fix(rbac): handle postgres ssl connection for rbac backend plugin (#923)

AndrienkoAleksandr · web-flow · commit deb202642f45 · 2023-11-10T09:46:10.000+02:00
Signed-off-by: Oleksandr Andriienko &lt;oandriie@redhat.com&gt;
diff --git a/plugins/rbac-backend/src/database/casbin-adapter-factory.test.ts b/plugins/rbac-backend/src/database/casbin-adapter-factory.test.ts
@@ -1,3 +1,4 @@
+import { DatabaseService } from '@backstage/backend-plugin-api';
 import { ConfigReader } from '@backstage/config';
 
 import * as Knex from 'knex';
@@ -44,38 +45,146 @@ describe('CasbinAdapterFactory', () => {
     expect(newAdapterMock).toHaveBeenCalled();
   });
 
-  it('test building an adapter using a PostgreSQL configuration.', async () => {
-    const db = Knex.knex({ client: MockClient });
-    db.client = {
-      config: {
-        connection: {
-          database: 'test-database',
-        },
-      },
-    };
-    const mockDatabaseManager = {
-      getClient: jest.fn().mockImplementation(async (): Promise<Knex.Knex> => {
-        return db;
-      }),
-    };
-    process.env.TEST = 'test';
-    const config = new ConfigReader({
-      backend: {
-        database: {
-          client: 'pg',
+  describe('build adapter with postgres configuration', () => {
+    let mockDatabaseManager: DatabaseService;
+
+    beforeEach(() => {
+      const db = Knex.knex({ client: MockClient });
+      db.client = {
+        config: {
           connection: {
-            host: 'localhost',
-            port: '5432',
-            user: 'postgresUser',
-            password: process.env.TEST,
+            database: 'test-database',
           },
         },
-      },
+      };
+      mockDatabaseManager = {
+        getClient: jest
+          .fn()
+          .mockImplementation(async (): Promise<Knex.Knex> => {
+            return db;
+          }),
+      };
+      process.env.TEST = 'test';
+    });
+
+    it('test building an adapter using a PostgreSQL configuration.', async () => {
+      const config = new ConfigReader({
+        backend: {
+          database: {
+            client: 'pg',
+            connection: {
+              host: 'localhost',
+              port: '5432',
+              user: 'postgresUser',
+              password: process.env.TEST,
+            },
+          },
+        },
+      });
+      const factory = new CasbinDBAdapterFactory(config, mockDatabaseManager);
+      const adapter = await factory.createAdapter();
+      expect(adapter).not.toBeNull();
+      expect(newAdapterMock).toHaveBeenCalledWith({
+        type: 'postgres',
+        host: 'localhost',
+        port: 5432,
+        username: 'postgresUser',
+        password: process.env.TEST,
+        database: 'test-database',
+        ssl: undefined,
+      });
+    });
+
+    it('test building an adapter using a PostgreSQL configuration with enabled ssl.', async () => {
+      const config = new ConfigReader({
+        backend: {
+          database: {
+            client: 'pg',
+            connection: {
+              host: 'localhost',
+              port: '5432',
+              user: 'postgresUser',
+              password: process.env.TEST,
+              ssl: true,
+            },
+          },
+        },
+      });
+      const factory = new CasbinDBAdapterFactory(config, mockDatabaseManager);
+      const adapter = await factory.createAdapter();
+      expect(adapter).not.toBeNull();
+      expect(newAdapterMock).toHaveBeenCalledWith({
+        type: 'postgres',
+        host: 'localhost',
+        port: 5432,
+        username: 'postgresUser',
+        password: process.env.TEST,
+        database: 'test-database',
+        ssl: true,
+      });
+    });
+
+    it('test building an adapter using a PostgreSQL configuration with intentionally disabled ssl.', async () => {
+      const config = new ConfigReader({
+        backend: {
+          database: {
+            client: 'pg',
+            connection: {
+              host: 'localhost',
+              port: '5432',
+              user: 'postgresUser',
+              password: process.env.TEST,
+              ssl: false,
+            },
+          },
+        },
+      });
+      const factory = new CasbinDBAdapterFactory(config, mockDatabaseManager);
+      const adapter = await factory.createAdapter();
+      expect(adapter).not.toBeNull();
+      expect(newAdapterMock).toHaveBeenCalledWith({
+        type: 'postgres',
+        host: 'localhost',
+        port: 5432,
+        username: 'postgresUser',
+        password: process.env.TEST,
+        database: 'test-database',
+        ssl: false,
+      });
+    });
+
+    it('test building an adapter using a PostgreSQL configuration with intentionally ssl and ca cert.', async () => {
+      const config = new ConfigReader({
+        backend: {
+          database: {
+            client: 'pg',
+            connection: {
+              host: 'localhost',
+              port: '5432',
+              user: 'postgresUser',
+              password: process.env.TEST,
+              ssl: {
+                ca: 'abc',
+              },
+            },
+          },
+        },
+      });
+      const factory = new CasbinDBAdapterFactory(config, mockDatabaseManager);
+      const adapter = await factory.createAdapter();
+      expect(adapter).not.toBeNull();
+      expect(newAdapterMock).toHaveBeenCalledWith({
+        type: 'postgres',
+        host: 'localhost',
+        port: 5432,
+        username: 'postgresUser',
+        password: process.env.TEST,
+        database: 'test-database',
+        ssl: {
+          ca: 'abc',
+        },
+      });
     });
-    const factory = new CasbinDBAdapterFactory(config, mockDatabaseManager);
-    const adapter = await factory.createAdapter();
-    expect(adapter).not.toBeNull();
-    expect(newAdapterMock).toHaveBeenCalled();
   });
 
