feat: Use standard TLS hostname validation for instances with DNS names (#428)

When the the Cloud SQL Instance reports that it has a DNS Name, the connector will use standard TLS hostname validation when checking the server certificate. Now, the server's TLS certificate must contain a SAN record with the instance's DNS name.

The ConnectSettings API added a field dns_names which contains all of the valid DNS names for
an instance.

See also: GoogleCloudPlatform/cloud-sql-go-connector#954

Author: hessjcg

package-lock.json

@@ -83,9 +83,9 @@
     "url": "git+https://github.com/GoogleCloudPlatform/cloud-sql-nodejs-connector"
   },
   "dependencies": {
-    "@googleapis/sqladmin": "^24.0.0",
+    "@googleapis/sqladmin": "^27.0.0",
     "gaxios": "^6.1.1",
     "google-auth-library": "^9.2.0",
     "p-throttle": "^7.0.0"
   }
-}
+}

package.json

@@ -232,7 +232,6 @@ export class Connector {
           port,
           privateKey,
           serverCaCert,
-          serverCaMode,
           dnsName,
         } = cloudSqlInstance;
 
@@ -251,8 +250,8 @@ export class Connector {
             port,
             privateKey,
             serverCaCert,
-            serverCaMode,
-            dnsName: instanceInfo.domainName || dnsName, // use the configured domain name, or the instance dnsName.
+            instanceDnsName: dnsName,
+            serverName: instanceInfo.domainName || dnsName, // use the configured domain name, or the instance dnsName.
           });
           tlsSocket.once('error', () => {
             cloudSqlInstance.forceRefresh();

src/connector.ts

@@ -26,17 +26,17 @@ interface SocketOptions {
   instanceInfo: InstanceConnectionInfo;
   privateKey: string;
   serverCaCert: SslCert;
-  serverCaMode: string;
-  dnsName: string;
+  instanceDnsName: string;
+  serverName: string;
 }
 
 export function validateCertificate(
   instanceInfo: InstanceConnectionInfo,
-  serverCaMode: string,
-  dnsName: string
+  instanceDnsName: string,
+  serverName: string
 ) {
   return (hostname: string, cert: tls.PeerCertificate): Error | undefined => {
-    if (!serverCaMode || serverCaMode === 'GOOGLE_MANAGED_INTERNAL_CA') {
+    if (!instanceDnsName) {
       // Legacy CA Mode
       if (!cert || !cert.subject) {
         return new CloudSQLConnectorError({
@@ -54,7 +54,7 @@ export function validateCertificate(
       return undefined;
     } else {
       // Standard TLS Verify Full hostname verification using SAN
-      return tls.checkServerIdentity(dnsName, cert);
+      return tls.checkServerIdentity(serverName, cert);
     }
   };
 }
@@ -66,8 +66,8 @@ export function getSocket({
   instanceInfo,
   privateKey,
   serverCaCert,
-  serverCaMode,
-  dnsName,
+  instanceDnsName,
+  serverName,
 }: SocketOptions): tls.TLSSocket {
   const socketOpts = {
     host,
@@ -80,8 +80,8 @@ export function getSocket({
     }),
     checkServerIdentity: validateCertificate(
       instanceInfo,
-      serverCaMode,
-      dnsName
+      instanceDnsName,
+      serverName
     ),
   };
   const tlsSocket = tls.connect(socketOpts);

src/socket.ts

@@ -132,6 +132,7 @@ export class SQLAdminFetcher {
   private parseIpAddresses(
     ipResponse: sqladmin_v1beta4.Schema$IpMapping[] | undefined,
     dnsName: string | null | undefined,
+    dnsNames: sqladmin_v1beta4.Schema$DnsNameMapping[] | null | undefined,
     pscEnabled: boolean | null | undefined
   ): IpAddresses {
     const ipAddresses: IpAddresses = {};
@@ -149,7 +150,23 @@ export class SQLAdminFetcher {
     // Resolve dnsName into IP address for PSC enabled instances.
     // Note that we have to check for PSC enablement because CAS instances
     // also set the dnsName field.
-    if (dnsName && pscEnabled) {
+
+    // Search the dns_names field for the PSC DNS Name.
+    if (dnsNames) {
+      for (const dnm of dnsNames) {
+        if (
+          dnm.name &&
+          dnm.connectionType === 'PRIVATE_SERVICE_CONNECT' &&
+          dnm.dnsScope === 'INSTANCE'
+        ) {
+          ipAddresses.psc = dnm.name;
+          break;
+        }
+      }
+    }
+
+    // If the psc dns name was not found, use the legacy dns_name field
+    if (!ipAddresses.psc && dnsName && pscEnabled) {
       ipAddresses.psc = dnsName;
     }
 
