From 0f305ccc0f25f0b1da1f3a588add1cf64e6144b7 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Fri, 15 Dec 2023 15:15:08 +0100 Subject: [PATCH 1/2] allow authentication for nats stores Signed-off-by: jkoberg --- changelog/unreleased/nats-authentication.md | 5 +++++ pkg/storage/cache/cache.go | 3 +++ pkg/storage/utils/decomposedfs/decomposedfs.go | 1 + pkg/store/options.go | 14 ++++++++++++++ pkg/store/store.go | 8 ++++++++ 5 files changed, 31 insertions(+) create mode 100644 changelog/unreleased/nats-authentication.md diff --git a/changelog/unreleased/nats-authentication.md b/changelog/unreleased/nats-authentication.md new file mode 100644 index 0000000000..36daa6dbb0 --- /dev/null +++ b/changelog/unreleased/nats-authentication.md @@ -0,0 +1,5 @@ +Enhancement: Allow authentication for nats connections + +Allows configuring username/password for nats connections + +https://github.com/cs3org/reva/pull/4412 diff --git a/pkg/storage/cache/cache.go b/pkg/storage/cache/cache.go index c02d246242..0ff7229c42 100644 --- a/pkg/storage/cache/cache.go +++ b/pkg/storage/cache/cache.go @@ -51,6 +51,8 @@ type Config struct { TTL time.Duration `mapstructure:"cache_ttl"` Size int `mapstructure:"cache_size"` DisablePersistence bool `mapstructure:"cache_disable_persistence"` + AuthUsername string `mapstructure:"cache_auth_username"` + AuthPassword string `mapstructure:"cache_auth_password"` } // Cache handles key value operations on caches @@ -240,5 +242,6 @@ func getStore(cfg Config) microstore.Store { store.TTL(cfg.TTL), store.Size(cfg.Size), store.DisablePersistence(cfg.DisablePersistence), + store.Authentication(cfg.AuthUsername, cfg.AuthPassword), ) } diff --git a/pkg/storage/utils/decomposedfs/decomposedfs.go b/pkg/storage/utils/decomposedfs/decomposedfs.go index 23384d5536..b6ee40d295 100644 --- a/pkg/storage/utils/decomposedfs/decomposedfs.go +++ b/pkg/storage/utils/decomposedfs/decomposedfs.go @@ -145,6 +145,7 @@ func NewDefault(m map[string]interface{}, bs tree.Blobstore, es events.Stream) ( microstore.Database(o.IDCache.Database), microstore.Table(o.IDCache.Table), store.DisablePersistence(o.IDCache.DisablePersistence), + store.Authentication(o.IDCache.AuthUsername, o.IDCache.AuthPassword), )) permissionsSelector, err := pool.PermissionsSelector(o.PermissionsSVC, pool.WithTLSMode(o.PermTLSMode)) diff --git a/pkg/store/options.go b/pkg/store/options.go index c4e177e546..75ba99c6bb 100644 --- a/pkg/store/options.go +++ b/pkg/store/options.go @@ -89,3 +89,17 @@ func DisablePersistence(val bool) store.Option { o.Context = context.WithValue(o.Context, disablePersistanceContextKey{}, val) } } + +type authenticationContextKey struct{} + +// Authentication configures the username and password to use for authentication. +// Only supported by the `natsjskv` implementation. +func Authentication(username, password string) store.Option { + return func(o *store.Options) { + if o.Context == nil { + o.Context = context.Background() + } + + o.Context = context.WithValue(o.Context, authenticationContextKey{}, []string{username, password}) + } +} diff --git a/pkg/store/store.go b/pkg/store/store.go index 67ef00dd2b..f26edff2e2 100644 --- a/pkg/store/store.go +++ b/pkg/store/store.go @@ -127,6 +127,10 @@ func Create(opts ...microstore.Option) microstore.Store { // host, port, clusterid natsOptions := nats.GetDefaultOptions() natsOptions.Name = "TODO" // we can pass in the service name to allow identifying the client, but that requires adding a custom context option + if auth, ok := options.Context.Value(authenticationContextKey{}).