Update PostgreSQL TLS config (#853)

* Allow CA or key / cert to be separately set for PostgreSQL
* Add support of host name verification & fix existing issue

common/auth/tlsConfigHelper.go

@@ -37,20 +37,33 @@ func NewEmptyTLSConfig() *tls.Config {
 	}
 }
 
-func NewTLSConfigForServer(serverName string) *tls.Config {
+func NewTLSConfigForServer(
+	serverName string,
+	enableHostVerification bool,
+) *tls.Config {
 	c := NewEmptyTLSConfig()
 	c.ServerName = serverName
+	c.InsecureSkipVerify = !enableHostVerification
 	return c
 }
 
-func NewTLSConfigWithCertsAndCAs(certificates []tls.Certificate, rootCAs *x509.CertPool, serverName string) *tls.Config {
-	c := NewTLSConfigForServer(serverName)
+func NewTLSConfigWithCertsAndCAs(
+	certificates []tls.Certificate,
+	rootCAs *x509.CertPool,
+	serverName string,
+	enableHostVerification bool,
+) *tls.Config {
+	c := NewTLSConfigForServer(serverName, enableHostVerification)
 	c.Certificates = certificates
 	c.RootCAs = rootCAs
 	return c
 }
 
-func NewTLSConfigWithClientAuthAndCAs(clientAuth tls.ClientAuthType, certificates []tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
+func NewTLSConfigWithClientAuthAndCAs(
+	clientAuth tls.ClientAuthType,
+	certificates []tls.Certificate,
+	clientCAs *x509.CertPool,
+) *tls.Config {
 	c := NewEmptyTLSConfig()
 	c.ClientAuth = clientAuth
 	c.Certificates = certificates

common/cassandra/cassandraCluster.go

@@ -66,7 +66,7 @@ func NewCassandraCluster(cfg config.Cassandra) (*gocql.ClusterConfig, error) {
 			CaPath:                 cfg.TLS.CaFile,
 			EnableHostVerification: cfg.TLS.EnableHostVerification,
 
-			Config: auth.NewTLSConfigForServer(cfg.TLS.ServerName),
+			Config: auth.NewTLSConfigForServer(cfg.TLS.ServerName, cfg.TLS.EnableHostVerification),
 		}
 
 		if cfg.TLS.CertData != "" {

common/messaging/kafkaClient.go

@@ -195,5 +195,5 @@ func CreateTLSConfig(tlsConfig auth.TLS) (*tls.Config, error) {
 	}
 	caCertPool.AppendCertsFromPEM(pemData)
 
-	return auth.NewTLSConfigWithCertsAndCAs([]tls.Certificate{cert}, caCertPool, ""), nil
+	return auth.NewTLSConfigWithCertsAndCAs([]tls.Certificate{cert}, caCertPool, "", true), nil
 }

common/persistence/sql/sqlplugin/mysql/tls.go

@@ -29,7 +29,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io/ioutil"
-	"net"
 
 	"github.com/go-sql-driver/mysql"
 
@@ -42,13 +41,8 @@ func registerTLSConfig(cfg *config.SQL) error {
 		return nil
 	}
 
-	host, _, err := net.SplitHostPort(cfg.ConnectAddr)
-	if err != nil {
-		return fmt.Errorf("error in host port from ConnectAddr: %v", err)
-	}
-
 	// TODO: create a way to set MinVersion and CipherSuites via cfg.
-	tlsConfig := auth.NewTLSConfigForServer(host)
+	tlsConfig := auth.NewTLSConfigForServer(cfg.TLS.ServerName, cfg.TLS.EnableHostVerification)
 
 	if cfg.TLS.CaFile != "" {
 		rootCertPool := x509.NewCertPool()
@@ -77,7 +71,7 @@ func registerTLSConfig(cfg *config.SQL) error {
 
