Proposed changes to the PR

kozlovic · kozlovic · commit e827e775543b · 2025-08-20T10:41:13.000-06:00
Signed-off-by: Ivan Kozlovic &lt;ivan@synadia.com&gt;
diff --git a/src/opts.c b/src/opts.c
@@ -563,9 +563,7 @@ _sslCertCallback(SSL* ssl, void* arg)
 {
     natsSSLCtx *ctx = (natsSSLCtx*)arg;
     if (ctx == NULL)
-    {
         return 0;
-    }
 
     // delete any certificates associated with the SSL object
     SSL_certs_clear(ssl);
@@ -598,8 +596,7 @@ natsOptions_LoadCertificatesChainDynamic(natsOptions *opts,
 {
     natsStatus s = NATS_OK;
 
-    if ((certFileName == NULL) || (certFileName[0] == '\0')
-        || (keyFileName == NULL) || (keyFileName[0] == '\0'))
+    if (nats_IsStringEmpty(certFileName) || nats_IsStringEmpty(keyFileName))
     {
         return nats_setError(NATS_INVALID_ARG, "%s",
                              "certificate and key file names can't be NULL nor empty");
@@ -613,25 +610,18 @@ natsOptions_LoadCertificatesChainDynamic(natsOptions *opts,
         NATS_FREE(opts->sslCtx->certFileName);
         opts->sslCtx->certFileName = NATS_STRDUP(certFileName);
         if (opts->sslCtx->certFileName == NULL)
-        {
             s = nats_setDefaultError(NATS_NO_MEMORY);
-        }
     }
-
     if (s == NATS_OK)
     {
         NATS_FREE(opts->sslCtx->keyFileName);
         opts->sslCtx->keyFileName = NATS_STRDUP(keyFileName);
         if (opts->sslCtx->keyFileName == NULL)
-        {
             s = nats_setDefaultError(NATS_NO_MEMORY);
-        }
     }
-
     if (s == NATS_OK)
     {
         nats_sslRegisterThreadForCleanup();
-
         SSL_CTX_set_cert_cb(opts->sslCtx->ctx, _sslCertCallback, opts->sslCtx);
     }
 
diff --git a/test/test.c b/test/test.c
@@ -21347,69 +21347,16 @@ void test_SSLVerifyHostname(void)
 #endif
 }
 
-static char*
-_getAccountName(natsConnection *nc)
-{
-    natsStatus s = NATS_OK;
-    natsSubscription *inboxSub = NULL;
-    natsMsg *userInfoMsg = NULL;
-    natsInbox *inbox = NULL;
-    char *accountName = NULL;
-
-    s = natsConn_newInbox(nc, &inbox);
-
-    // Subscribe to inbox for response
-    IFOK(s, natsConnection_SubscribeSync(&inboxSub, nc, inbox));
-    IFOK(s, natsConnection_Flush(nc));
-
-    // Publish account request with inbox as reply subject
-    IFOK(s, natsConnection_PublishRequestString(nc, "$SYS.REQ.USER.INFO", inbox, ""));
-    IFOK(s, natsConnection_Flush(nc));
-
-    // Wait for response
-    IFOK(s, natsSubscription_NextMsg(&userInfoMsg, inboxSub, 2000));
-
-    if (s == NATS_OK && userInfoMsg != NULL)
-    {
-        // Parse JSON response and extract account information
-        nats_JSON *json = NULL;
-        nats_JSON *data = NULL;
-        const char *account = NULL;
-
-        s = nats_JSONParse(&json, natsMsg_GetData(userInfoMsg), (int)natsMsg_GetDataLength(userInfoMsg));
-        if (s == NATS_OK)
-        {
-            s = nats_JSONGetObject(json, "data", &data);
-            if (s == NATS_OK)
-            {
-                s = nats_JSONGetStr(data, "account", &account);
-                if (s == NATS_OK && account != NULL)
-                {
-                    accountName = NATS_STRDUP(account);
-                }
-            }
-        }
-
-        // Cleanup
-        nats_JSONDestroy(json);
-        natsMsg_Destroy(userInfoMsg);
-    }
-
-    natsSubscription_Destroy(inboxSub);
-    NATS_FREE(inbox);
-
-    return accountName;
-}
-
 void test_SSLVerifyDynamic(void)
 {
 #if defined(NATS_HAS_TLS)
     natsStatus          s;
     natsConnection      *nc          = NULL;
     natsOptions         *opts        = NULL;
+    natsSubscription    *sub         = NULL;
+    natsMsg             *msg         = NULL;
     natsPid             serverPid    = NATS_INVALID_PID;
     struct threadArg    args;
-    char                *accountName = NULL;
 
