Convert default security to "plugin" mode.

This converts password_file and acl_file checks to act like a v5 plugin.
eclipse · Oct 15, 2020 · ef68063 · ef68063
1 parent 0b414c6
commit ef68063
Show file tree

Hide file tree

Showing 3 changed files with 115 additions and 96 deletions.
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
@@ -256,6 +256,7 @@ struct mosquitto__security_options {
  char *auto_id_prefix;
  int auto_id_prefix_len;
  struct plugin__callbacks plugin_callbacks;
+ mosquitto_plugin_id_t *pid; /* For registering as a "plugin" */
 };
 
 struct mosquitto__listener {
@@ -838,8 +839,6 @@ int mosquitto_psk_key_get(struct mosquitto_db *db, struct mosquitto *context, co
 int mosquitto_security_init_default(struct mosquitto_db *db, bool reload);
 int mosquitto_security_apply_default(struct mosquitto_db *db);
 int mosquitto_security_cleanup_default(struct mosquitto_db *db, bool reload);
-int mosquitto_acl_check_default(struct mosquitto_db *db, struct mosquitto *context, const char *topic, int access);
-int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *context);
 int mosquitto_psk_key_get_default(struct mosquitto_db *db, struct mosquitto *context, const char *hint, const char *identity, char *key, int max_key_len);
 
 int mosquitto_security_auth_start(struct mosquitto_db *db, struct mosquitto *context, bool reauth, const void *data_in, uint16_t data_in_len, void **data_out, uint16_t *data_out_len);

diff --git a/src/security.c b/src/security.c
@@ -679,21 +679,24 @@ int mosquitto_acl_check(struct mosquitto_db *db, struct mosquitto *context, cons
  if(!context->id){
  return MOSQ_ERR_ACL_DENIED;
  }
+ if(context->bridge){
+ return MOSQ_ERR_SUCCESS;
+ }
 
  rc = acl__check_dollar(topic, access);
  if(rc) return rc;
 
- rc = mosquitto_acl_check_default(db, context, topic, access);
- if(rc != MOSQ_ERR_PLUGIN_DEFER){
- return rc;
- }
- /* Default check has accepted or deferred at this point.
+ /* 
  * If no plugins exist we should accept at this point so set rc to success.
  */
  rc = MOSQ_ERR_SUCCESS;
 
  if(db->config->per_listener_settings){
- opts = &context->listener->security_options;
+ if(context->listener){
+ opts = &context->listener->security_options;
+ }else{
+ return MOSQ_ERR_ACL_DENIED;
+ }
  }else{
  opts = &db->config->security_options;
  }
@@ -747,14 +750,10 @@ int mosquitto_unpwd_check(struct mosquitto_db *db, struct mosquitto *context)
  struct mosquitto__security_options *opts;
  struct mosquitto_evt_basic_auth event_data;
  struct mosquitto__callback *cb_base;
+ bool plugin_used = false;
+
+ rc = MOSQ_ERR_PLUGIN_DEFER;
 
- rc = mosquitto_unpwd_check_default(db, context);
- if(rc != MOSQ_ERR_PLUGIN_DEFER){
- return rc;
- }
- /* Default check has accepted or deferred at this point.
- * If no plugins exist we should accept at this point so set rc to success.
- */
  if(db->config->per_listener_settings){
  opts = &context->listener->security_options;
  }else{
@@ -770,6 +769,7 @@ int mosquitto_unpwd_check(struct mosquitto_db *db, struct mosquitto *context)
  if(rc != MOSQ_ERR_PLUGIN_DEFER){
  return rc;
  }
+ plugin_used = true;
  }
 
  for(i=0; i<opts->auth_plugin_config_count; i++){
@@ -781,33 +781,46 @@ int mosquitto_unpwd_check(struct mosquitto_db *db, struct mosquitto *context)
  context,
  context->username,
  context->password);
+ plugin_used = true;
 
  }else if(opts->auth_plugin_configs[i].plugin.version == 3){
  rc = opts->auth_plugin_configs[i].plugin.unpwd_check_v3(
  opts->auth_plugin_configs[i].plugin.user_data,
  context,
  context->username,
  context->password);
+ plugin_used = true;
 
  }else if(opts->auth_plugin_configs[i].plugin.version == 2){
  rc = opts->auth_plugin_configs[i].plugin.unpwd_check_v2(
  opts->auth_plugin_configs[i].plugin.user_data,
  context->username,
  context->password);
+ plugin_used = true;
  }
  }
  /* If all plugins deferred, this is a denial. If rc == MOSQ_ERR_SUCCESS
  * here, then no plugins were configured. Unless we have all deferred, and
  * anonymous logins are allowed. */
- if(rc == MOSQ_ERR_PLUGIN_DEFER){
- if(context->username == NULL &&
- ((db->config->per_listener_settings && context->listener->security_options.allow_anonymous == true)
- || (!db->config->per_listener_settings && db->config->security_options.allow_anonymous == true))){
+ if(plugin_used == false){
+ if((db->config->per_listener_settings && context->listener->security_options.allow_anonymous != false)
+ || (!db->config->per_listener_settings && db->config->security_options.allow_anonymous != false)){
 
  return MOSQ_ERR_SUCCESS;
  }else{
  return MOSQ_ERR_AUTH;
  }
+ }else{
+ if(rc == MOSQ_ERR_PLUGIN_DEFER){
+ if(context->username == NULL &&
+ ((db->config->per_listener_settings && context->listener->security_options.allow_anonymous != false)
+ || (!db->config->per_listener_settings && db->config->security_options.allow_anonymous != false))){
+
+ return MOSQ_ERR_SUCCESS;
+ }else{
+ return MOSQ_ERR_AUTH;
+ }
+ }
  }
 
  return rc;