feat(m2m): authorization backend

btry · btry · commit 5a19aaec1946 · 2018-05-20T09:46:44.000+02:00
Signed-off-by: Thierry Bugier &lt;tbugier@teclib.com&gt;
diff --git a/front/mosquittoauth.php b/front/mosquittoauth.php
@@ -48,6 +48,11 @@
    http_response_code($answer);
    die();
 }
+if (isset($_GET['superuser'])) {
+   $answer = $flyvemdmM2mApi->isSuperuser($_POST);
+   http_response_code($answer);
+   die();
+}
 if (isset($_GET['authorize'])) {
    $answer = $flyvemdmM2mApi->authorize($_POST);
    http_response_code($answer);
diff --git a/inc/mosquittoauth.class.php b/inc/mosquittoauth.class.php
@@ -48,6 +48,9 @@ public function authenticate($input) {
       if (!$mqttUser->getByUser($input['username'])) {
          return 404;
       }
+      if ($mqttUser->getField('enabled') == '0') {
+         return 404;
+      }
       $input['password'] = Toolbox::stripslashes_deep($input['password']);
       if ($mqttUser->comparePasswords($input['password'])) {
          return 200;
@@ -57,8 +60,50 @@ public function authenticate($input) {
    }
 
    public function authorize($input) {
+      $mqttUser = new PluginFlyvemdmMqttUser();
+      if (!$mqttUser->getByUser($input['username'])) {
+         return 403;
+      }
+      if ($mqttUser->getField('enabled') == '0') {
+         return 403;
+      }
+
+      $mqttUserId = $mqttUser->getID();
+      $acc = (int) $input['acc'];
+      $requestedTopic = explode('/', $input['topic']);
+      $mqttAcl = new PluginFlyvemdmMqttAcl();
+      $rows = $mqttAcl->find("`plugin_flyvemdm_mqttusers_id`='$mqttUserId'
+         AND `access_level` & $acc");
+      foreach ($rows as $row) {
+         $topic =  explode('/', $row['topic']);
+         $match = true;
+         foreach ($topic as $index => $pathItem) {
+            if ($pathItem === '+') {
+               // This path item matches a joker
+               continue;
+            }
+            if ($pathItem === '#' && $index === count($topic) - 1) {
+               continue;
+            }
+            if (!isset($requestedTopic[$index])) {
+               $match = false;
+               break;
+            }
+            if ($pathItem !== $requestedTopic[$index]) {
+               // This topic does not match, try the next one
+               $match = false;
+               break;
+            }
+         }
+         if ($match) {
+            return 200;
+         }
+      }
 
+      return 403;
+   }
 
-      return 404;
+   public function isSuperuser($input) {
+      return 403;
    }
 }
diff --git a/tests/suite-unit/PluginFlyvemdmMosquittoAuth.php b/tests/suite-unit/PluginFlyvemdmMosquittoAuth.php
