refactor: Use new ConnectSettings.DnsNames field to validate the server certificate's server name.

Author: hessjcg

package-lock.json

@@ -83,9 +83,9 @@
     "url": "git+https://github.com/GoogleCloudPlatform/cloud-sql-nodejs-connector"
   },
   "dependencies": {
-    "@googleapis/sqladmin": "^24.0.0",
+    "@googleapis/sqladmin": "^27.0.0",
     "gaxios": "^6.1.1",
     "google-auth-library": "^9.2.0",
     "p-throttle": "^7.0.0"
   }
-}
+}

package.json

@@ -232,7 +232,6 @@ export class Connector {
           port,
           privateKey,
           serverCaCert,
-          serverCaMode,
           dnsName,
         } = cloudSqlInstance;
 
@@ -251,8 +250,8 @@ export class Connector {
             port,
             privateKey,
             serverCaCert,
-            serverCaMode,
-            dnsName: instanceInfo.domainName || dnsName, // use the configured domain name, or the instance dnsName.
+            instanceDnsName: dnsName,
+            serverName: instanceInfo.domainName || dnsName, // use the configured domain name, or the instance dnsName.
           });
           tlsSocket.once('error', () => {
             cloudSqlInstance.forceRefresh();

src/connector.ts

@@ -26,17 +26,17 @@ interface SocketOptions {
   instanceInfo: InstanceConnectionInfo;
   privateKey: string;
   serverCaCert: SslCert;
-  serverCaMode: string;
-  dnsName: string;
+  instanceDnsName: string;
+  serverName: string;
 }
 
 export function validateCertificate(
   instanceInfo: InstanceConnectionInfo,
-  serverCaMode: string,
-  dnsName: string
+  instanceDnsName: string,
+  serverName: string
 ) {
   return (hostname: string, cert: tls.PeerCertificate): Error | undefined => {
-    if (!serverCaMode || serverCaMode === 'GOOGLE_MANAGED_INTERNAL_CA') {
+    if (!instanceDnsName) {
       // Legacy CA Mode
       if (!cert || !cert.subject) {
         return new CloudSQLConnectorError({
@@ -54,7 +54,7 @@ export function validateCertificate(
       return undefined;
     } else {
       // Standard TLS Verify Full hostname verification using SAN
-      return tls.checkServerIdentity(dnsName, cert);
+      return tls.checkServerIdentity(serverName, cert);
     }
   };
 }
@@ -66,8 +66,8 @@ export function getSocket({
   instanceInfo,
   privateKey,
   serverCaCert,
-  serverCaMode,
-  dnsName,
+  instanceDnsName,
+  serverName,
 }: SocketOptions): tls.TLSSocket {
   const socketOpts = {
     host,
@@ -80,8 +80,8 @@ export function getSocket({
     }),
     checkServerIdentity: validateCertificate(
       instanceInfo,
-      serverCaMode,
-      dnsName
+      instanceDnsName,
+      serverName
     ),
   };
   const tlsSocket = tls.connect(socketOpts);

src/socket.ts

@@ -132,6 +132,7 @@ export class SQLAdminFetcher {
   private parseIpAddresses(
     ipResponse: sqladmin_v1beta4.Schema$IpMapping[] | undefined,
     dnsName: string | null | undefined,
+    dnsNames: sqladmin_v1beta4.Schema$DnsNameMapping[] | null | undefined,
     pscEnabled: boolean | null | undefined
   ): IpAddresses {
     const ipAddresses: IpAddresses = {};
@@ -149,8 +150,24 @@ export class SQLAdminFetcher {
     // Resolve dnsName into IP address for PSC enabled instances.
     // Note that we have to check for PSC enablement because CAS instances
     // also set the dnsName field.
-    if (dnsName && pscEnabled) {
-      ipAddresses.psc = dnsName;
+    if (pscEnabled) {
+      // Search the dns_names field for the PSC DNS Name.
+      if (dnsNames) {
+        for (const dnm of dnsNames) {
+          if (
+            dnm.name &&
+            dnm.connectionType === 'PRIVATE_SERVICE_CONNECT' &&
+            dnm.dnsScope === 'INSTANCE'
+          ) {
+            ipAddresses.psc = dnm.name;
+            break;
+          }
+        }
+      }
+      // If the psc dns name was not found, use the legacy dns_name field
+      if (!ipAddresses.psc && dnsName) {
+        ipAddresses.psc = dnsName;
+      }
     }
 
     if (!ipAddresses.public && !ipAddresses.private && !ipAddresses.psc) {
@@ -188,6 +205,7 @@ export class SQLAdminFetcher {
     const ipAddresses = this.parseIpAddresses(
       res.data.ipAddresses,
       res.data.dnsName,
+      res.data.dnsNames,
       res.data.pscEnabled
     );
 
@@ -214,6 +232,16 @@ export class SQLAdminFetcher {
     }
 
     cleanGaxiosConfig();
+    // Find a DNS name to use to validate the certificate from the dns_names field. Any
+    // name in the list may be used to validate the server TLS certificate.
+    // Fall back to legacy dns_name field if necessary.
+    let serverName = null;
+    if (res.data.dnsNames && res.data.dnsNames.length > 0) {
+      serverName = res.data.dnsNames[0].name;
+    }
+    if (serverName === null) {
+      serverName = res.data.dnsName;
+    }
 
     return {
       ipAddresses,
@@ -222,7 +250,7 @@ export class SQLAdminFetcher {
         expirationTime: serverCaCert.expirationTime,
       },
       serverCaMode: res.data.serverCaMode || '',
-      dnsName: res.data.dnsName || '',
+      dnsName: serverName || '',
     };
   }
 

src/sqladmin-fetcher.ts

@@ -98,7 +98,13 @@ const mockSQLAdminGetInstanceMetadata = (
 
   sqlAdminClient.get = () => ({
     data: {
-      dnsName: 'abcde.12345.us-central1.sql.goog',
+      dnsNames: [
+        {
+          name: 'abcde.12345.us-central1.sql.goog',
+          connectionType: 'PRIVATE_SERVICE_CONNECT',
+          dnsScope: 'INSTANCE',
+        },
+      ],
       ipAddresses: [
         {
           type: 'PRIMARY',