zyre 0.6.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dec6f1a89c5683ac88460dc3cc156b79156e318052a7ea81494336e0686ec522
-  data.tar.gz: f1fd6cb1ba63bf1ea8054823faa26afaa0646f063da940ee3e6e1e12ead7161a
+  metadata.gz: e5ed839568df209af8c75bddfe0be453af7219319c31848556261888e3b6ee39
+  data.tar.gz: 778239dec2e83ac60efbccdccffa55916ff6365f82a6bc9869a796b6e0484223
 SHA512:
-  metadata.gz: f98b88495f675531470868a0c4e7f7ec94970fd3e9415d771a3ad0d1c27bea34c7badd3e7e3a084e147611871fc45439bbb495abda72f5a6962eaf11beeb7992
-  data.tar.gz: a442f583bd320bf642794d6b0136057473d8a9abafef5fd1570213ee4d564dc4aa1bca48c4f3d36696c534cdba51b0ba645c68926b6f2eea072bf21a0623e818
+  metadata.gz: 6bbf929517d6375ed0f27b7eac8b413a200fda2af90d0493e2d246a4e232862bcd97cb00961b7118ff617bc00c278b92af2ffeba978756d64fb56d6171a2342f
+  data.tar.gz: 7613fd948161ec855ab2042401304e381866b7eef9aeaf166898912e24c9fa0ede81c91a35f54075f269855322219880e972d3a712b498935786e66b48c17860

checksums.yaml.gz.sig

@@ -1 +1,4 @@
-\���wO):��"Y�Pw)}f(q��
N�
+oii�bS��Sy��
+�km��%0��t���1�l	�g��hbq��2��<<�q�|�`wRkQZ��1��l�A^7D���1���/��#m�&�t;=U��b�D��f��j*��EEݕ����-[BȽ�Ä�-��h�U"rp+}k`�-S"�{sK�19/�?���j;@�&q��q�n�4��k��:N i�6r�S<�,��!�Y]*&Sς��~V�@*���e�N��+��^�w
+����2+��2�v�_���W�����{l6)^UJ��;���r�IHM�(���х�9�����ɼw[+{�9W�
2l^NWg7Y����F7L�j�Z\*c��ͮV�	����J
+��0v�V������`�l
�����

data/Authentication.md

@@ -1,30 +1,30 @@
 # Authenticated \Zyre
 
-Note that authentication requires API that is still in Draft, so it requires
-that your libzyre be built with --enable-drafts. Also, since draft APIs are
-subject to change, this documentation may be out of date. A good place to check
-for the latest info is the built-in test suites in the Zyre source itself.
+Note that authentication requires a Draft API, so it requires that your libzyre
+be built with `--enable-drafts`. Also, since draft APIs are subject to change,
+this documentation may be out of date. A good place to check for the latest
+info is the built-in test suites in the Zyre source itself.
 
-Authentication isn't done yet, but when it is it'll look something like:
+Authentication in Zyre is done using the mechanism built into ZeroMQ. To enable it, you start the authenticator actor ([zauth][]) and then configure the authentication you wish to use.
 
-    cert = Zyre::Cert.new
-    cert.save( "/usr/local/var/certs/server" )
+## Curve Authentication
 
-    Zyre.allow( "127.0.0.1", "10.0.12.2" )
-    Zyre.start_authenticator( :CURVE, "/usr/local/var/certs" )
+To enable secure connections, you tell Zyre to enable Curve. You can either call this method with no argument, in which case any node that presents a valid cert will be allowed to connect, or you pass in the path to a [zcertstore][] that contains all the certificates of nodes which will be allowed to connect.
 
-    node = Zyre::Node.new
-    node.zap_domain = 'application_name'
-    node.zcert = cert
-    node.start
+To document:
 
-    # later...
-
-    node.stop
-    Zyre.stop_authenticator
+- Creating a certstore
+- Enabling the authenticator
+- Enabling curve authentication
 
 
 ## References
 
 - ZAP (ZeroMQ Authentication Protocol) - https://rfc.zeromq.org/spec/27/
 - Using ZeroMQ Security (Part 2) - https://jaxenter.com/using-zeromq-security-part-2-119353.html
+
+
+[zauth]: http://api.zeromq.org/czmq3-0:zauth
+[zcertstore]: http://api.zeromq.org/czmq3-0:zcertstore
+
+

data/History.md

@@ -1,6 +1,24 @@
 # Release History for zyre
 
 ---
+## v0.8.0 [2026-02-02] Michael Granger <ged@faeriemud.org>
+
+Improvements:
+
+- Add Zyre::Certstore for managing zcertstores
+- Add convenience method for making public certs
+
+
+## v0.7.0 [2025-08-05] Michael Granger <ged@faeriemud.org>
+
+Improvements:
+
+- Add ZAUTH
+
+Fixes:
+
+- Move the interface method setting to the Zyre toplevel since it's actually global
+
 
 ## v0.6.0 [2023-08-08] Michael Granger <ged@faeriemud.org>
 

data/ext/zyre_ext/cert.c

@@ -15,6 +15,14 @@ VALUE rzyre_cZyreCert;
 static void rzyre_cert_free( void *ptr );
 
 
+static const byte EMPTY_KEY[32] = {
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+static const char *Z85_EMPTY_KEY = "0000000000000000000000000000000000000000";
+
+
 static const rb_data_type_t rzyre_cert_t = {
 	.wrap_struct_name = "Zyre::Cert",
 	.function = {
@@ -68,6 +76,24 @@ rzyre_get_cert( VALUE self )
 }
 
