feat: Make Database SSL Configurable

This makes it configurable either through a single JSON file with all
three certificates as separate keys or via separate files per
ca/cert/key key.

fixes #6718

src/lib/create-config.ts

@@ -1,25 +1,26 @@
 import { parse } from 'pg-connection-string';
 import merge from 'deepmerge';
 import * as fs from 'fs';
+import { readFileSync } from 'fs';
 import {
-    type IUnleashOptions,
-    type IUnleashConfig,
-    type IDBOption,
-    type ISessionOption,
-    type IServerOption,
-    type IVersionOption,
     type IAuthOption,
     IAuthType,
-    type IImportOption,
-    type IEmailOption,
-    type IListeningPipe,
-    type IListeningHost,
-    type IUIConfig,
+    type IClientCachingOption,
     type ICspDomainConfig,
     type ICspDomainOptions,
-    type IClientCachingOption,
+    type IDBOption,
+    type IEmailOption,
+    type IImportOption,
+    type IListeningHost,
+    type IListeningPipe,
     type IMetricsRateLimiting,
     type IRateLimiting,
+    type IServerOption,
+    type ISessionOption,
+    type IUIConfig,
+    type IUnleashConfig,
+    type IUnleashOptions,
+    type IVersionOption,
 } from './types/option';
 import { getDefaultLogProvider, LogLevel, validateLogProvider } from './logger';
 import { defaultCustomAuthDenyAll } from './default-custom-auth-deny-all';
@@ -182,17 +183,63 @@ const dateHandlingCallback = (connection, callback) => {
     });
 };
 
+const databaseSslFromFile = (caFilePath: string) => {
+    try {
+        return readFileSync(caFilePath).toJSON();
+    } catch (e) {
+        return {};
+    }
+};
+
+const filesExists = (...filePath: string[]): boolean => {
+    return filePath.every((file) => fs.existsSync(file));
+};
+
+const databaseSsl = () => {
+    if (process.env.DATABASE_SSL != null) {
+        return JSON.parse(process.env.DATABASE_SSL);
+    } else if (
+        process.env.DATABASE_SSL_CA_CONFIG != null &&
+        filesExists(process.env.DATABASE_SSL_CA_CONFIG)
+    ) {
+        return databaseSslFromFile(process.env.DATABASE_SSL_CA_CONFIG);
+    } else if (
+        process.env.DATABASE_SSL_CA_FILE != null &&
+        process.env.DATABASE_SSL_KEY_FILE != null &&
+        process.env.DATABASE_SSL_CERT_FILE != null &&
+        filesExists(
+            process.env.DATABASE_SSL_CA_FILE,
+            process.env.DATABASE_SSL_KEY_FILE,
+            process.env.DATABASE_SSL_CERT_FILE,
+        )
+    ) {
+        return {
+            rejectUnauthorized: parseEnvVarBoolean(
+                process.env.DATABASE_SSL_REJECT_UNAUTHORIZED,
+                true,
+            ),
+            ca: readFileSync(process.env.DATABASE_SSL_CA_FILE),
+            key: readFileSync(process.env.DATABASE_SSL_KEY_FILE),
+            cert: readFileSync(process.env.DATABASE_SSL_CERT_FILE),
+        };
+    } else {
+        return {
+            rejectUnauthorized: parseEnvVarBoolean(
+                process.env.DATABASE_SSL_REJECT_UNAUTHORIZED,
+                false,
+            ),
+        };
+    }
+};
+
 const defaultDbOptions: WithOptional<IDBOption, 'user' | 'password' | 'host'> =
     {
         user: process.env.DATABASE_USERNAME,
         password: process.env.DATABASE_PASSWORD,
         host: process.env.DATABASE_HOST,
         port: parseEnvVarNumber(process.env.DATABASE_PORT, 5432),
         database: process.env.DATABASE_NAME || 'unleash',
-        ssl:
-            process.env.DATABASE_SSL != null
-                ? JSON.parse(process.env.DATABASE_SSL)
-                : { rejectUnauthorized: false },
+        ssl: databaseSsl(),
         driver: 'postgres',
         version: process.env.DATABASE_VERSION,
         acquireConnectionTimeout: secondsToMilliseconds(30),