// Copyright (C) MongoDB, Inc. 2017-present.
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License. You may obtain
// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

package options

import (
	"crypto/tls"
	"fmt"
	"net/http"

	"go.mongodb.org/mongo-driver/internal"
)

// ClientEncryptionOptions represents all possible options used to configure a ClientEncryption instance.
type ClientEncryptionOptions struct {
	// KeyVaultNamespace is the namespace of the key vault collection. Required.
	KeyVaultNamespace string
	// KmsProviders maps each KMS provider name to that provider's options. Required.
	KmsProviders map[string]map[string]interface{}
	// TLSConfig maps a KMS provider name to the tls.Config used for every connection to that provider.
	TLSConfig map[string]*tls.Config
	// HTTPClient is the client used for outbound HTTP requests; ClientEncryption() initialises it to
	// internal.DefaultHTTPClient.
	HTTPClient *http.Client
}

// ClientEncryption creates a new ClientEncryptionOptions instance with HTTPClient set to the
// driver's default client and every other field left at its zero value.
func ClientEncryption() *ClientEncryptionOptions {
	opts := new(ClientEncryptionOptions)
	opts.HTTPClient = internal.DefaultHTTPClient
	return opts
}

// SetKeyVaultNamespace specifies the namespace of the key vault collection. This is required.
// It returns the receiver so calls can be chained.
func (c *ClientEncryptionOptions) SetKeyVaultNamespace(ns string) *ClientEncryptionOptions {
	c.KeyVaultNamespace = ns
	return c
}

// SetKmsProviders specifies options for KMS providers. This is required.
// The map is stored as given (not copied); it returns the receiver so calls can be chained.
func (c *ClientEncryptionOptions) SetKmsProviders(providers map[string]map[string]interface{}) *ClientEncryptionOptions {
	c.KmsProviders = providers
	return c
}

// SetTLSConfig specifies tls.Config instances for each KMS provider to use to configure TLS on all connections created
// to the KMS provider. A config whose MinVersion is unset (0) is updated in place to tls.VersionTLS12, so the
// caller's tls.Config value is modified.
//
// This should only be used to set custom TLS configurations. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.
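func (c *ClientEncryptionOptions) SetTLSConfig(tlsOpts map[string]*tls.Config) *ClientEncryptionOptions {
	tlsConfigs := make(map[string]*tls.Config, len(tlsOpts))
	for provider, config := range tlsOpts {
		// A nil entry would otherwise dereference below; substitute the documented default
		// (an empty tls.Config with MinVersion TLS 1.2) instead of panicking.
		if config == nil {
			config = &tls.Config{MinVersion: tls.VersionTLS12}
		}
		// use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites.
		// This writes through the caller's pointer, so the caller's tls.Config is modified in place.
		if config.MinVersion == 0 {
			config.MinVersion = tls.VersionTLS12
		}
		tlsConfigs[provider] = config
	}
	// Always install a fresh, non-nil map so later changes to tlsOpts do not affect c.
	c.TLSConfig = tlsConfigs
	return c
}

// BuildTLSConfig specifies tls.Config options for each KMS provider to use to configure TLS on all connections created
// to the KMS provider. The input map should contain a mapping from each KMS provider to a document containing the necessary
// options, as follows:
//
//	{
//		"kmip": {
//			"tlsCertificateKeyFile": "foo.pem",
//			"tlsCAFile": "fooCA.pem"
//		}
//	}
//
// Option names are matched exactly (case-sensitively). Currently, the following TLS options are supported:
//
// 1. "tlsCertificateKeyFile" (or "sslClientCertificateKeyFile"): The "tlsCertificateKeyFile" option specifies a path to
// the client certificate and private key, which must be concatenated into one file.
//
// 2. "tlsCertificateKeyFilePassword" (or "sslClientCertificateKeyPassword"): Specify the password to decrypt the client
// private key file (e.g. "tlsCertificateKeyFilePassword=password"). This option is only consulted when a key file is
// also given.
//
// 3. "tlsCAFile" (or "sslCertificateAuthorityFile"): Specify the path to a single or bundle of certificate authorities
// to be considered trusted when making a TLS connection (e.g. "tlsCAFile=/path/to/caFile").
//
// Any other option name, or a non-string value for a recognised option, results in an error.
//
// This should only be used to set custom TLS options. By default, the connection will use an empty tls.Config{} with MinVersion set to tls.VersionTLS12.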
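func BuildTLSConfig(tlsOpts map[string]interface{}) (*tls.Config, error) {
	// use TLS min version 1.2 to enforce more secure hash algorithms and advanced cipher suites
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}

	for name, value := range tlsOpts {
		var err error
		switch name {
		case "tlsCertificateKeyFile", "sslClientCertificateKeyFile":
			clientCertPath, ok := value.(string)
			if !ok {
				return nil, fmt.Errorf("expected %q value to be of type string, got %T", name, value)
			}
			// The key password (if any) lives under a sibling key; a present-but-malformed
			// password is reported rather than silently treated as "no password".
			keyPwd, pwdErr := clientKeyFilePassword(tlsOpts)
			if pwdErr != nil {
				return nil, pwdErr
			}
			_, err = addClientCertFromConcatenatedFile(cfg, clientCertPath, keyPwd)
		case "tlsCertificateKeyFilePassword", "sslClientCertificateKeyPassword":
			// Consumed (and validated) while handling the key file option above.
			continue
		case "tlsCAFile", "sslCertificateAuthorityFile":
			caPath, ok := value.(string)
			if !ok {
				return nil, fmt.Errorf("expected %q value to be of type string, got %T", name, value)
			}
			err = addCACertFromFile(cfg, caPath)
		default:
			return nil, fmt.Errorf("unrecognized TLS option %v", name)
		}

		if err != nil {
			return nil, err
		}
	}

	return cfg, nil
}

// clientKeyFilePassword returns the client private key password found in tlsOpts, or "" when
// neither password option is present. "tlsCertificateKeyFilePassword" takes precedence over
// "sslClientCertificateKeyPassword". A password option that is present but not a string is an error.
func clientKeyFilePassword(tlsOpts map[string]interface{}) (string, error) {
	for _, key := range []string{"tlsCertificateKeyFilePassword", "sslClientCertificateKeyPassword"} {
		value, present := tlsOpts[key]
		if !present {
			continue
		}
		pwd, ok := value.(string)
		if !ok {
			return "", fmt.Errorf("expected %q value to be of type string, got %T", key, value)
		}
		return pwd, nil
	}
	return "", nil
}

// MergeClientEncryptionOptions combines the argued ClientEncryptionOptions in a last-one wins fashion.
//
// Deprecated: Merging options structs will not be supported in Go Driver 2.0. Users should create a
// single options struct instead.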
func MergeClientEncryptionOptions(opts ...*ClientEncryptionOptions) *ClientEncryptionOptions {
	merged := ClientEncryption()
	for _, opt := range opts {
		if opt == nil {
			continue
		}
		// Every non-zero field of a later option overrides whatever was accumulated so far;
		// maps and the HTTP client are taken by reference, not copied.
		if ns := opt.KeyVaultNamespace; ns != "" {
			merged.KeyVaultNamespace = ns
		}
		if providers := opt.KmsProviders; providers != nil {
			merged.KmsProviders = providers
		}
		if tlsCfg := opt.TLSConfig; tlsCfg != nil {
			merged.TLSConfig = tlsCfg
		}
		if client := opt.HTTPClient; client != nil {
			merged.HTTPClient = client
		}
	}
	return merged
}