feat: use openssl for tls connections, add CA_ROOT_FILE support (#268) (h/t @kapcsandi)

2024-12-18 20:31:54 +03:00 · 2021-10-18 14:35:08 +03:00 · 2021-10-18 14:35:08 +03:00 · 7ad7f1ab8b
commit 7ad7f1ab8b
parent d4d101c7f9
7 changed files with 60 additions and 127 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -545,22 +545,6 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2df960f5d869b2dd8532793fde43eb5427cceb126c929747a26823ab0eeb536"

-[[package]]
-name = "core-foundation"
-version = "0.9.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6888e10551bb93e424d8df1d07f1a8b4fceb0001a3a4b048bfc47554946f47b3"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
-[[package]]
-name = "core-foundation-sys"
-version = "0.8.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
-
 [[package]]
 name = "cpufeatures"
 version = "0.2.1"
@ -1244,11 +1228,11 @@ dependencies = [
 "env_logger",
 "itertools",
 "log",
- "native-tls",
 "num_cpus",
+ "openssl",
 "postgis",
 "postgres",
- "postgres-native-tls",
+ "postgres-openssl",
 "postgres-protocol",
 "r2d2",
 "r2d2_postgres",
@ -1384,24 +1368,6 @@ dependencies = [
 "winapi 0.3.9",
 ]

-[[package]]
-name = "native-tls"
-version = "0.2.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48ba9f7719b5a0f42f338907614285fb5fd70e53858141f69898a1fb7203b24d"
-dependencies = [
- "lazy_static",
- "libc",
- "log",
- "openssl",
- "openssl-probe",
- "openssl-sys",
- "schannel",
- "security-framework",
- "security-framework-sys",
- "tempfile",
-]
-
 [[package]]
 name = "net2"
 version = "0.2.37"
@ -1473,12 +1439,6 @@ dependencies = [
 "openssl-sys",
 ]

-[[package]]
-name = "openssl-probe"
-version = "0.1.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a"
-
 [[package]]
 name = "openssl-sys"
 version = "0.9.67"
@ -1668,15 +1628,15 @@ dependencies = [
 ]

 [[package]]
-name = "postgres-native-tls"
+name = "postgres-openssl"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d442770e2b1e244bb5eb03b31c79b65bb2568f413b899eaba850fa945a65954"
+checksum = "1de0ea6504e07ca78355a6fb88ad0f36cafe9e696cbc6717f16a207f3a60be72"
 dependencies = [
 "futures",
- "native-tls",
+ "openssl",
 "tokio 1.12.0",
- "tokio-native-tls",
+ "tokio-openssl",
 "tokio-postgres",
 ]

@ -1914,15 +1874,6 @@ version = "0.6.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"

-[[package]]
-name = "remove_dir_all"
-version = "0.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
-dependencies = [
- "winapi 0.3.9",
-]
-
 [[package]]
 name = "resolv-conf"
 version = "0.7.0"
@ -1975,16 +1926,6 @@ dependencies = [
 "winapi-util",
 ]

-[[package]]
-name = "schannel"
-version = "0.1.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f05ba609c234e60bee0d547fe94a4c7e9da733d1c962cf6e59efa4cd9c8bc75"
-dependencies = [
- "lazy_static",
- "winapi 0.3.9",
-]
-
 [[package]]
 name = "scheduled-thread-pool"
 version = "0.2.5"
@ -2000,29 +1941,6 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"

-[[package]]
-name = "security-framework"
-version = "2.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "525bc1abfda2e1998d152c45cf13e696f76d0a4972310b22fac1658b05df7c87"
-dependencies = [
- "bitflags",
- "core-foundation",
- "core-foundation-sys",
- "libc",
- "security-framework-sys",
-]
-
-[[package]]
-name = "security-framework-sys"
-version = "2.4.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a9dd14d83160b528b7bfd66439110573efcfbe281b17fc2ca9f39f550d619c7e"
-dependencies = [
- "core-foundation-sys",
- "libc",
-]
-
 [[package]]
 name = "semver"
 version = "0.9.0"
@ -2298,20 +2216,6 @@ dependencies = [
 "unicode-xid",
 ]

-[[package]]
-name = "tempfile"
-version = "3.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22"
-dependencies = [
- "cfg-if 1.0.0",
- "libc",
- "rand 0.8.4",
- "redox_syscall",
- "remove_dir_all",
- "winapi 0.3.9",
-]
-
 [[package]]
 name = "termcolor"
 version = "1.1.2"
@ -2469,12 +2373,14 @@ dependencies = [
 ]

