fix: fix mongo tls argument (#334)

Author: kleyow

src/lib/config.js

@@ -106,14 +106,14 @@ const _getSecretsFromEnvironment = () => {
     process.env.REPORTING_DB_CONNECTION_STRING ||
     process.env.REPORTING_DB_SSL_ENABLED ||
     process.env.REPORTING_DB_SSL_VERIFY ||
-    process.env.REPORTING_DB_SSL_CA
+    process.env.REPORTING_DB_SSL_CA_FILE_PATH
   ) {
     try {
       const reportingDbConnectionPassword = process.env.REPORTING_DB_CONNECTION_PASSWORD
       const reportingDbConnectionString = process.env.REPORTING_DB_CONNECTION_STRING
       const reportingDbSslEnabled = process.env.REPORTING_DB_SSL_ENABLED === 'true'
       const reportingDbSslVerify = process.env.REPORTING_DB_SSL_VERIFY !== 'false'
-      const reportingDbSslCa = process.env.REPORTING_DB_SSL_CA
+      const reportingDbSslCa = process.env.REPORTING_DB_SSL_CA_FILE_PATH
 
       secretsFromEnvironment.DB = {
         PASSWORD: reportingDbConnectionPassword,
@@ -123,18 +123,18 @@ const _getSecretsFromEnvironment = () => {
       if (
         process.env.REPORTING_DB_SSL_ENABLED ||
         process.env.REPORTING_DB_SSL_VERIFY ||
-        process.env.REPORTING_DB_SSL_CA
+        process.env.REPORTING_DB_SSL_CA_FILE_PATH
       ) {
         secretsFromEnvironment.DB.SSL_ENABLED = reportingDbSslEnabled
         secretsFromEnvironment.DB.SSL_VERIFY = reportingDbSslVerify
         if (reportingDbSslCa) {
-          secretsFromEnvironment.DB.SSL_CA = reportingDbSslCa
+          secretsFromEnvironment.DB.SSL_CA_FILE_PATH = reportingDbSslCa
         }
       }
 
       // Hide CA from being logged
       const logSecrets = _.cloneDeep(secretsFromEnvironment)
-      if (logSecrets.DB && logSecrets.DB.SSL_CA) logSecrets.DB.SSL_CA = mask(logSecrets.DB.SSL_CA)
+      if (logSecrets.DB && logSecrets.DB.SSL_CA_FILE_PATH) logSecrets.DB.SSL_CA_FILE_PATH = mask(logSecrets.DB.SSL_CA_FILE_PATH)
       if (logSecrets.DB && logSecrets.DB.PASSWORD) logSecrets.DB.PASSWORD = mask(logSecrets.DB.PASSWORD)
       if (logSecrets.DB && logSecrets.DB.CONNECTION_STRING) logSecrets.DB.CONNECTION_STRING = mask(logSecrets.DB.CONNECTION_STRING)
       console.log('Secrets retrieved from environment to be merged into system config', logSecrets)

src/lib/db/adapters/dbAdapter.js

@@ -59,23 +59,8 @@ const getConnection = async () => {
         console.log(`SSL_VERIFY is set to ${systemConfig.DB.SSL_VERIFY} (type: ${typeof systemConfig.DB.SSL_VERIFY})`)
         mongoOptions.tlsAllowInvalidCertificates = !systemConfig.DB.SSL_VERIFY
       }
-      if (systemConfig.DB.SSL_CA) {
-      // SSL_CA is a string (from kube secret), may be PEM or comma-separated PEMs
-        let ca = systemConfig.DB.SSL_CA
-        if (typeof ca === 'string') {
-        // If comma-separated, split into array
-          if (ca.includes(',')) {
-            ca = ca.split(',').map(s => s.trim())
-          }
-        }
-        // Convert to Buffer(s) if needed
-        if (Array.isArray(ca)) {
-          ca = ca.map(item => Buffer.isBuffer(item) ? item : Buffer.from(item))
-        } else if (!Buffer.isBuffer(ca)) {
-          ca = Buffer.from(ca)
-        }
-        // Mongoose expects tlsCAFile as a Buffer or array of Buffers
-        mongoOptions.tlsCAFile = ca
+      if (systemConfig.DB.SSL_CA_FILE_PATH) {
+        mongoOptions.tlsCAFile = systemConfig.DB.SSL_CA_FILE_PATH
       }
     }
 

