Merge 72a1a68 into 8dfce4b

conf/parse.go

@@ -57,6 +57,9 @@ type parser struct {
 
 	// pedantic reports error when configuration is not correct.
 	pedantic bool
+
+	// includes is the list of files that have been included.
+	includes []string
 }
 
 // Parse will return a map of keys to interface{}, although concrete types
@@ -84,18 +87,18 @@ func ParseFile(fp string) (map[string]interface{}, error) {
 	return p.mapping, nil
 }
 
-func ParseFileWithChecks(fp string) (map[string]interface{}, error) {
+func ParseFileWithChecks(fp string) (map[string]interface{}, []string, error) {
 	data, err := ioutil.ReadFile(fp)
 	if err != nil {
-		return nil, fmt.Errorf("error opening config file: %v", err)
+		return nil, nil, fmt.Errorf("error opening config file: %v", err)
 	}
 
 	p, err := parse(string(data), fp, true)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
-	return p.mapping, nil
+	return p.mapping, p.includes, nil
 }
 
 type token struct {
@@ -319,11 +322,17 @@ func (p *parser) processItem(it item, fp string) error {
 		}
 	case itemInclude:
 		var (
-			m   map[string]interface{}
-			err error
+			m        map[string]interface{}
+			includes []string
+			err      error
 		)
 		if p.pedantic {
-			m, err = ParseFileWithChecks(filepath.Join(p.fp, it.val))
+			p.includes = append(p.includes, it.val)
+
+			m, includes, err = ParseFileWithChecks(filepath.Join(p.fp, it.val))
+			if len(includes) > 0 {
+				p.includes = append(p.includes, includes...)
+			}
 		} else {
 			m, err = ParseFile(filepath.Join(p.fp, it.val))
 		}

main.go

@@ -31,6 +31,8 @@ Server Options:
     -m, --http_port <port>           Use port for http monitoring
     -ms,--https_port <port>          Use port for https monitoring
     -c, --config <file>              Configuration file
+    -key, --config_key <file>        Server nkey used to verify config signatures
+    -sig, --config_sig <file>        File with signatures to verify configuration
     -sl,--signal <signal>[=<pid>]    Send signal to gnatsd process (stop, quit, reopen, reload)
         --client_advertise <string>  Client URL to advertise to other servers
     -t                               Test configuration and exit

server/config_sign_test.go

@@ -0,0 +1,127 @@
+// Copyright 2018 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"os"
+	"testing"
+
+	"github.com/nats-io/nkeys"
+)
+
+func TestSignedConfigSingleFile(t *testing.T) {
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: "./configs/single_file_signed.sig",
+	}
+	err := opts.ProcessConfigFile("./configs/single_file_signed.conf")
+	if err != nil {
+		t.Fatalf("Unexpected error: %s", err)
+	}
+}
+
+func TestSignedConfigSingleFileBadSignature(t *testing.T) {
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: "./configs/single_file_signed_bad.sig",
+	}
+	err := opts.ProcessConfigFile("./configs/single_file_signed.conf")
+	if err == nil {
+		t.Fatalf("Expected error when using config with wrong signature")
+	}
+	if err != nkeys.ErrInvalidSignature {
+		t.Errorf("Expected invalid signature error, got: %s'", err)
+	}
+}
+
+func TestSignedConfigIncludes(t *testing.T) {
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: "./configs/included_files.sig",
+	}
+	err := opts.ProcessConfigFile("./configs/included_files.conf")
+	if err != nil {
+		t.Fatalf("Unexpected error: %s", err)
+	}
+}
+
+func TestSignedConfigIncludesBadSignature(t *testing.T) {
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: "./configs/included_files_bad.sig",
+	}
+	err := opts.ProcessConfigFile("./configs/included_files.conf")
+	if err != nkeys.ErrInvalidSignature {
+		t.Errorf("Expected invalid signature error, got: %s'", err)
+	}
+}
+
+func TestSignedConfigIncludesWithIncludes(t *testing.T) {
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: "./configs/included_files_with_includes.sig",
+	}
+	err := opts.ProcessConfigFile("./configs/included_files_with_includes.conf")
+	if err != nil {
+		t.Fatalf("Unexpected error: %s", err)
+	}
+}
+
+func TestSignedConfigIncludesWithIncludesBadSignature(t *testing.T) {
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: "./configs/included_files_with_includes_bad.sig",
+	}
+	err := opts.ProcessConfigFile("./configs/included_files_with_includes.conf")
+	if err != nkeys.ErrInvalidSignature {
+		t.Errorf("Expected invalid signature error, got: %s'", err)
+	}
+}
+
+func TestSignedConfigIncludesWithMissingSignature(t *testing.T) {
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: "./configs/included_files_with_missing_signature.sig",
+	}
+	err := opts.ProcessConfigFile("./configs/included_files_with_includes.conf")
+	if err == nil {
+		t.Fatalf("Expected error about file with missing signature")
+	}
+
+	got := err.Error()
+	expected := `nats: found included file without signature: "configs/cncf_includes.conf"`
+	if got != expected {
+		t.Errorf("Expected error about missing file, got: %s'", err)
+	}
+}
+
+func TestSignedConfigIncludesWithInvalidSigfile(t *testing.T) {
+	conf := createConfFile(t, []byte("foo bar quux"))
+	defer os.Remove(conf)
+
+	opts := &Options{
+		ConfigKey:     "./configs/config.nkey",
+		ConfigSigFile: conf,
+	}
+	err := opts.ProcessConfigFile("./configs/single_file_signed.conf")
+	if err == nil {
+		t.Fatalf("Expected error about file with missing signature")
+	}
+
+	got := err.Error()
+	expected := `nats: invalid sigfile`
+	if got != expected {
+		t.Errorf("Expected error about invalid signature, got: %s'", err)
+	}
+}

