientInfo, #{auth_result => success})
),

?assertMatch(
{stop, deny},
emqx_exhook_handler:on_client_authorize(ClientInfo, publish, <<"t/1">>, allow)
{stop, #{result := deny, from := exhook}},
emqx_exhook_handler:on_client_authorize(ClientInfo, publish, <<"t/1">>, #{
result => allow, from => exhook
})
),

Message = emqx_message:make(<<"t/1">>, <<"abc">>),
Expand All @@ -130,6 +155,7 @@ t_access_failed_if_no_server_running(Config) ->
emqx_exhook_handler:on_message_publish(Message)
),
emqx_exhook_mgr:enable(<<"default">>),
emqx_hooks:del('client.authorize', {emqx_authz, authorize}),
assert_get_basic_usage_info(Config).

t_lookup(_) ->
Expand Down
17 changes: 12 additions & 5 deletions apps/emqx_exhook/test/props/prop_exhook_hooks.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,9 +133,16 @@ prop_client_authenticate() ->
).

prop_client_authorize() ->
MkResult = fun(Result) -> #{result => Result, from => exhook} end,
?ALL(
{ClientInfo0, PubSub, Topic, Result, Meta},
{clientinfo(), oneof([publish, subscribe]), topic(), oneof([allow, deny]), request_meta()},
{
clientinfo(),
oneof([publish, subscribe]),
topic(),
oneof([MkResult(allow), MkResult(deny)]),
request_meta()
},
begin
ClientInfo = inject_magic_into(username, ClientInfo0),
OutResult = emqx_hooks:run_fold(
Expand All @@ -145,9 +152,9 @@ prop_client_authorize() ->
),
ExpectedOutResult =
case maps:get(username, ClientInfo) of
<<"baduser">> -> deny;
<<"gooduser">> -> allow;
<<"normaluser">> -> allow;
<<"baduser">> -> MkResult(deny);
<<"gooduser">> -> MkResult(allow);
<<"normaluser">> -> MkResult(allow);
_ -> Result
end,
?assertEqual(ExpectedOutResult, OutResult),
Expand Down Expand Up @@ -544,7 +551,7 @@ subopts(SubOpts) ->
authresult_to_bool(AuthResult) ->
AuthResult == ok.

aclresult_to_bool(Result) ->
aclresult_to_bool(#{result := Result}) ->
Result == allow.

pubsub_to_enum(publish) -> 'PUBLISH';
Expand Down