From 42cb71e301c9e7c87e1e068ad9352dc4cfe05218 Mon Sep 17 00:00:00 2001 From: Jim Garlick Date: Mon, 19 Nov 2018 09:00:36 -0800 Subject: [PATCH 1/5] libflux/security: avoid flux_strerror() Problem: libflux/security calls flux_strerror() which creates an unnecessary dependency on libflux. Switch to zmq_strerror() or strerror() where appropriate. --- src/common/libflux/security.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/common/libflux/security.c b/src/common/libflux/security.c index fe753972de6e..77c8775077df 100644 --- a/src/common/libflux/security.c +++ b/src/common/libflux/security.c @@ -35,7 +35,6 @@ #include #include "security.h" -#include "flog.h" #include "src/common/libutil/log.h" #include "src/common/libutil/oom.h" @@ -175,7 +174,7 @@ int flux_sec_comms_init (flux_sec_t *c) if (checksecdirs (c, false) < 0) goto error; if (!(c->auth = zactor_new (zauth, NULL))) { - seterrstr (c, "zactor_new (zauth): %s", flux_strerror (errno)); + seterrstr (c, "zactor_new (zauth): %s", zmq_strerror (errno)); goto error; } if ((c->typemask & FLUX_SEC_VERBOSE)) { @@ -401,7 +400,7 @@ static int gencurve (flux_sec_t *c, const char *role) printf ("Saving %s\n", priv); } if (zcert_save (cert, path) < 0) { - seterrstr (c, "zcert_save %s: %s", path, strerror (errno)); + seterrstr (c, "zcert_save %s: %s", path, zmq_strerror (errno)); goto done; } rc = 0; @@ -425,7 +424,7 @@ static zcert_t *getcurve (flux_sec_t *c, const char *role) goto error; } if (!(cert = zcert_load (s))) - seterrstr (c, "zcert_load %s: %s", s, flux_strerror (errno)); + seterrstr (c, "zcert_load %s: %s", s, zmq_strerror (errno)); return cert; error: return NULL; @@ -485,7 +484,7 @@ static int genpasswd (flux_sec_t *c, const char *user) rc = zhash_save (passwds, c->passwd_file); umask (old_mask); if (rc < 0) { - seterrstr (c, "zhash_save %s: %s", c->passwd_file, flux_strerror (errno)); + seterrstr (c, "zhash_save %s: %s", c->passwd_file, zmq_strerror (errno)); goto done; } /* FIXME: check created file mode */ From 08f2e31d8c3cf02b17483a55fef653ac8319fc65 Mon Sep 17 00:00:00 2001 From: Jim Garlick Date: Mon, 19 Nov 2018 09:11:11 -0800 Subject: [PATCH 2/5] bindings/python: drop sec.py Problem: flux_sec_t is being removed from the public API. Drop the python wrapper for it. --- src/bindings/python/flux/Makefile.am | 1 - src/bindings/python/flux/sec.py | 15 --------------- 2 files changed, 16 deletions(-) delete mode 100644 src/bindings/python/flux/sec.py diff --git a/src/bindings/python/flux/Makefile.am b/src/bindings/python/flux/Makefile.am index 2fb0ac65f349..03148eb206bc 100644 --- a/src/bindings/python/flux/Makefile.am +++ b/src/bindings/python/flux/Makefile.am @@ -7,7 +7,6 @@ fluxpy_PYTHON=\ constants.py\ jsc.py\ kz.py\ - sec.py \ job.py \ mrpc.py \ util.py diff --git a/src/bindings/python/flux/sec.py b/src/bindings/python/flux/sec.py deleted file mode 100644 index 725f9c67e6b2..000000000000 --- a/src/bindings/python/flux/sec.py +++ /dev/null @@ -1,15 +0,0 @@ -from _flux._core import ffi, lib -from flux.wrapper import Wrapper - - -class Sec(Wrapper): - - def __init__(self, handle=None): - super(Sec, self).__init__(ffi, lib, - handle=handle, - match=ffi.typeof( - lib.flux_sec_create).result, - prefixes=['flux_sec_'], - destructor=lib.flux_sec_destroy,) - if handle is None: - self.handle = lib.flux_sec_create() From e098c8bb6e7447e239ff720c351f4351730b381f Mon Sep 17 00:00:00 2001 From: Jim Garlick Date: Mon, 19 Nov 2018 09:08:37 -0800 Subject: [PATCH 3/5] libutil/zsecurity: make zmq security class private Problem: the flux_sec_t "class" is only used by the broker and flux-keygen, and should be removed from the public API. Relocate to libutil/zsecurity. Fixes #1843 --- src/broker/broker.c | 1 + src/broker/overlay.c | 1 + src/broker/overlay.h | 1 + src/cmd/flux-keygen.c | 1 + src/common/libflux/Makefile.am | 7 ------- src/common/libflux/flux.h | 1 - src/common/libflux/message.h | 1 - src/common/libutil/Makefile.am | 11 +++++++++-- .../test/security.c => libutil/test/zsecurity.c} | 2 +- .../{libflux/security.c => libutil/zsecurity.c} | 4 ++-- .../{libflux/security.h => libutil/zsecurity.h} | 6 +++--- 11 files changed, 19 insertions(+), 17 deletions(-) rename src/common/{libflux/test/security.c => libutil/test/zsecurity.c} (99%) rename src/common/{libflux/security.c => libutil/zsecurity.c} (99%) rename src/common/{libflux/security.h => libutil/zsecurity.h} (98%) diff --git a/src/broker/broker.c b/src/broker/broker.c index 2b1fed20c6da..3845ad04021c 100644 --- a/src/broker/broker.c +++ b/src/broker/broker.c @@ -64,6 +64,7 @@ #include "src/common/libutil/ipaddr.h" #include "src/common/libutil/kary.h" #include "src/common/libutil/monotime.h" +#include "src/common/libutil/zsecurity.h" #include "src/common/libpmi/pmi.h" #include "src/common/libpmi/pmi_strerror.h" diff --git a/src/broker/overlay.c b/src/broker/overlay.c index d5fbf0848c3f..3f563432a011 100644 --- a/src/broker/overlay.c +++ b/src/broker/overlay.c @@ -37,6 +37,7 @@ #include "src/common/libutil/iterators.h" #include "src/common/libutil/kary.h" #include "src/common/libutil/cleanup.h" +#include "src/common/libutil/zsecurity.h" #include "heartbeat.h" #include "overlay.h" diff --git a/src/broker/overlay.h b/src/broker/overlay.h index ded520c7fc29..ac97a9eab4d9 100644 --- a/src/broker/overlay.h +++ b/src/broker/overlay.h @@ -2,6 +2,7 @@ #define _BROKER_OVERLAY_H #include "attr.h" +#include "src/common/libutil/zsecurity.h" typedef struct overlay_struct overlay_t; typedef void (*overlay_cb_f)(overlay_t *ov, void *sock, void *arg); diff --git a/src/cmd/flux-keygen.c b/src/cmd/flux-keygen.c index 742214d14313..ec1ed21e43e3 100644 --- a/src/cmd/flux-keygen.c +++ b/src/cmd/flux-keygen.c @@ -29,6 +29,7 @@ #include #include "src/common/libutil/log.h" +#include "src/common/libutil/zsecurity.h" #define OPTIONS "hfpd:" diff --git a/src/common/libflux/Makefile.am b/src/common/libflux/Makefile.am index af2abef38d71..ed0e2a8d899c 100644 --- a/src/common/libflux/Makefile.am +++ b/src/common/libflux/Makefile.am @@ -58,7 +58,6 @@ fluxcoreinclude_HEADERS = \ connector.h \ reactor.h \ msg_handler.h \ - security.h \ message.h \ request.h \ keepalive.h \ @@ -90,7 +89,6 @@ libflux_la_SOURCES = \ handle.c \ reactor.c \ msg_handler.c \ - security.c \ message.c \ request.c \ response.c \ @@ -130,7 +128,6 @@ TESTS = test_message.t \ test_response.t \ test_event.t \ test_tagpool.t \ - test_security.t \ test_future.t \ test_composite_future.t \ test_reactor.t \ @@ -199,10 +196,6 @@ test_reactor_t_SOURCES = test/reactor.c test_reactor_t_CPPFLAGS = $(test_cppflags) test_reactor_t_LDADD = $(test_ldadd) $(LIBDL) -test_security_t_SOURCES = test/security.c -test_security_t_CPPFLAGS = $(test_cppflags) -test_security_t_LDADD = $(test_ldadd) $(LIBDL) - test_future_t_SOURCES = test/future.c test_future_t_CPPFLAGS = $(test_cppflags) test_future_t_LDADD = $(test_ldadd) $(LIBDL) diff --git a/src/common/libflux/flux.h b/src/common/libflux/flux.h index 0c9a0ca4396a..9c8a7660ac18 100644 --- a/src/common/libflux/flux.h +++ b/src/common/libflux/flux.h @@ -30,7 +30,6 @@ #include "reactor.h" #include "msg_handler.h" #include "connector.h" -#include "security.h" #include "message.h" #include "request.h" #include "response.h" diff --git a/src/common/libflux/message.h b/src/common/libflux/message.h index b490284b3ea7..de7cdbbb6dac 100644 --- a/src/common/libflux/message.h +++ b/src/common/libflux/message.h @@ -30,7 +30,6 @@ #include #include #include "types.h" -#include "security.h" #ifdef __cplusplus extern "C" { diff --git a/src/common/libutil/Makefile.am b/src/common/libutil/Makefile.am index 301ee20c776d..ee1682c6b474 100644 --- a/src/common/libutil/Makefile.am +++ b/src/common/libutil/Makefile.am @@ -86,7 +86,9 @@ libutil_la_SOURCES = \ aux.c \ aux.h \ fdutils.c \ - fdutils.h + fdutils.h \ + zsecurity.c \ + zsecurity.h EXTRA_DIST = veb_mach.c @@ -112,7 +114,8 @@ TESTS = test_nodeset.t \ test_ipaddr.t \ test_fluid.t \ test_aux.t \ - test_fdutils.t + test_fdutils.t \ + test_zsecurity.t test_ldadd = \ @@ -224,3 +227,7 @@ test_aux_t_LDADD = $(test_ldadd) test_fdutils_t_SOURCES = test/fdutils.c test_fdutils_t_CPPFLAGS = $(test_cppflags) test_fdutils_t_LDADD = $(test_ldadd) + +test_zsecurity_t_SOURCES = test/zsecurity.c +test_zsecurity_t_CPPFLAGS = $(test_cppflags) +test_zsecurity_t_LDADD = $(test_ldadd) diff --git a/src/common/libflux/test/security.c b/src/common/libutil/test/zsecurity.c similarity index 99% rename from src/common/libflux/test/security.c rename to src/common/libutil/test/zsecurity.c index 858537239963..680f9b8e1728 100644 --- a/src/common/libflux/test/security.c +++ b/src/common/libutil/test/zsecurity.c @@ -12,7 +12,7 @@ #include #include -#include "src/common/libflux/security.h" +#include "src/common/libutil/zsecurity.h" #include "src/common/libtap/tap.h" #include "src/common/libutil/unlink_recursive.h" diff --git a/src/common/libflux/security.c b/src/common/libutil/zsecurity.c similarity index 99% rename from src/common/libflux/security.c rename to src/common/libutil/zsecurity.c index 77c8775077df..6c3f9189390a 100644 --- a/src/common/libflux/security.c +++ b/src/common/libutil/zsecurity.c @@ -22,7 +22,7 @@ * See also: http://www.gnu.org/licenses/ \*****************************************************************************/ -/* security.c - flux security functions */ +/* zsecurity.c - flux zeromq security functions */ #if HAVE_CONFIG_H #include "config.h" @@ -34,7 +34,7 @@ #include #include -#include "security.h" +#include "zsecurity.h" #include "src/common/libutil/log.h" #include "src/common/libutil/oom.h" diff --git a/src/common/libflux/security.h b/src/common/libutil/zsecurity.h similarity index 98% rename from src/common/libflux/security.h rename to src/common/libutil/zsecurity.h index 15e47ba67b1b..80a161d2e7a9 100644 --- a/src/common/libflux/security.h +++ b/src/common/libutil/zsecurity.h @@ -22,8 +22,8 @@ * See also: http://www.gnu.org/licenses/ \*****************************************************************************/ -#ifndef _FLUX_CORE_SECURITY_H -#define _FLUX_CORE_SECURITY_H +#ifndef _UTIL_ZSECURITY_H +#define _UTIL_ZSECURITY_H #include @@ -127,7 +127,7 @@ const char *flux_sec_confstr (flux_sec_t *c); } #endif -#endif /* _FLUX_CORE_SECURITY_H */ +#endif /* !_UTIL_ZSECURITY_H */ /* * vi:tabstop=4 shiftwidth=4 expandtab From eb3350c44d3e8146d1cd428fb3a69e18d814d587 Mon Sep 17 00:00:00 2001 From: Jim Garlick Date: Mon, 19 Nov 2018 09:34:14 -0800 Subject: [PATCH 4/5] libutil/zsecurity: namespace with zsecurity_ Problem: flux_sec_ functions, now intended to be private to flux-core, still leak out because of flux_ prefix. Rename flux_sec_* to zsecurity_*. Rneame FLUX_SEC_* to ZSECURITY_*. Leave the FLUX_SEC_DIRECTORY environment variable that points to the location of certs as is. Update valgrind.supp. --- src/broker/broker.c | 22 +-- src/broker/overlay.c | 16 +- src/broker/overlay.h | 2 +- src/cmd/flux-keygen.c | 20 +-- src/common/libutil/test/zsecurity.c | 240 ++++++++++++++-------------- src/common/libutil/zsecurity.c | 90 +++++------ src/common/libutil/zsecurity.h | 36 ++--- t/valgrind/valgrind.supp | 2 +- 8 files changed, 214 insertions(+), 214 deletions(-) diff --git a/src/broker/broker.c b/src/broker/broker.c index 3845ad04021c..1352f699818d 100644 --- a/src/broker/broker.c +++ b/src/broker/broker.c @@ -98,7 +98,7 @@ typedef enum { typedef struct { /* 0MQ */ - flux_sec_t *sec; /* security context (MT-safe) */ + zsecurity_t *sec; /* security context (MT-safe) */ /* Reactor */ @@ -222,11 +222,11 @@ void parse_command_line_arguments(int argc, char *argv[], if (!strcmp (optarg, "none")) { *sec_typemask = 0; } else if (!strcmp (optarg, "plain")) { - *sec_typemask |= FLUX_SEC_TYPE_PLAIN; - *sec_typemask &= ~FLUX_SEC_TYPE_CURVE; + *sec_typemask |= ZSECURITY_TYPE_PLAIN; + *sec_typemask &= ~ZSECURITY_TYPE_CURVE; } else if (!strcmp (optarg, "curve")) { - *sec_typemask |= FLUX_SEC_TYPE_CURVE; - *sec_typemask &= ~FLUX_SEC_TYPE_PLAIN; + *sec_typemask |= ZSECURITY_TYPE_CURVE; + *sec_typemask &= ~ZSECURITY_TYPE_PLAIN; } else { log_msg_exit ("--security arg must be none|plain|curve"); } @@ -299,7 +299,7 @@ int main (int argc, char *argv[]) { broker_ctx_t ctx; zlist_t *sigwatchers; - int sec_typemask = FLUX_SEC_TYPE_CURVE; + int sec_typemask = ZSECURITY_TYPE_CURVE; sigset_t old_sigmask; struct sigaction old_sigact_int; struct sigaction old_sigact_term; @@ -384,17 +384,17 @@ int main (int argc, char *argv[]) broker_handle_signals (&ctx, sigwatchers); /* Initialize security context. - * Delay calling flux_sec_comms_init() so that we can defer creating + * Delay calling zsecurity_comms_init() so that we can defer creating * the libzmq work thread until we are ready to communicate. */ const char *keydir; if (attr_get (ctx.attrs, "security.keydir", &keydir, NULL) < 0) log_err_exit ("getattr security.keydir"); - if (!(ctx.sec = flux_sec_create (sec_typemask, keydir))) - log_err_exit ("flux_sec_create"); + if (!(ctx.sec = zsecurity_create (sec_typemask, keydir))) + log_err_exit ("zsecurity_create"); /* The first call to overlay_bind() or overlay_connect() calls - * flux_sec_comms_init(). + * zsecurity_comms_init(). */ overlay_set_sec (ctx.overlay, ctx.sec); overlay_set_flux (ctx.overlay, ctx.h); @@ -663,7 +663,7 @@ int main (int argc, char *argv[]) if (ctx.verbose) log_msg ("cleaning up"); if (ctx.sec) - flux_sec_destroy (ctx.sec); + zsecurity_destroy (ctx.sec); overlay_destroy (ctx.overlay); heartbeat_destroy (ctx.heartbeat); service_switch_destroy (ctx.services); diff --git a/src/broker/overlay.c b/src/broker/overlay.c index 3f563432a011..5e0c55765779 100644 --- a/src/broker/overlay.c +++ b/src/broker/overlay.c @@ -50,7 +50,7 @@ struct endpoint { }; struct overlay_struct { - flux_sec_t *sec; + zsecurity_t *sec; bool sec_initialized; flux_t *h; zhash_t *children; /* child_t - by uuid */ @@ -136,7 +136,7 @@ void overlay_init (overlay_t *overlay, overlay->tbon_descendants = kary_sum_descendants (tbon_k, size, rank); } -void overlay_set_sec (overlay_t *ov, flux_sec_t *sec) +void overlay_set_sec (overlay_t *ov, zsecurity_t *sec) { ov->sec = sec; } @@ -369,8 +369,8 @@ static int bind_child (overlay_t *ov, struct endpoint *ep) { if (!(ep->zs = zsock_new_router (NULL))) log_err_exit ("zsock_new_router"); - if (flux_sec_ssockinit (ov->sec, ep->zs) < 0) - log_msg_exit ("flux_sec_ssockinit: %s", flux_sec_errstr (ov->sec)); + if (zsecurity_ssockinit (ov->sec, ep->zs) < 0) + log_msg_exit ("zsecurity_ssockinit: %s", zsecurity_errstr (ov->sec)); if (zsock_bind (ep->zs, "%s", ep->uri) < 0) log_err_exit ("%s", ep->uri); if (strchr (ep->uri, '*')) { /* capture dynamically assigned port */ @@ -405,9 +405,9 @@ static int connect_parent (overlay_t *ov, struct endpoint *ep) if (!(ep->zs = zsock_new_dealer (NULL))) goto error; - if (flux_sec_csockinit (ov->sec, ep->zs) < 0) { + if (zsecurity_csockinit (ov->sec, ep->zs) < 0) { savederr = errno; - log_msg ("flux_sec_csockinit: %s", flux_sec_errstr (ov->sec)); + log_msg ("zsecurity_csockinit: %s", zsecurity_errstr (ov->sec)); errno = savederr; goto error; } @@ -432,8 +432,8 @@ static int connect_parent (overlay_t *ov, struct endpoint *ep) static int overlay_sec_init (overlay_t *ov) { if (!ov->sec_initialized) { - if (flux_sec_comms_init (ov->sec) < 0) { - log_msg ("flux_sec_comms_init: %s", flux_sec_errstr (ov->sec)); + if (zsecurity_comms_init (ov->sec) < 0) { + log_msg ("zsecurity_comms_init: %s", zsecurity_errstr (ov->sec)); return -1; } ov->sec_initialized = true; diff --git a/src/broker/overlay.h b/src/broker/overlay.h index ac97a9eab4d9..76ee3fccc13f 100644 --- a/src/broker/overlay.h +++ b/src/broker/overlay.h @@ -12,7 +12,7 @@ void overlay_destroy (overlay_t *ov); /* These need to be called before connect/bind. */ -void overlay_set_sec (overlay_t *ov, flux_sec_t *sec); +void overlay_set_sec (overlay_t *ov, zsecurity_t *sec); void overlay_set_flux (overlay_t *ov, flux_t *h); void overlay_init (overlay_t *ov, uint32_t size, uint32_t rank, int tbon_k); void overlay_set_idle_warning (overlay_t *ov, int heartbeats); diff --git a/src/cmd/flux-keygen.c b/src/cmd/flux-keygen.c index ec1ed21e43e3..a39e8b97e046 100644 --- a/src/cmd/flux-keygen.c +++ b/src/cmd/flux-keygen.c @@ -52,8 +52,8 @@ void usage (void) int main (int argc, char *argv[]) { int ch; - flux_sec_t *sec; - int typemask = FLUX_SEC_TYPE_CURVE | FLUX_SEC_VERBOSE; + zsecurity_t *sec; + int typemask = ZSECURITY_TYPE_CURVE | ZSECURITY_VERBOSE; const char *secdir = getenv ("FLUX_SEC_DIRECTORY"); log_init ("flux-keygen"); @@ -64,11 +64,11 @@ int main (int argc, char *argv[]) usage (); break; case 'f': /* --force */ - typemask |= FLUX_SEC_KEYGEN_FORCE; + typemask |= ZSECURITY_KEYGEN_FORCE; break; case 'p': /* --plain */ - typemask |= FLUX_SEC_TYPE_PLAIN; - typemask &= ~FLUX_SEC_TYPE_CURVE; + typemask |= ZSECURITY_TYPE_PLAIN; + typemask &= ~ZSECURITY_TYPE_CURVE; break; case 'd': /* --secdir */ secdir = optarg; @@ -81,11 +81,11 @@ int main (int argc, char *argv[]) if (optind < argc) usage (); - if (!(sec = flux_sec_create (typemask, secdir))) - log_err_exit ("flux_sec_create"); - if (flux_sec_keygen (sec) < 0) - log_msg_exit ("%s", flux_sec_errstr (sec)); - flux_sec_destroy (sec); + if (!