     s = _createDefaultThreadArgsForCbTests(&args);
     if (s == NATS_OK)
@@ -21428,6 +21375,18 @@ void test_SSLVerifyDynamic(void)
     IFOK(s, natsOptions_SetReconnectedCB(opts, _reconnectedCb, &args));
     IFOK(s, natsConnection_Connect(&nc, opts));
     testCond(s != NATS_OK);
+    nats_clearLastError();
+
+    test("Check load certs (bad args): ");
+    s = natsOptions_LoadCertificatesChainDynamic(opts, "certs/client-cert.pem", "");
+    if (s == NATS_INVALID_ARG)
+        s = natsOptions_LoadCertificatesChainDynamic(opts, "certs/client-cert.pem", NULL);
+    if (s == NATS_INVALID_ARG)
+        s = natsOptions_LoadCertificatesChainDynamic(opts, "", "certs/client-key.pem");
+    if (s == NATS_INVALID_ARG)
+        s = natsOptions_LoadCertificatesChainDynamic(opts, NULL, "certs/client-key.pem");
+    testCond(s == NATS_INVALID_ARG);
+    nats_clearLastError();
 
     test("Check that connect succeeds with dynamic cert loading: ");
     // Create temporary certificate files for dynamic loading
@@ -21443,21 +21402,19 @@ void test_SSLVerifyDynamic(void)
     if ((s == NATS_OK) && (system("copy certs\\client-key.pem certs\\key-dynamic.pem") != 0))
         s = NATS_ERR;
 #endif
-    
     IFOK(s, natsOptions_LoadCertificatesChainDynamic(opts,
                                                      "certs/cert-dynamic.pem",
                                                      "certs/key-dynamic.pem"));
     s = natsConnection_Connect(&nc, opts);
+    IFOK(s, natsConnection_SubscribeSync(&sub, nc, "*"));
     IFOK(s, natsConnection_PublishString(nc, "foo", "test"));
     IFOK(s, natsConnection_Flush(nc));
-    testCond(s == NATS_OK);
-
-    test("Check account name equals \"DEREK\": ");
-    accountName = _getAccountName(nc);
-    testCond(accountName != NULL && !strcmp(accountName, "DEREK"));
-    NATS_FREE(accountName);
+    IFOK(s, natsSubscription_NextMsg(&msg, sub, 1000));
+    testCond((s == NATS_OK) && (msg != NULL) && (strcmp(natsMsg_GetData(msg), "test") == 0));
+    natsMsg_Destroy(msg);
+    msg = NULL;
 
-    test("Check reconnects with different cert is OK: ");
+    test("Change certs: ");
     _stopServer(serverPid);
 
     nats_Sleep(100);
@@ -21474,24 +21431,34 @@ void test_SSLVerifyDynamic(void)
     if ((s == NATS_OK) && (system("copy certs\\server-key.pem certs\\key-dynamic.pem") != 0))
         s = NATS_ERR;
 #endif
+    testCond(s == NATS_OK);
 
     serverPid = _startServer("nats://127.0.0.1:4443", "-config tlsverify.conf", true);
     CHECK_SERVER_STARTED(serverPid);
 
+    test("Wait for reconnect: ");
     natsMutex_Lock(args.m);
     while ((s != NATS_TIMEOUT) && !(args.reconnected))
         s = natsCondition_TimedWait(args.c, args.m, 2000);
     natsMutex_Unlock(args.m);
+    testCond(s == NATS_OK);
 
+    test("Check not able to publish on foo: ");
     IFOK(s, natsConnection_PublishString(nc, "foo", "test"));
     IFOK(s, natsConnection_Flush(nc));
-    testCond(s == NATS_OK);
+    IFOK(s, natsSubscription_NextMsg(&msg, sub, 250));
+    testCond((s == NATS_TIMEOUT) && (msg == NULL));
+    nats_clearLastError();
 
