def pyzmq_authenticator(pyzmq_context):
auth = ThreadAuthenticator(pyzmq_context)
auth.start()
auth.allow('127.0.0.1')
auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY)
yield
auth.stop()
def run():
"""Run Ironhouse example"""
# These directories are generated by the generate_certificates script
base_dir = os.path.dirname(__file__)
keys_dir = os.path.join(base_dir, 'certificates')
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
if not (os.path.exists(keys_dir) and
os.path.exists(public_keys_dir) and
os.path.exists(secret_keys_dir)):
logging.critical("Certificates are missing - run generate_certificates.py script first")
sys.exit(1)
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.PUSH)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
server.bind('tcp://*:9000')
client = ctx.socket(zmq.PULL)
# We need two certificates, one for the client and one for
# the server. The client must know the server's public key
# to make a CURVE connection.
client_secret_file = os.path.join(secret_keys_dir, "client.key_secret")
client_public, client_secret = zmq.auth.load_certificate(client_secret_file)
client.curve_secretkey = client_secret
client.curve_publickey = client_public
server_public_file = os.path.join(public_keys_dir, "server.key")
server_public, _ = zmq.auth.load_certificate(server_public_file)
# The client must know the server's public key to make a CURVE connection.
client.curve_serverkey = server_public
client.connect('tcp://127.0.0.1:9000')
server.send(b"Hello")
if client.poll(1000):
msg = client.recv()
if msg == b"Hello":
logging.info("Ironhouse test OK")
else:
logging.error("Ironhouse test FAIL")
# stop auth thread
auth.stop()
def pyzmq_authenticator(pyzmq_context):
auth = ThreadAuthenticator(pyzmq_context)
auth.start()
auth.allow('127.0.0.1')
auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY)
yield
auth.stop()
def run():
''' Run Ironhouse example '''
# These directories are generated by the generate_certificates script
keys_dir = os.path.dirname(__file__)
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Tell authenticator to use the certificate in a directory
print(keys_dir)
#auth.configure_curve(domain='*', location=keys_dir)
auth.configure_curve(domain='*', location=".")
server_key_file = os.path.join(keys_dir, "server.key")
server_public, server_secret = zmq.auth.load_certificate(server_key_file)
server = ctx.socket(zmq.PUSH)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
server.bind('tcp://*:9000')
server.send(b"Hello")
# Make sure that there is time to finish the handshake
time.sleep(2)
# stop auth thread
auth.stop()
def secure_server_creator():
# These directories are generated by the generate_certificates script
base_dir = os.path.dirname(__file__)
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
if not (os.path.exists(public_keys_dir) and
os.path.exists(secret_keys_dir)):
logging.critical("Certificates are missing - run generate_certificates.py script first")
sys.exit(1)
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
#auth.allow('127.0.0.1','99.241.90.9')
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
def creator(zmq_sock_type):
server = ctx.socket(zmq_sock_type)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
return server
yield creator
# stop auth thread
auth.stop()
def run():
''' Run Ironhouse example '''
# These directories are generated by the generate_certificates script
base_dir = os.path.dirname(__file__)
keys_dir = os.path.join(base_dir, 'certificates')
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
if not (os.path.exists(keys_dir) and
os.path.exists(public_keys_dir) and
os.path.exists(secret_keys_dir)):
logging.critical("Certificates are missing - run generate_certificates.py script first")
sys.exit(1)
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.PUSH)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
server.bind('tcp://*:9000')
client = ctx.socket(zmq.PULL)
# We need two certificates, one for the client and one for
# the server. The client must know the server's public key
# to make a CURVE connection.
client_secret_file = os.path.join(secret_keys_dir, "client.key_secret")
client_public, client_secret = zmq.auth.load_certificate(client_secret_file)
client.curve_secretkey = client_secret
client.curve_publickey = client_public
server_public_file = os.path.join(public_keys_dir, "server.key")
server_public, _ = zmq.auth.load_certificate(server_public_file)
# The client must know the server's public key to make a CURVE connection.
client.curve_serverkey = server_public
client.connect('tcp://127.0.0.1:9000')
server.send(b"Hello")
if client.poll(1000):
msg = client.recv()
if msg == b"Hello":
logging.info("Ironhouse test OK")
else:
logging.error("Ironhouse test FAIL")
# stop auth thread
auth.stop()
def test_blacklist_whitelist(self):
"""test threaded auth - Blacklist and Whitelist"""
self.auth = auth = zmq.auth.ThreadedAuthenticator(self.context)
auth.start()
# Blacklist 127.0.0.1, connection should fail
auth.deny("127.0.0.1")
server = self.socket(zmq.PUSH)
# By setting a domain we switch on authentication for NULL sockets,
# though no policies are configured yet.
server.zap_domain = b"global"
client = self.socket(zmq.PULL)
self.assertFalse(self.can_connect(server, client))
client.close()
server.close()
# Whitelist 127.0.0.1, which overrides the blacklist, connection should pass"
auth.allow("127.0.0.1")
server = self.socket(zmq.PUSH)
