pebbe / zmq4

A Go interface to ZeroMQ version 4
BSD 2-Clause "Simplified" License

zmq auth get denied status at the client #107

Closed agnivade closed 7 years ago

agnivade commented 7 years ago

Hi,

I am looking to get some sort of indication at the client socket that it was unable to authenticate with the server. But what I am seeing is that it is able to send messages perfectly well through the socket and only at the server end, it is being rejected. Is there a way for the client to know that it is not authenticated anymore?

Sample code -

```go
//  The Woodhouse Pattern
//
//  It may keep some malicious people out but all it takes is a bit
//  of network sniffing, and they'll be able to fake their way in.

package main

import (
    zmq "github.com/pebbe/zmq4"

    "fmt"
    "log"
    "runtime"
)

func main() {

    //  Start authentication engine
    zmq.AuthSetVerbose(true)
    zmq.AuthStart()
    zmq.AuthAllow("*", "127.0.0.1")

    //  Tell the authenticator how to handle PLAIN requests
    zmq.AuthPlainAdd("*", "admin", "secret")

    //  Create and bind server socket
    server, _ := zmq.NewSocket(zmq.PULL)
    server.ServerAuthPlain("*")
    server.Bind("tcp://*:9000")
    defer server.Close()

    //  Create and connect client socket (the password deliberately
    //  does not match the one registered with AuthPlainAdd)
    client, _ := zmq.NewSocket(zmq.PUSH)
    client.SetPlainUsername("admin")
    client.SetPlainPassword("blabla")
    err := client.Connect("tcp://127.0.0.1:9000")
    checkErr(err)
    defer client.Close()

    //  Send a single message from client to server
    n, err := client.Send("Hello", 0)
    checkErr(err)
    log.Printf("client sent %d bytes\n", n)

    message, err := server.Recv(0)
    checkErr(err)
    log.Println("Received ", message)
    if message != "Hello" {
        log.Fatalln(message, "!= Hello")
    }

    zmq.AuthStop()

    fmt.Println("Woodhouse test OK")

}

//  checkErr logs the caller's file and line, then exits, on any error
func checkErr(err error) {
    if err != nil {
        log.SetFlags(0)
        _, filename, lineno, ok := runtime.Caller(1)
        if ok {
            log.Fatalf("%v:%v: %v", filename, lineno, err)
        } else {
            log.Fatalln(err)
        }
    }
}
```

And here is the output -

```
2017/07/11 11:26:17 AUTH: Starting
2017/07/11 11:26:17 client sent 5 bytes
2017/07/11 11:26:17 AUTH: PASSED (whitelist) domain="*" address="127.0.0.1"
2017/07/11 11:26:17 AUTH: DENIED (PLAIN) domain="*" username="admin" password="blabla"
```

So, as you can see, the client successfully sent 5 bytes and has no idea that it has been blocked by the server.

Is this by design? Or is there a way to find this?

pebbe commented 7 years ago

You better ask this on the mailing list http://zeromq.org/docs:mailing-lists

agnivade commented 7 years ago

Thanks!
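
The denial in the original question happens during the ZMTP security handshake, which ZeroMQ performs in the background after `Send` has already queued the message. As an added example (not part of this thread and not code from pebbe/zmq4), the standalone Go parser below classifies the frame a server returns to a PLAIN HELLO, assuming the ZMTP 3.1 command-frame layout; `ClassifyReply`, the verdict constants, and the sample frames with their "400" reason are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Outcome of the server's reply to a PLAIN HELLO (hypothetical names).
const (
	Accepted = "accepted" // server sent WELCOME
	Denied   = "denied"   // server sent ERROR, or closed the connection
)

var (
	errMalformed  = fmt.Errorf("malformed or truncated ZMTP command frame")
	sampleWelcome = []byte("\x04\x08\x07WELCOME")      // constructed, assumed ZMTP 3.1 layout
	sampleError   = []byte("\x04\x0a\x05ERROR\x03400") // constructed, reason "400" is a sample
)

// ClassifyReply parses the first frame a server sends after a PLAIN HELLO.
func ClassifyReply(buf []byte) (verdict, reason string, err error) {
	size, body := uint64(0), []byte(nil)
	switch {
	case len(buf) == 0: // peer closed the connection without sending ERROR
		return Denied, "connection closed", nil
	case buf[0] == 0x04 && len(buf) >= 2: // short command: 1-byte size
		size, body = uint64(buf[1]), buf[2:]
	case buf[0] == 0x06 && len(buf) >= 9: // long command: 8-byte big-endian size
		size, body = binary.BigEndian.Uint64(buf[1:9]), buf[9:]
	}
	if size < 1 || uint64(len(body)) < size || uint64(body[0]) > size-1 {
		return "", "", errMalformed // also covers an unrecognised flags byte
	}
	n := int(body[0]) // length of the command name
	name, data := string(body[1:1+n]), body[1+n:size]
	switch {
	case name == "WELCOME":
		return Accepted, "", nil
	case name == "ERROR" && len(data) >= 1 && len(data) >= 1+int(data[0]):
		return Denied, string(data[1 : 1+int(data[0])]), nil
	}
	return "", "", fmt.Errorf("unexpected or malformed %q command", name)
}

func main() {
	for _, f := range [][]byte{sampleWelcome, sampleError, nil} {
		fmt.Println(ClassifyReply(f))
	}
}
```

An application normally never sees these frames itself; libzmq 4.3 and later report the same outcome through socket monitor events such as `ZMQ_EVENT_HANDSHAKE_FAILED_AUTH`.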