123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893 |
- /*
- Copyright (c) 2020 Roger Light <roger@atchoo.org>
- All rights reserved. This program and the accompanying materials
- are made available under the terms of the Eclipse Public License 2.0
- and Eclipse Distribution License v1.0 which accompany this distribution.
- The Eclipse Public License is available at
- https://www.eclipse.org/legal/epl-2.0/
- and the Eclipse Distribution License is available at
- http://www.eclipse.org/org/documents/edl-v10.php.
- SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
- Contributors:
- Roger Light - initial implementation and documentation.
- */
- #include "config.h"
- #include <cjson/cJSON.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include "mosquitto_ctrl.h"
- #include "mosquitto.h"
- #include "password_mosq.h"
- #include "get_password.h"
- void dynsec__print_usage(void)
- {
- printf("\nDynamic Security module\n");
- printf("=======================\n");
- printf("\nInitialisation\n--------------\n");
- printf("Create a new configuration file with an admin user:\n");
- printf(" mosquitto_ctrl dynsec init <new-config-file> <admin-username> [admin-password]\n");
- printf("\nGeneral\n-------\n");
- printf("Get ACL default access: getDefaultACLAccess\n");
- printf("Set ACL default access: setDefaultACLAccess <acltype> allow|deny\n");
- printf("Get group for anonymous clients: getAnonymousGroup\n");
- printf("Set group for anonymous clients: setAnonymousGroup <groupname>\n");
- printf("\nClients\n-------\n");
- printf("Create a new client: createClient <username> [-c clientid] [-p password]\n");
- printf("Delete a client: deleteClient <username>\n");
- printf("Set a client password: setClientPassword <username> [password]\n");
- printf("Set a client id: setClientId <username> [clientid]\n");
- printf("Add a role to a client: addClientRole <username> <rolename> [priority]\n");
- printf(" Higher priority (larger numerical value) roles are evaluated first.\n");
- printf("Remove role from a client: removeClientRole <username> <rolename>\n");
- printf("Get client information: getClient <username>\n");
- printf("List all clients: listClients [count [offset]]\n");
- printf("Enable client: enableClient <username>\n");
- printf("Disable client: disableClient <username>\n");
- printf("\nGroups\n------\n");
- printf("Create a new group: createGroup <groupname>\n");
- printf("Delete a group: deleteGroup <groupname>\n");
- printf("Add a role to a group: addGroupRole <groupname> <rolename> [priority]\n");
- printf(" Higher priority (larger numerical value) roles are evaluated first.\n");
- printf("Remove role from a group: removeGroupRole <groupname> <rolename>\n");
- printf("Add client to a group: addGroupClient <groupname> <username> [priority]\n");
- printf(" Priority sets the group priority for the given client only.\n");
- printf(" Higher priority (larger numerical value) groups are evaluated first.\n");
- printf("Remove client from a group: removeGroupClient <groupname> <username>\n");
- printf("Get group information: getGroup <groupname>\n");
- printf("List all groups: listGroups [count [offset]]\n");
- printf("\nRoles\n------\n");
- printf("Create a new role: createRole <rolename>\n");
- printf("Delete a role: deleteRole <rolename>\n");
- printf("Add an ACL to a role: addRoleACL <rolename> <aclspec> [priority]\n");
- printf(" Higher priority (larger numerical value) ACLs are evaluated first.\n");
- printf("Remove ACL from a role: removeRoleACL <rolename> <aclspec>\n");
- printf("Get role information: getRole <rolename>\n");
- printf("List all roles: listRoles [count [offset]]\n");
- printf("\naclspec: <acltype> <topicFilter> allow|deny\n");
- printf("acltype: publishClientSend|publishClientReceive\n");
- printf(" |subscribeLiteral|subscribePattern\n");
