dynsec: Forbid deleting the anon group.

plugins/dynamic-security/groups.c

@@ -459,6 +459,11 @@ int dynsec_groups__process_delete(struct dynsec__data *data, struct plugin_cmd *
 
 	group = dynsec_groups__find(data, groupname);
 	if(group){
+		if(group == data->anonymous_group){
+			plugin__command_reply(cmd, "Deleting the anonymous group is forbidden");
+			return MOSQ_ERR_INVAL;
+		}
+
 		/* Enforce any changes */
 		group__kick_all(data, group);
 

test/broker/14-dynsec-anon-group.py

@@ -58,7 +58,7 @@ get_anon_group_response = {'responses': [{'command': 'getAnonymousGroup',
 create_role_apply_command = { "commands": [
     { "command": "createRole", "rolename": "anon", "correlationData": "4" },
     { "command": "addRoleACL", "rolename": "anon",
-		"acltype": "subscribeLiteral", "topic": "anon/topic", "allow": True,
+        "acltype": "subscribeLiteral", "topic": "anon/topic", "allow": True,
         "correlationData": "5" },
     { "command": "addGroupRole", "groupname": "anon-clients",
         "rolename": "anon", "correlationData": "6"}
@@ -70,6 +70,13 @@ create_role_apply_response = {'responses': [
     {'command': 'addGroupRole', 'correlationData': '6'}
     ]}
 
+delete_anon_group_command = { "commands": [
+    { "command": "deleteGroup", "groupname": "anon-clients", "correlationData": "40" }
+    ]
+}
+delete_anon_group_response = {'responses': [
+    {'command': 'deleteGroup', "error":'Deleting the anonymous group is forbidden', 'correlationData': '40'}
+    ]}
 
 
 rc = 1
@@ -135,6 +142,9 @@ try:
     csock = mosq_test.do_client_connect(connect_packet, connack_packet, timeout=5, port=port)
     mosq_test.do_send_receive(csock, subscribe_packet, suback_packet_success, "suback 3")
 
+    # Try to delete anon group, this should fail
+    command_check(sock, delete_anon_group_command, delete_anon_group_response)
+
     rc = 0
 
     sock.close()