

Support using TLS cert subject to auth user
Signed-off-by: Waldemar Quevedo <wally@synadia.com>
wallyqs committed Feb 6, 2019
1 parent 46a2661 commit 7645d95
Showing 11 changed files with 305 additions and 7 deletions.
29 changes: 24 additions & 5 deletions server/auth.go
Expand Up @@ -144,6 +144,12 @@ func (s *Server) checkAuthforWarnings() {
warn = true
}
for _, u := range s.users {
// Skip warn if using TLS certs based auth
// unless a password has been left in the config.
if u.Password == "" && s.opts.TLSMap {
continue
}

if !isBcrypt(u.Password) {
warn = true
break
Expand Down Expand Up @@ -319,24 +325,37 @@ func (s *Server) isClientAuthorized(c *client) bool {
if len(tlsState.PeerCertificates) > 1 {
c.Debugf("Multiple peer certificates found, selecting first")
}
if len(cert.EmailAddresses) == 0 {

hasEmailAddresses := len(cert.EmailAddresses) > 0
hasSubject := len(cert.Subject.String()) > 0
if !hasEmailAddresses && !hasSubject {
c.Debugf("User required in cert, none found")
s.mu.Unlock()
return false
}
euser := cert.EmailAddresses[0]

var euser string
if hasEmailAddresses {
euser = cert.EmailAddresses[0]
if len(cert.EmailAddresses) > 1 {
c.Debugf("Multiple users found in cert, selecting first [%q]", euser)
}
} else {
euser = cert.Subject.String()
}
user, ok = s.users[euser]
if !ok {
c.Debugf("User in cert [%q], not found", euser)
s.mu.Unlock()
return false
}
if len(cert.EmailAddresses) > 1 {
c.Debugf("Multiple users found in cert, selecting first [%q]", euser)
}

if c.opts.Username != "" {
s.Warnf("User found in connect proto, but user required from cert - %v", c)
}
// Already checked that the client didn't send a user in connect
// but we set it here to be able to identify it in the logs.
c.opts.Username = euser
} else if c.opts.Username != "" {
user, ok = s.users[c.opts.Username]
if !ok {
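Review bot: The new comment `// Already checked that the client didn't send a user in connect` is inaccurate: the block just above only calls `s.Warnf` when `c.opts.Username != ""` and continues, so a username supplied in CONNECT is silently overridden by the cert identity, not rejected; suggest `// A username in CONNECT is only warned about above, not rejected; overwrite it with the cert identity so logs name the authenticated user.` Separately, `cert.Subject.String()` is evaluated twice (the `hasSubject` check and the else branch); hoisting `subject := cert.Subject.String()` once keeps the check and the lookup key in step, and a comment should say that the configured `user` has to match Go's RFC 2253 rendering of the DN exactly (e.g. `CN=example.com,OU=NATS.io`, as in the new tls_cert_cn.conf), since any other attribute order or escaping will not match. Note also that a cert carrying an email SAN never falls back to its subject: only `cert.EmailAddresses[0]` is tried as a key, which is fine if intentional but worth stating in the comment. isClientAuthorized continues outside the hunk.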
4 changes: 2 additions & 2 deletions server/client.go
Expand Up @@ -203,8 +203,8 @@ type outbound struct {
pb int32 // Total pending/queued bytes.
pm int32 // Total pending/queued messages.
sg *sync.Cond // Flusher conditional for signaling.
wdl time.Duration // Snapshot fo write deadline.
mp int32 // snapshot of max pending.
wdl time.Duration // Snapshot of write deadline.
mp int32 // Snapshot of max pending.
fsp int32 // Flush signals that are pending from readLoop's pcd.
lft time.Duration // Last flush time.
sgw bool // Indicate flusher is waiting on condition wait.
21 changes: 21 additions & 0 deletions test/configs/certs/tlsauth/ca.pem
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDaDCCAlCgAwIBAgIUWyR/qbLooFMu+VcvmQhLAjokntQwDQYJKoZIhvcNAQEL
BQAwTDEkMCIGA1UEChMbU3luYWRpYSBDb21tdW5pY2F0aW9ucyBJbmMuMRAwDgYD
VQQLEwdOQVRTLmlvMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTkwMjA0MTk1MDAw
WhcNMjQwMjAzMTk1MDAwWjBMMSQwIgYDVQQKExtTeW5hZGlhIENvbW11bmljYXRp
b25zIEluYy4xEDAOBgNVBAsTB05BVFMuaW8xEjAQBgNVBAMTCWxvY2FsaG9zdDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN9ryA3PTdAPjC2VQkjy9JXJ
bOq2GpvGU+2/gC3TNRXOPJ5ZVy4svV8C9VA9t8gIbQHTYMzBFxyGz0+a/9+DEXot
crcVvsqaE5mewU9yjifDqUCGqOn9fo/zsYwD96KYtukEZ73D1Pyv+7EmkHNYqBKB
4/1gY/7AuuBcNp5bSpC4isGySZlL0wDjURyjfInrbDdMZi3QK2lPZP1okLZG5SCX
7pQM9riHwnzN94HINTzLTUdjxDBrm0Av9HCEeGT+iXwtXIhNaTkxjEy3a6b2saVl
wcaqcZbdGmJVgoncNlA3+277BPOAfbw4X5nGATaWPWxStkqeuhSaxahbCLNJGJcC
AwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFG8G2+G/R8ovyXZoCjtIco9u9hrLMA0GCSqGSIb3DQEBCwUAA4IBAQBmuKij
sa+RKEoSVrdUWYwAhQJd17I1crhyLjzk3c5k4cXSIUM0XlGK81GZdPRV5EVym7FN
n8rhjAYizFykFbIcmiUrNa73jm2QTdMiL8WEzywNB0/X+XSJd+I1VeWOvYJMPTiY
KH/vcNYugVeWUzn6EF+iWnlpS9IHxcDvm6yjMJ242+KQWO7DGkHzbadB/BcryAdz
v6oBlHTJoPqgHUwaHfnTfqCQPTaTACUSFGNEnLuuXvLbbhZlpmLHRoqBiwpa0YQW
1EAICjLa6q5vSDSBrYJL2tIZz2vv/powIWMU1tdGFSALtpMucUH5Opi0Eaa+3cQB
fvl1Mck/CPY8e4/j
-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions test/configs/certs/tlsauth/client-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
21 changes: 21 additions & 0 deletions test/configs/certs/tlsauth/client.pem
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions test/configs/certs/tlsauth/client2-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
21 changes: 21 additions & 0 deletions test/configs/certs/tlsauth/client2.pem
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions test/configs/certs/tlsauth/server-key.pem
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
22 changes: 22 additions & 0 deletions test/configs/certs/tlsauth/server.pem
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
35 changes: 35 additions & 0 deletions test/configs/tls_cert_cn.conf
@@ -0,0 +1,35 @@

listen: localhost:9334

tls {
cert_file = "./configs/certs/tlsauth/server.pem"
key_file = "./configs/certs/tlsauth/server-key.pem"
ca_file = "./configs/certs/tlsauth/ca.pem"
verify = true
verify_and_map = true
}

authorization {
# Default permissions
permissions {
publish {
allow = ["public.>"]
}
subscribe {
allow = ["public.>"]
}
}

users [
{ user = "CN=example.com,OU=NATS.io" }
{ user = "CN=example.com,OU=CNCF", permissions = {
publish {
allow = [">"]
}
subscribe {
allow = [">"]
}
}
}
]
}
78 changes: 78 additions & 0 deletions test/tls_test.go
Expand Up @@ -131,6 +131,84 @@ func TestTLSClientCertificateHasUserID(t *testing.T) {
defer nc.Close()
}

func TestTLSClientCertificateCNBasedAuth(t *testing.T) {
srv, opts := RunServerWithConfig("./configs/tls_cert_cn.conf")
defer srv.Shutdown()
nurl := fmt.Sprintf("tls://%s:%d", opts.Host, opts.Port)
errCh1 := make(chan error)
errCh2 := make(chan error)

// Using the default permissions
nc1, err := nats.Connect(nurl,
nats.ClientCert("./configs/certs/tlsauth/client.pem", "./configs/certs/tlsauth/client-key.pem"),
nats.RootCAs("./configs/certs/tlsauth/ca.pem"),
nats.ErrorHandler(func(_ *nats.Conn, _ *nats.Subscription, err error) {
errCh1 <- err
}),
)
if err != nil {
t.Fatalf("Expected to connect, got %v", err)
}
defer nc1.Close()

// Admin permissions can publish to '>'
nc2, err := nats.Connect(nurl,
nats.ClientCert("./configs/certs/tlsauth/client2.pem", "./configs/certs/tlsauth/client2-key.pem"),
nats.RootCAs("./configs/certs/tlsauth/ca.pem"),
nats.ErrorHandler(func(_ *nats.Conn, _ *nats.Subscription, err error) {
errCh2 <- err
}),
)
if err != nil {
t.Fatalf("Expected to connect, got %v", err)
}
defer nc2.Close()

err = nc1.Publish("foo.bar", []byte("hi"))
if err != nil {
t.Fatal(err)
}
_, err = nc1.SubscribeSync("foo.>")
if err != nil {
t.Fatal(err)
}
nc1.Flush()

sub, err := nc2.SubscribeSync(">")
if err != nil {
t.Fatal(err)
}
nc2.Flush()
err = nc2.Publish("hello", []byte("hi"))
if err != nil {
t.Fatal(err)
}
nc2.Flush()

_, err = sub.NextMsg(1 * time.Second)
if err != nil {
t.Fatalf("Error during wait for next message: %s", err)
}

// Wait for a couple of errors
var count int
select {
case err := <-errCh1:
if err != nil {
count++
}
if count == 2 {
break
}
case err := <-errCh2:
if err != nil {
t.Fatalf("Received unexpected auth error from client: %s", err)
}
case <-time.After(2 * time.Second):
t.Fatalf("Timed out expecting auth errors")
}
}

func TestTLSVerifyClientCertificate(t *testing.T) {
srv, opts := RunServerWithConfig("./configs/tlsverify_noca.conf")
defer srv.Shutdown()
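Review bot: The `count == 2` check in the final select of TestTLSClientCertificateCNBasedAuth can never be true: a single `select` receives at most one value from `errCh1`, so `count` tops out at 1 and the `break` only leaves the select, which was exiting anyway, meaning the test passes after one permission error even though the comment says it waits for a couple. Looping over the select until two errors have arrived makes the intent real (below); both channels are also unbuffered, so with the single select the second error delivered to nc1's handler would presumably block that callback until the test returns — `errCh1 := make(chan error, 2)` avoids that. The closing lines of TestTLSClientCertificateHasUserID and the start of TestTLSVerifyClientCertificate are context only; the new test is fully inside the hunk.
```go
	// Wait for the two permission violations (publish and subscribe)
	// reported to nc1's error handler; nc2 must not report any.
	timeout := time.After(2 * time.Second)
	for count := 0; count < 2; {
		select {
		case err := <-errCh1:
			if err != nil {
				count++
			}
		case err := <-errCh2:
			if err != nil {
				t.Fatalf("Received unexpected auth error from client: %s", err)
			}
		case <-timeout:
			t.Fatalf("Timed out expecting auth errors")
		}
	}
```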
