feat: support MutualTLS. (#254)

* feat: support MutualTLS.

* chore: fix clippy warnings

Author: MikuSugar

lib/src/auth/mod.rs

@@ -5,6 +5,7 @@ pub enum ConnectionTLSConfig {
     None,
     ClientCACertificate(ClientCertificate),
     NoSSLValidation,
+    MutualTLS(MutualTLS),
 }
 
 #[derive(Debug, Clone, PartialEq)]
@@ -19,3 +20,24 @@ impl ClientCertificate {
         }
     }
 }
+
+#[derive(Debug, Clone, PartialEq)]
+pub struct MutualTLS {
+    pub(crate) cert_file: Option<PathBuf>,
+    pub(crate) client_cert: PathBuf,
+    pub(crate) client_key: PathBuf,
+}
+
+impl MutualTLS {
+    pub fn new(
+        cert_file: Option<impl AsRef<Path>>,
+        client_cert: impl AsRef<Path>,
+        client_key: impl AsRef<Path>,
+    ) -> Self {
+        MutualTLS {
+            cert_file: cert_file.map(|p| p.as_ref().to_path_buf()),
+            client_cert: client_cert.as_ref().to_path_buf(),
+            client_key: client_key.as_ref().to_path_buf(),
+        }
+    }
+}

lib/src/config.rs

@@ -1,4 +1,4 @@
-use crate::auth::{ClientCertificate, ConnectionTLSConfig};
+use crate::auth::{ClientCertificate, ConnectionTLSConfig, MutualTLS};
 use crate::errors::{Error, Result};
 #[cfg(feature = "unstable-bolt-protocol-impl-v2")]
 use serde::{Deserialize, Deserializer, Serialize};
@@ -159,6 +159,18 @@ impl ConfigBuilder {
         self
     }
 
+    //Used for bidirectional authentication
+    pub fn with_mutual_tls_validation(
+        mut self,
+        client_cert: Option<impl AsRef<Path>>,
+        ssl_cert: impl AsRef<Path>,
+        ssl_key: impl AsRef<Path>,
+    ) -> Self {
+        self.tls_config =
+            ConnectionTLSConfig::MutualTLS(MutualTLS::new(client_cert, ssl_cert, ssl_key));
+        self
+    }
+
     /// Skip SSL validation. This is not recommended for production use.
     /// This is true by default when connecting to the server using `neo4j+ssc` or 'bolt+ssc' schemes.
     pub fn skip_ssl_validation(mut self) -> Self {

lib/src/connection.rs

@@ -401,7 +401,10 @@ impl ConnectionInfo {
             .then(|| {
                 // do not apply validation if using a self-signed certificate,as the documentation suggests
                 let config = if !validation {
-                    &ConnectionTLSConfig::NoSSLValidation
+                    match tls_config {
+                        ConnectionTLSConfig::MutualTLS(_) => tls_config,
+                        _ => &ConnectionTLSConfig::NoSSLValidation,
+                    }
                 } else {
                     tls_config
                 };
@@ -477,6 +480,31 @@ impl ConnectionInfo {
                 .dangerous()
                 .with_custom_certificate_verifier(Arc::new(NoCertificateVerification))
                 .with_no_client_auth(),
+            ConnectionTLSConfig::MutualTLS(mutual) => {
+                let cert_file = File::open(&mutual.client_cert)?;
+                let mut cert_reader = BufReader::new(cert_file);
+                let cert_certs = rustls_pemfile::certs(&mut cert_reader).flatten();
+
+                let cert_key = File::open(&mutual.client_key)?;
+                let mut key_reader = BufReader::new(cert_key);
+                let keys = rustls_pemfile::private_key(&mut key_reader);
+                let keys = keys?.unwrap();
+                if mutual.cert_file.is_some() {
+                    let root_cert_file = File::open(mutual.cert_file.as_ref().unwrap())?;
+                    let mut root_reader = BufReader::new(root_cert_file);
+                    let root_certs = rustls_pemfile::certs(&mut root_reader).flatten();
+                    root_cert_store.add_parsable_certificates(root_certs);
+                    builder
+                        .with_root_certificates(root_cert_store)
+                        .with_client_auth_cert(cert_certs.collect(), keys)
+                        .map_err(|_e| Error::ConnectionError)?
+                } else {
+                    builder
+                        .with_root_certificates(RootCertStore::empty())
+                        .with_client_auth_cert(cert_certs.collect(), keys)
+                        .map_err(|_e| Error::ConnectionError)?
+                }
+            }
         };
 
         let config = Arc::new(config);