Merge pull request #63 from haohanyang/add-tls-support

Add TLS support

Author: haohanyang

.github/workflows/ci.yml

@@ -142,9 +142,19 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+      - name: Create fake plugin metadata
+        id: create-fake-metadata
+        run: |
+          tmpfile=$(mktemp -d)
+          sed 's/>=10.4.0/\^11.x/g' src/plugin.json > $tmpfile/plugin.json
+          echo "fake_plugin_dir=$tmpfile" >> $GITHUB_OUTPUT
       - name: Resolve Grafana E2E versions
         id: resolve-versions
         uses: grafana/plugin-actions/e2e-version@main
+        with:
+          skip-grafana-dev-image: true
+          limit: 1
+          plugin-directory: ${{ steps.create-fake-metadata.outputs.fake_plugin_dir }}
 
   playwright-tests:
     needs: [resolve-versions, build]
@@ -180,6 +190,7 @@ jobs:
 
       - name: Start Grafana
         run: |
+          bash scripts/cert-gen.sh mongo-tls-auth
           docker compose -f docker-compose.test.yaml pull
           DEVELOPMENT=false GRAFANA_VERSION=${{ matrix.GRAFANA_IMAGE.VERSION }} GRAFANA_IMAGE=${{ matrix.GRAFANA_IMAGE.NAME }} docker compose -f docker-compose.test.yaml up -d
 

.gitignore

@@ -43,4 +43,5 @@ venv/
 mongodb-datasource/
 grafana-storage/
 
-mongo-docs/
+mongo-docs/
+certs/

docker-compose.test.yaml

@@ -20,6 +20,7 @@ services:
       - ./dist:/var/lib/grafana/plugins/haohanyang-mongodb-datasource
       - ./provisioning:/etc/grafana/provisioning
       - .:/root/haohanyang-mongodb-datasource
+      - ./certs:/certs
 
     environment:
       NODE_ENV: development
@@ -49,6 +50,18 @@ services:
     networks:
       - mongodb-datasource
 
+  mongo-tls-auth:
+    image: mongo
+    container_name: mongodb-datasource-mongo-tls-auth
+    command: [--config, /etc/mongo/mongod.conf]
+    ports:
+      - 27020:27017
+    volumes:
+      - ./certs:/certs
+      - ./mongod.conf:/etc/mongo/mongod.conf
+    networks:
+      - mongodb-datasource
+
 networks:
   mongodb-datasource:
     driver: bridge

mongod.conf

@@ -0,0 +1,6 @@
+# TLS/SSL Configuration
+net:
+   tls:
+      mode: requireTLS
+      certificateKeyFile: /certs/mongodb.pem
+      CAFile: /certs/ca.pem

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "mongodb-datasource",
-  "version": "0.3.2",
+  "version": "0.4.0-alpha.0",
   "scripts": {
     "build": "webpack -c ./webpack.config.ts --env production",
     "dev": "webpack -w -c ./webpack.config.ts --env development",
@@ -32,6 +32,7 @@
     "@types/react-router-dom": "^5.2.0",
     "@types/testing-library__jest-dom": "5.14.8",
     "@types/validator": "^13.15.0",
+    "bson": "^6.10.4",
     "copy-webpack-plugin": "^11.0.0",
     "css-loader": "^6.7.3",
     "eslint-plugin-deprecation": "^2.0.0",

package.json

@@ -15,11 +15,15 @@ type PluginSettings struct {
 	Username               string                `json:"username"`
 	ConnectionStringScheme string                `json:"connectionStringScheme"`
 	ConnectionParameters   string                `json:"connectionParameters"`
+	CaCertPath             string                `json:"caCertPath"`
+	ClientCertPath         string                `json:"clientCertPath"` // public client certificate
+	ClientKeyPath          string                `json:"clientKeyPath"`  // private client key
 	Secrets                *SecretPluginSettings `json:"-"`
 }
 
 type SecretPluginSettings struct {
-	Password string `json:"password"`
+	Password          string `json:"password"`
+	ClientKeyPassword string `json:"clientKeyPassword"`
 }
 
 func LoadPluginSettings(source backend.DataSourceInstanceSettings) (*PluginSettings, error) {
@@ -36,6 +40,7 @@ func LoadPluginSettings(source backend.DataSourceInstanceSettings) (*PluginSetti
 
 func loadSecretPluginSettings(source map[string]string) *SecretPluginSettings {
 	return &SecretPluginSettings{
-		Password: source["password"],
+		Password:          source["password"],
+		ClientKeyPassword: source["clientKeyPassword"],
 	}
 }

pkg/models/settings.go

@@ -2,8 +2,12 @@ package plugin
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"time"
 
@@ -44,6 +48,16 @@ func NewDatasource(ctx context.Context, source backend.DataSourceInstanceSetting
 
 	opts := options.Client().ApplyURI(uri)
 
