grafana/pkg/services/sqlstore/tls_mysql.go

package sqlstore

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"

	"github.com/grafana/grafana/pkg/infra/log"
)

var tlslog = log.New("tls_mysql")

func makeCert(config DatabaseConfig) (*tls.Config, error) {
	rootCertPool := x509.NewCertPool()
	pem, err := os.ReadFile(config.CaCertPath)
	if err != nil {
		return nil, fmt.Errorf("could not read DB CA Cert path %q: %w", config.CaCertPath, err)
	}
	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
		return nil, err
	}

	tlsConfig := &tls.Config{
		RootCAs: rootCertPool,
	}
	if config.ClientCertPath != "" && config.ClientKeyPath != "" {
		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			tlslog.Debug("Loading client certificate")
			cert, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
			return &cert, err
		}
	}
	tlsConfig.ServerName = config.ServerCertName
	if config.SslMode == "skip-verify" {
		tlsConfig.InsecureSkipVerify = true
	}
	// Return more meaningful error before it is too late
	if config.ServerCertName == "" && !tlsConfig.InsecureSkipVerify {
		return nil, fmt.Errorf("server_cert_name is missing. Consider using ssl_mode = skip-verify")
	}
	return tlsConfig, nil
}
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`package sqlstore`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"fmt"`
Handle ioutil deprecations (#53526) * replace ioutil.ReadFile -> os.ReadFile * replace ioutil.ReadAll -> io.ReadAll * replace ioutil.TempFile -> os.CreateTemp * replace ioutil.NopCloser -> io.NopCloser * replace ioutil.WriteFile -> os.WriteFile * replace ioutil.TempDir -> os.MkdirTemp * replace ioutil.Discard -> io.Discard 2022-08-10 21:37:51 +08:00			`"os"`
add support for periodically reloading mysql client certs (#14892) 2019-05-16 19:45:23 +08:00
			`"github.com/grafana/grafana/pkg/infra/log"`
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`)`

add support for periodically reloading mysql client certs (#14892) 2019-05-16 19:45:23 +08:00			`var tlslog = log.New("tls_mysql")`

			`func makeCert(config DatabaseConfig) (*tls.Config, error) {`
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`rootCertPool := x509.NewCertPool()`
Handle ioutil deprecations (#53526) * replace ioutil.ReadFile -> os.ReadFile * replace ioutil.ReadAll -> io.ReadAll * replace ioutil.TempFile -> os.CreateTemp * replace ioutil.NopCloser -> io.NopCloser * replace ioutil.WriteFile -> os.WriteFile * replace ioutil.TempDir -> os.MkdirTemp * replace ioutil.Discard -> io.Discard 2022-08-10 21:37:51 +08:00			`pem, err := os.ReadFile(config.CaCertPath)`
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`if err != nil {`
Chore: Fix staticcheck issues (#28854) * Chore: Fix issues reported by staticcheck Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-05 18:57:20 +08:00			`return nil, fmt.Errorf("could not read DB CA Cert path %q: %w", config.CaCertPath, err)`
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`}`
			`if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {`
			`return nil, err`
			`}`

			`tlsConfig := &tls.Config{`
add support for periodically reloading mysql client certs (#14892) 2019-05-16 19:45:23 +08:00			`RootCAs: rootCertPool,`
			`}`
			`if config.ClientCertPath != "" && config.ClientKeyPath != "" {`
			`tlsConfig.GetClientCertificate = func(tls.CertificateRequestInfo) (tls.Certificate, error) {`
			`tlslog.Debug("Loading client certificate")`
			`cert, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)`
			`return &cert, err`
			`}`
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`}`
			`tlsConfig.ServerName = config.ServerCertName`
			`if config.SslMode == "skip-verify" {`
			`tlsConfig.InsecureSkipVerify = true`
			`}`
			`// Return more meaningful error before it is too late`
gofmt 2015-12-22 21:10:34 +08:00			`if config.ServerCertName == "" && !tlsConfig.InsecureSkipVerify {`
Chore: a bit of spring cleaning (#16710) * Chore: use early return technic everywhere And enable "indent-error-flow" revive rule * Chore: remove if-return rule from revive config * Chore: improve error messages And enable "error-strings" revive rule * Chore: enable "error-naming" revive rule * Chore: make linter happy * Chore: do not duplicate gofmt execution * Chore: make linter happy * Chore: address the pull review comments 2019-04-23 16:24:47 +08:00			`return nil, fmt.Errorf("server_cert_name is missing. Consider using ssl_mode = skip-verify")`
Add TLS for mysql Use ssl_mode for mysql and add docs add docs for the new parameters in config Tolerate ssl_mode without client authentication Client cert is not necessary for a SSL connection. So we tolerate failure if client cert is not provided. Improve error message if missing server_cert_name and mode is not skip-verify. 2015-11-25 00:17:21 +08:00			`}`
			`return tlsConfig, nil`
			`}`