Merge pull request sfackler#2 from uce/6716-config

uce · web-flow · commit 0f57dede5f86 · 2021-05-24T10:56:11.000+02:00
config: add sslmode `verify-ca` and `verify-full`
diff --git a/postgres/src/config.rs b/postgres/src/config.rs
@@ -5,11 +5,11 @@
 use crate::connection::Connection;
 use crate::Client;
 use log::info;
-use std::fmt;
 use std::path::Path;
 use std::str::FromStr;
 use std::sync::Arc;
 use std::time::Duration;
+use std::{fmt, path::PathBuf};
 use tokio::runtime;
 #[doc(inline)]
 pub use tokio_postgres::config::{ChannelBinding, Host, SslMode, TargetSessionAttrs};
@@ -33,8 +33,12 @@ use tokio_postgres::{Error, Socket};
 /// * `dbname` - The name of the database to connect to. Defaults to the username.
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
+/// * `sslcert` - Location of the client SSL certificate file.
+/// * `sslkey` - Location for the secret key file used for the client certificate.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`.
+/// * `sslrootcert` - Location of SSL certificate authority (CA) certificate.
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
@@ -183,6 +187,32 @@ impl Config {
         self.config.get_application_name()
     }
 
+    /// Sets the location of the client SSL certificate file.
+    ///
+    /// Defaults to `None`.
+    pub fn ssl_cert(&mut self, ssl_cert: &str) -> &mut Config {
+        self.config.ssl_cert(ssl_cert);
+        self
+    }
+
+    /// Gets the location of the client SSL certificate file.
+    pub fn get_ssl_cert(&self) -> Option<PathBuf> {
+        self.config.get_ssl_cert()
+    }
+
+    /// Sets the location of the secret key file used for the client certificate.
+    ///
+    /// Defaults to `None`.
+    pub fn ssl_key(&mut self, ssl_key: &str) -> &mut Config {
+        self.config.ssl_key(ssl_key);
+        self
+    }
+
+    /// Gets the location of the secret key file used for the client certificate.
+    pub fn get_ssl_key(&self) -> Option<PathBuf> {
+        self.config.get_ssl_key()
+    }
+
     /// Sets the SSL configuration.
     ///
     /// Defaults to `prefer`.
@@ -196,6 +226,19 @@ impl Config {
         self.config.get_ssl_mode()
     }
 
+    /// Sets the location of SSL certificate authority (CA) certificate.
+    ///
+    /// Defaults to `None`.
+    pub fn ssl_root_cert(&mut self, ssl_root_cert: &str) -> &mut Config {
+        self.config.ssl_root_cert(ssl_root_cert);
+        self
+    }
+
+    /// Gets the location of SSL certificate authority (CA) certificate.
+    pub fn get_ssl_root_cert(&self) -> Option<PathBuf> {
+        self.config.get_ssl_root_cert()
+    }
+
     /// Adds a host to the configuration.
     ///
     /// Multiple hosts can be specified by calling this method multiple times, and each will be tried in order. On Unix
diff --git a/tokio-postgres/src/config.rs b/tokio-postgres/src/config.rs
@@ -42,6 +42,10 @@ pub enum SslMode {
     Prefer,
     /// Require the use of TLS.
     Require,
+    /// Require the use of TLS.
+    VerifyCa,
+    /// Require the use of TLS.
+    VerifyFull,
 }
 
