From bc13eab9d6d293ec5f05a859b578749d18364bc5 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Thu, 8 Mar 2018 22:03:25 +0000 Subject: [PATCH] Add per_listener_settings, which isn't used yet. --- ChangeLog.txt | 2 ++ man/mosquitto.conf.5.xml | 28 +++++++++++++++++++++++++--- mosquitto.conf | 12 ++++++++++++ src/conf.c | 3 +++ src/mosquitto_broker_internal.h | 1 + 5 files changed, 43 insertions(+), 3 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index 05110cfc..3cb79d0d 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -2,6 +2,8 @@ ============== Broker: +- Add per_listener_settings to allow authentication and access control to be + per listener. - Fix UNSUBSCRIBE with no topic is accepted on MQTT 3.1.1. Closes #665. - Add ability to deny access to SUBSCRIBE messages as well as the current read/write accesses. Currently for auth plugins only. diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml index 36c829b1..f8673198 100644 --- a/man/mosquitto.conf.5.xml +++ b/man/mosquitto.conf.5.xml @@ -51,7 +51,9 @@ protocol. Use the password_file option to define the valid usernames and passwords. Be sure to use network encryption if you are using this option otherwise the username and password will be - vulnerable to interception. + vulnerable to interception. Use the + to control whether passwords + are required globally or on a per-listener basis. When using certificate based encryption there are three options that affect authentication. The first is require_certificate, which may be set to true or false. If false, the SSL/TLS component of the 
@@ -79,7 +81,8 @@ If use_identity_as_username is false, the client may still authenticate using the MQTT username/password if using the password_file option. - Both certificate and PSK based encryption are configured on a per-listener basis. + Both certificate and PSK based encryption are configured on a + per-listener basis. Authentication plugins can be created to augment the password_file, acl_file and psk_file options with e.g. SQL based lookups. @@ -470,7 +473,26 @@ affected. See also mosquitto_passwd1. - + + + + [ true | false ] + + If true, then + authentication and access control settings will be + controlled on a per-listener basis. The following + options are affected: + , + , , + , + . + The default behaviour is for this to be set to + false, which maintains the + settings behaviour from previous versions of + mosquitto. + Reloaded on reload signal. + + [ true | false ] diff --git a/mosquitto.conf b/mosquitto.conf index b383c0a9..a71e5519 100644 --- a/mosquitto.conf +++ b/mosquitto.conf @@ -136,6 +136,18 @@ # of packets being sent. #set_tcp_nodelay false +# Use per listener security settings. +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# password_file acl_file psk_file auth_plugin auth_opt_* +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + # ================================================================= # Default listener # ================================================================= diff --git a/src/conf.c b/src/conf.c index 44207d43..53ea4046 100644 --- a/src/conf.c +++ b/src/conf.c 
@@ -151,6 +151,7 @@ static void config__init_reload(struct mosquitto__config *config)
 mosquitto__free(config->clientid_prefixes);
 config->connection_messages = true;
 config->clientid_prefixes = NULL;
+ config->per_listener_settings = false;
 if(config->log_fptr){
 fclose(config->log_fptr);
 config->log_fptr = NULL;
@@ -1446,6 +1447,8 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 config->password_file = NULL;
 }
 if(conf__parse_string(&token, "password_file", &config->password_file, saveptr)) return MOSQ_ERR_INVAL;
+ }else if(!strcmp(token, "per_listener_settings")){
+ if(conf__parse_bool(&token, "per_listener_settings", &config->per_listener_settings, saveptr)) return MOSQ_ERR_INVAL;
 }else if(!strcmp(token, "persistence") || !strcmp(token, "retained_persistence")){
 if(conf__parse_bool(&token, token, &config->persistence, saveptr)) return MOSQ_ERR_INVAL;
 }else if(!strcmp(token, "persistence_file")){
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
index 92fac93b..19e0c340 100644
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@@ -210,6 +210,7 @@ struct mosquitto__config {
 char *pid_file;
 char *psk_file;
 bool queue_qos0_messages;
+ bool per_listener_settings;
 bool set_tcp_nodelay;
 int sys_interval;
 bool upgrade_outgoing_qos;
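Review bot: The new `per_listener_settings` branch in config__read_file_core accepts the option, but as the commit subject says nothing reads it yet, so an operator who enables it expecting per-listener authentication and ACLs silently gets the old global behaviour while the shipped mosquitto.conf and man page already describe the feature as working. Until the consuming code lands, a warning at the parse site would make that visible, e.g. `if(config->per_listener_settings) log__printf(NULL, MOSQ_LOG_WARNING, "Warning: per_listener_settings is not implemented yet and has no effect.");`. Because the file is parsed in a single pass, the eventual implementation will presumably also have to require this option to appear before any `listener`, `password_file`, `acl_file`, `psk_file` or `auth_plugin` directive (or reject it otherwise), since earlier settings cannot be re-scoped retroactively; that placement rule should be stated in the man page and mosquitto.conf text. config__read_file_core starts and continues outside the hunk.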
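Review bot: The new `bool per_listener_settings;` member in struct mosquitto__config is inserted after `queue_qos0_messages`, breaking the alphabetical order the surrounding fields (`pid_file`, `psk_file`, `queue_qos0_messages`, `set_tcp_nodelay`, `sys_interval`) follow; placing it before `pid_file` keeps the struct scannable. A one-line comment would also help, since the field name alone does not say what it governs, e.g. `bool per_listener_settings; /* scope password_file/acl_file/psk_file/auth_plugin to each listener (mosquitto.conf: per_listener_settings) */`. The struct definition starts and ends outside the hunk.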