feat(rbac): add support for rejectUnauthorized in PG SSL options

plugins/rbac-backend/src/database/casbin-adapter-factory.test.ts

@@ -185,6 +185,74 @@ describe('CasbinAdapterFactory', () => {
         },
       });
     });
+
+    it('test building an adapter using a PostgreSQL configuration with intentionally ssl and TLS options.', async () => {
+      const config = new ConfigReader({
+        backend: {
+          database: {
+            client: 'pg',
+            connection: {
+              host: 'localhost',
+              port: '5432',
+              user: 'postgresUser',
+              password: process.env.TEST,
+              ssl: {
+                ca: 'abc',
+                rejectUnauthorized: false,
+              },
+            },
+          },
+        },
+      });
+      const factory = new CasbinDBAdapterFactory(config, mockDatabaseManager);
+      const adapter = await factory.createAdapter();
+      expect(adapter).not.toBeNull();
+      expect(newAdapterMock).toHaveBeenCalledWith({
+        type: 'postgres',
+        host: 'localhost',
+        port: 5432,
+        username: 'postgresUser',
+        password: process.env.TEST,
+        database: 'test-database',
+        ssl: {
+          ca: 'abc',
+          rejectUnauthorized: false,
+        },
+      });
+    });
+
+    it('test building an adapter using a PostgreSQL configuration with intentionally ssl without CA.', async () => {
+      const config = new ConfigReader({
+        backend: {
+          database: {
+            client: 'pg',
+            connection: {
+              host: 'localhost',
+              port: '5432',
+              user: 'postgresUser',
+              password: process.env.TEST,
+              ssl: {
+                rejectUnauthorized: false,
+              },
+            },
+          },
+        },
+      });
+      const factory = new CasbinDBAdapterFactory(config, mockDatabaseManager);
+      const adapter = await factory.createAdapter();
+      expect(adapter).not.toBeNull();
+      expect(newAdapterMock).toHaveBeenCalledWith({
+        type: 'postgres',
+        host: 'localhost',
+        port: 5432,
+        username: 'postgresUser',
+        password: process.env.TEST,
+        database: 'test-database',
+        ssl: {
+          rejectUnauthorized: false,
+        },
+      });
+    });
   });
 
   it('ensure that building an adapter with an unknown configuration fails.', async () => {

plugins/rbac-backend/src/database/casbin-adapter-factory.ts

@@ -9,6 +9,11 @@ import { TlsOptions } from 'tls';
 
 const DEFAULT_SQLITE3_STORAGE_FILE_NAME = 'rbac.sqlite';
 
+type DbSSLOptions = {
+  ca?: string;
+  rejectUnauthorized?: boolean;
+};
+
 export class CasbinDBAdapterFactory {
   public constructor(
     private readonly config: ConfigApi,
@@ -65,6 +70,7 @@ export class CasbinDBAdapterFactory {
     if (!connection) {
       return undefined;
     }
+
     const ssl = (connection as { ssl: Object | boolean | undefined }).ssl;
 
     if (ssl === undefined) {
@@ -76,12 +82,17 @@ export class CasbinDBAdapterFactory {
     }
 
     if (typeof ssl.valueOf() === 'object') {
-      const ca = (ssl as { ca: string }).ca;
-      if (ca) {
-        return { ca };
+      const sslOpts = ssl as DbSSLOptions;
+      const tlsOpts = {
+        ca: sslOpts.ca,
+        rejectUnauthorized: sslOpts.rejectUnauthorized,
+      };
+
+      if (Object.values(tlsOpts).every(el => el === undefined)) {
+        return true;
       }
-      // SSL object was defined with some options that we don't support yet.
-      return true;
+
+      return tlsOpts;
     }
 
     return undefined;