csu3_am335x/EVSE/GPL/mosquitto-2.0.13/test/broker/14-dynsec-acl.py

#!/usr/bin/env python3

# Test ACL for allow/deny. This does not consider ACL priority and the ACLs do not overlap.

from mosq_test_helper import *
import json
import shutil

def write_config(filename, port):
    with open(filename, 'w') as f:
        f.write("listener %d\n" % (port))
        f.write("allow_anonymous false\n")
        f.write("plugin ../../plugins/dynamic-security/mosquitto_dynamic_security.so\n")
        f.write("plugin_opt_config_file %d/dynamic-security.json\n" % (port))

def command_check(sock, command_payload, expected_response):
    command_packet = mosq_test.gen_publish(topic="$CONTROL/dynamic-security/v1", qos=0, payload=json.dumps(command_payload))
    sock.send(command_packet)
    response = json.loads(mosq_test.read_publish(sock))
    if response != expected_response:
        print(expected_response)
        print(response)
        raise ValueError(response)



port = mosq_test.get_port()
conf_file = os.path.basename(__file__).replace('.py', '.conf')
write_config(conf_file, port)

add_client_command_with_id = { "commands": [{
    "command": "createClient", "username": "user_one",
    "password": "password", "clientid": "cid",
    "correlationData": "2" }]
}
add_client_response_with_id = {'responses': [{'command': 'createClient', 'correlationData': '2'}]}


add_client_group_role_command = {"commands":[
    { "command": "createGroup", "groupname": "mygroup" },
    { "command": "createRole", "rolename": "myrole" },
    { "command": "addGroupRole", "groupname": "mygroup", "rolename": "myrole" },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "subscribeLiteral", "topic": "simple/topic", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "subscribePattern", "topic": "single-wildcard/+/topic", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "subscribePattern", "topic": "multilevel-wildcard/#", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "unsubscribeLiteral", "topic": "simple/topic", "allow": False },
    { "command": "addGroupClient", "groupname": "mygroup", "username": "user_one" }
    ]}

add_client_group_role_response = {'responses': [
    {'command': 'createGroup'},
    {'command': 'createRole'},
    {'command': 'addGroupRole'},
    {'command': 'addRoleACL'}, {'command': 'addRoleACL'},
    {'command': 'addRoleACL'}, {'command': 'addRoleACL'},
    {'command': 'addGroupClient'}
    ]}

add_publish_acl_command = {"commands":[
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "simple/topic", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "single-wildcard/deny/deny", "priority":10, "allow": False },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "single-wildcard/+/+", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "multilevel-wildcard/topic/#", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientReceive", "topic": "single-wildcard/bob/bob", "allow": False },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientReceive", "topic": "multilevel-wildcard/topic/topic/denied", "allow": False },
    ]}

add_publish_acl_response = {'responses': [
    {'command': 'addRoleACL'}, {'command': 'addRoleACL'},
    {'command': 'addRoleACL'}, {'command': 'addRoleACL'},
    {'command': 'addRoleACL'}, {'command': 'addRoleACL'}
    ]}

delete_role_command = {"commands":[
    { "command": "deleteRole", "rolename": "myrole"}
    ]}
delete_role_response = {'responses': [{'command': 'deleteRole'}]}

rc = 1
keepalive = 10
connect_packet_admin = mosq_test.gen_connect("ctrl-test", keepalive=keepalive, username="admin", password="admin")
connack_packet_admin = mosq_test.gen_connack(rc=0)

mid = 2
subscribe_packet_admin = mosq_test.gen_subscribe(mid, "$CONTROL/dynamic-security/#", 1)
suback_packet_admin = mosq_test.gen_suback(mid, 1)

# Success
connect_packet_with_id1 = mosq_test.gen_connect("cid", keepalive=keepalive, username="user_one", password="password", proto_ver=5)
connack_packet_with_id1 = mosq_test.gen_connack(rc=0, proto_ver=5)

mid = 4
subscribe_simple_packet = mosq_test.gen_subscribe(mid, "simple/topic", 0, proto_ver=5)
suback_simple_packet_success = mosq_test.gen_suback(mid, 0, proto_ver=5)
suback_simple_packet_fail = mosq_test.gen_suback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

mid = 5
subscribe_single_packet = mosq_test.gen_subscribe(mid, "single-wildcard/bob/topic", 0, proto_ver=5)
suback_single_packet_success = mosq_test.gen_suback(mid, 0, proto_ver=5)
suback_single_packet_fail = mosq_test.gen_suback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

mid = 6
subscribe_multi_packet = mosq_test.gen_subscribe(mid, "multilevel-wildcard/topic/topic/#", 0, proto_ver=5)
suback_multi_packet_success = mosq_test.gen_suback(mid, 0, proto_ver=5)
suback_multi_packet_fail = mosq_test.gen_suback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

mid = 7
publish_simple_packet = mosq_test.gen_publish(mid=mid, topic="simple/topic", qos=1, payload="message", proto_ver=5)
puback_simple_packet_success = mosq_test.gen_puback(mid, proto_ver=5)
puback_simple_packet_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

publish_simple_packet_r = mosq_test.gen_publish(topic="simple/topic", qos=0, payload="message", proto_ver=5)

