OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

SSL off despite DATABASE_ENABLE_SSL set to true #191

Closed ppiorkow closed 1 year ago

ppiorkow commented 2 years ago

DATABASE_ENABLE_SSL parameter has been set to true on deployment (and propagated to pod) level:

$ kubectl -n my-project get pod os2iot-backend-779874f6b4-nm64j -o yaml | grep -i ssl -A 1

Despite this fact, os2iot-backend still tries to establish a non-SSL connection with Postgres (SSL off entry in logs):

$ kubectl -n my-project logs os2iot-backend-779874f6b4-nm64j

os2iot-backend@0.0.1 prestart:prod /tmp/os2iot/backend
npm run run-migrations

os2iot-backend@0.0.1 run-migrations /tmp/os2iot/backend
npm run typeorm migration:run

os2iot-backend@0.0.1 typeorm /tmp/os2iot/backend
ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js --config ./ormconfig.js "migration:run"

Error during migration run:
error: no pg_hba.conf entry for host "10.1.0.130", user "psqladmin", database "os2iot", SSL off
    at Parser.parseErrorMessage (/tmp/os2iot/backend/node_modules/pg-protocol/src/parser.ts:357:11)
    at Parser.handlePacket (/tmp/os2iot/backend/node_modules/pg-protocol/src/parser.ts:186:21)
    at Parser.parse (/tmp/os2iot/backend/node_modules/pg-protocol/src/parser.ts:101:30)
    at Socket. (/tmp/os2iot/backend/node_modules/pg-protocol/src/index.ts:7:48)
    at Socket.emit (events.js:314:20)
    at Socket.EventEmitter.emit (domain.js:483:12)
    at addChunk (_stream_readable.js:297:12)
    at readableAddChunk (_stream_readable.js:272:9)
    at Socket.Readable.push (_stream_readable.js:213:10)
    at TCP.onStreamRead (internal/stream_base_commons.js:188:23) {
  length: 151,
  severity: 'FATAL',
  code: '28000',
  detail: undefined,
  hint: undefined,
  position: undefined,
  internalPosition: undefined,
  internalQuery: undefined,
  where: undefined,
  schema: undefined,
  table: undefined,
  column: undefined,
  dataType: undefined,
  constraint: undefined,
  file: 'auth.c',
  line: '597',
  routine: 'ClientAuthentication'
}
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! os2iot-backend@0.0.1 typeorm: ts-node -r tsconfig-paths/register ./node_modules/typeorm/cli.js --config ./ormconfig.js "migration:run"
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the os2iot-backend@0.0.1 typeorm script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /home/node/.npm/_logs/2022-08-03T07_28_53_504Z-debug.log
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! os2iot-backend@0.0.1 run-migrations: npm run typeorm migration:run
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the os2iot-backend@0.0.1 run-migrations script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /home/node/.npm/_logs/2022-08-03T07_28_53_602Z-debug.log
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! os2iot-backend@0.0.1 prestart:prod: npm run run-migrations
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the os2iot-backend@0.0.1 prestart:prod script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /home/node/.npm/_logs/2022-08-03T07_28_53_619Z-debug.log
$

Ps. I have disabled ssl mode on Postgres server, just for testing purposes. Then connection between os2iot-backend and Postgres was established.

ramogens commented 2 years ago

Hello @ppiorkow

Thank you for reporting this bug. Could you be so kind as to tell a bit more about the consequences of it? And did you find it in the latest version (1.2.0) of OS2iot?

Best,
Mogens - OS2iot product coordinator

ppiorkow commented 2 years ago

Hello @ramogens

The problem has been identified in the latest, 1.2.0, version of os2iot-backend. What are the consequences - I need to use ssl between os2iot-backend and postgresql database server in order to encrypt traffic, fulfill business requirements, etc. But os2iot-backend doesn't support ssl (or DATABASE_ENABLE_SSL=true is simply not enough and some additional settings are needed), so this traffic is unencrypted right now.

Regards,
Paweł

ramogens commented 2 years ago

Hi @ppiorkow

Thank you for the clarification. I'll create an issue and have someone look into it.

Best,
Mogens

GufCab commented 2 years ago

Hi @ppiorkow,

I think I see the issue. If you have a test setup, can you try and add "ssl": "true" to your ormconfig.js? (quotes around true are intentional)

So it becomes something like:

module.exports = {
    "type": "postgres",
    "host": process.env.DATABASE_HOSTNAME || "host.docker.internal",
    "port": parseInt(process.env.DATABASE_PORT, 10) || 5433,
    "username": process.env.DATABASE_USERNAME || "os2iot",
    "password": process.env.DATABASE_PASSWORD || "toi2so",
    "database": "os2iot",
    "synchronize": false,
    "logging": false,
    "entities": ["src/entities/*.ts", "src/entities/permissions/*.ts"],
    "migrations": ["src/migration/*.ts"],
    "cli": {
        "migrationsDir": "src/migration"
    },
    "ssl": "true"
}

ppiorkow commented 2 years ago

Hi @GufCab,

I have just tested "ssl": "true" in ormconfig.js - it works :) Thanks for support.

Ps. My intention is not to use locally copied OS2IoT-backend, so would "ssl": "true" be applied to OS2IoT-backend public repo as well?

ramogens commented 1 year ago

Hi @ppiorkow I understand your point. Yes, "ssl": "true" will be applied to the OS2IoT-backend public repo in the next release.
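
The thread settles on hard-coding "ssl": "true" in ormconfig.js. As an added example (not code from the OS2iot repository or from anyone in this thread), here is one way to derive the `ssl` option from DATABASE_ENABLE_SSL instead, so the flag in the issue title actually controls the connection. The helper names `parseBoolEnv`, `buildOrmConfig` and `assertSslHonoured` are hypothetical, as is the choice to treat an unset variable as "SSL off".

```javascript
// Added example: derive the TypeORM/pg "ssl" option from DATABASE_ENABLE_SSL
// instead of hard-coding it. All helper names are hypothetical.

// Parse a boolean-like env value strictly; anything unrecognised is an error,
// so a typo can never silently fall back to a plaintext connection.
function parseBoolEnv(name, value) {
    if (value === undefined || value === "") return false; // assumption: unset means off
    const v = String(value).trim().toLowerCase();
    if (["true", "1", "yes"].includes(v)) return true;
    if (["false", "0", "no"].includes(v)) return false;
    throw new Error(`${name} has unrecognised value "${value}"`);
}

// Build the ormconfig object from an env-like map (process.env in production).
function buildOrmConfig(env) {
    const sslWanted = parseBoolEnv("DATABASE_ENABLE_SSL", env.DATABASE_ENABLE_SSL);
    return {
        type: "postgres",
        host: env.DATABASE_HOSTNAME || "host.docker.internal",
        port: parseInt(env.DATABASE_PORT, 10) || 5433,
        username: env.DATABASE_USERNAME || "os2iot",
        password: env.DATABASE_PASSWORD || "toi2so",
        database: "os2iot",
        synchronize: false,
        logging: false,
        entities: ["src/entities/*.ts", "src/entities/permissions/*.ts"],
        migrations: ["src/migration/*.ts"],
        cli: { migrationsDir: "src/migration" },
        // The object form is handed to node-postgres and on to Node's TLS layer;
        // rejectUnauthorized keeps server-certificate verification switched on.
        ssl: sslWanted ? { rejectUnauthorized: true } : false,
    };
}

// Startup guard: refuse to run if the env asks for TLS but the config lost it,
// which is the failure mode reported in this issue.
function assertSslHonoured(config, env) {
    const wanted = parseBoolEnv("DATABASE_ENABLE_SSL", env.DATABASE_ENABLE_SSL);
    if (wanted && !config.ssl) {
        throw new Error("DATABASE_ENABLE_SSL=true but ormconfig has no ssl option");
    }
    return true;
}

// In ormconfig.js: module.exports = buildOrmConfig(process.env);
```

With `rejectUnauthorized: true` the Postgres server certificate must chain to a CA the Node process trusts; for a private CA, add its PEM under the `ca` key of the same `ssl` object.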