(sec = zsecurity_create (typemask, secdir))) + log_err_exit ("zsecurity_create"); + if (zsecurity_keygen (sec) < 0) + log_msg_exit ("%s", zsecurity_errstr (sec)); + zsecurity_destroy (sec); log_fini (); diff --git a/src/common/libutil/test/zsecurity.c b/src/common/libutil/test/zsecurity.c index 680f9b8e1728..ab1f61e1eac6 100644 --- a/src/common/libutil/test/zsecurity.c +++ b/src/common/libutil/test/zsecurity.c @@ -18,218 +18,218 @@ void test_ctor_dtor (void) { - flux_sec_t *sec; + zsecurity_t *sec; const char *s; - lives_ok ({flux_sec_destroy (NULL);}, - "flux_sec_destroy accepts a NULL argument"); - - ok ((sec = flux_sec_create (0, "/tmp")) != NULL, - "flux_sec_create with no selected method works"); - ok ((s = flux_sec_errstr (sec)) != NULL && !strcmp (s, "Success"), - "flux_sec_errstr returns 'Success'"); - ok ((s = flux_sec_get_directory (sec)) != NULL && !strcmp (s, "/tmp"), - "flux_sec_get_directory returns configured confdir"); - ok (flux_sec_type_enabled (sec, FLUX_SEC_TYPE_PLAIN) == false, - "flux_sec_type_enabled FLUX_SEC_TYPE_PLAIN false"); - ok (flux_sec_type_enabled (sec, FLUX_SEC_TYPE_CURVE) == false, - "flux_sec_type_enabled FLUX_SEC_TYPE_CURVE false"); - flux_sec_destroy (sec); - - ok ((sec = flux_sec_create (0, NULL)) != NULL, - "flux_sec_create with NULL confdir works"); - ok (flux_sec_get_directory (sec) == NULL, - "flux_sec_get_directory returns configured NULL"); - flux_sec_destroy (sec); + lives_ok ({zsecurity_destroy (NULL);}, + "zsecurity_destroy accepts a NULL argument"); + + ok ((sec = zsecurity_create (0, "/tmp")) != NULL, + "zsecurity_create with no selected method works"); + ok ((s = zsecurity_errstr (sec)) != NULL && !strcmp (s, "Success"), + "zsecurity_errstr returns 'Success'"); + ok ((s = zsecurity_get_directory (sec)) != NULL && !strcmp (s, "/tmp"), + "zsecurity_get_directory returns configured confdir"); + ok (zsecurity_type_enabled (sec, ZSECURITY_TYPE_PLAIN) == false, + "zsecurity_type_enabled ZSECURITY_TYPE_PLAIN false"); + ok (zsecurity_type_enabled (sec, ZSECURITY_TYPE_CURVE) == false, + "zsecurity_type_enabled ZSECURITY_TYPE_CURVE false"); + zsecurity_destroy (sec); + + ok ((sec = zsecurity_create (0, NULL)) != NULL, + "zsecurity_create with NULL confdir works"); + ok (zsecurity_get_directory (sec) == NULL, + "zsecurity_get_directory returns configured NULL"); + zsecurity_destroy (sec); errno = 0; - sec = flux_sec_create (FLUX_SEC_TYPE_CURVE | FLUX_SEC_TYPE_PLAIN, NULL); + sec = zsecurity_create (ZSECURITY_TYPE_CURVE | ZSECURITY_TYPE_PLAIN, NULL); ok (sec == NULL && errno == EINVAL, - "flux_sec_create PLAIN|CURVE returns EINVAL"); - - ok ((sec = flux_sec_create (FLUX_SEC_TYPE_PLAIN, NULL)) != NULL, - "flux_sec_create PLAIN works"); - ok (flux_sec_type_enabled (sec, FLUX_SEC_TYPE_PLAIN) == true, - "flux_sec_type_enabled FLUX_SEC_TYPE_PLAIN true"); - ok (flux_sec_type_enabled (sec, FLUX_SEC_TYPE_CURVE) == false, - "flux_sec_type_enabled FLUX_SEC_TYPE_CURVE false"); - flux_sec_destroy (sec); + "zsecurity_create PLAIN|CURVE returns EINVAL"); + + ok ((sec = zsecurity_create (ZSECURITY_TYPE_PLAIN, NULL)) != NULL, + "zsecurity_create PLAIN works"); + ok (zsecurity_type_enabled (sec, ZSECURITY_TYPE_PLAIN) == true, + "zsecurity_type_enabled ZSECURITY_TYPE_PLAIN true"); + ok (zsecurity_type_enabled (sec, ZSECURITY_TYPE_CURVE) == false, + "zsecurity_type_enabled ZSECURITY_TYPE_CURVE false"); + zsecurity_destroy (sec); } void test_keygen (void) { - flux_sec_t *sec; + zsecurity_t *sec; const char *tmp = getenv ("TMPDIR"); char path[PATH_MAX]; struct stat sb; /* NULL confdir. */ - sec = flux_sec_create (0, NULL); + sec = zsecurity_create (0, NULL); if (!sec) - BAIL_OUT ("flux_sec_create failed"); + BAIL_OUT ("zsecurity_create failed"); errno = 0; - ok (flux_sec_keygen (sec) < 0 && errno == EINVAL, - "flux_sec_keygen fails with EINVAL if confdir not set"); - flux_sec_destroy (sec); + ok (zsecurity_keygen (sec) < 0 && errno == EINVAL, + "zsecurity_keygen fails with EINVAL if confdir not set"); + zsecurity_destroy (sec); /* Nonexistent confdir. * * errno has multiple possibilities depending on system, EACCES, * EROFS, EPERM, etc. Simply check for failure and errno != 0. */ - sec = flux_sec_create (0, "/noexist"); + sec = zsecurity_create (0, "/noexist"); if (!sec) - BAIL_OUT ("flux_sec_create failed"); + BAIL_OUT ("zsecurity_create failed"); errno = 0; - ok (flux_sec_keygen (sec) < 0 && errno != 0, - "flux_sec_keygen fails with errno != 0 if confdir does not exist"); - flux_sec_destroy (sec); + ok (zsecurity_keygen (sec) < 0 && errno != 0, + "zsecurity_keygen fails with errno != 0 if confdir does not exist"); + zsecurity_destroy (sec); /* Same with FORCE flag. */ - sec = flux_sec_create (FLUX_SEC_KEYGEN_FORCE, "/noexist"); + sec = zsecurity_create (ZSECURITY_KEYGEN_FORCE, "/noexist"); if (!sec) - BAIL_OUT ("flux_sec_create failed"); + BAIL_OUT ("zsecurity_create failed"); errno = 0; - ok (flux_sec_keygen (sec) < 0 && errno != 0, - "flux_sec_keygen (force) fails with errno != 0 if confdir does not exist"); - flux_sec_destroy (sec); + ok (zsecurity_keygen (sec) < 0 && errno != 0, + "zsecurity_keygen (force) fails with errno != 0 if confdir does not exist"); + zsecurity_destroy (sec); /* No security modes selected. */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (0, path); + sec = zsecurity_create (0, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); - ok (flux_sec_keygen (sec) == 0, - "flux_sec_keygen with no security modes works"); + BAIL_OUT ("zsecurity_create failed"); + ok (zsecurity_keygen (sec) == 0, + "zsecurity_keygen with no security modes works"); ok ((stat (path, &sb) == 0 && S_ISDIR (sb.st_mode) && (sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) == 0700), "confdir