nixos/mosquitto: restore passwordless system feature
During the rewrite the checkPasswords=false feature of the old module was lost. Restore it, and with it support for systems that allow any client to use any username.
This commit is contained in:
parent
81175b442f
commit
d09952fea8
|
@ -264,6 +264,15 @@ let
|
|||
default = {};
|
||||
};
|
||||
|
||||
omitPasswordAuth = mkOption {
|
||||
type = bool;
|
||||
description = ''
|
||||
Omits password checking, allowing anyone to log in with any user name unless
|
||||
other mandatory authentication methods (eg TLS client certificates) are configured.
|
||||
'';
|
||||
default = false;
|
||||
};
|
||||
|
||||
acl = mkOption {
|
||||
type = listOf str;
|
||||
description = ''
|
||||
|
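Review bot: The `omitPasswordAuth` description does not tell the reader that any `password`/`hashedPassword` configured for users of that listener is silently ignored once the option is set, which is exactly what the accompanying test relies on with `password = "<ignored>" + password`; the only effect of the option (second hunk of this file) is dropping the `password_file` line, and since the passwd file generation is outside the hunk it presumably is still written but never consulted. I would extend the description with a sentence such as `Any password configured for users of this listener is ignored; only set this together with another mandatory authentication method (eg TLS client certificates with use_identity_as_username) or on a listener that is intentionally open.` and, preferably, add an assertion or warning for listeners that combine this option with a user password, so a leftover credential does not give a false sense of protection. The test additionally enables `settings.allow_anonymous = true` on the same listener; if a username-supplying client is only accepted without a password file when that is set, the description should say so explicitly. The enclosing `let` block starts before the hunk.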
@ -294,9 +303,9 @@ let
|
|||
formatListener = idx: listener:
|
||||
[
|
||||
"listener ${toString listener.port} ${toString listener.address}"
|
||||
"password_file ${cfg.dataDir}/passwd-${toString idx}"
|
||||
"acl_file ${makeACLFile idx listener.users listener.acl}"
|
||||
]
|
||||
++ optional (! listener.omitPasswordAuth) "password_file ${cfg.dataDir}/passwd-${toString idx}"
|
||||
++ formatFreeform {} listener.settings
|
||||
++ concatMap formatAuthPlugin listener.authPlugins;
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
|
|||
let
|
||||
port = 1888;
|
||||
tlsPort = 1889;
|
||||
anonPort = 1890;
|
||||
password = "VERY_secret";
|
||||
hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
|
||||
topic = "test/foo";
|
||||
|
@ -63,7 +64,7 @@ in {
|
|||
};
|
||||
in {
|
||||
server = { pkgs, ... }: {
|
||||
networking.firewall.allowedTCPPorts = [ port tlsPort ];
|
||||
networking.firewall.allowedTCPPorts = [ port tlsPort anonPort ];
|
||||
services.mosquitto = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -112,6 +113,18 @@ in {
|
|||
use_identity_as_username = true;
|
||||
};
|
||||
}
|
||||
{
|
||||
port = anonPort;
|
||||
omitPasswordAuth = true;
|
||||
settings.allow_anonymous = true;
|
||||
acl = [ "pattern read #" ];
|
||||
users = {
|
||||
anonWriter = {
|
||||
password = "<ignored>" + password;
|
||||
acl = [ "write ${topic}" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
@ -182,5 +195,14 @@ in {
|
|||
topic="$SYS/#",
|
||||
port=${toString tlsPort},
|
||||
user="no_such_user"))
|
||||
|
||||
with subtest("check omitPasswordAuth"):
|
||||
parallel(
|
||||
lambda: client1.succeed(subscribe("-i fd56032c-d9cb-4813-a3b4-6be0e04c8fc3",
|
||||
"anonReader", port=${toString anonPort})),
|
||||
lambda: [
|
||||
server.wait_for_console_text("fd56032c-d9cb-4813-a3b4-6be0e04c8fc3"),
|
||||
client2.succeed(publish("-m test", "anonWriter", port=${toString anonPort}))
|
||||
])
|
||||
'';
|
||||
})
|
||||
|
|
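Review bot: The new `check omitPasswordAuth` subtest only exercises the allowed paths (an undeclared `anonReader` may subscribe, the declared `anonWriter` may publish) and never checks that the ACL is still enforced once password checking is off, so a regression that also dropped `acl_file` for such a listener would pass unnoticed. I would add a negative case along the lines of `client1.fail(publish("-m test", "anonReader", port=${toString anonPort}))`, keeping in mind that mosquitto does not necessarily report an ACL denial to the publisher through a non-zero exit, so the check may have to be made on the subscriber side instead (the reader must not receive a message sent by `anonReader`). In the earlier test hunk a short comment above the listener definition, such as `# password is deliberately wrong: with omitPasswordAuth it must never be checked`, would make the `"<ignored>" + password` construction self-explanatory.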