If the subscription was foo. > but the server also had an import deny of foo.bar
It was legal to send the subscription. But the other server was unaware
of the restriction and sent the message anyway. The check of the
incoming message did not happen.
Fixing by ignoring messages the server is not supposed to receive.
And exchange deny_import so that the non soliciting leaf node knows to not
send these messages in the first place.
NB. merging of deny_ export/import with perms from INFO happens in processLeafnodeInfo
Signed-off-by: Matthias Hanel <mh@synadia.com>
Before 2.2 series, the TERM signal used to not be handled
by the server, so it would not have been a clean exit.
In 2.2, it was changed to process TERM signal as a clean exit
but this affects the behavior of some tools that were expecting
TERM to be exit 1.
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
1. When in mixed mode and only running the global account we now will check the account for JS.
2. Added code to decrease the cluster set size if we guessed wrong in mixed mode setup.
Signed-off-by: Derek Collison <derek@nats.io>
On connect all subscription where sent by the soliciting leaf node.
If creds contains sub deny permissions, the leaf node would be
disconnected.
This waits for the permissions to be exchanged and checks permissions
before sending subscriptions.
Signed-off-by: Matthias Hanel <mh@synadia.com>
This was introduced by PR #2071.
On some tests, options are loaded based on a config file that has
the pid set to "/tm/nats-server/nats-server.pid", however, the
expected option's pid path was set based on tmpRoot. The problem
is that on macOS, that value would be "/var/folders/xxx" which
would not match.
So this PR simply reverts the changes to the expected pid file
name: it simply needs to match was in the test.conf file.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
We were setting the ping timer in the accepting server as soon
as the leafnode connection is created, just after sending
the INFO and setting the auth timer.
Sending a PING too soon may cause the solicit side to process
this PING and send a PONG in response, possibly before sending
the CONNECT, which the accepting side would fail as an authentication
error, since first protocol is expected to be a CONNECT.
Since LeafNode always expect a CONNECT, we always set the auth
timer. So now on accept, instead of starting the ping timer just
after sending the INFO, we will delay setting this timer only
after receiving the CONNECT.
The auth timer will take care of a stale connection in the time
it takes to receives the CONNECT.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
Although we do not support websocket configuration changes, we usually
try to support changes to TLS certificates, etc..
The way websocket is handled (using an http server), the TLS config
was given on startup and updates following a configuration reload
would not be reflected.
Using a tls.Config function that allows passing the tls config
prior to handshake seem to workaround this issue.
I have added a test that demonstrate that the TLS configuration
is really updated after the reload.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