# This message is in single-wildcard/+/+ so could be allowed, but the single-wildcard/deny/deny with higher priority should override
mid = 9
publish_single_packet_denied = mosq_test.gen_publish(mid=mid, topic="single-wildcard/deny/deny", qos=1, payload="message", proto_ver=5)
puback_single_packet_denied_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

mid = 8
publish_single_packet = mosq_test.gen_publish(mid=mid, topic="single-wildcard/bob/topic", qos=1, payload="message", proto_ver=5)
puback_single_packet_success = mosq_test.gen_puback(mid, proto_ver=5)
puback_single_packet_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

publish_single_packet_r = mosq_test.gen_publish(topic="single-wildcard/bob/topic", qos=0, payload="message", proto_ver=5)

mid = 9
publish_multi_packet = mosq_test.gen_publish(mid=mid, topic="multilevel-wildcard/topic/topic/allowed", qos=1, payload="message", proto_ver=5)
puback_multi_packet_success = mosq_test.gen_puback(mid, proto_ver=5)
puback_multi_packet_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

mid = 10
publish_multi_denied_packet = mosq_test.gen_publish(mid=mid, topic="multilevel-wildcard/topic/topic/denied", qos=1, payload="message", proto_ver=5)
puback_multi_denied_packet = mosq_test.gen_puback(mid, proto_ver=5)

publish_multi_packet_r = mosq_test.gen_publish(topic="multilevel-wildcard/topic/topic/allowed", qos=0, payload="message", proto_ver=5)

mid = 11
unsubscribe_simple_packet = mosq_test.gen_unsubscribe(mid, "simple/topic", proto_ver=5)
unsuback_simple_packet_fail = mosq_test.gen_unsuback(mid, mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)

mid = 12
unsubscribe_single_packet = mosq_test.gen_unsubscribe(mid, "single-wildcard/bob/topic", proto_ver=5)
unsuback_single_packet_success = mosq_test.gen_unsuback(mid, 0, proto_ver=5)

mid = 13
unsubscribe_multi_packet = mosq_test.gen_unsubscribe(mid, "multilevel-wildcard/topic/topic/#", proto_ver=5)
unsuback_multi_packet_success = mosq_test.gen_unsuback(mid, 0, proto_ver=5)

disconnect_kick_packet = mosq_test.gen_disconnect(reason_code=mqtt5_rc.MQTT_RC_ADMINISTRATIVE_ACTION, proto_ver=5)

try:
    os.mkdir(str(port))
    shutil.copyfile("dynamic-security-init.json", "%d/dynamic-security.json" % (port))
except FileExistsError:
    pass

broker = mosq_test.start_broker(filename=os.path.basename(__file__), use_conf=True, port=port)

try:
    sock = mosq_test.do_client_connect(connect_packet_admin, connack_packet_admin, timeout=5, port=port)
    mosq_test.do_send_receive(sock, subscribe_packet_admin, suback_packet_admin, "suback")

    # Add client
    command_check(sock, add_client_command_with_id, add_client_response_with_id)

    # Client with username, password, and client id
    csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 1")

    # Subscribe to "simple/topic" - not allowed
    mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_fail, "suback simple 1")

    # Subscribe to "single-wildcard/bob/topic" - not allowed
    mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_fail, "suback single 1")

    # Subscribe to "multilevel-wildcard/topic/topic/topic" - not allowed
    mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_fail, "suback multi 1")

    # Publish to "simple/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_simple_packet, puback_simple_packet_fail, "puback simple 1")

    # Publish to "single-wildcard/bob/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_single_packet, puback_single_packet_fail, "puback single 1")

    # Publish to "multilevel-wildcard/topic/topic/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_multi_packet, puback_multi_packet_fail, "puback multi 1")

    # Create a group, add a role to the group, add the client to the group
    # Add some subscribe/unsubscribe ACLs - this will kick the client
    command_check(sock, add_client_group_role_command, add_client_group_role_response)

    mosq_test.expect_packet(csock, "disconnect kick 1", disconnect_kick_packet)
    csock.close()

    # Reconnect
    csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 2")

    # Subscribe to "simple/topic" - this is now allowed
    mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_success, "suback simple 2")

    # Subscribe to "single-wildcard/bob/topic" - this is now allowed
    mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_success, "suback single 2")

