2020-11-26 17:24:20 +00:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
|
|
|
|
|
# Test ACL for allow/deny. This does not consider ACL priority and the ACLs do not overlap.
|
|
|
|
|
|
|
|
|
|
from mosq_test_helper import *
|
|
|
|
|
import json
|
|
|
|
|
import shutil
|
|
|
|
|
|
|
|
|
|
def write_config(filename, port):
|
|
|
|
|
with open(filename, 'w') as f:
|
|
|
|
|
f.write("listener %d\n" % (port))
|
|
|
|
|
f.write("allow_anonymous false\n")
|
|
|
|
|
f.write("plugin ../../plugins/dynamic-security/mosquitto_dynamic_security.so\n")
|
|
|
|
|
f.write("plugin_opt_config_file %d/dynamic-security.json\n" % (port))
|
|
|
|
|
|
|
|
|
|
def command_check(sock, command_payload, expected_response):
|
|
|
|
|
command_packet = mosq_test.gen_publish(topic="$CONTROL/dynamic-security/v1", qos=0, payload=json.dumps(command_payload))
|
|
|
|
|
sock.send(command_packet)
|
|
|
|
|
response = json.loads(mosq_test.read_publish(sock))
|
|
|
|
|
if response != expected_response:
|
|
|
|
|
print(expected_response)
|
|
|
|
|
print(response)
|
|
|
|
|
raise ValueError(response)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
port = mosq_test.get_port()
|
|
|
|
|
conf_file = os.path.basename(__file__).replace('.py', '.conf')
|
|
|
|
|
write_config(conf_file, port)
|
|
|
|
|
|
|
|
|
|
add_client_command_with_id = { "commands": [{
|
|
|
|
|
"command": "createClient", "username": "user_one",
|
|
|
|
|
"password": "password", "clientid": "cid",
|
|
|
|
|
"correlationData": "2" }]
|
|
|
|
|
}
|
|
|
|
|
add_client_response_with_id = {'responses': [{'command': 'createClient', 'correlationData': '2'}]}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
add_client_group_role_command = {"commands":[
|
|
|
|
|
{ "command": "createGroup", "groupname": "mygroup" },
|
|
|
|
|
{ "command": "createRole", "rolename": "myrole" },
|
|
|
|
|
{ "command": "addGroupRole", "groupname": "mygroup", "rolename": "myrole" },
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "subscribeLiteral", "topic": "simple/topic", "allow": True },
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "subscribePattern", "topic": "single-wildcard/+/topic", "allow": True },
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "subscribePattern", "topic": "multilevel-wildcard/#", "allow": True },
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "unsubscribeLiteral", "topic": "simple/topic", "allow": False },
|
|
|
|
|
{ "command": "addGroupClient", "groupname": "mygroup", "username": "user_one" }
|
|
|
|
|
]}
|
|
|
|
|
|
|
|
|
|
add_client_group_role_response = {'responses': [
|
|
|
|
|
{'command': 'createGroup'},
|
|
|
|
|
{'command': 'createRole'},
|
|
|
|
|
{'command': 'addGroupRole'},
|
|
|
|
|
{'command': 'addRoleACL'}, {'command': 'addRoleACL'},
|
|
|
|
|
{'command': 'addRoleACL'}, {'command': 'addRoleACL'},
|
|
|
|
|
{'command': 'addGroupClient'}
|
|
|
|
|
]}
|
|
|
|
|
|
|
|
|
|
add_publish_acl_command = {"commands":[
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "simple/topic", "allow": True },
|
2020-11-30 17:15:43 +00:00
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "single-wildcard/deny/deny", "priority":10, "allow": False },
|
2020-11-26 17:24:20 +00:00
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "single-wildcard/+/+", "allow": True },
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "multilevel-wildcard/topic/#", "allow": True },
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientReceive", "topic": "single-wildcard/bob/bob", "allow": False },
|
|
|
|
|
{ "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientReceive", "topic": "multilevel-wildcard/topic/topic/denied", "allow": False },
|
|
|
|
|
]}
|
|
|
|
|
|
|
|
|
|
add_publish_acl_response = {'responses': [
|
|
|
|
|
{'command': 'addRoleACL'}, {'command': 'addRoleACL'},
|
|
|
|
|
{'command': 'addRoleACL'}, {'command': 'addRoleACL'},
|
2020-11-30 17:15:43 +00:00
|
|
|
{'command': 'addRoleACL'}, {'command': 'addRoleACL'}
|
2020-11-26 17:24:20 +00:00
|
|
|
]}
|
|
|
|
|
|
|
|
|
|
delete_role_command = {"commands":[
|
|
|
|
|
{ "command": "deleteRole", "rolename": "myrole"}
|
|
|
|
|
]}
|
|
|
|
|
delete_role_response = {'responses': [{'command': 'deleteRole'}]}
|
|
|
|
|
|
|
|
|
|
rc = 1
|
|
|
|
|
