Add multiple password encryption verification

1. Add the password encryption algorithm and compare authentication 2. Configure whether to enable pprof
wind-c · Aug 23, 2023 · 75fa2ea · 75fa2ea
1 parent 4bf22e9
commit 75fa2ea
Show file tree

Hide file tree

Showing 21 changed files with 199 additions and 36 deletions.
diff --git a/cmd/cluster/main.go b/cmd/cluster/main.go
@@ -39,8 +39,7 @@ import (
 var agent *cs.Agent
 var logger *zerolog.Logger
 
-// init for pprof:
-func init() {
+func pprof() {
 	go func() {
 		log.Println(http.ListenAndServe(":6060", nil))
 	}()
@@ -100,6 +99,11 @@ func realMain(ctx context.Context) error {
 		}
 	}
 
+	//enable pprof
+	if cfg.PprofEnable {
+		pprof()
+	}
+
 	//init log
 	if cfg.Cluster.NodeName == "" {
 		if hn, err := os.Hostname(); err == nil {

diff --git a/cmd/config/auth-mysql.yml b/cmd/config/auth-mysql.yml
@@ -16,6 +16,8 @@ auth:
   user-column: username
   password-column: password
   allow-column: allow
+  password-hash: 0 # 0 no encrypt, 1 bcrypt(cost=10), 2 md5, 3 sha1, 4 sha256, 5 sha512, 6 hmac-sha1, 7 hmac-sha256, 8 hmac-sha512
+  hash-key:  #The key is required for the HMAC algorithm
 
 acl:
   table: acl

diff --git a/cmd/config/auth-postgresql.yml b/cmd/config/auth-postgresql.yml
@@ -16,6 +16,8 @@ auth:
   user-column: username
   password-column: password
   allow-column: allow
+  password-hash: 0 # 0 no encrypt, 1 bcrypt(cost=10), 2 md5, 3 sha1, 4 sha256, 5 sha512, 6 hmac-sha1, 7 hmac-sha256, 8 hmac-sha512
+  hash-key:  #The key is required for the HMAC algorithm
 
 acl:
   table: acl

diff --git a/cmd/config/auth-redis.yml b/cmd/config/auth-redis.yml
@@ -8,4 +8,6 @@ redis-options:
 auth-mode: 1  # 0 Anonymous, 1 Username, 2 ClientID
 auth-prefix: comqtt-auth
 acl-mode: 2  # 0 Anonymous, 1 Username, 2 ClientID
-acl-prefix: comqtt-acl
+acl-prefix: comqtt-acl
+password-hash: 0 # 0 no encrypt, 1 bcrypt(cost=10), 2 md5, 3 sha1, 4 sha256, 5 sha512, 6 hmac-sha1, 7 hmac-sha256, 8 hmac-sha512
+hash-key:  #The key is required for the HMAC algorithm
diff --git a/cmd/config/node1.yml b/cmd/config/node1.yml
@@ -1,6 +1,7 @@
 storage-way: 3  #Storage way optional items:0 memory、1 bolt、2 badger、3 redis;Only redis can be used in cluster mode.
 bridge-way: 0  #Bridge way optional items:0 disable、1 kafka
 bridge-path: ./cmd/config/bridge-kafka.yml  #The bridge config file path
+pprof-enable: false #Whether to enable the performance analysis tool http://ip:6060
 
 auth:
   way: 0  #Authentication way: 0 anonymous, 1 username and password, 2 clientid
@@ -36,8 +37,8 @@ mqtt:
     server-cert:   #Server certificate file path
     server-key:   #server rsa private key file path
   options:
-    client-write-buffer-size: 2048 #It is the number of individual workers and queues to initialize.
-    client-read-buffer-size: 2048  #It is the size of the queue per worker.
+    client-write-buffer-size: 1024 #It is the number of individual workers and queues to initialize.
+    client-read-buffer-size: 1024  #It is the size of the queue per worker.
     sys-topic-resend-interval: 1 #It specifies the interval between $SYS topic updates in seconds.
     capabilities:
       compatibilities:

