NATS TLS specify CA and client TLS authentication (#8389)

- added ability to specify CA for self-signed certificates
- added option to authenticate using client certificates
- added unit tests for nats connections

cmd/config/notify/help.go

@@ -145,6 +145,9 @@ var (
 		target.NATSStreamingClusterID:          "Unique ID for the NATS streaming cluster",
 		target.NATSQueueLimit:                  "Enable persistent event store queue limit, defaults to '10000'",
 		target.NATSQueueDir:                    "Local directory where events are stored eg: '/home/events'",
+		target.NATSCertAuthority:               "Certificate chain of the target NATS server if self signed certs were used",
+		target.NATSClientCert:                  "TLS Cert used to authenticate against NATS configured to require client certificates",
+		target.NATSClientKey:                   "TLS Key used to authenticate against NATS configured to require client certificates",
 	}
 
 	HelpNSQ = config.HelpKV{

cmd/config/notify/legacy.go

@@ -204,17 +204,20 @@ func SetNotifyNATS(s config.Config, natsName string, cfg target.NATSArgs) error
 	}
 
 	s[config.NotifyNATSSubSys][natsName] = config.KVS{
-		config.State:            config.StateOn,
-		config.Comment:          "Settings for NATS notification, after migrating config",
-		target.NATSAddress:      cfg.Address.String(),
-		target.NATSSubject:      cfg.Subject,
-		target.NATSUsername:     cfg.Username,
-		target.NATSPassword:     cfg.Password,
-		target.NATSToken:        cfg.Token,
-		target.NATSSecure:       config.FormatBool(cfg.Secure),
-		target.NATSPingInterval: strconv.FormatInt(cfg.PingInterval, 10),
-		target.NATSQueueDir:     cfg.QueueDir,
-		target.NATSQueueLimit:   strconv.Itoa(int(cfg.QueueLimit)),
+		config.State:             config.StateOn,
+		config.Comment:           "Settings for NATS notification, after migrating config",
+		target.NATSAddress:       cfg.Address.String(),
+		target.NATSSubject:       cfg.Subject,
+		target.NATSUsername:      cfg.Username,
+		target.NATSPassword:      cfg.Password,
+		target.NATSToken:         cfg.Token,
+		target.NATSCertAuthority: cfg.CertAuthority,
+		target.NATSClientCert:    cfg.ClientCert,
+		target.NATSClientKey:     cfg.ClientKey,
+		target.NATSSecure:        config.FormatBool(cfg.Secure),
+		target.NATSPingInterval:  strconv.FormatInt(cfg.PingInterval, 10),
+		target.NATSQueueDir:      cfg.QueueDir,
+		target.NATSQueueLimit:    strconv.Itoa(int(cfg.QueueLimit)),
 		target.NATSStreaming: func() string {
 			if cfg.Streaming.Enable {
 				return config.StateOn

cmd/config/notify/parse.go

@@ -707,6 +707,9 @@ var (
 		target.NATSUsername:                    "",
 		target.NATSPassword:                    "",
 		target.NATSToken:                       "",
+		target.NATSCertAuthority:               "",
+		target.NATSClientCert:                  "",
+		target.NATSClientKey:                   "",
 		target.NATSSecure:                      config.StateOff,
 		target.NATSPingInterval:                "0",
 		target.NATSQueueLimit:                  "0",
@@ -795,17 +798,35 @@ func GetNotifyNATS(natsKVS map[string]config.KVS) (map[string]target.NATSArgs, e
 			queueDirEnv = queueDirEnv + config.Default + k
 		}
 