+	if config.AuthMethod == "auth-tls" {
+		// TLS setup
+		tlsConfig, err := tlsSetup(config)
+		if err != nil {
+			backend.Logger.Error("Failed to setup TLS", "error", err)
+			return nil, err
+		}
+		opts.SetTLSConfig(tlsConfig)
+	}
+
 	client, err := mongo.Connect(ctx, opts)
 	if err != nil {
 		backend.Logger.Error(fmt.Sprintf("Failed to connect to db: %s", err.Error()))
@@ -63,6 +77,39 @@ func (d *Datasource) Dispose() {
 	d.client.Disconnect(context.TODO())
 }
 
+func tlsSetup(config *models.PluginSettings) (*tls.Config, error) {
+	caFile := config.CaCertPath
+	certFile := config.ClientCertPath
+	keyFile := config.ClientKeyPath
+
+	if caFile == "" || certFile == "" || keyFile == "" {
+		return nil, errors.New("CA certificate, client certificate or client key file path is missing")
+	}
+
+	// Loads CA certificate file
+	caCert, err := os.ReadFile(caFile)
+	if err != nil {
+		return nil, err
+	}
+	caCertPool := x509.NewCertPool()
+	if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+		return nil, errors.New("CA file must be in PEM format")
+	}
+	// Loads client certificate files
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConfig := &tls.Config{
+		RootCAs:      caCertPool,
+		Certificates: []tls.Certificate{cert},
+	}
+
+	return tlsConfig, nil
+}
+
 // QueryData handles multiple queries and returns multiple responses.
 // req contains the queries []DataQuery (where each query contains RefID as a unique identifier).
 // The QueryDataResponse contains a map of RefID to the response for each query, and each response
@@ -206,6 +253,20 @@ func (d *Datasource) CheckHealth(ctx context.Context, req *backend.CheckHealthRe
 	}
 
 	opts := options.Client().ApplyURI(uri).SetTimeout(5 * time.Second)
+
+	if config.AuthMethod == "auth-tls" {
+		// TLS setup
+		tlsConfig, err := tlsSetup(config)
+		if err != nil {
+			backend.Logger.Error("Failed to setup TLS", "error", err)
+
+			res.Status = backend.HealthStatusError
+			res.Message = err.Error()
+			return res, nil
+		}
+		opts.SetTLSConfig(tlsConfig)
+	}
+
 	client, err := mongo.Connect(ctx, opts)
 	if err != nil {
 		res.Status = backend.HealthStatusError

pkg/plugin/datasource.go

@@ -79,14 +79,17 @@ func MongoUri(config *models.PluginSettings) (string, error) {
 			return uri, errors.New("missing MongoDB username or password")
 		}
 		creds = fmt.Sprintf("%s:%s@", config.Username, config.Secrets.Password)
-	} else if config.AuthMethod != "auth-none" {
-		return uri, errors.New("unsupported auth method")
 	}
 
 	if config.ConnectionParameters != "" {
 		params = "?" + config.ConnectionParameters
 	}
 
+	// TLS passphrase
+	if config.AuthMethod == "auth-tls" && config.Secrets.ClientKeyPassword != "" {
+		params += "&sslClientCertificateKeyPassword=" + config.Secrets.ClientKeyPassword
+	}
+
 	if config.ConnectionStringScheme == "dns_seed_list" {
 		uri = fmt.Sprintf("mongodb+srv://%s%s/%s", creds, config.Host, params)
 	} else {

pkg/plugin/utils.go

@@ -0,0 +1,59 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+func main() {
+
+	caFile := "certs/ca.pem"
+	certFile := "certs/mongodb.crt" // public client certificate
+	keyFile := "certs/mongodb.pem"  // private client key
+	passPhrase := "123"             // private client key passphrase
+
+	// Loads CA certificate file
+	caCert, err := os.ReadFile(caFile)
+	if err != nil {
+		panic(err)
+	}
+	caCertPool := x509.NewCertPool()
+	if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+		panic("Error: CA file must be in PEM format")
+	}
+	// Loads client certificate files
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+
+	if err != nil {
+		panic(err)
+	}
+	// Instantiates a Config instance
+	tlsConfig := &tls.Config{
+		RootCAs:      caCertPool,
+		Certificates: []tls.Certificate{cert},
+	}
+	uri := "mongodb://localhost:27017/?tls=true&tlsAllowInvalidCertificates=true&sslClientCertificateKeyPassword=" + passPhrase
+	// Sets TLS options in options instance
+	opts := options.Client().ApplyURI(uri).SetTLSConfig(tlsConfig)
+
+	ctx := context.TODO()
+	client, err := mongo.Connect(ctx, opts)
+
+	if err != nil {
+		panic(err)
+	}
+	defer client.Disconnect(ctx)
+
+	err = client.Ping(ctx, nil)
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println("Connected to MongoDB!")
+}