feat(batch1): implement jwt wipe and nonce-required internal logic

2026-02-28 06:30:23 -05:00
parent f9b582dcca
commit d8d71eab95
8 changed files with 161 additions and 9 deletions
--- a/dotnet/src/ZB.MOM.NatsNet.Server/Auth/AuthHandler.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/Auth/AuthHandler.cs
@@ -269,7 +269,7 @@ public static partial class AuthHandler
    /// </summary>
    public static void WipeSlice(Span<byte> buf)
    {
-        buf.Fill((byte)'x');
+        JwtProcessor.WipeSlice(buf);
    }

    /// <summary>
--- a/dotnet/src/ZB.MOM.NatsNet.Server/Auth/JwtProcessor.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/Auth/JwtProcessor.cs
@@ -31,6 +31,15 @@ public static class JwtProcessor
    /// </summary>
    public const string JwtPrefix = "eyJ";

+    /// <summary>
+    /// Wipes a byte slice by filling with <c>'x'</c>.
+    /// Mirrors Go <c>wipeSlice</c>.
+    /// </summary>
+    public static void WipeSlice(Span<byte> buf)
+    {
+        buf.Fill((byte)'x');
+    }
+
    /// <summary>
    /// Validates that the given IP host address is allowed by the user claims source CIDRs.
    /// Returns true if the host is within any of the allowed CIDRs, or if no CIDRs are specified.
--- a/dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Listeners.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/NatsServer.Listeners.cs
@@ -61,10 +61,29 @@ public sealed partial class NatsServer

    /// <summary>
    /// Returns true if this server requires clients to send a nonce for auth.
-    /// Stub — full implementation in session 11.
+    /// Mirrors Go <c>Server.NonceRequired()</c>.
    /// Mirrors Go <c>Server.nonceRequired()</c>.
    /// </summary>
-    private bool NonceRequired() => false;
+    private bool NonceRequired()
+    {
+        _mu.EnterReadLock();
+        try
+        {
+            return NonceRequiredInternal();
+        }
+        finally
+        {
+            _mu.ExitReadLock();
+        }
+    }
+
+    /// <summary>
+    /// Returns true if this server requires clients to send a nonce for auth.
+    /// Lock should be held by caller for strict Go parity.
+    /// Mirrors Go <c>Server.nonceRequired()</c>.
+    /// </summary>
+    internal bool NonceRequiredInternal()
+        => GetOpts().AlwaysEnableNonce || (_nkeys?.Count > 0) || _trustedKeys != null || _proxiesKeyPairs.Count > 0;

    /// <summary>
    /// Fills <paramref name="nonce"/> with random bytes.
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/JwtProcessorTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/JwtProcessorTests.cs
@@ -40,7 +40,7 @@ public class JwtProcessorTests
    public void WipeSlice_FillsWithX()
    {
        var buf = new byte[] { 0x01, 0x02, 0x03 };
-        AuthHandler.WipeSlice(buf);
+        JwtProcessor.WipeSlice(buf);
        buf.ShouldAllBe(b => b == (byte)'x');
    }

@@ -48,7 +48,7 @@ public class JwtProcessorTests
    public void WipeSlice_EmptyBuffer_NoOp()
    {
        var buf = Array.Empty<byte>();
-        AuthHandler.WipeSlice(buf);
+        JwtProcessor.WipeSlice(buf);
    }

