void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
JNIEXPORT jlong JNICALL
Java_org_zeromq_czmq_Zcertstore__1_1new (JNIEnv *env, jclass c, jstring location)
{
char *location_ = (char *) (*env)->GetStringUTFChars (env, location, NULL);
// Disable CZMQ signal handling; allow Java to deal with it
zsys_handler_set (NULL);
jlong new_ = (jlong) (intptr_t) zcertstore_new (location_);
(*env)->ReleaseStringUTFChars (env, location, location_);
return new_;
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zcertstore"
zsys_dir_create (TESTDIR);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (TESTDIR);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, TESTDIR "/mycert.txt");
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
free (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
printf ("OK\n");
}
static int
s_self_handle_pipe (self_t *self)
{
// Get the whole message off the pipe in one go
zmsg_t *request = zmsg_recv (self->pipe);
if (!request)
return -1; // Interrupted
char *command = zmsg_popstr (request);
if (self->verbose)
zsys_info ("zauth: API command=%s", command);
if (streq (command, "ALLOW")) {
char *address = zmsg_popstr (request);
while (address) {
if (self->verbose)
zsys_info ("zauth: - whitelisting ipaddress=%s", address);
zhashx_insert (self->whitelist, address, "OK");
zstr_free (&address);
address = zmsg_popstr (request);
}
zsock_signal (self->pipe, 0);
}
else
if (streq (command, "DENY")) {
char *address = zmsg_popstr (request);
while (address) {
if (self->verbose)
zsys_info ("zauth: - blacklisting ipaddress=%s", address);
zhashx_insert (self->blacklist, address, "OK");
zstr_free (&address);
address = zmsg_popstr (request);
}
zsock_signal (self->pipe, 0);
}
else
if (streq (command, "PLAIN")) {
// Get password file and load into zhash table
// If the file doesn't exist we'll get an empty table
char *filename = zmsg_popstr (request);
zhashx_destroy (&self->passwords);
self->passwords = zhashx_new ();
if (zhashx_load (self->passwords, filename) && self->verbose)
zsys_info ("zauth: could not load file=%s", filename);
zstr_free (&filename);
zsock_signal (self->pipe, 0);
}
else
if (streq (command, "CURVE")) {
// If location is CURVE_ALLOW_ANY, allow all clients. Otherwise
// treat location as a directory that holds the certificates.
char *location = zmsg_popstr (request);
if (streq (location, CURVE_ALLOW_ANY))
self->allow_any = true;
else {
zcertstore_destroy (&self->certstore);
// FIXME: what if this fails?
self->certstore = zcertstore_new (location);
self->allow_any = false;
}
zstr_free (&location);
zsock_signal (self->pipe, 0);
}
else
if (streq (command, "GSSAPI"))
// GSSAPI authentication is not yet implemented here
zsock_signal (self->pipe, 0);
else
if (streq (command, "VERBOSE")) {
self->verbose = true;
zsock_signal (self->pipe, 0);
}
else
if (streq (command, "$TERM"))
self->terminated = true;
else {
zsys_error ("zauth: - invalid command: %s", command);
assert (false);
}
zstr_free (&command);
zmsg_destroy (&request);
return 0;
}
static int
s_agent_handle_pipe (agent_t *self)
{
// Get the whole message off the pipe in one go
zmsg_t *request = zmsg_recv (self->pipe);
char *command = zmsg_popstr (request);
if (!command)
return -1; // Interrupted
if (streq (command, "ALLOW")) {
char *address = zmsg_popstr (request);
zhash_insert (self->whitelist, address, "OK");
zstr_free (&address);
zstr_send (self->pipe, "OK");
}
else
if (streq (command, "DENY")) {
char *address = zmsg_popstr (request);
zhash_insert (self->blacklist, address, "OK");
zstr_free (&address);
zstr_send (self->pipe, "OK");
}
else
if (streq (command, "PLAIN")) {
// For now we don't do anything with domains
char *domain = zmsg_popstr (request);
zstr_free (&domain);
// Get password file and load into zhash table
// If the file doesn't exist we'll get an empty table
char *filename = zmsg_popstr (request);
zhash_destroy (&self->passwords);
self->passwords = zhash_new ();
zhash_load (self->passwords, filename);
zstr_free (&filename);
zstr_send (self->pipe, "OK");
}
else
if (streq (command, "CURVE")) {
// For now we don't do anything with domains
char *domain = zmsg_popstr (request);
zstr_free (&domain);
// If location is CURVE_ALLOW_ANY, allow all clients. Otherwise
// treat location as a directory that holds the certificates.