([]string); ok && len(auth) == 2 { + natsOptions.User = auth[0] + natsOptions.Password = auth[1] + } return natsjs.NewStore( append(opts, natsjs.NatsOptions(natsOptions), // always pass in properly initialized default nats options @@ -141,6 +145,10 @@ func Create(opts ...microstore.Option) microstore.Store { natsOptions := nats.GetDefaultOptions() natsOptions.Name = "TODO" // we can pass in the service name to allow identifying the client, but that requires adding a custom context option + if auth, ok := options.Context.Value(authenticationContextKey{}).([]string); ok && len(auth) == 2 { + natsOptions.User = auth[0] + natsOptions.Password = auth[1] + } return natsjskv.NewStore( append(opts, natsjs.NatsOptions(natsOptions), // always pass in properly initialized default nats options From 84e060ec0f08675040eb618749b41cd090f5c5f6 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Fri, 15 Dec 2023 15:25:04 +0100 Subject: [PATCH 2/2] allow authentication for nats events Signed-off-by: jkoberg --- go.sum | 2 -- .../interceptors/eventsmiddleware/events.go | 17 ++++++----------- .../services/storageprovider/storageprovider.go | 2 ++ .../http/services/dataprovider/dataprovider.go | 4 ++++ pkg/events/stream/nats.go | 15 +++++++++------ pkg/share/manager/jsoncs3/jsoncs3.go | 2 ++ 6 files changed, 23 insertions(+), 19 deletions(-) diff --git a/go.sum b/go.sum index 44aac726d7..2658248580 100644 --- a/go.sum +++ b/go.sum @@ -616,8 +616,6 @@ github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20230807070816-bc05fb076ce7 h1:/RpJVLKmKT2OcEnKCPaS6n+zygNzYDzwoYgPQEgcEiQ= -github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20230807070816-bc05fb076ce7/go.mod h1:lYuiEYKQTpbE2LA8HEcC8D6kQ29M7ILfEak3dzeucEg= github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20231215124540-f7f8d3274bf9 h1:YOIavj+ZgO9HzukpdXZCvQv+AahjW/fTVFVF4QFRabw= github.com/go-micro/plugins/v4/events/natsjs v1.2.2-0.20231215124540-f7f8d3274bf9/go.mod h1:cL0O63th39fZ+M/aRJvajz7Qnmv+UTXugOq1k3qrYiQ= github.com/go-micro/plugins/v4/registry/consul v1.2.1 h1:3wctYMtstwQLCjoJ1HA6mKGGFF1hcdKDv5MzHakB1jE= diff --git a/internal/grpc/interceptors/eventsmiddleware/events.go b/internal/grpc/interceptors/eventsmiddleware/events.go index 4162503d1d..6b0f9da9b4 100644 --- a/internal/grpc/interceptors/eventsmiddleware/events.go +++ b/internal/grpc/interceptors/eventsmiddleware/events.go @@ -37,6 +37,7 @@ import ( "github.com/cs3org/reva/v2/pkg/rgrpc" "github.com/cs3org/reva/v2/pkg/storagespace" "github.com/cs3org/reva/v2/pkg/utils" + "github.com/mitchellh/mapstructure" ) const ( @@ -223,17 +224,11 @@ func publisherFromConfig(m map[string]interface{}) (events.Publisher, error) { default: return nil, fmt.Errorf("stream type '%s' not supported", typ) case "nats": - var tlsCert string - val, ok := m["tls-root-ca-cert"] - if ok { - tlsCert = val.(string) + var cfg stream.NatsConfig + if err := mapstructure.Decode(m, &cfg); err != nil { + return nil, err } - return stream.NatsFromConfig(m["name"].(string), false, stream.NatsConfig{ - Endpoint: m["address"].(string), - Cluster: m["clusterID"].(string), - EnableTLS: m["enable-tls"].(bool), - TLSInsecure: m["tls-insecure"].(bool), - TLSRootCACertificate: tlsCert, - }) + name, _ := m["name"].(string) + return stream.NatsFromConfig(name, false, cfg) } } diff --git a/internal/grpc/services/storageprovider/storageprovider.go b/internal/grpc/services/storageprovider/storageprovider.go index 5b1274c0e4..532854a290 100644 --- a/internal/grpc/services/storageprovider/storageprovider.go +++ b/internal/grpc/services/storageprovider/storageprovider.go @@ -76,6 +76,8 @@ type eventconfig struct { TLSInsecure bool `mapstructure:"tls_insecure" docs:"Whether to verify the server TLS certificates."