feat: add authenticators, Account, and ClientPermissions (Tasks 3-7, 9)

- Account: per-account SubList and client tracking - IAuthenticator interface, AuthResult, ClientAuthContext - TokenAuthenticator: constant-time token comparison - UserPasswordAuthenticator: multi-user with bcrypt/plain support - SimpleUserPasswordAuthenticator: single user/pass config - NKeyAuthenticator: Ed25519 nonce signature verification - ClientPermissions: SubList-based publish/subscribe authorization
2026-02-22 22:41:45 -05:00
parent 562f89744d
commit 6ebe791c6d
8 changed files with 787 additions and 0 deletions
--- a/src/NATS.Server/Auth/ClientPermissions.cs
+++ b/src/NATS.Server/Auth/ClientPermissions.cs
@@ -0,0 +1,121 @@
+using System.Collections.Concurrent;
+using NATS.Server.Subscriptions;
+
+namespace NATS.Server.Auth;
+
+public sealed class ClientPermissions : IDisposable
+{
+    private readonly PermissionSet? _publish;
+    private readonly PermissionSet? _subscribe;
+    private readonly ConcurrentDictionary<string, bool> _pubCache = new(StringComparer.Ordinal);
+
+    private ClientPermissions(PermissionSet? publish, PermissionSet? subscribe)
+    {
+        _publish = publish;
+        _subscribe = subscribe;
+    }
+
+    public static ClientPermissions? Build(Permissions? permissions)
+    {
+        if (permissions == null)
+            return null;
+
+        var pub = PermissionSet.Build(permissions.Publish);
+        var sub = PermissionSet.Build(permissions.Subscribe);
+
+        if (pub == null && sub == null)
+            return null;
+
+        return new ClientPermissions(pub, sub);
+    }
+
+    public bool IsPublishAllowed(string subject)
+    {
+        if (_publish == null)
+            return true;
+
+        return _pubCache.GetOrAdd(subject, s => _publish.IsAllowed(s));
+    }
+
+    public bool IsSubscribeAllowed(string subject, string? queue = null)
+    {
+        if (_subscribe == null)
+            return true;
+
+        return _subscribe.IsAllowed(subject);
+    }
+
+    public void Dispose()
+    {
+        _publish?.Dispose();
+        _subscribe?.Dispose();
+    }
+}
+
+public sealed class PermissionSet : IDisposable
+{
+    private readonly SubList? _allow;
+    private readonly SubList? _deny;
+
+    private PermissionSet(SubList? allow, SubList? deny)
+    {
+        _allow = allow;
+        _deny = deny;
+    }
+
+    public static PermissionSet? Build(SubjectPermission? permission)
+    {
+        if (permission == null)
+            return null;
+
+        bool hasAllow = permission.Allow is { Count: > 0 };
+        bool hasDeny = permission.Deny is { Count: > 0 };
+
+        if (!hasAllow && !hasDeny)
+            return null;
+
+        SubList? allow = null;
+        SubList? deny = null;
+
+        if (hasAllow)
+        {
+            allow = new SubList();
+            foreach (var subject in permission.Allow!)
+                allow.Insert(new Subscription { Subject = subject, Sid = "_perm_" });
+        }
+
+        if (hasDeny)
+        {
+            deny = new SubList();
+            foreach (var subject in permission.Deny!)
+                deny.Insert(new Subscription { Subject = subject, Sid = "_perm_" });
+        }
+
+        return new PermissionSet(allow, deny);
+    }
+
+    public bool IsAllowed(string subject)
+    {
+        bool allowed = true;
+
+        if (_allow != null)
+        {
+            var result = _allow.Match(subject);
+            allowed = result.PlainSubs.Length > 0 || result.QueueSubs.Length > 0;
+        }
+
+        if (allowed && _deny != null)
+        {
+            var result = _deny.Match(subject);
+            allowed = result.PlainSubs.Length == 0 && result.QueueSubs.Length == 0;
+        }
+
+        return allowed;
+    }
+
+    public void Dispose()
+    {
+        _allow?.Dispose();
+        _deny?.Dispose();
+    }
+}