dynsec: Better test coverage

2025-05-09 01:01:11 +08:00 · 2020-11-30 17:15:43 +00:00 · 2020-11-30 17:15:43 +00:00 · 6bd45f0092
commit 6bd45f0092
parent aaf30dc622
8 changed files with 266 additions and 23 deletions
--- a/test/broker/14-dynsec-acl.py
+++ b/test/broker/14-dynsec-acl.py
@ -58,6 +58,7 @@ add_client_group_role_response = {'responses': [

 add_publish_acl_command = {"commands":[
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "simple/topic", "allow": True },
+    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "single-wildcard/deny/deny", "priority":10, "allow": False },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "single-wildcard/+/+", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientSend", "topic": "multilevel-wildcard/topic/#", "allow": True },
    { "command": "addRoleACL", "rolename": "myrole", "acltype": "publishClientReceive", "topic": "single-wildcard/bob/bob", "allow": False },
@ -67,7 +68,7 @@ add_publish_acl_command = {"commands":[
 add_publish_acl_response = {'responses': [
    {'command': 'addRoleACL'}, {'command': 'addRoleACL'},
    {'command': 'addRoleACL'}, {'command': 'addRoleACL'},
-    {'command': 'addRoleACL'}
+    {'command': 'addRoleACL'}, {'command': 'addRoleACL'}
    ]}

 delete_role_command = {"commands":[
@ -110,6 +111,11 @@ puback_simple_packet_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_

 publish_simple_packet_r = mosq_test.gen_publish(topic="simple/topic", qos=0, payload="message", proto_ver=5)

+# This message is in single-wildcard/+/+ so could be allowed, but the single-wildcard/deny/deny with higher priority should override
+mid = 9
+publish_single_packet_denied = mosq_test.gen_publish(mid=mid, topic="single-wildcard/deny/deny", qos=1, payload="message", proto_ver=5)
+puback_single_packet_denied_fail = mosq_test.gen_puback(mid, reason_code=mqtt5_rc.MQTT_RC_NOT_AUTHORIZED, proto_ver=5)
+
 mid = 8
 publish_single_packet = mosq_test.gen_publish(mid=mid, topic="single-wildcard/bob/topic", qos=1, payload="message", proto_ver=5)
 puback_single_packet_success = mosq_test.gen_puback(mid, proto_ver=5)
@ -232,6 +238,9 @@ try:
    csock.send(publish_single_packet)
    mosq_test.receive_unordered(csock, publish_single_packet_r, puback_single_packet_success, "puback single 3 / publish r")

+    # Publish to "single-wildcard/deny/deny" - this is stillnot allowed
+    mosq_test.do_send_receive(csock, publish_single_packet_denied, puback_single_packet_denied_fail, "puback single denied 1")
+
    # Publish to "multilevel-wildcard/topic/topic/allowed" - this is now allowed
    csock.send(publish_multi_packet)
    mosq_test.receive_unordered(csock, publish_multi_packet_r, puback_multi_packet_success, "puback multi 3 / publish r")
--- a/test/broker/14-dynsec-client-invalid.py
+++ b/test/broker/14-dynsec-client-invalid.py
@ -70,13 +70,17 @@ create_client8_response = {'responses': [{'command': 'createClient', 'error': 'I
 create_client9_command = { 'commands': [{'command': 'createClient', 'username': 'admin', 'password':'5'}]}
 create_client9_response = {'responses': [{'command': 'createClient', 'error': 'Client already exists'}]}

+# Roles not an array
+create_client10_command = { 'commands': [{'command': 'createClient', 'username': 'user', 'password':'5', 'roles':'bad'}] }
+create_client10_response = {'responses': [{'command': 'createClient', 'error': "'roles' not an array or missing/invalid rolename"}]}
+
 # Role not found
-create_client10_command = { 'commands': [{'command': 'createClient', 'username': 'user', 'password':'5', 'roles':[{'rolename':'notfound'}]}] }
-create_client10_response = {'responses': [{'command': 'createClient', 'error': 'Role not found'}]}
+create_client11_command = { 'commands': [{'command': 'createClient', 'username': 'user', 'password':'5', 'roles':[{'rolename':'notfound'}]}] }
+create_client11_response = {'responses': [{'command': 'createClient', 'error': 'Role not found'}]}