 [[package]]
-name = "tokio-native-tls"
-version = "0.3.0"
+name = "tokio-openssl"
+version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f7d995660bd2b7f8c1568414c1126076c13fbb725c40112dc0120b78eb9b717b"
+checksum = "f24cddc8445a4dc8359cdd9e91c19d544fc95f672e32afe8945852b9381a09fe"
 dependencies = [
- "native-tls",
+ "futures",
+ "openssl",
+ "openssl-sys",
 "tokio 1.12.0",
 ]

--- a/Cargo.toml
+++ b/Cargo.toml
@ -24,12 +24,12 @@ docopt = "1"
 env_logger = "0.9"
 itertools = "0.10"
 log = "0.4"
-native-tls = "0.2"
 num_cpus = "1.13"
-postgres = { version = "0.19.1", features = ["with-time-0_2", "with-uuid-0_8", "with-serde_json-1"] }
-postgres-native-tls = "0.5.0"
-postgres-protocol = "0.6.2"
+openssl = "0.10.36"
 postgis = "0.9.0"
+postgres = { version = "0.19.1", features = ["with-time-0_2", "with-uuid-0_8", "with-serde_json-1"] }
+postgres-openssl = "0.5.0"
+postgres-protocol = "0.6.2"
 r2d2 = "0.8"
 r2d2_postgres = "0.18"
 semver = "1.0"
--- a/README.md
+++ b/README.md
@ -366,6 +366,7 @@ Options:
  --pool-size=<n>                   Maximum connections pool size [default: 20].
  --watch                           Scan for new sources on sources list requests.
  --workers=<n>                     Number of web server workers.
+  --ca-root-file=<path>             Loads trusted root certificates from a file. The file should contain a sequence of PEM-formatted CA certificates.
  --danger-accept-invalid-certs     Trust invalid certificates. This introduces significant vulnerabilities, and should only be used as a last resort.
 ```

@ -374,10 +375,11 @@ Options:
 You can also configure martin using environment variables

 | Environment variable          | Example                            | Description                                   |
-| --------------------------- | -------------------------------- | ---------------------------- |
-| DATABASE_URL                | postgres://postgres@localhost/db | postgres database connection |
-| WATCH_MODE                  | true                             | scan for new sources         |
-| DANGER_ACCEPT_INVALID_CERTS | false                            | Trust invalid certificates   |
+| ----------------------------- | ---------------------------------- | --------------------------------------------- |
+| `DATABASE_URL`                | `postgres://postgres@localhost/db` | Postgres database connection                  |
+| `WATCH_MODE`                  | `true`                             | Scan for new sources on sources list requests |
+| `CA_ROOT_FILE`                | `./ca-certificate.crt`             | Loads trusted root certificates from a file   |
+| `DANGER_ACCEPT_INVALID_CERTS` | `false`                            | Trust invalid certificates                    |

 ## Configuration File

--- a/src/bin/main.rs
+++ b/src/bin/main.rs
@ -32,6 +32,7 @@ Options:
  --pool-size=<n>                   Maximum connections pool size [default: 20].
  --watch                           Scan for new sources on sources list requests.
  --workers=<n>                     Number of web server workers.
+  --ca-root-file=<path>             Loads trusted root certificates from a file. The file should contain a sequence of PEM-formatted CA certificates.
  --danger-accept-invalid-certs     Trust invalid certificates. This introduces significant vulnerabilities, and should only be used as a last resort.
 ";

@ -46,6 +47,7 @@ pub struct Args {
    pub flag_watch: bool,
    pub flag_version: bool,
    pub flag_workers: Option<usize>,
+    pub flag_ca_root_file: Option<String>,
    pub flag_danger_accept_invalid_certs: bool,
 }

@ -70,6 +72,7 @@ pub fn generate_config(args: Args, pool: &Pool) -> io::Result<Config> {
        worker_processes: args.flag_workers,
        table_sources: Some(table_sources),
        function_sources: Some(function_sources),
+        ca_root_file: None,
        danger_accept_invalid_certs: Some(args.flag_danger_accept_invalid_certs),
    };

@ -82,6 +85,7 @@ fn setup_from_config(file_name: String) -> io::Result<(Config, Pool)> {

    let pool = setup_connection_pool(
        &config.connection_string,
+        &config.ca_root_file,
        Some(config.pool_size),
        config.danger_accept_invalid_certs,
    )
@ -124,6 +128,7 @@ fn setup_from_args(args: Args) -> io::Result<(Config, Pool)> {
    info!("Connecting to database");
    let pool = setup_connection_pool(
