...

Source file src/go.mongodb.org/mongo-driver/mongo/options/clientencryptionoptions.go

Documentation: go.mongodb.org/mongo-driver/mongo/options 

     1  // Copyright (C) MongoDB, Inc. 2017-present.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License"); you may
     4  // not use this file except in compliance with the License. You may obtain
     5  // a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
     6  
     7  package options
     8  
     9  import (
    10  	"crypto/tls"
    11  	"fmt"
    12  	"net/http"
    13  
    14  	"go.mongodb.org/mongo-driver/internal/httputil"
    15  )
    16  
    17  // ClientEncryptionOptions represents all possible options used to configure a ClientEncryption instance.
    18  type ClientEncryptionOptions struct {
    19  	KeyVaultNamespace string
    20  	KmsProviders      map[string]map[string]interface{}
    21  	TLSConfig         map[string]*tls.Config
    22  	HTTPClient        *http.Client
    23  }
    24  
    25  // ClientEncryption creates a new ClientEncryptionOptions instance.
    26  func ClientEncryption() *ClientEncryptionOptions {
    27  	return &ClientEncryptionOptions{
    28  		HTTPClient: httputil.DefaultHTTPClient,
    29  	}
    30  }
    31  
    32  // SetKeyVaultNamespace specifies the namespace of the key vault collection. This is required.
    33  func (c *ClientEncryptionOptions) SetKeyVaultNamespace(ns string) *ClientEncryptionOptions {
    34  	c.KeyVaultNamespace = ns
    35  	return c
    36  }
    37  
    38  // SetKmsProviders specifies options for KMS providers. This is required.
    39  func (c *ClientEncryptionOptions) SetKmsProviders(providers map[string]map[string]interface{}) *ClientEncryptionOptions {
    40  	c.KmsProviders = providers
    41  	return c
    42  }
    43  
    44  // SetTLSConfig specifies tls.Config instances for each KMS provider to use to configure TLS on all connections created
    45  // to the KMS provider.
    46  //
    47  // This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
    48  func (c *ClientEncryptionOptions) SetTLSConfig(tlsOpts map[string]*tls.Config) *ClientEncryptionOptions {
    49  	tlsConfigs := make(map[string]*tls.Config)
    50  	for provider, config := range tlsOpts {
    51  		// use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites
    52  		if config.MinVersion == 0 {
    53  			config.MinVersion = tls.VersionTLS12
    54  		}
    55  		tlsConfigs[provider] = config
    56  	}
    57  	c.TLSConfig = tlsConfigs
    58  	return c
    59  }
    60  
    61  // BuildTLSConfig specifies tls.Config options for each KMS provider to use to configure TLS on all connections created
    62  // to the KMS provider. The input map should contain a mapping from each KMS provider to a document containing the necessary
    63  // options, as follows:
    64  //
    65  //	{
    66  //			"kmip": {
    67  //				"tlsCertificateKeyFile": "foo.pem",
    68  //				"tlsCAFile": "fooCA.pem"
    69  //			}
    70  //	}
    71  //
    72  // Currently, the following TLS options are supported:
    73  //
    74  // 1. "tlsCertificateKeyFile" (or "sslClientCertificateKeyFile"): The "tlsCertificateKeyFile" option specifies a path to
    75  // the client certificate and private key, which must be concatenated into one file.
    76  //
    77  // 2. "tlsCertificateKeyFilePassword" (or "sslClientCertificateKeyPassword"): Specify the password to decrypt the client
    78  // private key file (e.g. "tlsCertificateKeyFilePassword=password").
    79  //
    80  // 3. "tlsCaFile" (or "sslCertificateAuthorityFile"): Specify the path to a single or bundle of certificate authorities
    81  // to be considered trusted when making a TLS connection (e.g. "tlsCaFile=/path/to/caFile").
    82  //
    83  // This should only be used to set custom TLS options. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
    84  func BuildTLSConfig(tlsOpts map[string]interface{}) (*tls.Config, error) {
    85  	// use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites
    86  	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
    87  
    88  	for name := range tlsOpts {
    89  		var err error
    90  		switch name {
    91  		case "tlsCertificateKeyFile", "sslClientCertificateKeyFile":
    92  			clientCertPath, ok := tlsOpts[name].(string)
    93  			if !ok {
    94  				return nil, fmt.Errorf("expected %q value to be of type string, got %T", name, tlsOpts[name])
    95  			}
    96  			// apply custom key file password if found, otherwise use empty string
    97  			if keyPwd, found := tlsOpts["tlsCertificateKeyFilePassword"].(string); found {
    98  				_, err = addClientCertFromConcatenatedFile(cfg, clientCertPath, keyPwd)
    99  			} else if keyPwd, found := tlsOpts["sslClientCertificateKeyPassword"].(string); found {
   100  				_, err = addClientCertFromConcatenatedFile(cfg, clientCertPath, keyPwd)
   101  			} else {
   102  				_, err = addClientCertFromConcatenatedFile(cfg, clientCertPath, "")
   103  			}
   104  		case "tlsCertificateKeyFilePassword", "sslClientCertificateKeyPassword":
   105  			continue
   106  		case "tlsCAFile", "sslCertificateAuthorityFile":
   107  			caPath, ok := tlsOpts[name].(string)
   108  			if !ok {
   109  				return nil, fmt.Errorf("expected %q value to be of type string, got %T", name, tlsOpts[name])
   110  			}
   111  			err = addCACertFromFile(cfg, caPath)
   112  		default:
   113  			return nil, fmt.Errorf("unrecognized TLS option %v", name)
   114  		}
   115  
   116  		if err != nil {
   117  			return nil, err
   118  		}
   119  	}
   120  
   121  	return cfg, nil
   122  }
   123  
   124  // MergeClientEncryptionOptions combines the argued ClientEncryptionOptions in a last-one wins fashion.
   125  //
   126  // Deprecated: Merging options structs will not be supported in Go Driver 2.0. Users should create a
   127  // single options struct instead.
   128  func MergeClientEncryptionOptions(opts ...*ClientEncryptionOptions) *ClientEncryptionOptions {
   129  	ceo := ClientEncryption()
   130  	for _, opt := range opts {
   131  		if opt == nil {
   132  			continue
   133  		}
   134  
   135  		if opt.KeyVaultNamespace != "" {
   136  			ceo.KeyVaultNamespace = opt.KeyVaultNamespace
   137  		}
   138  		if opt.KmsProviders != nil {
   139  			ceo.KmsProviders = opt.KmsProviders
   140  		}
   141  		if opt.TLSConfig != nil {
   142  			ceo.TLSConfig = opt.TLSConfig
   143  		}
   144  		if opt.HTTPClient != nil {
   145  			ceo.HTTPClient = opt.HTTPClient
   146  		}
   147  	}
   148  
   149  	return ceo
   150  }
   151  

View as plain text