Inconsistent rw Permission Behavior Not Matching Documentation #324

Closed
deffuseyou opened this issue Apr 1, 2024 · 4 comments

Comments

@deffuseyou

Hello,

I've been working with mosquitto-go-auth and have encountered an issue with the rw permission setting that does not behave as expected based on the documentation. Specifically, the permission levels seem to act differently than described when attempting to publish and subscribe to topics. Here's a summary of the behavior I observed:

  1. With rw set to 1, I cannot perform any actions (neither publish nor subscribe).
  2. With rw set to 2 or 3, publishing is possible, but subscribing is not.
  3. Only when rw is set to 4, both publishing and subscribing are allowed.

Could you please look into this issue? Any clarification on the expected behavior of the rw permission settings or guidance on how to properly configure them would be greatly appreciated.

mosquitto.conf:

log_type  all
listener 1883
allow_anonymous false
auth_plugin /mosquitto/go-auth.so
auth_opt_log_level debug

# postgres options:
auth_opt_backends postgres
auth_opt_pg_hasher bcrypt
auth_opt_pg_sslmode disable
auth_opt_pg_connect_tries 5

auth_opt_pg_host db
auth_opt_pg_port 5432
auth_opt_pg_user mosquitto
auth_opt_pg_password mosquitto_password
auth_opt_pg_dbname mosquitto_db
auth_opt_pg_userquery SELECT password_hash FROM "user" WHERE username = $1 AND is_active = true LIMIT 1
auth_opt_pg_superquery SELECT count(*) FROM "user" WHERE username = $1 AND is_admin = true AND is_active = true
auth_opt_pg_aclquery SELECT topic FROM "acl" WHERE (username = $1) AND (rw >= $2)

compose.yaml:

services:
  postgres:
    image: postgres
    container_name: db
    environment:
      POSTGRES_USER: mosquitto
      POSTGRES_PASSWORD: mosquitto_password
      POSTGRES_DB: mosquitto_db
    # condition: service_healthy on the dependant only works if this service defines a healthcheck
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U mosquitto -d mosquitto_db"]
      interval: 5s
      retries: 5
    ports:
      - "5432:5432"
    networks:
      - mosquitto-net

  mosquitto:
    image: iegomez/mosquitto-go-auth
    # depends_on appeared twice (a duplicate YAML key, which Compose rejects) and the first copy
    # referenced "db", which is the container_name, not the service name
    depends_on:
      postgres:
        condition: service_healthy
    volumes:
      - /home/user/mqtt/mosquitto.conf:/etc/mosquitto/mosquitto.conf
    ports:
      - "1883:1883"
    networks:
      - mosquitto-net

networks:
  mosquitto-net:

db:

CREATE TABLE "user" (
    id serial PRIMARY KEY,
    username varchar UNIQUE NOT NULL,
    password_hash varchar NOT NULL,
    is_active boolean NOT NULL default true,
    is_admin boolean NOT NULL default false
);

CREATE TABLE "acl" (
    id serial PRIMARY KEY,
    username varchar NOT NULL,
    topic varchar NOT NULL,
    rw integer NOT NULL
);

@iegomez
Owner

iegomez commented Apr 1, 2024

There's no issue in the plugin. If you're using a DB as backend, you're in charge of writing correct auth logic via your queries, so you need to rewrite this:

auth_opt_pg_aclquery SELECT topic FROM "acl" WHERE (username = $1) AND (rw >= $2)

Look at some old, closed issues, there are some examples in there.

@deffuseyou
Author

I read the old issue and replaced it with a strict equality rw = $2, but still the same behavior. As I understood, the database should return all the topics with user and rw. I checked the query SELECT topic FROM "acl" WHERE (username = 'user') AND (rw = 3); I got testtopic/# and tt2/#, which are in the database. In the server logs:

mosquitto_1  | time="2024-04-01T18:04:02Z" level=debug msg="Superuser check with backend Postgres"
mosquitto_1  | time="2024-04-01T18:04:02Z" level=debug msg="Acl check with backend Postgres"
mosquitto_1  | time="2024-04-01T18:04:02Z" level=debug msg="Acl is false for user user"
mosquitto_1  | 1711994642: Denied PUBLISH from MQTTool-915234461 (d0, q0, r0, m0, 'testtopic/2', ... (8 bytes))

@iegomez
Owner

iegomez commented Apr 1, 2024

But 3 is not a valid ACL value, Mosquitto won't ever pass a 3 to be checked.
Values are 0, 1, 2 and 4, see https://github.com/iegomez/mosquitto-go-auth?tab=readme-ov-file#acl-access-values.
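
To make the access values concrete, here is an added example (not from the issue or from the plugin) that loads a constructed copy of the "acl" table into SQLite and runs the issue's rw >= $2 query next to a bitmask alternative for each value Mosquitto actually passes as $2 (1 read, 2 write, 4 subscribe, Mosquitto's MOSQ_ACL_* constants). The bitmask convention, the SQLite ? placeholders and the sample rows are assumptions of this example; the real plugin additionally matches the returned topics against the requested topic.

```python
import sqlite3

# Access values Mosquitto passes to the plugin as $2 (MOSQ_ACL_READ/WRITE/SUBSCRIBE).
ACL_READ, ACL_WRITE, ACL_SUBSCRIBE = 1, 2, 4

# Constructed sample rows shaped like the issue's "acl" table: (username, topic, rw).
SAMPLE_ACL = [
    ("user", "testtopic/#", 1),  # read only
    ("user", "tt2/#", 2),        # write only
    ("user", "rw3/#", 3),        # never passed by Mosquitto; as a bitmask it means read|write
    ("user", "all/#", 4),        # subscribe only
    ("user", "mask/#", 7),       # bitmask read|write|subscribe
]

# The issue's query and a bitmask alternative; SQLite uses ? where Postgres uses $1/$2.
QUERY_GE = "SELECT topic FROM acl WHERE username = ? AND rw >= ?"
QUERY_MASK = "SELECT topic FROM acl WHERE username = ? AND (rw & ?) <> 0"


def open_db():
    """In-memory stand-in for the Postgres acl table, filled with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE acl (id INTEGER PRIMARY KEY, username TEXT NOT NULL,"
                " topic TEXT NOT NULL, rw INTEGER NOT NULL)")
    con.executemany("INSERT INTO acl (username, topic, rw) VALUES (?, ?, ?)", SAMPLE_ACL)
    return con


def matrix(query, username="user"):
    """Topics the query returns for each access value (sorted for stable comparison)."""
    con = open_db()
    return {acc: sorted(row[0] for row in con.execute(query, (username, acc)))
            for acc in (ACL_READ, ACL_WRITE, ACL_SUBSCRIBE)}


if __name__ == "__main__":
    for label, query in (("rw >= $2", QUERY_GE), ("(rw & $2) <> 0", QUERY_MASK)):
        print(label)
        for acc, topics in matrix(query).items():
            print(f"  acc={acc}: {topics}")
```

With rw >= $2 a row with rw=1 only ever comes back for acc=1, so that client can neither subscribe (acc=4) nor publish (acc=2), which is exactly the behaviour reported above; with the bitmask form rw=3 reads as read+write and rw=7 grants all three.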

@deffuseyou
Author

I think I got it, thank you.
