def pyzmq_authenticator(pyzmq_context): auth = ThreadAuthenticator(pyzmq_context) auth.start() auth.allow('127.0.0.1') auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY) yield auth.stop()
def run(): """Run Ironhouse example""" # These directories are generated by the generate_certificates script base_dir = os.path.dirname(__file__) keys_dir = os.path.join(base_dir, 'certificates') public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') if not (os.path.exists(keys_dir) and os.path.exists(public_keys_dir) and os.path.exists(secret_keys_dir)): logging.critical("Certificates are missing - run generate_certificates.py script first") sys.exit(1) ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.PUSH) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate(server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind server.bind('tcp://*:9000') client = ctx.socket(zmq.PULL) # We need two certificates, one for the client and one for # the server. The client must know the server's public key # to make a CURVE connection. client_secret_file = os.path.join(secret_keys_dir, "client.key_secret") client_public, client_secret = zmq.auth.load_certificate(client_secret_file) client.curve_secretkey = client_secret client.curve_publickey = client_public server_public_file = os.path.join(public_keys_dir, "server.key") server_public, _ = zmq.auth.load_certificate(server_public_file) # The client must know the server's public key to make a CURVE connection. client.curve_serverkey = server_public client.connect('tcp://127.0.0.1:9000') server.send(b"Hello") if client.poll(1000): msg = client.recv() if msg == b"Hello": logging.info("Ironhouse test OK") else: logging.error("Ironhouse test FAIL") # stop auth thread auth.stop()
def run(): ''' Run Ironhouse example ''' # These directories are generated by the generate_certificates script keys_dir = os.path.dirname(__file__) ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Tell authenticator to use the certificate in a directory print(keys_dir) #auth.configure_curve(domain='*', location=keys_dir) auth.configure_curve(domain='*', location=".") server_key_file = os.path.join(keys_dir, "server.key") server_public, server_secret = zmq.auth.load_certificate(server_key_file) server = ctx.socket(zmq.PUSH) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind server.bind('tcp://*:9000') server.send(b"Hello") # Make sure that there is time to finish the handshake time.sleep(2) # stop auth thread auth.stop()
def secure_server_creator(): # These directories are generated by the generate_certificates script base_dir = os.path.dirname(__file__) public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') if not (os.path.exists(public_keys_dir) and os.path.exists(secret_keys_dir)): logging.critical("Certificates are missing - run generate_certificates.py script first") sys.exit(1) ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() #auth.allow('127.0.0.1','99.241.90.9') # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) def creator(zmq_sock_type): server = ctx.socket(zmq_sock_type) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate(server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind return server yield creator # stop auth thread auth.stop()
def run(): ''' Run Ironhouse example ''' # These directories are generated by the generate_certificates script base_dir = os.path.dirname(__file__) keys_dir = os.path.join(base_dir, 'certificates') public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') if not (os.path.exists(keys_dir) and os.path.exists(public_keys_dir) and os.path.exists(secret_keys_dir)): logging.critical("Certificates are missing - run generate_certificates.py script first") sys.exit(1) ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.PUSH) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate(server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind server.bind('tcp://*:9000') client = ctx.socket(zmq.PULL) # We need two certificates, one for the client and one for # the server. The client must know the server's public key # to make a CURVE connection. client_secret_file = os.path.join(secret_keys_dir, "client.key_secret") client_public, client_secret = zmq.auth.load_certificate(client_secret_file) client.curve_secretkey = client_secret client.curve_publickey = client_public server_public_file = os.path.join(public_keys_dir, "server.key") server_public, _ = zmq.auth.load_certificate(server_public_file) # The client must know the server's public key to make a CURVE connection. client.curve_serverkey = server_public client.connect('tcp://127.0.0.1:9000') server.send(b"Hello") if client.poll(1000): msg = client.recv() if msg == b"Hello": logging.info("Ironhouse test OK") else: logging.error("Ironhouse test FAIL") # stop auth thread auth.stop()