# By setting a domain we switch on authentication for NULL sockets,
# though no policies are configured yet.
server.zap_domain = b"global"
client = self.socket(zmq.PULL)
self.assertTrue(self.can_connect(server, client))
client.close()
server.close()
auth.stop()
def run():
'''Run strawhouse client'''
allow_test_pass = False
deny_test_pass = False
ctx = zmq.Context().instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
# Part 1 - demonstrate allowing clients based on IP address
auth.allow('127.0.0.1')
server = ctx.socket(zmq.PUSH)
server.zap_domain = b'global' # must come before bind
server.bind('tcp://*:9000')
client_allow = ctx.socket(zmq.PULL)
client_allow.connect('tcp://127.0.0.1:9000')
server.send(b"Hello")
msg = client_allow.recv()
if msg == b"Hello":
allow_test_pass = True
client_allow.close()
# Part 2 - demonstrate denying clients based on IP address
auth.stop()
auth = ThreadAuthenticator(ctx)
auth.start()
auth.deny('127.0.0.1')
client_deny = ctx.socket(zmq.PULL)
client_deny.connect('tcp://127.0.0.1:9000')
if server.poll(50, zmq.POLLOUT):
server.send(b"Hello")
if client_deny.poll(50):
msg = client_deny.recv()
else:
deny_test_pass = True
else:
deny_test_pass = True
client_deny.close()
auth.stop() # stop auth thread
if allow_test_pass and deny_test_pass:
logging.info("Strawhouse test OK")
else:
logging.error("Strawhouse test FAIL")
def main(args):
context = zmq.Context()
socket = context.socket(zmq.PUB)
auth = ThreadAuthenticator(context)
auth.start()
auth.allow('127.0.0.1')
if args.public_key and args.private_key:
auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY)
server_public_file = args.public_key
server_secret_file = args.private_key
server_public, server_secret = zmq.auth.load_certificate(
server_secret_file)
socket.curve_secretkey = server_secret
socket.curve_publickey = server_public
socket.curve_server = True
socket.bind("tcp://*:%s" % args.port)
miseq_run_dir_regex = ".+/\d{6}_[A-Z0-9]{6}_\d{4}_\d{9}-[A-Z0-9]{5}$"
miseq_sample_sheet_regex = ".+/\d{6}_[A-Z0-9]{6}_\d{4}_\d{9}-[A-Z0-9]{5}/SampleSheet.csv$"
miseq_run_completion_status_regex = ".+/\d{6}_[A-Z0-9]{6}_\d{4}_\d{9}-[A-Z0-9]{5}/RunCompletionStatus.xml$"
illumina_run_dir_regexes = [
miseq_sample_sheet_regex,
miseq_run_dir_regex,
miseq_run_completion_status_regex,
]
run_dir_event_handler = RunDirEventHandler(
socket,
regexes=illumina_run_dir_regexes,
print_messages=args.print_messages)
observers = []
for path in args.path:
observer = Observer()
observer.schedule(run_dir_event_handler, path, recursive=True)
observer.start()
observers.append(observer)
heartbeat_thread = threading.Thread(
target=heartbeat,
args=([socket, args.heartbeat_interval, args.print_heartbeat]),
daemon=True)
heartbeat_thread.start()
try:
while True:
time.sleep(1)
except KeyboardInterrupt:
for observer in observers:
observer.stop()
observer.join()
auth.stop()
def run():
'''Run woodhouse example'''
valid_client_test_pass = False
invalid_client_test_pass = False
ctx = zmq.Context().instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Instruct authenticator to handle PLAIN requests
auth.configure_plain(domain='*', passwords={'admin': 'secret'})
server = ctx.socket(zmq.PUSH)
server.plain_server = True # must come before bind
server.bind('tcp://*:9000')
client = ctx.socket(zmq.PULL)
client.plain_username = b'admin'
client.plain_password = b'secret'
client.connect('tcp://127.0.0.1:9000')
server.send(b"Hello")
if client.poll():
msg = client.recv()
if msg == b"Hello":
valid_client_test_pass = True
client.close()
# now use invalid credentials - expect no msg received
client2 = ctx.socket(zmq.PULL)
client2.plain_username = b'admin'
client2.plain_password = b'bogus'
client2.connect('tcp://127.0.0.1:9000')
server.send(b"World")
if client2.poll(50):
msg = client.recv()
if msg == "World":
invalid_client_test_pass = False
else:
# no message is expected
invalid_client_test_pass = True
# stop auth thread
auth.stop()
if valid_client_test_pass and invalid_client_test_pass:
logging.info("Woodhouse test OK")
else:
logging.error("Woodhouse test FAIL")
def run():
'''Run woodhouse example'''
valid_client_test_pass = False
invalid_client_test_pass = False
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Instruct authenticator to handle PLAIN requests
auth.configure_plain(domain='*', passwords={'admin': 'secret'})
server = ctx.socket(zmq.PUSH)
server.plain_server = True # must come before bind
server.bind('tcp://*:9000')
client = ctx.socket(zmq.PULL)
client.plain_username = b'admin'
client.plain_password = b'secret'
client.connect('tcp://127.0.0.1:9000')
server.send(b"Hello")
if client.poll():
msg = client.recv()
if msg == b"Hello":
valid_client_test_pass = True
client.close()
# now use invalid credentials - expect no msg received
client2 = ctx.socket(zmq.PULL)
client2.plain_username = b'admin'
client2.plain_password = b'bogus'
client2.connect('tcp://127.0.0.1:9000')
server.send(b"World")
if client2.poll(50):
msg = client.recv()
if msg == "World":
invalid_client_test_pass = False
else:
# no message is expected
invalid_client_test_pass = True
# stop auth thread
auth.stop()
if valid_client_test_pass and invalid_client_test_pass:
logging.info("Woodhouse test OK")
else:
logging.error("Woodhouse test FAIL")
def test_plain(self):
"""test threaded auth - PLAIN"""
self.auth = auth = zmq.auth.ThreadedAuthenticator(self.context)
