mirror of
https://github.com/jackc/pgx.git
synced 2025-05-31 11:42:24 +00:00
Make ParseURI() compatible with lib/pq's TLS keywords.
Add support for: - `sslrootcert` - `sslcert` - `sslkey` All three arguments, like thir `gitub.com/lib/pq` counterparts, are filesystem paths.
This commit is contained in:
Sean Chittenden
parent
4506a3e359
commit
d7f24b91f4
41
conn.go
41
conn.go
@ -4,10 +4,12 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
"net"
|
"net"
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
@ -706,9 +708,46 @@ func ParseURI(uri string) (ConnConfig, error) {
|
|||||||
return cp, err
|
return cp, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Extract optional TLS parameters and reconstruct a coherent tls.Config based
|
||||||
|
// on the DSN input. Reuse the same keywords found in github.com/lib/pq.
|
||||||
|
if cp.TLSConfig != nil {
|
||||||
|
{
|
||||||
|
caCertPool := x509.NewCertPool()
|
||||||
|
|
||||||
|
caPath := url.Query().Get("sslrootcert")
|
||||||
|
caCert, err := ioutil.ReadFile(caPath)
|
||||||
|
if err != nil {
|
||||||
|
return cp, errors.Wrapf(err, "unable to read CA file %q", caPath)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !caCertPool.AppendCertsFromPEM(caCert) {
|
||||||
|
return cp, errors.Wrap(err, "unable to add CA to cert pool")
|
||||||
|
}
|
||||||
|
|
||||||
|
cp.TLSConfig.RootCAs = caCertPool
|
||||||
|
cp.TLSConfig.ClientCAs = caCertPool
|
||||||
|
}
|
||||||
|
|
||||||
|
sslcert := url.Query().Get("sslcert")
|
||||||
|
sslkey := url.Query().Get("sslkey")
|
||||||
|
if (sslcert != "" && sslkey == "") || (sslcert == "" && sslkey != "") {
|
||||||
|
return cp, fmt.Errorf(`both "sslcert" and "sslkey" are required`)
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, err := tls.LoadX509KeyPair(sslcert, sslkey)
|
||||||
|
if err != nil {
|
||||||
|
return cp, errors.Wrap(err, "unable to read cert")
|
||||||
|
}
|
||||||
|
|
||||||
|
cp.TLSConfig.Certificates = []tls.Certificate{cert}
|
||||||
|
}
|
||||||
|
|
||||||
ignoreKeys := map[string]struct{}{
|
ignoreKeys := map[string]struct{}{
|
||||||
"sslmode": {},
|
|
||||||
"connect_timeout": {},
|
"connect_timeout": {},
|
||||||
|
"sslcert": {},
|
||||||
|
"sslkey": {},
|
||||||
|
"sslmode": {},
|
||||||
|
"sslrootcert": {},
|
||||||
}
|
}
|
||||||
|
|
||||||
cp.RuntimeParams = make(map[string]string)
|
cp.RuntimeParams = make(map[string]string)
|
||||||
|
|||||||
@ -228,7 +228,8 @@ func TestConnectWithTLSFallback(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
connConfig.UseFallbackTLS = true
|
connConfig.UseFallbackTLS = true
|
||||||
connConfig.FallbackTLSConfig = &tls.Config{InsecureSkipVerify: true}
|
connConfig.FallbackTLSConfig = tlsConnConfig.TLSConfig
|
||||||
|
connConfig.FallbackTLSConfig.InsecureSkipVerify = true
|
||||||
|
|
||||||
conn, err = pgx.Connect(connConfig)
|
conn, err = pgx.Connect(connConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user