[dynsec] Problems with authorizing clients authenticated by certificate #2999

Open
dimabarbul opened this issue Feb 9, 2024 · 0 comments

I believe this is a bug, because it leads to inconsistent behavior for authN using username/password and certificate.

I need Mosquitto to allow connections for some clients with valid certificates. In order to implement this I configure mosquitto to require a certificate and use the dynamic-security plugin to configure ACLs. In dynamic-security I create clients only for the certificate CNs I want to allow, and grant only the permissions they should have. Sometimes I need to disable clients.

According to the documentation, deleting or disabling a client should disconnect currently connected clients and forbid future connections.

There are the following problems:

  1. When the client does not exist, the connection can still be established. No permissions are granted though: any attempt to subscribe or publish is denied.
  2. When the client exists and is disabled, it can perform any granted operations.

I tested the same functionality for username/password authN and it works fine: when the client does not exist or is disabled, the connection cannot be established.

mosquitto.conf

```
listener 8883

require_certificate true
use_identity_as_username true

cafile /mosquitto/certs/ca.crt
keyfile /mosquitto/certs/server.key
certfile /mosquitto/certs/server.crt

plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /tmp/dynamic-security.json

log_type all
```
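The dynamic-security side of the setup described in the issue, as an added example that is not part of the original report or of the Mosquitto project's files. With `require_certificate true` and `use_identity_as_username true`, the dynsec `username` of each client entry has to equal the CN of that client's certificate; the client names `sensor-01`/`sensor-02`, the role name `sensor` and the topic layout are assumed for illustration. No `password`/`salt`/`iterations` fields are present because the TLS certificate is the only credential. `sensor-02` is the "exists but disabled" case from point 2, and any CN not listed is the "does not exist" case from point 1 (the `defaultACLAccess` block is what denies such a client every publish and subscribe once it is connected). `%u` in a topic pattern is the plugin's placeholder for the username, here the certificate CN.

```json
{
  "clients": [
    {
      "username": "sensor-01",
      "textname": "Sensor 01 (CN of its client certificate)",
      "disabled": false,
      "roles": [ { "rolename": "sensor" } ]
    },
    {
      "username": "sensor-02",
      "textname": "Sensor 02, temporarily disabled",
      "disabled": true,
      "roles": [ { "rolename": "sensor" } ]
    }
  ],
  "groups": [],
  "roles": [
    {
      "rolename": "sensor",
      "acls": [
        { "acltype": "publishClientSend",    "topic": "sensors/%u/#",  "priority": 0, "allow": true },
        { "acltype": "subscribePattern",     "topic": "commands/%u/#", "priority": 0, "allow": true },
        { "acltype": "publishClientReceive", "topic": "commands/%u/#", "priority": 0, "allow": true }
      ]
    }
  ],
  "defaultACLAccess": {
    "publishClientSend": false,
    "publishClientReceive": false,
    "subscribe": false,
    "unsubscribe": true
  }
}
```

This is the file referenced by `plugin_opt_config_file` in the mosquitto.conf above. The plugin rewrites it itself whenever the configuration changes, so edit it by hand only while the broker is stopped; at runtime the same state change is made with `mosquitto_ctrl dynsec disableClient sensor-02` and reverted with `enableClient`. A quick check of the behaviour reported above is to connect with the `sensor-02` certificate after disabling it, and with a certificate whose CN has no client entry at all: in both cases the reporter expects the CONNECT to be refused, as it is for a disabled or unknown username/password client.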