gogrlx/nats-server
1
0
Fork 0
mirror of https://github.com/gogrlx/nats-server.git synced 2026-04-14 02:07:59 -07:00
Code Issues Packages Projects Releases Wiki Activity

Make sure to suppress dupes on JS deny all for system account

Browse Source 
Signed-off-by: Derek Collison <derek@nats.io>
This commit is contained in:
Derek Collison
2021-09-08 17:09:25 -07:00
parent 309856da4e
commit c841269f71
2 changed files with 65 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
server/jetstream_cluster_test.go
View File

@@ -6240,6 +6240,46 @@ func TestJetStreamClusterSuperClusterAndSingleLeafNodeWithSharedSystemAccount(t
}
}
func TestJetStreamClusterLeafNodeDenyNoDupe(t *testing.T) {
tmpl := strings.Replace(jsClusterAccountsTempl, "store_dir:", "domain: CORE, store_dir:", 1)
c := createJetStreamCluster(t, tmpl, "CORE", _EMPTY_, 3, 18033, true)
defer c.shutdown()
tmpl = strings.Replace(jsClusterTemplWithSingleLeafNode, "store_dir:", "domain: SPOKE, store_dir:", 1)
ln := c.createLeafNodeWithTemplate("LN-SPOKE", tmpl)
defer ln.Shutdown()
checkLeafNodeConnectedCount(t, ln, 2)
// Now disconnect our leafnode connections by restarting the server we are connected to..
for _, s := range c.servers {
if s.ClusterName() != c.name {
continue
}
if nln := s.NumLeafNodes(); nln > 0 {
s.Shutdown()
c.restartServer(s)
}
}
// Make sure we are back connected.
checkLeafNodeConnectedCount(t, ln, 2)
// Now grab leaf varz and make sure we have no dupe deny clauses.
vz, err := ln.Varz(nil)
if err != nil {
t.Fatalf("Unexpected error: %v", err)
}
// Grab the correct remote.
for _, remote := range vz.LeafNode.Remotes {
if remote.LocalAccount == ln.SystemAccount().Name {
if len(remote.Deny.Exports) > 3 { // denyAll := []string{jscAllSubj, raftAllSubj, jsAllAPI}
t.Fatalf("Dupe entries found: %+v", remote.Deny)
}
break
}
}
}
// Multiple JS domains.
func TestJetStreamClusterSingleLeafNodeWithoutSharedSystemAccount(t *testing.T) {
c := createJetStreamCluster(t, jsClusterAccountsTempl, "HUB", _EMPTY_, 3, 14333, true)

29
server/leafnode.go
View File

@@ -170,14 +170,35 @@ func (s *Server) addInJSDenyAll(r *leafNodeCfg) {
s.Noticef("Sharing system account but utilizing separate JetStream Domains")
s.Noticef("Adding deny of %+v for leafnode configuration that bridges system account", denyAll)
r.DenyExports = append(r.DenyExports, denyAll...)
r.DenyImports = append(r.DenyImports, denyAll...)
hasDeny := func(deny string, l []string) bool {
for _, le := range l {
if le == deny {
return true
}
}
return false
}
var exportAdded, importAdded bool
for _, deny := range denyAll {
if !hasDeny(deny, r.DenyExports) {
r.DenyExports = append(r.DenyExports, deny)
exportAdded = true
}
if !hasDeny(deny, r.DenyImports) {
r.DenyImports = append(r.DenyImports, deny)
importAdded = true
}
}
if !exportAdded && !importAdded {
return
}
perms := &Permissions{}
if len(r.DenyExports) > 0 {
if exportAdded {
perms.Publish = &SubjectPermission{Deny: r.DenyExports}
}
if len(r.DenyImports) > 0 {
if importAdded {
perms.Subscribe = &SubjectPermission{Deny: r.DenyImports}
}
r.perms = perms