/* ========================================================================= zauth - authentication for ZeroMQ security mechanisms Copyright (c) the Contributors as noted in the AUTHORS file. This file is part of CZMQ, the high-level C binding for 0MQ: http://czmq.zeromq.org. This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. ========================================================================= */ #ifndef __ZAUTH_H_INCLUDED__ #define __ZAUTH_H_INCLUDED__ #ifdef __cplusplus extern "C" { #endif // @interface #define CURVE_ALLOW_ANY "*" // CZMQ v3 API (for use with zsock, not zsocket, which is deprecated). // // Create new zauth actor instance. This installs authentication on all // zsock sockets. Until you add policies, all incoming NULL connections are // allowed (classic ZeroMQ behaviour), and all PLAIN and CURVE connections // are denied: // // zactor_t *auth = zactor_new (zauth, NULL); // // Destroy zauth instance. This removes authentication and allows all // connections to pass, without authentication: // // zactor_destroy (&auth); // // Note that all zauth commands are synchronous, so your application always // waits for a signal from the actor after each command. // // Enable verbose logging of commands and activity. Verbose logging can help // debug non-trivial authentication policies: // // zstr_send (auth, "VERBOSE"); // zsock_wait (auth); // // Allow (whitelist) a list of IP addresses. For NULL, all clients from // these addresses will be accepted. For PLAIN and CURVE, they will be // allowed to continue with authentication. You can call this method // multiple times to whitelist more IP addresses. If you whitelist one // or more addresses, any non-whitelisted addresses are treated as // blacklisted: // // zstr_sendx (auth, "ALLOW", "127.0.0.1", "127.0.0.2", NULL); // zsock_wait (auth); // // Deny (blacklist) a list of IP addresses. For all security mechanisms, // this rejects the connection without any further authentication. Use // either a whitelist, or a blacklist, not not both. If you define both // a whitelist and a blacklist, only the whitelist takes effect: // // zstr_sendx (auth, "DENY", "192.168.0.1", "192.168.0.2", NULL); // zsock_wait (auth); // // Configure PLAIN authentication using a plain-text password file. You can // modify the password file at any time; zauth will reload it automatically // if modified externally: // // zstr_sendx (auth, "PLAIN", filename, NULL); // zsock_wait (auth); // // Configure CURVE authentication, using a directory that holds all public // client certificates, i.e. their public keys. The certificates must be in // zcert_save format. You can add and remove certificates in that directory // at any time. To allow all client keys without checking, specify // CURVE_ALLOW_ANY for the directory name: // // zstr_sendx (auth, "CURVE", directory, NULL); // zsock_wait (auth); // // Configure GSSAPI authentication, using an underlying mechanism (usually // Kerberos) to establish a secure context and perform mutual authentication: // // zstr_sendx (auth, "GSSAPI", NULL); // zsock_wait (auth); // // This is the zauth constructor as a zactor_fn: CZMQ_EXPORT void zauth (zsock_t *pipe, void *certstore); // Selftest CZMQ_EXPORT void zauth_test (bool verbose); // @end #ifdef __cplusplus } #endif #endif