
Prefix not working with files backend #197

Closed
flumpt opened this issue Sep 22, 2021 · 7 comments · Fixed by #200

Comments

@flumpt

flumpt commented Sep 22, 2021

Hello,

I am using the docker image iegomez/mosquitto-go-auth:1.8.0-mosquitto_1.6.14 and am experiencing an issue with the files backend and prefixes.

When I try to connect to the server providing the prefix with the username (files_recorder), I get the error "Connection refused: Not authorized". The docker container only prints the following logs at debug level:

mosquitto       | time="2021-09-22T08:48:26Z" level=debug msg="Found prefix for user files_recorder, using backend files."
mosquitto       | 1632300506: Socket error on client <unknown>, disconnecting.

On the other hand, when I remove the prefix the connection is established successfully:

mosquitto       | 1632300750: New connection from 172.18.0.10 on port 1883.
mosquitto       | time="2021-09-22T08:52:30Z" level=debug msg="checking user recorder with backend JWT"
mosquitto       | time="2021-09-22T08:52:30Z" level=info msg="error code: 401"
mosquitto       | time="2021-09-22T08:52:30Z" level=debug msg="checking user recorder with backend Files"
mosquitto       | time="2021-09-22T08:52:30Z" level=debug msg="user recorder authenticated with backend Files"
mosquitto       | 1632300750: New client connected from 172.18.0.10 as mqttjs_4beedcaf (p2, c1, k60, u'recorder').
mosquitto       | time="2021-09-22T08:52:30Z" level=debug msg="Acl check with backend JWT"
mosquitto       | time="2021-09-22T08:52:30Z" level=info msg="error code: 401"
mosquitto       | time="2021-09-22T08:52:30Z" level=debug msg="Acl check with backend Files"
mosquitto       | time="2021-09-22T08:52:30Z" level=debug msg="user recorder acl authenticated with backend Files"
mosquitto       | time="2021-09-22T08:52:30Z" level=debug msg="Acl is true for user recorder"

I am not that familiar with Go code, so I hope you can help me find the bug.

@iegomez
Owner

iegomez commented Sep 22, 2021

Hi, @flumpt.

Could you provide your configuration, passwords (redacted) and acl files to try to reproduce?

@flumpt
Author

flumpt commented Sep 22, 2021

Sure @iegomez. Thank you for your quick response!

mosquitto.conf:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /mosquitto/data/

listener 1883

listener 9001
protocol websockets

listener 8883
certfile /etc/letsencrypt/live/<mqtt_host>/cert.pem
cafile /etc/letsencrypt/live/<mqtt_host>/chain.pem
keyfile /etc/letsencrypt/live/<mqtt_host>/privkey.pem

listener 8081
protocol websockets
certfile /etc/letsencrypt/live/<mqtt_host>/cert.pem
cafile /etc/letsencrypt/live/<mqtt_host>/chain.pem
keyfile /etc/letsencrypt/live/<mqtt_host>/privkey.pem

auth_plugin /mosquitto/go-auth.so
auth_opt_log_level info
auth_opt_backends files, jwt
auth_opt_cache true
auth_opt_cache_reset true
auth_opt_auth_cache_seconds 30
auth_opt_acl_cache_seconds 30
auth_opt_disable_superuser true
auth_opt_check_prefix true
auth_opt_prefixes files, jwt
auth_opt_hasher pbkdf2
auth_opt_hasher_salt_size 16
auth_opt_hasher_iterations 100000
auth_opt_hasher_keylen 64
auth_opt_hasher_algorithm sha512
auth_opt_hasher_salt_encoding base64

auth_opt_files_password_path /etc/mosquitto/passwords
auth_opt_files_acl_path /etc/mosquitto/acl

auth_opt_jwt_mode remote
auth_opt_jwt_host <api_host>
auth_opt_jwt_port 443
auth_opt_jwt_getuser_uri /v1/mqtt/me
auth_opt_jwt_aclcheck_uri /v1/mqtt/permissions
auth_opt_jwt_with_tls true
auth_opt_jwt_response_mode json
auth_opt_jwt_params_mode form

passwords:

recorder:PBKDF2$sha512$100000$<redacted>

acl:

user recorder
topic write #
topic read #

@iegomez
Owner

iegomez commented Sep 22, 2021

Cool, thanks, I'll take a look when I get a minute.

@iegomez
Owner

iegomez commented Sep 23, 2021

Oh, silly me, I just checked your files and noticed the problem: except for JWT, where the token must be a valid one and thus it needs the prefix stripped, the rest of the backends will look for the entire username, including the prefix. So in this case, your files should look like this:

Passwords:

files_recorder:PBKDF2$sha512$100000$<redacted>

Acls:

user files_recorder
topic write #
topic read #

@iegomez
Owner

iegomez commented Sep 23, 2021

@flumpt I see how this can be a bit confusing and users may expect the prefix to be stripped, but it never was the case. I'll consider adding an option to strip the prefix, hopefully sooner than later, but for now that should fix it. Could you try it out to confirm?

@iegomez
Owner

iegomez commented Sep 23, 2021

Never mind, I already opened a PR adding an option to strip prefixes on checks. Once it passes checks, I'll merge both and release a new version.
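As an added illustration (not code from mosquitto-go-auth) of the lookup behaviour iegomez describes two comments up and of the strip option this comment mentions, the Go program below models the two steps the debug log shows: routing on the prefix before the first "_" against `auth_opt_prefixes`, and the files-backend lookup either under the full login name or, with a strip flag, under the name without its prefix. The flag name `strip`, the `PBKDF2$sha512$<iterations>$<base64 salt>$<base64 hash>` layout of the stored value (the issue shows only a redacted prefix of it), the underscore separator, and the sample password and salt are this example's assumptions; the PBKDF2 routine is written out over the standard library's HMAC so the block runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"hash"
	"strconv"
	"strings"
)

// Hasher settings copied from the mosquitto.conf posted in the issue.
const iterations, keyLen = 100000, 64

// pbkdf2 is RFC 8018 PBKDF2 over HMAC, written out so the example needs only the standard library.
func pbkdf2(h func() hash.Hash, password, salt []byte, iter, outLen int) []byte {
	prf := hmac.New(h, password)
	blocks := (outLen + prf.Size() - 1) / prf.Size()
	dk, ctr := []byte{}, make([]byte, 4)
	for b := 1; b <= blocks; b++ {
		binary.BigEndian.PutUint32(ctr, uint32(b))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(b))
		t := append([]byte(nil), u...) // T_b = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:outLen]
}

// makeHash builds the stored value; the PBKDF2$<alg>$<iter>$<b64 salt>$<b64 hash> layout is assumed (the issue redacts it).
func makeHash(password string, salt []byte) string {
	key := pbkdf2(sha512.New, []byte(password), salt, iterations, keyLen)
	b64 := base64.StdEncoding.EncodeToString
	return fmt.Sprintf("PBKDF2$sha512$%d$%s$%s", iterations, b64(salt), b64(key))
}

// verifyEntry recomputes the hash from the stored parameters and compares in constant time.
func verifyEntry(stored, password string) bool {
	p := strings.Split(stored, "$")
	if len(p) != 5 || p[0] != "PBKDF2" || p[1] != "sha512" {
		return false // only the sha512 variant from the issue is modelled
	}
	iter, err := strconv.Atoi(p[2])
	salt, err2 := base64.StdEncoding.DecodeString(p[3])
	want, err3 := base64.StdEncoding.DecodeString(p[4])
	if err != nil || err2 != nil || err3 != nil || iter <= 0 || len(want) == 0 {
		return false
	}
	got := pbkdf2(sha512.New, []byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

// findPrefix is the "Found prefix for user files_recorder, using backend files." step: head before the first "_" vs auth_opt_prefixes.
func findPrefix(username string, prefixes []string) (backend, rest string, found bool) {
	if head, tail, ok := strings.Cut(username, "_"); ok {
		for _, p := range prefixes {
			if head == p {
				return p, tail, true
			}
		}
	}
	return "", username, false
}

// Authenticate looks the user up under the full login name (issue behaviour) or, with strip, under the name minus its prefix.
func Authenticate(prefixes []string, strip bool, users map[string]string, username, password string) bool {
	backend, rest, found := findPrefix(username, prefixes)
	if found && backend != "files" {
		return false // only the files backend is modelled here
	}
	lookup := username
	if found && strip {
		lookup = rest
	}
	stored, ok := users[lookup]
	return ok && verifyEntry(stored, password) // unknown user -> "Connection refused: Not authorized"
}

func main() {
	salt := []byte("0123456789abcdef")                               // constructed 16-byte salt
	users := map[string]string{"recorder": makeHash("s3cret", salt)} // the passwords file as first posted
	prefixes := []string{"files", "jwt"}                              // auth_opt_prefixes files, jwt
	fmt.Println("files_recorder, no strip:", Authenticate(prefixes, false, users, "files_recorder", "s3cret"))
	fmt.Println("recorder, no strip:      ", Authenticate(prefixes, false, users, "recorder", "s3cret"))
	fmt.Println("files_recorder, strip:   ", Authenticate(prefixes, true, users, "files_recorder", "s3cret"))
}
```

The first line comes out false because the entry is keyed `recorder` while the lookup key is `files_recorder`, which is exactly the refused connection in the report; the second is true, and the third becomes true once stripping is on. Keying the entry as `files_recorder`, as iegomez suggests above, also authenticates without stripping.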

@flumpt
Author

flumpt commented Sep 24, 2021

@iegomez Thanks for clearing this up and also for providing an option to strip the prefix for the other backends as well. Works like a charm!