 /// Channel binding configuration.
@@ -94,8 +98,12 @@ pub enum Host {
 /// * `dbname` - The name of the database to connect to. Defaults to the username.
 /// * `options` - Command line options used to configure the server.
 /// * `application_name` - Sets the `application_name` parameter on the server.
+/// * `sslcert` - Location of the client SSL certificate file.
+/// * `sslkey` - Location for the secret key file used for the client certificate.
 /// * `sslmode` - Controls usage of TLS. If set to `disable`, TLS will not be used. If set to `prefer`, TLS will be used
-///     if available, but not used otherwise. If set to `require`, TLS will be forced to be used. Defaults to `prefer`.
+///     if available, but not used otherwise. If set to `require`, `verify-ca`, or `verify-full`, TLS will be forced to
+///     be used. Defaults to `prefer`.
+/// * `sslrootcert` - Location of SSL certificate authority (CA) certificate.
 /// * `host` - The host to connect to. On Unix platforms, if the host starts with a `/` character it is treated as the
 ///     path to the directory containing Unix domain sockets. Otherwise, it is treated as a hostname. Multiple hosts
 ///     can be specified, separated by commas. Each host will be tried in turn when connecting. Required if connecting
@@ -161,7 +169,10 @@ pub struct Config {
     pub(crate) dbname: Option<String>,
     pub(crate) options: Option<String>,
     pub(crate) application_name: Option<String>,
+    pub(crate) ssl_cert: Option<PathBuf>,
+    pub(crate) ssl_key: Option<PathBuf>,
     pub(crate) ssl_mode: SslMode,
+    pub(crate) ssl_root_cert: Option<PathBuf>,
     pub(crate) host: Vec<Host>,
     pub(crate) port: Vec<u16>,
     pub(crate) connect_timeout: Option<Duration>,
@@ -187,7 +198,10 @@ impl Config {
             dbname: None,
             options: None,
             application_name: None,
+            ssl_cert: None,
+            ssl_key: None,
             ssl_mode: SslMode::Prefer,
+            ssl_root_cert: None,
             host: vec![],
             port: vec![],
             connect_timeout: None,
@@ -266,6 +280,32 @@ impl Config {
         self.application_name.as_deref()
     }
 
+    /// Sets the location of the client SSL certificate file.
+    ///
+    /// Defaults to `None`.
+    pub fn ssl_cert(&mut self, ssl_cert: &str) -> &mut Config {
+        self.ssl_cert = Some(PathBuf::from(ssl_cert));
+        self
+    }
+
+    /// Gets the location of the client SSL certificate file.
+    pub fn get_ssl_cert(&self) -> Option<PathBuf> {
+        self.ssl_cert.clone()
+    }
+
+    /// Sets the location of the secret key file used for the client certificate.
+    ///
+    /// Defaults to `None`.
+    pub fn ssl_key(&mut self, ssl_key: &str) -> &mut Config {
+        self.ssl_key = Some(PathBuf::from(ssl_key));
+        self
+    }
+
+    /// Gets the location of the secret key file used for the client certificate.
+    pub fn get_ssl_key(&self) -> Option<PathBuf> {
+        self.ssl_key.clone()
+    }
+
     /// Sets the SSL configuration.
     ///
     /// Defaults to `prefer`.
@@ -279,6 +319,19 @@ impl Config {
         self.ssl_mode
     }
 
