chore(security): broker with tls config + cloud env

2023-05-17 23:23:44 -03:00 · 2023-05-17 23:23:44 -03:00 · 228fef7d21
commit 228fef7d21
parent 3953a0d09f
4 changed files with 80 additions and 46 deletions
--- a/backend/services/controller/.gitignore
+++ b/backend/services/controller/.gitignore
@ -1 +1,2 @@
-/.env.local
+/.env.local
+run.prod.sh
--- a/backend/services/controller/run.sh
+++ b/backend/services/controller/run.sh
@ -0,0 +1 @@
+go run cmd/oktopus/main.go -u root -P root -mongo mongodb://172.16.238.3:27017/
--- a/backend/services/mochi/.gitignore
+++ b/backend/services/mochi/.gitignore
@ -1,3 +1,5 @@
 cmd/mqtt
 .DS_Store
 *.db
+auth.prod.json
+run.prod.sh
--- a/backend/services/mochi/cmd/main.go
+++ b/backend/services/mochi/cmd/main.go
@ -6,9 +6,11 @@ package main

 import (
 	"bytes"
+	"crypto/tls"
 	"flag"
 	"github.com/mochi-co/mqtt/v2/packets"
 	"github.com/rs/zerolog"
+	"io/ioutil"
 	"log"
 	"os"
 	"os/signal"
@ -23,35 +25,35 @@ import (
 )

 var (
-	testCertificate = []byte(`-----BEGIN CERTIFICATE-----
-MIIB/zCCAWgCCQDm3jV+lSF1AzANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQGEwJB
-VTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28xDTALBgNV
-BAsMBE1RVFQwHhcNMjAwMTA0MjAzMzQyWhcNMjEwMTAzMjAzMzQyWjBEMQswCQYD
-VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28x
-DTALBgNVBAsMBE1RVFQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKz2bUz3
-AOymssVLuvSOEbQ/sF8C/Ill8nRTd7sX9WBIxHJZf+gVn8lQ4BTQ0NchLDRIlpbi
-OuZgktpd6ba8sIfVM4jbVprctky5tGsyHRFwL/GAycCtKwvuXkvcwSwLvB8b29EI
-MLQ/3vNnYuC3eZ4qqxlODJgRsfQ7mUNB8zkLAgMBAAEwDQYJKoZIhvcNAQELBQAD
-gYEAiMoKnQaD0F/J332arGvcmtbHmF2XZp/rGy3dooPug8+OPUSAJY9vTfxJwOsQ
-qN1EcI+kIgrGxzA3VRfVYV8gr7IX+fUYfVCaPGcDCfPvo/Ihu757afJRVvpafWgy
-zSpDZYu6C62h3KSzMJxffDjy7/2t8oYbTzkLSamsHJJjLZw=
-----END CERTIFICATE-----`)
-
-	testPrivateKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCs9m1M9wDsprLFS7r0jhG0P7BfAvyJZfJ0U3e7F/VgSMRyWX/o
-FZ/JUOAU0NDXISw0SJaW4jrmYJLaXem2vLCH1TOI21aa3LZMubRrMh0RcC/xgMnA
-rSsL7l5L3MEsC7wfG9vRCDC0P97zZ2Lgt3meKqsZTgyYEbH0O5lDQfM5CwIDAQAB
-AoGBAKlmVVirFqmw/qhDaqD4wBg0xI3Zw/Lh+Vu7ICoK5hVeT6DbTW3GOBAY+M8K
-UXBSGhQ+/9ZZTmyyK0JZ9nw2RAG3lONU6wS41pZhB7F4siatZfP/JJfU6p+ohe8m
-n22hTw4brY/8E/tjuki9T5e2GeiUPBhjbdECkkVXMYBPKDZhAkEA5h/b/HBcsIZZ
-mL2d3dyWkXR/IxngQa4NH3124M8MfBqCYXPLgD7RDI+3oT/uVe+N0vu6+7CSMVx6
-INM67CuE0QJBAMBpKW54cfMsMya3CM1BfdPEBzDT5kTMqxJ7ez164PHv9CJCnL0Z
-AuWgM/p2WNbAF1yHNxw1eEfNbUWwVX2yhxsCQEtnMQvcPWLSAtWbe/jQaL2scGQt
-/F9JCp/A2oz7Cto3TXVlHc8dxh3ZkY/ShOO/pLb3KOODjcOCy7mpvOrZr6ECQH32
-WoFPqImhrfryaHi3H0C7XFnC30S7GGOJIy0kfI7mn9St9x50eUkKj/yv7YjpSGHy
-w0lcV9npyleNEOqxLXECQBL3VRGCfZfhfFpL8z+5+HPKXw6FxWr+p5h8o3CZ6Yi3
-OJVN3Mfo6mbz34wswrEdMXn25MzAwbhFQvCVpPZrFwc=
-----END RSA PRIVATE KEY-----`)
+	//	testCertificate = []byte(`-----BEGIN CERTIFICATE-----
+	//MIIB/zCCAWgCCQDm3jV+lSF1AzANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQGEwJB
+	//VTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28xDTALBgNV
+	//BAsMBE1RVFQwHhcNMjAwMTA0MjAzMzQyWhcNMjEwMTAzMjAzMzQyWjBEMQswCQYD
+	//VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28x
+	//DTALBgNVBAsMBE1RVFQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKz2bUz3
+	//AOymssVLuvSOEbQ/sF8C/Ill8nRTd7sX9WBIxHJZf+gVn8lQ4BTQ0NchLDRIlpbi
+	//OuZgktpd6ba8sIfVM4jbVprctky5tGsyHRFwL/GAycCtKwvuXkvcwSwLvB8b29EI
+	//MLQ/3vNnYuC3eZ4qqxlODJgRsfQ7mUNB8zkLAgMBAAEwDQYJKoZIhvcNAQELBQAD
+	//gYEAiMoKnQaD0F/J332arGvcmtbHmF2XZp/rGy3dooPug8+OPUSAJY9vTfxJwOsQ
+	//qN1EcI+kIgrGxzA3VRfVYV8gr7IX+fUYfVCaPGcDCfPvo/Ihu757afJRVvpafWgy
+	//zSpDZYu6C62h3KSzMJxffDjy7/2t8oYbTzkLSamsHJJjLZw=
+	//-----END CERTIFICATE-----`)
+	//
+	//	testPrivateKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+	//MIICXAIBAAKBgQCs9m1M9wDsprLFS7r0jhG0P7BfAvyJZfJ0U3e7F/VgSMRyWX/o
+	//FZ/JUOAU0NDXISw0SJaW4jrmYJLaXem2vLCH1TOI21aa3LZMubRrMh0RcC/xgMnA
+	//rSsL7l5L3MEsC7wfG9vRCDC0P97zZ2Lgt3meKqsZTgyYEbH0O5lDQfM5CwIDAQAB
+	//AoGBAKlmVVirFqmw/qhDaqD4wBg0xI3Zw/Lh+Vu7ICoK5hVeT6DbTW3GOBAY+M8K
+	//UXBSGhQ+/9ZZTmyyK0JZ9nw2RAG3lONU6wS41pZhB7F4siatZfP/JJfU6p+ohe8m
+	//n22hTw4brY/8E/tjuki9T5e2GeiUPBhjbdECkkVXMYBPKDZhAkEA5h/b/HBcsIZZ
+	//mL2d3dyWkXR/IxngQa4NH3124M8MfBqCYXPLgD7RDI+3oT/uVe+N0vu6+7CSMVx6
+	//INM67CuE0QJBAMBpKW54cfMsMya3CM1BfdPEBzDT5kTMqxJ7ez164PHv9CJCnL0Z
+	//AuWgM/p2WNbAF1yHNxw1eEfNbUWwVX2yhxsCQEtnMQvcPWLSAtWbe/jQaL2scGQt
+	///F9JCp/A2oz7Cto3TXVlHc8dxh3ZkY/ShOO/pLb3KOODjcOCy7mpvOrZr6ECQH32
+	//WoFPqImhrfryaHi3H0C7XFnC30S7GGOJIy0kfI7mn9St9x50eUkKj/yv7YjpSGHy
+	//w0lcV9npyleNEOqxLXECQBL3VRGCfZfhfFpL8z+5+HPKXw6FxWr+p5h8o3CZ6Yi3
+	//OJVN3Mfo6mbz34wswrEdMXn25MzAwbhFQvCVpPZrFwc=
+	//-----END RSA PRIVATE KEY-----`)