- printf(" |unsubscribeLiteral|unsubscribePattern\n");
- printf("\nFor more information see:\n");
- printf(" https://mosquitto.org/documentation/dynamic-security/\n\n");
- }
- cJSON *cJSON_AddIntToObject(cJSON * const object, const char * const name, int number)
- {
- char buf[30];
- snprintf(buf, sizeof(buf), "%d", number);
- return cJSON_AddRawToObject(object, name, buf);
- }
- /* ################################################################
- * #
- * # Payload callback
- * #
- * ################################################################ */
- static void print_list(cJSON *j_response, const char *arrayname, const char *keyname)
- {
- cJSON *j_data, *j_array, *j_elem, *j_name;
- j_data = cJSON_GetObjectItem(j_response, "data");
- if(j_data == NULL){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- j_array = cJSON_GetObjectItem(j_data, arrayname);
- if(j_array == NULL || !cJSON_IsArray(j_array)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- cJSON_ArrayForEach(j_elem, j_array){
- if(cJSON_IsObject(j_elem)){
- j_name = cJSON_GetObjectItem(j_elem, keyname);
- if(j_name && cJSON_IsString(j_name)){
- printf("%s\n", j_name->valuestring);
- }
- }else if(cJSON_IsString(j_elem)){
- printf("%s\n", j_elem->valuestring);
- }
- }
- }
- static void print_roles(cJSON *j_roles, size_t slen)
- {
- bool first;
- cJSON *j_elem, *jtmp;
- if(j_roles && cJSON_IsArray(j_roles)){
- first = true;
- cJSON_ArrayForEach(j_elem, j_roles){
- jtmp = cJSON_GetObjectItem(j_elem, "rolename");
- if(jtmp && cJSON_IsString(jtmp)){
- if(first){
- first = false;
- printf("%-*s %s", (int)slen, "Roles:", jtmp->valuestring);
- }else{
- printf("%-*s %s", (int)slen, "", jtmp->valuestring);
- }
- jtmp = cJSON_GetObjectItem(j_elem, "priority");
- if(jtmp && cJSON_IsNumber(jtmp)){
- printf(" (priority: %d)", (int)jtmp->valuedouble);
- }else{
- printf(" (priority: -1)");
- }
- printf("\n");
- }
- }
- }else{
- printf("Roles:\n");
- }
- }
- static void print_client(cJSON *j_response)
- {
- cJSON *j_data, *j_client, *j_array, *j_elem, *jtmp;
- bool first;
- j_data = cJSON_GetObjectItem(j_response, "data");
- if(j_data == NULL || !cJSON_IsObject(j_data)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- j_client = cJSON_GetObjectItem(j_data, "client");
- if(j_client == NULL || !cJSON_IsObject(j_client)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- jtmp = cJSON_GetObjectItem(j_client, "username");
- if(jtmp == NULL || !cJSON_IsString(jtmp)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- printf("Username: %s\n", jtmp->valuestring);
- jtmp = cJSON_GetObjectItem(j_client, "clientid");
- if(jtmp && cJSON_IsString(jtmp)){
- printf("Clientid: %s\n", jtmp->valuestring);
- }else{
- printf("Clientid:\n");
- }
- jtmp = cJSON_GetObjectItem(j_client, "disabled");
- if(jtmp && cJSON_IsBool(jtmp)){
- printf("Disabled: %s\n", cJSON_IsTrue(jtmp)?"true":"false");
- }
- j_array = cJSON_GetObjectItem(j_client, "roles");
- print_roles(j_array, strlen("Username:"));
- j_array = cJSON_GetObjectItem(j_client, "groups");
- if(j_array && cJSON_IsArray(j_array)){
- first = true;
- cJSON_ArrayForEach(j_elem, j_array){
- jtmp = cJSON_GetObjectItem(j_elem, "groupname");
- if(jtmp && cJSON_IsString(jtmp)){
- if(first){
- printf("Groups: %s", jtmp->valuestring);
- first = false;
- }else{
- printf(" %s", jtmp->valuestring);
- }
- jtmp = cJSON_GetObjectItem(j_elem, "priority");
- if(jtmp && cJSON_IsNumber(jtmp)){
- printf(" (priority: %d)", (int)jtmp->valuedouble);
- }else{
- printf(" (priority: -1)");
- }
- printf("\n");
- }
- }
- }else{
- printf("Groups:\n");
- }
- }
- static void print_group(cJSON *j_response)
- {
- cJSON *j_data, *j_group, *j_array, *j_elem, *jtmp;
- bool first;
- j_data = cJSON_GetObjectItem(j_response, "data");
