def acl_check(client_id, username, topic, access, payload):
    """Trace an ACL request at debug level and permit it unconditionally.

    This hook always returns True, so it is a logging stub rather than an
    authorisation policy: every READ, SUBSCRIBE and WRITE request is granted.
    Note that the message payload is written to the broker log with ``%r``;
    debug logs produced by this hook should therefore be treated as sensitive.

    Args:
        client_id: MQTT client identifier of the requesting connection.
        username: username presented at CONNECT.
        topic: topic (or filter, for SUBSCRIBE) being checked.
        access: one of ``mosquitto_auth.MOSQ_ACL_READ`` / ``MOSQ_ACL_SUBSCRIBE``
            / ``MOSQ_ACL_WRITE``; other values are logged only by the first line.
        payload: message payload for WRITE checks (logged verbatim).

    Returns:
        True, always.
    """
    log = mosquitto_auth.log
    debug = mosquitto_auth.LOG_DEBUG
    log(debug, 'acl_check %r' % (mosquitto_auth.topic_matches_sub('/#', topic)))
    # One template per access kind; unknown kinds produce no second line.
    templates = {
        mosquitto_auth.MOSQ_ACL_READ:
            'acl_check READ (client_id: {} username: {} topic: {} access: {}, payload: {!r})',
        mosquitto_auth.MOSQ_ACL_SUBSCRIBE:
            'acl_check SUBSCRIBE (client_id: {} username: {} topic: {} access: {}, payload: {!r})',
        mosquitto_auth.MOSQ_ACL_WRITE:
            'acl_check WRITE (client_id: {} username: {} topic: {} access: {}, payload: {!r})',
    }
    template = templates.get(access)
    if template is not None:
        log(debug, template.format(client_id, username, topic, access, payload))
    return True
def acl_check(clientid, username, topic, access):
    """Print the ACL request to stdout and permit it unconditionally.

    Python 2 variant of the tracing stub: always returns True, so every
    request is granted regardless of ``username``, ``topic`` or ``access``.

    Args:
        clientid: MQTT client identifier.
        username: username presented at CONNECT.
        topic: topic being checked.
        access: ``mosquitto_auth.MOSQ_ACL_READ`` or ``MOSQ_ACL_WRITE``
            (other values only produce the first print line).

    Returns:
        True, always.
    """
    print 'acl_check', mosquitto_auth.topic_matches_sub('/#', topic)
    labels = {
        mosquitto_auth.MOSQ_ACL_READ: 'acl_check READ',
        mosquitto_auth.MOSQ_ACL_WRITE: 'acl_check WRITE',
    }
    label = labels.get(access)
    if label is not None:
        print label, clientid, username, topic, access
    return True
def acl_check(clientid, username, topic, access):
    # Authorise `topic` for `username` using the subscription pattern stored in
    # Redis under hash 'mosq.<username>', field 'acl'.
    # NOTE(review): there is no guard for username is None (anonymous
    # connection); the concatenation below would raise TypeError — confirm
    # that anonymous connects are disabled in the broker configuration.
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        # NOTE(review): the span marked '******' is redacted in this listing,
        # so the deny path for an unknown user and the computation of
        # `matches` cannot be read here — confirm against the original file.
        print 'ACL: no such user:'******'ACL: user=%s topic=%s, matches = %s' % (username, topic, matches)
    # `access` (read/write) is not consulted: one pattern governs both.
    return matches
def acl_check(clientid, username, topic, access):
    # Same Redis-backed lookup as the single-quoted variant: the pattern for
    # `username` lives in hash "mosq.<username>", field "acl".
    # NOTE(review): no guard for username is None — the concatenation would
    # raise TypeError for an anonymous connection; confirm anonymous connects
    # are disabled.
    pat = redis_conn.hget("mosq." + username, "acl")
    if not pat:
        # NOTE(review): the '******' span is redacted in this listing; the
        # unknown-user deny path and the computation of `matches` are not
        # visible here — confirm against the original file.
        print "ACL: no such user:"******"ACL: user=%s topic=%s, matches = %s" % (username, topic, matches)
    # `access` is not consulted: the same pattern governs read and write.
    return matches
def acl_check(clientid, username, topic, access):
    # Authorise `topic` for `username` against the pattern stored in Redis
    # (hash 'mosq.<username>', field 'acl').
    # Anonymous connections carry no username to look up: deny them outright
    # rather than let the concatenation below raise TypeError.
    if username is None:
        print('AUTH required')
        return False
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        # NOTE(review): the '******' span is redacted in this listing, so the
        # unknown-user deny path and the computation of `matches` cannot be
        # read here — confirm against the original file.
        print('ACL: no such user:'******'ACL: user=%s topic=%s, matches = %s' % (username, topic, matches))
    # `access` is not consulted: one pattern governs both read and write.
    return matches
def acl_check(clientid, username, topic, access):
    """Topic ACL combining static rules with token-introspection scopes.

    Order of evaluation matters and is security-relevant:
      1. "admin" is granted everything; an empty username is denied.
      2. Per-client topics under /c/: anyone may write to any client's
         topic, a client may read only its own exact topic '/c/<clientid>'.
      3. The "r" user may only write to "/r".
      4. Everything else is decided by the scopes returned from
         call_token_introspection(); each scope carries a topic filter and
         an 'rw' string.
    Returns True when a rule grants the request, False otherwise.
    """
    print "acl_check"
    print "client "+clientid
    print "topic "+ topic
    # Fixed administrator account: bypasses every other rule.
    if (username=="admin"):
        return True
    # NOTE(review): this only catches the empty string; a None username
    # (anonymous connection) falls through to the string comparisons and to
    # call_token_introspection below — confirm anonymous connects are disabled.
    if (username==""):
        return False
    # first check if this is just aimed at the client
    # Any authenticated user may publish to any client's private topic; the
    # per-client restriction applies to reading only.
    if (mosquitto_auth.topic_matches_sub('/c/#', topic) and access == mosquitto_auth.MOSQ_ACL_WRITE):
        return True # anyone can write to a client.
    # Exact string compare on purpose: a wildcard subscription such as '/c/+'
    # or '/c/#' does not equal '/c/<clientid>' and is denied by the next rule.
    if ((topic == '/c/'+clientid) and access == mosquitto_auth.MOSQ_ACL_READ):
        return True # this client can read messages destined for itself
    if (mosquitto_auth.topic_matches_sub('/c/#', topic) and access == mosquitto_auth.MOSQ_ACL_READ):
        print "unauthorized attempt to subscribe to another client"
        return False # otherwise can't read
    # refresh user can post to /refresh and nothing else
    if (username=="r"):
        if (topic=="/r" and access==mosquitto_auth.MOSQ_ACL_WRITE):
            print "refresh user posting to /r"
            return True
        else:
            return False
    # presumably the username field carries the bearer token here — verify
    # against call_token_introspection; its second argument is always "".
    valid, scopes = call_token_introspection(username, "")
    print "valid", valid
    print "scopes", scopes
    print clientid, username, topic, access
    if (valid):
        write = (access == mosquitto_auth.MOSQ_ACL_WRITE);
        for scope in scopes:
            # 'rw' is normalised to lower-case ASCII; accepted forms are
            # "rw"/"wr" (both), "w" for writes and "r" for reads.
            rw = (scope['rw']).encode('ascii').lower()
            print rw
            if (rw=="rw" or rw=="wr" or (write and rw=="w") or ((not write) and rw=="r")):
                print scope['topic']
                # The scope's topic is an MQTT filter matched against the request.
                if (mosquitto_auth.topic_matches_sub(scope['topic'], topic)):
                    return True
    # NOTE(review): the listing's collapsed layout leaves the indentation of
    # this final return ambiguous; it is placed at function level so that an
    # invalid token is denied explicitly — confirm against the original file.
    return False
def acl_check(client_id, username, topic, access, payload):
    # Authorise `topic` for `username` against the pattern stored in Redis
    # (hash 'mosq.<username>', field 'acl'); this variant also receives and
    # logs the message payload.
    import mosquitto_auth
    # Anonymous connections have nothing to look up: deny rather than let the
    # concatenation below raise TypeError.
    if username is None:
        print('AUTH required')
        return False
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        # NOTE(review): the '******' span is redacted in this listing, so the
        # unknown-user deny path and the computation of `matches` cannot be
        # read here — confirm against the original file. The payload is
        # printed with %r; treat this output as sensitive.
        print('ACL: no such user:'******'ACL: user=%s topic=%s, matches = %s, payload = %r' % (username, topic, matches, payload))
    # `access` is not consulted: one pattern governs both read and write.
    return matches
def acl_check(clientid, username, topic, access):
    """Log an ACL request at debug level and permit it unconditionally.

    A tracing stub, not a policy: every request is granted (always returns
    True). READ and WRITE requests get a second, more detailed log line;
    other ``access`` values only produce the first.

    Args:
        clientid: MQTT client identifier.
        username: username presented at CONNECT.
        topic: topic being checked.
        access: ``mosquitto_auth.MOSQ_ACL_READ`` or ``MOSQ_ACL_WRITE``.

    Returns:
        True, always.
    """
    log = mosquitto_auth.log
    debug = mosquitto_auth.LOG_DEBUG
    log(debug, 'acl_check %r' % (mosquitto_auth.topic_matches_sub('/#', topic)))
    templates = {
        mosquitto_auth.MOSQ_ACL_READ:
            'acl_check READ (clientid: %s username: %s topic: %s access: %s)',
        mosquitto_auth.MOSQ_ACL_WRITE:
            'acl_check WRITE (clientid: %s username: %s topic: %s access: %s)',
    }
    template = templates.get(access)
    if template is not None:
        log(debug, template % (clientid, username, topic, access))
    return True
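def acl_check(clientid, username, topic, access):
    """Authorise ``topic`` for ``username`` against a pattern stored in Redis.

    The subscription pattern is read from field ``acl`` of the Redis hash
    ``mosq.<username>`` and compared with ``mosquitto_auth.topic_matches_sub``.
    ``access`` is not consulted: the same pattern governs reads and writes.

    Fail-closed: an anonymous connection (``username`` is None) and a user
    with no stored pattern are both denied. The original returned True for
    the latter, which granted unrestricted access to any authenticated user
    lacking an ACL entry; the parallel MySQL-backed variant denies that case.

    Args:
        clientid: MQTT client identifier (unused).
        username: username presented at CONNECT, or None when anonymous.
        topic: topic being checked.
        access: requested access kind (unused).

    Returns:
        True if the stored pattern matches ``topic``, else False.
    """
    import mosquitto_auth

    # Nothing to look up for an anonymous connection; also avoids a TypeError
    # on the string concatenation below.
    if username is None:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG, 'AUTH required')
        return False
    pat = redis_conn.hget('mosq.' + username, 'acl')
    if not pat:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG, 'ACL: no such user: %s' % username)
        # Deny by default: no ACL entry means no access.
        return False
    # redis returns bytes; decode once so the match and the log line agree.
    pat = pat.decode()
    matches = mosquitto_auth.topic_matches_sub(pat, topic)
    mosquitto_auth.log(
        mosquitto_auth.LOG_DEBUG,
        'ACL: user=%s topic=%s, pat=%s, matches=%s' % (username, topic, pat, matches))
    return matches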
def acl_check(client_id, username, topic, access, payload):
    """Trace an ACL request at debug level and permit it unconditionally.

    Always returns True, so this is a logging stub rather than a policy.
    READ, SUBSCRIBE and WRITE requests each get a detailed second log line
    that includes the payload (``%r``); broker debug logs produced by this
    hook should be treated as sensitive.

    Args:
        client_id: MQTT client identifier.
        username: username presented at CONNECT.
        topic: topic (or filter, for SUBSCRIBE) being checked.
        access: ``mosquitto_auth.MOSQ_ACL_READ`` / ``MOSQ_ACL_SUBSCRIBE`` /
            ``MOSQ_ACL_WRITE``; other values only produce the first line.
        payload: message payload for WRITE checks.

    Returns:
        True, always.
    """
    log = mosquitto_auth.log
    debug = mosquitto_auth.LOG_DEBUG
    log(debug, 'acl_check %r' % (mosquitto_auth.topic_matches_sub('/#', topic)))
    templates = {
        mosquitto_auth.MOSQ_ACL_READ:
            'acl_check READ (client_id: {} username: {} topic: {} access: {}, payload: {!r})',
        mosquitto_auth.MOSQ_ACL_SUBSCRIBE:
            'acl_check SUBSCRIBE (client_id: {} username: {} topic: {} access: {}, payload: {!r})',
        mosquitto_auth.MOSQ_ACL_WRITE:
            'acl_check WRITE (client_id: {} username: {} topic: {} access: {}, payload: {!r})',
    }
    template = templates.get(access)
    if template is not None:
        log(debug, template.format(client_id, username, topic, access, payload))
    return True
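def acl_check(clientid, username, topic, access):
    """Authorise ``topic`` for ``username`` against a pattern stored in MySQL.

    The pattern is the ``acl`` column of the ``users`` row whose ``username``
    matches; it is compared with ``mosquitto_auth.topic_matches_sub``.
    ``access`` is not consulted: the same pattern governs reads and writes.

    Fail-closed: anonymous connections, unknown users and users with an
    empty pattern are all denied.

    Args:
        clientid: MQTT client identifier (unused).
        username: username presented at CONNECT, or None when anonymous.
        topic: topic being checked.
        access: requested access kind (unused).

    Returns:
        True if the stored pattern matches ``topic``, else False.
    """
    import mosquitto_auth

    if username is None:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG, 'AUTH required')
        return False
    with mysql_conn.cursor() as cursor:
        # Parameterised query: username is client-supplied and must never be
        # interpolated into the SQL text.
        sql = "SELECT `acl` FROM `users` WHERE `username`=%s"
        cursor.execute(sql, (username, ))
        row = cursor.fetchone()
    # fetchone() yields None for an unknown user; indexing it directly raised
    # TypeError before the 'no such user' branch below could run.
    pat = row[0] if row else None
    if not pat:
        mosquitto_auth.log(mosquitto_auth.LOG_DEBUG, 'ACL: no such user: %s' % username)
        return False
    matches = mosquitto_auth.topic_matches_sub(pat, topic)
    mosquitto_auth.log(
        mosquitto_auth.LOG_DEBUG,
        'ACL: user=%s topic=%s, pat=%s, matches=%s' % (username, topic, pat, matches))
    return matches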
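def acl_check(clientid, username, topic, access):
    """Static topic ACL for the mesh broker.

    Grants a request only when one of the explicit rules below matches
    ``topic`` for the requested ``access`` kind; everything else, including
    unrecognised ``access`` values, is denied.

    ``username`` is spliced into several subscription filters
    (``mesh/+/user/<username>/...``). Since ``+`` and ``#`` are MQTT
    wildcards, a username containing either would turn a per-user filter
    into a multi-user one (``mesh/+/user/+/inbox`` matches every inbox),
    so such usernames are rejected up front. An anonymous connection
    (``username`` is None) is rejected as well; previously it raised
    TypeError on the concatenation.

    Args:
        clientid: MQTT client identifier (unused).
        username: username presented at CONNECT, or None when anonymous.
        topic: topic being checked.
        access: ``mosquitto_auth.MOSQ_ACL_READ`` or ``MOSQ_ACL_WRITE``.

    Returns:
        True if an explicit rule grants the request, else False.
    """
    # Deny anonymous connections and usernames that would inject MQTT
    # wildcards into the per-user filters below.
    if username is None or '+' in username or '#' in username:
        return False
    if access == mosquitto_auth.MOSQ_ACL_READ:
        if mosquitto_auth.topic_matches_sub('mesh/+/user/' + username + '/inbox', topic):
            # user reading their own inbox
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/+/user/+/profile', topic):
            # user reading another users profile
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/+/user/+/directory', topic):
            # user reading another users directory entry
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/+/user/+/key', topic):
            # user reading another users keyblock
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/+/user/+/items', topic):
            # user reading another users items
            return True
        elif mosquitto_auth.topic_matches_sub('$SYS/broker/clients/total', topic):
            # make the total number of users visible
            return True
        elif mosquitto_auth.topic_matches_sub('broker/*', topic):
            # users may read any broker broadcast messages
            # NOTE(review): '*' is not an MQTT wildcard, so this filter (and
            # the WRITE rule below) only matches the literal topic 'broker/*';
            # 'broker/#' may have been intended — confirm before widening,
            # since it changes who may read and publish broker broadcasts.
            return True
        elif mosquitto_auth.topic_matches_sub('peers', topic):
            # users may read any broker peer message
            return True
    elif access == mosquitto_auth.MOSQ_ACL_WRITE:
        if mosquitto_auth.topic_matches_sub('mesh/local/user/+/inbox', topic):
            # user sending a message (to any user's inbox, by design)
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/local/user/' + username + '/items', topic):
            # user updating their own items
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/local/user/' + username + '/profile', topic):
            # user updating their own profile
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/local/user/' + username + '/directory', topic):
            # user updating their own directory entry
            return True
        elif mosquitto_auth.topic_matches_sub('mesh/local/user/' + username + '/key', topic):
            # user updating their own keyblock
            return True
        elif mosquitto_auth.topic_matches_sub('broker/*', topic) and username == broker_key:
            # broker operator setting broadcast messages
            return True
        elif mosquitto_auth.topic_matches_sub('peers', topic) and username == broker_key:
            # broker operator can modify MQTT mesh peers
            return True
    # Default is to deny access unless an ACL above is explicitly matched
    return False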