Add in route permission support

Signed-off-by: Derek Collison <derek@nats.io>
gokugong · Aug 23, 2018 · 5955f22 · 5955f22
1 parent a79806e
commit 5955f22
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 9 deletions.
diff --git a/server/auth.go b/server/auth.go
@@ -74,8 +74,8 @@ type Permissions struct {
 // but describe what a server can import/export from and to
 // another server.
 type RoutePermissions struct {
-	Import []string `json:"import"`
-	Export []string `json:"export"`
+	Import *SubjectPermission `json:"import"`
+	Export *SubjectPermission `json:"export"`
 }
 
 // clone will clone an individual subject permission.

diff --git a/server/opts.go b/server/opts.go
@@ -395,8 +395,14 @@ func parseCluster(cm map[string]interface{}, opts *Options) error {
 				// The parsing sets Import into Publish and Export into Subscribe, convert
 				// accordingly.
 				opts.Cluster.Permissions = &RoutePermissions{
-					Import: auth.defaultPermissions.Publish.Allow,
-					Export: auth.defaultPermissions.Subscribe.Allow,
+					Import: &SubjectPermission{
+						Allow: auth.defaultPermissions.Publish.Allow,
+						Deny:  auth.defaultPermissions.Publish.Deny,
+					},
+					Export: &SubjectPermission{
+						Allow: auth.defaultPermissions.Subscribe.Allow,
+						Deny:  auth.defaultPermissions.Subscribe.Deny,
+					},
 				}
 			}
 		case "routes":

diff --git a/server/route.go b/server/route.go
@@ -499,8 +499,14 @@ func (c *client) setRoutePermissions(perms *RoutePermissions) {
 	// and Export permission is mapped to Subscribe.
 	// For meaning of Import/Export, see canImport and canExport.
 	p := &Permissions{}
-	p.Publish = &SubjectPermission{Allow: perms.Import}
-	p.Subscribe = &SubjectPermission{Allow: perms.Export}
+	p.Publish = &SubjectPermission{
+		Allow: perms.Import.Allow,
+		Deny:  perms.Import.Deny,
+	}
+	p.Subscribe = &SubjectPermission{
+		Allow: perms.Export.Allow,
+		Deny:  perms.Export.Deny,
+	}
 	c.setPermissions(p)
 }
 

diff --git a/test/configs/srv_a_perms.conf b/test/configs/srv_a_perms.conf
@@ -1,4 +1,4 @@
-# Cluster Server A
+# Cluster Server A with Permissions
 
 listen: 127.0.0.1:5222
 
@@ -11,7 +11,10 @@ cluster {
     timeout: 0.5
     permissions {
       import: "foo"
-      export: ["bar", "baz"]
+      export: {
+        allow: "*"
+        deny: ["foo", "nats"]
+      }
     }
   }
 

diff --git a/test/routes_test.go b/test/routes_test.go
@@ -878,7 +878,8 @@ func TestRouteBasicPermissions(t *testing.T) {
 	cb := func(_ *nats.Msg) {
 		ch <- true
 	}
-	// Subscribe on on "bar" and "baz", which should be accepted by server A
+	// Subscribe on Server B on "bar" and "baz", which should be accepted by server A across the route
+	// Due to allowing "*"
 	subBbar, err := ncb.Subscribe("bar", cb)
 	if err != nil {
 		t.Fatalf("Error on subscribe: %v", err)