static zap_request_t * zap_request_new (void *handler) { #if (ZMQ_VERSION_MAJOR == 4) zap_request_t *self = (zap_request_t *) zmalloc (sizeof (zap_request_t)); if (!self) return NULL; // Store handler socket so we can send a reply easily self->handler = handler; zmsg_t *request = zmsg_recv (handler); if (!request) { zap_request_destroy (&self); return NULL; } // Get all standard frames off the handler socket self->version = zmsg_popstr (request); self->sequence = zmsg_popstr (request); self->domain = zmsg_popstr (request); self->address = zmsg_popstr (request); self->identity = zmsg_popstr (request); self->mechanism = zmsg_popstr (request); // If the version is wrong, we're linked with a bogus libzmq, so die assert (streq (self->version, "1.0")); // Get mechanism-specific frames if (streq (self->mechanism, "PLAIN")) { self->username = zmsg_popstr (request); self->password = zmsg_popstr (request); } else if (streq (self->mechanism, "CURVE")) { zframe_t *frame = zmsg_pop (request); assert (zframe_size (frame) == 32); self->client_key = (char *) zmalloc (41); zmq_z85_encode (self->client_key, zframe_data (frame), 32); zframe_destroy (&frame); } else if (streq (self->mechanism, "GSSAPI")) self->principal = zmsg_popstr (request); zmsg_destroy (&request); return self; #else return NULL; #endif }
static int s_agent_authenticate (agent_t *self) { zap_request_t *request = zap_request_new (self->handler); if (request) { // Is address explicitly whitelisted or blacklisted? bool allowed = false; bool denied = false; if (zhash_size (self->whitelist)) { if (zhash_lookup (self->whitelist, request->address)) { allowed = true; if (self->verbose) printf ("I: PASSED (whitelist) address=%s\n", request->address); } else { denied = true; if (self->verbose) printf ("I: DENIED (not in whitelist) address=%s\n", request->address); } } else if (zhash_size (self->blacklist)) { if (zhash_lookup (self->blacklist, request->address)) { denied = true; if (self->verbose) printf ("I: DENIED (blacklist) address=%s\n", request->address); } else { allowed = true; if (self->verbose) printf ("I: PASSED (not in blacklist) address=%s\n", request->address); } } // Mechanism-specific checks if (!denied) { if (streq (request->mechanism, "NULL") && !allowed) { // For NULL, we allow if the address wasn't blacklisted if (self->verbose) printf ("I: ALLOWED (NULL)\n"); allowed = true; } else if (streq (request->mechanism, "PLAIN")) // For PLAIN, even a whitelisted address must authenticate allowed = s_authenticate_plain (self, request); else if (streq (request->mechanism, "CURVE")) // For CURVE, even a whitelisted address must authenticate allowed = s_authenticate_curve (self, request); } if (allowed) zap_request_reply (request, "200", "OK"); else zap_request_reply (request, "400", "NO ACCESS"); zap_request_destroy (&request); } else zap_request_reply (request, "500", "Internal error"); return 0; }