added system cert pool to configuration

z5labs · Aug 4, 2021 · 78ffef3 · 78ffef3
1 parent c77ef06
commit 78ffef3
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 8 deletions.
diff --git a/config.go b/config.go
@@ -53,6 +53,8 @@ type Config struct {
 
 	Realm string `yaml:"realm" json:"realm" mapstructure:"realm"`
 
+	// these security configurations will be ignored if the protocol does not contain +s
+	UseSystemCertPool bool `yaml:"use_system_cert_pool" mapstructure:"use_system_cert_pool"`
 	CAFileLocation string `yaml:"ca_file_location" mapstructure:"ca_file_location"`
 
 	// Index Strategy defines the index strategy for GoGM

diff --git a/gogm.go b/gogm.go
@@ -161,25 +161,38 @@ func (g *Gogm) parseOgmTypes() error {
 
 func (g *Gogm) initDriver() error {
 	var certPool *x509.CertPool
-
-	if g.config.CAFileLocation != "" {
-		certPool = x509.NewCertPool()
-		bytes, err := ioutil.ReadFile(g.config.CAFileLocation)
-		if err != nil {
-			return fmt.Errorf("failed to open ca file, %w", err)
+	isEncrypted := strings.Contains(g.config.Protocol, "+s")
+
+	if isEncrypted {
+		if g.config.UseSystemCertPool {
+			var err error
+			certPool, err = x509.SystemCertPool()
+			if err != nil {
+				return fmt.Errorf("failed to get system cert pool")
+			}
+		} else {
+			certPool = x509.NewCertPool()
 		}
 
-		certPool.AppendCertsFromPEM(bytes)
+		if g.config.CAFileLocation != "" {
+			bytes, err := ioutil.ReadFile(g.config.CAFileLocation)
+			if err != nil {
+				return fmt.Errorf("failed to open ca file, %w", err)
+			}
+
+			certPool.AppendCertsFromPEM(bytes)
+		}
 	}
 
+
 	neoConfig := func(neoConf *neo4j.Config) {
 		if g.config.EnableDriverLogs {
 			neoConf.Log = wrapLogger(g.logger)
 		}
 
 		neoConf.MaxConnectionPoolSize = g.config.PoolSize
 
-		if g.config.CAFileLocation != "" {
+		if isEncrypted {
 			neoConf.RootCAs = certPool
 		}
 	}