Merge pull request #43 from hsshss/insecure_tls

Insecure TLS connection

Author: yannh

main.go

@@ -56,7 +56,11 @@ func realMain() int {
 
 	var tlshandler *redisdump.TlsHandler = nil
 	if c.Tls == true {
-		tlshandler = redisdump.NewTlsHandler(c.CaCert, c.Cert, c.Key)
+		tlshandler, err = redisdump.NewTlsHandler(c.CaCert, c.Cert, c.Key, c.Insecure)
+		if err != nil {
+			fmt.Fprintln(os.Stderr, err.Error())
+			return 1
+		}
 	}
 
 	var serializer func([]string) string

pkg/config/config.go

@@ -19,6 +19,7 @@ type Config struct {
 	Output    string
 	Silent    bool
 	Tls       bool
+	Insecure  bool
 	CaCert    string
 	Cert      string
 	Key       string
@@ -54,6 +55,7 @@ func FromFlags(progName string, args []string) (Config, string, error) {
 	flags.StringVar(&c.Output, "output", "resp", "Output type - can be resp or commands")
 	flags.BoolVar(&c.Silent, "s", false, "Silent mode (disable logging of progress / stats)")
 	flags.BoolVar(&c.Tls, "tls", false, "Establish a secure TLS connection")
+	flags.BoolVar(&c.Insecure, "insecure", false, "Allow insecure TLS connection by skipping cert validation")
 	flags.StringVar(&c.CaCert, "cacert", "", "CA Certificate file to verify with")
 	flags.StringVar(&c.Cert, "cert", "", "Private key file to authenticate with")
 	flags.StringVar(&c.Key, "key", "", "SSL private key file path")

pkg/config/config_test.go

@@ -21,6 +21,7 @@ func TestFromFlags(t *testing.T) {
 				NWorkers:  10,
 				WithTTL:   true,
 				Output:    "resp",
+				Insecure:  false,
 			},
 		},
 		{
@@ -34,6 +35,7 @@ func TestFromFlags(t *testing.T) {
 				NWorkers:  10,
 				WithTTL:   true,
 				Output:    "resp",
+				Insecure:  false,
 			},
 		},
 		{
@@ -47,6 +49,7 @@ func TestFromFlags(t *testing.T) {
 				NWorkers:  10,
 				WithTTL:   false,
 				Output:    "resp",
+				Insecure:  false,
 			},
 		},
 		{
@@ -60,6 +63,22 @@ func TestFromFlags(t *testing.T) {
 				NWorkers:  5,
 				WithTTL:   true,
 				Output:    "commands",
+				Insecure:  false,
+			},
+		},
+		{
+			[]string{"-host", "redis", "-port", "1234", "-batchSize", "10", "-user", "test", "-insecure"},
+			Config{
+				Db:        -1,
+				Host:      "redis",
+				Port:      1234,
+				Filter:    "*",
+				BatchSize: 10,
+				NWorkers:  10,
+				WithTTL:   true,
+				Output:    "resp",
+				Username:  "test",
+				Insecure:  true,
 			},
 		},
 		{
@@ -87,6 +106,7 @@ func TestFromFlags(t *testing.T) {
 				NWorkers:  10,
 				WithTTL:   true,
 				Output:    "resp",
+				Insecure:  false,
 			},
 		},
 		{
@@ -101,6 +121,7 @@ func TestFromFlags(t *testing.T) {
 				WithTTL:   true,
 				Output:    "resp",
 				Help:      true,
+				Insecure:  false,
 			},
 		},
 	}

pkg/redisdump/tlsutils.go

@@ -3,33 +3,48 @@ package redisdump
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
 )
 
 type TlsHandler struct {
+	skipVerify bool
 	caCertPath string
 	certPath   string
 	keyPath    string
 }
 
-func NewTlsHandler(caCertPath, certPath, keyPath string) *TlsHandler {
+func NewTlsHandler(caCertPath, certPath, keyPath string, insecure bool) (*TlsHandler, error) {
 	if caCertPath == "" && certPath == "" && keyPath == "" {
-		return nil
+		if insecure {
+			return &TlsHandler{
+				skipVerify: true,
+			}, nil
+		} else {
+			return nil, errors.New("no cert is set. if skip cert validation to set -insecure option")
+		}
 	}
 
 	return &TlsHandler{
+		skipVerify: false,
 		caCertPath: caCertPath,
 		certPath:   certPath,
 		keyPath:    keyPath,
-	}
+	}, nil
 }
 
 func tlsConfig(tlsHandler *TlsHandler) (*tls.Config, error) {
 	if tlsHandler == nil {
 		return nil, nil
 	}
 
+	if tlsHandler.skipVerify {
+		return &tls.Config{
+			InsecureSkipVerify: true,
+		}, nil
+	}
+
 	certPool := x509.NewCertPool()
 	// ca cert is optional
 	if tlsHandler.caCertPath != "" {