feat: Support Private CA for server certificates. (#408)

Support TLS validation on instances configured with a customer-managed private CA. Includes integration test.

.github/workflows/tests.yml

@@ -161,6 +161,8 @@ jobs:
             POSTGRES_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_DB
             POSTGRES_CAS_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CAS_CONNECTION_NAME
             POSTGRES_CAS_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CAS_PASS
+            POSTGRES_CUSTOMER_CAS_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CUSTOMER_CAS_CONNECTION_NAME
+            POSTGRES_CUSTOMER_CAS_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CUSTOMER_CAS_PASS
             SQLSERVER_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_CONNECTION_NAME
             SQLSERVER_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_USER
             SQLSERVER_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_PASS
@@ -188,6 +190,8 @@ jobs:
           POSTGRES_DB: "${{ steps.secrets.outputs.POSTGRES_DB }}"
           POSTGRES_CAS_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CAS_CONNECTION_NAME }}"
           POSTGRES_CAS_PASS: "${{ steps.secrets.outputs.POSTGRES_CAS_PASS }}"
+          POSTGRES_CUSTOMER_CAS_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CUSTOMER_CAS_CONNECTION_NAME }}"
+          POSTGRES_CUSTOMER_CAS_PASS: "${{ steps.secrets.outputs.POSTGRES_CUSTOMER_CAS_PASS }}"
           SQLSERVER_CONNECTION_NAME: "${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}"
           SQLSERVER_USER: "${{ steps.secrets.outputs.SQLSERVER_USER }}"
           SQLSERVER_PASS: "${{ steps.secrets.outputs.SQLSERVER_PASS }}"

src/socket.ts

@@ -36,23 +36,26 @@ export function validateCertificate(
   dnsName: string
 ) {
   return (hostname: string, cert: tls.PeerCertificate): Error | undefined => {
-    if (serverCaMode === 'GOOGLE_MANAGED_CAS_CA') {
+    if (!serverCaMode || serverCaMode === 'GOOGLE_MANAGED_INTERNAL_CA') {
+      // Legacy CA Mode
+      if (!cert || !cert.subject) {
+        return new CloudSQLConnectorError({
+          message: 'No certificate to verify',
+          code: 'ENOSQLADMINVERIFYCERT',
+        });
+      }
+      const expectedCN = `${instanceInfo.projectId}:${instanceInfo.instanceId}`;
+      if (cert.subject.CN !== expectedCN) {
+        return new CloudSQLConnectorError({
+          message: `Certificate had CN ${cert.subject.CN}, expected ${expectedCN}`,
+          code: 'EBADSQLADMINVERIFYCERT',
+        });
+      }
+      return undefined;
+    } else {
+      // Standard TLS Verify Full hostname verification using SAN
       return tls.checkServerIdentity(dnsName, cert);
     }
-    if (!cert || !cert.subject) {
-      return new CloudSQLConnectorError({
-        message: 'No certificate to verify',
-        code: 'ENOSQLADMINVERIFYCERT',
-      });
-    }
-    const expectedCN = `${instanceInfo.projectId}:${instanceInfo.instanceId}`;
-    if (cert.subject.CN !== expectedCN) {
-      return new CloudSQLConnectorError({
-        message: `Certificate had CN ${cert.subject.CN}, expected ${expectedCN}`,
-        code: 'EBADSQLADMINVERIFYCERT',
-      });
-    }
-    return undefined;
   };
 }
 

system-test/pg-connect.cjs

@@ -93,3 +93,29 @@ t.test(
     connector.close();
   }
 );
+
+t.test(
+  'open connection to Customer Private CAS-based CA instance and retrieves standard pg tables',
+  async t => {
+    const connector = new Connector();
+    const clientOpts = await connector.getOptions({
+      instanceConnectionName: String(
+        process.env.POSTGRES_CUSTOMER_CAS_CONNECTION_NAME
+      ),
+    });
+    const client = new Client({
+      ...clientOpts,
+      user: String(process.env.POSTGRES_USER),
+      password: String(process.env.POSTGRES_CUSTOMER_CAS_PASS),
+      database: String(process.env.POSTGRES_DB),
+    });
+    client.connect();
+    const {
+      rows: [result],
+    } = await client.query('SELECT NOW();');
+    const returnedDate = result['now'];
+    t.ok(returnedDate.getTime(), 'should have valid returned date object');
+    await client.end();
+    connector.close();
+  }
+);

system-test/pg-connect.mjs

@@ -93,3 +93,29 @@ t.test(
     connector.close();
   }
 );
+
+t.test(
+  'open connection to Customer Private CAS-based CA instance and retrieves standard pg tables',
+  async t => {
+    const connector = new Connector();
+    const clientOpts = await connector.getOptions({
+      instanceConnectionName: String(
+        process.env.POSTGRES_CUSTOMER_CAS_CONNECTION_NAME
+      ),
+    });
+    const client = new Client({
+      ...clientOpts,
+      user: String(process.env.POSTGRES_USER),
+      password: String(process.env.POSTGRES_CUSTOMER_CAS_PASS),
+      database: String(process.env.POSTGRES_DB),
+    });
+    client.connect();
+    const {
+      rows: [result],
+    } = await client.query('SELECT NOW();');
+    const returnedDate = result['now'];
+    t.ok(returnedDate.getTime(), 'should have valid returned date object');
+    await client.end();
+    connector.close();
+  }
+);

system-test/pg-connect.ts

@@ -93,3 +93,29 @@ t.test(
     connector.close();
   }
 );
+
+t.test(
+  'open connection to Customer Private CAS-based CA instance and retrieves standard pg tables',
+  async t => {
+    const connector = new Connector();
+    const clientOpts = await connector.getOptions({
+      instanceConnectionName: String(
+        process.env.POSTGRES_CUSTOMER_CAS_CONNECTION_NAME
+      ),
+    });
+    const client = new Client({
+      ...clientOpts,
+      user: String(process.env.POSTGRES_USER),
+      password: String(process.env.POSTGRES_CUSTOMER_CAS_PASS),
+      database: String(process.env.POSTGRES_DB),
+    });
+    client.connect();
+    const {
+      rows: [result],
+    } = await client.query('SELECT NOW();');
+    const returnedDate = result['now'];
+    t.ok(returnedDate.getTime(), 'should have valid returned date object');
+    await client.end();
+    connector.close();
+  }
+);