Adding support for insecure connections with plain TCP socket

Author: gionatamettifogo

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sqlitecloud/drivers",
-  "version": "0.0.40",
+  "version": "0.0.41",
   "description": "SQLiteCloud drivers for Typescript/Javascript in edge, web and node clients",
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",

src/transport-tls.ts

@@ -2,19 +2,18 @@
  * transport-tls.ts - handles low level communication with sqlitecloud server via tls socket and binary protocol
  */
 
-import { SQLiteCloudConfig, SQLCloudRowsetMetadata, SQLiteCloudError, SQLiteCloudDataTypes, ErrorCallback, ResultsCallback } from './types'
+import { SQLiteCloudConfig, SQLiteCloudError, ErrorCallback, ResultsCallback, SQLCloudRowsetMetadata, SQLiteCloudDataTypes } from './types'
 import { SQLiteCloudRowset } from './rowset'
-import { ConnectionTransport, getInitializationCommands } from './connection'
-import { anonimizeError, anonimizeCommand } from './connection'
+import { ConnectionTransport, getInitializationCommands, anonimizeError, anonimizeCommand } from './connection'
 
-import tls, { TLSSocket } from 'tls'
+import net from 'net'
+import tls from 'tls'
 const lz4 = require('lz4js')
 
-/**
- * The server communicates with clients via commands defined
- * in the SQLiteCloud Server Protocol (SCSP), see more at:
- * https://github.com/sqlitecloud/sdk/blob/master/PROTOCOL.md
- */
+// The server communicates with clients via commands defined in
+// SQLiteCloud Server Protocol (SCSP), see more at:
+// https://github.com/sqlitecloud/sdk/blob/master/PROTOCOL.md
+
 const CMD_STRING = '+'
 const CMD_ZEROSTRING = '!'
 const CMD_ERROR = '-'
@@ -34,6 +33,7 @@ const CMD_ARRAY = '='
 
 /**
  * Implementation of SQLiteCloudConnection that connects directly to the database via tls socket and raw, binary protocol.
+ * Connects with plain socket with no encryption is the ?insecure=1 parameter is specified.
  * SQLiteCloud low-level connection, will do messaging, handle socket, authentication, etc.
  * A connection socket is established when the connection is created and closed when the connection is closed.
  * All operations are serialized by waiting for any pending operations to complete. Once a connection is closed,
@@ -43,7 +43,7 @@ export class TlsSocketTransport implements ConnectionTransport {
   /** Configuration passed to connect */
   private config?: SQLiteCloudConfig
   /** Currently opened tls socket used to communicated with SQLiteCloud server */
-  private socket?: tls.TLSSocket | null
+  private socket?: tls.TLSSocket | net.Socket | null
 
   /** True if connection is open */
   get connected(): boolean {
@@ -69,36 +69,51 @@ export class TlsSocketTransport implements ConnectionTransport {
 
     this.config = config
 
-    // connect to tls socket, initialize connection, setup event handlers
-    this.socket = tls.connect(this.config.port as number, this.config.host, this.config.tlsOptions, () => {
-      if (!this.socket?.authorized) {
-        const anonimizedError = anonimizeError((this.socket as TLSSocket).authorizationError)
-        console.error('Connection was not authorized', anonimizedError)
-        this.close()
-        finish(new SQLiteCloudError('Connection was not authorized', { cause: anonimizedError }))
-      } else {
-        // the connection was closed before it was even opened,
-        // eg. client closed the connection before the server accepted it
-        if (this.socket === null) {
-          finish(new SQLiteCloudError('Connection was closed before it was done opening'))
-          return
-        }
-
-        // send initialization commands
-        console.assert(this.socket, 'Connection already closed')
-        const commands = getInitializationCommands(config)
-        this.processCommands(commands, error => {
-          if (error && this.socket) {
-            this.close()
-          }
-          if (callback) {
-            callback?.call(this, error)
-            callback = undefined
-          }
-          finish(error)
-        })
+    if (config.insecure) {
+      // connect to plain socket, without encryption, only if insecure parameter specified
+      // this option is mainly for testing purposes and is not available on production nodes
+      // which would need to connect using tls and proper certificates as per code below
+      const connectionOptions: net.SocketConnectOpts = {
+        host: config.host,
+        port: config.port as number
       }
-    })
+      this.socket = net.connect(connectionOptions, () => {
+        console.warn(`TlsTransport.connect - connected to ${config.host}:${config.port} using insecure protocol`)
+        callback?.call(this, null)
+      })
+    } else {
+      // connect to tls socket, initialize connection, setup event handlers
+      this.socket = tls.connect(this.config.port as number, this.config.host, this.config.tlsOptions, () => {
+        const tlsSocket = this.socket as tls.TLSSocket
+        if (!tlsSocket?.authorized) {
+          const anonimizedError = anonimizeError(tlsSocket.authorizationError)
+          console.error('Connection was not authorized', anonimizedError)
+          this.close()
+          finish(new SQLiteCloudError('Connection was not authorized', { cause: anonimizedError }))
+        } else {
+          // the connection was closed before it was even opened,
+          // eg. client closed the connection before the server accepted it
+          if (this.socket === null) {
+            finish(new SQLiteCloudError('Connection was closed before it was done opening'))
+            return
+          }
+
+          // send initialization commands
+          console.assert(this.socket, 'Connection already closed')
+          const commands = getInitializationCommands(config)
+          this.processCommands(commands, error => {
+            if (error && this.socket) {
+              this.close()
+            }
+            if (callback) {
+              callback?.call(this, error)
+              callback = undefined
+            }
+            finish(error)
+          })
+        }
+      })
+    }
 
