Jsonata: Support creating TLS server (#73)

* Jsonata: Support creating TLS server

Signed-off-by: Pierangelo Di Pilato <[email protected]>

* Docker exclude dev ssl certs

Signed-off-by: Pierangelo Di Pilato <[email protected]>

---------

Signed-off-by: Pierangelo Di Pilato <[email protected]>

Author: pierDipi

transform-jsonata/.dockerignore

@@ -1,3 +1,4 @@
 node_modules
 examples
 README.md
+ssl

transform-jsonata/README.md

@@ -15,9 +15,12 @@ broker <- trigger <- (response) <-
 Assuming current working directory is `transform-jsonata`
 
 ```shell
-npm dev
+npm run dev
 
-# or npm dev-kubevirt to inject a different example transformation
+npm run dev-kubevirt # to inject a different example transformation
+
+npm run dev-tls      # to start the HTTP and HTTPS Servers
+npm run dev-tls-only # to start the HTTPS Server only
 ```
 
 ### Tracing

transform-jsonata/jsonata.js

@@ -2,6 +2,8 @@ const express = require('express');
 const {HTTP} = require("cloudevents");
 const jsonata = require('jsonata');
 const fs = require('node:fs');
+const http = require('http');
+const https = require('https');
 const fsPromises = require('node:fs').promises;
 const {buffer} = require('node:stream/consumers');
 
@@ -31,10 +33,18 @@ const {ZipkinExporter} = require('@opentelemetry/exporter-zipkin');
 const {W3CTraceContextPropagator, CompositePropagator} = require("@opentelemetry/core");
 const {B3InjectEncoding, B3Propagator} = require("@opentelemetry/propagator-b3");
 
-const port = process.env.PORT = process.env.PORT || 8080;
+const httpPort = process.env.HTTP_PORT || 8080;
+const httpsPort = process.env.HTTPS_PORT || 8443;
+const httpsCertPath = process.env.HTTPS_CERT_PATH;
+const httpsKeyPath = process.env.HTTPS_KEY_PATH;
+const disableHTTPServer = process.env.DISABLE_HTTP_SERVER === 'true';
 const k_sink = process.env.K_SINK || undefined;
 const jsonata_transform_file_name = process.env.JSONATA_TRANSFORM_FILE_NAME || undefined;
 
+if (disableHTTPServer && (!httpsKeyPath || !fs.existsSync(httpsKeyPath) || !httpsCertPath || !fs.existsSync(httpsCertPath))) {
+   throw new Error(`HTTP and HTTPS server are both disabled, disableHTTPServer='${disableHTTPServer}', httpsKeyPath='${httpsKeyPath}', httpsCertPath=${httpsCertPath}`);
+}
+
 // Allow transforming the response received by the endpoint defined by K_SINK
 const jsonata_response_transform_file_name = process.env.JSONATA_RESPONSE_TRANSFORM_FILE_NAME || undefined;
 
@@ -250,7 +260,7 @@ app.post("/", async (req, res) => {
         const k_sink_url = new URL(k_sink)
         const kSinkSendSpan = tracer.startSpan('k_sink_send', {
             attributes: {
-                [ATTR_URL_SCHEME]: k_sink_url.protocol.endsWith(':') ? k_sink_url.protocol.substring(0, k_sink_url.protocol.length-1) : k_sink_url.protocol,
+                [ATTR_URL_SCHEME]: k_sink_url.protocol.endsWith(':') ? k_sink_url.protocol.substring(0, k_sink_url.protocol.length - 1) : k_sink_url.protocol,
                 [ATTR_SERVER_ADDRESS]: k_sink_url.hostname,
                 [ATTR_SERVER_PORT]: k_sink_url.port,
             }
@@ -267,6 +277,7 @@ app.post("/", async (req, res) => {
                         headers: k_sink_request_headers,
                         body: JSON.stringify(transformed),
                         redirect: 'error',
+                        signal: req.signal,
                     })
                     kSinkSendSpan.setAttributes({
                         'http.status_code': result.status,
@@ -360,7 +371,7 @@ app.post("/", async (req, res) => {
 });
 
 // guessTransformedContentType tries to guess the transformed event content type.
-// 1. If the transformed event contains a special "contentype" field, it returns it.
+// 1. If the transformed event contains a special "contenttype" field, it returns it.
 // 2. Otherwise, it tries to find CloudEvents "specversion" attribute and, if it's present, returns
 // the CloudEvent structured content type "application/cloudevents+json".
 // 3. Lastly, it falls back to "application/json" if none of the above are specified.
@@ -384,19 +395,71 @@ app.get('/readyz', (req, res) => {
 
 app.disable('x-powered-by');
 
-const server = app.listen(port, () => {
-    console.log(`Jsonata server listening on port ${port}`)
-})
+let httpServer = null
+let httpsServer = null
+
+if (!disableHTTPServer) {
+    httpServer = http.createServer(app)
+        .listen(httpPort, () => {
+            console.log(`Jsonata HTTP server listening on port ${httpPort}`)
+        })
+}
+
+if (httpsCertPath && httpsKeyPath) {
+    const httpsServerOptions = {
+        cert: fs.readFileSync(httpsCertPath),
+        key: fs.readFileSync(httpsKeyPath),
+
+        // TLS Versions
+        minVersion: 'TLSv1.2', // Minimum TLS version (avoid older, less secure protocols)
+        maxVersion: 'TLSv1.3', // Maximum TLS version
+
+        // Cipher Suites
+        ciphers: [
+            'ECDHE-ECDSA-AES128-GCM-SHA256',
+            'ECDHE-RSA-AES128-GCM-SHA256',
+            'ECDHE-ECDSA-AES256-GCM-SHA384',
+            'ECDHE-RSA-AES256-GCM-SHA384',
+            'ECDHE-ECDSA-CHACHA20-POLY1305',
+            'ECDHE-RSA-CHACHA20-POLY1305',
+            'DHE-RSA-AES128-GCM-SHA256',
+            'DHE-RSA-AES256-GCM-SHA384'
+        ].join(':'),
+
+        // Attempt to use server cipher suite preference instead of clients
+        honorCipherOrder: true,
+
+        // Additional security options
+        secureOptions:
+            require('constants').SSL_OP_NO_TLSv1 |
+            require('constants').SSL_OP_NO_TLSv1_1 |
+            require('constants').SSL_OP_NO_COMPRESSION,
+    }
+
+    httpsServer = https.createServer(httpsServerOptions, app)
+        .listen(httpsPort, () => {
+            console.log(`Jsonata HTTPS server listening on port ${httpsPort}`)
+        })
+}
 
 process.on('SIGINT', shutDown);
 process.on('SIGTERM', shutDownNow);
 
 let connections = [];
 
-server.on('connection', connection => {
-    connections.push(connection);
-    connection.on('close', () => connections = connections.filter(curr => curr !== connection));
-});
+if (httpServer) {
+    httpServer.on('connection', connection => {
+        connections.push(connection);
+        connection.on('close', () => connections = connections.filter(curr => curr !== connection));
+    });
+}
+
+if (httpsServer) {
+    httpsServer.on('connection', connection => {
+        connections.push(connection);
+        connection.on('close', () => connections = connections.filter(curr => curr !== connection));
+    });
+}
 
 function shutDown() {
     console.log('Received interrupt signal, shutting down gracefully');
@@ -413,14 +476,30 @@ function shutDown() {
 function shutDownNow() {
     console.log('Shutting down gracefully');
 
-    server.close(() => {
-        console.log('Closed out remaining connections');
+    const closePromises = []
+    if (httpServer) {
+        closePromises.push(new Promise((resolve, _) => {
+            httpServer.close(() => {
+                console.log('Closed out remaining HTTP connections');
+                resolve()
+            });
+        }))
+    }
+    if (httpsServer) {
+        closePromises.push(new Promise((resolve, _) => {
+            httpsServer.close(() => {
+                console.log('Closed out remaining HTTPS connections');
+                resolve()
+            });
+        }))
+    }
 
