You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by mm...@apache.org on 2022/10/01 15:29:08 UTC

[pulsar-client-go] branch master updated: Add TLS transport config (#855)

This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar-client-go.git


The following commit(s) were added to refs/heads/master by this push:
     new fce0cb0  Add TLS transport config (#855)
fce0cb0 is described below

commit fce0cb0695b5c2c22133f912395762b2ff33a9d4
Author: Zixuan Liu <no...@gmail.com>
AuthorDate: Sat Oct 1 23:29:02 2022 +0800

    Add TLS transport config (#855)
    
    * Add TLS transport config
    
    Signed-off-by: Zixuan Liu <no...@gmail.com>
    
    * Fix style
    
    Signed-off-by: Zixuan Liu <no...@gmail.com>
    
    Signed-off-by: Zixuan Liu <no...@gmail.com>
---
 pulsar/client.go               |  6 ++++++
 pulsar/client_impl.go          |  2 ++
 pulsar/client_impl_test.go     | 35 +++++++++++++++++++++++++++++++++++
 pulsar/internal/connection.go  | 10 ++++++++++
 pulsar/internal/http_client.go |  8 ++++++++
 5 files changed, 61 insertions(+)

diff --git a/pulsar/client.go b/pulsar/client.go
index 22b12ef..29a582f 100644
--- a/pulsar/client.go
+++ b/pulsar/client.go
@@ -105,6 +105,12 @@ type ClientOptions struct {
 	// Example: `Authentication: NewAuthenticationTLS("my-cert.pem", "my-key.pem")`
 	Authentication
 
+	// Set the path to the TLS key file
+	TLSKeyFilePath string
+
+	// Set the path to the TLS certificate file
+	TLSCertificateFile string
+
 	// Set the path to the trusted TLS certificate file
 	TLSTrustCertsFilePath string
 
diff --git a/pulsar/client_impl.go b/pulsar/client_impl.go
index e7fa642..712e197 100644
--- a/pulsar/client_impl.go
+++ b/pulsar/client_impl.go
@@ -71,6 +71,8 @@ func newClient(options ClientOptions) (Client, error) {
 	case "pulsar+ssl", "https":
 		tlsConfig = &internal.TLSOptions{
 			AllowInsecureConnection: options.TLSAllowInsecureConnection,
+			KeyFile:                 options.TLSKeyFilePath,
+			CertFile:                options.TLSCertificateFile,
 			TrustCertsFilePath:      options.TLSTrustCertsFilePath,
 			ValidateHostname:        options.TLSValidateHostname,
 		}
diff --git a/pulsar/client_impl_test.go b/pulsar/client_impl_test.go
index ba8f6eb..c98a542 100644
--- a/pulsar/client_impl_test.go
+++ b/pulsar/client_impl_test.go
@@ -1066,3 +1066,38 @@ func TestHTTPSBasicAuth(t *testing.T) {
 
 	client.Close()
 }
+
+func testTLSTransportWithBasicAuth(t *testing.T, url string) {
+	t.Helper()
+
+	basicAuth, err := NewAuthenticationBasic("admin", "123456")
+	require.NoError(t, err)
+	require.NotNil(t, basicAuth)
+
+	client, err := NewClient(ClientOptions{
+		URL:                   url,
+		TLSCertificateFile:    tlsClientCertPath,
+		TLSKeyFilePath:        tlsClientKeyPath,
+		TLSTrustCertsFilePath: caCertsPath,
+		Authentication:        basicAuth,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, client)
+
+	producer, err := client.CreateProducer(ProducerOptions{
+		Topic: newTopicName(),
+	})
+
+	require.NoError(t, err)
+	require.NotNil(t, producer)
+
+	client.Close()
+}
+
+func TestServiceUrlTLSWithTLSTransportWithBasicAuth(t *testing.T) {
+	testTLSTransportWithBasicAuth(t, serviceURLTLS)
+}
+
+func TestWebServiceUrlTLSWithTLSTransportWithBasicAuth(t *testing.T) {
+	testTLSTransportWithBasicAuth(t, webServiceURLTLS)
+}
diff --git a/pulsar/internal/connection.go b/pulsar/internal/connection.go
index 4196396..6a410a2 100644
--- a/pulsar/internal/connection.go
+++ b/pulsar/internal/connection.go
@@ -47,6 +47,8 @@ const (
 )
 
 type TLSOptions struct {
+	KeyFile                 string
+	CertFile                string
 	TrustCertsFilePath      string
 	AllowInsecureConnection bool
 	ValidateHostname        bool
@@ -982,6 +984,14 @@ func (c *connection) getTLSConfig() (*tls.Config, error) {
 		tlsConfig.ServerName = c.physicalAddr.Hostname()
 	}
 
+	if c.tlsOptions.CertFile != "" || c.tlsOptions.KeyFile != "" {
+		cert, err := tls.LoadX509KeyPair(c.tlsOptions.CertFile, c.tlsOptions.KeyFile)
+		if err != nil {
+			return nil, errors.New(err.Error())
+		}
+		tlsConfig.Certificates = []tls.Certificate{cert}
+	}
+
 	cert, err := c.auth.GetTLSCertificate()
 	if err != nil {
 		return nil, err
diff --git a/pulsar/internal/http_client.go b/pulsar/internal/http_client.go
index 8c494dc..3c68dac 100644
--- a/pulsar/internal/http_client.go
+++ b/pulsar/internal/http_client.go
@@ -345,6 +345,14 @@ func getDefaultTransport(tlsConfig *TLSOptions) (http.RoundTripper, error) {
 			cfg.RootCAs = x509.NewCertPool()
 			cfg.RootCAs.AppendCertsFromPEM(rootCA)
 		}
+
+		if tlsConfig.CertFile != "" || tlsConfig.KeyFile != "" {
+			cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
+			if err != nil {
+				return nil, errors.New(err.Error())
+			}
+			cfg.Certificates = []tls.Certificate{cert}
+		}
 		transport.TLSClientConfig = cfg
 	}
 	transport.MaxIdleConnsPerHost = 10