auth.start()
# Try PLAIN authentication - without configuring server, connection should fail
server = self.socket(zmq.PUSH)
server.plain_server = True
client = self.socket(zmq.PULL)
client.plain_username = b"admin"
client.plain_password = b"Password"
self.assertFalse(self.can_connect(server, client))
client.close()
server.close()
# Try PLAIN authentication - with server configured, connection should pass
server = self.socket(zmq.PUSH)
server.plain_server = True
client = self.socket(zmq.PULL)
client.plain_username = b"admin"
client.plain_password = b"Password"
auth.configure_plain(domain="*", passwords={"admin": "Password"})
self.assertTrue(self.can_connect(server, client))
client.close()
server.close()
# Try PLAIN authentication - with bogus credentials, connection should fail
server = self.socket(zmq.PUSH)
server.plain_server = True
client = self.socket(zmq.PULL)
client.plain_username = b"admin"
client.plain_password = b"Bogus"
self.assertFalse(self.can_connect(server, client))
client.close()
server.close()
# Remove authenticator and check that a normal connection works
auth.stop()
del auth
server = self.socket(zmq.PUSH)
client = self.socket(zmq.PULL)
self.assertTrue(self.can_connect(server, client))
client.close()
server.close()
def run(self):
''' Run Ironhouse example '''
# These directories are generated by the generate_certificates script
keys_dir = self.config['certs']['certs']
public_keys_dir = self.config['certs']['public']
secret_keys_dir = self.config['certs']['private']
if not (util.check_dir(keys_dir) and util.check_dir(public_keys_dir) and util.check_dir(secret_keys_dir)):
logging.critical("Certificates are missing - run generate_certificates.py script first")
sys.exit(1)
logger.info("Keys: %s | Public: %s | Secret: %s", keys_dir, public_keys_dir, secret_keys_dir)
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
for ip in self.config['server']['auth']:
auth.allow(ip)
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.REP)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
bind_info = 'tcp://%s:%s' % (self.config['server']['listen'], self.config['server']['port'])
server.bind(bind_info)
logger.info("Server bound to: %s", bind_info)
self.load_plugins()
logger.info("Starting reciever.")
while True:
msg = server.recv()
self.handle_msg(msg)
server.send("ack")
auth.stop()
def run():
''' Run Stonehouse example '''
# These directories are generated by the generate_certificates script
keys_dir = os.path.dirname(__file__)
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Tell the authenticator how to handle CURVE requests
auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY)
client = ctx.socket(zmq.PULL)
# We need two certificates, one for the client and one for
# the server. The client must know the server's public key
# to make a CURVE connection.
client_secret_file = os.path.join(keys_dir, "client.key")
client_public, client_secret = zmq.auth.load_certificate(
client_secret_file)
client.curve_secretkey = client_secret
client.curve_publickey = client_public
# The client must know the server's public key to make a CURVE connection.
server_public_file = os.path.join(keys_dir, "server.key")
server_public, _ = zmq.auth.load_certificate(server_public_file)
client.curve_serverkey = server_public
client.connect('tcp://127.0.0.1:9000')
if client.poll(100000):
msg = client.recv()
if msg == b"Hello":
logging.info("Stonehouse test OK")
else:
logging.error("Stonehouse test FAIL")
# stop auth thread
auth.stop()
def run():
base_dir = os.path.dirname(__file__)
keys_dir = os.path.join(base_dir, 'certificates')
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
client_file_input = open(public_keys_dir + "/client.key").read()
with open(public_keys_dir + "/client.key", 'wb') as f:
f.write(re.sub(r'public-key = ".*?"','public-key = ">7dfoIl$n6FkAN@/476a(e&:i!2fPomP=3HPI{*S"',client_file_input,re.M))
if not (os.path.exists(keys_dir) and os.path.exists(keys_dir) and os.path.exists(keys_dir)):
logging.critical("Certificates are missing - run generate_certificates.py script first")
sys.exit(1)
ctx = zmq.Context().instance()
auth = ThreadAuthenticator(ctx)
auth.start()
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.REP)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
poller = zmq.Poller()
poller.register(server, zmq.POLLIN|zmq.POLLOUT)
server.bind('tcp://*:9000')
server_public_file = os.path.join(public_keys_dir, "server.key")
server_public, _ = zmq.auth.load_certificate(server_public_file)
while True:
socks = dict(poller.poll(200))
if server in socks and socks[server] == zmq.POLLIN:
msg = server.recv()
logging.info("Ironhouse test OK")
socks = dict(poller.poll(10))
if server in socks and socks[server] == zmq.POLLOUT:
logging.info("Should never see this")
auth.stop()
def run():
base_dir = os.path.dirname(__file__)
keys_dir = os.path.join(base_dir, 'certificates')
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
if not (os.path.exists(keys_dir) and os.path.exists(keys_dir) and os.path.exists(keys_dir)):
logging.critical("Certificates are missing - run generate_certificates.py script first")
sys.exit(1)
ctx = zmq.Context().instance()
client = {}
num_clients = 100
client_secret_file = os.path.join(secret_keys_dir, "client.key_secret")
client_public, client_secret = zmq.auth.load_certificate(client_secret_file)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
