ml-testing-toolkit 18.13.2-rorfs.2 → 18.14.0

package/src/lib/config.js

@@ -90,7 +90,6 @@ const loadSystemConfig = async (filename = SYSTEM_CONFIG_FILE) => {
     const systemConfigFromEnvironment = _getSystemConfigFromEnvironment()
     _.merge(SYSTEM_CONFIG, systemConfigFromEnvironment)
     const secretsFromEnvironment = _getSecretsFromEnvironment()
-    console.log(secretsFromEnvironment)
     _.merge(SYSTEM_CONFIG, secretsFromEnvironment)
   } catch (err) {
     console.log(`Can not read the file ${filename}`, err)
@@ -98,22 +97,50 @@ const loadSystemConfig = async (filename = SYSTEM_CONFIG_FILE) => {
   return true
 }
 
+const mask = value => (value && value.length > 4) ? `${value.slice(0, 2)}***${value.slice(-2)}` : value
+
 const _getSecretsFromEnvironment = () => {
   const secretsFromEnvironment = {}
-  if (process.env.REPORTING_DB_CONNECTION_PASSWORD || process.env.REPORTING_DB_CONNECTION_STRING) {
+  if (
+    process.env.REPORTING_DB_CONNECTION_PASSWORD ||
+    process.env.REPORTING_DB_CONNECTION_STRING ||
+    process.env.REPORTING_DB_SSL_ENABLED ||
+    process.env.REPORTING_DB_SSL_VERIFY ||
+    process.env.REPORTING_DB_SSL_CA
+  ) {
     try {
       const reportingDbConnectionPassword = process.env.REPORTING_DB_CONNECTION_PASSWORD
       const reportingDbConnectionString = process.env.REPORTING_DB_CONNECTION_STRING
-      console.log(`Retrieved reporting database password in environment '${process.env.REPORTING_DB_CONNECTION_PASSWORD}'`)
-      console.log(`Retrieved reporting database connection string in environment '${process.env.REPORTING_DB_CONNECTION_STRING}'`)
+      const reportingDbSslEnabled = process.env.REPORTING_DB_SSL_ENABLED === 'true'
+      const reportingDbSslVerify = process.env.REPORTING_DB_SSL_VERIFY !== 'false'
+      const reportingDbSslCa = process.env.REPORTING_DB_SSL_CA
+
       secretsFromEnvironment.DB = {
         PASSWORD: reportingDbConnectionPassword,
         CONNECTION_STRING: reportingDbConnectionString
       }
-      console.log(`Secrets retrieved from environment to be merged into system config ${secretsFromEnvironment}`)
+
+      if (
+        process.env.REPORTING_DB_SSL_ENABLED ||
+        process.env.REPORTING_DB_SSL_VERIFY ||
+        process.env.REPORTING_DB_SSL_CA
+      ) {
+        secretsFromEnvironment.DB.SSL_ENABLED = reportingDbSslEnabled
+        secretsFromEnvironment.DB.SSL_VERIFY = reportingDbSslVerify
+        if (reportingDbSslCa) {
+          secretsFromEnvironment.DB.SSL_CA = reportingDbSslCa
+        }
+      }
+
+      // Hide CA from being logged
+      const logSecrets = _.cloneDeep(secretsFromEnvironment)
+      if (logSecrets.DB && logSecrets.DB.SSL_CA) logSecrets.DB.SSL_CA = mask(logSecrets.DB.SSL_CA)
+      if (logSecrets.DB && logSecrets.DB.PASSWORD) logSecrets.DB.PASSWORD = mask(logSecrets.DB.PASSWORD)
+      if (logSecrets.DB && logSecrets.DB.CONNECTION_STRING) logSecrets.DB.CONNECTION_STRING = mask(logSecrets.DB.CONNECTION_STRING)
+      console.log('Secrets retrieved from environment to be merged into system config', logSecrets)
     } catch (err) {
       console.log(err)
-      console.log('Failed to retrieve reporting database password or connection string in environment')
+      console.log('Failed to retrieve reporting database secrets or SSL/TLS settings from environment')
     }
   }
   return secretsFromEnvironment

package/src/lib/db/adapters/dbAdapter.js

@@ -46,6 +46,39 @@ const getConnection = async () => {
         params = {}
       }
     }
+
+    // TLS/SSL support
+    const mongoOptions = {
+      useNewUrlParser: true,
+      useUnifiedTopology: true
+    }
+
+    if (systemConfig.DB.SSL_ENABLED) {
+      mongoOptions.tls = true
+      if (typeof systemConfig.DB.SSL_VERIFY !== 'undefined') {
+        console.log(`SSL_VERIFY is set to ${systemConfig.DB.SSL_VERIFY} (type: ${typeof systemConfig.DB.SSL_VERIFY})`)
+        mongoOptions.tlsAllowInvalidCertificates = !systemConfig.DB.SSL_VERIFY
+      }
+      if (systemConfig.DB.SSL_CA) {
+      // SSL_CA is a string (from kube secret), may be PEM or comma-separated PEMs
+        let ca = systemConfig.DB.SSL_CA
+        if (typeof ca === 'string') {
+        // If comma-separated, split into array
+          if (ca.includes(',')) {
+            ca = ca.split(',').map(s => s.trim())
+          }
+        }
+        // Convert to Buffer(s) if needed
+        if (Array.isArray(ca)) {
+          ca = ca.map(item => Buffer.isBuffer(item) ? item : Buffer.from(item))
+        } else if (!Buffer.isBuffer(ca)) {
+          ca = Buffer.from(ca)
+        }
+        // Mongoose expects tlsCAFile as a Buffer or array of Buffers
+        mongoOptions.tlsCAFile = ca
+      }
+    }
+
     const csMongoDBObj = new ConnectionString()
     csMongoDBObj.setDefaults({
       protocol: 'mongodb',
@@ -59,10 +92,7 @@ const getConnection = async () => {
     const safeConnectionString = connectionString.replace(/(\/\/)(.*):(.*)@/, '$1****:****@')
     Logger.info(`Connecting to MongoDB with connection string: ${safeConnectionString}`)
 
-    conn = await mongoDBWrapper.connect(connectionString, {
-      useNewUrlParser: true,
-      useUnifiedTopology: true
-    })
+    conn = await mongoDBWrapper.connect(connectionString, mongoOptions)
   }
   return conn
 }
@@ -188,6 +218,13 @@ const getReport = async (reportId) => {
   return await MyModel.findById(reportId)
 }
 
+const _deleteConn = async () => {
+  if (conn) {
+    await conn.disconnect()
+    conn = undefined
+  }
+}
+
 module.exports = {
   read,
   find,
@@ -195,5 +232,6 @@ module.exports = {
   remove,
   upsertReport,
   listReports,
-  getReport
+  getReport,
+  _deleteConn
 }