authorCorentin LABBE <clabbe@baylibre.com>2018-07-04 14:45:58 +0200
committerCorentin LABBE <clabbe@baylibre.com>2018-07-23 16:20:48 +0200
commitd42030d39800b930634dba1efafcf43959c40205 (patch)
treedd9bc68db2a8e763fc1032503a85ec9342568185 /zmqauth
parent0f09e5c9b89cee21a6ee39db9daf8e17525dd493 (diff)
Handle ZMQ auth
This patch adds support for using ZMQ auth. Basically, adding "zmq_auth: True" to a master is sufficient to enable it. Since "ZMQ certificates" use a custom format (vs classic X509), we need to use the custom generator. To help with that, a temporary docker is generated which handles generating those files.
Diffstat (limited to 'zmqauth')
-rw-r--r--zmqauth/docker-compose.yml6
-rwxr-xr-xzmqauth/zmq_auth_fill.sh7
-rw-r--r--zmqauth/zmq_auth_gen/Dockerfile17
-rwxr-xr-xzmqauth/zmq_auth_gen/create_certificate.py46
-rw-r--r--zmqauth/zmq_auth_gen/zmq_gen.sh23
5 files changed, 99 insertions, 0 deletions
diff --git a/zmqauth/docker-compose.yml b/zmqauth/docker-compose.yml
new file mode 100644
index 0000000..a7147e1
--- /dev/null
+++ b/zmqauth/docker-compose.yml
@@ -0,0 +1,6 @@
+services:
+ master1:
+ build: {context: zmq_auth_gen }
+ hostname: zmqauth_builder
+ volumes: ['../output:/root/output']
+version: '2.0'
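Review bot: The `master1` service gets the whole `../output` tree bind-mounted read-write and has no `user:` key, so the generator presumably runs as root over everything in that tree although it only needs the `zmq_auth` directories. A comment above the service would make that explicit, e.g. `# runs as root; writes keys under ../output/*/zmq_auth and chowns them to the uid stored in zmq_auth_gen/id`. The service name `master1` also does not describe its role, while the hostname `zmqauth_builder` does; using the same name for both would read better.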
diff --git a/zmqauth/zmq_auth_fill.sh b/zmqauth/zmq_auth_fill.sh
new file mode 100755
index 0000000..31d406f
--- /dev/null
+++ b/zmqauth/zmq_auth_fill.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+cd $(dirname $0)
+id -u > zmq_auth_gen/id
+docker-compose build || exit $?
+docker-compose up || exit $?
+docker-compose down --rmi all
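Review bot: `cd $(dirname $0)` is unquoted and unchecked, so when the script path contains a space or the cd fails, `id -u > zmq_auth_gen/id` and the docker-compose calls run in the caller's current directory against whatever compose file is there; use `cd "$(dirname "$0")" || exit 1`. The `|| exit $?` after `docker-compose up` also skips `docker-compose down --rmi all` on failure, which leaves the builder container and image behind. Capturing the status, running `down`, and then exiting with the saved status would keep the cleanup unconditional.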
diff --git a/zmqauth/zmq_auth_gen/Dockerfile b/zmqauth/zmq_auth_gen/Dockerfile
new file mode 100644
index 0000000..46ae47a
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/Dockerfile
@@ -0,0 +1,17 @@
+FROM bitnami/minideb:stretch
+
+RUN apt-get update
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install python3-zmq
+
+COPY create_certificate.py /root/
+RUN chmod 750 /root/create_certificate.py
+RUN mkdir /root/output
+
+COPY id /root/
+
+COPY zmq_gen.sh /root/
+RUN chmod 755 /root/zmq_gen.sh
+COPY zmq_genlist /root/
+
+CMD /root/zmq_gen.sh
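Review bot: `RUN apt-get update` sits in its own layer, so a cached copy of it can be reused with a stale package index when the install line changes later; merge the two as `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install python3-zmq`. This image generates the secret keys, yet `bitnami/minideb:stretch` is a floating tag; pinning it by digest (`FROM bitnami/minideb:stretch@sha256:<digest>`) would fix what the generator is built from. `COPY zmq_genlist /root/` refers to a file that is not added in the visible part of this commit, so the build presumably depends on it being generated beforehand, and a comment naming its producer would help.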
diff --git a/zmqauth/zmq_auth_gen/create_certificate.py b/zmqauth/zmq_auth_gen/create_certificate.py
new file mode 100755
index 0000000..2c4445d
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/create_certificate.py
@@ -0,0 +1,46 @@
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+#
+# Copyright 2016 RĂ©mi Duraffort <remi.duraffort@linaro.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+#
+
+import argparse
+import zmq.auth
+
+
+def main():
+ """
+ Parse options and create the certificate
+ """
+ parser = argparse.ArgumentParser(description="")
+ parser.add_argument("--directory", type=str,
+ default="/etc/lava-dispatcher/certificates.d",
+ help="Directory where to store the certificates")
+ parser.add_argument(type=str, dest="name",
+ help="Name of the certificate")
+ args = parser.parse_args()
+
+ # Create the certificate
+ print("Creating the certificate in %s" % args.directory)
+ zmq.auth.create_certificates(args.directory, args.name)
+ print(" - %s.key" % args.name)
+ print(" - %s.key_secret" % args.name)
+
+
+if __name__ == '__main__':
+ main()
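Review bot: Nothing in `main()` sets the mode of the generated `<name>.key_secret` file, so its permissions presumably follow the process umask, and zmq_gen.sh afterwards only chowns the files. `zmq.auth.create_certificates` returns the public and secret file paths, so the secret can be restricted right after creation with `_, secret_file = zmq.auth.create_certificates(args.directory, args.name)` followed by `os.chmod(secret_file, 0o600)`, plus `import os` at the top. The empty `description=""` passed to `ArgumentParser` could also carry a one-line summary of the tool.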
diff --git a/zmqauth/zmq_auth_gen/zmq_gen.sh b/zmqauth/zmq_auth_gen/zmq_gen.sh
new file mode 100644
index 0000000..8b67280
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/zmq_gen.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+#rm /root/output/*
+while read line
+do
+ NAME=$(echo $line | cut -d' ' -f1 | sed 's,.*/,,')
+ DIR=$(echo $line | cut -d' ' -f1)
+ MASTERDIR=$(echo $line | cut -d' ' -f2)
+ echo "DEBUG: $LINE NAME=$NAME DIR=$DIR"
+ if [ ! -e /root/output/$DIR/zmq_auth/${NAME}.key ];then
+ /root/create_certificate.py $NAME --directory /root/output/$DIR/zmq_auth/ || exit $?
+ else
+ echo "DEBUG: ZMQ files for $NAME already exists"
+ fi
+ if [ ! -z "$MASTERDIR" -a "$MASTERDIR" != "$DIR" ];then
+ MASTERNAME=$(echo $MASTERDIR | sed 's,.*/,,')
+ cp /root/output/$MASTERDIR/zmq_auth/$MASTERNAME.key /root/output/$DIR/zmq_auth/master.key || exit $?
+ cp /root/output/$DIR/zmq_auth/$NAME.key /root/output/$MASTERDIR/zmq_auth/ || exit $?
+ chown $(cat /root/id) /root/output/$MASTERDIR/zmq_auth/* || exit $?
+ fi
+ # All files are generated by root, chown them to the user using the docker
+ chown $(cat /root/id) /root/output/$DIR/zmq_auth/* || exit $?
+done < /root/zmq_genlist
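Review bot: The fields parsed from `/root/zmq_genlist` are expanded unquoted into `cp` and `chown` paths that run as root, so an entry containing whitespace, a glob character or `..` would make those commands act on paths other than the intended `zmq_auth` directory. Quote every expansion, e.g. `chown "$(cat /root/id)" "/root/output/$DIR/zmq_auth/"* || exit $?`, and reject suspicious entries up front with `case "$DIR$MASTERDIR" in *..*) echo "bad entry: $line" >&2; exit 1;; esac`. The debug line prints `$LINE`, which is never set because the loop variable is `line`, so it should read `echo "DEBUG: $line NAME=$NAME DIR=$DIR"`. `read` should be `read -r`, and the `-a` test is better written as `[ -n "$MASTERDIR" ] && [ "$MASTERDIR" != "$DIR" ]`.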