Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support MQTT certificate and the key for the gateway backend #201

Merged
merged 8 commits into from Jan 29, 2018
Merged

Support MQTT certificate and the key for the gateway backend #201

merged 8 commits into from Jan 29, 2018

Conversation

moznion
Copy link
Contributor

@moznion moznion commented Jan 17, 2018

brocaar/chirpstack-network-server#284 is the same motivation.

brocaar
brocaar reviewed Jan 22, 2018
View reviewed changes
Copy link
Owner

@brocaar brocaar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your work!

I have a couple of comments to make these config options consistent with the other TLS related config options.

Could you update these and apply these changes to to lora-gateway-bridge and loraserver? Then these changes should be good to merge :-)

docs/content/install/config.md Outdated
@@ -20,6 +20,8 @@ GLOBAL OPTIONS:
--mqtt-username value mqtt server username (optional) [$MQTT_USERNAME]
--mqtt-password value mqtt server password (optional) [$MQTT_PASSWORD]
--mqtt-ca-cert value mqtt CA certificate file used by the gateway backend (optional) [$MQTT_CA_CERT]
--mqtt-cert value mqtt certificate file used by the gateway backend (optional) [$MQTT_CERT]
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See previous comment (--mqtt-tls-cert and --mqtt-tls-key)

internal/handler/mqtthandler/mqtt_handler.go Outdated
}
tlsconfig, err := newTLSConfig(cafile, certFile, certKeyFile)
if err != nil {
log.Fatalf("Error with the mqtt CA certificate: %s", err)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this would print more debugging information:

log.WithError(err).WithFields(log.Fields{
    "ca_cert": cafile,
    "tls_cert": certFile,
    "tls_key": certKeyFile,
}).Fatal("error loading mqtt certificate files")

internal/handler/mqtthandler/mqtt_handler.go Outdated
@@ -70,23 +69,47 @@ func NewHandler(server, username, password, cafile string) (handler.Handler, err
return &h, nil
}

func newTLSConfig(cafile string) (*tls.Config, error) {
func newTLSConfig(cafile, certFile, certKeyFile string) (*tls.Config, error) {
if cafile == "" && (certFile == "" || certKeyFile == "") {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there are three valid options:

  • Only CA
  • TLS cert + key
  • CA, TLS + key

If in this case the CA cert is set + only the TLS cert or TLS key, it would pass this check, but the config is invalid I believe.

internal/handler/mqtthandler/mqtt_handler.go Outdated
return nil, err
}

kp, err := tls.X509KeyPair(cert, certKey)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use https://golang.org/pkg/crypto/tls/#LoadX509KeyPair. It allows you to directly load the files by passing the paths to these files. Saves a couple of lines ;-)

@moznion
Copy link
Contributor Author

moznion commented Jan 23, 2018
edited

@brocaar
Thank you for your reviewing! I've just corrected the pointed out.
If you seem this change is good, I will apply the same patch to other components.

But Travis CI is failing... I wonder why. Can it be rebuilt?

@moznion
Copy link
Contributor Author

moznion commented Jan 23, 2018

After rebuilding, fixed it :)

@moznion
Copy link
Contributor Author

moznion commented Jan 26, 2018

@brocaar How about this?

brocaar
brocaar reviewed Jan 26, 2018
View reviewed changes
Copy link
Owner

@brocaar brocaar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for also adding tests 👍

I've added some small comments (I think you might have missed some renames). Let me know what you think.

cmd/lora-app-server/main.go Outdated
@@ -174,7 +174,7 @@ func setRedisPool(c *cli.Context) error {
}

func setHandler(c *cli.Context) error {
h, err := mqtthandler.NewHandler(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert"))
h, err := mqtthandler.NewHandler(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert"), c.String("mqtt-cert"), c.String("mqtt-cert-key"))
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

c.String("mqtt-cert"), c.String("mqtt-cert-key")

That should be mqtt-tls-cert an mqtt-tls-key I think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Uh oh, I missed... Sorry.

docs/content/install/config.md Outdated
@@ -20,6 +20,8 @@ GLOBAL OPTIONS:
--mqtt-username value mqtt server username (optional) [$MQTT_USERNAME]
--mqtt-password value mqtt server password (optional) [$MQTT_PASSWORD]
--mqtt-ca-cert value mqtt CA certificate file used by the gateway backend (optional) [$MQTT_CA_CERT]
--mqtt-tls-cert value mqtt certificate file used by the gateway backend (optional) [$MQTT_CERT]
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$MQTT_CERT --> $MQTT_TLS_CERT, same for $MQTT_CERT_KEY.

internal/handler/mqtthandler/mqtt_handler.go
@@ -70,23 +75,57 @@ func NewHandler(server, username, password, cafile string) (handler.Handler, err
return &h, nil
}

func newTLSConfig(cafile string) (*tls.Config, error) {
func newTLSConfig(cafile, certFile, certKeyFile string) (*tls.Config, error) {
// Here are three valid options:
Copy link
Owner

@brocaar brocaar Jan 26, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for commenting on this again, but maybe it is better to remove the whole check at all. E.g. when the user does only provide a tls cert or only a tls key, tls.LoadX509KeyPair(certFile, certKeyFile) will also handle this as an error.

@moznion
Copy link
Contributor Author

moznion commented Jan 28, 2018

I'm sorry for my late reply (I was lost the Internet connection...).

I fixed some typos and redundant MQTT TLS argument validation. Could you review this patch again?

@brocaar brocaar merged commit cce7403 into brocaar:master Jan 29, 2018
@brocaar
Copy link
Owner

brocaar commented Jan 29, 2018

Thanks for your contribution! I've merged your pull-request :-)

@moznion
Copy link
Contributor Author

moznion commented Jan 29, 2018

Thank you so much for your merging!
May I apply the same patch to loraserver and gateway-bridge?

@brocaar
Copy link
Owner

brocaar commented Jan 29, 2018

Yes, please do! That would be much appreciated :-)

@moznion
Copy link
Contributor Author

moznion commented Jan 29, 2018

Sure, I'll do that!

@moznion moznion deleted the support_mqtt_cert branch January 30, 2018 01:47
This was referenced Jan 30, 2018
Merged
Closed
brocaar added a commit that referenced this pull request Feb 8, 2018
@brocaar
Update changelog with #201.
708d68a
brocaar added a commit that referenced this pull request Feb 8, 2018
@brocaar
Update changelog with #201.
0df3e84
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brocaar brocaar brocaar left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@moznion @brocaar