+    /// Sets the location of SSL certificate authority (CA) certificate.
+    ///
+    /// Defaults to `None`.
+    pub fn ssl_root_cert(&mut self, ssl_root_cert: &str) -> &mut Config {
+        self.ssl_root_cert = Some(PathBuf::from(ssl_root_cert));
+        self
+    }
+
+    /// Gets the location of SSL certificate authority (CA) certificate.
+    pub fn get_ssl_root_cert(&self) -> Option<PathBuf> {
+        self.ssl_root_cert.clone()
+    }
+
     /// Adds a host to the configuration.
     ///
     /// Multiple hosts can be specified by calling this method multiple times, and each will be tried in order. On Unix
@@ -427,15 +480,35 @@ impl Config {
             "application_name" => {
                 self.application_name(&value);
             }
+            "sslcert" => {
+                if std::fs::metadata(&value).is_err() {
+                    return Err(Error::config_parse(Box::new(InvalidValue("sslcert"))));
+                }
+                self.ssl_cert(&value);
+            }
+            "sslkey" => {
+                if std::fs::metadata(&value).is_err() {
+                    return Err(Error::config_parse(Box::new(InvalidValue("sslkey"))));
+                }
+                self.ssl_key(&value);
+            }
             "sslmode" => {
                 let mode = match value {
                     "disable" => SslMode::Disable,
                     "prefer" => SslMode::Prefer,
                     "require" => SslMode::Require,
+                    "verify-ca" => SslMode::VerifyCa,
+                    "verify-full" => SslMode::VerifyFull,
                     _ => return Err(Error::config_parse(Box::new(InvalidValue("sslmode")))),
                 };
                 self.ssl_mode(mode);
             }
+            "sslrootcert" => {
+                if std::fs::metadata(&value).is_err() {
+                    return Err(Error::config_parse(Box::new(InvalidValue("sslrootcert"))));
+                }
+                self.ssl_root_cert(&value);
+            }
             "host" => {
                 for host in value.split(',') {
                     self.host(host);
@@ -574,7 +647,10 @@ impl fmt::Debug for Config {
             .field("dbname", &self.dbname)
             .field("options", &self.options)
             .field("application_name", &self.application_name)
+            .field("ssl_cert", &self.ssl_cert)
+            .field("ssl_key", &self.ssl_key)
             .field("ssl_mode", &self.ssl_mode)
+            .field("ssl_root_cert", &self.ssl_root_cert)
             .field("host", &self.host)
             .field("port", &self.port)
             .field("connect_timeout", &self.connect_timeout)
diff --git a/tokio-postgres/src/connect_tls.rs b/tokio-postgres/src/connect_tls.rs
@@ -21,7 +21,7 @@ where
         SslMode::Prefer if !tls.can_connect(ForcePrivateApi) => {
             return Ok(MaybeTlsStream::Raw(stream))
         }
-        SslMode::Prefer | SslMode::Require => {}
+        SslMode::Prefer | SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {}
     }
 
     let mut buf = BytesMut::new();
@@ -32,10 +32,11 @@ where
     stream.read_exact(&mut buf).await.map_err(Error::io)?;
 
     if buf[0] != b'S' {
-        if SslMode::Require == mode {
-            return Err(Error::tls("server does not support TLS".into()));
-        } else {
-            return Ok(MaybeTlsStream::Raw(stream));
+        match mode {
+            SslMode::Require | SslMode::VerifyCa | SslMode::VerifyFull => {
+                return Err(Error::tls("server does not support TLS".into()))
+            }
+            SslMode::Disable | SslMode::Prefer => return Ok(MaybeTlsStream::Raw(stream)),
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ where`
`21`	`21`	`SslMode::Prefer if !tls.can_connect(ForcePrivateApi) => {`
`22`	`22`	`return Ok(MaybeTlsStream::Raw(stream))`
`23`	`23`	`}`
`24`		`- SslMode::Prefer \| SslMode::Require => {}`
	`24`	`+ SslMode::Prefer \| SslMode::Require \| SslMode::VerifyCa \| SslMode::VerifyFull => {}`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`let mut buf = BytesMut::new();`
`@@ -32,10 +32,11 @@ where`
`32`	`32`	`stream.read_exact(&mut buf).await.map_err(Error::io)?;`
`33`	`33`
`34`	`34`	`if buf[0] != b'S' {`
`35`		`- if SslMode::Require == mode {`
`36`		`- return Err(Error::tls("server does not support TLS".into()));`
`37`		`- } else {`
`38`		`- return Ok(MaybeTlsStream::Raw(stream));`
	`35`	`+ match mode {`
	`36`	`+ SslMode::Require \| SslMode::VerifyCa \| SslMode::VerifyFull => {`
	`37`	`+ return Err(Error::tls("server does not support TLS".into()))`
	`38`	`+ }`
	`39`	`+ SslMode::Disable \| SslMode::Prefer => return Ok(MaybeTlsStream::Raw(stream)),`
`39`	`40`	`}`
`40`	`41`	`}`
`41`	`42`