   it('ensure that building an adapter with an unknown configuration fails.', async () => {
diff --git a/plugins/rbac-backend/src/database/casbin-adapter-factory.ts b/plugins/rbac-backend/src/database/casbin-adapter-factory.ts
@@ -1,9 +1,11 @@
 import { PluginDatabaseManager } from '@backstage/backend-common';
+import { Config } from '@backstage/config';
 import { ConfigApi } from '@backstage/core-plugin-api';
 
 import TypeORMAdapter from 'typeorm-adapter';
 
 import { resolve } from 'path';
+import { TlsOptions } from 'tls';
 
 const DEFAULT_SQLITE3_STORAGE_FILE_NAME = 'rbac.sqlite';
 
@@ -20,14 +22,18 @@ export class CasbinDBAdapterFactory {
     let adapter;
     if (client === 'pg') {
       const knexClient = await this.databaseManager.getClient();
-      const database = await knexClient.client.config.connection.database;
+      const dbName = await knexClient.client.config.connection.database;
+
+      const ssl = this.handleSSL(databaseConfig!);
+
       adapter = await TypeORMAdapter.newAdapter({
         type: 'postgres',
         host: databaseConfig?.getString('connection.host'),
         port: databaseConfig?.getNumber('connection.port'),
         username: databaseConfig?.getString('connection.user'),
         password: databaseConfig?.getString('connection.password'),
-        database,
+        ssl,
+        database: dbName,
       });
     }
 
@@ -53,4 +59,31 @@ export class CasbinDBAdapterFactory {
 
     return adapter;
   }
+
+  private handleSSL(dbConfig: Config): boolean | TlsOptions | undefined {
+    const connection = dbConfig.getOptional('connection');
+    if (!connection) {
+      return undefined;
+    }
+    const ssl = (connection as { ssl: Object | boolean | undefined }).ssl;
+
+    if (ssl === undefined) {
+      return undefined;
+    }
+
+    if (typeof ssl.valueOf() === 'boolean') {
+      return ssl;
+    }
+
+    if (typeof ssl.valueOf() === 'object') {
+      const ca = (ssl as { ca: string }).ca;
+      if (ca) {
+        return { ca };
+      }
+      // SSL object was defined with some options that we don't support yet.
+      return true;
+    }
+
+    return undefined;
+  }
 }
