From e2c3930ebf6f97c420da85cb11c6e4c36363b232 Mon Sep 17 00:00:00 2001 From: Saharat Date: Thu, 18 Jan 2024 21:33:57 -0800 Subject: [PATCH 1/2] Fixed MongoDB insecureSkipVerify, Added MongoDB tls certificate, ca, key --- README.md | 5 +++- backends/mongo.go | 60 ++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 58 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 2c00cf21..48b4826b 100644 --- a/README.md +++ b/README.md @@ -1275,8 +1275,11 @@ Options for `mongo` are the following: | auth_opt_mongo_users | users | N | User collection | | auth_opt_mongo_acls | acls | N | ACL collection | | auth_opt_mongo_disable_superuser | true | N | Disable query to check for superuser | -| auth_opt_mongo_with_tls | false | N | Connect with TLS | | auth_opt_mongo_insecure_skip_verify | false | N | Verify server's certificate chain | +| auth_opt_mongo_tls | false | N | Connect with TLS | +| auth_opt_mongo_tlsca | "" | N | TLS Certificate Authority (CA) | +| auth_opt_mongo_tlscert | "" | N | TLS Client Certificate | +| auth_opt_mongo_tlskey | "" | N | TLS Client Certificate Private Key | If you experience any problem connecting to a replica set, please refer to [this issue](https://github.com/iegomez/mosquitto-go-auth/issues/32). diff --git a/backends/mongo.go b/backends/mongo.go index cc1f99a8..27d9637c 100644 --- a/backends/mongo.go +++ b/backends/mongo.go @@ -3,9 +3,11 @@ package backends import ( "context" "crypto/tls" + "crypto/x509" "fmt" "strings" "time" + "os" . "github.com/iegomez/mosquitto-go-auth/backends/constants" "github.com/iegomez/mosquitto-go-auth/backends/topics" @@ -30,8 +32,11 @@ type Mongo struct { Conn *mongo.Client disableSuperuser bool hasher hashing.HashComparer - withTLS bool insecureSkipVerify bool + withTLS bool + TLSCa string + TLSCert string + TLSKey string } type MongoAcl struct { 
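Review bot: The new `"os"` import is appended after `"time"`, which breaks the alphabetical order of the stdlib group that the rest of the block follows; `goimports`/`gofmt -s` would place it between `"fmt"` and `"strings"`. The `"crypto/x509"` line is already in the right place, so only the `"os"` line needs to move.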
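Review bot: The three new fields `TLSCa`, `TLSCert` and `TLSKey` are exported while their siblings `withTLS` and `insecureSkipVerify` (and the existing `disableSuperuser`, `hasher`) are unexported, so the struct now exposes part of its TLS configuration to other packages without a doc comment on any of it. Unless another package needs to read them, they should follow the siblings: `tlsCA string`, `tlsCert string`, `tlsKey string`, with a comment such as `// tlsCA, tlsCert and tlsKey are paths to PEM files; the CA is read with os.ReadFile and the pair with tls.LoadX509KeyPair.` (the later hunk shows they are used as paths). Note also the Go initialism form `CA` rather than `Ca`. The `Mongo` struct header is the first line of this hunk, so its other fields are outside the view.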
@@ -60,8 +65,11 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has UsersCollection: "users", AclsCollection: "acls", hasher: hasher, - withTLS: false, insecureSkipVerify: false, + withTLS: false, + TLSCa: "", + TLSCert: "", + TLSKey: "", } if authOpts["mongo_disable_superuser"] == "true" { @@ -100,14 +108,32 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has m.AclsCollection = aclsCollection } - if authOpts["mongo_use_tls"] == "true" { + if authOpts["mongo_insecure_skip_verify"] == "true" { + m.insecureSkipVerify = true + } + + useTlsClientCertificate := false + + if authOpts["mongo_tls"] == "true" { m.withTLS = true } - if authOpts["mongo_insecure_skip_verify"] == "true" { - m.insecureSkipVerify = true + if TLSCa, ok := authOpts["mongo_tlsca"]; ok { + m.TLSCa = TLSCa + useTlsClientCertificate = true } + if TLSCert, ok := authOpts["mongo_tlscert"]; ok { + m.TLSCert = TLSCert + useTlsClientCertificate = true + } + + if TLSKey, ok := authOpts["mongo_tlskey"]; ok { + m.TLSKey = TLSKey + useTlsClientCertificate = true + } + + addr := fmt.Sprintf("mongodb://%s:%s", m.Host, m.Port) to := 60 * time.Second 
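Review bot: The `if TLSCa, ok := authOpts["mongo_tlsca"]; ok {` presence checks (and the two that follow for `mongo_tlscert` and `mongo_tlskey`) set `useTlsClientCertificate = true` even when the option is present with an empty value, which later sends `""` into `os.ReadFile`/`tls.LoadX509KeyPair`; the other options in this function are compared by value, so these should be too: `if v := authOpts["mongo_tlsca"]; v != "" { m.TLSCa = v }`. A single flag also couples the three files together — setting only a custom CA forces the client key pair to be loaded as well — and it conflates "trust this CA" with "authenticate with a client certificate"; the fields themselves (`m.TLSCa != ""`, `m.TLSCert != "" && m.TLSKey != ""`) carry that information, so the flag can be dropped. `NewMongo` starts before this hunk and continues after it.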
@@ -117,7 +143,29 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has } if m.withTLS { - opts.TLSConfig = &tls.Config{} + log.Infof("mongo backend: tls enabled") + opts.TLSConfig = &tls.Config{ + InsecureSkipVerify: m.insecureSkipVerify, + } + if useTlsClientCertificate { + caCert, err := os.ReadFile(m.TLSCa) + if err != nil { + log.Errorf("mongo backend: tls error: %s", err) + } + caCertPool := x509.NewCertPool() + if ok := caCertPool.AppendCertsFromPEM(caCert); !ok { + log.Errorf("mongo backend: tls error: CA file must be in PEM format") + } + cert, err := tls.LoadX509KeyPair(m.TLSCert, m.TLSKey) + if err != nil { + log.Errorf("mongo backend: tls error: %s", err) + } + opts.TLSConfig = &tls.Config{ + RootCAs: caCertPool, + Certificates: []tls.Certificate{cert}, + InsecureSkipVerify: m.insecureSkipVerify, + } + } } opts.ApplyURI(addr) From 17c5f1e37231773cbba31c7ac6be3ed0d0c7ccdd Mon Sep 17 00:00:00 2001 From: Saharat Date: Thu, 25 Jan 2024 15:38:36 -0800 Subject: [PATCH 2/2] fixed log format for MongoDB, and tls config --- README.md | 2 +- backends/mongo.go | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 48b4826b..bf4d725c 100644 --- a/README.md +++ b/README.md @@ -1276,7 +1276,7 @@ Options for `mongo` are the following: | auth_opt_mongo_acls | acls | N | ACL collection | | auth_opt_mongo_disable_superuser | true | N | Disable query to check for superuser | | auth_opt_mongo_insecure_skip_verify | false | N | Verify server's certificate chain | -| auth_opt_mongo_tls | false | N | Connect with TLS | +| auth_opt_mongo_with_tls | false | N | Connect with TLS | | auth_opt_mongo_tlsca | "" | N | TLS Certificate Authority (CA) | | auth_opt_mongo_tlscert | "" | N | TLS Client Certificate | | auth_opt_mongo_tlskey | "" | N | TLS Client Certificate Private Key | diff --git a/backends/mongo.go b/backends/mongo.go index 27d9637c..89574043 100644 --- a/backends/mongo.go 
+++ b/backends/mongo.go @@ -114,7 +114,7 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has useTlsClientCertificate := false - if authOpts["mongo_tls"] == "true" { + if authOpts["mongo_with_tls"] == "true" { m.withTLS = true } @@ -143,23 +143,28 @@ func NewMongo(authOpts map[string]string, logLevel log.Level, hasher hashing.Has } if m.withTLS { - log.Infof("mongo backend: tls enabled") + log.Info("mongo backend: tls enabled") opts.TLSConfig = &tls.Config{ InsecureSkipVerify: m.insecureSkipVerify, } + if useTlsClientCertificate { caCert, err := os.ReadFile(m.TLSCa) + if err != nil { log.Errorf("mongo backend: tls error: %s", err) } + caCertPool := x509.NewCertPool() if ok := caCertPool.AppendCertsFromPEM(caCert); !ok { - log.Errorf("mongo backend: tls error: CA file must be in PEM format") + log.Error("mongo backend: tls error: CA file must be in PEM format") } + cert, err := tls.LoadX509KeyPair(m.TLSCert, m.TLSKey) if err != nil { log.Errorf("mongo backend: tls error: %s", err) } + opts.TLSConfig = &tls.Config{ RootCAs: caCertPool, Certificates: []tls.Certificate{cert},
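Review bot: Renaming the option to `mongo_with_tls` (after the first patch already replaced `mongo_use_tls` with `mongo_tls`) means a deployment that still sets the old key with `true` no longer matches anything, and because `withTLS` defaults to false the backend silently connects without TLS instead of failing. Since the README previously documented `auth_opt_mongo_with_tls` while the code read `mongo_use_tls`, both spellings exist in the wild; accept the old code key for a deprecation period, e.g. `if authOpts["mongo_with_tls"] == "true" || authOpts["mongo_use_tls"] == "true" {`, and log a deprecation warning when only `mongo_use_tls` is present. `NewMongo` starts and ends outside this hunk.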