diff --git a/main.go b/main.go
index e0d625a..3e1fff5 100644
--- a/main.go
+++ b/main.go
@@ -56,7 +56,11 @@ func realMain() int {
 var tlshandler *redisdump.TlsHandler = nil
 if c.Tls == true {
- tlshandler = redisdump.NewTlsHandler(c.CaCert, c.Cert, c.Key)
+ tlshandler, err = redisdump.NewTlsHandler(c.CaCert, c.Cert, c.Key, c.Insecure)
+ if err != nil {
+ fmt.Fprintln(os.Stderr, err.Error())
+ return 1
+ }
 }
 var serializer func([]string) string
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 221c38a..cbacef7 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -19,6 +19,7 @@ type Config struct {
 Output string
 Silent bool
 Tls bool
+ Insecure bool
 CaCert string
 Cert string
 Key string
@@ -54,6 +55,7 @@ func FromFlags(progName string, args []string) (Config, string, error) {
 flags.StringVar(&c.Output, "output", "resp", "Output type - can be resp or commands")
 flags.BoolVar(&c.Silent, "s", false, "Silent mode (disable logging of progress / stats)")
 flags.BoolVar(&c.Tls, "tls", false, "Establish a secure TLS connection")
+ flags.BoolVar(&c.Insecure, "insecure", false, "Allow insecure TLS connection by skipping cert validation")
 flags.StringVar(&c.CaCert, "cacert", "", "CA Certificate file to verify with")
 flags.StringVar(&c.Cert, "cert", "", "Private key file to authenticate with")
 flags.StringVar(&c.Key, "key", "", "SSL private key file path")
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 967e864..b7939e2 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -21,6 +21,7 @@ func TestFromFlags(t *testing.T) {
 NWorkers: 10,
 WithTTL: true,
 Output: "resp",
+ Insecure: false,
 },
 },
 {
@@ -34,6 +35,7 @@ func TestFromFlags(t *testing.T) {
 NWorkers: 10,
 WithTTL: true,
 Output: "resp",
+ Insecure: false,
 },
 },
 {
@@ -47,6 +49,7 @@ func TestFromFlags(t *testing.T) {
 NWorkers: 10,
 WithTTL: false,
 Output: "resp",
+ Insecure: false,
 },
 },
 {
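Review bot: On the new `if err != nil` branch the message is written as `err.Error()` with nothing saying which step failed, so the operator sees a bare library string; `fmt.Fprintf(os.Stderr, "tls setup: %v\n", err)` keeps the context and drops the redundant `Error()` call. The `tlshandler, err =` assignment relies on an `err` declared earlier in realMain, whose body starts before this hunk, so that declaration cannot be confirmed here. Since `-insecure` is only honoured by NewTlsHandler when no certificate paths are given (see the tlsutils.go hunk), consider printing a one-line stderr warning here when `c.Insecure` is set, so that a connection made without server certificate verification is visible in job output rather than silent.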
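Review bot: The new `-insecure` flag is registered with no relation to `-tls`, yet main.go only consults `c.Insecure` inside `if c.Tls == true`, and NewTlsHandler further ignores it once any of `-cacert`/`-cert`/`-key` is set; FromFlags accepts `-insecure` alone or together with certificate paths silently. Either validate the combination here (return an error from FromFlags when `c.Insecure && !c.Tls`) or state the precondition in the usage text, e.g. `"Skip server certificate validation (only with -tls and without -cacert/-cert/-key); the connection can then be intercepted undetected"`. The `Insecure bool` field added in the struct hunk above would carry the same information as a doc comment, e.g. `// Insecure disables server certificate validation when Tls is set and no certificate paths are given.`. Unrelated to this change, the context line for `-cert` describes the certificate file as "Private key file to authenticate with", which duplicates the `-key` description and is worth correcting when this block is next touched.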
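Review bot: `Insecure: false` is the zero value of the field, so adding it to every expected `Config` literal (this hunk and the five other config_test.go hunks) asserts nothing new and makes future field additions noisier; only the new `-insecure` case that expects `Insecure: true` needs the field spelled out. If FromFlags gains validation of `-insecure` against `-tls`, the new case should pass `-tls` as well, and a case combining `-insecure` with `-cacert` would pin down the parsing of the options that decide whether the flag takes effect. The enclosing table and TestFromFlags begin before this hunk.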
@@ -60,6 +63,22 @@ func TestFromFlags(t *testing.T) {
 NWorkers: 5,
 WithTTL: true,
 Output: "commands",
+ Insecure: false,
+ },
+ },
+ {
+ []string{"-host", "redis", "-port", "1234", "-batchSize", "10", "-user", "test", "-insecure"},
+ Config{
+ Db: -1,
+ Host: "redis",
+ Port: 1234,
+ Filter: "*",
+ BatchSize: 10,
+ NWorkers: 10,
+ WithTTL: true,
+ Output: "resp",
+ Username: "test",
+ Insecure: true,
 },
 },
 {
@@ -87,6 +106,7 @@ func TestFromFlags(t *testing.T) {
 NWorkers: 10,
 WithTTL: true,
 Output: "resp",
+ Insecure: false,
 },
 },
 {
@@ -101,6 +121,7 @@ func TestFromFlags(t *testing.T) {
 WithTTL: true,
 Output: "resp",
 Help: true,
+ Insecure: false,
 },
 },
 }
diff --git a/pkg/redisdump/tlsutils.go b/pkg/redisdump/tlsutils.go
index 0340104..3aa3804 100644
--- a/pkg/redisdump/tlsutils.go
+++ b/pkg/redisdump/tlsutils.go
@@ -3,26 +3,35 @@ package redisdump
 import (
 "crypto/tls"
 "crypto/x509"
+ "errors"
 "fmt"
 "io/ioutil"
 )
 type TlsHandler struct {
+ skipVerify bool
 caCertPath string
 certPath string
 keyPath string
 }
-func NewTlsHandler(caCertPath, certPath, keyPath string) *TlsHandler {
+func NewTlsHandler(caCertPath, certPath, keyPath string, insecure bool) (*TlsHandler, error) {
 if caCertPath == "" && certPath == "" && keyPath == "" {
- return nil
+ if insecure {
+ return &TlsHandler{
+ skipVerify: true,
+ }, nil
+ } else {
+ return nil, errors.New("no cert is set. if skip cert validation to set -insecure option")
+ }
 }
 return &TlsHandler{
+ skipVerify: false,
 caCertPath: caCertPath,
 certPath: certPath,
 keyPath: keyPath,
- }
+ }, nil
 }
 func tlsConfig(tlsHandler *TlsHandler) (*tls.Config, error) {
@@ -30,6 +39,12 @@ func tlsConfig(tlsHandler *TlsHandler) (*tls.Config, error) {
 return nil, nil
 }
+ if tlsHandler.skipVerify {
+ return &tls.Config{
+ InsecureSkipVerify: true,
+ }, nil
+ }
 certPool := x509.NewCertPool()
 // ca cert is optional
 if tlsHandler.caCertPath != "" {
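Review bot: For the no-paths, `insecure == false` case the new `errors.New` line names `-insecure` as the only remedy, i.e. it steers the operator toward turning verification off, and its wording is garbled; what a nil handler meant to the dialer before this change is outside the hunk (if a nil config meant TLS with system roots, `-tls` alone has gone from a verified connection to this error; if it meant no TLS at all, the error is an improvement), but either way the message should name `-cacert` first, e.g. `errors.New("tls: no CA certificate configured; pass -cacert, or -insecure to skip server certificate validation")`, and a library package naming CLI flags is a coupling worth a comment. Separately, `insecure` is silently discarded once any path is set — the second return hard-codes `skipVerify: false` — so `-cert`/`-key` with `-insecure` still takes the certificate-pool path of tlsConfig; either document that in a doc comment on the exported function (`// NewTlsHandler builds the TLS settings for the dump connection; insecure is honoured only when no certificate paths are given and then disables server certificate and host-name verification.`) or return an error for the conflicting combination instead of choosing silently. Style: the `else` after `return` can be dropped, and `skipVerify: false` is the zero value.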
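Review bot: The early `if tlsHandler.skipVerify` return hands back a `tls.Config` whose only setting is `InsecureSkipVerify: true`, which in crypto/tls disables both chain and host-name verification, so any fields the verified path below sets (a `MinVersion`, cipher preferences — the rest of tlsConfig is outside this hunk) are skipped on exactly the path with the least protection. If the verified branch sets such fields, mirror them here, e.g. `return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}, nil`, so that `-insecure` only relaxes peer authentication and nothing else. A comment on the branch, `// skipVerify: accept any server certificate; only reachable when NewTlsHandler was given insecure=true and no certificate paths`, would tie it to the construction rule. The function's opening lines precede this hunk.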