static zap_request_t *
zap_request_new (void *handler)
{
#if (ZMQ_VERSION_MAJOR == 4)
zap_request_t *self = (zap_request_t *) zmalloc (sizeof (zap_request_t));
if (!self)
return NULL;
// Store handler socket so we can send a reply easily
self->handler = handler;
zmsg_t *request = zmsg_recv (handler);
if (!request) {
zap_request_destroy (&self);
return NULL;
}
// Get all standard frames off the handler socket
self->version = zmsg_popstr (request);
self->sequence = zmsg_popstr (request);
self->domain = zmsg_popstr (request);
self->address = zmsg_popstr (request);
self->identity = zmsg_popstr (request);
self->mechanism = zmsg_popstr (request);
// If the version is wrong, we're linked with a bogus libzmq, so die
assert (streq (self->version, "1.0"));
// Get mechanism-specific frames
if (streq (self->mechanism, "PLAIN")) {
self->username = zmsg_popstr (request);
self->password = zmsg_popstr (request);
}
else
if (streq (self->mechanism, "CURVE")) {
zframe_t *frame = zmsg_pop (request);
assert (zframe_size (frame) == 32);
self->client_key = (char *) zmalloc (41);
zmq_z85_encode (self->client_key, zframe_data (frame), 32);
zframe_destroy (&frame);
}
else
if (streq (self->mechanism, "GSSAPI"))
self->principal = zmsg_popstr (request);
zmsg_destroy (&request);
return self;
#else
return NULL;
#endif
}
static int
s_agent_authenticate (agent_t *self)
{
zap_request_t *request = zap_request_new (self->handler);
if (request) {
// Is address explicitly whitelisted or blacklisted?
bool allowed = false;
bool denied = false;
if (zhash_size (self->whitelist)) {
if (zhash_lookup (self->whitelist, request->address)) {
allowed = true;
if (self->verbose)
printf ("I: PASSED (whitelist) address=%s\n", request->address);
}
else {
denied = true;
if (self->verbose)
printf ("I: DENIED (not in whitelist) address=%s\n", request->address);
}
}
else
if (zhash_size (self->blacklist)) {
if (zhash_lookup (self->blacklist, request->address)) {
denied = true;
if (self->verbose)
printf ("I: DENIED (blacklist) address=%s\n", request->address);
}
else {
allowed = true;
if (self->verbose)
printf ("I: PASSED (not in blacklist) address=%s\n", request->address);
}
}
// Mechanism-specific checks
if (!denied) {
if (streq (request->mechanism, "NULL") && !allowed) {
// For NULL, we allow if the address wasn't blacklisted
if (self->verbose)
printf ("I: ALLOWED (NULL)\n");
allowed = true;
}
else
if (streq (request->mechanism, "PLAIN"))
// For PLAIN, even a whitelisted address must authenticate
allowed = s_authenticate_plain (self, request);
else
if (streq (request->mechanism, "CURVE"))
// For CURVE, even a whitelisted address must authenticate
allowed = s_authenticate_curve (self, request);
}
if (allowed)
zap_request_reply (request, "200", "OK");
else
zap_request_reply (request, "400", "NO ACCESS");
zap_request_destroy (&request);
}
else
zap_request_reply (request, "500", "Internal error");
return 0;
}
