From c9be60198883fbb5270032cf8e05daeb2d9a684f Mon Sep 17 00:00:00 2001 From: svistoi <47987757+svistoi@users.noreply.github.com> Date: Fri, 15 Nov 2019 12:13:23 -0500 Subject: [PATCH] NATS TLS specify CA and client TLS authentication (#8389) - added ability to specify CA for self-signed certificates - added option to authenticate using client certificates - added unit tests for nats connections --- cmd/config/notify/help.go | 3 + cmd/config/notify/legacy.go | 25 ++-- cmd/config/notify/parse.go | 41 ++++-- pkg/event/target/nats.go | 97 +++++++----- pkg/event/target/nats_test.go | 138 ++++++++++++++++++ .../testdata/certs/nats_client_cert.pem | 19 +++ .../target/testdata/certs/nats_client_key.pem | 27 ++++ .../testdata/certs/nats_server_cert.pem | 19 +++ .../target/testdata/certs/nats_server_key.pem | 27 ++++ .../target/testdata/certs/root_ca_cert.pem | 21 +++ .../target/testdata/certs/root_ca_key.pem | 27 ++++ pkg/event/target/testdata/nats_tls.conf | 7 + .../target/testdata/nats_tls_client_cert.conf | 18 +++ 13 files changed, 411 insertions(+), 58 deletions(-) create mode 100644 pkg/event/target/nats_test.go create mode 100644 pkg/event/target/testdata/certs/nats_client_cert.pem create mode 100644 pkg/event/target/testdata/certs/nats_client_key.pem create mode 100644 pkg/event/target/testdata/certs/nats_server_cert.pem create mode 100644 pkg/event/target/testdata/certs/nats_server_key.pem create mode 100644 pkg/event/target/testdata/certs/root_ca_cert.pem create mode 100644 pkg/event/target/testdata/certs/root_ca_key.pem create mode 100644 pkg/event/target/testdata/nats_tls.conf create mode 100644 pkg/event/target/testdata/nats_tls_client_cert.conf diff --git a/cmd/config/notify/help.go b/cmd/config/notify/help.go index 1eafee25f..7f8546130 100644 --- a/cmd/config/notify/help.go +++ b/cmd/config/notify/help.go @@ -145,6 +145,9 @@ var ( target.NATSStreamingClusterID: "Unique ID for the NATS streaming cluster", target.NATSQueueLimit: "Enable persistent event store queue limit, defaults to '10000'", target.NATSQueueDir: "Local directory where events are stored eg: '/home/events'", + target.NATSCertAuthority: "Certificate chain of the target NATS server if self signed certs were used", + target.NATSClientCert: "TLS Cert used to authenticate against NATS configured to require client certificates", + target.NATSClientKey: "TLS Key used to authenticate against NATS configured to require client certificates", } HelpNSQ = config.HelpKV{ diff --git a/cmd/config/notify/legacy.go b/cmd/config/notify/legacy.go index d7b433f63..a12ef9326 100644 --- a/cmd/config/notify/legacy.go +++ b/cmd/config/notify/legacy.go @@ -204,17 +204,20 @@ func SetNotifyNATS(s config.Config, natsName string, cfg target.NATSArgs) error } s[config.NotifyNATSSubSys][natsName] = config.KVS{ - config.State: config.StateOn, - config.Comment: "Settings for NATS notification, after migrating config", - target.NATSAddress: cfg.Address.String(), - target.NATSSubject: cfg.Subject, - target.NATSUsername: cfg.Username, - target.NATSPassword: cfg.Password, - target.NATSToken: cfg.Token, - target.NATSSecure: config.FormatBool(cfg.Secure), - target.NATSPingInterval: