From 8e5dff3e3017747a4cdb9f358762a9e96e650d6b Mon Sep 17 00:00:00 2001
From: Ivan Kozlovic
Date: Wed, 15 Dec 2021 10:09:18 -0700
Subject: [PATCH] [FIXED] TLS map: panic for existing user but conn type not allowed

For TLS configuration with `verify_and_map` set to true, if a connection connects and has a certificate with ID that matches a user, but that user's `allowed_connection_types` is specified and does not have the connection type in its list, then the server will panic.

Signed-off-by: Ivan Kozlovic
---
 server/auth.go | 4 ++--
 test/tls_test.go | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/server/auth.go b/server/auth.go
index c322777d..05d35afa 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -485,10 +485,10 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) boo
 if u != _EMPTY_ {
 usr, ok := s.users[u]
 if !ok || !c.connectionTypeAllowed(usr.AllowedConnectionTypes) {
- return _EMPTY_, ok
+ return _EMPTY_, false
 }
 user = usr
- return usr.Username, ok
+ return usr.Username, true
 }
 if certDN == nil {
diff --git a/test/tls_test.go b/test/tls_test.go
index f80f1eb9..6e92f827 100644
--- a/test/tls_test.go
+++ b/test/tls_test.go
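Review bot: The early return at `return _EMPTY_, false` now fails closed, which is the right outcome, but it folds two distinct denials — no user mapped to the certificate identity, and a mapped user whose `allowed_connection_types` excludes this connection — into the same `false`, so an operator debugging a rejected TLS-mapped client cannot tell a mis-mapped certificate from a connection-type restriction. A debug trace in the connection-type case only, e.g. `c.Debugf("TLS map: user %q not permitted for this connection type", u)` guarded on `ok` being true, would make the reason visible without changing the result, assuming a client-scoped debug logger is reachable in this closure (none is visible in the hunk). The `%q` verb matters because `u` is taken from a peer-supplied certificate. Both the closure and the enclosing processClientOrLeafAuthentication start before and continue past the hunk.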
@@ -134,6 +134,39 @@ func TestTLSClientCertificateHasUserID(t *testing.T) {
 defer nc.Close()
 }
+func TestTLSClientCertificateCheckWithAllowedConnectionTypes(t *testing.T) {
+ conf := createConfFile(t, []byte(
+ `
+ listen: "127.0.0.1:-1"
+ tls {
+ cert_file: "./configs/certs/server-cert.pem"
+ key_file: "./configs/certs/server-key.pem"
+ timeout: 2
+ ca_file: "./configs/certs/ca.pem"
+ verify_and_map: true
+ }
+ authorization {
+ users = [
+ {user: derek@nats.io, permissions: { publish:"foo" }, allowed_connection_types: ["WEBSOCKET"]}
+ ]
+ }
+ `))
+ defer removeFile(t, conf)
+ s, o := RunServerWithConfig(conf)
+ defer s.Shutdown()
+
+ nurl := fmt.Sprintf("tls://%s:%d", o.Host, o.Port)
+ nc, err := nats.Connect(nurl,
+ nats.ClientCert("./configs/certs/client-id-auth-cert.pem", "./configs/certs/client-id-auth-key.pem"),
+ nats.RootCAs("./configs/certs/ca.pem"))
+ if err == nil {
+ if nc != nil {
+ nc.Close()
+ }
+ t.Fatal("Expected connection to fail, it did not")
+ }
+}
+
 func TestTLSClientCertificateCNBasedAuth(t *testing.T) {
 srv, opts := RunServerWithConfig("./configs/tls_cert_cn.conf")
 defer srv.Shutdown()
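Review bot: The check at `if err == nil {` accepts any connection error, so the test would also pass if the TLS handshake itself failed (wrong cert path, CA mismatch, the 2s timeout) rather than the server rejecting the mapped user for its connection type, and a regression of the fixed panic path could hide behind an unrelated failure. Pin the reason, e.g. `if err == nil || !errors.Is(err, nats.ErrAuthorization) { t.Fatalf("expected authorization violation, got %v", err) }` (or match the error text if that sentinel is not what the client surfaces), which needs `errors` imported at the top of the file. A positive counterpart with `allowed_connection_types` containing "STANDARD" would show that verify_and_map still admits the same certificate when the type is permitted, so the fix is exercised from both sides. The test presumably relies on the client-id-auth certificate under ./configs/certs carrying `derek@nats.io` as its identity; that coupling is not stated in the test.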