Startsida Utforska Hjälp
Logga in
kennyh
/
emqx4.3
1
0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: 63beb4e62a
Grenar Taggar
emqx4.3
/
test
/
emqttd_access_SUITE.erl

emqttd_access_SUITE.erl 8.3 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 
  1. %%--------------------------------------------------------------------
    2. 

  2. %% Copyright (c) 2013-2017 EMQ Enterprise, Inc. (http://emqtt.io)
    3. 

  3. %%
    4. 

  4. %% Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. %% you may not use this file except in compliance with the License.
    6. 

  6. %% You may obtain a copy of the License at
    7. 

  7. %%
    8. 

  8. %%     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. %%
    10. 

  10. %% Unless required by applicable law or agreed to in writing, software
    11. 

  11. %% distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. %% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. %% See the License for the specific language governing permissions and
    14. 

  14. %% limitations under the License.
    15. 

  15. %%--------------------------------------------------------------------
    16. 

  16. 

  17. -module(emqttd_access_SUITE).
    18. 

  18. 

  19. -compile(export_all).
    20. 

  20. 

  21. -include("emqttd.hrl").
    22. 

  22. 

  23. -define(AC, emqttd_access_control).
    24. 

  24. 

  25. -import(emqttd_access_rule, [compile/1, match/3]).
    26. 

  26. 

  27. all() ->
    28. 

  28.     [{group, access_control},
    29. 

  29.      {group, access_rule}].
    30. 

  30. 

  31. groups() ->
    32. 

  32.     [{access_control, [sequence],
    33. 

  33.       [reload_acl,
    34. 

  34.        register_mod,
    35. 

  35.        unregister_mod,
    36. 

  36.        check_acl]},
    37. 

  37.      {access_rule, [],
    38. 

  38.       [compile_rule,
    39. 

  39.        match_rule]}].
    40. 

  40. 

  41. init_per_group(access_control, Config) ->
    42. 

  42.     application:load(emqttd),
    43. 

  43.     prepare_config(),
    44. 

  44.     Config;
    45. 

  45. 

  46. init_per_group(_Group, Config) ->
    47. 

  47.     Config.
    48. 

  48. 

  49. prepare_config() ->
    50. 

  50.     Rules = [{allow, {ipaddr, "127.0.0.1"}, subscribe, ["$SYS/#", "#"]},
    51. 

  51.              {allow, {user, "testuser"}, subscribe, ["a/b/c", "d/e/f/#"]},
    52. 

  52.              {allow, {user, "admin"}, pubsub, ["a/b/c", "d/e/f/#"]},
    53. 

  53.              {allow, {client, "testClient"}, subscribe, ["testTopics/testClient"]},
    54. 

  54.              {allow, all, subscribe, ["clients/%c"]},
    55. 

  55.              {allow, all, pubsub, ["users/%u/#"]},
    56. 

  56.              {deny, all, subscribe, ["$SYS/#", "#"]},
    57. 

  57.              {deny, all}],
    58. 

  58.     write_config("access_SUITE_acl.conf", Rules),
    59. 

  59.     Config = [{auth, anonymous, []},
    60. 

  60.               {acl, internal, [{config, "access_SUITE_acl.conf"},
    61. 

  61.                                {nomatch, allow}]}],
    62. 

  62.     write_config("access_SUITE_emqttd.conf", Config),
    63. 

  63.     application:set_env(emqttd, conf, "access_SUITE_emqttd.conf").
    64. 

  64. 

  65. write_config(Filename, Terms) ->
    66. 

  66.     file:write_file(Filename, [io_lib:format("~tp.~n", [Term]) || Term <- Terms]).
    67. 

  67. 

  68. end_per_group(_Group, Config) ->
    69. 

  69.     Config.
    70. 

  70. 

  71. init_per_testcase(TestCase, Config) when TestCase =:= reload_acl;
    72. 

  72.                                          TestCase =:= register_mod;
    73. 

  73.                                          TestCase =:= unregister_mod;
    74. 

  74.                                          TestCase =:= check_acl ->
    75. 

  75.     {ok, _Pid} = ?AC:start_link(), Config;
    76. 

  76. 

  77. init_per_testcase(_TestCase, Config) ->
    78. 

  78.     Config.
    79. 

  79. 

  80. end_per_testcase(TestCase, _Config) when TestCase =:= reload_acl;
    81. 

  81.                                          TestCase =:= register_mod;
    82. 

  82.                                          TestCase =:= unregister_mod;
    83. 

  83.                                          TestCase =:= check_acl ->
    84. 

  84.     ?AC:stop();
    85. 