keepalive = 10
|
|
|
|
|
connect_packet_admin = mosq_test.gen_connect("ctrl-test", keepalive=keepalive, username="admin", password="admin")
|
|
|
|
|
connack_packet_admin = mosq_test.gen_connack(rc=0)
|
|
|
|
|
|
|
|
|
|
mid = 2
|
|
|
|
|
subscribe_packet_admin = mosq_test.gen_subscribe(mid, "$CONTROL/dynamic-security/#", 1)
|
|
|
|
|
suback_packet_admin = mosq_test.gen_suback(mid, 1)
|
|
|
|
|
|
|
|
|
|
# Success
|
|
|
|
|
connect_packet_with_id1 = mosq_test.gen_connect("cid", keepalive=keepalive, username="user_one", password="password", proto_ver=5)
|
|
|
|
|
connack_packet_with_id1 = mosq_test.gen_connack(rc=0, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 4
|
|
|
|
|
subscribe_simple_packet = mosq_test.gen_subscribe(mid, "simple/topic", 0, proto_ver=5)
|
|
|
|
|
suback_simple_packet_success = mosq_test.gen_suback(mid, 0, proto_ver=5)
|
|
|
|
|
suback_simple_packet_fail = mosq_test.gen_suback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 5
|
|
|
|
|
subscribe_single_packet = mosq_test.gen_subscribe(mid, "single-wildcard/bob/topic", 0, proto_ver=5)
|
|
|
|
|
suback_single_packet_success = mosq_test.gen_suback(mid, 0, proto_ver=5)
|
|
|
|
|
suback_single_packet_fail = mosq_test.gen_suback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 6
|
|
|
|
|
subscribe_multi_packet = mosq_test.gen_subscribe(mid, "multilevel-wildcard/topic/topic/#", 0, proto_ver=5)
|
|
|
|
|
suback_multi_packet_success = mosq_test.gen_suback(mid, 0, proto_ver=5)
|
|
|
|
|
suback_multi_packet_fail = mosq_test.gen_suback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 7
|
|
|
|
|
publish_simple_packet = mosq_test.gen_publish(mid=mid, topic="simple/topic", qos=1, payload="message", proto_ver=5)
|
|
|
|
|
puback_simple_packet_success = mosq_test.gen_puback(mid, proto_ver=5)
|
|
|
|
|
puback_simple_packet_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
publish_simple_packet_r = mosq_test.gen_publish(topic="simple/topic", qos=0, payload="message", proto_ver=5)
|
|
|
|
|
|
2020-11-30 17:15:43 +00:00
|
|
|
# This message is in single-wildcard/+/+ so could be allowed, but the single-wildcard/deny/deny with higher priority should override
|
|
|
|
|
mid = 9
|
|
|
|
|
publish_single_packet_denied = mosq_test.gen_publish(mid=mid, topic="single-wildcard/deny/deny", qos=1, payload="message", proto_ver=5)
|
|
|
|
|
puback_single_packet_denied_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
2020-11-26 17:24:20 +00:00
|
|
|
mid = 8
|
|
|
|
|
publish_single_packet = mosq_test.gen_publish(mid=mid, topic="single-wildcard/bob/topic", qos=1, payload="message", proto_ver=5)
|
|
|
|
|
puback_single_packet_success = mosq_test.gen_puback(mid, proto_ver=5)
|
|
|
|
|
puback_single_packet_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
publish_single_packet_r = mosq_test.gen_publish(topic="single-wildcard/bob/topic", qos=0, payload="message", proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 9
|
|
|
|
|
publish_multi_packet = mosq_test.gen_publish(mid=mid, topic="multilevel-wildcard/topic/topic/allowed", qos=1, payload="message", proto_ver=5)
|
|
|
|
|
puback_multi_packet_success = mosq_test.gen_puback(mid, proto_ver=5)
|
|
|
|
|
puback_multi_packet_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 10
|
|
|
|
|
publish_multi_denied_packet = mosq_test.gen_publish(mid=mid, topic="multilevel-wildcard/topic/topic/denied", qos=1, payload="message", proto_ver=5)
|
|
|
|
|
puback_multi_denied_packet = mosq_test.gen_puback(mid, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
publish_multi_packet_r = mosq_test.gen_publish(topic="multilevel-wildcard/topic/topic/allowed", qos=0, payload="message", proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 11
|
|
|
|
|
unsubscribe_simple_packet = mosq_test.gen_unsubscribe(mid, "simple/topic", proto_ver=5)
|
|
|
|
|
unsuback_simple_packet_fail = mosq_test.gen_unsuback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 12
|
|
|
|
|
unsubscribe_single_packet = mosq_test.gen_unsubscribe(mid, "single-wildcard/bob/topic", proto_ver=5)
|
|
|
|
|
unsuback_single_packet_success = mosq_test.gen_unsuback(mid, 0, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
mid = 13
|
|
|
|
|