 # Group not found
-create_client11_command = { 'commands': [{'command': 'createClient', 'username': 'user', 'password':'5', 'groups':[{'groupname':'notfound'}]}] }
-create_client11_response = {'responses': [{'command': 'createClient', 'error': 'Group not found'}]}
+create_client12_command = { 'commands': [{'command': 'createClient', 'username': 'user', 'password':'5', 'groups':[{'groupname':'notfound'}]}] }
+create_client12_response = {'responses': [{'command': 'createClient', 'error': 'Group not found'}]}


 # ==========================================================================
@ -375,6 +379,7 @@ try:
    command_check(sock, create_client9_command, create_client9_response, "9")
    command_check(sock, create_client10_command, create_client10_response, "10")
    command_check(sock, create_client11_command, create_client11_response, "11")
+    command_check(sock, create_client12_command, create_client12_response, "12")

    command_check(sock, delete_client1_command, delete_client1_response, "1")
    command_check(sock, delete_client2_command, delete_client2_response, "2")
--- a/test/broker/14-dynsec-group.py
+++ b/test/broker/14-dynsec-group.py
@ -29,42 +29,70 @@ write_config(conf_file, port)
 create_client_command = { "commands": [{
            "command": "createClient", "username": "user_one",
            "password": "password", "clientid": "cid",
-            "textname": "Name", "textdescription": "Description",
+            "textname": "Name", "textdescription": "description",
            "rolename": "", "correlationData": "2" }]}
 create_client_response = {'responses':[{"command":"createClient","correlationData":"2"}]}

+create_client2_command = { "commands": [{
+            "command": "createClient", "username": "user_two",
+            "password": "password",
+            "textname": "Name", "textdescription": "description",
+            "rolename": "", "correlationData": "1" }]}
+create_client2_response = {'responses':[{"command":"createClient","correlationData":"1"}]}
+
 create_group_command = { "commands": [{
            "command": "createGroup", "groupname": "group_one",
-            "textname": "Name", "textdescription": "Description",
+            "textname": "Name", "textdescription": "description",
            "correlationData":"3"}]}
 create_group_response = {'responses':[{"command":"createGroup","correlationData":"3"}]}
 create_group_repeat_response = {'responses':[{"command":"createGroup","error":"Group already exists","correlationData":"3"}]}

+create_group2_command = { "commands": [{
+            "command": "createGroup", "groupname": "group_two",
+            "textname": "Name", "textdescription": "description",
+            "correlationData":"30"}]}
+create_group2_response = {'responses':[{"command":"createGroup","correlationData":"30"}]}
+
 list_groups_command = { "commands": [{
            "command": "listGroups", "verbose": False, "correlationData": "10"}]}
-list_groups_response = {'responses':[{"command": "listGroups", "data":{"totalCount":1, "groups":["group_one"]},"correlationData":"10"}]}
+list_groups_response = {'responses':[{"command": "listGroups", "data":{"totalCount":2, "groups":["group_one","group_two"]},"correlationData":"10"}]}

 list_groups_verbose_command = { "commands": [{
            "command": "listGroups", "verbose": True, "correlationData": "15"}]}
-list_groups_verbose_response = {'responses':[{'command': 'listGroups', 'data': {"totalCount":1, 'groups':
-            [{'groupname': 'group_one', 'textname': 'Name', 'textdescription': 'Description', 'clients': [
-                {"username":"user_one"}], "roles":[]}]},
+list_groups_verbose_response = {'responses':[{'command': 'listGroups', 'data': {"totalCount":2, 'groups':[
+    {'groupname': 'group_one', 'textname': 'Name', 'textdescription': 'description', 'clients': [
+    {"username":"user_one"}, {"username":"user_two"}], "roles":[]},
+    {'groupname': 'group_two', 'textname': 'Name', 'textdescription': 'description', 'clients': [
+    {"username":"user_one"}], "roles":[]}
+    ]},
    'correlationData': '15'}]}

