nats-io / nats-server / 13322664385

func (c *client) isSolicitedLeafNode() bool {

        return c.kind == LEAF && c.leaf.remote != nil

}

func (c *client) isSpokeLeafNode() bool {

        return c.kind == LEAF && c.leaf.isSpoke

}

func (c *client) isHubLeafNode() bool {

        return c.kind == LEAF && !c.leaf.isSpoke

}

func (s *Server) solicitLeafNodeRemotes(remotes []*RemoteLeafOpts) {

        sysAccName := _EMPTY_

        sAcc := s.SystemAccount()

        if sAcc != nil {

                sysAccName = sAcc.Name

        }

        addRemote := func(r *RemoteLeafOpts, isSysAccRemote bool) *leafNodeCfg {

                s.mu.Lock()

                remote := newLeafNodeCfg(r)

                creds := remote.Credentials

                accName := remote.LocalAccount

                s.leafRemoteCfgs = append(s.leafRemoteCfgs, remote)

                // Print notice if

                if isSysAccRemote {

                        if len(remote.DenyExports) > 0 {

                                s.Noticef("Remote for System Account uses restricted export permissions")

                        }

                        if len(remote.DenyImports) > 0 {

                                s.Noticef("Remote for System Account uses restricted import permissions")

                        }

                s.mu.Unlock()

                if creds != _EMPTY_ {

                        contents, err := os.ReadFile(creds)

                        defer wipeSlice(contents)

                        if err != nil {

                        } else if items := credsRe.FindAllSubmatch(contents, -1); len(items) < 2 {

                        } else if _, err := nkeys.FromSeed(items[1][1]); err != nil {

                        } else if uc, err := jwt.DecodeUserClaims(string(items[0][1])); err != nil {

                        } else if isSysAccRemote {

                                if !uc.Permissions.Pub.Empty() || !uc.Permissions.Sub.Empty() || uc.Permissions.Resp != nil {

                                        s.Noticef("LeafNode Remote for System Account uses credentials file %q with restricted permissions", creds)

                                }

                        } else {

                                if !uc.Permissions.Pub.Empty() || !uc.Permissions.Sub.Empty() || uc.Permissions.Resp != nil {

                                        s.Noticef("LeafNode Remote for Account %s uses credentials file %q with restricted permissions", accName, creds)

                                }

                return remote

        for _, r := range remotes {

                remote := addRemote(r, r.LocalAccount == sysAccName)

                s.startGoRoutine(func() { s.connectToRemoteLeafNode(remote, true) })

func (s *Server) remoteLeafNodeStillValid(remote *leafNodeCfg) bool {

        for _, ri := range s.getOpts().LeafNode.Remotes {

                // FIXME(dlc) - What about auth changes?

                if reflect.DeepEqual(ri.URLs, remote.URLs) {

                        return true

                }

func validateLeafNode(o *Options) error {

        if err := validateLeafNodeAuthOptions(o); err != nil {

                return err

        }

        for _, r := range o.LeafNode.Remotes {

                if r.LocalAccount == _EMPTY_ {

                        r.LocalAccount = globalAccountName

                }

        if len(o.TrustedOperators) == 0 {

                accNames := map[string]struct{}{}

                for _, a := range o.Accounts {

                        accNames[a.Name] = struct{}{}

                }

                accNames[DEFAULT_GLOBAL_ACCOUNT] = struct{}{}

                // in the context of leaf nodes, empty account means global account

                accNames[_EMPTY_] = struct{}{}

                // system account either exists or, if not disabled, will be created

                if o.SystemAccount == _EMPTY_ && !o.NoSystemAccount {

                        accNames[DEFAULT_SYSTEM_ACCOUNT] = struct{}{}

                }

                checkAccountExists := func(accName string, cfgType string) error {

                        if _, ok := accNames[accName]; !ok {

                                return fmt.Errorf("cannot find local account %q specified in leafnode %s", accName, cfgType)

