Merge pull request #2744 from nats-io/fix_no_auth_check

[FIXED] Check for no_auth_user
2026-04-14 10:10:42 -07:00 · 2021-12-14 16:13:23 -07:00
parent de3e7cab50 69525f3083
commit ad4e14ffb0
3 changed files with 123 additions and 1 deletions
--- a/server/auth.go
+++ b/server/auth.go
@@ -538,7 +538,8 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) boo
 			// but we set it here to be able to identify it in the logs.
 			c.opts.Username = user.Username
 		} else {
-			if (c.kind == CLIENT || c.kind == LEAF) && c.opts.Username == _EMPTY_ && noAuthUser != _EMPTY_ {
+			if (c.kind == CLIENT || c.kind == LEAF) && noAuthUser != _EMPTY_ &&
+				c.opts.Username == _EMPTY_ && c.opts.Password == _EMPTY_ && c.opts.Token == _EMPTY_ {
 				if u, exists := s.users[noAuthUser]; exists {
 					c.mu.Lock()
 					c.opts.Username = u.Username
--- a/server/auth_test.go
+++ b/server/auth_test.go
@@ -14,12 +14,15 @@
 package server

 import (
+	"fmt"
 	"net/url"
+	"os"
 	"reflect"
 	"strings"
 	"testing"

 	"github.com/nats-io/jwt/v2"
+	"github.com/nats-io/nats.go"
 )

 func TestUserCloneNilPermissions(t *testing.T) {
@@ -212,3 +215,61 @@ func TestDNSAltNameMatching(t *testing.T) {
 		}
 	}
 }
+
+func TestNoAuthUser(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+		listen: "127.0.0.1:-1"
+		accounts {
+			FOO { users [{user: "foo", password: "pwd1"}] }
+			BAR { users [{user: "bar", password: "pwd2"}] }
+		}
+		no_auth_user: "foo"
+	`))
+	defer os.Remove(conf)
+	s, o := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	for _, test := range []struct {
+		name    string
+		usrInfo string
+		ok      bool
+		account string
+	}{
+		{"valid user/pwd", "bar:pwd2@", true, "BAR"},
+		{"invalid pwd", "bar:wrong@", false, _EMPTY_},
+		{"some token", "sometoken@", false, _EMPTY_},
+		{"user used without pwd", "bar@", false, _EMPTY_}, // will be treated as a token
+		{"user with empty password", "bar:@", false, _EMPTY_},
+		{"no user", _EMPTY_, true, "FOO"},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			url := fmt.Sprintf("nats://%s127.0.0.1:%d", test.usrInfo, o.Port)
+			nc, err := nats.Connect(url)
+			if err != nil {
+				if test.ok {
+					t.Fatalf("Unexpected error: %v", err)
+				}
+				return
+			} else if !test.ok {
+				nc.Close()
+				t.Fatalf("Should have failed, did not")
+			}
+			var accName string
+			s.mu.Lock()
+			for _, c := range s.clients {
+				c.mu.Lock()
+				if c.acc != nil {
+					accName = c.acc.Name
+				}
+				c.mu.Unlock()
+				break
+			}
+			s.mu.Unlock()
+			nc.Close()
+			checkClientsCount(t, s, 0)
+			if accName != test.account {
+				t.Fatalf("The account should have been %q, got %q", test.account, accName)
+			}
+		})
+	}
+}
--- a/server/events_test.go
+++ b/server/events_test.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -1661,6 +1662,65 @@ func TestSystemAccountWithGateways(t *testing.T) {
 		t.Fatal("Expected a message")
 	}
 }
+
+func TestSystemAccountNoAuthUser(t *testing.T) {
+	conf := createConfFile(t, []byte(`
+		listen: "127.0.0.1:-1"
+		accounts {
+			$SYS {
+				users [{user: "admin", password: "pwd"}]
+			}
+		}
+	`))
+	defer os.Remove(conf)
+	s, o := RunServerWithConfig(conf)
+	defer s.Shutdown()
+
+	for _, test := range []struct {
+		name    string
+		usrInfo string
+		ok      bool
+		account string
+	}{
+		{"valid user/pwd", "admin:pwd@", true, "$SYS"},
+		{"invalid pwd", "admin:wrong@", false, _EMPTY_},
+		{"some token", "sometoken@", false, _EMPTY_},
+		{"user used without pwd", "admin@", false, _EMPTY_}, // will be treated as a token
+		{"user with empty password", "admin:@", false, _EMPTY_},
+		{"no user means global account", _EMPTY_, true, globalAccountName},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			url := fmt.Sprintf("nats://%s127.0.0.1:%d", test.usrInfo, o.Port)
+			nc, err := nats.Connect(url)
+			if err != nil {
+				if test.ok {
+					t.Fatalf("Unexpected error: %v", err)
+				}
+				return
+			} else if !test.ok {
+				nc.Close()
+				t.Fatalf("Should have failed, did not")
+			}
+			var accName string
+			s.mu.Lock()
+			for _, c := range s.clients {
+				c.mu.Lock()
+				if c.acc != nil {
+					accName = c.acc.Name
+				}
+				c.mu.Unlock()
+				break
+			}
+			s.mu.Unlock()
+			nc.Close()
+			checkClientsCount(t, s, 0)
+			if accName != test.account {
+				t.Fatalf("The account should have been %q, got %q", test.account, accName)
+			}
+		})
+	}
+}
+
 func TestServerEventsStatsZ(t *testing.T) {
 	serverStatsReqSubj := "$SYS.REQ.SERVER.%s.STATSZ"
 	preStart := time.Now().UTC()