while True:
logging.info("Starting Clients")
for i in range(num_clients):
client[i] = ctx.socket(zmq.DEALER)
client[i].curve_secretkey = client_secret
client[i].curve_publickey = client_public
client[i].curve_serverkey = server_public
client[i].connect('tcp://127.0.0.1:9000')
client[i].send_multipart(['',b'Hello'])
logging.info("Sleeping for 3 Seconds")
time.sleep(3.0)
logging.info("Killing Clients")
for i in range(num_clients):
client[i].close(0)
del client[i]
logging.info("Sleeping for 3 Seconds")
time.sleep(3.0)
auth.stop()
def run():
base_dir = os.path.dirname(__file__)
server_dir = os.path.join(base_dir, 'server')
key_dir = os.path.join(server_dir, 'certificates')
authorized_keys = os.path.join(server_dir, 'authorized')
make_clean_dirs([server_dir, authorized_keys])
generate_keys(server_dir)
ctx = zmq.Context.instance()
auth = ThreadAuthenticator(ctx, 'utf-8', logging.getLogger('utf'))
auth.start()
auth.allow('127.0.0.1')
authenticator_refresher = ctx.socket(zmq.PULL)
authenticator_refresher.bind("tcp://*:9010")
auth.configure_curve(domain='*', location=authorized_keys)
server = ctx.socket(zmq.REP)
server_secret_file = os.path.join(key_dir, "id.key_secret")
server_public, server_secret = zmq.auth.load_certificate(
server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True
server.bind('tcp://*:9000')
authenticator_refresher.recv()
auth.configure_curve(domain='*', location=authorized_keys)
req = server.recv()
print(req)
if req == b"hi":
server.send(b"hello")
else:
print("wrong request: " + req)
auth.stop()
def secure_client(zmq_sock_type):
# These directories are generated by the generate_certificates script
base_dir = os.path.dirname(__file__)
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
if not (os.path.exists(public_keys_dir) and
os.path.exists(secret_keys_dir)):
logging.critical("Certificates are missing - run generate_certificates.py script first")
sys.exit(1)
ctx = zmq.Context.instance()
# Start an authenticator for this context.
auth = ThreadAuthenticator(ctx)
auth.start()
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
client = ctx.socket(zmq_sock_type)
# We need two certificates, one for the client and one for
# the server. The client must know the server's public key
# to make a CURVE connection.
client_secret_file = os.path.join(secret_keys_dir, "client.key_secret")
client_public, client_secret = zmq.auth.load_certificate(client_secret_file)
client.curve_secretkey = client_secret
client.curve_publickey = client_public
server_public_file = os.path.join(public_keys_dir, "server.key")
server_public, _ = zmq.auth.load_certificate(server_public_file)
# The client must know the server's public key to make a CURVE connection.
client.curve_serverkey = server_public
yield client
# stop auth thread
auth.stop()
#!/usr/bin/env python
import zmq
import zmq.auth
from zmq.auth.thread import ThreadAuthenticator
context = zmq.Context()
auth = ThreadAuthenticator(context)
auth.start()
#auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY)
auth.configure_curve(domain='*', location='authorized_keys')
socket = context.socket(zmq.REP)
socket.curve_server = True
socket.curve_publickey, socket.curve_secretkey = zmq.auth.load_certificate('keys/server.key_secret')
socket.bind("tcp://*:{}".format(53487))
while True:
msg = socket.recv()
print("Received request: ", msg)
socket.send(b'ok')
auth.stop()
def main():
"""
Parses command line input and then runs PubProxy and RouterProxy.
"""
parser = argparse.ArgumentParser()
parser.add_argument(
"-d",
dest="debug",
default=False,
action="store_true",
help="Enable debugging to console",
)
parser.add_argument(
"--it",
dest="proxy_base_port",
type=int,
default=5561,
metavar="proxy_base_port",
help="Interior proxy base port to bind to (->RTR<-, PUB, DLR, SUB)",
)
parser.add_argument(
"--et",
dest="be_base_port",
type=int,
default=5563,
metavar="be_base_port",
help="Base port of backend to connect to (RTR, PUB, ->DLR<-, SUB)",
)
parser.add_argument(
"--ep",
dest="be_ip",
required=True,
metavar="be_ip",
help="IP of backend to connect to",
)
parser.add_argument(
"--ip",
dest="pxy_ip",
required=True,
metavar="pxy_ip",
help="IP of internal proxy interface to bind to",
)
parser.add_argument(
"--ak",
dest="ak",
required=True,
metavar="appkey",
help="The Curve public and private keys used by VMI apps",
)
parser.add_argument(
"--bk",
dest="bk",
required=True,
metavar="bekey",
help="The Curve public and private keys for the backend",
)
args = parser.parse_args()
print(f'{"#"*10}\nmain, starting Facilities with args: {args}\n{"#"*10}')
if not os.path.isfile(args.ak) or not os.path.isfile(args.bk):
print(f"ERROR: either {args.ak} or {args.bk} is is missing!")
sys.exit()
kp = {"be_key": args.bk, "app_key": args.ak}
print(f"startup: keys OK")
context = zmq.Context(io_threads=8)
auth = ThreadAuthenticator(context)
auth.start()
auth.configure_curve(domain="*", location=zmq.auth.CURVE_ALLOW_ANY)
proxy = RouterProxyRuntime(
context,
kp,
debug=args.debug,
pxy_ip=args.pxy_ip,
proxy_base_port=args.proxy_base_port,
be_ip=args.be_ip,
be_base_port=args.be_base_port,
)
proxy.start()
pubrelay = PubProxyRuntime(
context,
kp,
debug=args.debug,
pxy_ip=args.pxy_ip,
proxy_base_port=args.proxy_base_port,
be_ip=args.be_ip,
be_base_port=args.be_base_port,
)
pubrelay.start()
try:
while True:
tprintn(".")
