def acl_check(client_id, username, topic, access, payload):
    """Permissive ACL hook used for tracing: log the request, then allow it.

    Every call returns True regardless of client, user, topic or access
    type; the body only emits LOG_DEBUG lines. Note that `payload` is
    logged verbatim (repr), so message contents end up in the broker log
    at debug level.
    """
    debug = mosquitto_auth.LOG_DEBUG
    root_match = mosquitto_auth.topic_matches_sub('/#', topic)
    mosquitto_auth.log(debug, 'acl_check %r' % root_match)

    # First match wins, in the same order as the original if/elif chain.
    labels = (
        (mosquitto_auth.MOSQ_ACL_READ, 'READ'),
        (mosquitto_auth.MOSQ_ACL_SUBSCRIBE, 'SUBSCRIBE'),
        (mosquitto_auth.MOSQ_ACL_WRITE, 'WRITE'),
    )
    for kind, label in labels:
        if access != kind:
            continue
        message = (
            'acl_check {} (client_id: {} username: {} topic: {} access: {}, payload: {!r})'
            .format(label, client_id, username, topic, access, payload)
        )
        mosquitto_auth.log(debug, message)
        break
    return True
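def acl_check(clientid, username, topic, access):
    """Permissive ACL hook: print the request, then allow it.

    Returns True for every request; nothing is ever denied. Only READ and
    WRITE requests get the labelled trace line.

    The trace lines call print() with one pre-formatted string, which
    produces the same output under Python 2 and Python 3; the original
    Python 2 print statements are a SyntaxError on Python 3, where the
    sibling examples in this file already use print().
    """
    print('acl_check %s' % (mosquitto_auth.topic_matches_sub('/#', topic),))
    if access == mosquitto_auth.MOSQ_ACL_READ:
        print('acl_check READ %s %s %s %s' % (clientid, username, topic, access))
    elif access == mosquitto_auth.MOSQ_ACL_WRITE:
        print('acl_check WRITE %s %s %s %s' % (clientid, username, topic, access))
    return True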
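def acl_check(clientid, username, topic, access):
    """Permissive ACL hook: print the request, then allow it.

    Returns True for every request; nothing is ever denied. Only READ and
    WRITE requests get the labelled trace line.

    print() is called with a single pre-formatted string so the output is
    identical under Python 2 and Python 3 (the original print statements
    do not parse on Python 3).
    """
    matched_root = mosquitto_auth.topic_matches_sub('/#', topic)
    print('acl_check %s' % (matched_root,))
    if access == mosquitto_auth.MOSQ_ACL_READ:
        print('acl_check READ %s %s %s %s' % (clientid, username, topic, access))
    elif access == mosquitto_auth.MOSQ_ACL_WRITE:
        print('acl_check WRITE %s %s %s %s' % (clientid, username, topic, access))
    return True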
def acl_check(clientid, username, topic, access):
    # Mosquitto ACL callback backed by a per-user topic filter stored in
    # Redis (hash "mosq.<username>", field "acl"); returns whether that
    # filter matches `topic`. `clientid` and `access` are unused in the
    # visible code.
    # NOTE(review): this listing is truncated at the '******' marker below:
    # the missing-user branch and the assignment of `matches` are not
    # visible here, so the behaviour for a user with no ACL entry cannot be
    # determined from this excerpt.
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        print 'ACL: no such user:'******'ACL: user=%s topic=%s, matches = %s' % (username, topic, matches)
    return matches
def acl_check(clientid, username, topic, access):
    # Mosquitto ACL callback: fetch the user's topic filter from the Redis
    # hash "mosq.<username>" (field "acl") and return whether it matches
    # `topic`. `clientid` and `access` are not used in what is shown.
    # NOTE(review): the listing is cut at the '******' marker; the branch
    # taken when no filter exists and the line that assigns `matches` are
    # missing from this excerpt.
    pat = redis_conn.hget("mosq." + username, "acl")
    if not pat:
        print "ACL: no such user:"******"ACL: user=%s topic=%s, matches = %s" % (username, topic, matches)
    return matches
def acl_check(clientid, username, topic, access):
    # Mosquitto ACL callback backed by a per-user topic filter stored in
    # Redis (hash "mosq.<username>", field "acl"). Requests without a
    # username are denied before any lookup. `clientid` and `access` are
    # unused in the visible code.
    # NOTE(review): the listing is cut at the '******' marker below; the
    # missing-user branch and the assignment of `matches` are not visible.
    if username is None:
        print('AUTH required')
        return False
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        print('ACL: no such user:'******'ACL: user=%s topic=%s, matches = %s' % (username, topic, matches))
    return matches
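def acl_check(clientid, username, topic, access):
    """Mosquitto ACL callback: decide whether `clientid`/`username` may
    perform `access` (read or write) on `topic`.

    Decision order, first match wins:
      1. "admin" is allowed everything; an empty or missing username is
         denied.
      2. Per-client channels under "/c/": anyone may write to a client,
         a client may read only "/c/<its own clientid>", and reading any
         other client's channel is denied.
      3. The refresh user "r" may only write to "/r".
      4. Everyone else is checked against the scopes returned by
         call_token_introspection(username, "") (defined elsewhere): a scope
         grants access when its "rw" flag covers the requested direction
         and its "topic" filter matches `topic`.

    Returns True to allow and False to deny; anything not explicitly
    allowed is denied.

    Changes from the original: print() is called with a single formatted
    string (identical output on Python 2 and 3, and no TypeError when
    `clientid` is None); a None username is denied like "" instead of
    falling through to token introspection; the scope "rw" flag is lowered
    without .encode('ascii'), which on Python 3 produced bytes that never
    compared equal to the str literals and so denied every token user.
    """
    print("acl_check")
    print("client %s" % (clientid,))
    print("topic %s" % (topic,))

    if username == "admin":
        return True
    # Covers both "" and None (the original only checked "").
    if not username:
        return False

    write = (access == mosquitto_auth.MOSQ_ACL_WRITE)
    read = (access == mosquitto_auth.MOSQ_ACL_READ)

    # Per-client channels: anyone can write to a client ...
    if write and mosquitto_auth.topic_matches_sub('/c/#', topic):
        return True
    # ... a client can read messages destined for itself ...
    if read and clientid is not None and topic == '/c/' + clientid:
        return True
    # ... but nobody may read another client's channel.
    if read and mosquitto_auth.topic_matches_sub('/c/#', topic):
        print("unauthorized attempt to subscribe to another client")
        return False

    # The refresh user may post to /r and do nothing else.
    if username == "r":
        if topic == "/r" and write:
            print("refresh user posting to /r")
            return True
        return False

    valid, scopes = call_token_introspection(username, "")
    print("valid %s" % (valid,))
    print("scopes %s" % (scopes,))
    print("%s %s %s %s" % (clientid, username, topic, access))
    if not valid:
        return False

    for scope in scopes:
        # "rw"/"wr" grant both directions; "w" grants writes only; "r"
        # grants any non-write access (note: that includes subscribe).
        rw = scope['rw'].lower()
        print(rw)
        direction_ok = (
            rw in ("rw", "wr")
            or (write and rw == "w")
            or (not write and rw == "r")
        )
        if not direction_ok:
            continue
        print(scope['topic'])
        if mosquitto_auth.topic_matches_sub(scope['topic'], topic):
            return True
    return False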
def acl_check(client_id, username, topic, access, payload):
    # Mosquitto ACL callback backed by a per-user topic filter stored in
    # Redis (hash "mosq.<username>", field "acl"). Requests without a
    # username are denied before any lookup. `client_id` and `access` are
    # unused in the visible code; `payload` is only written to the trace
    # line (repr), which puts message contents on stdout.
    # NOTE(review): the listing is cut at the '******' marker below; the
    # missing-user branch and the assignment of `matches` are not visible.
    import mosquitto_auth

    if username is None:
        print('AUTH required')
        return False
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        print('ACL: no such user:'******'ACL: user=%s topic=%s, matches = %s, payload = %r' % (username, topic, matches, payload))
    return matches
def acl_check(clientid, username, topic, access):
    """Permissive ACL hook: log the request at debug level, then allow it.

    Every request is allowed (returns True) whatever its access type; only
    READ and WRITE requests get the detailed trace line.
    """
    debug = mosquitto_auth.LOG_DEBUG
    mosquitto_auth.log(
        debug,
        'acl_check %r' % mosquitto_auth.topic_matches_sub('/#', topic))

    # First match wins, mirroring the original if/elif order.
    labelled = (
        (mosquitto_auth.MOSQ_ACL_READ, 'READ'),
        (mosquitto_auth.MOSQ_ACL_WRITE, 'WRITE'),
    )
    for kind, label in labelled:
        if access == kind:
            mosquitto_auth.log(
                debug,
                'acl_check %s (clientid: %s username: %s topic: %s access: %s)'
                % (label, clientid, username, topic, access))
            break
    return True
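def acl_check(clientid, username, topic, access):
    """Mosquitto ACL callback backed by a per-user topic filter in Redis.

    The filter is read from hash "mosq.<username>", field "acl", and the
    result is whether it matches `topic`. `clientid` and `access` are
    accepted for the callback signature but not used, so the same filter
    governs reads and writes.

    Returns False when there is no username (unauthenticated) or when the
    user has no ACL entry; otherwise the topic_matches_sub() result.

    Change from the original: a user without an ACL entry was allowed
    (`return True`), i.e. missing policy granted unrestricted access. This
    version fails closed, matching the MySQL-backed example in this file.
    """
    import mosquitto_auth

    if username is None:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG, 'AUTH required')
        return False
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG,
                           'ACL: no such user: %s' % username)
        # Fail closed: no ACL entry means no access.
        return False
    # hget() returns bytes unless the client decodes responses itself;
    # accept either so a str-returning client does not raise here.
    pattern = pat.decode() if isinstance(pat, bytes) else pat
    matches = mosquitto_auth.topic_matches_sub(pattern, topic)
    mosquitto_auth.log(
        mosquitto_auth.LOG_DEBUG,
        'ACL: user=%s topic=%s, pat=%s, matches=%s' % (
            username,
            topic,
            pat,
            matches,
        ))
    return matches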
def acl_check(client_id, username, topic, access, payload):
    """Permissive ACL hook used for tracing: log the request, then allow it.

    Returns True for every request. READ, SUBSCRIBE and WRITE requests
    additionally get a labelled LOG_DEBUG line that includes the payload
    (repr), so message contents are written to the broker log.
    """
    def trace(label):
        # Emit the labelled trace line for this request.
        mosquitto_auth.log(
            mosquitto_auth.LOG_DEBUG,
            'acl_check {} (client_id: {} username: {} topic: {} access: {}, payload: {!r})'
            .format(label, client_id, username, topic, access, payload))

    mosquitto_auth.log(
        mosquitto_auth.LOG_DEBUG,
        'acl_check %r' % mosquitto_auth.topic_matches_sub('/#', topic))

    if access == mosquitto_auth.MOSQ_ACL_READ:
        trace('READ')
    elif access == mosquitto_auth.MOSQ_ACL_SUBSCRIBE:
        trace('SUBSCRIBE')
    elif access == mosquitto_auth.MOSQ_ACL_WRITE:
        trace('WRITE')
    return True
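def acl_check(clientid, username, topic, access):
    """Mosquitto ACL callback backed by a per-user topic filter in MySQL.

    The filter is read from users.acl for `username` and the result is
    whether it matches `topic`. `clientid` and `access` are accepted for
    the callback signature but not used, so one filter governs reads and
    writes.

    Returns False when there is no username (unauthenticated) or when the
    user has no row / an empty filter; otherwise the topic_matches_sub()
    result.

    Fix: cursor.fetchone() returns None for an unknown user, and the
    original indexed it with [0] and raised TypeError instead of reaching
    the "no such user" branch.
    """
    import mosquitto_auth

    if username is None:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG, 'AUTH required')
        return False
    with mysql_conn.cursor() as cursor:
        # Parameterised placeholder: username is passed as data, never
        # spliced into the SQL text.
        sql = "SELECT `acl` FROM `users` WHERE `username`=%s"
        cursor.execute(sql, (username, ))
        row = cursor.fetchone()
    pat = row[0] if row else None
    if not pat:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG,
                           'ACL: no such user: %s' % username)
        # Fail closed: unknown user or empty filter means no access.
        return False
    matches = mosquitto_auth.topic_matches_sub(pat, topic)
    mosquitto_auth.log(
        mosquitto_auth.LOG_DEBUG,
        'ACL: user=%s topic=%s, pat=%s, matches=%s' % (
            username,
            topic,
            pat,
            matches,
        ))
    return matches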
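def acl_check(clientid, username, topic, access):
    """Mosquitto ACL callback for the "mesh" topic namespace.

    Returns True when `topic` matches one of the filters allowed for the
    requested `access` (MOSQ_ACL_READ or MOSQ_ACL_WRITE), False otherwise.
    Any other access type, and anything not explicitly listed, is denied.
    `clientid` is accepted for the callback signature but not used.

    Readers may see their own inbox, anyone's profile/directory/key/items,
    the broker's client count, and the broker/peers channels. Writers may
    post to any inbox and update only their own items/profile/directory/
    key; the broker/peers channels are writable only by `broker_key`, a
    module-level name defined elsewhere in the file.

    Added check: `username` is spliced into topic filters below. MQTT
    wildcards ('+', '#') or the level separator ('/') inside it would
    change what those filters match, and None would raise on
    concatenation, so such names are denied outright rather than matched.
    """
    if not username or any(ch in username for ch in '+#/'):
        return False

    if access == mosquitto_auth.MOSQ_ACL_READ:
        filters = [
            'mesh/+/user/' + username + '/inbox',  # user reading their own inbox
            'mesh/+/user/+/profile',               # another user's profile
            'mesh/+/user/+/directory',             # another user's directory entry
            'mesh/+/user/+/key',                   # another user's keyblock
            'mesh/+/user/+/items',                 # another user's items
            '$SYS/broker/clients/total',           # total number of clients
            # NOTE: '*' is not an MQTT wildcard, so this matches only the
            # literal topic 'broker/*'; 'broker/#' would cover all broker/...
            # topics if that is what the "broadcast messages" comment intends.
            'broker/*',                            # broker broadcast messages
            'peers',                               # broker peer messages
        ]
    elif access == mosquitto_auth.MOSQ_ACL_WRITE:
        own = 'mesh/local/user/' + username
        filters = [
            'mesh/local/user/+/inbox',  # user sending a message
            own + '/items',             # user updating their own items
            own + '/profile',           # user updating their own profile
            own + '/directory',         # user updating their own directory entry
            own + '/key',               # user updating their own keyblock
        ]
        if username == broker_key:
            # Broker operator only: broadcast messages and the MQTT mesh
            # peer list (same literal-'*' caveat as above).
            filters += ['broker/*', 'peers']
    else:
        return False

    # Default is to deny unless a filter above is explicitly matched.
    return any(mosquitto_auth.topic_matches_sub(flt, topic) for flt in filters)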