From 374840fba3de901d7ab6f122eff83393581740b1 Mon Sep 17 00:00:00 2001
From: Till Faelligen <2353100+S7evinK@users.noreply.github.com>
Date: Tue, 2 Aug 2022 12:28:05 +0200
Subject: [PATCH] Add option to disable TLS validation for NATS

---
 dendrite-sample.monolith.yaml | 5 +++++
 dendrite-sample.polylith.yaml | 5 +++++
 setup/config/config_jetstream.go | 3 +++
 setup/jetstream/nats.go | 9 ++++++++-
 4 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/dendrite-sample.monolith.yaml b/dendrite-sample.monolith.yaml
index cc6c173e8..a34b8af55 100644
--- a/dendrite-sample.monolith.yaml
+++ b/dendrite-sample.monolith.yaml
@@ -113,6 +113,11 @@ global:
 addresses:
 # - localhost:4222
 
+ # Disable the validation of TLS certificates of NATS. This is
+ # not recommended in production since it may allow NATS traffic
+ # to be sent to an insecure endpoint.
+ disable_tls_validation: false
+
 # Persistent directory to store JetStream streams in. This directory should be
 # preserved across Dendrite restarts.
 storage_path: ./
diff --git a/dendrite-sample.polylith.yaml b/dendrite-sample.polylith.yaml
index 92cab19b1..550611229 100644
--- a/dendrite-sample.polylith.yaml
+++ b/dendrite-sample.polylith.yaml
@@ -103,6 +103,11 @@ global:
 addresses:
 - hostname:4222
 
+ # Disable the validation of TLS certificates of NATS. This is
+ # not recommended in production since it may allow NATS traffic
+ # to be sent to an insecure endpoint.
+ disable_tls_validation: false
+
 # The prefix to use for stream names for this homeserver - really only useful
 # if you are running more than one Dendrite server on the same NATS deployment.
 topic_prefix: Dendrite
diff --git a/setup/config/config_jetstream.go b/setup/config/config_jetstream.go
index 49d2a5dcc..a7827597e 100644
--- a/setup/config/config_jetstream.go
+++ b/setup/config/config_jetstream.go
@@ -19,6 +19,8 @@ type JetStream struct {
 InMemory bool `yaml:"in_memory"`
 // Disable logging. This is mostly useful for unit tests.
 NoLog bool `yaml:"-"`
+ // Disables TLS validation. This should NOT be used in production
+ DisableTLSValidation bool `yaml:"disable_tls_validation"`
 }
 
 func (c *JetStream) Prefixed(name string) string {
@@ -35,6 +37,7 @@ func (c *JetStream) Defaults(generate bool) {
 if generate {
 c.StoragePath = Path("./")
 c.NoLog = true
+ c.DisableTLSValidation = true
 }
 }
 
diff --git a/setup/jetstream/nats.go b/setup/jetstream/nats.go
index 5d6a54ec3..be216a02a 100644
--- a/setup/jetstream/nats.go
+++ b/setup/jetstream/nats.go
@@ -1,6 +1,7 @@
 package jetstream
 
 import (
+ "crypto/tls"
 "fmt"
 "reflect"
 "strings"
@@ -76,7 +77,13 @@ func (s *NATSInstance) Prepare(process *process.ProcessContext, cfg *config.JetS
 func setupNATS(process *process.ProcessContext, cfg *config.JetStream, nc *natsclient.Conn) (natsclient.JetStreamContext, *natsclient.Conn) {
 if nc == nil {
 var err error
- nc, err = natsclient.Connect(strings.Join(cfg.Addresses, ","))
+ opts := []nats.Option{}
+ if cfg.DisableTLSValidation {
+ opts = append(opts, nats.Secure(&tls.Config{
+ InsecureSkipVerify: true,
+ }))
+ }
+ nc, err = natsclient.Connect(strings.Join(cfg.Addresses, ","), opts...)
 if err != nil {
 logrus.WithError(err).Panic("Unable to connect to NATS")
 return nil, nil
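Review bot: `c.DisableTLSValidation = true` in the `generate` branch of Defaults flips the new option to its insecure setting by default, while both sample configs in this patch ship `disable_tls_validation: false`. If `Defaults(true)` is also the path generate-config takes, a freshly generated config would skip NATS certificate verification out of the box; unit tests that rely on it can set the field explicitly where they build their config. I would drop that line so the zero value (validation on) is the default in every code path, or else extend the struct comment in the first hunk to say why generated configs start with validation off. Defaults begins before this hunk.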
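Review bot: The `InsecureSkipVerify: true` branch disables verification of the NATS server certificate silently; since this is the one setting that removes authentication of the remote endpoint, it should be visible at startup so an operator can spot it in the logs. I would add `logrus.Warn("NATS TLS certificate validation is disabled; this should not be used in production")` as the first statement inside `if cfg.DisableTLSValidation {`, using the logger the hunk already uses for the connect failure. Two smaller points: `nats.Option` and `nats.Secure` use a package identifier `nats` that the import hunk does not add while the rest of the function uses `natsclient`, so the file presumably imports nats.go under two names and a single alias would read better; and, as far as I recall the client, `nats.Secure` also marks the connection as TLS-required, so enabling this flag against a plaintext server makes Connect fail rather than fall back, which deserves a comment on the option if intended. setupNATS continues past the end of the hunk.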