From d42030d39800b930634dba1efafcf43959c40205 Mon Sep 17 00:00:00 2001
From: Corentin LABBE
Date: Wed, 4 Jul 2018 14:45:58 +0200
Subject: Handle ZMQ auth

This patch add support for using ZMQ auth. Basicly adding "zmq_auth: True" to a master is sufficient to enable it. Since "ZMQ certificates" are using a custom format (vs X509 classic), we need to use the custom generator. For helping with that a temporary docker is generated which handle generating thoses files.
---
 lavalab-gen.py | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
(limited to 'lavalab-gen.py')
diff --git a/lavalab-gen.py b/lavalab-gen.py
index e0c1c16..a642400 100755
--- a/lavalab-gen.py
+++ b/lavalab-gen.py
@@ -12,7 +12,7 @@ import shutil
 boards_yaml = "boards.yaml"
 tokens_yaml = "tokens.yaml"
 baud_default = 115200
-
+
 template_conmux = string.Template("""#
 # auto-generated by lavalab-gen.py for ${board}
 #
@@ -74,18 +74,20 @@ template_settings_conf = string.Template("""
 """)
 def main():
+ need_zmq_auth_gen = False
 fp = open(boards_yaml, "r")
 workers = yaml.load(fp)
 fp.close()
 os.mkdir("output")
+ zmq_auth_genlist = open("zmqauth/zmq_auth_gen/zmq_genlist", 'w')
 if "masters" not in workers:
 print("Missing masters entry in boards.yaml")
 sys.exit(1)
 masters = workers["masters"]
 for master in masters:
- keywords_master = [ "name", "type", "host", "users", "tokens", "webadmin_https", "persistent_db" ]
+ keywords_master = [ "name", "type", "host", "users", "tokens", "webadmin_https", "persistent_db", "zmq_auth", "zmq_auth_key", "zmq_auth_key_secret" ]
 for keyword in master:
 if not keyword in keywords_master:
 print("WARNING: unknown keyword %s" % keyword)
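Review bot: The list file `zmqauth/zmq_auth_gen/zmq_genlist` is opened for writing near the top of main() on every run, before the `masters` check, so it is truncated even when no master sets `zmq_auth`, and the handle stays open on the `sys.exit(1)` paths that follow. The open also assumes that `zmqauth/zmq_auth_gen` exists relative to the current working directory; nothing visible in this hunk creates it. Collecting the entries in a list (`zmq_auth_pairs = []`) and writing the file with `with open(...) as f:` only when `need_zmq_auth_gen` is set would avoid both. main() continues outside this hunk.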
@@ -139,6 +141,16 @@ def main():
 fsettings = open("%s/settings.conf" % workerdir, 'w')
 fsettings.write(template_settings_conf.substitute(cookie_secure=cookie_secure, session_cookie_secure=session_cookie_secure))
 fsettings.close()
+ master_use_zmq_auth = False
+ if "zmq_auth" in worker:
+ master_use_zmq_auth = True
+ if master_use_zmq_auth:
+ if "zmq_auth_key" in worker:
+ shutil.copy(worker["zmq_auth_key"], "%s/zmq_auth/" % workerdir)
+ shutil.copy(worker["zmq_auth_key_secret"], "%s/zmq_auth/" % workerdir)
+ else:
+ zmq_auth_genlist.write("%s/%s\n" % (host, name))
+ need_zmq_auth_gen = True
 if "users" in worker:
 for user in worker["users"]:
 keywords_users = [ "name", "staff", "superuser", "password", "token" ]
@@ -195,7 +207,7 @@ def main():
 sys.exit(1)
 slaves = workers["slaves"]
 for slave in slaves:
- keywords_slaves = [ "name", "host", "dispatcher_ip", "remote_user", "remote_master", "remote_address", "remote_rpc_port", "remote_proto", "extra_actions" ]
+ keywords_slaves = [ "name", "host", "dispatcher_ip", "remote_user", "remote_master", "remote_address", "remote_rpc_port", "remote_proto", "extra_actions", "zmq_auth_key", "zmq_auth_key_secret" ]
 for keyword in slave:
 if not keyword in keywords_slaves:
 print("WARNING: unknown keyword %s" % keyword)
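Review bot: In the added master block, `worker["zmq_auth_key_secret"]` is read whenever `zmq_auth_key` is present, so an entry that supplies only the public key ends in a bare KeyError after part of the output tree has been written. A check such as `if "zmq_auth_key_secret" not in worker: print("zmq_auth_key requires zmq_auth_key_secret"); sys.exit(1)` would match how the script reports other configuration errors. `if "zmq_auth" in worker` tests only for the key's presence, so `zmq_auth: False` still enables the feature, which differs from the "zmq_auth: True" wording in the commit message; either test the value or document that. The secret key is copied into `%s/zmq_auth/` with `shutil.copy`, which keeps the source file's mode, so a comment that this directory holds private key material and must not be world-readable or committed would help. The hunk does not show where `zmq_auth/` under `workerdir` is created.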
@@ -264,6 +276,17 @@ def main():
 for fuser in fm["users"]:
 if fuser["name"] == remote_user:
 remote_token = fuser["token"]
+ if "zmq_auth" in fm:
+ if "zmq_auth_key" in fm:
+ shutil.copy(fm["zmq_auth_key"], "%s/zmq_auth/" % workerdir)
+ if "zmq_auth_key" in worker:
+ shutil.copy(worker["zmq_auth_key"], "%s/zmq_auth/" % workerdir)
+ shutil.copy(worker["zmq_auth_key_secret"], "%s/zmq_auth/" % workerdir)
+ if "zmq_auth_key" in fm:
+ shutil.copy(worker["zmq_auth_key"], "output/%s/%s/zmq_auth/" % (fm["host"], fm["name"]))
+ else:
+ zmq_auth_genlist.write("%s/%s %s/%s\n" % (host, name, fm["host"], fm["name"]))
+ need_zmq_auth_gen = True
 if remote_token is "BAD":
 print("Cannot find %s on %s" % (remote_user, remote_master))
 sys.exit(1)
@@ -416,6 +439,10 @@ def main():
 fp.close()
 with open(dockcomposeymlpath, 'w') as f:
 yaml.dump(dockcomp, f)
+ zmq_auth_genlist.close()
+ if need_zmq_auth_gen:
+ print("Gen ZMQ auth files")
+ subprocess.check_call(["./zmqauth/zmq_auth_fill.sh"], stdin=None)
 if __name__ == "__main__":
--
cgit 1.2.3-korg
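Review bot: The values in `zmq_auth_genlist.write("%s/%s %s/%s\n" % (host, name, fm["host"], fm["name"]))` and in the `"output/%s/%s/zmq_auth/"` copy target come straight from boards.yaml without validation. Because the list format is space-separated, a host or name containing whitespace, `/` or `..` would corrupt the list or move the copy outside the intended directory; the master-side write in the hunk at -139 has the same exposure. Rejecting values that contain whitespace or for which `os.path.basename(x) != x` before they are used would close this. As on the master side, `worker["zmq_auth_key_secret"]` raises KeyError when only `zmq_auth_key` is set. Indentation is not recoverable from this page, so it is unclear which `if` the `else:` pairs with; please confirm that the case of a slave with its own key and a master with a generated key still gets the slave's public key to the master.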
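Review bot: `subprocess.check_call(["./zmqauth/zmq_auth_fill.sh"], stdin=None)` resolves the script against the current working directory. Running lavalab-gen.py from another directory therefore executes whatever `zmqauth/zmq_auth_fill.sh` exists there, or fails only after the whole output tree has been generated. Building the path from the script's own location, `os.path.join(os.path.dirname(os.path.abspath(__file__)), "zmqauth", "zmq_auth_fill.sh")`, removes that dependency, and `stdin=None` is the default and can be dropped. The import block is outside this hunk, so confirm that `subprocess` is imported at the top of the file.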