
@wallyqs
Last active March 30, 2024 01:57
NATS Server + SPIFFE

Start the server with SPIFFE SVID Auth enabled:

git clone https://github.com/nats-io/nats-server
cd nats-server/test/configs/certs/svid

wget https://gist.githubusercontent.com/wallyqs/f2479312079afb04b83ad6b90aa8bca1/raw/c2ae6949807bb9cd090ebff0bcff3fc1b62c42e3/svid-auth.conf
wget https://gist.githubusercontent.com/wallyqs/f2479312079afb04b83ad6b90aa8bca1/raw/747a3a5fe74887f0b9a23d2ac9e99182fa9dd971/svid-a.go
docker run -v $(pwd):/conf -p 4222:4222 wallyqs/nats-server:2.1.7-spiffe --config /conf/svid-auth.conf -DV

go run svid-a.go 

Results:

[1] 2020/05/27 21:23:08.286412 [INF] Starting nats-server version 2.1.6
[1] 2020/05/27 21:23:08.286502 [DBG] Go build version go1.13.9
[1] 2020/05/27 21:23:08.286523 [INF] Git commit [c2735e78]
[1] 2020/05/27 21:23:08.286898 [INF] Listening for client connections on 0.0.0.0:4222
[1] 2020/05/27 21:23:08.286923 [INF] TLS required for client connections
[1] 2020/05/27 21:23:08.286940 [INF] Server id is NBSTT2AXPSF7Y2ZTL5VAARSTALKSAHVJSD3TDMMOJQOJJKZ72WIL4ZYH
[1] 2020/05/27 21:23:08.286960 [INF] Server is ready
[1] 2020/05/27 21:23:08.286986 [DBG] Get non local IPs for "0.0.0.0"
[1] 2020/05/27 21:23:08.287214 [DBG]  ip=172.17.0.2
[1] 2020/05/27 21:23:58.371921 [DBG] 172.17.0.1:52470 - cid:1 - Client connection created
[1] 2020/05/27 21:23:58.373010 [DBG] 172.17.0.1:52470 - cid:1 - Starting TLS client connection handshake
[1] 2020/05/27 21:23:58.411052 [DBG] 172.17.0.1:52470 - cid:1 - TLS handshake complete
[1] 2020/05/27 21:23:58.411500 [DBG] 172.17.0.1:52470 - cid:1 - TLS version 1.3, cipher suite TLS_AES_128_GCM_SHA256
[1] 2020/05/27 21:23:58.413216 [TRC] 172.17.0.1:52470 - cid:1 - <<- [CONNECT {"verbose":false,"pedantic":false,"tls_required":true,"name":"","lang":"go","version":"1.10.0","protocol":1,"echo":true}]
[1] 2020/05/27 21:23:58.413630 [DBG] 172.17.0.1:52470 - cid:1 - Multiple peer certificates found, selecting first
[1] 2020/05/27 21:23:58.414019 [DBG] 172.17.0.1:52470 - cid:1 - Using URI found in cert for auth ["spiffe://localhost/my-nats-service/user-a"]
[1] 2020/05/27 21:23:58.414463 [TRC] 172.17.0.1:52470 - cid:1 - <<- [PING]
[1] 2020/05/27 21:23:58.414500 [TRC] 172.17.0.1:52470 - cid:1 - ->> [PONG]
[1] 2020/05/27 21:23:58.422207 [TRC] 172.17.0.1:52470 - cid:1 - <<- [SUB foo  1]
[1] 2020/05/27 21:23:58.422267 [TRC] 172.17.0.1:52470 - cid:1 - <<- [PUB foo 12]
[1] 2020/05/27 21:23:58.422305 [TRC] 172.17.0.1:52470 - cid:1 - <<- MSG_PAYLOAD: ["Hello World!"]
[1] 2020/05/27 21:23:58.422411 [TRC] 172.17.0.1:52470 - cid:1 - ->> [MSG foo 1 12]
[1] 2020/05/27 21:23:58.441859 [DBG] 172.17.0.1:52470 - cid:1 - Client connection closed
[1] 2020/05/27 21:23:58.442003 [TRC] 172.17.0.1:52470 - cid:1 - <-> [DELSUB 1]
package main
import (
"crypto/tls"
"crypto/x509"
"log"
"github.com/nats-io/nats.go"
)
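// main connects to a NATS server presenting the SVID client certificate,
// performs a single publish/subscribe round trip on subject "foo" and then
// drains the connection. Every setup step that can fail is checked and is
// fatal on error.
func main() {
	cert, err := tls.LoadX509KeyPair("svid-user-a.pem", "svid-user-a.key")
	if err != nil {
		log.Fatal(err)
	}
	// Populate Leaf from the first DER block so the parsed certificate is
	// available on the tls.Certificate without re-parsing it later.
	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		log.Fatal(err)
	}
	tlsopts := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// SECURITY: InsecureSkipVerify disables verification of the server's
		// certificate chain and host name, so this client does not
		// authenticate the server it talks to. The sibling variant of this
		// program pins the server with nats.RootCAs("ca.pem") instead, which
		// is the configuration to use outside a local experiment.
		InsecureSkipVerify: true,
	}
	nc, err := nats.Connect("nats.example.com", nats.Secure(tlsopts))
	if err != nil {
		log.Fatal(err)
	}
	// wait is closed by the subscription callback once the message arrives.
	wait := make(chan struct{})
	if _, err := nc.Subscribe("foo", func(m *nats.Msg) {
		log.Println("[Received]", string(m.Data))
		close(wait)
	}); err != nil {
		log.Fatal(err)
	}
	if err := nc.Publish("foo", []byte("Hello World!")); err != nil {
		log.Fatal(err)
	}
	<-wait
	// NOTE(review): Drain does not block until the connection is closed, so
	// the process may exit before the drain completes; harmless here since
	// the only message has already been received.
	if err := nc.Drain(); err != nil {
		log.Fatal(err)
	}
}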
package main
import (
"log"
"github.com/nats-io/nats.go"
)
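// main connects to the local NATS server using the SVID client certificate
// and the demo CA bundle, performs a single publish/subscribe round trip on
// subject "foo" and then drains the connection. Every setup step that can
// fail is checked and is fatal on error.
func main() {
	opts := []nats.Option{
		// Present the SVID as the client certificate; with verify_and_map
		// enabled on the server, the SPIFFE URI in the cert is used as the
		// user identity.
		nats.ClientCert("svid-user-a.pem", "svid-user-a.key"),
		// Verify the server certificate against the demo CA rather than
		// skipping verification.
		nats.RootCAs("ca.pem"),
	}
	nc, err := nats.Connect("localhost:4222", opts...)
	if err != nil {
		log.Fatal(err)
	}
	// wait is closed by the subscription callback once the message arrives.
	wait := make(chan struct{})
	if _, err := nc.Subscribe("foo", func(m *nats.Msg) {
		log.Println("[Received]", string(m.Data))
		close(wait)
	}); err != nil {
		log.Fatal(err)
	}
	if err := nc.Publish("foo", []byte("Hello World!")); err != nil {
		log.Fatal(err)
	}
	<-wait
	// NOTE(review): Drain does not block until the connection is closed, so
	// the process may exit before the drain completes; harmless here since
	// the only message has already been received.
	if err := nc.Drain(); err != nil {
		log.Fatal(err)
	}
}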
# TLS settings for client connections. The certificate, key and CA are read
# from /conf, which the docker run command above mounts from the working
# directory.
tls {
cert_file: "/conf/server.pem"
key_file: "/conf/server.key"
# CA used to verify the client certificates presented during the handshake.
ca_file: "/conf/ca.pem"
# TLS handshake timeout, in seconds.
timeout: 5
# NOTE(review): `insecure` relaxes certificate verification on this listener;
# confirm exactly which checks the 2.1.7-spiffe build skips before using this
# setting outside a local demo.
insecure: true
# Require a client certificate and map the identity found in it to one of the
# users declared below.
verify_and_map: true
}
# Users are identified by the SPIFFE ID carried in the client certificate's
# URI SAN (compare the "Using URI found in cert for auth" log line above).
# A client presenting a certificate with any other identity is rejected.
authorization {
users = [
{
user = "spiffe://localhost/my-nats-service/user-a"
},
{
user = "spiffe://localhost/my-nats-service/user-b"
},
]
}