+		certAuthorityEnv := target.EnvNATSCertAuthority
+		if k != config.Default {
+			certAuthorityEnv = certAuthorityEnv + config.Default + k
+		}
+
+		clientCertEnv := target.EnvNATSClientCert
+		if k != config.Default {
+			clientCertEnv = clientCertEnv + config.Default + k
+		}
+
+		clientKeyEnv := target.EnvNATSClientKey
+		if k != config.Default {
+			clientKeyEnv = clientKeyEnv + config.Default + k
+		}
+
 		natsArgs := target.NATSArgs{
-			Enable:       true,
-			Address:      *address,
-			Subject:      env.Get(subjectEnv, kv.Get(target.NATSSubject)),
-			Username:     env.Get(usernameEnv, kv.Get(target.NATSUsername)),
-			Password:     env.Get(passwordEnv, kv.Get(target.NATSPassword)),
-			Token:        env.Get(tokenEnv, kv.Get(target.NATSToken)),
-			Secure:       env.Get(secureEnv, kv.Get(target.NATSSecure)) == config.StateOn,
-			PingInterval: pingInterval,
-			QueueDir:     env.Get(queueDirEnv, kv.Get(target.NATSQueueDir)),
-			QueueLimit:   queueLimit,
+			Enable:        true,
+			Address:       *address,
+			Subject:       env.Get(subjectEnv, kv.Get(target.NATSSubject)),
+			Username:      env.Get(usernameEnv, kv.Get(target.NATSUsername)),
+			Password:      env.Get(passwordEnv, kv.Get(target.NATSPassword)),
+			CertAuthority: env.Get(certAuthorityEnv, kv.Get(target.NATSCertAuthority)),
+			ClientCert:    env.Get(clientCertEnv, kv.Get(target.NATSClientCert)),
+			ClientKey:     env.Get(clientKeyEnv, kv.Get(target.NATSClientKey)),
+			Token:         env.Get(tokenEnv, kv.Get(target.NATSToken)),
+			Secure:        env.Get(secureEnv, kv.Get(target.NATSSecure)) == config.StateOn,
+			PingInterval:  pingInterval,
+			QueueDir:      env.Get(queueDirEnv, kv.Get(target.NATSQueueDir)),
+			QueueLimit:    queueLimit,
 		}
 
 		streamingEnableEnv := target.EnvNATSStreaming

pkg/event/target/nats.go

@@ -32,15 +32,18 @@ import (
 
 // NATS related constants
 const (
-	NATSAddress      = "address"
-	NATSSubject      = "subject"
-	NATSUsername     = "username"
-	NATSPassword     = "password"
-	NATSToken        = "token"
-	NATSSecure       = "secure"
-	NATSPingInterval = "ping_interval"
-	NATSQueueDir     = "queue_dir"
-	NATSQueueLimit   = "queue_limit"
+	NATSAddress       = "address"
+	NATSSubject       = "subject"
+	NATSUsername      = "username"
+	NATSPassword      = "password"
+	NATSToken         = "token"
+	NATSSecure        = "secure"
+	NATSPingInterval  = "ping_interval"
+	NATSQueueDir      = "queue_dir"
+	NATSQueueLimit    = "queue_limit"
+	NATSCertAuthority = "cert_authority"
+	NATSClientCert    = "client_cert"
+	NATSClientKey     = "client_key"
 
 	// Streaming constants
 	NATSStreaming                   = "streaming"
@@ -48,16 +51,19 @@ const (
 	NATSStreamingAsync              = "streaming_async"
 	NATSStreamingMaxPubAcksInFlight = "streaming_max_pub_acks_in_flight"
 
-	EnvNATSState        = "MINIO_NOTIFY_NATS_STATE"
-	EnvNATSAddress      = "MINIO_NOTIFY_NATS_ADDRESS"
-	EnvNATSSubject      = "MINIO_NOTIFY_NATS_SUBJECT"
-	EnvNATSUsername     = "MINIO_NOTIFY_NATS_USERNAME"
-	EnvNATSPassword     = "MINIO_NOTIFY_NATS_PASSWORD"
-	EnvNATSToken        = "MINIO_NOTIFY_NATS_TOKEN"
-	EnvNATSSecure       = "MINIO_NOTIFY_NATS_SECURE"
-	EnvNATSPingInterval = "MINIO_NOTIFY_NATS_PING_INTERVAL"
-	EnvNATSQueueDir     = "MINIO_NOTIFY_NATS_QUEUE_DIR"
-	EnvNATSQueueLimit   = "MINIO_NOTIFY_NATS_QUEUE_LIMIT"
+	EnvNATSState         = "MINIO_NOTIFY_NATS_STATE"
+	EnvNATSAddress       = "MINIO_NOTIFY_NATS_ADDRESS"
+	EnvNATSSubject       = "MINIO_NOTIFY_NATS_SUBJECT"
+	EnvNATSUsername      = "MINIO_NOTIFY_NATS_USERNAME"
+	EnvNATSPassword      = "MINIO_NOTIFY_NATS_PASSWORD"
+	EnvNATSToken         = "MINIO_NOTIFY_NATS_TOKEN"
+	EnvNATSSecure        = "MINIO_NOTIFY_NATS_SECURE"
+	EnvNATSPingInterval  = "MINIO_NOTIFY_NATS_PING_INTERVAL"
+	EnvNATSQueueDir      = "MINIO_NOTIFY_NATS_QUEUE_DIR"
+	EnvNATSQueueLimit    = "MINIO_NOTIFY_NATS_QUEUE_LIMIT"
+	EnvNATSCertAuthority = "MINIO_NOTIFY_NATS_CERT_AUTHORITY"
+	EnvNATSClientCert    = "MINIO_NOTIFY_NATS_CLIENT_CERT"
+	EnvNATSClientKey     = "MINIO_NOTIFY_NATS_CLIENT_KEY"
 
