示例#1
0
zauth_t *
zauth_new (zctx_t *ctx)
{
    zauth_t *self = (zauth_t *) zmalloc (sizeof (zauth_t));
    if (!self)
        return NULL;

    //  Start background agent and wait for it to initialize
    assert (ctx);
    self->pipe = zthread_fork (ctx, s_agent_task, NULL);
    if (self->pipe) {
        char *status = zstr_recv (self->pipe);
        if (strneq (status, "OK"))
            zauth_destroy (&self);
        zstr_free (&status);
    }
    else {
        zauth_destroy (&self);
    }
    return self;
}
示例#2
0
int main (void)
{
    //  Create context
    zctx_t *ctx = zctx_new ();

    //  Start an authentication engine for this context. This engine
    //  allows or denies incoming connections (talking to the libzmq
    //  core over a protocol called ZAP).
    zauth_t *auth = zauth_new (ctx);

    //  Get some indication of what the authenticator is deciding
    zauth_set_verbose (auth, true);

    //  Whitelist our address; any other address will be rejected
    zauth_allow (auth, "127.0.0.1");

    //  Create and bind server socket
    void *server = zsocket_new (ctx, ZMQ_PUSH);
    zsocket_set_zap_domain (server, "global");
    zsocket_bind (server, "tcp://*:9000");

    //  Create and connect client socket
    void *client = zsocket_new (ctx, ZMQ_PULL);
    zsocket_connect (client, "tcp://127.0.0.1:9000");

    //  Send a single message from server to client
    zstr_send (server, "Hello");
    char *message = zstr_recv (client);
    assert (streq (message, "Hello"));
    free (message);
    puts ("Strawhouse test OK");

    zauth_destroy (&auth);
    zctx_destroy (&ctx);
    return 0;
}
示例#3
0
int
zauth_test (bool verbose)
{
    printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)

    //  @selftest
    //  Create temporary directory for test files
#   define TESTDIR ".test_zauth"
    zsys_dir_create (TESTDIR);
    
    //  Install the authenticator
    zctx_t *ctx = zctx_new ();
    zauth_t *auth = zauth_new (ctx);
    assert (auth);
    zauth_set_verbose (auth, verbose);
    
    //  A default NULL connection should always success, and not 
    //  go through our authentication infrastructure at all.
    void *server = zsocket_new (ctx, ZMQ_PUSH);
    void *client = zsocket_new (ctx, ZMQ_PULL);
    bool success = s_can_connect (ctx, &server, &client);
    assert (success);
    
    //  When we set a domain on the server, we switch on authentication
    //  for NULL sockets, but with no policies, the client connection 
    //  will be allowed.
    zsocket_set_zap_domain (server, "global");
    success = s_can_connect (ctx, &server, &client);
    assert (success);
    
    //  Blacklist 127.0.0.1, connection should fail
    zsocket_set_zap_domain (server, "global");
    zauth_deny (auth, "127.0.0.1");
    success = s_can_connect (ctx, &server, &client);
    assert (!success);

    //  Whitelist our address, which overrides the blacklist
    zsocket_set_zap_domain (server, "global");
    zauth_allow (auth, "127.0.0.1");
    success = s_can_connect (ctx, &server, &client);
    assert (success);

    //  Try PLAIN authentication
    zsocket_set_plain_server (server, 1);
    zsocket_set_plain_username (client, "admin");
    zsocket_set_plain_password (client, "Password");
    success = s_can_connect (ctx, &server, &client);
    assert (!success);
    
    FILE *password = fopen (TESTDIR "/password-file", "w");
    assert (password);
    fprintf (password, "admin=Password\n");
    fclose (password);
    zsocket_set_plain_server (server, 1);
    zsocket_set_plain_username (client, "admin");
    zsocket_set_plain_password (client, "Password");
    zauth_configure_plain (auth, "*", TESTDIR "/password-file");
    success = s_can_connect (ctx, &server, &client);
    assert (success);

    zsocket_set_plain_server (server, 1);
    zsocket_set_plain_username (client, "admin");
    zsocket_set_plain_password (client, "Bogus");
    success = s_can_connect (ctx, &server, &client);
    assert (!success);

#   if defined (HAVE_LIBSODIUM)
    //  Try CURVE authentication
    //  We'll create two new certificates and save the client public
    //  certificate on disk; in a real case we'd transfer this securely
    //  from the client machine to the server machine.
    zcert_t *server_cert = zcert_new ();
    zcert_t *client_cert = zcert_new ();
    char *server_key = zcert_public_txt (server_cert);
    
    //  Test without setting-up any authentication
    zcert_apply (server_cert, server);
    zcert_apply (client_cert, client);
    zsocket_set_curve_server (server, 1);
    zsocket_set_curve_serverkey (client, server_key);
    success = s_can_connect (ctx, &server, &client);
    assert (!success);

