From fd0712398d14baf54f8773b4f22b297d54be30e4 Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Fri, 6 Apr 2018 01:15:19 +0100
Subject: [PATCH] Enable mysql tls and remove cloudsqlproxy

---
 cli/setup.go | 57 ++++++++++++-----------------------------------
 glide.lock | 45 ++-----------------------------------
 glide.yaml | 4 ----
 kvs/mysql/main.go | 32 ++++++++++++++++++++++----
 4 files changed, 44 insertions(+), 94 deletions(-)

diff --git a/cli/setup.go b/cli/setup.go
index 79d721ca..942d8f6a 100644
--- a/cli/setup.go
+++ b/cli/setup.go
@@ -22,6 +22,8 @@ import (
 "regexp"
 "strings"
 
+ "encoding/pem"
+
 "github.com/abcum/surreal/cnf"
 "github.com/abcum/surreal/log"
 "github.com/abcum/surreal/util/rand"
@@ -56,7 +58,7 @@ func setup() {
 }
 
 if opts.DB.Path != "memory" {
- if ok, _ := regexp.MatchString(`^(s3|gcs|logr|file|mysql|rixxdb|dendrodb)://(.+)$`, opts.DB.Path); !ok {
+ if ok, _ := regexp.MatchString(`^(logr|file|mysql|dendrodb)://(.+)$`, opts.DB.Path); !ok {
 log.Fatalf("Invalid path %s. Specify a valid data store configuration path", opts.DB.Path)
 }
 }
@@ -69,53 +71,22 @@ func setup() { log.Fatal("Specify a valid data file size policy. Valid sizes are greater than 0 and are specified in MB.") } - if strings.HasPrefix(opts.DB.Cert.CA, "-----") { - var err error - var doc *os.File - if doc, err = os.Create("db.ca"); err != nil { - log.Fatal("Can not decode PEM encoded CA into db.ca") - } - doc.Write([]byte(opts.DB.Cert.CA)) - doc.Close() - opts.Cert.Crt = "db.ca" - } - - if strings.HasPrefix(opts.DB.Cert.Crt, "-----") { - var err error - var doc *os.File - if doc, err = os.Create("db.key"); err != nil { - log.Fatal("Can not decode PEM encoded certificate into db.crt") - } - doc.Write([]byte(opts.DB.Cert.Crt)) - doc.Close() - opts.Cert.Crt = "db.crt" - } - - if strings.HasPrefix(opts.DB.Cert.Key, "-----") { - var err error - var doc *os.File - if doc, err = os.Create("db.crt"); err != nil { - log.Fatal("Can not decode PEM encoded private key into db.key") - } - doc.Write([]byte(opts.DB.Cert.Key)) - doc.Close() - opts.Cert.Crt = "db.key" - } - if opts.DB.Cert.CA != "" || opts.DB.Cert.Crt != "" || opts.DB.Cert.Key != "" { + opts.DB.Cert.SSL = true - } - if opts.DB.Cert.CA == "" && opts.DB.Cert.SSL { - log.Fatal("Specify a valid PEM encoded CA file.") - } + if dec, _ := pem.Decode([]byte(opts.DB.Cert.CA)); dec == nil || dec.Type != "CERTIFICATE" { + log.Fatal("Specify a valid PEM encoded CA file.") + } - if opts.DB.Cert.Crt == "" && opts.DB.Cert.SSL { - log.Fatal("Specify a valid PEM encoded certificate file.") - } + if dec, _ := pem.Decode([]byte(opts.DB.Cert.Crt)); dec == nil || dec.Type != "CERTIFICATE" { + log.Fatal("Specify a valid PEM encoded certificate file.") + } + + if dec, _ := pem.Decode([]byte(opts.DB.Cert.Key)); dec == nil || dec.Type != "RSA PRIVATE KEY" { + log.Fatal("Specify a valid PEM encoded private key file.") + } - if opts.DB.Cert.Key == "" && opts.DB.Cert.SSL { - log.Fatal("Specify a valid PEM encoded private key file.") } // -------------------------------------------------- 
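Review bot: The private-key check accepts only a `RSA PRIVATE KEY` PEM block, so a PKCS#8 (`PRIVATE KEY`) or EC (`EC PRIVATE KEY`) key, both of which `tls.X509KeyPair` loads fine, is rejected at startup with a misleading message; `dec.Type != "RSA PRIVATE KEY"` could become `!strings.HasSuffix(dec.Type, "PRIVATE KEY")`, and `strings` is already imported. Note also that all three checks sit inside the `CA != "" || Crt != "" || Key != ""` guard, so supplying only a CA (server verification without client authentication) is now fatal; if that is deliberate, a comment such as `// TLS requires the CA, client certificate and key to be supplied together` above the guard would make the contract explicit. The fatal messages still say "file", but with the file-writing fallback removed these options are now decoded directly as PEM text, so `"Specify a valid PEM encoded CA certificate."` (and likewise for the other two) would describe what is actually expected; hedged, since the option definitions in `cnf` are not visible here. `setup()` starts and ends outside this hunk.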
diff --git a/glide.lock b/glide.lock index c2623d0e..616ea0ae 100644 --- a/glide.lock +++ b/glide.lock @@ -1,10 +1,6 @@ -hash: f40320fa34bbb59afd3c5b8720098d0639557fb70bea37d0b564b8a8d09c13e2 -updated: 2018-04-05T20:42:38.104761+01:00 +hash: cc325edb4f8ae4bfdaac8b068e01dfc5ed0d632d070c9d41181c32799e5449d3 +updated: 2018-04-06T00:06:11.90235+01:00 imports: -- name: cloud.google.com/go - version: 01301d1df8060594708d76bda9062b0205b77e8b - subpackages: - - compute/metadata - name: github.com/abcum/bump version: 526934c541e071b5a330671c76434b9e32d55638 - name: github.com/abcum/cork @@ -32,17 +28,6 @@ imports: version: d150773194090feb6c897805a7bcea8d49544e2c - name: github.com/go-sql-driver/mysql version: a0583e0143b1624142adab07e0e97fe106d99561 -- name: github.com/golang/protobuf - version: e09c5db296004fbe3f74490e84dcd62c3c5ddb1b - subpackages: - - proto -- name: github.com/GoogleCloudPlatform/cloudsql-proxy - version: 61590edac4c769d295cc5f48140ebeff88ccc5bf - subpackages: - - logging - - proxy/certs - - proxy/proxy - - proxy/util - name: github.com/gorilla/websocket version: ea4d1f681babbce9545c9c5f3d5194a789c89f5b - name: github.com/hashicorp/errwrap @@ -135,13 +120,6 @@ imports: - internal/socket - ipv4 - ipv6 -- name: golang.org/x/oauth2 - version: 921ae394b9430ed4fb549668d7b087601bd60a81 - subpackages: - - google - - internal - - jws - - jwt - name: golang.org/x/sys version: 1d206c9fa8975fb4cf00df1dc8bf3283dc24ba0e subpackages: 
@@ -156,25 +134,6 @@ imports: - language - transform - unicode/norm -- name: google.golang.org/api - version: 3097bf831ede4a24e08a3316254e29ca726383e3 - subpackages: - - gensupport - - googleapi - - googleapi/internal/uritemplates - - sqladmin/v1beta4 -- name: google.golang.org/appengine - version: ad39d7fab7c60b2493fdc318c3d2cdb2128f92a4 - subpackages: - - internal - - internal/app_identity - - internal/base - - internal/datastore - - internal/log - - internal/modules - - internal/remote_api - - internal/urlfetch - - urlfetch - name: gopkg.in/tylerb/graceful.v1 version: 4654dfbb6ad53cb5e27f37d99b02e16c1872fbbb testImports: diff --git a/glide.yaml b/glide.yaml index a554129a..dbde39aa 100644 --- a/glide.yaml +++ b/glide.yaml @@ -1,9 +1,5 @@ package: github.com/abcum/surreal import: -- package: github.com/GoogleCloudPlatform/cloudsql-proxy - version: ^1.11.0 - subpackages: - - proxy/proxy - package: github.com/Sirupsen/logrus version: ^1.0.5 - package: github.com/abcum/bump diff --git a/kvs/mysql/main.go b/kvs/mysql/main.go index 0d40d4e1..3f7b56c0 100644 --- a/kvs/mysql/main.go +++ b/kvs/mysql/main.go @@ -17,6 +17,9 @@ package mysql import ( "strings" + "crypto/tls" + "crypto/x509" + "database/sql" "github.com/abcum/surreal/cnf" 
@@ -24,20 +27,41 @@ import (
 "github.com/abcum/surreal/log"
 
 "github.com/go-sql-driver/mysql"
-
- "github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/proxy"
 )
 
 func init() {
 
- mysql.RegisterDial("cloudsql", proxy.Dial)
-
 kvs.Register("mysql", func(opts *cnf.Options) (db kvs.DB, err error) {
 
 var pntr *sql.DB
 
 path := strings.TrimPrefix(opts.DB.Path, "mysql://")
 
+ if cnf.Settings.DB.Cert.SSL {
+
+ cas := x509.NewCertPool()
+ all := make([]tls.Certificate, 0, 1)
+ car := []byte(cnf.Settings.DB.Cert.CA)
+ crt := []byte(cnf.Settings.DB.Cert.Crt)
+ key := []byte(cnf.Settings.DB.Cert.Key)
+
+ if ok := cas.AppendCertsFromPEM(car); !ok {
+ log.WithPrefix("kvs").Errorln("Failed to append CA file.")
+ }
+
+ par, err := tls.X509KeyPair(crt, key)
+ if err != nil {
+ log.WithPrefix("kvs").Errorln(err)
+ }
+
+ mysql.RegisterTLSConfig("default", &tls.Config{
+ InsecureSkipVerify: true,
+ RootCAs: cas,
+ Certificates: append(all, par),
+ })
+
+ }
+
 pntr, err = sql.Open("mysql", path)
 if err != nil {
 log.WithPrefix("kvs").Errorln(err)
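Review bot: `InsecureSkipVerify: true` in the registered tls.Config disables verification of the MySQL server certificate, so the `RootCAs` pool built a few lines above is never consulted and any certificate, including one from a spoofed server, is accepted; leave the field at its zero value so the chain is checked against `DB.Cert.CA` (if the DSN names the server by IP rather than hostname, set `ServerName` instead of skipping verification). The two failure branches above it only log, so a rejected CA leaves an empty pool and a bad key pair appends a zero `tls.Certificate`, and `RegisterTLSConfig`'s error return is discarded, so a misconfiguration still proceeds to `sql.Open`; returning the error from the `kvs.Register` callback, as sketched below, fails closed (the `errors.New` needs an `errors` import). Presumably the config only takes effect when the DSN passed to `sql.Open` carries `tls=default`, which nothing here enforces; I can't see where `opts.DB.Path` is documented. The `kvs.Register` callback continues past the end of this hunk.
```go
		// … unchanged: path := strings.TrimPrefix(opts.DB.Path, "mysql://") …
		if cnf.Settings.DB.Cert.SSL {
			cas := x509.NewCertPool()
			if ok := cas.AppendCertsFromPEM([]byte(cnf.Settings.DB.Cert.CA)); !ok {
				return nil, errors.New("kvs: no usable CA certificate in DB.Cert.CA") // needs an "errors" import
			}
			par, err := tls.X509KeyPair([]byte(cnf.Settings.DB.Cert.Crt), []byte(cnf.Settings.DB.Cert.Key))
			if err != nil {
				return nil, err
			}
			// InsecureSkipVerify is deliberately left false: the server
			// certificate must chain to the configured CA.
			if err := mysql.RegisterTLSConfig("default", &tls.Config{
				RootCAs:      cas,
				Certificates: []tls.Certificate{par},
			}); err != nil {
				return nil, err
			}
		}
		// … unchanged: sql.Open and the rest of the callback …
```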