- if(j_data == NULL || !cJSON_IsObject(j_data)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- j_group = cJSON_GetObjectItem(j_data, "group");
- if(j_group == NULL || !cJSON_IsObject(j_group)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- jtmp = cJSON_GetObjectItem(j_group, "groupname");
- if(jtmp == NULL || !cJSON_IsString(jtmp)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- printf("Groupname: %s\n", jtmp->valuestring);
- j_array = cJSON_GetObjectItem(j_group, "roles");
- print_roles(j_array, strlen("Groupname:"));
- j_array = cJSON_GetObjectItem(j_group, "clients");
- if(j_array && cJSON_IsArray(j_array)){
- first = true;
- cJSON_ArrayForEach(j_elem, j_array){
- jtmp = cJSON_GetObjectItem(j_elem, "username");
- if(jtmp && cJSON_IsString(jtmp)){
- if(first){
- first = false;
- printf("Clients: %s\n", jtmp->valuestring);
- }else{
- printf(" %s\n", jtmp->valuestring);
- }
- }
- }
- }
- }
- static void print_role(cJSON *j_response)
- {
- cJSON *j_data, *j_role, *j_array, *j_elem, *jtmp;
- bool first;
- j_data = cJSON_GetObjectItem(j_response, "data");
- if(j_data == NULL || !cJSON_IsObject(j_data)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- j_role = cJSON_GetObjectItem(j_data, "role");
- if(j_role == NULL || !cJSON_IsObject(j_role)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- jtmp = cJSON_GetObjectItem(j_role, "rolename");
- if(jtmp == NULL || !cJSON_IsString(jtmp)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- printf("Rolename: %s\n", jtmp->valuestring);
- j_array = cJSON_GetObjectItem(j_role, "acls");
- if(j_array && cJSON_IsArray(j_array)){
- first = true;
- cJSON_ArrayForEach(j_elem, j_array){
- jtmp = cJSON_GetObjectItem(j_elem, "acltype");
- if(jtmp && cJSON_IsString(jtmp)){
- if(first){
- first = false;
- printf("ACLs: %-20s", jtmp->valuestring);
- }else{
- printf(" %-20s", jtmp->valuestring);
- }
- jtmp = cJSON_GetObjectItem(j_elem, "allow");
- if(jtmp && cJSON_IsBool(jtmp)){
- printf(" : %s", cJSON_IsTrue(jtmp)?"allow":"deny ");
- }
- jtmp = cJSON_GetObjectItem(j_elem, "topic");
- if(jtmp && cJSON_IsString(jtmp)){
- printf(" : %s", jtmp->valuestring);
- }
- jtmp = cJSON_GetObjectItem(j_elem, "priority");
- if(jtmp && cJSON_IsNumber(jtmp)){
- printf(" (priority: %d)", (int)jtmp->valuedouble);
- }else{
- printf(" (priority: -1)");
- }
- printf("\n");
- }
- }
- }
- }
- static void print_anonymous_group(cJSON *j_response)
- {
- cJSON *j_data, *j_group, *j_groupname;
- j_data = cJSON_GetObjectItem(j_response, "data");
- if(j_data == NULL || !cJSON_IsObject(j_data)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- j_group = cJSON_GetObjectItem(j_data, "group");
- if(j_group == NULL || !cJSON_IsObject(j_group)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- j_groupname = cJSON_GetObjectItem(j_group, "groupname");
- if(j_groupname == NULL || !cJSON_IsString(j_groupname)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- printf("%s\n", j_groupname->valuestring);
- }
- static void print_default_acl_access(cJSON *j_response)
- {
- cJSON *j_data, *j_acls, *j_acl, *j_acltype, *j_allow;
- j_data = cJSON_GetObjectItem(j_response, "data");
- if(j_data == NULL || !cJSON_IsObject(j_data)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- j_acls = cJSON_GetObjectItem(j_data, "acls");
- if(j_acls == NULL || !cJSON_IsArray(j_acls)){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- cJSON_ArrayForEach(j_acl, j_acls){
- j_acltype = cJSON_GetObjectItem(j_acl, "acltype");
- j_allow = cJSON_GetObjectItem(j_acl, "allow");
- if(j_acltype == NULL || !cJSON_IsString(j_acltype)
- || j_allow == NULL || !cJSON_IsBool(j_allow)
- ){
- fprintf(stderr, "Error: Invalid response from server.\n");
- return;
- }
- printf("%-20s : %s\n", j_acltype->valuestring, cJSON_IsTrue(j_allow)?"allow":"deny");
- }
- }
- static void dynsec__payload_callback(struct mosq_ctrl *ctrl, long payloadlen, const void *payload)
