Merge pull request #1423 from eclipse-vertx/pendula95-fix-recover-for-ssl-mode-always-4.x

Correct handling of SSL mode always for PostgreSQL

Author: vietj

vertx-pg-client/README.adoc

@@ -307,7 +307,7 @@ mvn test -DcontainerFixedPort
 You can run tests with an external database:
 
 - the script `src/test/resources/create-postgres.sql` creates the test data
-- the `TLSTest` expects the database to be configured with SSL with `src/test/resources/tls/server.key` / `src/test/resources/tls/server.cert``
+- the `TLSTest` expects the database to be configured with SSL with `src/test/resources/tls/server.key` / `src/test/resources/tls/server.cert` `src/test/resources/tls/pg_hba.conf` as an example how to force SSL
 
 You need to add some properties for testing:
 
@@ -317,6 +317,7 @@ You need to add some properties for testing:
 
 - connection.uri(mandatory): configure the client to connect the specified database
 - tls.connection.uri(mandatory): configure the client to run `TLSTest` with the specified Postgres with SSL enabled
+- tls.force.connection.uri(mandatory): configure the client to run `TLSTest` with the specified Postgres with SSL forced (only option)
 - unix.socket.directory(optional): the single unix socket directory(multiple socket directories are not supported) to test Unix domain socket with a specified database, domain socket tests will be skipped if this property is not specified
 (Note: Make sure you can access the unix domain socket with this directory under your host machine)
 - unix.socket.port(optional): unix socket file is named `.s.PGSQL.nnnn` and `nnnn` is the server's port number,
@@ -335,5 +336,5 @@ Run the Postgres containers with `docker-compose`:
 Run tests:
 
 ```
-> mvn test -Dconnection.uri=postgres://$username:$password@$host:$port/$database -Dtls.connection.uri=postgres://$username:$password@$host:$port/$database -Dunix.socket.directory=$path -Dunix.socket.port=$port
+> mvn test -Dconnection.uri=postgres://$username:$password@$host:$port/$database -Dtls.connection.uri=postgres://$username:$password@$host:$port/$database -Dtls.force.connection.uri=postgres://$username:$password@$host:$port/$database -Dunix.socket.directory=$path -Dunix.socket.port=$port
 ```

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/PgConnectionFactory.java

@@ -75,21 +75,12 @@ protected Future<Connection> doConnectInternal(SqlConnectOptions options, Contex
     } catch (Exception e) {
       return context.failedFuture(e);
     }
-    String username = options.getUser();
-    String password = options.getPassword();
-    String database = options.getDatabase();
     SocketAddress server = options.getSocketAddress();
-    Map<String, String> properties = options.getProperties() != null ? Collections.unmodifiableMap(options.getProperties()) : null;
-    return doConnect(server, context, pgOptions).flatMap(conn -> {
-      PgSocketConnection socket = (PgSocketConnection) conn;
-      socket.init();
-      return Future.<Connection>future(p -> socket.sendStartupMessage(username, password, database, properties, p))
-        .map(conn);
-    });
+    return connect(server, context, true, pgOptions);
   }
 
   public void cancelRequest(PgConnectOptions options, int processId, int secretKey, Handler<AsyncResult<Void>> handler) {
-    doConnect(options.getSocketAddress(), vertx.createEventLoopContext(), options).onComplete(ar -> {
+    connect(options.getSocketAddress(), vertx.createEventLoopContext(), false, options).onComplete(ar -> {
       if (ar.succeeded()) {
         PgSocketConnection conn = (PgSocketConnection) ar.result();
         conn.sendCancelRequestMessage(processId, secretKey, handler);
@@ -99,39 +90,56 @@ public void cancelRequest(PgConnectOptions options, int processId, int secretKey
     });
   }
 