 	// Streaming constants
 	EnvNATSStreaming                   = "MINIO_NOTIFY_NATS_STREAMING"
@@ -68,17 +74,20 @@ const (
 
 // NATSArgs - NATS target arguments.
 type NATSArgs struct {
-	Enable       bool      `json:"enable"`
-	Address      xnet.Host `json:"address"`
-	Subject      string    `json:"subject"`
-	Username     string    `json:"username"`
-	Password     string    `json:"password"`
-	Token        string    `json:"token"`
-	Secure       bool      `json:"secure"`
-	PingInterval int64     `json:"pingInterval"`
-	QueueDir     string    `json:"queueDir"`
-	QueueLimit   uint64    `json:"queueLimit"`
-	Streaming    struct {
+	Enable        bool      `json:"enable"`
+	Address       xnet.Host `json:"address"`
+	Subject       string    `json:"subject"`
+	Username      string    `json:"username"`
+	Password      string    `json:"password"`
+	Token         string    `json:"token"`
+	Secure        bool      `json:"secure"`
+	CertAuthority string    `json:"certAuthority"`
+	ClientCert    string    `json:"clientCert"`
+	ClientKey     string    `json:"clientKey"`
+	PingInterval  int64     `json:"pingInterval"`
+	QueueDir      string    `json:"queueDir"`
+	QueueLimit    uint64    `json:"queueLimit"`
+	Streaming     struct {
 		Enable             bool   `json:"enable"`
 		ClusterID          string `json:"clusterID"`
 		Async              bool   `json:"async"`
@@ -100,6 +109,10 @@ func (n NATSArgs) Validate() error {
 		return errors.New("empty subject")
 	}
 
+	if n.ClientCert != "" && n.ClientKey == "" || n.ClientCert == "" && n.ClientKey != "" {
+		return errors.New("cert and key must be specified as a pair")
+	}
+
 	if n.Streaming.Enable {
 		if n.Streaming.ClusterID == "" {
 			return errors.New("empty cluster id")
@@ -120,13 +133,23 @@ func (n NATSArgs) Validate() error {
 
 // To obtain a nats connection from args.
 func (n NATSArgs) connectNats() (*nats.Conn, error) {
-	options := nats.DefaultOptions
-	options.Url = "nats://" + n.Address.String()
-	options.User = n.Username
-	options.Password = n.Password
-	options.Token = n.Token
-	options.Secure = n.Secure
-	return options.Connect()
+	connOpts := []nats.Option{nats.Name("Minio Notification")}
+	if n.Username != "" && n.Password != "" {
+		connOpts = append(connOpts, nats.UserInfo(n.Username, n.Password))
+	}
+	if n.Token != "" {
+		connOpts = append(connOpts, nats.Token(n.Token))
+	}
+	if n.Secure {
+		connOpts = append(connOpts, nats.Secure(nil))
+	}
+	if n.CertAuthority != "" {
+		connOpts = append(connOpts, nats.RootCAs(n.CertAuthority))
+	}
+	if n.ClientCert != "" && n.ClientKey != "" {
+		connOpts = append(connOpts, nats.ClientCert(n.ClientCert, n.ClientKey))
+	}
+	return nats.Connect(n.Address.String(), connOpts...)
 }
 
 // To obtain a streaming connection from args.