    // =========================================================================
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Server/NonceRequiredTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Server/NonceRequiredTests.cs
@@ -0,0 +1,87 @@
+// Copyright 2012-2026 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using System.Reflection;
+using Shouldly;
+using ZB.MOM.NatsNet.Server.Auth;
+
+namespace ZB.MOM.NatsNet.Server.Tests.Server;
+
+public sealed class NonceRequiredTests
+{
+    [Fact]
+    public void NonceRequiredInternal_NoConditions_ReturnsFalse()
+    {
+        var server = CreateServer();
+        server.NonceRequiredInternal().ShouldBeFalse();
+    }
+
+    [Fact]
+    public void NonceRequiredInternal_AlwaysEnableNonceOptionSet_ReturnsTrue()
+    {
+        var server = CreateServer();
+        var opts = server.GetOpts();
+        opts.AlwaysEnableNonce = true;
+        server.SetOpts(opts);
+
+        server.NonceRequiredInternal().ShouldBeTrue();
+    }
+
+    [Fact]
+    public void NonceRequiredInternal_NkeysConfigured_ReturnsTrue()
+    {
+        var server = CreateServer();
+        SetPrivateField(server, "_nkeys", new Dictionary<string, NkeyUser>
+        {
+            ["UAEXAMPLE"] = new() { Nkey = "UAEXAMPLE" },
+        });
+
+        server.NonceRequiredInternal().ShouldBeTrue();
+    }
+
+    [Fact]
+    public void NonceRequiredInternal_TrustedKeysPresent_ReturnsTrue()
+    {
+        var server = CreateServer();
+        SetPrivateField(server, "_trustedKeys", new List<string> { "OPKEY" });
+
+        server.NonceRequiredInternal().ShouldBeTrue();
+    }
+
+    [Fact]
+    public void NonceRequiredInternal_ProxiesKeyPairsPresent_ReturnsTrue()
+    {
+        var server = CreateServer();
+        var proxiesField = typeof(NatsServer).GetField("_proxiesKeyPairs", BindingFlags.Instance | BindingFlags.NonPublic);
+        proxiesField.ShouldNotBeNull();
+        var proxies = proxiesField!.GetValue(server).ShouldBeOfType<List<object>>();
+        proxies.Add(new object());
+
+        server.NonceRequiredInternal().ShouldBeTrue();
+    }
+
+    private static NatsServer CreateServer()
+    {
+        var (server, error) = NatsServer.NewServer(new ServerOptions());
+        error.ShouldBeNull();
+        server.ShouldNotBeNull();
+        return server!;
+    }
+
+    private static void SetPrivateField<T>(NatsServer server, string fieldName, T value)
+    {
+        var field = typeof(NatsServer).GetField(fieldName, BindingFlags.Instance | BindingFlags.NonPublic);
+        field.ShouldNotBeNull();
+        field!.SetValue(server, value);
+    }
+}
--- a/porting.db
+++ b/porting.db
--- a/reports/current.md
+++ b/reports/current.md
@@ -1,6 +1,6 @@
 # NATS .NET Porting Status Report

-Generated: 2026-02-28 11:05:07 UTC
+Generated: 2026-02-28 11:30:24 UTC

 ## Modules (12 total)

@@ -12,10 +12,10 @@ Generated: 2026-02-28 11:05:07 UTC

 | Status | Count |
 |--------|-------|
-| deferred | 2375 |
+| deferred | 2373 |
 | n_a | 24 |
 | stub | 1 |
-| verified | 1273 |
+| verified | 1275 |

 ## Unit Tests (3257 total)

@@ -34,4 +34,4 @@ Generated: 2026-02-28 11:05:07 UTC

 ## Overall Progress

-**2475/6942 items complete (35.7%)**
+**2477/6942 items complete (35.7%)**
--- a/reports/report_f9b582d.md
+++ b/reports/report_f9b582d.md
@@ -0,0 +1,37 @@
+# NATS .NET Porting Status Report
+
+Generated: 2026-02-28 11:30:24 UTC
+
+## Modules (12 total)
+
+| Status | Count |
+|--------|-------|
+| verified | 12 |
+
+## Features (3673 total)
+
+| Status | Count |
+|--------|-------|
+| deferred | 2373 |
+| n_a | 24 |
+| stub | 1 |
+| verified | 1275 |
+
+## Unit Tests (3257 total)
+
+| Status | Count |
+|--------|-------|
+| deferred | 2091 |
+| n_a | 187 |
+| verified | 979 |
+
+## Library Mappings (36 total)
+
+| Status | Count |
+|--------|-------|
+| mapped | 36 |
+
+
+## Overall Progress
+
+**2477/6942 items complete (35.7%)**