api/adapter/tls_config.go

package adapter

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"os"

	"github.com/apache/pulsar-client-go/pulsar"
	"github.com/apache/pulsar-client-go/pulsar/auth"

	"go.yandata.net/iod/iod/trustlog-sdk/api/logger"
)

// tlsConfigProvider defines the interface for TLS configuration.
type tlsConfigProvider interface {
	GetTLSTrustCertsFilePath() string
	GetTLSCertificateFilePath() string
	GetTLSKeyFilePath() string
	GetTLSAllowInsecureConnection() bool
}

// configureTLSForClient configures TLS/mTLS settings for the Pulsar client.
func configureTLSForClient(opts *pulsar.ClientOptions, config tlsConfigProvider, logger logger.Logger) error {
	// If no TLS configuration is provided, skip TLS setup
	if config.GetTLSTrustCertsFilePath() == "" &&
		config.GetTLSCertificateFilePath() == "" &&
		config.GetTLSKeyFilePath() == "" {
		return nil
	}

	// Configure TLS trust certificates
	if config.GetTLSTrustCertsFilePath() != "" {
		if _, err := os.ReadFile(config.GetTLSTrustCertsFilePath()); err != nil {
			return errors.Join(err, errors.New("failed to read TLS trust certificates file"))
		}
		opts.TLSTrustCertsFilePath = config.GetTLSTrustCertsFilePath()
		logger.Debug(
			"TLS trust certificates configured",
			"path", config.GetTLSTrustCertsFilePath(),
		)
	}

	// Configure TLS allow insecure connection
	opts.TLSAllowInsecureConnection = config.GetTLSAllowInsecureConnection()

	// Configure mTLS authentication if both certificate and key are provided
	if config.GetTLSCertificateFilePath() != "" && config.GetTLSKeyFilePath() != "" {
		// Load client certificate and key
		cert, err := tls.LoadX509KeyPair(
			config.GetTLSCertificateFilePath(),
			config.GetTLSKeyFilePath(),
		)
		if err != nil {
			return errors.Join(err, errors.New("failed to load client certificate and key"))
		}

		// Create TLS authentication provider
		// Pulsar Go client uses auth.NewAuthenticationTLS with certificate and key file paths
		tlsAuth := auth.NewAuthenticationTLS(
			config.GetTLSCertificateFilePath(),
			config.GetTLSKeyFilePath(),
		)

		opts.Authentication = tlsAuth
		logger.Debug(
			"mTLS authentication configured",
			"cert", config.GetTLSCertificateFilePath(),
			"key", config.GetTLSKeyFilePath(),
		)

		// Verify the certificate is valid
		if _, parseErr := x509.ParseCertificate(cert.Certificate[0]); parseErr != nil {
			return errors.Join(parseErr, errors.New("invalid client certificate"))
		}
	} else if config.GetTLSCertificateFilePath() != "" || config.GetTLSKeyFilePath() != "" {
		return errors.New(
			"both TLS certificate and key file paths must be provided for mTLS authentication",
		)
	}

	return nil
}

// GetTLSTrustCertsFilePath returns the TLS trust certificates file path for PublisherConfig.
func (c PublisherConfig) GetTLSTrustCertsFilePath() string {
	return c.TLSTrustCertsFilePath
}

// GetTLSCertificateFilePath returns the TLS certificate file path for PublisherConfig.
func (c PublisherConfig) GetTLSCertificateFilePath() string {
	return c.TLSCertificateFilePath
}

// GetTLSKeyFilePath returns the TLS key file path for PublisherConfig.
func (c PublisherConfig) GetTLSKeyFilePath() string {
	return c.TLSKeyFilePath
}

// GetTLSAllowInsecureConnection returns whether to allow insecure TLS connections for PublisherConfig.
func (c PublisherConfig) GetTLSAllowInsecureConnection() bool {
	return c.TLSAllowInsecureConnection
}

// GetTLSTrustCertsFilePath returns the TLS trust certificates file path for SubscriberConfig.
func (c SubscriberConfig) GetTLSTrustCertsFilePath() string {
	return c.TLSTrustCertsFilePath
}

// GetTLSCertificateFilePath returns the TLS certificate file path for SubscriberConfig.
func (c SubscriberConfig) GetTLSCertificateFilePath() string {
	return c.TLSCertificateFilePath
}

// GetTLSKeyFilePath returns the TLS key file path for SubscriberConfig.
func (c SubscriberConfig) GetTLSKeyFilePath() string {
	return c.TLSKeyFilePath
}

// GetTLSAllowInsecureConnection returns whether to allow insecure TLS connections for SubscriberConfig.
func (c SubscriberConfig) GetTLSAllowInsecureConnection() bool {
	return c.TLSAllowInsecureConnection
}
refactor: 重构trustlog-sdk目录结构到trustlog/go-trustlog - 将所有trustlog-sdk文件移动到trustlog/go-trustlog/目录 - 更新README中所有import路径从trustlog-sdk改为go-trustlog - 更新cookiecutter配置文件中的项目名称 - 更新根目录.lefthook.yml以引用新位置的配置 - 添加go.sum文件到版本控制 - 删除过时的示例文件这次重构与trustlog-server保持一致的目录结构，为未来支持多语言SDK（Python、Java等）预留空间。 2025-12-22 13:37:57 +08:00			`package adapter`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"errors"`
			`"os"`