     this.socket.on('close', () => {
       this.socket = null
@@ -408,9 +423,9 @@ function parseRowset(buffer: Buffer, spaceIndex: number): SQLiteCloudRowset {
  * Parse a chunk of a chunked rowset command, eg:
  * *LEN 0:VERS NROWS NCOLS DATA
  */
-function parseRowsetChunks(buffers: Buffer[]) {
+export function parseRowsetChunks(buffers: Buffer[]) {
   let metadata: SQLCloudRowsetMetadata = { version: 1, numberOfColumns: 0, numberOfRows: 0, columns: [] }
-  const data = []
+  const data: any[] = []
 
   for (let i = 0; i < buffers.length; i++) {
     let buffer: Buffer = buffers[i]
@@ -456,7 +471,7 @@ function popIntegers(buffer: Buffer, numberOfIntegers = 1): { data: number[]; fw
 }
 
 /** Parse command, extract its data, return the data and the buffer moved to the first byte after the command */
-function popData(buffer: Buffer): { data: SQLiteCloudDataTypes | SQLiteCloudRowset; fwdBuffer: Buffer } {
+export function popData(buffer: Buffer): { data: SQLiteCloudDataTypes | SQLiteCloudRowset; fwdBuffer: Buffer } {
   function popResults(data: any) {
     const fwdBuffer = buffer.subarray(commandEnd)
     return { data, fwdBuffer }
@@ -511,7 +526,7 @@ function popData(buffer: Buffer): { data: SQLiteCloudDataTypes | SQLiteCloudRows
 }
 
 /** Format a command to be sent via SCSP protocol */
-function formatCommand(command: string): string {
+export function formatCommand(command: string): string {
   const commandLength = Buffer.byteLength(command, 'utf-8')
   return `+${commandLength} ${command}`
 }

src/types.ts

@@ -25,6 +25,9 @@ export interface SQLiteCloudConfig {
   host?: string
   /** Port number for tls socket */
   port?: number
+  /** Connect using plain TCP port, without TLS encryption, NOT RECOMMENDED, TEST ONLY */
+  insecure?: boolean
+
   /** Optional query timeout passed directly to TLS socket */
   timeout?: number
   /** Name of database to open */

src/utilities.ts

@@ -139,6 +139,7 @@ export function validateConfiguration(config: SQLiteCloudConfig): SQLiteCloudCon
   config.compression = parseBoolean(config.compression)
   config.createDatabase = parseBoolean(config.createDatabase)
   config.nonlinearizable = parseBoolean(config.nonlinearizable)
+  config.insecure = parseBoolean(config.insecure)
 
   if (!config.username || !config.password || !config.host) {
     console.error('SQLiteCloudConnection.validateConfiguration - missing arguments', config)

test/connection-tls.test.ts

@@ -6,6 +6,7 @@ import { SQLiteCloudError } from '../src/index'
 import { SQLiteCloudConnection, anonimizeCommand } from '../src/connection'
 import {
   CHINOOK_DATABASE_URL,
+  INSECURE_DATABASE_URL,
   LONG_TIMEOUT,
   getTestingConfig,
   getChinookConfig,
@@ -85,6 +86,26 @@ describe('connection-tls', () => {
       expect(conn).toBeDefined()
     })
 
+    it('should connect with insecure connection string', done => {
+      if (INSECURE_DATABASE_URL) {
+        expect(INSECURE_DATABASE_URL).toBeDefined()
+        const conn = new SQLiteCloudConnection(INSECURE_DATABASE_URL, error => {
+          expect(error).toBeNull()
+          expect(conn.connected).toBe(true)
+
+          chinook.sendCommands('TEST STRING', (error, results) => {
+            conn.close()
+            expect(conn.connected).toBe(false)
+            done()
+          })
+        })
+        expect(conn).toBeDefined()
+      } else {
+        console.warn(`INSECURE_DATABASE_URL is not defined, ?insecure= connection will not be tested`)
+        done()
+      }
+    })
+
     it('should throw when connection string lacks credentials', done => {
       // use valid connection string but without credentials
       const testingConfig = getTestingConfig()

test/shared.ts

@@ -33,6 +33,9 @@ expect(CHINOOK_DATABASE_URL).toBeDefined()
 expect(TESTING_DATABASE_URL).toBeDefined()
 expect(GATEWAY_URL).toBeDefined()
 
+/** Url to insecure database used for testing */
+export const INSECURE_DATABASE_URL = process.env.INSECURE_DATABASE_URL as string
+
 export const SELF_SIGNED_CERTIFICATE = `-----BEGIN CERTIFICATE-----
 MIID6zCCAtOgAwIBAgIUI0lTm5CfVf3mVP8606CkophcyB4wDQYJKoZIhvcNAQEL
 BQAwgYQxCzAJBgNVBAYTAklUMQswCQYDVQQIDAJNTjEQMA4GA1UEBwwHVmlhZGFu

webpack.config.js

@@ -21,9 +21,11 @@ const productionConfig = {
     minimize: true
   },
 
+  // add mock 'net' module
   // add mock 'tls' module
   resolve: {
     fallback: {
+      net: false, // tell Webpack to ignore "net"
       tls: false // tell Webpack to ignore "tls"
     }
   }