Add example for jwt user perms

Signed-off-by: Byron Ruth <b@devel.io>

Author: bruth

examples/auth/jwt-perms/cli/Dockerfile

@@ -0,0 +1,9 @@
+FROM natsio/nats-box:0.13.1
+
+# Copy nats-server from source image.
+COPY --from=nats:2.9.6-alpine /usr/local/bin/nats-server /usr/local/bin/
+
+COPY . .
+
+CMD ["main.sh"]
+

examples/auth/jwt-perms/cli/main.sh

@@ -0,0 +1,80 @@
+#!/bin/sh
+
+set -uo pipefail
+
+NATS_URL="${NATS_URL:-nats://localhost:4222}"
+
+# Create the operator, generate a signing key (which is a best practice),
+# and initialize the default SYS account and sys user.
+nsc add operator --generate-signing-key --sys --name local
+
+# A follow-up edit of the operator enforces signing keys are used for
+# accounts as well. Setting the server URL is a convenience so that
+# it does not need to be specified with call `nsc push`.
+nsc edit operator --require-signing-keys \
+  --account-jwt-server-url "$NATS_URL"
+
+# Next we need to create an account intended for application usage. It is
+# currently a two-step process to create the account, followed by
+# generating the signing key.
+nsc add account APP
+nsc edit account APP --sk generate
+
+# This command generates the bit of configuration to be used by the server
+# to setup the embedded JWT resolver.
+nsc generate config --nats-resolver --sys-account SYS > resolver.conf
+
+# Create the most basic config that simply include the generated
+# resolver config.
+cat <<- EOF > server.conf
+include resolver.conf
+EOF
+
+# Start the server.
+nats-server -c server.conf 2> /dev/null &
+SERVER_PID=$!
+
+sleep 1
+
+# Push the account up to the server.
+nsc push -a APP
+
+# The next two users emulate consumers of the service. They can publish
+# on their own prefixed subject as well as publish to services scoped the
+# their respective name.
+nsc add user --account APP joe \
+  --allow-pub 'joe' \
+  --allow-sub 'joe' \
+
+nsc add user --account APP pam \
+  --allow-pub 'pam' \
+  --allow-sub 'pam'
+
+# A nice side effect of this is that now, joe and pam can't subscribe
+# to each other's subjects, however, what about `_INBOX.>`? Let's observe
+# the current behavior and then see how we can address this.
+
+# First, let's save a few contexts for easier reference.
+nats context save joe \
+  --nsc nsc://local/APP/joe
+
+nats context save pam \
+  --nsc nsc://local/APP/pam
+
+# Attempt to subscribe to the other user.. should get permission violation.
+echo 'Attempting to subscribe to pam by joe..'
+nats --context joe sub 'pam'
+echo 'Attempting to subscribe to joe by pam..'
+nats --context pam sub 'joe'
+
+# Subscribe to the correct user..
+nats --context joe sub 'joe' &
+nats --context pam sub 'pam' &
+
+# Publish to the wrong user..
+nats --context joe pub 'pam' ''
+nats --context pam pub 'sue' ''
+
+# Publish to the right user..
+nats --context joe pub 'joe' ''
+nats --context pam pub 'pam' ''

