zauth_t * zauth_new (zctx_t *ctx) { zauth_t *self = (zauth_t *) zmalloc (sizeof (zauth_t)); if (!self) return NULL; // Start background agent and wait for it to initialize assert (ctx); self->pipe = zthread_fork (ctx, s_agent_task, NULL); if (self->pipe) { char *status = zstr_recv (self->pipe); if (strneq (status, "OK")) zauth_destroy (&self); zstr_free (&status); } else { zauth_destroy (&self); } return self; }
int main (void) { // Create context zctx_t *ctx = zctx_new (); // Start an authentication engine for this context. This engine // allows or denies incoming connections (talking to the libzmq // core over a protocol called ZAP). zauth_t *auth = zauth_new (ctx); // Get some indication of what the authenticator is deciding zauth_set_verbose (auth, true); // Whitelist our address; any other address will be rejected zauth_allow (auth, "127.0.0.1"); // Create and bind server socket void *server = zsocket_new (ctx, ZMQ_PUSH); zsocket_set_zap_domain (server, "global"); zsocket_bind (server, "tcp://*:9000"); // Create and connect client socket void *client = zsocket_new (ctx, ZMQ_PULL); zsocket_connect (client, "tcp://127.0.0.1:9000"); // Send a single message from server to client zstr_send (server, "Hello"); char *message = zstr_recv (client); assert (streq (message, "Hello")); free (message); puts ("Strawhouse test OK"); zauth_destroy (&auth); zctx_destroy (&ctx); return 0; }
int zauth_test (bool verbose) { printf (" * zauth: "); #if (ZMQ_VERSION_MAJOR == 4) // @selftest // Create temporary directory for test files # define TESTDIR ".test_zauth" zsys_dir_create (TESTDIR); // Install the authenticator zctx_t *ctx = zctx_new (); zauth_t *auth = zauth_new (ctx); assert (auth); zauth_set_verbose (auth, verbose); // A default NULL connection should always success, and not // go through our authentication infrastructure at all. void *server = zsocket_new (ctx, ZMQ_PUSH); void *client = zsocket_new (ctx, ZMQ_PULL); bool success = s_can_connect (ctx, &server, &client); assert (success); // When we set a domain on the server, we switch on authentication // for NULL sockets, but with no policies, the client connection // will be allowed. zsocket_set_zap_domain (server, "global"); success = s_can_connect (ctx, &server, &client); assert (success); // Blacklist 127.0.0.1, connection should fail zsocket_set_zap_domain (server, "global"); zauth_deny (auth, "127.0.0.1"); success = s_can_connect (ctx, &server, &client); assert (!success); // Whitelist our address, which overrides the blacklist zsocket_set_zap_domain (server, "global"); zauth_allow (auth, "127.0.0.1"); success = s_can_connect (ctx, &server, &client); assert (success); // Try PLAIN authentication zsocket_set_plain_server (server, 1); zsocket_set_plain_username (client, "admin"); zsocket_set_plain_password (client, "Password"); success = s_can_connect (ctx, &server, &client); assert (!success); FILE *password = fopen (TESTDIR "/password-file", "w"); assert (password); fprintf (password, "admin=Password\n"); fclose (password); zsocket_set_plain_server (server, 1); zsocket_set_plain_username (client, "admin"); zsocket_set_plain_password (client, "Password"); zauth_configure_plain (auth, "*", TESTDIR "/password-file"); success = s_can_connect (ctx, &server, &client); assert (success); zsocket_set_plain_server (server, 1); zsocket_set_plain_username (client, "admin"); zsocket_set_plain_password (client, "Bogus"); success = s_can_connect (ctx, &server, &client); assert (!success); # if defined (HAVE_LIBSODIUM) // Try CURVE authentication // We'll create two new certificates and save the client public // certificate on disk; in a real case we'd transfer this securely // from the client machine to the server machine. zcert_t *server_cert = zcert_new (); zcert_t *client_cert = zcert_new (); char *server_key = zcert_public_txt (server_cert); // Test without setting-up any authentication zcert_apply (server_cert, server); zcert_apply (client_cert, client); zsocket_set_curve_server (server, 1); zsocket_set_curve_serverkey (client, server_key); success = s_can_connect (ctx, &server, &client); assert (!success); // Test CURVE_ALLOW_ANY zcert_apply (server_cert, server); zcert_apply (client_cert, client); zsocket_set_curve_server (server, 1); zsocket_set_curve_serverkey (client, server_key); zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY); success = s_can_connect (ctx, &server, &client); assert (success); // Test full client authentication using certificates zcert_apply (server_cert, server); zcert_apply (client_cert, client); zsocket_set_curve_server (server, 1); zsocket_set_curve_serverkey (client, server_key); zcert_save_public (client_cert, TESTDIR "/mycert.txt"); zauth_configure_curve (auth, "*", TESTDIR); success = s_can_connect (ctx, &server, &client); assert (success); zcert_destroy (&server_cert); zcert_destroy (&client_cert); # endif // Remove the authenticator and check a normal connection works zauth_destroy (&auth); success = s_can_connect (ctx, &server, &client); assert (success); zctx_destroy (&ctx); // Delete all test files zdir_t *dir = zdir_new (TESTDIR, NULL); zdir_remove (dir, true); zdir_destroy (&dir); // @end #endif printf ("OK\n"); return 0; }
int zauth_test (bool verbose) { printf (" * zauth: "); #if (ZMQ_VERSION_MAJOR == 4) // @selftest // Create temporary directory for test files # define TESTDIR ".test_zauth" zsys_dir_create (TESTDIR); // Install the authenticator zctx_t *ctx = zctx_new (); zauth_t *auth = zauth_new (ctx); assert (auth); zauth_set_verbose (auth, verbose); // A default NULL connection should always success, and not go through // our authentication infrastructure at all. void *server = zsocket_new (ctx, ZMQ_PUSH); void *client = zsocket_new (ctx, ZMQ_PULL); bool success = s_can_connect (server, client); assert (success); // When we set a domain on the server, we switch on authentication // for NULL sockets, but with no policies, the client connection will // be allowed. // // TODO: libzmq should accept new security options after unbind/bind // but for now we have to create a new server socket each time. server = zsocket_new (ctx, ZMQ_PUSH); zsocket_set_zap_domain (server, "global"); success = s_can_connect (server, client); assert (success); // Blacklist 127.0.0.1, connection should fail zauth_deny (auth, "127.0.0.1"); success = s_can_connect (server, client); assert (!success); // Whitelist our address, which overrides the blacklist zauth_allow (auth, "127.0.0.1"); success = s_can_connect (server, client); assert (success); // Try PLAIN authentication FILE *password = fopen (TESTDIR "/password-file", "w"); assert (password); fprintf (password, "admin=Password\n"); fclose (password); zsocket_set_plain_server (server, 1); zsocket_set_plain_username (client, "admin"); zsocket_set_plain_password (client, "Password"); success = s_can_connect (server, client); assert (!success); zauth_configure_plain (auth, "*", TESTDIR "/password-file"); success = s_can_connect (server, client); assert (success); zsocket_set_plain_password (client, "Bogus"); success = s_can_connect (server, client); assert (!success); # if defined (HAVE_LIBSODIUM) // Try CURVE authentication // We'll create two new certificates and save the client public // certificate on disk; in a real case we'd transfer this securely // from the client machine to the server machine. zcert_t *server_cert = zcert_new (); zcert_apply (server_cert, server); zsocket_set_curve_server (server, 1); zcert_t *client_cert = zcert_new (); zcert_apply (client_cert, client); char *server_key = zcert_public_txt (server_cert); zsocket_set_curve_serverkey (client, server_key); // We've not set-up any authentication, connection will fail success = s_can_connect (server, client); assert (!success); // PH: 2013/09/18 // There's an issue with libzmq where it sometimes fails to // connect even if the ZAP handler allows it. It's timing // dependent, so this is a voodoo hack. To be removed, I've // no idea this even applies to all boxes. sleep (1); // Test CURVE_ALLOW_ANY zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY); success = s_can_connect (server, client); assert (success); // Test full client authentication using certificates zcert_save_public (client_cert, TESTDIR "/mycert.txt"); zauth_configure_curve (auth, "*", TESTDIR); success = s_can_connect (server, client); assert (success); zcert_destroy (&server_cert); zcert_destroy (&client_cert); # endif // Remove the authenticator and check a normal connection works zauth_destroy (&auth); success = s_can_connect (server, client); assert (success); zctx_destroy (&ctx); // Delete all test files zdir_t *dir = zdir_new (TESTDIR, NULL); zdir_remove (dir, true); zdir_destroy (&dir); // @end #endif printf ("OK\n"); return 0; }