is a directory with mode 0700"); ok (unlink_recursive (path) == 1, "unlinked 1 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); /* Wrong confdir perms */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (0, path); + sec = zsecurity_create (0, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); + BAIL_OUT ("zsecurity_create failed"); if (chmod (path, 0755) < 0) BAIL_OUT ("chmod %s: %s", path, strerror (errno)); errno = 0; - ok (flux_sec_keygen (sec) < 0 && errno == EPERM, - "flux_sec_keygen with bad mode confdir fails with EPERM"); + ok (zsecurity_keygen (sec) < 0 && errno == EPERM, + "zsecurity_keygen with bad mode confdir fails with EPERM"); ok (unlink_recursive (path) == 1, "unlinked 1 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); /* PLAIN */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_PLAIN, path); + sec = zsecurity_create (ZSECURITY_TYPE_PLAIN, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); - ok (flux_sec_keygen (sec) == 0, - "flux_sec_keygen PLAIN works"); + BAIL_OUT ("zsecurity_create failed"); + ok (zsecurity_keygen (sec) == 0, + "zsecurity_keygen PLAIN works"); ok (unlink_recursive (path) == 2, "unlinked 2 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); /* CURVE */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_CURVE, path); + sec = zsecurity_create (ZSECURITY_TYPE_CURVE, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); - ok (flux_sec_keygen (sec) == 0, - "flux_sec_keygen CURVE works"); + BAIL_OUT ("zsecurity_create failed"); + ok (zsecurity_keygen (sec) == 0, + "zsecurity_keygen CURVE works"); ok (unlink_recursive (path) == 6, "unlinked 6 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); /* CURVE overwrite */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_CURVE, path); + sec = zsecurity_create (ZSECURITY_TYPE_CURVE, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); - if (flux_sec_keygen (sec) < 0) - BAIL_OUT ("flux_sec_keygen CURVE failed"); + BAIL_OUT ("zsecurity_create failed"); + if (zsecurity_keygen (sec) < 0) + BAIL_OUT ("zsecurity_keygen CURVE failed"); errno = 0; - ok (flux_sec_keygen (sec) < 0 && errno == EEXIST, - "flux_sec_keygen CURVE-overwrite fails with EEXIST"); + ok (zsecurity_keygen (sec) < 0 && errno == EEXIST, + "zsecurity_keygen CURVE-overwrite fails with EEXIST"); ok (unlink_recursive (path) == 6, "unlinked 6 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); /* Same with FORCE */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_CURVE | FLUX_SEC_KEYGEN_FORCE, path); + sec = zsecurity_create (ZSECURITY_TYPE_CURVE | ZSECURITY_KEYGEN_FORCE, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); - if (flux_sec_keygen (sec) < 0) - BAIL_OUT ("flux_sec_keygen CURVE failed"); + BAIL_OUT ("zsecurity_create failed"); + if (zsecurity_keygen (sec) < 0) + BAIL_OUT ("zsecurity_keygen CURVE failed"); errno = 0; - ok (flux_sec_keygen (sec) == 0, - "flux_sec_keygen (force) CURVE-overwrite works"); + ok (zsecurity_keygen (sec) == 0, + "zsecurity_keygen (force) CURVE-overwrite works"); ok (unlink_recursive (path) == 6, "unlinked 6 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); /* PLAIN overwrite */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_PLAIN, path); + sec = zsecurity_create (ZSECURITY_TYPE_PLAIN, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); - if (flux_sec_keygen (sec) < 0) - BAIL_OUT ("flux_sec_keygen PLAIN failed"); + BAIL_OUT ("zsecurity_create failed"); + if (zsecurity_keygen (sec) < 0) + BAIL_OUT ("zsecurity_keygen PLAIN failed"); errno = 0; - ok (flux_sec_keygen (sec) < 0 && errno == EEXIST, - "flux_sec_keygen PLAIN-overwrite fails with EEXIST"); + ok (zsecurity_keygen (sec) < 0 && errno == EEXIST, + "zsecurity_keygen PLAIN-overwrite fails with EEXIST"); ok (unlink_recursive (path) == 2, "unlinked 2 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); /* Same with FORCE */ snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_PLAIN | FLUX_SEC_KEYGEN_FORCE, path); + sec = zsecurity_create (ZSECURITY_TYPE_PLAIN | ZSECURITY_KEYGEN_FORCE, path); if (!sec) - BAIL_OUT ("flux_sec_create failed"); - if (flux_sec_keygen (sec) < 0) - BAIL_OUT ("flux_sec_keygen PLAIN failed"); + BAIL_OUT ("zsecurity_create failed"); + if (zsecurity_keygen (sec) < 0) + BAIL_OUT ("zsecurity_keygen PLAIN failed"); errno = 0; - ok (flux_sec_keygen (sec) == 0, - "flux_sec_keygen (force) PLAIN-overwrite works"); + ok (zsecurity_keygen (sec) == 0, + "zsecurity_keygen (force) PLAIN-overwrite works"); ok (unlink_recursive (path) == 2, "unlinked 2 file/dir"); - flux_sec_destroy (sec); + zsecurity_destroy (sec); } void test_plain (void) { - flux_sec_t *sec; + zsecurity_t *sec; const char *tmp = getenv ("TMPDIR"); char path[PATH_MAX]; zsock_t *cli, *srv, *rdy, *rogue; @@ -240,19 +240,19 @@ void test_plain (void) snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_PLAIN | FLUX_SEC_VERBOSE, path); + sec = zsecurity_create (ZSECURITY_TYPE_PLAIN | ZSECURITY_VERBOSE, path); if (!sec) - BAIL_OUT ("flux_sec_create PLAIN failed"); - if (flux_sec_keygen (sec) < 0) - BAIL_OUT ("flux_sec_keygen PLAIN failed"); - ok (flux_sec_comms_init (sec) == 0, - "flux_sec_comms_init PLAIN works"); + BAIL_OUT ("zsecurity_create PLAIN failed"); + if (zsecurity_keygen (sec) < 0) + BAIL_OUT ("zsecurity_keygen PLAIN failed"); + ok (zsecurity_comms_init (sec) == 0, + "zsecurity_comms_init PLAIN works"); /* set up server */ if (!(srv = zsock_new_pull (NULL))) BAIL_OUT ("zsock_new: %s", zmq_strerror (errno)); - ok (flux_sec_ssockinit (sec, srv) == 0, - "flux_sec_ssockinit works"); + ok (zsecurity_ssockinit (sec, srv) == 0, + "zsecurity_ssockinit works"); srv_port = zsock_bind (srv, "tcp://127.0.0.1:*"); ok (srv_port >= 0, "server bound to localhost on port %d", srv_port); @@ -262,8 +262,8 @@ void test_plain (void) /* set up client */ if (!