This is basically how nsc creates an operator account + system account + system user really only need to keep track of the seeds, as they can be used to make public/private keys
JWT claims aren't that bad to make, just a lot of options in there basic operation is that:
- you create an operator KP and claims
- operator has a signing KP
- you create an account KP and claims, and sign the account with the operator signing KP
- account has a signing KP
- you create a user KP and claims, and sign the user with the account signing KP
- operator claims are signed with the operator KP (self signed)
operatorKP, _ := nkeys.CreateOperator()
operatorPK, _ := operatorKP.PublicKey()
operatorK, _ := operatorKP.PrivateKey()
operatorSeed, _ := operatorKP.Seed()
parsedKP, _ := nkeys.FromSeed(operatorSeed)
parsedPK, _ := parsedKP.PublicKey()
parsedK, _ := parsedKP.PrivateKey()
fmt.Fprintf(os.Stdout, "Parsed Public: %q; Previous: %q; Equal: %v\n", parsedPK, operatorPK, parsedPK == operatorPK)
fmt.Fprintf(os.Stdout, "Parsed Privat: %q; Previous: %q; Equal: %v\n", string(parsedK), string(operatorK), string(parsedK) == string(operatorK))
fmt.Fprintln(os.Stdout)
var operatorClaims = jwt.NewOperatorClaims(operatorPK)
operatorClaims.Name = "conservator"
operatorSigningKeyKP, _ := nkeys.CreateOperator()
operatorSigningKeyPK, _ := operatorSigningKeyKP.PublicKey()
operatorClaims.SigningKeys.Add(operatorSigningKeyPK)
// create system account
systemAccountKP, _ := nkeys.CreateAccount()
systemAccountPK, _ := systemAccountKP.PublicKey()
accountSignerKP, _ := nkeys.CreateAccount()
accountSignerPK, _ := accountSignerKP.PublicKey()
systemAccountClaims := jwt.NewAccountClaims(systemAccountPK)
systemAccountClaims.Name = "SYS"
systemAccountClaims.SigningKeys.Add(accountSignerPK)
systemAccountClaims.Exports = jwt.Exports{
&jwt.Export{
Name: "account-monitoring-services",
Subject: "$SYS.REQ.ACCOUNT.*.*",
Type: jwt.Service,
ResponseType: jwt.ResponseTypeStream,
AccountTokenPosition: 4,
Info: jwt.Info{
Description: "Custom account made by conservator",
InfoURL: "https://github.com/renevo/conservator",
},
},
&jwt.Export{
Name: "account-monitoring-streams",
Subject: "$SYS.ACCOUNT.*.>",
Type: jwt.Stream,
AccountTokenPosition: 3,
Info: jwt.Info{
Description: "Custom account made by conservator",
InfoURL: "https://github.com/renevo/conservator",
},
},
}
systemAccountToken, _ := systemAccountClaims.Encode(operatorSigningKeyKP)
systemUserKP, _ := nkeys.CreateUser()
systemUserPK, _ := systemUserKP.PublicKey()
systemUserClaims := jwt.NewUserClaims(systemUserPK)
systemUserClaims.Name = "sys"
systemUserClaims.IssuerAccount = systemAccountPK
systemUserToken, _ := systemUserClaims.Encode(accountSignerKP)
operatorClaims.SystemAccount = systemAccountPK
token, _ := operatorClaims.Encode(operatorKP)
fmt.Fprintf(os.Stdout, "Operator Token: %s\n\n", token)
fmt.Fprintf(os.Stdout, "System Account Token: %s\n\n", systemAccountToken)
fmt.Fprintf(os.Stdout, "System User Token: %s\n\n", systemUserToken)