diff --git a/cmd/config/node2.yml b/cmd/config/node2.yml
@@ -1,6 +1,7 @@
 storage-way: 3  #Storage way optional items:0 memory、1 bolt、2 badger、3 redis;Only redis can be used in cluster mode.
 bridge-way: 0  #Bridge way optional items:0 disable、1 kafka
 bridge-path: ./cmd/config/bridge-kafka.yml  #The bridge config file path
+pprof-enable: false #Whether to enable the performance analysis tool http://ip:6060
 
 auth:
   way: 0  #Authentication way: 0 anonymous, 1 username and password, 2 clientid
@@ -36,8 +37,8 @@ mqtt:
     server-cert:   #Server certificate file path
     server-key:   #server rsa private key file path
   options:
-    client-write-buffer-size: 2048 #It is the number of individual workers and queues to initialize.
-    client-read-buffer-size: 2048  #It is the size of the queue per worker.
+    client-write-buffer-size: 1024 #It is the number of individual workers and queues to initialize.
+    client-read-buffer-size: 1024  #It is the size of the queue per worker.
     sys-topic-resend-interval: 1 #It specifies the interval between $SYS topic updates in seconds.
     capabilities:
       compatibilities:

diff --git a/cmd/config/node3.yml b/cmd/config/node3.yml
@@ -1,6 +1,7 @@
 storage-way: 3  #Storage way optional items:0 memory、1 bolt、2 badger、3 redis;Only redis can be used in cluster mode.
 bridge-way: 0  #Bridge way optional items:0 disable、1 kafka
 bridge-path: ./cmd/config/bridge-kafka.yml  #The bridge config file path
+pprof-enable: false #Whether to enable the performance analysis tool http://ip:6060
 
 auth:
   way: 0  #Authentication way: 0 anonymous, 1 username and password, 2 clientid
@@ -36,8 +37,8 @@ mqtt:
     server-cert:   #Server certificate file path
     server-key:   #server rsa private key file path
   options:
-    client-write-buffer-size: 2048 #It is the number of individual workers and queues to initialize.
-    client-read-buffer-size: 2048  #It is the size of the queue per worker.
+    client-write-buffer-size: 1024 #It is the number of individual workers and queues to initialize.
+    client-read-buffer-size: 1024  #It is the size of the queue per worker.
     sys-topic-resend-interval: 1 #It specifies the interval between $SYS topic updates in seconds.
     capabilities:
       compatibilities:

diff --git a/cmd/config/single.yml b/cmd/config/single.yml
@@ -5,6 +5,7 @@ bridge-path: ./cmd/config/bridge-kafka.yml  #The bridge config file path
 auth-way: 1  #Authentication way: 0 anonymous, 1 username and password, 2 clientid
 auth-datasource: 1   #Optional items:0 free、1 redis、2 mysql、3 postgresql、4 http ...
 auth-path: ./config/auth-redis.yml  #The config file path should correspond to the auth-datasource
+pprof-enable: false #Whether to enable the performance analysis tool http://ip:6060
 
 mqtt:
   tcp: :1883
@@ -15,8 +16,8 @@ mqtt:
     server-cert:   #Server certificate file path
     server-key:   #server rsa private key file path
   options:
-    client-write-buffer-size: 2048 #It is the number of individual workers and queues to initialize.
-    client-read-buffer-size: 2048  #It is the size of the queue per worker.
+    client-write-buffer-size: 1024 #It is the number of individual workers and queues to initialize.
+    client-read-buffer-size: 1024  #It is the size of the queue per worker.
     sys-topic-resend-interval: 1 #It specifies the interval between $SYS topic updates in seconds.
     capabilities:
       compatibilities:

diff --git a/cmd/single/main.go b/cmd/single/main.go
@@ -25,6 +25,7 @@ import (
 	cokafka "github.com/wind-c/comqtt/v2/plugin/bridge/kafka"
 	"go.etcd.io/bbolt"
 	"log"
+	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
@@ -33,6 +34,12 @@ import (
 
 var logger *zerolog.Logger
 
+func pprof() {
+	go func() {
+		log.Println(http.ListenAndServe(":6060", nil))
+	}()
+}
+
 func main() {
 	sigCtx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 	defer cancel()
@@ -69,6 +76,11 @@ func realMain(ctx context.Context) error {
 		}
 	}
 