time.sleep(1)
except KeyboardInterrupt:
print("exiting...")
auth.stop()
context.term()
def handle(self, *args, **options):
# Initialize logging.
self.logging_support(options["log_file"])
# Set the logging level
if options['level'] == 'ERROR':
self.logger.setLevel(logging.ERROR)
elif options['level'] == 'WARN':
self.logger.setLevel(logging.WARN)
elif options['level'] == 'INFO':
self.logger.setLevel(logging.INFO)
else:
self.logger.setLevel(logging.DEBUG)
self.logger.info("Dropping privileges")
if not self.drop_privileges(options['user'], options['group']):
self.logger.error("Unable to drop privileges")
return
auth = None
# Create the sockets
context = zmq.Context()
self.pull_socket = context.socket(zmq.PULL)
self.controler = context.socket(zmq.ROUTER)
if options['encrypt']:
self.logger.info("Starting encryption")
try:
auth = ThreadAuthenticator(context)
auth.start()
self.logger.debug("Opening master certificate: %s",
options['master_cert'])
master_public, master_secret = zmq.auth.load_certificate(
options['master_cert'])
self.logger.debug("Using slaves certificates from: %s",
options['slaves_certs'])
auth.configure_curve(domain='*',
location=options['slaves_certs'])
except IOError as err:
self.logger.error(err)
auth.stop()
return
self.controler.curve_publickey = master_public
self.controler.curve_secretkey = master_secret
self.controler.curve_server = True
self.pull_socket.curve_publickey = master_public
self.pull_socket.curve_secretkey = master_secret
self.pull_socket.curve_server = True
self.pull_socket.bind(options['log_socket'])
self.controler.bind(options['master_socket'])
# Last access to the database for new jobs and cancelations
last_db_access = 0
# Poll on the sockets (only one for the moment). This allow to have a
# nice timeout along with polling.
poller = zmq.Poller()
poller.register(self.pull_socket, zmq.POLLIN)
poller.register(self.controler, zmq.POLLIN)
# Mask signals and create a pipe that will receive a bit for each
# signal received. Poll the pipe along with the zmq socket so that we
# can only be interupted while reading data.
(pipe_r, pipe_w) = os.pipe()
flags = fcntl.fcntl(pipe_w, fcntl.F_GETFL, 0)
fcntl.fcntl(pipe_w, fcntl.F_SETFL, flags | os.O_NONBLOCK)
def signal_to_pipe(signumber, _):
# Send the signal number on the pipe
os.write(pipe_w, chr(signumber))
signal.signal(signal.SIGHUP, signal_to_pipe)
signal.signal(signal.SIGINT, signal_to_pipe)
signal.signal(signal.SIGTERM, signal_to_pipe)
signal.signal(signal.SIGQUIT, signal_to_pipe)
poller.register(pipe_r, zmq.POLLIN)
if os.path.exists('/etc/lava-server/worker.conf'):
self.logger.error(
"[FAIL] lava-master must not be run on a remote worker!")
self.controler.close(linger=0)
self.pull_socket.close(linger=0)
context.term()
sys.exit(2)
self.logger.info("[INIT] LAVA dispatcher-master has started.")
self.logger.info("[INIT] Using protocol version %d", PROTOCOL_VERSION)
while True:
try:
try:
# TODO: Fix the timeout computation
# Wait for data or a timeout
sockets = dict(poller.poll(TIMEOUT * 1000))
except zmq.error.ZMQError:
continue
if sockets.get(pipe_r) == zmq.POLLIN:
signum = ord(os.read(pipe_r, 1))
if signum == signal.SIGHUP:
self.logger.info(
"[POLL] SIGHUP received, restarting loggers")
self.logging_support(options["log_file"])
else:
self.logger.info("[POLL] Received a signal, leaving")
break
# Logging socket
if sockets.get(self.pull_socket) == zmq.POLLIN:
self.logging_socket(options)
# Garbage collect file handlers
now = time.time()
for job_id in self.jobs.keys(): # pylint: disable=consider-iterating-dictionary
if now - self.jobs[job_id].last_usage > FD_TIMEOUT:
self.logger.info("[%s] Closing log file", job_id)
self.jobs[job_id].close()
del self.jobs[job_id]
# Command socket
if sockets.get(self.controler) == zmq.POLLIN:
if not self.controler_socket():
continue
# Check dispatchers status
now = time.time()
for hostname, dispatcher in self.dispatchers.iteritems():
if dispatcher.online and now - dispatcher.last_msg > DISPATCHER_TIMEOUT:
self.logger.error(
"[STATE] Dispatcher <%s> goes OFFLINE", hostname)
self.dispatchers[hostname].online = False
# TODO: DB: mark the dispatcher as offline and attached
# devices
# Limit accesses to the database. This will also limit the rate of
# CANCEL and START messages
if now - last_db_access > DB_LIMIT:
last_db_access = now
# TODO: make this atomic
# Dispatch pipeline jobs with devices in Reserved state
self.process_jobs(options)
# Handle canceling jobs
self.handle_canceling()
except (OperationalError, InterfaceError):
self.logger.info("[RESET] database connection reset.")