(cli = zsock_new_push (NULL))) BAIL_OUT ("zsock_new: %s", zmq_strerror (errno)); - ok (flux_sec_csockinit (sec, cli) == 0, - "flux_sec_csockinit works"); + ok (zsecurity_csockinit (sec, cli) == 0, + "zsecurity_csockinit works"); ok (zsock_connect (cli, "tcp://127.0.0.1:%d", srv_port) >= 0, "client connected to server"); ok (zstr_sendx (cli, "Hi", NULL) == 0, @@ -306,13 +306,13 @@ void test_plain (void) zsock_destroy (&cli); zpoller_destroy (&srv_poller); zsock_destroy (&srv); - flux_sec_destroy (sec); + zsecurity_destroy (sec); unlink_recursive (path); } void test_curve (void) { - flux_sec_t *sec; + zsecurity_t *sec; const char *tmp = getenv ("TMPDIR"); char path[PATH_MAX]; zsock_t *cli, *srv, *rdy, *rogue; @@ -324,19 +324,19 @@ void test_curve (void) snprintf (path, sizeof (path), "%s/sectest.XXXXXX", tmp ? tmp : "/tmp"); if (!mkdtemp (path)) BAIL_OUT ("could not create tmp directory"); - sec = flux_sec_create (FLUX_SEC_TYPE_CURVE | FLUX_SEC_VERBOSE, path); + sec = zsecurity_create (ZSECURITY_TYPE_CURVE | ZSECURITY_VERBOSE, path); if (!sec) - BAIL_OUT ("flux_sec_create CURVE failed"); - if (flux_sec_keygen (sec) < 0) - BAIL_OUT ("flux_sec_keygen CURVE failed"); - ok (flux_sec_comms_init (sec) == 0, - "flux_sec_comms_init CURVE works"); + BAIL_OUT ("zsecurity_create CURVE failed"); + if (zsecurity_keygen (sec) < 0) + BAIL_OUT ("zsecurity_keygen CURVE failed"); + ok (zsecurity_comms_init (sec) == 0, + "zsecurity_comms_init CURVE works"); /* set up server */ if (!(srv = zsock_new_pull (NULL))) BAIL_OUT ("zsock_new: %s", zmq_strerror (errno)); - ok (flux_sec_ssockinit (sec, srv) == 0, - "flux_sec_ssockinit works"); + ok (zsecurity_ssockinit (sec, srv) == 0, + "zsecurity_ssockinit works"); srv_port = zsock_bind (srv, "tcp://127.0.0.1:*"); ok (srv_port >= 0, "server bound to localhost on port %d", srv_port); @@ -346,8 +346,8 @@ void test_curve (void) /* set up client */ if (!(cli = zsock_new_push (NULL))) BAIL_OUT ("zsock_new: %s", zmq_strerror (errno)); - ok (flux_sec_csockinit (sec, cli) == 0, - "flux_sec_csockinit works"); + ok (zsecurity_csockinit (sec, cli) == 0, + "zsecurity_csockinit works"); ok (zsock_connect (cli, "tcp://127.0.0.1:%d", srv_port) >= 0, "client connected to server"); @@ -382,7 +382,7 @@ void test_curve (void) BAIL_OUT ("zcert_new: %s", zmq_strerror (errno)); if (!(rogue = zsock_new_push (NULL))) BAIL_OUT ("zsock_new: %s", zmq_strerror (errno)); - zsock_set_zap_domain (rogue, "flux"); // same as flux_sec_t hardwired + zsock_set_zap_domain (rogue, "flux"); // same as zsecurity_t hardwired zcert_apply (rogue_cert, rogue); /* read server public key from file */ char server_file[PATH_MAX]; @@ -410,7 +410,7 @@ void test_curve (void) zsock_destroy (&cli); zpoller_destroy (&srv_poller); zsock_destroy (&srv); - flux_sec_destroy (sec); + zsecurity_destroy (sec); unlink_recursive (path); } diff --git a/src/common/libutil/zsecurity.c b/src/common/libutil/zsecurity.c index 6c3f9189390a..003797456177 100644 --- a/src/common/libutil/zsecurity.c +++ b/src/common/libutil/zsecurity.c @@ -43,7 +43,7 @@ #define FLUX_ZAP_DOMAIN "flux" -struct flux_sec_struct { +struct zsecurity_struct { zactor_t *auth; int typemask; zcert_t *srv_cert; @@ -57,29 +57,29 @@ struct flux_sec_struct { uid_t gid; }; -static int checksecdirs (flux_sec_t *c, bool create); -static zcert_t *getcurve (flux_sec_t *c, const char *role); -static int gencurve (flux_sec_t *c, const char *role); -static char *getpasswd (flux_sec_t *c, const char *user); -static int genpasswd (flux_sec_t *c, const char *user); +static int checksecdirs (zsecurity_t *c, bool create); +static zcert_t *getcurve (zsecurity_t *c, const char *role); +static int gencurve (zsecurity_t *c, const char *role); +static char *getpasswd (zsecurity_t *c, const char *user); +static int genpasswd (zsecurity_t *c, const char *user); -const char *flux_sec_errstr (flux_sec_t *c) +const char *zsecurity_errstr (zsecurity_t *c) { return (c->errstr ? c->errstr : "Success"); } -const char *flux_sec_confstr (flux_sec_t *c) +const char *zsecurity_confstr (zsecurity_t *c) { if (c->confstr) free (c->confstr); if (asprintf (&c->confstr, "Security: epgm=off, tcp/ipc=%s", - (c->typemask & FLUX_SEC_TYPE_PLAIN) ? "PLAIN" - : (c->typemask & FLUX_SEC_TYPE_CURVE) ? "CURVE" : "off") < 0) + (c->typemask & ZSECURITY_TYPE_PLAIN) ? "PLAIN" + : (c->typemask & ZSECURITY_TYPE_CURVE) ? "CURVE" : "off") < 0) oom (); return c->confstr; } -static void seterrstr (flux_sec_t *c, const char *fmt, ...) +static void seterrstr (zsecurity_t *c, const char *fmt, ...) { va_list ap; @@ -91,7 +91,7 @@ static void seterrstr (flux_sec_t *c, const char *fmt, ...) va_end (ap); } -void flux_sec_destroy (flux_sec_t *c) +void zsecurity_destroy (zsecurity_t *c) { if (c) { free (c->conf_dir); @@ -106,11 +106,11 @@ void flux_sec_destroy (flux_sec_t *c) } } -flux_sec_t *flux_sec_create (int typemask, const char *confdir) +zsecurity_t *zsecurity_create (int typemask, const char *confdir) { - flux_sec_t *c = calloc (1, sizeof (*c)); + zsecurity_t *c = calloc (1, sizeof (*c)); - if ((typemask & FLUX_SEC_TYPE_CURVE) && (typemask & FLUX_SEC_TYPE_PLAIN)) { + if ((typemask & ZSECURITY_TYPE_CURVE) && (typemask & ZSECURITY_TYPE_PLAIN)) { errno = EINVAL; goto error; } @@ -135,30 +135,30 @@ flux_sec_t *flux_sec_create (int typemask, const char *confdir) return NULL; } -const char *flux_sec_get_directory (flux_sec_t *c) +const char *zsecurity_get_directory (zsecurity_t *c) { return c->conf_dir; } -bool flux_sec_type_enabled (flux_sec_t *c, int tm) +bool zsecurity_type_enabled (zsecurity_t *c, int tm) { bool ret; ret = ((c->typemask & tm) == tm); return ret; } -int