- {
- cJSON *tree, *j_responses, *j_response, *j_command, *j_error;
- UNUSED(ctrl);
- #if CJSON_VERSION_FULL < 1007013
- UNUSED(payloadlen);
- tree = cJSON_Parse(payload);
- #else
- tree = cJSON_ParseWithLength(payload, (size_t)payloadlen);
- #endif
- if(tree == NULL){
- fprintf(stderr, "Error: Payload not JSON.\n");
- return;
- }
- j_responses = cJSON_GetObjectItem(tree, "responses");
- if(j_responses == NULL || !cJSON_IsArray(j_responses)){
- fprintf(stderr, "Error: Payload missing data.\n");
- cJSON_Delete(tree);
- return;
- }
- j_response = cJSON_GetArrayItem(j_responses, 0);
- if(j_response == NULL){
- fprintf(stderr, "Error: Payload missing data.\n");
- cJSON_Delete(tree);
- return;
- }
- j_command = cJSON_GetObjectItem(j_response, "command");
- if(j_command == NULL){
- fprintf(stderr, "Error: Payload missing data.\n");
- cJSON_Delete(tree);
- return;
- }
- j_error = cJSON_GetObjectItem(j_response, "error");
- if(j_error){
- fprintf(stderr, "%s: Error: %s\n", j_command->valuestring, j_error->valuestring);
- }else{
- if(!strcasecmp(j_command->valuestring, "listClients")){
- print_list(j_response, "clients", "username");
- }else if(!strcasecmp(j_command->valuestring, "listGroups")){
- print_list(j_response, "groups", "groupname");
- }else if(!strcasecmp(j_command->valuestring, "listRoles")){
- print_list(j_response, "roles", "rolename");
- }else if(!strcasecmp(j_command->valuestring, "getClient")){
- print_client(j_response);
- }else if(!strcasecmp(j_command->valuestring, "getGroup")){
- print_group(j_response);
- }else if(!strcasecmp(j_command->valuestring, "getRole")){
- print_role(j_response);
- }else if(!strcasecmp(j_command->valuestring, "getDefaultACLAccess")){
- print_default_acl_access(j_response);
- }else if(!strcasecmp(j_command->valuestring, "getAnonymousGroup")){
- print_anonymous_group(j_response);
- }else{
- /* fprintf(stderr, "%s: Success\n", j_command->valuestring); */
- }
- }
- cJSON_Delete(tree);
- }
- /* ################################################################
- * #
- * # Default ACL access
- * #
- * ################################################################ */
- static int dynsec__set_default_acl_access(int argc, char *argv[], cJSON *j_command)
- {
- char *acltype, *access;
- bool b_access;
- cJSON *j_acls, *j_acl;
- if(argc == 2){
- acltype = argv[0];
- access = argv[1];
- }else{
- return MOSQ_ERR_INVAL;
- }
- if(strcasecmp(acltype, "publishClientSend")
- && strcasecmp(acltype, "publishClientReceive")
- && strcasecmp(acltype, "subscribe")
- && strcasecmp(acltype, "unsubscribe")){
- return MOSQ_ERR_INVAL;
- }
- if(!strcasecmp(access, "allow")){
- b_access = true;
- }else if(!strcasecmp(access, "deny")){
- b_access = false;
- }else{
- fprintf(stderr, "Error: access must be \"allow\" or \"deny\".\n");
- return MOSQ_ERR_INVAL;
- }
- if(cJSON_AddStringToObject(j_command, "command", "setDefaultACLAccess") == NULL
- || (j_acls = cJSON_AddArrayToObject(j_command, "acls")) == NULL
- ){
- return MOSQ_ERR_NOMEM;
- }
- j_acl = cJSON_CreateObject();
- if(j_acl == NULL){
- return MOSQ_ERR_NOMEM;
- }
- cJSON_AddItemToArray(j_acls, j_acl);
- if(cJSON_AddStringToObject(j_acl, "acltype", acltype) == NULL
- || cJSON_AddBoolToObject(j_acl, "allow", b_access) == NULL
- ){
- return MOSQ_ERR_NOMEM;
- }
- return MOSQ_ERR_SUCCESS;
- }
- static int dynsec__get_default_acl_access(int argc, char *argv[], cJSON *j_command)
- {
- UNUSED(argc);
- UNUSED(argv);
- if(cJSON_AddStringToObject(j_command, "command", "getDefaultACLAccess") == NULL
- ){
- return MOSQ_ERR_NOMEM;
- }
- return MOSQ_ERR_SUCCESS;
- }
- /* ################################################################
- * #
- * # Init
- * #
- * ################################################################ */
