
Merge pull request #11490 from lafirest/fix/absent_pw

fix(authn): quickly return when the password is absent in password-based authentication
lafirest 2 yıl önce
ebeveyn
işleme
f8f39bf223

+ 2 - 0
apps/emqx_authn/src/simple_authn/emqx_authn_mnesia.erl

@@ -173,6 +173,8 @@ update(Config, _State) ->
 
 authenticate(#{auth_method := _}, _) ->
     ignore;
+authenticate(#{password := undefined}, _) ->
+    {error, bad_username_or_password};
 authenticate(
     #{password := Password} = Credential,
     #{
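Review bot: The added clause `authenticate(#{password := undefined}, _)` returns `{error, bad_username_or_password}` rather than `ignore`, and nothing at the clause says that this is deliberate. If the chain stops at the first result other than `ignore` (the `nomatch` to `failed` metric change in emqx_authn_api_SUITE.erl suggests it does), a CONNECT without a password no longer reaches authenticators configured after this one, so I would add a comment such as `%% No password supplied: fail without a lookup; this ends the chain instead of falling through`. The identical clause is repeated in the emqx_authn_mongodb, emqx_authn_mysql, emqx_authn_pgsql, emqx_authn_redis and emqx_ldap_authn hunks; a single check before dispatching to the providers would keep a future password-based backend from omitting it. The general authenticate/2 clause continues outside the hunk.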

+ 2 - 0
apps/emqx_authn/src/simple_authn/emqx_authn_mongodb.erl

@@ -160,6 +160,8 @@ destroy(#{resource_id := ResourceId}) ->
 
 authenticate(#{auth_method := _}, _) ->
     ignore;
+authenticate(#{password := undefined}, _) ->
+    {error, bad_username_or_password};
 authenticate(
     #{password := Password} = Credential,
     #{

+ 2 - 0
apps/emqx_authn/src/simple_authn/emqx_authn_mysql.erl

@@ -110,6 +110,8 @@ destroy(#{resource_id := ResourceId}) ->
 
 authenticate(#{auth_method := _}, _) ->
     ignore;
+authenticate(#{password := undefined}, _) ->
+    {error, bad_username_or_password};
 authenticate(
     #{password := Password} = Credential,
     #{

+ 2 - 0
apps/emqx_authn/src/simple_authn/emqx_authn_pgsql.erl

@@ -113,6 +113,8 @@ destroy(#{resource_id := ResourceId}) ->
 
 authenticate(#{auth_method := _}, _) ->
     ignore;
+authenticate(#{password := undefined}, _) ->
+    {error, bad_username_or_password};
 authenticate(
     #{password := Password} = Credential,
     #{

+ 2 - 0
apps/emqx_authn/src/simple_authn/emqx_authn_redis.erl

@@ -148,6 +148,8 @@ destroy(#{resource_id := ResourceId}) ->
 
 authenticate(#{auth_method := _}, _) ->
     ignore;
+authenticate(#{password := undefined}, _) ->
+    {error, bad_username_or_password};
 authenticate(
     #{password := Password} = Credential,
     #{

+ 2 - 2
apps/emqx_authn/test/emqx_authn_SUITE.erl

@@ -102,7 +102,7 @@ t_will_message_connection_denied(Config) when is_list(Config) ->
     {error, _} = emqtt:connect(Publisher),
     receive
         {'DOWN', Ref, process, Publisher, Reason} ->
-            ?assertEqual({shutdown, unauthorized_client}, Reason)
+            ?assertEqual({shutdown, malformed_username_or_password}, Reason)
     after 2000 ->
         error(timeout)
     end,
@@ -151,7 +151,7 @@ t_password_undefined(Config) when is_list(Config) ->
                     header = #mqtt_packet_header{type = ?CONNACK},
                     variable = #mqtt_packet_connack{
                         ack_flags = 0,
-                        reason_code = ?CONNACK_AUTH
+                        reason_code = ?CONNACK_CREDENTIALS
                     },
                     payload = undefined
                 },
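Review bot: The updated expectations record a client-visible change that the commit text and the `perf-11490` changelog entry do not mention: a CONNECT without a password is now refused with `?CONNACK_CREDENTIALS` and `malformed_username_or_password` where the tests previously expected `?CONNACK_AUTH` and `unauthorized_client`. Alerting, audit queries or client retry logic keyed on the old reason would see different values after the upgrade. A short comment at each changed assertion would make the intent explicit, e.g. `%% absent password is rejected by the authenticator itself, not by the final chain verdict`. Both test functions start and end outside the hunks, so the setup that produces these results is not visible here.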

+ 2 - 2
apps/emqx_authn/test/emqx_authn_api_SUITE.erl

@@ -359,7 +359,7 @@ test_authenticator_users(PathPrefix) ->
                 <<"metrics">> := #{
                     <<"total">> := 1,
                     <<"success">> := 0,
-                    <<"nomatch">> := 1
+                    <<"failed">> := 1
                 }
             } = emqx_utils_json:decode(PageData0, [return_maps]);
         ["listeners", 'tcp:default'] ->
@@ -417,7 +417,7 @@ test_authenticator_users(PathPrefix) ->
                 <<"metrics">> := #{
                     <<"total">> := 2,
                     <<"success">> := 1,
-                    <<"nomatch">> := 1
+                    <<"failed">> := 1
                 }
             } = emqx_utils_json:decode(PageData01, [return_maps]);
         ["listeners", 'tcp:default'] ->

+ 1 - 1
apps/emqx_authn/test/emqx_authn_enable_flag_SUITE.erl

@@ -102,7 +102,7 @@ t_enable_authn(_Config) ->
     %% enable_authn set to true, we go to the set up authn and fail
     {ok, ConnPid1} = emqtt:start_link([{port, 18830}, {clientid, <<"clientid">>}]),
     ?assertMatch(
-        {error, {unauthorized_client, _}},
+        {error, {malformed_username_or_password, _}},
         emqtt:connect(ConnPid1)
     ),
     ok.

+ 2 - 0
apps/emqx_ldap/src/emqx_ldap_authn.erl

@@ -109,6 +109,8 @@ destroy(#{resource_id := ResourceId}) ->
 
 authenticate(#{auth_method := _}, _) ->
     ignore;
+authenticate(#{password := undefined}, _) ->
+    {error, bad_username_or_password};
 authenticate(
     #{password := Password} = Credential,
     #{
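Review bot: This guard matches only the atom `undefined`, so a password that is present but empty (`<<>>`) still falls through to the general clause. For LDAP that matters more than for the other backends: if the code further down verifies the password by binding to the directory, many servers treat a bind with a DN and an empty password as an unauthenticated bind and report success (RFC 4513, section 5.1.2). The rest of authenticate/2 is outside the hunk, so I cannot confirm how verification is done here; if it binds, consider widening the guard, e.g. `authenticate(#{password := P}, _) when P =:= undefined; P =:= <<>> ->`.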

+ 1 - 0
changes/ce/perf-11490.en.md

@@ -0,0 +1 @@
+Quickly return the result when the password is absent in password-based authentication.