refactor(pkg/server): tls configuration is moved in command package f…

…rom server Signed-off-by: Michele Meloni <[email protected]>
codenotary · May 7, 2021 · 1819a10 · 1819a10
1 parent 0d3d91e
commit 1819a10
Show file tree

Hide file tree

Showing 14 changed files with 110 additions and 217 deletions.
diff --git a/cmd/immudb/command/cmd_test.go b/cmd/immudb/command/cmd_test.go
@@ -35,7 +35,6 @@ func DefaultTestOptions() (o *server.Options) {
 	o.Pidfile = "tmp/immudbtest/immudbtest.pid"
 	o.Logfile = "immudbtest.log"
 	o.Dir = "tmp/immudbtest/data"
-	o.MTLs = false
 	return o
 }
 
@@ -55,12 +54,12 @@ func TestImmudbCommandFlagParser(t *testing.T) {
 		},
 	}
 	cl := Commandline{}
-	cl.setupFlags(cmd, server.DefaultOptions(), server.DefaultMTLsOptions())
+	cl.setupFlags(cmd, server.DefaultOptions())
 
 	err = viper.BindPFlags(cmd.Flags())
 	assert.Nil(t, err)
 
-	setupDefaults(server.DefaultOptions(), server.DefaultMTLsOptions())
+	setupDefaults(server.DefaultOptions())
 
 	_, err = executeCommand(cmd, "--logfile="+o.Logfile)
 	assert.NoError(t, err)
@@ -91,12 +90,12 @@ func TestImmudbCommandFlagParserPriority(t *testing.T) {
 			return nil
 		},
 	}
-	cl.setupFlags(cmd, server.DefaultOptions(), server.DefaultMTLsOptions())
+	cl.setupFlags(cmd, server.DefaultOptions())
 
 	err = viper.BindPFlags(cmd.Flags())
 	assert.Nil(t, err)
 
-	setupDefaults(server.DefaultOptions(), server.DefaultMTLsOptions())
+	setupDefaults(server.DefaultOptions())
 
 	// 4. config file
 	_, err = executeCommand(cmd)

diff --git a/cmd/immudb/command/init.go b/cmd/immudb/command/init.go
@@ -68,14 +68,19 @@ func parseOptions() (options *server.Options, err error) {
 
 	storeOpts := server.DefaultStoreOptions().WithSynced(synced)
 
+	tlsConfig, err := setUpTLS(pkey, certificate, clientcas, mtls)
+	if err != nil {
+		return options, err
+	}
+
 	options = server.
 		DefaultOptions().
 		WithDir(dir).
 		WithPort(port).
 		WithAddress(address).
 		WithPidfile(pidfile).
 		WithLogfile(logfile).
-		WithMTLs(mtls).
+		WithTls(tlsConfig).
 		WithAuth(auth).
 		WithMaxRecvMsgSize(maxRecvMsgSize).
 		WithNoHistograms(noHistograms).
@@ -87,32 +92,24 @@ func parseOptions() (options *server.Options, err error) {
 		WithStoreOptions(storeOpts).
 		WithTokenExpiryTime(tokenExpTime)
 
-	if mtls {
-		// todo https://golang.org/src/crypto/x509/root_linux.go
-		options.MTLsOptions = server.DefaultMTLsOptions().
-			WithCertificate(certificate).
-			WithPkey(pkey).
-			WithClientCAs(clientcas)
-	}
-
 	return options, nil
 }
 
