This is based on branch_2_1_x and includes the following fixes:
- Possible panic if server receives a maliciously crafted JWT.
- User and claims activation revocation checks.
- Panic on shutdown while accepting TLS client connections.
- Added defensive code for handling of Leafnode connections.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
This is based on branch_2_1_x and includes the following fixes:
[FIXED] Allow response permissions to work across accounts
[FIXED] Race condition during implicit Gateway reconnection
[FIXED] Possible stall on shutdown with leafnode setup
[FIXED] Possible removal of interest on queue subs with leaf nodes
[FIXED] Unsubscribe may not be propagated through a leaf node
[FIXED] LeafNode solicit failure race could leave conn registered
[FIXED] Handling or real duplicate subscription
[FIXED] Log file size limit not honored after re-open signal
[FIXED] Connection name in log statement for some IPv6 addresses
[FIXED] Better support for distinguishedNameMatch in TLS Auth
[FIXED] Error when importing an account results in an error
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
- Call flushOutbound() for SYSTEM connections
- Flush in place in internalSendLoop when sending the shutdown event
- Fix some tests:
- missing defer client connection Close()
- ensure subs are registered and messages received before shutdown
of leafnode server to check disconnected event's stats.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
When a duplicate route is detected and closed, we need to clear
the route's hash in order to prevent the removal from the
server's routeByHash map.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
Currently, the config file doesn't recognize the latency config block in
account exports. This change exposes those settings in the config file.
Signed-off-by: Jaime Piña <jaime@synadia.com>
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
This was introduced in PR#930. The first commit had the route's
check if the flushOutbound() returned false, and if so would
locally unlock/lock the connection's lock. Unfortunately, this
was replaced in the second commit (a6aeed3a6b)
to the flushOutbound() function itself.
This causes the function closeConnection() to possibly unlock
the connection while calling flushOutbound(), which if the
connection is closed due to both a tls timeout for instance
and explicitly, it would result in the connection being scheduled
for a reconnect (if explicit gateway connection, possibly route).
Added defensive code in Gateway to register a unique outbound gateway.
Fixed a test that was now failing with newer Go version in which
they fixed url.Parse()
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
Take into account tracking of response maps that are created and do proper cleanup.
Also fixes#1089 which was discovered while working on this.
Signed-off-by: Derek Collison <derek@nats.io>
Bump default TLS timeout for leafnode connections
Add checks for when cert_file or key_file are missing in TLS config
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
Changed the introduced new option and added a new one. The idea
is to be able to differentiate between never connected and reconnected
event. The never connected situation will be logged at first attempt
and every hour (by default, configurable).
However, once connected and if trying to reconnect, will report every
attempts by default, but this is configurable too.
These two options are supported for config reload.
Related to #1000
Related to #1001Resolves#969
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
If the first protocol for an inbound gateway connection is not
CONNECT, reject with auth violation.
Fixes#1006
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
This is a continuation of #1000. Added a configuration to specify
the number of attempts at which the repeated error is reported.
The algo is now to print only the 1st attempt and when current
attempt % <this config param> == 0.
Resolves#969
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
