ravendb / ravendb-go-client

MIT License

Connecting to Document Store using a x509 PFX certificate and password #158

Closed david-bergman closed 3 years ago

david-bergman commented 3 years ago

Hi,

I am looking for how to connect to a raven 5 instance using a x509 pfx certificate. I can't find any examples on how to achieve this.

The closest I could get was the below, yet I am getting an error: session.SaveChanges() failed with Forbidden access to

Any assistance here would be greatly appreciated.

func getDocumentStore(databaseName string) (*ravendb.DocumentStore, error) {
    serverNodes := []string{nodeA, nodeB, nodeC}
    store := ravendb.NewDocumentStore(serverNodes, databaseName)

    bytes, err := ioutil.ReadFile("{FILENAME}.pfx")
    if err != nil {
        panic("error reading document store certificate")
    }
    // The raw PFX (PKCS#12) bytes are passed to x509.ParseCertificate, which expects a
    // single DER certificate, and its error is ignored. store.Certificate, the client
    // certificate sent in the TLS handshake, is never set, which is what the server's
    // Forbidden response below is about.
    certificate, err := x509.ParseCertificate(bytes)
    store.TrustStore = certificate

    if err := store.Initialize(); err != nil {
        return nil, err
    }
    return store, nil
}

ayende commented 3 years ago

What was the full error that you got?

david-bergman commented 3 years ago

The API would have returned the forbidden status code here:

    case http.StatusForbidden:
        err = newAuthorizationError("Forbidden access to " + chosenNode.Database + "@" + chosenNode.URL + ", " + request.Method + " " + request.URL.String())

this is my full error.

session.SaveChanges() failed with Forbidden access to tm-gatekeeper@https://c.trackmatic.ravendb.run, GET https://c.trackmatic.ravendb.run/topology?name=tm-gatekeeper

ayende commented 3 years ago

There are still missing details. It should also tell you why it failed. Something like no certificate, unfamiliar certificate, etc.

david-bergman commented 3 years ago

I modified request_executor.go so that it just outputs the response body of the request made.

This is the error in the body:

{"Type":"InvalidAuth","Message":"This server requires client certificate for authentication, but none was provided by the client."}

ayende commented 3 years ago

Thanks, that is very helpful. Can you also send a PR for your change?

Your code is missing the setting of this field, no?

https://github.com/ravendb/ravendb-go-client/blob/master/document_store.go#L30

ayende commented 3 years ago

Here is the full code that you need to run this:

package main

import (
    "crypto/tls"
    "crypto/x509"

    ravendb "github.com/ravendb/ravendb-go-client"
)

func getDocumentStore(databaseName string) (*ravendb.DocumentStore, error) {
    cerPath := "/path/to/client.certificate.crt"
    keyPath := "/path/to/certificate.key"
    // Load the client certificate and its (unencrypted) PEM private key.
    cer, err := tls.LoadX509KeyPair(cerPath, keyPath)
    if err != nil {
        return nil, err
    }
    serverNodes := []string{"https://your-instance-url"}
    store := ravendb.NewDocumentStore(serverNodes, databaseName)
    // The client certificate presented to the server during the TLS handshake.
    store.Certificate = &cer
    // Parse the leaf certificate of the loaded chain for the trust store.
    x509cert, err := x509.ParseCertificate(cer.Certificate[0])
    if err != nil {
        return nil, err
    }
    store.TrustStore = x509cert
    if store.TrustStore == nil {
        panic("nil trust store")
    }
    if err := store.Initialize(); err != nil {
        return nil, err
    }
    return store, nil
}

david-bergman commented 3 years ago

Thanks so much Ayende!

That is exactly what I was looking for, working now.

ayende commented 3 years ago

I also added this to the readme.

On Wed, Sep 16, 2020 at 7:19 PM David Bergman notifications@github.com wrote:

Closed #158 https://github.com/ravendb/ravendb-go-client/issues/158.

david-bergman commented 3 years ago

Great, one thing I did notice is that if there is a passphrase on the certificate, the code will fail.

It will require an override of the loadX509KeyPair function that passes in the passphrase. I was able to implement a working solution for this scenario with the help of the following snippet.

https://play.golang.org/p/8OYTuZtZIQ
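The playground snippet is not reproduced on this page, so the following is an added example (not from the thread and not part of ravendb-go-client) of what such an override can look like: a `loadX509KeyPairWithPassphrase` helper that decrypts a passphrase-protected PEM private key before handing it to `tls.X509KeyPair`, and a `clientLeafCertificate` helper that does the `x509.ParseCertificate(cer.Certificate[0])` step from Oren's snippet while also checking that the certificate carries the clientAuth extended key usage, so a wrong certificate fails at startup instead of as an opaque Forbidden from the server. The function names, the `newEncryptedTestPair` fixture and the "example-client" name are constructed for this example; the passphrase would come from a secret store or environment variable in real use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// loadX509KeyPairWithPassphrase mirrors tls.LoadX509KeyPair but also accepts a PEM key
// with the legacy "Proc-Type: 4,ENCRYPTED" headers. Hypothetical helper, not ravendb-go-client API.
func loadX509KeyPairWithPassphrase(certPEM, keyPEM []byte, passphrase string) (tls.Certificate, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return tls.Certificate{}, errors.New("no PEM block found in key data")
	}
	if x509.IsEncryptedPEMBlock(block) {
		if passphrase == "" {
			return tls.Certificate{}, errors.New("private key is encrypted but no passphrase was supplied")
		}
		der, err := x509.DecryptPEMBlock(block, []byte(passphrase)) // wrong passphrase -> IncorrectPasswordError
		if err != nil {
			return tls.Certificate{}, fmt.Errorf("decrypting private key: %w", err)
		}
		keyPEM = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der}) // plain PEM for X509KeyPair
	}
	return tls.X509KeyPair(certPEM, keyPEM)
}

// clientLeafCertificate parses the leaf (what Oren's snippet assigns to store.TrustStore) and
// rejects certificates lacking the clientAuth EKU, so a wrong cert fails at startup, not as a Forbidden.
func clientLeafCertificate(cer *tls.Certificate) (*x509.Certificate, error) {
	if len(cer.Certificate) == 0 {
		return nil, errors.New("certificate chain is empty")
	}
	leaf, err := x509.ParseCertificate(cer.Certificate[0])
	if err != nil {
		return nil, err
	}
	for _, eku := range leaf.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			return leaf, nil
		}
	}
	return nil, fmt.Errorf("certificate %q lacks the clientAuth extended key usage", leaf.Subject.CommonName)
}

// newEncryptedTestPair constructs a self-signed client certificate and a passphrase-encrypted key in
// memory. Test fixture only: legacy PEM encryption is weak and should not protect real keys.
func newEncryptedTestPair(passphrase string) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-client"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	enc, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", keyDER, []byte(passphrase), x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), pem.EncodeToMemory(enc), nil
}

func main() {
	certPEM, keyPEM, err := newEncryptedTestPair("correct horse") // real passphrase: secret store / env var
	if err != nil {
		panic(err)
	}
	cer, err := loadX509KeyPairWithPassphrase(certPEM, keyPEM, "correct horse")
	if err != nil {
		panic(err)
	}
	leaf, err := clientLeafCertificate(&cer)
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded client certificate for", leaf.Subject.CommonName)
}
```

In a DocumentStore setup the returned `tls.Certificate` goes into `store.Certificate` and the parsed leaf into `store.TrustStore`, exactly as in the snippet above, with `os.ReadFile` supplying the PEM bytes. The `x509.*PEMBlock` functions handle only the legacy OpenSSL PEM encryption; they are deprecated because that scheme is weak, and a real `.pfx` (PKCS#12) file is not supported by the standard library at all. It has to be converted to a PEM certificate and key first (for example with openssl) or parsed with golang.org/x/crypto/pkcs12.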

ayende commented 3 years ago

Thanks, very useful and added to the readme as well.

On Fri, Sep 18, 2020 at 4:39 PM David Bergman notifications@github.com wrote: