Fixed MongoDB insecureSkipVerify, Added MongoDB TLS certificate, ca, key #309

Open
wants to merge 2 commits into
base: master
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -1275,8 +1275,11 @@ Options for `mongo` are the following:
| auth_opt_mongo_users | users | N | User collection |
| auth_opt_mongo_acls | acls | N | ACL collection |
| auth_opt_mongo_disable_superuser | true | N | Disable query to check for superuser |
| auth_opt_mongo_with_tls | false | N | Connect with TLS |
| auth_opt_mongo_insecure_skip_verify | false | N | Verify server's certificate chain |
| auth_opt_mongo_with_tls | false | N | Connect with TLS |
| auth_opt_mongo_tlsca | "" | N | TLS Certificate Authority (CA) |
| auth_opt_mongo_tlscert | "" | N | TLS Client Certificate |
| auth_opt_mongo_tlskey | "" | N | TLS Client Certificate Private Key |


If you experience any problem connecting to a replica set, please refer to [this issue](https://github.com/iegomez/mosquitto-go-auth/issues/32).
65 changes: 59 additions & 6 deletions backends/mongo.go
Expand Up @@ -3,9 +3,11 @@ package backends
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"strings"
"time"
"os"

. "github.com/iegomez/mosquitto-go-auth/backends/constants"
"github.com/iegomez/mosquitto-go-auth/backends/topics"
Expand All @@ -30,8 +32,11 @@ type Mongo struct {
Conn *mongo.Client
disableSuperuser bool
hasher hashing.HashComparer
withTLS bool
insecureSkipVerify bool
withTLS bool
TLSCa string
TLSCert string
TLSKey string
}

type MongoAcl struct {
Expand Down Expand Up @@ -60,8 +65,11 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
UsersCollection: "users",
AclsCollection: "acls",
hasher: hasher,
withTLS: false,
insecureSkipVerify: false,
withTLS: false,
TLSCa: "",
TLSCert: "",
TLSKey: "",
}

if authOpts["mongo_disable_superuser"] == "true" {
Expand Down Expand Up @@ -100,14 +108,32 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
m.AclsCollection = aclsCollection
}

if authOpts["mongo_use_tls"] == "true" {
if authOpts["mongo_insecure_skip_verify"] == "true" {
m.insecureSkipVerify = true
}

useTlsClientCertificate := false

if authOpts["mongo_with_tls"] == "true" {
m.withTLS = true
}

if authOpts["mongo_insecure_skip_verify"] == "true" {
m.insecureSkipVerify = true
if TLSCa, ok := authOpts["mongo_tlsca"]; ok {
m.TLSCa = TLSCa
useTlsClientCertificate = true
}

if TLSCert, ok := authOpts["mongo_tlscert"]; ok {
m.TLSCert = TLSCert
useTlsClientCertificate = true
}

if TLSKey, ok := authOpts["mongo_tlskey"]; ok {
m.TLSKey = TLSKey
useTlsClientCertificate = true
}


addr := fmt.Sprintf("mongodb://%s:%s", m.Host, m.Port)

to := 60 * time.Second
Expand All @@ -117,7 +143,34 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
}

if m.withTLS {
opts.TLSConfig = &tls.Config{}
log.Info("mongo backend: tls enabled")
opts.TLSConfig = &tls.Config{
Owner

Could you add new empty lines here and between following if checks to aid readability?

InsecureSkipVerify: m.insecureSkipVerify,
}

if useTlsClientCertificate {
caCert, err := os.ReadFile(m.TLSCa)

if err != nil {
log.Errorf("mongo backend: tls error: %s", err)
}

caCertPool := x509.NewCertPool()
if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
log.Error("mongo backend: tls error: CA file must be in PEM format")
}

cert, err := tls.LoadX509KeyPair(m.TLSCert, m.TLSKey)
if err != nil {
log.Errorf("mongo backend: tls error: %s", err)
}

opts.TLSConfig = &tls.Config{
RootCAs: caCertPool,
Certificates: []tls.Certificate{cert},
InsecureSkipVerify: m.insecureSkipVerify,
}
}
}

opts.ApplyURI(addr)