config, live: Add live backend vars to config, use mTLS for AMQP prod connection

Author: justinclift

api/main.go

@@ -81,7 +81,8 @@ func main() {
 	}
 
 	// Connect to MQ server
-	com.AmqpChan, err = com.ConnectMQ("api server")
+	com.NodeName = "API server"
+	com.AmqpChan, err = com.ConnectMQ()
 	if err != nil {
 		log.Fatal(err)
 	}

build_dbhub.sh

@@ -53,10 +53,14 @@ if [ -d "${GOBIN}" ]; then
   cd api
   go install .
   cd ..
-  echo "Compiling DBHub.io DB4S API executable"
+  echo "Compiling DBHub.io DB4S end point executable"
   cd db4s
   go install .
   cd ..
+  echo "Compiling DBHub.io Live executable"
+  cd live
+  go install .
+  cd ..
   echo "Compiling DBHub.io web User Interface executable"
   cd webui
   go install .

common/config_types.go

@@ -0,0 +1,134 @@
+package common
+
+import "time"
+
+// TomlConfig is a top level structure containing the server configuration information
+type TomlConfig struct {
+	Api         ApiInfo
+	Auth0       Auth0Info
+	DB4S        DB4SInfo
+	Environment EnvInfo
+	DiskCache   DiskCacheInfo
+	Event       EventProcessingInfo
+	Licence     LicenceInfo
+	Live        LiveInfo
+	Memcache    MemcacheInfo
+	Minio       MinioInfo
+	MQ          MQInfo
+	Pg          PGInfo
+	Sign        SigningInfo
+	Web         WebInfo
+}
+
+// ApiInfo contains configuration info for the API daemon
+type ApiInfo struct {
+	BaseDir        string `toml:"base_dir"`
+	BindAddress    string `toml:"bind_address"`
+	Certificate    string `toml:"certificate"`
+	CertificateKey string `toml:"certificate_key"`
+	RequestLog     string `toml:"request_log"`
+	ServerName     string `toml:"server_name"`
+}
+
+// Auth0Info contains the Auth0 connection info used authenticating webUI users
+type Auth0Info struct {
+	ClientID     string
+	ClientSecret string
+	Domain       string
+}
+
+// DB4SInfo contains configuration info for the DB4S end point daemon
+type DB4SInfo struct {
+	CAChain        string `toml:"ca_chain"`
+	Certificate    string
+	CertificateKey string `toml:"certificate_key"`
+	Debug          bool
+	Port           int
+	Server         string
+}
+
+// DiskCacheInfo contains the path to the root of the local disk cache
+type DiskCacheInfo struct {
+	Directory string
+}
+
+// EnvInfo holds information about the purpose of the running server.  eg "is this a production, docker,
+// or development" instance?
+type EnvInfo struct {
+	Environment       string
+	UserOverride      string   `toml:"user_override"`
+	SizeOverrideUsers []string `toml:"size_override_users"` // List of users allowed to override the database upload size limits
+}
+
+// EventProcessingInfo hold configuration for the event processing loop
+type EventProcessingInfo struct {
+	Delay                     time.Duration `toml:"delay"`
+	EmailQueueProcessingDelay time.Duration `toml:"email_queue_processing_delay"`
+	Smtp2GoKey                string        `toml:"smtp2go_key"` // The SMTP2GO API key
+}
+
+// LicenceInfo -> LicenceDir holds the path to the licence files
+type LicenceInfo struct {
+	LicenceDir string `toml:"licence_dir"`
+}
+
+// LiveInfo holds configuration info for the Live database daemon
+type LiveInfo struct {
+	Nodename   string `toml:"node_name"`
+	StorageDir string `toml:"storage_dir"`
+}
+
+// MemcacheInfo contains the Memcached configuration parameters
+type MemcacheInfo struct {
+	DefaultCacheTime    int           `toml:"default_cache_time"`
+	Server              string        `toml:"server"`
+	ViewCountFlushDelay time.Duration `toml:"view_count_flush_delay"`
+}
+
+// MinioInfo contains the Minio connection parameters
+type MinioInfo struct {
+	AccessKey string `toml:"access_key"`
+	HTTPS     bool
+	Secret    string
+	Server    string
+}
+
+// MQInfo contains the AMQP backend connection configuration info
+type MQInfo struct {
+	CertFile string `toml:"cert_file"`
+	KeyFile  string `toml:"key_file"`
+	Password string `toml:"password"`
+	Port     int    `toml:"port"`
+	Server   string `toml:"server"`
+	Username string `toml:"username"`
+}
+
+// PGInfo contains the PostgreSQL connection parameters
+type PGInfo struct {
+	Database       string
+	NumConnections int `toml:"num_connections"`
+	Port           int
+	Password       string
+	Server         string
+	SSL            bool
+	Username       string
+}
+
+// SigningInfo contains the info used for signing DB4S client certificates
+type SigningInfo struct {
+	CertDaysValid    int    `toml:"cert_days_valid"`
+	Enabled          bool   `toml:"enabled"`
+	IntermediateCert string `toml:"intermediate_cert"`
+	IntermediateKey  string `toml:"intermediate_key"`
+}
+
+// WebInfo contains configuration info for the webUI daemon
+type WebInfo struct {
+	BaseDir              string `toml:"base_dir"`
+	BindAddress          string `toml:"bind_address"`
+	Certificate          string `toml:"certificate"`
+	CertificateKey       string `toml:"certificate_key"`
+	RequestLog           string `toml:"request_log"`
+	ServerName           string `toml:"server_name"`
+	SessionStorePassword string `toml:"session_store_password"`
+}