  85. 

  86. end_per_testcase(_TestCase, _Config) ->
    87. 

  87.     ok.
    88. 

  88. 

  89. %%--------------------------------------------------------------------
    90. 

  90. %% emqttd_access_control
    91. 

  91. %%--------------------------------------------------------------------
    92. 

  92. 

  93. reload_acl(_) ->
    94. 

  94.     [] = ?AC:reload_acl().
    95. 

  95. 

  96. register_mod(_) ->
    97. 

  97.     ok = ?AC:register_mod(acl, emqttd_acl_test_mod, []),
    98. 

  98.     {error, already_existed} = ?AC:register_mod(acl, emqttd_acl_test_mod, []),
    99. 

  99.     [{emqttd_acl_test_mod, _, 0}] = ?AC:lookup_mods(acl),
    100. 

  100.     ok = ?AC:register_mod(auth, emqttd_auth_anonymous_test_mod,[]),
    101. 

  101.     ok = ?AC:register_mod(auth, emqttd_auth_dashboard, [], 99),
    102. 

  102.     [{emqttd_auth_dashboard, _, 99},
    103. 

  103.      {emqttd_auth_anonymous_test_mod, _, 0}] = ?AC:lookup_mods(auth).
    104. 

  104. 

  105. unregister_mod(_) ->
    106. 

  106.     ok = ?AC:register_mod(acl, emqttd_acl_test_mod, []),
    107. 

  107.     [{emqttd_acl_test_mod, _, 0}] = ?AC:lookup_mods(acl),
    108. 

  108.     ok = ?AC:unregister_mod(acl, emqttd_acl_test_mod),
    109. 

  109.     timer:sleep(5),
    110. 

  110.     [] = ?AC:lookup_mods(acl),
    111. 

  111.     ok = ?AC:register_mod(auth, emqttd_auth_anonymous_test_mod,[]),
    112. 

  112.     [{emqttd_auth_anonymous_test_mod, _, 0}] = ?AC:lookup_mods(auth),
    113. 

  113. 

  114.     ok = ?AC:unregister_mod(auth, emqttd_auth_anonymous_test_mod),
    115. 

  115.     timer:sleep(5),
    116. 

  116.     [] = ?AC:lookup_mods(auth).
    117. 

  117. 

  118. check_acl(_) ->
    119. 

  119.     User1 = #mqtt_client{client_id = <<"client1">>, username = <<"testuser">>},
    120. 

  120.     User2 = #mqtt_client{client_id = <<"client2">>, username = <<"xyz">>},
    121. 

  121.     allow = ?AC:check_acl(User1, subscribe, <<"users/testuser/1">>),
    122. 

  122.     allow = ?AC:check_acl(User1, subscribe, <<"clients/client1">>),
    123. 

  123.     allow = ?AC:check_acl(User1, subscribe, <<"clients/client1/x/y">>),
    124. 

  124.     allow = ?AC:check_acl(User1, publish, <<"users/testuser/1">>),
    125. 

  125.     allow = ?AC:check_acl(User1, subscribe, <<"a/b/c">>),
    126. 

  126.     allow = ?AC:check_acl(User2, subscribe, <<"a/b/c">>).
    127. 

  127. 

  128. %%--------------------------------------------------------------------
    129. 

  129. %% emqttd_access_rule
    130. 

  130. %%--------------------------------------------------------------------
    131. 

  131. 

  132. compile_rule(_) ->
    133. 

  133. 

  134.     {allow, {'and', [{ipaddr, {{127,0,0,1}, {127,0,0,1}, 32}},
    135. 

  135.                      {user, <<"user">>}]}, subscribe, [ [<<"$SYS">>, '#'], ['#'] ]} =
    136. 

  136.         compile({allow, {'and', [{ipaddr, "127.0.0.1"}, {user, <<"user">>}]}, subscribe, ["$SYS/#", "#"]}),
    137. 

  137.     {allow, {'or', [{ipaddr, {{127,0,0,1}, {127,0,0,1}, 32}},
    138. 

  138.                     {user, <<"user">>}]}, subscribe, [ [<<"$SYS">>, '#'], ['#'] ]} =
    139. 

  139.         compile({allow, {'or', [{ipaddr, "127.0.0.1"}, {user, <<"user">>}]}, subscribe, ["$SYS/#", "#"]}),
    140. 

  140. 

  141.     {allow, {ipaddr, {{127,0,0,1}, {127,0,0,1}, 32}}, subscribe, [ [<<"$SYS">>, '#'], ['#'] ]} =
    142. 