    //  Test CURVE_ALLOW_ANY
    zcert_apply (server_cert, server);
    zcert_apply (client_cert, client);
    zsocket_set_curve_server (server, 1);
    zsocket_set_curve_serverkey (client, server_key);
    zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
    success = s_can_connect (ctx, &server, &client);
    assert (success);

    //  Test full client authentication using certificates
    zcert_apply (server_cert, server);
    zcert_apply (client_cert, client);
    zsocket_set_curve_server (server, 1);
    zsocket_set_curve_serverkey (client, server_key);
    zcert_save_public (client_cert, TESTDIR "/mycert.txt");
    zauth_configure_curve (auth, "*", TESTDIR);
    success = s_can_connect (ctx, &server, &client);
    assert (success);
    
    zcert_destroy (&server_cert);
    zcert_destroy (&client_cert);
#   endif

    //  Remove the authenticator and check a normal connection works
    zauth_destroy (&auth);
    success = s_can_connect (ctx, &server, &client);
    assert (success);

    zctx_destroy (&ctx);
    
    //  Delete all test files
    zdir_t *dir = zdir_new (TESTDIR, NULL);
    zdir_remove (dir, true);
    zdir_destroy (&dir);
    //  @end
#endif    

    printf ("OK\n");
    return 0;
}
示例#4
0
int
zauth_test (bool verbose)
{
    printf (" * zauth: ");
#if (ZMQ_VERSION_MAJOR == 4)

    //  @selftest
    //  Create temporary directory for test files
#   define TESTDIR ".test_zauth"
    zsys_dir_create (TESTDIR);
    
    //  Install the authenticator
    zctx_t *ctx = zctx_new ();
    zauth_t *auth = zauth_new (ctx);
    assert (auth);
    zauth_set_verbose (auth, verbose);
    
    //  A default NULL connection should always success, and not go through
    //  our authentication infrastructure at all.
    void *server = zsocket_new (ctx, ZMQ_PUSH);
    void *client = zsocket_new (ctx, ZMQ_PULL);
    bool success = s_can_connect (server, client);
    assert (success);
    
    //  When we set a domain on the server, we switch on authentication 
    //  for NULL sockets, but with no policies, the client connection will 
    //  be allowed.
    //
    //  TODO: libzmq should accept new security options after unbind/bind
    //  but for now we have to create a new server socket each time.
    server = zsocket_new (ctx, ZMQ_PUSH);
    zsocket_set_zap_domain (server, "global");
    success = s_can_connect (server, client);
    assert (success);
        
    //  Blacklist 127.0.0.1, connection should fail
    zauth_deny (auth, "127.0.0.1");
    success = s_can_connect (server, client);
    assert (!success);
    
    //  Whitelist our address, which overrides the blacklist
    zauth_allow (auth, "127.0.0.1");
    success = s_can_connect (server, client);
    assert (success);

    //  Try PLAIN authentication
    FILE *password = fopen (TESTDIR "/password-file", "w");
    assert (password);
    fprintf (password, "admin=Password\n");
    fclose (password);
    
    zsocket_set_plain_server (server, 1);
    zsocket_set_plain_username (client, "admin");
    zsocket_set_plain_password (client, "Password");
    success = s_can_connect (server, client);
    assert (!success);

    zauth_configure_plain (auth, "*", TESTDIR "/password-file");
    success = s_can_connect (server, client);
    assert (success);

    zsocket_set_plain_password (client, "Bogus");
    success = s_can_connect (server, client);
    assert (!success);

#   if defined (HAVE_LIBSODIUM)
    //  Try CURVE authentication
    //  We'll create two new certificates and save the client public 
    //  certificate on disk; in a real case we'd transfer this securely
    //  from the client machine to the server machine.
    zcert_t *server_cert = zcert_new ();
    zcert_apply (server_cert, server);
    zsocket_set_curve_server (server, 1);

    zcert_t *client_cert = zcert_new ();
    zcert_apply (client_cert, client);
    char *server_key = zcert_public_txt (server_cert);
    zsocket_set_curve_serverkey (client, server_key);

    //  We've not set-up any authentication, connection will fail
    success = s_can_connect (server, client);
    assert (!success);

    //  PH: 2013/09/18
    //  There's an issue with libzmq where it sometimes fails to 
    //  connect even if the ZAP handler allows it. It's timing
    //  dependent, so this is a voodoo hack. To be removed, I've
    //  no idea this even applies to all boxes.
    sleep (1);

    //  Test CURVE_ALLOW_ANY
    zauth_configure_curve (auth, "*", CURVE_ALLOW_ANY);
    success = s_can_connect (server, client);
    assert (success);
    
    //  Test full client authentication using certificates
    zcert_save_public (client_cert, TESTDIR "/mycert.txt");
    zauth_configure_curve (auth, "*", TESTDIR);
    success = s_can_connect (server, client);
    assert (success);
    zcert_destroy (&server_cert);
    zcert_destroy (&client_cert);
#   endif

    //  Remove the authenticator and check a normal connection works
    zauth_destroy (&auth);
    success = s_can_connect (server, client);
    assert (success);

    zctx_destroy (&ctx);
    