common/live.go

@@ -2,6 +2,7 @@ package common
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -106,30 +107,46 @@ func CloseMQConnection(connection *amqp.Connection) (err error) {
 }
 
 // ConnectMQ creates a connection to the backend MQ server
-func ConnectMQ(nodeName string) (channel *amqp.Channel, err error) {
+func ConnectMQ() (channel *amqp.Channel, err error) {
 	var conn *amqp.Connection
 	if Conf.Environment.Environment == "production" {
-		// Force use of TLS in production
-		conn, err = amqp.Dial(fmt.Sprintf("amqps://%s:%s@%s:%d/", Conf.MQ.Username, Conf.MQ.Password, Conf.MQ.Server, Conf.MQ.Port))
+		// If certificate/key files have been provided, then we can use mutual TLS (mTLS)
+		// TODO: Getting mTLS working was pretty easy with Lets Encrypt certs.  Do we still need the server-only TLS
+		//       fallback below?
+		if Conf.MQ.CertFile != "" && Conf.MQ.KeyFile != "" {
+			var cert tls.Certificate
+			cert, err = tls.LoadX509KeyPair(Conf.MQ.CertFile, Conf.MQ.KeyFile)
+			if err != nil {
+				return
+			}
+			cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+			conn, err = amqp.DialTLS(fmt.Sprintf("amqps://%s:%s@%s:%d/", Conf.MQ.Username, Conf.MQ.Password, Conf.MQ.Server, Conf.MQ.Port), cfg)
+			if err != nil {
+				return
+			}
+			log.Printf("%s connected to AMQP server using mutual TLS (mTLS): %v:%d\n", NodeName, Conf.MQ.Server, Conf.MQ.Port)
+		} else {
+			// Fallback to just verifying the server certs for TLS
+			conn, err = amqp.Dial(fmt.Sprintf("amqps://%s:%s@%s:%d/", Conf.MQ.Username, Conf.MQ.Password, Conf.MQ.Server, Conf.MQ.Port))
+			if err != nil {
+				return
+			}
+			log.Printf("%s connected to AMQP server with server-only TLS: %v:%d\n", NodeName, Conf.MQ.Server, Conf.MQ.Port)
+		}
 	} else {
 		// Everywhere else (eg docker container) doesn't *have* to use TLS
 		conn, err = amqp.Dial(fmt.Sprintf("amqp://%s:%s@%s:%d/", Conf.MQ.Username, Conf.MQ.Password, Conf.MQ.Server, Conf.MQ.Port))
-	}
-	if err != nil {
-		return
+		if err != nil {
+			return
+		}
+		log.Printf("%s connected to AMQP server without encryption: %v:%d\n", NodeName, Conf.MQ.Server, Conf.MQ.Port)
 	}
 
 	channel, err = conn.Channel()
-	if err != nil {
-		return
-	}
-
-	// Log successful connection
-	log.Printf("'%s' connected to AMQP server: %v:%d\n", nodeName, Conf.MQ.Server, Conf.MQ.Port)
 	return
 }
 
-// LiveCreateDB requests the AMQP backend to create a new live SQLite database
+// LiveCreateDB requests the AMQP backend create a new live SQLite database
 func LiveCreateDB(channel *amqp.Channel, dbOwner, dbName string) (err error) {
 	// Send the database setup request to our AMQP backend
 	var rawResponse []byte

common/types.go

@@ -87,134 +87,6 @@ const (
 	DBTypeLive
 )
 
