Support TLS for elasticsearch #5134

21 changes: 21 additions & 0 deletions common/auth/testdata/ca.crt
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUKDtHndnyZJWPWmN6pDbf6i6YaYgwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMzExMzAwNTA0MDlaFw0yMzEy
MzAwNTA0MDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDVdCQkheGyNKVsbolQ1Ae+LN6bxxssB3/qcDZgCrUe
L1lAzXrX7QIOi81A96NKQd396N7uQDMcigCjMeKjV54CC3pz0WiZfYWGK0b1u74u
GXaz7QkMC1qrEjRZ8hbiw3Z+lluLleAy3vJMRkw8GjpqxyWk4VMwisGS3UvAWJjJ
73EQkE2/OHkNmmq0MiEqNIUgTdSBGwjIhuRkpT9TBHV53op7nN2shx31FVjR2pGl
F4oNV8itESRURs8tChrMZW2CBK7YRG4JmPJ/cXCx+1mZNbHwbC9grIWQB+9mCTd/
auzUo9chWw/q64NWPNBvlvuuHXMQY2fHdiNiTmWlwK0zAgMBAAGjUzBRMB0GA1Ud
DgQWBBQ8VDnJd6HequH6Mq+3GWt1Xo1UKjAfBgNVHSMEGDAWgBQ8VDnJd6HequH6
Mq+3GWt1Xo1UKjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCl
wCCE+mRZxycA+JH87n7Ngj+RB05jNVNZBoe3ACYFl+/sElDLsu3Fdwf4G9ou/Lvm
CUTShsEBd8bFiZUJ7GKJihLwDJ4XKiArCGKJxwwhTKYP9sh02QsXWI0sZ+7W8nYy
RK3d44ZrIg3ArChPWpGjRkVW/XY7SjlsYLQHSEGkL/9RymTYR2pd9s8Feqkzadlr
JmcEIEdSmmscp3P4I71n7lqWE22T9nRALs9J+Xd2oHnHKk4dq55AzlSp8837iOEO
v/nQg1MR2O8Ocpp2SRlbilmYfxdIk+KesYJeCwSbiLnrcIxwmubAgA7N5V7ZEkZZ
uEcg7LezqBLiETRmFkMN
-----END CERTIFICATE-----
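Review bot: The validity window of this test CA looks very short — the UTCTime run on the fourth and fifth base64 lines (`Fw0yMzExMzAw…` / `Fw0yMzEyMzAw…`) appears to decode to NotBefore 2023-11-30 and NotAfter 2023-12-30, a 30-day lifetime. Once that lapses, every test that validates `localhost.crt` against this CA will fail with a certificate-expired error rather than exercising the verification path it was written for, and a later reader may be tempted to "fix" it by relaxing verification. Consider regenerating the fixture with a multi-year validity (for example `openssl req -x509 -days 3650 …`) and recording the generation commands in a short comment or README next to the testdata so the fixtures can be reproduced. This is inferred from the base64 only, so confirm with `openssl x509 -in ca.crt -noout -dates` before acting on it.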
28 changes: 28 additions & 0 deletions common/auth/testdata/ca.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
22 changes: 22 additions & 0 deletions common/auth/testdata/invalid_ca.crt
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDoDCCAoigAwIBAgIUL1JuLt+GQqcn3JCdcbiLbn0fJ8AwDQYJKoZIhvcNAQEL
BQAwaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1NlYXR0bGUxDTALBgNVBAoTBFVuaXQxDTALBgNVBAsTBFRlc3QxFDASBgNVBAMT
C1VuaXRUZXN0IENBMB4XDTIwMDkxNzE3MzUwMFoXDTI1MDkxNjE3MzUwMFowaDEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0
bGUxDTALBgNVBAoTBFVuaXQxDTALBgNVBAsTBFRlc3QxFDASBgNVBAMTC1VuaXRU
ZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtg59He605eb2
q8FaJrpphESOfrbTGHBXWFN5gCuAIY2eMMGJJqpXDkR3FZJ6LVZaqdVokZi3yTH9
kYnnLHAD2I+7y3Ags0tYfnrlt0hmZ3eyYQHi4cWtVGwiZ2qm2BvLo2U0CdytRJ4Q
3eAT2yTkNvxZoWyHG+Obr6xPPr28vmj7CKqVsKCAHVyjuyrmtIpwdmeiU9Em1SMH
IPKGJICoMxix5sCtujfdRMbSShHDYnRgf2Lvzr1VNffGZKMXzBZzI2gpIfoXhfUS
dvceQ5hYz8zgDchC8mehC7mMv3+zCwz9kFnbibpoIWFq+Fo63xsgsnytYPMv4rim
X0IdpfP6UQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUe3cC/2YkMdfEFTmIb1o83U4Uh1cwDQYJKoZIhvcNAQELBQAD
ggEBACvM5TDoA3AEDYkpYnyl0VZfD7JEXVHByY12xocPs8Lbs4KMKSmPeewGHSnV
++AWEto/ZQcRuUroRGfED4SSy2OKr4hx3BtRcFFFktX8Se0rNkJ+ZHuhTPVud9/M
QtAzyvQedp0WBW2t0oZHCqSNZc/IaXXcqy7hpzK8pKe3NQv2RGGVA2mdCGZ1PNk2
EMxLVxhQDdm3JEbxHBO4+UZn90uCwPFsnkTQf6nwY1+23LsyaxY1YqdyvGO8ctG4
z3RdSm5I3nWi3DDWwNxngYi0+A/MUCAAb0Nz9nIr7w0yRRiXrakXTb9Z8/FXMItq
tnprBs+xac8AUlspL7p+TZdT0WM=
-----END CERTIFICATE-----
20 changes: 20 additions & 0 deletions common/auth/testdata/invalid_localhost.crt
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions common/auth/testdata/invalid_localhost.key
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
20 changes: 20 additions & 0 deletions common/auth/testdata/localhost.crt
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions common/auth/testdata/localhost.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
152 changes: 152 additions & 0 deletions common/auth/tls_config_helper.go
Expand Up @@ -27,11 +27,18 @@ package auth
import (
"crypto/tls"
"crypto/x509"
"encoding/base64"
"encoding/pem"
"errors"
"fmt"
"os"

"go.temporal.io/server/common/log"
"go.temporal.io/server/common/log/tag"
)

var ErrTLSConfig = errors.New("unable to config TLS")

// Helper methods for creating tls.Config structs to ensure MinVersion is 1.3

func NewEmptyTLSConfig() *tls.Config {
Expand Down Expand Up @@ -95,3 +102,148 @@ func tlsCN(state tls.ConnectionState) string {
}
return state.PeerCertificates[0].Subject.CommonName
}

func NewTLSConfig(temporalTls *TLS) (*tls.Config, error) {
if temporalTls == nil || !temporalTls.Enabled {
return nil, nil
}
err := validateTemporalTls(temporalTls)
if err != nil {
return nil, err
}

tlsConfig := &tls.Config{
InsecureSkipVerify: !temporalTls.EnableHostVerification,
}
if temporalTls.ServerName != "" {
tlsConfig.ServerName = temporalTls.ServerName
}

// Load CA cert
caCertPool, err := parseCAs(temporalTls)
if err != nil {
return nil, err
}
if caCertPool != nil {
tlsConfig.RootCAs = caCertPool
}

// Load client cert
clientCert, err := parseClientCert(temporalTls)
if err != nil {
return nil, err
}
if clientCert != nil {
tlsConfig.Certificates = []tls.Certificate{*clientCert}
}

return tlsConfig, nil
}

func validateTemporalTls(temporalTls *TLS) error {
if temporalTls.CertData != "" && temporalTls.CertFile != "" {
return fmt.Errorf("%w: %s", ErrTLSConfig, "only one of certData or certFile properties should be specified")
}

if temporalTls.KeyData != "" && temporalTls.KeyFile != "" {
return fmt.Errorf("%w: %s", ErrTLSConfig, "only one of keyData or keyFile properties should be specified")
}

certProvided := temporalTls.CertData != "" || temporalTls.CertFile != ""
keyProvided := temporalTls.KeyData != "" || temporalTls.KeyFile != ""
if certProvided != keyProvided {
return fmt.Errorf("%w: %s", ErrTLSConfig, "cert or key is missing")
}

if temporalTls.CaData != "" && temporalTls.CaFile != "" {
return fmt.Errorf("%w: %s", ErrTLSConfig, "only one of caData or caFile properties should be specified")
}
return nil
}

func parseCAs(temporalTls *TLS) (*x509.CertPool, error) {
var caBytes []byte
var err error
if temporalTls.CaFile != "" {
caBytes, err = os.ReadFile(temporalTls.CaFile)
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to read client ca file", err)
}
} else if temporalTls.CaData != "" {
caBytes, err = base64.StdEncoding.DecodeString(temporalTls.CaData)
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to decode client ca data", err)
}
}
if len(caBytes) > 0 {
caCertPool := x509.NewCertPool()
caCerts, err := parseCertsFromPEM(caBytes)
if len(caCerts) == 0 {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to parse certs as PEM", err)
}
for _, cert := range caCerts {
caCertPool.AddCert(cert)
}
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to load decoded CA Cert as PEM", err)
}
return caCertPool, nil
}
return nil, nil
}

func parseCertsFromPEM(pemCerts []byte) ([]*x509.Certificate, error) {
for len(pemCerts) > 0 {
var block *pem.Block
block, pemCerts = pem.Decode(pemCerts)
if block == nil {
break
}
if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
continue
}

certBytes := block.Bytes
return x509.ParseCertificates(certBytes)
}
return nil, nil
}

func parseClientCert(temporalTls *TLS) (*tls.Certificate, error) {
var certBytes []byte
var keyBytes []byte
var err error
if temporalTls.CertFile != "" {
certBytes, err = os.ReadFile(temporalTls.CertFile)
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to read client certificate file", err)
}
} else if temporalTls.CertData != "" {
certBytes, err = base64.StdEncoding.DecodeString(temporalTls.CertData)
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to decode client certificate", err)
}
}

if temporalTls.KeyFile != "" {
keyBytes, err = os.ReadFile(temporalTls.KeyFile)
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to read client certificate private key file", err)
}
} else if temporalTls.KeyData != "" {
keyBytes, err = base64.StdEncoding.DecodeString(temporalTls.KeyData)
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to decode client certificate private key", err)
}
}

if len(certBytes) > 0 {
clientCert, err := tls.X509KeyPair(certBytes, keyBytes)
if err != nil {
return nil, fmt.Errorf("%w: %s (%w)", ErrTLSConfig, "unable to generate x509 key pair", err)
}

return &clientCert, nil
}
return nil, nil
}
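Review bot: `tlsConfig := &tls.Config{ InsecureSkipVerify: !temporalTls.EnableHostVerification }` in NewTLSConfig builds a bare config instead of going through the file's own `NewEmptyTLSConfig` (its body is outside this hunk), so the MinVersion 1.3 floor the header comment promises is not applied to the Elasticsearch client; build it as `tlsConfig := NewEmptyTLSConfig()` followed by `tlsConfig.InsecureSkipVerify = !temporalTls.EnableHostVerification`. That same expression also means the zero value of `EnableHostVerification` (a field of the TLS struct, defined outside this hunk) silently disables server certificate verification, so a config that sets `enabled` but omits the flag ends up with no authentication of the Elasticsearch endpoint — if the struct does not default that field to true, at least document the consequence on the field and consider logging a warning when the resulting config has InsecureSkipVerify set. Separately, `parseCertsFromPEM` returns after the first CERTIFICATE block, so a CA bundle containing more than one root only trusts the first one; `if !caCertPool.AppendCertsFromPEM(caBytes) { return nil, fmt.Errorf("%w: %s", ErrTLSConfig, "unable to parse certs as PEM") }` loads them all and makes that helper and the unreachable second `err` check after the loop unnecessary. The message `unable to read client ca file` describes a CA that becomes `RootCAs` (server trust), so `unable to read ca file` is the more accurate wording.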