Reword ocsp routes/gateways terminology to 'peers' instead

Add test for verify_and_map usage with ocsp Signed-off-by: Waldemar Quevedo <wally@nats.io>
2026-04-02 03:38:42 -07:00 · 2023-03-14 17:01:42 -07:00
parent f8914788f5
commit da7a8b63bc
2 changed files with 133 additions and 11 deletions
--- a/server/ocsp.go
+++ b/server/ocsp.go
@@ -433,18 +433,18 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
 			}, nil
 		}

-		// Check whether need to verify staples from a client connection depending on the type.
+		// Check whether need to verify staples from a peer router or gateway connection.
 		switch kind {
 		case kindStringMap[ROUTER], kindStringMap[GATEWAY]:
 			tc.VerifyConnection = func(s tls.ConnectionState) error {
 				oresp := s.OCSPResponse
 				if oresp == nil {
-					return fmt.Errorf("%s client missing OCSP Staple", kind)
+					return fmt.Errorf("%s peer missing OCSP Staple", kind)
 				}

-				// Client route connections will verify the response of the staple.
+				// Peer connections will verify the response of the staple.
 				if len(s.VerifiedChains) == 0 {
-					return fmt.Errorf("%s client missing TLS verified chains", kind)
+					return fmt.Errorf("%s peer missing TLS verified chains", kind)
 				}

 				chain := s.VerifiedChains[0]
@@ -453,7 +453,7 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni

 				resp, err := ocsp.ParseResponseForCert(oresp, leaf, parent)
 				if err != nil {
-					return fmt.Errorf("failed to parse OCSP response from %s client: %w", kind, err)
+					return fmt.Errorf("failed to parse OCSP response from %s peer: %w", kind, err)
 				}
 				if resp.Certificate == nil {
 					if err := resp.CheckSignatureFrom(parent); err != nil {
@@ -475,13 +475,13 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
 					}
 				}
 				if resp.Status != ocsp.Good {
-					return fmt.Errorf("bad status for OCSP Staple from %s client: %s", kind, ocspStatusString(resp.Status))
+					return fmt.Errorf("bad status for OCSP Staple from %s peer: %s", kind, ocspStatusString(resp.Status))
 				}

 				return nil
 			}

-			// When server makes a client connection, need to also present an OCSP Staple.
+			// When server makes a peer connection, need to also present an OCSP Staple.
 			tc.GetClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
 				raw, _, err := mon.getStatus()
 				if err != nil {
@@ -563,8 +563,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
 				if opts.Verify {
 					tc.ClientAuth = tls.RequireAndVerifyClientCert
 				}
-				// GetClientCertificate is used by a client to send the client cert
-				// to a server. We're a server, so we must not set this.
+				// We're a leaf hub server, so we must not set this.
 				tc.GetClientCertificate = nil
 				sopts.LeafNode.TLSConfig = tc
 			},
@@ -581,8 +580,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
 				tlsConfig: config,
 				tlsOpts:   opts,
 				apply: func(tc *tls.Config) {
-					// GetCertificate is used by a server to send the server cert to a
-					// client. We're a client, so we must not set this.
+					// We're a leaf client, so we must not set this.
 					tc.GetCertificate = nil
 					r.TLSConfig = tc
 				},
--- a/test/ocsp_test.go
+++ b/test/ocsp_test.go
@@ -1886,9 +1886,133 @@ func TestOCSPLeafVerifyLeafRemote(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer cA.Close()
+
+	// Should not have been able to connect.
 	checkLeafNodeConnections(t, srvA, 0)
 }

+func TestOCSPLeafVerifyAndMapLeafRemote(t *testing.T) {
+	const (
+		caCert = "configs/certs/ocsp/ca-cert.pem"
+		caKey  = "configs/certs/ocsp/ca-key.pem"
+	)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	ocspr := newOCSPResponder(t, caCert, caKey)
+	defer ocspr.Shutdown(ctx)
+	addr := fmt.Sprintf("http://%s", ocspr.Addr)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
+	setOCSPStatus(t, addr, "configs/certs/ocsp/client-cert.pem", ocsp.Good)
+
+	// Store Dirs
+	storeDirA := t.TempDir()
+	storeDirB := t.TempDir()
+
+	// LeafNode server configuration
+	srvConfA := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "AAA"
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+			verify_and_map: true
+		}
+		store_dir: '%s'
+
+		leafnodes {
+			host: "127.0.0.1"
+			port: -1
+			advertise: "127.0.0.1"
+
+			tls {
+				cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
+				key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
+				ca_file: "configs/certs/ocsp/ca-cert.pem"
+				timeout: 5
+				verify_and_map: true
+			}
+		}
+
+		accounts: {
+			leaf: {
+			  users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost server-status-request-url-04"} ]
+			}
+			client: {
+			  users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost client"} ]
+			}
+		}
+
+	`
+	srvConfA = fmt.Sprintf(srvConfA, storeDirA)
+	sconfA := createConfFile(t, []byte(srvConfA))
+	srvA, optsA := RunServerWithConfig(sconfA)
+	defer srvA.Shutdown()
+
+	// LeafNode remote that will connect to A and will not present certs.
+	srvConfB := `
+		host: "127.0.0.1"
+		port: -1
+
+		server_name: "BBB"
+
+		tls {
+			cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
+			key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
+			ca_file: "configs/certs/ocsp/ca-cert.pem"
+			timeout: 5
+		}
+		store_dir: '%s'
+
+		leafnodes {
+			remotes: [ {
+				url: "tls://127.0.0.1:%d"
+				tls {
+					cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
+					key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
+					ca_file: "configs/certs/ocsp/ca-cert.pem"
+					timeout: 5
+				}
+			} ]
+		}
+	`
+	srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.LeafNode.Port)
+	conf := createConfFile(t, []byte(srvConfB))
+	srvB, _ := RunServerWithConfig(conf)
+	defer srvB.Shutdown()
+
+	// Client connects to server A.
+	cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port),
+		nats.Secure(&tls.Config{
+			VerifyConnection: func(s tls.ConnectionState) error {
+				if s.OCSPResponse == nil {
+					return fmt.Errorf("missing OCSP Staple from server")
+				}
+				return nil
+			},
+		}),
+		nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
+		nats.RootCAs(caCert),
+		nats.ErrorHandler(noOpErrHandler),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cA.Close()
+	checkLeafNodeConnections(t, srvA, 1)
+}
+
 func TestOCSPGateway(t *testing.T) {
 	const (
 		caCert = "configs/certs/ocsp/ca-cert.pem"