Allow pre-hashed passwords in mosquitto logins config. (home-assistan…

…t#3183) * Allow pre-hashed passwords in mosquitto logins config. This change adds the ability to pass already-hashed passwords in the logins array. If the password begins 'PBKDF2$sha512$' and has length 134, it is not hashed again and is incorporated directly into the `pw` file. Otherwise, the existing logic is used. * Use `password_pre_hashed` boolean config instead of heuristic based on string prefix for pre-hashed passwords. * Documentation updates for clarity to pre-hashed passwords feature. * Fix max line length in English translation.
perjonas · Sep 6, 2023 · 07d6425 · 07d6425
1 parent 2583767
commit 07d6425
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 5 deletions.
diff --git a/mosquitto/CHANGELOG.md b/mosquitto/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 6.3.1
+
+- Add ability to use a pre-hashed password for custom logins
+
 ## 6.3.0
 
 - Update mosquitto to 2.0.17

diff --git a/mosquitto/DOCS.md b/mosquitto/DOCS.md
@@ -54,6 +54,20 @@ logins:
     password: passwd
 ```
 
+You can also optionally set a `password` value using the hashed password obtained from the `pw` command (which is present inside the Mosquitto container). If doing so, you must also specify `password_pre_hashed: true` alongside the `username` and `password` values:
+
+```console
+$ pw -p "foo"
+PBKDF2$sha512$100000$qsU7xQ8YCV/9nRuBBJVTxA==$jqw94Ej3aEr97UofY6rClmVCRkTdDiubQW0A6ZYmUI+pZjW9Hax+2w2FeYB3y5ut1SliB7+HAwIl2iONLKkohw==
+```
+
+```yaml
+logins:
+  - username: user
+    password: "PBKDF2$sha512$100000$qsU7xQ8YCV/9nRuBBJVTxA==$jqw94Ej3aEr97UofY6rClmVCRkTdDiubQW0A6ZYmUI+pZjW9Hax+2w2FeYB3y5ut1SliB7+HAwIl2iONLKkohw=="
+    password_pre_hashed: true
+```
+
 #### Option: `customize.active`
 
 If set to `true` additional configuration files will be read, see the next option.

diff --git a/mosquitto/config.yaml b/mosquitto/config.yaml
@@ -1,5 +1,5 @@
 ---
-version: 6.3.0
+version: 6.3.1
 slug: mosquitto
 name: Mosquitto broker
 description: An Open Source MQTT broker
@@ -35,6 +35,7 @@ schema:
   logins:
     - username: str
       password: password
+      password_pre_hashed: "bool?"
   require_certificate: bool
   certfile: str
   cafile: str?

diff --git a/mosquitto/rootfs/etc/cont-init.d/mosquitto.sh b/mosquitto/rootfs/etc/cont-init.d/mosquitto.sh
@@ -49,7 +49,12 @@ for login in $(bashio::config 'logins|keys'); do
   password=$(bashio::config "logins[${login}].password")
 
   bashio::log.info "Setting up user ${username}"
-  password=$(pw -p "${password}")
+  if ! bashio::config.true "logins[${login}].password_pre_hashed"
+  then
+      password=$(pw -p "${password}")
+  else
+      bashio::log.info "Using pre-hashed password for ${username}"
+  fi
   echo "${username}:${password}" >> "${PW}"
   echo "user ${username}" >> "${ACL}"
 done

diff --git a/mosquitto/translations/en.yaml b/mosquitto/translations/en.yaml
@@ -3,9 +3,11 @@ configuration:
   logins:
     name: Logins
     description: >-
-      A list of local users that will be created with username and password. You
-      don't need to do this because you can use Home Assistant users too,
-      without any configuration.
+      A list of local users that will be created with username and password.
+      You don't need to do this because you can use Home Assistant users too,
+      without any configuration. You can also specify
+      `password_pre_hashed: true` to utilize a pre-hashed password from the
+      output of the `pw` command (which is present inside the container).
   require_certificate:
     name: Require Client Certificate
     description: >-