flux_sec_keygen (flux_sec_t *c) +int zsecurity_keygen (zsecurity_t *c) { int rc = -1; if (checksecdirs (c, true) < 0) goto done; - if ((c->typemask & FLUX_SEC_TYPE_CURVE)) { + if ((c->typemask & ZSECURITY_TYPE_CURVE)) { if (gencurve (c, "client") < 0) goto done; if (gencurve (c, "server") < 0) goto done; } - if ((c->typemask & FLUX_SEC_TYPE_PLAIN)) { + if ((c->typemask & ZSECURITY_TYPE_PLAIN)) { if (genpasswd (c, "client") < 0) goto done; } @@ -167,23 +167,23 @@ int flux_sec_keygen (flux_sec_t *c) return rc; } -int flux_sec_comms_init (flux_sec_t *c) +int zsecurity_comms_init (zsecurity_t *c) { - if (c->auth == NULL && ((c->typemask & FLUX_SEC_TYPE_CURVE) - || (c->typemask & FLUX_SEC_TYPE_PLAIN))) { + if (c->auth == NULL && ((c->typemask & ZSECURITY_TYPE_CURVE) + || (c->typemask & ZSECURITY_TYPE_PLAIN))) { if (checksecdirs (c, false) < 0) goto error; if (!(c->auth = zactor_new (zauth, NULL))) { seterrstr (c, "zactor_new (zauth): %s", zmq_strerror (errno)); goto error; } - if ((c->typemask & FLUX_SEC_VERBOSE)) { + if ((c->typemask & ZSECURITY_VERBOSE)) { if (zstr_sendx (c->auth, "VERBOSE", NULL) < 0) goto error; if (zsock_wait (c->auth) < 0) goto error; } - if ((c->typemask & FLUX_SEC_TYPE_CURVE)) { + if ((c->typemask & ZSECURITY_TYPE_CURVE)) { if (!zsys_has_curve ()) { seterrstr (c, "libczmq was not built with CURVE support!"); errno = EINVAL; @@ -201,7 +201,7 @@ int flux_sec_comms_init (flux_sec_t *c) if (zsock_wait (c->auth) < 0) goto error; } - if ((c->typemask & FLUX_SEC_TYPE_PLAIN)) { + if ((c->typemask & ZSECURITY_TYPE_PLAIN)) { if (zstr_sendx (c->auth, "PLAIN", c->passwd_file, NULL) < 0) goto error; if (zsock_wait (c->auth) < 0) @@ -213,15 +213,15 @@ int flux_sec_comms_init (flux_sec_t *c) return -1; } -int flux_sec_csockinit (flux_sec_t *c, void *sock) +int zsecurity_csockinit (zsecurity_t *c, void *sock) { int rc = -1; - if ((c->typemask & FLUX_SEC_TYPE_CURVE)) { + if ((c->typemask & ZSECURITY_TYPE_CURVE)) { zsock_set_zap_domain (sock, FLUX_ZAP_DOMAIN); zcert_apply (c->cli_cert, sock); zsock_set_curve_serverkey (sock, zcert_public_txt (c->srv_cert)); - } else if ((c->typemask & FLUX_SEC_TYPE_PLAIN)) { + } else if ((c->typemask & ZSECURITY_TYPE_PLAIN)) { char *passwd = NULL; if (!(passwd = getpasswd (c, "client"))) { seterrstr (c, "client not found in %s", c->passwd_file); @@ -236,19 +236,19 @@ int flux_sec_csockinit (flux_sec_t *c, void *sock) return rc; } -int flux_sec_ssockinit (flux_sec_t *c, void *sock) +int zsecurity_ssockinit (zsecurity_t *c, void *sock) { - if ((c->typemask & (FLUX_SEC_TYPE_CURVE))) { + if ((c->typemask & (ZSECURITY_TYPE_CURVE))) { zsock_set_zap_domain (sock, FLUX_ZAP_DOMAIN); zcert_apply (c->srv_cert, sock); zsock_set_curve_server (sock, 1); - } else if ((c->typemask & (FLUX_SEC_TYPE_PLAIN))) { + } else if ((c->typemask & (ZSECURITY_TYPE_PLAIN))) { zsock_set_plain_server (sock, 1); } return 0; } -static int checksecdir (flux_sec_t *c, const char *path, bool create) +static int checksecdir (zsecurity_t *c, const char *path, bool create) { struct stat sb; int rc = -1; @@ -290,7 +290,7 @@ static int checksecdir (flux_sec_t *c, const char *path, bool create) return rc; } -static int checksecdirs (flux_sec_t *c, bool create) +static int checksecdirs (zsecurity_t *c, bool create) { if (!c->conf_dir) { seterrstr (c, "config directory is not set"); @@ -299,7 +299,7 @@ static int checksecdirs (flux_sec_t *c, bool create) } if (checksecdir (c, c->conf_dir, create) < 0) return -1; - if ((c->typemask & FLUX_SEC_TYPE_CURVE)) { + if ((c->typemask & ZSECURITY_TYPE_CURVE)) { if (!c->curve_dir) { if (asprintf (&c->curve_dir, "%s/curve", c->conf_dir) < 0) { errno = ENOMEM; @@ -309,7 +309,7 @@ static int checksecdirs (flux_sec_t *c, bool create) if (checksecdir (c, c->curve_dir, create) < 0) return -1; } - if ((c->typemask & FLUX_SEC_TYPE_PLAIN)) { + if ((c->typemask & ZSECURITY_TYPE_PLAIN)) { if (!c->passwd_file) { if (asprintf (&c->passwd_file, "%s/passwd", c->conf_dir) < 0) { errno = ENOMEM; @@ -334,7 +334,7 @@ static char * ctime_iso8601_now (char *buf, size_t sz) return (buf); } -static zcert_t *zcert_curve_new (flux_sec_t *c) +static zcert_t *zcert_curve_new (zsecurity_t *c) { zcert_t *new; char sec[41]; @@ -363,7 +363,7 @@ static zcert_t *zcert_curve_new (flux_sec_t *c) return new; } -static int gencurve (flux_sec_t *c, const char *role) +static int gencurve (zsecurity_t *c, const char *role) { char *path = NULL, *priv = NULL;; zcert_t *cert = NULL; @@ -375,7 +375,7 @@ static int gencurve (flux_sec_t *c, const char *role) oom (); if (asprintf (&priv, "%s/%s_private", c->curve_dir, role) < 0) oom (); - if ((c->typemask & FLUX_SEC_KEYGEN_FORCE)) { + if ((c->typemask & ZSECURITY_KEYGEN_FORCE)) { (void)unlink (path); (void)unlink (priv); } @@ -395,7 +395,7 @@ static int gencurve (flux_sec_t *c, const char *role) zcert_set_meta (cert, "time", "%s", ctime_iso8601_now (buf, sizeof (buf))); zcert_set_meta (cert, "role", "%s", role); - if ((c->typemask & FLUX_SEC_VERBOSE)) { + if ((c->typemask & ZSECURITY_VERBOSE)) { printf ("Saving %s\n", path); printf ("Saving %s\n", priv); } @@ -414,7 +414,7 @@ static int gencurve (flux_sec_t *c, const char *role) return rc; } -static zcert_t *getcurve (flux_sec_t *c, const char *role) +static zcert_t *getcurve (zsecurity_t *c, const char *role) { char s[PATH_MAX]; zcert_t *cert = NULL; @@ -430,7 +430,7 @@ static zcert_t *getcurve (flux_sec_t *c, const char *role) return NULL; } -static char *getpasswd (flux_sec_t *c, const char *user) +static char *getpasswd (zsecurity_t *c, const char *user) { zhash_t *passwds = NULL; const char *pass; @@ -458,7 +458,7 @@ static char *getpasswd (flux_sec_t *c, const char *user) return NULL; } -static int genpasswd (flux_sec_t *c, const char *user) +static int genpasswd (zsecurity_t *c, const char *user) { struct stat sb; zhash_t *passwds = NULL; @@ -468,7 +468,7 @@ static int genpasswd (flux_sec_t *c, const char *user) if (!