
[FIXED] LeafNode: queue interest on leaf not propagated with permissi…
…ons on hub (#6291)

If the hub has a user with subscribe permissions on a literal subject
that the leaf is trying to create a queue subscription on, the interest
may not be propagated.

The issue was caused by the fact that we were checking the permissions
on the key (that includes subject and queue name) instead of the subject
itself.

Resolves #6281

Signed-off-by: Ivan Kozlovic <[email protected]>
derekcollison authored Dec 20, 2024
2 parents e1ff049 + 69f9847 commit 87e32fe
Showing 2 changed files with 76 additions and 11 deletions.
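--- a/server/leafnode.go
+++ b/server/leafnode.go
@@ -2329,8 +2329,16 @@ func (c *client) sendLeafNodeSubUpdate(key string, n int32) {
 checkPerms = false
 }
 }
-if checkPerms && !c.canSubscribe(key) {
-return
+if checkPerms {
+var subject string
+if sep := strings.IndexByte(key, ' '); sep != -1 {
+subject = key[:sep]
+} else {
+subject = key
+}
+if !c.canSubscribe(subject) {
+return
+}
 }
 }
 // If we are here we can send over to the other side.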
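Review bot: The new `if checkPerms` block in sendLeafNodeSubUpdate authorizes on the subject alone and discards everything after the first space, so a hub allow list that scopes a subject to a particular queue is no longer consulted on the spoke before the LS+ is sent. If canSubscribe accepts an optional queue argument, passing the remainder of the key through keeps that case covered locally; otherwise a comment such as `// key is "<subject>" or "<subject> <queue>"; the spoke checks the subject only and relies on the hub for queue-scoped permissions` should record the decision, provided the hub side does enforce it. `subject, queue, _ := strings.Cut(key, " ")` replaces the IndexByte/else branch in one line and makes the key format explicit. The enclosing function starts and ends outside the hunk.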
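--- a/server/leafnode_test.go
+++ b/server/leafnode_test.go
@@ -9077,7 +9077,7 @@ func TestLeafNodeBannerNoClusterNameIfNoCluster(t *testing.T) {
 l.Unlock()
 }
 
-func TestLeafCredFormatting(t *testing.T) {
+func TestLeafNodeCredFormatting(t *testing.T) {
 //create the operator/sys/account tree
 oKP, err := nkeys.CreateOperator()
 require_NoError(t, err)
@@ -9151,14 +9151,15 @@ func TestLeafCredFormatting(t *testing.T) {
 require_NoError(t, file.Close())
 
 template := fmt.Sprintf(`
-listen: 127.0.0.1:-1
-leaf { remotes: [
-{
-urls: [ nats-leaf://127.0.0.1:%d ]
-credentials: "%s"
-}
-] }`, o.LeafNode.Port, file.Name())
-
+listen: 127.0.0.1:-1
+leafnodes {
+remotes: [
+{
+urls: [ nats-leaf://127.0.0.1:%d ]
+credentials: "%s"
+}
+]
+}`, o.LeafNode.Port, file.Name())
 conf := createConfFile(t, []byte(template))
 leaf, _ := RunServerWithConfig(conf)
 defer leaf.Shutdown()
@@ -9172,3 +9173,59 @@ func TestLeafCredFormatting(t *testing.T) {
 runLeaf(t, creds)
 runLeaf(t, bytes.ReplaceAll(creds, []byte{'\n'}, []byte{'\r', '\n'}))
 }
+
+func TestLeafNodePermissionWithLiteralSubjectAndQueueInterest(t *testing.T) {
+hconf := createConfFile(t, []byte(`
+server_name: "HUB"
+listen: "127.0.0.1:-1"
+leafnodes {
+listen: "127.0.0.1:-1"
+}
+accounts {
+A {
+users: [
+{ user: "user", password: "pwd",
+permissions: {
+subscribe: { allow: ["_INBOX.>", "my.subject"] }
+publish: {allow: [">"]}
+}
+}
+]
+}
+}
+`))
+hub, ohub := RunServerWithConfig(hconf)
+defer hub.Shutdown()
+
+lconf := createConfFile(t, []byte(fmt.Sprintf(`
+server_name: "LEAF"
+listen: "127.0.0.1:-1"
+leafnodes {
+remotes: [
+{url: "nats://user:[email protected]:%d", account: A}
+]
+}
+accounts {
+A { users: [{user: user, password: pwd}] }
+}
+`, ohub.LeafNode.Port)))
+leaf, _ := RunServerWithConfig(lconf)
+defer leaf.Shutdown()
+
+checkLeafNodeConnected(t, hub)
+checkLeafNodeConnected(t, leaf)
+
+ncLeaf := natsConnect(t, leaf.ClientURL(), nats.UserInfo("user", "pwd"))
+defer ncLeaf.Close()
+natsQueueSub(t, ncLeaf, "my.subject", "queue", func(m *nats.Msg) {
+m.Respond([]byte("OK"))
+})
+natsFlush(t, ncLeaf)
+
+ncHub := natsConnect(t, hub.ClientURL(), nats.UserInfo("user", "pwd"))
+defer ncHub.Close()
+
+resp, err := ncHub.Request("my.subject", []byte("hello"), time.Second)
+require_NoError(t, err)
+require_Equal(t, "OK", string(resp.Data))
+}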
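Review bot: TestLeafNodePermissionWithLiteralSubjectAndQueueInterest in the last hunk only exercises the allowed subject, so a regression that skipped the permission check entirely for queue subscriptions would still pass. A negative case on the same connections — queue-subscribe on a subject outside the allow list with `natsQueueSub(t, ncLeaf, "other.subject", "queue", ...)`, then `_, err = ncHub.Request("other.subject", []byte("hello"), 250*time.Millisecond)` followed by `require_Error(t, err)` — would pin that the subject-level check is still applied (the request should see no responders or time out). The return value of `m.Respond` in the handler is also dropped; a short comment that the error is deliberately ignored in the test callback would make that intent clear.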
