More efficient auth subscribe handling

Author: kleunen

include/mqtt/broker/broker.hpp

@@ -2062,12 +2062,19 @@ class broker_t {
         publish_options pubopts,
         v5::properties props
     ) {
+        // Get auth rights for this topic
+        auto auth_users = security.auth_sub(std::string(topic));
 
         // publish the message to subscribers.
         // retain is delivered as the original only if rap_value is rap::retain.
         // On MQTT v3.1.1, rap_value is always rap::dont.
         auto deliver =
-            [&] (session_state& ss, subscription& sub) {
+            [&] (session_state& ss, subscription& sub, auto const& auth_users) {
+
+                // See if this session is authorized to subscribe this topic
+                auto allowed = security.auth_sub_user(auth_users, ss.get_username());
+                if (allowed != security::authorization::type::allow) return;
+
                 publish_options new_pubopts = std::min(pubopts.get_qos(), sub.subopts.get_qos());
                 if (sub.subopts.get_rap() == rap::retain && pubopts.get_retain() == MQTT_NS::retain::yes) {
                     new_pubopts |= MQTT_NS::retain::yes;
@@ -2110,15 +2117,15 @@ class broker_t {
                         // publisher is the same as subscriber, then skip it.
                         if (sub.subopts.get_nl() == nl::yes &&
                             sub.ss.get().client_id() ==  source_ss.client_id()) return;
-                        deliver(sub.ss.get(), sub);
+                        deliver(sub.ss.get(), sub, auth_users);
                     }
                     else {
                         // Shared subscriptions
                         bool inserted;
                         std::tie(std::ignore, inserted) = sent.emplace(sub.share_name, sub.topic_filter);
                         if (inserted) {
                             if (auto ssr_opt = shared_targets_.get_target(sub.share_name, sub.topic_filter)) {
-                                deliver(ssr_opt.value().get(), sub);
+                                deliver(ssr_opt.value().get(), sub, auth_users);
                             }
                         }
                     }

include/mqtt/broker/security.hpp

@@ -47,7 +47,7 @@ struct security
     {
         std::string topic;
         enum class type {
-            allow, deny
+            deny, allow
         };
 
         type type_;
@@ -70,7 +70,9 @@ struct security
     std::map<std::string, authorization> authorization_;
     MQTT_NS::optional<std::string> anonymous;
 
-    MQTT_NS::broker::multiple_subscription_map<std::string, authorization::type> auth_pub_map;
+    using auth_map_type = MQTT_NS::broker::multiple_subscription_map<std::string, authorization::type>;
+    auth_map_type auth_pub_map;
+    auth_map_type auth_sub_map;
 
     MQTT_NS::optional<std::string> login_anonymous() {
         return anonymous;
@@ -118,6 +120,14 @@ struct security
         for(auto const &i: security.authorization_) {
             for(auto const& j: i.second.sub) {
                 validate_entry(security, "topic " + i.first, j);
+
+                if(is_valid_user_name(j)) {
+                    security.auth_sub_map.insert_or_assign(i.first, j, i.second.type_);
+                }
+                else if(is_valid_group_name(j)) {
+                    for(auto const& z: security.groups_[j].members)
+                        security.auth_sub_map.insert_or_assign(i.first, z, i.second.type_);
+                }
             }
             for(auto const& j: i.second.pub) {
                 validate_entry(security, "topic " + i.first, j);
@@ -198,7 +208,7 @@ struct security
         validate(security);
     }
 
-    authorization::type auth_pub(std::string const& topic, std::string const& username) {
+    authorization::type auth_pub(std::string const& topic, std::string const& username) const {
         authorization::type result_type = authorization::type::deny;
 
         auth_pub_map.find(topic, [&](std::string const &allowed_username, authorization::type type) {
@@ -207,6 +217,22 @@ struct security
 
         return result_type;
     }
+
+    std::map<std::string, authorization::type> auth_sub(std::string const& topic) const {
+        std::map<std::string, authorization::type> result;
+
+        auth_sub_map.find(topic, [&](std::string const &allowed_username, authorization::type type) {
+            result[allowed_username] = type;
+        });
+
+        return result;
+    }
+
+    static authorization::type auth_sub_user(std::map<std::string, authorization::type> const& result, std::string const& username) {
+        auto i = result.find(username);
+        if(i == result.end()) return authorization::type::deny;
+        return i->second;
+    }
 };
 
 MQTT_BROKER_NS_END

test/unit/ut_broker_security.cpp

@@ -99,6 +99,10 @@ BOOST_AUTO_TEST_CASE(check_publish) {
     BOOST_CHECK(security.auth_pub("sub/topic", "u1") == MQTT_NS::broker::security::authorization::type::allow);
     BOOST_CHECK(security.auth_pub("sub/topic1", "u1") == MQTT_NS::broker::security::authorization::type::deny);
 
+    BOOST_CHECK(security.auth_sub_user(security.auth_sub("topic"), "u1") == MQTT_NS::broker::security::authorization::type::deny);
+    BOOST_CHECK(security.auth_sub_user(security.auth_sub("sub/topic"), "u1") == MQTT_NS::broker::security::authorization::type::allow);
+    BOOST_CHECK(security.auth_sub_user(security.auth_sub("sub/topic1"), "u1") == MQTT_NS::broker::security::authorization::type::deny);
+
 }
 
 BOOST_AUTO_TEST_SUITE_END()