async def run(self):
authenticator = AsyncioAuthenticator(self.context)
authenticator.start()
asyncio.create_task(
self.monitor_certificates(authenticator, self.public_keys_dir))
self.socket = self.context.socket(zmq.ROUTER)
self.socket.curve_secretkey = self.secret_key
self.socket.curve_publickey = self.public_key
self.socket.curve_server = True
self.socket.bind(f'tcp://0.0.0.0:{self.port}')
logging.info(f'Listening on tunnel port {self.port}')
while True:
msg = await self.socket.recv_multipart()
addr = msg[0]
request = msg[2:]
cmd = request[0]
if addr not in self.liveness:
asyncio.create_task(self.create_session(addr))
if cmd == RELAY:
asyncio.create_task(self.to_client(addr, *request[1:]))
self.liveness[addr] = self.heartbeat_liveness
authenticator.stop()
class SocketAuthenticator:
def __init__(self,
ctx: zmq.asyncio.Context,
loop=asyncio.get_event_loop(),
domain='*',
cert_dir=CERT_DIR,
debug=True):
# Create the directory if it doesn't exist
self.cert_dir = pathlib.Path.home() / cert_dir
self.cert_dir.mkdir(parents=True, exist_ok=True)
self.ctx = ctx
self.domain = domain
self.loop = loop
self.log = get_logger('zmq.auth')
self.log.propagate = debug
# This should throw an exception if the socket already exist
try:
self.authenticator = AsyncioAuthenticator(context=self.ctx,
loop=self.loop)
self.authenticator.start()
self.authenticator.configure_curve(domain=self.domain,
location=self.cert_dir)
except ZMQBaseError:
pass
#raise Exception('AsyncioAuthenicator could not be started. Is it already running?')
def add_governance_sockets(self, masternode_list, on_deck_masternode,
delegate_list, on_deck_delegate):
self.flush_all_keys()
for mn in masternode_list:
self.add_verifying_key(mn)
for dl in delegate_list:
self.add_verifying_key(dl)
if on_deck_masternode is not None:
self.add_verifying_key(on_deck_masternode)
if on_deck_delegate is not None:
self.add_verifying_key(on_deck_delegate)
self.authenticator.configure_curve(domain=self.domain,
location=self.cert_dir)
def add_verifying_key(self, vk: bytes):
# Convert to bytes if hex string
if isinstance(vk, str):
vk = bytes.fromhex(vk)
try:
pk = crypto_sign_ed25519_pk_to_curve25519(vk)
# Error is thrown if the VK is not within the possibility space of the ED25519 algorithm
except RuntimeError:
print('no go')
return
zvk = z85.encode(pk).decode('utf-8')
_write_key_file(self.cert_dir / f'{vk.hex()}.key',
banner=_cert_public_banner,
public_key=zvk)
def flush_all_keys(self):
shutil.rmtree(str(self.cert_dir))
self.cert_dir.mkdir(parents=True, exist_ok=True)
class SocketAuthenticator:
def __init__(self, client: ContractingClient, ctx: zmq.asyncio.Context, bootnodes: dict={},
loop=asyncio.get_event_loop(), domain='*', cert_dir=CERT_DIR, debug=False):
# Create the directory if it doesn't exist
self.client = client
self.cert_dir = pathlib.Path.home() / cert_dir
self.cert_dir.mkdir(parents=True, exist_ok=True)
self.ctx = ctx
self.domain = domain
self.loop = loop
self.log = get_logger('zmq.auth')
self.log.propagate = debug
self.bootnodes = bootnodes
# This should throw an exception if the socket already exist
try:
self.authenticator = AsyncioAuthenticator(context=self.ctx, loop=self.loop)
self.authenticator.start()
except ZMQBaseError:
self.log.error('Error starting ZMQ Authenticator. Is it already running?')
finally:
for node in bootnodes.keys():
self.add_verifying_key(node)
self.authenticator.configure_curve(domain=self.domain, location=self.cert_dir)
def refresh_governance_sockets(self):
masternode_list = self.client.get_var(
contract='masternodes',
variable='S',
arguments=['members']
)
delegate_list = self.client.get_var(
contract='delegates',
variable='S',
arguments=['members']
)
self.flush_all_keys()
for mn in masternode_list:
self.add_verifying_key(mn)
for dl in delegate_list:
self.add_verifying_key(dl)
self.log.info(f'Refreshing keys for {len(masternode_list)} masters and {len(delegate_list)} delegates.')
self.authenticator.configure_curve(domain=self.domain, location=self.cert_dir)
def add_verifying_key(self, vk: str):
# Convert to bytes if hex string
bvk = bytes.fromhex(vk)
try:
pk = crypto_sign_ed25519_pk_to_curve25519(bvk)
# Error is thrown if the VK is not within the possibility space of the ED25519 algorithm
except RuntimeError:
self.log.error('ED25519 Cryptographic error. The key provided is not within the cryptographic key space.')
return
zvk = z85.encode(pk).decode('utf-8')
_write_key_file(self.cert_dir / f'{vk}.key', banner=_cert_public_banner, public_key=zvk)
def flush_all_keys(self):
shutil.rmtree(str(self.cert_dir))
self.cert_dir.mkdir(parents=True, exist_ok=True)
def configure(self):
self.authenticator.configure_curve(domain=self.domain, location=self.cert_dir)
class Server:
"""
Server that accepts JSON RPC calls through a socket.