- static cJSON *init_add_acl_to_role(cJSON *j_acls, const char *type, const char *topic)
- {
- cJSON *j_acl;
- j_acl = cJSON_CreateObject();
- if(j_acl == NULL) return NULL;
- if(cJSON_AddStringToObject(j_acl, "acltype", type) == NULL
- || cJSON_AddStringToObject(j_acl, "topic", topic) == NULL
- || cJSON_AddBoolToObject(j_acl, "allow", true) == NULL
- ){
- cJSON_Delete(j_acl);
- return NULL;
- }
- cJSON_AddItemToArray(j_acls, j_acl);
- return j_acl;
- }
- static cJSON *init_add_role(const char *rolename)
- {
- cJSON *j_role, *j_acls;
- j_role = cJSON_CreateObject();
- if(j_role == NULL){
- return NULL;
- }
- if(cJSON_AddStringToObject(j_role, "rolename", rolename) == NULL){
- cJSON_Delete(j_role);
- return NULL;
- }
- j_acls = cJSON_CreateArray();
- if(j_acls == NULL){
- cJSON_Delete(j_role);
- return NULL;
- }
- cJSON_AddItemToObject(j_role, "acls", j_acls);
- if(init_add_acl_to_role(j_acls, "publishClientSend", "$CONTROL/dynamic-security/#") == NULL
- || init_add_acl_to_role(j_acls, "publishClientReceive", "$CONTROL/dynamic-security/#") == NULL
- || init_add_acl_to_role(j_acls, "subscribePattern", "$CONTROL/dynamic-security/#") == NULL
- || init_add_acl_to_role(j_acls, "publishClientReceive", "$SYS/#") == NULL
- || init_add_acl_to_role(j_acls, "subscribePattern", "$SYS/#") == NULL
- || init_add_acl_to_role(j_acls, "publishClientReceive", "#") == NULL
- || init_add_acl_to_role(j_acls, "subscribePattern", "#") == NULL
- || init_add_acl_to_role(j_acls, "unsubscribePattern", "#") == NULL
- ){
- cJSON_Delete(j_role);
- return NULL;
- }
- return j_role;
- }
- static cJSON *init_add_client(const char *username, const char *password, const char *rolename)
- {
- cJSON *j_client, *j_roles, *j_role;
- struct mosquitto_pw pw;
- char *salt64 = NULL, *hash64 = NULL;
- char buf[10];
- memset(&pw, 0, sizeof(pw));
- pw.hashtype = pw_sha512_pbkdf2;
- if(pw__hash(password, &pw, true, PW_DEFAULT_ITERATIONS) != 0){
- return NULL;
- }
- if(base64__encode(pw.salt, sizeof(pw.salt), &salt64)
- || base64__encode(pw.password_hash, sizeof(pw.password_hash), &hash64)
- ){
- fprintf(stderr, "dynsec init: Internal error while encoding password.\n");
- free(salt64);
- free(hash64);
- return NULL;
- }
- j_client = cJSON_CreateObject();
- if(j_client == NULL){
- free(salt64);
- free(hash64);
- return NULL;
- }
- snprintf(buf, sizeof(buf), "%d", PW_DEFAULT_ITERATIONS);
- if(cJSON_AddStringToObject(j_client, "username", username) == NULL
- || cJSON_AddStringToObject(j_client, "textName", "Dynsec admin user") == NULL
- || cJSON_AddStringToObject(j_client, "password", hash64) == NULL
- || cJSON_AddStringToObject(j_client, "salt", salt64) == NULL
- || cJSON_AddRawToObject(j_client, "iterations", buf) == NULL
- ){
- free(salt64);
- free(hash64);
- cJSON_Delete(j_client);
- return NULL;
- }
- free(salt64);
- free(hash64);
- j_roles = cJSON_CreateArray();
- if(j_roles == NULL){
- cJSON_Delete(j_client);
- return NULL;
- }
- cJSON_AddItemToObject(j_client, "roles", j_roles);
- j_role = cJSON_CreateObject();
- if(j_role == NULL){
- cJSON_Delete(j_client);
- return NULL;
- }
- cJSON_AddItemToArray(j_roles, j_role);
- if(cJSON_AddStringToObject(j_role, "rolename", rolename) == NULL){
- cJSON_Delete(j_client);
- return NULL;
- }
- return j_client;
- }
- static cJSON *init_create(const char *username, const char *password, const char *rolename)
- {
- cJSON *tree, *j_clients, *j_client, *j_roles, *j_role;
- cJSON *j_default_access;
- tree = cJSON_CreateObject();
- if(tree == NULL) return NULL;
- if((j_clients = cJSON_AddArrayToObject(tree, "clients")) == NULL
- || (j_roles = cJSON_AddArrayToObject(tree, "roles")) == NULL
- || (j_default_access = cJSON_AddObjectToObject(tree, "defaultACLAccess")) == NULL
- ){
- cJSON_Delete(tree);
- return NULL;
- }
- /* Set default behaviour:
- * * Client can not publish to the broker by default.