strconv.FormatInt(cfg.PingInterval, 10), - target.NATSQueueDir: cfg.QueueDir, - target.NATSQueueLimit: strconv.Itoa(int(cfg.QueueLimit)), + config.State: config.StateOn, + config.Comment: "Settings for NATS notification, after migrating config", + target.NATSAddress: cfg.Address.String(), + target.NATSSubject: cfg.Subject, + target.NATSUsername: cfg.Username, + target.NATSPassword: cfg.Password, + target.NATSToken: cfg.Token, + target.NATSCertAuthority: cfg.CertAuthority, + target.NATSClientCert: cfg.ClientCert, + target.NATSClientKey: cfg.ClientKey, + target.NATSSecure: config.FormatBool(cfg.Secure), + target.NATSPingInterval: strconv.FormatInt(cfg.PingInterval, 10), + target.NATSQueueDir: cfg.QueueDir, + target.NATSQueueLimit: strconv.Itoa(int(cfg.QueueLimit)), target.NATSStreaming: func() string { if cfg.Streaming.Enable { return config.StateOn diff --git a/cmd/config/notify/parse.go b/cmd/config/notify/parse.go index d4a7ddc0a..fa7e9b266 100644 --- a/cmd/config/notify/parse.go +++ b/cmd/config/notify/parse.go @@ -707,6 +707,9 @@ var ( target.NATSUsername: "", target.NATSPassword: "", target.NATSToken: "", + target.NATSCertAuthority: "", + target.NATSClientCert: "", + target.NATSClientKey: "", target.NATSSecure: config.StateOff, target.NATSPingInterval: "0", target.NATSQueueLimit: "0", @@ -795,17 +798,35 @@ func GetNotifyNATS(natsKVS map[string]config.KVS) (map[string]target.NATSArgs, e queueDirEnv = queueDirEnv + config.Default + k } + certAuthorityEnv := target.EnvNATSCertAuthority + if k != config.Default { + certAuthorityEnv = certAuthorityEnv + config.Default + k + } + + clientCertEnv := target.EnvNATSClientCert + if k != config.Default { + clientCertEnv = clientCertEnv + config.Default + k + } + + clientKeyEnv := target.EnvNATSClientKey + if k != config.Default { + clientKeyEnv = clientKeyEnv + config.Default + k + } + natsArgs := target.NATSArgs{ - Enable: true, - Address: *address, - Subject: env.Get(subjectEnv, kv.Get(target.NATSSubject)), - Username: env.Get(usernameEnv, kv.Get(target.NATSUsername)), - Password: env.Get(passwordEnv, kv.Get(target.NATSPassword)), - Token: env.Get(tokenEnv, kv.Get(target.NATSToken)), - Secure: env.Get(secureEnv, kv.Get(target.NATSSecure)) == config.StateOn, - PingInterval: pingInterval, - QueueDir: env.Get(queueDirEnv, kv.Get(target.NATSQueueDir)), - QueueLimit: queueLimit, + Enable: true, + Address: *address, + Subject: env.Get(subjectEnv, kv.Get(target.NATSSubject)), + Username: env.Get(usernameEnv, kv.Get(target.NATSUsername)), + Password: env.Get(passwordEnv, kv.Get(target.NATSPassword)), + CertAuthority: env.Get(certAuthorityEnv, kv.Get(target.NATSCertAuthority)), + ClientCert: env.Get(clientCertEnv, kv.Get(target.NATSClientCert)), + ClientKey: env.Get(clientKeyEnv, kv.Get(target.NATSClientKey)), + Token: env.Get(tokenEnv, kv.Get(target.NATSToken)), + Secure: env.Get(secureEnv, kv.Get(target.NATSSecure)) == config.StateOn, + PingInterval: pingInterval, + QueueDir: env.Get(queueDirEnv, kv.Get(target.NATSQueueDir)), + QueueLimit: queueLimit, } streamingEnableEnv := target.EnvNATSStreaming diff --git a/pkg/event/target/nats.go