feat: Add TLS connection support for outbound PG

etehtsea · etehtsea · commit fc69afa3d6a8 · 2022-12-21T20:54:14.000+06:00
Underneath it conditionally uses `NoTls` when `sslmode=disable` or sets up ssl connector otherwise. NOTE: By default, `tokio_postgres` is using `sslmode=prefer`, so to avoid SSL setup overhead `sslmode=disable` should be provided explicitly. Refs: #936 Signed-off-by: Konstantin Shabanov <mail@etehtsea.me>
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/outbound-pg/Cargo.toml b/crates/outbound-pg/Cargo.toml
@@ -9,6 +9,8 @@ doctest = false
 
 [dependencies]
 anyhow = "1.0"
+native-tls = "0.2.11"
+postgres-native-tls = "0.5.0"
 spin-core = { path = "../core" }
 tokio = { version = "1", features = [ "rt-multi-thread" ] }
 tokio-postgres = { version = "0.7.7" }
diff --git a/crates/outbound-pg/src/lib.rs b/crates/outbound-pg/src/lib.rs
@@ -1,9 +1,12 @@
 use anyhow::anyhow;
+use native_tls::TlsConnector;
+use postgres_native_tls::MakeTlsConnector;
 use spin_core::HostComponent;
 use std::collections::HashMap;
 use tokio_postgres::{
+    config::SslMode,
     types::{ToSql, Type},
-    Client, NoTls, Row,
+    Client, NoTls, Row, Socket,
 };
 use wit_bindgen_wasmtime::async_trait;
 
@@ -237,15 +240,42 @@ impl OutboundPg {
 }
 
 async fn build_client(address: &str) -> anyhow::Result<Client> {
+    let config = address.parse::<tokio_postgres::Config>()?;
+
     tracing::log::debug!("Build new connection: {}", address);
 
-    let (client, connection) = tokio_postgres::connect(address, NoTls).await?;
+    if config.get_ssl_mode() == SslMode::Disable {
+        connect(config).await
+    } else {
+        connect_tls(config).await
+    }
+}
+
+async fn connect(config: tokio_postgres::Config) -> anyhow::Result<Client> {
+    let (client, connection) = config.connect(NoTls).await?;
+
+    spawn(connection);
+
+    Ok(client)
+}
 
+async fn connect_tls(config: tokio_postgres::Config) -> anyhow::Result<Client> {
+    let builder = TlsConnector::builder();
+    let connector = MakeTlsConnector::new(builder.build()?);
+    let (client, connection) = config.connect(connector).await?;
+
+    spawn(connection);
+
+    Ok(client)
+}
+
+fn spawn<T>(connection: tokio_postgres::Connection<Socket, T>)
+where
+    T: tokio_postgres::tls::TlsStream + std::marker::Unpin + std::marker::Send + 'static,
+{
     tokio::spawn(async move {
         if let Err(e) = connection.await {
             tracing::warn!("Postgres connection error: {}", e);
         }
     });
-
-    Ok(client)
 }
