feat: support nats tls handshake first (#21008)

2025-04-24 04:10:43 -04:00 · 2025-04-22 23:12:26 +01:00 · 2025-04-22 23:12:26 +01:00 · 0d7408fc99
commit 0d7408fc99
parent 864f80e226
5 changed files with 109 additions and 61 deletions
--- a/internal/config/notify/legacy.go
+++ b/internal/config/notify/legacy.go
@ -482,6 +482,10 @@ func SetNotifyNATS(s config.Config, natsName string, cfg target.NATSArgs) error
 			Key:   target.NATSTLSSkipVerify,
 			Value: config.FormatBool(cfg.Secure),
 		},
+		config.KV{
+			Key:   target.NATSTLSHandshakeFirst,
+			Value: config.FormatBool(cfg.TLSHandshakeFirst),
+		},
 		config.KV{
 			Key:   target.NATSPingInterval,
 			Value: strconv.FormatInt(cfg.PingInterval, 10),
--- a/internal/config/notify/parse.go
+++ b/internal/config/notify/parse.go
@ -959,6 +959,11 @@ func GetNotifyNATS(natsKVS map[string]config.KVS, rootCAs *x509.CertPool) (map[s
 			tlsSkipVerifyEnv = tlsSkipVerifyEnv + config.Default + k
 		}

+		tlsHandshakeFirstEnv := target.EnvNatsTLSHandshakeFirst
+		if k != config.Default {
+			tlsHandshakeFirstEnv = tlsHandshakeFirstEnv + config.Default + k
+		}
+
 		subjectEnv := target.EnvNATSSubject
 		if k != config.Default {
 			subjectEnv = subjectEnv + config.Default + k
@ -1022,6 +1027,7 @@ func GetNotifyNATS(natsKVS map[string]config.KVS, rootCAs *x509.CertPool) (map[s
 			Token:             env.Get(tokenEnv, kv.Get(target.NATSToken)),
 			TLS:               env.Get(tlsEnv, kv.Get(target.NATSTLS)) == config.EnableOn,
 			TLSSkipVerify:     env.Get(tlsSkipVerifyEnv, kv.Get(target.NATSTLSSkipVerify)) == config.EnableOn,
+			TLSHandshakeFirst: env.Get(tlsHandshakeFirstEnv, kv.Get(target.NATSTLSHandshakeFirst)) == config.EnableOn,
 			PingInterval:      pingInterval,
 			QueueDir:          env.Get(queueDirEnv, kv.Get(target.NATSQueueDir)),
 			QueueLimit:        queueLimit,
--- a/internal/event/target/nats.go
+++ b/internal/event/target/nats.go
@ -47,6 +47,7 @@ const (
 	NATSToken             = "token"
 	NATSTLS               = "tls"
 	NATSTLSSkipVerify     = "tls_skip_verify"
+	NATSTLSHandshakeFirst = "tls_handshake_first"
 	NATSPingInterval      = "ping_interval"
 	NATSQueueDir          = "queue_dir"
 	NATSQueueLimit        = "queue_limit"
@ -72,6 +73,7 @@ const (
 	EnvNATSToken             = "MINIO_NOTIFY_NATS_TOKEN"
 	EnvNATSTLS               = "MINIO_NOTIFY_NATS_TLS"
 	EnvNATSTLSSkipVerify     = "MINIO_NOTIFY_NATS_TLS_SKIP_VERIFY"
+	EnvNatsTLSHandshakeFirst = "MINIO_NOTIFY_NATS_TLS_HANDSHAKE_FIRST"
 	EnvNATSPingInterval      = "MINIO_NOTIFY_NATS_PING_INTERVAL"
 	EnvNATSQueueDir          = "MINIO_NOTIFY_NATS_QUEUE_DIR"
 	EnvNATSQueueLimit        = "MINIO_NOTIFY_NATS_QUEUE_LIMIT"
@ -100,6 +102,7 @@ type NATSArgs struct {
 	Token             string    `json:"token"`
 	TLS               bool      `json:"tls"`
 	TLSSkipVerify     bool      `json:"tlsSkipVerify"`
+	TLSHandshakeFirst bool      `json:"tlsHandshakeFirst"`
 	Secure            bool      `json:"secure"`
 	CertAuthority     string    `json:"certAuthority"`
 	ClientCert        string    `json:"clientCert"`
@ -180,6 +183,9 @@ func (n NATSArgs) connectNats() (*nats.Conn, error) {
 	} else if n.TLS {
 		connOpts = append(connOpts, nats.Secure(&tls.Config{RootCAs: n.RootCAs}))
 	}
+	if n.TLSHandshakeFirst {
+		connOpts = append(connOpts, nats.TLSHandshakeFirst())
+	}
 	if n.CertAuthority != "" {
 		connOpts = append(connOpts, nats.RootCAs(n.CertAuthority))
 	}
--- a/internal/event/target/nats_tls_contrib_test.go
+++ b/internal/event/target/nats_tls_contrib_test.go
@ -48,6 +48,30 @@ func TestNatsConnTLSCustomCA(t *testing.T) {
 	defer con.Close()
 }

+func TestNatsConnTLSCustomCAHandshakeFirst(t *testing.T) {
+	s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "contrib", "nats_tls_handshake_first.conf"))
+	defer s.Shutdown()
+
+	clientConfig := &NATSArgs{
+		Enable: true,
+		Address: xnet.Host{
+			Name:      "localhost",
+			Port:      (xnet.Port(opts.Port)),
+			IsPortSet: true,
+		},
+		Subject:           "test",
+		Secure:            true,
+		CertAuthority:     path.Join("testdata", "contrib", "certs", "root_ca_cert.pem"),
+		TLSHandshakeFirst: true,
+	}
+
+	con, err := clientConfig.connectNats()
+	if err != nil {
+		t.Errorf("Could not connect to nats: %v", err)
+	}
+	defer con.Close()
+}
+
 func TestNatsConnTLSClientAuthorization(t *testing.T) {
 	s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "contrib", "nats_tls_client_cert.conf"))
 	defer s.Shutdown()
--- a/internal/event/target/testdata/contrib/nats_tls_handshake_first.conf
+++ b/internal/event/target/testdata/contrib/nats_tls_handshake_first.conf
@ -0,0 +1,8 @@
+port: 14227
+net: localhost
+
+tls {
+    cert_file:  "./testdata/contrib/certs/nats_server_cert.pem"
+    key_file:   "./testdata/contrib/certs/nats_server_key.pem"
+    handshake_first: true
+}