Jsonata: Support creating TLS server

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

Author: pierDipi

transform-jsonata/README.md

@@ -15,9 +15,12 @@ broker <- trigger <- (response) <-
 Assuming current working directory is `transform-jsonata`
 
 ```shell
-npm dev
+npm run dev
 
-# or npm dev-kubevirt to inject a different example transformation
+npm run dev-kubevirt # to inject a different example transformation
+
+npm run dev-tls      # to start the HTTP and HTTPS Servers
+npm run dev-tls-only # to start the HTTPS Server only
 ```
 
 ### Tracing

transform-jsonata/jsonata.js

@@ -2,6 +2,8 @@ const express = require('express');
 const {HTTP} = require("cloudevents");
 const jsonata = require('jsonata');
 const fs = require('node:fs');
+const http = require('http');
+const https = require('https');
 const fsPromises = require('node:fs').promises;
 const {buffer} = require('node:stream/consumers');
 
@@ -31,10 +33,18 @@ const {ZipkinExporter} = require('@opentelemetry/exporter-zipkin');
 const {W3CTraceContextPropagator, CompositePropagator} = require("@opentelemetry/core");
 const {B3InjectEncoding, B3Propagator} = require("@opentelemetry/propagator-b3");
 
-const port = process.env.PORT = process.env.PORT || 8080;
+const httpPort = process.env.HTTP_PORT || 8080;
+const httpsPort = process.env.HTTPS_PORT || 8443;
+const httpsCertPath = process.env.HTTPS_CERT_PATH;
+const httpsKeyPath = process.env.HTTPS_KEY_PATH;
+const disableHTTPServer = process.env.DISABLE_HTTP_SERVER === 'true';
 const k_sink = process.env.K_SINK || undefined;
 const jsonata_transform_file_name = process.env.JSONATA_TRANSFORM_FILE_NAME || undefined;
 
+if (disableHTTPServer && (!httpsKeyPath || !fs.existsSync(httpsKeyPath) || !httpsCertPath || !fs.existsSync(httpsCertPath))) {
+   throw new Error(`HTTP and HTTPS server are both disabled, disableHTTPServer='${disableHTTPServer}', httpsKeyPath='${httpsKeyPath}', httpsCertPath=${httpsCertPath}`);
+}
+
 // Allow transforming the response received by the endpoint defined by K_SINK
 const jsonata_response_transform_file_name = process.env.JSONATA_RESPONSE_TRANSFORM_FILE_NAME || undefined;
 
@@ -250,7 +260,7 @@ app.post("/", async (req, res) => {
         const k_sink_url = new URL(k_sink)
         const kSinkSendSpan = tracer.startSpan('k_sink_send', {
             attributes: {
-                [ATTR_URL_SCHEME]: k_sink_url.protocol.endsWith(':') ? k_sink_url.protocol.substring(0, k_sink_url.protocol.length-1) : k_sink_url.protocol,
+                [ATTR_URL_SCHEME]: k_sink_url.protocol.endsWith(':') ? k_sink_url.protocol.substring(0, k_sink_url.protocol.length - 1) : k_sink_url.protocol,
                 [ATTR_SERVER_ADDRESS]: k_sink_url.hostname,
                 [ATTR_SERVER_PORT]: k_sink_url.port,
             }
@@ -267,6 +277,7 @@ app.post("/", async (req, res) => {
                         headers: k_sink_request_headers,
                         body: JSON.stringify(transformed),
                         redirect: 'error',
+                        signal: req.signal,
                     })
                     kSinkSendSpan.setAttributes({
                         'http.status_code': result.status,
@@ -384,19 +395,71 @@ app.get('/readyz', (req, res) => {
 
 app.disable('x-powered-by');
 
-const server = app.listen(port, () => {
-    console.log(`Jsonata server listening on port ${port}`)
-})
+let httpServer = null
+let httpsServer = null
+
+if (!disableHTTPServer) {
+    httpServer = http.createServer(app)
+        .listen(httpPort, () => {
+            console.log(`Jsonata HTTP server listening on port ${httpPort}`)
+        })
+}
+
+if (httpsCertPath && httpsKeyPath) {
+    const httpsServerOptions = {
+        cert: fs.readFileSync(httpsCertPath),
+        key: fs.readFileSync(httpsKeyPath),
+
+        // TLS Versions
+        minVersion: 'TLSv1.2', // Minimum TLS version (avoid older, less secure protocols)
+        maxVersion: 'TLSv1.3', // Maximum TLS version
+
+        // Cipher Suites
+        ciphers: [
+            'ECDHE-ECDSA-AES128-GCM-SHA256',
+            'ECDHE-RSA-AES128-GCM-SHA256',
+            'ECDHE-ECDSA-AES256-GCM-SHA384',
+            'ECDHE-RSA-AES256-GCM-SHA384',
+            'ECDHE-ECDSA-CHACHA20-POLY1305',
+            'ECDHE-RSA-CHACHA20-POLY1305',
+            'DHE-RSA-AES128-GCM-SHA256',
+            'DHE-RSA-AES256-GCM-SHA384'
+        ].join(':'),
+
+        // Attempt to use server cipher suite preference instead of clients
+        honorCipherOrder: true,
+
+        // Additional security options
+        secureOptions:
+            require('constants').SSL_OP_NO_TLSv1 |
+            require('constants').SSL_OP_NO_TLSv1_1 |
+            require('constants').SSL_OP_NO_COMPRESSION,
+    }
+
+    httpsServer = https.createServer(httpsServerOptions, app)
+        .listen(httpsPort, () => {
+            console.log(`Jsonata HTTPS server listening on port ${httpsPort}`)
+        })
+}
 
 process.on('SIGINT', shutDown);
 process.on('SIGTERM', shutDownNow);
 
 let connections = [];
 
-server.on('connection', connection => {
-    connections.push(connection);
-    connection.on('close', () => connections = connections.filter(curr => curr !== connection));
-});
+if (httpServer) {
+    httpServer.on('connection', connection => {
+        connections.push(connection);
+        connection.on('close', () => connections = connections.filter(curr => curr !== connection));
+    });
+}
+
+if (httpsServer) {
+    httpsServer.on('connection', connection => {
+        connections.push(connection);
+        connection.on('close', () => connections = connections.filter(curr => curr !== connection));
+    });
+}
 
 function shutDown() {
     console.log('Received interrupt signal, shutting down gracefully');
@@ -413,14 +476,30 @@ function shutDown() {
 function shutDownNow() {
     console.log('Shutting down gracefully');
 
-    server.close(() => {
-        console.log('Closed out remaining connections');
+    const closePromises = []
+    if (httpServer) {
+        closePromises.push(new Promise((resolve, _) => {
+            httpServer.close(() => {
+                console.log('Closed out remaining HTTP connections');
+                resolve()
+            });
+        }))
+    }
+    if (httpsServer) {
+        closePromises.push(new Promise((resolve, _) => {
+            httpsServer.close(() => {
+                console.log('Closed out remaining HTTPS connections');
+                resolve()
+            });
+        }))
+    }
 
+    Promise.all(closePromises).then(() => {
         console.log('Shutting down tracing...');
         batchSpanProcessor.shutdown().then(() => {
             process.exit(0);
         });
-    });
+    })
 
     setTimeout(() => {
         console.error('Could not close connections in time, forcefully shutting down');

transform-jsonata/package-lock.json

@@ -3,25 +3,28 @@
   "author": "Knative authors",
   "scripts": {
     "dev": "NODE_ENV=development OIDC_TOKEN_FILE=./examples/example-token.txt JSONATA_TRANSFORM_FILE_NAME=./examples/jsonata_transform_identity.jsonata nodemon ./jsonata.js",
+    "dev-tls": "HTTPS_CERT_PATH=./ssl/server.crt HTTPS_KEY_PATH=./ssl/server.key npm run dev",
+    "dev-tls-only": "DISABLE_HTTP_SERVER=true HTTPS_CERT_PATH=./ssl/server.crt HTTPS_KEY_PATH=./ssl/server.key npm run dev",
     "dev-kubevirt": "NODE_ENV=development OIDC_TOKEN_FILE=./examples/example-token.txt JSONATA_TRANSFORM_FILE_NAME=./examples/ce_apiserversource_kubevirt.jsonata nodemon ./jsonata.js",
     "dev-zipkin": "NODE_ENV=development K_TRACING_CONFIG='{\"backend\":\"zipkin\", \"zipkin-endpoint\": \"http://localhost:9411/api/v2/spans\", \"sample-rate\":\"1\"}' OIDC_TOKEN_FILE=./examples/example-token.txt JSONATA_TRANSFORM_FILE_NAME=./examples/jsonata_transform_identity.jsonata nodemon ./jsonata.js"
   },
   "dependencies": {
-    "jsonata": "^2.0.6",
-    "cloudevents": "^8.0.2",
-    "express": "^4.21.2",
     "@opentelemetry/api": "1.9.0",
     "@opentelemetry/core": "^1.30.1",
-    "@opentelemetry/sdk-trace-node": "^1.30.1",
+    "@opentelemetry/exporter-zipkin": "^1.30.1",
+    "@opentelemetry/propagator-b3": "^1.30.1",
     "@opentelemetry/resources": "^1.30.1",
-    "@opentelemetry/semantic-conventions": "^1.30.0",
     "@opentelemetry/sdk-trace-base": "^1.30.1",
-    "@opentelemetry/exporter-zipkin": "^1.30.1",
-    "@opentelemetry/propagator-b3": "^1.30.1"
+    "@opentelemetry/sdk-trace-node": "^1.30.1",
+    "@opentelemetry/semantic-conventions": "^1.30.0",
+    "cloudevents": "^8.0.2",
+    "constants": "^0.0.2",
+    "express": "^4.21.2",
+    "jsonata": "^2.0.6"
   },
   "devDependencies": {
-    "nodemon": "^3.1.9",
+    "@types/express": "^4.17.21",
     "@types/node": "^22.13.1",
-    "@types/express": "^4.17.21"
+    "nodemon": "^3.1.9"
   }
 }

transform-jsonata/package.json

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIUJiHToGug5ZT3z3Gw4vSVem5U9FYwDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNTAzMDQxNDQwNDhaFw0yNjAzMDQx
+NDQwNDhaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC6I8jX2OPxGA0ZaGWx2OQ/pkrfNit2m6AbrgcOUKV/5DXt6Ixz
+6zPZCDf6J1vglZMDIwEmfFsQGjNA8UJwOBhUw//hXJVXEl8coBCsBySlhUmSZdrl
+19IWZwM4qE3qhWVbOgUZVQoCZn1aZezg3uh5XknTNh7rQImvgx7bo9OD5zKfkKLT
+3uET7dBYWJkKxuNPNbIz5rbSBzaVGnGxTNlp2xvPgUUCeEQfVtFNIqjLHk4Gi4lM
+YsqJpLptGGCx9xJDcqg0uoFWxNn8i1bBp+YK4IsjqgnIhCKRWmo6gUnBILZuUyvt
+pWMxD+9USxn7b3DvPKinIluYzFG1BaqVeYa7AgMBAAGjUzBRMB0GA1UdDgQWBBQZ
++uCFRmib6b2cg2a+20//Iva92TAfBgNVHSMEGDAWgBQZ+uCFRmib6b2cg2a+20//
+Iva92TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCFywZPNVZk
+qx83Hm15O0KZ7qI4VfQI895dtuQrTMIxtu/GhdZq5P8Gc4Rt0cxfldZSNtVADXCM
+LFWk9EjBTUZUGavT/okoFPM5cMWrp3FYInYJJEfIvhvVeOcVLwaxvrKQLM8llj66
+OC7OTzvkKFBu4LYJIIg/4ZGOwSa1n7Sjo2jmbZMmij8cQjI7xNfLRV3mpkw5lHzY
+ZF/SrvBElOU3oqXV3P78TGqJe5Ji9k08aBuzJZcijYQ9IFP9bz6JK+BDZUxIicAD
+1ftC0b+S3Ni+qV84NV40SKGpgPQVn4XxKz96zJCehjGjkXGCzJEcK5tJtu5dXPm5
+Sy7ybr6/xnt3
+-----END CERTIFICATE-----

transform-jsonata/ssl/server.crt

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6I8jX2OPxGA0Z
+aGWx2OQ/pkrfNit2m6AbrgcOUKV/5DXt6Ixz6zPZCDf6J1vglZMDIwEmfFsQGjNA
+8UJwOBhUw//hXJVXEl8coBCsBySlhUmSZdrl19IWZwM4qE3qhWVbOgUZVQoCZn1a
+Zezg3uh5XknTNh7rQImvgx7bo9OD5zKfkKLT3uET7dBYWJkKxuNPNbIz5rbSBzaV
+GnGxTNlp2xvPgUUCeEQfVtFNIqjLHk4Gi4lMYsqJpLptGGCx9xJDcqg0uoFWxNn8
+i1bBp+YK4IsjqgnIhCKRWmo6gUnBILZuUyvtpWMxD+9USxn7b3DvPKinIluYzFG1
+BaqVeYa7AgMBAAECggEAMI+MYq9tTCUrqbDAMyUz6t0N1GzT6vYPz5jXs2bbvmFB
+pocQOV+nn5vSyrrA7/blqyBTOQChWzKSo4Mtg4xG4Lpfg6I9PcGHubaSkuasK1h6
+CKz07hifcQO/5eSWqzPQ7PtWgDTczyKA2ngT09ijiqJMHUOVzmcAZJ8PClsTn+nb
+VbkN4/oCm1OAU8gIxhVLNr0vBQrLfL4Yu+gq4C+yX02Nq/Hzr0prGQcNl6ynwzoD
+RbGhsi0HMYdICxA3Ojevfv8D0F5xvVYKS+VQf+YX8Auo7wCla4CkeNsSMMvmX71S
+INyER9oLuXoElIlx4agKdqoiOLO7JQgZlu8o131Y9QKBgQDs5kHxOTFWaNMXTS8+
+4Va4snGRl58mMvVwCpjzC43WvdSz6J2q73dTgQqWl08eemn/m6/AUMppBbk6y9g/
+9dp9ZY2wCR1+aq1l8LPoy+1hueEvwE8Ob5JdQhTHKlG1KUVwr/IKP54xjRnUApOG
+Mk28Gps7DSdslWOIi8jUmbFY/wKBgQDJJdFp1LbrxTkbrmBRKzn1vg1yL+xP1TXa
+bNDiccBhLHqkKRrnCf7zPzW1Tiwg8eQ4QwgsjkgoZnBFJdrDnnlX3UAa6MrsoXwV
+oqHnHid2ZZ8LNohdse1/EGhOXuegGQpMBaft1JfxmdBE67S9uxppqc52AuGjnt6q
+fvgRh1l2RQKBgQCpIVbw5lkwDNSwLR3O8cgdQuDMBgjMl9Mcs6Qw2Q3hw1OJQkjW
+kfKKPnWVv97vrovgvoECd2ubAUgWDxSLzXW40vkONePFrlmvjuKTEIygmbmIgu6u
+Kr+/Lv9wlekRwq5d3m+aG4NQcyF+eHxkcaOH6SLsTN7ZqeoOwWWXS0cPdwKBgA4Q
+LNH/Y0KcqV98E5PZN9YskXgYTadPOtKopPoQBelFWNW9YfohQsfy9WhVrNQo1VHx
+rdKfp//bGaJcAS2IGOfBukenWvisWaaRlkw4WX33oOUBzQrv87Dcjs5b6EnTNlsW
+UiVYpb7oiB0pdZuGR1R34M1zah8sbljxQ5rGIcUZAoGAMTTYP9KpoUwm4Qcb+eGI
+n2NoAF3IDXpnZe/IOZlB9obGQUbW7Orn6SquhsITZ/dRVkRsPidsglBV6YxaM7xE
+Y5E31b3SAxcbV7c2YhD9Fb+H88JJx7lIhEe8pU+c5T6iIWQRmkwBfLp/P2c29U/v
+650+8LA12K/y9WHMNhtgx6s=
+-----END PRIVATE KEY-----