input-output-hk / cardano-js-sdk

JavaScript SDK for interacting with Cardano, providing various key management options, with support for popular hardware wallets
https://input-output-hk.github.io/cardano-js-sdk/
Apache License 2.0

fix: allow unauthorized postgres connections #1320

Closed gytis-ivaskevicius closed 2 months ago

gytis-ivaskevicius commented 2 months ago

Context

We would like to avoid force-specifying certificates in deployments since it is causing us some headaches; this change fixes our issue.

This PR points to the release branch, but since the next release is coming soon I would be okay with changing it to master.

Tested on ops-preview-1. I noticed that cardano-services tests were failing; I think it's because I don't have Postgres running locally. I will see how the CI run goes.

gytis-ivaskevicius commented 2 months ago

Without the changes to postgres.ts, the application crashes with this error:

{"name":"provider-server","hostname":"ops-preview-1-cardanojs-backend-66fb5fb5bd-w8qlr","pid":1,"level":30,"msg":"[HttpServer] Started","time":"2024-06-05T16:09:20.519Z","v":0}
/nix/store/18121rn89iz0iihmpvki39nlb1kp22l5-cardano-sdk/libexec/incl/packages/cardano-services/dist/cjs/cli.js:38
    throw reason;
    ^

error: pg_hba.conf rejects connection for host "10.0.31.193", user "cardano_owner_user", database "cardano", no encryption
    at Parser.parseErrorMessage (/nix/store/18121rn89iz0iihmpvki39nlb1kp22l5-cardano-sdk/libexec/incl/node_modules/pg-protocol/dist/parser.js:287:98)
    at Parser.handlePacket (/nix/store/18121rn89iz0iihmpvki39nlb1kp22l5-cardano-sdk/libexec/incl/node_modules/pg-protocol/dist/parser.js:126:29)
    at Parser.parse (/nix/store/18121rn89iz0iihmpvki39nlb1kp22l5-cardano-sdk/libexec/incl/node_modules/pg-protocol/dist/parser.js:39:38)
    at Socket.<anonymous> (/nix/store/18121rn89iz0iihmpvki39nlb1kp22l5-cardano-sdk/libexec/incl/node_modules/pg-protocol/dist/index.js:11:42)
    at Socket.emit (node:events:513:28)
    at addChunk (node:internal/streams/readable:324:12)
    at readableAddChunk (node:internal/streams/readable:297:9)
    at Readable.push (node:internal/streams/readable:234:10)
    at TCP.onStreamRead (node:internal/stream_base_commons:190:23) {
  length: 178,
  severity: 'FATAL',
  code: '28000',
  detail: undefined,
  hint: undefined,
  position: undefined,
  internalPosition: undefined,
  internalQuery: undefined,
  where: undefined,
  schema: undefined,
  table: undefined,
  column: undefined,
  dataType: undefined,
  constraint: undefined,
  file: 'auth.c',
  line: '477',
  routine: 'ClientAuthentication'
}

I believe this way traffic is still encrypted but the certificate is not checked.
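
The distinction drawn in the last comment, as an added example that is not code from this PR or from cardano-js-sdk: a small audit helper that classifies the `ssl` option handed to a node-postgres client as plaintext, encrypted without certificate verification, or encrypted with verification. It assumes node-postgres 8 or later (which follows Node's `tls` default of `rejectUnauthorized: true`) and assumes the relaxed setting is `rejectUnauthorized: false`, since the patch itself is not shown on this page; the function names, host names and CA value are hypothetical.

```javascript
// Added example (not from the PR). Function names and sample configs are hypothetical.
// Assumes node-postgres >= 8, where an `ssl` object is passed through to tls.connect().
const POSTURE = Object.freeze({
  PLAINTEXT: 'plaintext',
  UNVERIFIED: 'encrypted-unverified',
  VERIFIED: 'encrypted-verified'
});

function classifyPgSsl(ssl) {
  // No ssl option (or false): the client never starts TLS. A server whose
  // pg_hba.conf has no matching non-TLS rule rejects it with SQLSTATE 28000
  // and "no encryption", as in the log above.
  if (ssl === undefined || ssl === null || ssl === false) return POSTURE.PLAINTEXT;
  // `true`: TLS with Node's defaults, so the certificate chain is verified.
  if (ssl === true) return POSTURE.VERIFIED;
  if (typeof ssl !== 'object') throw new TypeError('ssl must be a boolean or an object');
  // Node's tls only skips verification when the value is strictly `false`.
  return ssl.rejectUnauthorized === false ? POSTURE.UNVERIFIED : POSTURE.VERIFIED;
}

function auditPgConfigs(configs) {
  // Report every named config that is not fully verified.
  return Object.entries(configs)
    .map(([name, cfg]) => ({ name, posture: classifyPgSsl(cfg.ssl) }))
    .filter((finding) => finding.posture !== POSTURE.VERIFIED);
}

// Constructed sample configs; host and CA values are placeholders.
const sampleConfigs = {
  before: { host: 'db.example.internal', database: 'cardano' },
  relaxed: {
    host: 'db.example.internal',
    database: 'cardano',
    ssl: { rejectUnauthorized: false }
  },
  pinnedCa: {
    host: 'db.example.internal',
    database: 'cardano',
    ssl: { ca: '<PEM placeholder>' }
  }
};

console.log(auditPgConfigs(sampleConfigs));
```

An `encrypted-unverified` connection satisfies a `hostssl` rule and protects against passive capture, but the client does not authenticate the server, so it gives no protection against an on-path host presenting its own certificate.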