feat: added tls config #5530
base: develop
Conversation
Thanks for your contribution!
I haven't tested the code yet; these are just some things I saw when having a look at the code.
bf90dbd to 92f2d0d
Erik, I have added an env flag.
Tested Joi validation for the following condition:
Screen.Recording.2024-03-08.at.6.07.25.PM.mov
This gets in the right direction! :)
What still surprises me is the reason we need completely separate environment variables for postgres and mariadb/mysql. I get that you intended to make explicit which options are only relevant for the chosen database type. But having for example both `HD_SQL_SSL_CA_PATH` and `HD_PG_SSL_CA_PATH` seems a bit unnecessary to me. For changing that the code doesn't need greater changes; it's more a thing of renaming the variables and updating the documentation.
```ts
const databaseSchema = Joi.object({
  type: Joi.string()
    .valid(...Object.values(DatabaseType))
    .label('HD_DATABASE_TYPE'),
  needsSSL: Joi.string().valid('0', '1').label('HD_DATABASE_SSL'),
```
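Review bot: the schema validates `needsSSL` as the string `'0'` or `'1'`, while `getTlsConfig(dbType: DatabaseType, needsSSL: boolean)` further down guards with `if (!needsSSL)`; the string `'0'` is truthy, so unless the value is converted to a boolean before that call, `HD_DATABASE_SSL=0` would still produce a TLS config. Validating it as `Joi.boolean().default(false)` (or converting explicitly at the boundary) removes the type mismatch, and the unit tests should cover both `0` and the unset case.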
Why isn't this just a boolean (`Joi.boolean().default(false)`)?
```ts
const getTlsConfig = (dbType: DatabaseType, needsSSL: boolean) => {
  if (!needsSSL) return;

  const postgresTlsConfig = dbType === DatabaseType.POSTGRES && {
    ssl: {
      ca: getSecret(process.env.HD_PG_SSL_CA_PATH),
      rejectUnauthorized: process.env.HD_PG_SSL_REJECT_UNAUTHORIZED === 'true',
      key: getSecret(process.env.HD_PG_SSL_KEY_PATH),
      cert: getSecret(process.env.HD_PG_SSL_CERT_PATH),
    },
  };

  const sqlTlsConfig = [DatabaseType.MARIADB, DatabaseType.MYSQL].includes(
    dbType,
  ) && {
    ssl: {
      ca: getSecret(process.env.HD_SQL_SSL_CA_PATH),
      key: getSecret(process.env.HD_SQL_SSL_KEY_PATH),
      cert: getSecret(process.env.HD_SQL_SSL_CERT_PATH),
      rejectUnauthorized: process.env.HD_SQL_SSL_REJECT_UNAUTHORIZED === 'true',
      ciphers: process.env.HD_SQL_SSL_CIPHERS,
      maxVersion: process.env.HD_SQL_SSL_MAX_VERSION,
      minVersion: process.env.HD_SQL_SSL_MIN_VERSION,
      passphrase: process.env.HD_SQL_SSL_PASSPHRASE,
    },
  };

  return sqlTlsConfig || postgresTlsConfig;
};
```
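Review bot: `rejectUnauthorized: process.env.HD_PG_SSL_REJECT_UNAUTHORIZED === 'true'` (and its `HD_SQL_SSL_REJECT_UNAUTHORIZED` counterpart) evaluates to `false` whenever the variable is unset, so enabling SSL without also setting it yields an encrypted connection whose server certificate is never verified; the unverified mode should be the explicit opt-in, e.g. `rejectUnauthorized: process.env.HD_PG_SSL_REJECT_UNAUTHORIZED !== 'false'`, with the documentation stating that default. Two smaller points in the same hunk: `passphrase` is taken straight from the environment while `key` and `cert` go through `getSecret`, and for a `dbType` matching neither branch both `&&` expressions leave the constants as `false`, so `sqlTlsConfig || postgresTlsConfig` returns `false` rather than the `undefined` the early `return` produces.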
As this method is rather crucial to database security options, it should be unit-tested. The `getSecret` method could be mocked for that.
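One way to make this function unit-testable, shown here as an added example rather than code from the PR or from HedgeDoc: pass the environment and the secret loader in as parameters, so a test substitutes an in-memory reader instead of mocking the `getSecret` module. The `DatabaseType` value set, the `HD_SQL_SSL_PASSPHRASE_PATH` name and the fake PEM fixtures are assumptions of this example; it also keeps certificate verification on unless it is explicitly disabled, which is the opposite default from the `=== 'true'` check under review.

```typescript
// Added example, not HedgeDoc's code: a dependency-injected variant of the
// getTlsConfig() under review. Env-var names follow the PR's HD_PG_SSL_* and
// HD_SQL_SSL_* scheme; HD_SQL_SSL_PASSPHRASE_PATH is a hypothetical name.

type Env = Record<string, string | undefined>;
type SecretReader = (path: string | undefined) => string | undefined;

// Assumed value set for this example (the real enum lives in the project).
const DatabaseType = {
  POSTGRES: 'postgres',
  MARIADB: 'mariadb',
  MYSQL: 'mysql',
  SQLITE: 'sqlite',
} as const;
type DatabaseType = (typeof DatabaseType)[keyof typeof DatabaseType];

interface TlsOptions {
  ca?: string;
  key?: string;
  cert?: string;
  rejectUnauthorized: boolean;
  ciphers?: string;
  minVersion?: string;
  maxVersion?: string;
  passphrase?: string;
}

// Only an explicit opt-out disables certificate verification, so an unset
// variable keeps the secure default.
function verifyUnlessDisabled(value: string | undefined): boolean {
  return value !== 'false';
}

function buildTlsConfig(
  dbType: DatabaseType,
  needsSSL: boolean,
  env: Env,
  readSecret: SecretReader,
): { ssl: TlsOptions } | undefined {
  if (!needsSSL) {
    return undefined;
  }
  if (dbType === DatabaseType.POSTGRES) {
    return {
      ssl: {
        ca: readSecret(env.HD_PG_SSL_CA_PATH),
        key: readSecret(env.HD_PG_SSL_KEY_PATH),
        cert: readSecret(env.HD_PG_SSL_CERT_PATH),
        rejectUnauthorized: verifyUnlessDisabled(env.HD_PG_SSL_REJECT_UNAUTHORIZED),
      },
    };
  }
  if (dbType === DatabaseType.MARIADB || dbType === DatabaseType.MYSQL) {
    return {
      ssl: {
        ca: readSecret(env.HD_SQL_SSL_CA_PATH),
        key: readSecret(env.HD_SQL_SSL_KEY_PATH),
        cert: readSecret(env.HD_SQL_SSL_CERT_PATH),
        rejectUnauthorized: verifyUnlessDisabled(env.HD_SQL_SSL_REJECT_UNAUTHORIZED),
        ciphers: env.HD_SQL_SSL_CIPHERS,
        minVersion: env.HD_SQL_SSL_MIN_VERSION,
        maxVersion: env.HD_SQL_SSL_MAX_VERSION,
        // The passphrase is a secret too, so it goes through the same reader
        // (hypothetical variable name) instead of sitting in the environment.
        passphrase: readSecret(env.HD_SQL_SSL_PASSPHRASE_PATH),
      },
    };
  }
  // Databases without TLS options get no ssl block at all, not `false`.
  return undefined;
}

// Test double standing in for getSecret(): an in-memory "filesystem".
function makeFakeSecretReader(files: Record<string, string>): SecretReader {
  return (path) => (path === undefined ? undefined : files[path]);
}

// Constructed fixtures: fake PEM contents and an env pointing at them.
const FAKE_FILES: Record<string, string> = {
  '/run/secrets/ca.pem': '-----BEGIN CERTIFICATE-----\nFAKE-CA\n-----END CERTIFICATE-----',
  '/run/secrets/client.key': '-----BEGIN PRIVATE KEY-----\nFAKE-KEY\n-----END PRIVATE KEY-----',
};
const FAKE_ENV: Env = {
  HD_PG_SSL_CA_PATH: '/run/secrets/ca.pem',
  HD_PG_SSL_KEY_PATH: '/run/secrets/client.key',
  HD_SQL_SSL_CA_PATH: '/run/secrets/ca.pem',
  HD_SQL_SSL_REJECT_UNAUTHORIZED: 'false',
};

// The cases a unit test for the real function would want to cover.
function runCases() {
  const readSecret = makeFakeSecretReader(FAKE_FILES);
  return {
    disabled: buildTlsConfig(DatabaseType.POSTGRES, false, FAKE_ENV, readSecret),
    postgres: buildTlsConfig(DatabaseType.POSTGRES, true, FAKE_ENV, readSecret),
    mariadb: buildTlsConfig(DatabaseType.MARIADB, true, FAKE_ENV, readSecret),
    sqlite: buildTlsConfig(DatabaseType.SQLITE, true, FAKE_ENV, readSecret),
  };
}

console.log(JSON.stringify(runCases(), null, 2));
```

Run it with ts-node or tsx. `runCases()` returns the four results a test would assert on: no block when SSL is off, file contents resolved through the fake reader, an unset path read as `undefined` rather than throwing, verification on unless the variable is exactly `'false'`, and no block for a database that has no TLS options.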
```ts
});

const getTlsConfig = (dbType: DatabaseType, needsSSL: boolean) => {
  if (!needsSSL) return;
```
```ts
if (!needsSSL) return;
```

Suggested change:

```ts
if (!needsSSL) {
  return;
}
```

Although it may seem unnecessary, please use explicit closures for if statements. By being explicit in all places, we should be avoiding things like Apple's gotofail bug.
Codecov Report
Attention: Patch coverage is

Additional details and impacted files

```
@@            Coverage Diff             @@
##           develop    #5530      +/-   ##
============================================
+ Coverage    57.66%   87.65%   +29.99%
============================================
  Files          418      173      -245
  Lines        12058     4561     -7497
  Branches      1007      492      -515
============================================
- Hits          6953     3998     -2955
+ Misses        5048      538     -4510
+ Partials        57       25       -32
```

Flags with carried forward coverage won't be shown. View full report in Codecov by Sentry.
Signed-off-by: Avinash <avinash.kumar.cs92@gmail.com>

Component/Part
backend -> Database config

Description
This PR fixes #3063

Steps
made sure that:
master for 1.x & docs, develop for 2.x