From b93df8992303ed4a8f33c9994f306f5784e9fbb6 Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Wed, 6 Mar 2019 12:10:25 -0600
Subject: [PATCH] Add support for allow/deny permissions (#136)

* Add support for allow/deny in permissions
* Add example with allow/deny in auth
* Fix for logtime default

Signed-off-by: Waldemar Quevedo
---
 example/clients-auth-permissions.json | 21 +++++---
 pkg/conf/natsconf.go | 5 +-
 pkg/conf/natsconf_test.go | 74 +++++++++++++++++++++++----
 pkg/util/kubernetes/kubernetes.go | 4 ++
 4 files changed, 85 insertions(+), 19 deletions(-)

diff --git a/example/clients-auth-permissions.json b/example/clients-auth-permissions.json
index b9594c6f..c5dbae17 100644
--- a/example/clients-auth-permissions.json
+++ b/example/clients-auth-permissions.json
@@ -1,12 +1,21 @@
 {
 "users": [
- { "username": "user1", "password": "user1secret" },
- { "username": "user2", "password": "user2secret",
- "permissions": {
- "publish": ["hello.*"],
- "subscribe": ["hello.world"]
+ { "username": "user0", "password": "user0secret",
+ "permissions": {
+ "publish": {
+ "allow": ["public.>"],
+ "deny": ["private.>"]
+ }
+ }
+ },
+ { "username": "user1", "password": "user1secret"
+ },
+ { "username": "user2", "password": "user2secret",
+ "permissions": {
+ "publish": ["hello.*"],
+ "subscribe": ["hello.world"]
+ }
 }
- }
 ],
 "default_permissions": {
 "publish": ["SANDBOX.*"],
diff --git a/pkg/conf/natsconf.go b/pkg/conf/natsconf.go
index adc9ff4c..993145c4 100644
--- a/pkg/conf/natsconf.go
+++ b/pkg/conf/natsconf.go
@@ -63,8 +63,9 @@ type User struct {
 // Permissions are the allowed subjects on a per
 // publish or subscribe basis.
 type Permissions struct {
- Publish []string `json:"publish,omitempty"`
- Subscribe []string `json:"subscribe,omitempty"`
+ // Can be either a map with allow/deny or an array.
+ Publish interface{} `json:"publish,omitempty"`
+ Subscribe interface{} `json:"subscribe,omitempty"`
 }
 
 // Marshal takes a server configuration and returns its
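Review bot: Turning `Publish` and `Subscribe` into `interface{}` removes the only shape constraint on an authorization rule in this layer: whatever value a caller stores here is marshaled into the server's authorization block unchanged, so a mis-typed rule (a string instead of a list, a map key other than `allow`/`deny`) is neither rejected nor normalized by Permissions itself. The single added comment is now the whole record of the contract, so it should state it precisely on each exported field, e.g. `// Publish is either a []string of subjects, or a map with "allow" and/or "deny" keys each holding a []string; no other shape is validated here.`, and the same wording for Subscribe. Whether the code that copies a cluster spec into Permissions checks the shape first is not visible in this hunk; if it does not, a validation step there (or a dedicated allow/deny struct type) would reject a malformed policy at the operator rather than emit it into the generated NATS config.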
diff --git a/pkg/conf/natsconf_test.go b/pkg/conf/natsconf_test.go
index 8c9fc676..bacb4035 100644
--- a/pkg/conf/natsconf_test.go
+++ b/pkg/conf/natsconf_test.go
@@ -12,16 +12,19 @@ func TestConfMarshal(t *testing.T) {
 err error
 }{
 {
- input: &ServerConfig{},
- output: "{}",
- err: nil,
+ input: &ServerConfig{},
+ output: `{
+ "logtime": false
+}`,
+ err: nil,
 },
 {
 input: &ServerConfig{
 HTTPPort: 8222,
 },
 output: `{
- "http_port": 8222
+ "http_port": 8222,
+ "logtime": false
 }`,
 err: nil,
 },
@@ -30,7 +33,8 @@ func TestConfMarshal(t *testing.T) {
 Port: 4222,
 },
 output: `{
- "port": 4222
+ "port": 4222,
+ "logtime": false
 }`,
 err: nil,
 },
@@ -41,15 +45,18 @@ func TestConfMarshal(t *testing.T) {
 },
 output: `{
 "port": 4222,
- "http_port": 8222
+ "http_port": 8222,
+ "logtime": false
 }`,
 err: nil,
 },
 {
 input: &ServerConfig{
 LameDuckDuration: "2m",
+ Logtime: true,
 },
 output: `{
+ "logtime": true,
 "lame_duck_duration": "2m"
 }`,
 },
@@ -66,7 +73,8 @@ func TestConfMarshal(t *testing.T) {
 "http_port": 8222,
 "cluster": {
 "port": 6222
- }
+ },
+ "logtime": false
 }`,
 err: nil,
 },
@@ -93,7 +101,8 @@ func TestConfMarshal(t *testing.T) {
 "nats://nats-2.default.svc:6222",
 "nats://nats-3.default.svc:6222"
 ]
- }
+ },
+ "logtime": false
 }`,
 err: nil,
 },
@@ -124,7 +133,8 @@ func TestConfMarshal(t *testing.T) {
 ]
 },
 "debug": true,
- "trace": true
+ "trace": true,
+ "logtime": false
 }`,
 err: nil,
 },
@@ -161,7 +171,8 @@ func TestConfMarshal(t *testing.T) {
 "cert_file": "/etc/nats-tls/server.pem",
 "key_file": "/etc/nats-tls/server-key.pem"
 }
- }
+ },
+ "logtime": false
 }`,
 err: nil,
 },
@@ -179,6 +190,7 @@ func TestConfMarshal(t *testing.T) {
 output: `{
 "port": 4222,
 "http_port": 8222,
+ "logtime": false,
 "authorization": {
 "default_permissions": {
 "publish": [
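Review bot: The first hunk changes the empty-config expectation from `{}` to a document containing `"logtime": false`, which pins that a zero-valued Logtime is always serialized (the field presumably lost its omitempty tag in a change outside this diff), and every later hunk in this file adds the same key for the same reason. Nothing in the table records why a false boolean must be emitted, so a later cleanup that restores omitempty and `{}` would pass review as a no-op. A one-line comment on the first case, e.g. `// logtime is never omitted: an explicit false must reach the server config so the operator's choice is not replaced by the server's own default.`, would keep the intent visible; the enclosing TestConfMarshal starts outside these hunks.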
@@ -192,6 +204,46 @@ func TestConfMarshal(t *testing.T) {
 }`,
 err: nil,
 },
+ {
+ input: &ServerConfig{
+ Authorization: &AuthorizationConfig{
+ DefaultPermissions: &Permissions{
+ Publish: map[string][]string{
+ "allow": []string{"hello", "world"},
+ "deny": []string{"foo.*", "bar.>"},
+ },
+ Subscribe: map[string][]string{
+ "allow": []string{"hi", "everyone"},
+ },
+ },
+ },
+ },
+ output: `{
+ "logtime": false,
+ "authorization": {
+ "default_permissions": {
+ "publish": {
+ "allow": [
+ "hello",
+ "world"
+ ],
+ "deny": [
+ "foo.*",
+ "bar.>"
+ ]
+ },
+ "subscribe": {
+ "allow": [
+ "hi",
+ "everyone"
+ ]
+ }
+ }
+ }
+}`,
+
+ err: nil,
+ },
 }
 
 for _, tt := range tests {
@@ -202,7 +254,7 @@ func TestConfMarshal(t *testing.T) {
 }
 o := strings.TrimSpace(string(res))
 if o != tt.output {
- t.Errorf("Unexpected output: %v", o)
+ t.Errorf("Expected %+v, got: %+v", tt.output, o)
 }
 })
 }
diff --git a/pkg/util/kubernetes/kubernetes.go b/pkg/util/kubernetes/kubernetes.go
index ddc153f5..aa9accdb 100644
--- a/pkg/util/kubernetes/kubernetes.go
+++ b/pkg/util/kubernetes/kubernetes.go
@@ -378,6 +378,8 @@ func CreateConfigSecret(kubecli corev1client.CoreV1Interface, operatorcli natsal
 sconfig.MaxSubscriptions = cluster.ServerConfig.MaxSubscriptions
 sconfig.MaxControlLine = cluster.ServerConfig.MaxControlLine
 sconfig.Logtime = !cluster.ServerConfig.DisableLogtime
+ } else {
+ sconfig.Logtime = true
 }
 
 if cluster.ExtraRoutes != nil {
@@ -507,6 +509,8 @@ func UpdateConfigSecret(
 sconfig.MaxSubscriptions = cluster.ServerConfig.MaxSubscriptions
 sconfig.MaxControlLine = cluster.ServerConfig.MaxControlLine
 sconfig.Logtime = !cluster.ServerConfig.DisableLogtime
+ } else {
+ sconfig.Logtime = true
 }
 
 if cluster.Pod != nil && cluster.Pod.AdvertiseExternalIP {
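Review bot: The new table case exercises only the well-formed allow/deny map, so the behaviour of Marshal for the other shapes the `interface{}` fields now accept — a plain string, or a map with a key other than `allow`/`deny` — is pinned by no test, and whether such a policy is passed through or rejected stays undocumented. One more case with e.g. `Publish: "hello"` asserting whatever Marshal produces today would make that contract explicit and catch any later change to it. As a point of style, the map literal spells out element types that `gofmt -s` drops (`"allow": {"hello", "world"}` suffices), and there is a stray blank line before `err: nil,`. The enclosing TestConfMarshal starts outside the hunk.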
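Review bot: The added `} else { sconfig.Logtime = true }` in CreateConfigSecret is repeated verbatim in the UpdateConfigSecret hunk at -507, and the identical context lines suggest the whole block that copies ServerConfig into sconfig is already duplicated between the two functions. Setting the default once before the conditional, `sconfig.Logtime = true`, and leaving only the existing `sconfig.Logtime = !cluster.ServerConfig.DisableLogtime` inside the branch gives the same result without an else branch; moving the shared copy into one helper would remove the risk of the two functions drifting apart on a later default. The enclosing `if` blocks and both functions start outside the hunks, so the condition that guards the branch is inferred, not visible.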