 list_clients_verbose_command = { "commands": [{
            "command": "listClients", "verbose": True, "correlationData": "20"}]}
-list_clients_verbose_response = {'responses':[{"command": "listClients", "data":{"totalCount":2, "clients":[
+list_clients_verbose_response = {'responses':[{"command": "listClients", "data":{"totalCount":3, "clients":[
            {'username': 'admin', 'textname': 'Dynsec admin user', 'roles': [{'rolename': 'admin'}], 'groups': []},
-            {"username":"user_one", "clientid":"cid", "textname":"Name", "textdescription":"Description",
-            "groups":[{"groupname":"group_one"}], "roles":[]}]}, "correlationData":"20"}]}
+            {"username":"user_one", "clientid":"cid", "textname":"Name", "textdescription":"description",
+            "groups":[{"groupname":"group_one"}, {"groupname":"group_two"}], "roles":[]},
+            {"username":"user_two", "textname":"Name", "textdescription":"description",
+            "groups":[{"groupname":"group_one"}], "roles":[]},
+            ]}, "correlationData":"20"}]}

 get_group_command = { "commands": [{"command": "getGroup", "groupname":"group_one"}]}
 get_group_response = {'responses':[{'command': 'getGroup', 'data': {'group': {'groupname': 'group_one',
-            'textname':'Name', 'textdescription':'Description', 'clients': [{"username":"user_one"}], 'roles': []}}}]}
+    'textname':'Name', 'textdescription':'description', 'clients': [{"username":"user_one"}, {"username":"user_two"}], 'roles': []}}}]}

 add_client_to_group_command = {"commands": [{"command":"addGroupClient", "username":"user_one",
            "groupname": "group_one", "correlationData":"1234"}]}
 add_client_to_group_response = {'responses':[{'command': 'addGroupClient', 'correlationData': '1234'}]}
+add_duplicate_client_to_group_response = {'responses':[{'command': 'addGroupClient', 'correlationData': '1234'}]}
+
+add_client_to_group2_command = {"commands": [{"command":"addGroupClient", "username":"user_one",
+            "groupname": "group_two", "correlationData":"1234"}]}
+add_client_to_group2_response = {'responses':[{'command': 'addGroupClient', 'correlationData': '1234'}]}
+
+add_client2_to_group_command = {"commands": [{"command":"addGroupClient", "username":"user_two",
+            "groupname": "group_one", "correlationData":"1235"}]}
+add_client2_to_group_response = {'responses':[{'command': 'addGroupClient', 'correlationData': '1235'}]}

 remove_client_from_group_command = {"commands": [{"command":"removeGroupClient", "username":"user_one",
            "groupname": "group_one", "correlationData":"4321"}]}
@ -97,12 +125,17 @@ try:

    # Add client
    command_check(sock, create_client_command, create_client_response)
+    command_check(sock, create_client2_command, create_client2_response)

    # Add group
+    command_check(sock, create_group2_command, create_group2_response)
    command_check(sock, create_group_command, create_group_response)

    # Add client to group
    command_check(sock, add_client_to_group_command, add_client_to_group_response)
+    command_check(sock, add_client_to_group2_command, add_client_to_group2_response)
+    command_check(sock, add_client2_to_group_command, add_client2_to_group_response)
+    command_check(sock, add_client_to_group_command, add_duplicate_client_to_group_response)

