Authentication with client certificates and PostgreSQL

rebsp commented 5 years ago

Environment

VerneMQ Version: 1.9.2
OS: Docker

VerneMQ configuration ~~(vernemq.conf)~~ or the changes from the default

  - DOCKER_VERNEMQ_plugins.vmq_diversity=on
  - DOCKER_VERNEMQ_plugins.vmq_passwd=off
  - DOCKER_VERNEMQ_plugins.vmq_acl=off
  - DOCKER_VERNEMQ_vmq_diversity.auth_postgres.enabled=on
  - DOCKER_VERNEMQ_vmq_diversity.postgres.host=database
  - DOCKER_VERNEMQ_vmq_diversity.postgres.port=5432
  - DOCKER_VERNEMQ_vmq_diversity.postgres.user=vernemq
  - DOCKER_VERNEMQ_vmq_diversity.postgres.password=
  - DOCKER_VERNEMQ_vmq_diversity.postgres.database=vernemq
  - DOCKER_VERNEMQ_vmq_diversity.postgres.password_hash_method=crypt
  - DOCKER_VERNEMQ_listener.ssl.default=0.0.0.0:8883
  - DOCKER_VERNEMQ_listener.ssl.cafile=/etc/ssl/all-ca.crt
  - DOCKER_VERNEMQ_listener.ssl.certfile=/etc/ssl/server.crt
  - DOCKER_VERNEMQ_listener.ssl.keyfile=/etc/ssl/server.key
  - DOCKER_VERNEMQ_listener.ssl.use_identity_as_username=on
  - DOCKER_VERNEMQ_listener.ssl.require_certificate=on

Cluster size/standalone: standalone

Expected behaviour

Connect to VerneMQ using a client certificate and authorize to topics using PostgreSQL

Actual behaviour

TLS handshake is successful but receiving bad user name or password for authentication. I have tried several combinations like no password, empty password, password same as CN but none seem to be accepted:

[warning] can't authenticate client {[],<<"test">>} from 172.25.0.1:41876 due to invalid_credentials

Steps to reproduce

All certificates used from https://github.com/vernemq/vernemq/tree/master/apps/vmq_server/test/ssl

Create PostgreSQL auth database and insert user with username 'test client' (according to client.crt CN), client_id 'test' and pattern 'test':

WITH x AS (
SELECT
    ''::text AS mountpoint,
       'test'::text AS client_id,
       'test client'::text AS username,
       ''::text AS password,
       gen_salt('bf')::text AS salt,
       '[{"pattern": "test"}]'::json AS publish_acl,
       '[{"pattern": "test"}]'::json AS subscribe_acl
) 
INSERT INTO vmq_auth_acl (mountpoint, client_id, username, password, publish_acl, subscribe_acl)
SELECT 
    x.mountpoint,
    x.client_id,
    x.username,
    crypt(x.password, x.salt),
    publish_acl,
    subscribe_acl
FROM x;

Try to connect to VerneMQ using client certificate and client_id 'test'

rebsp commented 5 years ago

Were you able to reproduce this? Otherwise I can provide a repository with my test environment.

larshesel commented 5 years ago

Sorry, we haven't had a chance to look into this yet. Can you try to do a trace vmq-admin trace client client-id=<the clientid> and then connect and check that the username/pwd are what you expect them to be.

Btw. with the above entry you'd need to pass username: test client, password: ` (empty string) and client_id:test` when connecting.

Hope this helps

rebsp commented 5 years ago

I think I've found the issue. Could it be that the option use_identity_as_username sets the CN as username but keeps the password as undefined, so that this line: https://github.com/vernemq/vernemq/blob/45ac0c6a7bb59ab507ac4dcb5f9f62fdf6d0a410/apps/vmq_diversity/priv/auth/postgres_cockroach_commons.lua#L94 evaluates to false whenever I arrive with a client certificate?

Edit: Yep, see https://github.com/vernemq/vernemq/issues/523

Thanks & best regards

vernemq / vernemq