feat(qseow): Add control of rejectUnauthorized cert to QSEoW server c…

…onfig Better control when connecting to Sense servers
ptarmiganlabs · Sep 17, 2023 · 435a479 · 435a479
1 parent 0f18a5c
commit 435a479
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/src/config/qseow-server-config-nr.html b/src/config/qseow-server-config-nr.html
@@ -14,6 +14,7 @@
             certFile: { value: '', required: false },
             keyFile: { value: '', required: false },
             certCaFile: { value: '', required: false },
+            rejectUnauthorized: { value: true, required: true },
             jwt: { value: '', required: false },
         },
         label() {
@@ -32,18 +33,24 @@
             const keyFileRow = $('#node-config-input-keyFile').parent();
             // eslint-disable-next-line no-undef
             const certCaFileRow = $('#node-config-input-certCaFile').parent();
+            // eslint-disable-next-line no-undef
+            const rejectUnauthorizedRow = $('#node-config-input-rejectUnauthorized-row');
+
             // eslint-disable-next-line no-undef
             const jwtRow = $('#node-config-input-jwt-row');
+
             function updateAuthType() {
                 if (authTypeInput.val() === 'cert') {
                     certFileRow.show();
                     keyFileRow.show();
                     certCaFileRow.show();
+                    rejectUnauthorizedRow.show();
                     jwtRow.hide();
                 } else {
                     certFileRow.hide();
                     keyFileRow.hide();
                     certCaFileRow.hide();
+                    rejectUnauthorizedRow.hide();
                     jwtRow.show();
                 }
             }
@@ -111,6 +118,11 @@
     <div class="form-row" id="node-config-input-certCaFile-row" style="display:none">
         <label for="node-config-input-certCaFile"><i class="fa fa-file"></i> Certificate authority file</label>
         <input type="text" id="node-config-input-certCaFile" placeholder="/path/to/root.pem" value="">
+    </div>
+    <div class="form-row" id="node-config-input-rejectUnauthorized-row" style="display:none">
+        <label for="node-config-input-rejectUnauthorized"><i class="fa fa-lock"></i> Reject unauthorized certificate</label>
+        <input type="checkbox" id="node-config-input-rejectUnauthorized" value="true">
+    </div>
 </script>
 
 <script type="text/html" data-help-name="qseow-sense-server">
@@ -132,6 +144,7 @@ <h2>Properties</h2>
                             <li><strong>Certificate file:</strong> The location of the certificate file.</li>
                             <li><strong>Key file:</strong> The location of the key file.</li>
                             <li><strong>Certificate authority file:</strong> The location of the root CA file. Only needed if that certificate is not already in the system's certificate store.</li>
+                            <li><strong>Reject unauthorized certificate:</strong> If set to true, the server certificate is verified against the list of supplied CAs. An error is thrown if verification fails. If set to false, no verification is performed. This is useful for self-signed certificates.</li>
                         </ul>
                     </li>
                 </ul>

diff --git a/src/config/qseow-server-config-nr.js b/src/config/qseow-server-config-nr.js
@@ -16,6 +16,7 @@ module.exports = function (RED) {
             node.certFile = config.certFile;
             node.keyFile = config.keyFile;
             node.certCaFile = config.certCaFile;
+            node.rejectUnauthorized = config.rejectUnauthorized;
         } else if (node.authType === 'jwt') {
             node.jwt = config.jwt || '';
         }

diff --git a/src/lib/qseow/auth.js b/src/lib/qseow/auth.js
@@ -96,7 +96,7 @@ function getAuth(node) {
                 cert: clientCert,
                 key: clientKey,
                 ca: rootCert,
-                rejectUnauthorized: true,
+                rejectUnauthorized: node.senseServer.rejectUnauthorized,
             });
         } else {
             node.log('Not using root CA file');
@@ -119,7 +119,7 @@ function getAuth(node) {
             httpsAgent = new https.Agent({
                 cert: clientCert,
                 key: clientKey,
-                rejectUnauthorized: false,
+                rejectUnauthorized: node.senseServer.rejectUnauthorized,
             });
         }
     } else if (authType === 'jwt') {
@@ -217,7 +217,7 @@ function getEnigmaAuth(node) {
                     headers: {
                         'X-Qlik-User': 'UserDirectory=Internal;UserId=sa_api',
                     },
-                    rejectUnauthorized: false,
+                    rejectUnauthorized: node.senseServer.rejectUnauthorized,
                 }),
         };
     } else {
@@ -249,7 +249,7 @@ function getEnigmaAuth(node) {
                     headers: {
                         'X-Qlik-User': 'UserDirectory=Internal;UserId=sa_api',
                     },
-                    rejectUnauthorized: false,
+                    rejectUnauthorized: node.senseServer.rejectUnauthorized,
                 }),
         };
     }