    # Get group
    command_check(sock, get_group_command, get_group_response)
--- a/test/broker/14-dynsec-plugin-invalid.py
+++ b/test/broker/14-dynsec-plugin-invalid.py
@ -0,0 +1,150 @@
+#!/usr/bin/env python3
+
+# Check invalid inputs for plugin commands
+
+from mosq_test_helper import *
+import json
+import shutil
+
+def write_config(filename, port):
+    with open(filename, 'w') as f:
+        f.write("listener %d\n" % (port))
+        f.write("allow_anonymous true\n")
+        f.write("plugin ../../plugins/dynamic-security/mosquitto_dynamic_security.so\n")
+        f.write("plugin_opt_config_file %d/dynamic-security.json\n" % (port))
+
+def command_check(sock, command_payload, expected_response, msg=""):
+    command_packet = mosq_test.gen_publish(topic="$CONTROL/dynamic-security/v1", qos=0, payload=json.dumps(command_payload))
+    sock.send(command_packet)
+    response = json.loads(mosq_test.read_publish(sock))
+    if response != expected_response:
+        print(expected_response)
+        print(response)
+        if msg != "":
+            print(msg)
+        raise ValueError(response)
+
+
+def command_check_text(sock, command_payload, expected_response, msg=""):
+    command_packet = mosq_test.gen_publish(topic="$CONTROL/dynamic-security/v1", qos=0, payload=command_payload)
+    sock.send(command_packet)
+    response = json.loads(mosq_test.read_publish(sock))
+    if response != expected_response:
+        print(expected_response)
+        print(response)
+        if msg != "":
+            print(msg)
+        raise ValueError(response)
+
+
+port = mosq_test.get_port()
+conf_file = os.path.basename(__file__).replace('.py', '.conf')
+write_config(conf_file, port)
+
+# ==========================================================================
+# Bad commands
+# ==========================================================================
+
+# Invalid JSON
+bad1_command = 'not json'
+bad1_response = {'responses': [{'command': 'Unknown command', 'error': 'Invalid/missing commands'}]}
+
+# No commands
+bad2_command = {}
+bad2_response = {'responses': [{'command': 'Unknown command', 'error': 'Invalid/missing commands'}]}
+
+# Commands not an array
+bad3_command = {'commands': 'test'}
+bad3_response = {'responses': [{'command': 'Unknown command', 'error': 'Invalid/missing commands'}]}
+
+# Empty commands array
+bad4_command = {'commands': []}
+bad4_response = {'responses': []}
+
+# Empty command
+bad5_command = {'commands': ['bad']}
+bad5_response = {'responses': [{'command': 'Unknown command', 'error': 'Command not an object'}]}
+
+# Bad array type
+bad6_command = {'commands': [{}]}
+bad6_response = {'responses': [{'command': 'Unknown command', 'error': 'Missing command'}]}
+
+# Bad command type
+bad7_command = {'commands': [{'command':6}]}
+bad7_response = {'responses': [{'command': 'Unknown command', 'error': 'Missing command'}]}
+
+# Bad correlationData type
+bad8_command = {'commands': [{'command':'command', 'correlationData':6}]}
+bad8_response = {'responses': [{'command': 'command', 'error': 'Invalid correlationData data type.'}]}
+
+# Unknown command
+bad9_command = {'commands': [{'command':'command'}]}
+bad9_response = {'responses': [{'command': 'command', 'error': 'Unknown command'}]}
+
+# ==========================================================================
+# setDefaultACLAccess
+# ==========================================================================
+
+# Missing actions array
+set_default1_command = {'commands': [{'command':'setDefaultACLAccess'}]}
+set_default1_response = {'responses': [{'command': 'setDefaultACLAccess', 'error': 'Missing/invalid actions array'}]}
+
+# Actions array not an array
+set_default2_command = {'commands': [{'command':'setDefaultACLAccess', 'actions':'bad'}]}
+set_default2_response = {'responses': [{'command': 'setDefaultACLAccess', 'error': 'Missing/invalid actions array'}]}
+
+
+rc = 1
+keepalive = 10
+connect_packet = mosq_test.gen_connect("ctrl-test", keepalive=keepalive, username="admin", password="admin")
+connack_packet = mosq_test.gen_connack(rc=0)
+
+mid = 2
+subscribe_packet = mosq_test.gen_subscribe(mid, "$CONTROL/dynamic-security/#", 1)
+suback_packet = mosq_test.gen_suback(mid, 1)
+
+try:
+    os.mkdir(str(port))
+    shutil.copyfile("dynamic-security-init.json", "%d/dynamic-security.json" % (port))
+except FileExistsError:
+    pass
+
+broker = mosq_test.start_broker(filename=os.path.basename(__file__), use_conf=True, port=port)
+
+try:
+    sock = mosq_test.do_client_connect(connect_packet, connack_packet, timeout=5, port=port)
+    mosq_test.do_send_receive(sock, subscribe_packet, suback_packet, "suback")
+
+    command_check(sock, bad1_command, bad1_response, "1")
+    command_check(sock, bad2_command, bad2_response, "2")
+    command_check(sock, bad3_command, bad3_response, "3")
+    command_check(sock, bad4_command, bad4_response, "4")
+    command_check(sock, bad5_command, bad5_response, "5")
+    command_check(sock, bad6_command, bad6_response, "6")
+    command_check(sock, bad7_command, bad7_response, "7")
+    command_check(sock, bad8_command, bad8_response, "8")
+    command_check(sock, bad9_command, bad9_response, "9")
+
+    command_check(sock, set_default1_command, set_default1_response, "1")
+    command_check(sock, set_default2_command, set_default2_response, "2")
+
+    rc = 0
+
+    sock.close()
+except mosq_test.TestError:
+    pass
+finally:
+    os.remove(conf_file)
+    try:
+        os.remove(f"{port}/dynamic-security.json")
+    except FileNotFoundError:
+        pass
+    os.rmdir(f"{port}")
+    broker.terminate()
+    broker.wait()
+    (stdo, stde) = broker.communicate()
+    if rc:
+        print(stde.decode('utf-8'))
+
+
+exit(rc)
--- a/test/broker/14-dynsec-role-invalid.py
+++ b/test/broker/14-dynsec-role-invalid.py
@ -144,12 +144,15 @@ add_role_acl6_response = {'responses': [{'command': 'addRoleACL', 'error': 'Unkn
 add_role_acl7_command = { 'commands': [{'command': 'addRoleACL', 'rolename': 'validrole', 'acltype':'unsubscribePattern' }] }
 add_role_acl7_response = {'responses': [{'command': 'addRoleACL', 'error': 'Invalid/missing topic'}]}

