LWT message does not check ACL (again)

[minhpq331]

Environment:

• EMQ X version (e.g. emqx_ctl status): docker emqx/emqx:4.2.10
• Env vars:

            EMQX_LOADED_PLUGINS: "emqx_management,emqx_auth_http,emqx_recon,emqx_retainer,emqx_dashboard"
            EMQX_ALLOW_ANONYMOUS: "false"
            EMQX_AUTH__HTTP__AUTH_REQ: "http:\/\/my-api:3000\/mqtt\/auth"
            EMQX_AUTH__HTTP__AUTH_REQ__METHOD: post
            EMQX_AUTH__HTTP__AUTH_REQ__CONTENT_TYPE: json
            EMQX_AUTH__HTTP__AUTH_REQ__PARAMS: clientid=%c,username=%u,password=%P,ipaddr=%a
            EMQX_AUTH__HTTP__ACL_REQ: "http:\/\/my-api:3000\/mqtt\/acl"
            EMQX_AUTH__HTTP__ACL_REQ__METHOD: post
            EMQX_AUTH__HTTP__ACL_REQ__CONTENT_TYPE: json
            EMQX_AUTH__HTTP__ACL_REQ__PARAMS: access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t
            EMQX_AUTH__HTTP__SUPER_REQ: "http:\/\/my-api:3000\/mqtt\/super"
            EMQX_AUTH__HTTP__SUPER_REQ__METHOD: post
            EMQX_AUTH__HTTP__SUPER_REQ__CONTENT_TYPE: json
            EMQX_AUTH__HTTP__SUPER_REQ__PARAMS: clientid=%c,username=%u,ipaddr=%a

What happened and what you expected to happen:

• When a client disconnects with last will message (LWT), EMQ X does not check ACL (no request to auth plugin) for that topic and I can publish to any topic using LWT.
• Expected: check ACL when publish LWT message

How to reproduce it (as minimally and precisely as possible):

• Use a normal client (superadmin = false) with LWT config to topic: test
• Use a superadmin client subscribe to topic test
• Disconnect normal client -> Superadmin client can see LWT message in topic test, no ACL request is made to auth plugin

I saw another issue about this problem but it was resolved in version 2.3.6. Does it happen again?

https://github.com/emqx/emqx/issues/1524

[terry-xiaoyu]

Then we should fix it again.

[cimplart]

I confirm this issue in emqx 4.3.7 is not fixed.

[SergeTupchiy]

Fixed in EMQX v5.0.9/e5.0.0, v4.3.21/v4.4.10.

Test example: acl file:

{allow, all, all, ["${username}"]}.
{deny, all}.

sub with will:

$ mqttx-cli sub -t topic -u topic -Wt will -Wm 'my-will'
[2/2/2024] [6:47:28 PM] › …  Connecting...
[2/2/2024] [6:47:28 PM] › ✔  Connected
[2/2/2024] [6:47:28 PM] › …  Subscribing to topic...
[2/2/2024] [6:47:28 PM] › ✔  Subscribed to topic
^C

log:

2024-02-02T18:47:36.330188+02:00 [warning] msg: last_will_testament_publish_denied, mfa: emqx_channel:publish_will_msg/2(2252), peername: 127.0.0.1:44692, clientid: mqttx_873bb3b0, topic: will, client_banned: false, publishing_disallowed: true

[zmstone]

Thank you @SergeTupchiy