                        }

                        return nil

                if err := checkAccountExists(o.LeafNode.Account, "authorization"); err != nil {

                        return err

                }

                for _, lu := range o.LeafNode.Users {

                        if lu.Account == nil { // means global account

                                continue

                        if err := checkAccountExists(lu.Account.Name, "authorization"); err != nil {

                for _, r := range o.LeafNode.Remotes {

                        if err := checkAccountExists(r.LocalAccount, "remote"); err != nil {

                                return err

                        }

        } else {

                if len(o.LeafNode.Users) != 0 {

                        return fmt.Errorf("operator mode does not allow specifying users in leafnode config")

                }

                for _, r := range o.LeafNode.Remotes {

                        if !nkeys.IsValidPublicAccountKey(r.LocalAccount) {

                                return fmt.Errorf(

                                        "operator mode requires account nkeys in remotes. " +

                                                "Please add an `account` key to each remote in your `leafnodes` section, to assign it to an account. " +

                                                "Each account value should be a 56 character public key, starting with the letter 'A'")

                        }

                if o.LeafNode.Port != 0 && o.LeafNode.Account != "" && !nkeys.IsValidPublicAccountKey(o.LeafNode.Account) {

                        return fmt.Errorf("operator mode and non account nkeys are incompatible")

                }

        if o.LeafNode.Compression.Mode != _EMPTY_ {

                if err := validateAndNormalizeCompressionOption(&o.LeafNode.Compression, CompressionS2Auto); err != nil {

                        return err

                }

        for _, rcfg := range o.LeafNode.Remotes {

                if len(rcfg.URLs) >= 2 {

                        firstIsWS, ok := isWSURL(rcfg.URLs[0]), true

                        for i := 1; i < len(rcfg.URLs); i++ {

                                u := rcfg.URLs[i]

                                if isWS := isWSURL(u); isWS && !firstIsWS || !isWS && firstIsWS {

                                        ok = false

                                        break

                        if !ok {

                                return fmt.Errorf("remote leaf node configuration cannot have a mix of websocket and non-websocket urls: %q", redactURLList(rcfg.URLs))

                        }

                if rcfg.Compression.Mode != _EMPTY_ {

                        if err := validateAndNormalizeCompressionOption(&rcfg.Compression, CompressionS2Auto); err != nil {

                                return err

                        }

        if o.LeafNode.Port == 0 {

                return nil

        }

        if mv := o.LeafNode.MinVersion; mv != _EMPTY_ {

                if err := checkLeafMinVersionConfig(mv); err != nil {

                        return err

                }

        if o.Gateway.Name == _EMPTY_ && o.Gateway.Port == 0 {

                return nil

        }

        if o.SystemAccount == _EMPTY_ {

                return fmt.Errorf("leaf nodes and gateways (both being defined) require a system account to also be configured")

        }

        if err := validatePinnedCerts(o.LeafNode.TLSPinnedCerts); err != nil {

        return nil

func checkLeafMinVersionConfig(mv string) error {

        if ok, err := versionAtLeastCheckError(mv, 2, 8, 0); !ok || err != nil {

                if err != nil {

                        return fmt.Errorf("invalid leafnode's minimum version: %v", err)

                } else {

                        return fmt.Errorf("the minimum version should be at least 2.8.0")

                }

        return nil

func validateLeafNodeAuthOptions(o *Options) error {

        if len(o.LeafNode.Users) == 0 {

                return nil

        }

        if o.LeafNode.Username != _EMPTY_ {

                return fmt.Errorf("can not have a single user/pass and a users array")

        }

        if o.LeafNode.Nkey != _EMPTY_ {

        users := map[string]struct{}{}

        for _, u := range o.LeafNode.Users {

                if _, exists := users[u.Username]; exists {

                        return fmt.Errorf("duplicate user %q detected in leafnode authorization", u.Username)

                }

                users[u.Username] = struct{}{}

        return nil

func (s *Server) updateRemoteLeafNodesTLSConfig(opts *Options) {

        max := len(opts.LeafNode.Remotes)

        if max == 0 {

        s.mu.RLock()

        defer s.mu.RUnlock()

        // Changes in the list of remote leaf nodes is not supported.