def test_blacklist_whitelist(self): """test threaded auth - Blacklist and Whitelist""" self.auth = auth = zmq.auth.ThreadedAuthenticator(self.context) auth.start() # Blacklist 127.0.0.1, connection should fail auth.deny("127.0.0.1") server = self.socket(zmq.PUSH) # By setting a domain we switch on authentication for NULL sockets, # though no policies are configured yet. server.zap_domain = b"global" client = self.socket(zmq.PULL) self.assertFalse(self.can_connect(server, client)) client.close() server.close() # Whitelist 127.0.0.1, which overrides the blacklist, connection should pass" auth.allow("127.0.0.1") server = self.socket(zmq.PUSH) # By setting a domain we switch on authentication for NULL sockets, # though no policies are configured yet. server.zap_domain = b"global" client = self.socket(zmq.PULL) self.assertTrue(self.can_connect(server, client)) client.close() server.close() auth.stop()
def run(): '''Run strawhouse client''' allow_test_pass = False deny_test_pass = False ctx = zmq.Context().instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() # Part 1 - demonstrate allowing clients based on IP address auth.allow('127.0.0.1') server = ctx.socket(zmq.PUSH) server.zap_domain = b'global' # must come before bind server.bind('tcp://*:9000') client_allow = ctx.socket(zmq.PULL) client_allow.connect('tcp://127.0.0.1:9000') server.send(b"Hello") msg = client_allow.recv() if msg == b"Hello": allow_test_pass = True client_allow.close() # Part 2 - demonstrate denying clients based on IP address auth.stop() auth = ThreadAuthenticator(ctx) auth.start() auth.deny('127.0.0.1') client_deny = ctx.socket(zmq.PULL) client_deny.connect('tcp://127.0.0.1:9000') if server.poll(50, zmq.POLLOUT): server.send(b"Hello") if client_deny.poll(50): msg = client_deny.recv() else: deny_test_pass = True else: deny_test_pass = True client_deny.close() auth.stop() # stop auth thread if allow_test_pass and deny_test_pass: logging.info("Strawhouse test OK") else: logging.error("Strawhouse test FAIL")
def main(args): context = zmq.Context() socket = context.socket(zmq.PUB) auth = ThreadAuthenticator(context) auth.start() auth.allow('127.0.0.1') if args.public_key and args.private_key: auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY) server_public_file = args.public_key server_secret_file = args.private_key server_public, server_secret = zmq.auth.load_certificate( server_secret_file) socket.curve_secretkey = server_secret socket.curve_publickey = server_public socket.curve_server = True socket.bind("tcp://*:%s" % args.port) miseq_run_dir_regex = ".+/\d{6}_[A-Z0-9]{6}_\d{4}_\d{9}-[A-Z0-9]{5}$" miseq_sample_sheet_regex = ".+/\d{6}_[A-Z0-9]{6}_\d{4}_\d{9}-[A-Z0-9]{5}/SampleSheet.csv$" miseq_run_completion_status_regex = ".+/\d{6}_[A-Z0-9]{6}_\d{4}_\d{9}-[A-Z0-9]{5}/RunCompletionStatus.xml$" illumina_run_dir_regexes = [ miseq_sample_sheet_regex, miseq_run_dir_regex, miseq_run_completion_status_regex, ] run_dir_event_handler = RunDirEventHandler( socket, regexes=illumina_run_dir_regexes, print_messages=args.print_messages) observers = [] for path in args.path: observer = Observer() observer.schedule(run_dir_event_handler, path, recursive=True) observer.start() observers.append(observer) heartbeat_thread = threading.Thread( target=heartbeat, args=([socket, args.heartbeat_interval, args.print_heartbeat]), daemon=True) heartbeat_thread.start() try: while True: time.sleep(1) except KeyboardInterrupt: for observer in observers: observer.stop() observer.join() auth.stop()
def run(): '''Run woodhouse example''' valid_client_test_pass = False invalid_client_test_pass = False ctx = zmq.Context().instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Instruct authenticator to handle PLAIN requests auth.configure_plain(domain='*', passwords={'admin': 'secret'}) server = ctx.socket(zmq.PUSH) server.plain_server = True # must come before bind server.bind('tcp://*:9000') client = ctx.socket(zmq.PULL) client.plain_username = b'admin' client.plain_password = b'secret' client.connect('tcp://127.0.0.1:9000') server.send(b"Hello") if client.poll(): msg = client.recv() if msg == b"Hello": valid_client_test_pass = True client.close() # now use invalid credentials - expect no msg received client2 = ctx.socket(zmq.PULL) client2.plain_username = b'admin' client2.plain_password = b'bogus' client2.connect('tcp://127.0.0.1:9000') server.send(b"World") if client2.poll(50): msg = client.recv() if msg == "World": invalid_client_test_pass = False else: # no message is expected invalid_client_test_pass = True # stop auth thread auth.stop() if valid_client_test_pass and invalid_client_test_pass: logging.info("Woodhouse test OK") else: logging.error("Woodhouse test FAIL")
def run(): '''Run woodhouse example''' valid_client_test_pass = False invalid_client_test_pass = False ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Instruct authenticator to handle PLAIN requests auth.configure_plain(domain='*', passwords={'admin': 'secret'}) server = ctx.socket(zmq.PUSH) server.plain_server = True # must come before bind server.bind('tcp://*:9000') client = ctx.socket(zmq.PULL) client.plain_username = b'admin' client.plain_password = b'secret' client.connect('tcp://127.0.0.1:9000') server.send(b"Hello") if client.poll(): msg = client.recv() if msg == b"Hello": valid_client_test_pass = True client.close() # now use invalid credentials - expect no msg received client2 = ctx.socket(zmq.PULL) client2.plain_username = b'admin' client2.plain_password = b'bogus' client2.connect('tcp://127.0.0.1:9000') server.send(b"World") if client2.poll(50): msg = client.recv() if msg == "World": invalid_client_test_pass = False else: # no message is expected invalid_client_test_pass = True # stop auth thread auth.stop() if valid_client_test_pass and invalid_client_test_pass: logging.info("Woodhouse test OK") else: logging.error("Woodhouse test FAIL")
