From d42030d39800b930634dba1efafcf43959c40205 Mon Sep 17 00:00:00 2001
From: Corentin LABBE <clabbe@baylibre.com>
Date: Wed, 4 Jul 2018 14:45:58 +0200
Subject: Handle ZMQ auth

This patch add support for using ZMQ auth.
Basicly adding "zmq_auth: True" to a master is sufficient to enable it.
Since "ZMQ certificates" are using a custom format (vs X509 classic), we need to use the custom generator.
For helping with that a temporary docker is generated which handle generating thoses files.
---
 zmqauth/zmq_auth_gen/Dockerfile            | 17 +++++++++++
 zmqauth/zmq_auth_gen/create_certificate.py | 46 ++++++++++++++++++++++++++++++
 zmqauth/zmq_auth_gen/zmq_gen.sh            | 23 +++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 100644 zmqauth/zmq_auth_gen/Dockerfile
 create mode 100755 zmqauth/zmq_auth_gen/create_certificate.py
 create mode 100644 zmqauth/zmq_auth_gen/zmq_gen.sh

(limited to 'zmqauth/zmq_auth_gen')

diff --git a/zmqauth/zmq_auth_gen/Dockerfile b/zmqauth/zmq_auth_gen/Dockerfile
new file mode 100644
index 0000000..46ae47a
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/Dockerfile
@@ -0,0 +1,17 @@
+FROM bitnami/minideb:stretch
+
+RUN apt-get update
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install python3-zmq
+
+COPY create_certificate.py /root/
+RUN chmod 750 /root/create_certificate.py
+RUN mkdir /root/output
+
+COPY id /root/
+
+COPY zmq_gen.sh /root/
+RUN chmod 755 /root/zmq_gen.sh
+COPY zmq_genlist /root/
+
+CMD /root/zmq_gen.sh
diff --git a/zmqauth/zmq_auth_gen/create_certificate.py b/zmqauth/zmq_auth_gen/create_certificate.py
new file mode 100755
index 0000000..2c4445d
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/create_certificate.py
@@ -0,0 +1,46 @@
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+#
+#  Copyright 2016 Rémi Duraffort <remi.duraffort@linaro.org>
+#
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+#  MA 02110-1301, USA.
+#
+
+import argparse
+import zmq.auth
+
+
+def main():
+    """
+    Parse options and create the certificate
+    """
+    parser = argparse.ArgumentParser(description="")
+    parser.add_argument("--directory", type=str,
+                        default="/etc/lava-dispatcher/certificates.d",
+                        help="Directory where to store the certificates")
+    parser.add_argument(type=str, dest="name",
+                        help="Name of the certificate")
+    args = parser.parse_args()
+
+    # Create the certificate
+    print("Creating the certificate in %s" % args.directory)
+    zmq.auth.create_certificates(args.directory, args.name)
+    print(" - %s.key" % args.name)
+    print(" - %s.key_secret" % args.name)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/zmqauth/zmq_auth_gen/zmq_gen.sh b/zmqauth/zmq_auth_gen/zmq_gen.sh
new file mode 100644
index 0000000..8b67280
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/zmq_gen.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+#rm /root/output/*
+while read line
+do
+	NAME=$(echo $line | cut -d' ' -f1 | sed 's,.*/,,')
+	DIR=$(echo $line | cut -d' ' -f1)
+	MASTERDIR=$(echo $line | cut -d' ' -f2)
+	echo "DEBUG: $LINE NAME=$NAME DIR=$DIR"
+	if [ ! -e /root/output/$DIR/zmq_auth/${NAME}.key ];then
+		/root/create_certificate.py $NAME --directory /root/output/$DIR/zmq_auth/ || exit $?
+	else
+		echo "DEBUG: ZMQ files for $NAME already exists"
+	fi
+	if [ ! -z "$MASTERDIR" -a "$MASTERDIR" != "$DIR" ];then
+		MASTERNAME=$(echo $MASTERDIR | sed 's,.*/,,')
+		cp /root/output/$MASTERDIR/zmq_auth/$MASTERNAME.key /root/output/$DIR/zmq_auth/master.key || exit $?
+		cp /root/output/$DIR/zmq_auth/$NAME.key /root/output/$MASTERDIR/zmq_auth/ || exit $?
+		chown $(cat /root/id) /root/output/$MASTERDIR/zmq_auth/* || exit $?
+	fi
+	# All files are generated by root, chown them to the user using the docker
+	chown $(cat /root/id) /root/output/$DIR/zmq_auth/* || exit $?
+done < /root/zmq_genlist
-- 
cgit 1.2.3-korg