        // However, make sure that we don't go over the arrays.

        if len(s.leafRemoteCfgs) < max {

        for i := 0; i < max; i++ {

                ro := opts.LeafNode.Remotes[i]

                cfg := s.leafRemoteCfgs[i]

                if ro.TLSConfig != nil {

                        cfg.Lock()

                        cfg.TLSConfig = ro.TLSConfig.Clone()

                        cfg.TLSHandshakeFirst = ro.TLSHandshakeFirst

                        cfg.Unlock()

                }

func (s *Server) reConnectToRemoteLeafNode(remote *leafNodeCfg) {

        delay := s.getOpts().LeafNode.ReconnectInterval

        select {

        case <-time.After(delay):

        case <-s.quitCh:

                s.grWG.Done()

                return

        s.connectToRemoteLeafNode(remote, false)

func newLeafNodeCfg(remote *RemoteLeafOpts) *leafNodeCfg {

        cfg := &leafNodeCfg{

                RemoteLeafOpts: remote,

                urls:           make([]*url.URL, 0, len(remote.URLs)),

        }

        if len(remote.DenyExports) > 0 || len(remote.DenyImports) > 0 {

                perms := &Permissions{}

                if len(remote.DenyExports) > 0 {

                        perms.Publish = &SubjectPermission{Deny: remote.DenyExports}

                }

                if len(remote.DenyImports) > 0 {

                        perms.Subscribe = &SubjectPermission{Deny: remote.DenyImports}

                }

                cfg.perms = perms

        cfg.urls = append(cfg.urls, cfg.URLs...)

        // If allowed to randomize, do it on our copy of URLs

        if !remote.NoRandomize {

                rand.Shuffle(len(cfg.urls), func(i, j int) {

                        cfg.urls[i], cfg.urls[j] = cfg.urls[j], cfg.urls[i]

                })

        for _, u := range cfg.urls {

                cfg.saveTLSHostname(u)

                cfg.saveUserPassword(u)

                // If the url(s) have the "wss://" scheme, and we don't have a TLS

                // config, mark that we should be using TLS anyway.

                if !cfg.TLS && isWSSURL(u) {

                        cfg.TLS = true

                }

        return cfg

func (cfg *leafNodeCfg) pickNextURL() *url.URL {

        cfg.Lock()

        defer cfg.Unlock()

        // If the current URL is the first in the list and we have more than

        // one URL, then move that one to end of the list.

        if cfg.curURL != nil && len(cfg.urls) > 1 && urlsAreEqual(cfg.curURL, cfg.urls[0]) {

                first := cfg.urls[0]

                copy(cfg.urls, cfg.urls[1:])

                cfg.urls[len(cfg.urls)-1] = first

        }

        cfg.curURL = cfg.urls[0]

        return cfg.curURL

func (cfg *leafNodeCfg) getCurrentURL() *url.URL {

        cfg.RLock()

        defer cfg.RUnlock()

        return cfg.curURL

}

func (cfg *leafNodeCfg) getConnectDelay() time.Duration {

        cfg.RLock()

        delay := cfg.connDelay

        cfg.RUnlock()

        return delay

}

func (cfg *leafNodeCfg) setConnectDelay(delay time.Duration) {

        cfg.Lock()

        cfg.connDelay = delay

        cfg.Unlock()

}

func (s *Server) setLeafNodeNonExportedOptions() {

        opts := s.getOpts()

        s.leafNodeOpts.dialTimeout = opts.LeafNode.dialTimeout

        if s.leafNodeOpts.dialTimeout == 0 {

                // Use same timeouts as routes for now.

                s.leafNodeOpts.dialTimeout = DEFAULT_ROUTE_DIAL

        }

        s.leafNodeOpts.resolver = opts.LeafNode.resolver

        if s.leafNodeOpts.resolver == nil {

                s.leafNodeOpts.resolver = net.DefaultResolver

        }

func (s *Server) connectToRemoteLeafNode(remote *leafNodeCfg, firstConnect bool) {

        defer s.grWG.Done()

        if remote == nil || len(remote.URLs) == 0 {

        opts := s.getOpts()

        reconnectDelay := opts.LeafNode.ReconnectInterval

        s.mu.RLock()

        dialTimeout := s.leafNodeOpts.dialTimeout

        resolver := s.leafNodeOpts.resolver

        var isSysAcc bool

        if s.eventsEnabled() {

                isSysAcc = remote.LocalAccount == s.sys.account.Name

        }

        jetstreamMigrateDelay := remote.JetStreamClusterMigrateDelay

        s.mu.RUnlock()

