diff --git a/go.mod b/go.mod
index 9290366a..3744c01f 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module github.com/nats-io/nats-server/v2
 require (
 github.com/minio/highwayhash v1.0.0
- github.com/nats-io/jwt/v2 v2.0.0-20201006231922-e00ffcea7738
+ github.com/nats-io/jwt/v2 v2.0.0-20201015190852-e11ce317263c
 github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a
 github.com/nats-io/nkeys v0.2.0
 github.com/nats-io/nuid v1.0.1
diff --git a/go.sum b/go.sum
index 51f2f862..a41b8040 100644
--- a/go.sum
+++ b/go.sum
@@ -14,8 +14,8 @@ github.com/minio/highwayhash v1.0.0/go.mod h1:xQboMTeM9nY9v/LlAOxFctujiv5+Aq2hR5
 github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
 github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7 h1:RnGotxlghqR5D2KDAu4TyuLqyjuylOsJiAFhXvMvQIc=
 github.com/nats-io/jwt v0.3.3-0.20200519195258-f2bf5ce574c7/go.mod h1:n3cvmLfBfnpV4JJRN7lRYCyZnw48ksGsbThGXEk4w9M=
-github.com/nats-io/jwt/v2 v2.0.0-20201006231922-e00ffcea7738 h1:MlwwastrhUZSIvSs4M70vT0fOWTCF6WxOu9S4/NtY9U=
-github.com/nats-io/jwt/v2 v2.0.0-20201006231922-e00ffcea7738/go.mod h1:vs+ZEjP+XKy8szkBmQwCB7RjYdIlMaPsFPs4VdS4bTQ=
+github.com/nats-io/jwt/v2 v2.0.0-20201015190852-e11ce317263c h1:Hc1D9ChlsCMVwCxJ6QT5xqfk2zJ4XNea+LtdfaYhd20=
+github.com/nats-io/jwt/v2 v2.0.0-20201015190852-e11ce317263c/go.mod h1:vs+ZEjP+XKy8szkBmQwCB7RjYdIlMaPsFPs4VdS4bTQ=
 github.com/nats-io/nats-server/v2 v2.1.8-0.20200524125952-51ebd92a9093/go.mod h1:rQnBf2Rv4P9adtAs/Ti6LfFmVtFG6HLhl/H7cVshcJU=
 github.com/nats-io/nats-server/v2 v2.1.8-0.20200601203034-f8d6dd992b71/go.mod h1:Nan/1L5Sa1JRW+Thm4HNYcIDcVRFc5zK9OpSZeI2kk4=
 github.com/nats-io/nats.go v1.10.0/go.mod h1:AjGArbfyR50+afOUotNX2Xs5SYHf+CoOa5HH1eEl2HE=
diff --git a/server/accounts.go b/server/accounts.go
index ad8e73b8..7b42c1dd 100644
--- a/server/accounts.go
+++ b/server/accounts.go
@@ -2068,6 +2068,16 @@ func (a *Account) activationExpired(exportAcc *Account, subject string, kind jwt
 }
 }
+func isRevoked(revocations map[string]int64, subject string, issuedAt int64) bool {
+ if revocations == nil {
+ return false
+ }
+ if t, ok := revocations[subject]; !ok || t < issuedAt {
+ return false
+ }
+ return true
+}
+
 // checkActivation will check the activation token for validity.
 func (a *Account) checkActivation(importAcc *Account, claim *jwt.Import, expTimer bool) bool {
 if claim == nil || claim.Token == "" {
@@ -2110,13 +2120,7 @@ func (a *Account) checkActivation(importAcc *Account, claim *jwt.Import, expTime
 }
 }
 // Check for token revocation..
- if a.actsRevoked != nil {
- if t, ok := a.actsRevoked[act.Subject]; ok && t <= time.Now().Unix() {
- return false
- }
- }
-
- return true
+ return !isRevoked(a.actsRevoked, act.Subject, act.IssuedAt)
 }
 // Returns true if the activation claim is trusted. That is the issuer matches
@@ -2256,13 +2260,7 @@ func (a *Account) clearExpirationTimer() bool {
 func (a *Account) checkUserRevoked(nkey string, issuedAt int64) bool {
 a.mu.RLock()
 defer a.mu.RUnlock()
- if a.usersRevoked == nil {
- return false
- }
- if t, ok := a.usersRevoked[nkey]; !ok || t < issuedAt {
- return false
- }
- return true
+ return isRevoked(a.usersRevoked, nkey, issuedAt)
 }
 // Check expiration and set the proper state as needed.
diff --git a/vendor/github.com/nats-io/jwt/v2/exports.go b/vendor/github.com/nats-io/jwt/v2/exports.go
index c6a26735..c43b9a30 100644
--- a/vendor/github.com/nats-io/jwt/v2/exports.go
+++ b/vendor/github.com/nats-io/jwt/v2/exports.go
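Review bot: The new helper `isRevoked` in server/accounts.go has no doc comment, and its boundary is the part a reader most needs to know: an entry counts as a revocation when its timestamp is at or after the claim's issue time, so a token issued in the same second as the revocation is rejected and only one issued later is accepted. I would put that on the function, e.g. `// isRevoked reports whether revocations holds an entry for subject with a timestamp at or after issuedAt.`, and name the unit, which looks like Unix seconds judging by the comparison with `time.Now().Unix()` that this commit removes. The explicit nil check is also unnecessary, since reading from a nil map is safe in Go; the body can be `t, ok := revocations[subject]` followed by `return ok && t >= issuedAt`.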
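Review bot: In `checkActivation` the revocation decision now depends on `act.Subject` and `act.IssuedAt` taken from the token, and nothing in this hunk rejects a claim where either is missing; a claim with an empty `Subject` could never match an entry in `a.actsRevoked`. The vendored `IsClaimRevoked` updated in this same commit treats a nil claim, a zero `IssuedAt` or an empty `Subject` as revoked, and the server path should fail closed the same way, e.g. `if act.Subject == "" || act.IssuedAt == 0 { return false }` ahead of the final return, unless validation earlier in the function (its body starts outside this hunk) already guarantees both. Separately, `checkUserRevoked` reads its map under `a.mu.RLock()`, while the hunk does not show whether the lock is held when `a.actsRevoked` is read here; that is worth confirming against the callers.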
@@ -175,16 +175,20 @@ func (e *Export) ClearRevocation(pubKey string) {
 e.Revocations.ClearRevocation(pubKey)
 }
-// IsRevokedAt checks if the public key is in the revoked list with a timestamp later than
-// the one passed in. Generally this method is called with time.Now() but other time's can
-// be used for testing.
-func (e *Export) IsRevokedAt(pubKey string, timestamp time.Time) bool {
- return e.Revocations.IsRevoked(pubKey, timestamp)
+// isRevoked checks if the public key is in the revoked list with a timestamp later than the one passed in.
+// Generally this method is called with the subject and issue time of the jwt to be tested.
+// DO NOT pass time.Now(), it will not produce a stable/expected response.
+func (e *Export) isRevoked(pubKey string, claimIssuedAt time.Time) bool {
+ return e.Revocations.IsRevoked(pubKey, claimIssuedAt)
 }
-// IsRevoked checks if the public key is in the revoked list with time.Now()
-func (e *Export) IsRevoked(pubKey string) bool {
- return e.Revocations.IsRevoked(pubKey, time.Now())
+// IsClaimRevoked checks if the activation revoked the claim passed in.
+// Invalid claims (nil, no Subject or IssuedAt) will return true.
+func (e *Export) IsClaimRevoked(claim *ActivationClaims) bool {
+ if claim == nil || claim.IssuedAt == 0 || claim.Subject == "" {
+ return true
+ }
+ return e.isRevoked(claim.Subject, time.Unix(claim.IssuedAt, 0))
 }
 // Exports is a slice of exports
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 2bfcf382..0a54e824 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1,6 +1,6 @@
 # github.com/minio/highwayhash v1.0.0
 github.com/minio/highwayhash
-# github.com/nats-io/jwt/v2 v2.0.0-20201006231922-e00ffcea7738
+# github.com/nats-io/jwt/v2 v2.0.0-20201015190852-e11ce317263c
 github.com/nats-io/jwt/v2
 # github.com/nats-io/nats.go v1.10.1-0.20200606002146-fc6fed82929a
 github.com/nats-io/nats.go