Fix invalid behaviour in dynsec plugin.

This occurred if a group or client was deleted before a role that was attached to the group or client is deleted. Closes #1998. Thanks to Willem Eradus.
eclipse · Jan 8, 2021 · 7e1a818 · 7e1a818
1 parent 5b3acfe
commit 7e1a818
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -9,6 +9,9 @@ Broker:
  /var/lib/mosquitto/mosquitto.db.new. Closes #1978.
 - Fix potential intermittent initial bridge connections when using poll().
 - Fix `bind_interface` option. Closes #1999.
+- Fix invalid behaviour in dynsec plugin if a group or client is deleted
+ before a role that was attached to the group or client is deleted.
+ Closes #1998.
 
 Apps:
 - Disallow control characters in mosquitto_passwd usernames.

diff --git a/plugins/dynamic-security/clients.c b/plugins/dynamic-security/clients.c
@@ -35,6 +35,7 @@ SPDX-License-Identifier: EPL-2.0 OR EDL-1.0
  * ################################################################ */
 
 static int dynsec__remove_client_from_all_groups(const char *username);
+static void client__remove_all_roles(struct dynsec__client *client);
 
 /* ################################################################
  * #
@@ -482,6 +483,7 @@ int dynsec_clients__process_delete(cJSON *j_responses, struct mosquitto *context
  client = dynsec_clients__find(username);
  if(client){
  dynsec__remove_client_from_all_groups(username);
+ client__remove_all_roles(client);
  client__free_item(client);
  dynsec__config_save();
  dynsec__command_reply(j_responses, context, "deleteClient", NULL, correlation_data);

diff --git a/plugins/dynamic-security/groups.c b/plugins/dynamic-security/groups.c
@@ -44,6 +44,7 @@ struct dynsec__group *dynsec_anonymous_group = NULL;
  * ################################################################ */
 
 static int dynsec__remove_all_clients_from_group(struct dynsec__group *group);
+static int dynsec__remove_all_roles_from_group(struct dynsec__group *group);
 static cJSON *add_group_to_json(struct dynsec__group *group);
 
 
@@ -460,6 +461,7 @@ int dynsec_groups__process_delete(cJSON *j_responses, struct mosquitto *context,
  /* Enforce any changes */
  group__kick_all(group);
 
+ dynsec__remove_all_roles_from_group(group);
  group__free_item(group);
  dynsec__config_save();
  dynsec__command_reply(j_responses, context, "deleteGroup", NULL, correlation_data);
@@ -583,6 +585,17 @@ static int dynsec__remove_all_clients_from_group(struct dynsec__group *group)
  return MOSQ_ERR_SUCCESS;
 }
 
+static int dynsec__remove_all_roles_from_group(struct dynsec__group *group)
+{
+ struct dynsec__rolelist *rolelist, *rolelist_tmp;
+
+ HASH_ITER(hh, group->rolelist, rolelist, rolelist_tmp){
+ dynsec_rolelist__group_remove(group, rolelist->role);
+ }
+
+ return MOSQ_ERR_SUCCESS;
+}
+
 int dynsec_groups__remove_client(const char *username, const char *groupname, bool update_config)
 {
  struct dynsec__client *client;