From 1857fe643adf683c4c8df6c83aa93b4f994f397e Mon Sep 17 00:00:00 2001
From: JianBo He
Date: Mon, 26 Sep 2022 11:06:59 +0800
Subject: [PATCH] fix(acl): support all rules in JWT ACL
---
 apps/emqx_auth_jwt/src/emqx_auth_jwt.erl | 16 +++++++++++-----
 apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl | 16 +++++++++++++++-
 2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
index 0b3f17b04..18b9ef675 100644
--- a/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
+++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
@@ -109,11 +109,17 @@ string_to_number(_) ->
 %% Verify Claims
 %%--------------------------------------------------------------------
-verify_acl(ClientInfo, #{<<"sub">> := SubTopics}, subscribe, Topic) when is_list(SubTopics) ->
- verify_acl(ClientInfo, SubTopics, Topic);
-verify_acl(ClientInfo, #{<<"pub">> := PubTopics}, publish, Topic) when is_list(PubTopics) ->
- verify_acl(ClientInfo, PubTopics, Topic);
-verify_acl(_ClientInfo, _Acl, _PubSub, _Topic) -> {stop, deny}.
+verify_acl(ClientInfo, Acl, PubSub, Topic) ->
+ Key = case PubSub of
+ subscribe -> <<"sub">>;
+ publish -> <<"pub">>
+ end,
+ case {maps:get(<<"all">>, Acl, []), maps:get(Key, Acl, [])} of
+ {Rules1, Rules2} when is_list(Rules1), is_list(Rules2) ->
+ verify_acl(ClientInfo, Rules1 ++ Rules2, Topic);
+ {_, _} ->
+ {stop, deny}
+ end.
 verify_acl(_ClientInfo, [], _Topic) -> {stop, deny};
 verify_acl(ClientInfo, [AclTopic | AclTopics], Topic) ->
diff --git a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
index 62f753904..7452091bd 100644
--- a/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
+++ b/apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
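Review bot: The rewritten verify_acl/4 head drops the removed catch-all clause, so an `acl` claim that is not a JSON object now raises badmap from maps:get/3, and a PubSub other than subscribe/publish raises case_clause from the inner `case`, where the old code returned `{stop, deny}`; whether the caller turns that exception back into a deny is outside this hunk, so I would not rely on it. Keeping the shape check fail-closed without an exception takes a guard on the new head, `verify_acl(ClientInfo, Acl, PubSub, Topic) when is_map(Acl), (PubSub =:= subscribe orelse PubSub =:= publish) ->`, plus the old fall-through clause after the `end.`, `verify_acl(_ClientInfo, _Acl, _PubSub, _Topic) -> {stop, deny}.`. The merged rule list is worth a line of documentation on the head, e.g. `%% Rules under <<"all">> apply to both publish and subscribe; they are checked before the direction-specific list.`, since the `is_list` guard also means a malformed `all` value denies even when `pub`/`sub` are valid, which is the intended fail-closed behaviour but not obvious from the code.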
@@ -297,7 +297,8 @@ t_check_jwt_acl(_Config) ->
 {username, <<"plain">>},
 {sub, value},
 {acl, [{sub, [<<"a/b">>]},
- {pub, [<<"c/d">>]}]},
+ {pub, [<<"c/d">>]},
+ {all, [<<"all">>]}]},
 {exp, erlang:system_time(seconds) + 10}],
 <<"HS256">>, <<"emqxsecret">>),
@@ -329,6 +330,19 @@ t_check_jwt_acl(_Config) ->
 after 100 -> ok
 end,
+ %% can pub/sub to all rules
+ ?assertMatch(
+ {ok, #{}, [0]},
+ emqtt:subscribe(C, <<"all">>, 0)),
+
+ ?assertMatch(
+ ok,
+ emqtt:publish(C, <<"all">>, <<"hi">>, 0)),
+ receive
+ {publish, #{topic := <<"all">>}} -> ok
+ after 2000 ->
+ ?assert(false, "Publish to `all` should be allowed")
+ end,
 ok = emqtt:disconnect(C).
 t_check_jwt_acl_no_recs(init, _Config) ->