search

nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0
15.97k stars 1.41k forks source link

Credential file with Windows style EOL chars not working #1280

Closed wutkemtt closed 4 years ago

wutkemtt commented 4 years ago

Defects

Credential file with Windows-style EOL chars (CRLF) can not be used for authentication against NATS server.

Versions of nats-server and affected client libraries used:

NATS-Server v2.1.0

OS/Container environment:

OS: Windows Server 2016

Steps or code to reproduce the issue:

Configure NATS to use credential files for authentication. Change EOL chars in credentials file to Windows-Style CRLF.

Expected result:

Authentication with credentials file succeeds.

Actual result:

No authentication possible, connection failed.

Workaround

Always check the credentials file has Unix-style EOL chars LF only.

ColinSullivan1 commented 4 years ago

FYI, I'm looking into this.

ColinSullivan1 commented 4 years ago

With a small test I was able to reproduce the issue.

func TestUserCredentialsChainedFileWithCRLF(t *testing.T) {
    if server.VERSION[0] == '1' {
        t.Skip()
    }
    ts := runTrustServer()
    defer ts.Shutdown()

    crlfFile := strings.Replace(chained, "\n", "\r\n", -1)
    chainedFile := createTmpFile(t, []byte(crlfFile))
    defer os.Remove(chainedFile)

    url := fmt.Sprintf("nats://127.0.0.1:%d", TEST_PORT)
    nc, err := Connect(url, UserCredentials(chainedFile))
    if err != nil {
        t.Fatalf("Expected to connect, got %v", err)
    }
    nc.Close()
}

The issue seems to stem from the regex here, so will look at the JWT package.

derekcollison commented 4 years ago

Maybe loop in @aricart

ColinSullivan1 commented 4 years ago

We're looking into this, and @aricart will be evaluating the code used to parse the file.

It looks like\n was replaced with \r\n somewhere outside of the NATS nsc tooling. @wutkemtt, Is there a place in your environment this could have happened?

Generally, we don't support direct modification of NATS generated credentials; they should be treated as binary files and only edited though nsc.

wutkemtt commented 4 years ago

Thank you for looking into this. We are using a server repo for the configuration and installation of our nats servers and clusters. Maybe this happened while checkin it in or out. Our desktops are running under Windows 10 and we are using a Gitlab repo.

aricart commented 4 years ago

@wutkemtt which client are you using to connect to the server?

While we have a fix for the JWT library, clients may parse the creds file directly and not use this library (thus the error may have to be corrected there as well). As a workaround, while we normalize this, just regenerate your credential files, and ensure that the line endings are not converted from UNIX.

wutkemtt commented 4 years ago

We are using .net and springboot java clients with the standard libraries nats.java and stan.java and the corresponding nuget packages for .net. Lately i discovered the issue when setting up a new nats server with a leafnode connection authenticated via credentials file. Perhaps due to repo checkins and checkouts the line endings of the credentials file got transformed, resulting in a leafnode connection error. The nats server was setup on Windows Server 2016.

derekcollison commented 4 years ago

Do we have this resolved?

derekcollison commented 4 years ago

Pinging this again for @aricart

aricart commented 4 years ago

@derekcollison This was resolved long ago: https://github.com/nats-io/jwt/pull/72