diff --git a/README.md b/README.md index 97a2fb4..e6c66c5 100644 --- a/README.md +++ b/README.md @@ -283,11 +283,16 @@ Required fields: - `mode`: This needs to be set to `TLS-1way` +Optional fields: + + - `ca-certificate`: Path to your CA certificate + + Example: { - "mode": "TLS-1way", + "mode": "TLS-1way" } ### Other modes diff --git a/common.go b/common.go index d8fa054..9767dfa 100644 --- a/common.go +++ b/common.go @@ -9,6 +9,7 @@ import ( "io/ioutil" "math/rand" "os" + "path/filepath" "regexp" "strings" "syscall" @@ -238,6 +239,26 @@ func setupSASL(auth authConfig, saramaCfg *sarama.Config) error { func setupAuthTLS1Way(auth authConfig, saramaCfg *sarama.Config) error { saramaCfg.Net.TLS.Enable = true saramaCfg.Net.TLS.Config = &tls.Config{} + + if auth.CACert == "" { + return nil + } + + caString, err := ioutil.ReadFile(auth.CACert) + if err != nil { + return fmt.Errorf("failed to read ca-certificate err=%v", err) + } + + caPool := x509.NewCertPool() + ok := caPool.AppendCertsFromPEM(caString) + if !ok { + failf("unable to add ca-certificate at %s to certificate pool", auth.CACert) + } + + tlsCfg := &tls.Config{RootCAs: caPool} + tlsCfg.BuildNameToCertificate() + + saramaCfg.Net.TLS.Config = tlsCfg return nil } @@ -271,6 +292,12 @@ func setupAuthTLS(auth authConfig, saramaCfg *sarama.Config) error { return nil } +func qualifyPath(argFN string, target *string) { + if *target != "" && !filepath.IsAbs(*target) { + *target = filepath.Join(filepath.Dir(argFN), *target) + } +} + func readAuthFile(argFN string, envFN string, target *authConfig) { if argFN == "" && envFN == "" { return @@ -289,4 +316,8 @@ func readAuthFile(argFN string, envFN string, target *authConfig) { if err := json.Unmarshal(byts, target); err != nil { failf("failed to unmarshal auth file err=%v", err) } + + qualifyPath(fn, &target.CACert) + qualifyPath(fn, &target.ClientCert) + qualifyPath(fn, &target.ClientCertKey) } diff --git a/group.go b/group.go index 79fba43..fa6c930 100644 --- a/group.go +++ b/group.go @@ -323,7 +323,9 @@ func (cmd *groupCmd) saramaConfig() *sarama.Config { cfg.ClientID = "kt-group-" + sanitizeUsername(usr.Username) cmd.infof("sarama client configuration %#v\n", cfg) - setupAuth(cmd.auth, cfg) + if err = setupAuth(cmd.auth, cfg); err != nil { + failf("failed to setup auth err=%v", err) + } return cfg } diff --git a/topic.go b/topic.go index 26ccfcf..5c87397 100644 --- a/topic.go +++ b/topic.go @@ -147,7 +147,9 @@ func (cmd *topicCmd) connect() { cfg.ClientID = "kt-topic-" + sanitizeUsername(usr.Username) cmd.infof("sarama client configuration %#v\n", cfg) - setupAuth(cmd.auth, cfg) + if err = setupAuth(cmd.auth, cfg); err != nil { + failf("failed to setup auth err=%v", err) + } if cmd.client, err = sarama.NewClient(cmd.brokers, cfg); err != nil { failf("failed to create client err=%v", err)