
fix(nats): validate cert+key parity at config time #459

Merged: mvillmow merged 1 commit into main from 276-auto-impl on Apr 26, 2026

@mvillmow
Collaborator

Summary

Addresses issue #276 — validate that cert+key are both set or both empty at config time.

Added NatsTlsConfig::validate() method that ensures client_cert_path and client_key_path are either both set or both empty, throwing std::invalid_argument if misconfiguration is detected.

Validation now occurs in NatsConfig constructors and assignment operators to catch errors at construction time rather than during connect().

Changes

  • Added NatsTlsConfig::validate() method with comprehensive validation logic that checks env vars and config fields
  • Added explicit NatsConfig default, copy, and move constructors/operators that call tls.validate()
  • Updated applyTlsOptions() to remove duplicate validation check (now guaranteed by constructor)
  • Added 8 comprehensive unit tests covering all validation scenarios

Test Coverage

  • ✓ Both cert and key set (valid)
  • ✓ Both cert and key empty (valid)
  • ✓ Cert without key (throws std::invalid_argument)
  • ✓ Key without cert (throws std::invalid_argument)
  • ✓ Copy constructor validation
  • ✓ Copy assignment validation
  • ✓ Move semantics preserved

🤖 Generated with Claude Code

@mvillmow mvillmow enabled auto-merge (rebase) April 26, 2026 00:23
@github-actions

✅ Dependency Audit

Severity Count
Critical 0
High 0
Medium 0
Low 0

See the Security tab for detailed findings.


Workflow: Dependency Audit

@github-actions

Security Scan Results

  • ❌ Secret Scanning: Potential secrets found
  • ✅ SAST: Completed (check Security tab for details)
  • ✅ Dependency Scanning: Completed
  • ✅ C++ Static Analysis: Completed
  • ✅ Docker Image Scanning: 0 high, 22 medium vulnerabilities (acceptable)

Recommendations

  • Review findings in the GitHub Security tab
  • Check artifact uploads for detailed reports
  • Address critical Docker vulnerabilities immediately

Workflow: Security Scanning

…#276)

Add NatsTlsConfig::validate() method that ensures client_cert_path and
client_key_path are either both set or both empty, throwing
std::invalid_argument if misconfiguration is detected. Call validate() in
NatsConfig constructors and assignment operators to catch errors at
construction time rather than during connect().

Updated applyTlsOptions() to remove duplicate validation check since
parity is now guaranteed by constructor validation.

Added comprehensive unit tests covering all validation scenarios:
- both cert and key set (valid)
- both cert and key empty (valid)
- cert without key (throws)
- key without cert (throws)
- copy constructor validation
- copy assignment validation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mvillmow mvillmow merged commit 811a56a into main Apr 26, 2026
8 of 9 checks passed
@mvillmow mvillmow deleted the 276-auto-impl branch April 26, 2026 18:30
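
The parity rule described in the PR summary and commit message above, as an added C++ sketch that is not the project's code: `TlsConfig`, `Config`, `set_tls`, `rejected`, `setter_is_atomic` and the file paths are hypothetical, and only the two field names and the `std::invalid_argument` behaviour come from the page. It goes slightly beyond the PR text by keeping the TLS fields behind a validating setter (an assumption of this example), so the both-or-neither invariant also holds for changes made after construction; the env-var checks the PR mentions are not modelled.

```cpp
// Added sketch, not the project's code. Field names and the exception type
// come from the PR text; every other name and path here is hypothetical.
#include <stdexcept>
#include <string>
#include <utility>

struct TlsConfig {  // stands in for NatsTlsConfig
    std::string client_cert_path;
    std::string client_key_path;
    // Parity rule: both paths set, or both empty. Anything else is a
    // half-configured client identity and is rejected immediately.
    void validate() const {
        if (client_cert_path.empty() == client_key_path.empty()) return;
        throw std::invalid_argument(client_cert_path.empty()
            ? "tls: client_key_path set without client_cert_path"
            : "tls: client_cert_path set without client_key_path");
    }
};

class Config {  // stands in for NatsConfig
public:
    Config() = default;
    explicit Config(TlsConfig tls) : tls_(std::move(tls)) { tls_.validate(); }
    // Validate the candidate before committing it, so a rejected update
    // leaves the previous (valid) settings in place.
    void set_tls(TlsConfig tls) { tls.validate(); tls_ = std::move(tls); }
    const TlsConfig& tls() const { return tls_; }
private:
    TlsConfig tls_;
};

// True when building a Config from (cert, key) throws at construction.
bool rejected(const std::string& cert, const std::string& key) {
    try { Config cfg(TlsConfig{cert, key}); (void)cfg; return false; }
    catch (const std::invalid_argument&) { return true; }
}

// True when a failed set_tls() keeps the earlier valid pair untouched.
bool setter_is_atomic() {
    Config cfg(TlsConfig{"/constructed/a.pem", "/constructed/a.key"});
    try { cfg.set_tls(TlsConfig{"/constructed/b.pem", ""}); }
    catch (const std::invalid_argument&) {}
    return cfg.tls().client_cert_path == "/constructed/a.pem" &&
           cfg.tls().client_key_path == "/constructed/a.key";
}

int main() {
    return (rejected("/constructed/a.pem", "") && setter_is_atomic()) ? 0 : 1;
}
```

Failing at construction matters for mutual TLS because a client that silently ignores a lone certificate or key would otherwise reach `connect()` without the identity the operator intended to present.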