Merge 17c5f1e372 into 59681181c0

Bump google.golang.org/protobuf from 1.30.0 to 1.33.0

README.md

@@ -1275,8 +1275,11 @@ Options for `mongo` are the following:
 | auth_opt_mongo_users                 | users        |     N     | User collection                      |
 | auth_opt_mongo_acls                  | acls         |     N     | ACL collection                       |
 | auth_opt_mongo_disable_superuser     | true         |     N     | Disable query to check for superuser |
-| auth_opt_mongo_with_tls              | false        |     N     | Connect with TLS                     |
 | auth_opt_mongo_insecure_skip_verify  | false        |     N     | Verify server's certificate chain    |
+| auth_opt_mongo_with_tls              | false        |     N     | Connect with TLS                     |
+| auth_opt_mongo_tlsca                 | ""           |     N     | TLS Certificate Authority (CA)       |
+| auth_opt_mongo_tlscert               | ""           |     N     | TLS Client Certificate               |
+| auth_opt_mongo_tlskey                | ""           |     N     | TLS Client Certificate Private Key   |
 
 
 If you experience any problem connecting to a replica set, please refer to [this issue](https://github.com/iegomez/mosquitto-go-auth/issues/32).

backends/mongo.go

@@ -3,9 +3,11 @@ package backends
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"strings"
 	"time"
+	"os"
 
 	. "github.com/iegomez/mosquitto-go-auth/backends/constants"
 	"github.com/iegomez/mosquitto-go-auth/backends/topics"
@@ -30,8 +32,11 @@ type Mongo struct {
 	Conn               *mongo.Client
 	disableSuperuser   bool
 	hasher             hashing.HashComparer
-	withTLS            bool
 	insecureSkipVerify bool
+	withTLS            bool
+	TLSCa              string
+	TLSCert            string
+	TLSKey             string
 }
 
 type MongoAcl struct {
@@ -60,8 +65,11 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
 		UsersCollection:    "users",
 		AclsCollection:     "acls",
 		hasher:             hasher,
-		withTLS:            false,
 		insecureSkipVerify: false,
+		withTLS:            false,
+		TLSCa:              "",
+		TLSCert:            "",
+		TLSKey:             "",
 	}
 
 	if authOpts["mongo_disable_superuser"] == "true" {
@@ -100,14 +108,32 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
 		m.AclsCollection = aclsCollection
 	}
 
-	if authOpts["mongo_use_tls"] == "true" {
-		m.withTLS = true
-	}
-
 	if authOpts["mongo_insecure_skip_verify"] == "true" {
 		m.insecureSkipVerify = true
 	}
 
+	useTlsClientCertificate := false
+
+	if authOpts["mongo_with_tls"] == "true" {
+		m.withTLS = true
+	}
+
+	if TLSCa, ok := authOpts["mongo_tlsca"]; ok {
+		m.TLSCa = TLSCa
+		useTlsClientCertificate = true
+	}
+
+	if TLSCert, ok := authOpts["mongo_tlscert"]; ok {
+		m.TLSCert = TLSCert
+		useTlsClientCertificate = true
+	}
+
+	if TLSKey, ok := authOpts["mongo_tlskey"]; ok {
+		m.TLSKey = TLSKey
+		useTlsClientCertificate = true
+	}
+
+
 	addr := fmt.Sprintf("mongodb://%s:%s", m.Host, m.Port)
 
 	to := 60 * time.Second
@@ -117,7 +143,34 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
 	}
 
 	if m.withTLS {
-		opts.TLSConfig = &tls.Config{}
+		log.Info("mongo backend: tls enabled")
+		opts.TLSConfig = &tls.Config{
+			InsecureSkipVerify: m.insecureSkipVerify,
+		}
+
+		if useTlsClientCertificate {
+			caCert, err := os.ReadFile(m.TLSCa)
+
+			if err != nil {
+				log.Errorf("mongo backend: tls error: %s", err)
+			}
+
+			caCertPool := x509.NewCertPool()
+			if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+				log.Error("mongo backend: tls error: CA file must be in PEM format")
+			}
+
+			cert, err := tls.LoadX509KeyPair(m.TLSCert, m.TLSKey)
+			if err != nil {
+				log.Errorf("mongo backend: tls error: %s", err)
+			}
+
+			opts.TLSConfig = &tls.Config{
+				RootCAs:            caCertPool,
+				Certificates:       []tls.Certificate{cert},
+				InsecureSkipVerify: m.insecureSkipVerify,
+			}
+		}
 	}
 
 	opts.ApplyURI(addr)

go.mod

@@ -42,7 +42,7 @@ require (
 	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/sourcemap.v1 v1.0.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -222,8 +222,8 @@ google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
 google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=