Mqtt auth

.dockerignore

@@ -0,0 +1,2 @@
+nhmesh-mqtt-auth/target
+nhmesh-mqtt-auth/auth-db.sqlite

docker/docker-compose.yml

@@ -43,7 +43,27 @@ services:
       - xpack.security.enabled=false
     ports:
       - "5601:5601"
+
+  mqtt:
+    image: rmqtt/rmqtt:latest
+    ports:
+      - "1883:1883"
+      - "8883:8883"
+      - "11883:11883"
+      - "6060:6060"
+    volumes:
+      - mqttdata:/var/log/rmqtt
+      - ./rmqtt/rmqtt/rmqtt-plugins:/app/rmqtt/rmqtt-plugins:ro
+      - ./rmqtt/rmqtt/rmqtt.toml:/app/rmqtt/rmqtt.toml:ro
+
+  auth:
+    build:
+      context: ..
+      dockerfile: docker/nhmesh-auth/Dockerfile
+    ports:
+      - "8000:8000"
 
 volumes:
   esdata:
+  mqttdata:
 

docker/nhmesh-auth/Dockerfile

@@ -0,0 +1,21 @@
+FROM rust AS builder
+
+COPY ./nhmesh-mqtt-auth ./nhmesh-mqtt-auth
+
+WORKDIR /nhmesh-mqtt-auth
+
+RUN cargo build --release
+
+FROM debian:trixie-slim
+
+RUN mkdir -p /app/bin
+WORKDIR /app
+
+RUN apt-get update && apt-get install -y ca-certificates
+
+COPY --from=builder /nhmesh-mqtt-auth/target/release/nhmesh-mqtt-auth /app/bin/nhmesh-mqtt-auth
+COPY --from=builder /nhmesh-mqtt-auth/config.yaml /app/config.yaml
+
+EXPOSE 8000
+
+CMD ["/app/bin/nhmesh-mqtt-auth"]

docker/rmqtt/rmqtt/rmqtt-plugins/rmqtt-acl.toml

@@ -0,0 +1,18 @@
+##--------------------------------------------------------------------
+## rmqtt-acl
+##--------------------------------------------------------------------
+
+# See more keys and their definitions at https://github.com/rmqtt/rmqtt/blob/master/docs/en_US/acl.md
+
+#Disconnect if publishing is rejected
+disconnect_if_pub_rejected = true
+
+rules = [
+    #["deny", "all", "subscribe", ["test/nosubscribe"]],
+    ["allow", { user = "dashboard" }, "subscribe", ["$SYS/#"]],
+    ["allow", { ipaddr = "127.0.0.1" }, "pubsub", ["$SYS/#", "#"]],
+    ["deny", "all", "subscribe", ["$SYS/#", { eq = "#" }]],
+    ["allow", "all"]
+#    ["deny", "all"]
+]
+

docker/rmqtt/rmqtt/rmqtt-plugins/rmqtt-auth-http.toml

@@ -0,0 +1,69 @@
+##--------------------------------------------------------------------
+## rmqtt-auth-http
+##--------------------------------------------------------------------
+
+# See more keys and their definitions at https://github.com/rmqtt/rmqtt/blob/master/docs/en_US/auth-http.md
+
+http_timeout = "5s"
+http_headers.accept = "*/*"
+http_headers.Cache-Control = "no-cache"
+http_headers.User-Agent = "RMQTT/0.8.0"
+http_headers.Connection = "keep-alive"
+
+## Disconnect if publishing is rejected
+##
+## Value: true | false
+## Default: true
+disconnect_if_pub_rejected = true
+
+## Disconnect After Expiration
+##
+## Value: true | false
+## Default: false
+disconnect_if_expiry = false
+
+## Return 'Deny' if http request error otherwise 'Ignore'
+##
+## Value: true | false
+## Default: true
+deny_if_error = true
+
+##--------------------------------------------------------------------
+## Authentication request.
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##
+## Value: URL
+http_auth_req.url = "http://172.20.0.1:8000/mqtt/auth"
+## Value: post | get | put
+http_auth_req.method = "post"
+## HTTP request header of authentication request
+## Content-Type Currently supported values: application/x-www-form-urlencoded, application/json
+http_auth_req.headers = { content-type = "application/json" }
+#http_auth_req.headers.content-type="application/json"
+## Value: Params
+http_auth_req.params = { clientid = "%c", username = "%u", password = "%P", ipaddr = "%a" }
+
+
+##--------------------------------------------------------------------
+## ACL request.
+##
+## Variables:
+##  - %A: 1 | 2, 1 = sub, 2 = pub
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %t: topic
+##
+## Value: URL
+http_acl_req.url = "http://172.20.0.1:8000/mqtt/acl"
+## Value: post | get | put
+http_acl_req.method = "post"
+## Value: Params
+http_acl_req.params = { access = "%A", username = "%u", clientid = "%c", ipaddr = "%a", topic = "%t", protocol = "%r" }