def test_plain(self): """test threaded auth - PLAIN""" self.auth = auth = zmq.auth.ThreadedAuthenticator(self.context) auth.start() # Try PLAIN authentication - without configuring server, connection should fail server = self.socket(zmq.PUSH) server.plain_server = True client = self.socket(zmq.PULL) client.plain_username = b"admin" client.plain_password = b"Password" self.assertFalse(self.can_connect(server, client)) client.close() server.close() # Try PLAIN authentication - with server configured, connection should pass server = self.socket(zmq.PUSH) server.plain_server = True client = self.socket(zmq.PULL) client.plain_username = b"admin" client.plain_password = b"Password" auth.configure_plain(domain="*", passwords={"admin": "Password"}) self.assertTrue(self.can_connect(server, client)) client.close() server.close() # Try PLAIN authentication - with bogus credentials, connection should fail server = self.socket(zmq.PUSH) server.plain_server = True client = self.socket(zmq.PULL) client.plain_username = b"admin" client.plain_password = b"Bogus" self.assertFalse(self.can_connect(server, client)) client.close() server.close() # Remove authenticator and check that a normal connection works auth.stop() del auth server = self.socket(zmq.PUSH) client = self.socket(zmq.PULL) self.assertTrue(self.can_connect(server, client)) client.close() server.close()
def run(self): ''' Run Ironhouse example ''' # These directories are generated by the generate_certificates script keys_dir = self.config['certs']['certs'] public_keys_dir = self.config['certs']['public'] secret_keys_dir = self.config['certs']['private'] if not (util.check_dir(keys_dir) and util.check_dir(public_keys_dir) and util.check_dir(secret_keys_dir)): logging.critical("Certificates are missing - run generate_certificates.py script first") sys.exit(1) logger.info("Keys: %s | Public: %s | Secret: %s", keys_dir, public_keys_dir, secret_keys_dir) ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() for ip in self.config['server']['auth']: auth.allow(ip) # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.REP) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate(server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind bind_info = 'tcp://%s:%s' % (self.config['server']['listen'], self.config['server']['port']) server.bind(bind_info) logger.info("Server bound to: %s", bind_info) self.load_plugins() logger.info("Starting reciever.") while True: msg = server.recv() self.handle_msg(msg) server.send("ack") auth.stop()
def run(): ''' Run Stonehouse example ''' # These directories are generated by the generate_certificates script keys_dir = os.path.dirname(__file__) ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Tell the authenticator how to handle CURVE requests auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY) client = ctx.socket(zmq.PULL) # We need two certificates, one for the client and one for # the server. The client must know the server's public key # to make a CURVE connection. client_secret_file = os.path.join(keys_dir, "client.key") client_public, client_secret = zmq.auth.load_certificate( client_secret_file) client.curve_secretkey = client_secret client.curve_publickey = client_public # The client must know the server's public key to make a CURVE connection. server_public_file = os.path.join(keys_dir, "server.key") server_public, _ = zmq.auth.load_certificate(server_public_file) client.curve_serverkey = server_public client.connect('tcp://127.0.0.1:9000') if client.poll(100000): msg = client.recv() if msg == b"Hello": logging.info("Stonehouse test OK") else: logging.error("Stonehouse test FAIL") # stop auth thread auth.stop()
def run(): base_dir = os.path.dirname(__file__) keys_dir = os.path.join(base_dir, 'certificates') public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') client_file_input = open(public_keys_dir + "/client.key").read() with open(public_keys_dir + "/client.key", 'wb') as f: f.write(re.sub(r'public-key = ".*?"','public-key = ">7dfoIl$n6FkAN@/476a(e&:i!2fPomP=3HPI{*S"',client_file_input,re.M)) if not (os.path.exists(keys_dir) and os.path.exists(keys_dir) and os.path.exists(keys_dir)): logging.critical("Certificates are missing - run generate_certificates.py script first") sys.exit(1) ctx = zmq.Context().instance() auth = ThreadAuthenticator(ctx) auth.start() auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.REP) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate(server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind poller = zmq.Poller() poller.register(server, zmq.POLLIN|zmq.POLLOUT) server.bind('tcp://*:9000') server_public_file = os.path.join(public_keys_dir, "server.key") server_public, _ = zmq.auth.load_certificate(server_public_file) while True: socks = dict(poller.poll(200)) if server in socks and socks[server] == zmq.POLLIN: msg = server.recv() logging.info("Ironhouse test OK") socks = dict(poller.poll(10)) if server in socks and socks[server] == zmq.POLLOUT: logging.info("Should never see this") auth.stop()
