Make sure to merge with local deny clauses

Signed-off-by: Derek Collison <derek@nats.io>
2026-04-17 03:24:40 -07:00 · 2020-06-16 11:56:24 -07:00
parent 3541e3f0f9
commit 98f84bdbc8
2 changed files with 41 additions and 3 deletions
--- a/server/leafnode.go
+++ b/server/leafnode.go
@@ -909,10 +909,20 @@ func (c *client) processLeafnodeInfo(info *Info) error {

 	// Check to see if we have permissions updates here.
 	if info.Import != nil || info.Export != nil {
-		c.setPermissions(&Permissions{
+		perms := &Permissions{
 			Publish:   info.Export,
 			Subscribe: info.Import,
-		})
+		}
+		// Check if we have local deny clauses that we need to merge.
+		if remote := c.leaf.remote; remote != nil {
+			if len(remote.DenyExports) > 0 {
+				perms.Publish.Deny = append(perms.Publish.Deny, remote.DenyExports...)
+			}
+			if len(remote.DenyImports) > 0 {
+				perms.Subscribe.Deny = append(perms.Subscribe.Deny, remote.DenyImports...)
+			}
+		}
+		c.setPermissions(perms)
 	}

 	return nil
--- a/test/leafnode_test.go
+++ b/test/leafnode_test.go
@@ -1386,8 +1386,23 @@ func TestLeafNodeUserPermsForConnection(t *testing.T) {
 	mycreds := genCredsFile(t, ujwt, seed)
 	defer os.Remove(mycreds)

-	sl, _, lnconf := runSolicitWithCredentials(t, opts, mycreds)
+	content := `
+		port: -1
+		leafnodes {
+			remotes = [
+				{
+					url: nats-leaf://127.0.0.1:%d
+					credentials: '%s'
+					deny_import: "foo.33"
+					deny_export: "foo.33"
+				}
+			]
+		}
+		`
+	config := fmt.Sprintf(content, opts.LeafNode.Port, mycreds)
+	lnconf := createConfFile(t, []byte(config))
 	defer os.Remove(lnconf)
+	sl, _ := RunServerWithConfig(lnconf)
 	defer sl.Shutdown()

 	checkLeafNodeConnected(t, s)
@@ -1429,6 +1444,19 @@ func TestLeafNodeUserPermsForConnection(t *testing.T) {
 	if _, err := sub.NextMsg(100 * time.Millisecond); err == nil {
 		t.Fatalf("Did not expect to receive this message")
 	}
+
+	// Check local overrides work.
+	nc2.Publish("foo.33", nil)
+	if _, err := sub.NextMsg(100 * time.Millisecond); err == nil {
+		t.Fatalf("Did not expect to receive this message")
+	}
+
+	// This would trigger the sub interest below.
+	sub.Unsubscribe()
+	nc.Flush()
+
+	nc2.SubscribeSync("foo.33")
+	checkNoSubInterest(t, s, acc.GetName(), "foo.33", 20*time.Millisecond)
 }

 func TestLeafNodeMultipleAccounts(t *testing.T) {