int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not
// go through our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (ctx, &server, &client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection
// will be allowed.
zsocket_set_zap_domain (server, "global");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zsocket_set_zap_domain (server, "global");
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zsocket_set_zap_domain (server, "global");
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (ctx, &server, &client);
assert (success);
// Try PLAIN authentication
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (ctx, &server, &client);
assert (!success);
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (ctx, &server, &client);
assert (success);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (ctx, &server, &client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_t *client_cert = zcert_new ();
char *server_key = zcert_public_txt (server_cert);
// Test without setting-up any authentication
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
success = s_can_connect (ctx, &server, &client);
assert (!success);
// Test CURVE_ALLOW_ANY
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (ctx, &server, &client);
assert (success);
// Test full client authentication using certificates
zcert_apply (server_cert, server);
zcert_apply (client_cert, client);
zsocket_set_curve_server (server, 1);
zsocket_set_curve_serverkey (client, server_key);
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (ctx, &server, &client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (ctx, &server, &client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}
int
zauth_test (bool verbose)
{
printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)
// @selftest
// Create temporary directory for test files
# define TESTDIR ".test_zauth"
zsys_dir_create (TESTDIR);
// Install the authenticator
zctx_t *ctx = zctx_new ();
zauth_t *auth = zauth_new (ctx);
assert (auth);
zauth_set_verbose (auth, verbose);
// A default NULL connection should always success, and not go through
// our authentication infrastructure at all.
void *server = zsocket_new (ctx, ZMQ_PUSH);
void *client = zsocket_new (ctx, ZMQ_PULL);
bool success = s_can_connect (server, client);
assert (success);
// When we set a domain on the server, we switch on authentication
// for NULL sockets, but with no policies, the client connection will
// be allowed.
//
// TODO: libzmq should accept new security options after unbind/bind
// but for now we have to create a new server socket each time.
server = zsocket_new (ctx, ZMQ_PUSH);
zsocket_set_zap_domain (server, "global");
success = s_can_connect (server, client);
assert (success);
// Blacklist 127.0.0.1, connection should fail
zauth_deny (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (!success);
// Whitelist our address, which overrides the blacklist
zauth_allow (auth, "127.0.0.1");
success = s_can_connect (server, client);
assert (success);
// Try PLAIN authentication
FILE *password = fopen (TESTDIR "/password-file", "w");
assert (password);
fprintf (password, "admin=Password\n");
fclose (password);
zsocket_set_plain_server (server, 1);
zsocket_set_plain_username (client, "admin");
zsocket_set_plain_password (client, "Password");
success = s_can_connect (server, client);
assert (!success);
zauth_configure_plain (auth, "*", TESTDIR "/password-file");
success = s_can_connect (server, client);
assert (success);
zsocket_set_plain_password (client, "Bogus");
success = s_can_connect (server, client);
assert (!success);
# if defined (HAVE_LIBSODIUM)
// Try CURVE authentication
// We'll create two new certificates and save the client public
// certificate on disk; in a real case we'd transfer this securely
// from the client machine to the server machine.
zcert_t *server_cert = zcert_new ();
zcert_apply (server_cert, server);
zsocket_set_curve_server (server, 1);
zcert_t *client_cert = zcert_new ();
zcert_apply (client_cert, client);
char *server_key = zcert_public_txt (server_cert);
zsocket_set_curve_serverkey (client, server_key);
// We've not set-up any authentication, connection will fail
success = s_can_connect (server, client);
assert (!success);
// PH: 2013/09/18
// There's an issue with libzmq where it sometimes fails to
// connect even if the ZAP handler allows it. It's timing
// dependent, so this is a voodoo hack. To be removed, I've
// no idea this even applies to all boxes.
sleep (1);
// Test CURVE_ALLOW_ANY
zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
success = s_can_connect (server, client);
assert (success);
// Test full client authentication using certificates
zcert_save_public (client_cert, TESTDIR "/mycert.txt");
zauth_configure_curve (auth, "*", TESTDIR);
success = s_can_connect (server, client);
assert (success);
zcert_destroy (&server_cert);
zcert_destroy (&client_cert);
# endif
// Remove the authenticator and check a normal connection works
zauth_destroy (&auth);
success = s_can_connect (server, client);
assert (success);
zctx_destroy (&ctx);
// Delete all test files
zdir_t *dir = zdir_new (TESTDIR, NULL);
zdir_remove (dir, true);
zdir_destroy (&dir);
// @end
#endif
printf ("OK\n");
return 0;
}