[Added] account name checks for leaf nodes in operator mode #1739
Rules out implausible ones. Signed-off-by: Matthias Hanel <mh@synadia.com>
server/server.go
@@ -451,6 +451,18 @@ func NewServer(opts *Options) (*Server, error) { | |||
return nil, fmt.Errorf("no local account %q for remote leafnode", r.LocalAccount) | |||
} | |||
} | |||
} else { | |||
if len(opts.LeafNode.Users) != 0 { |
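Review bot: The new `} else {` branch in NewServer, opening with `if len(opts.LeafNode.Users) != 0 {`, carries no comment saying which configuration it covers. A one-line comment stating the mode this branch applies to, and why the leafnode users are inspected there, would make the intent clear. Any error returned from this branch should quote the offending account name with %q, the way the "no local account %q for remote leafnode" error just above it does, so that whoever reads the startup failure can see which entry was rejected.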
Would it be possible to move those checks into validateLeafNode(), which checks for options?
Absolutely, I placed them here because of the non-operator mode checks. OK to move all those checks?
That being said, I am not sure since we call this in NewServer()

    if err := validateOptions(opts); err != nil {
        return nil, err
    }

but before we actually process the trusted keys:

    // Trusted root operator keys.
    if !s.processTrustedKeys() {
        return nil, fmt.Errorf("Error processing trusted operator keys")
    }

would have to make sure that the validation of leafnode would still work if you move them there.
Almost there :-)
LGTM