feat: inherit oAuth configuration

+ respect custom SSL certificate for C8 SaaS connections Closes #319
camunda-community-hub · Jun 8, 2023 · e9a3f7a · e9a3f7a
1 parent eb95a56
commit e9a3f7a
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 0 deletions.
diff --git a/src/__tests__/ConfigurationHydrator.spec.ts b/src/__tests__/ConfigurationHydrator.spec.ts
@@ -360,6 +360,91 @@ test('Uses the explicit region passed in a CamundaCloudConfig', () => {
 	)
 })
 
+describe('Configures secure connection with custom root certs', () => {
+	test('to Camunda Cloud, oAuth inherits <customSSL.rootCerts>', () => {
+		delete process.env.ZEEBE_CAMUNDA_CLOUD_CLUSTER_ID
+		delete process.env.ZEEBE_CLIENT_SECRET
+		delete process.env.ZEEBE_CLIENT_ID
+		delete process.env.ZEEBE_GATEWAY_ADDRESS
+
+		const rootCerts = Buffer.from('CERT', 'utf8')
+
+		// process.env.ZEEBE_GATEWAY_ADDRESS = 'zeebe://localhost:26500'
+		const conf = ConfigurationHydrator.configure('localhost:26600', {
+			camundaCloud: {
+				clientId: 'CLIENT_ID',
+				clientSecret: 'CLIENT_SECRET',
+				clusterId: 'CLUSTER_ID',
+				clusterRegion: 'CLUSTER_REGION',
+			},
+			useTLS: true,
+			customSSL: {
+				rootCerts,
+			},
+		})
+
+		expect(conf.oAuth!.url).toBe(
+			'https://login.cloud.camunda.io/oauth/token'
+		)
+		expect(conf.oAuth!.customRootCert).toBe(rootCerts)
+	})
+
+	test('to Self-managed, oAuth uses <oAuth.customRootCert>', () => {
+		delete process.env.ZEEBE_CAMUNDA_CLOUD_CLUSTER_ID
+		delete process.env.ZEEBE_CLIENT_SECRET
+		delete process.env.ZEEBE_CLIENT_ID
+		delete process.env.ZEEBE_GATEWAY_ADDRESS
+
+		const rootCerts = Buffer.from('CERT', 'utf8')
+		const oAuthRootCerts = Buffer.from('C_CERT', 'utf8')
+
+		// process.env.ZEEBE_GATEWAY_ADDRESS = 'zeebe://localhost:26500'
+		const conf = ConfigurationHydrator.configure('localhost:26600', {
+			oAuth: {
+				audience: 'OAUTH_AUDIENCE',
+				clientId: 'CLIENT_ID',
+				clientSecret: 'CLIENT_SECRET',
+				url: 'OAUTH_URL',
+				customRootCert: oAuthRootCerts,
+			},
+			useTLS: true,
+			customSSL: {
+				rootCerts,
+			},
+		})
+
+		expect(conf.oAuth!.url).toBe('OAUTH_URL')
+		expect(conf.oAuth!.customRootCert).toBe(oAuthRootCerts)
+		expect(conf.customSSL?.rootCerts).toBe(rootCerts)
+	})
+
+	test('to Self-managed, oAuth inherits <customSSL.rootCerts>', () => {
+		delete process.env.ZEEBE_CAMUNDA_CLOUD_CLUSTER_ID
+		delete process.env.ZEEBE_CLIENT_SECRET
+		delete process.env.ZEEBE_CLIENT_ID
+		delete process.env.ZEEBE_GATEWAY_ADDRESS
+
+		const rootCerts = Buffer.from('CERT', 'utf8')
+
+		// process.env.ZEEBE_GATEWAY_ADDRESS = 'zeebe://localhost:26500'
+		const conf = ConfigurationHydrator.configure('localhost:26600', {
+			oAuth: {
+				audience: 'OAUTH_AUDIENCE',
+				clientId: 'CLIENT_ID',
+				clientSecret: 'CLIENT_SECRET',
+				url: 'OAUTH_URL',
+			},
+			useTLS: true,
+			customSSL: {
+				rootCerts,
+			},
+		})
+
+		expect(conf.oAuth!.url).toBe('OAUTH_URL')
+		expect(conf.oAuth!.customRootCert).toBe(rootCerts)
+	})
+})
+
 test('Is insecure by default', () => {
 	delete process.env.ZEEBE_INSECURE_CONNECTION
 	const conf = ConfigurationHydrator.configure('localhost:26600', {})

diff --git a/src/lib/ConfigurationHydrator.ts b/src/lib/ConfigurationHydrator.ts
@@ -52,6 +52,18 @@ export class ConfigurationHydrator {
 			...ConfigurationHydrator.getEagerStatus(options),
 			...ConfigurationHydrator.getRetryConfiguration(options),
 		}
+
+		// inherit oAuth custom root certificates, unless
+		// others are explicitly provided
+		if (
+			configuration?.oAuth &&
+			!configuration.oAuth.customRootCert &&
+			configuration.customSSL?.rootCerts
+		) {
+			configuration.oAuth.customRootCert =
+				configuration.customSSL.rootCerts
+		}
+
 		return configuration
 	}
 	public static readonly getLogLevelFromEnv = () =>