Fixed MongoDB insecureSkipVerify, Added MongoDB TLS certificate, ca, key

README.md

@@ -1275,8 +1275,11 @@ Options for `mongo` are the following:
 | auth_opt_mongo_users | users | N | User collection |
 | auth_opt_mongo_acls | acls | N | ACL collection |
 | auth_opt_mongo_disable_superuser | true | N | Disable query to check for superuser |
-| auth_opt_mongo_with_tls | false | N | Connect with TLS |
 | auth_opt_mongo_insecure_skip_verify | false | N | Verify server's certificate chain |
+| auth_opt_mongo_tls | false | N | Connect with TLS |
+| auth_opt_mongo_tlsca | "" | N | TLS Certificate Authority (CA) |
+| auth_opt_mongo_tlscert | "" | N | TLS Client Certificate |
+| auth_opt_mongo_tlskey | "" | N | TLS Client Certificate Private Key |
 
 
 If you experience any problem connecting to a replica set, please refer to [this issue](https://github.com/iegomez/mosquitto-go-auth/issues/32).

backends/mongo.go

@@ -3,9 +3,11 @@ package backends
 import (
  "context"
  "crypto/tls"
+ "crypto/x509"
  "fmt"
  "strings"
  "time"
+ "os"
 
  . "github.com/iegomez/mosquitto-go-auth/backends/constants"
  "github.com/iegomez/mosquitto-go-auth/backends/topics"
@@ -30,8 +32,11 @@ type Mongo struct {
  Conn *mongo.Client
  disableSuperuser bool
  hasher hashing.HashComparer
- withTLS bool
  insecureSkipVerify bool
+ withTLS bool
+ TLSCa string
+ TLSCert string
+ TLSKey string
 }
 
 type MongoAcl struct {
@@ -60,8 +65,11 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
  UsersCollection: "users",
  AclsCollection: "acls",
  hasher: hasher,
- withTLS: false,
  insecureSkipVerify: false,
+ withTLS: false,
+ TLSCa: "",
+ TLSCert: "",
+ TLSKey: "",
  }
 
  if authOpts["mongo_disable_superuser"] == "true" {
@@ -100,14 +108,32 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
  m.AclsCollection = aclsCollection
  }
 
- if authOpts["mongo_use_tls"] == "true" {
+ if authOpts["mongo_insecure_skip_verify"] == "true" {
+ m.insecureSkipVerify = true
+ }
+
+ useTlsClientCertificate := false
+
+ if authOpts["mongo_tls"] == "true" {
  m.withTLS = true
  }
 
- if authOpts["mongo_insecure_skip_verify"] == "true" {
- m.insecureSkipVerify = true
+ if TLSCa, ok := authOpts["mongo_tlsca"]; ok {
+ m.TLSCa = TLSCa
+ useTlsClientCertificate = true
  }
 
+ if TLSCert, ok := authOpts["mongo_tlscert"]; ok {
+ m.TLSCert = TLSCert
+ useTlsClientCertificate = true
+ }
+
+ if TLSKey, ok := authOpts["mongo_tlskey"]; ok {
+ m.TLSKey = TLSKey
+ useTlsClientCertificate = true
+ }
+
+
  addr := fmt.Sprintf("mongodb:https://%s:%s", m.Host, m.Port)
 
  to := 60 * time.Second
@@ -117,7 +143,29 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has
  }
 
  if m.withTLS {
- opts.TLSConfig = &tls.Config{}
+ log.Infof("mongo backend: tls enabled")
+ opts.TLSConfig = &tls.Config{
+ InsecureSkipVerify: m.insecureSkipVerify,
+ }
+ if useTlsClientCertificate {
+ caCert, err := os.ReadFile(m.TLSCa)
+ if err != nil {
+ log.Errorf("mongo backend: tls error: %s", err)
+ }
+ caCertPool := x509.NewCertPool()
+ if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+ log.Errorf("mongo backend: tls error: CA file must be in PEM format")
+ }
+ cert, err := tls.LoadX509KeyPair(m.TLSCert, m.TLSKey)
+ if err != nil {
+ log.Errorf("mongo backend: tls error: %s", err)
+ }
+ opts.TLSConfig = &tls.Config{
+ RootCAs: caCertPool,
+ Certificates: []tls.Certificate{cert},
+ InsecureSkipVerify: m.insecureSkipVerify,
+ }
+ }
  }
 
  opts.ApplyURI(addr)