From 7645d95c18f8c30a21ee7f23d0bd799600cd9e1a Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Mon, 4 Feb 2019 10:23:56 -0800
Subject: [PATCH] Support using TLS cert subject to auth user

Signed-off-by: Waldemar Quevedo
---
 server/auth.go | 29 ++++++--
 server/client.go | 4 +-
 test/configs/certs/tlsauth/ca.pem | 21 ++++++
 test/configs/certs/tlsauth/client-key.pem | 27 ++++++++
 test/configs/certs/tlsauth/client.pem | 21 ++++++
 test/configs/certs/tlsauth/client2-key.pem | 27 ++++++++
 test/configs/certs/tlsauth/client2.pem | 21 ++++++
 test/configs/certs/tlsauth/server-key.pem | 27 ++++++++
 test/configs/certs/tlsauth/server.pem | 22 ++++++
 test/configs/tls_cert_cn.conf | 35 ++++++++++
 test/tls_test.go | 78 ++++++++++++++++++++++
 11 files changed, 305 insertions(+), 7 deletions(-)
 create mode 100644 test/configs/certs/tlsauth/ca.pem
 create mode 100644 test/configs/certs/tlsauth/client-key.pem
 create mode 100644 test/configs/certs/tlsauth/client.pem
 create mode 100644 test/configs/certs/tlsauth/client2-key.pem
 create mode 100644 test/configs/certs/tlsauth/client2.pem
 create mode 100644 test/configs/certs/tlsauth/server-key.pem
 create mode 100644 test/configs/certs/tlsauth/server.pem
 create mode 100644 test/configs/tls_cert_cn.conf

diff --git a/server/auth.go b/server/auth.go
index c6ba22f794..86f279d80c 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -144,6 +144,12 @@ func (s *Server) checkAuthforWarnings() {
 		warn = true
 	}
 	for _, u := range s.users {
+		// Skip warn if using TLS certs based auth
+		// unless a password has been left in the config.
+		if u.Password == "" && s.opts.TLSMap {
+			continue
+		}
+
 		if !isBcrypt(u.Password) {
 			warn = true
 			break
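Review bot: The new `continue` relies on an empty-password user entry being reachable only through the certificate-derived name, but neither the code nor the comment states that assumption; if any non-TLS path ever resolves such an entry by `c.opts.Username`, an empty password would be compared instead of being flagged here. Worth writing the assumption where the skip happens, e.g. `// TLSMap users are matched by the cert-derived name and carry no password, so there is nothing to bcrypt.` The body of checkAuthforWarnings continues past this hunk.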
@@ -319,24 +325,37 @@ func (s *Server) isClientAuthorized(c *client) bool {
 		if len(tlsState.PeerCertificates) > 1 {
 			c.Debugf("Multiple peer certificates found, selecting first")
 		}
-		if len(cert.EmailAddresses) == 0 {
+
+		hasEmailAddresses := len(cert.EmailAddresses) > 0
+		hasSubject := len(cert.Subject.String()) > 0
+		if !hasEmailAddresses && !hasSubject {
 			c.Debugf("User required in cert, none found")
 			s.mu.Unlock()
 			return false
 		}
-		euser := cert.EmailAddresses[0]
+
+		var euser string
+		if hasEmailAddresses {
+			euser = cert.EmailAddresses[0]
+			if len(cert.EmailAddresses) > 1 {
+				c.Debugf("Multiple users found in cert, selecting first [%q]", euser)
+			}
+		} else {
+			euser = cert.Subject.String()
+		}
 		user, ok = s.users[euser]
 		if !ok {
 			c.Debugf("User in cert [%q], not found", euser)
 			s.mu.Unlock()
 			return false
 		}
-		if len(cert.EmailAddresses) > 1 {
-			c.Debugf("Multiple users found in cert, selecting first [%q]", euser)
-		}
+
 		if c.opts.Username != "" {
 			s.Warnf("User found in connect proto, but user required from cert - %v", c)
 		}
+		// Already checked that the client didn't send a user in connect
+		// but we set it here to be able to identify it in the logs.
+		c.opts.Username = euser
 	} else if c.opts.Username != "" {
 		user, ok = s.users[c.opts.Username]
 		if !ok {
diff --git a/server/client.go b/server/client.go
index 2ed4bda9df..d04389f9e9 100644
--- a/server/client.go
+++ b/server/client.go
@@ -203,8 +203,8 @@ type outbound struct {
 	pb  int32         // Total pending/queued bytes.
 	pm  int32         // Total pending/queued messages.
 	sg  *sync.Cond    // Flusher conditional for signaling.
-	wdl time.Duration // Snapshot fo write deadline.
-	mp  int32         // snapshot of max pending.
+	wdl time.Duration // Snapshot of write deadline.
+	mp  int32         // Snapshot of max pending.
 	fsp int32         // Flush signals that are pending from readLoop's pcd.
 	lft time.Duration // Last flush time.
 	sgw bool          // Indicate flusher is waiting on condition wait.
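Review bot: The comment above `c.opts.Username = euser` claims the client-sent user was "already checked", but the preceding `if c.opts.Username != ""` only calls `s.Warnf` and does not reject, so a username sent in CONNECT is silently replaced by the cert-derived identity; the comment should say that, e.g. `// A user sent in CONNECT is only warned about above; replace it with the cert-derived identity so logs show who actually authenticated.` The subject fallback looks `s.users` up by the exact string `pkix.Name.String()` produces (RFC 2253 form, RDNs in reverse order, `CN=...,OU=...`), so a comment on the `hasSubject` line stating that config `user` names must use that exact rendering would spare operators a silent "not found". `cert.Subject.String()` is also evaluated twice; hoisting it to `subject := cert.Subject.String()` and using it for both `hasSubject` and `euser` reads more clearly. isClientAuthorized starts before and continues after this hunk.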
diff --git a/test/configs/certs/tlsauth/ca.pem b/test/configs/certs/tlsauth/ca.pem new file mode 100644 index 0000000000..3355302700 --- /dev/null +++ b/test/configs/certs/tlsauth/ca.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIUWyR/qbLooFMu+VcvmQhLAjokntQwDQYJKoZIhvcNAQEL +BQAwTDEkMCIGA1UEChMbU3luYWRpYSBDb21tdW5pY2F0aW9ucyBJbmMuMRAwDgYD +VQQLEwdOQVRTLmlvMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTkwMjA0MTk1MDAw +WhcNMjQwMjAzMTk1MDAwWjBMMSQwIgYDVQQKExtTeW5hZGlhIENvbW11bmljYXRp +b25zIEluYy4xEDAOBgNVBAsTB05BVFMuaW8xEjAQBgNVBAMTCWxvY2FsaG9zdDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN9ryA3PTdAPjC2VQkjy9JXJ +bOq2GpvGU+2/gC3TNRXOPJ5ZVy4svV8C9VA9t8gIbQHTYMzBFxyGz0+a/9+DEXot +crcVvsqaE5mewU9yjifDqUCGqOn9fo/zsYwD96KYtukEZ73D1Pyv+7EmkHNYqBKB +4/1gY/7AuuBcNp5bSpC4isGySZlL0wDjURyjfInrbDdMZi3QK2lPZP1okLZG5SCX +7pQM9riHwnzN94HINTzLTUdjxDBrm0Av9HCEeGT+iXwtXIhNaTkxjEy3a6b2saVl +wcaqcZbdGmJVgoncNlA3+277BPOAfbw4X5nGATaWPWxStkqeuhSaxahbCLNJGJcC +AwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O +BBYEFG8G2+G/R8ovyXZoCjtIco9u9hrLMA0GCSqGSIb3DQEBCwUAA4IBAQBmuKij +sa+RKEoSVrdUWYwAhQJd17I1crhyLjzk3c5k4cXSIUM0XlGK81GZdPRV5EVym7FN +n8rhjAYizFykFbIcmiUrNa73jm2QTdMiL8WEzywNB0/X+XSJd+I1VeWOvYJMPTiY +KH/vcNYugVeWUzn6EF+iWnlpS9IHxcDvm6yjMJ242+KQWO7DGkHzbadB/BcryAdz +v6oBlHTJoPqgHUwaHfnTfqCQPTaTACUSFGNEnLuuXvLbbhZlpmLHRoqBiwpa0YQW +1EAICjLa6q5vSDSBrYJL2tIZz2vv/powIWMU1tdGFSALtpMucUH5Opi0Eaa+3cQB +fvl1Mck/CPY8e4/j +-----END CERTIFICATE----- diff --git a/test/configs/certs/tlsauth/client-key.pem b/test/configs/certs/tlsauth/client-key.pem new file mode 100644 index 0000000000..bf17876337 --- /dev/null +++ b/test/configs/certs/tlsauth/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAr5QLVY0FeeEO+mPQDSGZSael1cO0cfABww7r5fNkxFRipJL0 +4uOKsP359dGo/Ay8MWS2mlAooX1jRA28YWghNjgZwv05bbmcQ2cGo9/7TTWKxusk +zHYgYLc9WNbgJnSGNceykQxIgnI4S/pF+fxpoJbxTOu71tviky5SAP93IU8JpfB4 +aIpSo0KfA0wDpauYD1orjrXY7JMvL/NRLLYvkTvJaMeuEAWuW3UacCV1wfT91oQW +FBaFupsatNT0UPJ+eMrfG0Gg6cM9bfU+ZNZROQOOR0gAM9XD4knuOYQsvdKWrEku +N8bBqCPOhCIYYCtUan607phtQoIBuwyxrEkSJQIDAQABAoIBAFn+IJ0V7gOdVmcC +d+XzHbWB518cs0VfBhgrcr/nM/PpaLH/3OLaTAER/GeBsgKWqHMMswd/JIQ5V4LP +I4otrDA1KwclcaUK6MwnZ2DhcdYOJnZ0meTuewP3h8scP8GWIiA4ng74Y8Xws2hF +/E34kU9NbprFjP7Ar25O5Js8VZxNJBWZXZqd4znTj8d4eqbZghM12RaUNQ1YSgB9 +dC9a4siubAWw3mZXX9T8te/uWbo7gY52vaMlO1nV+waZzkqdF7xizAYzYW+woAu5 +lMRnUylRFKtuAUZGsDATElVKeirWT/kkAjslRzLw0daOYfe+c321bE9fFwFi5b3e +DHSwpbUCgYEAyydwejT59DHvrQ1HRnKCL4+rvrCtFlHoJiSOKX8F38tVjCwFstHO +on+AxJMU8Om528aJ2RDPDzy1Cqn+cRAmgIsvAwa2JyBGqkN9nXq4Ji8eBL42ZNzK +wbnnFfm+qkBNXXon1gSnMN+8w9zX1dmIsoGmunZ/Ew0EB1bDsBEcI1cCgYEA3UBD +QkvFu6SlYq8ts5RcIn5bGgPkvudbRTb2IDYVMtLmPdDQP1X6s4NFdHErqvfwyIez +2WQLjLjUfU8fylEKxZL9cdHF/FAa5brnr3DAVT1Gsthv8WFFUkuZ52uAte4mGTL0 +FnGaz6mqoIrM/uNGKAgozMZPrDFobqsh5maepOMCgYAO3rMn7srA6grOEuO9r1IC +IzUB/zKcKKCichiJxwdqCxsW6H3+SccjM8v8F3v36lO1V4HthoJxbhMeVbUPF4yJ +6iYlxY79rCof+lKufTYPbXF4DWgz18lrhqz4edBP6+b9yZwy2SJXvHi3qWmO+J49 +2qmWimfgwBokY2BtecMifwKBgHiiMknycISIGBi/dQamDLpN9LQxjUY9dPk/J2GW +u2YzsY/gy7rM0V2RZIxBrFKSz3k27GvKbbWzjUAppSa1m07wfznQ68dPkerSRsLU +kjmnqGWZNygAJkDhsa+JYOtRRvqUWpvmI0e4tazFIVKUbssi78P/GK/FXLCCpIAw +Ua2LAoGABl1qtut/+NyOXZHJVl8tZIzeJOWkuMoKf0dOWmOsQl0Si2tGeB/ExI+O +mnhqozoV3nBGE8AyzMnUh/C6/tH5be3w/y3pTJ4rayffnYsYgf7mySAopjIbpW7w +iORnunwB7qnzx8yIS6rK0kpyvfp0P+bIOTwT1nEbw9wnBSjmCO4= +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/tlsauth/client.pem b/test/configs/certs/tlsauth/client.pem new file mode 100644 index 0000000000..9a6222fe04 --- /dev/null +++ b/test/configs/certs/tlsauth/client.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIUfLE3jBpwGplOUDcpbxIsvRInDGQwDQYJKoZIhvcNAQEL +BQAwTDEkMCIGA1UEChMbU3luYWRpYSBDb21tdW5pY2F0aW9ucyBJbmMuMRAwDgYD +VQQLEwdOQVRTLmlvMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTkwMjA0MTk1MTAw +WhcNMjQwMjAzMTk1MTAwWjAoMRAwDgYDVQQLEwdOQVRTLmlvMRQwEgYDVQQDEwtl +eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+UC1WN +BXnhDvpj0A0hmUmnpdXDtHHwAcMO6+XzZMRUYqSS9OLjirD9+fXRqPwMvDFktppQ +KKF9Y0QNvGFoITY4GcL9OW25nENnBqPf+001isbrJMx2IGC3PVjW4CZ0hjXHspEM +SIJyOEv6Rfn8aaCW8Uzru9bb4pMuUgD/dyFPCaXweGiKUqNCnwNMA6WrmA9aK461 +2OyTLy/zUSy2L5E7yWjHrhAFrlt1GnAldcH0/daEFhQWhbqbGrTU9FDyfnjK3xtB +oOnDPW31PmTWUTkDjkdIADPVw+JJ7jmELL3SlqxJLjfGwagjzoQiGGArVGp+tO6Y +bUKCAbsMsaxJEiUCAwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww +CgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUa1+2h/uPRLo1o6Ee +qOTA1hKmUlcwHwYDVR0jBBgwFoAUbwbb4b9Hyi/JdmgKO0hyj272GsswCwYDVR0R +BAQwAoIAMA0GCSqGSIb3DQEBCwUAA4IBAQBr50msBYEhIMj6b8QoBAbvdBhE9TeF +76k4PZpGVF6EoGVdyTXvO0LBNT7BFysIVgy51Bv5kyz7z9B6iOwnnTDhZIj0kGMA +KPkgyMHHRlL9iOXC/fCuf9dfBuq7u2oykILCI8VY6yzTvHtIWg0/wk6/2e13WmtU +nkI9ySxJGzaZJaVjV7UWkzzR1anwJ6Q0IaRohIByWcE43uIzNi1sA1U8cZ70C43t +JNSXp9mBodV2jLCM3bU9jpSyz8thH3ghogioG8obYSS22a+Ei4SRsmHK1B2fu6Uh +z8UJCtjq5lbVlPgZQlmIHAJaq/cK8nSccv/2KBHx5hOR8rIqwsAL6p46 +-----END CERTIFICATE----- diff --git a/test/configs/certs/tlsauth/client2-key.pem b/test/configs/certs/tlsauth/client2-key.pem new file mode 100644 index 0000000000..bbe3361e16 --- /dev/null +++ b/test/configs/certs/tlsauth/client2-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEApRvhQ78kWi/gN1DWuTrk0vhS6Zva1U1TdHvtp0lvzgYqy7Z7 +mIEkX6tVZxIV7RXrOWu+CGWtkCb83upQudYdsFqbtOSbhsmeupAsKPePYSRJuYaf +BShNOEQ+UP+xEQJOv9LCHGFz8ukcF9XXJAlo0c5e6PDLmLPbMM7NmyZlqLGkXEgZ +cZEEG+BaxfR75gYoODnxkmvpx8F9nXKpDlIRNP9A2iTIWna0AX/r7fsivvBJCwj9 +j3j9g5gmEurT5oVeCaya6N60NVSbMug4UF70NF2EAtw8TKIat73ATdgf+EFY4wO2 +xdceM9OMiurrnV3FMOHMfU148rdFbHb99zIupwIDAQABAoIBAQCRxUSj8Gzi5yP5 +EnkRPorqLG3fbEfPTJ7i18thh7ebWNyN0IXchiAcCwOypUgQcuqjXpl/hm2vOIzH +Lm6pM/4wRj70fWVGolluc31Zif/fjw88KjvZbNSIWc/+6VBmKPhn6WaRcgTRsLep +35U7bsdJfP9Uf8vw/NIHjH4Afe0A+rJQ5aX17PLvlBH44WBOGvMq2qPPWfb5PzX6 +mne+a4M0FdTjfyL3qiJW2LF8OOVVDM9p9roQfZ15eKzxzQy4EhU7jtB0Bp9oGsu+ +nh0Pwvev0VQ1PPvZoxKP8FgwHSt/wekuht4bbQT0rQRNgKuJ+H1zwVe9mFDYslLh +bnfoFwQZAoGBANVIPdzEDx3op9n4RBQ7zBSwQUG2xRg42VrbjYdFkTB52a8m553I +4XrUb6QMCqFo1Va3BpZvEXfQIHXYSssakC1b1R/FVcRqlg27wKyFdW4B0UierBjt +iUjUfto4+CZzjpmEJJJcYduLigLqC2/hzFcUFs3paDHXJJfZfmlbhtd9AoGBAMYt +nhnZzgxRfzB05zaqw/hiR+X9lDMElOYKz8GUoygLlQYzsBnoQ+YD4ZRvETL1WhgN +M2Kc3BHjPdMFNZyvoRXgrqg018KDjzCqlHH1iWXVfUgnOlTi9kX3UdEhR4HcYi8Z +EnilkBseLgpC0byOXSiPVAUt34qy++D27OlwYZ/zAoGAU2Fjtev8EPBEtqUlUFe0 +SB5D1MH0Oaz35FpS8SBUS4RHgv8Nq5S9+bwVTSfb/BA03yq8a5FOXe3C0u9VBiQD +W4g8QKhwCFK3CPVutMOUDgat39sQYspyUkOot/1vnfCtPfz4IzP0mdTqhosjH4FB +1oUnCScHsfxu9OJ1VhEPHS0CgYB+lYLIFlRDkAbC59kMFRVp4TT1lfyEfeex7LP5 +fTyeBo/gz0Eruy0rjc0X572/o/IxLLVmxrTXBCRoVoqBE7m75LELJf2u9CORPVPm +WqSxlCUa4lui/vm5hRkQkMZBD4jzdntS7sXWXHeh/D5Fx1V/49USHdQMnvi+IFsB +XNQuuwKBgE48AdaUfWoqbkR+vfMbqeTyAXOg7VfmT1m8dc8mNPTeaEjUwb4M3EaQ +fT2B+tIASHfIaqLWPqjCrLxCBz4P4+4dkTLlWN+7BTVgK4Ecie/pEg8+q3CEVV2n +Bt5/z4xQCUmj24eiZogRIZmK9OsXEy4vQk4YH09tFSpFa+WwjoVX +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/tlsauth/client2.pem b/test/configs/certs/tlsauth/client2.pem new file mode 100644 index 0000000000..35d6257006 --- /dev/null +++ b/test/configs/certs/tlsauth/client2.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmugAwIBAgIUXSH0jKq+6x2WG4RHqN8tATdptokwDQYJKoZIhvcNAQEL +BQAwTDEkMCIGA1UEChMbU3luYWRpYSBDb21tdW5pY2F0aW9ucyBJbmMuMRAwDgYD +VQQLEwdOQVRTLmlvMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTkwMjA0MTk1ODAw +WhcNMjQwMjAzMTk1ODAwWjAlMQ0wCwYDVQQLEwRDTkNGMRQwEgYDVQQDEwtleGFt +cGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKUb4UO/JFov +4DdQ1rk65NL4Uumb2tVNU3R77adJb84GKsu2e5iBJF+rVWcSFe0V6zlrvghlrZAm +/N7qULnWHbBam7Tkm4bJnrqQLCj3j2EkSbmGnwUoTThEPlD/sRECTr/Swhxhc/Lp +HBfV1yQJaNHOXujwy5iz2zDOzZsmZaixpFxIGXGRBBvgWsX0e+YGKDg58ZJr6cfB +fZ1yqQ5SETT/QNokyFp2tAF/6+37Ir7wSQsI/Y94/YOYJhLq0+aFXgmsmujetDVU +mzLoOFBe9DRdhALcPEyiGre9wE3YH/hBWOMDtsXXHjPTjIrq651dxTDhzH1NePK3 +RWx2/fcyLqcCAwEAAaOBgzCBgDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI +KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUoS4dpE8Slaffykf+cVSc +g7IXvcYwHwYDVR0jBBgwFoAUbwbb4b9Hyi/JdmgKO0hyj272GsswCwYDVR0RBAQw +AoIAMA0GCSqGSIb3DQEBCwUAA4IBAQChjRkAiIuEXco4AkdoLO4wSN0i0b/toZ9b +U6X91UPCOQMYGLqe81DFYh3JE/+YjrwQYZz5Yb/vRVBC2HmTYkBXdP/74kRu4LCz +cdiVimz4GF2cBfFdxadNEJTQ8GW0fPtOIVwDZtJlNwi7ep58uR9Zld6Zo7FLRSzx +PtzBP6eEtwMJtVCk6PFluA7MY7k4c/TUW8bK0m9ybHIB8nqKuSWhZQBLdOhISyBz +/12xzX3An1NUpUaJnnD6ypEyfd8nZC0oAFC6+SAUMBWxcWYvhE5zcMaZQ3YtJUiC +0gR5d0Z1sjPYsq4KPow7IaTnzu3+0nLjZUHdU9RMfehJAxgBm3x0 +-----END CERTIFICATE----- diff --git a/test/configs/certs/tlsauth/server-key.pem b/test/configs/certs/tlsauth/server-key.pem new file mode 100644 index 0000000000..12f7835589 --- /dev/null +++ b/test/configs/certs/tlsauth/server-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5glzHylOTx5b8kapeSim3xvGZ7yM46xbLWIKHqiJSvFldWPC +cdk5Yr+lkREEsUlE6HtaUYWTZelMVrsvQL/YWgYj2VJTnvCRC+pIXAdL3Mf8Bxbd +2tlP2VOuUiMpe9JN6LX+P9d1dW1uWkanixFnPcAj60bTuAcdwr/ZxKUO0ayyu+hH +Myj0QoLZkDW08AGZl8Df8sEPm9Jfsj9g62OvLerv3LACYhzpiZxPlzXLHKg+Yozg +oJI0E+NI0kl2SFAuIwWaN43LGToqOlNvMOvZVg7XNX3EreTULxEE2T9A8nImisQA +CaSQh9I3RLIv9++uIMSPnxj8HMVp7NwkjhjSrQIDAQABAoIBAQDcDQYXNQg4Hy6N +oJLV19Fpc8Rjz7ZmxKWj0DkmAsry6eDIXtnO1qFSmUnkb4cxoIlOa1GG0mSiBH6G +KSGWqu5nj6ATb/GWBUJ7R25YupITbSrmDTXE+ESt/KKw5/ny/MaSaiYBJDa0Ui5S +JWx4V/mO1JKHqoU1cXlCpwvGVK7MWruA5c9+WofOfBn4XqdRfafgVsJvPawVno+r +k8TOytZOPdk6t+EUEnEf3PRnvQJN2q79+6k06IzoLzyybqWDhzSXn5XnzvT/F807 +mMvqX8qWt9L6U7kJOppP0YNSf8c+8VBjDjERiOHK40T/rOyofiIOf+Tgsl8qxIO5 +FvKMgt7xAoGBAPVDkvdgrLF2TV4KewbxROdLSob3Moqsgl+Js5FGy851Y73fHxm4 +2G505fVQ3Sy9/WF3Eklij5vIpRgX3K6qwjkxNzLAcvoXOtjsqjM2MCBY2Ag3eP/0 +N9BDT7dnTVURQDU+n2dgibXgIOTUlgLWWuLeLHXzycMnfFtrW70HmZmjAoGBAPAb +Pc5LWPA53+Q0NF4v+saX7hy4EJ71HdWNERfxO6cO2grmvkCaSpWyFIhIylvpgDpt +odxQzZ3tE+5fmF/8G6snM2gBufQd/YDSJxrPDs8P7DzccQxHpqFzZFFMwa41WDtW +TvMNlSXwRp0WeoC0n4wtI85VzhJOw2tjx4onwUdvAoGAJZiMKLt6/WEDDw1QOoo1 +Y7cY34N5DeTPv1FeY0CU8TrxZSOUot7A3n2w2l/g54DgHFaiSPmAxgKFvCG8RFIM +n7O5oF/7v/ZboPD2Tg9aZTr5Mpk+RQ3smFIZICYHpqiUTRUiXjhgI68Nm8YykJDH +McuYySPro6yj1Wepklpd4z0CgYBpI+Sqoz/s4cryyRFtdSEhOYJhPRC6KqfHzaAA +lfgDLXO5dlU1QNsMNhDbpNRH7zXhYASSzyda0mf56A53aZRMHDxcfPUKut85O803 +5hecAGL4O6edMvr6k+cH2s6tFFrwkNi9geMf29lwDFnUZkO/RDz7q4MzbR4Rtn24 +N7RhLQKBgQDGnFZXlEncxff9H61A5dYMC3iRJLx440iWInETjviU2qy1gAsxtb6i +NXk+TOmKVthRf8iI18ycJoQxuwDwZjnsej1A2Pskb7WwPwJixj9V1IPgDHnM9iVG +DA0wZAxcfXASxqFVbnZTrLy+7HCoqCa+UFrw6yKVK+acOCG/VzRq0A== +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/tlsauth/server.pem b/test/configs/certs/tlsauth/server.pem new file mode 100644 index 0000000000..f18f2f66cb --- /dev/null +++ b/test/configs/certs/tlsauth/server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDrTCCApWgAwIBAgIUbz8YLNhcMjAR+b57pJZu4yodtvMwDQYJKoZIhvcNAQEL +BQAwTDEkMCIGA1UEChMbU3luYWRpYSBDb21tdW5pY2F0aW9ucyBJbmMuMRAwDgYD +VQQLEwdOQVRTLmlvMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTkwMjA0MTk1MDAw +WhcNMjQwMjAzMTk1MDAwWjBGMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNU2FuIEZy +YW5jaXNjbzELMAkGA1UEBxMCQ0ExEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOYJcx8pTk8eW/JGqXkopt8bxme8jOOs +Wy1iCh6oiUrxZXVjwnHZOWK/pZERBLFJROh7WlGFk2XpTFa7L0C/2FoGI9lSU57w +kQvqSFwHS9zH/AcW3drZT9lTrlIjKXvSTei1/j/XdXVtblpGp4sRZz3AI+tG07gH +HcK/2cSlDtGssrvoRzMo9EKC2ZA1tPABmZfA3/LBD5vSX7I/YOtjry3q79ywAmIc +6YmcT5c1yxyoPmKM4KCSNBPjSNJJdkhQLiMFmjeNyxk6KjpTbzDr2VYO1zV9xK3k +1C8RBNk/QPJyJorEAAmkkIfSN0SyL/fvriDEj58Y/BzFaezcJI4Y0q0CAwEAAaOB +jDCBiTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T +AQH/BAIwADAdBgNVHQ4EFgQUUyukKfpCfv7k38/n4m2M0x2V5dEwHwYDVR0jBBgw +FoAUbwbb4b9Hyi/JdmgKO0hyj272GsswFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0G +CSqGSIb3DQEBCwUAA4IBAQC+ahw47ljulw54ZobENNHEQd3xWraXuzWCCS+4+Cwj +zXKSSwa2DvJT8IvdMIQgOaA4JzsJh6m7KBtB20lJwnd38rpigfEXlS8R/uC8Jvg6 +IYiIqhzirdOJJT8nXXgPWRgPsXYneZpDWk0G0MeX9fMb0BD9odGFGYX7+pSZl59K +hCZGuRKAbjDQYf76P22i0m0DhcGwbNFcZZOQkUkXNN06hXa8vNZ1v4+/jCOHco4W +0vl1WgW9YXjOtMmc7XVA46G6h1SuwkzeqBGICoSuuOvxohQocpYI6tGXv/4Fs4D8 +oFTF7rTV1pYyXRiNWBS14znS4LfKeQkqHsBi8ACUU/Gd +-----END CERTIFICATE----- diff --git a/test/configs/tls_cert_cn.conf b/test/configs/tls_cert_cn.conf new file mode 100644 index 0000000000..d64653d55a --- /dev/null +++ b/test/configs/tls_cert_cn.conf 
@@ -0,0 +1,35 @@
+
+listen: localhost:9334
+
+tls {
+  cert_file = "./configs/certs/tlsauth/server.pem"
+  key_file = "./configs/certs/tlsauth/server-key.pem"
+  ca_file = "./configs/certs/tlsauth/ca.pem"
+  verify = true
+  verify_and_map = true
+}
+
+authorization {
+  # Default permissions
+  permissions {
+    publish {
+      allow = ["public.>"]
+    }
+    subscribe {
+      allow = ["public.>"]
+    }
+  }
+
+  users [
+    { user = "CN=example.com,OU=NATS.io" }
+    { user = "CN=example.com,OU=CNCF", permissions = {
+      publish {
+        allow = [">"]
+      }
+      subscribe {
+        allow = [">"]
+      }
+    }
+    }
+  ]
+}
diff --git a/test/tls_test.go b/test/tls_test.go
index dc25efaa3a..ee64a1ddeb 100644
--- a/test/tls_test.go
+++ b/test/tls_test.go
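Review bot: The two `user` names under `users [` are the RFC 2253 rendering of the fixture client certificates' subjects and must match that rendering character for character, but nothing in the file says where they come from, so anyone regenerating the certs in `configs/certs/tlsauth/` will get an authentication failure with no hint why. A comment above `users [` such as `# user names are the client certificate subjects as rendered by Go's pkix.Name.String() (CN first, then OU)` would make the coupling to the PEM fixtures explicit.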
@@ -131,6 +131,84 @@ func TestTLSClientCertificateHasUserID(t *testing.T) {
 	defer nc.Close()
 }
 
+func TestTLSClientCertificateCNBasedAuth(t *testing.T) {
+	srv, opts := RunServerWithConfig("./configs/tls_cert_cn.conf")
+	defer srv.Shutdown()
+	nurl := fmt.Sprintf("tls://%s:%d", opts.Host, opts.Port)
+	errCh1 := make(chan error)
+	errCh2 := make(chan error)
+
+	// Using the default permissions
+	nc1, err := nats.Connect(nurl,
+		nats.ClientCert("./configs/certs/tlsauth/client.pem", "./configs/certs/tlsauth/client-key.pem"),
+		nats.RootCAs("./configs/certs/tlsauth/ca.pem"),
+		nats.ErrorHandler(func(_ *nats.Conn, _ *nats.Subscription, err error) {
+			errCh1 <- err
+		}),
+	)
+	if err != nil {
+		t.Fatalf("Expected to connect, got %v", err)
+	}
+	defer nc1.Close()
+
+	// Admin permissions can publish to '>'
+	nc2, err := nats.Connect(nurl,
+		nats.ClientCert("./configs/certs/tlsauth/client2.pem", "./configs/certs/tlsauth/client2-key.pem"),
+		nats.RootCAs("./configs/certs/tlsauth/ca.pem"),
+		nats.ErrorHandler(func(_ *nats.Conn, _ *nats.Subscription, err error) {
+			errCh2 <- err
+		}),
+	)
+	if err != nil {
+		t.Fatalf("Expected to connect, got %v", err)
+	}
+	defer nc2.Close()
+
+	err = nc1.Publish("foo.bar", []byte("hi"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = nc1.SubscribeSync("foo.>")
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc1.Flush()
+
+	sub, err := nc2.SubscribeSync(">")
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc2.Flush()
+	err = nc2.Publish("hello", []byte("hi"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	nc2.Flush()
+
+	_, err = sub.NextMsg(1 * time.Second)
+	if err != nil {
+		t.Fatalf("Error during wait for next message: %s", err)
+	}
+
+	// Wait for a couple of errors
+	var count int
+	select {
+	case err := <-errCh1:
+		if err != nil {
+			count++
+		}
+		if count == 2 {
+			break
+		}
+	case err := <-errCh2:
+		if err != nil {
+			t.Fatalf("Received unexpected auth error from client: %s", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatalf("Timed out expecting auth errors")
+	}
+}
+
 func TestTLSVerifyClientCertificate(t *testing.T) {
 	srv, opts := RunServerWithConfig("./configs/tlsverify_noca.conf")
 	defer srv.Shutdown()
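Review bot: The `select` under `// Wait for a couple of errors` runs exactly once and the `break` in the `count == 2` branch only leaves the `select`, so the test returns after the first error on `errCh1` and never verifies that both the publish to `foo.bar` and the subscribe to `foo.>` were denied for the default-permission user. Wrapping the `select` in `for count < 2 { ... }` makes the comment true; with that loop the `count == 2` check inside the case becomes redundant. `errCh1` is unbuffered, so the client's error callback blocks on its second send until the test reads it; `make(chan error, 2)` avoids holding that goroutine. The `errCh2` case is also sound only while the loop keeps draining, which the rewrite below preserves.
```go
	// Wait for the two permission violations expected on nc1
	// (publish to foo.bar, subscribe to foo.>).
	var count int
	for count < 2 {
		select {
		case err := <-errCh1:
			if err != nil {
				count++
			}
		case err := <-errCh2:
			if err != nil {
				t.Fatalf("Received unexpected auth error from client: %s", err)
			}
		case <-time.After(2 * time.Second):
			t.Fatalf("Timed out expecting auth errors")
		}
	}
```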