        &connection_string,
+        &args.flag_ca_root_file,
        args.flag_pool_size,
        args.flag_danger_accept_invalid_certs,
    )
@ -141,6 +146,10 @@ fn parse_env(args: Args) -> Args {
        env::var_os("DATABASE_URL").and_then(|connection| connection.into_string().ok())
    });

+    let flag_ca_root_file = args.flag_ca_root_file.or_else(|| {
+        env::var_os("CA_ROOT_FILE").and_then(|connection| connection.into_string().ok())
+    });
+
    let flag_danger_accept_invalid_certs = args.flag_danger_accept_invalid_certs
        || env::var_os("DANGER_ACCEPT_INVALID_CERTS").is_some();

@ -149,6 +158,7 @@ fn parse_env(args: Args) -> Args {
    Args {
        arg_connection,
        flag_watch,
+        flag_ca_root_file,
        flag_danger_accept_invalid_certs,
        ..args
    }
--- a/src/config.rs
+++ b/src/config.rs
@ -17,6 +17,7 @@ pub struct Config {
    pub connection_string: String,
    pub table_sources: Option<TableSources>,
    pub function_sources: Option<FunctionSources>,
+    pub ca_root_file: Option<String>,
    pub danger_accept_invalid_certs: bool,
 }

@ -30,6 +31,7 @@ pub struct ConfigBuilder {
    pub connection_string: String,
    pub table_sources: Option<TableSources>,
    pub function_sources: Option<FunctionSources>,
+    pub ca_root_file: Option<String>,
    pub danger_accept_invalid_certs: Option<bool>,
 }

@ -46,6 +48,7 @@ impl ConfigBuilder {
            connection_string: self.connection_string,
            table_sources: self.table_sources,
            function_sources: self.function_sources,
+            ca_root_file: self.ca_root_file,
            danger_accept_invalid_certs: self.danger_accept_invalid_certs.unwrap_or(false),
        }
    }
--- a/src/db.rs
+++ b/src/db.rs
@ -1,8 +1,8 @@
 use std::io;
 use std::str::FromStr;

-use native_tls::TlsConnector;
-use postgres_native_tls::MakeTlsConnector;
+use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
+use postgres_openssl::MakeTlsConnector;
 use r2d2::PooledConnection;
 use r2d2_postgres::PostgresConnectionManager;
 use semver::Version;
@ -14,25 +14,37 @@ pub type ConnectionManager = PostgresConnectionManager<MakeTlsConnector>;
 pub type Pool = r2d2::Pool<ConnectionManager>;
 pub type Connection = PooledConnection<ConnectionManager>;

-fn make_tls_connector(danger_accept_invalid_certs: bool) -> io::Result<MakeTlsConnector> {
-    let connector = TlsConnector::builder()
-        .danger_accept_invalid_certs(danger_accept_invalid_certs)
-        .build()
-        .map_err(prettify_error("Can't build TLS connection".to_owned()))?;
+fn make_tls_connector(
+    ca_root_file: &Option<String>,
+    danger_accept_invalid_certs: bool,
+) -> io::Result<MakeTlsConnector> {
+    let mut builder = SslConnector::builder(SslMethod::tls())?;

-    let tls_connector = MakeTlsConnector::new(connector);
+    if danger_accept_invalid_certs {
+        builder.set_verify(SslVerifyMode::NONE);
+    }
+
+    if let Some(ca_root_file) = ca_root_file {
+        info!("Using {} as trusted root certificate", ca_root_file);
+        builder.set_ca_file(ca_root_file)?;
+    }
+
+    let tls_connector = MakeTlsConnector::new(builder.build());
    Ok(tls_connector)
 }

 pub fn setup_connection_pool(
-    cn_str: &str,
+    connection_string: &str,
+    ca_root_file: &Option<String>,
    pool_size: Option<u32>,
    danger_accept_invalid_certs: bool,
 ) -> io::Result<Pool> {
-    let config = postgres::config::Config::from_str(cn_str)
+    let config = postgres::config::Config::from_str(connection_string)
        .map_err(prettify_error("Can't parse connection string".to_owned()))?;

-    let tls_connector = make_tls_connector(danger_accept_invalid_certs)?;
+    let tls_connector = make_tls_connector(ca_root_file, danger_accept_invalid_certs)
+        .map_err(prettify_error("Can't build TLS connection".to_owned()))?;
+
    let manager = PostgresConnectionManager::new(config, tls_connector);

    let pool = r2d2::Pool::builder()
--- a/src/dev.rs
+++ b/src/dev.rs
@ -128,7 +128,7 @@ pub fn make_pool() -> Pool {
    let connection_string: String = env::var("DATABASE_URL").unwrap();
    info!("Connecting to {}", connection_string);

-    let pool = setup_connection_pool(&connection_string, Some(1), false).unwrap();
+    let pool = setup_connection_pool(&connection_string, &None, Some(1), false).unwrap();
    info!("Connected to {}", connection_string);

    pool