-  private Future<Connection> doConnect(SocketAddress server, ContextInternal context, PgConnectOptions options) {
+  private Future<Connection> connect(SocketAddress server, ContextInternal context, boolean sendStartupMessage, PgConnectOptions options) {
     SslMode sslMode = options.isUsingDomainSocket() ? SslMode.DISABLE : options.getSslMode();
     Future<Connection> connFuture;
     switch (sslMode) {
       case DISABLE:
-        connFuture = doConnect(server, context, false, options);
+        connFuture = connect(server, options, context, false, sendStartupMessage);
         break;
       case ALLOW:
-        connFuture = doConnect(server, context,false, options).recover(err -> doConnect(server, context,true, options));
+        connFuture = connect(server, options, context,false, sendStartupMessage).recover(err -> connect(server, options, context, true, sendStartupMessage));
         break;
       case PREFER:
-        connFuture = doConnect(server, context,true, options).recover(err -> doConnect(server, context,false, options));
+        connFuture = connect(server, options, context,true, sendStartupMessage).recover(err -> connect(server, options, context, false, sendStartupMessage));
         break;
       case REQUIRE:
       case VERIFY_CA:
       case VERIFY_FULL:
-        connFuture = doConnect(server, context, true, options);
+        connFuture = connect(server, options, context, true, sendStartupMessage);
         break;
       default:
         return context.failedFuture(new IllegalArgumentException("Unsupported SSL mode"));
     }
     return connFuture;
   }
 
-  private Future<Connection> doConnect(SocketAddress server, ContextInternal context, boolean ssl, PgConnectOptions options) {
+  private Future<Connection> connect(SocketAddress server, PgConnectOptions connectOptions, ContextInternal context, boolean ssl, boolean sendStartupMessage) {
+    Future<Connection> res = doConnect(server, connectOptions, context, ssl);
+    if (sendStartupMessage) {
+      return res.flatMap(conn -> {
+        PgSocketConnection socket = (PgSocketConnection) conn;
+        socket.init();
+        String username = connectOptions.getUser();
+        String password = connectOptions.getPassword();
+        String database = connectOptions.getDatabase();
+        Map<String, String> properties = connectOptions.getProperties() != null ? Collections.unmodifiableMap(connectOptions.getProperties()) : null;
+        return Future.future(p -> socket.sendStartupMessage(username, password, database, properties, p));
+      });
+    } else {
+      return res;
+    }
+  }
+
+  private Future<Connection> doConnect(SocketAddress server, PgConnectOptions connectOptions, ContextInternal context, boolean ssl) {
     Future<NetSocket> soFut;
     try {
-      soFut = netClient(options).connect(server, (String) null);
+      soFut = netClient(connectOptions).connect(server, (String) null);
     } catch (Exception e) {
       // Client is closed
       return context.failedFuture(e);
     }
-    Future<Connection> connFut = soFut.map(so -> newSocketConnection(context, (NetSocketInternal) so, options));
+    Future<Connection> connFut = soFut.map(so -> newSocketConnection(context, (NetSocketInternal) so, connectOptions));
     if (ssl && !server.isDomainSocket()) {
       // upgrade connection to SSL if needed
       connFut = connFut.flatMap(conn -> Future.future(p -> {

vertx-pg-client/src/test/java/io/vertx/pgclient/TLSTest.java

@@ -34,7 +34,13 @@
 public class TLSTest {
 
   @ClassRule
-  public static ContainerPgRule rule = new ContainerPgRule().ssl(true);
+  public static ContainerPgRule ruleOptionalSll = new ContainerPgRule().ssl(true);
+
+  @ClassRule
+  public static ContainerPgRule ruleForceSsl = new ContainerPgRule().ssl(true).forceSsl(true);
+
+  @ClassRule
+  public static ContainerPgRule ruleSllOff = new ContainerPgRule().ssl(false);
 
   private Vertx vertx;
 
@@ -52,7 +58,7 @@ public void teardown(TestContext ctx) {
   public void testTLS(TestContext ctx) {
     Async async = ctx.async();
 
