@google-cloud/cloud-sql-connector/dist/mjs/socket.js

A JavaScript library for connecting securely to your Cloud SQL instances

// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
import tls from 'node:tls';
import { CloudSQLConnectorError } from './errors.js';
const DEFAULT_KEEP_ALIVE_DELAY_MS = 30 * 1000;
export function validateCertificate(instanceInfo, instanceDnsName, serverName) {
    return (hostname, cert) => {
        if (!instanceDnsName) {
            // Legacy CA Mode
            if (!cert || !cert.subject) {
                return new CloudSQLConnectorError({
                    message: 'No certificate to verify',
                    code: 'ENOSQLADMINVERIFYCERT',
                });
            }
            const expectedCN = `${instanceInfo.projectId}:${instanceInfo.instanceId}`;
            if (cert.subject.CN !== expectedCN) {
                return new CloudSQLConnectorError({
                    message: `Certificate had CN ${cert.subject.CN}, expected ${expectedCN}`,
                    code: 'EBADSQLADMINVERIFYCERT',
                });
            }
            return undefined;
        }
        else {
            // Standard TLS Verify Full hostname verification using SAN
            return tls.checkServerIdentity(serverName, cert);
        }
    };
}
export function getSocket({ ephemeralCert, host, port, instanceInfo, privateKey, serverCaCert, instanceDnsName, serverName, }) {
    const socketOpts = {
        host,
        port,
        secureContext: tls.createSecureContext({
            ca: serverCaCert.cert,
            cert: ephemeralCert.cert,
            key: privateKey,
            minVersion: 'TLSv1.3',
        }),
        checkServerIdentity: validateCertificate(instanceInfo, instanceDnsName, serverName),
    };
    const tlsSocket = tls.connect(socketOpts);
    tlsSocket.setKeepAlive(true, DEFAULT_KEEP_ALIVE_DELAY_MS);
    // overrides the stream.connect method since the stream is already
    // connected and some drivers might try to call it internally
    tlsSocket.connect = () => tlsSocket;
    return tlsSocket;
}
//# sourceMappingURL=socket.js.map