server/configs/cncf_includes.conf

@@ -0,0 +1,11 @@
+  # + cncf < synadia
+  cncf {
+    # SAAFHDZX7SGZ2SWHPS22JRPPK5WX44NPLNXQHR5C5RIF6QRI3U65VFY6C4
+    nkey = "AD4YRVUJF2KASKPGRMNXTYKIYSCB3IHHB4Y2ME6B2PDIV5QJ23C2ZRIT"
+
+    imports = [
+      { stream: { account: "synadia", subject: "synadia.>" }, prefix: "imports.cncf" }
+    ]
+
+    include "users/cncf_users.conf"
+  }

server/configs/cncf_single_file.conf

@@ -0,0 +1,16 @@
+# + cncf < synadia
+cncf {
+  # SAAFHDZX7SGZ2SWHPS22JRPPK5WX44NPLNXQHR5C5RIF6QRI3U65VFY6C4
+  nkey = "AD4YRVUJF2KASKPGRMNXTYKIYSCB3IHHB4Y2ME6B2PDIV5QJ23C2ZRIT"
+
+  imports = [
+    { stream: { account: "synadia", subject: "synadia.>" }, prefix: "imports.cncf" }
+  ]
+
+ users [
+   {
+     # SUAKINP3Z2BPUXWOFSW2FZC7TFJCMMU7DHKP2C62IJQUDASOCDSTDTRMJQ
+     nkey = "UB57IEMPG4KOTPFV5A66QKE2HZ3XBXFHVRCCVMJEWKECMVN2HSH3VTSJ"
+   }
+ ]
+}

server/configs/config.nkey

@@ -0,0 +1 @@
+SNANNISEGYRTQSLTFQGOS5U34CXMGYENXZVNUMME2R3BVOLK6FH44OXP24

server/configs/included_files.conf

@@ -0,0 +1,14 @@
+authorization {
+  timeout = 5
+}
+
+http_port = 8222
+
+debug = true
+trace = true
+
+accounts {
+  include "synadia_single_file.conf"
+  include "nats_io_single_file.conf"
+  include "cncf_single_file.conf"
+}

