Merge pull request #439 from geckoboard/feature-tls-mysql

Using SSL to encrypt connections to MySQL
Armon Dadgar 2015-08-05 14:52:43 -07:00
commit f58f46c243
2 changed files with 47 additions and 2 deletions


@ -1,16 +1,24 @@
package physical
import (
"crypto/tls"
"crypto/x509"
"database/sql"
"fmt"
"io/ioutil"
"net/url"
"sort"
"strings"
"time"
"github.com/armon/go-metrics"
_ "github.com/go-sql-driver/mysql"
mysql "github.com/go-sql-driver/mysql"
)
// Unreserved tls key
// Reserved values are "true", "false", "skip-verify"
const mysqlTLSKey = "default"
// MySQLBackend is a physical backend that stores data
// within MySQL database.
type MySQLBackend struct {
@ -49,8 +57,18 @@ func newMySQLBackend(conf map[string]string) (Backend, error) {
}
dbTable := database + "." + table
dsnParams := url.Values{}
tlsCaFile, ok := conf["tls_ca_file"]
if ok {
if err := setupMySQLTLSConfig(tlsCaFile); err != nil {
return nil, fmt.Errorf("failed register TLS config: %v", err)
}
dsnParams.Add("tls", mysqlTLSKey)
}
// Create MySQL handle for the database.
dsn := username + ":" + password + "@tcp(" + address + ")/"
dsn := username + ":" + password + "@tcp(" + address + ")/?" + dsnParams.Encode()
db, err := sql.Open("mysql", dsn)
if err != nil {
return nil, fmt.Errorf("failed to connect to mysql: %v", err)
@ -173,3 +191,28 @@ func (m *MySQLBackend) List(prefix string) ([]string, error) {
sort.Strings(keys)
return keys, nil
}
// Establish a TLS connection with a given CA certificate
// Register a tsl.Config associted with the same key as the dns param from sql.Open
// foo:bar@tcp(127.0.0.1:3306)/dbname?tls=default
func setupMySQLTLSConfig(tlsCaFile string) error {
rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile(tlsCaFile)
if err != nil {
return err
}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return err
}
err = mysql.RegisterTLSConfig(mysqlTLSKey, &tls.Config{
RootCAs: rootCertPool,
})
if err != nil {
return err
}
return nil
}
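Review bot: In setupMySQLTLSConfig the `!ok` branch after AppendCertsFromPEM returns `err`, which is necessarily nil at that point, so a CA file that contains no parseable certificate makes the function report success without ever calling mysql.RegisterTLSConfig; newMySQLBackend then still adds `tls=default` to the DSN, and the failure surfaces later (presumably as an unknown-config-name error from the driver) instead of pointing at the CA file. The branch should return a real error, e.g. `return fmt.Errorf("no certificates found in CA file %q", tlsCaFile)`. The RegisterTLSConfig call registers the config process-wide under the fixed key "default", so a second backend created with a different tls_ca_file would silently overwrite the first; this is worth a comment on mysqlTLSKey. The header comment has typos (`tsl.Config associted`, `dns param`) and should read "Register a tls.Config associated with the same key as the tls DSN param passed to sql.Open"; the error text in newMySQLBackend should read "failed to register TLS config".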


@ -188,6 +188,8 @@ The MySQL backend has the following options:
* `table` (optional) - The name of the table to use. Defaults to "vault".
* `tls_ca_file` (optional) - The path to the CA certificate to connect using TLS
#### Backend Reference: Inmem
The in-memory backend has no configuration options.