@@ -188,6 +205,7 @@ export class SQLAdminFetcher {
     const ipAddresses = this.parseIpAddresses(
       res.data.ipAddresses,
       res.data.dnsName,
+      res.data.dnsNames,
       res.data.pscEnabled
     );
 
@@ -214,6 +232,16 @@ export class SQLAdminFetcher {
     }
 
     cleanGaxiosConfig();
+    // Find a DNS name to use to validate the certificate from the dns_names field. Any
+    // name in the list may be used to validate the server TLS certificate.
+    // Fall back to legacy dns_name field if necessary.
+    let serverName = null;
+    if (res.data.dnsNames && res.data.dnsNames.length > 0) {
+      serverName = res.data.dnsNames[0].name;
+    }
+    if (serverName === null) {
+      serverName = res.data.dnsName;
+    }
 
     return {
       ipAddresses,
@@ -222,7 +250,7 @@ export class SQLAdminFetcher {
         expirationTime: serverCaCert.expirationTime,
       },
       serverCaMode: res.data.serverCaMode || '',
-      dnsName: res.data.dnsName || '',
+      dnsName: serverName || '',
     };
   }
 

src/sqladmin-fetcher.ts

@@ -69,7 +69,7 @@ t.test('validateCertificate no cert', async t => {
         regionId: 'region-id',
         instanceId: 'my-instance',
       },
-      'GOOGLE_MANAGED_INTERNAL_CA',
+      null,
       'abcde.12345.us-central1.sql.goog'
     )('hostname', {} as tls.PeerCertificate),
     {code: 'ENOSQLADMINVERIFYCERT'},
@@ -90,7 +90,7 @@ t.test('validateCertificate mismatch', async t => {
         regionId: 'region-id',
         instanceId: 'my-instance',
       },
-      'GOOGLE_MANAGED_INTERNAL_CA',
+      null,
       'abcde.12345.us-central1.sql.goog'
     )('hostname', cert),
     {

test/socket.ts

@@ -16,6 +16,8 @@ import t from 'tap';
 import {InstanceConnectionInfo} from '../src/instance-connection-info';
 import {CLIENT_CERT} from './fixtures/certs';
 import {AuthTypes} from '../src/auth-types';
+import {sqladmin_v1beta4} from '@googleapis/sqladmin';
+import Schema$DnsNameMapping = sqladmin_v1beta4.Schema$DnsNameMapping;
 
 // Mocks the @googleapis/sqladmin interface
 interface SQLAdminOptions {
@@ -27,6 +29,7 @@ interface IpAddress {
 }
 interface SQLAdminClientGetResponse {
   dnsName?: string;
+  dnsNames?: Schema$DnsNameMapping[];
   ipAddresses?: IpAddress[];
   pscEnabled?: boolean;
   region?: string;
@@ -98,7 +101,13 @@ const mockSQLAdminGetInstanceMetadata = (
 
   sqlAdminClient.get = () => ({
     data: {
-      dnsName: 'abcde.12345.us-central1.sql.goog',
+      dnsNames: [
+        {
+          name: 'abcde.12345.us-central1.sql.goog',
+          connectionType: 'PRIVATE_SERVICE_CONNECT',
+          dnsScope: 'INSTANCE',
+        },
+      ],
       ipAddresses: [
         {
           type: 'PRIMARY',
@@ -216,6 +225,7 @@ t.test('getInstanceMetadata no ip', async t => {
   };
   mockSQLAdminGetInstanceMetadata(instanceConnectionInfo, {
     dnsName: 'abcde.12345.us-central1.sql.goog',
+    dnsNames: null,
     ipAddresses: [],
     pscEnabled: false,
   });