@google-cloud/cloud-sql-connector
A JavaScript library for connecting securely to your Cloud SQL instances
"use strict";
// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Wraps a CommonJS export so it can be read through `.default`; reuses a
// helper already installed on the module object when one exists.
const __importDefault = (this && this.__importDefault) || function (mod) {
    if (mod && mod.__esModule) {
        return mod;
    }
    return { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
// Exports are assigned before the requires below; both names are hoisted
// function declarations, so this ordering is safe.
exports.validateCertificate = validateCertificate;
exports.getSocket = getSocket;
const node_tls_1 = __importDefault(require("node:tls"));
const errors_1 = require("./errors");
// Initial delay handed to setKeepAlive() on every socket opened here.
const DEFAULT_KEEP_ALIVE_DELAY_MS = 30 * 1000;

/**
 * Builds the `checkServerIdentity` callback used when dialing a Cloud SQL
 * instance over TLS.
 *
 * Two verification modes are selected by `instanceDnsName`:
 *  - legacy CA mode (no DNS name): the server certificate's subject CN must
 *    equal `<projectId>:<instanceId>`;
 *  - standard mode (DNS name present): Node's `tls.checkServerIdentity` is
 *    applied with `serverName` as the expected identity (full hostname
 *    verification against the certificate's SAN).
 *
 * The `hostname` argument Node passes to the callback is intentionally not
 * consulted: the expected identity is taken from the instance metadata, not
 * from the address the socket was dialed to.
 *
 * @param {{projectId: string, instanceId: string}} instanceInfo
 * @param {string | undefined} instanceDnsName - present for standard mode
 * @param {string | undefined} serverName - identity expected in standard mode
 * @returns {(hostname: string, cert: import('node:tls').PeerCertificate) => Error | undefined}
 *   `undefined` on success, an Error describing the failure otherwise.
 */
function validateCertificate(instanceInfo, instanceDnsName, serverName) {
    // Legacy CA mode: identity is carried in the subject CN.
    const verifyLegacyCn = (cert) => {
        if (!cert || !cert.subject) {
            return new errors_1.CloudSQLConnectorError({
                message: 'No certificate to verify',
                code: 'ENOSQLADMINVERIFYCERT',
            });
        }
        const expectedCN = `${instanceInfo.projectId}:${instanceInfo.instanceId}`;
        if (cert.subject.CN !== expectedCN) {
            return new errors_1.CloudSQLConnectorError({
                message: `Certificate had CN ${cert.subject.CN}, expected ${expectedCN}`,
                code: 'EBADSQLADMINVERIFYCERT',
            });
        }
        return undefined;
    };
    return (hostname, cert) => {
        if (instanceDnsName) {
            // Standard TLS verify-full: hostname verification using the SAN.
            return node_tls_1.default.checkServerIdentity(serverName, cert);
        }
        return verifyLegacyCn(cert);
    };
}

/**
 * Opens a TLS 1.3+ connection to a Cloud SQL instance, presenting the client
 * certificate/key, trusting only the instance's server CA, and verifying the
 * server identity with {@link validateCertificate}.
 *
 * Keep-alive is enabled on the returned socket, and its `connect` method is
 * replaced by a no-op that returns the socket, because the socket is already
 * connected and some drivers call `connect` again internally.
 *
 * @param {object} opts
 * @param {{cert: string}} opts.ephemeralCert - client certificate (PEM)
 * @param {string} opts.host - address to dial
 * @param {number} opts.port - port to dial
 * @param {{projectId: string, instanceId: string}} opts.instanceInfo
 * @param {string} opts.privateKey - client private key (PEM)
 * @param {{cert: string}} opts.serverCaCert - trusted server CA (PEM)
 * @param {string | undefined} opts.instanceDnsName - see validateCertificate
 * @param {string | undefined} opts.serverName - see validateCertificate
 * @returns {import('node:tls').TLSSocket}
 */
function getSocket({
    ephemeralCert,
    host,
    port,
    instanceInfo,
    privateKey,
    serverCaCert,
    instanceDnsName,
    serverName,
}) {
    const secureContext = node_tls_1.default.createSecureContext({
        ca: serverCaCert.cert,
        cert: ephemeralCert.cert,
        key: privateKey,
        minVersion: 'TLSv1.3',
    });
    const checkServerIdentity = validateCertificate(
        instanceInfo,
        instanceDnsName,
        serverName
    );
    // NOTE(review): no `servername` option is set, so SNI is whatever Node
    // derives from `host` (none for an IP literal); confirm the server side
    // does not rely on it.
    const tlsSocket = node_tls_1.default.connect({
        host,
        port,
        secureContext,
        checkServerIdentity,
    });
    tlsSocket.setKeepAlive(true, DEFAULT_KEEP_ALIVE_DELAY_MS);
    // The stream is already connected; some drivers still try to call
    // connect() on it, so make that call a harmless no-op.
    tlsSocket.connect = () => tlsSocket;
    return tlsSocket;
}
//# sourceMappingURL=socket.js.map