server/configs/included_files.sig

@@ -0,0 +1,4 @@
+tVKrG/8xsL04ugE/PSmA0XL6vxHwac2poCPDIrlKrqsxVlipuK+++ZGguudqRf35uPYJ6q7coCH8yBf5xH5BBA== included_files.conf
+ag0blntFme4s5v2saTcIKNsq3cW975JeTjSYa+K4PHPssWbzx/ZZWvSgmTyzYbl1YaqYI2SR6Rmd5Pf49DK5DA== synadia_single_file.conf
+URMDSgplaAOgm1A0bFzAaQHNe2LC4EbyEUa9DeDqJKYDxiE4OktX8uvpPIxopXyYgzPmnhIsurbhSX7sX187DA== nats_io_single_file.conf
+R9C13yikP5+nYMyuo/I6wpfMIpn6pMfB/mKB2PlNBddnnuaTliaxlOUodXp1bA/4Fu7Xuj3+6fhxnNlh6tusAw== cncf_single_file.conf

server/configs/included_files_bad.sig

@@ -0,0 +1,4 @@
+cgJAA0KXziprluSd4fGSxFfq0y5c1t2hfE9VXojDQ6hVy5Lj1aNyevhr4vKhvnqEsDbCQBVYZKBeTLDY2oIZCQ== included_files.conf
+InXG1vldPuqnpEw++b7fh7pmeqggWnM8s/YSwfMbx94jWMJ/4tC2V/MywufrpuuBVzlFjSLuyPuNIuvNO0GFCA== synadia_single_file.conf
+BXj8RlXhQGO/RA4aB1UVQMDXr0Z3QuJZK6UrmgkZEAq9uTuhg1ls1RRdv9fsrIMs2vZgWTgpPbl5HMMJf+i0Dw== nats_io_single_file.conf
+OWnHvUSK1FD14HGVufsHQlh2T28ci7NCJYXpI5k98WBL8H01BZoFtrWGlbqN/8YCvNPm6lADhLbWLI4BgnE7AA== cncf_single_file.conf

server/configs/included_files_with_includes.conf

@@ -0,0 +1,14 @@
+authorization {
+  timeout = 5
+}
+
+http_port = 8222
+
+debug = true
+trace = true
+
+accounts {
+  include "synadia_includes.conf"
+  include "nats_io_includes.conf"
+  include "cncf_includes.conf"
+}

server/configs/included_files_with_includes.sig

@@ -0,0 +1,7 @@
+1v7lJAm2HH158M6cEw8xFGYRIYGfeEQ5nUL2bhEOpFWoJudk26AekhKfAHYNhRzEC7cmd7nPFuJh//rirEHiAw== included_files_with_includes.conf
+9C4nB9rPQtuZgehmFEcPfx0Mylv5isuy94bH8B5k2Yt+mmdZMklU8dAfou1nek8Wzk5kBAxqKZIy6FxvbDN1DQ== synadia_includes.conf
+IjHvhvU3cw8K05BGJfCzOxt5b3XfpID/W6PuJjgtDwugqzM83DG4ch3iviT0biQR673bIc2nfrmh9L7lEo73BQ== nats_io_includes.conf
+/HpsO0iinOImVQ3bc0auCnns8F7fA9bMc4KookFsD6ku/ZPVndPE9eN4obhK470Jc2mqvu+jENGtRpfhcyQsAQ== cncf_includes.conf
+2SFjs3jfrHhlQHsIvNCmaMDYnynT+ifCU9xGGxMlmXTRAipSjy/PHKw0xCB9QHwzjsAu7cSeNhvfUX0cZa1UAQ== users/synadia_users.conf
+V+7Q6CZ8/q28EUXXtlOGZIR3bS+aiGowT2YlnQ8sYZhLQH0n1RTnNRxcPKwtJl8vc/ia2uXMW6rbXzznW77GCQ== users/nats_io_users.conf
+bSinepe191bpbNVrjJPiIjUtYwDt4j2OSAQKA/AOF6hXlXDwXC1RbZFHJe0CwiupK4Gas5NjuIevBuhdisZoBQ== users/cncf_users.conf

