diff --git a/server/jwt_test.go b/server/jwt_test.go
index 9126d346..e00d3248 100644
--- a/server/jwt_test.go
+++ b/server/jwt_test.go
@@ -3512,6 +3512,7 @@ func TestJWTAccountNATSResolverFetch(t *testing.T) {
 system_account: %s
 resolver: {
 type: full
+ dir: '%s'
 interval: "200ms"
 limit: 4
@@ -6647,3 +6648,54 @@ func TestAccountWeightedMappingInSuperCluster(t *testing.T) {
 t.Fatalf("Expected v2 to receive 40%%, got %v/1000", v2)
 }
 }
+
+func TestServerOperatorModeNoAuthRequired(t *testing.T) {
+ _, spub := createKey(t)
+ sysClaim := jwt.NewAccountClaims(spub)
+ sysClaim.Name = "$SYS"
+ sysJwt, err := sysClaim.Encode(oKp)
+ require_NoError(t, err)
+
+ akp, apub := createKey(t)
+ accClaim := jwt.NewAccountClaims(apub)
+ accClaim.Name = "TEST"
+ accJwt, err := accClaim.Encode(oKp)
+ require_NoError(t, err)
+
+ ukp, _ := nkeys.CreateUser()
+ seed, _ := ukp.Seed()
+ upub, _ := ukp.PublicKey()
+ nuc := jwt.NewUserClaims(upub)
+ ujwt, err := nuc.Encode(akp)
+ require_NoError(t, err)
+ creds := genCredsFile(t, ujwt, seed)
+
+ dirSrv := createDir(t, "srv")
+ defer removeDir(t, dirSrv)
+
+ conf := createConfFile(t, []byte(fmt.Sprintf(`
+ listen: 127.0.0.1:-1
+ server_name: srv-A
+ operator: %s
+ system_account: %s
+ resolver: {
+ type: full
+ dir: '%s'
+ interval: "200ms"
+ limit: 4
+ }
+ resolver_preload: {
+ %s: %s
+ %s: %s
+ }
+ `, ojwt, spub, dirSrv, spub, sysJwt, apub, accJwt)))
+ defer removeFile(t, conf)
+
+ s, _ := RunServerWithConfig(conf)
+ defer s.Shutdown()
+
+ nc := natsConnect(t, s.ClientURL(), nats.UserCredentials(creds))
+ defer nc.Close()
+
+ require_True(t, nc.AuthRequired())
+}
diff --git a/server/server.go b/server/server.go
index 2b2edfc3..d39604ce 100644
--- a/server/server.go
+++ b/server/server.go
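Review bot: The name TestServerOperatorModeNoAuthRequired reads as "no auth required", yet the only assertion is `require_True(t, nc.AuthRequired())` and nothing in the body says which regression it pins; a header comment would spare the next reader a trip into server.go, e.g. `// TestServerOperatorModeNoAuthRequired checks that an operator-mode server whose only local accounts are the system account and $G still advertises auth_required=true, i.e. the synthetic no-auth $G user is not installed in operator mode.` In the key setup, `nkeys.CreateUser()`, `ukp.Seed()` and `ukp.PublicKey()` each discard their error return with `_`; since the rest of the test already uses `require_NoError` for every Encode call, doing the same for these three keeps a setup failure from surfacing later as an opaque connect or encode failure.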
@@ -455,7 +455,7 @@ func NewServer(opts *Options) (*Server, error) {
 s.setLeafNodeNonExportedOptions()
 // Setup OCSP Stapling. This will abort server from starting if there
- // are no valid staples and OCSP policy is to Always or MustStaple.
+ // are no valid staples and OCSP policy is set to Always or MustStaple.
 if err := s.enableOCSP(); err != nil {
 return nil, err
 }
@@ -517,7 +517,7 @@ func NewServer(opts *Options) (*Server, error) {
 // If there is an URL account resolver, do basic test to see if anyone is home.
 if ar := opts.AccountResolver; ar != nil {
 if ur, ok := ar.(*URLAccResolver); ok {
- if _, err := ur.Fetch(""); err != nil {
+ if _, err := ur.Fetch(_EMPTY_); err != nil {
 return nil, err
 }
 }
@@ -852,7 +852,8 @@ func (s *Server) configureAccounts() error {
 // If we have defined a system account here check to see if its just us and the $G account.
 // We would do this to add user/pass to the system account. If this is the case add in
 // no-auth-user for $G.
- if numAccounts == 2 && s.opts.NoAuthUser == _EMPTY_ {
+ // Only do this if non-operator mode.
+ if len(opts.TrustedOperators) == 0 && numAccounts == 2 && s.opts.NoAuthUser == _EMPTY_ {
 // If we come here from config reload, let's not recreate the fake user name otherwise
 // it will cause currently clients to be disconnected.
 uname := s.sysAccOnlyNoAuthUser
@@ -1001,7 +1002,7 @@ func (s *Server) isTrustedIssuer(issuer string) bool {
 // options-based trusted nkeys. Returns success.
 func (s *Server) processTrustedKeys() bool {
 s.strictSigningKeyUsage = map[string]struct{}{}
- if trustedKeys != "" && !s.initStampedTrustedKeys() {
+ if trustedKeys != _EMPTY_ && !s.initStampedTrustedKeys() {
 return false
 } else if s.opts.TrustedKeys != nil {
 for _, key := range s.opts.TrustedKeys {
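Review bot: In the configureAccounts hunk the new condition gates on `len(opts.TrustedOperators) == 0`, but a server configured through `trusted_keys` alone (`s.opts.TrustedKeys`, handled in the processTrustedKeys hunk below) is also in trust mode and is not excluded; if that configuration can reach this branch with exactly the system account and $G, it would still receive the synthetic no-auth $G user that the commit is removing for operator mode. Gating on the server's resolved trusted-key state rather than on TrustedOperators alone would cover both forms, though I could not confirm from these hunks that processTrustedKeys runs before configureAccounts. The same line also mixes `opts.TrustedOperators` with `s.opts.NoAuthUser`; if `opts` is the options snapshot used in this function, `opts.NoAuthUser == _EMPTY_` keeps the whole check on one view of the options. The added comment states the rule but not the reason; something like `// Only do this in non-operator mode: the synthetic no-auth $G user would otherwise make an operator-mode server stop advertising auth_required (see TestServerOperatorModeNoAuthRequired).` ties it to the test. configureAccounts begins and ends outside the hunk.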
@@ -2527,7 +2528,7 @@ func (s *Server) createClient(conn net.Conn) *client {
 // Check to see if we have auth_required set but we also have a no_auth_user.
 // If so set back to false.
- if info.AuthRequired && opts.NoAuthUser != _EMPTY_ {
+ if info.AuthRequired && opts.NoAuthUser != _EMPTY_ && opts.NoAuthUser != s.sysAccOnlyNoAuthUser {
 info.AuthRequired = false
 }
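Review bot: The new clause reads `s.sysAccOnlyNoAuthUser` directly from the server struct with no lock visible in the hunk, while the configureAccounts hunk above says that function also runs on config reload, where this field is evidently managed; if createClient reaches this line outside `s.mu`, concurrent client creation during a reload is a read/write race that `go test -race` on a reload test would flag. Copying the value into a local at the point where the rest of the per-connection server state is read under the lock (not visible here) would avoid that. The clause's intent — the server's own synthetic $G user must not turn auth_required off — is not obvious from the expression; a one-line comment such as `// The synthetic no-auth $G user (sysAccOnlyNoAuthUser) does not make auth optional.` would explain it to the next reader. The two existing comment lines could also be updated, since they still describe the old unconditional behaviour. createClient starts and ends outside the hunk.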