feat(emqx-init): refactor
prehor committed Jul 8, 2024
1 parent 9960f05 commit 1a696a6
Showing 1 changed file with 73 additions and 67 deletions.
140 changes: 73 additions & 67 deletions apps/emqx-init/entrypoint.sh
Expand Up @@ -10,15 +10,13 @@
: "${INIT_EMQX_TOPIC_ACTION:=all}"
: "${INIT_EMQX_TOPIC_PERMISSION:=allow}"
: "${INIT_EMQX_TOPIC_ACLS}"
: "${CURL_PARAMS:=-s}"
: "${CURL_PARAMS:=-s -f -N}"

INIT_EMQX_BASE_API_URL="http://${INIT_EMQX_ACCESS_KEY}:${INIT_EMQX_SECRET_KEY}@${INIT_EMQX_API_HOST}:${INIT_EMQX_API_PORT}/api/v5"
INIT_EMQX_CHECK_API_URL="${INIT_EMQX_BASE_API_URL}/authentication/password_based:built_in_database/status"
INIT_EMQX_AUTHN_API_URL="${INIT_EMQX_BASE_API_URL}/authentication/password_based:built_in_database/users"
INIT_EMQX_AUTHZ_API_URL="${INIT_EMQX_BASE_API_URL}/authorization/sources/built_in_database/rules/users"

env | sort

# Wait for EMQX
wait_for_emqx() {
while ! curl ${CURL_PARAMS} "${INIT_EMQX_CHECK_API_URL}" 2> /dev/null; do
Expand All @@ -30,97 +28,105 @@ wait_for_emqx() {
}

# Authentication
check_emqx_user() {
# TODO: check_emqx_user
echo "WARNING: check_emqx_user unimplemented!"
return 1 # 0 = found, 1 = not found
}
update_emqx_user() {
# TODO: update_emqx_user
echo "ERROR: update_emqx_user unimplemented!"
exit 1
}
create_emqx_user() {
curl ${CURL_PARAMS} \
"${INIT_EMQX_AUTHN_API_URL}" \
-H 'Content-Type: application/json' \
-d "$(cat <<EOF
init_emqx_authentication_user() {
# Check if the user exists
local INIT_EMQX_USER_ID="$(curl ${CURL_PARAMS} "${INIT_EMQX_AUTHN_API_URL}/${INIT_EMQX_USER}" | jq -r 'try .user_id')"
if [ "${INIT_EMQX_USER}" == "${INIT_EMQX_USER_ID}" ]; then
# Update existing user
curl ${CURL_PARAMS} -XPUT \
"${INIT_EMQX_AUTHN_API_URL}/${INIT_EMQX_USER}" \
-H 'Content-Type: application/json' \
-d "$(cat <<EOF
{
"user_id": "${INIT_EMQX_USER}",
"is_superuser": false,
"password": "${INIT_EMQX_PASS}"
}
EOF
)"
echo
echo 'EMQX access key created!'
)" | jq -c '.'
echo "EMQX account '${INIT_EMQX_USER}' updated"
else
# Create new user
curl ${CURL_PARAMS} -XPOST \
"${INIT_EMQX_AUTHN_API_URL}" \
-H 'Content-Type: application/json' \
-d "$(cat <<EOF
{
"is_superuser": false,
"password": "${INIT_EMQX_PASS}",
"user_id": "${INIT_EMQX_USER}"
}
EOF
)" | jq -c '.'
echo "EMQX account '${INIT_EMQX_USER}' created"
fi
}

# Authorization
check_emqx_rule() {
local INIT_EMQX_TOPIC_USER="$(echo "$1" | cut -d ':' -f 1)"
local INIT_EMQX_TOPIC="$(echo "$1" | cut -d ':' -f 2)"
local INIT_EMQX_TOPIC_ACTION="$(echo "$1" | cut -d ':' -f 3)"
local INIT_EMQX_TOPIC_PERMISSION="$(echo "$1" | cut -d ':' -f 4)"

# TODO: check_emqx_rule
echo "WARNING: check_emqx_rule unimplemented!"
return 1 # 0 = found, 1 = not found
init_emqx_authorization_user() {
# Check if the user exists
if ! curl ${CURL_PARAMS} "${INIT_EMQX_AUTHZ_API_URL}/$1" -o /dev/null; then
# Create new user
curl ${CURL_PARAMS} -XPOST \
"${INIT_EMQX_AUTHZ_API_URL}" \
-H 'Content-Type: application/json' \
-d "$(cat <<EOF
[
{
"username": "$1",
"rules": []
}
]
EOF
)"
curl ${CURL_PARAMS} "${INIT_EMQX_AUTHZ_API_URL}/$1" | jq -c '.'
echo "EMQX authorization for user '$1' created"
fi
}
update_emqx_rule() {
init_emqx_authorization_rule() {
local INIT_EMQX_TOPIC_USER="$(echo "$1" | cut -d ':' -f 1)"
local INIT_EMQX_TOPIC="$(echo "$1" | cut -d ':' -f 2)"
local INIT_EMQX_TOPIC_ACTION="$(echo "$1" | cut -d ':' -f 3)"
local INIT_EMQX_TOPIC_PERMISSION="$(echo "$1" | cut -d ':' -f 4)"

# TODO: update_emqx_rule
echo "ERROR: update_emqx_rule unimplemented!"
exit 1
}
create_emqx_rule() {
local INIT_EMQX_TOPIC_USER="$(echo "$1" | cut -d ':' -f 1)"
local INIT_EMQX_TOPIC="$(echo "$1" | cut -d ':' -f 2)"
local INIT_EMQX_TOPIC_ACTION="$(echo "$1" | cut -d ':' -f 3)"
local INIT_EMQX_TOPIC_PERMISSION="$(echo "$1" | cut -d ':' -f 4)"
# Be sure that the authorized user exists
init_emqx_authorization_user "${INIT_EMQX_TOPIC_USER}"

# Get other rules
local INIT_EMQX_TOPIC_OTHER_RULES="$(curl ${CURL_PARAMS} "${INIT_EMQX_AUTHZ_API_URL}/${INIT_EMQX_TOPIC_USER}" | jq -c ".rules[] | select(.topic != \"${INIT_EMQX_TOPIC}\")" | tr '\n' ' ')"

curl ${CURL_PARAMS} \
"${INIT_EMQX_AUTHZ_API_URL}" \
# Get new rule
local INIT_EMQX_TOPIC_RULE="{\"action\": \"${INIT_EMQX_TOPIC_ACTION}\",\"permission\": \"${INIT_EMQX_TOPIC_PERMISSION}\",\"topic\": \"${INIT_EMQX_TOPIC}\"}"

# Get updated rules
local INIT_EMQX_TOPIC_RULES="$(echo "${INIT_EMQX_TOPIC_RULE}${INIT_EMQX_TOPIC_OTHER_RULES}" | sed -E 's/\}\s*\{/},{/g')"

# Update rules
curl ${CURL_PARAMS} -XPUT \
"${INIT_EMQX_AUTHZ_API_URL}/${INIT_EMQX_TOPIC_USER}" \
-H 'Content-Type: application/json' \
-d "$(cat <<EOF
[
{
"username": "${INIT_EMQX_TOPIC_USER}",
"rules": [
{
"action": "${INIT_EMQX_TOPIC_ACTION}",
"permission": "${INIT_EMQX_TOPIC_PERMISSION}",
"topic": "${INIT_EMQX_TOPIC}"
}
]
"rules": [${INIT_EMQX_TOPIC_RULES}]
}
]
EOF
)"
echo
curl ${CURL_PARAMS} "${INIT_EMQX_AUTHZ_API_URL}/${INIT_EMQX_USER}" | jq -c '.' # jq -c "try .rules[] | select(.topic == \"${INIT_EMQX_TOPIC}\")"
echo "EMQX authorization rule '$1' updated"

}
create_emqx_rules() {
init_emqx_authorization_rules() {
for INIT_EMQX_TOPIC_ACL in $1; do
if check_emqx_rule ${INIT_EMQX_TOPIC_ACL}; then
update_emqx_rule "${INIT_EMQX_TOPIC_ACL}"
else
create_emqx_rule "${INIT_EMQX_TOPIC_ACL}"
fi
init_emqx_authorization_rule "${INIT_EMQX_TOPIC_ACL}"
done
echo 'EMQX authorization created!'

}

# Main
echo
echo
echo
wait_for_emqx
if check_emqx_user; then
update_emqx_user
else
create_emqx_user
fi
init_emqx_authentication_user
if [ -n "${INIT_EMQX_TOPIC}" ]; then
create_emqx_rules "${INIT_EMQX_USER}:${INIT_EMQX_TOPIC}:${INIT_EMQX_TOPIC_ACTION}:${INIT_EMQX_TOPIC_PERMISSION} ${INIT_EMQX_TOPIC_ACLS}"
init_emqx_authorization_rules "${INIT_EMQX_USER}:${INIT_EMQX_TOPIC}:${INIT_EMQX_TOPIC_ACTION}:${INIT_EMQX_TOPIC_PERMISSION} ${INIT_EMQX_TOPIC_ACLS}"
fi
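Review bot: The request bodies in init_emqx_authentication_user and init_emqx_authorization_rule are built by pasting `${INIT_EMQX_PASS}`, `${INIT_EMQX_USER}` and the topic fields straight into JSON text, and `${INIT_EMQX_TOPIC}` is also pasted into the jq filter, so a value containing a double quote or backslash yields invalid JSON or changes the structure of the request (the `is_superuser` field sits right next to the password). Let jq do the escaping, e.g. `-d "$(jq -n --arg u "${INIT_EMQX_USER}" --arg p "${INIT_EMQX_PASS}" '{user_id: $u, is_superuser: false, password: $p}')"` for the user body and `jq -c --arg t "${INIT_EMQX_TOPIC}" '.rules[] | select(.topic != $t)'` for the filter. Separately, with `-f` now in CURL_PARAMS a failed GET in init_emqx_authorization_rule leaves INIT_EMQX_TOPIC_OTHER_RULES empty and the following PUT appears to replace the user's rules with only the new one; `local VAR="$(…)"` hides the exit status, so declare the variable first and check the lookup before the PUT. The read-back after the PUT queries `${INIT_EMQX_USER}` where `${INIT_EMQX_TOPIC_USER}` looks intended, so entries from INIT_EMQX_TOPIC_ACLS for other users print the wrong account.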
