[FIX] added validation where auth user is required if accounts are sp…

…ecified (#181)
nats-io · Dec 2, 2022 · 83b58fd · 83b58fd
1 parent 31baa55
commit 83b58fd
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/v2/account_claims.go b/v2/account_claims.go
@@ -191,6 +191,9 @@ func (a *Account) EnableExternalAuthorization(users ...string) {
 }
 
 func (ac *ExternalAuthorization) Validate(vr *ValidationResults) {
+	if len(ac.AllowedAccounts) > 0 && len(ac.AuthUsers) == 0 {
+		vr.AddError("External authorization cannot have accounts without users specified")
+	}
 	// Make sure users are all valid user nkeys.
 	// Make sure allowed accounts are all valid account nkeys.
 	for _, u := range ac.AuthUsers {

diff --git a/v2/account_claims_test.go b/v2/account_claims_test.go
@@ -745,3 +745,19 @@ func TestAccountExternalAuthorization(t *testing.T) {
 		t.Fatalf("Expected not to have authorization enabled")
 	}
 }
+
+func TestAccountExternalAuthorizationRequiresOneUser(t *testing.T) {
+	akp := createAccountNKey(t)
+	apk := publicKey(akp, t)
+
+	account := NewAccountClaims(apk)
+	account.Authorization.AllowedAccounts.Add(publicKey(createAccountNKey(t), t))
+
+	vr := &ValidationResults{}
+	account.Validate(vr)
+
+	AssertEquals(len(vr.Errors()), 1, t)
+	AssertEquals("External authorization cannot have accounts without users specified",
+		vr.Errors()[0].Error(),
+		t)
+}