feat(backend/mongo): add support for TLS/SSL connection

cray0000 · cray0000 · commit 336c048bf560 · 2024-10-18T18:09:47.000+03:00
diff --git a/packages/backend/db/mongo.js b/packages/backend/db/mongo.js
@@ -2,27 +2,32 @@ import fs from 'fs'
 import { MongoClient } from 'mongodb'
 import ShareDbMongo from 'sharedb-mongo'
 
-export const { db, mongo, mongoClient, createMongoIndex } = getMongoDb({
-  url: process.env.MONGO_URL,
-  optsString: process.env.MONGO_OPTS,
-  sslKeyPath: process.env.MONGO_SSL_KEY_PATH,
-  sslCertPath: process.env.MONGO_SSL_CERT_PATH,
-  sslCaPath: process.env.MONGO_SSL_CA_PATH
+export const { db, mongo, mongoClient, createMongoIndex } = getMongoDb(process.env.MONGO_URL, {
+  // ssl key, cert and ca can be provided as paths or base64 or directly as strings
+
+  // ssl as string
+  key: process.env.MONGO_SSL_KEY,
+  cert: process.env.MONGO_SSL_CERT,
+  ca: process.env.MONGO_SSL_CA,
+
+  // ssl as path to the file
+  keyPath: process.env.MONGO_SSL_KEY_PATH,
+  certPath: process.env.MONGO_SSL_CERT_PATH,
+  caPath: process.env.MONGO_SSL_CA_PATH,
+
+  // ssl as base64
+  keyBase64: process.env.MONGO_SSL_KEY_BASE64,
+  certBase64: process.env.MONGO_SSL_CERT_BASE64,
+  caBase64: process.env.MONGO_SSL_CA_BASE64,
+
+  ...(process.env.MONGO_OPTIONS ? JSON.parse(process.env.MONGO_OPTIONS) : undefined)
 })
 
-function getMongoDb ({ url, optsString, sslKeyPath, sslCertPath, sslCaPath }) {
-  const options = { useUnifiedTopology: true }
-
-  if (typeof optsString === 'string') {
-    const { key, cert, ca } = JSON.parse(optsString)
-    options.sslKey = fs.readFileSync(key)
-    options.sslCert = fs.readFileSync(cert)
-    options.sslCA = fs.readFileSync(ca)
-  } else if (sslKeyPath) {
-    options.sslKey = fs.readFileSync(sslKeyPath)
-    options.sslCert = fs.readFileSync(sslCertPath)
-    options.sslCA = fs.readFileSync(sslCaPath)
-  }
+function getMongoDb (url, options = {}) {
+  options = { ...options }
+  options = processSslOptions(options)
+
+  options.useUnifiedTopology ??= true
 
   const mongoClient = new MongoClient(url, options)
   const mongo = mongoClient.db()
@@ -38,3 +43,68 @@ function getMongoDb ({ url, optsString, sslKeyPath, sslCertPath, sslCaPath }) {
     }
   }
 }
+
+function processSslOptions (options = {}) {
+  options = { ...options }
+  let initialized = false
+  if (options.key || options.cert || options.ca) {
+    if (!(options.key && options.cert && options.ca)) {
+      throw Error('[teamplay/mongo] SSL: All 3 strings must be provided: key, cert, ca')
+    }
+    if (!(typeof options.key === 'string' && typeof options.cert === 'string' && typeof options.ca === 'string')) {
+      throw Error('[teamplay/mongo] SSL: All 3 strings must be provided as strings')
+    }
+    options = {
+      ...options,
+      key: Buffer.from(options.key),
+      cert: Buffer.from(options.cert),
+      ca: Buffer.from(options.ca)
+    }
+    initialized = true
+  }
+  if (options.keyPath || options.certPath || options.caPath) {
+    if (initialized) {
+      throw Error('[teamplay/mongo] SSL: Cannot mix paths and strings or base64')
+    }
+    if (!(options.keyPath && options.certPath && options.caPath)) {
+      throw Error('[teamplay/mongo] SSL: All 3 paths to files must be provided: keyPath, certPath, caPath')
+    }
+    options = {
+      ...options,
+      key: fs.readFileSync(options.keyPath),
+      cert: fs.readFileSync(options.certPath),
+      ca: fs.readFileSync(options.caPath)
+    }
+    initialized = true
+  }
+  if (options.keyBase64 || options.certBase64 || options.caBase64) {
+    if (initialized) {
+      throw Error('[teamplay/mongo] SSL: Cannot mix base64 and strings or paths')
+    }
+    if (!(options.keyBase64 && options.certBase64 && options.caBase64)) {
+      throw Error('[teamplay/mongo] SSL: All 3 base64 strings must be provided: keyBase64, certBase64, caBase64')
+    }
+    options = {
+      ...options,
+      key: Buffer.from(options.keyBase64, 'base64'),
+      cert: Buffer.from(options.certBase64, 'base64'),
+      ca: Buffer.from(options.caBase64, 'base64')
+    }
+  }
+  // enable tls mode if certificates are provided (unless explicitly disabled)
+  if (options.key && options.cert && options.ca) {
+    options.tls ??= true
+  }
+  // cleanup options object from the processed keys
+  delete options.keyPath
+  delete options.certPath
+  delete options.caPath
+  delete options.keyBase64
+  delete options.certBase64
+  delete options.caBase64
+  // delete the undefined values if they were not provided
+  if (!options.key) delete options.key
+  if (!options.cert) delete options.cert
+  if (!options.ca) delete options.ca
+  return options
+}
