Class: Protobuf::Nats::Config

Inherits:

Object

• Object
• Protobuf::Nats::Config

Defined in:

lib/protobuf/nats/config.rb

Constant Summary

CONFIG_MUTEX =

::Mutex.new

DEFAULTS =

{
  :connect_timeout => nil,
  :max_reconnect_attempts => 60_000,
  :servers => nil,
  :tls_client_cert => nil,
  :tls_client_key => nil,
  :tls_ca_cert => nil,
  :uses_tls => false,
  :server_subscription_key_do_not_subscribe_to_when_includes_any_of => [],
  :server_subscription_key_only_subscribe_to_when_includes_any_of => [],
  :subscription_key_replacements => [],
}.freeze

Instance Attribute Summary

• #connect_timeout ⇒ Object

  Returns the value of attribute connect_timeout.

• #max_reconnect_attempts ⇒ Object

  Returns the value of attribute max_reconnect_attempts.

• #server_subscription_key_do_not_subscribe_to_when_includes_any_of ⇒ Object

  Returns the value of attribute server_subscription_key_do_not_subscribe_to_when_includes_any_of.

• #server_subscription_key_only_subscribe_to_when_includes_any_of ⇒ Object

  Returns the value of attribute server_subscription_key_only_subscribe_to_when_includes_any_of.

• #servers ⇒ Object

  Returns the value of attribute servers.

• #subscription_key_replacements ⇒ Object

  Returns the value of attribute subscription_key_replacements.

• #tls_ca_cert ⇒ Object

  Returns the value of attribute tls_ca_cert.

• #tls_client_cert ⇒ Object

  Returns the value of attribute tls_client_cert.

• #tls_client_key ⇒ Object

  Returns the value of attribute tls_client_key.

• #uses_tls ⇒ Object

  Returns the value of attribute uses_tls.

Instance Method Summary

• #connection_options(reload = false) ⇒ Object

  Only the keys nats-pure’s ‘connect` actually consumes.

• #initialize ⇒ Config constructor

  A new instance of Config.

• #load_from_yml(reload = false) ⇒ Object
• #make_subscription_key_replacements(subscription_key) ⇒ Object
• #new_tls_context ⇒ Object

Constructor Details

#initialize ⇒ Config

Returns a new instance of Config.

# File 'lib/protobuf/nats/config.rb', line 28

def initialize
  DEFAULTS.each_pair do |key, value|
    __send__("#{key}=", value)
  end
end

Instance Attribute Details

#connect_timeout ⇒ Object

Returns the value of attribute connect_timeout.

# File 'lib/protobuf/nats/config.rb', line 8

def connect_timeout
  @connect_timeout
end

#max_reconnect_attempts ⇒ Object

Returns the value of attribute max_reconnect_attempts.

# File 'lib/protobuf/nats/config.rb', line 8

def max_reconnect_attempts
  @max_reconnect_attempts
end

#server_subscription_key_do_not_subscribe_to_when_includes_any_of ⇒ Object

Returns the value of attribute server_subscription_key_do_not_subscribe_to_when_includes_any_of.

# File 'lib/protobuf/nats/config.rb', line 9

def server_subscription_key_do_not_subscribe_to_when_includes_any_of
  @server_subscription_key_do_not_subscribe_to_when_includes_any_of
end

#server_subscription_key_only_subscribe_to_when_includes_any_of ⇒ Object

Returns the value of attribute server_subscription_key_only_subscribe_to_when_includes_any_of.

# File 'lib/protobuf/nats/config.rb', line 9

def server_subscription_key_only_subscribe_to_when_includes_any_of
  @server_subscription_key_only_subscribe_to_when_includes_any_of
end

#servers ⇒ Object

Returns the value of attribute servers.

# File 'lib/protobuf/nats/config.rb', line 8

def servers
  @servers
end

#subscription_key_replacements ⇒ Object

Returns the value of attribute subscription_key_replacements.

# File 'lib/protobuf/nats/config.rb', line 9

def subscription_key_replacements
  @subscription_key_replacements
end

#tls_ca_cert ⇒ Object

Returns the value of attribute tls_ca_cert.

# File 'lib/protobuf/nats/config.rb', line 8

def tls_ca_cert
  @tls_ca_cert
end

#tls_client_cert ⇒ Object

Returns the value of attribute tls_client_cert.

# File 'lib/protobuf/nats/config.rb', line 8

def tls_client_cert
  @tls_client_cert
end

#tls_client_key ⇒ Object

Returns the value of attribute tls_client_key.

# File 'lib/protobuf/nats/config.rb', line 8

def tls_client_key
  @tls_client_key
end

#uses_tls ⇒ Object

Returns the value of attribute uses_tls.