server/configs/included_files_with_includes_bad.sig

@@ -0,0 +1,7 @@
+Av7lJAm2HH158M6cEw8xFGYRIYGfeEQ5nUL2bhEOpFWoJudk26AekhKfAHYNhRzEC7cmd7nPFuJh//rirEHiAw== included_files_with_includes.conf
+9C4nB9rPQtuZgehmFEcPfx0Mylv5isuy94bH8B5k2Yt+mmdZMklU8dAfou1nek8Wzk5kBAxqKZIy6FxvbDN1DQ== synadia_includes.conf
+fs0iOrlaUqmqZwoTksWDxwrk4EcYKj2m9K9P24/9ACD5C+0P3nc5pzsxIYmXQLUJHgIo/XhZe8BCukJyIrBsBg== nats_io_includes.conf
+/HpsO0iinOImVQ3bc0auCnns8F7fA9bMc4KookFsD6ku/ZPVndPE9eN4obhK470Jc2mqvu+jENGtRpfhcyQsAQ== cncf_includes.conf
+2SFjs3jfrHhlQHsIvNCmaMDYnynT+ifCU9xGGxMlmXTRAipSjy/PHKw0xCB9QHwzjsAu7cSeNhvfUX0cZa1UAQ== users/synadia_users.conf
+V+7Q6CZ8/q28EUXXtlOGZIR3bS+aiGowT2YlnQ8sYZhLQH0n1RTnNRxcPKwtJl8vc/ia2uXMW6rbXzznW77GCQ== users/nats_io_users.conf
+bSinepe191bpbNVrjJPiIjUtYwDt4j2OSAQKA/AOF6hXlXDwXC1RbZFHJe0CwiupK4Gas5NjuIevBuhdisZoBQ== users/cncf_users.conf

server/configs/included_files_with_missing_signature.sig

@@ -0,0 +1,7 @@
+1v7lJAm2HH158M6cEw8xFGYRIYGfeEQ5nUL2bhEOpFWoJudk26AekhKfAHYNhRzEC7cmd7nPFuJh//rirEHiAw== included_files_with_includes.conf
+9C4nB9rPQtuZgehmFEcPfx0Mylv5isuy94bH8B5k2Yt+mmdZMklU8dAfou1nek8Wzk5kBAxqKZIy6FxvbDN1DQ== synadia_includes.conf
+IjHvhvU3cw8K05BGJfCzOxt5b3XfpID/W6PuJjgtDwugqzM83DG4ch3iviT0biQR673bIc2nfrmh9L7lEo73BQ== nats_io_includes.conf
+# /HpsO0iinOImVQ3bc0auCnns8F7fA9bMc4KookFsD6ku/ZPVndPE9eN4obhK470Jc2mqvu+jENGtRpfhcyQsAQ== cncf_includes.conf
+2SFjs3jfrHhlQHsIvNCmaMDYnynT+ifCU9xGGxMlmXTRAipSjy/PHKw0xCB9QHwzjsAu7cSeNhvfUX0cZa1UAQ== users/synadia_users.conf
+V+7Q6CZ8/q28EUXXtlOGZIR3bS+aiGowT2YlnQ8sYZhLQH0n1RTnNRxcPKwtJl8vc/ia2uXMW6rbXzznW77GCQ== users/nats_io_users.conf
+bSinepe191bpbNVrjJPiIjUtYwDt4j2OSAQKA/AOF6hXlXDwXC1RbZFHJe0CwiupK4Gas5NjuIevBuhdisZoBQ== users/cncf_users.conf

server/configs/nats_io_includes.conf

@@ -0,0 +1,13 @@
+#
+# + nats < synadia
+#
+nats {
+  # SUAJTM55JH4BNYDA22DMDZJSRBRKVDGSLYK2HDIOCM3LPWCDXIDV5Q4CIE
+  nkey = "ADRZ42QBM7SXQDXXTSVWT2WLLFYOQGAFC4TO6WOAXHEKQHIXR4HFYJDS"
+
+  imports = [
+    { stream: { account: "synadia", subject: "synadia.>" }, prefix: "imports.nats" }
+  ]
+
+ include "users/nats_io_users.conf"
+}