examples/auth/jwt-perms/cli/output.cast

@@ -0,0 +1,52 @@
+{"version": 2, "width": 0, "height": 0, "timestamp": 1659460868, "env": {"SHELL": null, "TERM": null}, "title": "NATS by Example: auth/private-inbox-jwt/cli"}
+[0.534395, "o", "Network b7bfbec0_default  Creating\r\n"]
+[0.582083, "o", "Network b7bfbec0_default  Created\r\n"]
+[0.978432, "o", "             _             _               \r\n _ __   __ _| |_ ___      | |__   _____  __\r\n| '_ \\ / _` | __/ __|_____| '_ \\ / _ \\ \\/ /\r\n| | | | (_| | |_\\__ \\_____| |_) | (_) >  < \r\n|_| |_|\\__,_|\\__|___/     |_.__/ \\___/_/\\_\\\r\n                                           \r\n"]
+[0.982063, "o", "nats-box v0.12.0\r\n"]
+[0.989531, "o", "[ OK ] generated and stored operator key \"ODFMSKLO5IXEZEYGRURAIXESSKTOITJY6J5ENUZM2DOPODARGAMRCBYE\"\r\n[ OK ] added operator \"local\"\r\n[ OK ] When running your own nats-server, make sure they run at least version 2.2.0\r\n[ OK ] created operator signing key: OBVV4SZH4LGW2DTKN75CFDKPI3EAPG2JY55R3YOOKYPVOPTW6QLLKRSV\r\n[ OK ] created system_account: name:SYS id:ABBGTNCV4YW7PFBT6J5DCT4E7MFJPINFPAKZKYX3YEDOBD2B2CKJNYJI\r\n[ OK ] created system account user: name:sys id:UAX4G37MYJSFKJZAYW4DCBPZNWYUQSFHEJTJVDICYXTSFWFU4OSM76RD\r\n[ OK ] system account user creds file stored in `/nsc/nkeys/creds/local/SYS/sys.creds`\r\n"]
+[0.998342, "o", "[ OK ] strict signing key usage set to: true\r\n[ OK ] set account jwt server url to \"nats://localhost:4222\"\r\n[ OK ] edited operator \"local\"\r\n"]
+[1.006799, "o", "[ OK ] generated and stored account key \"AB5MLX47CDR6HLNI7CGRRAOPHZXHA5WLLZBCM3Y5M5ITSBZWT66HBDUZ\"\r\n[ OK ] added account \"APP\"\r\n"]
+[1.015887, "o", "[ OK ] added signing key \"AAT6RZPFDH5Y4HRDO554REFLEZXC7OC6YLI6ED3SCYNFZ4NDMYY7WB65\"\r\n[ OK ] edited account \"APP\"\r\n"]
+[3.035293, "o", "[ OK ] push to nats-server \"nats://localhost:4222\" using system account \"SYS\":\r\n       [ OK ] push APP to nats-server with nats account resolver:\r\n              [ OK ] pushed \"APP\" to nats-server NCXGMGNQBBKCTS3LO2SLVRCZP7CJGO6GWSR6KADR4Y3D6LG7TQS2S6AB: jwt updated\r\n              [ OK ] pushed to a total of 1 nats-server\r\n"]
+[3.045105, "o", "[ OK ] set max responses to 1"]
+[3.045266, "o", "\r\n[ OK ] added sub \"services.greet\"\r\n[ OK ] generated and stored user key \"UBAK6JLWQMHXEJ4WCFGVRKZYCBHLCNI6JGFHFMUODPNL27ZHOYOCHOO3\"\r\n[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/greeter.creds`\r\n[ OK ] added user \"greeter\" to account \"APP\"\r\n"]
+[3.054862, "o", "[ OK ] added pub pub \"joe.>\"\r\n[ OK ] added pub pub \"services.*\"\r\n[ OK ] generated and stored user key \"UARFKBJRTAZM4OW3WZIPOXAV5BCS3JH6BCCUARVFHJDFJ7IY2HXJUXLJ\"\r\n[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/joe.creds`\r\n[ OK ] added user \"joe\" to account \"APP\"\r\n"]
+[3.064655, "o", "[ OK ] added pub pub \"pam.>\"\r\n[ OK ] added pub pub \"services.*\"\r\n[ OK ] generated and stored user key \"UBYSMJ3Y366XN5H6JP5IHNQ3M76CTXK2BRXSTK2C75HY7LFRUASGT3OV\"\r\n[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/pam.creds`\r\n[ OK ] added user \"pam\" to account \"APP\"\r\n"]
+[3.073656, "o", "[ OK ] added sub \"_INBOX.>\"\r\n[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/joe.creds`\r\n[ OK ] edited user \"joe\"\r\n"]
+[3.081963, "o", "[ OK ] added sub \"_INBOX.>\"\r\n[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/pam.creds`\r\n[ OK ] edited user \"pam\"\r\n"]