pkg/event/target/nats_test.go

@@ -0,0 +1,138 @@
+/*
+ * MinIO Cloud Storage, (C) 2019 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package target
+
+import (
+	"path"
+	"path/filepath"
+	"testing"
+
+	xnet "github.com/minio/minio/pkg/net"
+	natsserver "github.com/nats-io/nats-server/v2/test"
+)
+
+func TestNatsConnPlain(t *testing.T) {
+	opts := natsserver.DefaultTestOptions
+	opts.Port = 14222
+	s := natsserver.RunServer(&opts)
+	defer s.Shutdown()
+
+	clientConfig := &NATSArgs{
+		Enable: true,
+		Address: xnet.Host{Name: "localhost",
+			Port:      (xnet.Port(opts.Port)),
+			IsPortSet: true},
+		Subject: "test",
+	}
+	con, err := clientConfig.connectNats()
+	if err != nil {
+		t.Errorf("Could not connect to nats: %v", err)
+	}
+	defer con.Close()
+}
+
+func TestNatsConnUserPass(t *testing.T) {
+	opts := natsserver.DefaultTestOptions
+	opts.Port = 14223
+	opts.Username = "testminio"
+	opts.Password = "miniotest"
+	s := natsserver.RunServer(&opts)
+	defer s.Shutdown()
+
+	clientConfig := &NATSArgs{
+		Enable: true,
+		Address: xnet.Host{Name: "localhost",
+			Port:      (xnet.Port(opts.Port)),
+			IsPortSet: true},
+		Subject:  "test",
+		Username: opts.Username,
+		Password: opts.Password,
+	}
+
+	con, err := clientConfig.connectNats()
+	if err != nil {
+		t.Errorf("Could not connect to nats: %v", err)
+	}
+	defer con.Close()
+}
+
+func TestNatsConnToken(t *testing.T) {
+	opts := natsserver.DefaultTestOptions
+	opts.Port = 14223
+	opts.Authorization = "s3cr3t"
+	s := natsserver.RunServer(&opts)
+	defer s.Shutdown()
+
+	clientConfig := &NATSArgs{
+		Enable: true,
+		Address: xnet.Host{Name: "localhost",
+			Port:      (xnet.Port(opts.Port)),
+			IsPortSet: true},
+		Subject: "test",
+		Token:   opts.Authorization,
+	}
+
+	con, err := clientConfig.connectNats()
+	if err != nil {
+		t.Errorf("Could not connect to nats: %v", err)
+	}
+	defer con.Close()
+}
+
+func TestNatsConnTLSCustomCA(t *testing.T) {
+	s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls.conf"))
+	defer s.Shutdown()
+
+	clientConfig := &NATSArgs{
+		Enable: true,
+		Address: xnet.Host{Name: "localhost",
+			Port:      (xnet.Port(opts.Port)),
+			IsPortSet: true},
+		Subject:       "test",
+		Secure:        true,
+		CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"),
+	}
+
+	con, err := clientConfig.connectNats()
+	if err != nil {
+		t.Errorf("Could not connect to nats: %v", err)
+	}
+	defer con.Close()
+}
+
+func TestNatsConnTLSClientAuthorization(t *testing.T) {
+	s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls_client_cert.conf"))
+	defer s.Shutdown()
+
+	clientConfig := &NATSArgs{
+		Enable: true,
+		Address: xnet.Host{Name: "localhost",
+			Port:      (xnet.Port(opts.Port)),
+			IsPortSet: true},
+		Subject:       "test",
+		Secure:        true,
+		CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"),
+		ClientCert:    path.Join("testdata", "certs", "nats_client_cert.pem"),
+		ClientKey:     path.Join("testdata", "certs", "nats_client_key.pem"),
+	}
+
+	con, err := clientConfig.connectNats()
+	if err != nil {
+		t.Errorf("Could not connect to nats: %v", err)
+	}
+	defer con.Close()
+}

pkg/event/target/testdata/certs/nats_client_cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf0CFHzIPe2CTpos6fYYVcZD4xAMYD0FMA0GCSqGSIb3DQEBCwUAMEox
+CzAJBgNVBAYTAkNBMRMwEQYDVQQIDApTb21lLVN0YXRlMQ4wDAYDVQQKDAVNaW5p
+bzEWMBQGA1UECwwNTWluaW8gUm9vdCBDQTAgFw0xOTEwMTEyMDE4NTJaGA8yMTE5
+MDkxNzIwMTg1MlowQjELMAkGA1UEBhMCQ0ExDjAMBgNVBAoMBU1pbmlvMQ8wDQYD
+VQQLDAZDbGllbnQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBANsLgS7C0BDsfhWQVyuFGrpl9IWGyAQvSECzepdvxcUz
+CJ5QTSjtMq+2XbkozsmJ0WKtXY+c2vYuNMcthfNzLmn8KMxDoCqMwLXNMO8lLuF5
+94pH0DmTvEngjEDIOPM9aNbfmLU9Lbeiplkjt0izYObg+MzsTS0lIR2yKtSoVFOV
+zzSGRvMfUO/rOlRgBio9Hhx8fL0cckr7SzwJcYtttr+1cySNkGVI8/E5Pe0T3fVW
+7kiCHtUbbST0sQWorDDMkwTYyd2TvB8B8BzfSRNUavnb37bp8woqJottYXXEcLff
+HL7kOhnmqvOSLSnG9ynF+WlE7ZykHw+VsIrRsl/5NwkCAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEASfRN6esWr68ieeODFuiyhMaZ3kHKWiyvT3MDrFPcBgTIbi4CvFmb
++ynT7aDKxBpO8Ttl208QyLZxn9YeiFCZVVy8+o1JaQd30cjewX6A9dCd16yi3lva
+tbVLVl+pJqKwr/wdEwrJ23bUYpFNrex38dxaRUOQ4Zaj6QzCXvB+IR/RvYZ2U23o
+pW0BEYdi+V3M0tuAvmX4NOrLvGUF1D93WRQuiueaMF8yNhiwuT/eCcpct3FLqacC
++NvdK0aiBdUgDvdA7OroXy0Ow768wHpLvfsxqepiXXK/9748hMQxgeaUzDE6SRFF
+FqgnBuFgIu4MH7ki1EnH+KekFepsPF7BIA==
+-----END CERTIFICATE-----