-func (cl *Commandline) setupFlags(cmd *cobra.Command, options *server.Options, mtlsOptions *server.MTLsOptions) {
+func (cl *Commandline) setupFlags(cmd *cobra.Command, options *server.Options) {
 	cmd.Flags().String("dir", options.Dir, "data folder")
 	cmd.Flags().IntP("port", "p", options.Port, "port number")
 	cmd.Flags().StringP("address", "a", options.Address, "bind address")
 	cmd.PersistentFlags().StringVar(&cl.config.CfgFn, "config", "", "config file (default path are configs or $HOME. Default filename is immudb.toml)")
 	cmd.Flags().String("pidfile", options.Pidfile, "pid path with filename. E.g. /var/run/immudb.pid")
 	cmd.Flags().String("logfile", options.Logfile, "log path with filename. E.g. /tmp/immudb/immudb.log")
-	cmd.Flags().BoolP("mtls", "m", options.MTLs, "enable mutual tls")
-	cmd.Flags().BoolP("auth", "s", options.MTLs, "enable auth")
+	cmd.Flags().BoolP("mtls", "m", false, "enable mutual tls")
+	cmd.Flags().BoolP("auth", "s", false, "enable auth")
 	cmd.Flags().Int("max-recv-msg-size", options.MaxRecvMsgSize, "max message size in bytes the server can receive")
-	cmd.Flags().Bool("no-histograms", options.MTLs, "disable collection of histogram metrics like query durations")
+	cmd.Flags().Bool("no-histograms", false, "disable collection of histogram metrics like query durations")
 	cmd.Flags().BoolP(c.DetachedFlag, c.DetachedShortFlag, options.Detached, "run immudb in background")
-	cmd.Flags().String("certificate", mtlsOptions.Certificate, "server certificate file path")
-	cmd.Flags().String("pkey", mtlsOptions.Pkey, "server private key path")
-	cmd.Flags().String("clientcas", mtlsOptions.ClientCAs, "clients certificates list. Aka certificate authority")
+	cmd.Flags().String("certificate", "", "server certificate file path")
+	cmd.Flags().String("pkey", "", "server private key path")
+	cmd.Flags().String("clientcas", "", "clients certificates list. Aka certificate authority")
 	cmd.Flags().Bool("devmode", options.DevMode, "enable dev mode: accept remote connections without auth")
 	cmd.Flags().String("admin-password", options.AdminPassword, "admin password (default is 'immudb') as plain-text or base64 encoded (must be prefixed with 'enc:' if it is encoded)")
 	cmd.Flags().Bool("maintenance", options.GetMaintenance(), "override the authentication flag")
@@ -121,20 +118,20 @@ func (cl *Commandline) setupFlags(cmd *cobra.Command, options *server.Options, m
 	cmd.Flags().Int("token-expiry-time", options.TokenExpiryTimeMin, "client authentication token expiration time. Minutes")
 }
 
-func setupDefaults(options *server.Options, mtlsOptions *server.MTLsOptions) {
+func setupDefaults(options *server.Options) {
 	viper.SetDefault("dir", options.Dir)
 	viper.SetDefault("port", options.Port)
 	viper.SetDefault("address", options.Address)
 	viper.SetDefault("pidfile", options.Pidfile)
 	viper.SetDefault("logfile", options.Logfile)
-	viper.SetDefault("mtls", options.MTLs)
+	viper.SetDefault("mtls", false)
 	viper.SetDefault("auth", options.GetAuth())
 	viper.SetDefault("max-recv-msg-size", options.MaxRecvMsgSize)
 	viper.SetDefault("no-histograms", options.NoHistograms)
 	viper.SetDefault("detached", options.Detached)
-	viper.SetDefault("certificate", mtlsOptions.Certificate)
-	viper.SetDefault("pkey", mtlsOptions.Pkey)
-	viper.SetDefault("clientcas", mtlsOptions.ClientCAs)
+	viper.SetDefault("certificate", "")
+	viper.SetDefault("pkey", "")
+	viper.SetDefault("clientcas", "")
 	viper.SetDefault("devmode", options.DevMode)
 	viper.SetDefault("admin-password", options.AdminPassword)
 	viper.SetDefault("maintenance", options.GetMaintenance())

diff --git a/cmd/immudb/command/root.go b/cmd/immudb/command/root.go
@@ -44,9 +44,9 @@ Environment variables:
   IMMUDB_MAX_RECV_MSG_SIZE=4194304
   IMMUDB_DETACHED=false
   IMMUDB_CONSISTENCY_CHECK=true
-  IMMUDB_PKEY=./tools/mtls/3_application/private/localhost.key.pem
-  IMMUDB_CERTIFICATE=./tools/mtls/3_application/certs/localhost.cert.pem
-  IMMUDB_CLIENTCAS=./tools/mtls/2_intermediate/certs/ca-chain.cert.pem
+  IMMUDB_PKEY=
+  IMMUDB_CERTIFICATE=
+  IMMUDB_CLIENTCAS=
   IMMUDB_DEVMODE=true
   IMMUDB_MAINTENANCE=false
   IMMUDB_ADMIN_PASSWORD=immudb
@@ -59,13 +59,13 @@ Environment variables:
 		PersistentPreRunE: cl.ConfigChain(nil),
 	}
 
-	cl.setupFlags(cmd, server.DefaultOptions(), server.DefaultMTLsOptions())
+	cl.setupFlags(cmd, server.DefaultOptions())
 
 	if err := viper.BindPFlags(cmd.Flags()); err != nil {
 		return nil, err
 	}
 
-	setupDefaults(server.DefaultOptions(), server.DefaultMTLsOptions())
+	setupDefaults(server.DefaultOptions())
 
