Merge pull request #1473 from intellitrend-team/fix-nsqauth-tls-root-ca-file

mreiferson · web-flow · commit c3941e19d4f3 · 2023-12-26T10:17:47.000-08:00
nsqd: use --tls-root-ca-file in nsqauth request
diff --git a/internal/auth/authorizations.go b/internal/auth/authorizations.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"math/rand"
@@ -75,13 +76,13 @@ func (a *State) IsExpired() bool {
 }
 
 func QueryAnyAuthd(authd []string, remoteIP string, tlsEnabled bool, commonName string, authSecret string,
-	connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
+	clientTLSConfig *tls.Config, connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
 	var retErr error
 	start := rand.Int()
 	n := len(authd)
 	for i := 0; i < n; i++ {
 		a := authd[(i+start)%n]
-		authState, err := QueryAuthd(a, remoteIP, tlsEnabled, commonName, authSecret, connectTimeout, requestTimeout)
+		authState, err := QueryAuthd(a, remoteIP, tlsEnabled, commonName, authSecret, clientTLSConfig, connectTimeout, requestTimeout)
 		if err != nil {
 			es := fmt.Sprintf("failed to auth against %s - %s", a, err)
 			if retErr != nil {
@@ -96,7 +97,7 @@ func QueryAnyAuthd(authd []string, remoteIP string, tlsEnabled bool, commonName
 }
 
 func QueryAuthd(authd string, remoteIP string, tlsEnabled bool, commonName string, authSecret string,
-	connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
+	clientTLSConfig *tls.Config, connectTimeout time.Duration, requestTimeout time.Duration) (*State, error) {
 	v := url.Values{}
 	v.Set("remote_ip", remoteIP)
 	if tlsEnabled {
@@ -115,7 +116,7 @@ func QueryAuthd(authd string, remoteIP string, tlsEnabled bool, commonName strin
 	}
 
 	var authState State
-	client := http_api.NewClient(nil, connectTimeout, requestTimeout)
+	client := http_api.NewClient(clientTLSConfig, connectTimeout, requestTimeout)
 	if err := client.GETV1(endpoint, &authState); err != nil {
 		return nil, err
 	}
diff --git a/nsqd/client_v2.go b/nsqd/client_v2.go
@@ -657,6 +657,7 @@ func (c *clientV2) QueryAuthd() error {
 
 	authState, err := auth.QueryAnyAuthd(c.nsqd.getOpts().AuthHTTPAddresses,
 		remoteIP, tlsEnabled, commonName, c.AuthSecret,
+		c.nsqd.clientTLSConfig,
 		c.nsqd.getOpts().HTTPClientConnectTimeout,
 		c.nsqd.getOpts().HTTPClientRequestTimeout)
 	if err != nil {
diff --git a/nsqd/nsqd.go b/nsqd/nsqd.go
@@ -57,11 +57,12 @@ type NSQD struct {
 
 	lookupPeers atomic.Value
 
-	tcpServer     *tcpServer
-	tcpListener   net.Listener
-	httpListener  net.Listener
-	httpsListener net.Listener
-	tlsConfig     *tls.Config
+	tcpServer       *tcpServer
+	tcpListener     net.Listener
+	httpListener    net.Listener
+	httpsListener   net.Listener
+	tlsConfig       *tls.Config
+	clientTLSConfig *tls.Config
 
 	poolSize int
 
@@ -128,6 +129,12 @@ func New(opts *Options) (*NSQD, error) {
 	}
 	n.tlsConfig = tlsConfig
 
+	clientTLSConfig, err := buildClientTLSConfig(opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build client TLS config - %s", err)
+	}
+	n.clientTLSConfig = clientTLSConfig
+
 	for _, v := range opts.E2EProcessingLatencyPercentiles {
 		if v <= 0 || v > 1 {
 			return nil, fmt.Errorf("invalid E2E processing latency percentile: %v", v)
@@ -759,6 +766,26 @@ func buildTLSConfig(opts *Options) (*tls.Config, error) {
 	return tlsConfig, nil
 }
 
+func buildClientTLSConfig(opts *Options) (*tls.Config, error) {
+	tlsConfig := &tls.Config{
+		MinVersion: opts.TLSMinVersion,
+	}
+
+	if opts.TLSRootCAFile != "" {
+		tlsCertPool := x509.NewCertPool()
+		caCertFile, err := os.ReadFile(opts.TLSRootCAFile)
+		if err != nil {
+			return nil, err
+		}
+		if !tlsCertPool.AppendCertsFromPEM(caCertFile) {
+			return nil, errors.New("failed to append certificate to pool")
+		}
+		tlsConfig.RootCAs = tlsCertPool
+	}
+
+	return tlsConfig, nil
+}
+
 func (n *NSQD) IsAuthEnabled() bool {
 	return len(n.getOpts().AuthHTTPAddresses) != 0
 }
