
Fixed MongoDB insecureSkipVerify, Added MongoDB TLS certificate, ca, key #309

Open
wants to merge 2 commits into base: master
Conversation

saharatss

1. Inconsistent TLS configuration: To configure TLS for MongoDB, the readme.md said to change the auth_opt_mongo_with_tls option to enable TLS, but the backends/mongo.go file reads mongo_use_tls, which means auth_opt_mongo_use_tls.

So I changed the configuration option key from mongo_use_tls to mongo_tls to be consistent with the other TLS settings.

2. insecureSkipVerify defined but never used: It was defined in both the doc (readme.md) and backends/mongo.go, but it was never used as part of the connection configuration.

This led to the error below when trying to connect with a self-signed SSL certificate:

time="2024-01-19T03:11:08Z" level=info msg="mongo backend: set authentication db to: mqtt"
time="2024-01-19T03:11:08Z" level=info msg="Backend registered: Mongo"
time="2024-01-19T03:11:08Z" level=info msg="registered acl checker: mongo"
time="2024-01-19T03:11:08Z" level=info msg="registered user checker: mongo"
time="2024-01-19T03:11:08Z" level=info msg="registered superuser checker: mongo"
time="2024-01-19T03:11:08Z" level=info msg="No cache set."
time="2024-01-19T03:16:02Z" level=debug msg="checking user C01103BDFF964C6B9004D5F33EB26208 with backend Mongo"
time="2024-01-19T03:16:32Z" level=debug msg="Mongo get user error: server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: localhost:27017, Type: Unknown, Last error: x509: certificate is not valid for any names, but wanted to match localhost }, ] }"
time="2024-01-19T03:16:32Z" level=error msg="server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: localhost:27017, Type: Unknown, Last error: x509: certificate is not valid for any names, but wanted to match localhost }, ] }"

3. MongoDB Custom Certificates:

From the MongoDB Go Driver documentation:

"To successfully initiate a TLS request, your application must present cryptographic certificates to prove its identity. Your application's certificates must be stored as PEM files to enable TLS when connecting."

So, I added options to pass certificate paths to the module to complete a TLS connection:
auth_opt_mongo_tlsca for TLS Certificate Authority (CA)
auth_opt_mongo_tlscert for TLS Client Certificate
auth_opt_mongo_tlskey for TLS Client Certificate Private Key
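
How the three certificate options and the now-wired insecureSkipVerify flag fit together, as an added example written for this page and not code from the PR or from mosquitto-go-auth: a function that turns the auth_opt_mongo_* values into the tls.Config the Mongo driver is given, plus a throwaway self-signed certificate generated on the fly so it runs offline. The stripping of the auth_opt_ prefix, the mongo_insecure_skip_verify key name, the function names and the generated certificate are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// mongoTLSConfig turns the auth_opt_mongo_* values (auth_opt_ prefix already
// stripped by the caller, an assumption, as is the mongo_insecure_skip_verify key
// name) into the tls.Config for the Mongo driver. Returns (nil, nil) when mongo_tls is not "true".
func mongoTLSConfig(opts map[string]string) (*tls.Config, error) {
	if opts["mongo_tls"] != "true" {
		return nil, nil
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	// The PR's bug: the flag was parsed but never copied into the config. True disables chain and hostname checks.
	cfg.InsecureSkipVerify = opts["mongo_insecure_skip_verify"] == "true"
	// Trusting the private CA keeps verification on; it is the proper fix for the
	// "certificate is not valid for any names" error quoted in the PR description.
	if caPath := opts["mongo_tlsca"]; caPath != "" {
		caPEM, err := os.ReadFile(caPath)
		if err != nil {
			return nil, fmt.Errorf("mongo_tlsca: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("mongo_tlsca: no PEM certificates in " + caPath)
		}
		cfg.RootCAs = pool
	}
	// Client cert and key only make sense as a pair; refuse a half configuration.
	certPath, keyPath := opts["mongo_tlscert"], opts["mongo_tlskey"]
	if (certPath == "") != (keyPath == "") {
		return nil, errors.New("mongo_tlscert and mongo_tlskey must be set together")
	}
	if certPath != "" {
		pair, err := tls.LoadX509KeyPair(certPath, keyPath)
		if err != nil {
			return nil, fmt.Errorf("mongo client certificate: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// writeSelfSignedPEM writes a throwaway self-signed certificate and EC key into dir (constructed test data, not real files).
func writeSelfSignedPEM(dir string) (string, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mongo-example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a key GenerateKey just produced
	certPath, keyPath := filepath.Join(dir, "mongo-cert.pem"), filepath.Join(dir, "mongo-key.pem")
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile(certPath, certPEM, 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, keyPEM, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "mongo-tls-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	certPath, keyPath, err := writeSelfSignedPEM(dir)
	if err != nil {
		panic(err)
	}
	cfg, err := mongoTLSConfig(map[string]string{"mongo_tls": "true", "mongo_tlsca": certPath, "mongo_tlscert": certPath, "mongo_tlskey": keyPath})
	if err != nil {
		panic(err)
	}
	fmt.Printf("root CA set: %v, client certs: %d, skip verify: %v\n", cfg.RootCAs != nil, len(cfg.Certificates), cfg.InsecureSkipVerify)
}
```

The returned config is what the backend would hand to the driver through options.Client().SetTLSConfig. For the "certificate is not valid for any names" error in the description, pointing mongo_tlsca at the CA that issued the server certificate (and giving that certificate a SAN for the host the backend dials) is the fix that keeps verification on; insecureSkipVerify only hides the mismatch and also disables chain validation.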

@iegomez iegomez (Owner) left a comment


Thanks for this PR!
Could you add some tests to ensure changes are working?

README.md: review comment (outdated, resolved)
backends/mongo.go: review comment (outdated, resolved)
@@ -117,7 +143,29 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
}

if m.withTLS {
opts.TLSConfig = &tls.Config{}
log.Infof("mongo backend: tls enabled")
opts.TLSConfig = &tls.Config{
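Review bot: the hunk stops at the opening brace of `opts.TLSConfig = &tls.Config{`, so the fields that replace the old empty `&tls.Config{}` (InsecureSkipVerify plus the CA, client cert and key the description adds) are not visible in this excerpt; when filling them in, make a failed load of mongo_tlsca, mongo_tlscert or mongo_tlskey return an error rather than fall through to an empty config, require cert and key together, and log a warning when InsecureSkipVerify ends up true, because the `log.Infof("mongo backend: tls enabled")` line just above otherwise reads as if verification is on.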
iegomez (Owner):

Could you add new empty lines here and between following if checks to aid readability?

@saharatss (Author):

I updated the code regarding your comments. It's in my second commit. Please check.

Now, I am working on the testing script.