+    Promise.all(closePromises).then(() => {
         console.log('Shutting down tracing...');
         batchSpanProcessor.shutdown().then(() => {
             process.exit(0);
         });
-    });
+    })
 
     setTimeout(() => {
         console.error('Could not close connections in time, forcefully shutting down');

transform-jsonata/package-lock.json

@@ -3,25 +3,28 @@
   "author": "Knative authors",
   "scripts": {
     "dev": "NODE_ENV=development OIDC_TOKEN_FILE=./examples/example-token.txt JSONATA_TRANSFORM_FILE_NAME=./examples/jsonata_transform_identity.jsonata nodemon ./jsonata.js",
+    "dev-tls": "HTTPS_CERT_PATH=./ssl/server.crt HTTPS_KEY_PATH=./ssl/server.key npm run dev",
+    "dev-tls-only": "DISABLE_HTTP_SERVER=true HTTPS_CERT_PATH=./ssl/server.crt HTTPS_KEY_PATH=./ssl/server.key npm run dev",
     "dev-kubevirt": "NODE_ENV=development OIDC_TOKEN_FILE=./examples/example-token.txt JSONATA_TRANSFORM_FILE_NAME=./examples/ce_apiserversource_kubevirt.jsonata nodemon ./jsonata.js",
     "dev-zipkin": "NODE_ENV=development K_TRACING_CONFIG='{\"backend\":\"zipkin\", \"zipkin-endpoint\": \"http://localhost:9411/api/v2/spans\", \"sample-rate\":\"1\"}' OIDC_TOKEN_FILE=./examples/example-token.txt JSONATA_TRANSFORM_FILE_NAME=./examples/jsonata_transform_identity.jsonata nodemon ./jsonata.js"
   },
   "dependencies": {
-    "jsonata": "^2.0.6",
-    "cloudevents": "^8.0.2",
-    "express": "^4.21.2",
     "@opentelemetry/api": "1.9.0",
     "@opentelemetry/core": "^1.30.1",
-    "@opentelemetry/sdk-trace-node": "^1.30.1",
+    "@opentelemetry/exporter-zipkin": "^1.30.1",
+    "@opentelemetry/propagator-b3": "^1.30.1",
     "@opentelemetry/resources": "^1.30.1",
-    "@opentelemetry/semantic-conventions": "^1.30.0",
     "@opentelemetry/sdk-trace-base": "^1.30.1",
-    "@opentelemetry/exporter-zipkin": "^1.30.1",
-    "@opentelemetry/propagator-b3": "^1.30.1"
+    "@opentelemetry/sdk-trace-node": "^1.30.1",
+    "@opentelemetry/semantic-conventions": "^1.30.0",
+    "cloudevents": "^8.0.2",
+    "constants": "^0.0.2",
+    "express": "^4.21.2",
+    "jsonata": "^2.0.6"
   },
   "devDependencies": {
-    "nodemon": "^3.1.9",
+    "@types/express": "^4.17.21",
     "@types/node": "^22.13.1",
-    "@types/express": "^4.17.21"
+    "nodemon": "^3.1.9"
   }
 }

transform-jsonata/package.json

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIUYXiPhq/+IDzjVDxnsqaGlLgNxOAwDQYJKoZIhvcNAQEL
+BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNTAzMDQxNTI1MzhaFw0zNTAzMDIx
+NTI1MzhaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQCj9jIL/fhhn2WKcqgose1uXwSvv8OwdBuX7XtcvFD6TiXgyckR
+fnJMHM+UM5oQvr7dDrzksDy62I/xHL6+pKIP6aLpMGgC27qz8EFkK5UcErs6+5xj
+wcY3zWEwMWaohcnN/O5uh0Oy0ijk8/sx4GNjhupJ+DMXAupyXE8c3GOoK6Gn2jMa
+wyUy8e2Xy5pj4vqIvuv0D0N5xGcMu4JA/7pxmbeP1USVVNf+3hDxO4Vm7jVPIiYW
+24gzaY5OghyJFz6ebbj7ngLlcMEHZsCwTHzY+BiCTy2dB9IMfOXmBs6iAZUTceJV
+jDrXo4b3W9FL95+nfUDQtmBMmIO5SCvXse1tAgMBAAGjUzBRMB0GA1UdDgQWBBRf
+f/9QWyfX2Ch2oZdCW1aNKm9LlDAfBgNVHSMEGDAWgBRff/9QWyfX2Ch2oZdCW1aN
+Km9LlDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBJSKdV+ALQ
+KBymOHveJJNIqEJBsr5QmBN+JX2zRehE2C+yIX3oDpUqM8Ter3xS3nghmsf3JkFn
+HVYo1DqkTtN7QvoCSeZacCul51RYgWIRP4p+CyaizNSbhb79YDtjBgq2kriKccYf
+PDYhWV7fSd9UYMfNm9mOOr59I7JhK3+4CBWdctKPQb45Tv9C3k+hr5g4XOn/+f3F
+VByoFFrxTWFkXDAgMBeYrp94rkIcOqTdCEjwr1pZghONasl+nuGDFf7CeltYtJ30
+vZ9AsO/55lW2XLm14RqeUEm6DSej7JbD6B8ggOie9QVD+Mma29EXcdAeedzjeoBg
++DscIEgUdZW5
+-----END CERTIFICATE-----

transform-jsonata/ssl/server.crt

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCj9jIL/fhhn2WK
+cqgose1uXwSvv8OwdBuX7XtcvFD6TiXgyckRfnJMHM+UM5oQvr7dDrzksDy62I/x
+HL6+pKIP6aLpMGgC27qz8EFkK5UcErs6+5xjwcY3zWEwMWaohcnN/O5uh0Oy0ijk
+8/sx4GNjhupJ+DMXAupyXE8c3GOoK6Gn2jMawyUy8e2Xy5pj4vqIvuv0D0N5xGcM
+u4JA/7pxmbeP1USVVNf+3hDxO4Vm7jVPIiYW24gzaY5OghyJFz6ebbj7ngLlcMEH
+ZsCwTHzY+BiCTy2dB9IMfOXmBs6iAZUTceJVjDrXo4b3W9FL95+nfUDQtmBMmIO5
+SCvXse1tAgMBAAECggEAD6cSuwtZWXR+nJt6izwFNyqyB1cuxtsmwTfGNaGyt1qb
+ihypadag8bw0YukUNbIIBZGBHfHnMk03XKTKXufXot5Ck7Fv1IoGhmQS0g3JE9+D
+6UsY8HsQwcYFF7U3oDH5hIU3e+zE3T7r8YOLQQUzZ8568mnT8sfv+s/uK4qspuKw
+OS9Dgp8LeNQuxuf2JBsPIw/FJ0/Yy9iRTmsabzs67NCCwPFhCROhP+lCnRhT3lM1
+I8nB2B59kzk8V5jqza4jxsA/v4Ru6G/QPZcKl1kkGbnU3pOgTm5bBPQ6tYZuAQZo
+Dufx8N5O7g+2ssNBiLdEDNgUGhRyB51U4wFt/zz93wKBgQDcRJk60z8eWy27bYHv
+tYNYxIdhqGCkCgYxcZlBcjY/Wivk1KNoSWVch3vsvsn/jV7gGdyCqxJl6mAJy67s
+4fjLWFSGHjcL6bwF+87hXg+ylc8QuVSMs0GqbmHx4Q5LWTSDB5slDMmst6QqIODt
+0xEMI51oXcwasKAQMSXi3lhcVwKBgQC+j0gPoKG1YaGjCEaOGPnMhS/7bdPk6Au9
+4dKIEn+oy2L08Kseyg6GeLE72m6zd2/OsTHZb+eWyfnNeUKWg+lsTUdFkt0YtFt7
+gSM1lGl0Hbk9c7pKaU6d0MA7iF8XeADEKuUgzZaY/nB34p0qTTBHMxkclyVFN9Sr
+P16onJcp2wKBgQDQfN3MoEcOJJ+U2II0skowq1S5SvauTg6unifBmqleLat+XQaO
+n2ohutvBqpToHpe+5ruhsusnLEDbBL/916X2UxUuHUtdK0+dGksnZjDViJcF7WXq
+B4IQH4r1t2AgUb8yhvCCkSgTI39voM9GTJHGO6+yKZYXbTcUHHEP3AUm4QKBgFvq
+Co0XIsi1Rdy4cie6Hksq9uDksa8YygkVspHVsmO9bobMyw030tfDwWEoU/sWogRl
+bbD+jAsscuRMF/U3vVBy2ezSEPkIjZO9zzjZ1B+g8qeUeYfI0ZXHieFtPsi4Jk54
+jjpLT9eN6ru4v6wWvTGqkPM8aErByj+rekID/dm/AoGBAKZiUICaXF1wIfvzGx7c
+VYc/7vpme//fQ6x+oQnZ4j7KIVc9gzPoe+uj2qIniymUNnGPeV0tUI41clCqHohU
+nT0YiDeaZ5QCig+si6ywQXxJ/pmcuzGACKkYHbYGpSPUQftBhczCQTwPz3GCsnQo
+2uYRf7jtxuuXy30AzjMjfcmu
+-----END PRIVATE KEY-----