Exportlimits

account_claims.go

@@ -8,12 +8,13 @@ import (
 
 // OperatorLimits are used to limit access by an account
 type OperatorLimits struct {
-	Subs    int64 `json:"subs,omitempty"`    // Max number of subscriptions
-	Conn    int64 `json:"conn,omitempty"`    // Max number of active connections
-	Imports int64 `json:"imports,omitempty"` // Max number of imports
-	Exports int64 `json:"exports,omitempty"` // Max number of exports
-	Data    int64 `json:"data,omitempty"`    // Max number of bytes
-	Payload int64 `json:"payload,omitempty"` // Max message payload
+	Subs            int64 `json:"subs,omitempty"`      // Max number of subscriptions
+	Conn            int64 `json:"conn,omitempty"`      // Max number of active connections
+	Imports         int64 `json:"imports,omitempty"`   // Max number of imports
+	Exports         int64 `json:"exports,omitempty"`   // Max number of exports
+	WildcardExports bool  `json:"wildcards,omitempty"` // Are wildcards allowed in exports
+	Data            int64 `json:"data,omitempty"`      // Max number of bytes
+	Payload         int64 `json:"payload,omitempty"`   // Max message payload
 }
 
 // IsEmpty returns true if all of the limits are 0
@@ -48,8 +49,18 @@ func (a *Account) Validate(acct *AccountClaims, vr *ValidationResults) {
 		vr.AddError("the account contains more imports than allowed by the operator limits")
 	}
 
-	if !a.Limits.IsEmpty() && a.Limits.Exports >= 0 && int64(len(a.Exports)) > a.Limits.Exports {
-		vr.AddError("the account contains more exports than allowed by the operator limits")
+	if !a.Limits.IsEmpty() && len(a.Exports) > 0 {
+		if a.Limits.Exports >= 0 && int64(len(a.Exports)) > a.Limits.Exports {
+			vr.AddError("the account contains more exports than allowed by the operator limits")
+		}
+
+		if !a.Limits.WildcardExports {
+			for _, ex := range a.Exports {
+				if ex.Subject.HasWildCards() {
+					vr.AddError("the account contains an export, %s, with wildcards that are not allowed by the operator limts", ex.Subject)
+				}
+			}
+		}
 	}
 }
 

account_claims_test.go

@@ -214,6 +214,7 @@ func TestLimitValidationInAccount(t *testing.T) {
 	account.Limits.Data = 1024
 	account.Limits.Payload = 1024
 	account.Limits.Subs = 10
+	account.Limits.WildcardExports = true
 	account.Identities = []Identity{
 		{
 			ID:    "stephen",
@@ -285,3 +286,43 @@ func TestLimitValidationInAccount(t *testing.T) {
 		t.Fatal("account can encode without limits and identity")
 	}
 }
+
+func TestWildcardExportLimit(t *testing.T) {
+	akp := createAccountNKey(t)
+	apk := publicKey(akp, t)
+
+	account := NewAccountClaims(apk)
+	account.Expires = time.Now().Add(time.Duration(time.Hour * 24 * 365)).Unix()
+	account.Limits.Conn = 10
+	account.Limits.Imports = 10
+	account.Limits.Exports = 10
+	account.Limits.WildcardExports = true
+	account.Exports = Exports{
+		&Export{Subject: "foo", Type: Stream},
+		&Export{Subject: "bar.*", Type: Stream},
+	}
+
+	vr := CreateValidationResults()
+	account.Validate(vr)
+
+	if !vr.IsEmpty() {
+		t.Fatal("valid account should have no validation issues")
+	}
+
+	account.Limits.WildcardExports = false
+	vr = CreateValidationResults()
+	account.Validate(vr)
+
+	if vr.IsEmpty() || !vr.IsBlocking(true) {
+		t.Fatal("invalid account should have validation issues")
+	}
+
+	account.Limits.WildcardExports = true
+	account.Limits.Exports = 1
+	vr = CreateValidationResults()
+	account.Validate(vr)
+
+	if vr.IsEmpty() || !vr.IsBlocking(true) {
+		t.Fatal("invalid account should have validation issues")
+	}
+}