diff --git a/backend/src/db/instance.ts b/backend/src/db/instance.ts index b1ecf7d659..112def0b3d 100644 --- a/backend/src/db/instance.ts +++ b/backend/src/db/instance.ts @@ -1,5 +1,27 @@ import knex, { Knex } from "knex"; +const parseSslConfig = (dbConnectionUri: string, dbRootCert?: string) => { + let modifiedDbConnectionUri = dbConnectionUri; + let sslConfig: { rejectUnauthorized: boolean; ca: string } | boolean = false; + + if (dbRootCert) { + const url = new URL(dbConnectionUri); + const sslMode = url.searchParams.get("sslmode"); + + if (sslMode && sslMode !== "disable") { + url.searchParams.delete("sslmode"); + modifiedDbConnectionUri = url.toString(); + + sslConfig = { + rejectUnauthorized: ["verify-ca", "verify-full"].includes(sslMode), + ca: Buffer.from(dbRootCert, "base64").toString("ascii") + }; + } + } + + return { modifiedDbConnectionUri, sslConfig }; +}; + export type TDbClient = Knex; export const initDbConnection = ({ dbConnectionUri, @@ -32,23 +54,18 @@ export const initDbConnection = ({ return selectedReplica; }); + const { modifiedDbConnectionUri, sslConfig } = parseSslConfig(dbConnectionUri, dbRootCert); + db = knex({ client: "pg", connection: { - connectionString: dbConnectionUri, + connectionString: modifiedDbConnectionUri, host: process.env.DB_HOST, - // @ts-expect-error I have no clue why only for the port there is a type error - // eslint-disable-next-line - port: process.env.DB_PORT, + port: process.env.DB_PORT ? parseInt(process.env.DB_PORT, 10) : undefined, user: process.env.DB_USER, database: process.env.DB_NAME, password: process.env.DB_PASSWORD, - ssl: dbRootCert - ? { - rejectUnauthorized: true, - ca: Buffer.from(dbRootCert, "base64").toString("ascii") - } - : false + ssl: sslConfig }, // https://knexjs.org/guide/#pool pool: { min: 0, max: 10 }, @@ -59,16 +76,16 @@ export const initDbConnection = ({ readReplicaDbs = readReplicas.map((el) => { const replicaDbCertificate = el.dbRootCert || dbRootCert; + const { modifiedDbConnectionUri: replicaUri, sslConfig: replicaSslConfig } = parseSslConfig( + el.dbConnectionUri, + replicaDbCertificate + ); + return knex({ client: "pg", connection: { - connectionString: el.dbConnectionUri, - ssl: replicaDbCertificate - ? { - rejectUnauthorized: true, - ca: Buffer.from(replicaDbCertificate, "base64").toString("ascii") - } - : false + connectionString: replicaUri, + ssl: replicaSslConfig }, migrations: { tableName: "infisical_migrations" @@ -87,26 +104,21 @@ export const initAuditLogDbConnection = ({ dbConnectionUri: string; dbRootCert?: string; }) => { + const { modifiedDbConnectionUri, sslConfig } = parseSslConfig(dbConnectionUri, dbRootCert); + // akhilmhdh: the default Knex is knex.Knex. but when assigned with knex({}) the value is knex.Knex // this was causing issue with files like `snapshot-dal` `findRecursivelySnapshots` this i am explicitly putting the any and unknown[] // eslint-disable-next-line const db: Knex = knex({ client: "pg", connection: { - connectionString: dbConnectionUri, + connectionString: modifiedDbConnectionUri, host: process.env.AUDIT_LOGS_DB_HOST, - // @ts-expect-error I have no clue why only for the port there is a type error - // eslint-disable-next-line - port: process.env.AUDIT_LOGS_DB_PORT, + port: process.env.AUDIT_LOGS_DB_PORT ? parseInt(process.env.AUDIT_LOGS_DB_PORT, 10) : undefined, user: process.env.AUDIT_LOGS_DB_USER, database: process.env.AUDIT_LOGS_DB_NAME, password: process.env.AUDIT_LOGS_DB_PASSWORD, - ssl: dbRootCert - ? { - rejectUnauthorized: true, - ca: Buffer.from(dbRootCert, "base64").toString("ascii") - } - : false + ssl: sslConfig }, migrations: { tableName: "infisical_migrations"