From 5690059dac98912fdfd396bf37afd78b88368d71 Mon Sep 17 00:00:00 2001
From: Derek Collison
Date: Wed, 6 Jul 2022 13:16:13 -0700
Subject: [PATCH] Reserve a system queue group
Signed-off-by: Derek Collison
---
 server/client.go | 3 ++-
 server/client_test.go | 16 ++++++++++++++++
 server/stream.go | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/server/client.go b/server/client.go
index 3b86af09..601078f6 100644
--- a/server/client.go
+++ b/server/client.go
@@ -361,6 +361,7 @@ type readCacheFlag uint16
 const (
 hasMappings readCacheFlag = 1 << iota // For account subject mappings.
+ sysGroup = "_sys_"
 )
 // Used in readloop to cache hot subject lookups and group statistics.
@@ -2459,7 +2460,7 @@ func (c *client) processSubEx(subject, queue, bsid []byte, cb msgHandler, noForw
 // allow = ["foo", "foo v1"] -> can subscribe to 'foo' but can only queue subscribe to 'foo v1'
 //
 if sub.queue != nil {
- if !c.canSubscribe(string(sub.subject), string(sub.queue)) {
+ if !c.canSubscribe(string(sub.subject), string(sub.queue)) || string(sub.queue) == sysGroup {
 c.mu.Unlock()
 c.subPermissionViolation(sub)
 return nil, ErrSubscribePermissionViolation
diff --git a/server/client_test.go b/server/client_test.go
index 66312fc9..5cf994ec 100644
--- a/server/client_test.go
+++ b/server/client_test.go
@@ -2567,3 +2567,19 @@ func TestClientClampMaxSubsErrReport(t *testing.T) {
 natsSubSync(t, nc, "bat")
 check()
 }
+
+func TestClientDenySysGroupSub(t *testing.T) {
+ s := RunServer(DefaultOptions())
+ defer s.Shutdown()
+
+ nc, err := nats.Connect(s.ClientURL(), nats.ErrorHandler(func(*nats.Conn, *nats.Subscription, error) {}))
+ require_NoError(t, err)
+ defer nc.Close()
+
+ _, err = nc.QueueSubscribeSync("foo", sysGroup)
+ require_NoError(t, err)
+ nc.Flush()
+ err = nc.LastError()
+ require_Error(t, err)
+ require_Contains(t, err.Error(), "Permissions Violation")
+}
diff --git a/server/stream.go b/server/stream.go
index 94110685..f4b81859 100644
--- a/server/stream.go
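Review bot: `sysGroup` is added to the `readCacheFlag` const block in server/client.go, which is an `iota` flag group, and it carries no comment. The string constant is unrelated to the read-cache flags, and because it is now the last entry, a flag appended below it without an explicit expression would silently repeat `"_sys_"` instead of continuing the bit sequence. Consider declaring it on its own with a doc comment, for example `// sysGroup is the queue group name reserved for internal server use; clients may not queue subscribe with it.` followed by `const sysGroup = "_sys_"`.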
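Review bot: The reserved-group check in `processSubEx` is folded into the permission condition without a comment, while the comment just above it still describes only allow-list permissions. A line such as `// The system queue group is reserved for internal use and is denied to clients regardless of their permissions.` would make the intent explicit. The hunk does not show which connection kinds reach this branch, so it is worth confirming that queue subscriptions arriving by other paths (routes, gateways or leaf nodes, if they do not pass through here) cannot carry the reserved name either. The function body begins and ends outside the hunk.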
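Review bot: `TestClientDenySysGroupSub` ignores the error returned by `nc.Flush()` and relies only on the text of the asynchronous error; `require_NoError(t, nc.Flush())` would separate a connection problem from the expected violation. The test has no positive control, so a regression that denied every queue group would still pass; a queue subscription on an ordinary group name on the same connection, expected to produce no error, would close that gap. Asserting that the server did not register the `_sys_` subscription would confirm the request was rejected and not merely reported.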
+++ b/server/stream.go
@@ -260,7 +260,7 @@ type sourceInfo struct {
 // For mirrors and direct get
 const (
- dgetGroup = "_zz_"
+ dgetGroup = sysGroup
 dgetCaughtUpThresh = 10
 )
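Review bot: Pointing `dgetGroup` at `sysGroup` changes the queue group name the server itself uses from `"_zz_"` to `"_sys_"`, and nothing in this hunk addresses servers that still use the old name. If direct-get responders on different server versions can coexist (inferred, not visible here), they would sit in two different queue groups during a rolling upgrade and a request could be answered once per group. The block comment could also state the reservation, e.g. `// For mirrors and direct get. dgetGroup uses the reserved system queue group, which clients cannot join.`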