From 5955f22d65e1d2452bed01b9813190587d835ce3 Mon Sep 17 00:00:00 2001
From: Derek Collison
Date: Thu, 23 Aug 2018 14:42:43 -0700
Subject: [PATCH] Add in route permission support
Signed-off-by: Derek Collison
---
 server/auth.go | 4 ++--
 server/opts.go | 10 ++++++++--
 server/route.go | 10 ++++++++--
 test/configs/srv_a_perms.conf | 7 +++++--
 test/routes_test.go | 3 ++-
 5 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/server/auth.go b/server/auth.go
index f14d7039194..724e0cb77cc 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -74,8 +74,8 @@ type Permissions struct {
 // but describe what a server can import/export from and to
 // another server.
 type RoutePermissions struct {
- Import []string `json:"import"`
- Export []string `json:"export"`
+ Import *SubjectPermission `json:"import"`
+ Export *SubjectPermission `json:"export"`
 }

 // clone will clone an individual subject permission.
diff --git a/server/opts.go b/server/opts.go
index 1f62387258d..c8452f68c3c 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -395,8 +395,14 @@ func parseCluster(cm map[string]interface{}, opts *Options) error {
 // The parsing sets Import into Publish and Export into Subscribe, convert
 // accordingly.
 opts.Cluster.Permissions = &RoutePermissions{
- Import: auth.defaultPermissions.Publish.Allow,
- Export: auth.defaultPermissions.Subscribe.Allow,
+ Import: &SubjectPermission{
+ Allow: auth.defaultPermissions.Publish.Allow,
+ Deny: auth.defaultPermissions.Publish.Deny,
+ },
+ Export: &SubjectPermission{
+ Allow: auth.defaultPermissions.Subscribe.Allow,
+ Deny: auth.defaultPermissions.Subscribe.Deny,
+ },
 }
 }
 case "routes":
diff --git a/server/route.go b/server/route.go
index be9ccfc7a58..c70e8792e1f 100644
--- a/server/route.go
+++ b/server/route.go
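Review bot: The doc comment leading into this hunk (`// but describe what a server can import/export from and to another server.`) still describes the old allow-list-only fields; now that each side is a *SubjectPermission carrying both Allow and Deny, the type should say so and state which list wins when a subject matches both, since that precedence is the security-relevant behaviour and is decided elsewhere (setPermissions/canImport per the route.go comment, not visible here). Suggested field comments: `// Import: allow/deny subject lists applied to what this server takes in over the route (mapped to Publish).` and `// Export: allow/deny subject lists applied to what this server hands out over the route (mapped to Subscribe); confirm and document deny-over-allow precedence.` It is also worth stating that both pointers must be non-nil, because the route.go change in this same patch dereferences them unconditionally. The comment block and the enclosing declaration context begin before the hunk.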
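Review bot: The two new `Import:`/`Export:` literals copy Allow and Deny out of `auth.defaultPermissions` field by field, so the Options struct shares the parser's backing slices and will silently drop any field later added to SubjectPermission. If `clone` — the helper whose doc comment is visible right after the auth.go hunk ("clone will clone an individual subject permission") — is a method on *SubjectPermission, prefer `Import: auth.defaultPermissions.Publish.clone(),` and `Export: auth.defaultPermissions.Subscribe.clone(),`, which isolates the options from the parser scratch state and keeps this path consistent with how client permissions are copied. Separately, the dereference of `.Publish`/`.Subscribe` predates this patch but would still panic on a config that names only one of import/export unless the permissions parser guarantees both are non-nil — worth confirming, or guarding here. parseCluster continues outside the hunk.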
@@ -499,8 +499,14 @@ func (c *client) setRoutePermissions(perms *RoutePermissions) {
 // and Export permission is mapped to Subscribe.
 // For meaning of Import/Export, see canImport and canExport.
 p := &Permissions{}
- p.Publish = &SubjectPermission{Allow: perms.Import}
- p.Subscribe = &SubjectPermission{Allow: perms.Export}
+ p.Publish = &SubjectPermission{
+ Allow: perms.Import.Allow,
+ Deny: perms.Import.Deny,
+ }
+ p.Subscribe = &SubjectPermission{
+ Allow: perms.Export.Allow,
+ Deny: perms.Export.Deny,
+ }
 c.setPermissions(p)
 }

diff --git a/test/configs/srv_a_perms.conf b/test/configs/srv_a_perms.conf
index 736f9bf70b7..1399df55f2c 100644
--- a/test/configs/srv_a_perms.conf
+++ b/test/configs/srv_a_perms.conf
@@ -1,4 +1,4 @@
-# Cluster Server A
+# Cluster Server A with Permissions

 listen: 127.0.0.1:5222

@@ -11,7 +11,10 @@ cluster {
 timeout: 0.5
 permissions {
 import: "foo"
- export: ["bar", "baz"]
+ export: {
+ allow: "*"
+ deny: ["foo", "nats"]
+ }
 }
 }

diff --git a/test/routes_test.go b/test/routes_test.go
index 3328f649a7d..9c7662c7301 100644
--- a/test/routes_test.go
+++ b/test/routes_test.go
@@ -878,7 +878,8 @@ func TestRouteBasicPermissions(t *testing.T) {
 cb := func(_ *nats.Msg) {
 ch <- true
 }
- // Subscribe on on "bar" and "baz", which should be accepted by server A
+ // Subscribe on Server B on "bar" and "baz", which should be accepted by server A across the route
+ // Due to allowing "*"
 subBbar, err := ncb.Subscribe("bar", cb)
 if err != nil {
 t.Fatalf("Error on subscribe: %v", err)
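Review bot: `perms.Import.Allow` / `perms.Export.Allow` (and the matching Deny lines) dereference the new pointer fields with no nil check, so a RoutePermissions with only one side set — easy to produce when Options is built programmatically rather than through parseCluster — panics inside the route handshake instead of being defaulted or rejected up front. The removed lines tolerated a nil slice; the equivalent now is to treat a nil side as an empty SubjectPermission, which yields exactly what the old code produced for a nil Import/Export (what an empty permission means downstream is decided by setPermissions, outside this hunk). The signature of setRoutePermissions appears only in the hunk header; the body shown is the whole function.
```go
	p := &Permissions{}
	// Tolerate a nil side: the former []string fields accepted nil, and an
	// Options built in code may set only Import or only Export. An empty
	// SubjectPermission is what the old code produced for a nil slice, so
	// that case keeps its previous behaviour instead of panicking here.
	p.Publish = &SubjectPermission{}
	if perms.Import != nil {
		p.Publish.Allow = perms.Import.Allow
		p.Publish.Deny = perms.Import.Deny
	}
	p.Subscribe = &SubjectPermission{}
	if perms.Export != nil {
		p.Subscribe.Allow = perms.Export.Allow
		p.Subscribe.Deny = perms.Export.Deny
	}
	c.setPermissions(p)
```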
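Review bot: The new comment explains that "bar" and "baz" get through "Due to allowing \"*\"", but nothing in this hunk exercises the deny half of the fixture (`deny: ["foo", "nats"]` in srv_a_perms.conf), which is the behaviour this patch introduces; a regression that ignores Deny on routes would still pass the assertions visible here. Unless the rest of TestRouteBasicPermissions (it continues outside the hunk) already covers it, add a subscription on a denied subject from server B, e.g. `subBnats, err := ncb.Subscribe("nats", cb)`, then publish on that subject from the server A side and assert a timed-out receive on `ch`, mirroring whatever the existing "foo" negative check does — presumably the same direction as the "bar"/"baz" case, to confirm. The second comment line would also read better folded into the first: `// ... accepted by server A across the route because its export allow list is "*".`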