pkg/event/target/testdata/certs/nats_client_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA2wuBLsLQEOx+FZBXK4UaumX0hYbIBC9IQLN6l2/FxTMInlBN
+KO0yr7ZduSjOyYnRYq1dj5za9i40xy2F83MuafwozEOgKozAtc0w7yUu4Xn3ikfQ
+OZO8SeCMQMg48z1o1t+YtT0tt6KmWSO3SLNg5uD4zOxNLSUhHbIq1KhUU5XPNIZG
+8x9Q7+s6VGAGKj0eHHx8vRxySvtLPAlxi222v7VzJI2QZUjz8Tk97RPd9VbuSIIe
+1RttJPSxBaisMMyTBNjJ3ZO8HwHwHN9JE1Rq+dvftunzCiomi21hdcRwt98cvuQ6
+Geaq85ItKcb3KcX5aUTtnKQfD5WwitGyX/k3CQIDAQABAoIBACrO7Mg+unsUPO/p
+7Z9LvBWBp3ARDzYCJ5S9fs/pwDTx7FVETFAbSzSb52UwXHl2vb0TNJ3EgeZq0VW7
+x9n0QLXl2fNRpBOsvlzJZS7XjXnzZDVaI4+dF8c4YzCl8LtY3QxhVm7VLgIdf3Uc
+Tc2fgOiePwGNjOetwfMTxtsYqqJK4Ang/nop6WIZtJxlq/H4D/OueDScv8yM96WP
+Lb+5YMrlTtA79TTn44hdd/IVJBV74UK335bWaV2gqop/r/kymYcmIS6eQ8Fx8Au8
+FhqjL38r6H5mnyH/euBJDf+B9aPej44m093j/gy8C6PFdVHXOw4h3su+RJkV7J+x
+JzSCYiECgYEA/0e1h7XVHVjRI/hzlpZlHomw4SYXc1R5DBljsD+0baNWdgwShdiA
+qZyhVl1/WJEK6r+tT/a0rGcIz1CkjPvjOf66+FVwukqp4UDdeZA28CC6GvbAlBW7
+Gz3wWjbC3quR8OCcGbNrRIUegeN3KxIpyzTXKv2PRUnkkj2z2+clf1sCgYEA26mj
+AiynCFZH2DIk36y1Qvn2Yh/LgO+JrZNmh0YlDENstLXEU5tkLyRxhbYDsDFKHr7a
+1pHZZa2SLKMQEKNZ3OgP5osvl4BxSt5SrusGQHACb1FeWN3BdIWI5S0ZIgBih46G
+IKA1ce4CnLo3oWm1L9tEFnTtMEqEtkECMnYTtGsCgYAsDgYH65thuygsmv3nqQC+
+ami6EkbNwnA5ZFBN5FCQ8zVCnga8Toa1vrAhJXWKpU1LAdU5DYxUjFt626HqKrYm
+Fg3SOXyAyc3Tb8xI5Fh2zE8RxC+r3qwxoVjPWM/8eYNwHHMUBGCorIh9RfIU3seT
+qATSCHwnKv9lNXzKoHNaLQKBgGURdkkn1mrFmCTnXYP06Sm57R1U18Opc0WEDqar
+JZyw4TF8eKqnUr9GG12UU7ob06i10+bqEIbyB9G17UxafJxhwf8nh2xD0tzJ0m1d
+AfFgGB6z558n2T0Nu+EGkQvN9Ye9kgUs8apMArOuEq6X/p/YWUmj3wZbIxjgbGxf
+W82lAoGATTwJCXE6y+D5Vc5I9BTPgJd6Wg/6n+BAmadt3lG/VbPxndQBudCNii0Z
+C7uyMrbK0RVY+DZAFuZWLskIoU+t82HgIsQNAH5KPz27PCWq+DznrARp+maKXj5f
+f5Vsvz6KBzM8Lnts3m20AYcRP4meBa6HNHLnYGedTbRLKYobOgg=
+-----END RSA PRIVATE KEY-----

