From 228fef7d21d9d7f8cddca1dc7e0f4a7e5221bcae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leandro=20Ant=C3=B4nio=20Farias=20Machado?=
Date: Wed, 17 May 2023 23:23:44 -0300
Subject: [PATCH] chore(security): broker with tls config + cloud env

---
 backend/services/controller/.gitignore | 3 +-
 backend/services/controller/run.sh | 1 +
 backend/services/mochi/.gitignore | 2 +
 backend/services/mochi/cmd/main.go | 120 +++++++++++++++----------
 4 files changed, 80 insertions(+), 46 deletions(-)
 create mode 100644 backend/services/controller/run.sh

diff --git a/backend/services/controller/.gitignore b/backend/services/controller/.gitignore
index 95e8d9f..92289df 100644
--- a/backend/services/controller/.gitignore
+++ b/backend/services/controller/.gitignore
@@ -1 +1,2 @@
-/.env.local
\ No newline at end of file
+/.env.local
+run.prod.sh
\ No newline at end of file
diff --git a/backend/services/controller/run.sh b/backend/services/controller/run.sh
new file mode 100644
index 0000000..bb0a11c
--- /dev/null
+++ b/backend/services/controller/run.sh
@@ -0,0 +1 @@
+go run cmd/oktopus/main.go -u root -P root -mongo mongodb://172.16.238.3:27017/
\ No newline at end of file
diff --git a/backend/services/mochi/.gitignore b/backend/services/mochi/.gitignore
index 35dc156..2170bcb 100644
--- a/backend/services/mochi/.gitignore
+++ b/backend/services/mochi/.gitignore
@@ -1,3 +1,5 @@
 cmd/mqtt
 .DS_Store
 *.db
+auth.prod.json
+run.prod.sh
diff --git a/backend/services/mochi/cmd/main.go b/backend/services/mochi/cmd/main.go
index d4fb654..0f3594f 100644
--- a/backend/services/mochi/cmd/main.go
+++ b/backend/services/mochi/cmd/main.go
@@ -6,9 +6,11 @@ package main
 import (
 "bytes"
+ "crypto/tls"
 "flag"
 "github.com/mochi-co/mqtt/v2/packets"
 "github.com/rs/zerolog"
+ "io/ioutil"
 "log"
 "os"
 "os/signal"
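Review bot: The new run.sh commits a fixed credential pair (`-u root -P root`) and a hard-coded MongoDB address on the script's only line, while the .gitignore hunks in the same commit deliberately keep run.prod.sh and auth.prod.json out of the repository, so the dev script is exactly the template the prod script will be copied from. Read the values from the environment instead, for example `go run cmd/oktopus/main.go -u "${OKTOPUS_USER:-root}" -P "${OKTOPUS_PASS:-root}" -mongo "${MONGO_URI:-mongodb://172.16.238.3:27017/}"` (variable names are illustrative), so a committed script never has to carry a real password. The file is also added as mode 100644 with no `#!/bin/sh` line, so it only runs via `sh run.sh`; a shebang plus the executable bit would make the intended usage explicit.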
@@ -23,35 +25,35 @@ import ( ) var ( - testCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIB/zCCAWgCCQDm3jV+lSF1AzANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQGEwJB -VTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28xDTALBgNV -BAsMBE1RVFQwHhcNMjAwMTA0MjAzMzQyWhcNMjEwMTAzMjAzMzQyWjBEMQswCQYD -VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28x -DTALBgNVBAsMBE1RVFQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKz2bUz3 -AOymssVLuvSOEbQ/sF8C/Ill8nRTd7sX9WBIxHJZf+gVn8lQ4BTQ0NchLDRIlpbi -OuZgktpd6ba8sIfVM4jbVprctky5tGsyHRFwL/GAycCtKwvuXkvcwSwLvB8b29EI -MLQ/3vNnYuC3eZ4qqxlODJgRsfQ7mUNB8zkLAgMBAAEwDQYJKoZIhvcNAQELBQAD -gYEAiMoKnQaD0F/J332arGvcmtbHmF2XZp/rGy3dooPug8+OPUSAJY9vTfxJwOsQ -qN1EcI+kIgrGxzA3VRfVYV8gr7IX+fUYfVCaPGcDCfPvo/Ihu757afJRVvpafWgy -zSpDZYu6C62h3KSzMJxffDjy7/2t8oYbTzkLSamsHJJjLZw= ------END CERTIFICATE-----`) - - testPrivateKey = []byte(`-----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQCs9m1M9wDsprLFS7r0jhG0P7BfAvyJZfJ0U3e7F/VgSMRyWX/o -FZ/JUOAU0NDXISw0SJaW4jrmYJLaXem2vLCH1TOI21aa3LZMubRrMh0RcC/xgMnA -rSsL7l5L3MEsC7wfG9vRCDC0P97zZ2Lgt3meKqsZTgyYEbH0O5lDQfM5CwIDAQAB -AoGBAKlmVVirFqmw/qhDaqD4wBg0xI3Zw/Lh+Vu7ICoK5hVeT6DbTW3GOBAY+M8K -UXBSGhQ+/9ZZTmyyK0JZ9nw2RAG3lONU6wS41pZhB7F4siatZfP/JJfU6p+ohe8m -n22hTw4brY/8E/tjuki9T5e2GeiUPBhjbdECkkVXMYBPKDZhAkEA5h/b/HBcsIZZ -mL2d3dyWkXR/IxngQa4NH3124M8MfBqCYXPLgD7RDI+3oT/uVe+N0vu6+7CSMVx6 -INM67CuE0QJBAMBpKW54cfMsMya3CM1BfdPEBzDT5kTMqxJ7ez164PHv9CJCnL0Z -AuWgM/p2WNbAF1yHNxw1eEfNbUWwVX2yhxsCQEtnMQvcPWLSAtWbe/jQaL2scGQt -/F9JCp/A2oz7Cto3TXVlHc8dxh3ZkY/ShOO/pLb3KOODjcOCy7mpvOrZr6ECQH32 -WoFPqImhrfryaHi3H0C7XFnC30S7GGOJIy0kfI7mn9St9x50eUkKj/yv7YjpSGHy -w0lcV9npyleNEOqxLXECQBL3VRGCfZfhfFpL8z+5+HPKXw6FxWr+p5h8o3CZ6Yi3 -OJVN3Mfo6mbz34wswrEdMXn25MzAwbhFQvCVpPZrFwc= ------END RSA PRIVATE KEY-----`) + // testCertificate = []byte(`-----BEGIN CERTIFICATE----- + //MIIB/zCCAWgCCQDm3jV+lSF1AzANBgkqhkiG9w0BAQsFADBEMQswCQYDVQQGEwJB + //VTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28xDTALBgNV + 
//BAsMBE1RVFQwHhcNMjAwMTA0MjAzMzQyWhcNMjEwMTAzMjAzMzQyWjBEMQswCQYD + //VQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTERMA8GA1UECgwITW9jaGkgQ28x + //DTALBgNVBAsMBE1RVFQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKz2bUz3 + //AOymssVLuvSOEbQ/sF8C/Ill8nRTd7sX9WBIxHJZf+gVn8lQ4BTQ0NchLDRIlpbi + //OuZgktpd6ba8sIfVM4jbVprctky5tGsyHRFwL/GAycCtKwvuXkvcwSwLvB8b29EI + //MLQ/3vNnYuC3eZ4qqxlODJgRsfQ7mUNB8zkLAgMBAAEwDQYJKoZIhvcNAQELBQAD + //gYEAiMoKnQaD0F/J332arGvcmtbHmF2XZp/rGy3dooPug8+OPUSAJY9vTfxJwOsQ + //qN1EcI+kIgrGxzA3VRfVYV8gr7IX+fUYfVCaPGcDCfPvo/Ihu757afJRVvpafWgy + //zSpDZYu6C62h3KSzMJxffDjy7/2t8oYbTzkLSamsHJJjLZw= + //-----END CERTIFICATE-----`) + // + // testPrivateKey = []byte(`-----BEGIN RSA PRIVATE KEY----- + //MIICXAIBAAKBgQCs9m1M9wDsprLFS7r0jhG0P7BfAvyJZfJ0U3e7F/VgSMRyWX/o + //FZ/JUOAU0NDXISw0SJaW4jrmYJLaXem2vLCH1TOI21aa3LZMubRrMh0RcC/xgMnA + //rSsL7l5L3MEsC7wfG9vRCDC0P97zZ2Lgt3meKqsZTgyYEbH0O5lDQfM5CwIDAQAB + //AoGBAKlmVVirFqmw/qhDaqD4wBg0xI3Zw/Lh+Vu7ICoK5hVeT6DbTW3GOBAY+M8K + //UXBSGhQ+/9ZZTmyyK0JZ9nw2RAG3lONU6wS41pZhB7F4siatZfP/JJfU6p+ohe8m + //n22hTw4brY/8E/tjuki9T5e2GeiUPBhjbdECkkVXMYBPKDZhAkEA5h/b/HBcsIZZ + //mL2d3dyWkXR/IxngQa4NH3124M8MfBqCYXPLgD7RDI+3oT/uVe+N0vu6+7CSMVx6 + //INM67CuE0QJBAMBpKW54cfMsMya3CM1BfdPEBzDT5kTMqxJ7ez164PHv9CJCnL0Z + //AuWgM/p2WNbAF1yHNxw1eEfNbUWwVX2yhxsCQEtnMQvcPWLSAtWbe/jQaL2scGQt + ///F9JCp/A2oz7Cto3TXVlHc8dxh3ZkY/ShOO/pLb3KOODjcOCy7mpvOrZr6ECQH32 + //WoFPqImhrfryaHi3H0C7XFnC30S7GGOJIy0kfI7mn9St9x50eUkKj/yv7YjpSGHy + //w0lcV9npyleNEOqxLXECQBL3VRGCfZfhfFpL8z+5+HPKXw6FxWr+p5h8o3CZ6Yi3 + //OJVN3Mfo6mbz34wswrEdMXn25MzAwbhFQvCVpPZrFwc= + //-----END RSA PRIVATE KEY-----`) server = mqtt.New(&mqtt.Options{ //Capabilities: &mqtt.Capabilities{ 
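Review bot: The removed test certificate and RSA private key come straight back as a roughly thirty-line commented-out block inside the same `var (` group, which is dead code that still trips secret scanners and invites a later "just uncomment it" shortcut. Since the certificate pair is no longer referenced anywhere in the new code, delete the block outright; git history keeps the old value if it is ever needed again. The `var (` group continues past the end of this hunk with the `server = mqtt.New(...)` definition, so only the cert/key entries are affected.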
@@ -72,6 +74,9 @@ func main() {
 wsAddr := flag.String("ws", "", "network address for Websocket listener")
 infoAddr := flag.String("info", ":8080", "network address for web info dashboard listener")
 path := flag.String("path", "", "path to data auth file")
+ fullchain := flag.String("full_chain_path", "", "path to fullchain.pem certificate")
+ privkey := flag.String("private_key_path", "", "path to privkey.pem certificate")
+
 flag.Parse()
 sigs := make(chan os.Signal, 1)
@@ -104,25 +109,50 @@ func main() {
 }
 }
- //cert, err := tls.X509KeyPair(testCertificate, testPrivateKey)
- //if err != nil {
- // log.Fatal(err)
- //}
-
- // Basic TLS Config
- //tlsConfig := &tls.Config{
- // Certificates: []tls.Certificate{cert},
- //}
-
- if *tcpAddr != "" {
- //tcp := listeners.NewTCP("t1", *tcpAddr, &listeners.Config{
- // TLSConfig: tlsConfig,
- //})
- tcp := listeners.NewTCP("t1", *tcpAddr, nil)
- err := server.AddListener(tcp)
+ if *fullchain != "" && *privkey != "" {
+ chain, err := ioutil.ReadFile(*fullchain)
 if err != nil {
 log.Fatal(err)
 }
+
+ priv, err := ioutil.ReadFile(*fullchain)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ cert, err := tls.X509KeyPair(chain, priv)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ //Basic TLS Config
+ tlsConfig := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ }
+
+ if *tcpAddr != "" {
+ tcp := listeners.NewTCP("t1", *tcpAddr, &listeners.Config{
+ TLSConfig: tlsConfig,
+ })
+ err := server.AddListener(tcp)
+ if err != nil {
+ log.Fatal(err)
+ }
+ }
+
+ log.Println("Mqtt Broker is running with TLS")
+ } else {
+ if *tcpAddr != "" {
+ //tcp := listeners.NewTCP("t1", *tcpAddr, &listeners.Config{
+ // TLSConfig: tlsConfig,
+ //})
+ tcp := listeners.NewTCP("t1", *tcpAddr, nil)
+ err := server.AddListener(tcp)
+ if err != nil {
+ log.Fatal(err)
+ }
+ }
+ log.Println("Mqtt Broker is running without TLS, (it's dangerous)")
 }
 if *wsAddr != "" {
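Review bot: The private key is never read: `priv, err := ioutil.ReadFile(*fullchain)` in the second hunk loads the certificate chain a second time, so `tls.X509KeyPair(chain, priv)` cannot succeed and the `-private_key_path` flag is dead — it must be `priv, err := ioutil.ReadFile(*privkey)`. Two further gaps in the same branch: the new `tls.Config` sets no `MinVersion`, so the listener accepts whatever the Go default allows (TLS 1.0 on Go releases contemporary with this commit), and when only one of the two path flags is given the code silently falls through to the plaintext listener with nothing but a log line, which is easy to miss in a cloud deployment; `MinVersion: tls.VersionTLS12` and a fatal error for a half-configured pair close both. The listener setup is also duplicated across the two branches and can collapse to one `listeners.Config` selection plus a single `NewTCP` call, as below; `io/ioutil` has been deprecated since Go 1.16, so `os.ReadFile` (os is already imported) replaces it and the `"io/ioutil"` line added in the first main.go hunk should be dropped. main's body continues outside the hunk, and whether the WebSocket listener added after this block receives the TLS config is not visible here.
```go
	if (*fullchain == "") != (*privkey == "") {
		log.Fatal("-full_chain_path and -private_key_path must be set together")
	}

	var listenerCfg *listeners.Config
	if *fullchain != "" {
		chain, err := os.ReadFile(*fullchain)
		if err != nil {
			log.Fatal(err)
		}

		priv, err := os.ReadFile(*privkey)
		if err != nil {
			log.Fatal(err)
		}

		cert, err := tls.X509KeyPair(chain, priv)
		if err != nil {
			log.Fatal(err)
		}

		listenerCfg = &listeners.Config{
			TLSConfig: &tls.Config{
				Certificates: []tls.Certificate{cert},
				MinVersion:   tls.VersionTLS12,
			},
		}
		log.Println("Mqtt Broker is running with TLS")
	} else {
		log.Println("Mqtt Broker is running without TLS, (it's dangerous)")
	}

	if *tcpAddr != "" {
		tcp := listeners.NewTCP("t1", *tcpAddr, listenerCfg)
		if err := server.AddListener(tcp); err != nil {
			log.Fatal(err)
		}
	}
	// … unchanged: websocket and info listeners …
```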