server/configs/nats_io_single_file.conf

@@ -0,0 +1,18 @@
+#
+# + nats < synadia
+#
+nats {
+  # SUAJTM55JH4BNYDA22DMDZJSRBRKVDGSLYK2HDIOCM3LPWCDXIDV5Q4CIE
+  nkey = "ADRZ42QBM7SXQDXXTSVWT2WLLFYOQGAFC4TO6WOAXHEKQHIXR4HFYJDS"
+
+  imports = [
+    { stream: { account: "synadia", subject: "synadia.>" }, prefix: "imports.nats" }
+  ]
+
+ users [
+   {
+     # SUADZTYQAKTY5NQM7XRB5XR3C24M6ROGZLBZ6P5HJJSSOFUGC5YXOOECOM
+     nkey = "UD6AYQSOIN2IN5OGC6VQZCR4H3UFMIOXSW6NNS6N53CLJA4PB56CEJJI"
+   }
+ ]
+}

server/configs/single_file_signed.conf

@@ -0,0 +1,6 @@
+port = 4242
+
+http_port = 8282
+
+debug = true
+trace = true

server/configs/single_file_signed.sig

@@ -0,0 +1 @@
+KYZF6QegDbMmdUeh+D8gx/hYr4XO+91+xUTiXLRYa8tyiqifbRgrMo/r1TacP46d8iOTW1jz60PTXL3iwRCWBQ==

server/configs/single_file_signed_bad.sig

@@ -0,0 +1 @@
+AYZF6QegDbMmdUeh+D8gx/hYr4XO+91+xUTiXLRYa8tyiqifbRgrMo/r1TacP46d8iOTW1jz60PTXL3iwRCWBQ==

server/configs/synadia_includes.conf

@@ -0,0 +1,14 @@
+  #
+  # + synadia > nats.io, cncf
+  #
+  synadia {
+    # SAADJL5XAEM6BDYSWDTGVILJVY54CQXZM5ZLG4FRUAKB62HWRTPNSGXOHA
+    nkey = "AC5GRL36RQV7MJ2GT6WQSCKDKJKYTK4T2LGLWJ2SEJKRDHFOQQWGGFQL"
+
+    exports = [
+      # All events on synadia.> are public events
+      { stream: "synadia.>" }
+    ]
+
+    include "users/synadia_users.conf"
+  }

server/configs/synadia_single_file.conf

@@ -0,0 +1,19 @@
+#
+# + synadia > nats.io, cncf
+#
+synadia {
+  # SAADJL5XAEM6BDYSWDTGVILJVY54CQXZM5ZLG4FRUAKB62HWRTPNSGXOHA
+  nkey = "AC5GRL36RQV7MJ2GT6WQSCKDKJKYTK4T2LGLWJ2SEJKRDHFOQQWGGFQL"
+
+  exports = [
+    # All events on synadia.> are public events
+    { stream: "synadia.>" }
+  ]
+
+  users [
+    {
+      # SUAEL6RU3BSDAFKOHNTEOK5Q6FTM5FTAMWVIKBET6FHPO4JRII3CYELVNM
+      nkey = "UCARKS2E3KVB7YORL2DG34XLT7PUCOL2SVM7YXV6ETHLW6Z46UUJ2VZ3"
+    }
+  ]
+}

server/configs/users/cncf_users.conf

@@ -0,0 +1,6 @@
+users [
+  {
+    # SUAKINP3Z2BPUXWOFSW2FZC7TFJCMMU7DHKP2C62IJQUDASOCDSTDTRMJQ
+    nkey = "UB57IEMPG4KOTPFV5A66QKE2HZ3XBXFHVRCCVMJEWKECMVN2HSH3VTSJ"
+  }
+]

server/configs/users/nats_io_users.conf

@@ -0,0 +1,6 @@
+users [
+  {
+    # SUADZTYQAKTY5NQM7XRB5XR3C24M6ROGZLBZ6P5HJJSSOFUGC5YXOOECOM
+    nkey = "UD6AYQSOIN2IN5OGC6VQZCR4H3UFMIOXSW6NNS6N53CLJA4PB56CEJJI"
+  }
+]

server/configs/users/synadia_users.conf

@@ -0,0 +1,6 @@
+users [
+ {
+   # SUAEL6RU3BSDAFKOHNTEOK5Q6FTM5FTAMWVIKBET6FHPO4JRII3CYELVNM
+   nkey = "UCARKS2E3KVB7YORL2DG34XLT7PUCOL2SVM7YXV6ETHLW6Z46UUJ2VZ3"
+ }
+]