nixos/mosquitto: restore passwordless system feature

during the rewrite the checkPasswords=false feature of the old module was lost. restore it, and with it systems that allow any client to use any username.
3 years ago · d09952fea8
parent 81175b442f
commit d09952fea8
2 changed files with 33 additions and 2 deletions
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@ -264,6 +264,15 @@ let
        default = {};
      };

+      omitPasswordAuth = mkOption {
+        type = bool;
+        description = ''
+          Omits password checking, allowing anyone to log in with any user name unless
+          other mandatory authentication methods (eg TLS client certificates) are configured.
+        '';
+        default = false;
+      };
+
      acl = mkOption {
        type = listOf str;
        description = ''
@ -294,9 +303,9 @@ let
  formatListener = idx: listener:
    [
      "listener ${toString listener.port} ${toString listener.address}"
-      "password_file ${cfg.dataDir}/passwd-${toString idx}"
      "acl_file ${makeACLFile idx listener.users listener.acl}"
    ]
+    ++ optional (! listener.omitPasswordAuth) "password_file ${cfg.dataDir}/passwd-${toString idx}"
    ++ formatFreeform {} listener.settings
    ++ concatMap formatAuthPlugin listener.authPlugins;

--- a/nixos/tests/mosquitto.nix
+++ b/nixos/tests/mosquitto.nix
@ -3,6 +3,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
 let
  port = 1888;
  tlsPort = 1889;
+  anonPort = 1890;
  password = "VERY_secret";
  hashedPassword = "$7$101$/WJc4Mp+I+uYE9sR$o7z9rD1EYXHPwEP5GqQj6A7k4W1yVbePlb8TqNcuOLV9WNCiDgwHOB0JHC1WCtdkssqTBduBNUnUGd6kmZvDSw==";
  topic = "test/foo";
@ -63,7 +64,7 @@ in {
    };
  in {
    server = { pkgs, ... }: {
-      networking.firewall.allowedTCPPorts = [ port tlsPort ];
+      networking.firewall.allowedTCPPorts = [ port tlsPort anonPort ];
      services.mosquitto = {
        enable = true;
        settings = {
@ -112,6 +113,18 @@ in {
              use_identity_as_username = true;
            };
          }
+          {
+            port = anonPort;
+            omitPasswordAuth = true;
+            settings.allow_anonymous = true;
+            acl = [ "pattern read #" ];
+            users = {
+              anonWriter = {
+                password = "<ignored>" + password;
+                acl = [ "write ${topic}" ];
+              };
+            };
+          }
        ];
      };
    };
@ -182,5 +195,14 @@ in {
                topic="$SYS/#",
                port=${toString tlsPort},
                user="no_such_user"))
+
+    with subtest("check omitPasswordAuth"):
+        parallel(
+            lambda: client1.succeed(subscribe("-i fd56032c-d9cb-4813-a3b4-6be0e04c8fc3",
+                "anonReader", port=${toString anonPort})),
+            lambda: [
+                server.wait_for_console_text("fd56032c-d9cb-4813-a3b4-6be0e04c8fc3"),
+                client2.succeed(publish("-m test", "anonWriter", port=${toString anonPort}))
+            ])
  '';
 })