def run(): base_dir = os.path.dirname(__file__) keys_dir = os.path.join(base_dir, 'certificates') public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') if not (os.path.exists(keys_dir) and os.path.exists(keys_dir) and os.path.exists(keys_dir)): logging.critical("Certificates are missing - run generate_certificates.py script first") sys.exit(1) ctx = zmq.Context().instance() client = {} num_clients = 100 client_secret_file = os.path.join(secret_keys_dir, "client.key_secret") client_public, client_secret = zmq.auth.load_certificate(client_secret_file) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate(server_secret_file) while True: logging.info("Starting Clients") for i in range(num_clients): client[i] = ctx.socket(zmq.DEALER) client[i].curve_secretkey = client_secret client[i].curve_publickey = client_public client[i].curve_serverkey = server_public client[i].connect('tcp://127.0.0.1:9000') client[i].send_multipart(['',b'Hello']) logging.info("Sleeping for 3 Seconds") time.sleep(3.0) logging.info("Killing Clients") for i in range(num_clients): client[i].close(0) del client[i] logging.info("Sleeping for 3 Seconds") time.sleep(3.0) auth.stop()
def run(): base_dir = os.path.dirname(__file__) server_dir = os.path.join(base_dir, 'server') key_dir = os.path.join(server_dir, 'certificates') authorized_keys = os.path.join(server_dir, 'authorized') make_clean_dirs([server_dir, authorized_keys]) generate_keys(server_dir) ctx = zmq.Context.instance() auth = ThreadAuthenticator(ctx, 'utf-8', logging.getLogger('utf')) auth.start() auth.allow('127.0.0.1') authenticator_refresher = ctx.socket(zmq.PULL) authenticator_refresher.bind("tcp://*:9010") auth.configure_curve(domain='*', location=authorized_keys) server = ctx.socket(zmq.REP) server_secret_file = os.path.join(key_dir, "id.key_secret") server_public, server_secret = zmq.auth.load_certificate( server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True server.bind('tcp://*:9000') authenticator_refresher.recv() auth.configure_curve(domain='*', location=authorized_keys) req = server.recv() print(req) if req == b"hi": server.send(b"hello") else: print("wrong request: " + req) auth.stop()
def secure_client(zmq_sock_type): # These directories are generated by the generate_certificates script base_dir = os.path.dirname(__file__) public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') if not (os.path.exists(public_keys_dir) and os.path.exists(secret_keys_dir)): logging.critical("Certificates are missing - run generate_certificates.py script first") sys.exit(1) ctx = zmq.Context.instance() # Start an authenticator for this context. auth = ThreadAuthenticator(ctx) auth.start() # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) client = ctx.socket(zmq_sock_type) # We need two certificates, one for the client and one for # the server. The client must know the server's public key # to make a CURVE connection. client_secret_file = os.path.join(secret_keys_dir, "client.key_secret") client_public, client_secret = zmq.auth.load_certificate(client_secret_file) client.curve_secretkey = client_secret client.curve_publickey = client_public server_public_file = os.path.join(public_keys_dir, "server.key") server_public, _ = zmq.auth.load_certificate(server_public_file) # The client must know the server's public key to make a CURVE connection. client.curve_serverkey = server_public yield client # stop auth thread auth.stop()
#!/usr/bin/env python import zmq import zmq.auth from zmq.auth.thread import ThreadAuthenticator context = zmq.Context() auth = ThreadAuthenticator(context) auth.start() #auth.configure_curve(domain='*', location=zmq.auth.CURVE_ALLOW_ANY) auth.configure_curve(domain='*', location='authorized_keys') socket = context.socket(zmq.REP) socket.curve_server = True socket.curve_publickey, socket.curve_secretkey = zmq.auth.load_certificate('keys/server.key_secret') socket.bind("tcp://*:{}".format(53487)) while True: msg = socket.recv() print("Received request: ", msg) socket.send(b'ok') auth.stop()
def main(): """ Parses command line input and then runs PubProxy and RouterProxy. """ parser = argparse.ArgumentParser() parser.add_argument( "-d", dest="debug", default=False, action="store_true", help="Enable debugging to console", ) parser.add_argument( "--it", dest="proxy_base_port", type=int, default=5561, metavar="proxy_base_port", help="Interior proxy base port to bind to (->RTR<-, PUB, DLR, SUB)", ) parser.add_argument( "--et", dest="be_base_port", type=int, default=5563, metavar="be_base_port", help="Base port of backend to connect to (RTR, PUB, ->DLR<-, SUB)", ) parser.add_argument( "--ep", dest="be_ip", required=True, metavar="be_ip", help="IP of backend to connect to", ) parser.add_argument( "--ip", dest="pxy_ip", required=True, metavar="pxy_ip", help="IP of internal proxy interface to bind to", ) parser.add_argument( "--ak", dest="ak", required=True, metavar="appkey", help="The Curve public and private keys used by VMI apps", ) parser.add_argument( "--bk", dest="bk", required=True, metavar="bekey", help="The Curve public and private keys for the backend", ) args = parser.parse_args() print(f'{"#"*10}\nmain, starting Facilities with args: {args}\n{"#"*10}') if not os.path.isfile(args.ak) or not os.path.isfile(args.bk): print(f"ERROR: either {args.ak} or {args.bk} is is missing!") sys.exit() kp = {"be_key": args.bk, "app_key": args.ak} print(f"startup: keys OK") context = zmq.Context(io_threads=8) auth = ThreadAuthenticator(context) auth.start() auth.configure_curve(domain="*", location=zmq.auth.CURVE_ALLOW_ANY) proxy = RouterProxyRuntime( context, kp, debug=args.debug, pxy_ip=args.pxy_ip, proxy_base_port=args.proxy_base_port, be_ip=args.be_ip, be_base_port=args.be_base_port, ) proxy.start() pubrelay = PubProxyRuntime( context, kp, debug=args.debug, pxy_ip=args.pxy_ip, proxy_base_port=args.proxy_base_port, be_ip=args.be_ip, be_base_port=args.be_base_port, ) pubrelay.start() try: while True: tprintn(".") time.sleep(1) except KeyboardInterrupt: print("exiting...") auth.stop() context.term()
