Revise auth apply w/ip address config, optimize as possible.

include/bitcoin/protocol/zmq/authenticator.hpp

@@ -62,9 +62,10 @@ class BCP_API authenticator
     /// Stop the router (optional).
     virtual bool stop();
 
-    // This must be called on the socket thread.
+    /// This must be called on the socket thread, empty domain allowed.
+    /// Set secure false to enable NULL mechanism, otherwise curve is required.
+    /// By not applying this method authentication is bypassed altogether.
     /// Apply authentication to the socket for the given arbitrary domain.
-    /// Set secure false to enable null security, otherwise curve is required.
     virtual bool apply(socket& socket, const std::string& domain, bool secure);
 
     /// Set the server private key (required for curve security).

include/bitcoin/protocol/zmq/socket.hpp

@@ -33,6 +33,7 @@ namespace protocol {
 namespace zmq {
 
 class message;
+class authenticator;
 
 /// This class is thread safe except as noted.
 /// Because the socket is only set on construct, sockets are not restartable.
@@ -60,8 +61,10 @@ class BCP_API socket
     /// A shared socket pointer.
     typedef std::shared_ptr<socket> ptr;
 
-    /// Construct a socket.
+    /// Construct a socket from an existing zeromq socket.
     socket(void* zmq_socket);
+
+    /// Construct a socket of the given context and role.
     socket(context& context, role socket_role);
 
     /// This class is not copyable.

src/zmq/authenticator.cpp

@@ -229,18 +229,17 @@ void authenticator::work()
 }
 
 // This must be called on the socket thread.
+// Addresses and client keys may be updated after this is applied.
+// The configuration at the time of this call determines the mode of security.
 bool authenticator::apply(socket& socket, const std::string& domain,
     bool secure)
 {
-    // ZAP authentication will not occur with an empty domain.
-    if (domain.empty() || !socket.set_authentication_domain(domain))
-        return false;
-
     ///////////////////////////////////////////////////////////////////////////
     // Critical Section
     mutex_.lock_shared();
     const auto private_key = private_key_;
     const auto have_public_keys = !keys_.empty();
+    const auto require_address = require_address_;
     mutex_.unlock_shared();
     ///////////////////////////////////////////////////////////////////////////
 
@@ -250,15 +249,23 @@ bool authenticator::apply(socket& socket, const std::string& domain,
 
     if (!secure)
     {
-        // This persists after a socket closes so don't reuse domain names.
-        weak_domains_.emplace(domain);
+        if (require_address)
+        {
+            // These persist after a socket closes so don't reuse domain names.
+            weak_domains_.emplace(domain);
+            return socket.set_authentication_domain(domain);
+        }
+
+        // There are no address or curve rules to apply so bypass ZAP.
         return true;
     }
 
     if (private_key)
     {
-        return socket.set_private_key(private_key) &&
-            socket.set_curve_server();
+        return
+            socket.set_private_key(private_key) &&
+            socket.set_curve_server() &&
+            socket.set_authentication_domain(domain);
     }
 
     // We do not have a private key to set so we cannot set secure.

src/zmq/socket.cpp

@@ -23,6 +23,7 @@
 #include <string>
 #include <zmq.h>
 #include <bitcoin/bitcoin.hpp>
+#include <bitcoin/protocol/zmq/authenticator.hpp>
 #include <bitcoin/protocol/zmq/certificate.hpp>
 #include <bitcoin/protocol/zmq/identifiers.hpp>
 #include <bitcoin/protocol/zmq/message.hpp>