Skip to content

Commit

Permalink
[#3530] Changed mqtt credentials expired behavior
Browse files Browse the repository at this point in the history 
* Changed the exception that is used in case a mqtt device tries to send a message with expired credentials to an AuthorizationException to have the correct error code in the error message to the device.
* Extended the list of terminal errors for mqtt and amqp messages with unauthorized error.

Signed-off-by: Matthias Kaemmer <[email protected]>
  • Loading branch information
@mattkaem
mattkaem committed Aug 15, 2023
1 parent 9c39c65 commit f8ffa97
Show file tree
Hide file tree
Showing 4 changed files with 15 additions and 9 deletions.
4 changes: 3 additions & 1 deletion adapter-base/src/main/java/org/eclipse/hono/adapter/AbstractProtocolAdapterBase.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1062,6 +1062,7 @@ public static ConnectionAttemptOutcome getOutcome(final Throwable e) {
* <li>The adapter is disabled for the tenant that the client belongs to.</li>
* <li>The authenticated device or gateway is disabled or not registered.</li>
* <li>The tenant is disabled or does not exist.</li>
* <li>The authenticated device is not authorized anymore (e.g. device credentials expired).</li>
* </ul>
*
* @param error The error to be checked.
Expand Down Expand Up @@ -1096,7 +1097,8 @@ protected Future<Boolean> isTerminalError(final Throwable error, final String de

return Future.succeededFuture(error instanceof AdapterDisabledException
|| error instanceof GatewayDisabledOrNotRegisteredException
|| error instanceof TenantDisabledOrNotRegisteredException);
|| error instanceof TenantDisabledOrNotRegisteredException
|| error instanceof AuthorizationException);
}
}
}
3 changes: 2 additions & 1 deletion ...se/src/main/java/org/eclipse/hono/adapter/mqtt/AbstractVertxBasedMqttProtocolAdapter.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1310,6 +1310,7 @@ private Future<Void> checkTopic(final MqttContext context) {

private boolean disconnectOnExpired() {
if (authenticatedDevice != null && authenticatedDevice.expired()) {
log.debug("Credentials of device {} have expired - Disconnecting device.", authenticatedDevice.getDeviceId());
endpoint.close();
return true;
}
Expand All @@ -1318,7 +1319,7 @@ private boolean disconnectOnExpired() {

private Future<Void> checkExpiration(final MqttContext context) {
if (context.authenticatedDevice() != null && context.authenticatedDevice().expired()) {
return Future.failedFuture(new MqttConnectionException(MqttConnectReturnCode.CONNECTION_REFUSED_NOT_AUTHORIZED));
return Future.failedFuture(new AuthorizationException(context.tenant(), "Device credentials expired.", null));
} else {
return Future.succeededFuture();
}
Expand Down
1 change: 1 addition & 0 deletions site/documentation/content/user-guide/amqp-adapter.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,7 @@ are listed below.
* The adapter is disabled for the tenant that the client belongs to.
* The authenticated device or gateway is disabled or not registered.
* The tenant is disabled or does not exist.
* The authenticated device is not authorized anymore.

## Command-line Client

Expand Down
16 changes: 9 additions & 7 deletions site/documentation/content/user-guide/mqtt-adapter.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -856,13 +856,14 @@ The MQTT adapter publishes error messages with a UTF-8 encoded JSON payload cont

The error message's *code* field may contain the following HTTP status codes:

| Code | Description |
| :---- | :---------- |
| *400* | Bad Request, the request cannot be processed. A possible reason for this is an invalid *PUBLISH* topic. |
| *403* | Forbidden, the device's registration status cannot be asserted. |
| *404* | Not Found, the device is disabled or does not exist. |
| *413* | Request Entity Too Large, the request body exceeds the maximum supported size. |
| *429* | Too Many Requests, the tenant's message limit for the current period is exceeded. |
| Code | Description |
| :---- |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| *400* | Bad Request, the request cannot be processed. A possible reason for this is an invalid *PUBLISH* topic. |
| *401* | Unauthorized, the device connection is not authorized (e.g. device credentials expired). |
| *403* | Forbidden, the device's registration status cannot be asserted. |
| *404* | Not Found, the device is disabled or does not exist. |
| *413* | Request Entity Too Large, the request body exceeds the maximum supported size. |
| *429* | Too Many Requests, the tenant's message limit for the current period is exceeded. |
| *503* | Service Unavailable, the request cannot be processed. Possible reasons for this include:<ul><li>There is no consumer of telemetry data for the given tenant connected to Hono, or the consumer has not indicated that it may receive further messages (not giving credits). </li><li>If the QoS level header is set to `1` (*at least once* semantics), the reason may be: <ul><li>The consumer has indicated that it didn't process the telemetry data.</li> <li>The consumer failed to indicate in time whether it has processed the telemetry data.</li></ul></li></ul>|

Example payload:
Expand Down Expand Up @@ -890,6 +891,7 @@ terminal error happens. The errors that are classified as terminal are listed be
* The adapter is disabled for the tenant that the client belongs to.
* The authenticated device or gateway is disabled or not registered.
* The tenant is disabled or does not exist.
* The authenticated device is not authorized anymore (e.g. the connection expired).

{{% notice info %}}
When a terminal error occurs, the connection will always be closed irrespective of any *on-error* parameter or error
Expand Down

0 comments on commit f8ffa97

Please sign in to comment.