-    test("Check account name equals \"JOHN\": ");
-    accountName = _getAccountName(nc);
-    testCond(accountName != NULL && !strcmp(accountName, "JOHN"));
-    NATS_FREE(accountName);
+    test("Send to right subject: ");
+    s = natsConnection_PublishString(nc, "bar", "test2");
+    IFOK(s, natsConnection_Flush(nc));
+    IFOK(s, natsSubscription_NextMsg(&msg, sub, 1000));
+    testCond((s == NATS_OK) && (msg != NULL) && (strcmp(natsMsg_GetData(msg), "test2") == 0));
+    natsMsg_Destroy(msg);
+    msg = NULL;
 
+    natsSubscription_Destroy(sub);
     natsConnection_Destroy(nc);
     natsOptions_Destroy(opts);
 
diff --git a/test/tlsverify.conf b/test/tlsverify.conf
@@ -21,12 +21,12 @@ tls {
 accounts {
   DEREK: {
     users: [
-      { user: "derek@nats.io" }
+      { user: "derek@nats.io", permissions: { publish: "foo" } }
     ]
   }
   JOHN: {
     users: [
-      { user: "localhost" }
+      { user: "localhost", permissions: { publish: "bar" } }
     ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -563,9 +563,7 @@ _sslCertCallback(SSL* ssl, void* arg)`
`563`	`563`	`{`
`564`	`564`	`natsSSLCtx ctx = (natsSSLCtx)arg;`
`565`	`565`	`if (ctx == NULL)`
`566`		`- {`
`567`	`566`	`return 0;`
`568`		`- }`
`569`	`567`
`570`	`568`	`// delete any certificates associated with the SSL object`
`571`	`569`	`SSL_certs_clear(ssl);`
`@@ -598,8 +596,7 @@ natsOptions_LoadCertificatesChainDynamic(natsOptions *opts,`
`598`	`596`	`{`
`599`	`597`	`natsStatus s = NATS_OK;`
`600`	`598`
`601`		`- if ((certFileName == NULL) \|\| (certFileName[0] == '\0')`
`602`		`- \|\| (keyFileName == NULL) \|\| (keyFileName[0] == '\0'))`
	`599`	`+ if (nats_IsStringEmpty(certFileName) \|\| nats_IsStringEmpty(keyFileName))`
`603`	`600`	`{`
`604`	`601`	`return nats_setError(NATS_INVALID_ARG, "%s",`
`605`	`602`	`"certificate and key file names can't be NULL nor empty");`
`@@ -613,25 +610,18 @@ natsOptions_LoadCertificatesChainDynamic(natsOptions *opts,`
`613`	`610`	`NATS_FREE(opts->sslCtx->certFileName);`
`614`	`611`	`opts->sslCtx->certFileName = NATS_STRDUP(certFileName);`
`615`	`612`	`if (opts->sslCtx->certFileName == NULL)`
`616`		`- {`
`617`	`613`	`s = nats_setDefaultError(NATS_NO_MEMORY);`
`618`		`- }`
`619`	`614`	`}`
`620`		`-`
`621`	`615`	`if (s == NATS_OK)`
`622`	`616`	`{`
`623`	`617`	`NATS_FREE(opts->sslCtx->keyFileName);`
`624`	`618`	`opts->sslCtx->keyFileName = NATS_STRDUP(keyFileName);`
`625`	`619`	`if (opts->sslCtx->keyFileName == NULL)`
`626`		`- {`
`627`	`620`	`s = nats_setDefaultError(NATS_NO_MEMORY);`
`628`		`- }`
`629`	`621`	`}`
`630`		`-`
`631`	`622`	`if (s == NATS_OK)`
`632`	`623`	`{`
`633`	`624`	`nats_sslRegisterThreadForCleanup();`
`634`		`-`
`635`	`625`	`SSL_CTX_set_cert_cb(opts->sslCtx->ctx, _sslCertCallback, opts->sslCtx);`
`636`	`626`	`}`
`637`	`627`
Original file line number	Diff line number	Diff line change
`@@ -21,12 +21,12 @@ tls {`
`21`	`21`	`accounts {`
`22`	`22`	`DEREK: {`
`23`	`23`	`users: [`
`24`		`- { user: "derek@nats.io" }`
	`24`	`+ { user: "derek@nats.io", permissions: { publish: "foo" } }`
`25`	`25`	`]`
`26`	`26`	`}`
`27`	`27`	`JOHN: {`
`28`	`28`	`users: [`
`29`		`- { user: "localhost" }`
	`29`	`+ { user: "localhost", permissions: { publish: "bar" } }`
`30`	`30`	`]`
`31`	`31`	`}`
`32`	`32`	`}`