
Commit 232322a

committed
add support for TLS on database connections
1 parent a3a3950 commit 232322a


1 file changed

+42
-0
lines changed


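--- a/base/options.go
+++ b/base/options.go
@@ -1,10 +1,16 @@
 package base
 
 import (
+"crypto/tls"
+"crypto/x509"
+"errors"
 "flag"
+"fmt"
 "os"
 "os/exec"
+"strings"
 
+"github.com/go-sql-driver/mysql"
 "github.com/keybase/go-keybase-chat-bot/kbchat"
 )
 
@@ -40,6 +46,7 @@ func NewOptions() *Options {
 }
 
 func (o *Options) Parse(fs *flag.FlagSet, argv []string) error {
+var mysqlTLSCA string
 fs.StringVar(&o.KeybaseLocation, "keybase", "keybase", "keybase command")
 fs.StringVar(&o.Home, "home", "", "Home directory")
 fs.StringVar(&o.Announcement, "announcement", os.Getenv("BOT_ANNOUNCEMENT"),
@@ -48,6 +55,7 @@ func (o *Options) Parse(fs *flag.FlagSet, argv []string) error {
 "Conversation name or ID to report errors to")
 fs.StringVar(&o.DSN, "dsn", os.Getenv("BOT_DSN"), "Bot database DSN")
 fs.StringVar(&o.MultiDSN, "multi-dsn", os.Getenv("BOT_MULTI_DSN"), "Bot multi coordination database DSN")
+fs.StringVar(&mysqlTLSCA, "mysql-tls-ca", os.Getenv("BOT_MYSQL_TLS_CA"), "Bot MySQL TLS CA")
 fs.StringVar(&o.StathatEZKey, "stathat-ezkey", os.Getenv("BOT_STATHAT_EZKEY"), "Bot stathat ezkey")
 fs.BoolVar(&o.ReadSelf, "read-self", false, "Allow the bot to read it's own messages")
 
@@ -60,6 +68,40 @@ func (o *Options) Parse(fs *flag.FlagSet, argv []string) error {
 if err := fs.Parse(argv[1:]); err != nil {
 return err
 }
+
+// configure TLS CAs if specified
+if mysqlTLSCA != "" {
+if err := o.configureMySQLTLS(mysqlTLSCA); err != nil {
+return err
+}
+}
+return nil
+}
+
+func (o *Options) addTLSToDSN(dsn string, tlsConfigName string) string {
+if strings.Contains(dsn, "?") {
+return dsn + "&tls=" + tlsConfigName
+}
+return dsn + "?tls=" + tlsConfigName
+}
+
+func (o *Options) configureMySQLTLS(mysqlTLSCA string) error {
+rootCAs := x509.NewCertPool()
+if !rootCAs.AppendCertsFromPEM([]byte(mysqlTLSCA)) {
+return errors.New("unable to load MySQL TLS CAs")
+}
+tlsConfig := &tls.Config{
+RootCAs: rootCAs,
+MinVersion: tls.VersionTLS12,
+}
+configName := "bot-mysql-tls"
+if err := mysql.RegisterTLSConfig(configName, tlsConfig); err != nil {
+return fmt.Errorf("error registering MySQL TLS config: %s", err)
+}
+
+o.DSN = o.addTLSToDSN(o.DSN, configName)
+o.MultiDSN = o.addTLSToDSN(o.MultiDSN, configName)
+
 return nil
 }
 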
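Review bot: addTLSToDSN turns an empty DSN into `?tls=bot-mysql-tls`, so when `-multi-dsn` (or `-dsn`) is left unset, configureMySQLTLS rewrites it into a non-empty but invalid DSN and any downstream "is this configured" check on the empty string presumably stops working; add `if dsn == "" { return dsn }` at the top of addTLSToDSN. The same helper appends a second `tls=` parameter when the DSN already carries one; parsing with `mysql.ParseDSN`, setting `cfg.TLSConfig = tlsConfigName` and returning `cfg.FormatDSN()` would validate the DSN and avoid the string surgery. Two smaller points: the `fmt.Errorf(... %s, err)` in configureMySQLTLS should wrap with `%w` so callers can use errors.Is/As, and the flag help `"Bot MySQL TLS CA"` should say the value is the PEM-encoded certificate text itself (AppendCertsFromPEM is fed the string directly), since a user passing a file path will get only "unable to load MySQL TLS CAs". Pinning MinVersion to TLS 1.2 and using RootCAs rather than InsecureSkipVerify is the right shape; a comment next to the tls.Config noting that hostname verification depends on the driver deriving ServerName from the DSN host (which recent go-sql-driver versions do, as far as I can tell) would save the next reader from re-checking that.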
