Files
wehub-resource-sync 1b8708893a
Security Scan / tests (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:12:26 +08:00

67 lines
2.2 KiB
Go

package natsauth
import (
"fmt"
"time"
"github.com/mudler/xlog"
)
// DefaultWorkerJWTTTL is how long a worker may use a minted NATS user JWT before re-registering.
const DefaultWorkerJWTTTL = 24 * time.Hour
// Config holds NATS JWT authentication settings for distributed mode.
type Config struct {
// AccountSeed is the NATS account signing seed (SU...). Used to mint per-node worker JWTs.
AccountSeed string
// ServiceUserJWT is a pre-generated user JWT for frontends and agent workers (broad publish).
ServiceUserJWT string
// ServiceUserSeed is the signing seed (SU...) paired with ServiceUserJWT.
ServiceUserSeed string
// WorkerJWTTTL sets expiry on minted worker JWTs. Zero uses DefaultWorkerJWTTTL.
WorkerJWTTTL time.Duration
// RequireAuth rejects anonymous NATS when true (both ServiceUserJWT and AccountSeed expected).
RequireAuth bool
}
// Enabled reports whether any NATS credential material is configured.
func (c Config) Enabled() bool {
return c.AccountSeed != "" || c.ServiceUserJWT != ""
}
// CanMintWorkers reports whether per-node JWTs can be issued at registration.
func (c Config) CanMintWorkers() bool {
return c.AccountSeed != ""
}
// WorkerTTL returns the configured worker JWT lifetime.
func (c Config) WorkerTTL() time.Duration {
if c.WorkerJWTTTL > 0 {
return c.WorkerJWTTTL
}
return DefaultWorkerJWTTTL
}
// Validate checks consistency when distributed NATS auth is required.
func (c Config) Validate() error {
if !c.RequireAuth {
return nil
}
if c.ServiceUserJWT == "" || c.ServiceUserSeed == "" {
return fmt.Errorf("LOCALAI_NATS_REQUIRE_AUTH requires LOCALAI_NATS_SERVICE_JWT and LOCALAI_NATS_SERVICE_SEED")
}
if c.AccountSeed == "" {
return fmt.Errorf("LOCALAI_NATS_REQUIRE_AUTH is set but LOCALAI_NATS_ACCOUNT_SEED is empty")
}
return nil
}
// WarnIfInsecure logs when distributed NATS is reachable without credentials.
func (c Config) WarnIfInsecure(distributed bool) {
if !distributed || c.Enabled() {
return
}
xlog.Warn("NATS is used without JWT credentials — any client on the bus can publish backend.install. " +
"Set LOCALAI_NATS_ACCOUNT_SEED + LOCALAI_NATS_SERVICE_JWT (see docs/features/distributed-mode.md).")
}