Picking up jwt branch corresponding to this change

Signed-off-by: Matthias Hanel <mh@synadia.com>

go.mod

@@ -1,7 +1,9 @@
 module github.com/nats-io/nats-server/v2
 
+go 1.14
+
 require (
-	github.com/nats-io/jwt v0.3.2
+	github.com/nats-io/jwt v0.3.3-0.20200518170137-30f114e718e5
 	github.com/nats-io/nats.go v1.10.0
 	github.com/nats-io/nkeys v0.1.4
 	github.com/nats-io/nuid v1.0.1

go.sum

@@ -10,6 +10,8 @@ github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/nats-io/jwt v0.3.2 h1:+RB5hMpXUUA2dfxuhBTEkMOrYmM+gKIZYS1KjSostMI=
 github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
+github.com/nats-io/jwt v0.3.3-0.20200518170137-30f114e718e5 h1:40V9gdHmRGIdq9noIWniB/nUugi/YF8+mdbkYEBBc5A=
+github.com/nats-io/jwt v0.3.3-0.20200518170137-30f114e718e5/go.mod h1:n3cvmLfBfnpV4JJRN7lRYCyZnw48ksGsbThGXEk4w9M=
 github.com/nats-io/nats.go v1.10.0 h1:L8qnKaofSfNFbXg0C5F71LdjPRnmQwSsA4ukmkt1TvY=
 github.com/nats-io/nats.go v1.10.0/go.mod h1:AjGArbfyR50+afOUotNX2Xs5SYHf+CoOa5HH1eEl2HE=
 github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=

vendor/github.com/nats-io/jwt/creds_utils.go

@@ -82,7 +82,7 @@ NKEYs are sensitive and should be treated as secrets.
 	return w.Bytes(), nil
 }
 
-var userConfigRE = regexp.MustCompile(`\s*(?:(?:[-]{3,}[^\n]*[-]{3,}\n)(.+)(?:\n\s*[-]{3,}[^\n]*[-]{3,}\n))`)
+var userConfigRE = regexp.MustCompile(`\s*(?:(?:[-]{3,}.*[-]{3,}\r?\n)([\w\-.=]+)(?:\r?\n[-]{3,}.*[-]{3,}\r?\n))`)
 
 // An user config file looks like this:
 //  -----BEGIN NATS USER JWT-----

vendor/github.com/nats-io/jwt/go.mod

@@ -1,3 +1,5 @@
 module github.com/nats-io/jwt
 
-require github.com/nats-io/nkeys v0.1.3
+require github.com/nats-io/nkeys v0.1.4
+
+go 1.13

vendor/github.com/nats-io/jwt/go.sum

@@ -1,8 +1,8 @@
-github.com/nats-io/nkeys v0.1.3 h1:6JrEfig+HzTH85yxzhSVbjHRJv9cn0p6n3IngIcM5/k=
-github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
+github.com/nats-io/nkeys v0.1.4 h1:aEsHIssIk6ETN5m2/MD8Y4B2X7FfXrBAUdkyRvbVYzA=
+github.com/nats-io/nkeys v0.1.4/go.mod h1:XdZpAbhgyyODYqjTawOnIOI7VlbKSarI9Gfy1tqEu/s=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 h1:3zb4D3T4G8jdExgVU/95+vQXfpEPiMdCaZgmGVxjNHM=
+golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

vendor/github.com/nats-io/jwt/operator_claims.go

@@ -40,6 +40,8 @@ type Operator struct {
 	// A list of NATS urls (tls://host:port) where tools can connect to the server
 	// using proper credentials.
 	OperatorServiceURLs StringList `json:"operator_service_urls,omitempty"`
+	// Identity of the system account
+	SystemAccount string `json:"system_account,omitempty"`
 }
 
 // Validate checks the validity of the operators contents
@@ -63,6 +65,12 @@ func (o *Operator) Validate(vr *ValidationResults) {
 			vr.AddError("%s is not an operator public key", k)
 		}
 	}
+
+	if o.SystemAccount != "" {
+		if !nkeys.IsValidPublicAccountKey(o.SystemAccount) {
+			vr.AddError("%s is not an account public key", o.SystemAccount)
+		}
+	}
 }
 
 func (o *Operator) validateAccountServerURL() error {

vendor/github.com/nats-io/jwt/types.go

@@ -241,8 +241,6 @@ type Permissions struct {
 
 // Validate the pub and sub fields in the permissions list
 func (p *Permissions) Validate(vr *ValidationResults) {
-	p.Pub.Validate(vr)
-	p.Sub.Validate(vr)
 	if p.Resp != nil {
 		p.Resp.Validate(vr)
 	}

vendor/github.com/nats-io/jwt/user_claims.go

@@ -25,12 +25,14 @@ import (
 type User struct {
 	Permissions
 	Limits
+	BearerToken bool `json:"bearer_token,omitempty"`
 }
 
 // Validate checks the permissions and limits in a User jwt
 func (u *User) Validate(vr *ValidationResults) {
 	u.Permissions.Validate(vr)
 	u.Limits.Validate(vr)
+	// When BearerToken is true server will ignore any nonce-signing verification
 }
 
 // UserClaims defines a user JWT
@@ -97,3 +99,8 @@ func (u *UserClaims) Payload() interface{} {
 func (u *UserClaims) String() string {
 	return u.ClaimsData.String(u)
 }
+
+// IsBearerToken returns true if nonce-signing requirements should be skipped
+func (u *UserClaims) IsBearerToken() bool {
+	return u.BearerToken
+}

vendor/modules.txt

@@ -1,6 +1,4 @@
-# github.com/golang/protobuf v1.3.5
-## explicit
-# github.com/nats-io/jwt v0.3.2
+# github.com/nats-io/jwt v0.3.3-0.20200518170137-30f114e718e5
 ## explicit
 github.com/nats-io/jwt
 # github.com/nats-io/nats.go v1.10.0
@@ -27,3 +25,5 @@ golang.org/x/sys/windows/registry
 golang.org/x/sys/windows/svc
 golang.org/x/sys/windows/svc/eventlog
 golang.org/x/sys/windows/svc/mgr
+# google.golang.org/protobuf v1.22.0
+## explicit