  142.         compile({allow, {ipaddr, "127.0.0.1"}, subscribe, ["$SYS/#", "#"]}),
    143. 

  143.     {allow, {user, <<"testuser">>}, subscribe, [ [<<"a">>, <<"b">>, <<"c">>], [<<"d">>, <<"e">>, <<"f">>, '#'] ]} =
    144. 

  144.         compile({allow, {user, "testuser"}, subscribe, ["a/b/c", "d/e/f/#"]}),
    145. 

  145.     {allow, {user, <<"admin">>}, pubsub, [ [<<"d">>, <<"e">>, <<"f">>, '#'] ]} =
    146. 

  146.         compile({allow, {user, "admin"}, pubsub, ["d/e/f/#"]}),
    147. 

  147.     {allow, {client, <<"testClient">>}, publish, [ [<<"testTopics">>, <<"testClient">>] ]} =
    148. 

  148.         compile({allow, {client, "testClient"}, publish, ["testTopics/testClient"]}),
    149. 

  149.     {allow, all, pubsub, [{pattern, [<<"clients">>, <<"%c">>]}]} =
    150. 

  150.         compile({allow, all, pubsub, ["clients/%c"]}),
    151. 

  151.     {allow, all, subscribe, [{pattern, [<<"users">>, <<"%u">>, '#']}]} =
    152. 

  152.         compile({allow, all, subscribe, ["users/%u/#"]}),
    153. 

  153.     {deny, all, subscribe, [ [<<"$SYS">>, '#'], ['#'] ]} =
    154. 

  154.         compile({deny, all, subscribe, ["$SYS/#", "#"]}),
    155. 

  155.     {allow, all} = compile({allow, all}),
    156. 

  156.     {deny, all} = compile({deny, all}).
    157. 

  157. 

  158. match_rule(_) ->
    159. 

  159.     User = #mqtt_client{peername = {{127,0,0,1}, 2948}, client_id = <<"testClient">>, username = <<"TestUser">>},
    160. 

  160.     User2 = #mqtt_client{peername = {{192,168,0,10}, 3028}, client_id = <<"testClient">>, username = <<"TestUser">>},
    161. 

  161.     
    162. 

  162.     {matched, allow} = match(User, <<"Test/Topic">>, {allow, all}),
    163. 

  163.     {matched, deny} = match(User, <<"Test/Topic">>, {deny, all}),
    164. 

  164.     {matched, allow} = match(User, <<"Test/Topic">>, compile({allow, {ipaddr, "127.0.0.1"}, subscribe, ["$SYS/#", "#"]})),
    165. 

  165.     {matched, allow} = match(User2, <<"Test/Topic">>, compile({allow, {ipaddr, "192.168.0.1/24"}, subscribe, ["$SYS/#", "#"]})),
    166. 

  166.     {matched, allow} = match(User, <<"d/e/f/x">>, compile({allow, {user, "TestUser"}, subscribe, ["a/b/c", "d/e/f/#"]})),
    167. 

  167.     nomatch = match(User, <<"d/e/f/x">>, compile({allow, {user, "admin"}, pubsub, ["d/e/f/#"]})),
    168. 

  168.     {matched, allow} = match(User, <<"testTopics/testClient">>, compile({allow, {client, "testClient"}, publish, ["testTopics/testClient"]})),
    169. 

  169.     {matched, allow} = match(User, <<"clients/testClient">>, compile({allow, all, pubsub, ["clients/%c"]})),
    170. 

  170.     {matched, allow} = match(#mqtt_client{username = <<"user2">>}, <<"users/user2/abc/def">>,
    171. 

  171.                              compile({allow, all, subscribe, ["users/%u/#"]})),
    172. 

  172.     {matched, deny} = match(User, <<"d/e/f">>, compile({deny, all, subscribe, ["$SYS/#", "#"]})),
    173. 

  173.     Rule = compile({allow, {'and', [{ipaddr, "127.0.0.1"}, {user, <<"WrongUser">>}]}, publish, <<"Topic">>}),
    174. 

  174.     nomatch = match(User, <<"Topic">>, Rule),
    175. 

  175.     AndRule = compile({allow, {'and', [{ipaddr, "127.0.0.1"}, {user, <<"TestUser">>}]}, publish, <<"Topic">>}),
    176. 

  176.     {matched, allow} = match(User, <<"Topic">>, AndRule),
    177. 

  177.     OrRule = compile({allow, {'or', [{ipaddr, "127.0.0.1"}, {user, <<"WrongUser">>}]}, publish, ["Topic"]}),
    178. 

  178.     {matched, allow} = match(User, <<"Topic">>, OrRule).
    179. 

  179.