    # Subscribe to "multilevel-wildcard/topic/topic/topic" - this is now allowed
    mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_success, "suback multi 2")

    # Publish to "simple/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_simple_packet, puback_simple_packet_fail, "puback 2")

    # Publish to "single-wildcard/bob/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_single_packet, puback_single_packet_fail, "puback single 2")

    # Publish to "multilevel-wildcard/topic/topic/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_multi_packet, puback_multi_packet_fail, "puback multi 2")

    # Add some publish ACLs - this will kick the client
    command_check(sock, add_publish_acl_command, add_publish_acl_response)

    mosq_test.expect_packet(csock, "disconnect kick 2", disconnect_kick_packet)
    csock.close()

    # Reconnect
    csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 3")

    # Subscribe to "simple/topic" - this is now allowed
    mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_success, "suback simple 3")

    # Subscribe to "single-wildcard/bob/topic" - this is now allowed
    mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_success, "suback single 3")

    # Subscribe to "multilevel-wildcard/topic/topic/allowed" - this is now allowed
    mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_success, "suback multi 3")

    # Publish to "simple/topic" - this is now allowed
    csock.send(publish_simple_packet)
    mosq_test.receive_unordered(csock, publish_simple_packet_r, puback_simple_packet_success, "puback simple 3 / publish r")

    # Publish to "single-wildcard/bob/topic" - this is now allowed
    csock.send(publish_single_packet)
    mosq_test.receive_unordered(csock, publish_single_packet_r, puback_single_packet_success, "puback single 3 / publish r")

    # Publish to "single-wildcard/deny/deny" - this is stillnot allowed
    mosq_test.do_send_receive(csock, publish_single_packet_denied, puback_single_packet_denied_fail, "puback single denied 1")

    # Publish to "multilevel-wildcard/topic/topic/allowed" - this is now allowed
    csock.send(publish_multi_packet)
    mosq_test.receive_unordered(csock, publish_multi_packet_r, puback_multi_packet_success, "puback multi 3 / publish r")

    # Publish to "multilevel-wildcard/topic/topic/denied" - receiving is denied by publishClientReceive
    mosq_test.do_send_receive(csock, publish_multi_denied_packet, puback_multi_denied_packet, "puback multi denied")
    mosq_test.do_ping(csock)

    # Simple unsubscribe should be denied
    mosq_test.do_send_receive(csock, unsubscribe_simple_packet, unsuback_simple_packet_fail, "unsuback simple 1")

    # Single unsubscribe should be allowed
    mosq_test.do_send_receive(csock, unsubscribe_single_packet, unsuback_single_packet_success, "unsuback single 1")

    # Multi unsubscribe should be allowed
    mosq_test.do_send_receive(csock, unsubscribe_multi_packet, unsuback_multi_packet_success, "unsuback multi 1")

    # Delete the role, client should be kicked
    command_check(sock, delete_role_command, delete_role_response)

    mosq_test.expect_packet(csock, "disconnect kick 3", disconnect_kick_packet)
    csock.close()

    # Reconnect - these should all be denied again.
    csock = mosq_test.do_client_connect(connect_packet_with_id1, connack_packet_with_id1, timeout=5, port=port, connack_error="connack 4")

    # Subscribe to "simple/topic" - not allowed
    mosq_test.do_send_receive(csock, subscribe_simple_packet, suback_simple_packet_fail, "suback simple 4")

    # Subscribe to "single-wildcard/bob/topic" - not allowed
    mosq_test.do_send_receive(csock, subscribe_single_packet, suback_single_packet_fail, "suback single 4")

    # Subscribe to "multilevel-wildcard/topic/topic/topic" - not allowed
    mosq_test.do_send_receive(csock, subscribe_multi_packet, suback_multi_packet_fail, "suback multi 4")

    # Publish to "simple/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_simple_packet, puback_simple_packet_fail, "puback simple 4")

    # Publish to "single-wildcard/bob/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_single_packet, puback_single_packet_fail, "puback single 4")

    # Publish to "multilevel-wildcard/topic/topic/topic" - not allowed
    mosq_test.do_send_receive(csock, publish_multi_packet, puback_multi_packet_fail, "puback multi 4")

    csock.close()

    rc = 0

    sock.close()
except mosq_test.TestError:
    pass
finally:
    os.remove(conf_file)
    try:
        os.remove(f"{port}/dynamic-security.json")
    except FileNotFoundError:
        pass
    os.rmdir(f"{port}")
    broker.terminate()
    broker.wait()
    (stdo, stde) = broker.communicate()
    if rc:
        print(stde.decode('utf-8'))


exit(rc)

publishClientSend
publishClientReceive
subscribeLiteral
subscribePattern