[FIXED] default_permissions apply to nkey users as well

Fixes 1390 Signed-off-by: Matthias Hanel <mh@synadia.com>
2026-04-02 03:38:42 -07:00 · 2020-05-12 17:13:25 -04:00
parent db5c8aec8a
commit 04b81abdde
2 changed files with 72 additions and 5 deletions
--- a/server/opts.go
+++ b/server/opts.go
@@ -2254,14 +2254,22 @@ func parseAuthorization(v interface{}, opts *Options, errors *[]error, warnings
 		}

 		// Now check for permission defaults with multiple users, etc.
-		if auth.users != nil && auth.defaultPermissions != nil {
-			for _, user := range auth.users {
-				if user.Permissions == nil {
-					user.Permissions = auth.defaultPermissions
+		if auth.defaultPermissions != nil {
+			if auth.users != nil {
+				for _, user := range auth.users {
+					if user.Permissions == nil {
+						user.Permissions = auth.defaultPermissions
+					}
+				}
+			}
+			if auth.nkeys != nil {
+				for _, user := range auth.nkeys {
+					if user.Permissions == nil {
+						user.Permissions = auth.defaultPermissions
+					}
 				}
 			}
 		}
-
 	}
 	return auth, nil
 }
--- a/server/opts_test.go
+++ b/server/opts_test.go
@@ -876,6 +876,65 @@ func TestNkeyUsersConfig(t *testing.T) {
 	}
 }

+func TestNkeyUsersDefaultPermissionsConfig(t *testing.T) {
+	confFileName := createConfFile(t, []byte(`
+	authorization {
+		default_permissions = {
+			publish = "foo"
+		}
+		users = [
+			{ user: "user", password: "pwd"}
+			{ user: "other", password: "pwd",
+				permissions = {
+					subscribe = "bar"
+				}
+			}
+			{ nkey: "UDKTV7HZVYJFJN64LLMYQBUR6MTNNYCDC3LAZH4VHURW3GZLL3FULBXV" }
+			{ nkey: "UA3C5TBZYK5GJQJRWPMU6NFY5JNAEVQB2V2TUZFZDHFJFUYVKTTUOFKZ",
+				permissions = {
+					subscribe = "bar"
+				}
+			}
+		]
+	}`))
+	checkPerms := func(permsDef *Permissions, permsNonDef *Permissions) {
+		if permsDef.Publish.Allow[0] != "foo" {
+			t.Fatal("Publish allow foo missing")
+		} else if permsDef.Subscribe != nil {
+			t.Fatal("Has unexpected Subscribe permission")
+		} else if permsNonDef.Subscribe.Allow[0] != "bar" {
+			t.Fatal("Subscribe allow bar missing")
+		} else if permsNonDef.Publish != nil {
+			t.Fatal("Has unexpected Publish permission")
+		}
+	}
+	defer os.Remove(confFileName)
+	opts, err := ProcessConfigFile(confFileName)
+	if err != nil {
+		t.Fatalf("Received an error reading config file: %v", err)
+	}
+	if lu := len(opts.Users); lu != 2 {
+		t.Fatalf("Expected 2 nkey users, got %d", lu)
+	}
+	userDefault := opts.Users[0]
+	userNonDef := opts.Users[1]
+	if !strings.HasPrefix(userDefault.Username, "user") {
+		userDefault = opts.Users[1]
+		userNonDef = opts.Users[0]
+	}
+	checkPerms(userDefault.Permissions, userNonDef.Permissions)
+	if lu := len(opts.Nkeys); lu != 2 {
+		t.Fatalf("Expected 2 nkey users, got %d", lu)
+	}
+	nkeyDefault := opts.Nkeys[0]
+	nkeyNonDef := opts.Nkeys[1]
+	if !strings.HasPrefix(nkeyDefault.Nkey, "UDK") {
+		nkeyDefault = opts.Nkeys[1]
+		nkeyNonDef = opts.Nkeys[0]
+	}
+	checkPerms(nkeyDefault.Permissions, nkeyNonDef.Permissions)
+}
+
 func TestNkeyUsersWithPermsConfig(t *testing.T) {
 	confFileName := createConfFile(t, []byte(`
    authorization {