From e509ec59a16f4c1214654e05e4a7cdb1a786151b Mon Sep 17 00:00:00 2001
From: Matthias Hanel
Date: Mon, 18 May 2020 23:29:21 -0400
Subject: [PATCH] Raise error when system_account in config and operator jwt do not match
Signed-off-by: Matthias Hanel
---
 server/opts.go | 18 ++++++++++++++++++
 server/opts_test.go | 32 ++++++++++++++++++++++++++++----
 2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/server/opts.go b/server/opts.go
index 151885ae..c231d60c 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -718,6 +718,24 @@ func (o *Options) processConfigFileLine(k string, v interface{}, errors *[]error
 o.SystemAccount = o.TrustedOperators[0].SystemAccount
 }
 }
+ if o.SystemAccount != "" {
+ foundSys := false
+ foundNonEmpty := false
+ for _, op := range o.TrustedOperators {
+ if op.SystemAccount != "" {
+ foundNonEmpty = true
+ }
+ if op.SystemAccount == o.SystemAccount {
+ foundSys = true
+ break
+ }
+ }
+ if foundNonEmpty && !foundSys {
+ err := &configErr{tk, "system_account in config and operator JWT must be identical"}
+ *errors = append(*errors, err)
+ return
+ }
+ }
 case "resolver", "account_resolver", "accounts_resolver":
 // "resolver" takes precedence over value obtained from "operator".
 // Clear so that parsing errors are not silently ignored.
diff --git a/server/opts_test.go b/server/opts_test.go
index b235c213..35a009ed 100644
--- a/server/opts_test.go
+++ b/server/opts_test.go
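Review bot: The new comparison runs only inside the operator key's case, so what it compares depends on whether the `system_account` key has already been applied to o.SystemAccount when the operator key is processed; that ordering is decided by the caller of processConfigFileLine and is not visible in the hunk, so a config that lists system_account after operator may be checked against the value copied from the operator three lines earlier rather than the user's, and the error would never fire. Failing closed on this mismatch is the right call, since the system account carries elevated privileges and a silently overridden value is exactly the misconfiguration that is hard to spot later, which is why the check belongs in a step that runs once after every key has been processed. One shape is the predicate below, invoked from that post-parse step with `*errors = append(*errors, &configErr{tk, "system_account in config and operator JWT must be identical"})` left at the call site; processConfigFileLine's body and that call site are both outside the hunk. Whichever place it ends up, the branch wants a comment such as `// A configured system_account must be the system account declared by some trusted operator; operators that declare none are ignored.`
```go
// systemAccountMatchesOperators reports whether o.SystemAccount is consistent
// with the trusted operators: true when it is unset, when no operator declares
// a system account, or when some operator declares exactly o.SystemAccount.
func (o *Options) systemAccountMatchesOperators() bool {
	if o.SystemAccount == "" {
		return true
	}
	anyDeclared := false
	for _, op := range o.TrustedOperators {
		if op.SystemAccount == o.SystemAccount {
			return true
		}
		if op.SystemAccount != "" {
			anyDeclared = true
		}
	}
	// Operators without a system account impose no constraint.
	return !anyDeclared
}
// … unchanged: "operator" case keeps only the existing fallback assignment …
```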
@@ -2593,11 +2593,13 @@ func TestNoAuthUserCode(t *testing.T) {
 }
+const operatorJwt = `
+ listen: "127.0.0.1:-1"
+ operator: eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJqdGkiOiJJVEdJNjNCUUszM1VNN1pBSzZWT1RXNUZEU01ESlNQU1pRQ0RMNUlLUzZQTVhBU0ROQ01RIiwiaWF0IjoxNTg5ODM5MjA1LCJpc3MiOiJPQ1k2REUyRVRTTjNVT0RGVFlFWEJaTFFMSTdYNEdTWFI1NE5aQzRCQkxJNlFDVFpVVDY1T0lWTiIsIm5hbWUiOiJPUCIsInN1YiI6Ik9DWTZERTJFVFNOM1VPREZUWUVYQlpMUUxJN1g0R1NYUjU0TlpDNEJCTEk2UUNUWlVUNjVPSVZOIiwidHlwZSI6Im9wZXJhdG9yIiwibmF0cyI6eyJhY2NvdW50X3NlcnZlcl91cmwiOiJodHRwOi8vbG9jYWxob3N0OjgwMDAvand0L3YxIiwib3BlcmF0b3Jfc2VydmljZV91cmxzIjpbIm5hdHM6Ly9sb2NhbGhvc3Q6NDIyMiJdLCJzeXN0ZW1fYWNjb3VudCI6IkFEWjU0N0IyNFdIUExXT0s3VE1MTkJTQTdGUUZYUjZVTTJOWjRISE5JQjdSREZWWlFGT1o0R1FRIn19.3u710KqMLwgXwsMvhxfEp9xzK84XyAZ-4dd6QY0T6hGj8Bw9mS-HcQ7HbvDDNU01S61tNFfpma_JR6LtB3ixBg
+`
+
 func TestReadOperatorJWT(t *testing.T) {
- confFileName := createConfFile(t, []byte(`
- listen: "127.0.0.1:-1"
- operator: eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.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.3u710KqMLwgXwsMvhxfEp9xzK84XyAZ-4dd6QY0T6hGj8Bw9mS-HcQ7HbvDDNU01S61tNFfpma_JR6LtB3ixBg
- `))
+ confFileName := createConfFile(t, []byte(operatorJwt))
 defer os.Remove(confFileName)
 opts, err := ProcessConfigFile(confFileName)
 if err != nil {
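Review bot: `operatorJwt` holds a complete server config snippet (a listen line plus the operator line), not a bare token, and the Match/Mismatch tests that follow depend on the system account encoded inside that JWT, so the constant should carry a doc comment stating both: `// operatorJwt is a minimal server config whose operator JWT declares system account ADZ547B24WHPLWOK7TMLNBSA7FQFXR6UM2NZ4HHNIB7RDFVZQFOZ4GQQ; the SystemAccount tests append a system_account line to it.` A name such as `operatorConf` would also stop readers from treating the string as a token they can pass around on its own. The const is complete within the hunk; TestReadOperatorJWT's body continues past it.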
@@ -2612,3 +2614,25 @@ func TestReadOperatorJWT(t *testing.T) {
 t.Fatalf("Expected different SystemAccount: %s", r.url)
 }
 }
+
+func TestReadOperatorJWTSystemAccountMatch(t *testing.T) {
+ confFileName := createConfFile(t, []byte(operatorJwt+`
+ system_account: ADZ547B24WHPLWOK7TMLNBSA7FQFXR6UM2NZ4HHNIB7RDFVZQFOZ4GQQ
+ `))
+ defer os.Remove(confFileName)
+ if _, err := ProcessConfigFile(confFileName); err != nil {
+ t.Fatalf("Received unexpected error %s", err)
+ }
+}
+
+func TestReadOperatorJWTSystemAccountMismatch(t *testing.T) {
+ confFileName := createConfFile(t, []byte(operatorJwt+`
+ system_account: ADXJJCDCSRSMCOV25FXQW7R4QOG7R763TVEXBNWJHLBMBGWOJYG5XZBG
+ `))
+ defer os.Remove(confFileName)
+ if _, err := ProcessConfigFile(confFileName); err == nil {
+ t.Fatalf("Received no error")
+ } else if !strings.Contains(err.Error(), "system_account in config and operator JWT must be identical") {
+ t.Fatalf("Received unexpected error %s", err)
+ }
+}
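Review bot: Both new tests place `system_account` after `operator`, so they do not pin whether the mismatch is caught when the keys appear in the opposite order, which is the case most likely to slip past a check that runs inside the operator key's handler. A third case built from the same pieces, `createConfFile(t, []byte("system_account: ADXJJCDCSRSMCOV25FXQW7R4QOG7R763TVEXBNWJHLBMBGWOJYG5XZBG\n"+operatorJwt))`, asserting the same error substring, would cover it. The Match and Mismatch bodies are otherwise identical except for the account value and the expected outcome, so a small table (`value string; wantErr bool`) driving one loop would keep the three cases in one place and make the order variant a one-line addition.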