#688 Support SSL DB Connections (#692)

* #688 Add DB_SSL ENVs

* #688 Fix Typo

* #688 SSL for connect-pg-simple

Author: tariqksoliman

API/connection.js

@@ -1,5 +1,6 @@
 const Sequelize = require("sequelize");
 const logger = require("./logger");
+const fs = require("fs");
 require("dotenv").config();
 
 // create a sequelize instance with our local postgres database information.
@@ -11,6 +12,26 @@ const sequelize = new Sequelize(
     host: process.env.DB_HOST,
     port: process.env.DB_PORT || "5432",
     dialect: "postgres",
+    dialectOptions: {
+      ssl:
+        process.env.DB_SSL === "true"
+          ? {
+              require: true,
+              rejectUnauthorized: true,
+              ca:
+                process.env.DB_SSL_CERT_BASE64 != null &&
+                process.env.DB_SSL_CERT_BASE64 !== ""
+                  ? Buffer.from(
+                      process.env.DB_SSL_CERT_BASE64,
+                      "base64"
+                    ).toString("utf-8")
+                  : process.env.DB_SSL_CERT != null &&
+                    process.env.DB_SSL_CERT !== ""
+                  ? fs.readFileSync(process.env.DB_SSL_CERT)
+                  : false,
+            }
+          : false,
+    },
     logging: process.env.VERBOSE_LOGGING == "true" || false,
     pool: {
       max:
@@ -37,6 +58,26 @@ const sequelizeSTAC =
         host: process.env.DB_HOST,
         port: process.env.DB_PORT || "5432",
         dialect: "postgres",
+        dialectOptions: {
+          ssl:
+            process.env.DB_SSL === "true"
+              ? {
+                  require: true,
+                  rejectUnauthorized: true,
+                  ca:
+                    process.env.DB_SSL_CERT_BASE64 != null &&
+                    process.env.DB_SSL_CERT_BASE64 !== ""
+                      ? Buffer.from(
+                          process.env.DB_SSL_CERT_BASE64,
+                          "base64"
+                        ).toString("utf-8")
+                      : process.env.DB_SSL_CERT != null &&
+                        process.env.DB_SSL_CERT !== ""
+                      ? fs.readFileSync(process.env.DB_SSL_CERT)
+                      : false,
+                }
+              : false,
+        },
         logging: process.env.VERBOSE_LOGGING == "true" || false,
         pool: {
           max:

docs/pages/Setup/ENVs/ENVs.md

@@ -89,6 +89,18 @@ How many milliseconds until a DB connection times out | integer | default `30000
 
 How many milliseconds for an incoming connection to wait for a DB connection before getting kicked away | integer | default `10000` (10 sec)
 
+#### `DB_SSL=`
+
+If the Postgres DB instance is enforcing SSL, set to true to have MMGIS connect to it via SSL | boolean | default `false`
+
+#### `DB_SSL_CERT=`
+
+If `DB_SSL=true` and if needed, the path to a certificate for ssl | string | default `null`
+
+#### `DB_SSL_CERT_BASE64=`
+
+Alternatively, if `DB_SSL=true` and if needed, a base64 encoded certificate for ssl. `DB_SSL_CERT_BASE64` will take priority over `DB_SSL_CERT` | string | default `null`
+
 #### `CSSO_GROUPS=`
 
 A list of CSSO LDAP groups that have access | string[] | default `[]`

sample.env

@@ -96,6 +96,12 @@ DB_POOL_MAX=
 DB_POOL_TIMEOUT=
 # How many milliseconds for an incoming connection to wait for a DB connection before getting kicked away. Default is 10000 (10 sec)
 DB_POOL_IDLE=
+# If the Postgres DB instance is enforcing SSL, set to true to have MMGIS connect to it via SSL | boolean | default false
+DB_SSL=false
+# If DB_SSL=true and if needed, the path to a certificate for ssl | string
+DB_SSL_CERT=
+# Alternatively, if DB_SSL=true and if needed, a base64 encoded certificate for ssl. DB_SSL_CERT_BASE64 will take priority over DB_SSL_CERT | string
+DB_SSL_CERT_BASE64=
 
 #CONFIG
 # Disable the configure page

scripts/init-db.js

@@ -1,3 +1,4 @@
+const fs = require("fs");
 const Sequelize = require("sequelize");
 const logger = require("../API/logger");
 const utils = require("../API/utils");
@@ -26,6 +27,26 @@ async function initializeDatabase() {
         host: process.env.DB_HOST,
         port: process.env.DB_PORT || "5432",
         dialect: "postgres",
+        dialectOptions: {
+          ssl:
+            process.env.DB_SSL === "true"
+              ? {
+                  require: true,
+                  rejectUnauthorized: true,
+                  ca:
+                    process.env.DB_SSL_CERT_BASE64 != null &&
+                    process.env.DB_SSL_CERT_BASE64 !== ""
+                      ? Buffer.from(
+                          process.env.DB_SSL_CERT_BASE64,
+                          "base64"
+                        ).toString("utf-8")
+                      : process.env.DB_SSL_CERT != null &&
+                        process.env.DB_SSL_CERT !== ""
+                      ? fs.readFileSync(process.env.DB_SSL_CERT)
+                      : false,
+                }
+              : false,
+        },
         logging: process.env.VERBOSE_LOGGING == "true" || false,
         pool: {
           max: 10,
@@ -123,6 +144,26 @@ async function initializeDatabase() {
           host: process.env.DB_HOST,
           port: process.env.DB_PORT || "5432",
           dialect: "postgres",
+          dialectOptions: {
+            ssl:
+              process.env.DB_SSL === "true"
+                ? {
+                    require: true,
+                    rejectUnauthorized: true,
+                    ca:
+                      process.env.DB_SSL_CERT_BASE64 != null &&
+                      process.env.DB_SSL_CERT_BASE64 !== ""
+                        ? Buffer.from(
+                            process.env.DB_SSL_CERT_BASE64,
+                            "base64"
+                          ).toString("utf-8")
+                        : process.env.DB_SSL_CERT != null &&
+                          process.env.DB_SSL_CERT !== ""
+                        ? fs.readFileSync(process.env.DB_SSL_CERT)
+                        : false,
+                  }
+                : false,
+          },
           logging: process.env.VERBOSE_LOGGING == "true" || false,
           pool: {
             max: 10,

scripts/server.js

@@ -107,6 +107,23 @@ const pool = new Pool({
   database: process.env.DB_NAME,
   password: process.env.DB_PASS,
   port: process.env.DB_PORT || "5432",
+  ssl:
+    process.env.DB_SSL === "true"
+      ? {
+          require: true,
+          rejectUnauthorized: true,
+          ca:
+            process.env.DB_SSL_CERT_BASE64 != null &&
+            process.env.DB_SSL_CERT_BASE64 !== ""
+              ? Buffer.from(process.env.DB_SSL_CERT_BASE64, "base64").toString(
+                  "utf-8"
+                )
+              : process.env.DB_SSL_CERT != null &&
+                process.env.DB_SSL_CERT !== ""
+              ? fs.readFileSync(process.env.DB_SSL_CERT)
+              : false,
+        }
+      : false,
 });
 app.use(
   session({