BE-685 Add options for TLS connection to Postgresql

Change-Id: I7d066cad0c2c28268a635b1c65c017d31347dc0e Signed-off-by: plap <plap@softserveinc.com> BE-685 Put markdown to describe Postgres TLS Change-Id: I7d066cad0c2c28268a635b1c65c017d31347dc0e Signed-off-by: plap <plap@softserveinc.com> BE-685 Fix README.md link to Postgres TLS markdown Change-Id: I7d066cad0c2c28268a635b1c65c017d31347dc0e Signed-off-by: plap <plap@softserveinc.com>
hyperledger-labs · Aug 2, 2019 · f24a57c · f24a57c
1 parent 863278a
commit f24a57c
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -168,6 +168,8 @@ Connect to the PostgreSQL database and run DB status commands:
 - `\l`  View created fabricexplorer database.
 - `\d`  View created tables.
 
+If your Postgresql configured with TLS, read link [how to configure connection to Postgresql with TLS](./app/persistence/postgreSQL/CONFIGURE-TLS-CONNECTION-TO-POSTGRESQL.md) 
+
 <a name="Authorization-Configuration" />
 
 # 5.1 Authorization Configuration    <!-- do not remove this comment, ensure there is a blank line before each heading -->

diff --git a/app/persistence/postgreSQL/CONFIGURE-TLS-CONNECTION-TO-POSTGRESQL.md b/app/persistence/postgreSQL/CONFIGURE-TLS-CONNECTION-TO-POSTGRESQL.md
@@ -0,0 +1,16 @@
+
+<!-- (SPDX-License-Identifier: CC-BY-4.0) -->  <!-- Ensure there is a newline before, and after, this line -->
+
+# TLS connection to Postgresql
+
+In order to configure TLS connection to Postgresql take next steps:
+
+- [Optional] pass environment variable `DATABASE_CERTS_PATH`, default is `/opt/explorer/db-certs` 
+
+- put certificates into folder specified by `DATABASE_CERTS_PATH`. There should be three files:
+
+    - `client-cert.pem`
+    - `client-key.pem`
+    - `server-ca.pem`
+
+- pass environment variable `DATABASE_SSL_ENABLED=true`
diff --git a/app/persistence/postgreSQL/PgService.js b/app/persistence/postgreSQL/PgService.js
@@ -20,6 +20,8 @@
 
 const { Client } = require('pg');
 
+const fs = require('fs');
+
 const helper = require('../../common/helper');
 
 const logger = helper.getLogger('PgService');
@@ -40,18 +42,36 @@ class PgService {
 		this.pgconfig.host = process.env.DATABASE_HOST || pgconfig.host;
 		this.pgconfig.port = process.env.DATABASE_PORT || pgconfig.port;
 		this.pgconfig.database = process.env.DATABASE_DATABASE || pgconfig.database;
-		this.pgconfig.username = process.env.DATABASE_USERNAME || pgconfig.username;
-		this.pgconfig.passwd = process.env.DATABASE_PASSWD || pgconfig.passwd;
+		this.pgconfig.user = process.env.DATABASE_USERNAME || pgconfig.username;
+		this.pgconfig.password = process.env.DATABASE_PASSWD || pgconfig.passwd;
+
+		const isPostgresSslEnabled = process.env.DATABASE_SSL_ENABLED || false;
+
+		if (isPostgresSslEnabled) {
+			const dbCertsPath =
+				process.env.DATABASE_CERTS_PATH ||
+				`${process.env.EXPLORER_APP_PATH}/db-certs`;
+
+			this.pgconfig.ssl = {
+				rejectUnauthorized: false,
+				requestCert: true,
+				ca: fs.readFileSync(`${dbCertsPath}/db-certs/server-ca.pem`).toString(),
+				key: fs.readFileSync(`${dbCertsPath}/db-certs/client-key.pem`).toString(),
+				cert: fs.readFileSync(`${dbCertsPath}/db-certs/client-cert.pem`).toString()
+			};
+		}
 
-		this.connectionString = `postgres://${this.pgconfig.username}:${
-			this.pgconfig.passwd
-		}@${this.pgconfig.host}:${this.pgconfig.port}/${this.pgconfig.database}`;
+		const connectionString = `postgres://${this.pgconfig.username}:******@${
+			this.pgconfig.host
+		}:${this.pgconfig.port}/${this.pgconfig.database}`;
 
-		console.log(this.connectionString);
+		logger.info(
+			`connecting to Postgresql ${connectionString} ssl details: ${
+				this.pgconfig.ssl
+			}`
+		);
 
-		this.client = new Client({
-			connectionString: this.connectionString
-		});
+		this.client = new Client(this.pgconfig);
 
 		logger.info(
 			'Please set logger.setLevel to DEBUG in ./app/helper.js to log the debugging.'