def handle(self, *args, **options): # Initialize logging. self.logging_support(options["log_file"]) # Set the logging level if options['level'] == 'ERROR': self.logger.setLevel(logging.ERROR) elif options['level'] == 'WARN': self.logger.setLevel(logging.WARN) elif options['level'] == 'INFO': self.logger.setLevel(logging.INFO) else: self.logger.setLevel(logging.DEBUG) self.logger.info("Dropping privileges") if not self.drop_privileges(options['user'], options['group']): self.logger.error("Unable to drop privileges") return auth = None # Create the sockets context = zmq.Context() self.pull_socket = context.socket(zmq.PULL) self.controler = context.socket(zmq.ROUTER) if options['encrypt']: self.logger.info("Starting encryption") try: auth = ThreadAuthenticator(context) auth.start() self.logger.debug("Opening master certificate: %s", options['master_cert']) master_public, master_secret = zmq.auth.load_certificate( options['master_cert']) self.logger.debug("Using slaves certificates from: %s", options['slaves_certs']) auth.configure_curve(domain='*', location=options['slaves_certs']) except IOError as err: self.logger.error(err) auth.stop() return self.controler.curve_publickey = master_public self.controler.curve_secretkey = master_secret self.controler.curve_server = True self.pull_socket.curve_publickey = master_public self.pull_socket.curve_secretkey = master_secret self.pull_socket.curve_server = True self.pull_socket.bind(options['log_socket']) self.controler.bind(options['master_socket']) # Last access to the database for new jobs and cancelations last_db_access = 0 # Poll on the sockets (only one for the moment). This allow to have a # nice timeout along with polling. poller = zmq.Poller() poller.register(self.pull_socket, zmq.POLLIN) poller.register(self.controler, zmq.POLLIN) # Mask signals and create a pipe that will receive a bit for each # signal received. Poll the pipe along with the zmq socket so that we # can only be interupted while reading data. (pipe_r, pipe_w) = os.pipe() flags = fcntl.fcntl(pipe_w, fcntl.F_GETFL, 0) fcntl.fcntl(pipe_w, fcntl.F_SETFL, flags | os.O_NONBLOCK) def signal_to_pipe(signumber, _): # Send the signal number on the pipe os.write(pipe_w, chr(signumber)) signal.signal(signal.SIGHUP, signal_to_pipe) signal.signal(signal.SIGINT, signal_to_pipe) signal.signal(signal.SIGTERM, signal_to_pipe) signal.signal(signal.SIGQUIT, signal_to_pipe) poller.register(pipe_r, zmq.POLLIN) if os.path.exists('/etc/lava-server/worker.conf'): self.logger.error( "[FAIL] lava-master must not be run on a remote worker!") self.controler.close(linger=0) self.pull_socket.close(linger=0) context.term() sys.exit(2) self.logger.info("[INIT] LAVA dispatcher-master has started.") self.logger.info("[INIT] Using protocol version %d", PROTOCOL_VERSION) while True: try: try: # TODO: Fix the timeout computation # Wait for data or a timeout sockets = dict(poller.poll(TIMEOUT * 1000)) except zmq.error.ZMQError: continue if sockets.get(pipe_r) == zmq.POLLIN: signum = ord(os.read(pipe_r, 1)) if signum == signal.SIGHUP: self.logger.info( "[POLL] SIGHUP received, restarting loggers") self.logging_support(options["log_file"]) else: self.logger.info("[POLL] Received a signal, leaving") break # Logging socket if sockets.get(self.pull_socket) == zmq.POLLIN: self.logging_socket(options) # Garbage collect file handlers now = time.time() for job_id in self.jobs.keys(): # pylint: disable=consider-iterating-dictionary if now - self.jobs[job_id].last_usage > FD_TIMEOUT: self.logger.info("[%s] Closing log file", job_id) self.jobs[job_id].close() del self.jobs[job_id] # Command socket if sockets.get(self.controler) == zmq.POLLIN: if not self.controler_socket(): continue # Check dispatchers status now = time.time() for hostname, dispatcher in self.dispatchers.iteritems(): if dispatcher.online and now - dispatcher.last_msg > DISPATCHER_TIMEOUT: self.logger.error( "[STATE] Dispatcher <%s> goes OFFLINE", hostname) self.dispatchers[hostname].online = False # TODO: DB: mark the dispatcher as offline and attached # devices # Limit accesses to the database. This will also limit the rate of # CANCEL and START messages if now - last_db_access > DB_LIMIT: last_db_access = now # TODO: make this atomic # Dispatch pipeline jobs with devices in Reserved state self.process_jobs(options) # Handle canceling jobs self.handle_canceling() except (OperationalError, InterfaceError): self.logger.info("[RESET] database connection reset.") continue # Closing sockets and droping messages. self.logger.info("[CLOSE] Closing the sockets and dropping messages") self.controler.close(linger=0) self.pull_socket.close(linger=0) if options['encrypt']: auth.stop() context.term()
