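// Copyright 2016-2019 The NATS Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package test

import (
	"regexp"
	"testing"
	"time"
)

// DefaultPass is the password every user in ./configs/authorization.conf
// is expected to authenticate with in these tests.
const DefaultPass = "foo"

// permErrRe matches the -ERR line the server returns when a PUB or SUB is
// rejected by the connected user's permissions. The capture group holds the
// remainder of the message up to the CRLF.
var permErrRe = regexp.MustCompile(`\A\-ERR\s+'Permissions Violation([^\r\n]+)\r\n`)

// msgMatches returns the msgRe submatches found in buf, failing the test
// instead of panicking on a later matches[0] if no MSG line is present.
func msgMatches(t *testing.T, buf []byte) [][][]byte {
	t.Helper()
	matches := msgRe.FindAllSubmatch(buf, -1)
	if len(matches) == 0 {
		t.Fatalf("expected a MSG in %q", buf)
	}
	return matches
}

// TestUserAuthorizationProto exercises subject-level publish/subscribe
// permissions over the raw wire protocol against ./configs/authorization.conf:
// an unrestricted user (alice), allow-list-only users (bob, joe), and the
// allow/deny style user (ns), including the rule that a deny clause must not
// prevent a wider wildcard subscription but must withhold delivery of
// messages whose subject the clause matches.
func TestUserAuthorizationProto(t *testing.T) {
	srv, opts := RunServerWithConfig("./configs/authorization.conf")
	defer srv.Shutdown()

	// Alice can do anything, check a few for OK result.
	c := createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "alice", DefaultPass)
	expectResult(t, c, okRe)
	sendProto(t, c, "PUB foo 2\r\nok\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "SUB foo 1\r\n")
	expectResult(t, c, okRe)

	// Check that _ is ok
	sendProto(t, c, "PUB _ 2\r\nok\r\n")
	expectResult(t, c, okRe)

	c.Close()

	// Bob is a requestor only, e.g. req.foo, req.bar for publish, subscribe only to INBOXes.
	c = createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "bob", DefaultPass)
	expectResult(t, c, okRe)

	// These should error.
	sendProto(t, c, "SUB foo 1\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "PUB foo 2\r\nok\r\n")
	expectResult(t, c, permErrRe)

	// These should work ok.
	sendProto(t, c, "SUB _INBOX.abcd 1\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "PUB req.foo 2\r\nok\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "PUB req.bar 2\r\nok\r\n")
	expectResult(t, c, okRe)
	c.Close()

	// Joe is a default user
	c = createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "joe", DefaultPass)
	expectResult(t, c, okRe)

	// These should error.
	sendProto(t, c, "SUB foo.bar.* 1\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "PUB foo.bar.baz 2\r\nok\r\n")
	expectResult(t, c, permErrRe)

	// These should work ok.
	sendProto(t, c, "SUB _INBOX.abcd 1\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "SUB PUBLIC.abcd 1\r\n")
	expectResult(t, c, okRe)

	sendProto(t, c, "PUB SANDBOX.foo 2\r\nok\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "PUB SANDBOX.bar 2\r\nok\r\n")
	expectResult(t, c, okRe)

	// Since only PWC, this should fail (too many tokens).
	sendProto(t, c, "PUB SANDBOX.foo.bar 2\r\nok\r\n")
	expectResult(t, c, permErrRe)

	c.Close()

	// This is the new style permissions with allow and deny clauses.
	c = createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "ns", DefaultPass)
	expectResult(t, c, okRe)

	// These should work
	sendProto(t, c, "PUB SANDBOX.foo 2\r\nok\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "PUB baz.bar 2\r\nok\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "PUB baz.foo 2\r\nok\r\n")
	expectResult(t, c, okRe)

	// These should error.
	sendProto(t, c, "PUB foo 2\r\nok\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "PUB bar 2\r\nok\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "PUB foo.bar 2\r\nok\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "PUB foo.bar.baz 2\r\nok\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "PUB SYS.1 2\r\nok\r\n")
	expectResult(t, c, permErrRe)

	// Subscriptions

	// These should work ok.
	sendProto(t, c, "SUB foo.bar 1\r\n")
	expectResult(t, c, okRe)
	sendProto(t, c, "SUB foo.foo 1\r\n")
	expectResult(t, c, okRe)

	// These should error.
	sendProto(t, c, "SUB foo 1\r\n")
	expectResult(t, c, permErrRe)
	// NOTE(review): the same "SUB foo.baz" check is issued three times below;
	// this looks like a copy-paste that was meant to cover other denied
	// subjects. Kept as-is so the asserted behavior does not change.
	sendProto(t, c, "SUB foo.baz 1\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "SUB foo.baz 1\r\n")
	expectResult(t, c, permErrRe)
	sendProto(t, c, "SUB foo.baz 1\r\n")
	expectResult(t, c, permErrRe)

	// Deny clauses for subscriptions need to be able to allow subscriptions
	// on larger scoped wildcards, but prevent delivery of a message whose
	// subject matches a deny clause.

	// Clear old stuff
	c.Close()

	c = createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "ns", DefaultPass)
	expectResult(t, c, okRe)

	sendProto(t, c, "SUB foo.* 1\r\n")
	expectResult(t, c, okRe)

	sendProto(t, c, "SUB foo.* bar 2\r\n")
	expectResult(t, c, okRe)

	// Now send on foo.baz which should not be received on first client.
	// ns-pub is a separate user that is allowed to publish on foo.baz.
	nc := createClientConn(t, opts.Host, opts.Port)
	defer nc.Close()
	expectAuthRequired(t, nc)
	doAuthConnect(t, nc, "", "ns-pub", DefaultPass)
	expectResult(t, nc, okRe)

	sendProto(t, nc, "PUB foo.baz 2\r\nok\r\n")
	expectResult(t, nc, okRe)

	// Expect nothing from the wildcard subscription. This is a negative
	// assertion: it can only show that no MSG arrived within whatever wait
	// expectNothing uses, so it is weaker than the positive checks above.
	expectNothing(t, c)

	// A PING/PONG round trip after the silence proves the connection is still
	// healthy, i.e. the message was withheld rather than the link broken.
	sendProto(t, c, "PING\r\n")
	expectResult(t, c, pongRe)

	// Now create a queue sub on our ns-pub user. We want to test that
	// queue subscribers can be denied and delivery will route around.
	sendProto(t, nc, "SUB foo.baz bar 2\r\n")
	expectResult(t, nc, okRe)

	// Make sure we always get the message on our queue subscriber.
	// Do this several times since we should select the other subscriber
	// but get permission denied.. The MSG may arrive in the same read as
	// the +OK, so only wait for it separately when it did not.
	for i := 0; i < 20; i++ {
		sendProto(t, nc, "PUB foo.baz 2\r\nok\r\n")
		buf := expectResult(t, nc, okRe)
		if !msgRe.Match(buf) {
			expectResult(t, nc, msgRe)
		}
	}

	// Clear old stuff
	c.Close()

	c = createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "ns", DefaultPass)
	expectResult(t, c, okRe)

	sendProto(t, c, "SUB foo.bar 1\r\n")
	expectResult(t, c, okRe)

	sendProto(t, c, "SUB foo.bar.baz 2\r\n")
	expectResult(t, c, errRe)

	sendProto(t, c, "SUB > 3\r\n")
	expectResult(t, c, errRe)

	sendProto(t, c, "SUB SYS.> 4\r\n")
	expectResult(t, c, errRe)

	sendProto(t, c, "SUB SYS.TEST.foo 5\r\n")
	expectResult(t, c, okRe)

	sendProto(t, c, "SUB SYS.bar 5\r\n")
	expectResult(t, c, errRe)
}

// TestUserAuthorizationAllowResponses checks the allow_responses permission:
// a service user (svca) may publish to a reply subject it received exactly
// once, a second service user (svcb) may reply up to 10 times, and a reply
// permission expires after its configured lifetime.
func TestUserAuthorizationAllowResponses(t *testing.T) {
	srv, opts := RunServerWithConfig("./configs/authorization.conf")
	defer srv.Shutdown()

	// Alice can do anything, so she will be our requestor
	rc := createClientConn(t, opts.Host, opts.Port)
	defer rc.Close()
	expectAuthRequired(t, rc)
	doAuthConnect(t, rc, "", "alice", DefaultPass)
	expectResult(t, rc, okRe)

	// MY_SERVICE can subscribe to a single request subject but can
	// respond to any reply subject that it receives, but only
	// for one response.
	c := createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "svca", DefaultPass)
	expectResult(t, c, okRe)

	sendProto(t, c, "SUB my.service.req 1\r\n")
	expectResult(t, c, okRe)

	sendProto(t, rc, "PUB my.service.req resp.bar.22 2\r\nok\r\n")
	expectResult(t, rc, okRe)

	matches := msgMatches(t, expectResult(t, c, msgRe))
	checkMsg(t, matches[0], "my.service.req", "1", "resp.bar.22", "2", "ok")

	// This should be allowed
	sendProto(t, c, "PUB resp.bar.22 2\r\nok\r\n")
	expectResult(t, c, okRe)

	// This should not be allowed: the reply subject was never received.
	sendProto(t, c, "PUB resp.bar.33 2\r\nok\r\n")
	expectResult(t, c, errRe)

	// This should also not be allowed now since we already sent a response and max is 1.
	sendProto(t, c, "PUB resp.bar.22 2\r\nok\r\n")
	expectResult(t, c, errRe)

	c.Close() // from MY_SERVICE

	// MY_STREAM_SERVICE can subscribe to a single request subject but can
	// respond to any reply subject that it receives, and send up to 10 responses.
	// Each permission for a response can last up to 10ms.
	c = createClientConn(t, opts.Host, opts.Port)
	defer c.Close()
	expectAuthRequired(t, c)
	doAuthConnect(t, c, "", "svcb", DefaultPass)
	expectResult(t, c, okRe)

	sendProto(t, c, "SUB my.service.req 1\r\n")
	expectResult(t, c, okRe)

	// Same rules as above.
	sendProto(t, rc, "PUB my.service.req resp.bar.22 2\r\nok\r\n")
	expectResult(t, rc, okRe)

	matches = msgMatches(t, expectResult(t, c, msgRe))
	checkMsg(t, matches[0], "my.service.req", "1", "resp.bar.22", "2", "ok")

	// This should be allowed
	sendProto(t, c, "PUB resp.bar.22 2\r\nok\r\n")
	expectResult(t, c, okRe)

	// This should not be allowed
	sendProto(t, c, "PUB resp.bar.33 2\r\nok\r\n")
	expectResult(t, c, errRe)

	// We should be able to send 9 more here since we are allowed 10 total
	for i := 0; i < 9; i++ {
		sendProto(t, c, "PUB resp.bar.22 2\r\nok\r\n")
		expectResult(t, c, okRe)
	}
	// Now this should fail since we already sent 10 responses.
	sendProto(t, c, "PUB resp.bar.22 2\r\nok\r\n")
	expectResult(t, c, errRe)

	// Now test timeout.
	sendProto(t, rc, "PUB my.service.req resp.bar.11 2\r\nok\r\n")
	expectResult(t, rc, okRe)

	matches = msgMatches(t, expectResult(t, c, msgRe))
	checkMsg(t, matches[0], "my.service.req", "1", "resp.bar.11", "2", "ok")

	// Sleep well past the 10ms response lifetime so the permission has
	// expired before the reply is attempted (a timing-based check, so the
	// margin is deliberately generous).
	time.Sleep(100 * time.Millisecond)

	sendProto(t, c, "PUB resp.bar.11 2\r\nok\r\n")
	expectResult(t, c, errRe)
}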