-    PgConnectOptions options = new PgConnectOptions(rule.options())
+    PgConnectOptions options = new PgConnectOptions(ruleOptionalSll.options())
       .setSslMode(SslMode.REQUIRE)
       .setPemTrustOptions(new PemTrustOptions().addCertPath("tls/server.crt"));
     PgConnection.connect(vertx, options.setSslMode(SslMode.REQUIRE), ctx.asyncAssertSuccess(conn -> {
@@ -72,7 +78,7 @@ public void testTLS(TestContext ctx) {
   @Test
   public void testTLSTrustAll(TestContext ctx) {
     Async async = ctx.async();
-    PgConnection.connect(vertx, rule.options().setSslMode(SslMode.REQUIRE).setTrustAll(true), ctx.asyncAssertSuccess(conn -> {
+    PgConnection.connect(vertx, ruleOptionalSll.options().setSslMode(SslMode.REQUIRE).setTrustAll(true), ctx.asyncAssertSuccess(conn -> {
       ctx.assertTrue(conn.isSSL());
       async.complete();
     }));
@@ -81,7 +87,7 @@ public void testTLSTrustAll(TestContext ctx) {
   @Test
   public void testTLSInvalidCertificate(TestContext ctx) {
     Async async = ctx.async();
-    PgConnection.connect(vertx, rule.options().setSslMode(SslMode.REQUIRE), ctx.asyncAssertFailure(err -> {
+    PgConnection.connect(vertx, ruleOptionalSll.options().setSslMode(SslMode.REQUIRE), ctx.asyncAssertFailure(err -> {
 //      ctx.assertEquals(err.getClass(), VertxException.class);
       ctx.assertEquals(err.getMessage(), "SSL handshake failed");
       async.complete();
@@ -91,7 +97,7 @@ public void testTLSInvalidCertificate(TestContext ctx) {
   @Test
   public void testSslModeDisable(TestContext ctx) {
     Async async = ctx.async();
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.DISABLE);
     PgConnection.connect(vertx, new PgConnectOptions(options), ctx.asyncAssertSuccess(conn -> {
       ctx.assertFalse(conn.isSSL());
@@ -102,18 +108,30 @@ public void testSslModeDisable(TestContext ctx) {
   @Test
   public void testSslModeAllow(TestContext ctx) {
     Async async = ctx.async();
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.ALLOW);
     PgConnection.connect(vertx, new PgConnectOptions(options), ctx.asyncAssertSuccess(conn -> {
       ctx.assertFalse(conn.isSSL());
       async.complete();
     }));
   }
 
+  @Test
+  public void testSslModeAllowFallback(TestContext ctx) {
+    Async async = ctx.async();
+    PgConnectOptions options = ruleForceSsl.options()
+      .setSslMode(SslMode.ALLOW)
+      .setTrustAll(true);
+    PgConnection.connect(vertx, new PgConnectOptions(options)).onComplete(ctx.asyncAssertSuccess(conn -> {
+      ctx.assertTrue(conn.isSSL());
+      async.complete();
+    }));
+  }
+
   @Test
   public void testSslModePrefer(TestContext ctx) {
     Async async = ctx.async();
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.PREFER)
       .setTrustAll(true);
     PgConnection.connect(vertx, new PgConnectOptions(options), ctx.asyncAssertSuccess(conn -> {
@@ -122,9 +140,21 @@ public void testSslModePrefer(TestContext ctx) {
     }));
   }
 
+  @Test
+  public void testSslModePreferFallback(TestContext ctx) {
+    Async async = ctx.async();
+    PgConnectOptions options = ruleSllOff.options()
+      .setSslMode(SslMode.PREFER)
+      .setTrustAll(true);
+    PgConnection.connect(vertx, options).onComplete(ctx.asyncAssertSuccess(conn -> {
+      ctx.assertFalse(conn.isSSL());
+      async.complete();
+    }));
+  }
+
   @Test
   public void testSslModeVerifyCaConf(TestContext ctx) {
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.VERIFY_CA)
       .setTrustAll(true);
     PgConnection.connect(vertx, new PgConnectOptions(options), ctx.asyncAssertFailure(error -> {
@@ -134,8 +164,9 @@ public void testSslModeVerifyCaConf(TestContext ctx) {
 