pkg/event/target/testdata/certs/nats_server_cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf0CFHzIPe2CTpos6fYYVcZD4xAMYD0EMA0GCSqGSIb3DQEBCwUAMEox
+CzAJBgNVBAYTAkNBMRMwEQYDVQQIDApTb21lLVN0YXRlMQ4wDAYDVQQKDAVNaW5p
+bzEWMBQGA1UECwwNTWluaW8gUm9vdCBDQTAgFw0xOTEwMTEyMDE1NTRaGA8yMTE5
+MDkxNzIwMTU1NFowQjELMAkGA1UEBhMCQ0ExDjAMBgNVBAoMBU1pbmlvMQ8wDQYD
+VQQLDAZTZXJ2ZXIxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBAMxbKHUPlW4wIX0G45jRG84o5viXtu7E044QpTGwDS+u
+KCG3w4pWUwnor/uCjkzKSmg+6Sx/889de7QySPwt4TA+F7qy7TrUnIUiaVFcPmeQ
+YsI68JM857nk4ScxK4C4NzJ78DlQreyPwIMx4rAGfEZpdQbAE0LWyOJ9rfMK1uF/
+PFdyNKOUw/fy5iA/DOUeoUqFATIjj5KUWojnt9QZ+M1pGbQsLWc7fzDuavVrAvR7
+wt386bayzLftzHr6rLWWzPoA70ltzvu6JxKU5xZSY5nA2Pip+le6q997+Sm5Dt5L
+VZuSTzjKVNDV9l329eZJnozROdlSURVvg6fK5J8vUIsCAwEAATANBgkqhkiG9w0B
+AQsFAAOCAQEAg6kLnBrjT4agClF94Rc2y6fOTWWzz7C4Ao6iQp3Tcr/YraY7FEEM
+kkZT0osn1JSvut9f2gy2py3+FLAk4OdAt9NBIpjIMDmbIyiQYw+2w3IHJYwdHBXj
+HapyjU2zFQvD6PNUUV4YukR28MmMk0UEizXxkEDm+Qf5t4Bpnv7tFiysMWmA6cCJ
+1fvGOtCPazi0hZc0VkfTnl5OY/Msi+sYCh4gnCqYWICszMm37QKOJrJbY8mTSzAk
+p/0dxAUDDKTuf+UPDqJ2I6o9/XEEwmPGOFovoS9iQhdyWWonRDL3+gCeE2cxEeu5
+QEOwxMQz08XRSsgxag9R3tcywXbaamgQYw==
+-----END CERTIFICATE-----

pkg/event/target/testdata/certs/nats_server_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzFsodQ+VbjAhfQbjmNEbzijm+Je27sTTjhClMbANL64oIbfD
+ilZTCeiv+4KOTMpKaD7pLH/zz117tDJI/C3hMD4XurLtOtSchSJpUVw+Z5Biwjrw
+kzznueThJzErgLg3MnvwOVCt7I/AgzHisAZ8Rml1BsATQtbI4n2t8wrW4X88V3I0
+o5TD9/LmID8M5R6hSoUBMiOPkpRaiOe31Bn4zWkZtCwtZzt/MO5q9WsC9HvC3fzp
+trLMt+3MevqstZbM+gDvSW3O+7onEpTnFlJjmcDY+Kn6V7qr33v5KbkO3ktVm5JP
+OMpU0NX2Xfb15kmejNE52VJRFW+Dp8rkny9QiwIDAQABAoIBABPVsTqTdaSJRWbW
+OVcGzNUYwTpVt2q7bfE3CmGlPdJn6/tB09fkgxDOJe6agGdRpyExIf6wuKBi6XPX
+AaCAb3/4NuNnJIF2S27cpS5BbsksiXlisSEJY1B2t6fPLPLEbo8W2n0lqIvyc/QH
+7oG5T2yiJbqu/++X202ody7E2ZBvVXgwjBJuzxeQ9PPiPyjH2lAgciA0HtmXiHSj
+pIz6V6XmN5CkyawvExA3F1wxIxf2CNRHLpls/DFGkVIz6pUlleKe7fBKVqeLuwnd
+Lnjt9lrCrEozXcwUQnw5KVccB2+0xU8pIl78tPf9EHOHf5Bx1WCFl/YL5qEmfSsL
+x3WM/WkCgYEA+7wdzK2M3LSJ6tat+eM9DT8bqSFhFAA41Jv1UdhTJZb8AKPs+6wX
+13rUcjTnSI75KqApGaIbe3dF7640VmD9eyLNkc2SHr/yNPKV96sEiWk7TVgIWa0J
+vBqPB9UWrkzqBov5VJEpeKlKuCCZGOxN7nkMtH93XmX9Nm3BxmMCQ8cCgYEAz9GK
+FS1pwjj8DpyLW5GEFbcwGugkb/4ebc/OK4W93YvAYwoyJF7oSI9WzKG/R5Ko/0G7
+ESHt0d2pfRDR5XCkoJee4MFFIheLeVM4HDUoIY42I7gl/op+H9fGSNplBYDpVk7O
+FNl9NFgUDytMbuh14SmAU3Yc7EjGruFgoZUPRR0CgYEAimwNos/HxlDMCcMUlXT7
+zD3oct7056+bkGVVxzSBvAjC94MsO9OMpKNZEJfAmehsYKEDGKJIJGMYpMwQ4XKh
+z8T6bvMwJxJ7F9xQ1IhIjVq9DjGbHdyFntan0bG9sAiBIypy5qqPuFa2zHq4VLkT
+vU74yoPQ2qqQSw6dX/5vb18CgYEAnLlZeT8WUvLGo/5K2nOTOQ09qg0H7a2nJQli
+YlAqL7oFDKvTxLoOUypGO2x/5GomKNpZSUJdJ7gS6c6VfILGpJWzq6wVhvBartSj
+rCIqcaPeEHH/tUacd0cysh6BsPTXA8/Kes7KLX9/ITF2Iu4MeBHkRQz+IvN/YsN1
+LGZNbcECgYAqWDnPa2GwFOgTrVwB1AfsCD1PVhSM+AnWnL7avHwD6WIDKB5qb9Ip
+cF83o5bhLrLYVlpZNI1ESKgONyWlYOssBNb0KP51kgkBbtr+5qcCFoKzf5inyve2
+MTE1g+maOLtfRaVrlsGcirWSZdIk8dQmDX8nNM+Rg5hahF2l0/zopg==
+-----END RSA PRIVATE KEY-----