-add_role_acl8_command = { 'commands': [{'command': 'addRoleACL', 'rolename': 'validrole', 'acltype':'unsubscribePattern', 'topic':5 }] }
+add_role_acl8_command = { 'commands': [{'command': 'addRoleACL', 'rolename': 'validrole', 'acltype':'subscribePattern', 'topic':5 }] }
 add_role_acl8_response = {'responses': [{'command': 'addRoleACL', 'error': 'Invalid/missing topic'}]}

-add_role_acl9_command = { 'commands': [{'command': 'addRoleACL', 'rolename': 'validrole', 'acltype':'unsubscribePattern', 'topic':'LO' }] }
+add_role_acl9_command = { 'commands': [{'command': 'addRoleACL', 'rolename': 'validrole', 'acltype':'unsubscribeLiteral', 'topic':'LO' }] }
 add_role_acl9_response = {'responses': [{'command': 'addRoleACL', 'error': 'Topic not valid UTF-8'}]}

+add_role_acl10_command = { 'commands': [{'command': 'addRoleACL', 'rolename': 'validrole', 'acltype':'unsubscribeLiteral', 'topic':'not/#/valid' }] }
+add_role_acl10_response = {'responses': [{'command': 'addRoleACL', 'error': 'Invalid ACL topic'}]}
+

 # ==========================================================================
 # Remove role ACL
@ -278,6 +281,7 @@ try:
    command_check(sock, add_role_acl7_command, add_role_acl7_response, "7")
    command_check(sock, add_role_acl8_command, add_role_acl8_response, "8")
    command_check(sock, add_role_acl9_command, add_role_acl9_response, "9")
+    command_check(sock, add_role_acl10_command, add_role_acl10_response, "10")

    command_check(sock, remove_role_acl1_command, remove_role_acl1_response, "1")
    command_check(sock, remove_role_acl2_command, remove_role_acl2_response, "2")
--- a/test/broker/14-dynsec-role.py
+++ b/test/broker/14-dynsec-role.py
@ -35,6 +35,14 @@ create_client_command = { "commands": [{
 }
 create_client_response = {'responses': [{'command': 'createClient', 'correlationData': '2'}]}

+create_client2_command = { "commands": [{
+    "command": "createClient", "username": "user_two",
+    "password": "password",
+    "textname": "Name", "textdescription": "Description",
+    "rolename": "", "correlationData": "3" }]
+}
+create_client2_response = {'responses': [{'command': 'createClient', 'correlationData': '3'}]}
+
 create_group_command = { "commands": [{
            "command": "createGroup", "groupname": "group_one",
            "textname": "Name", "textdescription": "Description",
@ -47,11 +55,21 @@ create_role_command = { "commands": [{'command': 'createRole', 'correlationData'
    }]}
 create_role_response = {'responses': [{'command': 'createRole', 'correlationData': '3'}]}

+create_role2_command = { "commands": [{'command': 'createRole', 'correlationData': '3',
+    "rolename": "basic2", "acls":[
+    {"acltype":"publishClientSend", "topic": "out/#", "priority":3, "allow": True}], "textname":"name", "textdescription":"desc"
+    }]}
+create_role2_response = {'responses': [{'command': 'createRole', 'correlationData': '3'}]}
+

 add_role_to_client_command = {"commands": [{'command': 'addClientRole', "username": "user_one",
    "rolename": "basic"}]}
 add_role_to_client_response = {'responses': [{'command': 'addClientRole'}]}

