feat: add support for self-signed SSL certificates

pozil · pozil · commit 68e77930a257 · 2025-04-23T23:59:33.000+02:00
diff --git a/README.md b/README.md
@@ -746,17 +746,18 @@ Holds the information related to an event parsing error. This class attempts to
 
 Check out the [authentication](#authentication) section for more information on how to provide the right values.
 
-| Name             | Type   | Description                                                                                                               |
-| ---------------- | ------ | ------------------------------------------------------------------------------------------------------------------------- |
-| `authType`       | string | Authentication type. One of `user-supplied`, `username-password`, `oauth-client-credentials` or `oauth-jwt-bearer`.       |
-| `pubSubEndpoint` | string | A custom Pub/Sub API endpoint. The default endpoint `api.pubsub.salesforce.com:7443` is used if none is supplied.         |
-| `accessToken`    | string | Salesforce access token.                                                                                                  |
-| `instanceUrl`    | string | Salesforce instance URL.                                                                                                  |
-| `organizationId` | string | Optional organization ID. If you don't provide one, we'll attempt to parse it from the accessToken.                       |
-| `loginUrl`       | string | Salesforce login host. One of `https://login.salesforce.com`, `https://test.salesforce.com` or your domain specific host. |
-| `clientId`       | string | Connected app client ID.                                                                                                  |
-| `clientSecret`   | string | Connected app client secret.                                                                                              |
-| `privateKey`     | string | Private key content.                                                                                                      |
-| `username`       | string | Salesforce username.                                                                                                      |
-| `password`       | string | Salesforce user password.                                                                                                 |
-| `userToken`      | string | Salesforce user security token.                                                                                           |
+| Name                    | Type    | Description                                                                                                                                                          |
+| ----------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `authType`              | string  | Authentication type. One of `user-supplied`, `username-password`, `oauth-client-credentials` or `oauth-jwt-bearer`.                                                  |
+| `pubSubEndpoint`        | string  | A custom Pub/Sub API endpoint. The default endpoint `api.pubsub.salesforce.com:7443` is used if none is supplied.                                                    |
+| `accessToken`           | string  | Salesforce access token.                                                                                                                                             |
+| `instanceUrl`           | string  | Salesforce instance URL.                                                                                                                                             |
+| `organizationId`        | string  | Optional organization ID. If you don't provide one, we'll attempt to parse it from the accessToken.                                                                  |
+| `loginUrl`              | string  | Salesforce login host. One of `https://login.salesforce.com`, `https://test.salesforce.com` or your domain specific host.                                            |
+| `clientId`              | string  | Connected app client ID.                                                                                                                                             |
+| `clientSecret`          | string  | Connected app client secret.                                                                                                                                         |
+| `privateKey`            | string  | Private key content.                                                                                                                                                 |
+| `username`              | string  | Salesforce username.                                                                                                                                                 |
+| `password`              | string  | Salesforce user password.                                                                                                                                            |
+| `userToken`             | string  | Salesforce user security token.                                                                                                                                      |
+| `rejectUnauthorizedSsl` | boolean | Optional flag used to accept self-signed SSL certificates for testing purposes when set to `false`. Default is `true` (client rejects self-signed SSL certificates). |
diff --git a/src/client.js b/src/client.js
@@ -167,7 +167,9 @@ export default class PubSubApiClient {
             const callCreds =
                 grpc.credentials.createFromMetadataGenerator(metaCallback);
             const combCreds = grpc.credentials.combineChannelCredentials(
-                grpc.credentials.createSsl(rootCert),
+                grpc.credentials.createSsl(rootCert, null, null, {
+                    rejectUnauthorized: this.#config.rejectUnauthorizedSsl
+                }),
                 callCreds
             );
 
diff --git a/src/utils/configurationLoader.js b/src/utils/configurationLoader.js
@@ -1,6 +1,7 @@
 import { AuthType } from './types.js';
 
 const DEFAULT_PUB_SUB_ENDPOINT = 'api.pubsub.salesforce.com:7443';
+const DEFAULT_REJECT_UNAUTHORIZED_SSL = true;
 
 export default class ConfigurationLoader {
     /**
@@ -45,9 +46,63 @@ export default class ConfigurationLoader {
                     `Unsupported authType value: ${config.authType}`
                 );
         }
+        // Sanitize rejectUnauthorizedSsl property
+        ConfigurationLoader.#loadBooleanValue(
+            config,
+            'rejectUnauthorizedSsl',
+            DEFAULT_REJECT_UNAUTHORIZED_SSL
+        );
         return config;
     }
 
+    /**
+     * Loads a boolean value from a config key.
+     * Falls back to the provided default value if no value is specified.
+     * Errors out if the config value can't be converted to a boolean value.
+     * @param {Configuration} config
+     * @param {string} key
+     * @param {boolean} defaultValue
+     */
+    static #loadBooleanValue(config, key, defaultValue) {
+        // Load the default value if no value is specified
+        if (
+            !Object.hasOwn(config, key) ||
+            config[key] === undefined ||
+            config[key] === null
+        ) {
+            config[key] = defaultValue;
+            return;
+        }
+
+        const value = config[key];
+        const type = typeof value;
+        switch (type) {
+            case 'boolean':
+                // Do nothing, value is valid
+                break;
+            case 'string':
+                {
+                    switch (value.toUppercase()) {
+                        case 'TRUE':
+                            config[key] = true;
+                            break;
+                        case 'FALSE':
+                            config[key] = false;
+                            break;
+                        default:
+                            throw new Error(
+                                `Expected boolean value for ${key}, found ${type} with value ${value}`
+                            );
+                    }
+                }
+                break;
+            default:
+                throw new Error(
+                    `Expected boolean value for ${key}, found ${type} with value ${value}`
+                );
+        }
+    }
+
     /**
      * @param {Configuration} config the client configuration
      * @returns {Configuration} sanitized configuration
diff --git a/src/utils/types.js b/src/utils/types.js
@@ -122,6 +122,7 @@ export const EventSubscriptionAdminState = {
  * @property {string} [accessToken] Salesforce access token.
  * @property {string} [instanceUrl] Salesforce instance URL.
  * @property {string} [organizationId] Optional organization ID. If you don't provide one, we'll attempt to parse it from the accessToken.
+ * @property {boolean} [rejectUnauthorizedSsl] Optional flag used to accept self-signed SSL certificates for testing purposes when set to `false`. Default is `true` (client rejects self-signed SSL certificates).
  */
 
 /**