 
+
+/*
+ * Wrap a zcert_t in a Zyre::Cert object.
+ */
+VALUE
+rzyre_wrap_cert( zcert_t *ptr )
+{
+	VALUE wrapper = rzyre_cert_alloc( rzyre_cZyreCert );
+	zcert_t *copy = zcert_dup( ptr );
+
+	RTYPEDDATA_DATA( wrapper ) = copy;
+
+	return wrapper;
+}
+
+
+
+
 /*
  * call-seq:
  *   Zyre::Cert.from( public_key, secret_key )    -> cert
@@ -104,6 +130,42 @@ rzyre_cert_s_from( VALUE class, VALUE public_key, VALUE secret_key )
 }
 
 
+
+/*
+ * call-seq:
+ *   Zyre::Cert.from_public( public_key )    -> cert
+ *
+ * Create a public certificate from a +public_key+ string.
+ *
+ */
+static VALUE
+rzyre_cert_s_from_public( VALUE class, VALUE public_key )
+{
+	VALUE self = rzyre_cert_alloc( class );
+	zcert_t *ptr = NULL;
+	const char *pub_str = StringValuePtr( public_key );
+
+	if ( RSTRING_LEN(public_key) == 32 ) {
+		ptr = zcert_new_from( (const byte *)pub_str, EMPTY_KEY );
+	} else if ( RSTRING_LEN(public_key) == 40 ) {
+#ifdef HAVE_ZCERT_NEW_FROM_TXT
+		ptr = zcert_new_from_txt( pub_str, Z85_EMPTY_KEY );
+#else
+		rb_raise( rb_eNotImpError,
+			"can't create a key from encoded keys: Czmq is too old!" );
+#endif
+	}
+
+	if ( !ptr ) {
+		rb_raise( rb_eArgError, "invalid key" );
+	}
+
+	RTYPEDDATA_DATA( self ) = ptr;
+
+	return self;
+}
+
+
 /*
  * call-seq:
  *   Zyre::Cert.load( filename )    -> cert
@@ -262,7 +324,7 @@ rzyre_cert_meta( VALUE self, VALUE name )
 	const char *name_str = StringValuePtr( name );
 	const char *value = zcert_meta( ptr, name_str );
 
-	if ( value ) rval = rb_str_new_cstr( value );
+	if ( value ) rval = rb_utf8_str_new_cstr( value );
 
 	return rval;
 }
@@ -357,7 +419,8 @@ static VALUE
 rzyre_cert_save_public( VALUE self, VALUE filename )
 {
 	zcert_t *ptr = rzyre_get_cert( self );
-	const char *filename_str = StringValueCStr( filename );
+	VALUE filename_s = rb_funcall( filename, rb_intern("to_s"), 0 );
+	const char *filename_str = StringValueCStr( filename_s );
 	int result;
 
 	result = zcert_save_public( ptr, filename_str );
@@ -477,6 +540,7 @@ rzyre_init_cert( void ) {
 	rb_define_alloc_func( rzyre_cZyreCert, rzyre_cert_alloc );
 
 	rb_define_singleton_method( rzyre_cZyreCert, "from", rzyre_cert_s_from, 2 );
+	rb_define_singleton_method( rzyre_cZyreCert, "from_public", rzyre_cert_s_from_public, 1 );
 	rb_define_singleton_method( rzyre_cZyreCert, "load", rzyre_cert_s_load, 1 );
 
 	rb_define_protected_method( rzyre_cZyreCert, "initialize", rzyre_cert_initialize, 0 );

