Description
I noticed that mongodb supports certificate authentication for clients. It would be nice to support this in lectern.
This would give a convenient (for those who are comfortable managing tls certificate chains anyways), secure, standard, portable way of managing mongodb client credentials.
Detailed Description
The native mongodb node client supports authenticating with tls certificates:
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
http://mongodb.github.io/node-mongodb-native/3.1/tutorials/connect/ssl/
From what I can tell in the code, certificate authentication doesn't appear to be supported in lectern:
https://github.com/overture-stack/lectern/blob/develop/src/config/appConfig.ts#L59
Possible Implementation
Given that mongoose (which I believe you are using) is just an odm abstraction layer on top of the native mongodb client, it stands to reason that it should be supportable.
I'm looking at the doc here and it says you can pass extra options directly to the mongodb native driver: https://mongoosejs.com/docs/connections.html#connection-string-options
You'd want to:
- Support the following TLS method & environment variables (here: https://github.com/overture-stack/lectern/blob/develop/src/config/appConfig.ts#L59): mongoTlsCa() -> MONGO_TLS_CA, mongoTlsKey() -> MONGO_TLS_KEY, mongoTlsCert() -> MONGO_TLS_CERT. Here, it would be reasonable (I think) to make the environment variables be the path to a file and return the content of the files in the methods (caching may be nice, though realistically, I believe this will only be called when the container launches)
- I don't know much about Typescript, but not defining username and password would have to be supported, so you might need to return the empty string in the following methods when the environment variable is undefined if returning undefined causes a problem:
- In the constructMongodbUri (here: https://github.com/overture-stack/lectern/blob/develop/src/utils/mongo.ts#L25), refrain from passing the user and password to the connection string if they are not defined (either undefined or the empty string)
- In the constructMongodbUri, pass a "ssl=true" and "authMechanism=MONGODB-X509" if the mongoTlsCert() method returns something
- If defined, you would need to map the tls methods to properties (here: https://github.com/overture-stack/lectern/blob/develop/src/server.ts#L64) as follows:
  - sslValidate (true if mongoTlsCert() returns something)
  - sslCA (defined by mongoTlsCa() if it returns something)
  - sslKey (defined by mongoTlsKey() if it returns something)
  - sslCert (defined by mongoTlsCert() if it returns something)
I don't know all the nooks and crannies in your codebase, but I believe that's about it.
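The steps above, sketched as an added TypeScript example (not code from lectern or from the issue author): the env shape, the host/db variables and the function names other than the three MONGO_TLS_* variables are assumptions, and the sslValidate/sslCA/sslKey/sslCert option names are simply the ones the issue proposes for the driver options object.

```typescript
import { readFileSync } from "fs";

// Hypothetical env shape; the MONGO_TLS_* names follow the issue, the rest are assumed.
interface MongoEnv {
  MONGO_HOST?: string;
  MONGO_DB?: string;
  MONGO_USER?: string;
  MONGO_PASS?: string;
  MONGO_TLS_CA?: string;   // path to a PEM file
  MONGO_TLS_KEY?: string;  // path to a PEM file
  MONGO_TLS_CERT?: string; // path to a PEM file
}

// The env variable holds a path; return the file content, or undefined when unset or empty.
// No caching needed: this runs once when the container launches.
function readPem(path?: string): string | undefined {
  return path ? readFileSync(path, "utf8") : undefined;
}

// Build the connection string. Username/password are omitted unless both are set and
// non-empty; a client certificate switches the auth mechanism to MONGODB-X509.
function constructMongodbUri(env: MongoEnv, tlsCert?: string): string {
  const host = env.MONGO_HOST ?? "localhost:27017";
  const db = env.MONGO_DB ?? "lectern";
  const creds = env.MONGO_USER && env.MONGO_PASS
    ? `${encodeURIComponent(env.MONGO_USER)}:${encodeURIComponent(env.MONGO_PASS)}@`
    : "";
  const params = tlsCert ? "?ssl=true&authMechanism=MONGODB-X509" : "";
  return `mongodb://${creds}${host}/${db}${params}`;
}

// Driver options to pass alongside the URI; each key is only set when its material exists,
// and validation is forced on whenever a client certificate is presented.
function tlsDriverOptions(ca?: string, key?: string, cert?: string): Record<string, unknown> {
  const opts: Record<string, unknown> = {};
  if (cert) {
    opts.sslValidate = true;
    opts.sslCert = cert;
  }
  if (ca) opts.sslCA = ca;
  if (key) opts.sslKey = key;
  return opts;
}

// Wiring it together, as the server would at startup (env values read from process.env).
function buildConnection(env: MongoEnv): { uri: string; options: Record<string, unknown> } {
  const [ca, key, cert] = [env.MONGO_TLS_CA, env.MONGO_TLS_KEY, env.MONGO_TLS_CERT].map(readPem);
  return { uri: constructMongodbUri(env, cert), options: tlsDriverOptions(ca, key, cert) };
}
```

The resulting pair is what would be handed to mongoose.connect(uri, options); with no MONGO_TLS_CERT set, the options object stays empty and the URI keeps its current form.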