Merge pull request #9044 from HJianBo/fix-jwt-acl-rules

fix(acl): support all rules in JWT ACL
Zaiming (Stone) Shi 2022-10-25 20:33:22 +02:00 committed by GitHub
commit 51c73eed55
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 35 additions and 26 deletions


@ -2,31 +2,13 @@
%% Unless you know what you are doing, DO NOT edit manually!! %% Unless you know what you are doing, DO NOT edit manually!!
{VSN, {VSN,
[{"4.3.7",[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]}, [{"4.3.7",[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]},
{"4.3.6", {<<"4\\.3\\.[3-6]">>,
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{"4.3.5",
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{"4.3.4",
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{"4.3.3",
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}, [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]}, {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{<<"4\\.3\\.[0-2]">>,[{restart_application,emqx_auth_jwt}]}, {<<"4\\.3\\.[0-2]">>,[{restart_application,emqx_auth_jwt}]},
{<<".*">>,[]}], {<<".*">>,[]}],
[{"4.3.7",[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]}, [{"4.3.7",[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}]},
{"4.3.6", {<<"4\\.3\\.[3-6]">>,
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{"4.3.5",
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{"4.3.4",
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{"4.3.3",
[{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]}, [{load_module,emqx_auth_jwt,brutal_purge,soft_purge,[]},
{load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]}, {load_module,emqx_auth_jwt_svr,brutal_purge,soft_purge,[]}]},
{<<"4\\.3\\.[0-2]">>,[{restart_application,emqx_auth_jwt}]}, {<<"4\\.3\\.[0-2]">>,[{restart_application,emqx_auth_jwt}]},


@ -109,11 +109,20 @@ string_to_number(_) ->
%% Verify Claims %% Verify Claims
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
verify_acl(ClientInfo, #{<<"sub">> := SubTopics}, subscribe, Topic) when is_list(SubTopics) -> verify_acl(ClientInfo, Acl, PubSub, Topic) ->
verify_acl(ClientInfo, SubTopics, Topic); Key = case PubSub of
verify_acl(ClientInfo, #{<<"pub">> := PubTopics}, publish, Topic) when is_list(PubTopics) -> subscribe -> <<"sub">>;
verify_acl(ClientInfo, PubTopics, Topic); publish -> <<"pub">>
verify_acl(_ClientInfo, _Acl, _PubSub, _Topic) -> {stop, deny}. end,
Rules0 = lists:map(
fun(K) ->
case maps:get(K, Acl, undefined) of
R when is_list(R) -> R;
_ -> []
end
end, [<<"all">>, Key]),
Rules = lists:append(Rules0),
verify_acl(ClientInfo, Rules, Topic).
verify_acl(_ClientInfo, [], _Topic) -> {stop, deny}; verify_acl(_ClientInfo, [], _Topic) -> {stop, deny};
verify_acl(ClientInfo, [AclTopic | AclTopics], Topic) -> verify_acl(ClientInfo, [AclTopic | AclTopics], Topic) ->
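Review bot: The rewritten `verify_acl/4` drops the old catch-all clause, so an `acl` claim that is not a map now raises `badmap` from `maps:get/3` instead of returning `{stop, deny}`, and a `PubSub` value other than `publish`/`subscribe` raises `case_clause` where it used to be denied. Whether the caller turns that exception into a deny is not visible in this hunk, so the fail-closed behaviour should stay explicit in the function itself: guard the new head with `verify_acl(ClientInfo, Acl, PubSub, Topic) when is_map(Acl) ->` and keep `verify_acl(_ClientInfo, _Acl, _PubSub, _Topic) -> {stop, deny}.` as the final clause. A `<<"all">>`/`<<"pub">>`/`<<"sub">>` value that is not a list is already treated as an empty rule list, which is the right fail-closed choice and worth a one-line comment. The `lists:map` followed by `lists:append` pair could be a single `lists:flatmap/2`. `verify_acl/3` continues past the end of the hunk.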


@ -297,7 +297,8 @@ t_check_jwt_acl(_Config) ->
{username, <<"plain">>}, {username, <<"plain">>},
{sub, value}, {sub, value},
{acl, [{sub, [<<"a/b">>]}, {acl, [{sub, [<<"a/b">>]},
{pub, [<<"c/d">>]}]}, {pub, [<<"c/d">>]},
{all, [<<"all">>]}]},
{exp, erlang:system_time(seconds) + 10}], {exp, erlang:system_time(seconds) + 10}],
<<"HS256">>, <<"HS256">>,
<<"emqxsecret">>), <<"emqxsecret">>),
@ -329,6 +330,19 @@ t_check_jwt_acl(_Config) ->
after 100 -> ok after 100 -> ok
end, end,
%% can pub/sub to all rules
?assertMatch(
{ok, #{}, [0]},
emqtt:subscribe(C, <<"all">>, 0)),
?assertMatch(
ok,
emqtt:publish(C, <<"all">>, <<"hi">>, 0)),
receive
{publish, #{topic := <<"all">>}} -> ok
after 2000 ->
?assert(false, "Publish to `all` should be allowed")
end,
ok = emqtt:disconnect(C). ok = emqtt:disconnect(C).
t_check_jwt_acl_no_recs(init, _Config) -> t_check_jwt_acl_no_recs(init, _Config) ->
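Review bot: The assertions added at the end of `t_check_jwt_acl` only exercise the allow path of the new `all` claim; nothing in this hunk checks that a token carrying `all` is still denied for a topic that appears in none of `sub`, `pub` or `all`, which is the property that matters for an allow-list ACL. If the part of the test case above this hunk does not already do so, add a probe that subscribes to and publishes on an unlisted topic and asserts the same failure outcome the existing deny checks in this test expect. Naming the topic `<<"all">>`, identical to the claim key, also makes the assertions harder to read; a topic such as `<<"e/f">>`, in keeping with `a/b` and `c/d`, would make `{all, [<<"e/f">>]}` and `emqtt:subscribe(C, <<"e/f">>, 0)` unambiguous. `t_check_jwt_acl` starts before this hunk.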


@ -3,6 +3,8 @@
- Add a warning log if the ACL check failed for subscription [#9124](https://github.com/emqx/emqx/pull/9124). - Add a warning log if the ACL check failed for subscription [#9124](https://github.com/emqx/emqx/pull/9124).
This is to make the ACL deny logging for subscription behave the same as for publish. This is to make the ACL deny logging for subscription behave the same as for publish.
- JWT ACL claim supports `all` action to imply the rules applie to both `pub` and `sub` [#9044](https://github.com/emqx/emqx/pull/9044).
### Bug fixes ### Bug fixes
- Improve the display of rule's 'Maximum Speed' counter to only reserve 2 decimal places. [#9185](https://github.com/emqx/emqx/pull/9185) - Improve the display of rule's 'Maximum Speed' counter to only reserve 2 decimal places. [#9185](https://github.com/emqx/emqx/pull/9185)


@ -3,6 +3,8 @@
- 订阅时,如果 ACL 检查不通过,打印一个警告日志 [#9124](https://github.com/emqx/emqx/pull/9124)。 - 订阅时,如果 ACL 检查不通过,打印一个警告日志 [#9124](https://github.com/emqx/emqx/pull/9124)。
该行为的改变主要是为了跟发布失败时的行为保持一致。 该行为的改变主要是为了跟发布失败时的行为保持一致。
- 基于 JWT 的 ACL 支持 `all` 动作,指定同时适用于 `pub``sub` 两个动作的规则列表 [#9044](https://github.com/emqx/emqx/pull/9044)。
### 修复 ### 修复
- 改进规则的 "最大执行速度" 的计数,只保留小数点之后 2 位 [#9185](https://github.com/emqx/emqx/pull/9185) - 改进规则的 "最大执行速度" 的计数,只保留小数点之后 2 位 [#9185](https://github.com/emqx/emqx/pull/9185)