+add_role_to_client2_command = {"commands": [{'command': 'addClientRole', "username": "user_one",
+    "rolename": "basic2"}]}
+add_role_to_client2_response = {'responses': [{'command': 'addClientRole'}]}
+
 add_role_to_group_command = {"commands": [{'command': 'addGroupRole', "groupname": "group_one",
    "rolename": "basic"}]}
 add_role_to_group_response = {'responses': [{'command': 'addGroupRole'}]}
@ -61,7 +79,7 @@ list_roles_verbose_command1 = { "commands": [{
    "command": "listRoles", "verbose": True, "correlationData": "21"}]
 }
 list_roles_verbose_response1 = {'responses': [{'command': 'listRoles', 'data':
-    {'totalCount':2, 'roles': [
+    {'totalCount':3, 'roles': [
    {"rolename":"admin","acls":[
    {"acltype": "publishClientSend", "topic": "$CONTROL/dynamic-security/#", "priority":0, "allow": True },
    {"acltype": "publishClientReceive", "topic": "$CONTROL/dynamic-security/#", "priority":0, "allow": True },
@ -72,6 +90,8 @@ list_roles_verbose_response1 = {'responses': [{'command': 'listRoles', 'data':
    {"acltype": "subscribePattern", "topic": "#", "priority":0, "allow": True},
    {"acltype": "unsubscribePattern", "topic": "#", "priority":0, "allow": True}]},
    {'rolename': 'basic', "textname": "name", "textdescription": "desc",
+    'acls': [{'acltype':'publishClientSend', 'topic': 'out/#', 'priority': 3, 'allow': True}]},
+    {'rolename': 'basic2', "textname": "name", "textdescription": "desc",
    'acls': [{'acltype':'publishClientSend', 'topic': 'out/#', 'priority': 3, 'allow': True}]
    }]}, 'correlationData': '21'}]}

@ -79,10 +99,14 @@ add_acl_command = {"commands": [{'command': "addRoleACL", "rolename":"basic", "a
    "topic":"basic/out", "priority":1, "allow":True}]}
 add_acl_response = {'responses': [{'command': 'addRoleACL'}]}

+add_acl2_command = {"commands": [{'command': "addRoleACL", "rolename":"basic", "acltype":"subscribeLiteral",
+    "topic":"basic/out", "priority":1, "allow":True}]}
+add_acl2_response = {'responses': [{'command': 'addRoleACL', 'error':'ACL with this topic already exists'}]}
+
 list_roles_verbose_command2 = { "commands": [{
    "command": "listRoles", "verbose": True, "correlationData": "22"}]
 }
-list_roles_verbose_response2 = {'responses': [{'command': 'listRoles', 'data': {'totalCount':2, 'roles':
+list_roles_verbose_response2 = {'responses': [{'command': 'listRoles', 'data': {'totalCount':3, 'roles':
    [{"rolename":"admin","acls":[
    {"acltype": "publishClientSend", "topic": "$CONTROL/dynamic-security/#", "priority":0, "allow": True },
    {"acltype": "publishClientReceive", "topic": "$CONTROL/dynamic-security/#", "priority":0, "allow": True },
@ -94,7 +118,9 @@ list_roles_verbose_response2 = {'responses': [{'command': 'listRoles', 'data': {
    {"acltype": "unsubscribePattern", "topic": "#", "priority":0, "allow": True}]},
    {'rolename': 'basic', 'textname': 'name', 'textdescription': 'desc', 'acls':
    [{'acltype':'publishClientSend', 'topic': 'out/#', 'priority': 3, 'allow': True},
-    {'acltype':'subscribeLiteral', 'topic': 'basic/out', 'priority': 1, 'allow': True}],
+    {'acltype':'subscribeLiteral', 'topic': 'basic/out', 'priority': 1, 'allow': True}]},
+    {'rolename': 'basic2', "textname": "name", "textdescription": "desc",
+    'acls': [{'acltype':'publishClientSend', 'topic': 'out/#', 'priority': 3, 'allow': True}]
    }]}, 'correlationData': '22'}]}

 get_role_command = {"commands": [{'command': "getRole", "rolename":"basic"}]}
@ -108,16 +134,25 @@ remove_acl_command = {"commands": [{'command': "removeRoleACL", "rolename":"basi
    "topic":"basic/out"}]}
 remove_acl_response = {'responses': [{'command': 'removeRoleACL'}]}

