
Merge pull request #9368 from lafirest/fix/allow_absent_exp

fix(JWT): make the `exp` claim optional
lafirest před 3 roky
rodič
revize
ff00a6716a

+ 2 - 2
apps/emqx_authn/src/simple_authn/emqx_authn_jwt.erl

@@ -365,11 +365,11 @@ verify(JWT, JWKs, VerifyClaims, AclClaimName) ->
 acl(Claims, AclClaimName) ->
     Acl =
         case Claims of
-            #{<<"exp">> := Expire, AclClaimName := Rules} ->
+            #{AclClaimName := Rules} ->
                 #{
                     acl => #{
                         rules => Rules,
-                        expire => Expire
+                        expire => maps:get(<<"exp">>, Claims, undefined)
                     }
                 };
             _ ->
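Review bot: The new `maps:get(<<"exp">>, Claims, undefined)` makes the expiry semantics silent: a token without `exp` now yields `expire => undefined`, which the accompanying suite treats as ACL rules that never expire, and nothing in the hunk records that this is deliberate. I would add above `acl/2` a comment such as `%% 'exp' is optional here: a token without it produces expire => undefined, i.e. ACL rules that stay valid for the lifetime of the connection; deployments that need mandatory expiry must presumably require exp via the verify_claims setting.` The value is also stored untyped, so an `exp` that arrives as a binary rather than a number (Erlang term order places binaries above every number) would presumably compare as "not yet expired" wherever `expire` is checked downstream; either guard it with `is_integer/1` here or confirm that `verify/4` already rejects a non-numeric `exp` before `acl/2` runs. The `acl/2` clause continues past the end of the hunk.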

+ 44 - 0
apps/emqx_authz/test/emqx_authz_jwt_SUITE.erl

@@ -305,6 +305,50 @@ t_check_expire(_Config) ->
 
     ok = emqtt:disconnect(C).
 
+t_check_no_expire(_Config) ->
+    Payload = #{
+        <<"username">> => <<"username">>,
+        <<"acl">> => #{<<"sub">> => [<<"a/b">>]}
+    },
+
+    JWT = generate_jws(Payload),
+
+    {ok, C} = emqtt:start_link(
+        [
+            {clean_start, true},
+            {proto_ver, v5},
+            {clientid, <<"clientid">>},
+            {username, <<"username">>},
+            {password, JWT}
+        ]
+    ),
+    {ok, _} = emqtt:connect(C),
+    ?assertMatch(
+        {ok, #{}, [0]},
+        emqtt:subscribe(C, <<"a/b">>, 0)
+    ),
+
+    ?assertMatch(
+        {ok, #{}, [0]},
+        emqtt:unsubscribe(C, <<"a/b">>)
+    ),
+
+    ok = emqtt:disconnect(C).
+
+t_check_undefined_expire(_Config) ->
+    Acl = #{expire => undefined, rules => #{<<"sub">> => [<<"a/b">>]}},
+    Client = #{acl => Acl},
+
+    ?assertMatch(
+        {matched, allow},
+        emqx_authz_client_info:authorize(Client, subscribe, <<"a/b">>, undefined)
+    ),
+
+    ?assertMatch(
+        {matched, deny},
+        emqx_authz_client_info:authorize(Client, subscribe, <<"a/bar">>, undefined)
+    ).
+
 %%------------------------------------------------------------------------------
 %% Helpers
 %%------------------------------------------------------------------------------
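Review bot: `t_check_no_expire` only proves that a token without `exp` can subscribe to a permitted topic; it never checks that the same token is refused a topic outside its rules, so a regression that dropped the ACL entirely for `exp`-less tokens would still pass this end-to-end case (the unit-level `t_check_undefined_expire` covers the deny path only by calling `emqx_authz_client_info:authorize/4` directly). Adding a negative subscribe before the disconnect, e.g. `?assertMatch({ok, #{}, [135]}, emqtt:subscribe(C, <<"a/bar">>, 0))`, would close that gap; 135 is the MQTT v5 "not authorized" reason code, so prefer the suite's reason-code macro if one is already included. I would also put a one-line comment on `t_check_undefined_expire` noting that `expire => undefined` is the shape the authenticator produces when `exp` is absent, since that coupling is otherwise invisible from the test alone.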

+ 2 - 0
changes/v5.0.11-en.md

@@ -10,3 +10,5 @@
 ## Bug fixes
 
 - Return 404 for status of unknown authenticator in `/authenticator/{id}/status` [#9328](https://github.com/emqx/emqx/pull/9328).
+
+- Fix that JWT ACL rules are only applied if an `exp` claim is set [#9368](https://github.com/emqx/emqx/pull/9368).

+ 2 - 0
changes/v5.0.11-zh.md

@@ -10,3 +10,5 @@
 ## 修复
 
 - 通过 `/authenticator/{id}/status` 请求未知认证器的状态时,将会返回 404。
+
+- 修复 JWT ACL 规则只在设置了超期时间时才生效的问题 [#9368](https://github.com/emqx/emqx/pull/9368)。