From eb27dd5c0102d641c758ce59297eb2a17e955ff0 Mon Sep 17 00:00:00 2001
From: IntelliTrend Team <43295941+intellitrend-team@users.noreply.github.com>
Date: Mon, 6 Nov 2023 12:56:53 +0100
Subject: [PATCH] nsqd: use --tls-root-ca-file in nsqauth request
Fix #1464
---
 internal/auth/authorizations.go | 9 ++++----
 nsqd/client_v2.go | 1 +
 nsqd/nsqd.go | 37 ++++++++++++++++++++++++++++-----
 3 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/internal/auth/authorizations.go b/internal/auth/authorizations.go
index 449ebc9aa..0105d41f8 100644
--- a/internal/auth/authorizations.go
+++ b/internal/auth/authorizations.go
@@ -1,6 +1,7 @@
 package auth
 import (
+ "crypto/tls"
 "errors"
 "fmt"
 "math/rand"
@@ -75,13 +76,13 @@ func (a *State) IsExpired() bool {
 }
 func QueryAnyAuthd(authd []string, remoteIP string, tlsEnabled bool, commonName string, authSecret string,
- connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
+ clientTLSConfig *tls.Config, connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
 var retErr error
 start := rand.Int()
 n := len(authd)
 for i := 0; i < n; i++ {
 a := authd[(i+start)%n]
- authState, err := QueryAuthd(a, remoteIP, tlsEnabled, commonName, authSecret, connectTimeout, requestTimeout)
+ authState, err := QueryAuthd(a, remoteIP, tlsEnabled, commonName, authSecret, clientTLSConfig, connectTimeout, requestTimeout)
 if err != nil {
 es := fmt.Sprintf("failed to auth against %s - %s", a, err)
 if retErr != nil {
@@ -96,7 +97,7 @@ func QueryAnyAuthd(authd []string, remoteIP string, tlsEnabled bool, commonName
 }
 func QueryAuthd(authd string, remoteIP string, tlsEnabled bool, commonName string, authSecret string,
- connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
+ clientTLSConfig *tls.Config, connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
 v := url.Values{}
 v.Set("remote_ip", remoteIP)
 if tlsEnabled { 
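Review bot: The new signature of QueryAnyAuthd places two unrelated TLS inputs side by side without a doc comment — `tlsEnabled` describes the producer's connection to nsqd (it appears to be forwarded to the auth server as a query parameter, see the `v.Set` calls just below), while `clientTLSConfig` governs nsqd's own HTTPS connection to the auth server — and the same applies to QueryAuthd in the next hunk (@@ -96). Both are exported and currently undocumented. Suggest `// QueryAnyAuthd queries the authd addresses in random order and returns the first State obtained. tlsEnabled and commonName describe the client's connection to nsqd and are reported to authd; clientTLSConfig is used for nsqd's own connection to authd and is handed to http_api.NewClient unchanged.` with a matching one-liner on QueryAuthd. The bodies of both functions continue past their hunks.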
@@ -115,7 +116,7 @@ func QueryAuthd(authd string, remoteIP string, tlsEnabled bool, commonName strin
 }
 var authState State
- client := http_api.NewClient(nil, connectTimeout, requestTimeout)
+ client := http_api.NewClient(clientTLSConfig, connectTimeout, requestTimeout)
 if err := client.GETV1(endpoint, &authState); err != nil {
 return nil, err
 }
diff --git a/nsqd/client_v2.go b/nsqd/client_v2.go
index ec2f65e20..32250e72c 100644
--- a/nsqd/client_v2.go
+++ b/nsqd/client_v2.go
@@ -657,6 +657,7 @@ func (c *clientV2) QueryAuthd() error {
 authState, err := auth.QueryAnyAuthd(c.nsqd.getOpts().AuthHTTPAddresses,
 remoteIP, tlsEnabled, commonName, c.AuthSecret,
+ c.nsqd.clientTLSConfig,
 c.nsqd.getOpts().HTTPClientConnectTimeout,
 c.nsqd.getOpts().HTTPClientRequestTimeout)
 if err != nil {
diff --git a/nsqd/nsqd.go b/nsqd/nsqd.go
index 372b23f84..04404c5cc 100644
--- a/nsqd/nsqd.go
+++ b/nsqd/nsqd.go
@@ -57,11 +57,12 @@ type NSQD struct {
 lookupPeers atomic.Value
- tcpServer *tcpServer
- tcpListener net.Listener
- httpListener net.Listener
- httpsListener net.Listener
- tlsConfig *tls.Config
+ tcpServer *tcpServer
+ tcpListener net.Listener
+ httpListener net.Listener
+ httpsListener net.Listener
+ tlsConfig *tls.Config
+ clientTLSConfig *tls.Config
 poolSize int
@@ -128,6 +129,12 @@ func New(opts *Options) (*NSQD, error) {
 }
 n.tlsConfig = tlsConfig
+ clientTLSConfig, err := buildClientTLSConfig(opts)
+ if err != nil {
+ return nil, fmt.Errorf("failed to build client TLS config - %s", err)
+ }
+ n.clientTLSConfig = clientTLSConfig
+
 for _, v := range opts.E2EProcessingLatencyPercentiles {
 if v <= 0 || v > 1 {
 return nil, fmt.Errorf("invalid E2E processing latency percentile: %v", v)
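Review bot: `fmt.Errorf("failed to build client TLS config - %s", err)` in New flattens the cause; with `%w` a caller can still reach the `*os.PathError` from os.ReadFile through errors.As when the CA file is missing or unreadable. The call also runs unconditionally, so a bad --tls-root-ca-file now aborts startup even when AuthHTTPAddresses is empty and the config is never used; that is defensible, but deserves a one-line comment, and if buildTLSConfig just above already parses the same file for the listener the pool could be built once and shared rather than read twice. New's body continues outside the hunk.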
@@ -759,6 +766,26 @@ func buildTLSConfig(opts *Options) (*tls.Config, error) {
 return tlsConfig, nil
 }
+func buildClientTLSConfig(opts *Options) (*tls.Config, error) {
+ tlsConfig := &tls.Config{
+ MinVersion: opts.TLSMinVersion,
+ }
+
+ if opts.TLSRootCAFile != "" {
+ tlsCertPool := x509.NewCertPool()
+ caCertFile, err := os.ReadFile(opts.TLSRootCAFile)
+ if err != nil {
+ return nil, err
+ }
+ if !tlsCertPool.AppendCertsFromPEM(caCertFile) {
+ return nil, errors.New("failed to append certificate to pool")
+ }
+ tlsConfig.RootCAs = tlsCertPool
+ }
+
+ return tlsConfig, nil
+}
+
 func (n *NSQD) IsAuthEnabled() bool {
 return len(n.getOpts().AuthHTTPAddresses) != 0
 }
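Review bot: buildClientTLSConfig has no comment stating that assigning `RootCAs` replaces the system trust store for the outbound connection: with --tls-root-ca-file set, only that CA is trusted for the authd request and an authd presenting a publicly issued certificate will fail verification, whereas with the flag unset the system roots apply. Suggest `// buildClientTLSConfig builds the TLS config nsqd uses as an HTTPS client (the authd request). When TLSRootCAFile is set it is the only trusted root; system roots are not consulted.` The pool error also drops the file name — `return nil, fmt.Errorf("no PEM certificates found in root CA file %q", opts.TLSRootCAFile)` makes a startup failure self-explanatory. If buildTLSConfig (above this hunk) also consumes TLSRootCAFile for the listener, the flag now acts as trust anchor in both directions, which its help text should say.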