Add verify ca and root cert path to settings (#852)

helium · Aug 7, 2024 · bcfc9f0 · bcfc9f0
1 parent 341b6e1
commit bcfc9f0
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/db_store/src/iam_auth_pool.rs b/db_store/src/iam_auth_pool.rs
@@ -1,6 +1,6 @@
 use crate::{error::invalid_configuration, Error, Result, Settings};
 use sqlx::{
-    postgres::{PgConnectOptions, Postgres},
+    postgres::{PgConnectOptions, PgSslMode, Postgres},
     Pool,
 };
 
@@ -18,6 +18,13 @@ pub async fn connect(settings: &Settings) -> Result<Pool<Postgres>> {
     let client = aws_sdk_sts::Client::new(&aws_config);
     let connect_parameters = ConnectParameters::try_from(settings)?;
     let connect_options = connect_parameters.connect_options(&client).await?;
+    let connect_options = if let Some(ref ca_path) = settings.ca_path {
+        connect_options
+            .ssl_mode(PgSslMode::VerifyCa)
+            .ssl_root_cert(ca_path)
+    } else {
+        connect_options
+    };
 
     let pool = settings
         .pool_options()

diff --git a/db_store/src/settings.rs b/db_store/src/settings.rs
@@ -1,6 +1,11 @@
+use std::path::PathBuf;
+
 use crate::{iam_auth_pool, metric_tracker, Error, Result};
 use serde::Deserialize;
-use sqlx::{postgres::PgPoolOptions, Pool, Postgres};
+use sqlx::{
+    postgres::{PgConnectOptions, PgPoolOptions, PgSslMode},
+    Pool, Postgres,
+};
 
 #[derive(Deserialize, Debug, Clone)]
 #[serde(rename_all = "lowercase")]
@@ -17,6 +22,9 @@ pub struct Settings {
     /// the auth_type is Postgres
     pub url: Option<String>,
 
+    /// Optionally provided certificate authority
+    pub ca_path: Option<PathBuf>,
+
     #[serde(default = "default_auth_type")]
     auth_type: AuthType,
 
@@ -55,12 +63,20 @@ impl Settings {
     }
 
     async fn simple_connect(&self) -> Result<Pool<Postgres>> {
-        let connect_options = self
+        let connect_options: PgConnectOptions = self
             .url
             .as_ref()
             .ok_or_else(|| Error::InvalidConfiguration("url is required".to_string()))?
             .parse()?;
 
+        let connect_options = if let Some(ref ca_path) = self.ca_path {
+            connect_options
+                .ssl_mode(PgSslMode::VerifyCa)
+                .ssl_root_cert(ca_path)
+        } else {
+            connect_options
+        };
+
         let pool = self.pool_options().connect_with(connect_options).await?;
         Ok(pool)
     }