    //  Delete all test files
    zdir_t *dir = zdir_new (TESTDIR, NULL);
    zdir_remove (dir, true);
    zdir_destroy (&dir);
    //  @end
#endif    

    printf ("OK\n");
    return 0;
}
示例#5
0
void
curve_server_test (bool verbose)
{
    printf (" * curve_server: ");

    //  @selftest
    //  Create temporary directory for test files
    srand (time (NULL));
    zsys_dir_create (TESTDIR);
    
    zcert_t *server_cert = zcert_new ();
    zcert_save (server_cert, TESTDIR "/server.cert");

    //  Install the authenticator
    zctx_t *ctx = zctx_new ();
    zauth_t *auth = zauth_new (ctx);
    assert (auth);
    zauth_set_verbose (auth, verbose);
    zauth_configure_curve (auth, "*", TESTDIR);

    //  We'll run a set of clients as background tasks, and the
    //  server in this foreground thread. Don't pass verbose to
    //  the clients as the results are unreadable.
    int live_clients;
    for (live_clients = 0; live_clients < 5; live_clients++)
        zthread_new (client_task, &verbose);

    curve_server_t *server = curve_server_new (ctx, &server_cert);
    curve_server_set_verbose (server, verbose);
    curve_server_bind (server, "tcp://127.0.0.1:9006");
    
    while (live_clients > 0) {
        zmsg_t *msg = curve_server_recv (server);
        if (memcmp (zframe_data (zmsg_last (msg)), "END", 3) == 0)
            live_clients--;
        curve_server_send (server, &msg);
    }

    //  Try an invalid client/server combination
    byte bad_server_key [32] = { 0 };
    zcert_t *unknown = zcert_new ();
    curve_client_t *client = curve_client_new (&unknown);
    curve_client_set_verbose (client, true);
    curve_client_connect (client, "tcp://127.0.0.1:9006", bad_server_key);
    curve_client_sendstr (client, "Hello, World");

    //  Expect no reply after 250msec
    zmq_pollitem_t pollitems [] = {
        { curve_client_handle (client), 0, ZMQ_POLLIN, 0 }
    };
    assert (zmq_poll (pollitems, 1, 250) == 0);
    curve_client_destroy (&client);

    //  Delete all test files
    zdir_t *dir = zdir_new (TESTDIR, NULL);
    zdir_remove (dir, true);
    zdir_destroy (&dir);

    curve_server_destroy (&server);
    zauth_destroy (&auth);
    zctx_destroy (&ctx);
    //  @end
   
    //  Ensure client threads have exited before we do
    zclock_sleep (100);
    printf ("OK\n");
}
示例#6
0
static void *
server_task (void *args)
{
    bool verbose = *((bool *) args);

    //  Install the authenticator
    zctx_t *ctx = zctx_new ();
    zauth_t *auth = zauth_new (ctx);
    assert (auth);
    zauth_set_verbose (auth, verbose);
    zauth_configure_curve (auth, "*", TESTDIR);

    void *router = zsocket_new (ctx, ZMQ_ROUTER);
    int rc = zsocket_bind (router, "tcp://127.0.0.1:9005");
    assert (rc != -1);

    zcert_t *server_cert = zcert_load (TESTDIR "/server.cert");
    assert (server_cert);
    curve_codec_t *server = curve_codec_new_server (server_cert, ctx);
    assert (server);
    zcert_destroy (&server_cert);
    curve_codec_set_verbose (server, verbose);

    //  Set some metadata properties
    curve_codec_set_metadata (server, "Server", "CURVEZMQ/curve_codec");

    //  Execute incoming frames until ready or exception
    //  In practice we'd want a server instance per unique client
    while (!curve_codec_connected (server)) {
        zframe_t *sender = zframe_recv (router);
        zframe_t *input = zframe_recv (router);
        assert (input);
        zframe_t *output = curve_codec_execute (server, &input);
        assert (output);
        zframe_send (&sender, router, ZFRAME_MORE);
        zframe_send (&output, router, 0);
    }
    //  Check client metadata
    char *client_name = (char *) zhash_lookup (curve_codec_metadata (server), "client");
    assert (client_name);
    assert (streq (client_name, "CURVEZMQ/curve_client"));

    bool finished = false;
    while (!finished) {
        //  Now act as echo service doing a full decode and encode
        zframe_t *sender = zframe_recv (router);
        zframe_t *encrypted = zframe_recv (router);
        assert (encrypted);
        zframe_t *cleartext = curve_codec_decode (server, &encrypted);
        assert (cleartext);
        if (memcmp (cleartext, "END", 3) == 0)
            finished = true;
        //  Echo message back
        encrypted = curve_codec_encode (server, &cleartext);
        assert (encrypted);
        zframe_send (&sender, router, ZFRAME_MORE);
        zframe_send (&encrypted, router, 0);
    }
    curve_codec_destroy (&server);
    zauth_destroy (&auth);
    zctx_destroy (&ctx);
    return NULL;
}