data/ext/zyre_ext/certstore.c

@@ -0,0 +1,208 @@
+/*
+ *  certstore.c - A curve certificate store for use with Zyre.
+ *  $Id$
+ *
+ *  Authors:
+ *    * Michael Granger <ged@FaerieMUD.org>
+ *
+ */
+
+#include "zyre_ext.h"
+
+VALUE rzyre_cZyreCertstore;
+
+// Forward declarations
+static void rzyre_certstore_free( void *ptr );
+
+
+static const rb_data_type_t rzyre_certstore_t = {
+	.wrap_struct_name = "Zyre::Certstore",
+	.function = {
+		.dmark = NULL,
+		.dfree = rzyre_certstore_free,
+	},
+	.data = NULL,
+	.flags = RUBY_TYPED_FREE_IMMEDIATELY,
+};
+
+
+/*
+ * Free function
+ */
+static void
+rzyre_certstore_free( void *ptr )
+{
+	if ( ptr ) {
+		zcertstore_destroy( (zcertstore_t **)&ptr );
+	}
+}
+
+
+/*
+ * Alloc function
+ */
+static VALUE
+rzyre_certstore_alloc( VALUE klass )
+{
+	return TypedData_Wrap_Struct( klass, &rzyre_certstore_t, NULL );
+}
+
+
+/*
+ * Fetch the data pointer and check it for sanity.
+ */
+inline zcertstore_t *
+rzyre_get_certstore( VALUE self )
+{
+	zcertstore_t *ptr;
+
+	if ( !IsZyreCertstore(self) ) {
+		rb_raise( rb_eTypeError, "wrong argument type %s (expected Zyre::Certstore)",
+			rb_class2name(CLASS_OF( self )) );
+	}
+
+	ptr = DATA_PTR( self );
+	assert( ptr );
+
+	return ptr;
+}
+
+
+
+/*
+ * call-seq:
+ *    Zyre::Certstore.new                -> certstore
+ *    Zyre::Certstore.new( directory )   -> certstore
+ *
+ * Create a new certificate store. If not +directory+ is given, creates an
+ * in-memory store.
+ *
+ */
+static VALUE
+rzyre_certstore_initialize( int argc, VALUE *argv, VALUE self )
+{
+	VALUE directory = Qnil;
+	zcertstore_t *ptr;
+
+	TypedData_Get_Struct( self, zcertstore_t, &rzyre_certstore_t, ptr );
+	if ( !ptr ) {
+		rb_scan_args( argc, argv, "01", &directory );
+
+		if ( RTEST(directory) ) {
+			VALUE dir_string = rb_funcall( directory, rb_intern("to_s"), 0 );
+			const char *location = StringValueCStr( dir_string );
+			ptr = zcertstore_new( location );
+		} else {
+			ptr = zcertstore_new( NULL );
+		}
+
+		assert( ptr );
+		RTYPEDDATA_DATA( self ) = ptr;
+	}
+
+	return self;
+}
+
+
+
+/*
+ * call-seq:
+ *    certstore.lookup( public_key )
+ *
+ * Look up certificate by public key, returns Zyre::Cert object if found,
+ * else returns `nil`. The +public_key+ should be a String in Z85 text format.
+ *
+ */
+static VALUE
+rzyre_certstore_lookup( VALUE self, VALUE public_key )
+{
+	zcertstore_t *ptr = rzyre_get_certstore( self );
+	const char *key_txt = StringValueCStr( public_key );
+	zcert_t *cert = zcertstore_lookup( ptr, key_txt );
+
+	if ( cert ) {
+		VALUE zyre_cert = rzyre_wrap_cert( cert );
+		return zyre_cert;
+	}
+
+	return Qnil;
+}
+
+
+
+/*
+ * call-seq:
+ *    certstore.insert( certificate )
+ *
+ * Insert +certificate+ (a Zyre::Cert) into certificate store in memory. Note
+ * that this does not save the certificate to disk. To do that, use Zyre::Cert#save
+ * directly on the certificate.
+ *
+ */
+static VALUE
+rzyre_certstore_insert( VALUE self, VALUE cert )
+{
+	zcertstore_t *ptr = rzyre_get_certstore( self );
+	zcert_t *zcert = rzyre_get_cert( cert );
+	zcert_t *zcert_owned = zcert_dup( zcert );
+
+	assert( zcert_owned );
+	zcertstore_insert( ptr, &zcert_owned );
+
+	return Qtrue;
+}
+
+
+/*
+ * call-seq:
+ *    certstore.print
+ *
+ * Print list of certificates in store to logging facility.
+ *
+ */
+static VALUE
+rzyre_certstore_print( VALUE self )
+{
+	zcertstore_t *ptr = rzyre_get_certstore( self );
+
+	zcertstore_print( ptr );
+
+	return Qtrue;
+}
+
+
+
+/*
+ * Initialize the Cert class.
+ */
+void
+rzyre_init_certstore( void ) {
+
+#ifdef FOR_RDOC
+	rb_cData = rb_define_class( "Data" );
+	rzyre_mZyre = rb_define_module( "Zyre" );
+#endif
+
+	/*
+	 * Document-class: Zyre::Certstore
+	 *
+	 * A certificate store for Zyre curve authentication.
+	 *
+	 * Refs:
+	 * - http://api.zeromq.org/czmq4-0:zcertstore
+	 *
+	 */
+	rzyre_cZyreCertstore = rb_define_class_under( rzyre_mZyre, "Certstore", rb_cObject );
+
+	rb_define_alloc_func( rzyre_cZyreCertstore, rzyre_certstore_alloc );
+
+	rb_define_protected_method( rzyre_cZyreCertstore, "initialize", rzyre_certstore_initialize, -1 );
+
+	rb_define_method( rzyre_cZyreCertstore, "lookup", rzyre_certstore_lookup, 1 );
+	rb_define_method( rzyre_cZyreCertstore, "insert", rzyre_certstore_insert, 1 );
+
+	rb_define_method( rzyre_cZyreCertstore, "print", rzyre_certstore_print, 0 );
+
+	rb_require( "zyre/certstore" );
+}
+

data/ext/zyre_ext/extconf.rb

@@ -31,6 +31,7 @@ have_func( 'zmq_z85_encode', 'zmq.h' )
 have_func( 'zmq_z85_decode', 'zmq.h' )
 
 have_func( 'zcert_unset_meta', 'czmq.h' )
+have_func( 'zcert_new_from_txt', 'czmq.h' )
 
 create_header()
 create_makefile( 'zyre_ext' )

data/ext/zyre_ext/node.c

@@ -286,6 +286,7 @@ rzyre_node_interface_eq( VALUE self, VALUE interface )
 	zyre_t *ptr = rzyre_get_node( self );
 	const char *interface_str = StringValueCStr( interface );
 
+	rb_warn( "Setting #interface on a Node sets it globally." );
 	zyre_set_interface( ptr, interface_str );
 
 	return Qtrue;

data/ext/zyre_ext/zyre_ext.c

@@ -17,6 +17,8 @@
 
 VALUE rzyre_mZyre;
 
