enable mTLS

.gitignore

@@ -20,4 +20,4 @@
 # Go workspace file
 go.work
 
-eenergy
+dev-certs

Dockerfile

@@ -11,7 +11,7 @@ COPY --from=builder /app/main .
 COPY app.env .
 COPY start.sh .
 COPY db/migrations ./db/migrations
-COPY certs ./certs
+COPY dev-certs ./dev-certs
 
 EXPOSE 8080
 

Makefile

@@ -1,6 +1,10 @@
 
 DB_SOURCE = "postgresql://root:secret@localhost:5432/eenergy?sslmode=disable"
 MIGRATIONS_PATH = db/migrations
+CONFIG_PATH=dev-certs/
+
+init:
+	mkdir -p ${CONFIG_PATH}
 
 createdb:
 	docker exec -it postgres15 createdb --username=root --owner=root eenergy
@@ -51,13 +55,26 @@ evans:
 	evans --host localhost --port 9090 -r repl
 
 # certs to be added to certs directory for local development purposes
-create-server-cert:
-	openssl req -newkey rsa:2048 -nodes -keyout server.key -x509 -days 365 -out server.crt
-create-ca-cert:
-	openssl genrsa -out ca.key 2048
-	openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
-	openssl x509 -in ca.crt -text -noout
-
-
-.PHONEY: createdb dropdb migrateup migrateup1 migratedown migratedown1 test server protoc evans create-certs create-ca-cert
+gen-cert:
+# Create the CA private key
+	openssl genrsa -out ca-key.pem 2048
+# Create a self-signed CA certificate
+	openssl req -x509 -new -nodes -key ca-key.pem -days 3650 -out ca.pem -subj "/C=US/ST=NY/L=NYC/O=eenergy/CN=CA"
+# Create the server private key
+	openssl genrsa -out server.key 2048
+# Create the server CSR
+	openssl req -new -key server.key -out server.csr -subj "/C=US/ST=NY/L=NYC/O=eenergy/CN=server"
+# Sign the server CSR with the CA certificate
+	openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server.crt -days 365 -sha256
+# Create the client private key
+	openssl genrsa -out client.key 2048
+# Create the client CSR
+	openssl req -new -key client.key -out client.csr -subj "/C=US/ST=NY/L=NYC/O=eenergy/CN=client"
+# Sign the client CSR with the CA certificate
+	openssl x509 -req -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client.crt -days 365 -sha256
+
+	mv *.pem *.csr *.crt *.srl *.key ${CONFIG_PATH}
+
+
+.PHONEY: createdb dropdb migrateup migrateup1 migratedown migratedown1 test server protoc evans gen-cert init
 

README.md

@@ -40,9 +40,16 @@ To contribute to eEnergy, you will need to set up your development environment w
 
 2. **Set Up Your Local Development Environment**
     - Ensure all required tools are installed.
-    - Set up the local database using migrations.
 
-3. **Build and Run Using Docker**
+3. **Generate Certificates For Local Use**
+  - ```bash
+      make init
+      ```
+  - ```bash
+      make gen-cert
+      ```
+
+4. **Build and Run Using Docker**
     - Build the Docker images:
 
       ```bash
@@ -55,6 +62,10 @@ To contribute to eEnergy, you will need to set up your development environment w
       docker compose up
       ```
 
+### using postman with mTLS enabled
+1. add CA pem
+2. add client certificate with crt, key files and localhost:9090 as domain
+
 4. **Access the Application**
     - The application and its services are now accessible on your local machine.
 
@@ -73,3 +84,10 @@ eEnergy is open-sourced under the [MIT license](LICENSE).
 ---
 
 By contributing to eEnergy, you're helping to create a more sustainable and efficient future for energy consumption and distribution. Let's make a difference together!
+
+<!-- TODO : 
+- add account balance endpoint for admin only (or make it smart meter responsibility)
+- improve logging and configure graphana
+- explore pprof
+- impl nearest energy source endpoint (input: current location, output: nearest energy source details)
+- watch kubernetes section and understand it -->

app.env

@@ -10,4 +10,7 @@ REFRESH_TOKEN_DURATION=24h
 REDIS_ADDRESS=0.0.0.0:6379
 EMAIL_SENDER_NAME=eenergy
 EMAIL_SENDER_ADDRESS=ahmedradwan9966@gmail.com
-EMAIL_SENDER_PASSWORD=
+EMAIL_SENDER_PASSWORD=
+SERVER_CRT_PATH=dev-certs/server.crt
+SERVER_KEY_PATH=dev-certs/server.key
+CA_CRT_PATH=dev-certs/ca.pem

main.go

@@ -84,14 +84,14 @@ func runDBMigrations(dbConn *sql.DB, migrationsURL string) {
 
 func runGrpcServer(config util.Config, store db.Store, taskDistributor worker.TaskDistributor) {
 
-	cert, err := tls.LoadX509KeyPair("certs/server.crt", "certs/server.key")
+	cert, err := tls.LoadX509KeyPair(config.ServerCrtPath, config.ServerKeyPath)
 	if err != nil {
 		handleError("cannot load server key pair", err)
 	}
 
 	// Create a certificate pool from the certificate authority
 	certPool := x509.NewCertPool()
-	ca, err := os.ReadFile("certs/ca.crt") // If you have a CA certificate, otherwise skip this part
+	ca, err := os.ReadFile(config.CACrtPath) // If you have a CA certificate, otherwise skip this part
 	if err != nil {
 		handleError("cannot read ca certificate", err)
 	}
@@ -103,7 +103,7 @@ func runGrpcServer(config util.Config, store db.Store, taskDistributor worker.Ta
 
 	// Create the TLS credentials for the server
 	creds := credentials.NewTLS(&tls.Config{
-		// ClientAuth:   tls.RequireAndVerifyClientCert, // This requires and verifies client certificate
+		ClientAuth:   tls.RequireAndVerifyClientCert, // This requires and verifies client certificate
 		Certificates: []tls.Certificate{cert},
 		ClientCAs:    certPool,
 	})

util/config.go

@@ -22,6 +22,9 @@ type Config struct {
 	EmailSenderName      string        `mapstructure:"EMAIL_SENDER_NAME"`
 	EmailSenderAddress   string        `mapstructure:"EMAIL_SENDER_ADDRESS"`
 	EmailSenderPassword  string        `mapstructure:"EMAIL_SENDER_PASSWORD"`
+	ServerCrtPath        string        `mapstructure:"SERVER_CRT_PATH"`
+	ServerKeyPath        string        `mapstructure:"SERVER_KEY_PATH"`
+	CACrtPath            string        `mapstructure:"CA_CRT_PATH"`
 }
 
 // LoadConfig read configuration from the file or environment variables