pkg/event/target/testdata/certs/root_ca_cert.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIUTuCjkiDWaSa3X747ybs/SnZ6aHQwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCQ0ExEzARBgNVBAgMClNvbWUtU3RhdGUxDjAMBgNVBAoM
+BU1pbmlvMRYwFAYDVQQLDA1NaW5pbyBSb290IENBMCAXDTE5MTAxMTE5NTIxOFoY
+DzIxMTkwOTE3MTk1MjE4WjBKMQswCQYDVQQGEwJDQTETMBEGA1UECAwKU29tZS1T
+dGF0ZTEOMAwGA1UECgwFTWluaW8xFjAUBgNVBAsMDU1pbmlvIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDAOyo76TMpltNUXiRAGaxaVMG
+E2cf/JudJ+2ve7lxXo1Zz9PaJUOa5wl2b5ebwhXYP7lxdRRz488TfM4YmAm1fkgS
+fhBHP337aeUCeW4mybv7P0jBDHYasiDy92YqX5tv2zPifRaoQ/jkUmEyY29VdTQq
+LyuUCo4hmY3tO5daXN+x9DdnZj8VDkC235UpEe9vgvtY62m7w+guV/XdwKBvQKpa
+248qaqUxvJ8l9sXCnLjNMWwm/6ZpPPcQvYW95P2bhwGH8KrdKeSutW8vVeUa2DN+
+E7QsEopVvg48t/dSVol9xXVQ2QMlNYBsrPQS04GX3aakVREI0r/krRl11Kf7AgMB
+AAGjUzBRMB0GA1UdDgQWBBQtvCicVaNfZaLEXW7sgZYlTyjuuzAfBgNVHSMEGDAW
+gBQtvCicVaNfZaLEXW7sgZYlTyjuuzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQC9LflSKc6l8j280aTQyjjTdMysmKqb8Rs7dtSSaFXQK9nuzOhD
+FGtahhsJFv/GnUu0weZoEMYySeNzaUoW0ICc3+iI2KMWcUlF/K3/P47tYrVMGJKW
+YbuUS7lTxtra9xbFhxGCF8NwM6JG9TrP7JT9b/tn2Xb+UNsxWTH8pf1plusiOvQl
+2JFc+BJzhooLP9sK0YGrb7i3CdQj5QcZjxVCDKAuosvMY/shoW4aEIEECSEtJ9mY
+Rrfft0bOQ7ZKhDgu2ou+lyeyyWFS/19wr5LMvy+lUYG9H100peCpv5tHdGUF1lLR
+m4g6eQK57EI6BoPpNomYtXkoRKP9MXiZ7InC
+-----END CERTIFICATE-----