+static zactor_t *auth;
+
 
 /* --------------------------------------------------------------
  * Logging Functions
@@ -148,7 +150,7 @@ rzyre_make_zmsg_from( VALUE messages )
  *
  */
 static VALUE
-rzyre_s_zyre_version()
+rzyre_s_zyre_version( VALUE _mod )
 {
 	static uint64_t version;
 
@@ -293,10 +295,172 @@ rzyre_s_z85_decode( VALUE module, VALUE string )
 }
 
 
+
+/*
+ * call-seq:
+ *    Zyre.start_authenticator   -> true
+ *
+ * Start the ZAUTH authenticator actor. If it's already running, this
+ * call is silently ignored.
+ *
+ */
 static VALUE
 rzyre_s_start_authenticator( VALUE module )
 {
-	return Qnil;
+	if ( !auth ) {
+		rzyre_log_obj( rzyre_mZyre, "info", "starting up the ZAUTH actor." );
+		auth = zactor_new( zauth, NULL );
+		assert( auth );
+	}
+
+	return Qtrue;
+}
+
+
+/*
+ * call-seq:
+ *    Zyre.authenticator_started?   -> true or false
+ *
+ * Returns `true` if the ZAUTH authenticator actor is running.
+ *
+ */
+static VALUE
+rzyre_s_authenticator_started_p( VALUE module )
+{
+	if ( auth ) {
+		return Qtrue;
+	} else {
+		return Qfalse;
+	}
+}
+
+
+/*
+ * call-seq:
+ *    Zyre.stop_authenticator   -> true
+ *
+ * Stop the ZAUTH authenticator actor if it is running. If it's not running, this
+ * call is silently ignored.
+ *
+ */
+static VALUE
+rzyre_s_stop_authenticator( VALUE module )
+{
+	if ( auth ) {
+		rzyre_log_obj( rzyre_mZyre, "info", "shutting down the ZAUTH actor." );
+		zactor_destroy( &auth );
+	}
+
+	return Qtrue;
+}
+
+
+/*
+ * Async wait function; called without the GVL.
+ */
+static void *
+rzyre_wait_for_auth_without_gvl( void *_unused )
+{
+	zsock_wait( auth );
+	return NULL;
+}
+
+
+/*
+ * call-seq:
+ *    Zyre.verbose_auth!
+ *
+ * Enable the ZAUTH actor's verbose logging.
+ *
+ */
+static VALUE
+rzyre_s_verbose_auth_bang( VALUE module )
+{
+	if ( auth ) {
+		zstr_sendx( auth, "VERBOSE", NULL );
+		rb_thread_call_without_gvl2( rzyre_wait_for_auth_without_gvl, 0, RUBY_UBF_IO, 0 );
+	} else {
+		rb_raise( rb_eRuntimeError, "can't enable verbose auth: authenticator is not started." );
+	}
+
+	return Qtrue;
+}
+
+
+/*
+ * call-seq:
+ *    Zyre.enable_curve_auth( cert_dir=nil )
+ *
+ * Enable CURVE authentication, using the specified +cert_dir+ for allowed
+ * public certificates. If no +cert_dir+ is given, any connection presenting a valid CURVE
+ * certificate will be allowed.
+ *
+ */
+static VALUE
+rzyre_s_enable_curve_auth( int argc, VALUE *argv, VALUE module )
+{
+	VALUE cert_dir = Qnil;
+	char *cert_dir_s;
+
+	rb_scan_args( argc, argv, "01", &cert_dir );
+
+	if ( argc ) {
+		cert_dir_s = StringValueCStr( cert_dir );
+		zstr_sendx( auth, "CURVE", cert_dir_s, NULL );
+	} else {
+		zstr_sendx( auth, "CURVE", CURVE_ALLOW_ANY, NULL );
+	}
+
+	rb_thread_call_without_gvl2( rzyre_wait_for_auth_without_gvl, 0, RUBY_UBF_IO, 0 );
+
+	return Qtrue;
+}
+
+
+/*
+ * call-seq:
+ *    Zyre.interface   -> string
+ *
+ * Return network interface to use for broadcasts, or nil if none was set.
+ *
+ */
+static VALUE
+rzyre_s_interface( VALUE module )
+{
+	const char *interface = zsys_interface();
+
+	if ( strnlen(interface, 1) == 0 ) {
+		return Qnil;
+	}
+
+	return rb_utf8_str_new_cstr( interface );
+}
+
+
+/*
+ * call-seq:
+ *    Zyre.interface = string
+ *
+ * Set network interface name to use for broadcasts.
+ *
+ * This lets the interface be configured for test environments where required.
+ * For example, on Mac OS X, zbeacon cannot bind to 255.255.255.255 which is
+ * the default when there is no specified interface. If the environment
+ * variable ZSYS_INTERFACE is set, use that as the default interface name.
+ * Setting the interface to "*" means "use all available interfaces".
+ *
+ */
+static VALUE
+rzyre_s_interface_eq( VALUE module, VALUE new_interface )
+{
+	if ( NIL_P(new_interface) ) {
+		zsys_set_interface( "" );
+	} else {
+		const char *new_interface_s = StringValueCStr( new_interface );
+		zsys_set_interface( new_interface_s );
+	}
+
+	return Qtrue;
 }
 
 
@@ -326,15 +490,23 @@ Init_zyre_ext()
 
 	rb_define_singleton_method( rzyre_mZyre, "zyre_version", rzyre_s_zyre_version, 0 );
 	rb_define_singleton_method( rzyre_mZyre, "interfaces", rzyre_s_interfaces, 0 );
-	rb_define_singleton_method( rzyre_mZyre, "disable_zsys_handler", rzyre_s_disable_zsys_handler, 0 );
+	rb_define_singleton_method( rzyre_mZyre, "disable_zsys_handler",
+		rzyre_s_disable_zsys_handler, 0 );
 
 	rb_define_singleton_method( rzyre_mZyre, "z85_encode", rzyre_s_z85_encode, 1 );
 	rb_define_singleton_method( rzyre_mZyre, "z85_decode", rzyre_s_z85_decode, 1 );
 
-	// :TODO: Allow for startup of the zauth agent. This will require enough of a
-	// subset of CZMQ that I hesitate to do it in Zyre. Maybe better to just write a
-	// decent CZMQ library instead?
-	rb_define_singleton_method( rzyre_mZyre, "start_authenticator", rzyre_s_start_authenticator, 0 );
+	rb_define_singleton_method( rzyre_mZyre, "start_authenticator",
+		rzyre_s_start_authenticator, 0 );
+	rb_define_singleton_method( rzyre_mZyre, "authenticator_started?",
+		rzyre_s_authenticator_started_p, 0 );
+	rb_define_singleton_method( rzyre_mZyre, "stop_authenticator", rzyre_s_stop_authenticator, 0 );
+
+	rb_define_singleton_method( rzyre_mZyre, "verbose_auth!", rzyre_s_verbose_auth_bang, 0 );
+	rb_define_singleton_method( rzyre_mZyre, "enable_curve_auth", rzyre_s_enable_curve_auth, -1 );
+
+	rb_define_singleton_method( rzyre_mZyre, "interface", rzyre_s_interface, 0 );
+	rb_define_singleton_method( rzyre_mZyre, "interface=", rzyre_s_interface_eq, 1 );
 
 	// :TODO: set up zsys_set_logsender()
 
@@ -342,5 +514,6 @@ Init_zyre_ext()
 	rzyre_init_event();
 	rzyre_init_poller();
 	rzyre_init_cert();
+	rzyre_init_certstore();
 }
 

data/ext/zyre_ext/zyre_ext.h

@@ -87,6 +87,7 @@ extern VALUE rzyre_cZyreNode;
 extern VALUE rzyre_cZyreEvent;
 extern VALUE rzyre_cZyrePoller;
 extern VALUE rzyre_cZyreCert;
+extern VALUE rzyre_cZyreCertstore;
 
 extern zactor_t *auth_actor;
 
@@ -99,6 +100,7 @@ extern zactor_t *auth_actor;
 #define IsZyreEvent( obj ) rb_obj_is_kind_of( (obj), rzyre_cZyreEvent )
 #define IsZyrePoller( obj ) rb_obj_is_kind_of( (obj), rzyre_cZyrePoller )
 #define IsZyreCert( obj ) rb_obj_is_kind_of( (obj), rzyre_cZyreCert )
+#define IsZyreCertstore( obj ) rb_obj_is_kind_of( (obj), rzyre_cZyreCertstore )
 
 /* --------------------------------------------------------------
  * Utility functions
@@ -115,9 +117,11 @@ extern void rzyre_init_node _(( void ));
 extern void rzyre_init_event _(( void ));
 extern void rzyre_init_poller _(( void ));
 extern void rzyre_init_cert _(( void ));
+extern void rzyre_init_certstore _(( void ));
 
 extern zyre_t * rzyre_get_node _(( VALUE ));
 extern zcert_t * rzyre_get_cert _(( VALUE ));
+extern VALUE rzyre_wrap_cert _(( zcert_t * ));
 
 #endif /* end of include guard: ZYRE_EXT_H_90322ABD */
 

data/lib/zyre/cert.rb

@@ -13,6 +13,7 @@ class Zyre::Cert
 
 	# The placeholder key that is set as the secret key for a public certificate.
 	EMPTY_KEY = "\x00" * 32
+	Z85_EMPTY_KEY = Zyre.z85_encode( EMPTY_KEY )
 
 
 	# Use the Zyre module's logger

data/lib/zyre/certstore.rb

@@ -0,0 +1,14 @@
+# -*- ruby -*-
+
+require 'loggability'
+
+require 'zyre' unless defined?( Zyre )
+
+
+#--
+# See also: ext/zyre_ext/certstore.c
+class Zyre::Certstore
+	extend Loggability
+
+
+end # class Zyre::Certstore

data/lib/zyre.rb

@@ -13,7 +13,7 @@ module Zyre
 
 
 	# Gem version (semver)
-	VERSION = '0.6.0'
+	VERSION = '0.8.0'
 
 	# Set up a logger for Zyre classes
 	log_as :zyre

data/spec/zyre/cert_spec.rb

@@ -27,6 +27,17 @@ RSpec.describe( Zyre::Cert ) do
 	end
 
 
+	it "can be created from public key" do
+		cert = described_class.new
+
+		result = described_class.from_public( cert.public_key )
+
+		expect( result ).to be_a( described_class )
+		expect( result.public_txt ).to eq( cert.public_txt )
+		expect( result.secret_txt ).to eq( Zyre::Cert::Z85_EMPTY_KEY )
+	end
+
+
 	it "can be saved to and loaded from a file" do
 		cert = described_class.new
 		cert.save( cert_file.path )
@@ -46,7 +57,7 @@ RSpec.describe( Zyre::Cert ) do
 
 		expect( result ).to be_a( described_class )
 		expect( result.public_key ).to eq( cert.public_key )
-		expect( result.secret_key ).to eq( Zyre::Cert::EMPTY_KEY )
+		expect( result.secret_key ).to eq( described_class::EMPTY_KEY )
 	end
 
