Include Nkey in remote identity matching

Signed-off-by: Ivan Kozlovic <ivan@synadia.com>

Author: kozlovic

server/opts.go

@@ -331,17 +331,24 @@ func generateRemoteLeafOptsName(r *RemoteLeafOpts, redacted bool) string {
 	if acc == _EMPTY_ {
 		acc = globalAccountName
 	}
-	var creds string
+	var optional string
+	// There could be Credentials or NKey, not both (would be caught as a misconfig)
 	if c := r.Credentials; c != _EMPTY_ {
-		creds = fmt.Sprintf(", credentials=%q", c)
+		optional = fmt.Sprintf(", credentials=%q", c)
+	} else if nk := r.Nkey; nk != _EMPTY_ {
+		if redacted {
+			optional = ", nkey=\"[REDACTED]\""
+		} else {
+			optional = fmt.Sprintf(", nkey=%q", nk)
+		}
 	}
 	var urls []*url.URL
 	if redacted {
 		urls = redactURLList(r.URLs)
 	} else {
 		urls = r.URLs
 	}
-	return fmt.Sprintf("urls=%q, account=%q%s", urls, acc, creds)
+	return fmt.Sprintf("urls=%q, account=%q%s", urls, acc, optional)
 }
 
 // JSLimitOpts are active limits for the meta cluster

server/opts_test.go

@@ -4506,6 +4506,8 @@ func TestOptionsRemoteLeafNodeName(t *testing.T) {
 	// With unredacted versions of the URLs
 	urls := []*url.URL{u1, u2}
 	safeURLs := redactURLList(urls)
+	// Some Nkey
+	nkey := "SUACJN3OSKWWPQXME4JUNFJ3PARXPO657GGNWNU7PK7G3AUQQYHLW26XH4"
 	for _, test := range []struct {
 		name       string
 		input      *RemoteLeafOpts
@@ -4535,6 +4537,14 @@ func TestOptionsRemoteLeafNodeName(t *testing.T) {
 			fmt.Sprintf("urls=%q, account=%q, credentials=%q", urls, globalAccountName, "credsfile"),
 			fmt.Sprintf("urls=%q, account=%q, credentials=%q", safeURLs, globalAccountName, "credsfile"),
 		},
+		{
+			"url with nkey", &RemoteLeafOpts{
+				URLs: []*url.URL{u1, u2},
+				Nkey: nkey,
+			},
+			fmt.Sprintf("urls=%q, account=%q, nkey=%q", urls, globalAccountName, nkey),
+			fmt.Sprintf("urls=%q, account=%q, nkey=%q", safeURLs, globalAccountName, "[REDACTED]"),
+		},
 		{
 			"url with account and credentials", &RemoteLeafOpts{
 				URLs:         []*url.URL{u1, u2},
@@ -4544,6 +4554,15 @@ func TestOptionsRemoteLeafNodeName(t *testing.T) {
 			fmt.Sprintf("urls=%q, account=%q, credentials=%q", urls, "A", "credsfile"),
 			fmt.Sprintf("urls=%q, account=%q, credentials=%q", safeURLs, "A", "credsfile"),
 		},
+		{
+			"url with account and nkey", &RemoteLeafOpts{
+				URLs:         []*url.URL{u1, u2},
+				LocalAccount: "A",
+				Nkey:         nkey,
+			},
+			fmt.Sprintf("urls=%q, account=%q, nkey=%q", urls, "A", nkey),
+			fmt.Sprintf("urls=%q, account=%q, nkey=%q", safeURLs, "A", "[REDACTED]"),
+		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			name := test.input.name()

server/reload.go

@@ -960,7 +960,6 @@ forLoop:
 			err := checkConfigsEqual(lrc.RemoteLeafOpts, rlo, []string{
 				"Compression",
 				"Disabled",
-				"LocalAccount",
 				"TLS",
 				"TLSHandshakeFirst",
 				"TLSConfig",

server/reload_test.go

@@ -6539,6 +6539,22 @@ func TestConfigReloadGetLeafNodeOptionsChanges(t *testing.T) {
 		LocalAccount: "A",
 	}
 
+	addedRemoteDueToDifferentAccount := &RemoteLeafOpts{
+		URLs:         []*url.URL{u},
+		Compression:  CompressionOpts{Mode: CompressionS2Fast},
+		LocalAccount: "A",
+	}
+	addedRemoteDueToDifferentCreds := &RemoteLeafOpts{
+		URLs:        []*url.URL{u},
+		Compression: CompressionOpts{Mode: CompressionS2Fast},
+		Credentials: "credsfile",
+	}
+	addedRemoteDueToDifferentNkey := &RemoteLeafOpts{
+		URLs:        []*url.URL{u},
+		Compression: CompressionOpts{Mode: CompressionS2Fast},
+		Credentials: "SUACJN3OSKWWPQXME4JUNFJ3PARXPO657GGNWNU7PK7G3AUQQYHLW26XH4",
+	}
+
 	acc1 := &Account{Name: "A1"}
 	acc2 := &Account{Name: "A2"}
 
