From 625dd189746332b170615bc7061230378ccef14f Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Mon, 11 May 2020 17:19:57 -0700
Subject: [PATCH] Add support for SPIFFE x.509 SVIDs for auth

This can be enabled by using `verify_and_map`.
```
tls { cert_file: "server.pem" key_file: "server.key" ca_file: "ca.pem" timeout: 5 verify_and_map: true } authorization { users = [ { user = "spiffe://localhost/my-nats-service/user-a" }, { user = "spiffe://localhost/my-nats-service/user-b", permissions = { subscribe = { deny = ">" }} }, ] }
```
Signed-off-by: Waldemar Quevedo
---
 server/auth.go | 10 +-
 test/configs/certs/svid/ca.key | 27 +++++
 test/configs/certs/svid/ca.pem | 22 ++++
 test/configs/certs/svid/server.key | 27 +++++
 test/configs/certs/svid/server.pem | 20 ++++
 test/configs/certs/svid/svid-user-a.key | 5 +
 test/configs/certs/svid/svid-user-a.pem | 31 ++++++
 test/configs/certs/svid/svid-user-b.key | 5 +
 test/configs/certs/svid/svid-user-b.pem | 31 ++++++
 test/tls_test.go | 133 ++++++++++++++++++++++++
 10 files changed, 310 insertions(+), 1 deletion(-)
 create mode 100644 test/configs/certs/svid/ca.key
 create mode 100644 test/configs/certs/svid/ca.pem
 create mode 100644 test/configs/certs/svid/server.key
 create mode 100644 test/configs/certs/svid/server.pem
 create mode 100644 test/configs/certs/svid/svid-user-a.key
 create mode 100644 test/configs/certs/svid/svid-user-a.pem
 create mode 100644 test/configs/certs/svid/svid-user-b.key
 create mode 100644 test/configs/certs/svid/svid-user-b.pem

diff --git a/server/auth.go b/server/auth.go
index 99673c3c..724e2c74 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -573,7 +573,8 @@ func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 hasSANs := len(cert.DNSNames) > 0
 hasEmailAddresses := len(cert.EmailAddresses) > 0
 hasSubject := len(cert.Subject.String()) > 0
- if !hasEmailAddresses && !hasSubject {
+ hasURIs := len(cert.URIs) > 0
+ if !hasEmailAddresses && !hasSubject && !hasURIs {
 c.Debugf("User required in cert, none found")
 return false
 }
@@ -594,6 +595,13 @@ func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 return true
 }
 }
+ case hasURIs:
+ for _, u := range cert.URIs {
+ if fn(u.String()) {
+ c.Debugf("Using URI found in cert for auth [%q]", u)
+ return true
+ }
+ }
 }
 
 // Try to get the full RDN Sequence that includes the domain components.
diff --git a/test/configs/certs/svid/ca.key b/test/configs/certs/svid/ca.key
new file mode 100644
index 00000000..887e9972
--- /dev/null
+++ b/test/configs/certs/svid/ca.key
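Review bot: The new `case hasURIs:` in the second hunk is reached only when no earlier case of the switch was taken, and the `return true } }` context directly above it closes a loop in a preceding case that looks like the e-mail SAN branch (its label is outside the hunk); a certificate that carries both an e-mail address and a SPIFFE URI therefore never has its URI consulted, because the e-mail case, on no match, falls out of the switch to the RDN matching below. If URI identities are meant to work regardless of what else the SAN extension holds, pull the URI loop out of the switch into its own `if hasURIs` block placed just before the RDN comment, as below; if the precedence is intentional, say so in the comment on checkClientTLSCertSubject, which starts and ends outside the hunk. The new branch also deserves a line for readers unfamiliar with SVIDs, e.g. `// SPIFFE SVIDs carry the workload identity as a URI SAN (spiffe://trust-domain/path); it is matched verbatim against the configured user.` Minor: the Debugf hands the `*url.URL` itself to `%q`; passing `u.String()` as the line above does avoids leaning on fmt's Stringer handling.
```go
	// … unchanged: switch over the e-mail SAN case(s), with the hasURIs case removed …
	}
	// Checked outside the switch so a URI SAN is still consulted when the
	// certificate also carries e-mail addresses that did not match.
	if hasURIs {
		for _, u := range cert.URIs {
			if fn(u.String()) {
				c.Debugf("Using URI found in cert for auth [%q]", u.String())
				return true
			}
		}
	}
	// … unchanged: RDN sequence matching …
```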
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAwIYeRgshZUbWnsnVFYqJvMlRwmYKpHGq1cxG2HIKJZMMJO4c +Tipguyt0bPJMQiGzsPUpzUIi3m1tNlQnQhmpBo4C1NSSRhx8My4z1796OkzerCMV +MKEP8weC9Vhz2mUMBQbrRvAcNJhoPksWJ2kSGxdUdKIqoFGDMu40ir5zxHyCA410 +vG7IIJlaDKpwuXl1IFjEaI5DWnDUAvSxciG86yZVaekRYEJNSPSPL1Er5ee40ukP +C66JCYas9a+4Lk5rQhlYSoUsimPebagKP99T+oNVyQSSQ0rqaNNV+7i0uEx9KH+7 +OC8B8+fUlE891hjnAJ20P0wJnMC/pFzzsvI8rQIDAQABAoIBAQCrKJFRhCO0fj3f +/V/LPtclV3WwdjeP6t4OJQX296u9q/Vn/6h6dYJ55DAli2PwhzXRZKQ9L0cAqBgn +7LjaMyXqBebOgA1q93gTqEe+zyRDIIP2VVpJWWdskIkExhZ5WsxMy9HvxxfMSpKi +ju6rKuZF33/eES4ESXNynANqNdeGHf5ZWI2BI8ekPLbS6EE+PcJPq2vK8gkhFFyb +ie9qqgU9DthSwJhqT7dilTllLz6gOj3dtYODaji4yLNkalRWe6JGO1v/ZxqWgpnk +ZHTATxgiyjWJ0AJGH1tqxHBU1MmKHEEsc3lXdxC+FWbAnfbMgQq+BZSBjcyAOip6 +0FHdrvKhAoGBAPWI7b1Yo2Ov2iJtH4VJh2vqX5q+EQchO9XCKW82lOfoXXCGrG7g +n5uuQuCAfEHzkeHDMVzDvoLJAHUz74eLuYm1voKLW+CjT+L9LYZMvLs3ygJvq5g9 +5pYPZbP2bax2sV2coXs/tv2gyMIYyrsPtln6ngW9y/SrC13j7ibffaJ/AoGBAMi6 +xzH8n2Fz2y76Vw3/JwFQNJY3qZy7jjcFd3KCTSzbDAHzMOpwRjSrecacF//G/bn+ +BaeOWowFZSh6ps7g3jyLWIpWS1Azk9t9+8sbt4bcX5XV92GeCu91X5gjSfwiXfJ7 +Ar7itX5zFMl74jBoJcd7ikS1BUZozcOon6x2F7LTAoGBAOqXYU4/mhxsr+WkjTE0 +B4c77wxR/MLrJdgeIqh3Zd4NTPluMuHdC6Ia5RrKp+37Ya5qaIdRHnymvyE79edz +wFmqo9Lmg2olnvYpH43pU4kszH13ZGOZAO7u1yUSlcbpwJzIQiEXxyacsDOCrG/9 +myRtJv4lUPD7W2jhlXDep5LRAoGBAKuEJXcJ9CnyNCRVFpPIJM0Teous7koVXPSY +wDLhMg6U8RKteWupGeQhbYGOmVcd8mm9q5k7oxUn+wL2opf9PwgezT4PdHUITVvs +r30iptQec7J1TNdlktR/x3oZFTvTJdFu2K7AyvJMZUOwjlpsc3OblU8WGnbKUJ/R +8vYLRj6vAoGBANoD3vrUz4Zq0tAfn31X4iNBe8TF6c0lx+NOcQ4IJHKHulxx+rHS +h8UjublG5rx8qL62D4SiVp+m12ibSrLaJpC5IqSy6cFjHNUzXcok4Oou7dpMsMkn +2uHsmL4iJJkUBIowADJ2mAyPnnOj0yQilna9o+pDqoW+bG0+7NoyHcV0 +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/svid/ca.pem b/test/configs/certs/svid/ca.pem new file mode 100644 index 00000000..97526cf8 --- /dev/null +++ b/test/configs/certs/svid/ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUd2k/q8WQFq6AZFyTtYu651Ds+cgwDQYJKoZIhvcNAQEL +BQAwajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcM +C0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYD +VQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5MjEwNTExWhcNMjUwNTA5MjEwNTExWjBq +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9z +IEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMxDTALBgNVBAsMBE5BVFMxEjAQBgNVBAMM +CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCGHkYL +IWVG1p7J1RWKibzJUcJmCqRxqtXMRthyCiWTDCTuHE4qYLsrdGzyTEIhs7D1Kc1C +It5tbTZUJ0IZqQaOAtTUkkYcfDMuM9e/ejpM3qwjFTChD/MHgvVYc9plDAUG60bw +HDSYaD5LFidpEhsXVHSiKqBRgzLuNIq+c8R8ggONdLxuyCCZWgyqcLl5dSBYxGiO +Q1pw1AL0sXIhvOsmVWnpEWBCTUj0jy9RK+XnuNLpDwuuiQmGrPWvuC5Oa0IZWEqF +LIpj3m2oCj/fU/qDVckEkkNK6mjTVfu4tLhMfSh/uzgvAfPn1JRPPdYY5wCdtD9M +CZzAv6Rc87LyPK0CAwEAAaNTMFEwHQYDVR0OBBYEFJQ0pEcUeNZleMh6GxA51NW4 +7MsIMB8GA1UdIwQYMBaAFJQ0pEcUeNZleMh6GxA51NW47MsIMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABluyDWCpMpIZxCO223YsqVLCFAA+3Ns +ZAFLRyurMfZrBp7lJdrcZzkPcp6Hea0WJ9Rif/7gBGSYdVqlyPNj4W8nfJfys9Vr +X9xfO4PyWE89Sa8aH1JQUifDeK0SMsj9HBRAiFqNuLdC6a2plQvQHhIyN/mnfQZs +a0EVC09zEBrlZaXlZpf/cUok6VLEPmBqL4Y4IJFAFHPSMZRigXL/We7x+Dsumzkh +5szEvBbktZNteZZcxnikBcS1ezmbGnz3l5OI65KM5JSkyxlvX5LnCNUl84z4dk/i +1CTi8YUaJtSfe1lfUlDZY/QKPCLKgwz/DQqhnwsWC8uplJtiN9lIOtU= +-----END CERTIFICATE----- diff --git a/test/configs/certs/svid/server.key b/test/configs/certs/svid/server.key new file mode 100644 index 00000000..a782f3fd --- /dev/null +++ b/test/configs/certs/svid/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxFbauT5Ge2uniUGkZwu3/3pH03DbIjZe7FfukBnD7DbEcOJT +M1w9uTzh6bOIpX7VLVifWk64w62bELCX+g7Bp1zKy0htsdmnDh6OH4m0lOwcpT77 +ZxCbnRNrwzLoia+hSIyyyMIPUPPJMm3BblGasU1K5P4c957wLbPal+83ipTa4anM +IQWcqPpoPGlcxJcB5Xw6rb8cLlju5hZLlaKkmxZrmuEu4KX3waKeNsY0eoDJwpSn +nbfuyOxVreHE/GclxPzODnx0UZh8zGKcxL/Yq+YaF+OsL/oPfh0igPARMmOua25V +n0Ra+f9CsvM4lt3giZ3mKLHJ2TsObohIw6qUzQIDAQABAoIBAGppqKI93nWGI4eA +zFoNP+x3mfY/dIVWcpwmDGaNkGK2TEHiaLWtiMac+NRxOd54n5G0Nqn7gKiNrz2c +eMJOvSa4ZDFJUCrUjHZamSz+taEBV4U4XYm+tpirrfxd2yrExeVMXJnyk9qMRr/O +PMhN8kmmWrFCCPEsc4BRumgefzvb/W+4CqmY1CYCEV+Lmwwr+ur6ADDfz2dAfHtr +UGkixUrzFO684qSTGTyn5oUdc4qN1XR63V/o411zbVfXIWMmiiVKv5ctq/RfshHD +h9700/RAo0j08iwqDtLXyx1eolnIO6AfLzYcLrPzHFv460HPa3AIoQVfBs0IM2TJ +8aAyFQECgYEA+L+5FvywmVKUJBc9XHJ/sTkGVL4i4I6TWbGTSN0urlAe1IEgq8Cq +VYLZiOZkuh47uJ76HjFJMo7SQrLot92ofhz3506ZSa4d3LVLEAbaxKgOHDHfM9XP +U4ZHEZdzj2s1IdW3v73NnIv2gnKVbL7gpIpeX0rhxHeFgAFwzykSolcCgYEAyhAG +43yjcZZay/mavjBeTFtbwaYKAtaMIP8uDaS2DJCsLMRKTda3YgQydWSlzC02E22/ +xTHOp2ytI4Eq6pEUlZT08+Gxyf1XStyWNjzD9jK+c+mIbQsWeZGef7FfcxKFksBq +0/9dG/MYUPqQBYoTDH24QR13XwKUzcGFjg6S83sCgYEAp+dZ+08zsTqRbk8Vhypu +UOTqBheVmTgD9D4t6bgKw3Snas+CiwxwrWm2hnbltM+lhjghInIoM20+NfFnrnx7 +OC07lLF0PMy/sXPaKAZIcwfxBk0PmYCQApQXsqMlSMCXy6/j6RQoDqxXB7Rqck3h +eo8/plj4TdJTlZTjXaIext8CgYEAxqcRDq+nxHFMXMLNlnPZEXqz7+M8bmPdqkcW +UMWBUUMecnickIArFEsKDI3hzqUYR+ubINSB1eorIf/IYIo30YN7exWFhA70th29 +9B6zjaV/xldvD71Z4DUAvYt1Sp2IAqn3nOqu8F6DpoFf/IItjhc/gYzlodvYzZyX +n/zGDmcCgYAumnP2HqQr0fFrHc/p+KWP3+YXi9b/gUiMK/i7k2r/vf4SbStogKJf +SlFD2S+H+FJxVRxUhssz4SH3PYZJwAMX0DP9ZNpwa5rwSbx0a7H72u0O3r42nFXi +LNt+4To/VB7frJsNKl4Oh46gUHMsMyoqsF5FNQpPQ4zTEio3U0FASQ== +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/svid/server.pem b/test/configs/certs/svid/server.pem new file mode 100644 index 00000000..823f34fe --- /dev/null +++ b/test/configs/certs/svid/server.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNTI0WhcNMzAwNTA3MjEwNTI0WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK +Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx +DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMRW2rk+Rntrp4lBpGcLt/96R9Nw2yI2XuxX7pAZ +w+w2xHDiUzNcPbk84emziKV+1S1Yn1pOuMOtmxCwl/oOwadcystIbbHZpw4ejh+J +tJTsHKU++2cQm50Ta8My6ImvoUiMssjCD1DzyTJtwW5RmrFNSuT+HPee8C2z2pfv +N4qU2uGpzCEFnKj6aDxpXMSXAeV8Oq2/HC5Y7uYWS5WipJsWa5rhLuCl98GinjbG +NHqAycKUp5237sjsVa3hxPxnJcT8zg58dFGYfMxinMS/2KvmGhfjrC/6D34dIoDw +ETJjrmtuVZ9EWvn/QrLzOJbd4Imd5iixydk7Dm6ISMOqlM0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEArl6zUvvu+RF6tqAiHqN5d/mmuhiczsaRReNXe1yJ7llXuDzl +jS/GAYu4nkDX/ejyWAwEnNOhjqNI5LMKNVJo+ZfOVH4jgiGZHaHzL6tY8tI6RYdO +ZUL5aLLDIGNYgR4BWFP2b6dk767iBOsmzB/gjGNi/ROAPQOw72vdXuxFL0xVwIG7 +Dk2u5f3B9nVdJz5gWFMHTE/cSSbyYJ1zZhwauzDaeploSTFlDsjPWUpCWCiE1jKh +jsgeF+HtlHcWlLhAAX/181SUoUilb9FBFCRLpPOuGYiKZ3KSQYzISkzvfE0u6/bs +uGL3UWDsGNQe6AhKMp9V2LxDq+fRIa9pTklb7g== +-----END CERTIFICATE----- diff --git a/test/configs/certs/svid/svid-user-a.key b/test/configs/certs/svid/svid-user-a.key new file mode 100644 index 00000000..12bddfc8 --- /dev/null +++ b/test/configs/certs/svid/svid-user-a.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgST6YP9hyfw/Vmoxo +MFp6MJFZu4xaYK3OweYcANEFTkmhRANCAAQCY7xD5sWZDVSRmBu2l4sjJYzpGVqg +d7M8I6LnFjkhkJFc0h9n8jPud8POip9BfXJyLBzmtW+CfZC84zlFSknN +-----END PRIVATE KEY----- diff --git a/test/configs/certs/svid/svid-user-a.pem b/test/configs/certs/svid/svid-user-a.pem new file mode 100644 index 00000000..6f4c57e9 --- /dev/null +++ b/test/configs/certs/svid/svid-user-a.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIICAzCCAamgAwIBAgIRAJXUSiQv6UVx+RHn17gl6xswCgYIKoZIzj0EAwIwMDEL +MAkGA1UEBhMCVVMxDTALBgNVBAoTBE5BVFMxEjAQBgNVBAMTCWxvY2FsaG9zdDAe +Fw0yMDA1MjcxODI3MTRaFw0yNTA1MDkyMTA1MTFaMB0xCzAJBgNVBAYTAlVTMQ4w +DAYDVQQKEwVTUElSRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJjvEPmxZkN +VJGYG7aXiyMljOkZWqB3szwjoucWOSGQkVzSH2fyM+53w86Kn0F9cnIsHOa1b4J9 +kLzjOUVKSc2jgbYwgbMwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUF +BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS9gO5XK6fzpkTH +DuhPV7lB2AAbNjAfBgNVHSMEGDAWgBSeUg2uZMN8Eio3bHcxv7zJIzclhzA0BgNV +HREELTArhilzcGlmZmU6Ly9sb2NhbGhvc3QvbXktbmF0cy1zZXJ2aWNlL3VzZXIt +YTAKBggqhkjOPQQDAgNIADBFAiA2TvD3xhOCvn9E2QF42o7gTjqGicTeNInKTEKe +A6AMzgIhAKdpmH5367YqHijKhtfklnM7g8WhdPhn38xWL7jG+5+a +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC3jCCAcagAwIBAgIRAP6sMTwSA5gCsJWO5fSCokUwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xv +cyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQD +DAlsb2NhbGhvc3QwHhcNMjAwNTI3MTgxNzAyWhcNMjUwNTA5MjEwNTExWjAwMQsw +CQYDVQQGEwJVUzENMAsGA1UEChMETkFUUzESMBAGA1UEAxMJbG9jYWxob3N0MFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJhF2UV33hUpg53uGmy/GkXEI2ZR8EQmp +EHxG1GWbjHR7FBdVP/HmPyVKu5vfegXZp/hD3H7UYHjiNeKMYyGT4qOBgzCBgDAO +BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnlINrmTD +fBIqN2x3Mb+8ySM3JYcwHwYDVR0jBBgwFoAUlDSkRxR41mV4yHobEDnU1bjsywgw +HQYDVR0RBBYwFIYSc3BpZmZlOi8vbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB +AQA7nxOrNqGZ4U72qkB9YYXSi89HNgYoz1R0sLdRuh0BDpSPLASNymZrzbw1CuZm +pOJ6b6blxDlLKBx+tDBgYejRmVCZq+hD8mIVBT0Vg3uZhmPOo2URQmUcfsas9UXK +dXGh/9FIqq4u3dBA1bCHlKk/bDIu/VkGMkTaHaDXNEcLBSWLdVkMOuuF6YHgKJh5 +UQEsbWt+kfL3MzeMuAQYVuskKWE19+oLfY41jTQUzPY83r9nJkEZaUyVBShj8CAw +K8QHfKrQ1BE6ALrM1zvMS9zMopoalMtNJ1ILL1nYLD2teVv4iSRGyD7JgHUYYax6 +rnloUNEr2o9DlZp8EvK2I4dU +-----END CERTIFICATE----- diff --git a/test/configs/certs/svid/svid-user-b.key b/test/configs/certs/svid/svid-user-b.key new file mode 100644 index 00000000..ff979e2f 
--- /dev/null +++ b/test/configs/certs/svid/svid-user-b.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgEiQo4GXKbViodiF2 +LltOkXLauMoyKJu01c/FUoGpnXahRANCAASiSiVhimnedxcnXY1ffLWV6Ez9XIkq +3pXxtk6q6jvDfn3OPPjIB47OH4KCqNaMoIsKxwK/mtOEETb0/gFqeQWa +-----END PRIVATE KEY----- diff --git a/test/configs/certs/svid/svid-user-b.pem b/test/configs/certs/svid/svid-user-b.pem new file mode 100644 index 00000000..e628f30f --- /dev/null +++ b/test/configs/certs/svid/svid-user-b.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIICAjCCAaigAwIBAgIQUGwbDXAjCmdvfiGGjS/+PzAKBggqhkjOPQQDAjAwMQsw +CQYDVQQGEwJVUzENMAsGA1UEChMETkFUUzESMBAGA1UEAxMJbG9jYWxob3N0MB4X +DTIwMDUyNzE4MjkxMFoXDTI1MDUwOTIxMDUxMVowHTELMAkGA1UEBhMCVVMxDjAM +BgNVBAoTBVNQSVJFMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEokolYYpp3ncX +J12NX3y1lehM/VyJKt6V8bZOquo7w359zjz4yAeOzh+CgqjWjKCLCscCv5rThBE2 +9P4BankFmqOBtjCBszAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUH +AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOZVW2w2T+3afeJU +JMuZg6Q8FXc/MB8GA1UdIwQYMBaAFJ5SDa5kw3wSKjdsdzG/vMkjNyWHMDQGA1Ud +EQQtMCuGKXNwaWZmZTovL2xvY2FsaG9zdC9teS1uYXRzLXNlcnZpY2UvdXNlci1i +MAoGCCqGSM49BAMCA0gAMEUCIQD81ueLXy2MerMclzKoMnP9VDjOLuHVHf7RkLYb +OdqBigIgH0XT2q5pVmDQgCBP2bKaWZndvXlb5kkPw17XcSD2cKs= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC3jCCAcagAwIBAgIRAP6sMTwSA5gCsJWO5fSCokUwDQYJKoZIhvcNAQELBQAw +ajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xv +cyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQD +DAlsb2NhbGhvc3QwHhcNMjAwNTI3MTgxNzAyWhcNMjUwNTA5MjEwNTExWjAwMQsw +CQYDVQQGEwJVUzENMAsGA1UEChMETkFUUzESMBAGA1UEAxMJbG9jYWxob3N0MFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJhF2UV33hUpg53uGmy/GkXEI2ZR8EQmp +EHxG1GWbjHR7FBdVP/HmPyVKu5vfegXZp/hD3H7UYHjiNeKMYyGT4qOBgzCBgDAO +BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnlINrmTD +fBIqN2x3Mb+8ySM3JYcwHwYDVR0jBBgwFoAUlDSkRxR41mV4yHobEDnU1bjsywgw +HQYDVR0RBBYwFIYSc3BpZmZlOi8vbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB +AQA7nxOrNqGZ4U72qkB9YYXSi89HNgYoz1R0sLdRuh0BDpSPLASNymZrzbw1CuZm +pOJ6b6blxDlLKBx+tDBgYejRmVCZq+hD8mIVBT0Vg3uZhmPOo2URQmUcfsas9UXK +dXGh/9FIqq4u3dBA1bCHlKk/bDIu/VkGMkTaHaDXNEcLBSWLdVkMOuuF6YHgKJh5 +UQEsbWt+kfL3MzeMuAQYVuskKWE19+oLfY41jTQUzPY83r9nJkEZaUyVBShj8CAw +K8QHfKrQ1BE6ALrM1zvMS9zMopoalMtNJ1ILL1nYLD2teVv4iSRGyD7JgHUYYax6 +rnloUNEr2o9DlZp8EvK2I4dU +-----END CERTIFICATE----- diff --git a/test/tls_test.go b/test/tls_test.go index 7a0ed1bc..c34c1a9a 100644 --- a/test/tls_test.go +++ b/test/tls_test.go 
@@ -1263,3 +1263,136 @@ func TestTLSClientAuthWithRDNSequence(t *testing.T) {
 })
 }
 }
+
+func TestTLSClientSVIDAuth(t *testing.T) {
+ for _, test := range []struct {
+ name string
+ config string
+ certs nats.Option
+ err error
+ rerr error
+ }{
+ {
+ "connect with tls using certificate with URIs",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ {
+ user = "spiffe://localhost/my-nats-service/user-a"
+ }
+ ]
+ }
+ `,
+ nats.ClientCert("./configs/certs/svid/svid-user-a.pem", "./configs/certs/svid/svid-user-a.key"),
+ nil,
+ nil,
+ },
+ {
+ "connect with tls using certificate with limited different permissions",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ {
+ user = "spiffe://localhost/my-nats-service/user-a"
+ },
+ {
+ user = "spiffe://localhost/my-nats-service/user-b"
+ permissions = { subscribe = { deny = ">" }}
+ }
+ ]
+ }
+ `,
+ nats.ClientCert("./configs/certs/svid/svid-user-b.pem", "./configs/certs/svid/svid-user-b.key"),
+ nil,
+ errors.New("nats: timeout"),
+ },
+ {
+ "connect with tls without URIs in permissions will still match SAN",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ {
+ user = "O=SPIRE,C=US"
+ }
+ ]
+ }
+ `,
+ nats.ClientCert("./configs/certs/svid/svid-user-a.pem", "./configs/certs/svid/svid-user-a.key"),
+ nil,
+ nil,
+ },
+ {
+ "connect with tls but no permissions",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ {
+ user = "spiffe://localhost/my-nats-service/user-c"
+ }
+ ]
+ }
+ `,
+ nats.ClientCert("./configs/certs/svid/svid-user-a.pem", "./configs/certs/svid/svid-user-a.key"),
+ errors.New("nats: Authorization Violation"),
+ nil,
+ },
+ } {
+ t.Run(test.name, func(t *testing.T) {
+ content := fmt.Sprintf(test.config, `
+ tls {
+ cert_file: "configs/certs/svid/server.pem"
+ key_file: "configs/certs/svid/server.key"
+ ca_file: "configs/certs/svid/ca.pem"
+ timeout: 5
+ insecure: true
+ verify_and_map: true
+ }
+ `)
+ conf := createConfFile(t, []byte(content))
+ defer os.Remove(conf)
+ s, opts := RunServerWithConfig(conf)
+ defer s.Shutdown()
+
+ nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+ test.certs,
+ nats.RootCAs("./configs/certs/svid/ca.pem"),
+ )
+ if test.err == nil && err != nil {
+ t.Errorf("Expected to connect, got %v", err)
+ } else if test.err != nil && err == nil {
+ t.Errorf("Expected error on connect")
+ } else if test.err != nil && err != nil {
+ // Error on connect was expected
+ if test.err.Error() != err.Error() {
+ t.Errorf("Expected error %s, got: %s", test.err, err)
+ }
+ return
+ }
+ defer nc.Close()
+
+ nc.Subscribe("ping", func(m *nats.Msg) {
+ m.Respond([]byte("pong"))
+ })
+ nc.Flush()
+
+ _, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+ if test.rerr != nil && err == nil {
+ t.Errorf("Expected error getting response")
+ } else if test.rerr == nil && err != nil {
+ t.Errorf("Expected response")
+ }
+ })
+ }
+}
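Review bot: The deny case (user-b with `subscribe = { deny = ">" }`) is established only by `nc.Request` timing out after 250 ms, and the `nc.Subscribe` and `nc.Flush` results on the lines above it are discarded, so the test cannot tell a denied subscription from a slow server and any stall yields the expected `nats: timeout`. Registering a `nats.ErrorHandler` lets the subtest capture the asynchronous permissions error the server sends for the rejected subscribe and assert on that, and the Subscribe/Flush errors should be checked as below. The connect-failure branch uses `t.Errorf` and then continues into `defer nc.Close()` and `nc.Subscribe` with a nil `nc`; `t.Fatalf("Expected to connect, got %v", err)` stops the subtest there. The third case is named as matching a SAN, but `O=SPIRE,C=US` is the certificate's subject, not a SAN, so `"connect with tls without URIs in permissions will still match the subject"` is the accurate name. `insecure: true` in the server tls block deserves a one-line comment stating why a verify_and_map test needs it, if it is needed at all.
```go
			// … unchanged: config rendering, server start …
			asyncErr := make(chan error, 1)
			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
				test.certs,
				nats.RootCAs("./configs/certs/svid/ca.pem"),
				// A denied subscribe is reported by the server as an async -ERR,
				// not as a Subscribe() error; capture it so the deny case asserts
				// on the violation itself rather than on a request timeout.
				nats.ErrorHandler(func(_ *nats.Conn, _ *nats.Subscription, e error) {
					select {
					case asyncErr <- e:
					default:
					}
				}),
			)
			// … unchanged: connect error checks (with t.Fatalf on unexpected failure) …
			if _, err := nc.Subscribe("ping", func(m *nats.Msg) {
				m.Respond([]byte("pong"))
			}); err != nil {
				t.Fatalf("Expected subscribe to be accepted, got %v", err)
			}
			if err := nc.Flush(); err != nil {
				t.Fatalf("Expected flush to succeed, got %v", err)
			}

			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
			switch {
			case test.rerr != nil:
				if err == nil {
					t.Fatalf("Expected error getting response")
				}
				select {
				case e := <-asyncErr:
					t.Logf("Server rejected the subscription as expected: %v", e)
				case <-time.After(time.Second):
					t.Fatalf("Expected a permissions error from the server, got only %v", err)
				}
			case err != nil:
				t.Fatalf("Expected response, got %v", err)
			}
```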