changing the option name verify_and_implicit_allow to verify_and_accept_known_urls

This follows the suggestion by phil. I added the "and" to be consistent with verify_and_map.
I also fixed a minor issue where the implicit verify could overwrite an
explicitly configured one.

Signed-off-by: Matthias Hanel <mh@synadia.com>
Matthias Hanel
2020-11-20 14:27:24 -05:00
parent 06e4e93185
commit eda80ff7b5
4 changed files with 59 additions and 55 deletions


@@ -777,8 +777,8 @@ URLS:
continue URLS
}
hostLabels := strings.Split(strings.ToLower(url.Hostname()), ".")
// following https://tools.ietf.org/html/rfc6125#section-6.4.3, should not => will not, may => will not
// wilcard does not match multiple labels
// Following https://tools.ietf.org/html/rfc6125#section-6.4.3, should not => will not, may => will not
// The wilcard * never matches multiple label and only matches the left most label.
if len(hostLabels) != len(dnsAltNameLabels) {
continue URLS
}
@@ -808,12 +808,12 @@ func (s *Server) isRouterAuthorized(c *client) bool {
return s.opts.CustomRouterAuthentication.Check(c)
}
if opts.Cluster.TLSMap || opts.Cluster.TLSImplicitAllow {
if opts.Cluster.TLSMap || opts.Cluster.TLSAcceptKnownUrls {
return checkClientTLSCertSubject(c, func(user string, _ *ldap.DN, isDNSAltName bool) (string, bool) {
if user == "" {
return "", false
}
if opts.Cluster.TLSImplicitAllow && isDNSAltName {
if opts.Cluster.TLSAcceptKnownUrls && isDNSAltName {
if dnsAltNameMatches(dnsAltNameLabels(user), opts.Routes) {
return "", true
}
@@ -844,12 +844,12 @@ func (s *Server) isGatewayAuthorized(c *client) bool {
opts := s.getOpts()
// Check whether TLS map is enabled, otherwise use single user/pass.
if opts.Gateway.TLSMap || opts.Gateway.TLSImplicitAllow {
if opts.Gateway.TLSMap || opts.Gateway.TLSAcceptKnownUrls {
return checkClientTLSCertSubject(c, func(user string, _ *ldap.DN, isDNSAltName bool) (string, bool) {
if user == "" {
return "", false
}
if opts.Gateway.TLSImplicitAllow && isDNSAltName {
if opts.Gateway.TLSAcceptKnownUrls && isDNSAltName {
labels := dnsAltNameLabels(user)
for _, gw := range opts.Gateway.Gateways {
if gw != nil && dnsAltNameMatches(labels, gw.URLs) {
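Review bot: The accept-known-URLs branch in isRouterAuthorized (`if opts.Cluster.TLSAcceptKnownUrls && isDNSAltName {`) and its twin in isGatewayAuthorized authorize a peer solely because a DNS SAN in its certificate matches the hostname of a configured route or gateway URL, returning `"", true` with no username mapping consulted, yet neither closure says so; a comment such as `// Accept any verified cert whose DNS SAN names a configured route/gateway host; no user mapping is applied.` above each branch would make that trust model explicit for operators. Both closures continue past the hunk, so whether a non-matching SAN then falls through to the TLSMap lookup when only TLSAcceptKnownUrls is set cannot be confirmed here and deserves a comment as well. In the first hunk the new comment `// The wilcard * never matches multiple label and only matches the left most label.` has two typos (`wildcard`, `labels`), and since it is the only documentation of the matching rule it should also state that the comparison is made on the lowercased `url.Hostname()` label by label, which presumably means IP-literal route hosts are never matched against DNS SANs — confirm against the start of the function, which is outside the hunk.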


@@ -361,15 +361,15 @@ func TestConfigCheck(t *testing.T) {
errorPos: 5,
},
{
name: "verify_and_implicit_allow not support for clients",
name: "verify_and_accept_known_urls not support for clients",
config: `
tls = {
cert_file: "configs/certs/server.pem"
key_file: "configs/certs/key.pem"
verify_and_implicit_allow: true
verify_and_accept_known_urls: true
}
`,
err: errors.New("verify_and_implicit_allow not supported in this context"),
err: errors.New("verify_and_accept_known_urls not supported in this context"),
errorLine: 5,
errorPos: 10,
},
@@ -1154,7 +1154,7 @@ func TestConfigCheck(t *testing.T) {
errorPos: 0,
},
{
name: "verify_and_implicit_allow do not work for leaf nodes",
name: "verify_and_accept_known_urls do not work for leaf nodes",
config: `
leafnodes {
remotes = [
@@ -1162,13 +1162,13 @@ func TestConfigCheck(t *testing.T) {
url: "tls://nats:7422"
tls {
timeout: 0.01
verify_and_implicit_allow: true
verify_and_accept_known_urls: true
}
}
]
}`,
//Unexpected error after processing config: /var/folders/9h/6g_c9l6n6bb8gp331d_9y0_w0000gn/T/057996446:8:5:
err: errors.New("verify_and_implicit_allow not supported in this context"),
err: errors.New("verify_and_accept_known_urls not supported in this context"),
errorLine: 8,
errorPos: 5,
},
@@ -1393,17 +1393,17 @@ func TestConfigCheck(t *testing.T) {
errorPos: 21,
},
{
name: "verify_and_implicit_allow not support for websockets",
name: "verify_and_accept_known_urls not support for websockets",
config: `
websocket {
tls {
cert_file: "configs/certs/server.pem"
key_file: "configs/certs/key.pem"
verify_and_implicit_allow: true
verify_and_accept_known_urls: true
}
}
`,
err: fmt.Errorf("verify_and_implicit_allow not supported in this context"),
err: fmt.Errorf("verify_and_accept_known_urls not supported in this context"),
errorLine: 6,
errorPos: 10,
},


@@ -57,21 +57,21 @@ func NoErrOnUnknownFields(noError bool) {
// NOTE: This structure is no longer used for monitoring endpoints
// and json tags are deprecated and may be removed in the future.
type ClusterOpts struct {
Name string `json:"-"`
Host string `json:"addr,omitempty"`
Port int `json:"cluster_port,omitempty"`
Username string `json:"-"`
Password string `json:"-"`
AuthTimeout float64 `json:"auth_timeout,omitempty"`
Permissions *RoutePermissions `json:"-"`
TLSTimeout float64 `json:"-"`
TLSConfig *tls.Config `json:"-"`
TLSMap bool `json:"-"`
TLSImplicitAllow bool `json:"-"`
ListenStr string `json:"-"`
Advertise string `json:"-"`
NoAdvertise bool `json:"-"`
ConnectRetries int `json:"-"`
Name string `json:"-"`
Host string `json:"addr,omitempty"`
Port int `json:"cluster_port,omitempty"`
Username string `json:"-"`
Password string `json:"-"`
AuthTimeout float64 `json:"auth_timeout,omitempty"`
Permissions *RoutePermissions `json:"-"`
TLSTimeout float64 `json:"-"`
TLSConfig *tls.Config `json:"-"`
TLSMap bool `json:"-"`
TLSAcceptKnownUrls bool `json:"-"`
ListenStr string `json:"-"`
Advertise string `json:"-"`
NoAdvertise bool `json:"-"`
ConnectRetries int `json:"-"`
// Not exported (used in tests)
resolver netResolver
@@ -81,20 +81,20 @@ type ClusterOpts struct {
// NOTE: This structure is no longer used for monitoring endpoints
// and json tags are deprecated and may be removed in the future.
type GatewayOpts struct {
Name string `json:"name"`
Host string `json:"addr,omitempty"`
Port int `json:"port,omitempty"`
Username string `json:"-"`
Password string `json:"-"`
AuthTimeout float64 `json:"auth_timeout,omitempty"`
TLSConfig *tls.Config `json:"-"`
TLSTimeout float64 `json:"tls_timeout,omitempty"`
TLSMap bool `json:"-"`
TLSImplicitAllow bool `json:"-"`
Advertise string `json:"advertise,omitempty"`
ConnectRetries int `json:"connect_retries,omitempty"`
Gateways []*RemoteGatewayOpts `json:"gateways,omitempty"`
RejectUnknown bool `json:"reject_unknown,omitempty"` // config got renamed to reject_unknown_cluster
Name string `json:"name"`
Host string `json:"addr,omitempty"`
Port int `json:"port,omitempty"`
Username string `json:"-"`
Password string `json:"-"`
AuthTimeout float64 `json:"auth_timeout,omitempty"`
TLSConfig *tls.Config `json:"-"`
TLSTimeout float64 `json:"tls_timeout,omitempty"`
TLSMap bool `json:"-"`
TLSAcceptKnownUrls bool `json:"-"`
Advertise string `json:"advertise,omitempty"`
ConnectRetries int `json:"connect_retries,omitempty"`
Gateways []*RemoteGatewayOpts `json:"gateways,omitempty"`
RejectUnknown bool `json:"reject_unknown,omitempty"` // config got renamed to reject_unknown_cluster
// Not exported, for tests.
resolver netResolver
@@ -399,7 +399,7 @@ type TLSConfigOpts struct {
Verify bool
Insecure bool
Map bool
ImplicitAllow bool
AcceptKnownUrls bool
Timeout float64
Ciphers []uint16
CurvePreferences []tls.CurveID
@@ -1163,7 +1163,7 @@ func parseCluster(v interface{}, opts *Options, errors *[]error, warnings *[]err
opts.Cluster.TLSConfig = config
opts.Cluster.TLSTimeout = tlsopts.Timeout
opts.Cluster.TLSMap = tlsopts.Map
opts.Cluster.TLSImplicitAllow = tlsopts.ImplicitAllow
opts.Cluster.TLSAcceptKnownUrls = tlsopts.AcceptKnownUrls
case "cluster_advertise", "advertise":
opts.Cluster.Advertise = mv.(string)
case "no_advertise":
@@ -1279,7 +1279,7 @@ func parseGateway(v interface{}, o *Options, errors *[]error, warnings *[]error)
o.Gateway.TLSConfig = config
o.Gateway.TLSTimeout = tlsopts.Timeout
o.Gateway.TLSMap = tlsopts.Map
o.Gateway.TLSImplicitAllow = tlsopts.ImplicitAllow
o.Gateway.TLSAcceptKnownUrls = tlsopts.AcceptKnownUrls
case "advertise":
o.Gateway.Advertise = mv.(string)
case "connect_retries":
@@ -3256,18 +3256,22 @@ func parseTLS(v interface{}, isClientCtx bool) (t *TLSConfigOpts, retErr error)
if !ok {
return nil, &configErr{tk, "error parsing tls config, expected 'verify_and_map' to be a boolean"}
}
tc.Verify = verify
if verify {
tc.Verify = verify
}
tc.Map = verify
case "verify_and_implicit_allow":
case "verify_and_accept_known_urls":
verify, ok := mv.(bool)
if !ok {
return nil, &configErr{tk, "error parsing tls config, expected 'verify_and_implicit_allow' to be a boolean"}
return nil, &configErr{tk, "error parsing tls config, expected 'verify_and_accept_known_urls' to be a boolean"}
}
if verify && isClientCtx {
return nil, &configErr{tk, "verify_and_implicit_allow not supported in this context"}
return nil, &configErr{tk, "verify_and_accept_known_urls not supported in this context"}
}
tc.Verify = verify
tc.ImplicitAllow = verify
if verify {
tc.Verify = verify
}
tc.AcceptKnownUrls = verify
case "cipher_suites":
ra := mv.([]interface{})
if len(ra) == 0 {
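Review bot: The guarded assignment `if verify { tc.Verify = verify }` at the end of the `verify_and_accept_known_urls` case (and the matching one in the `verify_and_map` case just above it) only stops this key from clearing an explicit `verify: true`; if the plain `verify` key is handled by an unconditional assignment elsewhere in this switch, which the hunk does not show, a `verify: false` appearing later in the same tls block would still switch verification off while `AcceptKnownUrls` stays set, so the resulting TLSConfigOpts would depend on key order. A consistency check after the switch, e.g. `if (tc.Map || tc.AcceptKnownUrls) && !tc.Verify { tc.Verify = true }`, would make the outcome order-independent; the end of parseTLS is outside this hunk. Inside the guard, `tc.Verify = true` reads more directly than `tc.Verify = verify`. The new field name `AcceptKnownUrls` (and `TLSAcceptKnownUrls` in the ClusterOpts and GatewayOpts hunks earlier in this file) departs from the Go initialism convention the package already follows with `gw.URLs`; `AcceptKnownURLs` would be consistent and is cheaper to fix before the exported field ships.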