-// ************************
-// Configuration file types
-
-// TomlConfig is a top level structure containing the server configuration info
-type TomlConfig struct {
-	Api         ApiInfo
-	Auth0       Auth0Info
-	DB4S        DB4SInfo
-	Environment EnvInfo
-	DiskCache   DiskCacheInfo
-	Event       EventProcessingInfo
-	Licence     LicenceInfo
-	Memcache    MemcacheInfo
-	Minio       MinioInfo
-	MQ          MQInfo
-	Pg          PGInfo
-	Sign        SigningInfo
-	Web         WebInfo
-}
-
-// ApiInfo contains configuration info for the API daemon
-type ApiInfo struct {
-	BaseDir        string `toml:"base_dir"`
-	BindAddress    string `toml:"bind_address"`
-	Certificate    string `toml:"certificate"`
-	CertificateKey string `toml:"certificate_key"`
-	RequestLog     string `toml:"request_log"`
-	ServerName     string `toml:"server_name"`
-}
-
-// Auth0Info contains the Auth0 connection info used authenticating webUI users
-type Auth0Info struct {
-	ClientID     string
-	ClientSecret string
-	Domain       string
-}
-
-// DB4SInfo contains configuration info for the DB4S end point daemon
-type DB4SInfo struct {
-	CAChain        string `toml:"ca_chain"`
-	Certificate    string
-	CertificateKey string `toml:"certificate_key"`
-	Debug          bool
-	Port           int
-	Server         string
-}
-
-// DiskCacheInfo contains the path to the root of the local disk cache
-type DiskCacheInfo struct {
-	Directory string
-}
-
-// EnvInfo holds information about the purpose of the running server.  eg "is this a production, docker,
-// or development" instance?
-type EnvInfo struct {
-	Environment       string
-	UserOverride      string   `toml:"user_override"`
-	SizeOverrideUsers []string `toml:"size_override_users"` // List of users allowed to override the database upload size limits
-}
-
-// EventProcessingInfo hold configuration for the event processing loop
-type EventProcessingInfo struct {
-	Delay                     time.Duration `toml:"delay"`
-	EmailQueueProcessingDelay time.Duration `toml:"email_queue_processing_delay"`
-	Smtp2GoKey                string        `toml:"smtp2go_key"` // The SMTP2GO API key
-}
-
-// LicenceDir holds the path to the licence files
-type LicenceInfo struct {
-	LicenceDir string `toml:"licence_dir"`
-}
-
-// MemcacheInfo contains the Memcached configuration parameters
-type MemcacheInfo struct {
-	DefaultCacheTime    int           `toml:"default_cache_time"`
-	Server              string        `toml:"server"`
-	ViewCountFlushDelay time.Duration `toml:"view_count_flush_delay"`
-}
-
-// MinioInfo contains the Minio connection parameters
-type MinioInfo struct {
-	AccessKey string `toml:"access_key"`
-	HTTPS     bool
-	Secret    string
-	Server    string
-}
-
-// MQInfo contains the AMQP backend connection parameters
-type MQInfo struct {
-	Password string `toml:"password"`
-	Port     int    `toml:"port"`
-	Server   string `toml:"server"`
-	Username string `toml:"username"`
-}
-
-// PGInfo contains the PostgreSQL connection parameters
-type PGInfo struct {
-	Database       string
-	NumConnections int `toml:"num_connections"`
-	Port           int
-	Password       string
-	Server         string
-	SSL            bool
-	Username       string
-}
-
-// SigningInfo contains the info used for signing DB4S client certificates
-type SigningInfo struct {
-	CertDaysValid    int    `toml:"cert_days_valid"`
-	Enabled          bool   `toml:"enabled"`
-	IntermediateCert string `toml:"intermediate_cert"`
-	IntermediateKey  string `toml:"intermediate_key"`
-}
-
-// WebInfo contains configuration info for the webUI daemon
-type WebInfo struct {
-	BaseDir              string `toml:"base_dir"`
-	BindAddress          string `toml:"bind_address"`
-	Certificate          string `toml:"certificate"`
-	CertificateKey       string `toml:"certificate_key"`
-	RequestLog           string `toml:"request_log"`
-	ServerName           string `toml:"server_name"`
-	SessionStorePassword string `toml:"session_store_password"`
-}
-
-// End of configuration file types
-// *******************************
-
 type ActivityRow struct {
 	Count  int    `json:"count"`
 	DBName string `json:"dbname"`

docker/config.toml

@@ -21,6 +21,10 @@ smtp2go_key = ""
 [licence]
 licence_dir = "/dbhub.io/default_licences"
 
+[live]
+node_name = ""
+storage_dir = ""
+
 [memcache]
 default_cache_time = 2592000
 server = "localhost:11211"
@@ -33,6 +37,8 @@ secret = "minio123"
 https = false
 
 [mq]
+cert_file = ""
+key_file = ""
 password = "guest"
 port = 5672
 server = "localhost"