ACL checks for a combination of files & jwt backend not working

[DeveloperMarius]

Hey,

when I use the files backend, everything works as expected.

time="2023-05-16T08:39:07Z" level=debug msg="user admin acl authenticated with backend Files"
time="2023-05-16T08:39:07Z" level=debug msg="Acl is true for user admin"

But when I enable the jwt backend using auth_opt_backends files, jwt it gives me:

time="2023-05-16T08:50:37Z" level=debug msg="checking user admin with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="user admin authenticated with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend JWT"
time="2023-05-16T08:50:38Z" level=debug msg="jwt parse error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=info msg="jwt local check acl error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=debug msg="Acl is false for user admin"
time="2023-05-16T08:50:38Z" level=error msg="token contains an invalid number of segments"

I think the ACL check for the files backend is somehow skipped and because the jwt backend fails, I receive an error.
Or because the jwt backend fails (admin is not a jwt token), the files ACL check is skipped.

mosquitto.conf:

max_connections 1000
allow_anonymous false


listener 8081
protocol websockets
cafile  ***
keyfile  ***
certfile  ***
tls_version tlsv1.2

listener 1884
protocol mqtt
cafile ***
keyfile  ***
certfile  ***
tls_version tlsv1.2

log_dest file ***/mosquitto.log


plugin /mosquitto/go-auth.so

auth_opt_hasher pbkdf2
auth_opt_backends files, jwt
auth_opt_disable_superuser true

auth_opt_files_password_path ***/password.txt
auth_opt_files_acl_path ***/auth_files.acl

auth_opt_jwt_mode local
auth_opt_jwt_db mysql
auth_opt_jwt_userfield Username
auth_opt_jwt_userquery ***
auth_opt_jwt_secret ***

auth_opt_jwt_mysql_host ***
auth_opt_jwt_mysql_port 3306
auth_opt_jwt_mysql_user ***
auth_opt_jwt_mysql_password ***
auth_opt_jwt_mysql_dbname ***

auth_opt_auth_cache_seconds 30
auth_opt_acl_cache_seconds 30
auth_opt_auth_jitter_seconds 3
auth_opt_acl_jitter_seconds 3

auth_opt_log_level debug
auth_opt_log_dest file
auth_opt_log_file ***

auth_files.acl:

user admin
topic read #
topic write #

Thank you for this project and I am looking forward to your feedback.

~ Marius

[iegomez]

This sounds like a bug I'll need to look into, the error should be simply skipped and the ACL check pass because of the files entry.
That said, if you need a quick workaround, you can disable ACL checks for your JWT backends by registering it to only check users, while your Files backend checks for ACLs: https://github.com/iegomez/mosquitto-go-auth#registering-checks

[iegomez]

@bilgeexuu1 I think you're commenting in the wrong issue.

[december1981]

I don't know if this is related, but I had an issue with using jwt with its own acl file.

Looking at jwt_files.go

func (o *filesJWTChecker) GetUser(token string) (bool, error) {
       return false, nil
}

To me this should say either

func (o *filesJWTChecker) GetUser(token string) (bool, error) {
	username, err := getUsernameForToken(o.options, token, o.options.skipACLExpiration)
	if err != nil {
		log.Printf("jwt get user error: %s", err)
		return false, err
	}

	_, ok := o.checker.Users()[username]
	return ok, nil
}

Or simply (to avoid getUsernameForToken twice (since CheckAcl does it, and this backend requires an acl to be defined in its NewFilesJWTChecker factory, unless I'm mistaken):

func (o *filesJWTChecker) GetUser(token string) (bool, error) {
       return true, nil
}

This works when I compile it with the latter change - it never authenticates otherwise because checkAuth will always return false from the call in backends.go

Unless I've missed a configuration I can set to avoid the user name password checks for this case (so that it just acl checks against the username claim in the encoded jwt), then I don't know.

Here is my config:

auth_opt_backends files, jwt
auth_opt_check_prefix true
auth_opt_strip_prefix false
auth_opt_prefixes files, jwt

auth_opt_jwt_mode files
auth_opt_jwt_alg HS256
auth_opt_jwt_acl_path /mosquitto/auth/jwt.acl
auth_opt_jwt_claim_username username
auth_opt_jwt_userfield Username

auth_opt_hasher = pbkdf2
auth_opt_hasher_salt_size 16
auth_opt_hasher_iterations 100000
auth_opt_hasher_keylen 64
auth_opt_hasher_algorithm sha512
auth_opt_hasher_salt_encoding base64

auth_opt_files_password_path /mosquitto/auth/passwords
auth_opt_files_acl_path /mosquitto/auth/files.acl

auth_opt_jwt_secret ***

[december1981]

To be clear, this is more about an issue with the jwt backend when it's in files mode, than with the files and the jwt backend combined, so maybe it belongs in a different issue.

[iegomez]

Yep, this is unrelated, so please open a different issue.
In fact, it's not implemented as mentioned in the README, the files option for JWT is right now only meant to be used for ACL checks, any user auth check needs to be done by some other backend.

[december1981]

Yep, this is unrelated, so please open a different issue. In fact, it's not implemented as mentioned in the README, the files option for JWT is right now only meant to be used for ACL checks, any user auth check needs to be done by some other backend.

I've added a pull request here in response to this issue
#339