b/pkg/event/target/nats.go index 7cf26fe0f..4a0c7d273 100644 --- a/pkg/event/target/nats.go +++ b/pkg/event/target/nats.go @@ -32,15 +32,18 @@ import ( // NATS related constants const ( - NATSAddress = "address" - NATSSubject = "subject" - NATSUsername = "username" - NATSPassword = "password" - NATSToken = "token" - NATSSecure = "secure" - NATSPingInterval = "ping_interval" - NATSQueueDir = "queue_dir" - NATSQueueLimit = "queue_limit" + NATSAddress = "address" + NATSSubject = "subject" + NATSUsername = "username" + NATSPassword = "password" + NATSToken = "token" + NATSSecure = "secure" + NATSPingInterval = "ping_interval" + NATSQueueDir = "queue_dir" + NATSQueueLimit = "queue_limit" + NATSCertAuthority = "cert_authority" + NATSClientCert = "client_cert" + NATSClientKey = "client_key" // Streaming constants NATSStreaming = "streaming" @@ -48,16 +51,19 @@ const ( NATSStreamingAsync = "streaming_async" NATSStreamingMaxPubAcksInFlight = "streaming_max_pub_acks_in_flight" - EnvNATSState = "MINIO_NOTIFY_NATS_STATE" - EnvNATSAddress = "MINIO_NOTIFY_NATS_ADDRESS" - EnvNATSSubject = "MINIO_NOTIFY_NATS_SUBJECT" - EnvNATSUsername = "MINIO_NOTIFY_NATS_USERNAME" - EnvNATSPassword = "MINIO_NOTIFY_NATS_PASSWORD" - EnvNATSToken = "MINIO_NOTIFY_NATS_TOKEN" - EnvNATSSecure = "MINIO_NOTIFY_NATS_SECURE" - EnvNATSPingInterval = "MINIO_NOTIFY_NATS_PING_INTERVAL" - EnvNATSQueueDir = "MINIO_NOTIFY_NATS_QUEUE_DIR" - EnvNATSQueueLimit = "MINIO_NOTIFY_NATS_QUEUE_LIMIT" + EnvNATSState = "MINIO_NOTIFY_NATS_STATE" + EnvNATSAddress = "MINIO_NOTIFY_NATS_ADDRESS" + EnvNATSSubject = "MINIO_NOTIFY_NATS_SUBJECT" + EnvNATSUsername = "MINIO_NOTIFY_NATS_USERNAME" + EnvNATSPassword = "MINIO_NOTIFY_NATS_PASSWORD" + EnvNATSToken = "MINIO_NOTIFY_NATS_TOKEN" + EnvNATSSecure = "MINIO_NOTIFY_NATS_SECURE" + EnvNATSPingInterval = "MINIO_NOTIFY_NATS_PING_INTERVAL" + EnvNATSQueueDir = "MINIO_NOTIFY_NATS_QUEUE_DIR" + EnvNATSQueueLimit = "MINIO_NOTIFY_NATS_QUEUE_LIMIT" + EnvNATSCertAuthority = "MINIO_NOTIFY_NATS_CERT_AUTHORITY" + EnvNATSClientCert = "MINIO_NOTIFY_NATS_CLIENT_CERT" + EnvNATSClientKey = "MINIO_NOTIFY_NATS_CLIENT_KEY" // Streaming constants EnvNATSStreaming = "MINIO_NOTIFY_NATS_STREAMING" @@ -68,17 +74,20 @@ const ( // NATSArgs - NATS target arguments. type NATSArgs struct { - Enable bool `json:"enable"` - Address xnet.Host `json:"address"` - Subject string `json:"subject"` - Username string `json:"username"` - Password string `json:"password"` - Token string `json:"token"` - Secure bool `json:"secure"` - PingInterval int64 `json:"pingInterval"` - QueueDir string `json:"queueDir"` - QueueLimit uint64 `json:"queueLimit"` - Streaming struct { + Enable bool `json:"enable"` + Address xnet.Host `json:"address"` + Subject string `json:"subject"` + Username string `json:"username"` + Password string `json:"password"` + Token string `json:"token"` + Secure bool `json:"secure"` + CertAuthority string `json:"certAuthority"` + ClientCert string `json:"clientCert"` + ClientKey string `json:"clientKey"` + PingInterval int64 `json:"pingInterval"` + QueueDir string `json:"queueDir"` + QueueLimit uint64 `json:"queueLimit"` + Streaming struct { Enable bool `json:"enable"` ClusterID string `json:"clusterID"` Async bool `json:"async"` @@ -100,6 +109,10 @@ func (n NATSArgs) Validate() error { return errors.New("empty subject") } + if n.ClientCert != "" && n.ClientKey == "" || n.ClientCert == "" && n.ClientKey != "" { + return errors.New("cert and key must be specified as a pair") + } + if n.Streaming.Enable { if n.Streaming.ClusterID == "" { return errors.New("empty cluster id") @@ -120,13 +133,23 @@ func (n NATSArgs) Validate() error { // To obtain a nats connection from args. func (n NATSArgs) connectNats() (*nats.Conn, error) { - options := nats.DefaultOptions - options.Url = "nats://" + n.Address.String() - options.User = n.Username - options.Password = n.Password - options.Token = n.Token - options.Secure = n.Secure - return options.Connect() + connOpts := []nats.Option{nats.Name("Minio Notification")} + if n.Username != "" && n.Password != "" { + connOpts = append(connOpts, nats.UserInfo(n.Username, n.Password)) + } + if n.Token != "" { + connOpts = append(connOpts, nats.Token(n.Token)) + } + if n.Secure { + connOpts = append(connOpts, nats.Secure(nil)) + } + if n.CertAuthority != "" { + connOpts = append(connOpts, nats.RootCAs(n.CertAuthority)) + } + if n.ClientCert != "" && n.ClientKey != "" { + connOpts = append(connOpts, nats.ClientCert(n.ClientCert, n.ClientKey)) + } + return nats.Connect(n.Address.String(), connOpts...) } // To obtain a streaming connection from args. diff --git a/pkg/event/target/nats_test.go b/pkg/event/target/nats_test.go new file mode 100644 index 000000000..c75cf615b --- /dev/null +++ b/pkg/event/target/nats_test.go @@ -0,0 +1,138 @@ +/* + * MinIO Cloud Storage, (C) 2019 MinIO, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package target + +import ( + "path" + "path/filepath" + "testing" + + xnet "github.com/minio/minio/pkg/net" + natsserver "github.com/nats-io/nats-server/v2/test" +) + +func TestNatsConnPlain(t *testing.T) { + opts := natsserver.DefaultTestOptions + opts.Port = 14222 + s := natsserver.RunServer(&opts) + defer s.Shutdown() + + clientConfig := &NATSArgs{ + Enable: true, + Address: xnet.Host{Name: "localhost", + Port: (xnet.Port(opts.Port)), + IsPortSet: true}, + Subject: "test", + } + con, err := clientConfig.connectNats() + if err != nil { + t.Errorf("Could not connect to nats: %v", err) + } + defer con.Close() +} + +func TestNatsConnUserPass(t *testing.T) { + opts := natsserver.DefaultTestOptions + opts.Port = 14223 + opts.Username = "testminio" + opts.Password = "miniotest" + s := natsserver.RunServer(&opts) + defer s.Shutdown() + + clientConfig := &NATSArgs{ + Enable: true, + Address: xnet.Host{Name: "localhost", + Port: (xnet.Port(opts.Port)), + IsPortSet: true}, + Subject: "test", + Username: opts.Username, + Password: opts.Password, + } + + con, err := clientConfig.connectNats() + if err != nil { + t.Errorf("Could not connect to nats: %v", err) + } + defer con.Close() +} + +func TestNatsConnToken(t *testing.T) { + opts := natsserver.DefaultTestOptions + opts.Port = 14223 + opts.Authorization = "s3cr3t" + s := natsserver.RunServer(&opts) + defer s.Shutdown() + + clientConfig := &NATSArgs{ + Enable: true, + Address: xnet.Host{Name: "localhost", + Port: (xnet.Port(opts.Port)), + IsPortSet: true}, + Subject: "test", + Token: opts.Authorization, + } + + con, err := clientConfig.connectNats() + if err != nil { + t.Errorf("Could not connect to nats: %v", err) + } + defer con.Close() +} + +func TestNatsConnTLSCustomCA(t *testing.T) { + s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls.conf")) + defer s.Shutdown() + + clientConfig := &NATSArgs{ + Enable: true, + Address: xnet.Host{Name: "localhost", + Port: (xnet.Port(opts.Port)), + IsPortSet: true}, + Subject: "test", + Secure: true, + CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"), + } + + con, err := clientConfig.connectNats() + if err != nil { + t.Errorf("Could not connect to nats: %v", err) + } + defer con.Close() +} + +func TestNatsConnTLSClientAuthorization(t *testing.T) { + s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls_client_cert.conf")) + defer s.Shutdown() + + clientConfig := &NATSArgs{ + Enable: true, + Address: xnet.Host{Name: "localhost", + Port: (xnet.Port(opts.Port)), + IsPortSet: true}, + Subject: "test", + Secure: true, + CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"), + ClientCert: path.Join("testdata", "certs", "nats_client_cert.pem"), + ClientKey: path.Join("testdata", "certs", "nats_client_key.pem"), + } + + con, err := clientConfig.connectNats() + if err != nil { + t.Errorf("Could not connect to nats: %v", err) + } + defer con.Close() +} diff --git a/pkg/event/target/testdata/certs/nats_client_cert.pem b/pkg/event/target/testdata/certs/nats_client_cert.pem new file mode 100644 index 000000000..e3efc2566 --- /dev/null +++ b/pkg/event/target/testdata/certs/nats_client_cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFTCCAf0CFHzIPe2CTpos6fYYVcZD4xAMYD0FMA0GCSqGSIb3DQEBCwUAMEox +CzAJBgNVBAYTAkNBMRMwEQYDVQQIDApTb21lLVN0YXRlMQ4wDAYDVQQKDAVNaW5p +bzEWMBQGA1UECwwNTWluaW8gUm9vdCBDQTAgFw0xOTEwMTEyMDE4NTJaGA8yMTE5 +MDkxNzIwMTg1MlowQjELMAkGA1UEBhMCQ0ExDjAMBgNVBAoMBU1pbmlvMQ8wDQYD +VQQLDAZDbGllbnQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANsLgS7C0BDsfhWQVyuFGrpl9IWGyAQvSECzepdvxcUz +CJ5QTSjtMq+2XbkozsmJ0WKtXY+c2vYuNMcthfNzLmn8KMxDoCqMwLXNMO8lLuF5 +94pH0DmTvEngjEDIOPM9aNbfmLU9Lbeiplkjt0izYObg+MzsTS0lIR2yKtSoVFOV +zzSGRvMfUO/rOlRgBio9Hhx8fL0cckr7SzwJcYtttr+1cySNkGVI8/E5Pe0T3fVW +7kiCHtUbbST0sQWorDDMkwTYyd2TvB8B8BzfSRNUavnb37bp8woqJottYXXEcLff +HL7kOhnmqvOSLSnG9ynF+WlE7ZykHw+VsIrRsl/5NwkCAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEASfRN6esWr68ieeODFuiyhMaZ3kHKWiyvT3MDrFPcBgTIbi4CvFmb ++ynT7aDKxBpO8Ttl208QyLZxn9YeiFCZVVy8+o1JaQd30cjewX6A9dCd16yi3lva +tbVLVl+pJqKwr/wdEwrJ23bUYpFNrex38dxaRUOQ4Zaj6QzCXvB+IR/RvYZ2U23o +pW0BEYdi+V3M0tuAvmX4NOrLvGUF1D93WRQuiueaMF8yNhiwuT/eCcpct3FLqacC ++NvdK0aiBdUgDvdA7OroXy0Ow768wHpLvfsxqepiXXK/9748hMQxgeaUzDE6SRFF +FqgnBuFgIu4MH7ki1EnH+KekFepsPF7BIA== +-----END CERTIFICATE----- diff --git a/pkg/event/target/testdata/certs/nats_client_key.pem b/pkg/event/target/testdata/certs/nats_client_key.pem new file mode 100644 index 000000000..1ce7a4251 --- /dev/null +++ b/pkg/event/target/testdata/certs/nats_client_key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEA2wuBLsLQEOx+FZBXK4UaumX0hYbIBC9IQLN6l2/FxTMInlBN +KO0yr7ZduSjOyYnRYq1dj5za9i40xy2F83MuafwozEOgKozAtc0w7yUu4Xn3ikfQ +OZO8SeCMQMg48z1o1t+YtT0tt6KmWSO3SLNg5uD4zOxNLSUhHbIq1KhUU5XPNIZG +8x9Q7+s6VGAGKj0eHHx8vRxySvtLPAlxi222v7VzJI2QZUjz8Tk97RPd9VbuSIIe +1RttJPSxBaisMMyTBNjJ3ZO8HwHwHN9JE1Rq+dvftunzCiomi21hdcRwt98cvuQ6 +Geaq85ItKcb3KcX5aUTtnKQfD5WwitGyX/k3CQIDAQABAoIBACrO7Mg+unsUPO/p +7Z9LvBWBp3ARDzYCJ5S9fs/pwDTx7FVETFAbSzSb52UwXHl2vb0TNJ3EgeZq0VW7 +x9n0QLXl2fNRpBOsvlzJZS7XjXnzZDVaI4+dF8c4YzCl8LtY3QxhVm7VLgIdf3Uc +Tc2fgOiePwGNjOetwfMTxtsYqqJK4Ang/nop6WIZtJxlq/H4D/OueDScv8yM96WP +Lb+5YMrlTtA79TTn44hdd/IVJBV74UK335bWaV2gqop/r/kymYcmIS6eQ8Fx8Au8 +FhqjL38r6H5mnyH/euBJDf+B9aPej44m093j/gy8C6PFdVHXOw4h3su+RJkV7J+x +JzSCYiECgYEA/0e1h7XVHVjRI/hzlpZlHomw4SYXc1R5DBljsD+0baNWdgwShdiA +qZyhVl1/WJEK6r+tT/a0rGcIz1CkjPvjOf66+FVwukqp4UDdeZA28CC6GvbAlBW7 +Gz3wWjbC3quR8OCcGbNrRIUegeN3KxIpyzTXKv2PRUnkkj2z2+clf1sCgYEA26mj +AiynCFZH2DIk36y1Qvn2Yh/LgO+JrZNmh0YlDENstLXEU5tkLyRxhbYDsDFKHr7a +1pHZZa2SLKMQEKNZ3OgP5osvl4BxSt5SrusGQHACb1FeWN3BdIWI5S0ZIgBih46G +IKA1ce4CnLo3oWm1L9tEFnTtMEqEtkECMnYTtGsCgYAsDgYH65thuygsmv3nqQC+ +ami6EkbNwnA5ZFBN5FCQ8zVCnga8Toa1vrAhJXWKpU1LAdU5DYxUjFt626HqKrYm +Fg3SOXyAyc3Tb8xI5Fh2zE8RxC+r3qwxoVjPWM/8eYNwHHMUBGCorIh9RfIU3seT +qATSCHwnKv9lNXzKoHNaLQKBgGURdkkn1mrFmCTnXYP06Sm57R1U18Opc0WEDqar +JZyw4TF8eKqnUr9GG12UU7ob06i10+bqEIbyB9G17UxafJxhwf8nh2xD0tzJ0m1d +AfFgGB6z558n2T0Nu+EGkQvN9Ye9kgUs8apMArOuEq6X/p/YWUmj3wZbIxjgbGxf +W82lAoGATTwJCXE6y+D5Vc5I9BTPgJd6Wg/6n+BAmadt3lG/VbPxndQBudCNii0Z +C7uyMrbK0RVY+DZAFuZWLskIoU+t82HgIsQNAH5KPz27PCWq+DznrARp+maKXj5f +f5Vsvz6KBzM8Lnts3m20AYcRP4meBa6HNHLnYGedTbRLKYobOgg= +-----END RSA PRIVATE KEY----- diff --git a/pkg/event/target/testdata/certs/nats_server_cert.pem b/pkg/event/target/testdata/certs/nats_server_cert.pem new file mode 100644 index 000000000..43d9ecc57 --- /dev/null +++ b/pkg/event/target/testdata/certs/nats_server_cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFTCCAf0CFHzIPe2CTpos6fYYVcZD4xAMYD0EMA0GCSqGSIb3DQEBCwUAMEox +CzAJBgNVBAYTAkNBMRMwEQYDVQQIDApTb21lLVN0YXRlMQ4wDAYDVQQKDAVNaW5p +bzEWMBQGA1UECwwNTWluaW8gUm9vdCBDQTAgFw0xOTEwMTEyMDE1NTRaGA8yMTE5 +MDkxNzIwMTU1NFowQjELMAkGA1UEBhMCQ0ExDjAMBgNVBAoMBU1pbmlvMQ8wDQYD +VQQLDAZTZXJ2ZXIxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMxbKHUPlW4wIX0G45jRG84o5viXtu7E044QpTGwDS+u +KCG3w4pWUwnor/uCjkzKSmg+6Sx/889de7QySPwt4TA+F7qy7TrUnIUiaVFcPmeQ +YsI68JM857nk4ScxK4C4NzJ78DlQreyPwIMx4rAGfEZpdQbAE0LWyOJ9rfMK1uF/ +PFdyNKOUw/fy5iA/DOUeoUqFATIjj5KUWojnt9QZ+M1pGbQsLWc7fzDuavVrAvR7 +wt386bayzLftzHr6rLWWzPoA70ltzvu6JxKU5xZSY5nA2Pip+le6q997+Sm5Dt5L +VZuSTzjKVNDV9l329eZJnozROdlSURVvg6fK5J8vUIsCAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEAg6kLnBrjT4agClF94Rc2y6fOTWWzz7C4Ao6iQp3Tcr/YraY7FEEM +kkZT0osn1JSvut9f2gy2py3+FLAk4OdAt9NBIpjIMDmbIyiQYw+2w3IHJYwdHBXj +HapyjU2zFQvD6PNUUV4YukR28MmMk0UEizXxkEDm+Qf5t4Bpnv7tFiysMWmA6cCJ +1fvGOtCPazi0hZc0VkfTnl5OY/Msi+sYCh4gnCqYWICszMm37QKOJrJbY8mTSzAk +p/0dxAUDDKTuf+UPDqJ2I6o9/XEEwmPGOFovoS9iQhdyWWonRDL3+gCeE2cxEeu5 +QEOwxMQz08XRSsgxag9R3tcywXbaamgQYw== +-----END CERTIFICATE----- diff --git a/pkg/event/target/testdata/certs/nats_server_key.pem