(uuid = zuuid_new ())) oom (); - if ((c->typemask & FLUX_SEC_KEYGEN_FORCE)) + if ((c->typemask & ZSECURITY_KEYGEN_FORCE)) (void)unlink (c->passwd_file); if (stat (c->passwd_file, &sb) == 0) { seterrstr (c, "%s exists, try --force", c->passwd_file); @@ -478,7 +478,7 @@ static int genpasswd (flux_sec_t *c, const char *user) if (!(passwds = zhash_new ())) oom (); zhash_update (passwds, user, (char *)zuuid_str (uuid)); - if ((c->typemask & FLUX_SEC_VERBOSE)) + if ((c->typemask & ZSECURITY_VERBOSE)) printf ("Saving %s\n", c->passwd_file); old_mask = umask (077); rc = zhash_save (passwds, c->passwd_file); diff --git a/src/common/libutil/zsecurity.h b/src/common/libutil/zsecurity.h index 80a161d2e7a9..10069434d6f1 100644 --- a/src/common/libutil/zsecurity.h +++ b/src/common/libutil/zsecurity.h @@ -31,48 +31,48 @@ extern "C" { #endif -typedef struct flux_sec_struct flux_sec_t; +typedef struct zsecurity_struct zsecurity_t; enum { /* enabled security modes */ - FLUX_SEC_TYPE_PLAIN = 1, // cannot be used with CURVE - FLUX_SEC_TYPE_CURVE = 2, // cannot be used with PLAIN + ZSECURITY_TYPE_PLAIN = 1, // cannot be used with CURVE + ZSECURITY_TYPE_CURVE = 2, // cannot be used with PLAIN /* flags */ - FLUX_SEC_VERBOSE = 0x20, - FLUX_SEC_KEYGEN_FORCE = 0x40, + ZSECURITY_VERBOSE = 0x20, + ZSECURITY_KEYGEN_FORCE = 0x40, }; /* Create a security context. * 'typemask' (may be 0) selects the security mode and optional flags. * 'confdir' (may be NULL) selects a key directory. * This function only allocates the context and does not do anything - * to initialize the selected security modes. flux_sec_keygen() - * or flux_sec_comms_init() may be called next. + * to initialize the selected security modes. zsecurity_keygen() + * or zsecurity_comms_init() may be called next. * Returns context on success, or NULL on failure with errno set. */ -flux_sec_t *flux_sec_create (int typemask, const char *confdir); -void flux_sec_destroy (flux_sec_t *c); +zsecurity_t *zsecurity_create (int typemask, const char *confdir); +void zsecurity_destroy (zsecurity_t *c); /* Test whether a particular security mode is enabled * in the security context. */ -bool flux_sec_type_enabled (flux_sec_t *c, int typemask); +bool zsecurity_type_enabled (zsecurity_t *c, int typemask); /* Get config directory used by security context. * May be NULL if none was configured. */ -const char *flux_sec_get_directory (flux_sec_t *c); +const char *zsecurity_get_directory (zsecurity_t *c); /* Generate a user's keys for the configured security modes, * storing them in the security context's 'confdir'. - * If the FLUX_SEC_KEYGEN_FORCE flag is set, existing keys + * If the ZSECURITY_KEYGEN_FORCE flag is set, existing keys * are overwritten; otherwise the existence of keys is treated as * an error. This function is a no-op if no keys are required * by the configured security modes. * Returns 0 on success, or -1 on failure with errno set. */ -int flux_sec_keygen (flux_sec_t *c); +int zsecurity_keygen (zsecurity_t *c); /* Initialize the security context for communication. * For PLAIN and CURVE, a zauth @@ -86,7 +86,7 @@ int flux_sec_keygen (flux_sec_t *c); * at this point all security contexts are both client and server capable. * Returns 0 on success, or -1 on failure with errno set. */ -int flux_sec_comms_init (flux_sec_t *c); +int zsecurity_comms_init (zsecurity_t *c); /* Enable the configured security mode (client role) on a * zeromq socket. For PLAIN, the client password is @@ -98,7 +98,7 @@ int flux_sec_comms_init (flux_sec_t *c); * hard requirement for the SMTP security handshake. * Returns 0 on success, or -1 on failure with errno set. */ -int flux_sec_csockinit (flux_sec_t *c, void *sock); +int zsecurity_csockinit (zsecurity_t *c, void *sock); /* Enable the configured security mode (server role) on a * zeromq socket. For PLAIN, plain auth is enabled for the @@ -110,18 +110,18 @@ int flux_sec_csockinit (flux_sec_t *c, void *sock); * hard requirement for the ZMTP security handshake. * Returns 0 on success, or -1 on failure with errno set. */ -int flux_sec_ssockinit (flux_sec_t *c, void *sock); +int zsecurity_ssockinit (zsecurity_t *c, void *sock); /* Retrieve a string describing the last error. * This value is valid after one of the above calls returns -1. * The caller should not free this string. */ -const char *flux_sec_errstr (flux_sec_t *c); +const char *zsecurity_errstr (zsecurity_t *c); /* Retrieve a string describing the security modes selected. * The caller should not free this string. */ -const char *flux_sec_confstr (flux_sec_t *c); +const char *zsecurity_confstr (zsecurity_t *c); #ifdef __cplusplus } diff --git a/t/valgrind/valgrind.supp b/t/valgrind/valgrind.supp index df76f3390caf..3a10ceffc19b 100644 --- a/t/valgrind/valgrind.supp +++ b/t/valgrind/valgrind.supp @@ -67,7 +67,7 @@ fun:calloc ... fun:zactor_new - fun:flux_sec_comms_init + fun:zsecurity_comms_init fun:overlay_sec_init fun:overlay_bind fun:boot_pmi From 9d5e24aeef82517e7b1c23f00d2cbb044a521d80 Mon Sep 17 00:00:00 2001 From: Jim Garlick Date: Mon, 19 Nov 2018 18:03:51 -0800 Subject: [PATCH 5/5] bindings/python: remove 'sec' from flux/__init__.py --- src/bindings/python/flux/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/bindings/python/flux/__init__.py b/src/bindings/python/flux/__init__.py index b3c6be6cb1d5..dc31fb77a31e 100644 --- a/src/bindings/python/flux/__init__.py +++ b/src/bindings/python/flux/__init__.py @@ -12,6 +12,5 @@ def Flux(*args, **kwargs): 'jsc', 'rpc', 'mrpc', - 'sec', 'constants', 'Flux', ]