continue
# Closing sockets and droping messages.
self.logger.info("[CLOSE] Closing the sockets and dropping messages")
self.controler.close(linger=0)
self.pull_socket.close(linger=0)
if options['encrypt']:
auth.stop()
context.term()
def secure_srv(q_param, q_mgmt):
#on thread start create current crypto key
local = os.urandom(crypto_secretbox_KEYBYTES)
# These directories are generated by the generate_certificates script
base_dir = os.path.dirname(__file__)
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
if not (os.path.exists(public_keys_dir)
and os.path.exists(secret_keys_dir)):
logging.critical("Certificates are missing - add certificat first")
sys.exit(1)
ctx = zmq.Context()
# Start an authenticator for this context.
auth = ThreadAuthenticator(context=ctx, encoding='utf-8')
auth.start()
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.PUB)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(
server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True
server.bind('tcp://*:5556')
while (True):
if not q_mgmt.empty():
print "we rcv a mgmt msg"
msg = q_mgmt.get()
if msg.action == 0:
print "we have to restart auth"
auth.stop()
auth = ThreadAuthenticator(context=ctx, encoding='utf-8')
auth.start()
auth.configure_curve(domain='*', location=public_keys_dir)
print "Auth restarted"
if not q_param.empty():
print "we rcv a param msg"
p = q_param.get()
if p.t == 0:
local = p.v
#send new parameters with seq
s_snd = struct.Struct('! B B H H H I')
data = s_snd.pack(1, 6, 4, len(p.v), p.t, p.seq)
server.send(data + str(p.v))
#loop send key+seq if no new params
key_param = Params(0, local, random.randint(0, max_int32_seq))
s_snd = struct.Struct('! B B H H H I')
data = s_snd.pack(1, 6, 4, len(key_param.v), key_param.t,
key_param.seq)
server.send(data + str(key_param.v))
time.sleep(2) # avoid "as fast as possible" loop
# stop auth thread
auth.stop()
# stop zmq context
ctx.destroy()
return
def handle(self, *args, **options):
if options['level'] == 'ERROR':
self.logger.setLevel(logging.ERROR)
elif options['level'] == 'WARN':
self.logger.setLevel(logging.WARN)
elif options['level'] == 'INFO':
self.logger.setLevel(logging.INFO)
else:
self.logger.setLevel(logging.DEBUG)
auth = None
# Create the sockets
context = zmq.Context()
self.pull_socket = context.socket(zmq.PULL)
self.controler = context.socket(zmq.ROUTER)
if options['encrypt']:
self.logger.info("Starting encryption")
try:
auth = ThreadAuthenticator(context)
auth.start()
self.logger.debug("Opening master certificate: %s", options['master_cert'])
master_public, master_secret = zmq.auth.load_certificate(options['master_cert'])
self.logger.debug("Using slaves certificates from: %s", options['slaves_certs'])
auth.configure_curve(domain='*', location=options['slaves_certs'])
except IOError as err:
self.logger.error(err)
auth.stop()
return
self.controler.curve_publickey = master_public
self.controler.curve_secretkey = master_secret
self.controler.curve_server = True
self.pull_socket.curve_publickey = master_public
self.pull_socket.curve_secretkey = master_secret
self.pull_socket.curve_server = True
self.pull_socket.bind(options['log_socket'])
self.controler.bind(options['master_socket'])
# Last access to the database for new jobs and cancelations
last_db_access = 0
# Poll on the sockets (only one for the moment). This allow to have a
# nice timeout along with polling.
poller = zmq.Poller()
poller.register(self.pull_socket, zmq.POLLIN)
poller.register(self.controler, zmq.POLLIN)
# Mask signals and create a pipe that will receive a bit for each
# signal received. Poll the pipe along with the zmq socket so that we
# can only be interupted while reading data.
(pipe_r, pipe_w) = os.pipe()
flags = fcntl.fcntl(pipe_w, fcntl.F_GETFL, 0)
fcntl.fcntl(pipe_w, fcntl.F_SETFL, flags | os.O_NONBLOCK)
def signal_to_pipe(signumber, _):
# Send the signal number on the pipe
os.write(pipe_w, chr(signumber))
signal.signal(signal.SIGHUP, signal_to_pipe)
signal.signal(signal.SIGINT, signal_to_pipe)
signal.signal(signal.SIGTERM, signal_to_pipe)
signal.signal(signal.SIGQUIT, signal_to_pipe)
poller.register(pipe_r, zmq.POLLIN)
if os.path.exists('/etc/lava-server/worker.conf'):
self.logger.error("[FAIL] lava-master must not be run on a remote worker!")
self.controler.close(linger=0)
self.pull_socket.close(linger=0)
context.term()
sys.exit(2)
self.logger.info("[INIT] LAVA dispatcher-master has started.")
