Postgres Source Strict Encrypt: Add tests with SSL and SSH (#19388)

* Postgres Source Strict Encrypt: Add tests with SSL and SSH

* updated No tunnel test

* fixed spec test

* fixed spec test

* refactoring

Author: VitaliiMaltsev

airbyte-integrations/connectors/source-postgres/src/main/java/io/airbyte/integrations/source/postgres/PostgresSourceStrictEncrypt.java

@@ -4,24 +4,36 @@
 
 package io.airbyte.integrations.source.postgres;
 
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ArrayNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import io.airbyte.commons.json.Jsons;
 import io.airbyte.db.jdbc.JdbcUtils;
 import io.airbyte.integrations.base.IntegrationRunner;
 import io.airbyte.integrations.base.Source;
 import io.airbyte.integrations.base.spec_modification.SpecModifyingSource;
+import io.airbyte.protocol.models.AirbyteConnectionStatus;
 import io.airbyte.protocol.models.ConnectorSpecification;
+import java.util.Set;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static io.airbyte.protocol.models.AirbyteConnectionStatus.Status;
+
 /**
  * This class is copied from source-postgres-strict-encrypt. The original file can be deleted
  * completely once the migration of multi-variant connector is done.
  */
 public class PostgresSourceStrictEncrypt extends SpecModifyingSource implements Source {
 
   private static final Logger LOGGER = LoggerFactory.getLogger(PostgresSourceStrictEncrypt.class);
+  public static final String TUNNEL_METHOD = "tunnel_method";
+  public static final String NO_TUNNEL = "NO_TUNNEL";
+  public static final String SSL_MODE = "ssl_mode";
+  public static final String MODE = "mode";
+  public static final String SSL_MODE_ALLOW = "allow";
+  public static final String SSL_MODE_PREFER = "prefer";
+  public static final String SSL_MODE_DISABLE = "disable";
 
   public PostgresSourceStrictEncrypt() {
     super(PostgresSource.sshWrappedSource());
@@ -39,6 +51,27 @@ public ConnectorSpecification modifySpec(final ConnectorSpecification originalSp
     return spec;
   }
 
+  @Override
+  public AirbyteConnectionStatus check(final JsonNode config) throws Exception {
+    // #15808 Disallow connecting to db with disable, prefer or allow SSL mode when connecting directly
+    // and not over SSH tunnel
+    if (config.has(TUNNEL_METHOD)
+        && config.get(TUNNEL_METHOD).has(TUNNEL_METHOD)
+        && config.get(TUNNEL_METHOD).get(TUNNEL_METHOD).asText().equals(NO_TUNNEL)) {
+      // If no SSH tunnel
+      if (config.has(SSL_MODE) && config.get(SSL_MODE).has(MODE)) {
+        if (Set.of(SSL_MODE_DISABLE, SSL_MODE_ALLOW, SSL_MODE_PREFER).contains(config.get(SSL_MODE).get(MODE).asText())) {
+          // Fail in case SSL mode is disable, allow or prefer
+          return new AirbyteConnectionStatus()
+              .withStatus(Status.FAILED)
+              .withMessage(
+                  "Unsecured connection not allowed. If no SSH Tunnel set up, please use one of the following SSL modes: require, verify-ca, verify-full");
+        }
+      }
+    }
+    return super.check(config);
+  }
+
   public static void main(final String[] args) throws Exception {
     final Source source = new PostgresSourceStrictEncrypt();
     LOGGER.info("starting source: {}", PostgresSourceStrictEncrypt.class);

airbyte-integrations/connectors/source-postgres/src/test/java/io/airbyte/integrations/source/postgres/PostgresSourceStrictEncryptTest.java

@@ -5,9 +5,12 @@
 package io.airbyte.integrations.source.postgres;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.google.common.collect.ImmutableMap;
+import io.airbyte.commons.json.Jsons;
 import io.airbyte.db.jdbc.JdbcUtils;
 import io.airbyte.integrations.base.ssh.SshBastionContainer;
 import io.airbyte.integrations.base.ssh.SshTunnel;
@@ -18,6 +21,7 @@
 import org.junit.jupiter.api.Test;
 import org.testcontainers.containers.Network;
 import org.testcontainers.containers.PostgreSQLContainer;
+import org.testcontainers.utility.DockerImageName;
 
 public class PostgresSourceStrictEncryptTest {
 
@@ -76,4 +80,67 @@ private ImmutableMap.Builder<Object, Object> getDatabaseConfigBuilderWithSSLMode
         .put(JdbcUtils.SSL_MODE_KEY, Map.of(JdbcUtils.MODE_KEY, sslMode));
   }
 
