Updated jwt library; check the (account / activation-token) issuer before calling jwt Validate

Signed-off-by: Matthias Hanel <mh@synadia.com>
Matthias Hanel
2020-09-29 20:23:37 -04:00
parent 53b5fa8302
commit 08e37e0d94
8 changed files with 27 additions and 10 deletions

2
go.mod

@@ -2,7 +2,7 @@ module github.com/nats-io/nats-server/v2
require ( require (
github.com/minio/highwayhash v1.0.0 github.com/minio/highwayhash v1.0.0
github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02 github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545
github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a
github.com/nats-io/nkeys v0.2.0 github.com/nats-io/nkeys v0.2.0
github.com/nats-io/nuid v1.0.1 github.com/nats-io/nuid v1.0.1

4
go.sum

@@ -14,8 +14,8 @@ github.com/minio/highwayhash v1.0.0/go.mod h1:xQboMTeM9nY9v/LlAOxFctujiv5+Aq2hR5
github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7 h1:RnGotxlghqR5D2KDAu4TyuLqyjuylOsJiAFhXvMvQIc= github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7 h1:RnGotxlghqR5D2KDAu4TyuLqyjuylOsJiAFhXvMvQIc=
github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7/go.mod h1:n3cvmLfBfnpV4JJRN7lRYCyZnw48ksGsbThGXEk4w9M= github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7/go.mod h1:n3cvmLfBfnpV4JJRN7lRYCyZnw48ksGsbThGXEk4w9M=
github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02 h1:WloZv3SCb55D/rOHYy1rWBXLrj3BYc9zw8VIq6X54lI= github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545 h1:RhEai4U9Ax2izzNupSdputRLZcJU1fpP1CE2zgwuTRI=
github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02/go.mod h1:vs+ZEjP+XKy8szkBmQwCB7RjYdIlMaPsFPs4VdS4bTQ= github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545/go.mod h1:vs+ZEjP+XKy8szkBmQwCB7RjYdIlMaPsFPs4VdS4bTQ=
github.com/nats-io/nats-server/v2 v2.1.8-0.20200524125952-51ebd92a9093/go.mod h1:rQnBf2Rv4P9adtAs/Ti6LfFmVtFG6HLhl/H7cVshcJU= github.com/nats-io/nats-server/v2 v2.1.8-0.20200524125952-51ebd92a9093/go.mod h1:rQnBf2Rv4P9adtAs/Ti6LfFmVtFG6HLhl/H7cVshcJU=
github.com/nats-io/nats-server/v2 v2.1.8-0.20200601203034-f8d6dd992b71/go.mod h1:Nan/1L5Sa1JRW+Thm4HNYcIDcVRFc5zK9OpSZeI2kk4= github.com/nats-io/nats-server/v2 v2.1.8-0.20200601203034-f8d6dd992b71/go.mod h1:Nan/1L5Sa1JRW+Thm4HNYcIDcVRFc5zK9OpSZeI2kk4=
github.com/nats-io/nats.go v1.10.0/go.mod h1:AjGArbfyR50+afOUotNX2Xs5SYHf+CoOa5HH1eEl2HE= github.com/nats-io/nats.go v1.10.0/go.mod h1:AjGArbfyR50+afOUotNX2Xs5SYHf+CoOa5HH1eEl2HE=


@@ -2089,14 +2089,14 @@ func (a *Account) checkActivation(importAcc *Account, claim *jwt.Import, expTime
if err != nil { if err != nil {
return false return false
} }
if !a.isIssuerClaimTrusted(act) {
return false
}
vr = jwt.CreateValidationResults() vr = jwt.CreateValidationResults()
act.Validate(vr) act.Validate(vr)
if vr.IsBlocking(true) { if vr.IsBlocking(true) {
return false return false
} }
if !a.isIssuerClaimTrusted(act) {
return false
}
if act.Expires != 0 { if act.Expires != 0 {
tn := time.Now().Unix() tn := time.Now().Unix()
if act.Expires <= tn { if act.Expires <= tn {
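Review bot: The `isIssuerClaimTrusted(act)` check that now sits at the top of the hunk returns a bare `false`, indistinguishable from the Validate and expiry rejections below it, and nothing in the hunk says why it was moved ahead of `act.Validate(vr)`. A short why-comment would make the ordering obviously deliberate, e.g. `// Reject activations whose issuer this account does not trust before spending a full claim-validation pass on them; a valid signature alone does not establish trust.` The signature-verification half of that comment depends on the decode call just above the hunk, which is not visible here, so confirm it before wording it that way. checkActivation starts and ends outside the hunk.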


@@ -1283,14 +1283,14 @@ func (s *Server) verifyAccountClaims(claimJWT string) (*jwt.AccountClaims, strin
if err != nil { if err != nil {
return nil, _EMPTY_, err return nil, _EMPTY_, err
} }
if !s.isTrustedIssuer(accClaims.Issuer) {
return nil, _EMPTY_, ErrAccountValidation
}
vr := jwt.CreateValidationResults() vr := jwt.CreateValidationResults()
accClaims.Validate(vr) accClaims.Validate(vr)
if vr.IsBlocking(true) { if vr.IsBlocking(true) {
return nil, _EMPTY_, ErrAccountValidation return nil, _EMPTY_, ErrAccountValidation
} }
if !s.isTrustedIssuer(accClaims.Issuer) {
return nil, _EMPTY_, ErrAccountValidation
}
return accClaims, claimJWT, nil return accClaims, claimJWT, nil
} }
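Review bot: The new untrusted-issuer return and the blocking-validation return both hand back the same `ErrAccountValidation`, so an operator cannot tell an account JWT signed by an unknown operator key from one whose claims are malformed. Keeping the returned error uniform is reasonable for callers that compare against the sentinel, but a debug-level log before the issuer rejection would make the distinction diagnosable, e.g. `s.Debugf("Account JWT rejected: issuer %q is not trusted", accClaims.Issuer)` — this assumes *Server exposes a Debugf logger, which the hunk does not show. verifyAccountClaims starts outside the hunk.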


@@ -111,6 +111,10 @@ func (e *Export) IsStreamResponse() bool {
// Validate appends validation issues to the passed in results list // Validate appends validation issues to the passed in results list
func (e *Export) Validate(vr *ValidationResults) { func (e *Export) Validate(vr *ValidationResults) {
if e == nil {
vr.AddError("null export is not allowed")
return
}
if !e.IsService() && !e.IsStream() { if !e.IsService() && !e.IsStream() {
vr.AddError("invalid export type: %q", e.Type) vr.AddError("invalid export type: %q", e.Type)
} }
@@ -224,6 +228,10 @@ func (e *Exports) Validate(vr *ValidationResults) error {
var streamSubjects []Subject var streamSubjects []Subject
for _, v := range *e { for _, v := range *e {
if v == nil {
vr.AddError("null export is not allowed")
continue
}
if v.IsService() { if v.IsService() {
serviceSubjects = append(serviceSubjects, v.Subject) serviceSubjects = append(serviceSubjects, v.Subject)
} else { } else {
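Review bot: The nil guard added inside `Export.Validate` cannot be reached from the `Exports.Validate` loop, because that loop already reports the nil entry and `continue`s past it; the receiver guard only protects direct callers, and neither guard says where a nil entry would come from. A one-line comment on each would explain the defense, e.g. `// A JSON null in the exports array decodes to a nil *Export; report it instead of dereferencing it.` The JSON-null origin is inferred from the `[]*Export` element type, not shown by the hunk, so hedge it if that is not the actual trigger. Both hunks are cut from the middle of their functions.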


@@ -53,6 +53,10 @@ func (i *Import) IsStream() bool {
// Validate checks if an import is valid for the wrapping account // Validate checks if an import is valid for the wrapping account
func (i *Import) Validate(actPubKey string, vr *ValidationResults) { func (i *Import) Validate(actPubKey string, vr *ValidationResults) {
if i == nil {
vr.AddError("null import is not allowed")
return
}
if !i.IsService() && !i.IsStream() { if !i.IsService() && !i.IsStream() {
vr.AddError("invalid import type: %q", i.Type) vr.AddError("invalid import type: %q", i.Type)
} }
@@ -123,6 +127,10 @@ type Imports []*Import
func (i *Imports) Validate(acctPubKey string, vr *ValidationResults) { func (i *Imports) Validate(acctPubKey string, vr *ValidationResults) {
toSet := make(map[Subject]bool, len(*i)) toSet := make(map[Subject]bool, len(*i))
for _, v := range *i { for _, v := range *i {
if v == nil {
vr.AddError("null import is not allowed")
continue
}
if v.Type == Service { if v.Type == Service {
if _, ok := toSet[v.To]; ok { if _, ok := toSet[v.To]; ok {
vr.AddError("Duplicate To subjects for %q", v.To) vr.AddError("Duplicate To subjects for %q", v.To)
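Review bot: The new error text `"null import is not allowed"` is lowercase while the adjacent pre-existing `"Duplicate To subjects for %q"` is capitalized, so one validation report now mixes both styles; the new guards follow the usual Go convention, and the older message is the one to normalize in a follow-up rather than here. Separately, the nil guard in `Import.Validate` is not reachable from this loop, which skips nil entries before (presumably) calling into them, so it serves direct callers only; a comment such as `// Defensive: a JSON null in the imports array decodes to a nil *Import.` would make that intent explicit, with the JSON-null origin being an inference rather than something the hunk shows. Both hunks are cut from the middle of their functions.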


@@ -25,6 +25,7 @@ const (
ConnectionTypeStandard = "STANDARD" ConnectionTypeStandard = "STANDARD"
ConnectionTypeWebsocket = "WEBSOCKET" ConnectionTypeWebsocket = "WEBSOCKET"
ConnectionTypeLeafnode = "LEAFNODE" ConnectionTypeLeafnode = "LEAFNODE"
ConnectionTypeMqtt = "MQTT"
) )
// User defines the user specific data in a user JWT // User defines the user specific data in a user JWT

2
vendor/modules.txt vendored

@@ -1,6 +1,6 @@
# github.com/minio/highwayhash v1.0.0 # github.com/minio/highwayhash v1.0.0
github.com/minio/highwayhash github.com/minio/highwayhash
# github.com/nats-io/jwt/v2 v2.0.0-20200916203241-1f8ce17dff02 # github.com/nats-io/jwt/v2 v2.0.0-20200930010033-c4fd08d85545
github.com/nats-io/jwt/v2 github.com/nats-io/jwt/v2
# github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a # github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a
github.com/nats-io/nats.go github.com/nats-io/nats.go