Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Added] account name checks for leaf nodes in operator mode #1739

Merged
merged 4 commits into from
Nov 24, 2020
Merged

[Added] account name checks for leaf nodes in operator mode #1739

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e2e69b6
[Added] account name checks for leaf nodes in operator mode
matthiashanel Nov 23, 2020
a8390b7
Incorporating comments and moving code
matthiashanel Nov 24, 2020
a0dc9ea
Reducing complexity of lookup
matthiashanel Nov 24, 2020
b0461e3
Fixed comment
matthiashanel Nov 24, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
52 changes: 52 additions & 0 deletions server/leafnode.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,58 @@ func validateLeafNode(o *Options) error {
if err := validateLeafNodeAuthOptions(o); err != nil {
return err
}
// In local config mode, check that leafnode configuration refers to accounts that exist.
if len(o.TrustedOperators) == 0 {
kozlovic marked this conversation as resolved.
Show resolved Hide resolved
checkAccountExists := func(accName string, cfgType string) error {
found := false
if accName == "$G" || accName == _EMPTY_ {
matthiashanel marked this conversation as resolved.
Show resolved Hide resolved
found = true
} else {
for _, a := range o.Accounts {
if a.Name == accName {
found = true
break
}
}
}
if !found {
if accName == DEFAULT_SYSTEM_ACCOUNT && o.SystemAccount == _EMPTY_ && !o.NoSystemAccount {
return nil
}
return fmt.Errorf("cannot find local account %q specified in leafnode %s", accName, cfgType)
kozlovic marked this conversation as resolved.
Show resolved Hide resolved
}
return nil
}
if err := checkAccountExists(o.LeafNode.Account, "authorization"); err != nil {
return err
}
for _, lu := range o.LeafNode.Users {
if lu.Account == nil {
continue
}
if err := checkAccountExists(lu.Account.Name, "authorization"); err != nil {
return err
}
}
for _, r := range o.LeafNode.Remotes {
if err := checkAccountExists(r.LocalAccount, "remote"); err != nil {
return err
}
}
} else {
if len(o.LeafNode.Users) != 0 {
return fmt.Errorf("operator mode does not allow specifying user in leafnode config")
}
for _, r := range o.LeafNode.Remotes {
if !nkeys.IsValidPublicAccountKey(r.LocalAccount) {
return fmt.Errorf("operator mode requires account nkeys in remotes")
}
}
if o.LeafNode.Port != 0 && o.LeafNode.Account != "" && !nkeys.IsValidPublicAccountKey(o.LeafNode.Account) {
return fmt.Errorf("operator mode and non account nkeys are incompatible")
}
}

if o.LeafNode.Port == 0 {
return nil
}
Expand Down
46 changes: 46 additions & 0 deletions server/leafnode_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"context"
"crypto/tls"
"fmt"
"io/ioutil"
"net"
"net/url"
"os"
Expand Down Expand Up @@ -1883,3 +1884,48 @@ func TestLeafNodeNoDuplicateWithinCluster(t *testing.T) {
}
}
}

func TestLeafNodeOperatorBadCfg(t *testing.T) {
tmpDir, err := ioutil.TempDir("", "_nats-server")
if err != nil {
t.Fatal("Could not create tmp dir")
}
defer os.RemoveAll(tmpDir)
for errorText, cfg := range map[string]string{
"operator mode does not allow specifying user in leafnode config": `
port: -1
authorization {
users = [{user: "u", password: "p"}]}
}`,
`operator mode and non account nkeys are incompatible`: `
port: -1
authorization {
account: notankey
}`,
`operator mode requires account nkeys in remotes`: `remotes: [{url: u}]`,
} {
t.Run(errorText, func(t *testing.T) {
conf := createConfFile(t, []byte(fmt.Sprintf(`
port: -1
operator: %s
resolver: {
type: cache
dir: %s
}
leafnodes: {
%s
}
`, ojwt, tmpDir, cfg)))
defer os.Remove(conf)
opts := LoadConfig(conf)
s, err := NewServer(opts)
if err == nil {
s.Shutdown()
t.Fatal("Expected an error")
}
if err.Error() != errorText {
t.Fatalf("Expected error %s but got %s", errorText, err)
}
})
}
}
39 changes: 0 additions & 39 deletions server/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -414,45 +414,6 @@ func NewServer(opts *Options) (*Server, error) {
return nil, err
}

// In local config mode, check that leafnode configuration
// refers to account that exist.
if len(opts.TrustedOperators) == 0 {
checkAccountExists := func(accName string) error {
if accName == _EMPTY_ {
return nil
}
if _, ok := s.accounts.Load(accName); !ok {
if accName == DEFAULT_SYSTEM_ACCOUNT && opts.SystemAccount == _EMPTY_ && !opts.NoSystemAccount {
return nil
}
return fmt.Errorf("cannot find account %q specified in leafnode authorization", accName)
}
return nil
}
if err := checkAccountExists(opts.LeafNode.Account); err != nil {
return nil, err
}
for _, lu := range opts.LeafNode.Users {
if lu.Account == nil {
continue
}
if err := checkAccountExists(lu.Account.Name); err != nil {
return nil, err
}
}
for _, r := range opts.LeafNode.Remotes {
if r.LocalAccount == _EMPTY_ {
continue
}
if _, ok := s.accounts.Load(r.LocalAccount); !ok {
if r.LocalAccount == DEFAULT_SYSTEM_ACCOUNT && opts.SystemAccount == _EMPTY_ && !opts.NoSystemAccount {
continue
}
return nil, fmt.Errorf("no local account %q for remote leafnode", r.LocalAccount)
}
}
}

// Used to setup Authorization.
s.configureAuthorization()

Expand Down