Merge pull request #83 from netlify/nats-basic-auth

[nats] Implement more auth methods

Author: sgirones

messaging/nats.go

@@ -1,8 +1,10 @@
 package messaging
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
+	"strings"
 	"time"
 
 	"github.com/nats-io/go-nats"
@@ -24,11 +26,16 @@ func ConfigureNatsConnection(config *nconf.NatsConfig, log logrus.FieldLogger) (
 	if log == nil {
 		log = silent
 	}
+
 	if config == nil {
 		log.Debug("Skipping nats connection because there is no config")
 		return nil, nil
 	}
 
+	if !config.TLS.Enabled {
+		log.Warn("Connection to NATS servers is not using TLS")
+	}
+
 	if err := config.LoadServerNames(); err != nil {
 		return nil, errors.Wrap(err, "Failed to discover new servers")
 	}
@@ -43,14 +50,29 @@ func ConfigureNatsConnection(config *nconf.NatsConfig, log logrus.FieldLogger) (
 }
 
 func ConnectToNats(config *nconf.NatsConfig, opts ...nats.Option) (*nats.Conn, error) {
-	if config.TLS != nil {
-		tlsConfig, err := config.TLS.TLSConfig()
-		if err != nil {
-			return nil, errors.Wrap(err, "Failed to configure TLS")
-		}
-		if tlsConfig != nil {
-			opts = append(opts, nats.Secure(tlsConfig))
+	tlsConfig, err := config.TLS.TLSConfig()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to configure TLS")
+	}
+
+	// If TLS is enabled, make the connection to NATS secure
+	if config.TLS.Enabled {
+		opts = append(opts, NatsRootCAs(tlsConfig))
+	}
+
+	switch strings.ToLower(config.Auth.Method) {
+	case nconf.NatsAuthMethodUser:
+		opts = append(opts, nats.UserInfo(config.Auth.User, config.Auth.Password))
+	case nconf.NatsAuthMethodToken:
+		opts = append(opts, nats.Token(config.Auth.Token))
+	case nconf.NatsAuthMethodTLS:
+		// if using TLS auth, make sure the client certificate is loaded
+		if tlsConfig == nil || len(tlsConfig.Certificates) == 0 {
+			return nil, fmt.Errorf("TLS auth method is configured but no certificate was loaded")
 		}
+		opts = append(opts, nats.Secure(tlsConfig))
+	default:
+		return nil, fmt.Errorf("Invalid auth method: '%s'", config.Auth.Method)
 	}
 
 	return nats.Connect(config.ServerString(), opts...)
@@ -109,3 +131,25 @@ func ErrorHandler(log logrus.FieldLogger) nats.Option {
 	}
 	return nats.ErrorHandler(handler)
 }
+
+// NatsRootCAs is a NATS helper option to provide the RootCAs pool from a tls.Config struct. If Secure is
+// not already set this will set it as well.
+func NatsRootCAs(tlsConf *tls.Config) nats.Option {
+	return func(o *nats.Options) error {
+		if tlsConf.RootCAs == nil {
+			return fmt.Errorf("nats: the RootCAs pool from the given tls.Config is nil")
+		}
+
+		if o.TLSConfig == nil {
+			o.TLSConfig = &tls.Config{
+				MinVersion:         tls.VersionTLS12,
+				InsecureSkipVerify: tlsConf.InsecureSkipVerify,
+			}
+		}
+
+		o.TLSConfig.RootCAs = tlsConf.RootCAs
+		o.Secure = true
+
+		return nil
+	}
+}

nconf/nats.go

@@ -8,14 +8,28 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+const (
+	NatsAuthMethodUser  = "user"
+	NatsAuthMethodToken = "token"
+	NatsAuthMethodTLS   = "tls"
+)
+
+type NatsAuth struct {
+	Method   string `mapstructure:"method"`
+	User     string `mapstructure:"user"`
+	Password string `mapstructure:"password"`
+	Token    string `mapstructure:"token"`
+}
+
 type NatsConfig struct {
 	TLS           *TLSConfig `mapstructure:"tls_conf"`
-	DiscoveryName string     `split_words:"true" mapstructure:"discovery_name"`
+	DiscoveryName string     `mapstructure:"discovery_name" split_words:"true"`
 	Servers       []string   `mapstructure:"servers"`
+	Auth          NatsAuth   `mapstructure:"auth"`
 
 	// for streaming
-	ClusterID string `mapstructure:"cluster_id" envconfig:"cluster_id"`
-	ClientID  string `mapstructure:"client_id" envconfig:"client_id"`
+	ClusterID string `mapstructure:"cluster_id" split_words:"true"`
+	ClientID  string `mapstructure:"client_id" split_words:"true"`
 	StartPos  string `mapstructure:"start_pos" split_words:"true"`
 }
 
@@ -48,6 +62,10 @@ func (config *NatsConfig) Fields() logrus.Fields {
 		"servers": strings.Join(config.Servers, ","),
 	}
 