` TLSRootCACertificate string `mapstructure:"tls_root_ca_cert" docs:"The root CA certificate used to validate the server's TLS certificate."` EnableTLS bool `mapstructure:"nats_enable_tls" docs:"events tls switch"` + AuthUsername string `mapstructure:"nats_username" docs:"event stream username"` + AuthPassword string `mapstructure:"nats_password" docs:"event stream password"` } func (c *config) init() { diff --git a/internal/http/services/dataprovider/dataprovider.go b/internal/http/services/dataprovider/dataprovider.go index cb930b95a7..f9c14e7b88 100644 --- a/internal/http/services/dataprovider/dataprovider.go +++ b/internal/http/services/dataprovider/dataprovider.go @@ -48,6 +48,8 @@ type config struct { NatsTLSInsecure bool `mapstructure:"nats_tls_insecure"` NatsRootCACertPath string `mapstructure:"nats_root_ca_cert_path"` NatsEnableTLS bool `mapstructure:"nats_enable_tls"` + NatsUsername string `mapstructure:"nats_username"` + NatsPassword string `mapstructure:"nats_password"` } func (c *config) init() { @@ -86,6 +88,8 @@ func New(m map[string]interface{}, log *zerolog.Logger) (global.Service, error) EnableTLS: conf.NatsEnableTLS, TLSInsecure: conf.NatsTLSInsecure, TLSRootCACertificate: conf.NatsRootCACertPath, + AuthUsername: conf.NatsUsername, + AuthPassword: conf.NatsPassword, }) if err != nil { return nil, err diff --git a/pkg/events/stream/nats.go b/pkg/events/stream/nats.go index 4910d694e2..30ffec7ca0 100644 --- a/pkg/events/stream/nats.go +++ b/pkg/events/stream/nats.go @@ -17,11 +17,14 @@ import ( // NatsConfig is the configuration needed for a NATS event stream type NatsConfig struct { - Endpoint string // Endpoint of the nats server - Cluster string // CluserID of the nats cluster - TLSInsecure bool // Whether to verify TLS certificates - TLSRootCACertificate string // The root CA certificate used to validate the TLS certificate - EnableTLS bool // Enable TLS + Endpoint string `mapstructure:"address"` // Endpoint of the nats server + Cluster string `mapstructure:"clusterID"` // CluserID of the nats cluster + TLSInsecure bool `mapstructure:"tls-insecure"` // Whether to verify TLS certificates + TLSRootCACertificate string `mapstructure:"tls-root-ca-cert"` // The root CA certificate used to validate the TLS certificate + EnableTLS bool `mapstructure:"enable-tls"` // Enable TLS + AuthUsername string `mapstructure:"username"` // Username for authentication + AuthPassword string `mapstructure:"password"` // Password for authentication + } // NatsFromConfig returns a nats stream from the given config @@ -55,6 +58,7 @@ func NatsFromConfig(connName string, disableDurability bool, cfg NatsConfig) (ev natsjs.ClusterID(cfg.Cluster), natsjs.SynchronousPublish(true), natsjs.Name(connName), + natsjs.Authenticate(cfg.AuthUsername, cfg.AuthPassword), } if disableDurability { @@ -62,7 +66,6 @@ func NatsFromConfig(connName string, disableDurability bool, cfg NatsConfig) (ev } return Nats(opts...) - } // nats returns a nats streaming client diff --git a/pkg/share/manager/jsoncs3/jsoncs3.go b/pkg/share/manager/jsoncs3/jsoncs3.go index f0fa2cbd51..be1629119b 100644 --- a/pkg/share/manager/jsoncs3/jsoncs3.go +++ b/pkg/share/manager/jsoncs3/jsoncs3.go @@ -133,6 +133,8 @@ type EventOptions struct { TLSInsecure bool `mapstructure:"tlsinsecure"` TLSRootCACertificate string `mapstructure:"tlsrootcacertificate"` EnableTLS bool `mapstructure:"enabletls"` + AuthUsername string `mapstructure:"authusername"` + AuthPassword string `mapstructure:"authpassword"` } // Manager implements a share manager using a cs3 storage backend with local caching