+[3.130207, "o", "NATS Configuration Context \"greeter\"\r\n\r\n      Server URLs: nats://127.0.0.1:4222\r\n      Credentials: /nsc/nkeys/creds/local/APP/greeter.creds (OK)\r\n       NSC Lookup: nsc://local/APP/greeter\r\n             Path: /nsc/.config/nats/context/greeter.json\r\n\r\n"]
+[3.181706, "o", "NATS Configuration Context \"joe\"\r\n\r\n      Server URLs: nats://127.0.0.1:4222\r\n      Credentials: /nsc/nkeys/creds/local/APP/joe.creds (OK)\r\n       NSC Lookup: nsc://local/APP/joe\r\n             Path: /nsc/.config/nats/context/joe.json\r\n\r\n"]
+[3.236577, "o", "NATS Configuration Context \"pam\"\r\n\r\n      Server URLs: nats://127.0.0.1:4222\r\n      Credentials: /nsc/nkeys/creds/local/APP/pam.creds (OK)\r\n       NSC Lookup: nsc://local/APP/pam\r\n             Path: /nsc/.config/nats/context/pam.json\r\n\r\n"]
+[3.290534, "o", "17:21:11 Listening on \"services.greet\" in group \"NATS-RPLY-22\"\r\n"]
+[3.790941, "o", "17:21:11 Sending request on \"services.greet\"\r\n"]
+[3.791691, "o", "\r\n\r\n17:21:11 [#0] Received on subject \"services.greet\":\r\n"]
+[3.792571, "o", "17:21:11 Received with rtt 1.421611ms\r\nReply EiaIxD2O9zht77dHYbTZfN\r\n\r\n"]
+[3.834159, "o", "17:21:11 Sending request on \"services.greet\"\r\n"]
+[3.834882, "o", "17:21:11 [#1] Received on subject \"services.greet\":\r\n"]
+[3.835287, "o", "\r\n\r\n"]
+[3.835725, "o", "17:21:11 Received with rtt 1.089909ms\r\n"]
+[3.836015, "o", "Reply EiaIxD2O9zht77dHYbTZk4\r\n\r\n"]
+[3.88255, "o", "17:21:12 Subscribing on _INBOX.>\r\n"]
+[3.892191, "o", "17:21:12 Sending request on \"services.greet\"\r\n"]
+[3.893543, "o", "17:21:12 [#2] Received on subject \"services.greet\":"]
+[3.893662, "o", "\r\n\r\n\r\n"]
+[3.894649, "o", "Reply EiaIxD2O9zht77dHYbTZol\r\n\r\n17:21:12 Received with rtt 681.706µs\r\n"]
+[3.895325, "o", "[#1] Received on \"_INBOX.ZYAAExoXcyDKsFDdxuFgQb.PIt1MPL3\"\r\nReply EiaIxD2O9zht77dHYbTZol\r\n\r\n"]
+[3.944688, "o", "17:21:12 Sending request on \"services.greet\"\r\n"]
+[3.945738, "o", "17:21:12 [#3] Received on subject \"services.greet\":\r\n17:21:12 Unexpected NATS error from server nats://127.0.0.1:4222: nats: Permissions Violation for Subscription to \"_INBOX_joe.fNg5JF7k4bT2VSUa4Ep6wD.7tIj5Fxs\"\r\n\r\n"]
+[3.946382, "o", "\r\n"]
+[8.95523, "o", "[ OK ] added sub \"_INBOX_joe.>\"\r\n[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/joe.creds`\r\n[ OK ] edited user \"joe\"\r\n"]
+[8.964557, "o", "[ OK ] added sub \"_INBOX_pam.>\"\r\n[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/pam.creds`\r\n[ OK ] edited user \"pam\"\r\n"]
+[9.016086, "o", "17:21:17 Subscribing on _INBOX.>\r\n"]
+[9.017507, "o", "17:21:17 Unexpected NATS error from server nats://127.0.0.1:4222: nats: Permissions Violation for Subscription to \"_INBOX.>\"\r\n"]
+[9.018267, "o", "nats: error: nats: Permissions Violation for Subscription to \"_INBOX.>\", try --help\r\n"]
+[9.069782, "o", "17:21:17 Subscribing on _INBOX_joe.>\r\n"]
+[9.070286, "o", "nats: error: nats: Permissions Violation for Subscription to \"_INBOX_joe.>\", try --help\r\n"]
+[9.121882, "o", "17:21:17 Sending request on \"services.greet\"\r\n"]
+[9.122746, "o", "\r\n\r\n17:21:17 [#4] Received on subject \"services.greet\":\r\n"]
+[9.123573, "o", "17:21:17 Received with rtt 1.093234ms\r\nReply EiaIxD2O9zht77dHYbTZy9\r\n\r\n"]
+[9.173329, "o", "17:21:17 Sending request on \"services.greet\"\r\n"]
+[9.17416, "o", "17:21:17 [#5] Received on subject \"services.greet\":\r\n"]
+[9.174298, "o", "\r\n"]
+[9.17484, "o", "\r\n"]
+[9.176812, "o", "17:21:17 Received with rtt 2.893689ms\r\nReply EiaIxD2O9zht77dHYbTa2q\r\n\r\n"]

