
Function LoadClientTLSConfig

x/tls_helper.go:166–214  ·  view source on GitHub ↗

LoadClientTLSConfig loads the TLS config into the client with the given parameters.

(v *viper.Viper)

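// LoadClientTLSConfig loads the TLS config into the client with the given parameters.
//
// Resolution order:
//  1. If "slash_grpc_endpoint" is set, the config comes from SlashTLSConfig and the
//     --tls superflag is not consulted at all.
//  2. If --tls ca-cert="..." is set, a TLS 1.2+ config is built from that CA file
//     (optionally merged with the system roots via use-system-ca), the server-name
//     used for hostname verification, and the optional client certificate/key pair.
//  3. Otherwise (nil, nil) is returned, which callers treat as "connect in plaintext";
//     if some other --tls option was given without ca-cert that is reported as an
//     error instead, since TLS cannot be enabled without a trust anchor.
//
// Returns an error when the CA pool or the client key pair cannot be loaded, or when
// only one of client-cert/client-key is given.
func LoadClientTLSConfig(v *viper.Viper) (*tls.Config, error) {
	if endpoint := v.GetString("slash_grpc_endpoint"); endpoint != "" {
		return SlashTLSConfig(endpoint)
	}

	tlsFlag := z.NewSuperFlag(v.GetString("tls")).MergeAndCheckDefault(TLSDefaults)

	// When the --tls ca-cert="..."; option is specified, the connection will be set up using TLS
	// instead of plaintext. However the client cert files are optional, depending on whether the
	// server requires a client certificate.
	caCert := tlsFlag.GetPath("ca-cert")
	if caCert == "" {
		// Attempt to determine if user specified *any* TLS option. Unfortunately and contrary to
		// Viper's own documentation, there's no way to tell whether an option value came from a
		// command-line option or a built-in default.
		if tlsFlag.GetString("server-name") != "" ||
			tlsFlag.GetPath("client-cert") != "" ||
			tlsFlag.GetPath("client-key") != "" {
			return nil, errors.Errorf(`--tls "ca-cert=...;" is required for enabling TLS`)
		}
		// No TLS option at all: the caller connects in plaintext.
		return nil, nil
	}

	tlsCfg := tls.Config{
		MinVersion: tls.VersionTLS12,
	}

	// 1. set up the root CA
	pool, err := generateCertPool(caCert, tlsFlag.GetBool("use-system-ca"))
	if err != nil {
		return nil, errors.Wrapf(err, "while loading CA certificate %q", caCert)
	}
	tlsCfg.RootCAs = pool

	// 2. set up the server name for verification
	tlsCfg.ServerName = tlsFlag.GetString("server-name")

	// 3. optionally load the client cert files. Supplying only one half of the pair is a
	// misconfiguration rather than "no client cert": report it instead of silently
	// connecting without client authentication.
	certFile := tlsFlag.GetPath("client-cert")
	keyFile := tlsFlag.GetPath("client-key")
	switch {
	case certFile != "" && keyFile != "":
		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, errors.Wrapf(err, "while loading client certificate %q and key %q",
				certFile, keyFile)
		}
		tlsCfg.Certificates = []tls.Certificate{cert}
	case certFile != "" || keyFile != "":
		return nil, errors.Errorf(`--tls "client-cert=...; client-key=...;" must be given together`)
	}

	return &tlsCfg, nil
}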
216func generateCertPool(certPath string, useSystemCA bool) (*x509.CertPool, error) {
217 var pool *x509.CertPool
