
Commit 31bb80f

authored
[FIX] edit signing-key was unable to remove a connection type when in lowercase (#665)
fix comments
1 parent fc68a87 commit 31bb80f


2 files changed

+136
-1
lines changed


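--- a/cmd/editscopedsk.go
+++ b/cmd/editscopedsk.go
@@ -17,6 +17,7 @@ package cmd
 
 import (
 "fmt"
+"strings"
 
 "github.com/nats-io/jwt/v2"
 "github.com/nats-io/nkeys"
@@ -70,6 +71,11 @@ func (p *EditScopedSkParams) SetDefaults(ctx ActionCtx) error {
 }
 p.SignerParams.SetDefaults(nkeys.PrefixByteOperator, true, ctx)
 
+// allow the user to enter inputs in lc
+for i, v := range p.connTypes {
+p.connTypes[i] = strings.ToUpper(v)
+}
+
 return nil
 }
 
@@ -153,6 +159,12 @@ func (p *EditScopedSkParams) Load(ctx ActionCtx) error {
 if s == nil {
 s = &jwt.UserScope{}
 }
+
+// if the signing key has an allowed connection type in lowercase fix it
+for i, v := range s.(*jwt.UserScope).Template.AllowedConnectionTypes {
+s.(*jwt.UserScope).Template.AllowedConnectionTypes[i] = strings.ToUpper(v)
+}
+
 return p.UserPermissionLimits.Load(ctx, s.(*jwt.UserScope).Template)
 }
 
@@ -161,7 +173,9 @@ func (p *EditScopedSkParams) PostInteractive(ctx ActionCtx) error {
 }
 
 func (p *EditScopedSkParams) Validate(ctx ActionCtx) error {
-p.UserPermissionLimits.Validate(ctx)
+if err := p.UserPermissionLimits.Validate(ctx); err != nil {
+return err
+}
 
 if err := p.SignerParams.ResolveWithPriority(ctx, p.claim.Issuer); err != nil {
 return err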
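Review bot: In the Load hunk the new loop repeats the unchecked assertion `s.(*jwt.UserScope)` in the range expression and again on every iteration, so a scope of any other concrete type would panic rather than return an error. Binding it once with a checked assertion, `us, ok := s.(*jwt.UserScope)` followed by `if !ok { return fmt.Errorf("unsupported scope type %T", s) }`, lets the loop and the final `Load(ctx, us.Template)` call share one value. The loop also rewrites the stored template's `AllowedConnectionTypes` in place, so any later edit of this signing key presumably re-signs the claim with the upper-cased values. Since this list restricts how users issued under the key may connect, the comment should state that side effect explicitly, e.g. `// normalize legacy lower-case connection types; the corrected values are persisted when the claim is re-signed`. Load's body begins outside the hunk, so how `s` is obtained is not visible here.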

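--- a/cmd/editscopedsk_test.go
+++ b/cmd/editscopedsk_test.go
@@ -17,6 +17,7 @@ package cmd
 
 import (
 "os"
+"strings"
 "testing"
 
 "github.com/nats-io/jwt/v2"
@@ -221,3 +222,123 @@ func Test_EditScopedSkByRole(t *testing.T) {
 require.Equal(t, us.Role, "foo")
 require.Len(t, us.Template.Sub.Allow, 1)
 }
+
+func Test_EditScopedSkConnType(t *testing.T) {
+ts := NewTestStore(t, "edit scope")
+defer ts.Done(t)
+
+_, err := ts.Store.ReadOperatorClaim()
+require.NoError(t, err)
+
+ts.AddAccount(t, "A")
+
+// add the scope with a generate
+_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--sk", "generate", "--role", "foo")
+require.NoError(t, err)
+
+// try to add invalid conn type
+_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--sk", "foo", "--conn-type", "bar")
+require.Error(t, err)
+
+// add lower case conn type - this is prevented now, but worked in the past
+ac, err := ts.Store.ReadAccountClaim("A")
+require.NoError(t, err)
+scope, ok := ac.SigningKeys.GetScope(ac.SigningKeys.Keys()[0])
+require.True(t, ok)
+scope.(*jwt.UserScope).Template.AllowedConnectionTypes.Add(strings.ToLower(jwt.ConnectionTypeStandard))
+ac.SigningKeys.AddScopedSigner(scope)
+token, err := ac.Encode(ts.OperatorKey)
+require.NoError(t, err)
+ts.Store.StoreClaim([]byte(token))
+// test if lower case conn type was added correctly to the sk
+ac, err = ts.Store.ReadAccountClaim("A")
+require.NoError(t, err)
+require.Len(t, ac.SigningKeys.Keys(), 1)
+scope, ok = ac.SigningKeys.GetScope(ac.SigningKeys.Keys()[0])
+require.True(t, ok)
+us, ok := scope.(*jwt.UserScope)
+require.True(t, ok)
+require.NotNil(t, us)
+require.Len(t, us.Template.AllowedConnectionTypes, 1)
+require.Equal(t, strings.ToLower(jwt.ConnectionTypeStandard), us.Template.AllowedConnectionTypes[0])
+
+// add lower case conn type - should be transformed upper case
+_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--sk", "foo", "--conn-type", strings.ToLower(jwt.ConnectionTypeMqtt))
+require.NoError(t, err)
+ac, err = ts.Store.ReadAccountClaim("A")
+require.NoError(t, err)
+require.Len(t, ac.SigningKeys.Keys(), 1)
+scope, ok = ac.SigningKeys.GetScope(ac.SigningKeys.Keys()[0])
+require.True(t, ok)
+us, ok = scope.(*jwt.UserScope)
+require.True(t, ok)
+require.NotNil(t, us)
+require.Len(t, us.Template.AllowedConnectionTypes, 2)
+require.Equal(t, jwt.ConnectionTypeMqtt, us.Template.AllowedConnectionTypes[1])
+
+// test if the set above fixed the lower case conn type added before
+require.Equal(t, jwt.ConnectionTypeStandard, us.Template.AllowedConnectionTypes[0])
+}
+
+func Test_EditScopedSkRmConnType(t *testing.T) {
+ts := NewTestStore(t, "edit scope")
+defer ts.Done(t)
+
+_, err := ts.Store.ReadOperatorClaim()
+require.NoError(t, err)
+
+ts.AddAccount(t, "A")
+
+// add the scope with a generate
+_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--sk", "generate", "--role", "foo")
+require.NoError(t, err)
+
+// add lower case conn types - this is prevented now, but worked in the past
+ac, err := ts.Store.ReadAccountClaim("A")
+require.NoError(t, err)
+scope, ok := ac.SigningKeys.GetScope(ac.SigningKeys.Keys()[0])
+require.True(t, ok)
+scope.(*jwt.UserScope).Template.AllowedConnectionTypes.Add(strings.ToLower(jwt.ConnectionTypeStandard))
+scope.(*jwt.UserScope).Template.AllowedConnectionTypes.Add(strings.ToLower(jwt.ConnectionTypeWebsocket))
+ac.SigningKeys.AddScopedSigner(scope)
+token, err := ac.Encode(ts.OperatorKey)
+require.NoError(t, err)
+ts.Store.StoreClaim([]byte(token))
+// test if lower case conn type was added correctly to the sk
+ac, err = ts.Store.ReadAccountClaim("A")
+require.NoError(t, err)
+require.Len(t, ac.SigningKeys.Keys(), 1)
+scope, ok = ac.SigningKeys.GetScope(ac.SigningKeys.Keys()[0])
+require.True(t, ok)
+us, ok := scope.(*jwt.UserScope)
+require.True(t, ok)
+require.NotNil(t, us)
+require.Len(t, us.Template.AllowedConnectionTypes, 2)
+require.Equal(t, strings.ToLower(jwt.ConnectionTypeStandard), us.Template.AllowedConnectionTypes[0])
+require.Equal(t, strings.ToLower(jwt.ConnectionTypeWebsocket), us.Template.AllowedConnectionTypes[1])
+
+// remove first conn type via lower cased input
+_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--sk", "foo", "--rm-conn-type", strings.ToLower(jwt.ConnectionTypeStandard))
+require.NoError(t, err)
+ac, err = ts.Store.ReadAccountClaim("A")
+require.NoError(t, err)
+require.Len(t, ac.SigningKeys.Keys(), 1)
+scope, ok = ac.SigningKeys.GetScope(ac.SigningKeys.Keys()[0])
+require.True(t, ok)
+us, ok = scope.(*jwt.UserScope)
+require.True(t, ok)
+require.NotNil(t, us)
+require.Len(t, us.Template.AllowedConnectionTypes, 1)
+// remove second conn type via upper cased input
+_, _, err = ExecuteCmd(createEditSkopedSkCmd(), "--sk", "foo", "--rm-conn-type", jwt.ConnectionTypeWebsocket)
+require.NoError(t, err)
+ac, err = ts.Store.ReadAccountClaim("A")
+require.NoError(t, err)
+require.Len(t, ac.SigningKeys.Keys(), 1)
+scope, ok = ac.SigningKeys.GetScope(ac.SigningKeys.Keys()[0])
+require.True(t, ok)
+us, ok = scope.(*jwt.UserScope)
+require.True(t, ok)
+require.NotNil(t, us)
+require.Len(t, us.Template.AllowedConnectionTypes, 0)
+}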
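Review bot: Both new tests seed the legacy lower-case state with `ts.Store.StoreClaim([]byte(token))` and discard whatever it returns, so a failed write would only surface later as a confusing length or equality mismatch. Assuming StoreClaim returns an error as its last result, capture it and follow with `require.NoError(t, err)` at both call sites. In Test_EditScopedSkRmConnType the check after the first `--rm-conn-type` asserts only `Len(..., 1)`. Adding `require.Equal(t, jwt.ConnectionTypeWebsocket, us.Template.AllowedConnectionTypes[0])` would pin that the intended entry was removed and that the surviving one was normalized.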