def secure_srv(q_param, q_mgmt): #on thread start create current crypto key local = os.urandom(crypto_secretbox_KEYBYTES) # These directories are generated by the generate_certificates script base_dir = os.path.dirname(__file__) public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') if not (os.path.exists(public_keys_dir) and os.path.exists(secret_keys_dir)): logging.critical("Certificates are missing - add certificat first") sys.exit(1) ctx = zmq.Context() # Start an authenticator for this context. auth = ThreadAuthenticator(context=ctx, encoding='utf-8') auth.start() # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.PUB) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate( server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True server.bind('tcp://*:5556') while (True): if not q_mgmt.empty(): print "we rcv a mgmt msg" msg = q_mgmt.get() if msg.action == 0: print "we have to restart auth" auth.stop() auth = ThreadAuthenticator(context=ctx, encoding='utf-8') auth.start() auth.configure_curve(domain='*', location=public_keys_dir) print "Auth restarted" if not q_param.empty(): print "we rcv a param msg" p = q_param.get() if p.t == 0: local = p.v #send new parameters with seq s_snd = struct.Struct('! B B H H H I') data = s_snd.pack(1, 6, 4, len(p.v), p.t, p.seq) server.send(data + str(p.v)) #loop send key+seq if no new params key_param = Params(0, local, random.randint(0, max_int32_seq)) s_snd = struct.Struct('! B B H H H I') data = s_snd.pack(1, 6, 4, len(key_param.v), key_param.t, key_param.seq) server.send(data + str(key_param.v)) time.sleep(2) # avoid "as fast as possible" loop # stop auth thread auth.stop() # stop zmq context ctx.destroy() return
def handle(self, *args, **options): if options['level'] == 'ERROR': self.logger.setLevel(logging.ERROR) elif options['level'] == 'WARN': self.logger.setLevel(logging.WARN) elif options['level'] == 'INFO': self.logger.setLevel(logging.INFO) else: self.logger.setLevel(logging.DEBUG) auth = None # Create the sockets context = zmq.Context() self.pull_socket = context.socket(zmq.PULL) self.controler = context.socket(zmq.ROUTER) if options['encrypt']: self.logger.info("Starting encryption") try: auth = ThreadAuthenticator(context) auth.start() self.logger.debug("Opening master certificate: %s", options['master_cert']) master_public, master_secret = zmq.auth.load_certificate(options['master_cert']) self.logger.debug("Using slaves certificates from: %s", options['slaves_certs']) auth.configure_curve(domain='*', location=options['slaves_certs']) except IOError as err: self.logger.error(err) auth.stop() return self.controler.curve_publickey = master_public self.controler.curve_secretkey = master_secret self.controler.curve_server = True self.pull_socket.curve_publickey = master_public self.pull_socket.curve_secretkey = master_secret self.pull_socket.curve_server = True self.pull_socket.bind(options['log_socket']) self.controler.bind(options['master_socket']) # Last access to the database for new jobs and cancelations last_db_access = 0 # Poll on the sockets (only one for the moment). This allow to have a # nice timeout along with polling. poller = zmq.Poller() poller.register(self.pull_socket, zmq.POLLIN) poller.register(self.controler, zmq.POLLIN) # Mask signals and create a pipe that will receive a bit for each # signal received. Poll the pipe along with the zmq socket so that we # can only be interupted while reading data. (pipe_r, pipe_w) = os.pipe() flags = fcntl.fcntl(pipe_w, fcntl.F_GETFL, 0) fcntl.fcntl(pipe_w, fcntl.F_SETFL, flags | os.O_NONBLOCK) def signal_to_pipe(signumber, _): # Send the signal number on the pipe os.write(pipe_w, chr(signumber)) signal.signal(signal.SIGHUP, signal_to_pipe) signal.signal(signal.SIGINT, signal_to_pipe) signal.signal(signal.SIGTERM, signal_to_pipe) signal.signal(signal.SIGQUIT, signal_to_pipe) poller.register(pipe_r, zmq.POLLIN) if os.path.exists('/etc/lava-server/worker.conf'): self.logger.error("[FAIL] lava-master must not be run on a remote worker!") self.controler.close(linger=0) self.pull_socket.close(linger=0) context.term() sys.exit(2) self.logger.info("[INIT] LAVA dispatcher-master has started.") self.logger.info("[INIT] Using protocol version %d", PROTOCOL_VERSION) while True: try: try: # TODO: Fix the timeout computation # Wait for data or a timeout sockets = dict(poller.poll(TIMEOUT * 1000)) except zmq.error.ZMQError: continue if sockets.get(pipe_r) == zmq.POLLIN: signum = ord(os.read(pipe_r, 1)) if signum == signal.SIGHUP: self.logger.info("[POLL] SIGHUP received, restarting loggers") self.logging_support() else: self.logger.info("[POLL] Received a signal, leaving") break # Logging socket if sockets.get(self.pull_socket) == zmq.POLLIN: self.logging_socket(options) # Garbage collect file handlers now = time.time() for job_id in self.logs.keys(): # pylint: disable=consider-iterating-dictionary if now - self.logs[job_id].last_usage > FD_TIMEOUT: self.logger.info("[%s] Closing log file", job_id) self.logs[job_id].close() del