From d42030d39800b930634dba1efafcf43959c40205 Mon Sep 17 00:00:00 2001
From: Corentin LABBE
Date: Wed, 4 Jul 2018 14:45:58 +0200
Subject: Handle ZMQ auth
This patch add support for using ZMQ auth. Basicly adding "zmq_auth: True" to a master is sufficient to enable it. Since "ZMQ certificates" are using a custom format (vs X509 classic), we need to use the custom generator. For helping with that a temporary docker is generated which handle generating thoses files.
---
 zmqauth/zmq_auth_gen/Dockerfile | 17 +++++++++++
 zmqauth/zmq_auth_gen/create_certificate.py | 46 ++++++++++++++++++++++++++++++
 zmqauth/zmq_auth_gen/zmq_gen.sh | 23 +++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 100644 zmqauth/zmq_auth_gen/Dockerfile
 create mode 100755 zmqauth/zmq_auth_gen/create_certificate.py
 create mode 100644 zmqauth/zmq_auth_gen/zmq_gen.sh
(limited to 'zmqauth/zmq_auth_gen')
diff --git a/zmqauth/zmq_auth_gen/Dockerfile b/zmqauth/zmq_auth_gen/Dockerfile
new file mode 100644
index 0000000..46ae47a
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/Dockerfile
@@ -0,0 +1,17 @@
+FROM bitnami/minideb:stretch
+
+RUN apt-get update
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -y install python3-zmq
+
+COPY create_certificate.py /root/
+RUN chmod 750 /root/create_certificate.py
+RUN mkdir /root/output
+
+COPY id /root/
+
+COPY zmq_gen.sh /root/
+RUN chmod 755 /root/zmq_gen.sh
+COPY zmq_genlist /root/
+
+CMD /root/zmq_gen.sh
diff --git a/zmqauth/zmq_auth_gen/create_certificate.py b/zmqauth/zmq_auth_gen/create_certificate.py
new file mode 100755
index 0000000..2c4445d
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/create_certificate.py
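Review bot: `RUN apt-get update` on the third line of the Dockerfile hunk sits in its own layer, separate from the `apt-get install` that follows, so a rebuild can reuse a cached, stale package index and install an outdated python3-zmq, and the package lists stay in the image. Merge the two into one step: `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends python3-zmq && rm -rf /var/lib/apt/lists/*`. The base `bitnami/minideb:stretch` is pinned only by tag; since this image is what produces the CURVE secret keys, pinning it by digest would make the generator reproducible. `CMD /root/zmq_gen.sh` in shell form runs the script under `/bin/sh -c`; the exec form `CMD ["/root/zmq_gen.sh"]` is the usual choice.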
@@ -0,0 +1,46 @@
+#! /usr/bin/python3
+# -*- coding: utf-8 -*-
+#
+# Copyright 2016 RĂ©mi Duraffort
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+#
+
+import argparse
+import zmq.auth
+
+
+def main():
+    """
+    Parse options and create the certificate
+    """
+    parser = argparse.ArgumentParser(description="")
+    parser.add_argument("--directory", type=str,
+                        default="/etc/lava-dispatcher/certificates.d",
+                        help="Directory where to store the certificates")
+    parser.add_argument(type=str, dest="name",
+                        help="Name of the certificate")
+    args = parser.parse_args()
+
+    # Create the certificate
+    print("Creating the certificate in %s" % args.directory)
+    zmq.auth.create_certificates(args.directory, args.name)
+    print(" - %s.key" % args.name)
+    print(" - %s.key_secret" % args.name)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/zmqauth/zmq_auth_gen/zmq_gen.sh b/zmqauth/zmq_auth_gen/zmq_gen.sh
new file mode 100644
index 0000000..8b67280
--- /dev/null
+++ b/zmqauth/zmq_auth_gen/zmq_gen.sh
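Review bot: The secret half of the keypair written by `zmq.auth.create_certificates` at line 40 of the hunk keeps whatever mode the process umask allows — as far as I can tell pyzmq writes both files with a plain `open()` — and the script discards the returned paths instead of tightening it, so the `.key_secret` file is typically left group- and world-readable. The target directory is also assumed to exist; `--directory` defaults to `/etc/lava-dispatcher/certificates.d`, and a missing one surfaces as a traceback from inside pyzmq rather than a clear error. Use the returned paths, restrict the secret file to its owner and create the directory up front (this needs `import os` next to `import argparse`); `description=""` on the parser could carry the docstring's text. A one-line note in the docstring that the generated `.key_secret` must stay private to the daemon's user would help an operator running this by hand.
```python
def main():
    # … unchanged: docstring and argument parsing …
    os.makedirs(args.directory, exist_ok=True)
    print("Creating the certificate in %s" % args.directory)
    public_file, secret_file = zmq.auth.create_certificates(args.directory, args.name)
    # The secret key must not be readable by other users on the host.
    os.chmod(secret_file, 0o600)
    print(" - %s" % os.path.basename(public_file))
    print(" - %s" % os.path.basename(secret_file))
```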
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+#rm /root/output/*
+while read line
+do
+    NAME=$(echo $line | cut -d' ' -f1 | sed 's,.*/,,')
+    DIR=$(echo $line | cut -d' ' -f1)
+    MASTERDIR=$(echo $line | cut -d' ' -f2)
+    echo "DEBUG: $LINE NAME=$NAME DIR=$DIR"
+    if [ ! -e /root/output/$DIR/zmq_auth/${NAME}.key ];then
+        /root/create_certificate.py $NAME --directory /root/output/$DIR/zmq_auth/ || exit $?
+    else
+        echo "DEBUG: ZMQ files for $NAME already exists"
+    fi
+    if [ ! -z "$MASTERDIR" -a "$MASTERDIR" != "$DIR" ];then
+        MASTERNAME=$(echo $MASTERDIR | sed 's,.*/,,')
+        cp /root/output/$MASTERDIR/zmq_auth/$MASTERNAME.key /root/output/$DIR/zmq_auth/master.key || exit $?
+        cp /root/output/$DIR/zmq_auth/$NAME.key /root/output/$MASTERDIR/zmq_auth/ || exit $?
+        chown $(cat /root/id) /root/output/$MASTERDIR/zmq_auth/* || exit $?
+    fi
+    # All files are generated by root, chown them to the user using the docker
+    chown $(cat /root/id) /root/output/$DIR/zmq_auth/* || exit $?
+done < /root/zmq_genlist
-- cgit 1.2.3-korg
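Review bot: The `${NAME}.key_secret` produced by the generator call at line 11 of the hunk is chowned to the host user at line 22 but its mode is never tightened, so with the usual root umask it stays readable by every account that can see the output volume; add `chmod 600 "/root/output/$DIR/zmq_auth/${NAME}.key_secret" || exit $?` right after that call. The per-dispatcher directory is never created here — unless the mounted `/root/output` already contains `$DIR/zmq_auth/`, `create_certificate.py` fails on the missing directory — so a `mkdir -p "/root/output/$DIR/zmq_auth" || exit $?` before the first `if` is needed. The debug line at line 9 expands `$LINE` while the loop variable is `$line`, so it always prints empty: `echo "DEBUG: $line NAME=$NAME DIR=$DIR"`. As a matter of style the expansions of `$line`, `$DIR`, `$NAME` and `$MASTERDIR` are unquoted throughout and `[ ... -a ... ]` is not POSIX; quote them and write the test as `[ -n "$MASTERDIR" ] && [ "$MASTERDIR" != "$DIR" ]`.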