 	return cmd, nil
 }

diff --git a/cmd/immudb/command/tls_config.go b/cmd/immudb/command/tls_config.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2021 CodeNotary, Inc. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package immudb
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io/ioutil"
+)
+
+func setUpTLS(pkey, cert, ca string, mtls bool) (*tls.Config, error) {
+	var c *tls.Config
+
+	if cert != "" && pkey != "" {
+		certs, err := tls.LoadX509KeyPair(cert, pkey)
+		if err != nil {
+			return nil, errors.New(fmt.Sprintf("failed to read client certificate or private key: %v", err))
+		}
+		c = &tls.Config{
+			Certificates: []tls.Certificate{certs},
+			ClientAuth:   tls.VerifyClientCertIfGiven,
+		}
+	}
+
+	if mtls {
+		certPool := x509.NewCertPool()
+		// Trusted store, contain the list of trusted certificates. client has to use one of this certificate to be trusted by this server
+		bs, err := ioutil.ReadFile(ca)
+		if err != nil {
+			return nil, errors.New(fmt.Sprintf("failed to read client ca cert: %v", err))
+		}
+
+		ok := certPool.AppendCertsFromPEM(bs)
+		if !ok {
+			return nil, errors.New(fmt.Sprintf("failed to append client certs: %v", err))
+		}
+		c.ClientCAs = certPool
+	}
+
+	return c, nil
+}
diff --git a/configs/immuadmin.toml b/configs/immuadmin.toml
@@ -3,6 +3,6 @@ immudb-port = 3322
 tokenfile = "token_admin"
 mtls = false
 servername = "localhost"
-pkey = "./tools/mtls/4_client/private/localhost.key.pem"
-certificate = "./tools/mtls/4_client/certs/localhost.cert.pem"
-clientcas = "./tools/mtls/2_intermediate/certs/ca-chain.cert.pem"
+pkey = ""
+certificate = ""
+clientcas = ""
diff --git a/configs/immuclient.toml b/configs/immuclient.toml
@@ -4,8 +4,8 @@ auth = true
 tokenfile = "token-0.7.0"
 mtls = false
 servername = "localhost"
-pkey = "./tools/mtls/4_client/private/localhost.key.pem"
-certificate = "./tools/mtls/4_client/certs/localhost.cert.pem"
-clientcas = "./tools/mtls/2_intermediate/certs/ca-chain.cert.pem"
+pkey = ""
+certificate = ""
+clientcas = ""
 audit-signature = "ignore"
 server-signing-pub-key = "" #used to verify signatures
diff --git a/configs/immudb.toml b/configs/immudb.toml
@@ -10,9 +10,9 @@ detached = false
 auth = true
 no-histograms = false
 consistency-check = true
-pkey = "./tools/mtls/3_application/private/localhost.key.pem"
-certificate = "./tools/mtls/3_application/certs/localhost.cert.pem"
-clientcas = "./tools/mtls/2_intermediate/certs/ca-chain.cert.pem"
+pkey = ""
+certificate = ""
+clientcas = ""
 devmode = true
 admin-password = "immudb" # this password is only used once to initialize immudb and can be ignored
 maintenance = false

diff --git a/pkg/server/mtls_options.go b/pkg/server/mtls_options.go
diff --git a/pkg/server/mtls_options_test.go b/pkg/server/mtls_options_test.go
diff --git a/pkg/server/options.go b/pkg/server/options.go
@@ -17,6 +17,7 @@ limitations under the License.
 package server
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net"
 	"strconv"
@@ -41,8 +42,7 @@ type Options struct {
 	Config              string
 	Pidfile             string
 	Logfile             string
-	MTLs                bool
-	MTLsOptions         *MTLsOptions
+	TlsConfig           *tls.Config
 	auth                bool
 	MaxRecvMsgSize      int
 	NoHistograms        bool
@@ -72,8 +72,7 @@ func DefaultOptions() *Options {
 		Config:              "configs/immudb.toml",
 		Pidfile:             "",
 		Logfile:             "",
-		MTLs:                false,
-		MTLsOptions:         &MTLsOptions{},
+		TlsConfig:           &tls.Config{},
 		auth:                true,
 		MaxRecvMsgSize:      1024 * 1024 * 32, // 32Mb
 		NoHistograms:        false,
@@ -144,15 +143,9 @@ func (o *Options) WithLogfile(logfile string) *Options {
 	return o
 }
 
-// WithMTLs sets mtls
-func (o *Options) WithMTLs(MTLs bool) *Options {
-	o.MTLs = MTLs
-	return o
-}
-
-// WithMTLsOptions sets WithMTLsOptions
-func (o *Options) WithMTLsOptions(MTLsOptions *MTLsOptions) *Options {
-	o.MTLsOptions = MTLsOptions
+// WithTls sets tls config
+func (o *Options) WithTls(tls *tls.Config) *Options {
+	o.TlsConfig = tls
 	return o
 }
 
@@ -223,7 +216,6 @@ func (o *Options) String() string {
 	if o.Logfile != "" {
 		opts = append(opts, rightPad("Log file", o.Logfile))
 	}
-	opts = append(opts, rightPad("MTLS enabled", o.MTLs))
 	opts = append(opts, rightPad("Max recv msg size", o.MaxRecvMsgSize))
 	opts = append(opts, rightPad("Auth enabled", o.auth))
 	opts = append(opts, rightPad("Dev mode", o.DevMode))