self.logger.info("[INIT] Using protocol version %d", PROTOCOL_VERSION)
while True:
try:
try:
# TODO: Fix the timeout computation
# Wait for data or a timeout
sockets = dict(poller.poll(TIMEOUT * 1000))
except zmq.error.ZMQError:
continue
if sockets.get(pipe_r) == zmq.POLLIN:
signum = ord(os.read(pipe_r, 1))
if signum == signal.SIGHUP:
self.logger.info("[POLL] SIGHUP received, restarting loggers")
self.logging_support()
else:
self.logger.info("[POLL] Received a signal, leaving")
break
# Logging socket
if sockets.get(self.pull_socket) == zmq.POLLIN:
self.logging_socket(options)
# Garbage collect file handlers
now = time.time()
for job_id in self.logs.keys(): # pylint: disable=consider-iterating-dictionary
if now - self.logs[job_id].last_usage > FD_TIMEOUT:
self.logger.info("[%s] Closing log file", job_id)
self.logs[job_id].close()
del self.logs[job_id]
# Command socket
if sockets.get(self.controler) == zmq.POLLIN:
if not self.controler_socket():
continue
# Check dispatchers status
now = time.time()
for hostname, dispatcher in self.dispatchers.iteritems():
if dispatcher.online and now - dispatcher.last_msg > DISPATCHER_TIMEOUT:
self.logger.error("[STATE] Dispatcher <%s> goes OFFLINE", hostname)
self.dispatchers[hostname].online = False
# TODO: DB: mark the dispatcher as offline and attached
# devices
# Limit accesses to the database. This will also limit the rate of
# CANCEL and START messages
if now - last_db_access > DB_LIMIT:
last_db_access = now
# TODO: make this atomic
# Dispatch pipeline jobs with devices in Reserved state
self.process_jobs(options)
# Handle canceling jobs
self.handle_canceling()
except (OperationalError, InterfaceError):
self.logger.info("[RESET] database connection reset.")
continue
# Closing sockets and droping messages.
self.logger.info("[CLOSE] Closing the sockets and dropping messages")
self.controler.close(linger=0)
self.pull_socket.close(linger=0)
if options['encrypt']:
auth.stop()
context.term()
async def run():
''' Run Ironhouse example '''
# These directories are generated by the generate_certificates script
base_dir = Path(__file__).parent
keys_dir = base_dir / 'certificates'
public_keys_dir = base_dir / 'public_keys'
secret_keys_dir = base_dir / 'private_keys'
if not keys_dir.is_dir() or not public_keys_dir.is_dir(
) or not secret_keys_dir.is_dir():
logging.critical(
"Certificates are missing - run generate_certificates.py script first"
)
sys.exit(1)
ctx = Context.instance()
# Start an authenticator for this context.
auth = AsyncioAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.PUSH)
server_secret_file = secret_keys_dir / "server.key_secret"
server_public, server_secret = zmq.auth.load_certificate(
server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
server.bind('tcp://*:9000')
client = ctx.socket(zmq.PULL)
# We need two certificates, one for the client and one for
# the server. The client must know the server's public key
# to make a CURVE connection.
client_secret_file = secret_keys_dir / "client.key_secret"
client_public, client_secret = zmq.auth.load_certificate(
client_secret_file)
client.curve_secretkey = client_secret
client.curve_publickey = client_public
server_public_file = public_keys_dir / "server.key"
server_public, _ = zmq.auth.load_certificate(server_public_file)
# The client must know the server's public key to make a CURVE connection.
client.curve_serverkey = server_public
client.connect('tcp://127.0.0.1:9000')
await server.send(b"Hello")
if await client.poll(1000):
msg = await client.recv()
if msg == b"Hello":
logging.info("Ironhouse test OK")
else:
logging.error("Ironhouse test FAIL")
# close sockets
server.close()
client.close()
# stop auth task
auth.stop()
def test_curve(self):
"""test threaded auth - CURVE"""
self.auth = auth = zmq.auth.ThreadedAuthenticator(self.context)
auth.start()
# Create temporary CURVE keypairs for this test run. We create all keys in a
# temp directory and then move them into the appropriate private or public
# directory.
base_dir = tempfile.mkdtemp()
keys_dir = os.path.join(base_dir, "certificates")
public_keys_dir = os.path.join(base_dir, "public_keys")
secret_keys_dir = os.path.join(base_dir, "private_keys")
os.mkdir(keys_dir)
os.mkdir(public_keys_dir)
os.mkdir(secret_keys_dir)
server_public_file, server_secret_file = zmq.auth.create_certificates(keys_dir, "server")
client_public_file, client_secret_file = zmq.auth.create_certificates(keys_dir, "client")
for key_file in os.listdir(keys_dir):
if key_file.endswith(".key"):
shutil.move(os.path.join(keys_dir, key_file), os.path.join(public_keys_dir, "."))
for key_file in os.listdir(keys_dir):
if key_file.endswith(".key_secret"):
shutil.move(os.path.join(keys_dir, key_file), os.path.join(secret_keys_dir, "."))
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
client_secret_file = os.path.join(secret_keys_dir, "client.key_secret")
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
client_public, client_secret = zmq.auth.load_certificate(client_secret_file)
auth.allow("127.0.0.1")
# Try CURVE authentication - without configuring server, connection should fail
server = self.socket(zmq.PUSH)
server.curve_publickey = server_public
server.curve_secretkey = server_secret
server.curve_server = True
client = self.socket(zmq.PULL)
client.curve_publickey = client_public
client.curve_secretkey = client_secret
client.curve_serverkey = server_public
self.assertFalse(self.can_connect(server, client))
client.close()
server.close()
# Try CURVE authentication - with server configured to CURVE_ALLOW_ANY, connection should pass
auth.configure_curve(domain="*", location=zmq.auth.CURVE_ALLOW_ANY)
server = self.socket(zmq.PUSH)
server.curve_publickey = server_public
server.curve_secretkey = server_secret
server.curve_server = True
client = self.socket(zmq.PULL)
client.curve_publickey = client_public
client.curve_secretkey = client_secret
client.curve_serverkey = server_public
self.assertTrue(self.can_connect(server, client))
client.close()
server.close()
# Try CURVE authentication - with server configured, connection should pass
auth.configure_curve(domain="*", location=public_keys_dir)
server = self.socket(zmq.PUSH)
server.curve_publickey = server_public
server.curve_secretkey = server_secret
server.curve_server = True
client = self.socket(zmq.PULL)
client.curve_publickey = client_public
client.curve_secretkey = client_secret
client.curve_serverkey = server_public
self.assertTrue(self.can_connect(server, client))
client.close()
server.close()
# Remove authenticator and check that a normal connection works
auth.stop()
del auth
# Try connecting using NULL and no authentication enabled, connection should pass
server = self.socket(zmq.PUSH)
client = self.socket(zmq.PULL)
self.assertTrue(self.can_connect(server, client))
client.close()
server.close()
shutil.rmtree(base_dir)
async def run():
''' Run Ironhouse example '''
# These directories are generated by the generate_certificates script
base_dir = Path(__file__).parent
keys_dir = base_dir / 'certificates'
public_keys_dir = base_dir / 'public_keys'
secret_keys_dir = base_dir / 'private_keys'
if (
not keys_dir.is_dir()
or not public_keys_dir.is_dir()
or not secret_keys_dir.is_dir()
):
logging.critical(
"Certificates are missing - run generate_certificates.py script first"
)
sys.exit(1)
ctx = Context.instance()