   @Test
   public void testSslModeVerifyFullConf(TestContext ctx) {
-    PgConnectOptions options = rule.options()
-      .setSslMode(SslMode.VERIFY_FULL);
+    PgConnectOptions options = ruleOptionalSll.options()
+      .setSslMode(SslMode.VERIFY_FULL)
+      .setTrustOptions(new PemTrustOptions().addCertPath("tls/another.crt"));
     PgConnection.connect(vertx, new PgConnectOptions(options), ctx.asyncAssertFailure(error -> {
       ctx.assertEquals("Host verification algorithm must be specified under verify-full sslmode", error.getMessage());
     }));

vertx-pg-client/src/test/java/io/vertx/pgclient/junit/ContainerPgRule.java

@@ -36,18 +36,25 @@ public class ContainerPgRule extends ExternalResource {
 
   private static final String connectionUri = System.getProperty("connection.uri");
   private static final String tlsConnectionUri = System.getProperty("tls.connection.uri");
+  private static final String tlsForceConnectionUri = System.getProperty("tls.force.connection.uri");
 
   private ServerContainer<?> server;
   private PgConnectOptions options;
   private String databaseVersion;
   private boolean ssl;
+  private boolean forceSsl;
   private String user = "postgres";
 
   public ContainerPgRule ssl(boolean ssl) {
     this.ssl = ssl;
     return this;
   }
 
+  public ContainerPgRule forceSsl(boolean forceSsl) {
+    this.forceSsl = forceSsl;
+    return this;
+  }
+
   public PgConnectOptions options() {
     return new PgConnectOptions(options);
   }
@@ -75,6 +82,11 @@ private void initServer(String version) throws Exception {
         .withClasspathResourceMapping("tls/server.crt", "/server.crt", BindMode.READ_ONLY)
         .withClasspathResourceMapping("tls/server.key", "/server.key", BindMode.READ_ONLY)
         .withClasspathResourceMapping("tls/ssl.sh", "/docker-entrypoint-initdb.d/ssl.sh", BindMode.READ_ONLY);
+        if (forceSsl) {
+          server
+            .withClasspathResourceMapping("tls/pg_hba.conf", "/tmp/pg_hba.conf", BindMode.READ_ONLY)
+            .withClasspathResourceMapping("tls/force_ssl.sh", "/docker-entrypoint-initdb.d/force_ssl.sh", BindMode.READ_ONLY);
+        }
     }
     if (System.getProperties().containsKey("containerFixedPort")) {
       server.withFixedExposedPort(POSTGRESQL_PORT, POSTGRESQL_PORT);
@@ -84,7 +96,7 @@ private void initServer(String version) throws Exception {
   }
 
   public static boolean isTestingWithExternalDatabase() {
-    return isSystemPropertyValid(connectionUri) || isSystemPropertyValid(tlsConnectionUri);
+    return isSystemPropertyValid(connectionUri) || isSystemPropertyValid(tlsConnectionUri) || isSystemPropertyValid(tlsForceConnectionUri);
   }
 
   private static boolean isSystemPropertyValid(String systemProperty) {
@@ -133,7 +145,11 @@ protected void before() throws Throwable {
     if (isTestingWithExternalDatabase()) {
 
       if (ssl) {
-        options =  PgConnectOptions.fromUri(tlsConnectionUri);
+        if (forceSsl) {
+          options = PgConnectOptions.fromUri(tlsForceConnectionUri);
+        } else {
+          options = PgConnectOptions.fromUri(tlsConnectionUri);
+        }
       }
       else {
         options = PgConnectOptions.fromUri(connectionUri);

vertx-pg-client/src/test/resources/tls/force_ssl.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# force ssl
+cp /tmp/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf