Merge pull request #5147 from anynines/jetstream-Consume-SSL-certs-for-database-connection-via-VCAP-ENV-variable

krutten · web-flow · commit 0314940cc7d7 · 2025-08-12T19:30:58.000-07:00
Consume SSL certs provided as VCAP ENV var for secure db connection
Weill provide in a dev release
diff --git a/src/jetstream/datastore/database_cf_config.go b/src/jetstream/datastore/database_cf_config.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -77,13 +78,35 @@ func findDatabaseConfig(vcapServices map[string][]VCAPService, db *DatabaseConfi
 		// 1) Check db config in credentials
 		db.Username = getDBCredentialsValue(dbCredentials["username"])
 		db.Password = getDBCredentialsValue(dbCredentials["password"])
-		db.Host = getDBCredentialsValue(dbCredentials["hostname"])
+		db.Host = getDBCredentialsValue(dbCredentials["host"])
 		db.SSLMode = env.String("DB_SSL_MODE", "disable")
 		db.Port, _ = strconv.Atoi(getDBCredentialsValue(dbCredentials["port"]))
 		// Note - Both isPostgresService and isMySQLService look at the credentials uri & tags
 		if isPostgresService(service) {
 			db.DatabaseProvider = "pgsql"
-			db.Database = getDBCredentialsValue(dbCredentials["dbname"])
+			db.Database = getDBCredentialsValue(dbCredentials["name"])
+			if db.SSLMode == string(SSLVerifyCA) {
+				log.Infof("Attempting to use SSL for database connection")
+				tempFile, err := os.CreateTemp("", "postgres-ssl-*.crt")
+				if err != nil {
+					log.Warnf("Failed store Cloud Foundry service certificate in temp file; could not create temp file: %s", err.Error())
+					return false
+				}
+
+				_, err = tempFile.WriteString(getDBCredentialsValue(dbCredentials["cacrt"]))
+				if err != nil {
+					log.Warnf("Failed store Cloud Foundry service certificate in temp file; could not write to temp file: %s", err.Error())
+					return false
+				}
+
+				err = tempFile.Close()
+				if err != nil {
+					log.Warnf("Failed store Cloud Foundry service certificate in temp file; could not save temp file after writing: %s", err.Error())
+					return false
+				}
+
+				db.SSLRootCertificate = tempFile.Name()
+			}
 		} else if isMySQLService(service) {
 			db.DatabaseProvider = "mysql"
 			db.Database = getDBCredentialsValue(dbCredentials["name"])
diff --git a/src/jetstream/datastore/datastore_test.go b/src/jetstream/datastore/datastore_test.go
@@ -10,6 +10,7 @@ import (
 
 	"gopkg.in/DATA-DOG/go-sqlmock.v1"
 
+	"github.com/govau/cf-common/env"
 	. "github.com/smartystreets/goconvey/convey"
 )
 
@@ -24,6 +25,7 @@ func TestDatastore(t *testing.T) {
 		mockPort               = 5432
 		mockSSLModeDisable     = "disable"
 		mockSSLModeRequire     = "require"
+		mockSSLModeVerifyCA    = "verify-ca"
 		mockConnTimeout        = 5
 		mockSSLCertificate     = "ssl-certificate-related-stuff"
 		mockSSLKey             = "ssl-key-related-stuff"
@@ -411,4 +413,45 @@ func TestDatastore(t *testing.T) {
 			})
 		})
 	})
+
+	Convey("Given the requirement for the connection to be TLS secured", t, func() {
+		var mockDatabaseConfigSSL = DatabaseConfig{
+			DatabaseProvider:        mockDatabaseProvider,
+			Username:                mockUsername,
+			Password:                mockPassword,
+			Database:                mockDatabase,
+			Host:                    mockHost,
+			Port:                    mockPort,
+			SSLMode:                 mockSSLModeRequire,
+			ConnectionTimeoutInSecs: mockConnTimeout,
+			SSLRootCertificate:      mockSSLRootCertificate,
+		}
+
+		mockEnvVarsMap := make(map[string]string)
+		mockEnvVarsMap["DB_SSL_MODE"] = mockSSLModeVerifyCA
+		mockEnvVarsMap["VCAP_SERVICES"] = `{"cf-postgresql-service": [ { "name": "mock-stratos-ssl", "credentials": { "cacrt": "mockcert", "host": "mockhost", "name": "mockname", "password": "mockpassword", "port": 5432, "username": "mockusername", "uri": "postgres://mockuser:mockpassword@mockhost:5432/mockname" } } ] }`
+
+		mockVarSet := env.NewVarSet(env.WithMapLookup(mockEnvVarsMap))
+
+		db, _, err := sqlmock.New()
+		if err != nil {
+			t.Errorf("an error '%s' was not expected when opening a stub database connection", err)
+		}
+		defer db.Close()
+
+		Convey("when the cloudfoundry database config is present", func() {
+
+			Convey("err will be nil", func() {
+				_, err := ParseCFEnvs(&mockDatabaseConfigSSL, mockVarSet)
+				So(err, ShouldBeNil)
+				So(mockDatabaseConfigSSL.SSLRootCertificate, ShouldContainSubstring, "postgres-ssl-")
+				So(mockDatabaseConfigSSL.SSLRootCertificate, ShouldEndWith, ".crt")
+				So(mockDatabaseConfigSSL.Username, ShouldEqual, "mockusername")
+				So(mockDatabaseConfigSSL.Password, ShouldEqual, "mockpassword")
+				So(mockDatabaseConfigSSL.Database, ShouldEqual, "mockname")
+				So(mockDatabaseConfigSSL.Host, ShouldEqual, "mockhost")
+				So(mockDatabaseConfigSSL.SSLMode, ShouldEqual, mockSSLModeVerifyCA)
+			})
+		})
+	})
 }
