Postgres tls/sslmode "verify-full" as default (#248)

* Make `verify-full` the default postgres sslmode instead of `disable`.

* Adding documentation about postgres sslmode changes to readme

* Change default of sslmode in postgres auth opt table

* Add sslmode to auth opts to fix tests.
maab 2022-11-11 12:27:55 +01:00 committed by GitHub
parent 821a58ec71
commit fb6a5b89e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 21 deletions


@ -594,22 +594,22 @@ The `postgres` backend allows to specify queries for user, superuser and acl ch
The following `auth_opt_` options are supported: The following `auth_opt_` options are supported:
| Option | default | Mandatory | Meaning | | Option | default | Mandatory | Meaning |
| --------------------- | ----------------- | :---------: | ----------------------------------------------------------- | |------------------|-------------|:---------:|----------------------------------------|
| pg_host | localhost | | hostname/address | | pg_host | localhost | | hostname/address |
| pg_port | 5432 | | TCP port | | pg_port | 5432 | | TCP port |
| pg_user | | Y | username | | pg_user | | Y | username |
| pg_password | | Y | password | | pg_password | | Y | password |
| pg_dbname | | Y | database name | | pg_dbname | | Y | database name |
| pg_userquery | | Y | SQL for users | | pg_userquery | | Y | SQL for users |
| pg_superquery | | N | SQL for superusers | | pg_superquery | | N | SQL for superusers |
| pg_aclquery | | N | SQL for ACLs | | pg_aclquery | | N | SQL for ACLs |
| pg_sslmode | disable | N | SSL/TLS mode. | | pg_sslmode | verify-full | N | SSL/TLS mode. |
| pg_sslcert | | N | SSL/TLS Client Cert. | | pg_sslcert | | N | SSL/TLS Client Cert. |
| pg_sslkey | | N | SSL/TLS Client Cert. Key | | pg_sslkey | | N | SSL/TLS Client Cert. Key |
| pg_sslrootcert | | N | SSL/TLS Root Cert | | pg_sslrootcert | | N | SSL/TLS Root Cert |
| pg_connect_tries | -1 | N | x < 0: try forever, x > 0: try x times | | pg_connect_tries | -1 | N | x < 0: try forever, x > 0: try x times |
| pg_max_life_time | | N | connection max life time in seconds | | pg_max_life_time | | N | connection max life time in seconds |
Depending on the sslmode given, sslcert, sslkey and sslrootcert will be used. Options for sslmode are: Depending on the sslmode given, sslcert, sslkey and sslrootcert will be used. Options for sslmode are:
@ -617,6 +617,10 @@ Depending on the sslmode given, sslcert, sslkey and sslrootcert will be used. Op
require - Always SSL (skip verification) require - Always SSL (skip verification)
verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA) verify-ca - Always SSL (verify that the certificate presented by the server was signed by a trusted CA)
verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate) verify-full - Always SSL (verify that the certification presented by the server was signed by a trusted CA and the server host name matches the one in the certificate)
From *mosquitto go auth* version 2.0.0 on `verify-full` will be the default sslmode instead of `disable`. You may have
to disable transport layer security if the postgres database server doesn't support encryption and has a certificate
signed by a trusted CA.
Queries work pretty much the same as in jpmen's plugin, so here's his discription (with some little changes) about them: Queries work pretty much the same as in jpmen's plugin, so here's his discription (with some little changes) about them:


@ -254,6 +254,7 @@ func TestLocalPostgresJWT(t *testing.T) {
// Give necessary postgres options. // Give necessary postgres options.
authOpts["jwt_pg_host"] = "localhost" authOpts["jwt_pg_host"] = "localhost"
authOpts["jwt_pg_port"] = "5432" authOpts["jwt_pg_port"] = "5432"
authOpts["jwt_pg_sslmode"] = "disable"
authOpts["jwt_pg_dbname"] = "go_auth_test" authOpts["jwt_pg_dbname"] = "go_auth_test"
authOpts["jwt_pg_user"] = "go_auth_test" authOpts["jwt_pg_user"] = "go_auth_test"
authOpts["jwt_pg_password"] = "go_auth_test" authOpts["jwt_pg_password"] = "go_auth_test"
@ -265,6 +266,7 @@ func TestLocalPostgresJWT(t *testing.T) {
pgAuthOpts := make(map[string]string) pgAuthOpts := make(map[string]string)
pgAuthOpts["pg_host"] = "localhost" pgAuthOpts["pg_host"] = "localhost"
pgAuthOpts["pg_port"] = "5432" pgAuthOpts["pg_port"] = "5432"
pgAuthOpts["pg_sslmode"] = "disable"
pgAuthOpts["pg_dbname"] = "go_auth_test" pgAuthOpts["pg_dbname"] = "go_auth_test"
pgAuthOpts["pg_user"] = "go_auth_test" pgAuthOpts["pg_user"] = "go_auth_test"
pgAuthOpts["pg_password"] = "go_auth_test" pgAuthOpts["pg_password"] = "go_auth_test"
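Review bot: The added `authOpts["jwt_pg_sslmode"] = "disable"` (and `pgAuthOpts["pg_sslmode"] = "disable"` in the second hunk) deserve a one-line comment saying why TLS is opted out, since a reader will otherwise wonder why a test that previously worked needs the line; something like `// opt out of the verify-full default: the local test database is assumed to speak plain TCP`. With every test now pinning `disable`, no test exercises the behaviour this commit introduces, namely that omitting the option yields a `verify-full` connection string; if NewPostgres can be driven without a live server, a small test with no `pg_sslmode` key asserting on the resulting SSLMode would pin the change. The same applies to the `pg_sslmode` lines added to TestPostgres and TestPostgresTls in the fourth file. TestLocalPostgresJWT starts and ends outside these hunks.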


@ -47,7 +47,7 @@ func NewPostgres(authOpts map[string]string, logLevel log.Level, hasher hashing.
var postgres = Postgres{ var postgres = Postgres{
Host: "localhost", Host: "localhost",
Port: "5432", Port: "5432",
SSLMode: "disable", SSLMode: "verify-full",
SuperuserQuery: "", SuperuserQuery: "",
AclQuery: "", AclQuery: "",
hasher: hasher, hasher: hasher,
@ -105,7 +105,7 @@ func NewPostgres(authOpts map[string]string, logLevel log.Level, hasher hashing.
} }
postgres.SSLMode = sslmode postgres.SSLMode = sslmode
} else { } else {
postgres.SSLMode = "disable" postgres.SSLMode = "verify-full"
} }
if sslCert, ok := authOpts["pg_sslcert"]; ok { if sslCert, ok := authOpts["pg_sslcert"]; ok {
@ -129,16 +129,16 @@ func NewPostgres(authOpts map[string]string, logLevel log.Level, hasher hashing.
connStr := fmt.Sprintf("user=%s password=%s dbname=%s host=%s port=%s", postgres.User, postgres.Password, postgres.DBName, postgres.Host, postgres.Port) connStr := fmt.Sprintf("user=%s password=%s dbname=%s host=%s port=%s", postgres.User, postgres.Password, postgres.DBName, postgres.Host, postgres.Port)
switch postgres.SSLMode { switch postgres.SSLMode {
case "disable":
connStr = fmt.Sprintf("%s sslmode=disable", connStr)
case "require": case "require":
connStr = fmt.Sprintf("%s sslmode=require", connStr) connStr = fmt.Sprintf("%s sslmode=require", connStr)
case "verify-ca": case "verify-ca":
connStr = fmt.Sprintf("%s sslmode=verify-ca", connStr) connStr = fmt.Sprintf("%s sslmode=verify-ca", connStr)
case "verify-full": case "verify-full":
connStr = fmt.Sprintf("%s sslmode=verify-full", connStr)
case "disable":
fallthrough fallthrough
default: default:
connStr = fmt.Sprintf("%s sslmode=disable", connStr) connStr = fmt.Sprintf("%s sslmode=verify-full", connStr)
} }
if postgres.SSLRootCert != "" { if postgres.SSLRootCert != "" {
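Review bot: The `default:` arm of the sslmode switch (new side `sslmode=verify-full`) still silently accepts any unrecognized `pg_sslmode` value — a typo such as `verify_full` now gets the strict mode instead of `disable`, which is the safer failure, but the misconfiguration is never reported. Emitting a warning there, e.g. `log.Warnf("unknown pg_sslmode %q, falling back to verify-full", postgres.SSLMode)` before the `connStr` assignment (assuming the `log` in scope is logrus, as `log.Level` in the signature suggests), or rejecting the value where `pg_sslmode` is read in the earlier hunk, would surface it. The rendering does not make it certain whether the `case "disable":` at the top or the one at the bottom of the switch is the new line; if it is the bottom one that falls through to `default`, an explicit `pg_sslmode=disable` would be upgraded to verify-full, contradicting the README text that says TLS can be disabled for servers without it — worth confirming with a test. NewPostgres starts before the first hunk and ends after this one.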


@ -24,6 +24,7 @@ func TestPostgres(t *testing.T) {
//Initialize Postgres with some test values (omit tls). //Initialize Postgres with some test values (omit tls).
authOpts["pg_dbname"] = "go_auth_test" authOpts["pg_dbname"] = "go_auth_test"
authOpts["pg_user"] = "go_auth_test" authOpts["pg_user"] = "go_auth_test"
authOpts["pg_sslmode"] = "disable"
authOpts["pg_password"] = "go_auth_test" authOpts["pg_password"] = "go_auth_test"
authOpts["pg_userquery"] = "SELECT password_hash FROM test_user WHERE username = $1 limit 1" authOpts["pg_userquery"] = "SELECT password_hash FROM test_user WHERE username = $1 limit 1"
authOpts["pg_superquery"] = "select count(*) from test_user where username = $1 and is_admin = true" authOpts["pg_superquery"] = "select count(*) from test_user where username = $1 and is_admin = true"
@ -204,6 +205,7 @@ func TestPostgresTls(t *testing.T) {
authOpts := make(map[string]string) authOpts := make(map[string]string)
authOpts["pg_host"] = "localhost" authOpts["pg_host"] = "localhost"
authOpts["pg_port"] = "5432" authOpts["pg_port"] = "5432"
authOpts["pg_sslmode"] = "disable"
authOpts["pg_dbname"] = "go_auth_test" authOpts["pg_dbname"] = "go_auth_test"
authOpts["pg_user"] = "go_auth_test_tls" authOpts["pg_user"] = "go_auth_test_tls"
authOpts["pg_password"] = "go_auth_test_tls" authOpts["pg_password"] = "go_auth_test_tls"
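Review bot: Adding `authOpts["pg_sslmode"] = "disable"` to TestPostgresTls reads oddly for a test whose name promises a TLS connection; if a later line of the function (outside this hunk) overrides it with a verifying mode, the line is redundant and should be dropped, and if not, the test now connects in the clear under a TLS name. The line added to TestPostgres would also benefit from a comment, since `//Initialize Postgres with some test values (omit tls).` above it no longer explains why the mode must be explicit, e.g. `// opt out of the verify-full default; the local test server is assumed to speak plain TCP`. Both test functions continue beyond their hunks.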