unsubscribe_multi_packet = mosq_test.gen_unsubscribe(mid, "multilevel-wildcard/topic/topic/#", proto_ver=5)
|
|
|
|
|
unsuback_multi_packet_success = mosq_test.gen_unsuback(mid, 0, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
disconnect_kick_packet = mosq_test.gen_disconnect(reason_code=mqtt5_rc.MQTT_RC_ADMINISTRATIVE_ACTION, proto_ver=5)
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
os.mkdir(str(port))
|
|
|
|
|
shutil.copyfile("dynamic-security-init.json", "%d/dynamic-security.json" % (port))
|
|
|
|
|
except FileExistsError:
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
broker = mosq_test.start_broker(filename=os.path.basename(__file__), use_conf=True, port=port)
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
sock = mosq_test.do_client_connect(connect_packet_admin, connack_packet_admin, timeout=5, port=port)
|
|
|
|
|
mosq_test.do_send_receive(sock, subscribe_packet_admin, suback_packet_admin, "suback")
|
|
|
|
|
|
|
|
|
|
# Add client
|
|
|
|
|
command_check(sock, add_client_command_with_id, add_client_response_with_id)
|
|
|
|
|
|
|
|
|
|
# Client with username, password, and client id
|
|
|
|
|
csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 1")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "simple/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_fail, "suback simple 1")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "single-wildcard/bob/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_fail, "suback single 1")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "multilevel-wildcard/topic/topic/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_fail, "suback multi 1")
|
|
|
|
|
|
|
|
|
|
# Publish to "simple/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_simple_packet, puback_simple_packet_fail, "puback simple 1")
|
|
|
|
|
|
|
|
|
|
# Publish to "single-wildcard/bob/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_single_packet, puback_single_packet_fail, "puback single 1")
|
|
|
|
|
|
|
|
|
|
# Publish to "multilevel-wildcard/topic/topic/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_multi_packet, puback_multi_packet_fail, "puback multi 1")
|
|
|
|
|
|
|
|
|
|
# Create a group, add a role to the group, add the client to the group
|
|
|
|
|
# Add some subscribe/unsubscribe ACLs - this will kick the client
|
|
|
|
|
command_check(sock, add_client_group_role_command, add_client_group_role_response)
|
|
|
|
|
|
|
|
|
|
mosq_test.expect_packet(csock, "disconnect kick 1", disconnect_kick_packet)
|
|
|
|
|
csock.close()
|
|
|
|
|
|
|
|
|
|
# Reconnect
|
|
|
|
|
csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 2")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "simple/topic" - this is now allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_success, "suback simple 2")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "single-wildcard/bob/topic" - this is now allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_success, "suback single 2")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "multilevel-wildcard/topic/topic/topic" - this is now allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_success, "suback multi 2")
|
|
|
|
|
|
|
|
|
|
# Publish to "simple/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_simple_packet, puback_simple_packet_fail, "puback 2")
|
|
|
|
|
|
|
|
|
|
# Publish to "single-wildcard/bob/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_single_packet, puback_single_packet_fail, "puback single 2")
|
|
|
|
|
|
|
|
|
|
# Publish to "multilevel-wildcard/topic/topic/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_multi_packet, puback_multi_packet_fail, "puback multi 2")
|
|
|
|
|
|
|
|
|
|
# Add some publish ACLs - this will kick the client
|
|
|
|
|
command_check(sock, add_publish_acl_command, add_publish_acl_response)
|
|
|
|
|
|
|
|
|
|
mosq_test.expect_packet(csock, "disconnect kick 2", disconnect_kick_packet)
|
|
|
|
|
csock.close()
|
|
|
|
|
|
|
|
|
|
# Reconnect
|
|
|
|
|
csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 3")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "simple/topic" - this is now allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_success, "suback simple 3")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "single-wildcard/bob/topic" - this is now allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_success, "suback single 3")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "multilevel-wildcard/topic/topic/allowed" - this is now allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_success, "suback multi 3")
|
|
|
|
|
|
|
|
|
|
# Publish to "simple/topic" - this is now allowed
|
|
|
|
|
csock.send(publish_simple_packet)
|
|
|
|
|
mosq_test.receive_unordered(csock, publish_simple_packet_r, puback_simple_packet_success, "puback simple 3 / publish r")
|
|
|
|
|
|
|
|
|
|
# Publish to "single-wildcard/bob/topic" - this is now allowed
|
|
|
|
|
csock.send(publish_single_packet)
|
|
|
|
|
mosq_test.receive_unordered(csock, publish_single_packet_r, puback_single_packet_success, "puback single 3 / publish r")
|
|
|
|
|
|
2020-11-30 17:15:43 +00:00
|
|
|
# Publish to "single-wildcard/deny/deny" - this is stillnot allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_single_packet_denied, puback_single_packet_denied_fail, "puback single denied 1")
|
|
|
|
|
|
2020-11-26 17:24:20 +00:00
|
|
|
# Publish to "multilevel-wildcard/topic/topic/allowed" - this is now allowed
|
|
|
|
|
csock.send(publish_multi_packet)
|
|
|
|
|
mosq_test.receive_unordered(csock, publish_multi_packet_r, puback_multi_packet_success, "puback multi 3 / publish r")
|
|
|
|
|
|
|
|
|
|
# Publish to "multilevel-wildcard/topic/topic/denied" - receiving is denied by publishClientReceive
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_multi_denied_packet, puback_multi_denied_packet, "puback multi denied")
|
|
|
|
|
mosq_test.do_ping(csock)
|
|
|
|
|
|
|
|
|
|
# Simple unsubscribe should be denied
|
|
|
|
|
mosq_test.do_send_receive(csock, unsubscribe_simple_packet, unsuback_simple_packet_fail, "unsuback simple 1")
|
|
|
|
|
|
|
|
|
|
# Single unsubscribe should be allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, unsubscribe_single_packet, unsuback_single_packet_success, "unsuback single 1")
|
|
|
|
|
|
|
|
|
|
# Multi unsubscribe should be allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, unsubscribe_multi_packet, unsuback_multi_packet_success, "unsuback multi 1")
|
|
|
|
|
|
|
|
|
|
# Delete the role, client should be kicked
|
|
|
|
|
command_check(sock, delete_role_command, delete_role_response)
|
|
|
|
|
|
|
|
|
|
mosq_test.expect_packet(csock, "disconnect kick 3", disconnect_kick_packet)
|
|
|
|
|
csock.close()
|
|
|
|
|
|
|
|
|
|
# Reconnect - these should all be denied again.
|
|
|
|
|
csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 4")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "simple/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_fail, "suback simple 4")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "single-wildcard/bob/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_fail, "suback single 4")
|
|
|
|
|
|
|
|
|
|
# Subscribe to "multilevel-wildcard/topic/topic/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_fail, "suback multi 4")
|
|
|
|
|
|
|
|
|
|
# Publish to "simple/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_simple_packet, puback_simple_packet_fail, "puback simple 4")
|
|
|
|
|
|
|
|
|
|
# Publish to "single-wildcard/bob/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_single_packet, puback_single_packet_fail, "puback single 4")
|
|
|
|
|
|
|
|
|
|
# Publish to "multilevel-wildcard/topic/topic/topic" - not allowed
|
|
|
|
|
mosq_test.do_send_receive(csock, publish_multi_packet, puback_multi_packet_fail, "puback multi 4")
|
|
|
|
|
|
|
|
|
|
csock.close()
|
|
|
|
|
|
|
|
|
|
rc = 0
|
|
|
|
|
|
|
|
|
|
sock.close()
|
|
|
|
|
except mosq_test.TestError:
|
|
|
|
|
pass
|
|
|
|
|
finally:
|
|
|
|
|
os.remove(conf_file)
|
|
|
|
|
try:
|
|
|
|
|
os.remove(f"{port}/dynamic-security.json")
|
|
|
|
|
except FileNotFoundError:
|
|
|
|
|
pass
|
|
|
|
|
os.rmdir(f"{port}")
|
|
|
|
|
broker.terminate()
|
|
|
|
|
broker.wait()
|
|
|
|
|
(stdo, stde) = broker.communicate()
|
|
|
|
|
if rc:
|
|
|
|
|
print(stde.decode('utf-8'))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
exit(rc)
|
|
|
|
|
|
|
|
|
|
publishClientSend
|
|
|
|
|
publishClientReceive
|
|
|
|
|
subscribeLiteral
|
|
|
|
|
subscribePattern
|