 
@@ -197,7 +208,7 @@ RSpec.describe( Zyre::Cert ) do
 
 	it "can be applied to a Zyre node", :draft_apis do
 		node = instance_double( Zyre::Node )
-		cert = Zyre::Cert.new
+		cert = described_class.new
 
 		expect( node ).to receive( :zcert= ).with( cert )
 		cert.apply( node )
@@ -212,6 +223,8 @@ RSpec.describe( Zyre::Cert ) do
 		other = cert.dup
 
 		expect( other.object_id ).not_to eq( cert.object_id )
+		expect( other[:node_id] ).to eq( cert[:node_id] )
+		expect( other[:node_order] ).to eq( cert[:node_order] )
 	end
 
 

data/spec/zyre/certstore_spec.rb

@@ -0,0 +1,60 @@
+# -*- ruby -*-
+
+require_relative '../spec_helper'
+
+require 'pathname'
+require 'tmpdir'
+require 'zyre/certstore'
+
+
+RSpec.describe( Zyre::Certstore ) do
+
+	let( :certstore_location ) { Pathname(Dir::Tmpname.create(['zyre-cerstore-', '-spec']) {}) }
+
+
+	it "can be created as an in-memory store" do
+		instance = described_class.new
+
+		expect( instance ).to be_a( described_class )
+	end
+
+
+	it "can be created with a directory name" do
+		instance = described_class.new( certstore_location )
+
+		expect( instance ).to be_a( described_class )
+	end
+
+
+	it "can have certs added to it" do
+		instance = described_class.new
+
+		cert = Zyre::Cert.new
+		cert[:name] = 'test1'
+
+		instance.insert( cert )
+
+		res = instance.lookup( cert.public_txt )
+		expect( res ).to be_a( Zyre::Cert )
+		expect( res.public_txt ).to eq( cert.public_txt )
+		expect( res[:name] ).to eq( 'test1' )
+	end
+
+
+	it "can lookup certs added to a directory certstore" do
+		certstore_location.mkpath
+		instance = described_class.new( certstore_location )
+
+		cert = Zyre::Cert.new
+		cert[:name] = 'test23'
+		cert.save_public( certstore_location / 'mykey.txt' )
+
+		res = instance.lookup( cert.public_txt )
+
+		expect( res ).to be_a( Zyre::Cert )
+		expect( res.public_txt ).to eq( cert.public_txt )
+		expect( res[:name] ).to eq( 'test23' )
+	end
+
+end
+

data/spec/zyre/node_spec.rb

@@ -26,6 +26,14 @@ RSpec.describe( Zyre::Node ) do
 	TEST_BINARY_STRING = TEST_BINARY_STRING_PARTS.join( '' )
 
 
+	before( :each ) do
+		@interface = Zyre.interface
+	end
+	after( :each ) do
+		Zyre.interface = @interface
+	end
+
+
 	it "can be created anonymously" do
 		node = described_class.new
 
@@ -108,11 +116,11 @@ RSpec.describe( Zyre::Node ) do
 	end
 
 
-	it "can be set to communicate on a particular network interface" do
+	it "has a backward-compatible method for setting the interface on a Node" do
 		node = described_class.new
 		expect {
 			node.interface = 'lo0'
-		}.to_not raise_error
+		}.to change { Zyre.interface }.to( 'lo0' )
 	end
 
 
@@ -530,8 +538,6 @@ RSpec.describe( Zyre::Node ) do
 		end
 
 
-		it "supports CURVE authentication"
-
 		it "supports advertised_endpoint="
 		it "supports gossip_connect_curve"
 		it "supports gossip_unpublish"

data/spec/zyre_spec.rb

@@ -7,6 +7,14 @@ require 'zyre'
 
 RSpec.describe( Zyre ) do
 
+	before( :each ) do
+		@interface = described_class.interface
+	end
+	after( :each ) do
+		described_class.interface = @interface
+		described_class.stop_authenticator
+	end
+
 
 	# Pattern for matching IPv4 addresses
 	IPV4_ADDRESS = /^((?:(?:^|\.)(?:\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])){4})$/
@@ -64,6 +72,21 @@ RSpec.describe( Zyre ) do
 	end
 
 
+	it "can set the interface used by all nodes" do
+		expect {
+			described_class.interface = 'LENNY'
+		}.to change { described_class.interface }.to( 'LENNY' )
+	end
+
+
+	it "clears the interface setting if set to `nil`" do
+		described_class.interface = "eth0"
+		expect {
+			described_class.interface = nil
+		}.to change { described_class.interface }.to( nil )
+	end
+
+
 	describe "Z85 encoding/decoding" do
 
