Add tls conn in datasource

Author: haohanyang

pkg/models/settings.go

@@ -15,11 +15,15 @@ type PluginSettings struct {
 	Username               string                `json:"username"`
 	ConnectionStringScheme string                `json:"connectionStringScheme"`
 	ConnectionParameters   string                `json:"connectionParameters"`
+	CaCertPath             string                `json:"caCertPath"`
+	ClientCertPath         string                `json:"clientCertPath"` // public client certificate
+	ClientKeyPath          string                `json:"clientKeyPath"`  // private client key
 	Secrets                *SecretPluginSettings `json:"-"`
 }
 
 type SecretPluginSettings struct {
-	Password string `json:"password"`
+	Password          string `json:"password"`
+	ClientKeyPassword string `json:"clientKeyPassword"`
 }
 
 func LoadPluginSettings(source backend.DataSourceInstanceSettings) (*PluginSettings, error) {
@@ -36,6 +40,7 @@ func LoadPluginSettings(source backend.DataSourceInstanceSettings) (*PluginSetti
 
 func loadSecretPluginSettings(source map[string]string) *SecretPluginSettings {
 	return &SecretPluginSettings{
-		Password: source["password"],
+		Password:          source["password"],
+		ClientKeyPassword: source["clientKeyPassword"],
 	}
 }

pkg/plugin/datasource.go

@@ -2,8 +2,12 @@ package plugin
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"time"
 
@@ -44,6 +48,16 @@ func NewDatasource(ctx context.Context, source backend.DataSourceInstanceSetting
 
 	opts := options.Client().ApplyURI(uri)
 
+	if config.AuthMethod == "auth-tls-ssl" {
+		// TLS setup
+		tlsConfig, err := tlsSetup(config)
+		if err != nil {
+			backend.Logger.Error("Failed to setup TLS", "error", err)
+			return nil, err
+		}
+		opts.SetTLSConfig(tlsConfig)
+	}
+
 	client, err := mongo.Connect(ctx, opts)
 	if err != nil {
 		backend.Logger.Error(fmt.Sprintf("Failed to connect to db: %s", err.Error()))
@@ -63,6 +77,35 @@ func (d *Datasource) Dispose() {
 	d.client.Disconnect(context.TODO())
 }
 
+func tlsSetup(config *models.PluginSettings) (*tls.Config, error) {
+	caFile := config.CaCertPath
+	certFile := config.ClientCertPath
+	keyFile := config.ClientKeyPath
+
+	// Loads CA certificate file
+	caCert, err := os.ReadFile(caFile)
+	if err != nil {
+		return nil, err
+	}
+	caCertPool := x509.NewCertPool()
+	if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+		return nil, errors.New("CA file must be in PEM format")
+	}
+	// Loads client certificate files
+	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+
+	if err != nil {
+		return nil, err
+	}
+
+	tlsConfig := &tls.Config{
+		RootCAs:      caCertPool,
+		Certificates: []tls.Certificate{cert},
+	}
+
+	return tlsConfig, nil
+}
+
 // QueryData handles multiple queries and returns multiple responses.
 // req contains the queries []DataQuery (where each query contains RefID as a unique identifier).
 // The QueryDataResponse contains a map of RefID to the response for each query, and each response

pkg/plugin/utils.go

@@ -87,6 +87,11 @@ func MongoUri(config *models.PluginSettings) (string, error) {
 		params = "?" + config.ConnectionParameters
 	}
 