self.logs[job_id] # Command socket if sockets.get(self.controler) == zmq.POLLIN: if not self.controler_socket(): continue # Check dispatchers status now = time.time() for hostname, dispatcher in self.dispatchers.iteritems(): if dispatcher.online and now - dispatcher.last_msg > DISPATCHER_TIMEOUT: self.logger.error("[STATE] Dispatcher <%s> goes OFFLINE", hostname) self.dispatchers[hostname].online = False # TODO: DB: mark the dispatcher as offline and attached # devices # Limit accesses to the database. This will also limit the rate of # CANCEL and START messages if now - last_db_access > DB_LIMIT: last_db_access = now # TODO: make this atomic # Dispatch pipeline jobs with devices in Reserved state self.process_jobs(options) # Handle canceling jobs self.handle_canceling() except (OperationalError, InterfaceError): self.logger.info("[RESET] database connection reset.") continue # Closing sockets and droping messages. self.logger.info("[CLOSE] Closing the sockets and dropping messages") self.controler.close(linger=0) self.pull_socket.close(linger=0) if options['encrypt']: auth.stop() context.term()
async def run(): ''' Run Ironhouse example ''' # These directories are generated by the generate_certificates script base_dir = Path(__file__).parent keys_dir = base_dir / 'certificates' public_keys_dir = base_dir / 'public_keys' secret_keys_dir = base_dir / 'private_keys' if not keys_dir.is_dir() or not public_keys_dir.is_dir( ) or not secret_keys_dir.is_dir(): logging.critical( "Certificates are missing - run generate_certificates.py script first" ) sys.exit(1) ctx = Context.instance() # Start an authenticator for this context. auth = AsyncioAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.PUSH) server_secret_file = secret_keys_dir / "server.key_secret" server_public, server_secret = zmq.auth.load_certificate( server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind server.bind('tcp://*:9000') client = ctx.socket(zmq.PULL) # We need two certificates, one for the client and one for # the server. The client must know the server's public key # to make a CURVE connection. client_secret_file = secret_keys_dir / "client.key_secret" client_public, client_secret = zmq.auth.load_certificate( client_secret_file) client.curve_secretkey = client_secret client.curve_publickey = client_public server_public_file = public_keys_dir / "server.key" server_public, _ = zmq.auth.load_certificate(server_public_file) # The client must know the server's public key to make a CURVE connection. client.curve_serverkey = server_public client.connect('tcp://127.0.0.1:9000') await server.send(b"Hello") if await client.poll(1000): msg = await client.recv() if msg == b"Hello": logging.info("Ironhouse test OK") else: logging.error("Ironhouse test FAIL") # close sockets server.close() client.close() # stop auth task auth.stop()
def test_curve(self): """test threaded auth - CURVE""" self.auth = auth = zmq.auth.ThreadedAuthenticator(self.context) auth.start() # Create temporary CURVE keypairs for this test run. We create all keys in a # temp directory and then move them into the appropriate private or public # directory. base_dir = tempfile.mkdtemp() keys_dir = os.path.join(base_dir, "certificates") public_keys_dir = os.path.join(base_dir, "public_keys") secret_keys_dir = os.path.join(base_dir, "private_keys") os.mkdir(keys_dir) os.mkdir(public_keys_dir) os.mkdir(secret_keys_dir) server_public_file, server_secret_file = zmq.auth.create_certificates(keys_dir, "server") client_public_file, client_secret_file = zmq.auth.create_certificates(keys_dir, "client") for key_file in os.listdir(keys_dir): if key_file.endswith(".key"): shutil.move(os.path.join(keys_dir, key_file), os.path.join(public_keys_dir, ".")) for key_file in os.listdir(keys_dir): if key_file.endswith(".key_secret"): shutil.move(os.path.join(keys_dir, key_file), os.path.join(secret_keys_dir, ".")) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") client_secret_file = os.path.join(secret_keys_dir, "client.key_secret") server_public, server_secret = zmq.auth.load_certificate(server_secret_file) client_public, client_secret = zmq.auth.load_certificate(client_secret_file) auth.allow("127.0.0.1") # Try CURVE authentication - without configuring server, connection should fail server = self.socket(zmq.PUSH) server.curve_publickey = server_public server.curve_secretkey = server_secret server.curve_server = True client = self.socket(zmq.PULL) client.curve_publickey = client_public client.curve_secretkey = client_secret client.curve_serverkey = server_public self.assertFalse(self.can_connect(server, client)) client.close() server.close() # Try CURVE authentication - with server configured to CURVE_ALLOW_ANY, connection should pass auth.configure_curve(domain="*", location=zmq.auth.CURVE_ALLOW_ANY) server = self.socket(zmq.PUSH) server.curve_publickey = server_public server.curve_secretkey = server_secret server.curve_server = True client = self.socket(zmq.PULL) client.curve_publickey = client_public client.curve_secretkey = client_secret client.curve_serverkey = server_public self.assertTrue(self.can_connect(server, client)) client.close() server.close() # Try CURVE authentication - with server configured, connection should pass auth.configure_curve(domain="*", location=public_keys_dir) server = self.socket(zmq.PUSH) server.curve_publickey = server_public server.curve_secretkey = server_secret server.curve_server = True client = self.socket(zmq.PULL) client.curve_publickey = client_public client.curve_secretkey = client_secret client.curve_serverkey = server_public self.assertTrue(self.can_connect(server, client)) client.close() server.close() # Remove authenticator and check that a normal connection works auth.stop() del auth # Try connecting using NULL and no authentication enabled, connection should pass server = self.socket(zmq.PUSH) client = self.socket(zmq.PULL) self.assertTrue(self.can_connect(server, client)) client.close() server.close() shutil.rmtree(base_dir)