 		# From the 32/Z85 reference code:
@@ -126,5 +149,95 @@ RSpec.describe( Zyre ) do
 
 	end
 
+
+	describe "ZAUTH authenticator" do
+
+		it "can be started" do
+			expect {
+				described_class.start_authenticator
+			}.to change { described_class.authenticator_started? }.to( true )
+		end
+
+
+		it "ignores call to start if it's already started" do
+			described_class.start_authenticator
+
+			expect {
+				described_class.start_authenticator
+			}.not_to raise_error
+		end
+
+
+		it "can be stopped" do
+			described_class.start_authenticator
+
+			expect {
+				described_class.stop_authenticator
+			}.to change { described_class.authenticator_started? }.to( false )
+		end
+
+
+		it "ignores calls to stop if it's not started" do
+			expect {
+				described_class.stop_authenticator
+			}.not_to raise_error
+		end
+
+
+		it "can enable verbose auth logging" do
+			described_class.start_authenticator
+			expect {
+				described_class.verbose_auth!
+			}.not_to raise_error
+		end
+
+
+		it "raises an error if verbose auth logging is enabled before the authenticator is started" do
+			expect {
+				described_class.verbose_auth!
+			}.to raise_error( /authenticator is not started/i )
+		end
+
+
+		it "supports any-cert style authentication" do
+			described_class.start_authenticator
+			# described_class.verbose_auth!
+			described_class.enable_curve_auth
+
+			server_cert = Zyre::Cert.new
+			server = Zyre::Node.new( 'server' )
+			# server.verbose!
+			server.zap_domain = 'TEST'
+			server.zcert = server_cert
+			server.set_header( 'X-PUBLICKEY', server_cert.public_txt )
+			server.join( 'TEST' )
+			server.start
+
+			client_cert = Zyre::Cert.new
+			authed_client = Zyre::Node.new( 'authed_client' )
+			# authed_client.verbose!
+			authed_client.zap_domain = 'TEST'
+			authed_client.zcert = client_cert
+			authed_client.set_header( 'X-PUBLICKEY', client_cert.public_txt )
+			authed_client.join( 'TEST' )
+			authed_client.start
+			authed_client.shout( 'TEST', 'authed_client hello' )
+
+			result = server.wait_for( :JOIN, timeout: 0.2 )
+			expect( result ).to be_a( Zyre::Event::Join )
+
+			noauth_client = Zyre::Node.new( 'noauth_client' )
+			# noauth_client.verbose!
+			noauth_client.zap_domain = 'TEST'
+			noauth_client.join( 'TEST' )
+			noauth_client.start
+			noauth_client.shout( 'TEST', 'noauth_client hello' )
+
+			result = server.wait_for( :JOIN, timeout: 0.2 )
+			expect( result ).to be_nil
+		end
+
+	end
+
 end
 

