diff --git a/plugins/Makefile b/plugins/Makefile
index 5e8745ac..f039b2c4 100644
--- a/plugins/Makefile
+++ b/plugins/Makefile
@@ -1,4 +1,5 @@
 DIRS= \
+ auth-by-ip \
 dynamic-security \
 message-timestamp \
 payload-modification
diff --git a/plugins/README.md b/plugins/README.md
index 3053eb90..e407d40e 100644
--- a/plugins/README.md
+++ b/plugins/README.md
@@ -18,3 +18,6 @@ This is an **example** plugin to demonstrate how it is possible to modify the pa
 If you are considering using this feature, you should be very certain you have verified the payload is the correct format before modifying it. This plugin adds the text string "hello " to the beginning of each payload, so with anything other than simple plain text messages it will corrupt the payload contents.
+
+## Authenticate by IP address
+This is an **example** plugin that demonstrates a basic authentication callback that allows clients based on their IP address. Password based authentication is preferred over this very simple type of access control.
diff --git a/plugins/auth-by-ip/CMakeLists.txt b/plugins/auth-by-ip/CMakeLists.txt
new file mode 100644
index 00000000..ce856715
--- /dev/null
+++ b/plugins/auth-by-ip/CMakeLists.txt
@@ -0,0 +1,11 @@
+include_directories(${mosquitto_SOURCE_DIR} ${mosquitto_SOURCE_DIR}/include
+ ${STDBOOL_H_PATH} ${STDINT_H_PATH})
+
+add_library(mosquitto_auth_by_ip SHARED mosquitto_auth_by_ip.c)
+set_target_properties(mosquitto_auth_by_ip PROPERTIES
+ POSITION_INDEPENDENT_CODE 1
+)
+set_target_properties(mosquitto_auth_by_ip PROPERTIES PREFIX "")
+
+# Don't install, these are example plugins only.
+#install(TARGETS mosquitto_auth_by_ip RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}")
diff --git a/plugins/auth-by-ip/Makefile b/plugins/auth-by-ip/Makefile
new file mode 100644
index 00000000..a0ffe6a6
--- /dev/null
+++ b/plugins/auth-by-ip/Makefile
@@ -0,0 +1,27 @@
+include ../../config.mk
+
+.PHONY : all binary check clean reallyclean test install uninstall
+
+PLUGIN_NAME=mosquitto_auth_by_ip
+
+all : binary
+
+binary : ${PLUGIN_NAME}.so
+
+${PLUGIN_NAME}.so : ${PLUGIN_NAME}.c
+ $(CROSS_COMPILE)$(CC) $(PLUGIN_CPPFLAGS) $(PLUGIN_CFLAGS) $(PLUGIN_LDFLAGS) -fPIC -shared $< -o $@
+
+reallyclean : clean
+clean:
+ -rm -f *.o ${PLUGIN_NAME}.so *.gcda *.gcno
+
+check: test
+test:
+
+install: ${PLUGIN_NAME}.so
+ # Don't install, these are examples only.
+ #$(INSTALL) -d "${DESTDIR}$(libdir)"
+ #$(INSTALL) ${STRIP_OPTS} ${PLUGIN_NAME}.so "${DESTDIR}${libdir}/${PLUGIN_NAME}.so"
+
+uninstall :
+ -rm -f "${DESTDIR}${libdir}/${PLUGIN_NAME}.so"
diff --git a/plugins/auth-by-ip/mosquitto_auth_by_ip.c b/plugins/auth-by-ip/mosquitto_auth_by_ip.c
new file mode 100644
index 00000000..6a6f6289
--- /dev/null
+++ b/plugins/auth-by-ip/mosquitto_auth_by_ip.c
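Review bot: In plugins/auth-by-ip/Makefile the `uninstall` target still runs `-rm -f "${DESTDIR}${libdir}/${PLUGIN_NAME}.so"` although `install` deliberately copies nothing (both `$(INSTALL)` lines are commented out), so the two targets are not symmetric. If an operator has placed a plugin of that name in `${libdir}` by hand, `make uninstall` would delete an authentication plugin this Makefile never installed. I would make `uninstall` a no-op carrying the same kind of comment, `# Don't uninstall, these are examples only.`, or comment out the `rm` line to match `install`. Whether the top-level Makefile recurses into `uninstall` for every entry in `DIRS` is not visible in this diff, so the reach of the target is assumed.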
@@ -0,0 +1,82 @@
+/*
+Copyright (c) 2021 Roger Light
+
+All rights reserved. This program and the accompanying materials
+are made available under the terms of the Eclipse Public License 2.0
+and Eclipse Distribution License v1.0 which accompany this distribution.
+
+The Eclipse Public License is available at
+ https://www.eclipse.org/legal/epl-2.0/
+and the Eclipse Distribution License is available at
+ http://www.eclipse.org/org/documents/edl-v10.php.
+
+SPDX-License-Identifier: EPL-2.0 OR EDL-1.0
+
+Contributors:
+ Roger Light - initial implementation and documentation.
+*/
+
+/*
+ * This is an example plugin showing how to use the basic authentication
+ * callback to allow/disallow client connections based on client IP addresses.
+ *
+ * This is an extremely basic type of access control, password based or similar
+ * authentication is preferred.
+ *
+ * Compile with:
+ * gcc -I -fPIC -shared mosquitto_auth_by_ip.c -o mosquitto_auth_by_ip.so
+ *
+ * Use in config with:
+ *
+ * plugin /path/to/mosquitto_auth_by_ip.so
+ *
+ * Note that this only works on Mosquitto 2.0 or later.
+ */
+
+
+#include
+#include
+
+#include "mosquitto_broker.h"
+#include "mosquitto_plugin.h"
+#include "mosquitto.h"
+#include "mqtt_protocol.h"
+
+static mosquitto_plugin_id_t *mosq_pid = NULL;
+
+static int basic_auth_callback(int event, void *event_data, void *userdata)
+{
+ struct mosquitto_evt_basic_auth *ed = event_data;
+ const char *ip_address;
+
+ ip_address = mosquitto_client_address(ed->client);
+ if(!strcmp(ip_address, "127.0.0.1")){
+ /* Only allow connections from localhost */
+ return MOSQ_ERR_SUCCESS;
+ }else{
+ return MOSQ_ERR_AUTH;
+ }
+}
+
+int mosquitto_plugin_version(int supported_version_count, const int *supported_versions)
+{
+ int i;
+
+ for(i=0; i