+	//enable pprof
+	if cfg.PprofEnable {
+		pprof()
+	}
+
 	//init log
 	if hn, err := os.Hostname(); err == nil {
 		cfg.Log.NodeName = hn

diff --git a/config/conf.yml b/config/conf.yml
@@ -2,6 +2,7 @@ storage-way: 3  #Storage way optional items:0 memory、1 bolt、2 badger、3 red
 storage-path: comqtt.db  #Local storage path in single node mode.
 bridge-way: 1  #Bridge way optional items:0 disable、1 kafka
 bridge-path: ./cmd/config/bridge-kafka.yml  #The bridge config file path
+pprof-enable: false #Whether to enable the performance analysis tool http://ip:6060
 
 auth:
   way: 1  #Authentication way: 0 anonymous, 1 username and password, 2 clientid

diff --git a/config/config.go b/config/config.go
@@ -91,6 +91,7 @@ type Config struct {
 	Cluster     Cluster `yaml:"cluster"`
 	Redis       redis   `yaml:"redis"`
 	Log         Log     `yaml:"log"`
+	PprofEnable bool    `yaml:"pprof-enable"`
 }
 
 type auth struct {

diff --git a/plugin/auth/auth.go b/plugin/auth/auth.go
@@ -6,6 +6,20 @@ import (
 	"github.com/wind-c/comqtt/v2/mqtt/packets"
 )
 
+type HashType int
+
+const (
+	HashNone HashType = iota
+	HashBcrypt
+	HashMd5
+	HashSha1
+	HashSha256
+	HashSha512
+	HashHmacSha1
+	HashHmacSha256
+	HashHmacSha512
+)
+
 func CheckAcl(tam map[string]auth.Access, write bool) bool {
 	// access 0 = deny, 1 = read only, 2 = write only, 3 = read and write
 	rm := make(map[string]bool)

diff --git a/plugin/auth/crypto.go b/plugin/auth/crypto.go
@@ -0,0 +1,100 @@
+package auth
+
+import (
+	"crypto/hmac"
+	"crypto/md5"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/base64"
+	"encoding/hex"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func CompareHash(hashed, plain, key string, ht HashType) bool {
+	var tmp string
+	switch ht {
+	case HashBcrypt:
+		if err := bcrypt.CompareHashAndPassword([]byte(hashed), []byte(plain)); err != nil {
+			return false
+		} else {
+			return true
+		}
+	case HashNone:
+		tmp = plain
+	case HashMd5:
+		tmp = Md5(plain)
+	case HashSha1:
+		tmp = Sha1(plain)
+	case HashSha256:
+		tmp = Sha256(plain)
+	case HashSha512:
+		tmp = Sha512(plain)
+	case HashHmacSha1:
+		tmp = HmacSha1(plain, key)
+	case HashHmacSha256:
+		tmp = HmacSha256(plain, key)
+	case HashHmacSha512:
+		tmp = HmacSha512(plain, key)
+	}
+
+	if tmp == hashed {
+		return true
+	}
+
+	return false
+}
+
+func Bcrypt(src string) string {
+	hashed, err := bcrypt.GenerateFromPassword([]byte(src), bcrypt.DefaultCost)
+	if err != nil {
+		return ""
+	}
+	return string(hashed)
+}
+
+func Md5(src string) string {
+	h := md5.New()
+	h.Write([]byte(src))
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+func Sha1(src string) string {
+	h := sha1.New()
+	h.Write([]byte(src))
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+func Sha256(src string) string {
+	h := sha256.New()
+	h.Write([]byte(src))
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+func Sha512(src string) string {
+	h := sha512.New()
+	h.Write([]byte(src))
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+func Base64(src string) string {
+	return string(base64.StdEncoding.EncodeToString([]byte(src)))
+}
+
+func HmacSha1(src, key string) string {
+	m := hmac.New(sha1.New, []byte(key))
+	m.Write([]byte(src))
+	return hex.EncodeToString(m.Sum(nil))
+}
+
+func HmacSha256(src, key string) string {
+	m := hmac.New(sha256.New, []byte(key))
+	m.Write([]byte(src))
+	return hex.EncodeToString(m.Sum(nil))
+}
+
+func HmacSha512(src, key string) string {
+	m := hmac.New(sha512.New, []byte(key))
+	m.Write([]byte(src))
+	return hex.EncodeToString(m.Sum(nil))
+}
diff --git a/plugin/auth/crypto_test.go b/plugin/auth/crypto_test.go
@@ -0,0 +1,19 @@
+package auth
+
+import (
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/bcrypt"
+	"testing"
+)
+
+func TestBcrypt(t *testing.T) {
+	pwd := "123456"
+	hashed1 := Bcrypt(pwd)
+	hashed2 := Bcrypt(pwd)
+	println(hashed1)
+	require.NotEqual(t, hashed1, hashed2)
+	err := bcrypt.CompareHashAndPassword([]byte(hashed1), []byte(pwd))
+	require.NoError(t, err)
+	err = bcrypt.CompareHashAndPassword([]byte(hashed2), []byte(pwd))
+	require.NoError(t, err)
+}
diff --git a/plugin/auth/mysql/conf.yml b/plugin/auth/mysql/conf.yml
@@ -16,6 +16,8 @@ auth:
   user-column: username
   password-column: password
   allow-column: allow
+  password-hash: 0 # 0 no encrypt, 1 bcrypt(cost=10), 2 md5, 3 sha1, 4 sha256, 5 sha512, 6 hmac-sha1, 7 hmac-sha256, 8 hmac-sha512
+  hash-key:  #The key is required for the HMAC algorithm
 
