skip import authorization check when internal

Signed-off-by: Matthias Hanel <mh@synadia.com>
nats-io · Aug 19, 2022 · e11a8cc · e11a8cc
1 parent ee66082
commit e11a8cc
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/server/accounts.go b/server/accounts.go
@@ -1440,6 +1440,12 @@ func (a *Account) lowestServiceExportResponseTime() time.Duration {
 
 // AddServiceImportWithClaim will add in the service import via the jwt claim.
 func (a *Account) AddServiceImportWithClaim(destination *Account, from, to string, imClaim *jwt.Import) error {
+	return a.addServiceImportWithClaim(destination, from, to, imClaim, false)
+}
+
+// addServiceImportWithClaim will add in the service import via the jwt claim.
+// It will also skip the authorization check in cases where internal is true
+func (a *Account) addServiceImportWithClaim(destination *Account, from, to string, imClaim *jwt.Import, internal bool) error {
 	if destination == nil {
 		return ErrMissingAccount
 	}
@@ -1452,7 +1458,7 @@ func (a *Account) AddServiceImportWithClaim(destination *Account, from, to strin
 	}
 
 	// First check to see if the account has authorized us to route to the "to" subject.
-	if !destination.checkServiceImportAuthorized(a, to, imClaim) {
+	if !internal && !destination.checkServiceImportAuthorized(a, to, imClaim) {
 		return ErrServiceImportAuthorization
 	}
 

diff --git a/server/events.go b/server/events.go
@@ -1643,7 +1643,7 @@ func (s *Server) registerSystemImports(a *Account) {
 
 	importSrvc := func(subj, mappedSubj string) {
 		if !a.serviceImportExists(subj) {
-			if err := a.AddServiceImport(sacc, subj, mappedSubj); err != nil {
+			if err := a.addServiceImportWithClaim(sacc, subj, mappedSubj, nil, true); err != nil {
 				s.Errorf("Error setting up system service import %s -> %s for account: %v",
 					subj, mappedSubj, err)
 			}

diff --git a/server/jwt_test.go b/server/jwt_test.go
@@ -4280,7 +4280,7 @@ func TestJWTSysImportOverwritePublic(t *testing.T) {
 
 func TestJWTSysImportOverwriteToken(t *testing.T) {
 	_, sysPub, sysClaim := NewJwtAccountClaim("SYS")
-	// this changes the export permissions in a way that the internal imports can't be added any longer
+	// this changes the export permissions in a way that the internal imports can't satisfy
 	sysClaim.Exports.Add(&jwt.Export{
 		Type:     jwt.Service,
 		Subject:  "$SYS.REQ.>",
@@ -4310,10 +4310,9 @@ func TestJWTSysImportOverwriteToken(t *testing.T) {
 	defer sA.Shutdown()
 
 	nc := natsConnect(t, sA.ClientURL(), createUserCreds(t, nil, aKp))
+	// make sure the internal import still got added
 	_, err = nc.Request("$SYS.REQ.ACCOUNT.PING.CONNZ", nil, time.Second)
-	// This is expected to fail as the internal import could not be added
-	require_Error(t, err)
-	require_Contains(t, err.Error(), "no responders")
+	require_NoError(t, err)
 }
 
 func TestJWTLimits(t *testing.T) {