metadata

@@ -1,39 +1,39 @@
 --- !ruby/object:Gem::Specification
 name: zyre
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Michael Granger
-autorequire:
 bindir: bin
 cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
-  MIID+DCCAmCgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAiMSAwHgYDVQQDDBdnZWQv
-  REM9RmFlcmllTVVEL0RDPW9yZzAeFw0yMzAxMTYxNzE2MDlaFw0yNDAxMTYxNzE2
-  MDlaMCIxIDAeBgNVBAMMF2dlZC9EQz1GYWVyaWVNVUQvREM9b3JnMIIBojANBgkq
-  hkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAvyVhkRzvlEs0fe7145BYLfN6njX9ih5H
-  L60U0p0euIurpv84op9CNKF9tx+1WKwyQvQP7qFGuZxkSUuWcP/sFhDXL1lWUuIl
-  M4uHbGCRmOshDrF4dgnBeOvkHr1fIhPlJm5FO+Vew8tSQmlDsosxLUx+VB7DrVFO
-  5PU2AEbf04GGSrmqADGWXeaslaoRdb1fu/0M5qfPTRn5V39sWD9umuDAF9qqil/x
-  Sl6phTvgBrG8GExHbNZpLARd3xrBYLEFsX7RvBn2UPfgsrtvpdXjsHGfpT3IPN+B
-  vQ66lts4alKC69TE5cuKasWBm+16A4aEe3XdZBRNmtOu/g81gvwA7fkJHKllJuaI
-  dXzdHqq+zbGZVSQ7pRYHYomD0IiDe1DbIouFnPWmagaBnGHwXkDT2bKKP+s2v21m
-  ozilJg4aar2okb/RA6VS87o+d7g6LpDDMMQjH4G9OPnJENLdhu8KnPw/ivSVvQw7
-  N2I4L/ZOIe2DIVuYH7aLHfjZDQv/mNgpAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYD
-  VR0PBAQDAgSwMB0GA1UdDgQWBBRyjf55EbrHagiRLqt5YAd3yb8k4DANBgkqhkiG
-  9w0BAQsFAAOCAYEARYCeUVBWARNKqF0cvNnLJvFf4hdW2+Rtc7NfC5jQvX9a1oom
-  sfVvS96eER/9cbrphu+vc59EELw4zT+RY3/IesnoE7CaX6zIOFmSmG7K61OHsSLR
-  KqMygcWwyuPXT2JG7JsGHuxbzgaRWe29HbSjBbLYxiMH8Zxh4tKutxzKF7jb0Ggq
-  KAf9MH5LwG8IHVIfV5drT14PvgR3tcvmrn1timPyJl+eZ3LNnm9ofOCweuZCq1cy
-  4Q8LV3vP2Cofy9q+az3DHdaUGlmMiZZZqKixDr1KSS9nvh0ZrKMOUL1sWj/IaxrQ
-  RV3y6td14q49t+xnbj00hPlbW7uE2nLJLt2NAoXiE1Nonndz1seB2c6HL79W9fps
-  E/O12pQjCp/aPUZMt8/8tKW31RIy/KP8XO6OTJNWA8A/oNEI0g5p/LmmEtJKWYr1
-  WmEdESlpWhzFECctefIF2lsN9vaOuof57RM77t2otrtcscDtNarIqjZsIyqtDvtL
-  DttITiit0Vwz7bY0
+  MIIEMDCCApigAwIBAgIBAjANBgkqhkiG9w0BAQsFADA+MQwwCgYDVQQDDANnZWQx
+  GTAXBgoJkiaJk/IsZAEZFglGYWVyaWVNVUQxEzARBgoJkiaJk/IsZAEZFgNvcmcw
+  HhcNMjYwMjAyMjExMjQ0WhcNMjcwMjAyMjExMjQ0WjA+MQwwCgYDVQQDDANnZWQx
+  GTAXBgoJkiaJk/IsZAEZFglGYWVyaWVNVUQxEzARBgoJkiaJk/IsZAEZFgNvcmcw
+  ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC/JWGRHO+USzR97vXjkFgt
+  83qeNf2KHkcvrRTSnR64i6um/ziin0I0oX23H7VYrDJC9A/uoUa5nGRJS5Zw/+wW
+  ENcvWVZS4iUzi4dsYJGY6yEOsXh2CcF46+QevV8iE+UmbkU75V7Dy1JCaUOyizEt
+  TH5UHsOtUU7k9TYARt/TgYZKuaoAMZZd5qyVqhF1vV+7/Qzmp89NGflXf2xYP26a
+  4MAX2qqKX/FKXqmFO+AGsbwYTEds1mksBF3fGsFgsQWxftG8GfZQ9+Cyu2+l1eOw
+  cZ+lPcg834G9DrqW2zhqUoLr1MTly4pqxYGb7XoDhoR7dd1kFE2a067+DzWC/ADt
+  +QkcqWUm5oh1fN0eqr7NsZlVJDulFgdiiYPQiIN7UNsii4Wc9aZqBoGcYfBeQNPZ
+  soo/6za/bWajOKUmDhpqvaiRv9EDpVLzuj53uDoukMMwxCMfgb04+ckQ0t2G7wqc
+  /D+K9JW9DDs3Yjgv9k4h7YMhW5gftosd+NkNC/+Y2CkCAwEAAaM5MDcwCQYDVR0T
+  BAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFHKN/nkRusdqCJEuq3lgB3fJvyTg
+  MA0GCSqGSIb3DQEBCwUAA4IBgQAQwvsRIJ8FV1bYadOnOg2jcSzZXjt0FVPbOQG9
+  eQ9UM7+bTPU0eRCGZuOPrEp8ROc1s5zwZNFv7qHWv/zWWC6sIj4gEnCZkUugK03k
+  bYDsSlkyjiQ4ApVV00+h/Vhxcw+RLIZuqy2QFl8YAfMJm+JS8G7SuoqpFjbv3UUF
+  vrObIiO7LbhJxpYzTGkGzMFigcnm6vIGMex4AgtArc2RpWOvtAXQrU7CZHUkcdQM
+  4n5eVK+m3IZlD7dd4HoPT2jF2cOGmk8XFclT0GcPVYmEWFFmotN2aiMj4sqVm/Ob
+  V+FmyTUy4gVtcNOFO/sBnFRiQW0fxV9/97Dog9ciYesfiAhm4EpcuTmatdAuMrZR
+  WBmf+jXIub5S7RBw+m0mk2xhmcSkg1vY5w6IEIhSo2e2gE9rA0rIkZO5wP4sCouE
+  XdaRMEnt/AVHUzroBR3CWAz/6ZnDF8GS7EK1bOfM+YWqJL30g7PoxpT+UJTqWJtM
+  CCC1LSoBD7OEUiaIMWUo4h7xWIs=
   -----END CERTIFICATE-----
-date: 2023-08-08 00:00:00.000000000 Z
+date: 2026-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: loggability
@@ -168,6 +168,7 @@ files:
 - LICENSE.txt
 - README.md
 - ext/zyre_ext/cert.c
+- ext/zyre_ext/certstore.c
 - ext/zyre_ext/event.c
 - ext/zyre_ext/extconf.rb
 - ext/zyre_ext/node.c
@@ -177,6 +178,7 @@ files:
 - lib/observability/instrumentation/zyre.rb
 - lib/zyre.rb
 - lib/zyre/cert.rb
+- lib/zyre/certstore.rb
 - lib/zyre/event.rb
 - lib/zyre/event/enter.rb
 - lib/zyre/event/evasive.rb
@@ -194,6 +196,7 @@ files:
 - spec/observability/instrumentation/zyre_spec.rb
 - spec/spec_helper.rb
 - spec/zyre/cert_spec.rb
+- spec/zyre/certstore_spec.rb
 - spec/zyre/event_spec.rb
 - spec/zyre/node_spec.rb
 - spec/zyre/poller_spec.rb
@@ -207,7 +210,6 @@ metadata:
   documentation_uri: https://deveiate.org/code/zyre
   changelog_uri: https://deveiate.org/code/zyre/History_md.html
   source_uri: https://gitlab.com/ravngroup/open-source/ruby-zyre/-/tree/master
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -222,8 +224,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: A ZRE library for Ruby.
 test_files: []