        // If we are sharing a system account and we are not standalone delay to gather some info prior.

        if firstConnect && isSysAcc && !s.standAloneMode() {

                s.Debugf("Will delay first leafnode connect to shared system account due to clustering")

                remote.setConnectDelay(sharedSysAccDelay)

        }

        if connDelay := remote.getConnectDelay(); connDelay > 0 {

                select {

                case <-time.After(connDelay):

                case <-s.quitCh:

                        return

                remote.setConnectDelay(0)

        var conn net.Conn

        const connErrFmt = "Error trying to connect as leafnode to remote server %q (attempt %v): %v"

        attempts := 0

        for s.isRunning() && s.remoteLeafNodeStillValid(remote) {

                rURL := remote.pickNextURL()

                url, err := s.getRandomIP(resolver, rURL.Host, nil)

                if err == nil {

                        var ipStr string

                        if url != rURL.Host {

                                ipStr = fmt.Sprintf(" (%s)", url)

                        }

                        if s.isLeafConnectDisabled() {

                                s.Debugf("Will not attempt to connect to remote server on %q%s, leafnodes currently disabled", rURL.Host, ipStr)

                                err = ErrLeafNodeDisabled

                        } else {

                                s.Debugf("Trying to connect as leafnode to remote server on %q%s", rURL.Host, ipStr)

                                conn, err = natsDialTimeout("tcp", url, dialTimeout)

                        }

                if err != nil {

                        jitter := time.Duration(rand.Int63n(int64(reconnectDelay)))

                        delay := reconnectDelay + jitter

                        attempts++

                        if s.shouldReportConnectErr(firstConnect, attempts) {

                                s.Errorf(connErrFmt, rURL.Host, attempts, err)

                        } else {

                                s.Debugf(connErrFmt, rURL.Host, attempts, err)

                        }

                        remote.Lock()

                        // if we are using a delay to start migrating assets, kick off a migrate timer.

                        if remote.jsMigrateTimer == nil && jetstreamMigrateDelay > 0 {

                                remote.jsMigrateTimer = time.AfterFunc(jetstreamMigrateDelay, func() {

                                        s.checkJetStreamMigrate(remote)

                                })

                        remote.Unlock()

                        select {

                        case <-s.quitCh:

                                remote.cancelMigrateTimer()

                                return

                        case <-time.After(delay):

                                // Check if we should migrate any JetStream assets immediately while this remote is down.

                                // This will be used if JetStreamClusterMigrateDelay was not set

                                if jetstreamMigrateDelay == 0 {

                                        s.checkJetStreamMigrate(remote)

                                }

                                continue

                remote.cancelMigrateTimer()

                if !s.remoteLeafNodeStillValid(remote) {

                s.createLeafNode(conn, rURL, remote, nil)

                // Clear any observer states if we had them.

                s.clearObserverState(remote)

                return

func (cfg *leafNodeCfg) cancelMigrateTimer() {

        cfg.Lock()

        stopAndClearTimer(&cfg.jsMigrateTimer)

        cfg.Unlock()

}

func (s *Server) clearObserverState(remote *leafNodeCfg) {

        s.mu.RLock()

        accName := remote.LocalAccount

        s.mu.RUnlock()

        acc, err := s.LookupAccount(accName)

        if err != nil {

                s.Warnf("Error looking up account [%s] checking for JetStream clear observer state on a leafnode", accName)

                return

        }

        acc.jscmMu.Lock()

        defer acc.jscmMu.Unlock()

        // Walk all streams looking for any clustered stream, skip otherwise.

        for _, mset := range acc.streams() {

                node := mset.raftNode()

                if node == nil {

                        // Not R>1

                        continue

                for _, o := range mset.getConsumers() {

                        if n := o.raftNode(); n != nil {

                                // Ensure we can become a leader again.

