feat: support PGSSL* env variables for configuring the ssl mode (#187)

When creating database connections, lookup the SSL related flags from
the standard PGSSL* env varibles. This allows configuring the connection
via the same values that can be used to configure psql or other postgres
tools.

Signed-off-by: Lucas Roesler <[email protected]>

Author: LucasRoesler

pkg/config/database.go

@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"io/ioutil"
+	"os"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -12,7 +13,28 @@ var defaultPorts = map[string]uint32{
 	"postgres": 5432,
 }
 
+const (
+	// these environment variables can be used to control the SSL
+	// validation behavior and behave the same as the documented
+	// postegres environment variables
+	PGSSLModeEnvKey         = "PGSSLMODE"
+	PGSSLCertPathEnvKey     = "PGSSLCERT"
+	PGSSLKeyPathEnvKey      = "PGSSLKEY"
+	PGSSLRootCertPathEnvKey = "PGSSLROOTCERT"
+)
+
+const (
+	pgSSLDisabled   = "disable"
+	pgSSLRequire    = "require"
+	pgSSLVerifyCA   = "verify-ca"
+	pgSSLVerifyFull = "verify-full"
+)
+
 // Database contains all the configuration parameters for a database
+// SSL mode and options can be configured via the standard Postgres env variables
+// documented here https://www.postgresql.org/docs/current/libpq-envars.html
+//
+// Specifically, it supports:  PGSSLMODE, PGSSLCERT, PGSSLKEY, PGSSLROOTCERT.
 type Database struct {
 	// Host of the database server
 	Host string `json:"host"`
@@ -65,7 +87,30 @@ func (cfg *Database) GetPort() uint32 {
 
 // GetConnectionString returns the formed connection string
 func (cfg *Database) GetConnectionString() (connStr string, err error) {
-	connStr = "sslmode=disable "
+	sslMode, found := os.LookupEnv(PGSSLModeEnvKey)
+	if !found {
+		sslMode = pgSSLDisabled
+	}
+
+	switch sslMode {
+	case pgSSLDisabled, pgSSLRequire, pgSSLVerifyCA, pgSSLVerifyFull:
+		// nothing to do
+	default:
+		return "", fmt.Errorf("unknown or unsupported ssl mode: %q", sslMode)
+	}
+
+	connStr = fmt.Sprintf("sslmode=%s ", sslMode)
+	if value, found := os.LookupEnv(PGSSLCertPathEnvKey); found {
+		connStr += fmt.Sprintf("sslcert=%s ", value)
+	}
+
+	if value, found := os.LookupEnv(PGSSLKeyPathEnvKey); found {
+		connStr += fmt.Sprintf("sslkey=%s ", value)
+	}
+
+	if value, found := os.LookupEnv(PGSSLRootCertPathEnvKey); found {
+		connStr += fmt.Sprintf("sslrootcert=%s ", value)
+	}
 
 	if cfg.Host != "" {
 		connStr += fmt.Sprintf("host=%s ", cfg.Host)

pkg/config/database_test.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -61,6 +62,7 @@ func TestDatabaseGetConnectionString(t *testing.T) {
 	cases := []struct {
 		name     string
 		cfg      Database
+		env      map[string]string
 		expected string
 		err      string
 	}{
@@ -75,6 +77,23 @@ func TestDatabaseGetConnectionString(t *testing.T) {
 			},
 			expected: "sslmode=disable host=example.com port=80 dbname=database user=root password=password",
 		},
+		{
+			name: "Can set sslmode to require via env variables",
+			cfg: Database{
+				Host:         "example.com",
+				Port:         80,
+				Name:         "database",
+				Username:     "root",
+				PasswordPath: "./testdata/password",
+			},
+			env: map[string]string{
+				"PGSSLMODE":     "require",
+				"PGSSLCERT":     "/cert/path",
+				"PGSSLKEY":      "/key/path",
+				"PGSSLROOTCERT": "/root/cert/path",
+			},
+			expected: "sslmode=require sslcert=/cert/path sslkey=/key/path sslrootcert=/root/cert/path host=example.com port=80 dbname=database user=root password=password",
+		},
 		{
 			name: "Returns a connection string when Host is not set",
 			cfg: Database{
@@ -140,6 +159,9 @@ func TestDatabaseGetConnectionString(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
+			reset := envSetup(tc.env)
+			defer reset()
+
 			str, err := tc.cfg.GetConnectionString()
 			if tc.err != "" {
 				require.Error(t, err)
@@ -151,3 +173,29 @@ func TestDatabaseGetConnectionString(t *testing.T) {
 		})
 	}
 }
+
+func envSetup(envs map[string]string) (resetter func()) {
+	if len(envs) == 0 {
+		return func() {}
+	}
+
+	originalEnvs := map[string]string{}
+
+	for name, value := range envs {
+		if originalValue, ok := os.LookupEnv(name); ok {
+			originalEnvs[name] = originalValue
+		}
+		_ = os.Setenv(name, value)
+	}
+
+	return func() {
+		for name := range envs {
+			origValue, has := originalEnvs[name]
+			if has {
+				_ = os.Setenv(name, origValue)
+			} else {
+				_ = os.Unsetenv(name)
+			}
+		}
+	}
+}