Reserve a system queue group

Signed-off-by: Derek Collison <derek@nats.io>

server/client.go

@@ -361,6 +361,7 @@ type readCacheFlag uint16
 
 const (
 	hasMappings readCacheFlag = 1 << iota // For account subject mappings.
+	sysGroup                  = "_sys_"
 )
 
 // Used in readloop to cache hot subject lookups and group statistics.
@@ -2459,7 +2460,7 @@ func (c *client) processSubEx(subject, queue, bsid []byte, cb msgHandler, noForw
 		// allow = ["foo", "foo v1"]  -> can subscribe to 'foo' but can only queue subscribe to 'foo v1'
 		//
 		if sub.queue != nil {
-			if !c.canSubscribe(string(sub.subject), string(sub.queue)) {
+			if !c.canSubscribe(string(sub.subject), string(sub.queue)) || string(sub.queue) == sysGroup {
 				c.mu.Unlock()
 				c.subPermissionViolation(sub)
 				return nil, ErrSubscribePermissionViolation

server/client_test.go

@@ -2567,3 +2567,19 @@ func TestClientClampMaxSubsErrReport(t *testing.T) {
 	natsSubSync(t, nc, "bat")
 	check()
 }
+
+func TestClientDenySysGroupSub(t *testing.T) {
+	s := RunServer(DefaultOptions())
+	defer s.Shutdown()
+
+	nc, err := nats.Connect(s.ClientURL(), nats.ErrorHandler(func(*nats.Conn, *nats.Subscription, error) {}))
+	require_NoError(t, err)
+	defer nc.Close()
+
+	_, err = nc.QueueSubscribeSync("foo", sysGroup)
+	require_NoError(t, err)
+	nc.Flush()
+	err = nc.LastError()
+	require_Error(t, err)
+	require_Contains(t, err.Error(), "Permissions Violation")
+}

server/stream.go

@@ -260,7 +260,7 @@ type sourceInfo struct {
 
 // For mirrors and direct get
 const (
-	dgetGroup          = "_zz_"
+	dgetGroup          = sysGroup
 	dgetCaughtUpThresh = 10
 )