+remove_acl2_command = {"commands": [{'command': "removeRoleACL", "rolename":"basic", "acltype":"subscribeLiteral",
+    "topic":"basic/out"}]}
+remove_acl2_response = {'responses': [{'command': 'removeRoleACL', 'error':'ACL not found'}]}
+
 delete_role_command = {"commands": [{'command': "deleteRole", "rolename":"basic"}]}
 delete_role_response = {"responses": [{"command": "deleteRole"}]}

+delete_role2_command = {"commands": [{'command': "deleteRole", "rolename":"basic"}]}
+delete_role2_response = {"responses": [{"command": "deleteRole"}]}
+
 list_clients_verbose_command = { "commands": [{
    "command": "listClients", "verbose": True, "correlationData": "20"}]
 }
-list_clients_verbose_response = {'responses':[{"command": "listClients", "data":{'totalCount':2, "clients":[
+list_clients_verbose_response = {'responses':[{"command": "listClients", "data":{'totalCount':3, "clients":[
    {'username': 'admin', 'textname': 'Dynsec admin user', 'roles': [{'rolename': 'admin'}], 'groups': []},
    {"username":"user_one", "clientid":"cid", "textname":"Name", "textdescription":"Description",
-    "groups":[], "roles":[{'rolename':'basic'}]}]}, "correlationData":"20"}]}
+    "groups":[], "roles":[{'rolename':'basic'}, {'rolename':'basic2'}]},
+    {"username":"user_two", "textname":"Name", "textdescription":"Description",
+    "groups":[], "roles":[]}]}, "correlationData":"20"}]}

 list_groups_verbose_command = { "commands": [{
    "command": "listGroups", "verbose": True, "correlationData": "20"}]
@ -157,6 +192,7 @@ try:
    mosq_test.do_send_receive(sock, subscribe_packet, suback_packet, "suback")

    # Create client
+    command_check(sock, create_client2_command, create_client2_response)
    command_check(sock, create_client_command, create_client_response)

    # Create group
@ -164,8 +200,10 @@ try:

    # Create role
    command_check(sock, create_role_command, create_role_response)
+    command_check(sock, create_role2_command, create_role2_response)

    # Add role to client
+    command_check(sock, add_role_to_client2_command, add_role_to_client2_response)
    command_check(sock, add_role_to_client_command, add_role_to_client_response)

    # Add role to group
@ -182,6 +220,7 @@ try:

    # Add ACL
    command_check(sock, add_acl_command, add_acl_response)
+    command_check(sock, add_acl2_command, add_acl2_response)

    # List roles verbose 2
    command_check(sock, list_roles_verbose_command2, list_roles_verbose_response2, "list roles verbose 2a")
@ -202,6 +241,7 @@ try:

    # Remove ACL
    command_check(sock, remove_acl_command, remove_acl_response)
+    command_check(sock, remove_acl2_command, remove_acl2_response)

    # List roles verbose 1
    command_check(sock, list_roles_verbose_command1, list_roles_verbose_response1, "list roles verbose 1b")
--- a/test/broker/Makefile
+++ b/test/broker/Makefile
@ -235,6 +235,7 @@ ifeq ($(WITH_CJSON),yes)
 	./14-dynsec-modify-client.py
 	./14-dynsec-modify-group.py
 	./14-dynsec-modify-role.py
+	./14-dynsec-plugin-invalid.py
 	./14-dynsec-role.py
 	./14-dynsec-role-invalid.py
 endif
--- a/test/broker/test.py
+++ b/test/broker/test.py
@ -201,6 +201,7 @@ tests = [
    (1, './14-dynsec-modify-client.py'),
    (1, './14-dynsec-modify-group.py'),
    (1, './14-dynsec-modify-role.py'),
+    (1, './14-dynsec-plugin-invalid.py'),
    (1, './14-dynsec-role.py'),
    (1, './14-dynsec-role-invalid.py'),
    ]