fix: allow for exp field to optional to keep backwards compat with 4.X

2022-07-05 15:31:53 +02:00 · 2022-07-05 15:31:53 +02:00 · f74e6dde57
parent e86ad6bdeb
commit f74e6dde57
5 changed files with 35 additions and 18 deletions
--- a/CHANGES-5.0.md
+++ b/CHANGES-5.0.md
@ -5,6 +5,7 @@
 * Websocket listener failed to read headers `X-Forwared-For` and `X-Forwarded-Port` [8415](https://github.com/emqx/emqx/pull/8415)
 * Deleted `cluster_singleton` from MQTT bridge config document. This config is no longer applicable in 5.0 [8407](https://github.com/emqx/emqx/pull/8407)
 * Fix `emqx/emqx:latest` docker image publish to use the Erlang flavor, but not Elixir flavor [8414](https://github.com/emqx/emqx/pull/8414)
+* Changed the `exp` field in JWT auth to be optional rather than required to fix backwards compatability with 4.X releases. [8425](https://github.com/emqx/emqx/pull/8425)

 # 5.0.2

@ -14,14 +15,14 @@ Going forward, it will be an enterprise only feature.
 Main reason: relup requires carefully crafted upgrade instructions from ALL previous versions.

 For example, 4.3 is now at 4.3.16, we have `4.3.0->4.3.16`, `4.3.1->4.3.16`, ... 16 such upgrade paths in total to maintain.
-This had been the biggest obstacle for EMQX team to act agile enought in deliverying enhancements and fixes.
+This had been the biggest obstacle for EMQX team to act agile enough in deliverying enhancements and fixes.

 ## Enhancements

 ## Bug fixes

 * Fixed a typo in `bin/emqx` which affects MacOs release when trying to enable Erlang distribution over TLS [8398](https://github.com/emqx/emqx/pull/8398)
-* Ristricted shell was accidentally disabled in 5.0.1, it has been added back. [8396]{https://github.com/emqx/emqx/pull/8396)
+* Restricted shell was accidentally disabled in 5.0.1, it has been added back. [8396](https://github.com/emqx/emqx/pull/8396)

 # 5.0.1

--- a/apps/emqx_authn/src/emqx_authn.app.src
+++ b/apps/emqx_authn/src/emqx_authn.app.src
@ -1,7 +1,7 @@
 %% -*- mode: erlang -*-
 {application, emqx_authn, [
    {description, "EMQX Authentication"},
-    {vsn, "0.1.1"},
+    {vsn, "0.1.2"},
    {modules, []},
    {registered, [emqx_authn_sup, emqx_authn_registry]},
    {applications, [kernel, stdlib, emqx_resource, ehttpc, epgsql, mysql, jose]},
--- a/apps/emqx_authn/src/emqx_authn.appup.src
+++ b/apps/emqx_authn/src/emqx_authn.appup.src
@ -1,13 +1,5 @@
 %% -*- mode: erlang -*-
 %% Unless you know what you are doing, DO NOT edit manually!!
 {VSN,
-  [{"0.1.0",
-    [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
-   {<<".*">>,[]}],
-  [{"0.1.0",
-    [{load_module,emqx_authn_http,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_utils,brutal_purge,soft_purge,[]},
-     {load_module,emqx_authn_redis,brutal_purge,soft_purge,[]}]},
-   {<<".*">>,[]}]}.
+  [{<<".*">>,[]}],
+  [{<<".*">>,[]}]}.
--- a/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
+++ b/apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl
@ -380,7 +380,9 @@ replace_placeholder([{Name, {placeholder, PL}} | More], Variables, Acc) ->
    Value = maps:get(PL, Variables),
    replace_placeholder(More, Variables, [{Name, Value} | Acc]);
 replace_placeholder([{Name, Value} | More], Variables, Acc) ->
-    replace_placeholder(More, Variables, [{Name, Value} | Acc]).
+    replace_placeholder(More, Variables, [{Name, Value} | Acc]);
+replace_placeholder([{_Name, _Required, _Fun} = Claim | More], Variables, Acc) ->
+    replace_placeholder(More, Variables, [Claim | Acc]).

 verify(undefined, _, _, _) ->
    ignore;
@ -432,7 +434,7 @@ verify_claims(Claims, VerifyClaims0) ->
    Now = os:system_time(seconds),
    VerifyClaims =
        [
-            {<<"exp">>, required, fun(ExpireTime) ->
+            {<<"exp">>, optional, fun(ExpireTime) ->
                is_integer(ExpireTime) andalso Now < ExpireTime
            end},
            {<<"iat">>, optional, fun(IssueAt) ->
@ -528,7 +530,9 @@ handle_verify_claims([], Acc) ->
    Acc;
 handle_verify_claims([{Name, Expected0} | More], Acc) ->
    Expected = handle_placeholder(Expected0),
-    handle_verify_claims(More, [{Name, Expected} | Acc]).
+    handle_verify_claims(More, [{Name, Expected} | Acc]);
+handle_verify_claims([{_Name, _Required, _Fun} = Claim | More], Acc) ->
+    handle_verify_claims(More, [Claim | Acc]).

 handle_placeholder(Placeholder0) ->
    case re:run(Placeholder0, "^\\$\\{[a-z0-9\\-]+\\}$", [{capture, all}]) of
--- a/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
+++ b/apps/emqx_authn/test/emqx_authn_jwt_SUITE.erl
@ -399,7 +399,27 @@ t_verify_claims(_) ->
    },
    ?assertMatch({ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential3, State1)),

-    %% No exp
+    %% No exp treated as unexpired
+    Payload4 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"myuser">>},
+    JWS4 = generate_jws('hmac-based', Payload4, Secret),
+    Credential4 = #{
+        username => <<"myuser">>,
+        password => JWS4
+    },
+    ?assertMatch(
+        {ok, #{is_superuser := false}}, emqx_authn_jwt:authenticate(Credential4, State1)
+    ),
+
+    %% No exp when required
+    Now = os:system_time(seconds),
+    Config2 = Config1#{
+        verify_claims => [
+            {<<"exp">>, required, fun(ExpireTime) ->
+                is_integer(ExpireTime) andalso Now < ExpireTime
+            end}
+        ]
+    },
+    {ok, State2} = emqx_authn_jwt:update(Config2, State1),
    Payload4 = #{<<"username">> => <<"myuser">>, <<"foo">> => <<"myuser">>},
    JWS4 = generate_jws('hmac-based', Payload4, Secret),
    Credential4 = #{
@ -407,7 +427,7 @@ t_verify_claims(_) ->
        password => JWS4
    },
    ?assertEqual(
-        {error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential4, State1)
+        {error, bad_username_or_password}, emqx_authn_jwt:authenticate(Credential4, State2)
    ).

 t_jwt_not_allow_empty_claim_name(_) ->