@@ -6919,6 +6935,81 @@ func TestConfigReloadGetLeafNodeOptionsChanges(t *testing.T) {
 			},
 			_EMPTY_,
 		},
+		{
+			"remote added due to different account",
+			func() (*Server, *LeafNodeOpts, *LeafNodeOpts) {
+				ts := &Server{}
+				ts.leafRemoteCfgs = maps.Clone(s.leafRemoteCfgs)
+				old := &LeafNodeOpts{
+					Users:       []*User{{Username: "a", Password: "pwd"}},
+					Compression: CompressionOpts{Mode: CompressionS2Fast},
+					Remotes:     []*RemoteLeafOpts{remote},
+				}
+				new := &LeafNodeOpts{
+					Users:       []*User{{Username: "a", Password: "pwd"}},
+					Compression: CompressionOpts{Mode: CompressionS2Fast},
+					// At the same time, change tls first for the LeafNodeOpts block.
+					TLSHandshakeFirst: true,
+					Remotes:           []*RemoteLeafOpts{addedRemoteDueToDifferentAccount},
+				}
+				return ts, old, new
+			},
+			&leafNodeOption{
+				tlsFirstChanged: true,
+				added:           []*RemoteLeafOpts{addedRemoteDueToDifferentAccount},
+			},
+			_EMPTY_,
+		},
+		{
+			"remote added due to different creds",
+			func() (*Server, *LeafNodeOpts, *LeafNodeOpts) {
+				ts := &Server{}
+				ts.leafRemoteCfgs = maps.Clone(s.leafRemoteCfgs)
+				old := &LeafNodeOpts{
+					Users:       []*User{{Username: "a", Password: "pwd"}},
+					Compression: CompressionOpts{Mode: CompressionS2Fast},
+					Remotes:     []*RemoteLeafOpts{remote},
+				}
+				new := &LeafNodeOpts{
+					Users:       []*User{{Username: "a", Password: "pwd"}},
+					Compression: CompressionOpts{Mode: CompressionS2Fast},
+					// At the same time, change tls first for the LeafNodeOpts block.
+					TLSHandshakeFirst: true,
+					Remotes:           []*RemoteLeafOpts{addedRemoteDueToDifferentCreds},
+				}
+				return ts, old, new
+			},
+			&leafNodeOption{
+				tlsFirstChanged: true,
+				added:           []*RemoteLeafOpts{addedRemoteDueToDifferentCreds},
+			},
+			_EMPTY_,
+		},
+		{
+			"remote added due to different nkey",
+			func() (*Server, *LeafNodeOpts, *LeafNodeOpts) {
+				ts := &Server{}
+				ts.leafRemoteCfgs = maps.Clone(s.leafRemoteCfgs)
+				old := &LeafNodeOpts{
+					Users:       []*User{{Username: "a", Password: "pwd"}},
+					Compression: CompressionOpts{Mode: CompressionS2Fast},
+					Remotes:     []*RemoteLeafOpts{remote},
+				}
+				new := &LeafNodeOpts{
+					Users:       []*User{{Username: "a", Password: "pwd"}},
+					Compression: CompressionOpts{Mode: CompressionS2Fast},
+					// At the same time, change tls first for the LeafNodeOpts block.
+					TLSHandshakeFirst: true,
+					Remotes:           []*RemoteLeafOpts{addedRemoteDueToDifferentNkey},
+				}
+				return ts, old, new
+			},
+			&leafNodeOption{
+				tlsFirstChanged: true,
+				added:           []*RemoteLeafOpts{addedRemoteDueToDifferentNkey},
+			},
+			_EMPTY_,
+		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			s, old, new := test.genCfg()
@@ -7122,7 +7213,7 @@ func TestConfigReloadAddRemoveRemoteLeafNodes(t *testing.T) {
 	accA := fmt.Sprintf(remoteTmpl, "A")
 	accB := fmt.Sprintf(remoteTmpl, "B")
 	accC := fmt.Sprintf(remoteTmpl, "C")
-	conf2 := createConfFile(t, []byte(fmt.Sprintf(tmpl2, accA, _EMPTY_, _EMPTY_)))
+	conf2 := createConfFile(t, fmt.Appendf(nil, tmpl2, accA, _EMPTY_, _EMPTY_))
 	s2, _ := RunServerWithConfig(conf2)
 	defer s2.Shutdown()
 
@@ -7168,6 +7259,46 @@ func TestConfigReloadAddRemoveRemoteLeafNodes(t *testing.T) {
 	checkLeafs(nil)
 }
 
+func TestConfigReloadRemoteLeafNodeNkeyChange(t *testing.T) {
+	conf1 := createConfFile(t, []byte(`
+		listen: "127.0.0.1:-1"
+		server_name: "A"
+		leaf {
+			listen: 127.0.0.1:-1
+			authorization: { nkey: UCSTG5CRF5GEJERAFKUUYRODGABTBVWY2NPE4GGKRQVQOH74PIAKTVKO }
+		}
+	`))
+	s1, o1 := RunServerWithConfig(conf1)
+	defer s1.Shutdown()
+
+	tmpl2 := `
+		listen: "127.0.0.1:-1"
+		server_name: "B"
+		leaf {
+			reconnect_interval: "50ms"
+			remotes: [
+				{
+					url:  "nats-leaf://127.0.0.1:%d"
+					nkey: %s
+				}
+			]
+		}
+	`
+	conf2 := createConfFile(t, fmt.Appendf(nil, tmpl2, o1.LeafNode.Port,
+		"SUAPM67TC4RHQLKBX55NIQXSMATZDOZK6FNEOSS36CAYA7F7TY66LP4BOM"))
+	s2, _ := RunServerWithConfig(conf2)
+	defer s2.Shutdown()
+
+	// Should not be able to connect...
+	time.Sleep(70 * time.Millisecond)
+	checkLeafNodeConnectedCount(t, s2, 0)
+
+	reloadUpdateConfig(t, s2, conf2, fmt.Sprintf(tmpl2, o1.LeafNode.Port,
+		"SUACJN3OSKWWPQXME4JUNFJ3PARXPO657GGNWNU7PK7G3AUQQYHLW26XH4"))
+
+	checkLeafNodeConnectedCount(t, s2, 1)
+}
+
 func TestConfigReloadNoPanicOnShutdown(t *testing.T) {
 	tmpl := `
 		port: -1