Make gosec linter pass

conduitio-labs · Feb 14, 2024 · ec845f5 · ec845f5
1 parent 4d82cdc
commit ec845f5
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -14,22 +14,36 @@ The source connector extracts data from RabbitMQ and sends it to downstream syst
 
 ### Configuration Parameters
 
-| Name        | Description                                             | Required | Default Value |
-|-------------|---------------------------------------------------------|----------|---------------|
-| `url`       | The RabbitMQ server's URL.                              | Yes      |               |
-| `queueName` | The name of the RabbitMQ queue to consume messages from.| Yes      |               |
+| Name                   | Description                                                  | Required | Default Value |
+|------------------------|--------------------------------------------------------------|----------|---------------|
+| `url`                  | The RabbitMQ server's URL.                                   | Yes      |               |
+| `queueName`            | The name of the RabbitMQ queue to consume messages from.     | Yes      |               |
+| `clientCert`           | Path to the client certificate for TLS.                      | No       |               |
+| `clientKey`            | Path to the client's key for TLS.                            | No       |               |
+| `caCert`               | Path to the CA (Certificate Authority) certificate for TLS.  | No       |               |
+
 
 ## Destination Connector
 The destination connector sends data from upstream systems to RabbitMQ via Conduit.
 
 ### Configuration Parameters
 
-| Name           | Description                                                          | Required | Default Value |
-|----------------|----------------------------------------------------------------------|----------|---------------|
-| `url`          | The RabbitMQ server's URL.                                           | Yes      |               |
-| `queueName`    | The name of the RabbitMQ queue where messages will be published to.  | Yes      |               |
-| `exchangeName` | The name of the exchange to publish to                               | No       |               |
-| `exchangeType` | The type of the exchange to publish to                               | No       |               |
-| `routingKey`   | The routing key to use when publishing to an exchange                | No       |               |
-| `contentType`  | The MIME content type of the messages written to RabbitMQ.           | No       | `text/plain`  |
+| Name                   | Description                                                     | Required | Default Value |
+|------------------------|-----------------------------------------------------------------|----------|---------------|
+| `url`                  | The RabbitMQ server's URL.                                      | Yes      |               |
+| `queueName`            | The name of the RabbitMQ queue where messages will be published to.| Yes   |               |
+| `clientCert`           | Path to the client certificate for TLS.                         | No       |               |
+| `clientKey`            | Path to the client's key for TLS.                               | No       |               |
+| `caCert`               | Path to the CA (Certificate Authority) certificate for TLS.     | No       |               |
+| `tlsInsecureSkipVerify`| Skip TLS verification.                                          | No       |               |
+| `contentType`          | The MIME content type of the messages written to RabbitMQ.      | No       | `text/plain`  |
+| `exchangeName`         | The name of the exchange to publish to.                         | No       |               |
+| `exchangeType`         | The type of the exchange to publish to.                         | No       | `direct`      |
+| `routingKey`           | The routing key to use when publishing to an exchange.          | No       |               |
+
+
+## TLS setup
+
+Keep in mind that 
+
 
diff --git a/acceptance_test.go b/acceptance_test.go
@@ -60,12 +60,11 @@ func TestAcceptance_TLS(t *testing.T) {
 	is := is.New(t)
 
 	sharedCfg := Config{
-		URL:                   testURLTLS,
-		QueueName:             "test-queue",
-		ClientCert:            "./test/client.cert.pem",
-		ClientKey:             "./test/client.key.pem",
-		CACert:                "./test/ca.cert.pem",
-		TLSInsecureSkipVerify: true,
+		URL:        testURLTLS,
+		QueueName:  "test-queue",
+		ClientCert: "./test/client.cert.pem",
+		ClientKey:  "./test/client.key.pem",
+		CACert:     "./test/ca.cert.pem",
 	}
 	cfg := cfgToMap(sharedCfg)
 	ctx := context.Background()

diff --git a/config.go b/config.go
@@ -30,11 +30,11 @@ type Config struct {
 	// QueueName is the name of the queue to consume from / publish to
 	QueueName string `json:"queueName" validate:"required"`
 
+	// ClientCert, ClientKey, and CACert are the paths to the client certificate,
+	// client key, and CA certificate to use for TLS
 	ClientCert string `json:"clientCert"`
 	ClientKey  string `json:"clientKey"`
 	CACert     string `json:"caCert"`
-
-	TLSInsecureSkipVerify bool `json:"tlsInsecureSkipVerify"`
 }
 
 type SourceConfig struct {

diff --git a/utils.go b/utils.go
@@ -108,9 +108,18 @@ func parseTLSConfig(ctx context.Context, cfg Config) (*tls.Config, error) {
 	caCertPool.AppendCertsFromPEM(caCert)
 
 	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		MaxVersion: tls.VersionTLS13,
+
 		Certificates:       []tls.Certificate{cert},
 		RootCAs:            caCertPool,
-		InsecureSkipVerify: cfg.TLSInsecureSkipVerify,
+		InsecureSkipVerify: false,
+	}
+
+	// version will be overwritten at compile time when building a release,
+	// so this should only be true when running in development mode.
+	if version == "(devel)" {
+		tlsConfig.InsecureSkipVerify = true
 	}
 
 	return tlsConfig, nil