- * * Broker *CAN* publish to the client by default.
- * * Client con not subscribe to topics by default.
- * * Client *CAN* unsubscribe from topics by default.
- */
- if(cJSON_AddBoolToObject(j_default_access, "publishClientSend", false) == NULL
- || cJSON_AddBoolToObject(j_default_access, "publishClientReceive", true) == NULL
- || cJSON_AddBoolToObject(j_default_access, "subscribe", false) == NULL
- || cJSON_AddBoolToObject(j_default_access, "unsubscribe", true) == NULL
- ){
- cJSON_Delete(tree);
- return NULL;
- }
- j_client = init_add_client(username, password, rolename);
- if(j_client == NULL){
- cJSON_Delete(tree);
- return NULL;
- }
- cJSON_AddItemToArray(j_clients, j_client);
- j_role = init_add_role(rolename);
- if(j_role == NULL){
- cJSON_Delete(tree);
- return NULL;
- }
- cJSON_AddItemToArray(j_roles, j_role);
- return tree;
- }
- /* mosquitto_ctrl dynsec init <filename> <admin-user> <admin-password> [role-name] */
- static int dynsec_init(int argc, char *argv[])
- {
- char *filename;
- char *admin_user;
- char *admin_password;
- char *json_str;
- cJSON *tree;
- FILE *fptr;
- char prompt[200], verify_prompt[200];
- char password[200];
- int rc;
- if(argc < 2){
- fprintf(stderr, "dynsec init: Not enough arguments - filename, or admin-user missing.\n");
- return MOSQ_ERR_INVAL;
- }
- if(argc > 3){
- fprintf(stderr, "dynsec init: Too many arguments.\n");
- return MOSQ_ERR_INVAL;
- }
- filename = argv[0];
- admin_user = argv[1];
- if(argc == 3){
- admin_password = argv[2];
- }else{
- snprintf(prompt, sizeof(prompt), "New password for %s: ", admin_user);
- snprintf(verify_prompt, sizeof(verify_prompt), "Reenter password for %s: ", admin_user);
- rc = get_password(prompt, verify_prompt, false, password, sizeof(password));
- if(rc){
- mosquitto_lib_cleanup();
- return -1;
- }
- admin_password = password;
- }
- fptr = fopen(filename, "rb");
- if(fptr){
- fclose(fptr);
- fprintf(stderr, "dynsec init: '%s' already exists. Remove the file or use a different location..\n", filename);
- return -1;
- }
- tree = init_create(admin_user, admin_password, "admin");
- if(tree == NULL){
- fprintf(stderr, "dynsec init: Out of memory.\n");
- return MOSQ_ERR_NOMEM;
- }
- json_str = cJSON_Print(tree);
- cJSON_Delete(tree);
- fptr = fopen(filename, "wb");
- if(fptr){
- fprintf(fptr, "%s", json_str);
- free(json_str);
- fclose(fptr);
- }else{
- free(json_str);
- fprintf(stderr, "dynsec init: Unable to open '%s' for writing.\n", filename);
- return -1;
- }
- printf("The client '%s' has been created in the file '%s'.\n", admin_user, filename);
- printf("This client is configured to allow you to administer the dynamic security plugin only.\n");
- printf("It does not have access to publish messages to normal topics.\n");
- printf("You should create your application clients to do that, for example:\n");
- printf(" mosquitto_ctrl <connect options> dynsec createClient <username>\n");
- printf(" mosquitto_ctrl <connect options> dynsec createRole <rolename>\n");
- printf(" mosquitto_ctrl <connect options> dynsec addRoleACL <rolename> publishClientSend my/topic [priority]\n");
- printf(" mosquitto_ctrl <connect options> dynsec addClientRole <username> <rolename> [priority]\n");
- printf("See https://mosquitto.org/documentation/dynamic-security/ for details of all commands.\n");
- return -1; /* Suppress client connection */
- }
- /* ################################################################
- * #
- * # Main
- * #
- * ################################################################ */
- int dynsec__main(int argc, char *argv[], struct mosq_ctrl *ctrl)
- {
- int rc = -1;
- cJSON *j_tree;
- cJSON *j_commands, *j_command;
- if(!strcasecmp(argv[0], "help")){
- dynsec__print_usage();
- return -1;
- }else if(!strcasecmp(argv[0], "init")){
- return dynsec_init(argc-1, &argv[1]);
- }
- /* The remaining commands need a network connection and JSON command. */
- ctrl->payload_callback = dynsec__payload_callback;
