[FEAT] import operator

FIX #9
synadia-io · Nov 7, 2023 · 912eb9a · 912eb9a
1 parent 962c04d
commit 912eb9a
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 1 deletion.
diff --git a/auth.go b/auth.go
@@ -1,6 +1,7 @@
 package nats_auth
 
 import (
+	"fmt"
 	"github.com/nats-io/jwt/v2"
 	"github.com/nats-io/nkeys"
 )
@@ -79,6 +80,51 @@ func (a *OperatorsImpl) Delete(name string) error {
 	return nil
 }
 
+func (a *OperatorsImpl) Import(token []byte, keys []string) (Operator, error) {
+	claim, err := jwt.DecodeOperatorClaims(string(token))
+	if err != nil {
+		return nil, err
+	}
+
+	// we require all the keys? - new NGS will not allow you to
+	// edit configs via CLI, so this is not a problem?
+	m := make(map[string]*Key, len(keys))
+	for i, k := range keys {
+		key, err := KeyFrom(k, nkeys.PrefixByteOperator, nkeys.PrefixByteSeed)
+		if err != nil {
+			return nil, fmt.Errorf("invalid seed at %d: %w", i, err)
+		}
+		if key.Public != claim.Subject && !claim.SigningKeys.Contains(key.Public) {
+			return nil, fmt.Errorf("invalid seed %s: is not referenced by the operator", k)
+		}
+		m[key.Public] = key
+	}
+	if len(keys) != len(claim.SigningKeys)+1 {
+		return nil, fmt.Errorf("not all keys are provided: %d", len(keys))
+	}
+
+	var ok bool
+	data := &OperatorData{}
+	data.Claim = claim
+	data.EntityName = claim.Name
+	data.Key, ok = m[claim.Subject]
+	if !ok {
+		return nil, fmt.Errorf("%s was not provided", claim.Subject)
+	}
+	for _, k := range claim.SigningKeys {
+		key, ok := m[k]
+		if !ok {
+			return nil, fmt.Errorf("%s was not provided", k)
+		}
+		data.OperatorSigningKeys = append(data.OperatorSigningKeys, key)
+	}
+	a.auth.operators = append(a.auth.operators, data)
+	if err := data.update(); err != nil {
+		return nil, err
+	}
+	return data, nil
+}
+
 func (a *AuthImpl) Commit() error {
 	return a.provider.Store(a.operators)
 }

diff --git a/tests/operator_test.go b/tests/operator_test.go
@@ -1,6 +1,8 @@
 package tests
 
 import (
+	"github.com/nats-io/jwt/v2"
+	"github.com/nats-io/nkeys"
 	"github.com/stretchr/testify/require"
 	"github.com/synadia-io/jwt-auth-builder.go"
 )
@@ -11,7 +13,6 @@ func (suite *ProviderSuite) Test_OperatorBasics() {
 	require.NoError(t, err)
 
 	operators := auth.Operators()
-	require.NoError(t, err)
 	require.Empty(t, operators.List())
 
 	o := auth.Operators().Get("O")
@@ -210,3 +211,34 @@ func (suite *ProviderSuite) Test_OperatorSystemAccount() {
 	require.Nil(t, o.SystemAccount())
 	require.NoError(t, o.Accounts().Delete("SYS"))
 }
+
+func (suite *ProviderSuite) Test_OperatorImport() {
+	t := suite.T()
+	auth, err := nats_auth.NewAuth(suite.Provider)
+	require.NoError(t, err)
+
+	kp, err := nats_auth.KeyFor(nkeys.PrefixByteOperator)
+	require.NoError(t, err)
+
+	oc := jwt.NewOperatorClaims(kp.Public)
+	oc.Name = "O"
+	skp, err := nats_auth.KeyFor(nkeys.PrefixByteOperator)
+	require.NoError(t, err)
+	oc.SigningKeys.Add(skp.Public)
+
+	token, err := oc.Encode(kp.Pair)
+	require.NoError(t, err)
+
+	o, err := auth.Operators().Import(
+		[]byte(token),
+		[]string{string(kp.Seed), string(skp.Seed)})
+	require.NoError(t, err)
+	require.NotNil(t, o)
+
+	require.NoError(t, auth.Commit())
+	require.NoError(t, auth.Reload())
+	o = auth.Operators().Get("O")
+	require.NotNil(t, o)
+	require.Equal(t, kp.Public, o.Subject())
+	require.Equal(t, skp.Public, o.SigningKeys().List()[0])
+}
diff --git a/types.go b/types.go
@@ -97,6 +97,8 @@ type Operators interface {
 	Get(name string) Operator
 	// Delete an Operator by name or matching the specified ID
 	Delete(name string) error
+	// Import an Operator from JWT bytes and keys
+	Import(jwt []byte, keys []string) (Operator, error)
 }
 
 // Operator is an interface for editing the operator