docker/rmqtt/rmqtt/rmqtt-plugins/rmqtt-auth-jwt.toml

@@ -0,0 +1,78 @@
+##--------------------------------------------------------------------
+## rmqtt-auth-jwt
+##--------------------------------------------------------------------
+
+# See more keys and their definitions at https://github.com/rmqtt/rmqtt/blob/master/docs/en_US/auth-jwt.md
+
+## Disconnect if publishing is rejected
+##
+## Value: true | false
+## Default: true
+disconnect_if_pub_rejected = true
+
+## Disconnect After Expiration
+##
+## Value: true | false
+## Default: false
+disconnect_if_expiry = false
+
+## From where the JWT string can be got
+## Value: username | password
+## Default: password
+from = "password"
+
+## Encryption method
+## Value: hmac-based | public-key
+## Default: hmac-based
+encrypt = "hmac-based"
+
+## HMAC Hash Secret.
+##
+## Value: String
+hmac_secret = "rmqttsecret"
+#hmac_secret = "cm1xdHRzZWNyZXQ="
+
+## Secret Base64 Encode
+##
+## Value: true | false
+## Default: false
+hmac_base64 = false
+
+## RSA or ECDSA public key file.
+##
+## Value: File
+#public_key = "./rmqtt-bin/jwt_public_key_rsa.pem"
+#public_key = "./rmqtt-bin/jwt_public_key_es256.pem"
+#public_key = "./rmqtt-bin/jwt_public_key_es384.pem"
+
+
+## The checklist of claims to validate
+##
+## Value: String
+## validate_claims.$name = expected
+##
+## Placeholder:
+##  - ${username}: username
+##  - ${clientid}: clientid
+##  - ${ipaddr}: client ip addr
+##  - ${protocol}: MQTT protocol version: 3 = 3.1, 4 = 3.1.1, or 5 = 5.0
+
+### Basic Validation
+## > Validate the token's expiration by comparing the exp claim to the current UTC time.
+validate_claims.exp = true
+## < Ensure the token is not used before its nbf claim.
+#validate_claims.nbf = true
+## Ensure the token's subject (sub claim) is as expected.
+#validate_claims.sub = "user@rmqtt.com"
+## Validate the token's issuer by comparing the iss claim to the known issuer.
+#validate_claims.iss = ["https://rmqtt.com1", "https://rmqtt.com"]
+## Verify that the token's audience (aud claim) matches the intended recipient.
+#validate_claims.aud = ["https://your-api.com", "mobile_app", "web_app"]
+
+### Extended Validation
+#validate_claims.clientid = "${clientid}"
+#validate_claims.username = "${username}"
+#validate_claims.ipaddr = "${ipaddr}"
+#validate_claims.protocol = "${protocol}"
+
+

docker/rmqtt/rmqtt/rmqtt-plugins/rmqtt-auto-subscription.toml

@@ -0,0 +1,14 @@
+##--------------------------------------------------------------------
+## rmqtt-auto-subscription
+##--------------------------------------------------------------------
+
+# See more keys and their definitions at https://github.com/rmqtt/rmqtt/blob/master/docs/en_US/auto-subscription.md
+
+# Expressions can use ${clientid} to represent the client ID and ${username} to represent the client username.
+
+subscribes = [
+#    { topic_filter = "x/+/#", qos = 1, no_local = false, retain_as_published = false, retain_handling = 0 },
+#    { topic_filter = "foo/${clientid}/#", qos = 1, no_local = false, retain_as_published = false, retain_handling = 0 },
+#    { topic_filter = "iot/${username}/#", qos = 1 }
+]
+

docker/rmqtt/rmqtt/rmqtt-plugins/rmqtt-bridge-egress-kafka.toml

@@ -0,0 +1,43 @@
+##--------------------------------------------------------------------
+## rmqtt-bridge-egress-kafka
+##--------------------------------------------------------------------
+
+# See more keys and their definitions at https://github.com/rmqtt/rmqtt/blob/master/docs/en_US/bridge-egress-kafka.md
+
+[[bridges]]
+# Whether to enable
+enable = true
+# Bridge name
+name = "bridge_kafka_1"
+
+# The list of broker (server) addresses for the Kafka cluster.
+#servers = "127.0.0.1:9092,127.0.0.1:9093,127.0.0.1:9094"
+servers = "127.0.0.1:9092"
+# client.id
+client_id_prefix = "kafka_001"
+
+# Maximum limit of clients connected to the remote kafka broker
+concurrent_client_limit = 3
+
+# See more properties and their definitions at https://github.com/confluentinc/librdkafka/blob/master/CONFIGURATION.md
+[bridges.properties]
+"message.timeout.ms" = "5000"
+
+[[bridges.entries]]
+#Local topic filter: All messages matching this topic filter will be forwarded.
+local.topic_filter = "local/topic1/egress/#"
+
+remote.topic = "remote-topic1-egress-${local.topic}"
+#The queue_timeout parameter controls how long to retry for if the librdkafka producer queue is full. 0 to never block.
+remote.queue_timeout = "0m"
+#Sets the destination partition of the record.
+#remote.partition = 0
+
+[[bridges.entries]]
+#Local topic filter: All messages matching this topic filter will be forwarded.
+local.topic_filter = "local/topic2/egress/#"
+
+remote.topic = "remote-topic2-egress"
+#remote.queue_timeout = "0m"
+#remote.partition = 0
+