                                n.SetObserver(false)

                        }

                node.SetObserver(false)

func (s *Server) checkJetStreamMigrate(remote *leafNodeCfg) {

        s.mu.RLock()

        accName, shouldMigrate := remote.LocalAccount, remote.JetStreamClusterMigrate

        s.mu.RUnlock()

        if !shouldMigrate {

                return

        }

        acc, err := s.LookupAccount(accName)

        if err != nil {

        acc.jscmMu.Lock()

        defer acc.jscmMu.Unlock()

        // Walk all streams looking for any clustered stream, skip otherwise.

        // If we are the leader force stepdown.

        for _, mset := range acc.streams() {

                node := mset.raftNode()

                if node == nil {

                for _, o := range mset.getConsumers() {

                        if n := o.raftNode(); n != nil {

                                if n.Leader() {

                                        n.StepDown()

                                }

                                n.SetObserver(true)

                if node.Leader() {

                        node.StepDown()

                }

                node.SetObserver(true)

func (s *Server) isLeafConnectDisabled() bool {

        s.mu.RLock()

        defer s.mu.RUnlock()

        return s.leafDisableConnect

}

func (cfg *leafNodeCfg) saveTLSHostname(u *url.URL) {

        if cfg.tlsName == _EMPTY_ && net.ParseIP(u.Hostname()) == nil {

                cfg.tlsName = u.Hostname()

        }

func (cfg *leafNodeCfg) saveUserPassword(u *url.URL) {

        if cfg.username == _EMPTY_ && u.User != nil {

                cfg.username = u.User.Username()

                cfg.password, _ = u.User.Password()

        }

func (s *Server) startLeafNodeAcceptLoop() {

        // Snapshot server options.

        opts := s.getOpts()

        port := opts.LeafNode.Port

        if port == -1 {

                port = 0

        }

        if s.isShuttingDown() {

                return

        }

        s.mu.Lock()

        hp := net.JoinHostPort(opts.LeafNode.Host, strconv.Itoa(port))

        l, e := natsListen("tcp", hp)

        s.leafNodeListenerErr = e

        if e != nil {

        s.Noticef("Listening for leafnode connections on %s",

                net.JoinHostPort(opts.LeafNode.Host, strconv.Itoa(l.Addr().(*net.TCPAddr).Port)))

        tlsRequired := opts.LeafNode.TLSConfig != nil

        tlsVerify := tlsRequired && opts.LeafNode.TLSConfig.ClientAuth == tls.RequireAndVerifyClientCert

        // Do not set compression in this Info object, it would possibly cause

        // issues when sending asynchronous INFO to the remote.

        info := Info{

                ID:            s.info.ID,

                Name:          s.info.Name,

                Version:       s.info.Version,

                GitCommit:     gitCommit,

                GoVersion:     runtime.Version(),

                AuthRequired:  true,

                TLSRequired:   tlsRequired,

                TLSVerify:     tlsVerify,

                MaxPayload:    s.info.MaxPayload, // TODO(dlc) - Allow override?

                Headers:       s.supportsHeaders(),

                JetStream:     opts.JetStream,

                Domain:        opts.JetStreamDomain,

                Proto:         s.getServerProto(),

                InfoOnConnect: true,

        }

        // If we have selected a random port...

        if port == 0 {

                // Write resolved port back to options.

                opts.LeafNode.Port = l.Addr().(*net.TCPAddr).Port

        }

        s.leafNodeInfo = info

        // Possibly override Host/Port and set IP based on Cluster.Advertise

        if err := s.setLeafNodeInfoHostPortAndIP(); err != nil {

        s.leafURLsMap[s.leafNodeInfo.IP]++

        s.generateLeafNodeInfoJSON()

        // Setup state that can enable shutdown

        s.leafNodeListener = l

        // As of now, a server that does not have remotes configured would

        // never solicit a connection, so we should not have to warn if

        // InsecureSkipVerify is set in main LeafNodes config (since

        // this TLS setting matters only when soliciting a connection).