+  private JsonNode getMockedSSLConfig(String sslMode) {
+    return Jsons.jsonNode(ImmutableMap.builder()
+        .put(JdbcUtils.HOST_KEY, "test_host")
+        .put(JdbcUtils.PORT_KEY, 777)
+        .put(JdbcUtils.DATABASE_KEY, "test_db")
+        .put(JdbcUtils.USERNAME_KEY, "test_user")
+        .put(JdbcUtils.PASSWORD_KEY, "test_password")
+        .put(JdbcUtils.SSL_KEY, true)
+        .put(JdbcUtils.SSL_MODE_KEY, Map.of(JdbcUtils.MODE_KEY, sslMode))
+        .build());
+  }
+
+  @Test
+  void testSslModesUnsecuredNoTunnel() throws Exception {
+    for (String sslMode : List.of("disable", "allow", "prefer")) {
+      final JsonNode config = getMockedSSLConfig(sslMode);
+      ((ObjectNode) config).putIfAbsent("tunnel_method", Jsons.jsonNode(ImmutableMap.builder()
+          .put("tunnel_method", "NO_TUNNEL")
+          .build()));
+
+      final AirbyteConnectionStatus actual = new PostgresSourceStrictEncrypt().check(config);
+      assertEquals(AirbyteConnectionStatus.Status.FAILED, actual.getStatus());
+      assertTrue(actual.getMessage().contains("Unsecured connection not allowed"));
+    }
+  }
+
+  @Test
+  void testSslModeRequiredNoTunnel() throws Exception {
+
+    try (PostgreSQLContainer<?> db =
+        new PostgreSQLContainer<>(DockerImageName.parse("marcosmarxm/postgres-ssl:dev").asCompatibleSubstituteFor("postgres"))
+            .withCommand("postgres -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key")) {
+      db.start();
+
+      final ImmutableMap<Object, Object> configBuilderWithSslModeRequire = getDatabaseConfigBuilderWithSSLMode(db, "require").build();
+      final JsonNode config = Jsons.jsonNode(configBuilderWithSslModeRequire);
+      ((ObjectNode) config).putIfAbsent("tunnel_method", Jsons.jsonNode(ImmutableMap.builder()
+              .put("tunnel_method", "NO_TUNNEL")
+              .build()));
+      final AirbyteConnectionStatus connectionStatusForPreferredMode = new PostgresSourceStrictEncrypt().check(config);
+      assertEquals(AirbyteConnectionStatus.Status.SUCCEEDED, connectionStatusForPreferredMode.getStatus());
+    }
+  }
+
+  @Test
+  void testStrictSSLSecuredWithTunnel() throws Exception {
+    try (PostgreSQLContainer<?> db =
+        new PostgreSQLContainer<>(DockerImageName.parse("marcosmarxm/postgres-ssl:dev").asCompatibleSubstituteFor("postgres"))
+            .withCommand("postgres -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key")
+            .withNetwork(network)) {
+
+      bastion.initAndStartBastion(network);
+      db.start();
+
+      final ImmutableMap.Builder<Object, Object> builderWithSSLModePrefer = getDatabaseConfigBuilderWithSSLMode(db, "require");
+      final JsonNode configWithSslAndSsh = bastion.getTunnelConfig(SshTunnel.TunnelMethod.SSH_PASSWORD_AUTH, builderWithSSLModePrefer);
+      final AirbyteConnectionStatus connectionStatusForPreferredMode = new PostgresSourceStrictEncrypt().check(configWithSslAndSsh);
+      assertEquals(AirbyteConnectionStatus.Status.SUCCEEDED, connectionStatusForPreferredMode.getStatus());
+    } finally {
+      bastion.stopAndClose();
+    }
+  }
+
 }