dohertj2/natsnet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: session B — Go-faithful auth error states, NKey padding, permissions, signal disposal

Browse Source
This commit is contained in:
Joseph Doherty
2026-02-26 17:49:13 -05:00
parent 8c380e7ca6
commit a0c9c0094c
12 changed files with 97 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
dotnet/src/ZB.MOM.NatsNet.Server/Auth/AuthHandler.cs
View File

@@ -278,16 +278,19 @@ public static partial class AuthHandler
/// </summary>
public static ClosedState GetAuthErrClosedState(Exception? err)
{
if (err == null) return ClosedState.AuthenticationTimeout;
var msg = err.Message;
if (msg.Contains("expired", StringComparison.OrdinalIgnoreCase)) return ClosedState.AuthenticationExpired;
if (msg.Contains("revoked", StringComparison.OrdinalIgnoreCase)) return ClosedState.AuthRevoked;
return ClosedState.AuthenticationViolation;
return err switch
{
AuthProxyNotTrustedException => ClosedState.ProxyNotTrusted,
AuthProxyRequiredException => ClosedState.ProxyRequired,
_ => ClosedState.AuthenticationViolation,
};
}
/// <summary>
/// Validates proxy configuration entries in options.
/// Mirrors Go <c>validateProxies</c> in server/auth.go.
/// Validates that proxy protocol configuration is consistent.
/// If <see cref="ServerOptions.ProxyRequired"/> is set, <see cref="ServerOptions.ProxyProtocol"/> must also be enabled.
/// Note: Full NKey-format validation of trusted proxy keys is deferred until proxy auth is fully implemented.
/// Partially mirrors Go <c>validateProxies</c> in server/auth.go.
/// </summary>
public static Exception? ValidateProxies(ServerOptions opts)
{

18
dotnet/src/ZB.MOM.NatsNet.Server/Auth/AuthTypes.cs
View File

@@ -170,3 +170,21 @@ public class RoutePermissions
// Account stub removed — full implementation is in Accounts/Account.cs
// in the ZB.MOM.NatsNet.Server namespace.
/// <summary>
/// Sentinel exception representing a proxy-auth "not trusted" error.
/// Mirrors Go <c>ErrAuthProxyNotTrusted</c> in server/auth.go.
/// </summary>
public sealed class AuthProxyNotTrustedException : InvalidOperationException
{
public AuthProxyNotTrustedException() : base("proxy not trusted") { }
}
/// <summary>
/// Sentinel exception representing a proxy-auth "required" error.
/// Mirrors Go <c>ErrAuthProxyRequired</c> in server/auth.go.
/// </summary>
public sealed class AuthProxyRequiredException : InvalidOperationException
{
public AuthProxyRequiredException() : base("proxy required") { }
}

23
dotnet/src/ZB.MOM.NatsNet.Server/Auth/JwtProcessor.cs
View File

@@ -31,15 +31,6 @@ public static class JwtProcessor
/// </summary>
public const string JwtPrefix = "eyJ";
/// <summary>
/// Wipes a byte slice by filling with 'x', for clearing nkey seed data.
/// Mirrors Go <c>wipeSlice</c>.
/// </summary>
public static void WipeSlice(Span<byte> buf)
{
buf.Fill((byte)'x');
}
/// <summary>
/// Validates that the given IP host address is allowed by the user claims source CIDRs.
/// Returns true if the host is within any of the allowed CIDRs, or if no CIDRs are specified.
@@ -227,17 +218,9 @@ public static class JwtProcessor
if (opts.TrustedOperators == null || opts.TrustedOperators.Count == 0)
return null;
// Each operator should be a well-formed JWT.
foreach (var op in opts.TrustedOperators)
{
var jwtStr = op?.ToString() ?? string.Empty;
var (_, err) = ReadOperatorJwtInternal(jwtStr);
// Allow the "not implemented" case through — structure validated up to prefix check.
if (err is FormatException fe && fe.Message.Contains("not fully implemented"))
continue;
if (err is ArgumentException)
return new InvalidOperationException($"invalid trusted operator JWT: {err.Message}");
}
// TODO: Full trusted operator JWT validation requires a NATS JWT library.
// Each operator JWT should be decoded and its signing key chain verified.
// For now, we accept any non-empty operator list and validate at connect time.
return null;
}
}

4
dotnet/src/ZB.MOM.NatsNet.Server/ClientConnection.cs
View File

@@ -872,12 +872,10 @@ public sealed partial class ClientConnection
internal void SetPermissions(Auth.Permissions? perms)
{
// Full permission installation deferred to later session.
// Store in Perms for now.
lock (_mu)
{
if (perms != null)
Perms ??= new ClientPermissions();
Perms = BuildPermissions(perms);
}
}

1
dotnet/src/ZB.MOM.NatsNet.Server/ClientTypes.cs
View File

@@ -166,7 +166,6 @@ public enum ClosedState
Kicked,
ProxyNotTrusted,
ProxyRequired,
AuthRevoked,
}
// ============================================================================

10
dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Auth.cs
View File

@@ -169,9 +169,13 @@ public sealed partial class NatsServer
{
try
{
var kp = NATS.NKeys.KeyPair.FromPublicKey(nkeyPub.AsSpan());
// Sig is base64url-encoded; nonce is raw bytes.
var sigBytes = Convert.FromBase64String(sig.Replace('-', '+').Replace('_', '/'));
var kp = NATS.NKeys.KeyPair.FromPublicKey(nkeyPub.AsSpan());
// Sig is raw URL-safe base64; convert to standard base64 with padding.
var padded = sig.Replace('-', '+').Replace('_', '/');
var rem = padded.Length % 4;
if (rem == 2) padded += "==";
else if (rem == 3) padded += "=";
var sigBytes = Convert.FromBase64String(padded);
var verified = kp.Verify(
new ReadOnlyMemory<byte>(nonce),
new ReadOnlyMemory<byte>(sigBytes));

2
dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Lifecycle.cs
View File

@@ -141,6 +141,8 @@ public sealed partial class NatsServer
if (_ocsprc != null) { /* stub — stop OCSP cache in session 23 */ }
DisposeSignalHandlers();
_shutdownComplete.TrySetResult();
}

2
dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Signals.cs
View File

@@ -73,7 +73,7 @@ public sealed partial class NatsServer
});
}
private void DisposeSignalHandlers()
internal void DisposeSignalHandlers()
{
_sigHup?.Dispose();
_sigTerm?.Dispose();