- ctrl->request_topic = strdup("$CONTROL/dynamic-security/v1");
- ctrl->response_topic = strdup("$CONTROL/dynamic-security/v1/response");
- if(ctrl->request_topic == NULL || ctrl->response_topic == NULL){
- return MOSQ_ERR_NOMEM;
- }
- j_tree = cJSON_CreateObject();
- if(j_tree == NULL) return MOSQ_ERR_NOMEM;
- j_commands = cJSON_AddArrayToObject(j_tree, "commands");
- if(j_commands == NULL){
- cJSON_Delete(j_tree);
- j_tree = NULL;
- return MOSQ_ERR_NOMEM;
- }
- j_command = cJSON_CreateObject();
- if(j_command == NULL){
- cJSON_Delete(j_tree);
- j_tree = NULL;
- return MOSQ_ERR_NOMEM;
- }
- cJSON_AddItemToArray(j_commands, j_command);
- if(!strcasecmp(argv[0], "setDefaultACLAccess")){
- rc = dynsec__set_default_acl_access(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "getDefaultACLAccess")){
- rc = dynsec__get_default_acl_access(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "createClient")){
- rc = dynsec_client__create(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "deleteClient")){
- rc = dynsec_client__delete(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "getClient")){
- rc = dynsec_client__get(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "listClients")){
- rc = dynsec_client__list_all(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "setClientId")){
- rc = dynsec_client__set_id(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "setClientPassword")){
- rc = dynsec_client__set_password(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "addClientRole")){
- rc = dynsec_client__add_remove_role(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "removeClientRole")){
- rc = dynsec_client__add_remove_role(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "enableClient")){
- rc = dynsec_client__enable_disable(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "disableClient")){
- rc = dynsec_client__enable_disable(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "createGroup")){
- rc = dynsec_group__create(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "deleteGroup")){
- rc = dynsec_group__delete(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "getGroup")){
- rc = dynsec_group__get(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "listGroups")){
- rc = dynsec_group__list_all(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "addGroupRole")){
- rc = dynsec_group__add_remove_role(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "removeGroupRole")){
- rc = dynsec_group__add_remove_role(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "addGroupClient")){
- rc = dynsec_group__add_remove_client(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "removeGroupClient")){
- rc = dynsec_group__add_remove_client(argc-1, &argv[1], j_command, argv[0]);
- }else if(!strcasecmp(argv[0], "setAnonymousGroup")){
- rc = dynsec_group__set_anonymous(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "getAnonymousGroup")){
- rc = dynsec_group__get_anonymous(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "createRole")){
- rc = dynsec_role__create(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "deleteRole")){
- rc = dynsec_role__delete(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "getRole")){
- rc = dynsec_role__get(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "listRoles")){
- rc = dynsec_role__list_all(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "addRoleACL")){
- rc = dynsec_role__add_acl(argc-1, &argv[1], j_command);
- }else if(!strcasecmp(argv[0], "removeRoleACL")){
- rc = dynsec_role__remove_acl(argc-1, &argv[1], j_command);
- }else{
- fprintf(stderr, "Command '%s' not recognised.\n", argv[0]);
- return MOSQ_ERR_UNKNOWN;
- }
- if(rc == MOSQ_ERR_SUCCESS){
- ctrl->payload = cJSON_PrintUnformatted(j_tree);
- cJSON_Delete(j_tree);
- if(ctrl->payload == NULL){
- fprintf(stderr, "Error: Out of memory.\n");
- return MOSQ_ERR_NOMEM;
- }
- }
- return rc;
- }
|