ACL checks for a combination of files & jwt backend not working #279

DeveloperMarius opened this issue May 16, 2023 · 6 comments
Hey,

when I use the files backend, everything works as expected.

time="2023-05-16T08:39:07Z" level=debug msg="user admin acl authenticated with backend Files"
time="2023-05-16T08:39:07Z" level=debug msg="Acl is true for user admin"

But when I enable the jwt backend using auth_opt_backends files, jwt it gives me:

time="2023-05-16T08:50:37Z" level=debug msg="checking user admin with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="user admin authenticated with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend JWT"
time="2023-05-16T08:50:38Z" level=debug msg="jwt parse error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=info msg="jwt local check acl error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=debug msg="Acl is false for user admin"
time="2023-05-16T08:50:38Z" level=error msg="token contains an invalid number of segments"

I think the ACL check for the files backend is somehow skipped and because the jwt backend fails, I receive an error.
Or because the jwt backend fails (admin is not a jwt token), the files ACL check is skipped.

mosquitto.conf:

max_connections 1000
allow_anonymous false


listener 8081
protocol websockets
cafile  ***
keyfile  ***
certfile  ***
tls_version tlsv1.2

listener 1884
protocol mqtt
cafile ***
keyfile  ***
certfile  ***
tls_version tlsv1.2

log_dest file ***/mosquitto.log


plugin /mosquitto/go-auth.so

auth_opt_hasher pbkdf2
auth_opt_backends files, jwt
auth_opt_disable_superuser true

auth_opt_files_password_path ***/password.txt
auth_opt_files_acl_path ***/auth_files.acl

auth_opt_jwt_mode local
auth_opt_jwt_db mysql
auth_opt_jwt_userfield Username
auth_opt_jwt_userquery ***
auth_opt_jwt_secret ***

auth_opt_jwt_mysql_host ***
auth_opt_jwt_mysql_port 3306
auth_opt_jwt_mysql_user ***
auth_opt_jwt_mysql_password ***
auth_opt_jwt_mysql_dbname ***

auth_opt_auth_cache_seconds 30
auth_opt_acl_cache_seconds 30
auth_opt_auth_jitter_seconds 3
auth_opt_acl_jitter_seconds 3

auth_opt_log_level debug
auth_opt_log_dest file
auth_opt_log_file ***

auth_files.acl:

user admin
topic read #
topic write #

Thank you for this project and I am looking forward to your feedback.

~ Marius

iegomez (Owner) commented May 16, 2023

This sounds like a bug I'll need to look into, the error should be simply skipped and the ACL check pass because of the files entry.
That said, if you need a quick workaround, you can disable ACL checks for your JWT backends by registering it to only check users, while your Files backend checks for ACLs: https://github.com/iegomez/mosquitto-go-auth#registering-checks
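To make the two behaviours concrete, here is an added example (written for this page, not code from mosquitto-go-auth) that models the ACL aggregation across backends from the issue report above and the maintainer's workaround. The types `aclBackend`, `filesBackend`, `jwtBackend` and `registration`, and the two aggregation functions, are hypothetical stand-ins; the JWT backend only reproduces the segment-count failure from the log, so a bare username such as `admin` errors out the way the issue shows. `checkACLFirstError` is the semantics the log implies (first backend error aborts the decision, losing the grant Files already produced); `checkACLAnyGrant` is the semantics the maintainer describes as intended (errors are logged and skipped, access is granted if any ACL-registered backend grants it, and the check still fails closed when none does). `workaroundConfig` models the README's `auth_opt_<backend>_register` option with the JWT backend registered for `user` only, so it never takes part in ACL checks.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Mosquitto access types as passed to the plugin's ACL check.
const (
	MosqACLRead      = 1
	MosqACLWrite     = 2
	MosqACLSubscribe = 4
)

// aclBackend is a hypothetical model of one backend's ACL check; it is not
// the project's own interface.
type aclBackend interface {
	Name() string
	CheckACL(username, topic string, access int) (bool, error)
}

// filesBackend stands in for auth_files.acl: a table of users that may
// read/write "#" (constructed sample data).
type filesBackend struct{ allowAll map[string]bool }

func (filesBackend) Name() string { return "Files" }
func (f filesBackend) CheckACL(username, _ string, _ int) (bool, error) {
	return f.allowAll[username], nil
}

// jwtBackend expects the username slot to carry a JWT. A plain username such
// as "admin" has one segment, so the parse fails exactly as in the issue's log.
type jwtBackend struct{}

func (jwtBackend) Name() string { return "JWT" }
func (jwtBackend) CheckACL(token, _ string, _ int) (bool, error) {
	if len(strings.Split(token, ".")) != 3 {
		return false, errors.New("token contains an invalid number of segments")
	}
	return false, nil // signature and claim checks are out of scope for this model
}

// registration models auth_opt_<backend>_register: a backend takes part in a
// check only if it was registered for it ("user", "superuser", "acl").
type registration struct {
	backend aclBackend
	checks  map[string]bool
}

// checkACLFirstError reproduces the behaviour the log shows: the first backend
// error aborts the decision, so the grant already obtained from Files is lost.
func checkACLFirstError(regs []registration, user, topic string, access int) (bool, error) {
	granted := false
	for _, r := range regs {
		if !r.checks["acl"] {
			continue
		}
		ok, err := r.backend.CheckACL(user, topic, access)
		if err != nil {
			return false, err
		}
		granted = granted || ok
	}
	return granted, nil
}

// checkACLAnyGrant is the semantics the maintainer describes as intended: a
// backend error is logged and skipped, and access is granted if any backend
// registered for ACLs grants it. It still fails closed when no backend grants.
func checkACLAnyGrant(regs []registration, user, topic string, access int) bool {
	for _, r := range regs {
		if !r.checks["acl"] {
			continue
		}
		ok, err := r.backend.CheckACL(user, topic, access)
		if err != nil {
			fmt.Printf("acl check error with backend %s: %v (skipped)\n", r.backend.Name(), err)
			continue
		}
		if ok {
			return true
		}
	}
	return false
}

// issueConfig models "auth_opt_backends files, jwt" with both backends doing ACL checks.
func issueConfig() []registration {
	files := filesBackend{allowAll: map[string]bool{"admin": true}}
	return []registration{
		{backend: files, checks: map[string]bool{"user": true, "acl": true}},
		{backend: jwtBackend{}, checks: map[string]bool{"user": true, "acl": true}},
	}
}

// workaroundConfig models the maintainer's suggestion, i.e. "auth_opt_jwt_register user"
// plus "auth_opt_files_register user, acl", so JWT never sees the ACL check.
func workaroundConfig() []registration {
	regs := issueConfig()
	regs[1].checks = map[string]bool{"user": true}
	return regs
}

func main() {
	ok, err := checkACLFirstError(issueConfig(), "admin", "#", MosqACLRead)
	fmt.Println("issue config, first-error semantics:", ok, err)
	fmt.Println("issue config, any-grant semantics:", checkACLAnyGrant(issueConfig(), "admin", "#", MosqACLRead))
	ok, err = checkACLFirstError(workaroundConfig(), "admin", "#", MosqACLRead)
	fmt.Println("workaround config:", ok, err)
}
```

Note that under both semantics a user with no Files entry and no valid JWT is still denied; the difference is only whether an error from one backend can veto a grant another backend already produced.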

iegomez (Owner) commented Jul 18, 2023

@bilgeexuu1 I think you're commenting in the wrong issue.

@december1981 commented

I don't know if this is related, but I had an issue with using jwt with its own acl file.

Looking at jwt_files.go

func (o *filesJWTChecker) GetUser(token string) (bool, error) {
	// Current behaviour: the files-mode JWT checker never authenticates a user.
	return false, nil
}

To me this should say either

func (o *filesJWTChecker) GetUser(token string) (bool, error) {
	username, err := getUsernameForToken(o.options, token, o.options.skipACLExpiration)
	if err != nil {
		log.Printf("jwt get user error: %s", err)
		return false, err
	}

	_, ok := o.checker.Users()[username]
	return ok, nil
}

Or simply, to avoid getUsernameForToken twice (since CheckAcl does it, and this backend requires an acl to be defined in its NewFilesJWTChecker factory, unless I'm mistaken):

func (o *filesJWTChecker) GetUser(token string) (bool, error) {
	// Proposed: accept at the auth step and rely on CheckAcl to validate the token.
	return true, nil
}

This works when I compile it with the latter change - it never authenticates otherwise because checkAuth will always return false from the call in backends.go

Unless I've missed a configuration I can set to avoid the user name password checks for this case (so that it just acl checks against the username claim in the encoded jwt), then I don't know.

Here is my config:

auth_opt_backends files, jwt
auth_opt_check_prefix true
auth_opt_strip_prefix false
auth_opt_prefixes files, jwt

auth_opt_jwt_mode files
auth_opt_jwt_alg HS256
auth_opt_jwt_acl_path /mosquitto/auth/jwt.acl
auth_opt_jwt_claim_username username
auth_opt_jwt_userfield Username

auth_opt_hasher pbkdf2
auth_opt_hasher_salt_size 16
auth_opt_hasher_iterations 100000
auth_opt_hasher_keylen 64
auth_opt_hasher_algorithm sha512
auth_opt_hasher_salt_encoding base64

auth_opt_files_password_path /mosquitto/auth/passwords
auth_opt_files_acl_path /mosquitto/auth/files.acl

auth_opt_jwt_secret ***
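As an added illustration of the first variant proposed above (verify the token, derive the username claim, then look it up in the ACL file's user set), here is a self-contained HS256 version written for this page; it is not the project's `getUsernameForToken` or `filesJWTChecker`. `usernameFromHS256`, `mintHS256`, `getUser` and the `aclUsers` map are hypothetical names, the secret and claims are constructed inputs, and only `alg` and the signature are checked (no `exp` handling). The point a practitioner should take from it is the ordering: the username claim is read only after the signature has verified, so a bare `admin` string or a token signed with a different secret is rejected before any ACL user lookup happens, which the `return true, nil` variant leaves entirely to the later ACL check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url encoding JWT uses for all three segments.
var b64 = base64.RawURLEncoding

// mintHS256 builds a signed HS256 token for the example (constructed input;
// in practice the client presents the token as its MQTT username).
func mintHS256(claims map[string]interface{}, secret []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// usernameFromHS256 verifies the token's HS256 signature and then returns the
// string claim named claimName (auth_opt_jwt_claim_username in the config).
// Hypothetical stand-in for getUsernameForToken: alg and signature only, no exp.
func usernameFromHS256(token string, secret []byte, claimName string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token contains an invalid number of segments")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return "", err
	}
	// Pin the algorithm: the verifier decides how to verify, never the token.
	if hdr.Alg != "HS256" {
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("signature verification failed")
	}
	// Claims are trusted only after the signature matched.
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return "", err
	}
	name, ok := claims[claimName].(string)
	if !ok || name == "" {
		return "", fmt.Errorf("claim %q missing or not a string", claimName)
	}
	return name, nil
}

// getUser is the verify-then-lookup variant of the proposed GetUser: the caller
// authenticates only if the token verifies and names a user present in the ACL
// file (aclUsers models the users parsed from auth_opt_jwt_acl_path).
func getUser(token string, secret []byte, claimName string, aclUsers map[string]bool) (bool, error) {
	name, err := usernameFromHS256(token, secret, claimName)
	if err != nil {
		return false, err
	}
	return aclUsers[name], nil
}

func main() {
	secret := []byte("example-secret") // constructed; the real value comes from auth_opt_jwt_secret
	aclUsers := map[string]bool{"admin": true}
	tok, _ := mintHS256(map[string]interface{}{"username": "admin"}, secret)
	fmt.Println(getUser(tok, secret, "username", aclUsers))
	fmt.Println(getUser("admin", secret, "username", aclUsers))
}
```

A token whose claim names a user absent from the ACL file returns `false, nil` (valid token, unknown user), while a malformed or forged token returns an error; keeping those two outcomes distinct is what lets the caller log tampering separately from ordinary denials.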

@december1981 commented

To be clear, this is more about an issue with the jwt backend when it's in files mode, than with the files and the jwt backend combined, so maybe it belongs in a different issue.

iegomez (Owner) commented Sep 26, 2024

Yep, this is unrelated, so please open a different issue.
In fact, it's not implemented as mentioned in the README, the files option for JWT is right now only meant to be used for ACL checks, any user auth check needs to be done by some other backend.

@december1981 commented

> Yep, this is unrelated, so please open a different issue. In fact, it's not implemented as mentioned in the README, the files option for JWT is right now only meant to be used for ACL checks, any user auth check needs to be done by some other backend.

I've added a pull request here in response to this issue
#339
