
Commit 8d8ef30

committed
Support Azure/AWS DB
1 parent c8104c9 commit 8d8ef30


1 file changed

+40
-21
lines changed


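--- a/app/persistence/postgreSQL/PgService.ts
+++ b/app/persistence/postgreSQL/PgService.ts
@@ -55,33 +55,47 @@ export class PgService {
 this.userModel = null;
 
 const isPostgresSslEnabled = process.env.DATABASE_SSL_ENABLED || false;
+const isDatabaseCertEnabled = process.env.DATABASE_CERT_ENABLED !== 'false'; // default true if unset
 
 if (isPostgresSslEnabled) {
-const dbCertsPath =
-process.env.DATABASE_CERTS_PATH ||
-`${process.env.EXPLORER_APP_PATH}/db-certs`;
-
-this.pgconfig.ssl = {
-rejectUnauthorized: false,
-requestCert: true,
-ca: fs.readFileSync(`${dbCertsPath}/db-certs/server-ca.pem`).toString(),
-key: fs.readFileSync(`${dbCertsPath}/db-certs/client-key.pem`).toString(),
-cert: fs.readFileSync(`${dbCertsPath}/db-certs/client-cert.pem`).toString()
-};
+if (isDatabaseCertEnabled) {
+const dbCertsPath =
+process.env.DATABASE_CERTS_PATH ||
+`${process.env.EXPLORER_APP_PATH}/db-certs`;
+
+this.pgconfig.ssl = {
+rejectUnauthorized: false,
+requestCert: true,
+ca: fs.readFileSync(`${dbCertsPath}/db-certs/server-ca.pem`).toString(),
+key: fs.readFileSync(`${dbCertsPath}/db-certs/client-key.pem`).toString(),
+cert: fs.readFileSync(`${dbCertsPath}/db-certs/client-cert.pem`).toString()
+};
 
-/*
-* don't log entire config, it contains sensitive information!
-* Value this.pgconfig.ssl.key is private key
-*/
-const { rejectUnauthorized, requestCert } = this.pgconfig.ssl;
-const printConfig = { rejectUnauthorized, requestCert };
-logger.info('SSL to Postgresql enabled with settings: ', printConfig);
+/*
+* don't log entire config, it contains sensitive information!
+* Value this.pgconfig.ssl.key is private key
+*/
+const { rejectUnauthorized, requestCert } = this.pgconfig.ssl;
+const printConfig = { rejectUnauthorized, requestCert };
+logger.info('SSL to Postgresql enabled with certificates (controlled by DATABASE_CERT_ENABLED): ', printConfig);
+} else {
+// For Azure/AWS RDS: SSL enabled, accept self-signed certs
+this.pgconfig.ssl = { rejectUnauthorized: false };
+logger.info('SSL to Postgresql enabled (accept self-signed certificates, e.g., for Azure/AWS RDS, controlled by DATABASE_CERT_ENABLED)');
+}
 } else {
 logger.info('SSL to Postgresql disabled');
 }
 
+// don't log password or private key
+const safePgConfig = { ...this.pgconfig };
+if (safePgConfig.password) safePgConfig.password = '******';
+if (safePgConfig.passwd) safePgConfig.passwd = '******';
+if (safePgConfig.ssl && safePgConfig.ssl.key) safePgConfig.ssl.key = '******';
+logger.info('PgService effective pgconfig:', safePgConfig);
+
 // don't log password
-const connectionString = `postgres://${this.pgconfig.username}:******@${this.pgconfig.host}:${this.pgconfig.port}/${this.pgconfig.database}`;
+const connectionString = `postgres://${this.pgconfig.user}:******@${this.pgconfig.host}:${this.pgconfig.port}/${this.pgconfig.database}`;
 
 logger.info(`connecting to Postgresql ${connectionString}`);
 
@@ -99,7 +113,12 @@ export class PgService {
 getUserModel(attributes, options) {
 const sequelize = new Sequelize(
 `postgres://${this.pgconfig.user}:${this.pgconfig.password}@${this.pgconfig.host}:${this.pgconfig.port}/${this.pgconfig.database}`,
-{ logging: false }
+{
+logging: false,
+dialectOptions: {
+ssl: this.pgconfig.ssl
+}
+}
 );
 this.userModel = sequelize.define('users', attributes, options);
 return this.userModel;
@@ -585,5 +604,5 @@ export class PgService {
 });
 });
 }
-
+
 }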
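Review bot: `const safePgConfig = { ...this.pgconfig };` in the first hunk is a shallow copy, so `safePgConfig.ssl.key = '******'` on the line after it writes into the very same `ssl` object that `this.pgconfig.ssl` references, overwriting the real client private key before the config is presumably handed to the pg client and, in the second hunk, to Sequelize's `dialectOptions.ssl`; with DATABASE_CERT_ENABLED in effect, client-certificate authentication would then be attempted with the literal string `'******'` as the key. Copy the nested object as well: `const safePgConfig = { ...this.pgconfig, ssl: this.pgconfig.ssl ? { ...this.pgconfig.ssl } : this.pgconfig.ssl };`. Separately, both SSL branches set `rejectUnauthorized: false`, which turns off server-certificate validation, so the `ca` loaded in the certificate branch never causes a mismatched server to be rejected and the new Azure/AWS branch accepts any certificate presented on the wire; consider making that flag configurable with a safe default (a constructed example: `rejectUnauthorized: process.env.DATABASE_SSL_REJECT_UNAUTHORIZED !== 'false'`) and stating in the `// For Azure/AWS RDS` comment that `false` gives up man-in-the-middle protection. The constructor these lines belong to starts before the hunk, and whether `passwd` is a key pg ever reads is not visible here.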
