From 08e37e0d94f60be89ecbfc80bad65558ce0f2aa4 Mon Sep 17 00:00:00 2001
From: Matthias Hanel
Date: Tue, 29 Sep 2020 20:23:37 -0400
Subject: [PATCH] Updated jwt library and check (account/token) issuer prior to jwt Validate
Signed-off-by: Matthias Hanel
---
 go.mod | 2 +-
 go.sum | 4 ++--
 server/accounts.go | 6 +++---
 server/server.go | 6 +++---
 vendor/github.com/nats-io/jwt/v2/exports.go | 8 ++++++++
 vendor/github.com/nats-io/jwt/v2/imports.go | 8 ++++++++
 vendor/github.com/nats-io/jwt/v2/user_claims.go | 1 +
 vendor/modules.txt | 2 +-
 8 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/go.mod b/go.mod
index 20a7f33a..0af0e89a 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/nats-io/nats-server/v2
 require (
 github.com/minio/highwayhash v1.0.0
- github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02
+ github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545
 github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a
 github.com/nats-io/nkeys v0.2.0
 github.com/nats-io/nuid v1.0.1
diff --git a/go.sum b/go.sum
index 3bf1f39a..ffe56d43 100644
--- a/go.sum
+++ b/go.sum
@@ -14,8 +14,8 @@ github.com/minio/highwayhash v1.0.0/go.mod h1:xQboMTeM9nY9v/LlAOxFctujiv5+Aq2hR5
 github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
 github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7 h1:RnGotxlghqR5D2KDAu4TyuLqyjuylOsJiAFhXvMvQIc=
 github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7/go.mod h1:n3cvmLfBfnpV4JJRN7lRYCyZnw48ksGsbThGXEk4w9M=
-github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02 h1:WloZv3SCb55D/rOHYy1rWBXLrj3BYc9zw8VIq6X54lI=
-github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02/go.mod h1:vs+ZEjP+XKy8szkBmQwCB7RjYdIlMaPsFPs4VdS4bTQ=
+github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545 h1:RhEai4U9Ax2izzNupSdputRLZcJU1fpP1CE2zgwuTRI=
+github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545/go.mod h1:vs+ZEjP+XKy8szkBmQwCB7RjYdIlMaPsFPs4VdS4bTQ=
 github.com/nats-io/nats-server/v2 v2.1.8-0.20200524125952-51ebd92a9093/go.mod h1:rQnBf2Rv4P9adtAs/Ti6LfFmVtFG6HLhl/H7cVshcJU=
 github.com/nats-io/nats-server/v2 v2.1.8-0.20200601203034-f8d6dd992b71/go.mod h1:Nan/1L5Sa1JRW+Thm4HNYcIDcVRFc5zK9OpSZeI2kk4=
 github.com/nats-io/nats.go v1.10.0/go.mod h1:AjGArbfyR50+afOUotNX2Xs5SYHf+CoOa5HH1eEl2HE=
diff --git a/server/accounts.go b/server/accounts.go
index 7b1826e0..1d1a16aa 100644
--- a/server/accounts.go
+++ b/server/accounts.go
@@ -2089,14 +2089,14 @@ func (a *Account) checkActivation(importAcc *Account, claim *jwt.Import, expTime
 if err != nil {
 return false
 }
+ if !a.isIssuerClaimTrusted(act) {
+ return false
+ }
 vr = jwt.CreateValidationResults()
 act.Validate(vr)
 if vr.IsBlocking(true) {
 return false
 }
- if !a.isIssuerClaimTrusted(act) {
- return false
- }
 if act.Expires != 0 {
 tn := time.Now().Unix()
 if act.Expires <= tn {
diff --git a/server/server.go b/server/server.go
index fa6b77e8..591115f7 100644
--- a/server/server.go
+++ b/server/server.go
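Review bot: The moved `isIssuerClaimTrusted(act)` check now runs on an activation that has been decoded but not yet passed through `Validate`, and nothing in the hunk records why that order matters, so a later cleanup could swap it back; add `// Reject activations from untrusted issuers before Validate walks the claim contents.` above the new `if`. Both failure paths still collapse to a bare `return false`, so an operator cannot tell an activation from an unknown issuer apart from one that fails structural validation; a debug-level log stating the reason on each path would make a silently dropped import diagnosable. checkActivation starts and ends outside this hunk, so where `act` is decoded, and whether its signature is verified there, is not visible here and is assumed.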
@@ -1283,14 +1283,14 @@ func (s *Server) verifyAccountClaims(claimJWT string) (*jwt.AccountClaims, strin
 if err != nil {
 return nil, _EMPTY_, err
 }
+ if !s.isTrustedIssuer(accClaims.Issuer) {
+ return nil, _EMPTY_, ErrAccountValidation
+ }
 vr := jwt.CreateValidationResults()
 accClaims.Validate(vr)
 if vr.IsBlocking(true) {
 return nil, _EMPTY_, ErrAccountValidation
 }
- if !s.isTrustedIssuer(accClaims.Issuer) {
- return nil, _EMPTY_, ErrAccountValidation
- }
 return accClaims, claimJWT, nil
 }
diff --git a/vendor/github.com/nats-io/jwt/v2/exports.go b/vendor/github.com/nats-io/jwt/v2/exports.go
index 8e3ee485..c6a26735 100644
--- a/vendor/github.com/nats-io/jwt/v2/exports.go
+++ b/vendor/github.com/nats-io/jwt/v2/exports.go
@@ -111,6 +111,10 @@ func (e *Export) IsStreamResponse() bool {
 // Validate appends validation issues to the passed in results list
 func (e *Export) Validate(vr *ValidationResults) {
+ if e == nil {
+ vr.AddError("null export is not allowed")
+ return
+ }
 if !e.IsService() && !e.IsStream() {
 vr.AddError("invalid export type: %q", e.Type)
 }
@@ -224,6 +228,10 @@ func (e *Exports) Validate(vr *ValidationResults) error {
 var streamSubjects []Subject
 for _, v := range *e {
+ if v == nil {
+ vr.AddError("null export is not allowed")
+ continue
+ }
 if v.IsService() {
 serviceSubjects = append(serviceSubjects, v.Subject)
 } else {
diff --git a/vendor/github.com/nats-io/jwt/v2/imports.go b/vendor/github.com/nats-io/jwt/v2/imports.go
index de993429..04a9e361 100644
--- a/vendor/github.com/nats-io/jwt/v2/imports.go
+++ b/vendor/github.com/nats-io/jwt/v2/imports.go
@@ -53,6 +53,10 @@ func (i *Import) IsStream() bool {
 // Validate checks if an import is valid for the wrapping account
 func (i *Import) Validate(actPubKey string, vr *ValidationResults) {
+ if i == nil {
+ vr.AddError("null import is not allowed")
+ return
+ }
 if !i.IsService() && !i.IsStream() {
 vr.AddError("invalid import type: %q", i.Type)
 }
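Review bot: The new early return and the existing `IsBlocking` return both hand back the same `ErrAccountValidation`, so the caller cannot distinguish an account JWT signed by a key outside the trusted operator set from a structurally invalid one, and the untrusted-issuer case is the one an operator most needs to see. Consider recording the issuer on the new path at debug level, using whatever logger the server exposes, before `return nil, _EMPTY_, ErrAccountValidation`, e.g. a message of the form `account JWT issuer %q is not trusted` with `accClaims.Issuer`; the key itself is public, so logging it is safe. A one-line comment above the moved check, such as `// Establish issuer trust before inspecting the claim body.`, would keep the ordering from being reverted. The start of verifyAccountClaims, where `accClaims` is decoded, lies outside the hunk.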
@@ -123,6 +127,10 @@ type Imports []*Import
 func (i *Imports) Validate(acctPubKey string, vr *ValidationResults) {
 toSet := make(map[Subject]bool, len(*i))
 for _, v := range *i {
+ if v == nil {
+ vr.AddError("null import is not allowed")
+ continue
+ }
 if v.Type == Service {
 if _, ok := toSet[v.To]; ok {
 vr.AddError("Duplicate To subjects for %q", v.To)
diff --git a/vendor/github.com/nats-io/jwt/v2/user_claims.go b/vendor/github.com/nats-io/jwt/v2/user_claims.go
index ad4a261e..f36c74c8 100644
--- a/vendor/github.com/nats-io/jwt/v2/user_claims.go
+++ b/vendor/github.com/nats-io/jwt/v2/user_claims.go
@@ -25,6 +25,7 @@ const (
 ConnectionTypeStandard = "STANDARD"
 ConnectionTypeWebsocket = "WEBSOCKET"
 ConnectionTypeLeafnode = "LEAFNODE"
+ ConnectionTypeMqtt = "MQTT"
 )
 // User defines the user specific data in a user JWT
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 4703d75a..e596228a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,6 +1,6 @@
 # github.com/minio/highwayhash v1.0.0
 github.com/minio/highwayhash
-# github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02
+# github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545
 github.com/nats-io/jwt/v2
 # github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a
 github.com/nats-io/nats.go