Add trivial basic authentication plugin based on IP.

plugins/Makefile

@@ -1,4 +1,5 @@
 DIRS= \
+ auth-by-ip \
  dynamic-security \
  message-timestamp \
  payload-modification

plugins/README.md

@@ -18,3 +18,6 @@ This is an **example** plugin to demonstrate how it is possible to modify the pa
 If you are considering using this feature, you should be very certain you have verified the payload is the correct format before modifying it.
 
 This plugin adds the text string "hello " to the beginning of each payload, so with anything other than simple plain text messages it will corrupt the payload contents.
+
+## Authenticate by IP address
+This is an **example** plugin that demonstrates a basic authentication callback that allows clients based on their IP address. Password based authentication is preferred over this very simple type of access control.

plugins/auth-by-ip/CMakeLists.txt

@@ -0,0 +1,11 @@
+include_directories(${mosquitto_SOURCE_DIR} ${mosquitto_SOURCE_DIR}/include
+ ${STDBOOL_H_PATH} ${STDINT_H_PATH})
+
+add_library(mosquitto_auth_by_ip SHARED mosquitto_auth_by_ip.c)
+set_target_properties(mosquitto_auth_by_ip PROPERTIES
+ POSITION_INDEPENDENT_CODE 1
+)
+set_target_properties(mosquitto_auth_by_ip PROPERTIES PREFIX "")
+
+# Don't install, these are example plugins only.
+#install(TARGETS mosquitto_auth_by_ip RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}")

plugins/auth-by-ip/Makefile

@@ -0,0 +1,27 @@
+include ../../config.mk
+
+.PHONY : all binary check clean reallyclean test install uninstall
+
+PLUGIN_NAME=mosquitto_auth_by_ip
+
+all : binary
+
+binary : ${PLUGIN_NAME}.so
+
+${PLUGIN_NAME}.so : ${PLUGIN_NAME}.c
+ $(CROSS_COMPILE)$(CC) $(PLUGIN_CPPFLAGS) $(PLUGIN_CFLAGS) $(PLUGIN_LDFLAGS) -fPIC -shared $< -o $@
+
+reallyclean : clean
+clean:
+ -rm -f *.o ${PLUGIN_NAME}.so *.gcda *.gcno
+
+check: test
+test:
+
+install: ${PLUGIN_NAME}.so
+ # Don't install, these are examples only.
+ #$(INSTALL) -d "${DESTDIR}$(libdir)"
+ #$(INSTALL) ${STRIP_OPTS} ${PLUGIN_NAME}.so "${DESTDIR}${libdir}/${PLUGIN_NAME}.so"
+
+uninstall :
+ -rm -f "${DESTDIR}${libdir}/${PLUGIN_NAME}.so"

plugins/auth-by-ip/mosquitto_auth_by_ip.c

@@ -0,0 +1,82 @@
+/*
+Copyright (c) 2021 Roger Light <[email protected]>
+
+All rights reserved. This program and the accompanying materials
+are made available under the terms of the Eclipse Public License 2.0
+and Eclipse Distribution License v1.0 which accompany this distribution.
+ 
+The Eclipse Public License is available at
+ https://www.eclipse.org/legal/epl-2.0/
+and the Eclipse Distribution License is available at
+ https://www.eclipse.org/org/documents/edl-v10.php.
+ 
+SPDX-License-Identifier: EPL-2.0 OR EDL-1.0
+
+Contributors:
+ Roger Light - initial implementation and documentation.
+*/
+
+/*
+ * This is an example plugin showing how to use the basic authentication
+ * callback to allow/disallow client connections based on client IP addresses.
+ *
+ * This is an extremely basic type of access control, password based or similar
+ * authentication is preferred.
+ *
+ * Compile with:
+ * gcc -I<path to mosquitto-repo/include> -fPIC -shared mosquitto_auth_by_ip.c -o mosquitto_auth_by_ip.so
+ *
+ * Use in config with:
+ *
+ * plugin /path/to/mosquitto_auth_by_ip.so
+ *
+ * Note that this only works on Mosquitto 2.0 or later.
+ */
+
+
+#include <stdio.h>
+#include <string.h>
+
+#include "mosquitto_broker.h"
+#include "mosquitto_plugin.h"
+#include "mosquitto.h"
+#include "mqtt_protocol.h"
+
+static mosquitto_plugin_id_t *mosq_pid = NULL;
+
+static int basic_auth_callback(int event, void *event_data, void *userdata)
+{
+ struct mosquitto_evt_basic_auth *ed = event_data;
+ const char *ip_address;
+
+ ip_address = mosquitto_client_address(ed->client);
+ if(!strcmp(ip_address, "127.0.0.1")){
+ /* Only allow connections from localhost */
+ return MOSQ_ERR_SUCCESS;
+ }else{
+ return MOSQ_ERR_AUTH;
+ }
+}
+
+int mosquitto_plugin_version(int supported_version_count, const int *supported_versions)
+{
+ int i;
+
+ for(i=0; i<supported_version_count; i++){
+ if(supported_versions[i] == 5){
+ return 5;
+ }
+ }
+ return -1;
+}
+
+int mosquitto_plugin_init(mosquitto_plugin_id_t *identifier, void **user_data, struct mosquitto_opt *opts, int opt_count)
+{
+ mosq_pid = identifier;
+ return mosquitto_callback_register(mosq_pid, MOSQ_EVT_BASIC_AUTH, basic_auth_callback, NULL, NULL);
+}
+
+int mosquitto_plugin_cleanup(void *user_data, struct mosquitto_opt *opts, int opt_count)
+{
+ return mosquitto_callback_unregister(mosq_pid, MOSQ_EVT_BASIC_AUTH, basic_auth_callback, NULL);
+}