gogrlx/nats-server
1
0
Fork 0
mirror of https://github.com/gogrlx/nats-server.git synced 2026-04-02 03:38:42 -07:00
Code Issues Packages Projects Releases Wiki Activity

[added] support for StrictSigningKeyUsage and updated jwt library (#1845)

Browse Source 
This will cause the server to not trust accounts/user signed by an
identity key

The boot strapping system account will assume the account is issued by
the operator.
If this is not desirable, the system account can be provided right away
as resolver_preload.

[fixes] crash when the system account uses signing keys and an update changes that key set.

Signed-off-by: Matthias Hanel <mh@synadia.com>
This commit is contained in:
Matthias Hanel
2021-01-26 17:49:58 -05:00
committed by GitHub
parent 695539c922
commit dea9effa8d
12 changed files with 188 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
server/auth.go
View File

@@ -238,7 +238,7 @@ func (s *Server) configureAuthorization() {
// This just checks and sets up the user map if we have multiple users.
if opts.CustomClientAuthentication != nil {
s.info.AuthRequired = true
} else if len(s.trustedKeys) > 0 {
} else if s.trustedKeys != nil {
s.info.AuthRequired = true
} else if opts.Nkeys != nil || opts.Users != nil {
s.nkeys, s.users = s.buildNkeysAndUsersFromOptions(opts.Nkeys, opts.Users)
@@ -560,21 +560,18 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) boo
c.Debugf("Account JWT not signed by trusted operator")
return false
}
// this only executes IF there's an issuer on the Juc - otherwise the account is already vetted
if juc.IssuerAccount != _EMPTY_ {
if scope, ok := acc.hasIssuer(juc.Issuer); !ok {
c.Debugf("User JWT issuer is not known")
if scope, ok := acc.hasIssuer(juc.Issuer); !ok {
c.Debugf("User JWT issuer is not known")
return false
} else if scope != nil {
if err := scope.ValidateScopedSigner(juc); err != nil {
c.Debugf("User JWT is not valid: %v", err)
return false
} else if scope != nil {
if err := scope.ValidateScopedSigner(juc); err != nil {
c.Debugf("User JWT is not valid: %v", err)
return false
} else if uSc, ok := scope.(*jwt.UserScope); !ok {
c.Debugf("User JWT is not valid")
return false
} else {
juc.UserPermissionLimits = uSc.Template
}
} else if uSc, ok := scope.(*jwt.UserScope); !ok {
c.Debugf("User JWT is not valid")
return false
} else {
juc.UserPermissionLimits = uSc.Template
}
}
if acc.IsExpired() {