lidavidm commented on code in PR #381:
URL: https://github.com/apache/arrow-adbc/pull/381#discussion_r1085734621
##########
go/adbc/driver/flightsql/flightsql_adbc.go:
##########
@@ -116,47 +122,81 @@ type database struct {
}
func (d *database) SetOptions(cnOptions map[string]string) error {
- if d.uri.Scheme == "grpc+tls" {
- d.creds = credentials.NewTLS(&tls.Config{})
- } else {
- d.creds = insecure.NewCredentials()
- }
+ var tlsConfig tls.Config
- if val, ok := cnOptions[OptionSSLSkipVerify]; ok && val ==
adbc.OptionValueEnabled {
- if d.uri.Scheme != "grpc+tls" {
+ mtlsCert := cnOptions[OptionMTLSCertChain]
+ mtlsKey := cnOptions[OptionMTLSPrivateKey]
+ if mtlsCert != "" && mtlsKey != "" {
+ cert, err := tls.X509KeyPair([]byte(mtlsCert), []byte(mtlsKey))
+ if err != nil {
return adbc.Error{
- Msg: "Connection is not TLS-enabled",
+ Msg: fmt.Sprintf("Invalid mTLS certificate:
%#v", err),
Code: adbc.StatusInvalidArgument,
}
}
- d.creds = credentials.NewTLS(&tls.Config{InsecureSkipVerify:
true})
+ tlsConfig.Certificates = []tls.Certificate{cert}
+ delete(cnOptions, OptionMTLSCertChain)
+ delete(cnOptions, OptionMTLSPrivateKey)
+ } else if mtlsCert != "" {
+ return adbc.Error{
+ Msg: fmt.Sprintf("Must provide both '%s' and '%s',
only provided '%s'", OptionMTLSCertChain, OptionMTLSPrivateKey,
OptionMTLSCertChain),
+ Code: adbc.StatusInvalidArgument,
+ }
+ } else if mtlsKey != "" {
+ return adbc.Error{
+ Msg: fmt.Sprintf("Must provide both '%s' and '%s',
only provided '%s'", OptionMTLSCertChain, OptionMTLSPrivateKey,
OptionMTLSPrivateKey),
+ Code: adbc.StatusInvalidArgument,
+ }
+ }
+
+ if hostname, ok := cnOptions[OptionSSLOverrideHostname]; ok {
+ tlsConfig.ServerName = hostname
+ delete(cnOptions, OptionSSLOverrideHostname)
}
- // option specified path to certificate file
- if cert, ok := cnOptions[OptionSSLCertFile]; ok {
- if d.uri.Scheme != "grpc+tls" {
+ if val, ok := cnOptions[OptionSSLSkipVerify]; ok {
+ if val == adbc.OptionValueEnabled {
+ tlsConfig.InsecureSkipVerify = true
+ } else if val == adbc.OptionValueDisabled {
+ tlsConfig.InsecureSkipVerify = false
+ } else {
return adbc.Error{
- Msg: "Connection is not TLS-enabled",
+ Msg: fmt.Sprintf("Invalid value for database
option '%s': '%s'", OptionSSLSkipVerify, val),
Code: adbc.StatusInvalidArgument,
}
}
+ delete(cnOptions, OptionSSLSkipVerify)
+ }
- c, err := credentials.NewClientTLSFromFile(cert, "")
- if err != nil {
+ if cert, ok := cnOptions[OptionSSLRootCerts]; ok {
+ cp := x509.NewCertPool()
+ if !cp.AppendCertsFromPEM([]byte(cert)) {
return adbc.Error{
- Msg: "invalid SSL certificate passed",
+ Msg: fmt.Sprintf("Invalid value for database
option '%s': failed to append certificates", OptionSSLRootCerts),
Code: adbc.StatusInvalidArgument,
}
}
- d.creds = c
+ tlsConfig.RootCAs = cp
+ delete(cnOptions, OptionSSLRootCerts)
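Review bot: The `d.uri.Scheme != "grpc+tls"` guard that the removed lines applied before honouring OptionSSLSkipVerify and the certificate option is gone from the new code, so a `grpc://` URI now accepts skip-verify, root-cert, mTLS and hostname-override settings without complaint; unless the remainder of SetOptions (the function continues past this hunk) re-checks the scheme before `tlsConfig` is turned into `d.creds`, these options would be silently ignored on a plaintext connection rather than rejected as before. A flag set whenever one of the four TLS options is consumed, checked once afterwards, would keep the old behaviour: `if tlsConfigured && d.uri.Scheme != "grpc+tls" { return adbc.Error{Msg: "Connection is not TLS-enabled", Code: adbc.StatusInvalidArgument} }`. Separately, the mTLS branch formats its error with `fmt.Sprintf("Invalid mTLS certificate: %#v", err)`, which prints the Go-syntax representation of the error value rather than its message; `%v` would match the readable messages the other branches produce.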
Review Comment:
I changed the option to take the contents, not the filename, so the former
is out, and the latter still requires you to build the cert pool yourself.
Also, I want these options to apply cumulatively, so NewFoo makes it hard
because then we would have to carefully order how we process options.