Add CA cert option for MQTT TLS connection (#103)

Author: siscia

cmd/lora-app-server/main.go

@@ -175,7 +175,7 @@ func mustGetContext(c *cli.Context) common.Context {
 	rp := storage.NewRedisPool(c.String("redis-url"))
 
 	// setup mqtt handler
-	h, err := handler.NewMQTTHandler(rp, c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"))
+	h, err := handler.NewMQTTHandler(rp, c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert"))
 	if err != nil {
 		log.Fatalf("setup mqtt handler error: %s", err)
 	}
@@ -400,6 +400,11 @@ func main() {
 			Usage:  "mqtt server password (optional)",
 			EnvVar: "MQTT_PASSWORD",
 		},
+		cli.StringFlag{
+			Name:   "mqtt-ca-cert",
+			Usage:  "mqtt CA certificate file used by the gateway backend (optional)",
+			EnvVar: "MQTT_CA_CERT",
+		},
 		cli.StringFlag{
 			Name:   "ca-cert",
 			Usage:  "ca certificate used by the api server (optional)",

docs/content/install/config.md

@@ -19,6 +19,7 @@ GLOBAL OPTIONS:
    --mqtt-server value         mqtt server (e.g. scheme://host:port where scheme is tcp, ssl or ws) (default: "tcp://localhost:1883") [$MQTT_SERVER]
    --mqtt-username value       mqtt server username (optional) [$MQTT_USERNAME]
    --mqtt-password value       mqtt server password (optional) [$MQTT_PASSWORD]
+   --mqtt-ca-cert              mqtt CA certificate file used by the gateway backend (optional) [$MQTT_CA_CERT]
    --ca-cert value             ca certificate used by the api server (optional) [$CA_CERT]
    --tls-cert value            tls certificate used by the api server (optional) [$TLS_CERT]
    --tls-key value             tls key used by the api server (optional) [$TLS_KEY]

internal/handler/mqtt_handler.go

@@ -2,9 +2,12 @@ package handler
 
 import (
 	"bytes"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"regexp"
 	"strconv"
 	"sync"
@@ -53,7 +56,7 @@ type ErrorNotification struct {
 }
 
 // NewMQTTHandler creates a new MQTTHandler.
-func NewMQTTHandler(p *redis.Pool, server, username, password string) (Handler, error) {
+func NewMQTTHandler(p *redis.Pool, server, username, password, cafile string) (Handler, error) {
 	h := MQTTHandler{
 		dataDownChan: make(chan DataDownPayload),
 		redisPool:    p,
@@ -66,6 +69,15 @@ func NewMQTTHandler(p *redis.Pool, server, username, password string) (Handler,
 	opts.SetOnConnectHandler(h.onConnected)
 	opts.SetConnectionLostHandler(h.onConnectionLost)
 
+	if cafile != "" {
+		tlsconfig, err := newTLSConfig(cafile)
+		if err != nil {
+			log.Fatalf("Error with the mqtt CA certificate: %s", err)
+		} else {
+			opts.SetTLSConfig(tlsconfig)
+		}
+	}
+
 	log.WithField("server", server).Info("handler/mqtt: connecting to mqtt broker")
 	h.conn = mqtt.NewClient(opts)
 	for {
@@ -79,6 +91,25 @@ func NewMQTTHandler(p *redis.Pool, server, username, password string) (Handler,
 	return &h, nil
 }
 
+func newTLSConfig(cafile string) (*tls.Config, error) {
+	// Import trusted certificates from CAfile.pem.
+
+	cert, err := ioutil.ReadFile(cafile)
+	if err != nil {
+		log.Errorf("backend: couldn't load cafile: %s", err)
+		return nil, err
+	}
+
+	certpool := x509.NewCertPool()
+	certpool.AppendCertsFromPEM(cert)
+
+	// Create tls.Config with desired tls properties
+	return &tls.Config{
+		// RootCAs = certs used to verify server cert.
+		RootCAs: certpool,
+	}, nil
+}
+
 // Close stops the handler.
 func (h *MQTTHandler) Close() error {
 	log.Info("handler/mqtt: closing handler")

internal/handler/mqtt_handler_test.go

@@ -26,7 +26,7 @@ func TestMQTTHandler(t *testing.T) {
 		test.MustFlushRedis(p)
 
 		Convey("Given a new MQTTHandler", func() {
-			handler, err := NewMQTTHandler(p, conf.MQTTServer, conf.MQTTUsername, conf.MQTTPassword)
+			handler, err := NewMQTTHandler(p, conf.MQTTServer, conf.MQTTUsername, conf.MQTTPassword, "")
 			So(err, ShouldBeNil)
 			defer handler.Close()
 			time.Sleep(time.Millisecond * 100) // give the backend some time to connect