+	// TLS passphrase
+	if config.AuthMethod == "auth-tls-ssl" && config.Secrets.ClientKeyPassword != "" {
+		params += "&sslClientCertificateKeyPassword=" + config.Secrets.ClientKeyPassword
+	}
+
 	if config.ConnectionStringScheme == "dns_seed_list" {
 		uri = fmt.Sprintf("mongodb+srv://%s%s/%s", creds, config.Host, params)
 	} else {

src/components/ConfigEditor.tsx

@@ -8,10 +8,6 @@ import {
   Input,
   RadioButtonGroup,
   SecretInput,
-  FileUpload,
-  FileDropzone,
-  InlineLabel,
-  Label,
   Checkbox,
 } from '@grafana/ui';
 import { DataSourcePluginOptionsEditorProps, SelectableValue } from '@grafana/data';
@@ -22,7 +18,7 @@ import {
   ConnectionStringScheme,
 } from '../types';
 
-interface Props extends DataSourcePluginOptionsEditorProps<MongoDataSourceOptions, MongoDataSourceSecureJsonData> {}
+interface Props extends DataSourcePluginOptionsEditorProps<MongoDataSourceOptions, MongoDataSourceSecureJsonData> { }
 
 const mongoDBAuthMethods: SelectableValue[] = [
   { label: 'None', value: MongoDBAuthMethod.NONE },
@@ -231,10 +227,50 @@ export function ConfigEditor(props: Props) {
 
       {jsonData.authType === MongoDBAuthMethod.TLS_SSL && (
         <>
-          <Label>Certificate Authority (.pem)</Label>
-          <FileDropzone options={{ multiple: false }} onLoad={(result) => console.log(result)} />
-          <Label>Client Certificate and Key (.pem)</Label>
-          <FileDropzone options={{ multiple: false }} onLoad={(result) => console.log(result)} />
+          <Field label="Certificate Authority">
+            <Input
+              required
+              id="config-editor-tls-ca"
+              value={jsonData.caCertPath}
+              onChange={(evt: ChangeEvent<HTMLInputElement>) => onOptionsChange({
+                ...options,
+                jsonData: {
+                  ...jsonData,
+                  caCertPath: evt.target.value,
+                },
+              })}
+
+            ></Input>
+          </Field>
+          <Field label="Client Certificate" description="Path to public client certificate (.pem)">
+            <Input
+              required
+              id="config-editor-tls-cc"
+              value={jsonData.clientCertPath}
+              onChange={(evt: ChangeEvent<HTMLInputElement>) => onOptionsChange({
+                ...options,
+                jsonData: {
+                  ...jsonData,
+                  clientCertPath: evt.target.value,
+                },
+              })}
+
+            ></Input>
+          </Field>
+          <Field label="Client Key" description="Path to private client key (.pem)">
+            <Input
+              required
+              id="config-editor-tls-ck"
+              value={jsonData.clientKeyPath}
+              onChange={(evt: ChangeEvent<HTMLInputElement>) => onOptionsChange({
+                ...options,
+                jsonData: {
+                  ...jsonData,
+                  clientKeyPath: evt.target.value,
+                },
+              })}
+            ></Input>
+          </Field>
           <Field label="Client Key Password">
             <SecretInput
               required
@@ -286,7 +322,8 @@ export function ConfigEditor(props: Props) {
             description="Disable the validation of the server certificates."
           />
         </>
-      )}
+      )
+      }
     </>
   );
 }

src/types.ts

@@ -50,22 +50,24 @@ export interface JsQueryResult {
 export const MongoDBAuthMethod = {
   NONE: 'auth-none',
   USERNAME_PASSWORD: 'auth-username-password',
-  TLS_SSL: 'auto-tls-ssl'
+  TLS_SSL: 'auth-tls-ssl',
 };
 
 export const ConnectionStringScheme = {
   STANDARD: 'standard',
   DNS_SEED_LIST: 'dns_seed_list',
 };
 
-
 export interface MongoDataSourceOptions extends DataSourceJsonData {
   connectionStringScheme?: string;
   host?: string;
   port?: number;
   database?: string;
   username?: string;
   connectionParameters?: string;
+  caCertPath?: string;
+  clientCertPath?: string;
+  clientKeyPath?: string;
 }
 
 export interface MongoDataSourceSecureJsonData {