author | Corentin LABBE <clabbe@baylibre.com> | 2018-07-04 14:45:58 +0200 |
---|---|---|
committer | Corentin LABBE <clabbe@baylibre.com> | 2018-07-23 16:20:48 +0200 |
commit | d42030d39800b930634dba1efafcf43959c40205 (patch) | |
tree | dd9bc68db2a8e763fc1032503a85ec9342568185 /zmqauth | |
parent | 0f09e5c9b89cee21a6ee39db9daf8e17525dd493 (diff) |
Handle ZMQ auth
This patch adds support for using ZMQ auth.
Basically, adding "zmq_auth: True" to a master is sufficient to enable it.
Since "ZMQ certificates" use a custom format (unlike classic X509), we need to use the custom generator.
To help with that, a temporary docker container is generated, which handles generating those files.
Diffstat (limited to 'zmqauth')
-rw-r--r-- | zmqauth/docker-compose.yml | 6 | ||||
-rwxr-xr-x | zmqauth/zmq_auth_fill.sh | 7 | ||||
-rw-r--r-- | zmqauth/zmq_auth_gen/Dockerfile | 17 | ||||
-rwxr-xr-x | zmqauth/zmq_auth_gen/create_certificate.py | 46 | ||||
-rw-r--r-- | zmqauth/zmq_auth_gen/zmq_gen.sh | 23 |
5 files changed, 99 insertions, 0 deletions
diff --git a/zmqauth/docker-compose.yml b/zmqauth/docker-compose.yml
new file mode 100644
index 0000000..a7147e1
--- /dev/null
+++ b/zmqauth/docker-compose.yml
@@ -0,0 +1,6 @@
+services:
+ master1:
+ build: {context: zmq_auth_gen }
+ hostname: zmqauth_builder
+ volumes: ['../output:/root/output']
+version: '2.0'
diff --git a/zmqauth/zmq_auth_fill.sh b/zmqauth/zmq_auth_fill.sh
new file mode 100755
index 0000000..31d406f
--- /dev/null
+++ b/zmqauth/zmq_auth_fill.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+cd $(dirname $0)
+id -u > zmq_auth_gen/id
+docker-compose build || exit $?
+docker-compose up || exit $?
+docker-compose down --rmi all
diff --git a/zmqauth/zmq_auth_gen/Dockerfile b/zmqauth/zmq_auth_gen/Dockerfile
new file mode 100644
index 0000000..46ae47a
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/Dockerfile
@@ -0,0 +1,17 @@
+FROM bitnami/minideb:stretch
+
+RUN apt-get update
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install python3-zmq
+
+COPY create_certificate.py /root/
+RUN chmod 750 /root/create_certificate.py
+RUN mkdir /root/output
+
+COPY id /root/
+
+COPY zmq_gen.sh /root/
+RUN chmod 755 /root/zmq_gen.sh
+COPY zmq_genlist /root/
+
+CMD /root/zmq_gen.sh
diff --git a/zmqauth/zmq_auth_gen/create_certificate.py b/zmqauth/zmq_auth_gen/create_certificate.py
new file mode 100755
index 0000000..2c4445d
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/create_certificate.py
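Review bot: In zmq_auth_fill.sh the `|| exit $?` after `docker-compose up` is unlikely to catch a failure inside the container, because a plain `up` does not hand back the service's exit status; a failed key generation in zmq_gen.sh would then be followed by `down --rmi all` and a successful exit. Passing the service explicitly, `docker-compose up --exit-code-from master1 || exit $?`, makes the container's status the command's status. Separately, `cd $(dirname $0)` is unquoted and unchecked, so if the cd fails the `id -u > zmq_auth_gen/id` redirect runs against whatever directory the caller was in; `cd "$(dirname "$0")" || exit 1` closes that.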
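Review bot: In the Dockerfile, `RUN apt-get update` sits in its own layer, so a cached copy of that layer can pair a stale package index with the later `apt-get -y install python3-zmq`, and the image that generates the keys either fails to build or gets an outdated package. Combining the two steps avoids this: `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install python3-zmq`. The base `bitnami/minideb:stretch` is also a floating tag; pinning it by digest would make the key-generation image reproducible.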
@@ -0,0 +1,46 @@
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+#
+# Copyright 2016 RĂ©mi Duraffort <remi.duraffort@linaro.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+#
+
+import argparse
+import zmq.auth
+
+
+def main():
+ """
+ Parse options and create the certificate
+ """
+ parser = argparse.ArgumentParser(description="")
+ parser.add_argument("--directory", type=str,
+ default="/etc/lava-dispatcher/certificates.d",
+ help="Directory where to store the certificates")
+ parser.add_argument(type=str, dest="name",
+ help="Name of the certificate")
+ args = parser.parse_args()
+
+ # Create the certificate
+ print("Creating the certificate in %s" % args.directory)
+ zmq.auth.create_certificates(args.directory, args.name)
+ print(" - %s.key" % args.name)
+ print(" - %s.key_secret" % args.name)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/zmqauth/zmq_auth_gen/zmq_gen.sh b/zmqauth/zmq_auth_gen/zmq_gen.sh
new file mode 100644
index 0000000..8b67280
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/zmq_gen.sh
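Review bot: Nothing in `main()` of create_certificate.py restricts access to the generated `<name>.key_secret`; `zmq.auth.create_certificates` appears to write both files under the process's default umask, so the CURVE secret key is probably readable by any user who can reach the output directory. The call returns the two file paths, so the result can be captured and tightened: `_, secret_file = zmq.auth.create_certificates(args.directory, args.name)` followed by `os.chmod(secret_file, 0o600)` (plus `import os`), or an `os.umask(0o077)` before the call. A short comment at that call saying that only the `.key` file is meant to be distributed and the `.key_secret` file stays on the host that owns it would document the intent.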
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+#rm /root/output/*
+while read line
+do
+ NAME=$(echo $line | cut -d' ' -f1 | sed 's,.*/,,')
+ DIR=$(echo $line | cut -d' ' -f1)
+ MASTERDIR=$(echo $line | cut -d' ' -f2)
+ echo "DEBUG: $LINE NAME=$NAME DIR=$DIR"
+ if [ ! -e /root/output/$DIR/zmq_auth/${NAME}.key ];then
+ /root/create_certificate.py $NAME --directory /root/output/$DIR/zmq_auth/ || exit $?
+ else
+ echo "DEBUG: ZMQ files for $NAME already exists"
+ fi
+ if [ ! -z "$MASTERDIR" -a "$MASTERDIR" != "$DIR" ];then
+ MASTERNAME=$(echo $MASTERDIR | sed 's,.*/,,')
+ cp /root/output/$MASTERDIR/zmq_auth/$MASTERNAME.key /root/output/$DIR/zmq_auth/master.key || exit $?
+ cp /root/output/$DIR/zmq_auth/$NAME.key /root/output/$MASTERDIR/zmq_auth/ || exit $?
+ chown $(cat /root/id) /root/output/$MASTERDIR/zmq_auth/* || exit $?
+ fi
+ # All files are generated by root, chown them to the user using the docker
+ chown $(cat /root/id) /root/output/$DIR/zmq_auth/* || exit $?
+done < /root/zmq_genlist |
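Review bot: The debug line in zmq_gen.sh prints `$LINE`, but the loop variable is `line` (`while read line`), so that field is always empty; it should read `echo "DEBUG: $line NAME=$NAME DIR=$DIR"`. The expansions of `$DIR`, `$MASTERDIR` and `$NAME` in the `[ ! -e ... ]`, `cp` and `chown` lines are unquoted and come straight from zmq_genlist, so an entry containing spaces, glob characters or `..` components changes which paths are written and chowned as root; quoting them (for example `"/root/output/$DIR/zmq_auth/${NAME}.key"`) and rejecting entries with `..` would keep all writes inside the mounted output directory. The existence test also checks only `${NAME}.key`, so a missing `.key_secret` is never regenerated, and the final `chown` hands the secret keys to the host user without a matching `chmod 600` on `*.key_secret`.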