Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't require TLS for in-process connection #4323

Merged
merged 3 commits into from Jul 20, 2023
Merged

Don't require TLS for in-process connection #4323

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ed9fafc
Don't require TLS for in-process connection
neilalexander Jul 19, 2023
7993547
Adjust in-process server info tls_required to tls_available
caleblloyd Jul 19, 2023
b7d6b7e
Add unit test to prove connection works
neilalexander Jul 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
22 changes: 19 additions & 3 deletions server/server.go
View file
Open in desktop
Expand Up @@ -2217,7 +2217,7 @@ func (s *Server) AcceptLoop(clr chan struct{}) {
func (s *Server) InProcessConn() (net.Conn, error) {
pl, pr := net.Pipe()
if !s.startGoRoutine(func() {
s.createClient(pl)
s.createClientInProcess(pl)
s.grWG.Done()
}) {
pl.Close()
Expand Down Expand Up @@ -2572,6 +2572,14 @@ func (c *tlsMixConn) Read(b []byte) (int, error) {
}

func (s *Server) createClient(conn net.Conn) *client {
return s.createClientEx(conn, false)
}

func (s *Server) createClientInProcess(conn net.Conn) *client {
return s.createClientEx(conn, true)
}

func (s *Server) createClientEx(conn net.Conn, inProcess bool) *client {
// Snapshot server options.
opts := s.getOpts()

Expand Down Expand Up @@ -2609,6 +2617,13 @@ func (s *Server) createClient(conn net.Conn) *client {
info.AuthRequired = false
}

// Check to see if this is an in-process connection with tls_required.
// If so, set as not required, but available.
if inProcess && info.TLSRequired {
info.TLSRequired = false
info.TLSAvailable = true
}

s.totalClients++
s.mu.Unlock()

Expand Down Expand Up @@ -2670,8 +2685,9 @@ func (s *Server) createClient(conn net.Conn) *client {

var pre []byte
// If we have both TLS and non-TLS allowed we need to see which
// one the client wants.
if !isClosed && opts.TLSConfig != nil && opts.AllowNonTLS {
// one the client wants. We'll always allow this for in-process
// connections.
if !isClosed && opts.TLSConfig != nil && (inProcess || opts.AllowNonTLS) {
pre = make([]byte, 4)
c.nc.SetReadDeadline(time.Now().Add(secondsToDuration(opts.TLSTimeout)))
n, _ := io.ReadFull(c.nc, pre[:])
Expand Down
20 changes: 20 additions & 0 deletions test/tls_test.go
View file
Open in desktop
Expand Up @@ -72,6 +72,26 @@ func TestTLSConnection(t *testing.T) {
}
}

// TestTLSInProcessConnection checks that even if TLS is enabled on the server,
// that an in-process connection that does *not* use TLS still connects successfully.
func TestTLSInProcessConnection(t *testing.T) {
srv, opts := RunServerWithConfig("./configs/tls.conf")
defer srv.Shutdown()

nc, err := nats.Connect("", nats.InProcessServer(srv), nats.UserInfo(opts.Username, opts.Password))
derekcollison marked this conversation as resolved.
Show resolved Hide resolved
if err != nil {
t.Fatal(err)
}

if nc.TLSRequired() {
t.Fatalf("Shouldn't have required TLS for in-process connection")
}

if _, err = nc.TLSConnectionState(); err == nil {
t.Fatal("Should have got an error retrieving TLS connection state")
}
}

func TestTLSClientCertificate(t *testing.T) {
srv, opts := RunServerWithConfig("./configs/tlsverify.conf")
defer srv.Shutdown()
Expand Down