fix: allow for exp field to optional to keep backwards compat with 4.X

2022-07-05 15:31:53 +02:00 · 2022-07-05 15:31:53 +02:00 · dbe806d950
parent e86ad6bdeb
commit dbe806d950
5 changed files with 16 additions and 25 deletions
--- a/CHANGES-5.0.md
+++ b/CHANGES-5.0.md
@ -5,6 +5,7 @@
 * Websocket listener failed to read headers `X-Forwared-For` and `X-Forwarded-Port` [8415](https://github.com/emqx/emqx/pull/8415)
 * Deleted `cluster_singleton` from MQTT bridge config document. This config is no longer applicable in 5.0 [8407](https://github.com/emqx/emqx/pull/8407)
 * Fix `emqx/emqx:latest` docker image publish to use the Erlang flavor, but not Elixir flavor [8414](https://github.com/emqx/emqx/pull/8414)
 * Changed the `exp` field in JWT auth to be optional rather than required to fix backwards compatability with 4.X releases. [8425](https://github.com/emqx/emqx/pull/8425)
 # 5.0.2
@ -14,14 +15,14 @@ Going forward, it will be an enterprise only feature.
 Main reason: relup requires carefully crafted upgrade instructions from ALL previous versions.
 For example, 4.3 is now at 4.3.16, we have `4.3.0->4.3.16`, `4.3.1->4.3.16`, ... 16 such upgrade paths in total to maintain.
-This had been the biggest obstacle for EMQX team to act agile enought in deliverying enhancements and fixes.
+This had been the biggest obstacle for EMQX team to act agile enough in deliverying enhancements and fixes.
 ## Enhancements
 ## Bug fixes
 * Fixed a typo in `bin/emqx` which affects MacOs release when trying to enable Erlang distribution over TLS [8398](https://github.com/emqx/emqx/pull/8398)
-* Ristricted shell was accidentally disabled in 5.0.1, it has been added back. [8396]{https://github.com/emqx/emqx/pull/8396)
+* Restricted shell was accidentally disabled in 5.0.1, it has been added back. [8396](https://github.com/emqx/emqx/pull/8396)
 # 5.0.1
--- a/apps/emqx_authn/src/emqx_authn.app.src
+++ b/apps/emqx_authn/src/emqx_authn.app.src
@ -1,7 +1,7 @@
 %% -*- mode: erlang -*-
 {application, emqx_authn, [
    {description, "EMQX Authentication"},
-    {vsn, "0.1.1"},
+    {vsn, "0.1.2"},
    {modules, []},
    {registered, [emqx_authn_sup, emqx_authn_registry]},
    {applications, [kernel, stdlib, emqx_resource, ehttpc, epgsql, mysql, jose]},
--- a/apps/emqx_authn/src/emqx_authn.appup.src
+++ b/apps/emqx_authn/src/emqx_authn.appup.src
@ -1,13 +1,5 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
-  [{"0.1.0",
+  [{<<".*">>,[]}],
-    [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
+  [{<<".*">>,[]}]}.
     {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
     {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
   {<<".*">>,[]}],
  [{"0.1.0",
    [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
     {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
     {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
   {<<".*">>,[]}]}.
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@ -432,13 +432,13 @@ verify_claims(Claims, VerifyClaims0) ->
    Now = os:system_time(seconds),
    VerifyClaims =
        [
-            {<<"exp">>, required, fun(ExpireTime) ->
+            {<<"exp">>, fun(ExpireTime) ->
                is_integer(ExpireTime) andalso Now < ExpireTime
            end},
-            {<<"iat">>, optional, fun(IssueAt) ->
+            {<<"iat">>, fun(IssueAt) ->
                is_integer(IssueAt) andalso IssueAt =< Now
            end},
-            {<<"nbf">>, optional, fun(NotBefore) ->
+            {<<"nbf">>, fun(NotBefore) ->
                is_integer(NotBefore) andalso NotBefore =< Now
            end}
        ] ++ VerifyClaims0,
@ -468,13 +468,11 @@ try_convert_to_int(Claims, []) ->
 do_verify_claims(_Claims, []) ->
    ok;
-do_verify_claims(Claims, [{Name, Required, Fun} | More]) when is_function(Fun) ->
+do_verify_claims(Claims, [{Name, Fun} | More]) when is_function(Fun) ->
-    case {Required, maps:take(Name, Claims)} of
+    case maps:take(Name, Claims) of
-        {optional, error} ->
+        error ->
            do_verify_claims(Claims, More);
-        {required, error} ->
+        {Value, NClaims} ->
            {error, {missing_claim, Name}};
        {_, {Value, NClaims}} ->
            case Fun(Value) of
                true ->
                    do_verify_claims(NClaims, More);
--- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
@ -399,15 +399,15 @@ t_verify_claims(_) ->
    },
    ?assertMatch({ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential3, State1)),
-    %% No exp
+    %% No exp treated as unexpired
    Payload4 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"myuser">>},
    JWS4 = generate_jws('hmac-based', Payload4, Secret),
    Credential4 = #{
        username => <<"myuser">>,
        password => JWS4
    },
-    ?assertEqual(
+    ?assertMatch(
-        {error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential4, State1)
+        {ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential4, State1)
    ).
 t_jwt_not_allow_empty_claim_name(_) ->