public void Test20SecurityHandlers() { string userJWT = "eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.e" + "yJqdGkiOiJFU1VQS1NSNFhGR0pLN0FHUk5ZRjc0STVQNTZHMkFGWER" + "YQ01CUUdHSklKUEVNUVhMSDJBIiwiaWF0IjoxNTQ0MjE3NzU3LCJpc" + "3MiOiJBQ1pTV0JKNFNZSUxLN1FWREVMTzY0VlgzRUZXQjZDWENQTUV" + "CVUtBMzZNSkpRUlBYR0VFUTJXSiIsInN1YiI6IlVBSDQyVUc2UFY1N" + "TJQNVNXTFdUQlAzSDNTNUJIQVZDTzJJRUtFWFVBTkpYUjc1SjYzUlE" + "1V002IiwidHlwZSI6InVzZXIiLCJuYXRzIjp7InB1YiI6e30sInN1Y" + "iI6e319fQ.kCR9Erm9zzux4G6M-V2bp7wKMKgnSNqMBACX05nwePRW" + "Qa37aO_yObbhcJWFGYjo1Ix-oepOkoyVLxOJeuD8Bw"; string userSeed = "SUAIBDPBAUTWCWBKIO6XHQNINK5FWJW4OHLXC3HQ" + "2KFE4PEJUA44CNHTC4"; using (utils.CreateServerWithConfig("operator.conf")) { EventHandler <UserJWTEventArgs> jwtEh = (sender, args) => { //just return a jwt args.JWT = userJWT; }; EventHandler <UserSignatureEventArgs> sigEh = (sender, args) => { // generate a nats key pair from a private key. // NEVER EVER handle a real private key/seed like this. var kp = Nkeys.FromSeed(userSeed); args.SignedNonce = kp.Sign(args.ServerNonce); }; Options opts = ConnectionFactory.GetDefaultOptions(); opts.SetUserCredentialHandlers(jwtEh, sigEh); new ConnectionFactory().CreateConnection(opts).Close(); } }
public void TestNKEYCreateOperatorSeed() { string op = Nkeys.CreateOperatorSeed(); Assert.NotEmpty(op); Assert.NotNull(Nkeys.FromSeed(op)); string pk = Nkeys.PublicKeyFromSeed(op); Assert.Equal('O', pk[0]); }
public void TestNKEYCreateAccountSeed() { string acc = Nkeys.CreateAccountSeed(); Assert.NotEmpty(acc); Assert.NotNull(Nkeys.FromSeed(acc)); string pk = Nkeys.PublicKeyFromSeed(acc); Assert.Equal('A', pk[0]); }
public void TestNKEYCreateUserSeed() { string user = Nkeys.CreateUserSeed(); Assert.NotEmpty(user); Assert.NotNull(Nkeys.FromSeed(user)); string pk = Nkeys.PublicKeyFromSeed(user); Assert.Equal('U', pk[0]); }
public void TestNKEYCreateOperatorSeed() { string op = Nkeys.CreateOperatorSeed(); Assert.NotEmpty(op); Assert.False(op.EndsWith("=", StringComparison.Ordinal)); Assert.NotNull(Nkeys.FromSeed(op)); string pk = Nkeys.PublicKeyFromSeed(op); Assert.Equal('O', pk[0]); }
public void TestNKEYCreateAccountSeed() { string acc = Nkeys.CreateAccountSeed(); Assert.NotEmpty(acc); Assert.False(acc.EndsWith("=", StringComparison.Ordinal)); Assert.NotNull(Nkeys.FromSeed(acc)); string pk = Nkeys.PublicKeyFromSeed(acc); Assert.Equal('A', pk[0]); }
public void TestNKEYCreateUserSeed() { string user = Nkeys.CreateUserSeed(); Assert.NotEmpty(user); Assert.False(user.EndsWith("=", StringComparison.Ordinal)); Assert.NotNull(Nkeys.FromSeed(user)); string pk = Nkeys.PublicKeyFromSeed(user); Assert.Equal('U', pk[0]); }
public void TestNKEYEncodeDecode() { byte[] a = new Byte[32]; byte[] b = Nkeys.DecodeSeed(Nkeys.Encode(20 << 3, true, a)); Assert.Equal(a, b); Random rnd = new Random(); rnd.NextBytes(a); b = Nkeys.DecodeSeed(Nkeys.Encode(20 << 3, true, a)); Assert.Equal(a, b); }
