feat: Support Private CA for server certificates.

hessjcg · hessjcg · commit a39c7fb7ee7d · 2025-01-08T16:13:57.000-07:00
test: Integration test for Customer Private CA CAS instance.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -161,6 +161,8 @@ jobs:
             POSTGRES_DB:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_DB
             POSTGRES_CAS_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CAS_CONNECTION_NAME
             POSTGRES_CAS_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CAS_PASS
+            POSTGRES_CUSTOMER_CAS_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CUSTOMER_CAS_CONNECTION_NAME
+            POSTGRES_CUSTOMER_CAS_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/POSTGRES_CUSTOMER_CAS_PASS
             SQLSERVER_CONNECTION_NAME:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_CONNECTION_NAME
             SQLSERVER_USER:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_USER
             SQLSERVER_PASS:${{ vars.GOOGLE_CLOUD_PROJECT }}/SQLSERVER_PASS
@@ -188,6 +190,8 @@ jobs:
           POSTGRES_DB: "${{ steps.secrets.outputs.POSTGRES_DB }}"
           POSTGRES_CAS_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CAS_CONNECTION_NAME }}"
           POSTGRES_CAS_PASS: "${{ steps.secrets.outputs.POSTGRES_CAS_PASS }}"
+          POSTGRES_CUSTOMER_CAS_CONNECTION_NAME: "${{ steps.secrets.outputs.POSTGRES_CUSTOMER_CAS_CONNECTION_NAME }}"
+          POSTGRES_CUSTOMER_CAS_PASS: "${{ steps.secrets.outputs.POSTGRES_CUSTOMER_CAS_PASS }}"
           SQLSERVER_CONNECTION_NAME: "${{ steps.secrets.outputs.SQLSERVER_CONNECTION_NAME }}"
           SQLSERVER_USER: "${{ steps.secrets.outputs.SQLSERVER_USER }}"
           SQLSERVER_PASS: "${{ steps.secrets.outputs.SQLSERVER_PASS }}"
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/socket.ts b/src/socket.ts
@@ -36,7 +36,10 @@ export function validateCertificate(
   dnsName: string
 ) {
   return (hostname: string, cert: tls.PeerCertificate): Error | undefined => {
-    if (serverCaMode === 'GOOGLE_MANAGED_CAS_CA') {
+    if (
+      serverCaMode === 'GOOGLE_MANAGED_CAS_CA' ||
+      serverCaMode === 'CUSTOMER_MANAGED_CAS_CA'
+    ) {
       return tls.checkServerIdentity(dnsName, cert);
     }
     if (!cert || !cert.subject) {
diff --git a/system-test/pg-tests.ts b/system-test/pg-tests.ts
@@ -91,6 +91,33 @@ function pgTests(t, connectorModule, pgModule) {
       connector.close();
     }
   );
+
+  t.test(
+    'open connection to Customer Private CAS-based CA instance and retrieves standard pg tables',
+    async t => {
+      const connector = new Connector();
+      const clientOpts = await connector.getOptions({
+        instanceConnectionName: String(
+          process.env.POSTGRES_CUSTOMER_CAS_CONNECTION_NAME
+        ),
+      });
+      const client = new Client({
+        ...clientOpts,
+        user: String(process.env.POSTGRES_USER),
+        password: String(process.env.POSTGRES_CUSTOMER_CAS_PASS),
+        database: String(process.env.POSTGRES_DB),
+      });
+      client.connect();
+      const {
+        rows: [result],
+      } = await client.query('SELECT NOW();');
+      const returnedDate = result['now'];
+      t.ok(returnedDate.getTime(), 'should have valid returned date object');
+      await client.end();
+      connector.close();
+    }
+  );
+
 }
 
 export {pgTests};
