Thomas Kruse
2026-02-03 22:29:46 +01:00
commit 8fdf5827e4
156 changed files with 23069 additions and 0 deletions


@ -0,0 +1,8 @@
user rw
topic readwrite #
user wo
topic write /test
user ro
topic read #
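Review bot: The write-only user is limited to `topic write /test`, and in MQTT a leading slash introduces an empty first level, so this grants publish only to the literal topic `/test`, not to `test` and not to the `demotopic` used throughout the lab. If the leading slash is deliberate, say so, e.g. `# wo may publish only to the literal topic "/test" (note the leading slash)`; if `test` was meant, drop the slash. Note also that in an acl_file `read`/`write` only gate publish delivery, so a denied subscription from `wo` will not be rejected at SUBSCRIBE time, which matters for how the lab questions are answered.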


@ -0,0 +1,10 @@
services:
mosquitto:
image: eclipse-mosquitto
ports:
- "1883:1883"
volumes:
- ./mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
- ./users.txt:/mosquitto/config/users.txt:ro
- ./acl.txt:/mosquitto/config/acl.txt:ro
- ./dynamic-config.json:/mosquitto/config/dynamic-config.json:rw
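Review bot: `"1883:1883"` publishes a plaintext MQTT listener on every host interface, and the broker only accepts username/password (no TLS listener is configured), so the lab credentials cross the network in the clear to anyone who can reach the host. For a local lab, bind the port to loopback: `- "127.0.0.1:1883:1883"`. The `:rw` on the dynamic-config mount is required because the dynamic-security plugin rewrites that file; a short comment saying so would stop someone "hardening" it to `:ro` and breaking the plugin.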


@ -0,0 +1,87 @@
{
"roles": [
{
"rolename": "admin",
"acls": [{
"acltype": "publishClientSend",
"topic": "$CONTROL/dynamic-security/#",
"allow": true
}, {
"acltype": "publishClientReceive",
"topic": "$CONTROL/dynamic-security/#",
"allow": true
}, {
"acltype": "subscribePattern",
"topic": "$CONTROL/dynamic-security/#",
"allow": true
}, {
"acltype": "publishClientReceive",
"topic": "$SYS/#",
"allow": true
}, {
"acltype": "subscribePattern",
"topic": "$SYS/#",
"allow": true
}, {
"acltype": "publishClientReceive",
"topic": "#",
"allow": true
}, {
"acltype": "subscribePattern",
"topic": "#",
"allow": true
}, {
"acltype": "unsubscribePattern",
"topic": "#",
"allow": true
}]
},
{
"rolename": "read-write-role",
"acls": [
{ "acltype": "publishClientSend", "topic": "#", "priority": 0, "allow": true },
{ "acltype": "subscribeLiteral", "topic": "#", "priority": 0, "allow": true },
{ "acltype": "unsubscribeLiteral", "topic": "#", "priority": 0, "allow": true }
]
},
{
"rolename": "write-only-role",
"acls": [
{ "acltype": "publishClientSend", "topic": "#", "priority": 0, "allow": true },
{ "acltype": "subscribeLiteral", "topic": "#", "priority": 0, "allow": false },
{ "acltype": "subscribePattern", "topic": "#", "priority": 0, "allow": false }
]
},
{
"rolename": "read-only-role",
"acls": [
{ "acltype": "subscribeLiteral", "topic": "#", "priority": 0, "allow": true },
{ "acltype": "publishClientSend", "topic": "#", "priority": 0, "allow": false }
]
}
],
"clients": [
{
"username": "admin-user",
"textName": "Dynsec admin user, password geheim",
"password": "qFa1Zzq4SXwI1aGJq9rJm14m6LWiv+7p4mbDfsQK1x15NOBdZke4GO6zxSBfOXinRgVKES/tlyfmVJhq0N6rKw==",
"salt": "Qv02Q1Ngia2GacTB",
"iterations": 101,
"roles": [{
"rolename": "admin"
}]
},
{ "username": "rw", "roles": [ { "rolename": "read-write-role" } ] },
{ "username": "wo", "roles": [ { "rolename": "write-only-role" } ] },
{ "username": "ro", "roles": [ { "rolename": "read-only-role" } ] }
],
"default_access": {
"publishClientSend": false,
"publishClientReceive": true,
"subscribeLiteral": false,
"subscribePattern": false,
"unsubscribeLiteral": false,
"subscribe": false,
"unsubscribe": true
}
}
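Review bot: `read-only-role` and `read-write-role` grant subscriptions with `subscribeLiteral` on `#`; in the dynamic-security plugin a literal ACL only matches a subscription whose filter equals the ACL topic exactly, so as far as I can tell a client subscribing to `demotopic` (as the lab does) is denied and only a subscription to `#` itself would pass. Use the pattern forms as the `admin` role already does, e.g. `{ "acltype": "subscribePattern", "topic": "#", "priority": 0, "allow": true }` and the matching `unsubscribePattern`. Separately, the admin entry stores its hash next to its plaintext in `textName` (`"... password geheim"`), and the file is mounted read-write so the broker will rewrite it; acceptable for a throwaway lab, but the plaintext should not live in the same file as the hash, and `default_access.publishClientReceive: true` deserves a comment since it is the only permissive default.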

42
03-security/lab08/lab.txt Normal file

@ -0,0 +1,42 @@
= Berechtigungen
Verwenden Sie `mosquitto_sub` mit dem Host `test.mosquitto.org`, MQTT 5,
Port `1884`, Usernamen "ro" und Passwort (`-P`) "readonly"
$ docker run --rm -it --init --net host eclipse-mosquitto \
mosquitto_sub --host test.mosquitto.org --port 1884 -V 5 --qos 1 --topic "demotopic" \
--username ro -P readonly -W 2 --debug
Was passiert, wenn Sie "wo" und Passwort "writeonly" nutzen?
$ docker run --rm -it --init --net host eclipse-mosquitto \
mosquitto_sub --host test.mosquitto.org --port 1884 -V 5 --qos 1 --topic "demotopic" \
--username wo -P writeonly -W 2 --debug
Was passiert, wenn Sie mit den 'ro' User etwas publishen wollen?
$ docker run --rm -it --init --net host eclipse-mosquitto \
mosquitto_pub --host test.mosquitto.org --port 1884 -V 5 --qos 1 --topic "demotopic" \
--username ro -P readonly --message "demo message" --debug
Alternativ kann mittels `docker compose up` gleichartiges lokales Setup verwendet werden:
$ docker compose up
$ docker run --rm -it --init --net host eclipse-mosquitto \
mosquitto_sub -V 5 --qos 1 --topic "demotopic" \
--username ro -P readonly -W 2 --debug
$ docker run --rm -it --init --net host eclipse-mosquitto \
mosquitto_sub -V 5 --qos 1 --topic "demotopic" \
--username wo -P writeonly -W 2 --debug
$ docker run --rm -it --init --net host eclipse-mosquitto \
mosquitto_pub -V 5 --qos 1 --topic "demotopic" \
--username ro -P readonly --message "demo message" --debug


@ -0,0 +1,13 @@
listener 1883
allow_anonymous false
# this works but does not support expected feedback,
# see this issue comment:
# https://github.com/eclipse-mosquitto/mosquitto/issues/2296#issuecomment-924423566
# The ACLs in an ACL file are currently exclusively related to publishing - write indicates whether the client is allowed to send a publish to a topic, and read indicates whether a client is allowed to receive a publish on a topic.
password_file /mosquitto/config/users.txt
acl_file mosquitto/config/acl.txt
plugin /usr/lib/mosquitto_dynamic_security.so
plugin_opt_config_file /mosquitto/config/dynamic-config.json
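Review bot: `acl_file mosquitto/config/acl.txt` is the only relative path in this file; the compose file mounts the ACL at `/mosquitto/config/acl.txt`, so the broker resolves this against its working directory and will most likely fail to open it, which in my experience makes mosquitto refuse to start rather than run without ACLs. Fix: `acl_file /mosquitto/config/acl.txt`. Also, `password_file`/`acl_file` and the dynamic-security plugin are both enabled for the same usernames (`ro`, `rw`, `wo`), and the dynsec clients carry no password, so which backend authenticates and which authorizes is not evident from the config; add a comment stating the intended interaction, or keep only one backend so the lab's answers are unambiguous.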


@ -0,0 +1,3 @@
ro:$7$101$FPVn7s0SIqjbFLYS$wMHGMiFqSlGwHAP23kFoUgdkd8NH1J70mDdXlQPVxGxoC8wQz0lY8Wsoqf8O8JNjzZxyVmrNlG1n/mLxlf2i7g==
rw:$7$101$nayIsCxTb05m2LY6$jIJbztZr2r/ZWUyM1Qfo2QC390OPgcd6AbtuG9wadDXex/+tWjNhVEoTRs746KIeBmNiJbnwZ9kts2L6gn3MBA==
wo:$7$101$dIqbFuwPghjophX4$8U6EeHb7mBI4NWb9/J+wTW+WzvhN8ipWdA1UBK/ePs/Me/HfmvhiAcIpxcUsMvDjwWFc0UXlAkjFkoeEkPQ+cw==
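Review bot: All three entries use `$7$101$`, i.e. PBKDF2-SHA512 with 101 iterations, which is mosquitto_passwd's default but far below current PBKDF2 recommendations; since lab.txt publishes these passwords in plaintext the hashes protect nothing here, but the file will be copied. If it is reused outside the lab, regenerate with a higher iteration count (mosquitto_passwd has an `-i` option in 2.x, if I recall correctly) and fresh, non-guessable passwords.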