Configurable server_ca contents

4 years ago · 6dd3397f5e
parent b0539a8c8f
commit 6dd3397f5e
4 changed files with 27 additions and 3 deletions
--- a/app/controllers/carto/api/dbdirect_certificates_controller.rb
+++ b/app/controllers/carto/api/dbdirect_certificates_controller.rb
@ -93,7 +93,8 @@ module Carto
          certificate_name: certificate_name,
          username: username,
          dbproxy_host: dbproxy_host,
-          dbproxy_port: dbproxy_port
+          dbproxy_port: dbproxy_port,
+          server_ca_present: server_ca.present?
        )
        filename = "#{certificate_name}.zip"

--- a/app/views/carto/api/dbdirect_certificates/README.txt.erb
+++ b/app/views/carto/api/dbdirect_certificates/README.txt.erb
@ -15,10 +15,12 @@ Contents:
 * client.key. Matching private key file in RSA PEM format. On UNIX-like systems (Linux, Mac OS, ...)
 this file should be protected with: `chmod 0600 client.key`.
 * client.key.pk8. Matching private key file in DER PKCS #8 format.
+<% if server_ca_present %>
 * server_ca.pem. This certificate allows you to check the identity of CARTO's database server.
+<% end %>

 You'll need to configure your application to use TLS with client.key and client.crt
-(and optionally server_ca.pem) when connecting to your database.
+<% if server_ca_present %>(and optionally server_ca.pem)<% end %> when connecting to your database.

 Your database address (host server) is: <%= dbproxy_host %>
 And the TCP port is: <%= dbproxy_port %>
@ -31,11 +33,19 @@ We advise you to generate specific keys and not to use your master API key.
 We advise against exposing your Master API Key since it allows unrestricted access to your database.

 Example: connect using psql:
+<% if server_ca_present %>
 psql "sslmode=verify-full sslrootcert=server_ca.pem \
     sslcert=client.crt sslkey=client.key \
     host=<%= dbproxy_host %> \
     port=<%= dbproxy_port %> \
     user=<%= username %>"
+<% else %>
+ psql "sslmode=require \
+     sslcert=client.crt sslkey=client.key \
+     host=<%= dbproxy_host %> \
+     port=<%= dbproxy_port %> \
+     user=<%= username %>"
+<% end %>

 Please note that this feature is a beta version still undergoing testing before an official release.

--- a/config/app_config.yml.sample
+++ b/config/app_config.yml.sample
@ -779,6 +779,7 @@ defaults: &defaults
      aws_access_key_id: ''
      aws_secret_key: ''
      aws_region: us-east-1
+      server_ca: disabled
    pgproxy:
      host: 'dbconn.carto.com'
      port: 5432
--- a/lib/carto/dbdirect/certificate_manager.rb
+++ b/lib/carto/dbdirect/certificate_manager.rb
@ -27,7 +27,7 @@ module Carto
            client_key: key,
            client_crt: certificate
          }
-          certificates[:server_ca] = aws_get_ca_certificate_chain if server_ca
+          certificates[:server_ca] = get_server_ca if server_ca
          certificates[:client_key_pk8] = key_pk8 if pk8
        end
        [certificates, arn]
@ -48,6 +48,18 @@ module Carto
      TEMPLATE_ARN = "arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1".freeze
      VALIDITY_TYPE_DAYS = "DAYS".freeze

+      def get_server_ca
+        # If not configured, the CA used to sign client certifivates will be used (handy for development)
+        return aws_get_ca_certificate_chain unless config['server_ca'].present? || config['server_ca'] == 'client_ca'
+
+        # No server_ca file will be generated (it shouldn't be needed) if special value 'disabled' is used
+        return if config['server_ca'] == 'disabled'
+
+        # Otherwise the certificate chain should be stored and accessible through a url
+        # TODO: cache based on URL (config['server_ca']) with TTL=?
+        open(config['server_ca']) { |io| io.read }
+      end
+
      def openssl_generate_key(passphrase)
        key = OpenSSL::PKey::RSA.new 2048
        if passphrase.present?