"""
def __init__(self,
rpc_spec: RPCSpec = None,
announce_timing: bool = False,
serialize_exceptions: bool = True,
auth_config: Optional[ServerAuthConfig] = None):
"""
Create a server that will be linked to a socket
:param rpc_spec: JSON RPC spec
:param announce_timing:
:param serialize_exceptions: If set to True, this Server will catch all exceptions occurring
internally to it and, when possible, communicate them to the interrogating Client. If
set to False, this Server will re-raise any exceptions it encounters (including, but not
limited to, those which might occur through method calls to rpc_spec) for Server's
local owner to handle.
IMPORTANT NOTE: When set to False, this *almost definitely* means an unrecoverable
crash, and the Server should then be _shutdown().
:param auth_config: The configuration values necessary to enable Curve ZeroMQ authentication.
These must be provided at instantiation, so they are available between the creation of the
context and socket.
"""
self.announce_timing = announce_timing
self.serialize_exceptions = serialize_exceptions
self.rpc_spec = rpc_spec if rpc_spec else RPCSpec(
serialize_exceptions=serialize_exceptions)
self._exit_handlers = []
self._socket = None
self._auth_config = auth_config
self._authenticator = None
self._preloaded_keys = None
def rpc_handler(self, f: Callable):
"""
Add a function to the server. It will respond to JSON RPC requests with the corresponding method name.
This can be used as both a side-effecting function or as a decorator.
:param f: Function to add
:return: Function wrapper (so it can be used as a decorator)
"""
return self.rpc_spec.add_handler(f)
def exit_handler(self, f: Callable):
"""
Add an exit handler - a function which will be called when the server shuts down.
:param f: Function to add
"""
self._exit_handlers.append(f)
async def recv_multipart(self):
if self.auth_enabled:
return await self.recv_multipart_with_auth()
else:
# If auth is not enabled, then the client "User-Id" will not be retrieved from
# the frames received, and we return None for that value.
return (*await self._socket.recv_multipart(), None)
async def recv_multipart_with_auth(self) -> Tuple[bytes, list, bytes]:
"""
Code taken from pyzmq itself: https://github.com/zeromq/pyzmq/blob/master/zmq/sugar/socket.py#L449
and then adapted to allow us to access the information in the frames.
When copy=True, only the contents of the messages are returned, rather than the messages themselves.
The message is necessary to be able to fetch the "User-Id", which is the public key the client used
to connect to this socket.
When using auth, knowing which client sent which message is important for authentication, and so
we reimplement recv_multipart here, and return the client key as the final member of a tuple
"""
copy = False
# Given a ROUTER socket, the first frame will be the sender's identity.
# While, per the docs, this _should_ be retrievable from any frame with
# frame.get('Identity'), in practice this value was always blank.
# If we don't record the identity value, messages cannot be returned to
# the correct client.
identity_frame = await self._socket.recv(0, copy=copy, track=False)
identity = identity_frame.bytes
# The client_id is the public key the client used to establish this connection
# It can be retrieved from all frames after the first. Here, we assume it
# is the same among all frames, and set it to the value from the first frame
client_key = None
# After the identity frame, we assemble all further frames in a single buffer.
parts = bytearray(b'')
while self._socket.getsockopt(zmq.RCVMORE):
part = await self._socket.recv(0, copy=copy, track=False)
data = part.bytes
if client_key is None:
client_key = part.get('User-Id')
if not isinstance(client_key,
bytes) and client_key is not None:
client_key = client_key.encode('utf-8')
parts += data
_log.debug(
f'Received authenticated request from client_key {client_key}')
return (identity, parts, client_key)
async def run_async(self, endpoint: str):
"""
Run server main task (asynchronously).