# File 'lib/protobuf/nats/config.rb', line 8

def uses_tls
  @uses_tls
end

Instance Method Details

#connection_options(reload = false) ⇒ Object

Only the keys nats-pure’s ‘connect` actually consumes. App-level settings (uses_tls, tls_client_cert, tls_client_key, tls_ca_cert, server_subscription_key_*, subscription_key_replacements) are read directly via their accessors elsewhere and must NOT be forwarded to nats-pure (it ignores unknown keys today, but that is brittle). The TLS cert/key/CA are folded into the :tls context by #new_tls_context.

# File 'lib/protobuf/nats/config.rb', line 74

def connection_options(reload = false)
  @connection_options = false if reload
  @connection_options ||= begin
    options = {
      servers: servers,
      max_reconnect_attempts: max_reconnect_attempts,
      connect_timeout: connect_timeout,
    }
    options[:tls] = {:context => new_tls_context} if uses_tls
    options
  end
end

#load_from_yml(reload = false) ⇒ Object

# File 'lib/protobuf/nats/config.rb', line 34

def load_from_yml(reload = false)
  CONFIG_MUTEX.synchronize do
    @load_from_yml = nil if reload
    @load_from_yml ||= begin
      env = ENV["RAILS_ENV"] || ENV["RACK_ENV"] || ENV["APP_ENV"] || "development"

      yaml_config = {}
      config_path = ENV["PROTOBUF_NATS_CONFIG_PATH"] || ::File.join("config", "protobuf_nats.yml")
      absolute_config_path = ::File.expand_path(config_path)
      if ::File.exist?(absolute_config_path)
        yaml_string = ::ERB.new(::File.read(absolute_config_path)).result
        # safe_load (no arbitrary object deserialization) with aliases
        # enabled so the common `&defaults` / `<<: *defaults` pattern works.
        parsed = ::YAML.safe_load(yaml_string, :aliases => true)

        # An empty file parses to nil/false, and a file without a section
        # for the current env yields nil on lookup -- guard both so we
        # don't blow up with NoMethodError below.
        yaml_config = (parsed && parsed[env]) || {}
      end

      DEFAULTS.each_pair do |key, value|
        setting = yaml_config[key.to_s]
        __send__("#{key}=", setting) if setting
      end

      # Reload the connection options hash
      connection_options(true)

      true
    end
  end
end

#make_subscription_key_replacements(subscription_key) ⇒ Object

# File 'lib/protobuf/nats/config.rb', line 129

def make_subscription_key_replacements(subscription_key)
  subscription_key_replacements.each do |replacement|
    match = replacement.keys.first
    replacement = replacement[match]

    if subscription_key.include?(match)
      return subscription_key.gsub(match, replacement)
    end
  end

  subscription_key
end

#new_tls_context ⇒ Object

# File 'lib/protobuf/nats/config.rb', line 87

def new_tls_context
  tls_context = ::OpenSSL::SSL::SSLContext.new
  # Floor at TLS 1.2, ceiling at TLS 1.3 (replaces the deprecated
  # ssl_version=:TLSv1_2 hard pin). The client offers 1.2 and 1.3 and
  # negotiates the highest the server also supports, so a TLS-1.2-only
  # transport still connects (verified on JRuby 9.4 and 10.0).
  #
  # NOTE (#7): this assumes the OpenSSL build defines TLS1_3_VERSION. That
  # holds on the JRuby targets above, but an older MRI/OpenSSL build without
  # the constant would raise NameError here. Not guarded yet -- revisit if
  # CRuby-on-old-OpenSSL becomes a supported target.
  tls_context.min_version = ::OpenSSL::SSL::TLS1_2_VERSION
  tls_context.max_version = ::OpenSSL::SSL::TLS1_3_VERSION
  tls_context.cert = ::OpenSSL::X509::Certificate.new(::File.read(tls_client_cert)) if tls_client_cert
  tls_context.key = ::OpenSSL::PKey::RSA.new(::File.read(tls_client_key)) if tls_client_key

  # Verify the NATS server's certificate chain. This context is handed to
  # nats-pure as :tls => {:context => ...}; nats-pure uses a supplied
  # context verbatim and does NOT call #set_params, so verification has to
  # be configured here. Without this the OpenSSL default (VERIFY_NONE)
  # stood and any certificate -- including an attacker's -- was accepted.
  tls_context.verify_mode = ::OpenSSL::SSL::VERIFY_PEER
  cert_store = ::OpenSSL::X509::Store.new
  if tls_ca_cert
    # Trust the configured CA bundle (the private-CA deployment case).
    cert_store.add_file(tls_ca_cert)
  else
    # No CA configured: fall back to the system trust store.
    cert_store.set_default_paths
  end
  tls_context.cert_store = cert_store

  # NOTE: hostname (SAN/CN) verification is NOT enabled here. nats-pure only
  # sets the SSLSocket hostname from @tls[:hostname], which it populates
  # itself only when it builds the context; for a supplied context it stays
  # nil, and a single static hostname would be wrong for a multi-server
  # cluster that reconnects across hosts. Chain verification above still
  # ensures the cert is signed by the trusted CA. Plumbing per-connection
  # hostname verification is tracked separately.
  tls_context
end