Connect Enhancements #833

scottf · 2023-10-26T22:57:11Z

Reconnect On Connect
Authentication Expired support
Ensuring not failing on Authentication Or Authorization Error
Support 2.10.3 TLS (Handshake) First

src/NATS.Client/Connection.cs

src/NATS.Client/ConnectionFactory.cs

src/NATS.Client/Exceptions.cs

src/NATS.Client/IConnectionFactory.cs

scottf · 2023-10-27T17:02:33Z

src/NATS.Client/Internals/JwtUtils.cs

-            "    NKEY Seed printed below can be used to sign and prove identity.\n" +
-            "    NKEYs are sensitive and should be treated as secrets.\n" +
+            "NKEY Seed printed below can be used to sign and prove identity.\n" +
+            "NKEYs are sensitive and should be treated as secrets.\n" +


Obsessive formatting done here, nothing functional, although I had to change unit tests.

src/NATS.Client/Internals/JwtUtils.cs

src/NATS.Client/Options.cs

src/NATS.Client/ServerPool.cs

src/NATS.Client/Srv.cs

src/Tests/IntegrationTests/IntegrationTests.csproj

scottf · 2023-10-27T17:09:03Z

src/Tests/IntegrationTests/TestAuthorization.cs

@@ -240,6 +240,46 @@ var expiredUserJwt
                Assert.Equal("'Authorization Violation'", ex.Message, StringComparer.OrdinalIgnoreCase);
            }
        }
+
+        [Fact]
+        public void TestRealUserAuthenticationExpired()


This test uses a JWT that will expire quickly. The user connects to the server while the jwt is valid, and then the server disconnects the connection when the jwt expires.

src/Tests/IntegrationTests/TestJetStreamPull.cs

src/Tests/IntegrationTests/TestSuite.cs

src/Tests/IntegrationTestsInternal/TestConnectionBehavior.cs

src/Tests/UnitTests/TestJwtUtils.cs

mtmk

LGTM

src/NATS.Client/Connection.cs

scottf · 2023-10-28T13:19:52Z

src/NATS.Client/Connection.cs

+                if (opts.TlsFirst)
+                {
+                    processExpectedInfo();
+                }


tls first, don't check/process the server info. checkForSecure used to be the last thing in processExpectedInfo. I moved it out so I could do it on either side. I supposed I could have done the change inside processExpectedInfo but this matches the java code

scottf · 2023-10-28T13:20:54Z

src/NATS.Client/Connection.cs

-                throw new NATSSecureConnWantedException();
-            }
-            else if (info.TlsRequired && !Opts.Secure)
+            if (!Opts.TlsFirst)


if tlsFirst, it will always be secure

scottf · 2023-10-28T13:21:33Z

src/NATS.Client/Connection.cs

-                Opts.Secure = true;
+                // Check to see if we need to engage TLS
+                // Check for mismatch in setups
+                if (Opts.Secure && !info.TlsRequired)


Opts.Secure now returns true if TlsFirst is set. This explains the 2 tests later on

scottf · 2023-10-28T13:22:02Z

src/NATS.Client/Connection.cs

@@ -1272,10 +1296,9 @@ private void checkForSecure(Srv s)
        // processExpectedInfo will look for the expected first INFO message
        // sent when a connection is established. The lock should be held entering.
        // Caller must lock.
-        private void processExpectedInfo(Srv s)
+        private void processExpectedInfo()


don't need the Srv parameter since that work is now done outside this function

scottf added 3 commits October 26, 2023 18:56

Reconnect On Connect and Auth Error Handling

180c53e

fixed api docs

d8cfdcb

fixed encoding test - remove unecessary

90b8440

scottf requested a review from mtmk October 27, 2023 15:36