Posted to commits@servicecomb.apache.org by ti...@apache.org on 2021/02/19 07:25:00 UTC

[servicecomb-service-center] branch master updated: [SCB-2094]Mongo supports CA certificate verification (#856)

This is an automated email from the ASF dual-hosted git repository.

tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git


The following commit(s) were added to refs/heads/master by this push:
     new dae6b80  [SCB-2094]Mongo supports CA certificate verification (#856)
dae6b80 is described below

commit dae6b806ec1dae0be3c7a8aef1cd0c4482cc2618
Author: robotLJW <79...@qq.com>
AuthorDate: Fri Feb 19 15:24:48 2021 +0800

    [SCB-2094]Mongo supports CA certificate verification (#856)
---
 datasource/mongo/client/common.go |  1 +
 datasource/mongo/client/mongo.go  | 37 +++++++++++++++++++++++++++++++++++--
 datasource/mongo/mongo.go         |  9 +++++++--
 etc/conf/app.yaml                 |  5 +++++
 go.mod                            |  5 +++--
 scripts/build/local.sh            |  1 -
 6 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/datasource/mongo/client/common.go b/datasource/mongo/client/common.go
index e71706a..1fa44d5 100644
--- a/datasource/mongo/client/common.go
+++ b/datasource/mongo/client/common.go
@@ -22,4 +22,5 @@ import (
 var (
 	ErrCollectionsNil = errors.New("collection is nil")
 	ErrOpenDbFailed   = errors.New("open db failed")
+	ErrRootCAMissing  = errors.New("rootCAFile is empty in config file")
 )
diff --git a/datasource/mongo/client/mongo.go b/datasource/mongo/client/mongo.go
index b0739be..3c27476 100644
--- a/datasource/mongo/client/mongo.go
+++ b/datasource/mongo/client/mongo.go
@@ -17,7 +17,10 @@ package client
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"io/ioutil"
 	"time"
 
 	"github.com/apache/servicecomb-service-center/pkg/gopool"
@@ -125,8 +128,38 @@ func (mc *MongoClient) HealthCheck(ctx context.Context) {
 }
 
 func (mc *MongoClient) newClient(ctx context.Context) (err error) {
-	clientOptions := options.Client().ApplyURI(mc.dbconfig.URI)
-	mc.client, err = mongo.Connect(ctx, clientOptions)
+	clientOptions := []*options.ClientOptions{options.Client().ApplyURI(mc.dbconfig.URI)}
+	if mc.dbconfig.SSLEnabled {
+		if mc.dbconfig.RootCA == "" {
+			err = ErrRootCAMissing
+			return
+		}
+		pool := x509.NewCertPool()
+		caCert, err := ioutil.ReadFile(mc.dbconfig.RootCA)
+		if err != nil {
+			err = fmt.Errorf("read ca cert file %s failed", mc.dbconfig.RootCA)
+			log.Error("ca cert :", err)
+			return err
+		}
+		pool.AppendCertsFromPEM(caCert)
+		clientCerts := make([]tls.Certificate, 0)
+		if mc.dbconfig.CertFile != "" && mc.dbconfig.KeyFile != "" {
+			cert, err := tls.LoadX509KeyPair(mc.dbconfig.CertFile, mc.dbconfig.KeyFile)
+			if err != nil {
+				log.Error("load X509 keyPair failed: ", err)
+				return err
+			}
+			clientCerts = append(clientCerts, cert)
+		}
+		tc := &tls.Config{
+			RootCAs:            pool,
+			InsecureSkipVerify: !mc.dbconfig.VerifyPeer,
+			Certificates:       clientCerts,
+		}
+		clientOptions = append(clientOptions, options.Client().SetTLSConfig(tc))
+		log.Info("enabled ssl communication to mongodb")
+	}
+	mc.client, err = mongo.Connect(ctx, clientOptions...)
 	if err != nil {
 		log.Error("failed to connect to mongo", err)
 		if derr := mc.client.Disconnect(ctx); derr != nil {
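Review bot: The boolean returned by `pool.AppendCertsFromPEM(caCert)` on the line after the ReadFile check is discarded, so a rootCAFile that parses to zero certificates leaves the pool empty and the problem only surfaces later as an opaque handshake failure, or not at all when verification is skipped; replace it with `if !pool.AppendCertsFromPEM(caCert) { return fmt.Errorf("no certificates parsed from ca cert file %s", mc.dbconfig.RootCA) }`. Related, `InsecureSkipVerify: !mc.dbconfig.VerifyPeer` together with the `verifyPeer` default of false in initClient (the datasource/mongo/mongo.go hunk) and in etc/conf/app.yaml means the CA just loaded is never consulted unless the operator opts in, so enabling sslEnabled alone encrypts the connection but does not authenticate the server; consider defaulting verifyPeer to true, or at least logging at warning level when the resulting config has InsecureSkipVerify set. The ReadFile error branch also replaces the underlying error instead of wrapping it, dropping the cause; `err = fmt.Errorf("read ca cert file %s: %w", mc.dbconfig.RootCA, err)` keeps it. newClient's body continues past the hunk.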
diff --git a/datasource/mongo/mongo.go b/datasource/mongo/mongo.go
index 731704c..b4a8ce1 100644
--- a/datasource/mongo/mongo.go
+++ b/datasource/mongo/mongo.go
@@ -86,8 +86,13 @@ func (ds *DataSource) initPlugins() error {
 }
 
 func (ds *DataSource) initClient() error {
-	uri := config.GetString("registry.mongo.cluster.uri", "mongodb://localhost:27017", config.WithStandby("manager_cluster"))
-	cfg := storage.NewConfig(uri)
+	uri := config.GetString("registry.mongo.cluster.uri", "mongodb://localhost:27017")
+	sslEnable := config.GetBool("registry.mongo.cluster.sslEnabled", false)
+	rootCA := config.GetString("registry.mongo.cluster.rootCAFile", "/opt/ssl/ca.crt")
+	verifyPeer := config.GetBool("registry.mongo.cluster.verifyPeer", false)
+	certFile := config.GetString("registry.mongo.cluster.certFile", "")
+	keyFile := config.GetString("registry.mongo.cluster.keyFile", "")
+	cfg := storage.NewConfig(uri, storage.SSLEnabled(sslEnable), storage.RootCA(rootCA), storage.VerifyPeer(verifyPeer), storage.CertFile(certFile), storage.KeyFile(keyFile))
 	client.NewMongoClient(cfg)
 	select {
 	case err := <-client.GetMongoClient().Err():
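Review bot: The uri lookup on the first added line drops the `config.WithStandby("manager_cluster")` option that the replaced line carried, which appears to be a fallback configuration key; deployments still relying on it would presumably fall back to `mongodb://localhost:27017` without any error, so if the removal is intentional it should be called out in the commit message, otherwise the option should be restored. The single-line `storage.NewConfig(uri, storage.SSLEnabled(sslEnable), ...)` call with five functional options is hard to scan and review; one option per line would match the style of the lookups above it. initClient continues past the hunk.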
diff --git a/etc/conf/app.yaml b/etc/conf/app.yaml
index 82b2f50..1bd7719 100644
--- a/etc/conf/app.yaml
+++ b/etc/conf/app.yaml
@@ -96,6 +96,11 @@ registry:
       timeout: 10
     cluster:
       uri: mongodb://localhost:27017
+      sslEnabled: false
+      rootCAFile: /opt/ssl/ca.crt
+      verifyPeer: false
+      certFile: /opt/ssl/client.crt
+      keyFile: /opt/ssl/client.key
 
   service:
     # enable the job clear the microservices which deploy no instance
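Review bot: The five new keys under `cluster:` carry no explanatory comment, although this file annotates neighbouring settings (see the `# enable the job clear ...` line just below). Suggest a comment on `verifyPeer` such as `# verifyPeer: when false the server certificate is not checked against rootCAFile`, and one above `certFile` noting that `certFile` and `keyFile` are optional client credentials that are only used when both are set.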
diff --git a/go.mod b/go.mod
index 552ce00..1f1de6c 100644
--- a/go.mod
+++ b/go.mod
@@ -19,8 +19,8 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-chassis/cari v0.0.2-0.20210208095358-3bccdf2ce456
 	github.com/go-chassis/foundation v0.2.2
-	github.com/go-chassis/go-archaius v1.3.6-0.20201130023516-387922b408d0
-	github.com/go-chassis/go-chassis/v2 v2.1.1-0.20201208095114-93feb76fd997
+	github.com/go-chassis/go-archaius v1.3.6-0.20201210061741-7450779aaeb8
+	github.com/go-chassis/go-chassis/v2 v2.1.1-0.20210218100404-85e04ad6bd31
 	github.com/go-chassis/kie-client v0.0.0-20210122061843-eee856b0a9af
 	github.com/golang/protobuf v1.4.2
 	github.com/gorilla/websocket v1.4.2
@@ -34,6 +34,7 @@ require (
 	github.com/karlseguin/expect v1.0.7 // indirect
 	github.com/labstack/echo/v4 v4.1.18-0.20201218141459-936c48a17e97
 	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/mitchellh/mapstructure v1.3.3 // indirect
 	github.com/natefinch/lumberjack v0.0.0-20170531160350-a96e63847dc3
 	github.com/olekukonko/tablewriter v0.0.0-20180506121414-d4647c9c7a84
 	github.com/onsi/ginkgo v1.14.0
diff --git a/scripts/build/local.sh b/scripts/build/local.sh
index 2dfb536..ba76d94 100644
--- a/scripts/build/local.sh
+++ b/scripts/build/local.sh
@@ -16,7 +16,6 @@
 # limitations under the License.
 
 set -e
-export GOPROXY=https://goproxy.io
 export GOOS=${1:-"linux"}
 export GOARCH=${4:-"amd64"}
 export CGO_ENABLED=${CGO_ENABLED:-0} # prevent to compile cgo file