nixos/mosquitto: restore passwordless system feature
During the rewrite the checkPasswords=false feature of the old module was lost. Restore it, and with it support for systems that allow any client to use any username.
parent
81175b442f
commit
d09952fea8
|
@ -264,6 +264,15 @@ let
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
omitPasswordAuth = mkOption {
|
||||||
|
type = bool;
|
||||||
|
description = ''
|
||||||
|
Omits password checking, allowing anyone to log in with any user name unless
|
||||||
|
other mandatory authentication methods (eg TLS client certificates) are configured.
|
||||||
|
'';
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
acl = mkOption {
|
acl = mkOption {
|
||||||
type = listOf str;
|
type = listOf str;
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -294,9 +303,9 @@ let
|
||||||
formatListener = idx: listener:
|
formatListener = idx: listener:
|
||||||
[
|
[
|
||||||
"listener ${toString listener.port} ${toString listener.address}"
|
"listener ${toString listener.port} ${toString listener.address}"
|
||||||
"password_file ${cfg.dataDir}/passwd-${toString idx}"
|
|
||||||
"acl_file ${makeACLFile idx listener.users listener.acl}"
|
"acl_file ${makeACLFile idx listener.users listener.acl}"
|
||||||
]
|
]
|
||||||
|
++ optional (! listener.omitPasswordAuth) "password_file ${cfg.dataDir}/passwd-${toString idx}"
|
||||||
++ formatFreeform {} listener.settings
|
++ formatFreeform {} listener.settings
|
||||||
++ concatMap formatAuthPlugin listener.authPlugins;
|
++ concatMap formatAuthPlugin listener.authPlugins;
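Review bot: The `omitPasswordAuth` option (first hunk, `omitPasswordAuth = mkOption {`) only drops the `password_file` line in formatListener, so any `password`/`hashedPassword` configured under that listener's `users` is silently ignored while the user names still select ACL entries, and nothing in the module warns about this. The description should state it, e.g. append `Passwords set for this listener's users are not checked; ACL entries are still matched against the username the client presents.` to the description text. Whether such a listener accepts clients at all appears to depend on mosquitto's allow_anonymous setting (the test enables `settings.allow_anonymous = true` alongside it), so the description would also benefit from a sentence pointing at that setting; I have not verified mosquitto's behaviour when neither a password file nor allow_anonymous is configured. The enclosing `let` bindings start and end outside the hunk.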
|
||||||
|
|
||||||
|
|
|
@ -3,6 +3,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
port = 1888;
|
port = 1888;
|
||||||
tlsPort = 1889;
|
tlsPort = 1889;
|
||||||
|
anonPort = 1890;
|
||||||
password = "VERY_secret";
|
password = "VERY_secret";
|
||||||
hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
|
hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
|
||||||
topic = "test/foo";
|
topic = "test/foo";
|
||||||
|
@ -63,7 +64,7 @@ in {
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
server = { pkgs, ... }: {
|
server = { pkgs, ... }: {
|
||||||
networking.firewall.allowedTCPPorts = [ port tlsPort ];
|
networking.firewall.allowedTCPPorts = [ port tlsPort anonPort ];
|
||||||
services.mosquitto = {
|
services.mosquitto = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -112,6 +113,18 @@ in {
|
||||||
use_identity_as_username = true;
|
use_identity_as_username = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
port = anonPort;
|
||||||
|
omitPasswordAuth = true;
|
||||||
|
settings.allow_anonymous = true;
|
||||||
|
acl = [ "pattern read #" ];
|
||||||
|
users = {
|
||||||
|
anonWriter = {
|
||||||
|
password = "<ignored>" + password;
|
||||||
|
acl = [ "write ${topic}" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -182,5 +195,14 @@ in {
|
||||||
topic="$SYS/#",
|
topic="$SYS/#",
|
||||||
port=${toString tlsPort},
|
port=${toString tlsPort},
|
||||||
user="no_such_user"))
|
user="no_such_user"))
|
||||||
|
|
||||||
|
with subtest("check omitPasswordAuth"):
|
||||||
|
parallel(
|
||||||
|
lambda: client1.succeed(subscribe("-i fd56032c-d9cb-4813-a3b4-6be0e04c8fc3",
|
||||||
|
"anonReader", port=${toString anonPort})),
|
||||||
|
lambda: [
|
||||||
|
server.wait_for_console_text("fd56032c-d9cb-4813-a3b4-6be0e04c8fc3"),
|
||||||
|
client2.succeed(publish("-m test", "anonWriter", port=${toString anonPort}))
|
||||||
|
])
|
||||||
'';
|
'';
|
||||||
})
|
})
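Review bot: The new "check omitPasswordAuth" subtest only proves the positive path (anonReader can subscribe, anonWriter can publish), so it does not show that the ACL still gates writes on the passwordless listener, which is the property that keeps `omitPasswordAuth` from being a full open relay; the test would be stronger with a negative case such as `client2.fail(publish("-m test", "anonReader", port=${toString anonPort}))`. The `publish`/`subscribe` helpers are defined outside the hunk, so whether they pass a password at all cannot be seen here; if they do, a run with a wrong password for anonWriter would also confirm that the configured password (`"<ignored>" + password`) really is ignored. The surrounding testScript string starts outside the hunk.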
|
||||||
|
|