Security Manager¶
Security related settings and actions are grouped in a distinct class. Current implementation merges the manager into the application class.
The security manager is initialized using start_auth()
which is a no-op if no_encryption
is True.
It’s main role is to start the
authenticator thread.
While start_auth()
will initialize the thread to read
existing certificates in public_cert_dir
, please
note that any certificates added later will not be acknowledged until
SecurityManager.auth_thread.configure_curve()
gets called.
Terminating the manager through terminate_auth()
will stop the authenticator thread, if any.
Cert Store¶
Certificates on the file system are organized in a “store”. Public directory stores the certificates of other peers while the private directory contains certificates of peers running on the local machine.
The names of the certificates are always the same as the uuid of the peer, with the extension being either key for public certificates or key_secret for private certificates.
The class implements some helper methods for dealing with the certificates store:
prepare_cert_store()
creates the directory structure and usescert_pair_check_gen()
to either read or create certificates for current peer;cert_file_by_uuid()
will compute the path towards the certificate corresponding to that uuid; it is used incert_key_by_uuid()
which parses the content of the file and reads the key;exchange_certificates()
is mostly of use for testing but offers some hints about what the user should do to securely connect two peers using certificates.
-
class
p2p0mq.security.
SecurityManager
(private_cert_dir, public_cert_dir, temp_cert_dir=None, no_encryption=False, *args, **kwargs)[source]¶ Manages the security related settings and actions.
-
private_cert_dir
¶ The path towards the directory that stores private certificates.
Type: str
-
public_cert_dir
¶ The path towards the directory that stores public certificates.
Type: str
-
temp_cert_dir
¶ The path towards the temporary directory (used for generating new certificates). If not provided, it defaults to system’s temporary directory.
Type: str
-
no_encryption
¶ Enable or disable encryption at peer level. Peers that use encryption can only connect to other peers that use encryption and vice-versa.
Type: bool
-
public_file
¶ The path towards the public certificate of this peer.
Type: str
-
private_file
¶ The path towards the private certificate of this peer.
Type: str
-
auth_thread
¶ A separate thread used by zmq to authenticate our peers.
Type: ThreadAuthenticator
-
cert_file_by_uuid
(uuid, public=True)[source]¶ Computes the path of a certificate inside the certificate store based on the name of the peer.
Parameters: - uuid – The unique identification of the peer. Usually, this is the local peer.
- public (bool) – If True it retrieves the path of the public certificate, if False it retrieves the path of the private certificate.
-
cert_key_by_uuid
(uuid, public=True)[source]¶ Reads the key from corresponding certificate file.
Parameters: - uuid – The unique identification of the peer. Usually, this is the local peer.
- public (bool) – If True it retrieves the public key, if False it retrieves the private key.
-
cert_pair_check_gen
(uuid)[source]¶ Checks if the certificates exist. Generates them if they don’t.
Parameters: uuid – The unique identification of the peer. Usually, this is the local peer.
-
exchange_certificates
(other)[source]¶ Copies the certificates so that the two instances can authenticate themselves to each other.
Parameters: other (SecurityManager) – The security manager of the other peer.
-
prepare_cert_store
(uuid)[source]¶ Prepares the directory structure before it can be used by our authentication system.
Parameters: uuid – The unique identification of local peer.
-