
mosquitto-go-auth's People

Contributors

abh, alessandroperetti, andreid, arctic-alpaca, coldfire84, dependabot[bot], gaetancollaud, hardillb, iegomez, intolerance, kfdm, knemay, lhns, loffa, lolhens, maab, manuelmaurer, mbv, mippersiel, mnezerka, nickufer, northernman54, pierref, runaway518, ssiegel, takeshinoda, testwill, tetofonta, thomastvedt, timotto


mosquitto-go-auth's Issues

Possible to use with docker?

Hi!

I'm trying to set this up with docker. This is my current config file:


FROM debian:jessie


# Build-time metadata as defined at http://label-schema.org
ARG BUILD_DATE
ARG VCS_REF
LABEL org.label-schema.build-date=$BUILD_DATE \
    org.label-schema.docker.dockerfile="/Dockerfile" \
    org.label-schema.license="BSD 3-Clause" \
    org.label-schema.name="docker-mosquitto" \
    org.label-schema.url="https://hub.docker.com/r/toke/mosquitto/" \
    org.label-schema.vcs-ref=$VCS_REF \
    org.label-schema.vcs-type="Git" \
    org.label-schema.vcs-url="https://github.com/toke/docker-mosquitto"

RUN apt-get update && apt-get install -y wget && \
    wget -q -O - https://repo.mosquitto.org/debian/mosquitto-repo.gpg.key | gpg --import && \
    gpg -a --export 8277CCB49EC5B595F2D2C71361611AE430993623 | apt-key add - && \
    wget -q -O /etc/apt/sources.list.d/mosquitto-jessie.list https://repo.mosquitto.org/debian/mosquitto-jessie.list && \
    apt-get update && apt-get install -y mosquitto mosquitto-clients && \
    adduser --system --disabled-password --disabled-login mosquitto


RUN \
  wget https://dl.google.com/go/go1.9.5.linux-amd64.tar.gz && \
  tar -C /usr/local -xzf go1.9.5.linux-amd64.tar.gz

ENV PATH $PATH:/usr/local/go/bin
ENV GOPATH /go

RUN mkdir /go

RUN apt-get install -y git && \
  apt-get install -y make && \
  apt-get install gcc -y

RUN mkdir -p $GOPATH/src/github.com/iegomez && \
  cd $GOPATH/src/github.com/iegomez/ && \
  git clone https://github.com/iegomez/mosquitto-go-auth.git && \
  cd mosquitto-go-auth && \
  make requirements && \
  make


RUN mkdir -p /mqtt/config /mqtt/data /mqtt/log
COPY config /mqtt/config
RUN chown -R mosquitto:mosquitto /mqtt
VOLUME ["/mqtt/config", "/mqtt/data", "/mqtt/log"]


EXPOSE 1883 9001

ADD docker-entrypoint.sh /usr/bin/

ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["/usr/sbin/mosquitto", "-c", "/mqtt/config/mosquitto.conf"]

When I try to build this I get this error:


Installing development tools
go build -buildmode=c-archive go-auth.go
go build -buildmode=c-shared -o go-auth.so
# github.com/iegomez/mosquitto-go-auth
auth-plugin.c:6:23: fatal error: mosquitto.h: No such file or directory
 #include <mosquitto.h>
                       ^
compilation terminated.

Is there any other way you could use this plugin with docker?

Cannot dynamically load executable

Hi folks,

I'm not sure if this is platform specific or I've done something dumb.
Environment details:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"

After a fresh compile of the latest release of the auth plug-in I'm getting an error.
The original Makefile had the following:
go build -buildmode=c-shared -o go-auth.so

but this results in an error:

flag needs an argument: -o
usage: build [-o output] [-i] [build flags] [packages]
Run 'go help build' for details.

If I move the -o parameter to the start of the line, it compiles cleanly but won't load, due to the following:

1532398762: mosquitto version 1.4.15 (build date 2018-07-24 13:34:50+1200) starting
1532398762: Config loaded from /etc/mosquitto/mosquitto.conf.
1532398762: Error: Unable to load auth plugin "/usr/local/lib/go-auth.so".
1532398762: Load error: /usr/local/lib/go-auth.so: cannot dynamically load executable

The libraries are all owned by the user mosquitto (but I don't think that's the problem here).

Can anyone help here?

Thanks
Vince.

Question - compatibility of PBKDF2 passwords between the jpmens plugin and this one

We used the jpmens/mosquitto-auth-plug mosquitto plugin with PBKDF2. Trying to switch the auth plugin to this one, we cannot authenticate users anymore, as passwords do not match.

As both plugins use PBKDF2 with the same string format, I thought passwords generated via the jpmens np tool or via the NodeJS module manolodd/mosquitto-pbkdf2 would work in your plugin too. Your commons/HashCompare function extracts all parts correctly but generates a different password hash; therefore authentication fails...

Can you explain what's different between your and jpmens' implementation/usage of PBKDF2, and suggest how to create a working password hash with NodeJS?

Thanks in advance,
Stefan Seide
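The report above is about two implementations that parse the same hash string yet derive different keys. The added Go example below (not code from either plugin) implements PBKDF2 from RFC 8018 over HMAC-SHA256, checks it against the published "password"/"salt" vectors, and then shows the one decision that silently changes the result: whether the salt field of the string is used as its literal characters or base64-decoded first. The string layout PBKDF2$<alg>$<iterations>$<salt>$<base64 key>, the names makeStored, verify, saltBytes and deriveHex, and the two encoding labels "utf-8" and "base64" are this example's own assumptions, not the plugins' configuration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
	"strconv"
	"strings"
)

// pbkdf2 derives keyLen bytes from password and salt as in RFC 8018 section 5.2,
// using HMAC over h as the pseudo-random function.
func pbkdf2(h func() hash.Hash, password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(h, password)
	var out []byte
	var idx [4]byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T = T xor U_i
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// saltBytes turns the salt field into bytes under one of two conventions:
// "utf-8" uses its characters as they stand, "base64" decodes them first.
func saltBytes(salt, encoding string) ([]byte, error) {
	switch encoding {
	case "utf-8":
		return []byte(salt), nil
	case "base64":
		return base64.StdEncoding.DecodeString(salt)
	}
	return nil, fmt.Errorf("unknown salt encoding %q", encoding)
}

// makeStored builds "PBKDF2$sha256$<iterations>$<salt>$<base64 key>" (the
// layout assumed in this example) with the salt read under saltEncoding.
func makeStored(password, salt, saltEncoding string, iter, keyLen int) (string, error) {
	sb, err := saltBytes(salt, saltEncoding)
	if err != nil {
		return "", err
	}
	key := pbkdf2(sha256.New, []byte(password), sb, iter, keyLen)
	return fmt.Sprintf("PBKDF2$sha256$%d$%s$%s", iter, salt, base64.StdEncoding.EncodeToString(key)), nil
}

// verify checks password against a stored string, reading its salt field under
// saltEncoding; the derived keys are compared in constant time.
func verify(stored, password, saltEncoding string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 5 || parts[0] != "PBKDF2" || parts[1] != "sha256" {
		return false, fmt.Errorf("not a supported PBKDF2 hash string")
	}
	iter, err := strconv.Atoi(parts[2])
	if err != nil || iter <= 0 {
		return false, fmt.Errorf("bad iteration count %q", parts[2])
	}
	key, err := base64.StdEncoding.DecodeString(parts[4])
	if err != nil {
		return false, fmt.Errorf("bad key encoding: %w", err)
	}
	salt, err := saltBytes(parts[3], saltEncoding)
	if err != nil {
		return false, err
	}
	return hmac.Equal(pbkdf2(sha256.New, []byte(password), salt, iter, len(key)), key), nil
}

// deriveHex exposes the raw derivation for checking against published vectors.
func deriveHex(password, salt string, iter, keyLen int) string {
	return hex.EncodeToString(pbkdf2(sha256.New, []byte(password), []byte(salt), iter, keyLen))
}

func main() {
	// Constructed values: the salt field "c2FsdA==" is the base64 form of "salt".
	stored, _ := makeStored("secret", "c2FsdA==", "base64", 1000, 32)
	asBase64, _ := verify(stored, "secret", "base64")
	asUTF8, _ := verify(stored, "secret", "utf-8")
	fmt.Println(stored)
	fmt.Println("salt decoded as base64:", asBase64, " salt taken as utf-8:", asUTF8)
}
```

The same stored string verifies under one salt convention and fails under the other, which is the symptom the report describes: every field is parsed "correctly", but the bytes fed into the PRF differ. Whichever tool generates the hash and whichever plugin checks it must agree on that convention, and hmac.Equal keeps the final comparison constant-time.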

Add option to supply authSource for auth_opt_mongo_username

With the jpmens plugin I was able to define a connection string that specified the authSource, as per https://docs.mongodb.com/manual/reference/connection-string/#components.

I don't think I'm able to do this with the existing plugin options, snipped from the readme:

auth_opt_mongo_host 
auth_opt_mongo_port 
auth_opt_mongo_dbname 
auth_opt_mongo_username 
auth_opt_mongo_password 
auth_opt_mongo_users 
auth_opt_mongo_acls 

These options assume that the auth_opt_mongo_username exists in the same db as the users we wish to authenticate via the plugin. The user the plugin connects with resides in my admin database, but the users I want the plugin to authenticate are in the users database; this difference results in the following log entries on my mongodb instance:

2020-01-14T21:38:13.153+0000 I  ACCESS   [conn228] Supported SASL mechanisms requested for unknown user '<admin>@users'
2020-01-14T21:38:13.154+0000 I  ACCESS   [conn228] SASL SCRAM-SHA-1 authentication failed for <admin> on users from client <ip address>:<port>; UserNotFound: Could not find user "<admin>" for db "users"

I tried defining username as <admin>@admin but the mongodb log entries persist, albeit with the database name appended to the username:

2020-01-14T21:43:27.163+0000 I  ACCESS   [conn518] Supported SASL mechanisms requested for unknown user '<admin>@admin@users'
2020-01-14T21:43:27.164+0000 I  ACCESS   [conn518] SASL SCRAM-SHA-1 authentication failed for <admin>@admin on users from client <ip>:<port>; UserNotFound: Could not find user "<admin>@admin" for db "users"
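The request above asks for exactly the component that decouples "the database holding the login credential" from "the database holding the MQTT users". The added Go example below (not the plugin's code) builds a connection string with that authSource component using only net/url, applies the documented fallback rule for where a client authenticates when authSource is absent, and shows that credentials containing '@', ':' or '*' survive the round trip because they are percent-escaped. The function names buildMongoURI, effectiveAuthSource and credentials, and the sample user, password and database names, are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// buildMongoURI assembles a MongoDB connection string. db is the database the
// plugin reads its users and ACLs from; authSource is the database holding the
// credential of the connecting user (empty means "not set"). url.URL
// percent-escapes the credentials, so '@', ':' or '*' in a password cannot
// corrupt the URI or be mistaken for a delimiter.
func buildMongoURI(user, pass, host string, port int, db, authSource string) string {
	u := url.URL{
		Scheme: "mongodb",
		User:   url.UserPassword(user, pass),
		Host:   fmt.Sprintf("%s:%d", host, port),
		Path:   "/" + db,
	}
	if authSource != "" {
		q := url.Values{}
		q.Set("authSource", authSource)
		u.RawQuery = q.Encode()
	}
	return u.String()
}

// effectiveAuthSource applies the rule from the MongoDB connection-string
// documentation: authenticate against authSource if given, otherwise against
// the database named in the path, otherwise against "admin".
func effectiveAuthSource(uri string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	if u.Scheme != "mongodb" && u.Scheme != "mongodb+srv" {
		return "", fmt.Errorf("not a MongoDB URI: scheme %q", u.Scheme)
	}
	if src := u.Query().Get("authSource"); src != "" {
		return src, nil
	}
	if db := strings.TrimPrefix(u.Path, "/"); db != "" {
		return db, nil
	}
	return "admin", nil
}

// credentials extracts the unescaped username and password back out of a URI,
// which is what a driver does before starting the SASL exchange.
func credentials(uri string) (user, pass string, err error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", "", err
	}
	if u.User == nil {
		return "", "", fmt.Errorf("no credentials in URI")
	}
	pass, _ = u.User.Password()
	return u.User.Username(), pass, nil
}

func main() {
	// Constructed values: the plugin's login user lives in "admin", the MQTT
	// users and ACLs live in "users".
	uri := buildMongoURI("mqttauth", "p@ss:w*rd", "localhost", 27017, "users", "admin")
	src, _ := effectiveAuthSource(uri)
	fmt.Println(uri)
	fmt.Println("authenticates against:", src)
}
```

Without the authSource component the same URI authenticates against "users", which is the "Could not find user ... for db users" situation in the log lines above; appending "@admin" to the username does not change that, because the username is opaque to the server.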

Connection error MongoDB Backend

Hi there

I’m getting this error:

time="2019-09-03T16:29:36Z" level=debug msg="checking auth cache for user1"
time="2019-09-03T16:29:36Z" level=debug msg="checking user user1 with backend Mongo"
time="2019-09-03T16:30:06Z" level=debug msg="Mongo get user error: server selection error: server selection timeout\ncurrent topology: Type: ReplicaSetNoPrimary\nServers:\nAddr: localhost:27017, Type: Unknown, State: Connected, Avergage RTT: 0, Last error: dial tcp 127.0.0.1:27017: connect: connection refused\n"

Even though my parameters are all correct, I've placed a debug statement in the source file mongo.go and got:

time="2019-09-03T16:29:35Z" level=debug msg="Host: ip-XXX-XX-XX-XXX.sa-east-1.compute.internal"
time="2019-09-03T16:29:35Z" level=debug msg="Port: 27017"
time="2019-09-03T16:29:35Z" level=debug msg="Username: mqtt"
time="2019-09-03T16:29:35Z" level=debug msg="Password: mqtt123*"
time="2019-09-03T16:29:35Z" level=debug msg="DBName: iotBackend"
time="2019-09-03T16:29:35Z" level=debug msg="UsersCollection: mqttusers"
time="2019-09-03T16:29:35Z" level=debug msg="AclsCollection: "

Maybe relevant information: my Mongo server isn't on localhost but on another VPS on the same network, and the firewall rules are tuned.

If I try connecting to the same database using the same credentials on the command line, I get no problems:

ubuntu@ip-XXX-XX-XX-XXX:~/mosquitto-go-auth$ mongo mongodb://mqtt:mqtt123*@ip-XXX-XX-XX-XXX.sa-east-1.compute.internal:27017/iotBackend
MongoDB shell version v3.6.3
connecting to: mongodb://ip-XXX-XX-XX-XXX.sa-east-1.compute.internal:27017/iotBackend
MongoDB server version: 4.0.11
WARNING: shell and server versions do not match
MongoDB Enterprise rs0:PRIMARY>
The collection mqttusers exists, but not the acl collection.

Why does the driver state the error on localhost:27017?

How to restrict the user for read-only(SUB) using mosquitto-go-auth with postgres DB?

I am trying to configure a postgres DB with mosquitto-go-auth.

auth_plugin /mosquitto/go-auth.so

auth_opt_log_level debug
auth_opt_backends postgres
auth_opt_check_prefix false


auth_opt_pg_host postgres
auth_opt_pg_port 5432
auth_opt_pg_dbname mqtt_auth
auth_opt_pg_user admin
auth_opt_pg_password password
auth_opt_pg_userquery select password_hash from test_user where username = $1 and is_admin = true limit 1
auth_opt_pg_aclquery select topic from test_acl where username = $1 AND (rw=$2 or rw=3)

With this configuration:

What's working:

  • A particular user can publish on a particular topic (which is mentioned in the DB column also); basically read-only is happening.
  • A particular user can publish on a particular topic and subscribe to that particular topic also; basically read-write is happening.

What's not working: I want to define a user which can only subscribe to a particular topic and can't publish to that topic; basically write-only.

 id | username | topic        | rw
----+----------+--------------+----
  1 | Jack     | test/user/#  |  2
  3 | jhon     | house/second |  3
  2 | Rock     | floor/temp   |  1

I want 'Rock' to only be able to subscribe to 'floor/temp'; it shouldn't have the right to publish. But with this configuration it is allowing Rock to publish. I don't want that to happen, so let me know what I am doing here.

MongoDB problem

mqtt_1           | 1559595124: New connection from 172.22.0.1 on port 1883.
mqtt_1           | time="2019-06-03T20:51:58Z" level=debug msg="checking user test with backend Mongo"
mqtt_1           | time="2019-06-03T20:51:58Z" level=debug msg="Mongo get user error: command find requires authentication"
mqtt_1           | 1559595245: Socket error on client <unknown>, disconnecting.

My mongo configuration:

  1. admin user with password pass
  2. full access to any database
  3. I generate password test for table users using pw -p test, user the same (test)
  4. connection info are the same in mongo and mosquitto config

Without the plugin everything works.

Segmentation fault on Alpine Linux (Musl)

Hi,

Unfortunately the plugin doesn't work on Alpine Linux: Mosquitto crashes because of a segfault.
From GDB, I've got this trace: #0 0x00007f3a34102660 in runtime.sysargs () from /usr/local/lib/go-auth.so

It seems that there is a bug with GO c-shared builds and Musl.

More information can be found in this issue:
golang/go#13492

Unfortunately, I have no idea if the problem can be solved directly on mosquitto-go-auth code or if GO has to be patched.

how to use?

Hi, could you please give us more introductions about this plugin? Right now I cannot run it exactly, and there are few documents to find.

Build fails

Hi, I am having trouble on a CentOS 7 system.

I have installed the following:

go
libwebsockets
libwebsockets-devel
c-ares
c-ares-devel
openssl
openssl-devel
uuid
uuid-devel
gcc-c++

I set the go path as export PATH=$PATH:/usr/local/go/bin as per the go instructions. I created the test go application and compiled/ran it ok.

I then git cloned this repository, changed to the directory and ran make.

Output is as follows:

[gjt211@vps1 mosquitto-go-auth]$ go build -buildmode=c-archive go-auth.go
go-auth.go:17:2: cannot find package "github.com/go-redis/redis" in any of:
	/usr/local/go/src/github.com/go-redis/redis (from $GOROOT)
	/home/gjt211/go/src/github.com/go-redis/redis (from $GOPATH)
go-auth.go:18:2: cannot find package "github.com/iegomez/mosquitto-go-auth/backends" in any of:
	/usr/local/go/src/github.com/iegomez/mosquitto-go-auth/backends (from $GOROOT)
	/home/gjt211/go/src/github.com/iegomez/mosquitto-go-auth/backends (from $GOPATH)
go-auth.go:11:2: cannot find package "github.com/sirupsen/logrus" in any of:
	/usr/local/go/src/github.com/sirupsen/logrus (from $GOROOT)
	/home/gjt211/go/src/github.com/sirupsen/logrus (from $GOPATH)

Error on plugin load: runtime.tlsg: initial-exec TLS resolves to dynamic definition

2019-05-29T16:26:23: mosquitto version 1.6.2 starting
2019-05-29T16:26:23: Config loaded from /mosquitto/mosquitto.conf.
2019-05-29T16:26:23: Loading plugin: /mosquitto/go-auth.so
2019-05-29T16:26:23: Error: Unable to load auth plugin "/mosquitto/go-auth.so".
2019-05-29T16:26:23: Load error: Error relocating /mosquitto/go-auth.so: runtime.tlsg: initial-exec TLS resolves to dynamic definition in /mosquitto/go-auth.so

Mosquitto is built from source in an Alpine Linux Docker container.

MySQL Read Only Not Working.

Hi,

I can get MySQL to have write-only with an 'rw' value of 2 and read-write with an 'rw' value of 3, but if I set it to 1, it doesn't work.

I tried writing my own query to save the '?' inputs and got $username on the first '?' as expected, and 2 for write and 4 for read on the second '?'.

Does anyone know what is wrong? Thanks
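Both the Postgres question earlier on this page (the rw table with Jack, jhon and Rock) and this MySQL one turn on the same two things: what the rw column means, and what the access value passed as the second query parameter means. The added Go example below, which is not code from the plugin, evaluates that decision table in memory so the expected answers can be checked without a database. Its assumptions: the encoding rw 1 = read, 2 = write, 3 = both is inferred from the Postgres table and the "rw=3" clause in that report's query; the access value 4 observed in this MySQL report is treated as the subscribe check and mapped to the read bit; the MQTT wildcard matching and all names (aclRow, topicMatches, allowed) are this example's own. The example goes beyond the page by handling '+' and '#' patterns rather than exact topics only.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission bits as used in the rw column of the table in the Postgres
// report: 1 = read, 2 = write, 3 = read and write. The access values the
// broker asks about use 1 for read and 2 for write; 4 is the subscribe check
// seen in the MySQL report, mapped here to the read bit (an assumption).
const (
	permRead     = 1
	permWrite    = 2
	accSubscribe = 4
)

type aclRow struct {
	username string
	topic    string
	rw       int
}

// sampleACL is constructed from the rows shown in the Postgres report.
var sampleACL = []aclRow{
	{"Jack", "test/user/#", 2},
	{"jhon", "house/second", 3},
	{"Rock", "floor/temp", 1},
}

// topicMatches reports whether topic falls under the ACL pattern, honouring
// the MQTT wildcards '+' (one level) and '#' (this level and everything below).
// A subscription filter that itself contains wildcards is compared literally.
func topicMatches(pattern, topic string) bool {
	p := strings.Split(pattern, "/")
	t := strings.Split(topic, "/")
	for i, seg := range p {
		if seg == "#" {
			return i == len(p)-1 // '#' is only valid as the last level
		}
		if i >= len(t) || (seg != "+" && seg != t[i]) {
			return false
		}
	}
	return len(p) == len(t)
}

// requiredBit translates the broker's access value into the rw bit that must
// be set; unknown values grant nothing.
func requiredBit(acc int) int {
	switch acc {
	case permRead, accSubscribe:
		return permRead
	case permWrite:
		return permWrite
	}
	return 0
}

// allowed is the decision an ACL query has to express: some row for this
// user covers the topic and carries the required bit.
func allowed(rows []aclRow, user, topic string, acc int) bool {
	need := requiredBit(acc)
	if need == 0 {
		return false
	}
	for _, r := range rows {
		if r.username == user && r.rw&need != 0 && topicMatches(r.topic, topic) {
			return true
		}
	}
	return false
}

func main() {
	for _, c := range []struct {
		user, topic string
		acc         int
	}{
		{"Rock", "floor/temp", permRead},
		{"Rock", "floor/temp", permWrite},
		{"Jack", "test/user/42", permWrite},
		{"jhon", "house/second", accSubscribe},
	} {
		fmt.Printf("%-5s acc=%d %-13s -> %v\n", c.user, c.acc, c.topic, allowed(sampleACL, c.user, c.topic, c.acc))
	}
}
```

Under this reading Rock's row (rw=1) grants read and subscribe on floor/temp and denies write, which is the outcome the Postgres report wants; if the broker still lets Rock publish, the place to look is whatever path bypasses the ACL query (a superuser match, a cached decision, or a second backend), not the rw value itself. Note that the bit test r.rw&need != 0 is what makes rw=3 satisfy both checks without listing it explicitly.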

Redis backend query options

Hi, thanks for your work!
I would like to ask about auth_opt_redis_userquery and auth_opt_redis_aclquery: why were these options removed?

Is there any way to customize the queries?

Thanks!

Build failed

Hello,
I am trying to build this package and I have zero knowledge of Go.
After installing golang and gogcc etc., this error appeared:

go build -buildmode=c-archive go-auth.go
go-auth.go:15:2: cannot find package "plugin" in any of:
	/usr/src/plugin (from $GOROOT)
	/home/ik/go/src/plugin (from $GOPATH)
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 1

What can I do to fix this problem?

thanks..

Error when running make requirements

When I try to install the plugin, I get an error when running the make requirements command.

[root@vmi150543 mosquitto-go-auth]# make requirements
dep ensure -v
/home/nrehwald/mosquitto/src/mosquitto-go-auth is not within a known GOPATH/src
make: *** [requirements] Error 1
[root@vmi150543 mosquitto-go-auth]# echo $GOPATH
/home/nrehwald/mosquitto
[root@vmi150543 mosquitto-go-auth]# pwd
/home/nrehwald/mosquitto/src/mosquitto-go-auth

To me it looks like all is fine: the files are located in $GOPATH/src/mosquitto-go-auth, so I don't quite understand the error message. The system is CentOS 7, versions are

golang-bin-1.11.5-1.el7.x86_64
mosquitto version 1.6.0 (Probably irrelevant at this point in time)
mosquitto-go-auth code checked out from GitHub just a few minutes ago

Thanks for any hint on what I'm doing wrong.

No release?

Hi,

Thanks for this promising plugin!

Unfortunately it seems that no release has been published yet.
Is it possible to publish one, so that new versions can be followed in the future, please?

Thanks :)

Wrong error codes in acl check

(auth-plugin.c lines 99 and 111)
When the acl check returns 500, the error code is MOSQ_ERR_ACL_DENIED. But it should be MOSQ_ERR_UNKNOWN.

In the C plugin, the error codes are correct.

Checksum error

I'm having the following problem:

go build -buildmode=c-archive go-auth.go
go: verifying github.com/go-stack/[email protected]/go.mod: checksum mismatch
downloaded: h1:G7mAYYxgmS0lVkHyy2hEOLQCFB0DlQFTMLWggykrydY=
go.sum: h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
make: *** [Makefile:2: all] Error 1

Any idea?

HTTP plugin open file leak

The mosquitto log shows "too many open files".

Then I tried counting the open files in /proc/PID/fd using this command: watch -n 0.5 "ls -l | wc -l"
and found that when the broker gets a new client connection, the number of open files increases by 3 (maybe from GetUser, GetSuperuser and CheckAcl), and when the client disconnects, it decreases by only 1.

When I change "return httpRequest..." to "return true", the problem is solved.

There may be a bug in the httpRequest function.
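The pattern described above, a descriptor count that grows per connection and only partly recovers, is what an HTTP client produces when a response body is never read or closed: the underlying connection is never handed back to the pool, so each call opens a new socket. The added Go example below (not the plugin's code) makes that visible without inspecting /proc: a transport that counts dials is driven once by a leaky check and once by a draining one against a local stand-in backend. The httptest server, its constructed JSON reply, the function names leakyCheck, drainingCheck and countDials, and the 64 KiB drain limit are this example's own choices.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// newCountingClient returns an http.Client whose Transport counts every new
// TCP connection it dials. Keep-alive stays at its default (enabled), so a
// connection whose response was drained and closed returns to the idle pool
// and is reused by the next request instead of triggering another dial.
func newCountingClient() (*http.Client, *int64) {
	var dials int64
	dialer := &net.Dialer{}
	tr := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			atomic.AddInt64(&dials, 1)
			return dialer.DialContext(ctx, network, addr)
		},
	}
	return &http.Client{Transport: tr}, &dials
}

// leakyCheck mirrors the failure mode in the report: it decides on the status
// code and returns without ever reading or closing resp.Body. The connection
// is never returned to the pool, so its socket stays open.
func leakyCheck(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK, nil
}

// drainingCheck is the corrected form: the body is always closed, and it is
// read to EOF first (with a bound) so the transport can reuse the connection.
func drainingCheck(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	// Bound the drain so a broken or hostile backend cannot keep us reading forever.
	if _, err := io.Copy(io.Discard, io.LimitReader(resp.Body, 64<<10)); err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK, nil
}

// countDials runs check n times sequentially against a local stand-in for the
// auth backend and reports how many connections were dialed.
func countDials(check func(*http.Client, string) (bool, error), n int) (int64, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"Ok":true}`) // constructed reply; not the plugin's real wire format
	}))
	defer srv.Close()

	c, dials := newCountingClient()
	for i := 0; i < n; i++ {
		ok, err := check(c, srv.URL)
		if err != nil || !ok {
			return 0, fmt.Errorf("request %d: ok=%v err=%v", i, ok, err)
		}
	}
	return atomic.LoadInt64(dials), nil
}

func main() {
	leaky, _ := countDials(leakyCheck, 10)
	fixed, _ := countDials(drainingCheck, 10)
	fmt.Printf("10 requests: leaky check dialed %d connections, draining check dialed %d\n", leaky, fixed)
}
```

The leaky variant dials once per request, which is the per-connection growth the report measured; the draining variant reuses a single connection for the whole sequence. The fix is always the same two lines: defer resp.Body.Close() immediately after a successful Get or Do, and read the body to EOF (bounded) before returning.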

Please help me brother (MongoDB issue) error: cannot decode string into an integer type

I followed everything from the readme and I have almost finished setting everything up, including the mosquitto build, the Go-Auth plugin build and all.

But when I linked the Mongo DB and tried to authenticate, I got an error, taken from the mosquitto log:

time="2019-07-18T13:24:49+05:30" level=info msg="Cleaning up plugin"
time="2019-07-18T13:24:50+05:30" level=info msg="Backend registered: Mongo"
time="2019-07-18T13:24:50+05:30" level=info msg="No cache set."
time="2019-07-18T13:24:52+05:30" level=debug msg="checking user (*username) with backend Mongo"
time="2019-07-18T13:24:52+05:30" level=debug msg="Mongo get user error: cannot decode string into an integer type"

Below are my settings in the config files.

default.conf

allow_anonymous false

mosquitto.conf

include_dir /etc/mosquitto/conf.d

In go-config.conf

auth_plugin /etc/mosquitto/go-auth.so
auth_opt_backends mongo

auth_opt_mongo_host localhost
auth_opt_mongo_port 27017
auth_opt_mongo_dbname go-auth
#auth_opt_mongo_username ""
#auth_opt_mongo_password ""
auth_opt_mongo_users users
auth_opt_mongo_acls acls

auth_opt_log_level debug
auth_opt_log_dest file
auth_opt_log_file /var/log/mosquitto/mosquitto.log

auth_opt_check_prefix false

Waiting. :)

Debian support

Hello, we're using go-auth as a replacement for the archived project mosquitto-auth-plugin. We strongly rely on Debian installation (and for mosquitto-go-auth there was the deb package), so I think one of the only missing features of this project is Debian support.
I forked your repository and I'm working on it. I'll submit a PR soon, but I'd be happier if somebody else can/wants to contribute. I found two issues in this process:

  1. The API changed from 1.4 to 1.5 and there is a need for accessory functions (e.g. mosquitto_client_id and mosquitto_client_username). It cannot compile because these functions are not exported in the mosquitto-dev Debian package. The only pragmatic solution I found is a patch to bypass those functions (for 1.5) and use internal structures. In this way it compiles and runs, but the requirement is to have the sources of the mosquitto package already patched and configured (e.g. apt-get source mosquitto), and the dependence on another source is not a canonical procedure (and I cannot find other solutions).
  2. I had to disable test cases because all tests are executed regardless of the absence or presence of an external database and of whether it was previously configured to pass the tests or not. So in an environment without mongodb and/or mysql and/or postgresql, part of the tests will always fail (and one has to wait a long time for the timeout).
  3. Not sure about the version number (to be agreed with you; in my tests I used 0.6.1-1), package maintainer, etc.

Question - clientid not sent to login ?

Hi, is there a specific motivation (maybe Mosquitto is enforcing it) behind the fact that the HTTP plugin passes the clientId as a parameter only when invoking the "acl" method? Why is the "login" method prevented from receiving the clientid?

Add new options

These are some possible enhancements I'm considering:

  1. Strict mode: allow to restrict authentication and acl to be done by the same backend. This means if user "my-user" is authed by Postgres, then only Postgres ACLs count for it.

  2. Same backend multiple times: allow to have different instances of the same type of backend. This means that I can have 2 Postgres instances that checks against 2 different DBs and with their own queries. It's an alternative to running multiple instances of mosquitto when multiple applications need to auth against it with same backend.

  3. Anonymous users: handle anonymous users gracefully instead of just rejecting them.

Mosquitto usage 99.7 CPU

Hi!,

I have a problem on my server (Debian GNU/Linux 10 (buster)): I put the plugin in the mosquitto configuration, and now it shows high CPU usage.

We have the plugin on another server and it is working, but the plugin-mosquitto connection has a delay of 10 seconds.

I do not know if the problem is with mosquitto or with our own servers.
I have described the problem and the configurations as follows:

[screenshot]

My mosquitto configuration is:

mosquitto.conf:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log

include_dir /etc/mosquitto/conf.d

/conf.d/mosquitto-go-auth:
auth_plugin /var/mosquitto-go-auth/go-auth.so
auth_opt_backends mongo
auth_opt_check_prefix false
allow_anonymous false

debug

auth_opt_log_level debug

#Mongo:
auth_opt_mongo_host localhost
auth_opt_mongo_port 21017
auth_opt_mongo_dbname mosquitto
auth_opt_mongo_username mosquitto

auth_opt_mongo_password mosquitto_auth
auth_opt_mongo_users users
auth_opt_mongo_acls acls

I use Mosquitto version 1.6.0 and protocol MQTT 3.1.1.

Thank you in advance for your attention.

How to uncheck the superusers

Hi all

Is there any option to uncheck usernames starting with the S character?

Usernames with this fnmatch(3) (a.k.a. glob(3)) pattern are exempt from the module's ACL checking:

auth_opt_superusers S*

thank you

Official docker image

Hello,

Would it be possible to have an official docker image published on dockerhub?

I will use what I found in #5 for now but it could be great to have an official image instead.

Best regards

auth error: sasl conversation error: unable to authenticate using mechanism \"SCRAM-SHA-1\": Authentication failed.

Hi,
I have an issue when I check the connection with mongoDB in mosquitto.

My configuration is described as follows:

mosquitto.conf:

pid_file /var/run/mosquitto.pid

persistence true
persistence_location /var/lib/mosquitto/

log_dest file /var/log/mosquitto/mosquitto.log
log_type all

include_dir /etc/mosquitto/conf.d

/etc/mosquitto/conf.d/mosquitto-go-auth.conf:

auth_plugin /var/mosquitto-go-auth/go-auth.so
auth_opt_backends mongo
auth_opt_check_prefix false
allow_anonymous false

*debug
auth_opt_log_level debug

*MongoDB:
auth_opt_mongo_host localhost
auth_opt_mongo_port 27017
auth_opt_mongo_dbname mosquitto
auth_opt_mongo_username mosquitto
auth_opt_mongo_password mosquitto_auth
auth_opt_mongo_users users
auth_opt_mongo_acls acls

I check it with:

mosquitto_pub -h localhost -p 1883 -u user -P 1234.pass -t 'test' -m 'hola'

Connection error: Connection Refused: not authorised.

journalctl -u mosquitto -f -n 50

abr 01 15:39:14 debian Mosquitto[420]: time="2020-04-01T15:39:14+02:00" level=debug msg="Mongo get user error: connection() : auth error: sasl conversation error: unable to authenticate using mechanism "SCRAM-SHA-1": Authentication failed

sudo tail -f mosquitto.log

1585748345: Config loaded from /etc/mosquitto/mosquitto.conf.
1585748345: Loading plugin: /var/mosquitto-go-auth/go-auth.so
1585748345: ├── Username/password checking enabled.
1585748345: ├── TLS-PSK checking enabled.
1585748345: └── Extended authentication not enabled.
1585748345: Opening ipv4 listen socket on port 1883.
1585748345: Error: Address already in use
1585748014: Sending CONNACK to ::1 (0, 5)
1585748014: Socket error on client , disconnecting.
1585748354: New connection from ::1 on port 1883.

Where is the problem?

Http Status Check in JWT backend

Hi,
I am using the JWT backend to authorize clients with OAuth2 tokens. The authorization backend is built with Spring. Actually, everything is running fine, but:

Is there any reason why the jwt backend is checking resp.Status for "200 OK"? Would it not be sufficient to check that resp.StatusCode equals 200?
Why am I asking this: for some reason, resp.Status in my case is always just "200" instead of "200 OK". So the backend fails to authorize a client, but the actual authorization is successful.
And in the logs, this error message appears: "Error code: 200"

This is the location where my authorization fails:
[screenshot]
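The question above is whether an authorization check should compare the status string or the status code. The added Go example below, not code from the plugin, feeds two constructed backend replies through the standard library's own response parser: one with the usual "200 OK" status line and one whose status line carries only "200", which is what the report observes. The names fragileOK, robustOK and parseRaw, the captured responses and the JSON body are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Two constructed backend replies. The second omits the reason phrase from the
// status line, which some servers do (and HTTP/2 carries no reason phrase at
// all); the body is the same 11-byte JSON document in both.
const (
	rawWithReason = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 11\r\n\r\n{\"Ok\":true}"
	rawBare       = "HTTP/1.1 200\r\nContent-Type: application/json\r\nContent-Length: 11\r\n\r\n{\"Ok\":true}"
)

// parseRaw turns a captured response into *http.Response with the standard
// library parser, the same code path an http.Client uses before handing the
// response to backend logic.
func parseRaw(raw string) (*http.Response, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	resp.Body.Close() // only the status line matters for this check
	return resp, nil
}

// fragileOK is the check the report describes: it compares the whole status
// string, so "200" without "OK" is treated as a failed authorization.
func fragileOK(resp *http.Response) bool {
	return resp.Status == "200 OK"
}

// robustOK compares the numeric code, which is what the protocol defines;
// the reason phrase is free text a server may shorten or omit.
func robustOK(resp *http.Response) bool {
	return resp.StatusCode == http.StatusOK
}

func main() {
	for name, raw := range map[string]string{"with reason phrase": rawWithReason, "bare status": rawBare} {
		resp, err := parseRaw(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%-18s Status=%q StatusCode=%d fragile=%v robust=%v\n",
			name, resp.Status, resp.StatusCode, fragileOK(resp), robustOK(resp))
	}
}
```

For the bare status line the parser yields Status "200" and StatusCode 200, so the string comparison rejects a reply the server meant as success while the numeric comparison accepts it. An authorization decision should also not stop at the code: the body's verdict field still has to be parsed, since a 200 with a negative payload is equally a denial.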

Documentation on how it works

I don't really understand how the plugin works.

When and how are the postgres queries executed? Let's say "select password_hash from "user" where username = $1 and is_active = true limit 1". Is this plugin purely for limiting users when subscribing to a topic via MQTT?

how to use plugin

Hi, could you please give us more introductions about this plugin? Right now I cannot run it exactly, and there are few documents to find.
I built it successfully and connected it to the mysql backend.
Now I have to build the password with pw and insert it into the database for it to work. How can I do this from my Java application to manage it automatically?

Restart needed for change in ACL

Hello,
This is more of a question than an issue.

I am using the files backend.
While adding new users and ACLs, does mosquitto need to be restarted on every new addition or change?

I tried changing ACLs, but they didn't get picked up until I restarted mosquitto.

Compiling on arm.

Hi,
I'm having problems compiling on an Odroid C2 running Ubuntu 18.04. I'm getting:
$go build -buildmode=c-shared -o go-auth.so

# github.com/iegomez/mosquitto-go-auth

/tmp/go-build779123523/b001/_x003.o: In function `mosquitto_auth_acl_check': auth-plugin.c:(.text+0x430): undefined reference to `mosquitto_client_id'
auth-plugin.c:(.text+0x43c): undefined reference to `mosquitto_client_username'
collect2: error: ld returned 1 exit status

This is with mosquitto version 1.6.4.

Here is my go env:
go env
GOARCH="arm"
GOBIN=""
GOCACHE="/home/odroid/.cache/go-build"
GOEXE=""
GOHOSTARCH="arm"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/odroid/go"
GORACE=""
GOROOT="/usr/lib/go-1.10"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.10/pkg/tool/linux_arm"
GCCGO="gccgo"
GOARM="6"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-I/usr/local/include -fPIC"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-shared"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -marm -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build292861759=/tmp/go-build -gno-record-gcc-switches"

Here is the mosquitto libs:
ls -al /usr/local/lib/
total 1572
drwxr-xr-x 5 root root 4096 Aug 17 05:19 .
drwxr-xr-x 10 root root 4096 Jul 13 2016 ..
-rwxr-xr-x 1 root root 1014964 Aug 17 05:19 libmosquitto.a
lrwxrwxrwx 1 root root 17 Aug 17 05:19 libmosquitto.so -> libmosquitto.so.1
-rwxr-xr-x 1 root root 520840 Aug 17 05:19 libmosquitto.so.1
-rwxr-xr-x 1 root root 20400 Aug 17 05:19 libmosquittopp.a
lrwxrwxrwx 1 root root 19 Aug 17 05:19 libmosquittopp.so -> libmosquittopp.so.1
-rwxr-xr-x 1 root root 27540 Aug 17 05:19 libmosquittopp.so.1

And the includes:
ls -al /usr/local/include/
total 152
drwxr-xr-x 2 root root 4096 Aug 17 05:19 .
drwxr-xr-x 10 root root 4096 Jul 13 2016 ..
-rwxr-xr-x 1 root root 116034 Aug 17 05:19 mosquitto.h
-rwxr-xr-x 1 root root 4382 Aug 17 05:19 mosquitto_broker.h
-rwxr-xr-x 1 root root 11617 Aug 17 05:19 mosquitto_plugin.h
-rwxr-xr-x 1 root root 5949 Aug 17 05:19 mosquittopp.h

$ldconfig -v | grep mosquitto
libmosquittopp.so.1 -> libmosquittopp.so.1
libmosquitto.so.1 -> libmosquitto.so.1

I built it on Fedora30 yesterday with no problems.
Any hints on why it can't find the shared libs would be most welcome.

Thanks for your help.

James

Build from source is not working - undefined: plErr/ipErr/gErr/bErr

Trying to build the current master (commit_id: d53b09a41d38209781645ed9b9a62838823ffde3), the process fails with a Go error.
Trying instead to build the commit associated with #52 (commit_id: 0e39a99963755636a20ce54b973d4892cad66248), it works.

The error is the following, it seems related to #53:

./go-auth.go:178:52: undefined: plErr
./go-auth.go:186:58: undefined: plErr
./go-auth.go:195:45: undefined: ipErr
./go-auth.go:205:61: undefined: gErr
./go-auth.go:273:98: undefined: bErr
./go-auth.go:281:98: undefined: bErr
./go-auth.go:289:98: undefined: bErr
./go-auth.go:297:98: undefined: bErr
./go-auth.go:305:98: undefined: bErr
./go-auth.go:313:98: undefined: bErr
./go-auth.go:313:98: too many errors
make: *** [Makefile:2: all] Error 2

git-ignore Gopkg.lock?

dep ensure (as executed by make requirements) autogenerates/updates Gopkg.lock.
This leads to an unclean checkout for basically every user of make requirements.
Maybe Gopkg.lock should be removed from the repository and added to .gitignore?

Cache in redis cluster

Hi!
I've made k8s deployment of mosquitto with auth plugin and redis cache. I'm using redis-cluster from bitnami: https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster

And I've got the following error:

1588272769: New connection from 10.244.0.130 on port 1883.
1588272769: Socket error on client <unknown>, disconnecting.
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 2996 10.244.0.129:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 15623 10.244.0.205:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 11261 10.244.0.205:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 14839 10.244.0.205:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 4048 10.244.0.129:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 795 10.244.0.129:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 11246 10.244.0.205:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 376 10.244.0.129:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 4978 10.244.0.129:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 2224 10.244.0.129:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 15146 10.244.0.205:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 3029 10.244.0.129:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 11178 10.244.0.205:6379"
time="2020-04-30T18:52:49Z" level=error msg="set acl cache: MOVED 2421 10.244.0.129:6379"

After search in the internet I have found this:
https://serverfault.com/questions/812156/redis-cluster-error-moved

So could you add support for redis cluster configuration?

Disconnect the client when subscribe is not authorized

Hello,
Amazing work on the plugin.
I am trying to test the setup with mosquitto and the plugin.
When I try to subscribe to a topic that a particular user is not authorized for, I get a SUBACK. Should the client not get disconnected, since the subscription is not authorized?

Details:
Mosquitto version 1.5.7

I have set up passwords and ACLs for 2 users.

user admin
topic readwrite #

user test
topic subscribe test/#

user test1
topic read test/#

User test and test1 are only allowed to subscribe and read from topic test/#.

However, when I subscribe user test to a separate topic, I get a SUBACK:

mosquitto_sub -u test -P test -d  -p 1883 -t admin 
Client mosqsub|81657 sending CONNECT
Client mosqsub|81657 received CONNACK (0)
Client mosqsub|81657 sending SUBSCRIBE (Mid: 1, Topic: admin, QoS: 0)
Client mosqsub|81657 received SUBACK
Subscribed (mid: 1): 128

In the system log, I do see that "Acl is false for user test"

I would like to disconnect the client for unauthorized topic if possible.

On a separate note, is it possible to move the log output out of the system logs into a separate log file?

Thanks a lot.

Superuser request for normal user

Hello

Thank you very much for making mosquitto go auth, I'm using the Remote JWT and everything works fine for all those requests that have JWT, especially the ones from the frontend. My problem comes from a couple of devices that connect to the same broker but use a normal user and password; they are able to connect without a problem, but the broker keeps sending requests to the backend to check if these users are superusers. Is there any way to avoid this? So if a user is in the passwords file, they are not checked against the superuser URI.

There is no easy way for me to check if a static user is valid or not from the backend.

Could you please advice?

One solution would be to give these devices a JWT as well, but since they are in remote locations I don't want to be changing them all the time, and if I make them last for years they will basically be a user with no password!

Thanks
Have a nice weekend
Pedro

Strange behavior with mysql backend

Hi, I encountered a strange behavior with mysql backend.

When the anonymous user tries to connect to the broker, anonymous user can successfully connect to the broker but anonymous user can't publish or subscribe any messages.

Is this a normal behavior or a bug?

Thank you

build always failed on "go-auth.h" No-Such File

Hi Ignacio,

First, thanks for the new plugin. I have been using JPMens' auth plugin for a while now, however that doesn't seem to work with newer versions of mosquitto.

You'll have to forgive me now, because I am neither a Linux nor a Go developer. Because of project constraints I don't have time to sit down and really learn both, so hopefully you can help me out.

I am running on Amazon Linux 2 AMI centos image.

I have installed mosquitto.1.6.7 and created a service which is running (currently using pwfile for testing).

I installed go, here is the go-env output:

ec2-user@ip-172-27-0-231:~$ go version
go version go1.13.1 linux/amd64
ec2-user@ip-172-27-0-231:~$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/ec2-user/.cache/go-build"
GOENV="/home/ec2-user/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/ec2-user/mqtt167/mosquitto-go-auth"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-I/usr/local/include -fPIC"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-shared"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build003155464=/tmp/go-build -gno-record-gcc-switches"

installed your plugin via github
git clone https://github.com/iegomez/mosquitto-go-auth.git

cd mosquitto-go-auth
make

I get the following error

go build -buildmode=c-archive go-auth.go
$GOPATH/go.mod exists but should not
make: *** [all] Error 1

I tried different workarounds no luck.
################################################################
Next i uninstalled the plugin folder and ran the following command

go get https://github.com/iegomez/mosquitto-go-auth

which produced the following error:

auth-plugin.c:11:10: fatal error: go-auth.h: No such file or directory
#include "go-auth.h"
^~~~~~~~~~~
compilation terminated.

As you can probably tell, I am just swinging and missing at this stage, so any help would be greatly appreciated.

Thank you.

How to generate PBKDF2 password ?

Hi,
I want to deploy mosquitto-go-auth in docker.

version: "3"

services:
  mosquitto:
    image: iegomez/mosquitto-go-auth:0.5.0
    volumes:
      - ./conf:/etc/mosquitto
    ports:
      - 1883:1883

Once the container is spun up, doing docker exec -it <container_name> /bin/bash and trying to execute '/opt/mosquitto-auth-plug/n' to generate the password, I get an error saying 'no such file/directory'. Can't identify what I am doing wrong here?

Issue with ACL on MySQL

I have set up mosquitto-go-auth with mosquitto 1.6.0 and user checks are successful, however I have issues with the ACL checks. I took my knowledge from the Postgres part of the documentation and just transferred it to MySQL queries:

and a single '$2' is
replaced with the integer value 1 signifying a read-only access attempt
(SUB) or 2 signifying a read-write access attempt (PUB).

(See https://github.com/iegomez/mosquitto-go-auth#postgresql )

Now I have a Table with 3 different Topics:

MariaDB [mosquitto]> select * from acl;
+----+------+-------------+----+
| id | user | topic       | rw |
+----+------+-------------+----+
|  1 |    2 | test/1/test |  2 |
|  2 |    2 | test/2/test |  1 |
|  3 |    2 | test/3/test |  3 |
+----+------+-------------+----+
3 rows in set (0.00 sec)

Now if I want to publish to topic "test/2/test", I get ACL deny which is correct.
If I want to publish to the other 2 topics, I get ACL allow which is also correct.
If I want to publish to any topic that is not existent, I get ACL deny which is what I expected.

Now my Issue is with subscribing.
If I want to subscribe to "test/3/test" I get ACL allow which is fine.
If I want to subscribe to the other 2 topics I get ACL deny, which is not what I expected.

My Query looks like this:
SELECT topic FROM acl INNER JOIN account ON account.id=acl.user WHERE (username = ?) AND (rw = ? OR rw=3)

Usually this should allow a user to subscribe to topics where the query returns 1 or 3 and publish to a topic where the query returns 2 or 3. The second seems to work, but for subscribe there seems to be some issue I don't understand.

In a different issue I read about MOSQ_ACL_SUBSCRIBE but don't see how that would be related?

Best Regards,
Nils
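The decision the query above encodes (rw = 1 read, 2 write, 3 both) can be checked outside the database, which makes it easier to see which access level the broker actually hands the plugin for each operation. The following Go example is added here and is not the plugin's own code: it evaluates ACL rows against a request using the access values mosquitto defines in mosquitto.h (MOSQ_ACL_READ = 1, MOSQ_ACL_WRITE = 2, MOSQ_ACL_SUBSCRIBE = 4), treats a subscribe check like a read check (a choice made for this example), and matches ACL topics with the MQTT + and # wildcards, which goes beyond the exact topics in the table. The user name "nils" and the rows are constructed to mirror the table in the post.

```go
package main

import (
	"fmt"
	"strings"
)

// Access levels as mosquitto passes them to an auth plugin's ACL check
// (MOSQ_ACL_READ, MOSQ_ACL_WRITE, MOSQ_ACL_SUBSCRIBE in mosquitto.h).
const (
	AclRead      = 1
	AclWrite     = 2
	AclSubscribe = 4
)

// AclRow mirrors one row of the acl table in the post, with the user id
// replaced by the joined username. rw: 1 = read, 2 = write, 3 = both.
type AclRow struct {
	User  string
	Topic string
	RW    int
}

// requiredRW maps the broker's access level to the rw bit a matching row
// must carry. Treating a subscribe check like a read check is an assumption
// of this example. Unknown levels are rejected so they never reach a query.
func requiredRW(acc int) (int, bool) {
	switch acc {
	case AclRead, AclSubscribe:
		return 1, true
	case AclWrite:
		return 2, true
	}
	return 0, false
}

// TopicMatches reports whether topic matches an ACL pattern that may use
// the MQTT single-level (+) and multi-level (#) wildcards.
func TopicMatches(pattern, topic string) bool {
	p := strings.Split(pattern, "/")
	t := strings.Split(topic, "/")
	for i := range p {
		if p[i] == "#" {
			return i == len(p)-1 // '#' is only valid as the last level
		}
		if i >= len(t) {
			return false
		}
		if p[i] != "+" && p[i] != t[i] {
			return false
		}
	}
	return len(p) == len(t)
}

// CheckAcl returns true when at least one row for user grants the requested
// access on topic; everything else, including unknown levels, is denied.
func CheckAcl(rows []AclRow, user, topic string, acc int) bool {
	need, ok := requiredRW(acc)
	if !ok {
		return false
	}
	for _, r := range rows {
		if r.User != user || r.RW&need == 0 {
			continue
		}
		if TopicMatches(r.Topic, topic) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed rows mirroring the table in the post (user id 2 -> "nils").
	rows := []AclRow{
		{"nils", "test/1/test", 2},
		{"nils", "test/2/test", 1},
		{"nils", "test/3/test", 3},
	}
	checks := []struct {
		topic string
		acc   int
	}{
		{"test/2/test", AclWrite},     // read-only topic: denied
		{"test/1/test", AclWrite},     // write topic: allowed
		{"test/2/test", AclSubscribe}, // subscribe on read topic: allowed
		{"test/9/test", AclRead},      // no row: denied
	}
	for _, c := range checks {
		fmt.Printf("%-12s acc=%d -> %v\n", c.topic, c.acc, CheckAcl(rows, "nils", c.topic, c.acc))
	}
}
```

Running the same rows through a check that passes the raw access level straight into a rw = ? comparison shows why a subscribe request (level 4) can never match a row whose rw is 1, 2 or 3; mapping the level to a rw bit first, as requiredRW does, keeps the table semantics the post describes.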

mosquitto-go-auth crash (and mosquitto crashes followed suit) for unexpected hash format

After a test with incomplete password hashes in the db, the mosquitto service crashed with SIGABRT.
In the logs:

gen 31 12:55:39 jdev6 mosquitto[27775]: panic: runtime error: index out of range
gen 31 12:55:39 jdev6 mosquitto[27775]: goroutine 17 [running, locked to thread]:
gen 31 12:55:39 jdev6 mosquitto[27775]: github.com/iegomez/mosquitto-go-auth/common.HashCompare(0x55a41daccea0, 0x5, 0xc000124500, 0x38, 0x46)
gen 31 12:55:39 jdev6 mosquitto[27775]:         /home/andrea/mosquitto-go-auth-0.6.1/common/utils.go:134 +0x17c
gen 31 12:55:39 jdev6 mosquitto[27775]: github.com/iegomez/mosquitto-go-auth/backends.Postgres.GetUser(0xc00012d560, 0x55a41dac3e90, 0x9, 0x55a41dac3f80, 0x4, 0x55a41dac4010, 0x7, 0x55a41dac40b0, 0x7, 0x55a41dac4160, ...)
gen 31 12:55:39 jdev6 mosquitto[27775]:         /home/andrea/mosquitto-go-auth-0.6.1/backends/postgres.go:164 +0x1c5
gen 31 12:55:39 jdev6 mosquitto[27775]: main.CheckBackendsAuth(0x55a41dacc720, 0x5, 0x55a41daccea0, 0x5, 0x7f1369251c20)
gen 31 12:55:39 jdev6 mosquitto[27775]:         /home/andrea/mosquitto-go-auth-0.6.1/go-auth.go:672 +0x20c
gen 31 12:55:39 jdev6 mosquitto[27775]: main.AuthUnpwdCheck(0x55a41dacc720, 0x5, 0x55a41daccea0, 0x5, 0x38)
gen 31 12:55:39 jdev6 mosquitto[27775]:         /home/andrea/mosquitto-go-auth-0.6.1/go-auth.go:494 +0x462
gen 31 12:55:39 jdev6 mosquitto[27775]: main._cgoexpwrap_ebd210e0adf1_AuthUnpwdCheck(0x55a41dacc720, 0x5, 0x55a41daccea0, 0x5, 0x2525252525252525)
gen 31 12:55:39 jdev6 mosquitto[27775]:         _cgo_gotypes.go:59 +0x4b
gen 31 12:55:39 jdev6 systemd[1]: mosquitto.service: Main process exited, code=killed, status=6/ABRT
gen 31 12:55:39 jdev6 systemd[1]: mosquitto.service: Failed with result 'signal'.

So I realized that passwordHash in HashCompare() is not validated. This issue can simply be solved by checking the length of the resulting slice after the Split:

func HashCompare(password string, passwordHash string) bool {
	hashSplit := strings.Split(passwordHash, "$")
	// reject hashes that do not have all five '$'-separated fields
	if len(hashSplit) < 5 {
		return false
	}