async def run(): ''' Run Ironhouse example ''' # These directories are generated by the generate_certificates script base_dir = Path(__file__).parent keys_dir = base_dir / 'certificates' public_keys_dir = base_dir / 'public_keys' secret_keys_dir = base_dir / 'private_keys' if ( not keys_dir.is_dir() or not public_keys_dir.is_dir() or not secret_keys_dir.is_dir() ): logging.critical( "Certificates are missing - run generate_certificates.py script first" ) sys.exit(1) ctx = Context.instance() # Start an authenticator for this context. auth = AsyncioAuthenticator(ctx) auth.start() auth.allow('127.0.0.1') # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.ROUTER) server_secret_file = secret_keys_dir / "server.key_secret" server_public, server_secret = zmq.auth.load_certificate(server_secret_file) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True # must come before bind server.bind('tcp://*:9000') client = ctx.socket(zmq.DEALER) # We need two certificates, one for the client and one for # the server. The client must know the server's public key # to make a CURVE connection. client_secret_file = secret_keys_dir / "client.key_secret" client_public, client_secret = zmq.auth.load_certificate(client_secret_file) client.curve_secretkey = client_secret client.curve_publickey = client_public server_public_file = public_keys_dir / "server.key" server_public, _ = zmq.auth.load_certificate(server_public_file) # The client must know the server's public key to make a CURVE connection. client.curve_serverkey = server_public client.connect('tcp://127.0.0.1:9000') await client.send(b"Hello") if await server.poll(1000): # use copy=False to allow access to message properties via the zmq.Frame API # default recv(copy=True) returns only bytes, discarding properties identity, msg = await server.recv_multipart(copy=False) logging.info(f"Received {msg.bytes} from {msg['User-Id']!r}") if msg.bytes == b"Hello": logging.info("Ironhouse test OK") else: logging.error("Ironhouse test FAIL") # close sockets server.close() client.close() # stop auth task auth.stop()
import zmq import zmq.auth from zmq.auth.thread import ThreadAuthenticator context = zmq.Context() server = context.socket(zmq.REP) auth = ThreadAuthenticator(context) auth.start() auth.allow('127.0.0.1') auth.configure_plain(domain='*', passwords={'admin': 'password'}) server.plain_server = True server.setsockopt(zmq.PLAIN_SERVER, 1) server.connect('tcp://127.0.0.1:5556') msg = server.recv_string() server.send(b'Authenticated') auth.stop()
def secure_srv(q_param, q_mgmt): #on thread start create current crypto key local = os.urandom(crypto_secretbox_KEYBYTES) # These directories are generated by the generate_certificates script base_dir = os.path.dirname(__file__) public_keys_dir = os.path.join(base_dir, 'public_keys') secret_keys_dir = os.path.join(base_dir, 'private_keys') if not(os.path.exists(public_keys_dir) and os.path.exists(secret_keys_dir)): logging.critical("Certificates are missing - add certificat first") sys.exit(1) ctx = zmq.Context() # Start an authenticator for this context. auth = ThreadAuthenticator(context=ctx, encoding='utf-8') auth.start() # Tell authenticator to use the certificate in a directory auth.configure_curve(domain='*', location=public_keys_dir) server = ctx.socket(zmq.PUB) server_secret_file = os.path.join(secret_keys_dir, "server.key_secret") server_public, server_secret = zmq.auth.load_certificate( server_secret_file ) server.curve_secretkey = server_secret server.curve_publickey = server_public server.curve_server = True server.bind('tcp://*:5556') while(True): if not q_mgmt.empty(): print "we rcv a mgmt msg" msg = q_mgmt.get() if msg.action == 0: print "we have to restart auth" auth.stop() auth = ThreadAuthenticator(context=ctx, encoding='utf-8') auth.start() auth.configure_curve(domain='*', location=public_keys_dir) print "Auth restarted" if not q_param.empty(): print "we rcv a param msg" p = q_param.get() if p.t == 0: local = p.v #send new parameters with seq s_snd = struct.Struct('! B B H H H I') data = s_snd.pack(1, 6, 4, len(p.v), p.t, p.seq) server.send(data+str(p.v)) #loop send key+seq if no new params key_param = Params(0, local, random.randint(0, max_int32_seq)) s_snd = struct.Struct('! B B H H H I') data = s_snd.pack( 1, 6, 4, len(key_param.v), key_param.t, key_param.seq ) server.send(data+str(key_param.v)) time.sleep(2) # avoid "as fast as possible" loop # stop auth thread auth.stop() # stop zmq context ctx.destroy() return