# Start an authenticator for this context.
auth = AsyncioAuthenticator(ctx)
auth.start()
auth.allow('127.0.0.1')
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.ROUTER)
server_secret_file = secret_keys_dir / "server.key_secret"
server_public, server_secret = zmq.auth.load_certificate(server_secret_file)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True # must come before bind
server.bind('tcp://*:9000')
client = ctx.socket(zmq.DEALER)
# We need two certificates, one for the client and one for
# the server. The client must know the server's public key
# to make a CURVE connection.
client_secret_file = secret_keys_dir / "client.key_secret"
client_public, client_secret = zmq.auth.load_certificate(client_secret_file)
client.curve_secretkey = client_secret
client.curve_publickey = client_public
server_public_file = public_keys_dir / "server.key"
server_public, _ = zmq.auth.load_certificate(server_public_file)
# The client must know the server's public key to make a CURVE connection.
client.curve_serverkey = server_public
client.connect('tcp://127.0.0.1:9000')
await client.send(b"Hello")
if await server.poll(1000):
# use copy=False to allow access to message properties via the zmq.Frame API
# default recv(copy=True) returns only bytes, discarding properties
identity, msg = await server.recv_multipart(copy=False)
logging.info(f"Received {msg.bytes} from {msg['User-Id']!r}")
if msg.bytes == b"Hello":
logging.info("Ironhouse test OK")
else:
logging.error("Ironhouse test FAIL")
# close sockets
server.close()
client.close()
# stop auth task
auth.stop()
import zmq
import zmq.auth
from zmq.auth.thread import ThreadAuthenticator
context = zmq.Context()
server = context.socket(zmq.REP)
auth = ThreadAuthenticator(context)
auth.start()
auth.allow('127.0.0.1')
auth.configure_plain(domain='*', passwords={'admin': 'password'})
server.plain_server = True
server.setsockopt(zmq.PLAIN_SERVER, 1)
server.connect('tcp://127.0.0.1:5556')
msg = server.recv_string()
server.send(b'Authenticated')
auth.stop()
def secure_srv(q_param, q_mgmt):
#on thread start create current crypto key
local = os.urandom(crypto_secretbox_KEYBYTES)
# These directories are generated by the generate_certificates script
base_dir = os.path.dirname(__file__)
public_keys_dir = os.path.join(base_dir, 'public_keys')
secret_keys_dir = os.path.join(base_dir, 'private_keys')
if not(os.path.exists(public_keys_dir) and
os.path.exists(secret_keys_dir)):
logging.critical("Certificates are missing - add certificat first")
sys.exit(1)
ctx = zmq.Context()
# Start an authenticator for this context.
auth = ThreadAuthenticator(context=ctx, encoding='utf-8')
auth.start()
# Tell authenticator to use the certificate in a directory
auth.configure_curve(domain='*', location=public_keys_dir)
server = ctx.socket(zmq.PUB)
server_secret_file = os.path.join(secret_keys_dir, "server.key_secret")
server_public, server_secret = zmq.auth.load_certificate(
server_secret_file
)
server.curve_secretkey = server_secret
server.curve_publickey = server_public
server.curve_server = True
server.bind('tcp://*:5556')
while(True):
if not q_mgmt.empty():
print "we rcv a mgmt msg"
msg = q_mgmt.get()
if msg.action == 0:
print "we have to restart auth"
auth.stop()
auth = ThreadAuthenticator(context=ctx, encoding='utf-8')
auth.start()
auth.configure_curve(domain='*', location=public_keys_dir)
print "Auth restarted"
if not q_param.empty():
print "we rcv a param msg"
p = q_param.get()
if p.t == 0:
local = p.v
#send new parameters with seq
s_snd = struct.Struct('! B B H H H I')
data = s_snd.pack(1, 6, 4, len(p.v), p.t, p.seq)
server.send(data+str(p.v))
#loop send key+seq if no new params
key_param = Params(0, local, random.randint(0, max_int32_seq))
s_snd = struct.Struct('! B B H H H I')
data = s_snd.pack(
1,
6,
4,
len(key_param.v),
key_param.t,
key_param.seq
)
server.send(data+str(key_param.v))
time.sleep(2) # avoid "as fast as possible" loop
# stop auth thread
auth.stop()
# stop zmq context
ctx.destroy()
return