 	// In order to use the TLS configuration you need to register it. Once registered you use it by specifying
 	// `tls` in the connect attributes.
-	err = mysql.RegisterTLSConfig(customTLSName, tlsConfig)
+	err := mysql.RegisterTLSConfig(customTLSName, tlsConfig)
 	if err != nil {
 		return fmt.Errorf("failed to register tls config: %v", err)
 	}

common/persistence/sql/sqlplugin/postgresql/plugin.go

@@ -107,7 +107,6 @@ func buildDSN(cfg *config.SQL) string {
 		databaseName(cfg.DatabaseName),
 		tlsAttrs,
 	)
-	fmt.Println(dsn)
 	return dsn
 }
 

common/persistence/sql/sqlplugin/postgresql/tls.go

@@ -30,15 +30,38 @@ import (
 	"go.temporal.io/server/common/service/config"
 )
 
+const (
+	postgreSQLSSLMode     = "sslmode"
+	postgreSQLSSLModeNoop = "disable"
+	postgreSQLSSLModeCA   = "verify-ca"
+	postgreSQLSSLModeFull = "verify-full"
+
+	postgreSQLSSLHost = "host"
+
+	postgreSQLCA   = "sslrootcert"
+	postgreSQLKey  = "sslkey"
+	postgreSQLCert = "sslcert"
+)
+
 func dsnTSL(cfg *config.SQL) url.Values {
 	sslParams := url.Values{}
 	if cfg.TLS != nil && cfg.TLS.Enabled {
-		sslParams.Set("sslmode", "verify-ca")
-		sslParams.Set("sslrootcert", cfg.TLS.CaFile)
-		sslParams.Set("sslkey", cfg.TLS.KeyFile)
-		sslParams.Set("sslcert", cfg.TLS.CertFile)
+		if !cfg.TLS.EnableHostVerification {
+			sslParams.Set(postgreSQLSSLMode, postgreSQLSSLModeCA)
+		} else {
+			sslParams.Set(postgreSQLSSLMode, postgreSQLSSLModeFull)
+			sslParams.Set(postgreSQLSSLHost, cfg.TLS.ServerName)
+		}
+
+		if cfg.TLS.CaFile != "" {
+			sslParams.Set(postgreSQLCA, cfg.TLS.CaFile)
+		}
+		if cfg.TLS.KeyFile != "" && cfg.TLS.CertFile != "" {
+			sslParams.Set(postgreSQLKey, cfg.TLS.KeyFile)
+			sslParams.Set(postgreSQLCert, cfg.TLS.CertFile)
+		}
 	} else {
-		sslParams.Set("sslmode", "disable")
+		sslParams.Set(postgreSQLSSLMode, postgreSQLSSLModeNoop)
 	}
 	return sslParams
 }

common/rpc/encryption/localStoreTlsFactory.go

@@ -166,5 +166,6 @@ func newClientTLSConfig(localProvider CertProvider, remoteProvider CertProvider)
 		clientCerts,
 		serverCa,
 		remoteProvider.GetSettings().Client.ServerName,
+		true,
 	), nil
 }

tools/cli/factory.go

@@ -113,6 +113,7 @@ func (b *clientFactory) createGRPCConnection(c *cli.Context) (*grpc.ClientConn,
 	certPath := c.GlobalString(FlagTLSCertPath)
 	keyPath := c.GlobalString(FlagTLSKeyPath)
 	caPath := c.GlobalString(FlagTLSCaPath)
+	hostNameVerification := c.GlobalBool(FlagTLSEnableHostVerification)
 
 	grpcSecurityOptions := grpc.WithInsecure()
 	var cert *tls.Certificate
@@ -136,7 +137,7 @@ func (b *clientFactory) createGRPCConnection(c *cli.Context) (*grpc.ClientConn,
 	}
 	// If we are given arguments to verify either server or client, configure TLS
 	if caPool != nil || cert != nil {
-		tlsConfig := auth.NewTLSConfigForServer(host)
+		tlsConfig := auth.NewTLSConfigForServer(host, hostNameVerification)
 		if caPool != nil {
 			tlsConfig.RootCAs = caPool
 		}