        // Still, warn if insecure is set in any of LeafNode block.

        // We need to check remotes, even if tls is not required on accept.

        warn := tlsRequired && opts.LeafNode.TLSConfig.InsecureSkipVerify

        if !warn {

                for _, r := range opts.LeafNode.Remotes {

                        if r.TLSConfig != nil && r.TLSConfig.InsecureSkipVerify {

                                warn = true

                                break

        if warn {

                s.Warnf(leafnodeTLSInsecureWarning)

        }

        go s.acceptConnections(l, "Leafnode", func(conn net.Conn) { s.createLeafNode(conn, nil, nil, nil) }, nil)

        s.mu.Unlock()

func (c *client) sendLeafConnect(clusterName string, headers bool) error {

        // We support basic user/pass and operator based user JWT with signatures.

        cinfo := leafConnectInfo{

                Version:       VERSION,

                ID:            c.srv.info.ID,

                Domain:        c.srv.info.Domain,

                Name:          c.srv.info.Name,

                Hub:           c.leaf.remote.Hub,

                Cluster:       clusterName,

                Headers:       headers,

                JetStream:     c.acc.jetStreamConfigured(),

                DenyPub:       c.leaf.remote.DenyImports,

                Compression:   c.leaf.compression,

                RemoteAccount: c.acc.GetName(),

                Proto:         c.srv.getServerProto(),

        }

        // If a signature callback is specified, this takes precedence over anything else.

        if cb := c.leaf.remote.SignatureCB; cb != nil {

                nonce := c.nonce

                c.mu.Unlock()

                jwt, sigraw, err := cb(nonce)

                c.mu.Lock()

                if err == nil && c.isClosed() {

                        err = ErrConnectionClosed

                }

                if err != nil {

                        c.Errorf("Error signing the nonce: %v", err)

                        return err

                }

                sig := base64.RawURLEncoding.EncodeToString(sigraw)

                cinfo.JWT, cinfo.Sig = jwt, sig

        } else if creds := c.leaf.remote.Credentials; creds != _EMPTY_ {

                // Check for credentials first, that will take precedence..

                c.Debugf("Authenticating with credentials file %q", c.leaf.remote.Credentials)

                contents, err := os.ReadFile(creds)

                if err != nil {

                defer wipeSlice(contents)

                items := credsRe.FindAllSubmatch(contents, -1)

                if len(items) < 2 {

                raw := items[0][1]

                tmp := make([]byte, len(raw))

                copy(tmp, raw)

                // Seed is second item.

                kp, err := nkeys.FromSeed(items[1][1])

                if err != nil {

                defer kp.Wipe()

                sigraw, _ := kp.Sign(c.nonce)

                sig := base64.RawURLEncoding.EncodeToString(sigraw)

                cinfo.JWT = bytesToString(tmp)

                cinfo.Sig = sig

        } else if nkey := c.leaf.remote.Nkey; nkey != _EMPTY_ {

                kp, err := nkeys.FromSeed([]byte(nkey))

                if err != nil {

                defer kp.Wipe()

                sigraw, _ := kp.Sign(c.nonce)

                sig := base64.RawURLEncoding.EncodeToString(sigraw)

                pkey, _ := kp.PublicKey()

                cinfo.Nkey = pkey

                cinfo.Sig = sig

        if userInfo := c.leaf.remote.curURL.User; userInfo != nil {

                // For backward compatibility, if only username is provided, set both

                // Token and User, not just Token.

                cinfo.User = userInfo.Username()

                var ok bool

                cinfo.Pass, ok = userInfo.Password()

                if !ok {

                        cinfo.Token = cinfo.User

                }

        } else if c.leaf.remote.username != _EMPTY_ {

                cinfo.User = c.leaf.remote.username

                cinfo.Pass = c.leaf.remote.password

        }

        b, err := json.Marshal(cinfo)

        if err != nil {

        c.enqueueProto([]byte(fmt.Sprintf(ConProto, b)))

        return nil

func (s *Server) copyLeafNodeInfo() *Info {

        clone := s.leafNodeInfo

        // Copy the array of urls.