From 50a4645b6dbce665756b1276753610e121efc576 Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Mon, 23 Sep 2024 13:30:32 +0000 Subject: [PATCH 1/7] ci: add CAS instance to CI config --- .github/workflows/tests.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d315e55c..8f867449 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -181,6 +181,8 @@ jobs: POSTGRES_IAM_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_USER_IAM_NODE POSTGRES_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_PASS POSTGRES_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_DB + POSTGRES_CAS_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CAS_CONNECTION_NAME + POSTGRES_CAS_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CAS_PASS SQLSERVER_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_CONNECTION_NAME SQLSERVER_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_USER SQLSERVER_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_PASS @@ -212,6 +214,8 @@ jobs: POSTGRES_IAM_USER: "${{ steps.secrets.outputs.POSTGRES_IAM_USER }}" POSTGRES_PASS: "${{ steps.secrets.outputs.POSTGRES_PASS }}" POSTGRES_DB: "${{ steps.secrets.outputs.POSTGRES_DB }}" + POSTGRES_CAS_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CAS_CONNECTION_NAME }}" + POSTGRES_CAS_PASS: "${{ steps.secrets.outputs.POSTGRES_CAS_PASS }}" SQLSERVER_CONNECTION_NAME: "${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}" SQLSERVER_USER: "${{ steps.secrets.outputs.SQLSERVER_USER }}" SQLSERVER_PASS: "${{ steps.secrets.outputs.SQLSERVER_PASS }}" @@ -234,6 +238,8 @@ jobs: POSTGRES_IAM_USER: "${{ steps.secrets.outputs.POSTGRES_IAM_USER }}" POSTGRES_PASS: "${{ steps.secrets.outputs.POSTGRES_PASS }}" POSTGRES_DB: "${{ steps.secrets.outputs.POSTGRES_DB }}" + POSTGRES_CAS_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CAS_CONNECTION_NAME }}" + POSTGRES_CAS_PASS: "${{ steps.secrets.outputs.POSTGRES_CAS_PASS }}" SQLSERVER_CONNECTION_NAME: "${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}" SQLSERVER_USER: "${{ steps.secrets.outputs.SQLSERVER_USER }}" SQLSERVER_PASS: "${{ steps.secrets.outputs.SQLSERVER_PASS }}" From faedae584ace78b4acc22983ea6348b1c612b7dc Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Fri, 27 Sep 2024 13:27:24 +0000 Subject: [PATCH 2/7] feat: support CAS-based instances --- src/cloud-sql-instance.ts | 4 ++++ src/connector.ts | 4 ++++ src/socket.ts | 19 +++++++++++++++++-- src/sqladmin-fetcher.ts | 4 ++++ system-test/pg-connect.ts | 26 ++++++++++++++++++++++++++ test/sqladmin-fetcher.ts | 3 +++ 6 files changed, 58 insertions(+), 2 deletions(-) diff --git a/src/cloud-sql-instance.ts b/src/cloud-sql-instance.ts index 877cf59c..bd9aafb5 100644 --- a/src/cloud-sql-instance.ts +++ b/src/cloud-sql-instance.ts @@ -75,6 +75,8 @@ export class CloudSQLInstance { public port = 3307; public privateKey?: string; public serverCaCert?: SslCert; + public serverCaMode?: string | null | undefined; + public dnsName?: string | null | undefined; constructor({ ipType, @@ -193,6 +195,8 @@ export class CloudSQLInstance { const host = selectIpAddress(metadata.ipAddresses, this.ipType); const privateKey = rsaKeys.privateKey; const serverCaCert = metadata.serverCaCert; + this.serverCaMode = metadata.serverCaMode; + this.dnsName = metadata.dnsName; const currentValues = { ephemeralCert: this.ephemeralCert, diff --git a/src/connector.ts b/src/connector.ts index fc85466c..4c306618 100644 --- a/src/connector.ts +++ b/src/connector.ts @@ -206,6 +206,8 @@ export class Connector { port, privateKey, serverCaCert, + serverCaMode, + dnsName, } = cloudSqlInstance; if ( @@ -223,6 +225,8 @@ export class Connector { port, privateKey, serverCaCert, + serverCaMode, + dnsName, }); tlsSocket.once('error', async () => { await cloudSqlInstance.forceRefresh(); diff --git a/src/socket.ts b/src/socket.ts index cc90c4b4..b446ac59 100644 --- a/src/socket.ts +++ b/src/socket.ts @@ -26,10 +26,19 @@ interface SocketOptions { instanceInfo: InstanceConnectionInfo; privateKey: string; serverCaCert: SslCert; + serverCaMode?: string | null | undefined; + dnsName?: string | null | undefined; } -export function validateCertificate(instanceInfo: InstanceConnectionInfo) { +export function validateCertificate( + instanceInfo: InstanceConnectionInfo, + serverCaMode?: string | null | undefined, + dnsName?: string | null | undefined +) { return (hostname: string, cert: tls.PeerCertificate): Error | undefined => { + if (serverCaMode == 'GOOGLE_MANAGED_CAS_CA') { + return tls.checkServerIdentity(dnsName, cert); + } if (!cert || !cert.subject) { return new CloudSQLConnectorError({ message: 'No certificate to verify', @@ -54,6 +63,8 @@ export function getSocket({ instanceInfo, privateKey, serverCaCert, + serverCaMode, + dnsName, }: SocketOptions): tls.TLSSocket { const socketOpts = { host, @@ -64,7 +75,11 @@ export function getSocket({ key: privateKey, minVersion: 'TLSv1.3', }), - checkServerIdentity: validateCertificate(instanceInfo), + checkServerIdentity: validateCertificate( + instanceInfo, + serverCaMode, + dnsName + ), }; const tlsSocket = tls.connect(socketOpts); tlsSocket.setKeepAlive(true, DEFAULT_KEEP_ALIVE_DELAY_MS); diff --git a/src/sqladmin-fetcher.ts b/src/sqladmin-fetcher.ts index 394dc390..90944f65 100644 --- a/src/sqladmin-fetcher.ts +++ b/src/sqladmin-fetcher.ts @@ -27,6 +27,8 @@ import {AuthTypes} from './auth-types'; export interface InstanceMetadata { ipAddresses: IpAddresses; serverCaCert: SslCert; + serverCaMode?: string | null | undefined; + dnsName?: string | null | undefined; } interface RequestBody { @@ -216,6 +218,8 @@ export class SQLAdminFetcher { cert: serverCaCert.cert, expirationTime: serverCaCert.expirationTime, }, + serverCaMode: res.data.serverCaMode, + dnsName: res.data.dnsName, }; } diff --git a/system-test/pg-connect.ts b/system-test/pg-connect.ts index 3371c393..de10d0b2 100644 --- a/system-test/pg-connect.ts +++ b/system-test/pg-connect.ts @@ -67,3 +67,29 @@ t.test('open IAM connection and retrieves standard pg tables', async t => { await client.end(); connector.close(); }); + +t.test( + 'open connection to CAS-based CA instance and retrieves standard pg tables', + async t => { + const connector = new Connector(); + const clientOpts = await connector.getOptions({ + instanceConnectionName: String(process.env.POSTGRES_CAS_CONNECTION_NAME), + }); + const client = new Client({ + ...clientOpts, + user: String(process.env.POSTGRES_USER), + password: String(process.env.POSTGRES_CAS_PASS), + database: String(process.env.POSTGRES_DB), + }); + client.connect(); + + const { + rows: [result], + } = await client.query('SELECT NOW();'); + const returnedDate = result['now']; + t.ok(returnedDate.getTime(), 'should have valid returned date object'); + + await client.end(); + connector.close(); + } +); diff --git a/test/sqladmin-fetcher.ts b/test/sqladmin-fetcher.ts index 7b53071a..f3ba2545 100644 --- a/test/sqladmin-fetcher.ts +++ b/test/sqladmin-fetcher.ts @@ -116,6 +116,7 @@ const mockSQLAdminGetInstanceMetadata = ( pscEnabled: true, region: regionId, serverCaCert: serverCaCertResponse(instanceId), + serverCaMode: 'GOOGLE_MANAGED_INTERNAL_CA', ...overrides, }, }); @@ -189,6 +190,8 @@ t.test('getInstanceMetadata', async t => { cert: '-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----', expirationTime: '2033-01-06T10:00:00.232Z', }, + serverCaMode: 'GOOGLE_MANAGED_INTERNAL_CA', + dnsName: 'abcde.12345.us-central1.sql.goog', }, 'should return expected instance metadata object' ); From a536813d8f457f572400acbcf8cf0dc5eba5ec81 Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Fri, 27 Sep 2024 13:52:40 +0000 Subject: [PATCH 3/7] chore: default dnsName and serverCaMode --- src/cloud-sql-instance.ts | 4 ++-- src/socket.ts | 8 ++++---- src/sqladmin-fetcher.ts | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/cloud-sql-instance.ts b/src/cloud-sql-instance.ts index bd9aafb5..496cab57 100644 --- a/src/cloud-sql-instance.ts +++ b/src/cloud-sql-instance.ts @@ -75,8 +75,8 @@ export class CloudSQLInstance { public port = 3307; public privateKey?: string; public serverCaCert?: SslCert; - public serverCaMode?: string | null | undefined; - public dnsName?: string | null | undefined; + public serverCaMode = ''; + public dnsName = ''; constructor({ ipType, diff --git a/src/socket.ts b/src/socket.ts index b446ac59..df9a026b 100644 --- a/src/socket.ts +++ b/src/socket.ts @@ -26,14 +26,14 @@ interface SocketOptions { instanceInfo: InstanceConnectionInfo; privateKey: string; serverCaCert: SslCert; - serverCaMode?: string | null | undefined; - dnsName?: string | null | undefined; + serverCaMode: string; + dnsName: string; } export function validateCertificate( instanceInfo: InstanceConnectionInfo, - serverCaMode?: string | null | undefined, - dnsName?: string | null | undefined + serverCaMode: string, + dnsName: string ) { return (hostname: string, cert: tls.PeerCertificate): Error | undefined => { if (serverCaMode == 'GOOGLE_MANAGED_CAS_CA') { diff --git a/src/sqladmin-fetcher.ts b/src/sqladmin-fetcher.ts index 90944f65..152e011e 100644 --- a/src/sqladmin-fetcher.ts +++ b/src/sqladmin-fetcher.ts @@ -27,8 +27,8 @@ import {AuthTypes} from './auth-types'; export interface InstanceMetadata { ipAddresses: IpAddresses; serverCaCert: SslCert; - serverCaMode?: string | null | undefined; - dnsName?: string | null | undefined; + serverCaMode: string; + dnsName: string; } interface RequestBody { @@ -218,8 +218,8 @@ export class SQLAdminFetcher { cert: serverCaCert.cert, expirationTime: serverCaCert.expirationTime, }, - serverCaMode: res.data.serverCaMode, - dnsName: res.data.dnsName, + serverCaMode: res.data.serverCaMode || '', + dnsName: res.data.dnsName || '', }; } From d20f1ca4fb32eab5ce934ed98b24e3dfe6a79146 Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Fri, 27 Sep 2024 13:57:41 +0000 Subject: [PATCH 4/7] chore: add additional tests --- src/socket.ts | 2 +- system-test/pg-connect.cjs | 28 ++++++++++++++++++++++++++++ system-test/pg-connect.mjs | 28 ++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+), 1 deletion(-) diff --git a/src/socket.ts b/src/socket.ts index df9a026b..6c757ad4 100644 --- a/src/socket.ts +++ b/src/socket.ts @@ -36,7 +36,7 @@ export function validateCertificate( dnsName: string ) { return (hostname: string, cert: tls.PeerCertificate): Error | undefined => { - if (serverCaMode == 'GOOGLE_MANAGED_CAS_CA') { + if (serverCaMode === 'GOOGLE_MANAGED_CAS_CA') { return tls.checkServerIdentity(dnsName, cert); } if (!cert || !cert.subject) { diff --git a/system-test/pg-connect.cjs b/system-test/pg-connect.cjs index f397b22f..601b07ce 100644 --- a/system-test/pg-connect.cjs +++ b/system-test/pg-connect.cjs @@ -65,3 +65,31 @@ t.test('open IAM connection and retrieves standard pg tables', async t => { await client.end(); connector.close(); }); + +t.test( + 'open connection to CAS-based CA instance and retrieves standard pg tables', + async t => { + const connector = new Connector(); + const clientOpts = await connector.getOptions({ + instanceConnectionName: process.env.POSTGRES_CAS_CONNECTION_NAME, + ipType: 'PUBLIC', + authType: 'PASSWORD', + }); + const client = new Client({ + ...clientOpts, + user: process.env.POSTGRES_USER, + password: process.env.POSTGRES_CAS_PASS, + database: process.env.POSTGRES_DB, + }); + client.connect(); + + const { + rows: [result], + } = await client.query('SELECT NOW();'); + const returnedDate = result['now']; + t.ok(returnedDate.getTime(), 'should have valid returned date object'); + + await client.end(); + connector.close(); + } +); diff --git a/system-test/pg-connect.mjs b/system-test/pg-connect.mjs index ff91bac0..4b7fec05 100644 --- a/system-test/pg-connect.mjs +++ b/system-test/pg-connect.mjs @@ -65,3 +65,31 @@ t.test('open IAM connection and retrieves standard pg tables', async t => { await client.end(); connector.close(); }); + +t.test( + 'open connection to CAS-based CA instance and retrieves standard pg tables', + async t => { + const connector = new Connector(); + const clientOpts = await connector.getOptions({ + instanceConnectionName: process.env.POSTGRES_CAS_CONNECTION_NAME, + ipType: 'PUBLIC', + authType: 'PASSWORD', + }); + const client = new Client({ + ...clientOpts, + user: process.env.POSTGRES_USER, + password: process.env.POSTGRES_CAS_PASS, + database: process.env.POSTGRES_DB, + }); + client.connect(); + + const { + rows: [result], + } = await client.query('SELECT NOW();'); + const returnedDate = result['now']; + t.ok(returnedDate.getTime(), 'should have valid returned date object'); + + await client.end(); + connector.close(); + } +); From a91a1c5f2b01d5d9a11b6fdf2a9a9db7419cfa8e Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Fri, 27 Sep 2024 14:06:07 +0000 Subject: [PATCH 5/7] chore: update socket test --- test/socket.ts | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/test/socket.ts b/test/socket.ts index c7748591..5e5ab1c3 100644 --- a/test/socket.ts +++ b/test/socket.ts @@ -41,6 +41,8 @@ t.test('getSocket', async t => { cert: CA_CERT, expirationTime: '2033-01-06T10:00:00.232Z', }, + serverCaMode: 'GOOGLE_MANAGED_INTERNAL_CA', + dnsName: 'abcde.12345.us-central1.sql.goog', }); socket.on('secureConnect', () => { @@ -61,11 +63,15 @@ t.test('getSocket', async t => { t.test('validateCertificate no cert', async t => { t.match( - validateCertificate({ - projectId: 'my-project', - regionId: 'region-id', - instanceId: 'my-instance', - })('hostname', {} as tls.PeerCertificate), + validateCertificate( + { + projectId: 'my-project', + regionId: 'region-id', + instanceId: 'my-instance', + }, + 'GOOGLE_MANAGED_INTERNAL_CA', + 'abcde.12345.us-central1.sql.goog' + )('hostname', {} as tls.PeerCertificate), {code: 'ENOSQLADMINVERIFYCERT'}, 'should return a missing cert to verify error' ); @@ -78,11 +84,15 @@ t.test('validateCertificate mismatch', async t => { }, } as tls.PeerCertificate; t.match( - validateCertificate({ - projectId: 'my-project', - regionId: 'region-id', - instanceId: 'my-instance', - })('hostname', cert), + validateCertificate( + { + projectId: 'my-project', + regionId: 'region-id', + instanceId: 'my-instance', + }, + 'GOOGLE_MANAGED_INTERNAL_CA', + 'abcde.12345.us-central1.sql.goog' + )('hostname', cert), { message: 'Certificate had CN other-project:other-instance, expected my-project:my-instance', From c1bfd67e88c254a25897c07d1056bd4052a0d99c Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Mon, 30 Sep 2024 15:23:26 +0000 Subject: [PATCH 6/7] chore: add test for altname mismatch --- test/socket.ts | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/test/socket.ts b/test/socket.ts index 5e5ab1c3..29df2072 100644 --- a/test/socket.ts +++ b/test/socket.ts @@ -101,3 +101,26 @@ t.test('validateCertificate mismatch', async t => { 'should return a missing cert to verify error' ); }); + +t.test('validateCertificate mismatch CAS CA', async t => { + const cert = { + subjectaltname: 'DNS:abcde.12345.us-central1.sql.goog', + } as tls.PeerCertificate; + t.match( + validateCertificate( + { + projectId: 'my-project', + regionId: 'region-id', + instanceId: 'my-instance', + }, + 'GOOGLE_MANAGED_CAS_CA', + 'bad.dns.us-central1.sql.goog' + )('hostname', cert), + { + message: + "Hostname/IP does not match certificate's altnames: Host: bad.dns.us-central1.sql.goog. is not in the cert's altnames: DNS:abcde.12345.us-central1.sql.goog", + code: 'ERR_TLS_CERT_ALTNAME_INVALID', + }, + 'should return an invalid altname error' + ); +}); From 3c3becaaa64dbc94ea79ed17317ad255f92e3843 Mon Sep 17 00:00:00 2001 From: jackwotherspoon Date: Mon, 30 Sep 2024 15:39:49 +0000 Subject: [PATCH 7/7] chore: add valid CAS CAS test --- test/socket.ts | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/test/socket.ts b/test/socket.ts index 29df2072..1c97b8ab 100644 --- a/test/socket.ts +++ b/test/socket.ts @@ -124,3 +124,22 @@ t.test('validateCertificate mismatch CAS CA', async t => { 'should return an invalid altname error' ); }); + +t.test('validateCertificate valid CAS CA', async t => { + const cert = { + subjectaltname: 'DNS:abcde.12345.us-central1.sql.goog', + } as tls.PeerCertificate; + t.match( + validateCertificate( + { + projectId: 'my-project', + regionId: 'region-id', + instanceId: 'my-instance', + }, + 'GOOGLE_MANAGED_CAS_CA', + 'abcde.12345.us-central1.sql.goog' + )('hostname', cert), + undefined, + 'DNS name matches SAN in cert' + ); +});