			`"github.com/apache/pulsar-client-go/pulsar"`
			`"github.com/apache/pulsar-client-go/pulsar/auth"`

			`"go.yandata.net/iod/iod/trustlog-sdk/api/logger"`
			`)`

			`// tlsConfigProvider defines the interface for TLS configuration.`
			`type tlsConfigProvider interface {`
			`GetTLSTrustCertsFilePath() string`
			`GetTLSCertificateFilePath() string`
			`GetTLSKeyFilePath() string`
			`GetTLSAllowInsecureConnection() bool`
			`}`

			`// configureTLSForClient configures TLS/mTLS settings for the Pulsar client.`
			`func configureTLSForClient(opts *pulsar.ClientOptions, config tlsConfigProvider, logger logger.Logger) error {`
			`// If no TLS configuration is provided, skip TLS setup`
			`if config.GetTLSTrustCertsFilePath() == "" &&`
			`config.GetTLSCertificateFilePath() == "" &&`
			`config.GetTLSKeyFilePath() == "" {`
			`return nil`
			`}`

			`// Configure TLS trust certificates`
			`if config.GetTLSTrustCertsFilePath() != "" {`
			`if _, err := os.ReadFile(config.GetTLSTrustCertsFilePath()); err != nil {`
			`return errors.Join(err, errors.New("failed to read TLS trust certificates file"))`
			`}`
			`opts.TLSTrustCertsFilePath = config.GetTLSTrustCertsFilePath()`
			`logger.Debug(`
			`"TLS trust certificates configured",`
			`"path", config.GetTLSTrustCertsFilePath(),`
			`)`
			`}`

			`// Configure TLS allow insecure connection`
			`opts.TLSAllowInsecureConnection = config.GetTLSAllowInsecureConnection()`

			`// Configure mTLS authentication if both certificate and key are provided`
			`if config.GetTLSCertificateFilePath() != "" && config.GetTLSKeyFilePath() != "" {`
			`// Load client certificate and key`
			`cert, err := tls.LoadX509KeyPair(`
			`config.GetTLSCertificateFilePath(),`
			`config.GetTLSKeyFilePath(),`
			`)`
			`if err != nil {`
			`return errors.Join(err, errors.New("failed to load client certificate and key"))`
			`}`

			`// Create TLS authentication provider`
			`// Pulsar Go client uses auth.NewAuthenticationTLS with certificate and key file paths`
			`tlsAuth := auth.NewAuthenticationTLS(`
			`config.GetTLSCertificateFilePath(),`
			`config.GetTLSKeyFilePath(),`
			`)`

			`opts.Authentication = tlsAuth`
			`logger.Debug(`
			`"mTLS authentication configured",`
			`"cert", config.GetTLSCertificateFilePath(),`
			`"key", config.GetTLSKeyFilePath(),`
			`)`

			`// Verify the certificate is valid`
			`if _, parseErr := x509.ParseCertificate(cert.Certificate[0]); parseErr != nil {`
			`return errors.Join(parseErr, errors.New("invalid client certificate"))`
			`}`
			`} else if config.GetTLSCertificateFilePath() != "" \|\| config.GetTLSKeyFilePath() != "" {`
			`return errors.New(`
			`"both TLS certificate and key file paths must be provided for mTLS authentication",`
			`)`
			`}`

			`return nil`
			`}`

			`// GetTLSTrustCertsFilePath returns the TLS trust certificates file path for PublisherConfig.`
			`func (c PublisherConfig) GetTLSTrustCertsFilePath() string {`
			`return c.TLSTrustCertsFilePath`
			`}`

			`// GetTLSCertificateFilePath returns the TLS certificate file path for PublisherConfig.`
			`func (c PublisherConfig) GetTLSCertificateFilePath() string {`
			`return c.TLSCertificateFilePath`
			`}`

			`// GetTLSKeyFilePath returns the TLS key file path for PublisherConfig.`
			`func (c PublisherConfig) GetTLSKeyFilePath() string {`
			`return c.TLSKeyFilePath`
			`}`

			`// GetTLSAllowInsecureConnection returns whether to allow insecure TLS connections for PublisherConfig.`
			`func (c PublisherConfig) GetTLSAllowInsecureConnection() bool {`
			`return c.TLSAllowInsecureConnection`
			`}`

			`// GetTLSTrustCertsFilePath returns the TLS trust certificates file path for SubscriberConfig.`
			`func (c SubscriberConfig) GetTLSTrustCertsFilePath() string {`
			`return c.TLSTrustCertsFilePath`
			`}`

			`// GetTLSCertificateFilePath returns the TLS certificate file path for SubscriberConfig.`
			`func (c SubscriberConfig) GetTLSCertificateFilePath() string {`
			`return c.TLSCertificateFilePath`
			`}`

			`// GetTLSKeyFilePath returns the TLS key file path for SubscriberConfig.`
			`func (c SubscriberConfig) GetTLSKeyFilePath() string {`
			`return c.TLSKeyFilePath`
			`}`

			`// GetTLSAllowInsecureConnection returns whether to allow insecure TLS connections for SubscriberConfig.`
			`func (c SubscriberConfig) GetTLSAllowInsecureConnection() bool {`
			`return c.TLSAllowInsecureConnection`
			`}`