 acl:
   table: acl

diff --git a/plugin/auth/mysql/mysql.go b/plugin/auth/mysql/mysql.go
@@ -33,10 +33,12 @@ type DsnInfo struct {
 }
 
 type AuthTable struct {
-	Table          string `json:"table" yaml:"table"`
-	UserColumn     string `json:"user-column" yaml:"user-column"`
-	PasswordColumn string `json:"password-column" yaml:"password-column"`
-	AllowColumn    string `json:"allow-column" yaml:"allow-column"`
+	Table          string      `json:"table" yaml:"table"`
+	UserColumn     string      `json:"user-column" yaml:"user-column"`
+	PasswordColumn string      `json:"password-column" yaml:"password-column"`
+	AllowColumn    string      `json:"allow-column" yaml:"allow-column"`
+	PasswordHash   pa.HashType `json:"password-hash" yaml:"password-hash"`
+	HashKey        string      `json:"hash-key" yaml:"hash-key"`
 }
 
 type AclTable struct {
@@ -137,11 +139,7 @@ func (a *Auth) OnConnectAuthenticate(cl *mqtt.Client, pk packets.Packet) bool {
 		return false
 	}
 
-	if password == string(pk.Connect.Password) {
-		return true
-	} else {
-		return false
-	}
+	return pa.CompareHash(password, string(pk.Connect.Password), a.config.Auth.HashKey, a.config.Auth.PasswordHash)
 }
 
 // OnACLCheck returns true if the connecting client has matching read or write access to subscribe

diff --git a/plugin/auth/mysql/mysql_test.go b/plugin/auth/mysql/mysql_test.go
@@ -31,7 +31,7 @@ var (
 
 	//pkf = packets.Packet{Filters: packets.Subscriptions{{Filter: "a/b/c"}}}
 
-	pkc = packets.Packet{Connect: packets.ConnectParams{Password: []byte("321654")}}
+	pkc = packets.Packet{Connect: packets.ConnectParams{Password: []byte("123456")}}
 )
 
 func teardown(a *Auth, t *testing.T) {
@@ -60,6 +60,8 @@ func newAuth(t *testing.T) *Auth {
 			UserColumn:     "username",
 			PasswordColumn: "password",
 			AllowColumn:    "allow",
+			PasswordHash:   1,
+			HashKey:        "",
 		},
 		Acl: AclTable{
 			Table:        "acl",

diff --git a/plugin/auth/postgresql/conf.yml b/plugin/auth/postgresql/conf.yml
@@ -16,6 +16,8 @@ auth:
   user-column: username
   password-column: password
   allow-column: allow
+  password-hash: 0 # 0 no encrypt, 1 bcrypt(cost=10), 2 md5, 3 sha1, 4 sha256, 5 sha512, 6 hmac-sha1, 7 hmac-sha256, 8 hmac-sha512
+  hash-key:  #The key is required for the HMAC algorithm
 
 acl:
   table: acl