+	if config.Auth.Method != "" {
+		f["auth_method"] = config.Auth.Method
+	}
+
 	if config.TLS != nil {
 		f["ca_files"] = strings.Join(config.TLS.CAFiles, ",")
 		f["key_file"] = config.TLS.KeyFile

nconf/tls.go

@@ -5,6 +5,8 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io/ioutil"
+
+	"github.com/pkg/errors"
 )
 
 type TLSConfig struct {
@@ -21,88 +23,78 @@ type TLSConfig struct {
 }
 
 func (cfg TLSConfig) TLSConfig() (*tls.Config, error) {
-	var tlsconf *tls.Config
 	var err error
-	if cfg.Cert != "" && cfg.Key != "" {
-		tlsconf, err = LoadFromValues(cfg.Cert, cfg.Key, cfg.CA)
-	} else if cfg.CertFile != "" && cfg.KeyFile != "" {
-		tlsconf, err = LoadFromFiles(cfg.CertFile, cfg.KeyFile, cfg.CAFiles)
-	}
 
-	if err != nil {
-		return nil, err
+	tlsConf := &tls.Config{
+		MinVersion:         tls.VersionTLS12,
+		InsecureSkipVerify: cfg.Insecure,
 	}
 
-	if tlsconf != nil {
-		tlsconf.InsecureSkipVerify = cfg.Insecure
+	// Load CA
+	if cfg.CA != "" {
+		tlsConf.RootCAs, err = LoadCAFromValue(cfg.CA)
+	} else if len(cfg.CAFiles) > 0 {
+		tlsConf.RootCAs, err = LoadCAFromFiles(cfg.CAFiles)
+	} else {
+		tlsConf.RootCAs, err = x509.SystemCertPool()
 	}
 
-	return tlsconf, nil
-}
+	if err != nil {
+		return nil, errors.Wrap(err, "Error setting up Root CA pool")
+	}
 
-func LoadFromValues(certPEM, keyPEM, ca string) (*tls.Config, error) {
-	var pool *x509.CertPool
-	// If no CA cert if provided, use system pool
-	if ca == "" {
-		p, err := x509.SystemCertPool()
-		if err != nil {
-			return nil, err
-		}
-		pool = p
-	} else {
-		pool = x509.NewCertPool()
-		if !pool.AppendCertsFromPEM([]byte(ca)) {
-			return nil, fmt.Errorf("Failed to add CA cert")
-		}
+	// Load Certs if any
+	var cert tls.Certificate
+	if cfg.Cert != "" && cfg.Key != "" {
+		cert, err = LoadCertFromValues(cfg.Cert, cfg.Key)
+		tlsConf.Certificates = append(tlsConf.Certificates, cert)
+	} else if cfg.CertFile != "" && cfg.KeyFile != "" {
+		cert, err = LoadCertFromFiles(cfg.CertFile, cfg.KeyFile)
+		tlsConf.Certificates = append(tlsConf.Certificates, cert)
 	}
 
-	cert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
 	if err != nil {
-		return nil, err
+		return nil, errors.Wrap(err, "Error loading certificate KeyPair")
 	}
 
-	tlsConfig := &tls.Config{
-		RootCAs:      pool,
-		Certificates: []tls.Certificate{cert},
-		MinVersion:   tls.VersionTLS12,
+	// Backwards compatibility: if TLS is not explicitly enabled, return nil if no certificate was provided
+	// Old code disabled TLS by not providing a certificate, which returned nil when calling TLSConfig()
+	if !cfg.Enabled && len(tlsConf.Certificates) == 0 {
+		return nil, nil
 	}
 
-	return tlsConfig, nil
+	return tlsConf, nil
+}
+
+func LoadCertFromValues(certPEM, keyPEM string) (tls.Certificate, error) {
+	return tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
 }
 
-func LoadFromFiles(certFile, keyFile string, cafiles []string) (*tls.Config, error) {
-	var pool *x509.CertPool
-	if len(cafiles) == 0 {
-		p, err := x509.SystemCertPool()
+func LoadCertFromFiles(certFile, keyFile string) (tls.Certificate, error) {
+	return tls.LoadX509KeyPair(certFile, keyFile)
+}
+
+func LoadCAFromFiles(cafiles []string) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+
+	for _, caFile := range cafiles {
+		caData, err := ioutil.ReadFile(caFile)
 		if err != nil {
 			return nil, err
 		}
-		pool = p
-	} else {
-		pool = x509.NewCertPool()
-
-		for _, caFile := range cafiles {
-			caData, err := ioutil.ReadFile(caFile)
-			if err != nil {
-				return nil, err
-			}
 
-			if !pool.AppendCertsFromPEM(caData) {
-				return nil, fmt.Errorf("Failed to add CA cert at %s", caFile)
-			}
+		if !pool.AppendCertsFromPEM(caData) {
+			return nil, fmt.Errorf("Failed to add CA cert at %s", caFile)
 		}
 	}
 
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, err
-	}
+	return pool, nil
+}
 
-	tlsConfig := &tls.Config{
-		RootCAs:      pool,
-		Certificates: []tls.Certificate{cert},
-		MinVersion:   tls.VersionTLS12,
+func LoadCAFromValue(ca string) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+	if !pool.AppendCertsFromPEM([]byte(ca)) {
+		return nil, fmt.Errorf("Failed to add CA cert")
 	}
-
-	return tlsConfig, nil
+	return pool, nil
 }