From ee102fbc8ed6bbe8b67f2fed641f8a20785c2587 Mon Sep 17 00:00:00 2001
From: Abhinav Dangeti
Date: Wed, 27 Oct 2021 14:51:53 -0600
Subject: [PATCH] MB-49178: Changes to handling security config within cbdatasource

+ cbgt already handles private key parsing, so simplifying the code here in go-couchbase/cbdatasource.

Change-Id: Ic6e2b221c9d168429ee6a91346e11289758af96b
Reviewed-on: http://review.couchbase.org/c/go-couchbase/+/164480
Tested-by: Abhinav Dangeti
Reviewed-by: Sitaram Vemulapalli
---
 cbdatasource/cbdatasource.go | 65 +++++++++--------------------------
 1 file changed, 15 insertions(+), 50 deletions(-)

diff --git a/cbdatasource/cbdatasource.go b/cbdatasource/cbdatasource.go
index 775b1d0..7d6f79e 100644
--- a/cbdatasource/cbdatasource.go
+++ b/cbdatasource/cbdatasource.go
@@ -26,7 +26,6 @@ import (
 "encoding/binary"
 "encoding/json"
 "fmt"
- "io/ioutil"
 "math/rand"
 "reflect"
 "sort"
@@ -54,23 +53,15 @@ var ErrXAttrsNotSupported = fmt.Errorf("xattrs not supported by server")
 type SecurityConfig struct {
 EncryptData bool
 DisableNonSSLPorts bool
- CertFile string
- KeyFile string
+ Certificates []tls.Certificate
+ RootCAs *x509.CertPool
 }
 
-type securitySetting struct {
- config *SecurityConfig
- rootCAs *x509.CertPool
- certificates []tls.Certificate
-}
-
-var currSecuritySettingMutex sync.RWMutex
-var currSecuritySetting *securitySetting
+var currSecurityConfigMutex sync.RWMutex
+var currSecurityConfig *SecurityConfig
 
 func init() {
- currSecuritySetting = &securitySetting{
- config: &SecurityConfig{},
- }
+ currSecurityConfig = &SecurityConfig{}
 }
 
 func UpdateSecurityConfig(newConfig *SecurityConfig) error {
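Review bot: The new exported fields `Certificates` and `RootCAs` on `SecurityConfig` carry no doc comments, and because `CertFile`/`KeyFile` are dropped this is a breaking change for any caller that relied on the package to load the key pair; the commit message only says cbgt already does so. A short contract on each field would help the next integrator, for example `// Certificates is the parsed key pair(s) handed to tls.Config.Certificates by fetchGlobalTLSConfig; it holds private key material and must not be logged or serialized.` and `// RootCAs is the pool used to verify peers; nil means the host's root CA set is used.`. It is also worth documenting that the struct is only consulted when `EncryptData` is true, since neither field has any effect otherwise.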
@@ -78,54 +69,28 @@ func UpdateSecurityConfig(newConfig *SecurityConfig) error {
 return fmt.Errorf("security config provided is nil")
 }
 
- currSecuritySettingMutex.Lock()
- defer currSecuritySettingMutex.Unlock()
-
- var roots *x509.CertPool
- var certificates []tls.Certificate
- if newConfig.EncryptData && newConfig.CertFile != "" {
- if newConfig.KeyFile != "" {
- tlsCert, err := tls.LoadX509KeyPair(newConfig.CertFile, newConfig.KeyFile)
- if err != nil {
- return err
- }
-
- certificates = []tls.Certificate{tlsCert}
- }
-
- certInBytes, err := ioutil.ReadFile(newConfig.CertFile)
- if err != nil {
- return err
- }
-
- roots = x509.NewCertPool()
- ok := roots.AppendCertsFromPEM(certInBytes)
- if !ok {
- return fmt.Errorf("Error appending certificates")
- }
- }
+ currSecurityConfigMutex.Lock()
+ defer currSecurityConfigMutex.Unlock()
 
- currSecuritySetting.config = newConfig
- currSecuritySetting.rootCAs = roots
- currSecuritySetting.certificates = certificates
+ currSecurityConfig = newConfig
 
 return nil
 }
 
 func fetchGlobalTLSConfig() *tls.Config {
 var tlsConfig *tls.Config
- currSecuritySettingMutex.RLock()
+ currSecurityConfigMutex.RLock()
 
- if currSecuritySetting.config.EncryptData &&
- (currSecuritySetting.rootCAs != nil ||
- currSecuritySetting.certificates != nil) {
+ if currSecurityConfig.EncryptData &&
+ (currSecurityConfig.RootCAs != nil ||
+ currSecurityConfig.Certificates != nil) {
 tlsConfig = &tls.Config{
- RootCAs: currSecuritySetting.rootCAs,
- Certificates: currSecuritySetting.certificates,
+ RootCAs: currSecurityConfig.RootCAs,
+ Certificates: currSecurityConfig.Certificates,
 }
 }
 
- currSecuritySettingMutex.RUnlock()
+ currSecurityConfigMutex.RUnlock()
 
 return tlsConfig
 }
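Review bot: `currSecurityConfig = newConfig` stores the caller's pointer, so any later write the caller makes to `newConfig.Certificates` or `newConfig.RootCAs` bypasses `currSecurityConfigMutex` and races with the reads in `fetchGlobalTLSConfig`; the removed code kept its own copy of the loaded material in package-private fields, which this hunk gives up. Storing a shallow copy with a cloned slice keeps the mutex meaningful: `cfg := *newConfig` / `cfg.Certificates = append([]tls.Certificate(nil), newConfig.Certificates...)` / `currSecurityConfig = &cfg`; the `*x509.CertPool` is still shared, so the doc comment on `UpdateSecurityConfig` should say the pool must not be mutated after the call. Separately, `currSecurityConfig.Certificates != nil` is true for an empty non-nil slice and would produce a `tls.Config` with no client certificate, whereas `len(currSecurityConfig.Certificates) > 0` states the intent. The opening of `UpdateSecurityConfig` (the nil check whose `return` is the first context line) lies outside the hunk.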