
refactor: get server FQDN from principal

zmstone 1 yıl önce
ebeveyn
işleme
9418ed02bf

+ 9 - 1
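--- a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl
+++ b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos.erl
@@ -66,8 +66,16 @@ authenticate(_Credential, _State) ->
 %% Internal functions
 %%------------------------------------------------------------------------------
 
+%% @private Parse server principal to get server FQDN.
+%% The principal format is validated by config schema, so it can be assertive here.
+get_server_fqdn(Principal) ->
+    Pattern = "^([a-zA-Z0-9._-]+)/([a-zA-Z0-9.-]+)@",
+    {match, [_, FQDN]} = re:run(Principal, Pattern, [{capture, all_but_first, binary}]),
+    FQDN.
+
 auth_new(Principal) ->
-    case sasl_auth:server_new(<<"emqx">>, Principal) of
+    ServerFQDN = get_server_fqdn(Principal),
+    case sasl_auth:server_new(<<"emqx">>, Principal, ServerFQDN) of
         {ok, SaslConn} ->
             {ok, SaslConn};
         Error ->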
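Review bot: The pattern in `get_server_fqdn/1` requires a literal `@` after the host component, but `validate_principal/1` in emqx_authn_kerberos_schema.erl makes the `@REALM` suffix optional, so a realm-less principal (a made-up example: `mqtt/host.example`) passes config validation and then crashes `auth_new/1` with a `badmatch` on `nomatch` at authentication time. The new comment explicitly relies on the schema for the assertive match, so the two patterns must agree; the smallest fix is `Pattern = "^([a-zA-Z0-9._-]+)/([a-zA-Z0-9.-]+)(?:@|$)",`, and exporting one shared pattern from the schema module would stop them drifting again. The `@private` comment should also say that the extracted host becomes the third argument to `sasl_auth:server_new/3`, i.e. the service hostname the server authenticates as, since that is what makes the parse security-relevant rather than cosmetic. `auth_new/1` continues past the end of the hunk.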

+ 9 - 6
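--- a/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl
+++ b/apps/emqx_auth_kerberos/src/emqx_authn_kerberos_schema.erl
@@ -42,12 +42,8 @@ fields(kerberos) ->
             {principal,
                 ?HOCON(binary(), #{
                     required => true,
-                    desc => ?DESC(principal)
-                })},
-            {server_fqdn,
-                ?HOCON(binary(), #{
-                    required => true,
-                    desc => ?DESC(server_fqdn)
+                    desc => ?DESC(principal),
+                    validator => fun validate_principal/1
                 })},
             {keytab_file,
                 ?HOCON(binary(), #{
@@ -62,3 +58,10 @@ desc(kerberos) ->
     "Settings for Kerberos authentication.";
 desc(_) ->
     undefined.
+
+validate_principal(S) ->
+    P = <<"^([a-zA-Z0-9\\._-]+)/([a-zA-Z0-9\\.-]+)(?:@([A-Z0-9\\.-]+))?$">>,
+    case re:run(S, P) of
+        nomatch -> {error, invalid_server_principal_string};
+        {match, _} -> ok
+    end.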
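Review bot: The realm group in `validate_principal/1`, `[A-Z0-9\\.-]+`, admits upper-case letters only, so a principal with a lower-case realm is rejected at config time even though Kerberos realm names are case-sensitive strings and lower-case realms do occur; either widen it to `[A-Za-z0-9.-]+` or state the upper-case rule in a comment above the function (the `\\.` escapes are redundant inside a character class either way). `$` in PCRE also matches before a final newline, so `\\z` is the tighter anchor for a value that is later handed to `sasl_auth:server_new/3` unchanged, and `re:run(S, P, [{capture, none}])` returns the bare `match` atom instead of a capture list this clause discards. The guidance that the host part must match what clients request for, which lived only in the `server_fqdn` entry deleted from rel/i18n/emqx_authn_kerberos_schema.hocon, now has no home; the `principal` description (outside the visible hunk) should explain that its host component is used as the server FQDN. The `fields/1` clause in the first hunk starts and ends outside it.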

+ 0 - 13
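--- a/rel/i18n/emqx_authn_kerberos_schema.hocon
+++ b/rel/i18n/emqx_authn_kerberos_schema.hocon
@@ -8,19 +8,6 @@ principal {
         NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
 }
 
-server_fqdn {
-    label: "Server FQDN"
-    desc: """~
-        This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
-        However, it is not strictly necessary for it to be an accessible network address.
-        Important considerations include:
-
-        - It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
-        - The client must use this exact value to request authentication services.
-
-        This ensures that the client and server agree on the identity being authenticated.~"""
-}
-
 keytab_file {
     label: "Keytab File"
     desc: """~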