iegomez / mosquitto-go-auth

Auth plugin for mosquitto.
MIT License

Fixed MongoDB insecureSkipVerify, Added MongoDB TLS certificate, ca, key #309

Open saharatss opened 6 months ago

saharatss commented 6 months ago

1. Inconsistent TLS configuration: To configure TLS for MongoDB, the readme.md says to change the auth_opt_mongo_with_tls option to enable TLS, but the backends/mongo.go file reads mongo_use_tls, which means auth_opt_mongo_use_tls.

So I changed the configuration option key from mongo_use_tls to mongo_tls to be related to other TLS settings.

2. insecureSkipVerify defined but never used: It was defined in both the doc (readme.md) and backends/mongo.go, but it was never used as part of the connection configuration.

This leads to the error below when trying to connect with a self-signed SSL certificate:

time="2024-01-19T03:11:08Z" level=info msg="mongo backend: set authentication db to: mqtt"
time="2024-01-19T03:11:08Z" level=info msg="Backend registered: Mongo"
time="2024-01-19T03:11:08Z" level=info msg="registered acl checker: mongo"
time="2024-01-19T03:11:08Z" level=info msg="registered user checker: mongo"
time="2024-01-19T03:11:08Z" level=info msg="registered superuser checker: mongo"
time="2024-01-19T03:11:08Z" level=info msg="No cache set."
time="2024-01-19T03:16:02Z" level=debug msg="checking user C01103BDFF964C6B9004D5F33EB26208 with backend Mongo"
time="2024-01-19T03:16:32Z" level=debug msg="Mongo get user error: server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: localhost:27017, Type: Unknown, Last error: x509: certificate is not valid for any names, but wanted to match localhost }, ] }"
time="2024-01-19T03:16:32Z" level=error msg="server selection error: server selection timeout, current topology: { Type: Unknown, Servers: [{ Addr: localhost:27017, Type: Unknown, Last error: x509: certificate is not valid for any names, but wanted to match localhost }, ] }"

3. MongoDB Custom Certificates:

From the document MongoDB - Go Driver:

"To successfully initiate a TLS request, your application must present cryptographic certificates to prove its identity. Your application's certificates must be stored as PEM files to enable TLS when connecting."

So, I added the options to pass certificate paths to the module to complete a TLS connection through:

auth_opt_mongo_tlsca for TLS Certificate Authority (CA)
auth_opt_mongo_tlscert for TLS Client Certificate
auth_opt_mongo_tlskey for TLS Client Certificate Private Key
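The option set and the parsed-but-unused insecureSkipVerify flag described above, as an added example that is not code from this PR or from the mosquitto-go-auth project: a standard-library-only Go function that builds the tls.Config from the proposed keys. It assumes the auth_opt_ prefix has already been stripped, that the PEM files have already been read into byte slices, and that the skip-verify key is spelled mongo_insecure_skip_verify (an assumed name; the page does not give it); the self-signed certificate is constructed input so the example runs offline, and handing the config to the driver is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// buildMongoTLSConfig builds the tls.Config the mongo backend hands to the driver.
// Option keys follow the PR (auth_opt_ prefix already stripped by the plugin); the PEM
// bytes are the contents of mongo_tlsca / mongo_tlscert / mongo_tlskey. Nil means no TLS.
func buildMongoTLSConfig(opts map[string]string, caPEM, certPEM, keyPEM []byte) (*tls.Config, error) {
	if opts["mongo_tls"] != "true" {
		return nil, nil
	}
	// The flag the PR found parsed-but-unused is actually applied here (assumed key name).
	cfg := &tls.Config{MinVersion: tls.VersionTLS12,
		InsecureSkipVerify: opts["mongo_insecure_skip_verify"] == "true"}
	if len(caPEM) > 0 { // verify the server against the private CA, not the system roots
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("mongo_tlsca: no PEM certificates found")
		}
	}
	if len(certPEM) > 0 || len(keyPEM) > 0 { // client certificate for mutual TLS
		pair, err := tls.X509KeyPair(certPEM, keyPEM) // errors if either half is missing
		if err != nil {
			return nil, fmt.Errorf("mongo_tlscert/mongo_tlskey: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// constructedPair generates a throwaway self-signed certificate and key in memory:
// constructed sample input so the example runs offline, not data from the project.
func constructedPair() (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}
```

With verification left on (the default) and a CA that does not match the server's name, the driver surfaces exactly the x509 hostname error in the log above; the skip-verify flag only helps once it is actually copied into the config.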

saharatss commented 6 months ago

I updated the code regarding your comments. It's in my second commit. Please check.

Now, I am working on the testing script.