From ba13edc6a43e455480c6c30fbfdc19f393ee49a9 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Wed, 17 Aug 2022 12:10:24 +0100 Subject: [PATCH] dynsec: Forbid deleting the anon group. --- plugins/dynamic-security/groups.c | 5 +++++ test/broker/14-dynsec-anon-group.py | 12 +++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/plugins/dynamic-security/groups.c b/plugins/dynamic-security/groups.c index 7ac96516..2f718289 100644 --- a/plugins/dynamic-security/groups.c +++ b/plugins/dynamic-security/groups.c @@ -459,6 +459,11 @@ int dynsec_groups__process_delete(struct dynsec__data *data, struct plugin_cmd * group = dynsec_groups__find(data, groupname); if(group){ + if(group == data->anonymous_group){ + plugin__command_reply(cmd, "Deleting the anonymous group is forbidden"); + return MOSQ_ERR_INVAL; + } + /* Enforce any changes */ group__kick_all(data, group); diff --git a/test/broker/14-dynsec-anon-group.py b/test/broker/14-dynsec-anon-group.py index 5deab69e..dcb7f470 100755 --- a/test/broker/14-dynsec-anon-group.py +++ b/test/broker/14-dynsec-anon-group.py @@ -58,7 +58,7 @@ get_anon_group_response = {'responses': [{'command': 'getAnonymousGroup', create_role_apply_command = { "commands": [ { "command": "createRole", "rolename": "anon", "correlationData": "4" }, { "command": "addRoleACL", "rolename": "anon", - "acltype": "subscribeLiteral", "topic": "anon/topic", "allow": True, + "acltype": "subscribeLiteral", "topic": "anon/topic", "allow": True, "correlationData": "5" }, { "command": "addGroupRole", "groupname": "anon-clients", "rolename": "anon", "correlationData": "6"} 
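Review bot: The new `if(group == data->anonymous_group)` guard in `dynsec_groups__process_delete` has no comment saying why the deletion must be refused, and the reason cannot be read off the hunk. Presumably the delete path that follows would free the group while `data->anonymous_group` still points at it, leaving a stale pointer for later anonymous-client handling; if that is the reason, state it above the check, e.g. `/* data->anonymous_group still references this group; deleting it would leave that pointer dangling. */`. The refusal is also reported only to the requesting client through `plugin__command_reply`. If successful deletions are logged further down in this function, log the rejected attempt with the same admin identity so that it appears in the broker's audit trail. The function body starts and ends outside the hunk.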
@@ -70,6 +70,13 @@ create_role_apply_response = {'responses': [ {'command': 'addGroupRole', 'correlationData': '6'} ]} +delete_anon_group_command = { "commands": [ + { "command": "deleteGroup", "groupname": "anon-clients", "correlationData": "40" } + ] +} +delete_anon_group_response = {'responses': [ + {'command': 'deleteGroup', "error":'Deleting the anonymous group is forbidden', 'correlationData': '40'} + ]} rc = 1 @@ -135,6 +142,9 @@ try: csock = mosq_test.do_client_connect(connect_packet, connack_packet, timeout=5, port=port) mosq_test.do_send_receive(csock, subscribe_packet, suback_packet_success, "suback 3") + # Try to delete anon group, this should fail + command_check(sock, delete_anon_group_command, delete_anon_group_response) + rc = 0 sock.close()
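Review bot: The added `command_check(sock, delete_anon_group_command, delete_anon_group_response)` step only asserts the error reply; it does not confirm that the broker state is unchanged after the refused delete. A reply can say "forbidden" while the group has already been partly torn down, so the test should follow the refusal with a state check. Repeating the existing getAnonymousGroup check against `get_anon_group_response` before `rc = 0` would do this, and re-running the anonymous subscribe would cover the client path as well. The `try:` block begins and continues outside the hunk, so whether a later step already covers this is not visible here.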