pkg/event/target/testdata/certs/root_ca_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAwwDsqO+kzKZbTVF4kQBmsWlTBhNnH/ybnSftr3u5cV6NWc/T
+2iVDmucJdm+Xm8IV2D+5cXUUc+PPE3zOGJgJtX5IEn4QRz99+2nlAnluJsm7+z9I
+wQx2GrIg8vdmKl+bb9sz4n0WqEP45FJhMmNvVXU0Ki8rlAqOIZmN7TuXWlzfsfQ3
+Z2Y/FQ5Att+VKRHvb4L7WOtpu8PoLlf13cCgb0CqWtuPKmqlMbyfJfbFwpy4zTFs
+Jv+maTz3EL2FveT9m4cBh/Cq3SnkrrVvL1XlGtgzfhO0LBKKVb4OPLf3UlaJfcV1
+UNkDJTWAbKz0EtOBl92mpFURCNK/5K0ZddSn+wIDAQABAoIBABcVbu54n9uR/dDj
+ShBwKbfqredUOKryrkEmTt6tGMCw3q65CW0TaDNYEiixARNxIEDfGkayA1/MoeC+
+r2794HhZoJJ/1dF5VKKEYJWwZje1Pcl6LlSb8wcp+viIDNILS00sd7Hh+OKmWTo9
+/j+GwdEt9KThvJjjvvt/P+vLWBlcHD2zKFJnq826jKFESkUkY8P6e0cRzOuwGY+E
+LYXAwZC+j7wS3c7tW7PyhGAXkTxohtNNYZ6vOGnGetnTxQDICZ9hCIZMA+7hrtK8
+TAGWtWvwx/5SgEl2+b7M0q70I/2LQSB4ACgOfkhm38z7FwqkvTMl9YhR8E4qvZsZ
+2fv4hoECgYEA5GG8W1H82Z8fxY4AMKwbvlZ5pZGuIwwm+ABsg5BlSMfXZS2APJuP
+wUUOW2gcjDXq/m+7HphgJADpkf+j6NhTks2gWF32VPCfp1EnxOrjOkrZqtBcud+A
+1d0HeWvUMYl4iq9+3haILyfN4nQkFeYO1X0wD2kgrEeIkgipjG//tlsCgYEA2pXd
+PvXugREkt+HladpCQXPnxHgS+QZuPNBYcDFMlOpC6RdcLzDWcqGzmYROM9/sbI+c
+0H3l9ROOkqkA1jq8K2apOKmH9NBOZAaIfi+A450rnJK0trhMsuUgY/xrj+BBO1Vm
+LrAIJ6TMpp8DntO/EVitLBwjR6WrM4pUB9kRxuECgYEA3vEp1luq4SYc9dUxClJ4
+os334lDcFQp/4AlJ5QTIWsv60KIiVQfmxVyML17qv1TDGa4olC1bbMoXOJa9g0fq
+DZz9skXHehOLRuJKWEiTmQwIgF72pdwxAJTL/xPsCI+SRJAc4OBOAPpyWWXW9Cmo
+wW97ww90/bi28RfTq2yJy5ECgYARPXq6yYjrMx/zROTkSWuqX+rqyxGsBH7TWxdu
+meTRZfyrB8WkjzSKzAgvVokYfFPYaCdVJmjpwIYhOSUwwGcxASLdrjlj7L4SE5XW
+ZgbDbRUQf12zf6vE/F9mo3UUXvqmJGEv04CBJ/VgOvB9KXRLePQHo5yAvSdYpFNm
+Xw+Q4QKBgHbV9YV+b1D+8SKNgpCZcrgTmvXIS4ibHdIYT2cxqGbkYS9T1UuJ1kWd
+PBeeYsF3CeCBi1PGKI9eYO85W0aS3fZyrekBOyOVDUqQNpXQPQVdCZtB1l6dtRbD
+3hARd9eQ1Gq1XofKX6Lbc+7tQcmZbAKJbr3JjHJMDUORYk+o8hdK
+-----END RSA PRIVATE KEY-----

pkg/event/target/testdata/nats_tls.conf

@@ -0,0 +1,7 @@
+port: 14225
+net: localhost
+
+tls {
+    cert_file:  "./testdata/certs/nats_server_cert.pem"
+    key_file:   "./testdata/certs/nats_server_key.pem"
+}

pkg/event/target/testdata/nats_tls_client_cert.conf

@@ -0,0 +1,18 @@
+port: 14226
+net: localhost
+
+tls {
+    cert_file:  "./testdata/certs/nats_server_cert.pem"
+    key_file:   "./testdata/certs/nats_server_key.pem"
+    ca_file:   "./testdata/certs/root_ca_cert.pem"
+    verify_and_map: true
+}
+authorization {
+    ADMIN = {
+        publish = ">"
+        subscribe = ">"
+    }
+    users = [
+        {user: "CN=localhost,OU=Client,O=Minio,C=CA", permissions: $ADMIN}
+    ]
+}