Added validation to cluster traffic - as downstream tools like nsc wi…

…ll need to perform some level of validation (#224) * Added validation to cluster traffic - as downstream tools like nsc will need to perform some level of validation * removed parsing of account for cluster traffic as that option will be delayed.
nats-io · Sep 13, 2024 · 2d9ece2 · 2d9ece2
1 parent 4445fcd
commit 2d9ece2
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/v2/account_claims.go b/v2/account_claims.go
@@ -230,6 +230,20 @@ func (ac *ExternalAuthorization) Validate(vr *ValidationResults) {
 	}
 }
 
+const (
+	ClusterTrafficSystem = "system"
+	ClusterTrafficOwner  = "owner"
+)
+
+type ClusterTraffic string
+
+func (ct ClusterTraffic) Valid() error {
+	if ct == "" || ct == ClusterTrafficSystem || ct == ClusterTrafficOwner {
+		return nil
+	}
+	return fmt.Errorf("unknown cluster traffic option: %q", ct)
+}
+
 // Account holds account specific claims data
 type Account struct {
 	Imports            Imports               `json:"imports,omitempty"`
@@ -241,7 +255,7 @@ type Account struct {
 	Mappings           Mapping               `json:"mappings,omitempty"`
 	Authorization      ExternalAuthorization `json:"authorization,omitempty"`
 	Trace              *MsgTrace             `json:"trace,omitempty"`
-	ClusterTraffic     string                `json:"cluster_traffic,omitempty"`
+	ClusterTraffic     ClusterTraffic        `json:"cluster_traffic,omitempty"`
 	Info
 	GenericFields
 }
@@ -309,6 +323,10 @@ func (a *Account) Validate(acct *AccountClaims, vr *ValidationResults) {
 	}
 	a.SigningKeys.Validate(vr)
 	a.Info.Validate(vr)
+
+	if err := a.ClusterTraffic.Valid(); err != nil {
+		vr.AddError(err.Error())
+	}
 }
 
 // AccountClaims defines the body of an account JWT

diff --git a/v2/account_claims_test.go b/v2/account_claims_test.go
@@ -990,3 +990,31 @@ func TestAccountClaimsTraceDestSampling(t *testing.T) {
 		})
 	}
 }
+
+func TestClusterTraffic_Valid(t *testing.T) {
+	type clustertest struct {
+		input string
+		ok    bool
+	}
+
+	tests := []clustertest{
+		{input: "", ok: true},
+		{input: "system", ok: true},
+		{input: "SYSTEM", ok: false},
+		{input: "owner", ok: true},
+		{input: "OWNER", ok: false},
+		{input: "unknown", ok: false},
+		{input: "account", ok: false},
+	}
+
+	for _, test := range tests {
+		ct := ClusterTraffic(test.input)
+		err := ct.Valid()
+		if test.ok && err != nil {
+			t.Fatalf("unexpected err for input %q: %v", test.input, err)
+		}
+		if !test.ok && err == nil {
+			t.Fatalf("expected to fail input %q", test.input)
+		}
+	}
+}