public void TestNKEYPublicKeyFromSeed() { // using nsc generated seeds for testing string pk = Nkeys.PublicKeyFromSeed("SOAELH6NJCEK4HST5644G4HK7TOAFZGRRJHNM4EUKUY7PPNDLIKO5IH4JM"); Assert.Equal("ODPWIBQJVIQ42462QAFI2RKJC4RZHCQSIVPRDDHWFCJAP52NRZK6Z2YC", pk); pk = Nkeys.PublicKeyFromSeed("SAANWFZ3JINNPERWT3ALE45U7GYT2ZDW6GJUIVPDKUF6GKAX6AISZJMAS4"); Assert.Equal("AATEJXG7UX4HFJ6ZPRTP22P6OYZER36YYD3GVBOVW7QHLU32P4QFFTZJ", pk); pk = Nkeys.PublicKeyFromSeed("SUAGDLNBWI2SGHDRYBHD63NH5FGZSVJUW2J7GAJZXWANQFLDW6G5SXZESU"); Assert.Equal("UBICBTHDKQRB4LIYA6BMIJ7EA2G7YS7FIWMMVKZJE6M3HS5IVCOLKDY2", pk); }
public void TestExpiredJwt() { var expiredUserJwt = "eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJleHAiOjE1NDg5NzkyMDAs" + "Imp0aSI6IlhURFdZUVc3QldDNzJSR0RaVzNWMlNGQUxFRklCWlRKRkZLWDRTVEpa" + "TVZYWFFBSk01WVEiLCJpYXQiOjE1NzM1NDMyNjYsImlzcyI6IkFBNTVENUw1S0sz" + "WElJNklLSDc0Vk5CUDNTVjNKWUxVQlRKTkxTVEM2NjJKTDZWN0FPWk9GT0NIIiwi" + "bmFtZSI6IlRlc3RVc2VyIiwibmJmIjoxNTQ2MzAwODAwLCJzdWIiOiJVRDZPVUNS" + "T1VEQTZBTTdZMjMySTRLTFVGWU40TTNPWUxJWFhVU0FNTzVQT1RVMkpaVjNVNzY3" + "SiIsInR5cGUiOiJ1c2VyIiwibmF0cyI6eyJwdWIiOnt9LCJzdWIiOnt9fX0.n81V" + "bNLwtYMRYfUDbLgnn0MzFL3imxlEk0PQSzOxQpB_nBkVKvRUtbnd22iS8S9i_HRO" + "FJXfk26xEoOhYtCACg"; var userSeed = "SUAIBDPBAUTWCWBKIO6XHQNINK5FWJW4OHLXC3HQ2KFE4PEJUA44CNHTC4A"; using (NATSServer.CreateWithConfig(Context.Server1.Port, "operator.conf")) { EventHandler <UserJWTEventArgs> jwtEh = (sender, args) => args.JWT = expiredUserJwt; EventHandler <UserSignatureEventArgs> sigEh = (sender, args) => { // generate a nats key pair from a private key. // NEVER EVER handle a real private key/seed like this. var kp = Nkeys.FromSeed(userSeed); args.SignedNonce = kp.Sign(args.ServerNonce); }; var opts = Context.GetTestOptionsWithDefaultTimeout(Context.Server1.Port); opts.SetUserCredentialHandlers(jwtEh, sigEh); var ex = Assert.Throws <NATSConnectionException>(() => { using (Context.ConnectionFactory.CreateConnection(opts)){ } }); Assert.Equal("'Authorization Violation'", ex.Message, StringComparer.OrdinalIgnoreCase); } }
public override async Task <AwsIamAuthReply> AwsIamAuth(AwsIamAuthRequest request, ServerCallContext context) { if (_config.AwsIamMapping == null) { throw new Exception("missing AWS IAM configuration -- AWS IAM mapping is unsupported"); } var nowUtc = DateTime.UtcNow; var amzDateMin = nowUtc.AddMinutes(-5); var amzDateMax = nowUtc.AddMinutes(5); var amzDate = DateTime.ParseExact(request.StsAmzIso8601Date, AwsIamConstants.ISO8601DateTimeFormat, null).ToUniversalTime(); if (amzDate < amzDateMin || amzDate > amzDateMax) { throw new Exception("AMZ Date outside of valid range"); } using var httpBody = new StringContent( AwsIamConstants.AwsIamRequestContent, AwsIamConstants.AwsIamRequestContentEncoding, AwsIamConstants.AwsIamRequestContentMediaType); using var httpRequ = new HttpRequestMessage( AwsIamConstants.AwsIamRequestHttpMethod, AwsIamConstants.AwsIamRequestEndpoint) { Content = httpBody, }; foreach (var h in request.StsAdditionalHeaders) { httpRequ.Headers.Add(h.Key, h.Value.Values); } if (!httpRequ.Headers.TryAddWithoutValidation("Authorization", request.StsAuthorization)) { throw new Exception("could not add AWSv4 Authorization header"); } using var http = new HttpClient(); using var httpResp = await http.SendAsync(httpRequ); httpResp.EnsureSuccessStatusCode(); using var httpRespStream = await httpResp.Content.ReadAsStreamAsync(); var httpRespResult = AwsStsGetCallerIdentityResponse.ParseXml(httpRespStream); var identityArn = httpRespResult?.GetCallerIdentityResult?.Arn; if (string.IsNullOrEmpty(identityArn)) { throw new Exception("could not authenticate or resolve IAM Identity ARN"); } var userMap = _config.AwsIamMapping.Users.FirstOrDefault(u => u.Arn == identityArn || (u.Arn.EndsWith("*") && identityArn.StartsWith(u.Arn.Substring(0, u.Arn.Length - 1)))); if (userMap == null) { throw new Exception("user has no mapping"); } ByteString sig = ByteString.Empty; if (!(request.Nonce?.IsEmpty ?? true)) { var nonce = request.Nonce.ToByteArray(); var nkeys = Nkeys.FromSeed(userMap.NKey); sig = ByteString.CopyFrom(nkeys.Sign(nonce)); } return(new AwsIamAuthReply { Jwt = userMap.JWT, NonceSigned = sig, IdentityArn = httpRespResult.GetCallerIdentityResult?.Arn, }); }
public override async Task <KerberosAuthReply> KerberosAuth(KerberosAuthRequest request, ServerCallContext context) { if (_config.KerberosMapping == null) { throw new Exception("missing Kerberos configuration -- Kerberos mapping is unsupported"); } if (request.ServiceToken?.IsEmpty ?? true) { throw new Exception("invalid or missing Kerberos authentication token"); } var tokenBytes = request.ServiceToken.ToByteArray(); var kKey = new KerberosKey( _config.KerberosMapping.Password, principalName: new PrincipalName( PrincipalNameType.NT_PRINCIPAL, _config.KerberosMapping.Realm, new[] { _config.KerberosMapping.Spn } ), saltType: SaltType.ActiveDirectoryUser); var kValidator = new KerberosValidator(kKey); var auth = new KerberosAuthenticator(kValidator); var claims = await auth.Authenticate(tokenBytes); if (claims == null) { throw new Exception("could not resolve identity"); } if (string.IsNullOrEmpty(claims.Name)) { throw new Exception("identity name is unresolved"); } var userMap = _config.KerberosMapping.Users.FirstOrDefault(u => u.Name == claims.Name); if (userMap == null) { throw new Exception("user has no mapping"); } ByteString sig = ByteString.Empty; if (!(request.Nonce?.IsEmpty ?? true)) { var nonce = request.Nonce.ToByteArray(); var nkeys = Nkeys.FromSeed(userMap.NKey); sig = ByteString.CopyFrom(nkeys.Sign(nonce)); } _logger.LogInformation("Reploy:"); var reply = new KerberosAuthReply { Jwt = userMap.JWT, NonceSigned = sig, IdentityName = claims.Name, }; _logger.LogInformation(JsonSerializer.Serialize(reply)); return(reply); }