feat: implement TLS cert-to-user mapping via X500 DN matching

2026-02-23 00:55:29 -05:00
parent 1269ae8275
commit 1f13269447
5 changed files with 211 additions and 0 deletions
--- a/src/NATS.Server/Auth/AuthService.cs
+++ b/src/NATS.Server/Auth/AuthService.cs
@@ -34,6 +34,13 @@ public sealed class AuthService
        var nonceRequired = false;
        Dictionary<string, User>? usersMap = null;

+        // TLS certificate mapping (highest priority when enabled)
+        if (options.TlsMap && options.TlsVerify && options.Users is { Count: > 0 })
+        {
+            authenticators.Add(new TlsMapAuthenticator(options.Users));
+            authRequired = true;
+        }
+
        // Priority order (matching Go): NKeys > Users > Token > SimpleUserPassword

        if (options.NKeys is { Count: > 0 })
--- a/src/NATS.Server/Auth/IAuthenticator.cs
+++ b/src/NATS.Server/Auth/IAuthenticator.cs
@@ -1,3 +1,4 @@
+using System.Security.Cryptography.X509Certificates;
 using NATS.Server.Protocol;

 namespace NATS.Server.Auth;
@@ -11,4 +12,5 @@ public sealed class ClientAuthContext
 {
    public required ClientOptions Opts { get; init; }
    public required byte[] Nonce { get; init; }
+    public X509Certificate2? ClientCertificate { get; init; }
 }
--- a/src/NATS.Server/Auth/TlsMapAuthenticator.cs
+++ b/src/NATS.Server/Auth/TlsMapAuthenticator.cs
@@ -0,0 +1,67 @@
+using System.Security.Cryptography.X509Certificates;
+
+namespace NATS.Server.Auth;
+
+/// <summary>
+/// Authenticates clients by mapping TLS certificate subject DN to configured users.
+/// Corresponds to Go server/auth.go checkClientTLSCertSubject.
+/// </summary>
+public sealed class TlsMapAuthenticator : IAuthenticator
+{
+    private readonly Dictionary<string, User> _usersByDn;
+    private readonly Dictionary<string, User> _usersByCn;
+
+    public TlsMapAuthenticator(IReadOnlyList<User> users)
+    {
+        _usersByDn = new Dictionary<string, User>(StringComparer.OrdinalIgnoreCase);
+        _usersByCn = new Dictionary<string, User>(StringComparer.OrdinalIgnoreCase);
+        foreach (var user in users)
+        {
+            _usersByDn[user.Username] = user;
+            _usersByCn[user.Username] = user;
+        }
+    }
+
+    public AuthResult? Authenticate(ClientAuthContext context)
+    {
+        var cert = context.ClientCertificate;
+        if (cert == null)
+            return null;
+
+        var dn = cert.SubjectName;
+        var dnString = dn.Name; // RFC 2253 format
+
+        // Try exact DN match first
+        if (_usersByDn.TryGetValue(dnString, out var user))
+            return BuildResult(user);
+
+        // Try CN extraction
+        var cn = ExtractCn(dn);
+        if (cn != null && _usersByCn.TryGetValue(cn, out user))
+            return BuildResult(user);
+
+        return null;
+    }
+
+    private static string? ExtractCn(X500DistinguishedName dn)
+    {
+        var dnString = dn.Name;
+        foreach (var rdn in dnString.Split(',', StringSplitOptions.TrimEntries))
+        {
+            if (rdn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
+                return rdn[3..];
+        }
+        return null;
+    }
+
+    private static AuthResult BuildResult(User user)
+    {
+        return new AuthResult
+        {
+            Identity = user.Username,
+            AccountName = user.Account,
+            Permissions = user.Permissions,
+            Expiry = user.ConnectionDeadline,
+        };
+    }
+}