Same topic and ACL evaluate to false

[mdelete]

If I have an ACL for a user saying foo/+ and this user wants to subscribe to the topic foo/+ it gets rejected. Is this intended? Am I mental? Or is this a bug?

The function mosquitto_topic_matches_sub("foo/+", "foo/+", &b) returns MOSQ_ERR_INVAL and b==false

Btw: mosquitto_topic_matches_sub("foo/+", "foo/bar/+", &b) also evaluates to b==false (as it should) but it returns MOSQ_ERR_SUCCESS

[ralight]

What you're running into here is the difference between topics, and topic filters (subscriptions). They aren't the same thing, despite appearances. You publish and receive messages on topics, and subscribe to topic filters. A topic filter/subscription is allowed to have wildcards in it, a topic isn't.

So: mosquitto_topic_matches_sub("foo/+", "foo/+", &b) - this should return MOSQ_ERR_INVAL, because the input topic isn't a valid topic. It should return non-matching as well, although that's irrelevant with invalid input.

mosquitto_topic_matches_sub("foo/+", "foo/bar/+", &b) - this should do the same. There is a bug here strictly speaking, because the input topic still isn't valid, so it should return MOSQ_ERR_INVAL as well. I'll look into that.

[ralight]

That change should make it work consistently.

[mdelete]

Thanks for your quick response! I still wonder, because this function is not only called when matching topics to topic filters but also when checking access for a subscription. How would you write an ACL for a wildcard topic filter?

In another example, mosquitto_topic_matches_sub("foo/#", "foo/bar/+", &b), where foo/# is from the ACL and foo/bar/+ is the topic-filter, would result in MOSQ_ERR_SUCCESS and b==true. This is what I would expect. The user who is allowed to subscribe to everything below foo/ may subscribe to foo/bar/something.

But when I call mosquitto_topic_matches_sub("foo/#", "foo/+", &b), the call yields MOSQ_ERR_INVAL and b==false which is not expected. The user is allowed to subscribe to everything below foo/, why should he be rejected if he just wants one level below foo/?

[ralight]

If you're referring to the use of mosquitto_topic_matches_sub() in mosquitto_acl_check_default(), then I'm afraid you are mistaken - this check only occurs for publish messages that are received by the broker, or are being sent to a client. Subscribe messages are currently always granted. This is safe because if you subscribe to # then you will still only receive messages that are allowed by the ACLs that are checked for publish messages.

For your two examples I can only repeat what I've already said, mosquitto_topic_matches_sub() is exclusively for checking whether a topic matches a topic filter/subscription. If you pass it a topic filter as an input to the topic argument, it will tell you that you have given invalid input by returning MOSQ_ERR_INVAL.

[mdelete]

Yes, you're right, I found the FIXME while studying the code ;)
I know now that the problem I encountered was with a 3rd-party auth plugin (which has nothing to with this project, I just wasn't aware of this) that tries to check subscriptions with mosquitto_topic_matches_sub() which is wrong now that I understand it. Sorry for the inconvenience and thank you for your support. Closing the ticket.