Only use passwd auth if NATS requires it

cloudfoundry · Dec 3, 2021 · 4c86d55 · 4c86d55
1 parent 5ec2bff
commit 4c86d55
Show file tree

Hide file tree

Showing 5 changed files with 98 additions and 16 deletions.
diff --git a/jobs/gorouter/templates/gorouter.yml.erb b/jobs/gorouter/templates/gorouter.yml.erb
@@ -1,14 +1,19 @@
 ---
 <%=
-def property_or_link(description, property, link_path, link_name=nil)
+def property_or_link(description, property, link_path, link_name=nil, optional=false)
   link_name ||= link_path.split('.').first
   if_p(property) do |prop|
     return prop
   end.else do
     if_link(link_name) do |link_object|
-      return link_object.p(link_path)
+      link_object.if_p(link_path) do |prop|
+        return prop
+      end
     end
   end
+  if optional
+    return nil
+  end
   raise RuntimeError, "#{description} not found in properties nor in \"#{link_name}\" link. This value can be specified using the \"#{property}\" property."
 end
 
@@ -128,18 +133,26 @@ end.else do
 end
 nats['hosts'] = nats_machines.map { |hostname| {'hostname' => hostname, 'port' => nats_port} }
 
-nats['user'] = property_or_link(
+nats_user = property_or_link(
   'NATS server username',
   'nats.user',
   "nats.user",
   link_name=nats_link_name,
+  optional=true,
 )
-nats['pass'] = property_or_link(
+if nats_user
+  nats['user'] = nats_user
+end
+nats_pass = property_or_link(
   'NATS server username',
   'nats.password',
   "nats.password",
   link_name=nats_link_name,
+  optional=true,
 )
+if nats_pass
+  nats['pass'] = nats_pass
+end
 
 params['nats'] = nats
 

diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
@@ -50,9 +50,9 @@ properties:
     description: Enable connecting to NATS server via TLS.
     default: false
   nats.tls.client_cert:
-    description: "PEM-encoded certificate for the route-emitter to present to NATS for verification when connecting via TLS."
+    description: "PEM-encoded certificate for the route-registrar to present to NATS for verification when connecting via TLS."
   nats.tls.client_key:
-    description: "PEM-encoded private key for the route-emitter to present to NATS for verification when connecting via TLS."
+    description: "PEM-encoded private key for the route-registrar to present to NATS for verification when connecting via TLS."
 
   host:
     description: (string, optional) By default, route_registrar will detect the IP of the VM and use it, in combination with port as the backend destination for each uri being registered. This property enables overriding the destination hostname or IP.

diff --git a/jobs/route_registrar/templates/registrar_settings.json.erb b/jobs/route_registrar/templates/registrar_settings.json.erb
@@ -28,22 +28,35 @@
   if_p('nats.user') do |prop|
     nats_user = prop
   end.else_if_link(nats_link_name) do |nats_link|
-    nats_user = nats_link.p("nats.user")
+    nats_link.if_p("nats.user") do |prop|
+      nats_user = prop
+    end
   end
 
   nats_password = nil
   if_p('nats.password') do |prop|
     nats_password = prop
   end.else_if_link(nats_link_name) do |nats_link|
-    nats_password = nats_link.p("nats.password")
+    nats_link.if_p("nats.password") do |prop|
+      nats_password = prop
+    end
   end
 
-  message_bus_servers = nats_machines.map do |host|
-    {
-      host: "#{host}:#{nats_port}",
-      user: "#{nats_user}",
-      password: "#{nats_password}"
-    }
+  message_bus_servers = nil
+  if nats_user and nats_password
+    message_bus_servers = nats_machines.map do |host|
+      {
+        host: "#{host}:#{nats_port}",
+        user: "#{nats_user}",
+        password: "#{nats_password}"
+      }
+    end
+  else
+    message_bus_servers = nats_machines.map do |host|
+      {
+        host: "#{host}:#{nats_port}"
+      }
+    end
   end
 
   routes = p('route_registrar.routes')

diff --git a/spec/gorouter_templates_spec.rb b/spec/gorouter_templates_spec.rb
@@ -509,7 +509,7 @@
         end
       end
 
-      context 'certficate authorities' do
+      context 'certificate authorities' do
         context 'client_ca_certs' do
           context 'are not provided' do
             before do
@@ -610,7 +610,7 @@
             before do
               deployment_manifest_fragment['router']['ca_certs'] = test_certs
             end
-            it 'suceessfully configures the property' do
+            it 'successfully configures the property' do
               expect(parsed_yaml['ca_certs']).to eq(test_certs)
             end
           end
@@ -765,6 +765,33 @@
           )
         end
 
+        describe 'optional authentication' do
+          let(:nats) { parsed_yaml['nats'] }
+
+          context 'when username and password are provided' do
+            before do
+              deployment_manifest_fragment['nats']['user'] = 'nats'
+              deployment_manifest_fragment['nats']['password'] = 'stan'
+            end
+
+            it 'contains auth information' do
+              expect(nats['user']).to eq('nats')
+              expect(nats['pass']).to eq('stan')
+            end
+          end
+          context 'when username and password are not provided' do
+            before do
+              deployment_manifest_fragment['nats']['user'] = nil
+              deployment_manifest_fragment['nats']['password'] = nil
+            end
+
+            it 'omits auth information' do
+              expect(nats['user']).to be_nil
+              expect(nats['pass']).to be_nil
+            end
+          end
+        end
+
         describe 'ca_certs' do
           let(:ca_certs) { parsed_yaml['nats']['ca_certs'] }
 

diff --git a/spec/route_registar_templates_spec.rb b/spec/route_registar_templates_spec.rb
@@ -269,6 +269,35 @@
       end
     end
 
+    context 'when nats-tls link is present with mTLS authentication only' do
+      let(:links) do
+        [
+          Bosh::Template::Test::Link.new(
+            name: 'nats-tls',
+            properties: {
+              'nats' => {
+                'hostname' => 'nats-tls-host', 'port' => 9090
+              }
+            },
+            instances: [Bosh::Template::Test::LinkInstance.new(address: 'my-nats-tls-ip')]
+          )
+        ]
+      end
+
+      context 'when mTLS is enabled for NATS' do
+        it 'renders with the nats-tls properties without password authentication' do
+          merged_manifest_properties['nats'] = { 'tls' => { 'enabled' => true } }
+
+          rendered_hash = JSON.parse(template.render(merged_manifest_properties, consumes: links))
+          expect(rendered_hash['nats_mtls_config']['enabled']).to be true
+          expect(rendered_hash['message_bus_servers'].length).to eq(1)
+          expect(rendered_hash['message_bus_servers'][0]['host']).to eq('nats-tls-host:9090')
+          expect(rendered_hash['message_bus_servers'][0]['user']).to be_nil
+          expect(rendered_hash['message_bus_servers'][0]['password']).to be_nil
+        end
+      end
+    end
+
     describe 'routing_api' do
       context 'when routing_api is mtls only' do
         let(:links) do