Compare commits
5 Commits
e435c51b6c
...
2dfcf784b8
Author | SHA1 | Date |
---|---|---|
Saharat Saengsawang | 2dfcf784b8 | |
Ignacio Gómez | 59681181c0 | |
dependabot[bot] | 4668815a2c | |
Saharat | 17c5f1e372 | |
Saharat | e2c3930ebf |
|
@ -1275,8 +1275,11 @@ Options for `mongo` are the following:
|
|||
| auth_opt_mongo_users | users | N | User collection |
|
||||
| auth_opt_mongo_acls | acls | N | ACL collection |
|
||||
| auth_opt_mongo_disable_superuser | true | N | Disable query to check for superuser |
|
||||
| auth_opt_mongo_with_tls | false | N | Connect with TLS |
|
||||
| auth_opt_mongo_insecure_skip_verify | false | N | Verify server's certificate chain |
|
||||
| auth_opt_mongo_with_tls | false | N | Connect with TLS |
|
||||
| auth_opt_mongo_tlsca | "" | N | TLS Certificate Authority (CA) |
|
||||
| auth_opt_mongo_tlscert | "" | N | TLS Client Certificate |
|
||||
| auth_opt_mongo_tlskey | "" | N | TLS Client Certificate Private Key |
|
||||
|
||||
|
||||
If you experience any problem connecting to a replica set, please refer to [this issue](https://github.com/iegomez/mosquitto-go-auth/issues/32).
|
||||
|
|
|
@ -3,9 +3,11 @@ package backends
|
|||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
"os"
|
||||
|
||||
. "github.com/iegomez/mosquitto-go-auth/backends/constants"
|
||||
"github.com/iegomez/mosquitto-go-auth/backends/topics"
|
||||
|
@ -30,8 +32,11 @@ type Mongo struct {
|
|||
Conn *mongo.Client
|
||||
disableSuperuser bool
|
||||
hasher hashing.HashComparer
|
||||
withTLS bool
|
||||
insecureSkipVerify bool
|
||||
withTLS bool
|
||||
TLSCa string
|
||||
TLSCert string
|
||||
TLSKey string
|
||||
}
|
||||
|
||||
type MongoAcl struct {
|
||||
|
@ -60,8 +65,11 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
|
|||
UsersCollection: "users",
|
||||
AclsCollection: "acls",
|
||||
hasher: hasher,
|
||||
withTLS: false,
|
||||
insecureSkipVerify: false,
|
||||
withTLS: false,
|
||||
TLSCa: "",
|
||||
TLSCert: "",
|
||||
TLSKey: "",
|
||||
}
|
||||
|
||||
if authOpts["mongo_disable_superuser"] == "true" {
|
||||
|
@ -100,14 +108,32 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
|
|||
m.AclsCollection = aclsCollection
|
||||
}
|
||||
|
||||
if authOpts["mongo_use_tls"] == "true" {
|
||||
m.withTLS = true
|
||||
}
|
||||
|
||||
if authOpts["mongo_insecure_skip_verify"] == "true" {
|
||||
m.insecureSkipVerify = true
|
||||
}
|
||||
|
||||
useTlsClientCertificate := false
|
||||
|
||||
if authOpts["mongo_with_tls"] == "true" {
|
||||
m.withTLS = true
|
||||
}
|
||||
|
||||
if TLSCa, ok := authOpts["mongo_tlsca"]; ok {
|
||||
m.TLSCa = TLSCa
|
||||
useTlsClientCertificate = true
|
||||
}
|
||||
|
||||
if TLSCert, ok := authOpts["mongo_tlscert"]; ok {
|
||||
m.TLSCert = TLSCert
|
||||
useTlsClientCertificate = true
|
||||
}
|
||||
|
||||
if TLSKey, ok := authOpts["mongo_tlskey"]; ok {
|
||||
m.TLSKey = TLSKey
|
||||
useTlsClientCertificate = true
|
||||
}
|
||||
|
||||
|
||||
addr := fmt.Sprintf("mongodb://%s:%s", m.Host, m.Port)
|
||||
|
||||
to := 60 * time.Second
|
||||
|
@ -117,7 +143,34 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
|
|||
}
|
||||
|
||||
if m.withTLS {
|
||||
opts.TLSConfig = &tls.Config{}
|
||||
log.Info("mongo backend: tls enabled")
|
||||
opts.TLSConfig = &tls.Config{
|
||||
InsecureSkipVerify: m.insecureSkipVerify,
|
||||
}
|
||||
|
||||
if useTlsClientCertificate {
|
||||
caCert, err := os.ReadFile(m.TLSCa)
|
||||
|
||||
if err != nil {
|
||||
log.Errorf("mongo backend: tls error: %s", err)
|
||||
}
|
||||
|
||||
caCertPool := x509.NewCertPool()
|
||||
if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
|
||||
log.Error("mongo backend: tls error: CA file must be in PEM format")
|
||||
}
|
||||
|
||||
cert, err := tls.LoadX509KeyPair(m.TLSCert, m.TLSKey)
|
||||
if err != nil {
|
||||
log.Errorf("mongo backend: tls error: %s", err)
|
||||
}
|
||||
|
||||
opts.TLSConfig = &tls.Config{
|
||||
RootCAs: caCertPool,
|
||||
Certificates: []tls.Certificate{cert},
|
||||
InsecureSkipVerify: m.insecureSkipVerify,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
opts.ApplyURI(addr)
|
||||
|
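Review bot: In the TLS block of the last hunk, a failed `os.ReadFile(m.TLSCa)`, a non-PEM CA file, or a failed `tls.LoadX509KeyPair` is only logged and `NewMongo` carries on with an empty `RootCAs` pool and a zero-valued `tls.Certificate`, so a misconfiguration surfaces later as an opaque handshake error instead of at startup — these should be returned (the `return m, err` below assumes `NewMongo` returns an error alongside the backend; its signature is cut off at the hunk header). The coupling in the previous hunk is also too coarse: `useTlsClientCertificate` becomes true when any one of `mongo_tlsca`/`mongo_tlscert`/`mongo_tlskey` is present, even as an empty string, so a CA-only deployment ends up calling `tls.LoadX509KeyPair("", "")` and failing; the CA pool and the client key pair should be loaded independently on non-empty values, after which `useTlsClientCertificate` is unused and can be dropped. `InsecureSkipVerify: m.insecureSkipVerify` is applied silently; a `log.Warn` when it is enabled makes the weakened verification visible in operations logs, and the README row in this same compare describes the option as "Verify server's certificate chain", which is the opposite of what the flag does.
```go
if m.withTLS {
	log.Info("mongo backend: tls enabled")
	if m.insecureSkipVerify {
		log.Warn("mongo backend: tls server certificate verification is disabled (mongo_insecure_skip_verify)")
	}
	tlsConfig := &tls.Config{InsecureSkipVerify: m.insecureSkipVerify}

	if m.TLSCa != "" {
		caCert, err := os.ReadFile(m.TLSCa)
		if err != nil {
			return m, fmt.Errorf("mongo backend: reading tls ca %q: %w", m.TLSCa, err)
		}
		caCertPool := x509.NewCertPool()
		if !caCertPool.AppendCertsFromPEM(caCert) {
			return m, fmt.Errorf("mongo backend: tls ca %q is not PEM encoded", m.TLSCa)
		}
		tlsConfig.RootCAs = caCertPool
	}

	if m.TLSCert != "" || m.TLSKey != "" {
		cert, err := tls.LoadX509KeyPair(m.TLSCert, m.TLSKey)
		if err != nil {
			return m, fmt.Errorf("mongo backend: loading tls client key pair: %w", err)
		}
		tlsConfig.Certificates = []tls.Certificate{cert}
	}
	opts.TLSConfig = tlsConfig
}
// … unchanged: opts.ApplyURI(addr) …
```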
|
2
go.mod
2
go.mod
|
@ -42,7 +42,7 @@ require (
|
|||
golang.org/x/sys v0.15.0 // indirect
|
||||
golang.org/x/text v0.14.0 // indirect
|
||||
google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
|
||||
google.golang.org/protobuf v1.30.0 // indirect
|
||||
google.golang.org/protobuf v1.33.0 // indirect
|
||||
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
|
||||
gopkg.in/sourcemap.v1 v1.0.5 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
|
|
4
go.sum
4
go.sum
|
@ -222,8 +222,8 @@ google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
|
|||
google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
|
||||
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
|
||||
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
|
||||
google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
|
||||
google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
|
||||
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
|
||||
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
|
||||
|
|