:param endpoint: Socket endpoint to listen to, e.g. "tcp://*:1234"
"""
self._connect(endpoint)
# spawn an initial listen task
listen_task = asyncio.ensure_future(self.recv_multipart())
task_list = [listen_task]
while True:
dones, pendings = await asyncio.wait(
task_list, return_when=asyncio.FIRST_COMPLETED)
# grab one "done" task to handle
task_list, done_list = list(pendings), list(dones)
done = done_list.pop()
task_list += done_list
if done == listen_task:
try:
# empty_frame may either be:
# 1. a single null frame if the client is a REQ socket
# 2. an empty list (ie. no frames) if the client is a DEALER socket
identity, *empty_frame, msg, client_key = done.result()
request = from_msgpack(msg)
request.params['client_key'] = client_key
# spawn a processing task
task_list.append(
asyncio.ensure_future(
self._process_request(identity, empty_frame,
request)))
except Exception as e:
if self.serialize_exceptions:
_log.exception(
'Exception thrown in Server run loop during request '
'reception: {}'.format(repr(e)))
else:
raise e
finally:
# spawn a new listen task
listen_task = asyncio.ensure_future(self.recv_multipart())
task_list.append(listen_task)
else:
# if there's been an exception during processing, consider reraising it
try:
done.result()
except Exception as e:
if self.serialize_exceptions:
_log.exception(
'Exception thrown in Server run loop during request '
'dispatch: {}'.format(repr(e)))
else:
raise e
def run(self, endpoint: str, loop: AbstractEventLoop = None):
"""
Run server main task.
:param endpoint: Socket endpoint to listen to, e.g. "tcp://*:1234"
:param loop: Event loop to run server in (alternatively just use run_async method)
"""
if not loop:
loop = asyncio.get_event_loop()
try:
loop.run_until_complete(self.run_async(endpoint))
except KeyboardInterrupt:
self._shutdown()
def stop(self):
"""
DEPRECATED
"""
pass
def _shutdown(self):
"""
Shut down the server.
"""
for exit_handler in self._exit_handlers:
exit_handler()
if self._socket:
self._socket.close()
self._socket = None
def _connect(self, endpoint: str):
"""
Connect the server to an endpoint. Creates a ZMQ ROUTER socket for the given endpoint.
:param endpoint: Socket endpoint, e.g. "tcp://*:1234"
"""
if self._socket:
raise RuntimeError(
'Cannot run multiple Servers on the same socket')
context = zmq.asyncio.Context()
self._socket = context.socket(zmq.ROUTER)
self.start_auth(context)
self._socket.bind(endpoint)
_log.info("Starting server, listening on endpoint {}".format(endpoint))
async def _process_request(self, identity: bytes, empty_frame: list,
request: RPCRequest):
"""
Executes the method specified in a JSON RPC request and then sends the reply to the socket.
:param identity: Client identity provided by ZeroMQ
:param empty_frame: Either an empty list or a single null frame depending on the client type
:param request: JSON RPC request
"""
try:
_log.debug("Client %s sent request: %s", identity, request)
start_time = datetime.now()
reply = await self.rpc_spec.run_handler(request)
if self.announce_timing:
_log.info("Request {} for {} lasted {} seconds".format(
request.id, request.method,
(datetime.now() - start_time).total_seconds()))
_log.debug("Sending client %s reply: %s", identity, reply)
await self._socket.send_multipart(
[identity, *empty_frame,
to_msgpack(reply)])
except Exception as e:
if self.serialize_exceptions:
_log.exception('Exception thrown in _process_request')
else:
raise e
@property
def auth_configured(self) -> bool:
return (self._auth_config is not None) and isinstance(
self._auth_config.server_secret_key, bytes) and isinstance(
self._auth_config.server_public_key, bytes)
@property
def auth_enabled(self) -> bool:
return bool(self._socket and self._socket.curve_server)
def start_auth(self, context: zmq.Context) -> bool:
"""
Starts the ZMQ auth service thread, enabling authorization on all sockets within this context
"""
if not self.auth_configured:
return False
self._socket.curve_secretkey = self._auth_config.server_secret_key
self._socket.curve_publickey = self._auth_config.server_public_key
self._socket.curve_server = True
self._authenticator = AsyncioAuthenticator(context)
if self._preloaded_keys:
self.set_client_keys(self._preloaded_keys)
else:
self.load_client_keys_from_directory()
self._authenticator.start()
return True
def stop_auth(self) -> bool:
"""
Stops the ZMQ auth service thread, allowing NULL authenticated clients (only) to connect to
all threads within its context
"""
if self._authenticator:
self._socket.curve_server = False
self._authenticator.stop()
return True
else:
return False
def load_client_keys_from_directory(self,
directory: Optional[str] = None
) -> bool:
"""
Reset authorized public key list to those present in the specified directory
"""
# The directory must either be specified at class creation or on each method call
if directory is None:
if self._auth_config.client_keys_directory:
directory = self._auth_config.client_keys_directory
if not directory or not self.auth_configured:
return False
self._authenticator.configure_curve(domain='*', location=directory)
return True
def set_client_keys(self, client_keys: List[bytes]):
"""
Reset authorized public key list to this set. Avoids the disk read required by configure_curve,
and allows keys to be managed externally.
In some cases, keys may be preloaded before the authenticator is started. In this case, we
cache those preloaded keys
"""
if self._authenticator:
_log.debug(f"Authorizer: Setting client keys to {client_keys}")
self._authenticator.certs['*'] = {key: True for key in client_keys}
else:
_log.debug(f"Authorizer: Preloading client keys to {client_keys}")
self._preloaded_keys = client_keys