b/pkg/event/target/testdata/certs/nats_server_key.pem new file mode 100644 index 000000000..815690c26 --- /dev/null +++ b/pkg/event/target/testdata/certs/nats_server_key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAzFsodQ+VbjAhfQbjmNEbzijm+Je27sTTjhClMbANL64oIbfD +ilZTCeiv+4KOTMpKaD7pLH/zz117tDJI/C3hMD4XurLtOtSchSJpUVw+Z5Biwjrw +kzznueThJzErgLg3MnvwOVCt7I/AgzHisAZ8Rml1BsATQtbI4n2t8wrW4X88V3I0 +o5TD9/LmID8M5R6hSoUBMiOPkpRaiOe31Bn4zWkZtCwtZzt/MO5q9WsC9HvC3fzp +trLMt+3MevqstZbM+gDvSW3O+7onEpTnFlJjmcDY+Kn6V7qr33v5KbkO3ktVm5JP +OMpU0NX2Xfb15kmejNE52VJRFW+Dp8rkny9QiwIDAQABAoIBABPVsTqTdaSJRWbW +OVcGzNUYwTpVt2q7bfE3CmGlPdJn6/tB09fkgxDOJe6agGdRpyExIf6wuKBi6XPX +AaCAb3/4NuNnJIF2S27cpS5BbsksiXlisSEJY1B2t6fPLPLEbo8W2n0lqIvyc/QH +7oG5T2yiJbqu/++X202ody7E2ZBvVXgwjBJuzxeQ9PPiPyjH2lAgciA0HtmXiHSj +pIz6V6XmN5CkyawvExA3F1wxIxf2CNRHLpls/DFGkVIz6pUlleKe7fBKVqeLuwnd +Lnjt9lrCrEozXcwUQnw5KVccB2+0xU8pIl78tPf9EHOHf5Bx1WCFl/YL5qEmfSsL +x3WM/WkCgYEA+7wdzK2M3LSJ6tat+eM9DT8bqSFhFAA41Jv1UdhTJZb8AKPs+6wX +13rUcjTnSI75KqApGaIbe3dF7640VmD9eyLNkc2SHr/yNPKV96sEiWk7TVgIWa0J +vBqPB9UWrkzqBov5VJEpeKlKuCCZGOxN7nkMtH93XmX9Nm3BxmMCQ8cCgYEAz9GK +FS1pwjj8DpyLW5GEFbcwGugkb/4ebc/OK4W93YvAYwoyJF7oSI9WzKG/R5Ko/0G7 +ESHt0d2pfRDR5XCkoJee4MFFIheLeVM4HDUoIY42I7gl/op+H9fGSNplBYDpVk7O +FNl9NFgUDytMbuh14SmAU3Yc7EjGruFgoZUPRR0CgYEAimwNos/HxlDMCcMUlXT7 +zD3oct7056+bkGVVxzSBvAjC94MsO9OMpKNZEJfAmehsYKEDGKJIJGMYpMwQ4XKh +z8T6bvMwJxJ7F9xQ1IhIjVq9DjGbHdyFntan0bG9sAiBIypy5qqPuFa2zHq4VLkT +vU74yoPQ2qqQSw6dX/5vb18CgYEAnLlZeT8WUvLGo/5K2nOTOQ09qg0H7a2nJQli +YlAqL7oFDKvTxLoOUypGO2x/5GomKNpZSUJdJ7gS6c6VfILGpJWzq6wVhvBartSj +rCIqcaPeEHH/tUacd0cysh6BsPTXA8/Kes7KLX9/ITF2Iu4MeBHkRQz+IvN/YsN1 +LGZNbcECgYAqWDnPa2GwFOgTrVwB1AfsCD1PVhSM+AnWnL7avHwD6WIDKB5qb9Ip +cF83o5bhLrLYVlpZNI1ESKgONyWlYOssBNb0KP51kgkBbtr+5qcCFoKzf5inyve2 +MTE1g+maOLtfRaVrlsGcirWSZdIk8dQmDX8nNM+Rg5hahF2l0/zopg== +-----END RSA PRIVATE KEY----- diff --git a/pkg/event/target/testdata/certs/root_ca_cert.pem b/pkg/event/target/testdata/certs/root_ca_cert.pem new file mode 100644 index 000000000..c8d61dd1b --- /dev/null +++ b/pkg/event/target/testdata/certs/root_ca_cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIUTuCjkiDWaSa3X747ybs/SnZ6aHQwDQYJKoZIhvcNAQEL +BQAwSjELMAkGA1UEBhMCQ0ExEzARBgNVBAgMClNvbWUtU3RhdGUxDjAMBgNVBAoM +BU1pbmlvMRYwFAYDVQQLDA1NaW5pbyBSb290IENBMCAXDTE5MTAxMTE5NTIxOFoY +DzIxMTkwOTE3MTk1MjE4WjBKMQswCQYDVQQGEwJDQTETMBEGA1UECAwKU29tZS1T +dGF0ZTEOMAwGA1UECgwFTWluaW8xFjAUBgNVBAsMDU1pbmlvIFJvb3QgQ0EwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDAOyo76TMpltNUXiRAGaxaVMG +E2cf/JudJ+2ve7lxXo1Zz9PaJUOa5wl2b5ebwhXYP7lxdRRz488TfM4YmAm1fkgS +fhBHP337aeUCeW4mybv7P0jBDHYasiDy92YqX5tv2zPifRaoQ/jkUmEyY29VdTQq +LyuUCo4hmY3tO5daXN+x9DdnZj8VDkC235UpEe9vgvtY62m7w+guV/XdwKBvQKpa +248qaqUxvJ8l9sXCnLjNMWwm/6ZpPPcQvYW95P2bhwGH8KrdKeSutW8vVeUa2DN+ +E7QsEopVvg48t/dSVol9xXVQ2QMlNYBsrPQS04GX3aakVREI0r/krRl11Kf7AgMB +AAGjUzBRMB0GA1UdDgQWBBQtvCicVaNfZaLEXW7sgZYlTyjuuzAfBgNVHSMEGDAW +gBQtvCicVaNfZaLEXW7sgZYlTyjuuzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQC9LflSKc6l8j280aTQyjjTdMysmKqb8Rs7dtSSaFXQK9nuzOhD +FGtahhsJFv/GnUu0weZoEMYySeNzaUoW0ICc3+iI2KMWcUlF/K3/P47tYrVMGJKW +YbuUS7lTxtra9xbFhxGCF8NwM6JG9TrP7JT9b/tn2Xb+UNsxWTH8pf1plusiOvQl +2JFc+BJzhooLP9sK0YGrb7i3CdQj5QcZjxVCDKAuosvMY/shoW4aEIEECSEtJ9mY +Rrfft0bOQ7ZKhDgu2ou+lyeyyWFS/19wr5LMvy+lUYG9H100peCpv5tHdGUF1lLR +m4g6eQK57EI6BoPpNomYtXkoRKP9MXiZ7InC +-----END CERTIFICATE----- diff --git a/pkg/event/target/testdata/certs/root_ca_key.pem b/pkg/event/target/testdata/certs/root_ca_key.pem new file mode 100644 index 000000000..a3fa97842 --- /dev/null +++ b/pkg/event/target/testdata/certs/root_ca_key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwwDsqO+kzKZbTVF4kQBmsWlTBhNnH/ybnSftr3u5cV6NWc/T +2iVDmucJdm+Xm8IV2D+5cXUUc+PPE3zOGJgJtX5IEn4QRz99+2nlAnluJsm7+z9I +wQx2GrIg8vdmKl+bb9sz4n0WqEP45FJhMmNvVXU0Ki8rlAqOIZmN7TuXWlzfsfQ3 +Z2Y/FQ5Att+VKRHvb4L7WOtpu8PoLlf13cCgb0CqWtuPKmqlMbyfJfbFwpy4zTFs +Jv+maTz3EL2FveT9m4cBh/Cq3SnkrrVvL1XlGtgzfhO0LBKKVb4OPLf3UlaJfcV1 +UNkDJTWAbKz0EtOBl92mpFURCNK/5K0ZddSn+wIDAQABAoIBABcVbu54n9uR/dDj +ShBwKbfqredUOKryrkEmTt6tGMCw3q65CW0TaDNYEiixARNxIEDfGkayA1/MoeC+ +r2794HhZoJJ/1dF5VKKEYJWwZje1Pcl6LlSb8wcp+viIDNILS00sd7Hh+OKmWTo9 +/j+GwdEt9KThvJjjvvt/P+vLWBlcHD2zKFJnq826jKFESkUkY8P6e0cRzOuwGY+E +LYXAwZC+j7wS3c7tW7PyhGAXkTxohtNNYZ6vOGnGetnTxQDICZ9hCIZMA+7hrtK8 +TAGWtWvwx/5SgEl2+b7M0q70I/2LQSB4ACgOfkhm38z7FwqkvTMl9YhR8E4qvZsZ +2fv4hoECgYEA5GG8W1H82Z8fxY4AMKwbvlZ5pZGuIwwm+ABsg5BlSMfXZS2APJuP +wUUOW2gcjDXq/m+7HphgJADpkf+j6NhTks2gWF32VPCfp1EnxOrjOkrZqtBcud+A +1d0HeWvUMYl4iq9+3haILyfN4nQkFeYO1X0wD2kgrEeIkgipjG//tlsCgYEA2pXd +PvXugREkt+HladpCQXPnxHgS+QZuPNBYcDFMlOpC6RdcLzDWcqGzmYROM9/sbI+c +0H3l9ROOkqkA1jq8K2apOKmH9NBOZAaIfi+A450rnJK0trhMsuUgY/xrj+BBO1Vm +LrAIJ6TMpp8DntO/EVitLBwjR6WrM4pUB9kRxuECgYEA3vEp1luq4SYc9dUxClJ4 +os334lDcFQp/4AlJ5QTIWsv60KIiVQfmxVyML17qv1TDGa4olC1bbMoXOJa9g0fq +DZz9skXHehOLRuJKWEiTmQwIgF72pdwxAJTL/xPsCI+SRJAc4OBOAPpyWWXW9Cmo +wW97ww90/bi28RfTq2yJy5ECgYARPXq6yYjrMx/zROTkSWuqX+rqyxGsBH7TWxdu +meTRZfyrB8WkjzSKzAgvVokYfFPYaCdVJmjpwIYhOSUwwGcxASLdrjlj7L4SE5XW +ZgbDbRUQf12zf6vE/F9mo3UUXvqmJGEv04CBJ/VgOvB9KXRLePQHo5yAvSdYpFNm +Xw+Q4QKBgHbV9YV+b1D+8SKNgpCZcrgTmvXIS4ibHdIYT2cxqGbkYS9T1UuJ1kWd +PBeeYsF3CeCBi1PGKI9eYO85W0aS3fZyrekBOyOVDUqQNpXQPQVdCZtB1l6dtRbD +3hARd9eQ1Gq1XofKX6Lbc+7tQcmZbAKJbr3JjHJMDUORYk+o8hdK +-----END RSA PRIVATE KEY----- diff --git a/pkg/event/target/testdata/nats_tls.conf b/pkg/event/target/testdata/nats_tls.conf new file mode 100644 index 000000000..2ca45f6ef --- /dev/null +++ b/pkg/event/target/testdata/nats_tls.conf @@ -0,0 +1,7 @@ +port: 14225 +net: localhost + +tls { + cert_file: "./testdata/certs/nats_server_cert.pem" + key_file: "./testdata/certs/nats_server_key.pem" +} diff --git a/pkg/event/target/testdata/nats_tls_client_cert.conf b/pkg/event/target/testdata/nats_tls_client_cert.conf new file mode 100644 index 000000000..f0a7d0751 --- /dev/null +++ b/pkg/event/target/testdata/nats_tls_client_cert.conf @@ -0,0 +1,18 @@ +port: 14226 +net: localhost + +tls { + cert_file: "./testdata/certs/nats_server_cert.pem" + key_file: "./testdata/certs/nats_server_key.pem" + ca_file: "./testdata/certs/root_ca_cert.pem" + verify_and_map: true +} +authorization { + ADMIN = { + publish = ">" + subscribe = ">" + } + users = [ + {user: "CN=localhost,OU=Client,O=Minio,C=CA", permissions: $ADMIN} + ] +}