 	server = mqtt.New(&mqtt.Options{
 		//Capabilities: &mqtt.Capabilities{
@ -72,6 +74,9 @@ func main() {
 	wsAddr := flag.String("ws", "", "network address for Websocket listener")
 	infoAddr := flag.String("info", ":8080", "network address for web info dashboard listener")
 	path := flag.String("path", "", "path to data auth file")
+	fullchain := flag.String("full_chain_path", "", "path to fullchain.pem certificate")
+	privkey := flag.String("private_key_path", "", "path to privkey.pem certificate")
+
 	flag.Parse()

 	sigs := make(chan os.Signal, 1)
@ -104,25 +109,50 @@ func main() {
 		}
 	}

-	//cert, err := tls.X509KeyPair(testCertificate, testPrivateKey)
-	//if err != nil {
-	//	log.Fatal(err)
-	//}
-
-	// Basic TLS Config
-	//tlsConfig := &tls.Config{
-	//	Certificates: []tls.Certificate{cert},
-	//}
-
-	if *tcpAddr != "" {
-		//tcp := listeners.NewTCP("t1", *tcpAddr, &listeners.Config{
-		//	TLSConfig: tlsConfig,
-		//})
-		tcp := listeners.NewTCP("t1", *tcpAddr, nil)
-		err := server.AddListener(tcp)
+	if *fullchain != "" && *privkey != "" {
+		chain, err := ioutil.ReadFile(*fullchain)
 		if err != nil {
 			log.Fatal(err)
 		}
+
+		priv, err := ioutil.ReadFile(*fullchain)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		cert, err := tls.X509KeyPair(chain, priv)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		//Basic TLS Config
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+		}
+
+		if *tcpAddr != "" {
+			tcp := listeners.NewTCP("t1", *tcpAddr, &listeners.Config{
+				TLSConfig: tlsConfig,
+			})
+			err := server.AddListener(tcp)
+			if err != nil {
+				log.Fatal(err)
+			}
+		}
+
+		log.Println("Mqtt Broker is running with TLS")
+	} else {
+		if *tcpAddr != "" {
+			//tcp := listeners.NewTCP("t1", *tcpAddr, &listeners.Config{
+			//	TLSConfig: tlsConfig,
+			//})
+			tcp := listeners.NewTCP("t1", *tcpAddr, nil)
+			err := server.AddListener(tcp)
+			if err != nil {
+				log.Fatal(err)
+			}
+		}
+		log.Println("Mqtt Broker is running without TLS, (it's dangerous)")
 	}

 	if *wsAddr != "" {
				`@ -0,0 +1 @@`
				`go run cmd/oktopus/main.go -u root -P root -mongo mongodb://172.16.238.3:27017/`