Only fetch account jwt if the name is a proper public account key

Signed-off-by: Matthias Hanel <mh@synadia.com>
This commit is contained in:
Matthias Hanel
2020-11-17 17:18:47 -05:00
parent 68416d291b
commit f69dc5cfd6
2 changed files with 16 additions and 4 deletions


@@ -3125,6 +3125,13 @@ func buildInternalNkeyUser(uc *jwt.UserClaims, acts map[string]struct{}, acc *Ac
const fetchTimeout = 2 * time.Second
func FetchAccount(res AccountResolver, name string) (string, error) {
if !nkeys.IsValidPublicAccountKey(name) {
return "", fmt.Errorf("will only fetch valid account keys")
}
return res.Fetch(name)
}
// AccountResolver interface. This is to fetch Account JWTs by public nkeys
type AccountResolver interface {
Fetch(name string) (string, error)
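Review bot: FetchAccount is exported but carries no doc comment, and the rejection on the `if !nkeys.IsValidPublicAccountKey(name)` branch drops the offending value, so a misconfigured system account name or a bad lookup surfaces in logs only as "will only fetch valid account keys". Suggest `// FetchAccount retrieves the account JWT for name from res, rejecting any name that is not a valid public account nkey before the resolver is consulted.` above the function, and `return "", fmt.Errorf("will only fetch valid account keys, got %q", name)` so the rejected value is quoted and escaped in the error. If the name is deliberately left out, the format string has no verbs and `errors.New` is the more conventional call (assuming the file already imports errors). The AccountResolver interface declaration continues past the end of the hunk.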


@@ -397,7 +397,7 @@ func NewServer(opts *Options) (*Server, error) {
s.mu.Unlock()
var a *Account
// perform direct lookup to avoid warning trace
if _, err := ar.Fetch(s.opts.SystemAccount); err == nil {
if _, err := FetchAccount(ar, s.opts.SystemAccount); err == nil {
a, _ = s.fetchAccount(s.opts.SystemAccount)
}
s.mu.Lock()
@@ -1284,7 +1284,7 @@ func (s *Server) fetchRawAccountClaims(name string) (string, error) {
}
// Need to do actual Fetch
start := time.Now()
claimJWT, err := accResolver.Fetch(name)
claimJWT, err := FetchAccount(accResolver, name)
fetchTime := time.Since(start)
if fetchTime > time.Second {
s.Warnf("Account [%s] fetch took %v", name, fetchTime)
@@ -1305,7 +1305,12 @@ func (s *Server) fetchAccountClaims(name string) (*jwt.AccountClaims, string, er
if err != nil {
return nil, _EMPTY_, err
}
return s.verifyAccountClaims(claimJWT)
var claim *jwt.AccountClaims
claim, claimJWT, err = s.verifyAccountClaims(claimJWT)
if claim != nil && claim.Subject != name {
return nil, _EMPTY_, ErrAccountValidation
}
return claim, claimJWT, err
}
// verifyAccountClaims will decode and validate any account claims.
@@ -1447,7 +1452,7 @@ func (s *Server) Start() {
case <-s.quitCh:
return
case <-t.C:
if _, err := ar.Fetch(s.opts.SystemAccount); err != nil {
if _, err := FetchAccount(ar, s.opts.SystemAccount); err != nil {
continue
}
if _, err := s.fetchAccount(s.opts.SystemAccount); err != nil {
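Review bot: In the fetchAccountClaims hunk the new `claim.Subject != name` check maps a resolver handing back a JWT for a different account onto the generic ErrAccountValidation without recording which subject arrived, so an operator investigating a misrouted or tampered resolver sees only a validation failure. Suggest logging before the return, `s.Warnf("Account [%s] claims subject mismatch: %s", name, claim.Subject)`, which keeps the error unchanged for callers while leaving an audit trail. That branch also discards whatever err verifyAccountClaims returned alongside a non-nil claim; if that precedence is intended, a one-line comment such as `// a subject mismatch outranks any other validation error` would make it explicit. The remaining hunks in NewServer, fetchRawAccountClaims and Start only swap `ar.Fetch`/`accResolver.Fetch` for FetchAccount and raise no further point.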