examples/auth/jwt-perms/cli/output.txt

@@ -0,0 +1,125 @@
+Network b7bfbec0_default  Creating
+Network b7bfbec0_default  Created
+             _             _               
+ _ __   __ _| |_ ___      | |__   _____  __
+| '_ \ / _` | __/ __|_____| '_ \ / _ \ \/ /
+| | | | (_| | |_\__ \_____| |_) | (_) >  < 
+|_| |_|\__,_|\__|___/     |_.__/ \___/_/\_\
+                                           
+nats-box v0.12.0
+[ OK ] generated and stored operator key "ODFMSKLO5IXEZEYGRURAIXESSKTOITJY6J5ENUZM2DOPODARGAMRCBYE"
+[ OK ] added operator "local"
+[ OK ] When running your own nats-server, make sure they run at least version 2.2.0
+[ OK ] created operator signing key: OBVV4SZH4LGW2DTKN75CFDKPI3EAPG2JY55R3YOOKYPVOPTW6QLLKRSV
+[ OK ] created system_account: name:SYS id:ABBGTNCV4YW7PFBT6J5DCT4E7MFJPINFPAKZKYX3YEDOBD2B2CKJNYJI
+[ OK ] created system account user: name:sys id:UAX4G37MYJSFKJZAYW4DCBPZNWYUQSFHEJTJVDICYXTSFWFU4OSM76RD
+[ OK ] system account user creds file stored in `/nsc/nkeys/creds/local/SYS/sys.creds`
+[ OK ] strict signing key usage set to: true
+[ OK ] set account jwt server url to "nats://localhost:4222"
+[ OK ] edited operator "local"
+[ OK ] generated and stored account key "AB5MLX47CDR6HLNI7CGRRAOPHZXHA5WLLZBCM3Y5M5ITSBZWT66HBDUZ"
+[ OK ] added account "APP"
+[ OK ] added signing key "AAT6RZPFDH5Y4HRDO554REFLEZXC7OC6YLI6ED3SCYNFZ4NDMYY7WB65"
+[ OK ] edited account "APP"
+[ OK ] push to nats-server "nats://localhost:4222" using system account "SYS":
+       [ OK ] push APP to nats-server with nats account resolver:
+              [ OK ] pushed "APP" to nats-server NCXGMGNQBBKCTS3LO2SLVRCZP7CJGO6GWSR6KADR4Y3D6LG7TQS2S6AB: jwt updated
+              [ OK ] pushed to a total of 1 nats-server
+[ OK ] set max responses to 1
+[ OK ] added sub "services.greet"
+[ OK ] generated and stored user key "UBAK6JLWQMHXEJ4WCFGVRKZYCBHLCNI6JGFHFMUODPNL27ZHOYOCHOO3"
+[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/greeter.creds`
+[ OK ] added user "greeter" to account "APP"
+[ OK ] added pub pub "joe.>"
+[ OK ] added pub pub "services.*"
+[ OK ] generated and stored user key "UARFKBJRTAZM4OW3WZIPOXAV5BCS3JH6BCCUARVFHJDFJ7IY2HXJUXLJ"
+[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/joe.creds`
+[ OK ] added user "joe" to account "APP"
+[ OK ] added pub pub "pam.>"
+[ OK ] added pub pub "services.*"
+[ OK ] generated and stored user key "UBYSMJ3Y366XN5H6JP5IHNQ3M76CTXK2BRXSTK2C75HY7LFRUASGT3OV"
+[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/pam.creds`
+[ OK ] added user "pam" to account "APP"
+[ OK ] added sub "_INBOX.>"
+[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/joe.creds`
+[ OK ] edited user "joe"
+[ OK ] added sub "_INBOX.>"
+[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/pam.creds`
+[ OK ] edited user "pam"
+NATS Configuration Context "greeter"
+
+      Server URLs: nats://127.0.0.1:4222