test/unit/lib/config.test.js

@@ -179,7 +179,7 @@ describe('Config', () => {
       })
       process.env.REPORTING_DB_CONNECTION_PASSWORD = '123'
       process.env.REPORTING_DB_CONNECTION_STRING = 'connection_string'
-      process.env.REPORTING_DB_SSL_CA = 'ssl_ca'
+      process.env.REPORTING_DB_SSL_CA_FILE_PATH = 'ssl_ca'
       process.env.REPORTING_DB_SSL_ENABLED = 'true'
       process.env.REPORTING_DB_SSL_VERIFY = 'true'
 
@@ -188,7 +188,7 @@ describe('Config', () => {
         DB: {
           PASSWORD: '123',
           CONNECTION_STRING: 'connection_string',
-          SSL_CA: 'ssl_ca',
+          SSL_CA_FILE_PATH: 'ssl_ca',
           SSL_ENABLED: true,
           SSL_VERIFY: true
         }
@@ -207,7 +207,7 @@ describe('Config', () => {
 
       delete process.env.REPORTING_DB_CONNECTION_PASSWORD
       delete process.env.REPORTING_DB_CONNECTION_STRING
-      delete process.env.REPORTING_DB_SSL_CA
+      delete process.env.REPORTING_DB_SSL_CA_FILE_PATH
       delete process.env.REPORTING_DB_SSL_ENABLED
       process.env.REPORTING_DB_SSL_VERIFY = 'true'
       await Config.loadSystemConfig()

test/unit/lib/db/dbAdapter.test.js

@@ -359,54 +359,5 @@ describe('dbAdapter', () => {
       )
       await dbAdapterModule._deleteConn()
     })
-
-    it('should set tlsCAFile as Buffer if SSL_CA is string', async () => {
-      const pem = '-----BEGIN CERTIFICATE-----\nabc\n-----END CERTIFICATE-----'
-      jest.doMock('../../../../src/lib/config', () => ({
-        getSystemConfig: () => ({
-          DB: {
-            HOST: "localhost",
-            PORT: 27017,
-            USER: "ttk",
-            PASSWORD: "ttk",
-            DATABASE: "ttk",
-            SSL_ENABLED: true,
-            SSL_CA: pem
-          }
-        })
-      }))
-      dbAdapterModule = require('../../../../src/lib/db/adapters/dbAdapter')
-      await dbAdapterModule.read('id1', { dfspId: 'test' })
-      expect(mockConnect).toHaveBeenCalledWith(
-        expect.any(String),
-        expect.objectContaining({ tlsCAFile: expect.any(Buffer) })
-      )
-      await dbAdapterModule._deleteConn()
-    })
-
-    it('should set tlsCAFile as array of Buffers if SSL_CA is comma-separated string', async () => {
-      const pem1 = '-----BEGIN CERTIFICATE-----\nabc\n-----END CERTIFICATE-----'
-      const pem2 = '-----BEGIN CERTIFICATE-----\ndef\n-----END CERTIFICATE-----'
-      jest.doMock('../../../../src/lib/config', () => ({
-        getSystemConfig: () => ({
-          DB: {
-            HOST: "localhost",
-            PORT: 27017,
-            USER: "ttk",
-            PASSWORD: "ttk",
-            DATABASE: "ttk",
-            SSL_ENABLED: true,
-            SSL_CA: `${pem1},${pem2}`
-          }
-        })
-      }))
-      dbAdapterModule = require('../../../../src/lib/db/adapters/dbAdapter')
-      await dbAdapterModule.read('id1', { dfspId: 'test' })
-      expect(mockConnect).toHaveBeenCalledWith(
-        expect.any(String),
-        expect.objectContaining({ tlsCAFile: expect.any(Array) })
-      )
-      await dbAdapterModule._deleteConn()
-    })
   })
 })