Skip to content

Commit

Permalink
nsqd: use --tls-root-ca-file in nsqauth request
Browse files Browse the repository at this point in the history
Fix #1464
  • Loading branch information
intellitrend-team committed Nov 6, 2023
1 parent 1d183d9 commit eb27dd5
Show file tree
Hide file tree
Showing 3 changed files with 38 additions and 9 deletions.
9 changes: 5 additions & 4 deletions internal/auth/authorizations.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package auth

import (
"crypto/tls"
"errors"
"fmt"
"math/rand"
Expand Down Expand Up @@ -75,13 +76,13 @@ func (a *State) IsExpired() bool {
}

func QueryAnyAuthd(authd []string, remoteIP string, tlsEnabled bool, commonName string, authSecret string,
connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
clientTLSConfig *tls.Config, connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
var retErr error
start := rand.Int()
n := len(authd)
for i := 0; i < n; i++ {
a := authd[(i+start)%n]
authState, err := QueryAuthd(a, remoteIP, tlsEnabled, commonName, authSecret, connectTimeout, requestTimeout)
authState, err := QueryAuthd(a, remoteIP, tlsEnabled, commonName, authSecret, clientTLSConfig, connectTimeout, requestTimeout)
if err != nil {
es := fmt.Sprintf("failed to auth against %s - %s", a, err)
if retErr != nil {
Expand All @@ -96,7 +97,7 @@ func QueryAnyAuthd(authd []string, remoteIP string, tlsEnabled bool, commonName
}

func QueryAuthd(authd string, remoteIP string, tlsEnabled bool, commonName string, authSecret string,
connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
clientTLSConfig *tls.Config, connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
v := url.Values{}
v.Set("remote_ip", remoteIP)
if tlsEnabled {
Expand All @@ -115,7 +116,7 @@ func QueryAuthd(authd string, remoteIP string, tlsEnabled bool, commonName strin
}

var authState State
client := http_api.NewClient(nil, connectTimeout, requestTimeout)
client := http_api.NewClient(clientTLSConfig, connectTimeout, requestTimeout)
if err := client.GETV1(endpoint, &authState); err != nil {
return nil, err
}
Expand Down
1 change: 1 addition & 0 deletions nsqd/client_v2.go
Original file line number Diff line number Diff line change
Expand Up @@ -657,6 +657,7 @@ func (c *clientV2) QueryAuthd() error {

authState, err := auth.QueryAnyAuthd(c.nsqd.getOpts().AuthHTTPAddresses,
remoteIP, tlsEnabled, commonName, c.AuthSecret,
c.nsqd.clientTLSConfig,
c.nsqd.getOpts().HTTPClientConnectTimeout,
c.nsqd.getOpts().HTTPClientRequestTimeout)
if err != nil {
Expand Down
37 changes: 32 additions & 5 deletions nsqd/nsqd.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,11 +57,12 @@ type NSQD struct {

lookupPeers atomic.Value

tcpServer *tcpServer
tcpListener net.Listener
httpListener net.Listener
httpsListener net.Listener
tlsConfig *tls.Config
tcpServer *tcpServer
tcpListener net.Listener
httpListener net.Listener
httpsListener net.Listener
tlsConfig *tls.Config
clientTLSConfig *tls.Config

poolSize int

Expand Down Expand Up @@ -128,6 +129,12 @@ func New(opts *Options) (*NSQD, error) {
}
n.tlsConfig = tlsConfig

clientTLSConfig, err := buildClientTLSConfig(opts)
if err != nil {
return nil, fmt.Errorf("failed to build client TLS config - %s", err)
}
n.clientTLSConfig = clientTLSConfig

for _, v := range opts.E2EProcessingLatencyPercentiles {
if v <= 0 || v > 1 {
return nil, fmt.Errorf("invalid E2E processing latency percentile: %v", v)
Expand Down Expand Up @@ -759,6 +766,26 @@ func buildTLSConfig(opts *Options) (*tls.Config, error) {
return tlsConfig, nil
}

func buildClientTLSConfig(opts *Options) (*tls.Config, error) {
tlsConfig := &tls.Config{
MinVersion: opts.TLSMinVersion,
}

if opts.TLSRootCAFile != "" {
tlsCertPool := x509.NewCertPool()
caCertFile, err := os.ReadFile(opts.TLSRootCAFile)
if err != nil {
return nil, err
}
if !tlsCertPool.AppendCertsFromPEM(caCertFile) {
return nil, errors.New("failed to append certificate to pool")
}
tlsConfig.RootCAs = tlsCertPool
}

return tlsConfig, nil
}

func (n *NSQD) IsAuthEnabled() bool {
return len(n.getOpts().AuthHTTPAddresses) != 0
}
Expand Down

0 comments on commit eb27dd5

Please sign in to comment.