feat: add import/export support to Account with ACCOUNT client lazy creation

2026-02-23 05:54:31 -05:00
parent 591833adbb
commit 4c2b7fa3de
3 changed files with 137 additions and 0 deletions
--- a/src/NATS.Server/Auth/Account.cs
+++ b/src/NATS.Server/Auth/Account.cs
@@ -1,4 +1,5 @@
 using System.Collections.Concurrent;
+using NATS.Server.Imports;
 using NATS.Server.Subscriptions;

 namespace NATS.Server.Auth;
@@ -12,6 +13,8 @@ public sealed class Account : IDisposable
    public Permissions? DefaultPermissions { get; set; }
    public int MaxConnections { get; set; } // 0 = unlimited
    public int MaxSubscriptions { get; set; } // 0 = unlimited
+    public ExportMap Exports { get; } = new();
+    public ImportMap Imports { get; } = new();

    // JWT fields
    public string? Nkey { get; set; }
@@ -89,5 +92,77 @@ public sealed class Account : IDisposable
        Interlocked.Add(ref _outBytes, bytes);
    }

+    // Internal (ACCOUNT) client for import/export message routing
+    private InternalClient? _internalClient;
+
+    public InternalClient GetOrCreateInternalClient(ulong clientId)
+    {
+        if (_internalClient != null) return _internalClient;
+        _internalClient = new InternalClient(clientId, ClientKind.Account, this);
+        return _internalClient;
+    }
+
+    public void AddServiceExport(string subject, ServiceResponseType responseType, IEnumerable<Account>? approved)
+    {
+        var auth = new ExportAuth
+        {
+            ApprovedAccounts = approved != null ? new HashSet<string>(approved.Select(a => a.Name)) : null,
+        };
+        Exports.Services[subject] = new ServiceExport
+        {
+            Auth = auth,
+            Account = this,
+            ResponseType = responseType,
+        };
+    }
+
+    public void AddStreamExport(string subject, IEnumerable<Account>? approved)
+    {
+        var auth = new ExportAuth
+        {
+            ApprovedAccounts = approved != null ? new HashSet<string>(approved.Select(a => a.Name)) : null,
+        };
+        Exports.Streams[subject] = new StreamExport { Auth = auth };
+    }
+
+    public ServiceImport AddServiceImport(Account destination, string from, string to)
+    {
+        if (!destination.Exports.Services.TryGetValue(to, out var export))
+            throw new InvalidOperationException($"No service export found for '{to}' on account '{destination.Name}'");
+
+        if (!export.Auth.IsAuthorized(this))
+            throw new UnauthorizedAccessException($"Account '{Name}' not authorized to import '{to}' from '{destination.Name}'");
+
+        var si = new ServiceImport
+        {
+            DestinationAccount = destination,
+            From = from,
+            To = to,
+            Export = export,
+            ResponseType = export.ResponseType,
+        };
+
+        Imports.AddServiceImport(si);
+        return si;
+    }
+
+    public void AddStreamImport(Account source, string from, string to)
+    {
+        if (!source.Exports.Streams.TryGetValue(from, out var export))
+            throw new InvalidOperationException($"No stream export found for '{from}' on account '{source.Name}'");
+
+        if (!export.Auth.IsAuthorized(this))
+            throw new UnauthorizedAccessException($"Account '{Name}' not authorized to import '{from}' from '{source.Name}'");
+
+        var si = new StreamImport
+        {
+            SourceAccount = source,
+            From = from,
+            To = to,
+        };
+
+        Imports.Streams.Add(si);
+    }
+
    public void Dispose() => SubList.Dispose();
 }