void curve_server_test (bool verbose) { printf (" * curve_server: "); // @selftest // Create temporary directory for test files srand (time (NULL)); zsys_dir_create (TESTDIR); zcert_t *server_cert = zcert_new (); zcert_save (server_cert, TESTDIR "/server.cert"); // Install the authenticator zctx_t *ctx = zctx_new (); zauth_t *auth = zauth_new (ctx); assert (auth); zauth_set_verbose (auth, verbose); zauth_configure_curve (auth, "*", TESTDIR); // We'll run a set of clients as background tasks, and the // server in this foreground thread. Don't pass verbose to // the clients as the results are unreadable. int live_clients; for (live_clients = 0; live_clients < 5; live_clients++) zthread_new (client_task, &verbose); curve_server_t *server = curve_server_new (ctx, &server_cert); curve_server_set_verbose (server, verbose); curve_server_bind (server, "tcp://127.0.0.1:9006"); while (live_clients > 0) { zmsg_t *msg = curve_server_recv (server); if (memcmp (zframe_data (zmsg_last (msg)), "END", 3) == 0) live_clients--; curve_server_send (server, &msg); } // Try an invalid client/server combination byte bad_server_key [32] = { 0 }; zcert_t *unknown = zcert_new (); curve_client_t *client = curve_client_new (&unknown); curve_client_set_verbose (client, true); curve_client_connect (client, "tcp://127.0.0.1:9006", bad_server_key); curve_client_sendstr (client, "Hello, World"); // Expect no reply after 250msec zmq_pollitem_t pollitems [] = { { curve_client_handle (client), 0, ZMQ_POLLIN, 0 } }; assert (zmq_poll (pollitems, 1, 250) == 0); curve_client_destroy (&client); // Delete all test files zdir_t *dir = zdir_new (TESTDIR, NULL); zdir_remove (dir, true); zdir_destroy (&dir); curve_server_destroy (&server); zauth_destroy (&auth); zctx_destroy (&ctx); // @end // Ensure client threads have exited before we do zclock_sleep (100); printf ("OK\n"); }
static void * server_task (void *args) { bool verbose = *((bool *) args); // Install the authenticator zctx_t *ctx = zctx_new (); zauth_t *auth = zauth_new (ctx); assert (auth); zauth_set_verbose (auth, verbose); zauth_configure_curve (auth, "*", TESTDIR); void *router = zsocket_new (ctx, ZMQ_ROUTER); int rc = zsocket_bind (router, "tcp://127.0.0.1:9005"); assert (rc != -1); zcert_t *server_cert = zcert_load (TESTDIR "/server.cert"); assert (server_cert); curve_codec_t *server = curve_codec_new_server (server_cert, ctx); assert (server); zcert_destroy (&server_cert); curve_codec_set_verbose (server, verbose); // Set some metadata properties curve_codec_set_metadata (server, "Server", "CURVEZMQ/curve_codec"); // Execute incoming frames until ready or exception // In practice we'd want a server instance per unique client while (!curve_codec_connected (server)) { zframe_t *sender = zframe_recv (router); zframe_t *input = zframe_recv (router); assert (input); zframe_t *output = curve_codec_execute (server, &input); assert (output); zframe_send (&sender, router, ZFRAME_MORE); zframe_send (&output, router, 0); } // Check client metadata char *client_name = (char *) zhash_lookup (curve_codec_metadata (server), "client"); assert (client_name); assert (streq (client_name, "CURVEZMQ/curve_client")); bool finished = false; while (!finished) { // Now act as echo service doing a full decode and encode zframe_t *sender = zframe_recv (router); zframe_t *encrypted = zframe_recv (router); assert (encrypted); zframe_t *cleartext = curve_codec_decode (server, &encrypted); assert (cleartext); if (memcmp (cleartext, "END", 3) == 0) finished = true; // Echo message back encrypted = curve_codec_encode (server, &cleartext); assert (encrypted); zframe_send (&sender, router, ZFRAME_MORE); zframe_send (&encrypted, router, 0); } curve_codec_destroy (&server); zauth_destroy (&auth); zctx_destroy (&ctx); return NULL; }