char *location = zmsg_popstr (request);
if (streq (location, CURVE_ALLOW_ANY))
self->allow_any = true;
else {
zcertstore_destroy (&self->certstore);
self->certstore = zcertstore_new (location);
self->allow_any = false;
}
zstr_free (&location);
zstr_send (self->pipe, "OK");
}
else
if (streq (command, "VERBOSE")) {
char *verbose = zmsg_popstr (request);
self->verbose = *verbose == '1';
zstr_free (&verbose);
zstr_send (self->pipe, "OK");
}
else
if (streq (command, "TERMINATE")) {
self->terminated = true;
zstr_send (self->pipe, "OK");
}
else {
printf ("E: invalid command from API: %s\n", command);
assert (false);
}
zstr_free (&command);
zmsg_destroy (&request);
return 0;
}
void
zcertstore_test (bool verbose)
{
printf (" * zcertstore: ");
if (verbose)
printf ("\n");
// @selftest
const char *SELFTEST_DIR_RW = "src/selftest-rw";
const char *testbasedir = ".test_zcertstore";
const char *testfile = "mycert.txt";
char *basedirpath = NULL; // subdir in a test, under SELFTEST_DIR_RW
char *filepath = NULL; // pathname to testfile in a test, in dirpath
basedirpath = zsys_sprintf ("%s/%s", SELFTEST_DIR_RW, testbasedir);
assert (basedirpath);
filepath = zsys_sprintf ("%s/%s", basedirpath, testfile);
assert (filepath);
// Make sure old aborted tests do not hinder us
zdir_t *dir = zdir_new (basedirpath, NULL);
if (dir) {
zdir_remove (dir, true);
zdir_destroy (&dir);
}
zsys_file_delete (filepath);
zsys_dir_delete (basedirpath);
// Create temporary directory for test files
zsys_dir_create (basedirpath);
// Load certificate store from disk; it will be empty
zcertstore_t *certstore = zcertstore_new (basedirpath);
assert (certstore);
// Create a single new certificate and save to disk
zcert_t *cert = zcert_new ();
assert (cert);
char *client_key = strdup (zcert_public_txt (cert));
assert (client_key);
zcert_set_meta (cert, "name", "John Doe");
zcert_save (cert, filepath);
zcert_destroy (&cert);
// Check that certificate store refreshes as expected
cert = zcertstore_lookup (certstore, client_key);
assert (cert);
assert (streq (zcert_meta (cert, "name"), "John Doe"));
#ifdef CZMQ_BUILD_DRAFT_API
// DRAFT-API: Security
// Iterate through certs
zlistx_t *certs = zcertstore_certs(certstore);
cert = (zcert_t *) zlistx_first(certs);
int cert_count = 0;
while (cert) {
assert (streq (zcert_meta (cert, "name"), "John Doe"));
cert = (zcert_t *) zlistx_next(certs);
cert_count++;
}
assert(cert_count==1);
zlistx_destroy(&certs);
#endif
// Test custom loader
test_loader_state *state = (test_loader_state *) zmalloc (sizeof (test_loader_state));
state->index = 0;
zcertstore_set_loader (certstore, s_test_loader, s_test_destructor, (void *)state);
#if (ZMQ_VERSION_MAJOR >= 4)
cert = zcertstore_lookup (certstore, client_key);
assert (cert == NULL);
cert = zcertstore_lookup (certstore, "abcdefghijklmnopqrstuvwxyzabcdefghijklmn");
assert (cert);
#endif
freen (client_key);
if (verbose)
zcertstore_print (certstore);
zcertstore_destroy (&certstore);
// Delete all test files
dir = zdir_new (basedirpath, NULL);
assert (dir);
zdir_remove (dir, true);
zdir_destroy (&dir);
zstr_free (&basedirpath);
zstr_free (&filepath);
#if defined (__WINDOWS__)
zsys_shutdown();
#endif
// @end
printf ("OK\n");
}
///
// Create a new certificate store from a disk directory, loading and
// indexing all certificates in that location. The directory itself may be
// absent, and created later, or modified at any time. The certificate store
// is automatically refreshed on any zcertstore_lookup() call. If the
// location is specified as NULL, creates a pure-memory store, which you
// can work with by inserting certificates at runtime.
QmlZcertstore *QmlZcertstoreAttached::construct (const QString &location) {
QmlZcertstore *qmlSelf = new QmlZcertstore ();
qmlSelf->self = zcertstore_new (location.toUtf8().data());
return qmlSelf;
};
///
// Create a new certificate store from a disk directory, loading and
// indexing all certificates in that location. The directory itself may be
// absent, and created later, or modified at any time. The certificate store
// is automatically refreshed on any zcertstore_lookup() call. If the
// location is specified as NULL, creates a pure-memory store, which you
// can work with by inserting certificates at runtime.
QZcertstore::QZcertstore (const QString &location, QObject *qObjParent) : QObject (qObjParent)
{
this->self = zcertstore_new (location.toUtf8().data());
}