+      Credentials: /nsc/nkeys/creds/local/APP/greeter.creds (OK)
+       NSC Lookup: nsc://local/APP/greeter
+             Path: /nsc/.config/nats/context/greeter.json
+
+NATS Configuration Context "joe"
+
+      Server URLs: nats://127.0.0.1:4222
+      Credentials: /nsc/nkeys/creds/local/APP/joe.creds (OK)
+       NSC Lookup: nsc://local/APP/joe
+             Path: /nsc/.config/nats/context/joe.json
+
+NATS Configuration Context "pam"
+
+      Server URLs: nats://127.0.0.1:4222
+      Credentials: /nsc/nkeys/creds/local/APP/pam.creds (OK)
+       NSC Lookup: nsc://local/APP/pam
+             Path: /nsc/.config/nats/context/pam.json
+
+17:21:11 Listening on "services.greet" in group "NATS-RPLY-22"
+17:21:11 Sending request on "services.greet"
+
+
+17:21:11 [#0] Received on subject "services.greet":
+17:21:11 Received with rtt 1.421611ms
+Reply EiaIxD2O9zht77dHYbTZfN
+
+17:21:11 Sending request on "services.greet"
+17:21:11 [#1] Received on subject "services.greet":
+
+
+17:21:11 Received with rtt 1.089909ms
+Reply EiaIxD2O9zht77dHYbTZk4
+
+17:21:12 Subscribing on _INBOX.>
+17:21:12 Sending request on "services.greet"
+17:21:12 [#2] Received on subject "services.greet":
+
+
+Reply EiaIxD2O9zht77dHYbTZol
+
+17:21:12 Received with rtt 681.706µs
+[#1] Received on "_INBOX.ZYAAExoXcyDKsFDdxuFgQb.PIt1MPL3"
+Reply EiaIxD2O9zht77dHYbTZol
+
+17:21:12 Sending request on "services.greet"
+17:21:12 [#3] Received on subject "services.greet":
+17:21:12 Unexpected NATS error from server nats://127.0.0.1:4222: nats: Permissions Violation for Subscription to "_INBOX_joe.fNg5JF7k4bT2VSUa4Ep6wD.7tIj5Fxs"
+
+
+[ OK ] added sub "_INBOX_joe.>"
+[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/joe.creds`
+[ OK ] edited user "joe"
+[ OK ] added sub "_INBOX_pam.>"
+[ OK ] generated user creds file `/nsc/nkeys/creds/local/APP/pam.creds`
+[ OK ] edited user "pam"
+17:21:17 Subscribing on _INBOX.>
+17:21:17 Unexpected NATS error from server nats://127.0.0.1:4222: nats: Permissions Violation for Subscription to "_INBOX.>"
+nats: error: nats: Permissions Violation for Subscription to "_INBOX.>", try --help
+17:21:17 Subscribing on _INBOX_joe.>
+nats: error: nats: Permissions Violation for Subscription to "_INBOX_joe.>", try --help
+17:21:17 Sending request on "services.greet"
+
+
+17:21:17 [#4] Received on subject "services.greet":
+17:21:17 Received with rtt 1.093234ms
+Reply EiaIxD2O9zht77dHYbTZy9
+
+17:21:17 Sending request on "services.greet"
+17:21:17 [#5] Received on subject "services.greet":
+
+
+17:21:17 Received with rtt 2.893689ms
+Reply EiaIxD2O9zht77dHYbTa2q
+

examples/auth/jwt-perms/docker-compose.yaml

@@ -0,0 +1,7 @@
+version: '3.9'
+services:
+  app:
+    image: ${IMAGE_TAG}
+    ports:
+      - "14222:4222"
+      - "14223:4223"

examples/auth/jwt-perms/meta.yaml

@@ -0,0 +1,2 @@
+title: JWT user perms
+description: |-