* Make `verify-full` to default postgres sslmode instead of `disable`.
* Adding documentation about postgres sslmode changes to readme
* Change default of sslmode in postgres auth opt table
* Add sslmode to auth opts to fix tests.
* feat: makes mutual TLS optional for postgres and mysql
* feat: makes mutual TLS optional for gRPC
* refactor: replaces deprecated grpc.WithInsecure()
* docs: changes meaning of grpc tls option to client cert
* chore: updates test go version to same as project version (1.18)
* test: adds TLS and mutual TLS support to db and grpc test environments
* chore: adds generated test certificates to .gitignore
* chore: reduces test certificates to minimum key usage
* chore: adds second client certificate which acts as unauthorized
* test: adds mysql tls and mutual tls tests
* refactor: postgres ssl config check
* refactor: change connectTries to 0 for postgres to only have 1 retry by default like mysql
* refactor: postgres sslmode and sslrootcert code
* test: adds postgres tls and mutual tls tests
* fix: treat grpc authOpts grpc_ca_cert, grpc_tls_cert, grpc_tls_key as file paths instead of actual file contents
refactor: improves error logging
* test: adds grpc tls and mutual tls tests
* Fix postgres ssl modes `require`, ``verify-ca` and `verify-full` to work without explicit root certificate.
* refactor: adds warning for unknown pg_sslmode
style: removes empty lines
* style: compress switch case
Co-authored-by: Martin Abbrent <martin.abbrent@ufz.de>
* Don't bubble up grpc client error, just keep it nil and derive it again on checking.
Add option to check if we should faild on gRCP dial error or not.
Add timeout option.
* Instead of attempting on each check, remove with block when fail on dial error is not set to true so gRPC takes care of the connection itself.
Add tests to check that auth fails with dial errors, but works once the service is back up.
* Fix docker files missing libwebsockets8 by building from source, fix docker test run by starting maridb service instead of mysql one.
Co-authored-by: Ignacio Gómez <ignacio_gomez@apple.com>
* Add default 'mosquitto' user-agent to http/jwt requests
* Add libmosquitto version ofr http and jwt remote user agent.
Add more room for extended versions.
Co-authored-by: Ignacio Gómez <iegomez@uc.cl>
Files should be able to check ACLs only.
Clen setPrefixes method.
Fix test-backends by building custom plugin too, fix files only acls by checking if a user was seen before creating a general record.
* No longer cache response from backend when the backend fail.
* Reply to Mosquitto using "MOSQ_ERR_UNKNOWN" which will disconnect
client and avoid silent data loss when the error occure for ACL
checks.
guoguangwu