iegomez / mosquitto-go-auth

Auth plugin for mosquitto.
MIT License

ACL checks for a combination of files & jwt backend not working #279

Open DeveloperMarius opened 1 year ago

DeveloperMarius commented 1 year ago

Hey,

when I use the files backend, everything works as expected.

time="2023-05-16T08:39:07Z" level=debug msg="user admin acl authenticated with backend Files"
time="2023-05-16T08:39:07Z" level=debug msg="Acl is true for user admin"

But when I enable the jwt backend using auth_opt_backends files, jwt it gives me:

time="2023-05-16T08:50:37Z" level=debug msg="checking user admin with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="user admin authenticated with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend JWT"
time="2023-05-16T08:50:38Z" level=debug msg="jwt parse error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=info msg="jwt local check acl error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=debug msg="Acl is false for user admin"
time="2023-05-16T08:50:38Z" level=error msg="token contains an invalid number of segments"

I think the ACL check for the files backend is somehow skipped and because the jwt backend fails, I receive an error. Or because the jwt backend fails (admin is not a jwt token), the files ACL check is skipped.

mosquitto.conf:

max_connections 1000
allow_anonymous false

listener 8081
protocol websockets
cafile ***
keyfile ***
certfile ***
tls_version tlsv1.2

listener 1884
protocol mqtt
cafile ***
keyfile ***
certfile ***
tls_version tlsv1.2

log_dest file ***/mosquitto.log

plugin /mosquitto/go-auth.so

auth_opt_hasher pbkdf2
auth_opt_backends files, jwt
auth_opt_disable_superuser true

auth_opt_files_password_path ***/password.txt
auth_opt_files_acl_path ***/auth_files.acl

auth_opt_jwt_mode local
auth_opt_jwt_db mysql
auth_opt_jwt_userfield Username
auth_opt_jwt_userquery ***
auth_opt_jwt_secret ***

auth_opt_jwt_mysql_host ***
auth_opt_jwt_mysql_port 3306
auth_opt_jwt_mysql_user ***
auth_opt_jwt_mysql_password ***
auth_opt_jwt_mysql_dbname ***

auth_opt_auth_cache_seconds 30
auth_opt_acl_cache_seconds 30
auth_opt_auth_jitter_seconds 3
auth_opt_acl_jitter_seconds 3

auth_opt_log_level debug
auth_opt_log_dest file
auth_opt_log_file ***

auth_files.acl:

user admin
topic read #
topic write #

Thank you for this project and I am looking forward to your feedback.

~ Marius

iegomez commented 1 year ago

This sounds like a bug I'll need to look into; the error should simply be skipped and the ACL check should pass because of the files entry. That said, if you need a quick workaround, you can disable ACL checks for your JWT backends by registering it to only check users, while your Files backend checks for ACLs: https://github.com/iegomez/mosquitto-go-auth#registering-checks
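The workaround described above, written out as a config fragment (an added example, not the reporter's configuration or the project's own documentation; the option names follow the README's registering-checks section, and the *** placeholders from the report are kept):

```conf
# Same backend list as in the report: both backends stay enabled.
auth_opt_backends files, jwt

# Files answers the user (password) check AND the ACL check,
# so "user admin" from auth_files.acl decides admin's topic access.
auth_opt_files_register user, acl
auth_opt_files_password_path ***/password.txt
auth_opt_files_acl_path ***/auth_files.acl

# JWT is registered for the user check only. It is never consulted
# at the ACL stage, so a non-JWT username like "admin" can no longer
# turn "token contains an invalid number of segments" into a denied ACL.
auth_opt_jwt_register user
auth_opt_jwt_mode local
auth_opt_jwt_db mysql
auth_opt_jwt_userfield Username
auth_opt_jwt_userquery ***
auth_opt_jwt_secret ***
```

With this split, clients that authenticate with a JWT also get their ACL decision from the files backend alone, so they need matching entries in auth_files.acl or they will be denied on every topic.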

iegomez commented 1 year ago

@bilgeexuu1 I think you're commenting in the wrong issue.