MB-49178: Changes to handling security config within cbdatasource

+ cbgt already handles private key parsing, so simplifying the code here in go-couchbase/cbdatasource. Change-Id: Ic6e2b221c9d168429ee6a91346e11289758af96b Reviewed-on: http://review.couchbase.org/c/go-couchbase/+/164480 Tested-by: Abhinav Dangeti <abhinav@couchbase.com> Reviewed-by: Sitaram Vemulapalli <sitaram.vemulapalli@couchbase.com>
couchbase · Oct 27, 2021 · ee102fb · ee102fb
1 parent 118e3f0
commit ee102fb
Showing 1 changed file with 15 additions and 50 deletions.
diff --git a/cbdatasource/cbdatasource.go b/cbdatasource/cbdatasource.go
@@ -26,7 +26,6 @@ import (
 	"encoding/binary"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"math/rand"
 	"reflect"
 	"sort"
@@ -54,78 +53,44 @@ var ErrXAttrsNotSupported = fmt.Errorf("xattrs not supported by server")
 type SecurityConfig struct {
 	EncryptData        bool
 	DisableNonSSLPorts bool
-	CertFile           string
-	KeyFile            string
+	Certificates       []tls.Certificate
+	RootCAs            *x509.CertPool
 }
 
-type securitySetting struct {
-	config       *SecurityConfig
-	rootCAs      *x509.CertPool
-	certificates []tls.Certificate
-}
-
-var currSecuritySettingMutex sync.RWMutex
-var currSecuritySetting *securitySetting
+var currSecurityConfigMutex sync.RWMutex
+var currSecurityConfig *SecurityConfig
 
 func init() {
-	currSecuritySetting = &securitySetting{
-		config: &SecurityConfig{},
-	}
+	currSecurityConfig = &SecurityConfig{}
 }
 
 func UpdateSecurityConfig(newConfig *SecurityConfig) error {
 	if newConfig == nil {
 		return fmt.Errorf("security config provided is nil")
 	}
 
-	currSecuritySettingMutex.Lock()
-	defer currSecuritySettingMutex.Unlock()
-
-	var roots *x509.CertPool
-	var certificates []tls.Certificate
-	if newConfig.EncryptData && newConfig.CertFile != "" {
-		if newConfig.KeyFile != "" {
-			tlsCert, err := tls.LoadX509KeyPair(newConfig.CertFile, newConfig.KeyFile)
-			if err != nil {
-				return err
-			}
-
-			certificates = []tls.Certificate{tlsCert}
-		}
-
-		certInBytes, err := ioutil.ReadFile(newConfig.CertFile)
-		if err != nil {
-			return err
-		}
-
-		roots = x509.NewCertPool()
-		ok := roots.AppendCertsFromPEM(certInBytes)
-		if !ok {
-			return fmt.Errorf("Error appending certificates")
-		}
-	}
+	currSecurityConfigMutex.Lock()
+	defer currSecurityConfigMutex.Unlock()
 
-	currSecuritySetting.config = newConfig
-	currSecuritySetting.rootCAs = roots
-	currSecuritySetting.certificates = certificates
+	currSecurityConfig = newConfig
 
 	return nil
 }
 
 func fetchGlobalTLSConfig() *tls.Config {
 	var tlsConfig *tls.Config
-	currSecuritySettingMutex.RLock()
+	currSecurityConfigMutex.RLock()
 
-	if currSecuritySetting.config.EncryptData &&
-		(currSecuritySetting.rootCAs != nil ||
-			currSecuritySetting.certificates != nil) {
+	if currSecurityConfig.EncryptData &&
+		(currSecurityConfig.RootCAs != nil ||
+			currSecurityConfig.Certificates != nil) {
 		tlsConfig = &tls.Config{
-			RootCAs:      currSecuritySetting.rootCAs,
-			Certificates: currSecuritySetting.certificates,
+			RootCAs:      currSecurityConfig.RootCAs,
+			Certificates: currSecurityConfig.Certificates,
 		}
 	}
 
-	currSecuritySettingMutex.RUnlock()
+	currSecurityConfigMutex.RUnlock()
 	return tlsConfig
 }