yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(acl): support all rules in JWT ACL

This commit is contained in:
JianBo He 2022-09-26 11:06:59 +08:00
parent eff4c109e0
commit 1857fe643a
2 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
apps/emqx_auth_jwt/src/emqx_auth_jwt.erl
View File

@ -109,11 +109,17 @@ string_to_number(_) ->
%% Verify Claims
%%--------------------------------------------------------------------
verify_acl(ClientInfo, #{<<"sub">> := SubTopics}, subscribe, Topic) when is_list(SubTopics) ->
verify_acl(ClientInfo, SubTopics, Topic);
verify_acl(ClientInfo, #{<<"pub">> := PubTopics}, publish, Topic) when is_list(PubTopics) ->
verify_acl(ClientInfo, PubTopics, Topic);
verify_acl(_ClientInfo, _Acl, _PubSub, _Topic) -> {stop, deny}.
verify_acl(ClientInfo, Acl, PubSub, Topic) ->
Key = case PubSub of
subscribe -> <<"sub">>;
publish -> <<"pub">>
end,
case {maps:get(<<"all">>, Acl, []), maps:get(Key, Acl, [])} of
{Rules1, Rules2} when is_list(Rules1), is_list(Rules2) ->
verify_acl(ClientInfo, Rules1 ++ Rules2, Topic);
{_, _} ->
{stop, deny}
end.
verify_acl(_ClientInfo, [], _Topic) -> {stop, deny};
verify_acl(ClientInfo, [AclTopic | AclTopics], Topic) ->

16
apps/emqx_auth_jwt/test/emqx_auth_jwt_SUITE.erl
View File

@ -297,7 +297,8 @@ t_check_jwt_acl(_Config) ->
{username, <<"plain">>},
{sub, value},
{acl, [{sub, [<<"a/b">>]},
{pub, [<<"c/d">>]}]},
{pub, [<<"c/d">>]},
{all, [<<"all">>]}]},
{exp, erlang:system_time(seconds) + 10}],
<<"HS256">>,
<<"emqxsecret">>),
@ -329,6 +330,19 @@ t_check_jwt_acl(_Config) ->
after 100 -> ok
end,
%% can pub/sub to all rules
?assertMatch(
{ok, #{}, [0]},
emqtt:subscribe(C, <<"all">>, 0)),
?assertMatch(
ok,
emqtt:publish(C, <<"all">>, <<"hi">>, 0)),
receive
{publish, #{topic := <<"all">>}} -> ok
after 2000 ->
?assert(false, "Publish to `all` should be allowed")
end,
ok = emqtt:disconnect(C).
t_check_jwt_acl_no_recs(init, _Config) ->