From ee72ad07da0ddb3eafbba271fd3e33e16c309e98 Mon Sep 17 00:00:00 2001
From: Johan Schuijt
Date: Wed, 8 Jun 2022 12:09:27 +0200
Subject: [PATCH] Restore concatenated CA string logic for db connnections, make rejectUnauthorized configurable through environment variable

---
 dev/helm/templates/deployment.yaml | 2 ++
 dev/helm/values.yaml | 10 ++++++++--
 server/core/db.js | 17 ++++++++++++++---
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/dev/helm/templates/deployment.yaml b/dev/helm/templates/deployment.yaml
index 24910f2b..cd637feb 100644
--- a/dev/helm/templates/deployment.yaml
+++ b/dev/helm/templates/deployment.yaml
@@ -53,6 +53,8 @@ spec:
             value: "{{ default "false" .Values.postgresql.ssl }}"
           - name: DB_SSL_CA
             value: "{{ default "" .Values.postgresql.ca }}"
+          - name: DB_SSL_REJECTUNAUTHORIZED
+            value: "{{ default "true" .Values.postgresql.rejectUnauthorized }}"
           - name: DB_PASS
             valueFrom:
               secretKeyRef:
diff --git a/dev/helm/values.yaml b/dev/helm/values.yaml
index 6b7296a7..ce5c9ba4 100644
--- a/dev/helm/values.yaml
+++ b/dev/helm/values.yaml
@@ -115,9 +115,15 @@ postgresql:
   ##
   # ssl: false
   ## ca Certificate of Authority
-  ## Default to empty, point to location of CA
+  ## this can either be a single line string (without spaces or new lines)
+  ## without the prefix and suffix lines, or a path to a certificate file.
+  ## Default to empty
   ##
-  # ca: "path to ca"
+  # ca: "single line or path to ca"
+  ## rejectUnauthorized reject self-signed certificates
+  ## Default to true
+  ##
+  # rejectUnauthorized: true
   ## postgresqlHost override postgres database host
   ## Default to postgres
   ##
diff --git a/server/core/db.js b/server/core/db.js
index 2f42aefb..6e900c9d 100644
--- a/server/core/db.js
+++ b/server/core/db.js
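Review bot: `default "true" .Values.postgresql.rejectUnauthorized` on the added `value:` line of deployment.yaml cannot be switched off with a YAML boolean, because Sprig's `default` treats `false` as an empty value and falls back to `"true"`; only the string `"false"` in values.yaml would reach the container, and an operator who sets `rejectUnauthorized: false` has that choice silently discarded. Since db.js in this same patch derives `rejectUnauthorized` from the rendered env var, the template needs to distinguish unset from false, e.g. `value: {{ if hasKey .Values.postgresql "rejectUnauthorized" }}{{ .Values.postgresql.rejectUnauthorized | quote }}{{ else }}"true"{{ end }}`. Alternatively make `rejectUnauthorized: true` a real (uncommented) default in values.yaml and render it as `value: {{ .Values.postgresql.rejectUnauthorized | quote }}`, which keeps verification on unless explicitly disabled and makes the disabled state visible in the chart values.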
@@ -60,13 +60,24 @@ module.exports = {
       sslOptions = true
     }
-    // Handle self-signed CA file
+    // Handle self-signed CA file or concatenated string
     // https://node-postgres.com/features/ssl
     if (!_.isEmpty(process.env.DB_SSL_CA)) {
+      try {
+        ca = fs.readFileSync(process.env.DB_SSL_CA).toString()
+      } catch(_) {
+        const chunks = []
+        for (let i = 0, charsLength = process.env.DB_SSL_CA.length; i < charsLength; i += 64) {
+          chunks.push(process.env.DB_SSL_CA.substring(i, i + 64))
+        }
+
+        ca = '-----BEGIN CERTIFICATE-----\n' + chunks.join('\n') + '\n-----END CERTIFICATE-----\n'
+      }
+
       dbUseSSL = true
       sslOptions = {
-        rejectUnauthorized: false,
-        ca: fs.readFileSync(process.env.DB_SSL_CA).toString(),
+        rejectUnauthorized: [true, 'true', 1, '1'].includes(process.env.DB_SSL_REJECTUNAUTHORIZED),
+        ca,
       }
     }