feat: add basic ssl for postgres

Signed-off-by: Kim Ebert <[email protected]>

Author: KimEbert42

experimental/plugins/postgres_storage/Cargo.toml

@@ -14,7 +14,7 @@ crate-type = ["staticlib","rlib","cdylib"]
 
 [features]
 default = ["bn_openssl", "ed25519_sign_sodium", "ed25519_box_sodium", "sealedbox_sodium", "base58_rust_base58", "base64_rust_base64", "xsalsa20_sodium", "chacha20poly1305_ietf_sodium", "hash_openssl", "local_nodes_pool", "revocation_tests", "pwhash_argon2i13_sodium", "hmacsha256_sodium", "memzero_sodium", "randombytes_sodium"]
-bn_openssl = ["openssl", "int_traits"]
+bn_openssl = ["int_traits"]
 ed25519_sign_sodium = ["sodiumoxide"]
 ed25519_box_sodium = ["sodiumoxide"]
 sealedbox_sodium = ["sodiumoxide"]
@@ -23,7 +23,7 @@ base64_rust_base64 = ["base64"]
 xsalsa20_sodium = ["sodiumoxide"]
 chacha20poly1305_ietf_sodium = ["sodiumoxide"]
 pwhash_argon2i13_sodium = ["sodiumoxide"]
-hash_openssl = ["openssl"]
+hash_openssl = []
 local_nodes_pool = []
 revocation_tests = []
 sodium_static = []
@@ -46,7 +46,7 @@ hex = "0.2.0"
 libc = "0.2.60"
 log = "0.4.1"
 dirs = "1.0.4"
-openssl = { version = "=0.10.12", optional = true }
+openssl = { version = "=0.10.12" }
 owning_ref = "0.3.3"
 rand = "0.3"
 rust-base58 = {version = "0.0.4", optional = true}
@@ -65,7 +65,8 @@ named_type = "0.1.3"
 named_type_derive = "0.1.3"
 byteorder = "1.3.2"
 log-panics = "2.0.0"
-postgres = "0.15.2"
+postgres = { version = "0.15" }
+postgres-openssl = "0.1.0"
 r2d2 = "0.8.2"
 r2d2_postgres = "0.14.0"
 percent-encoding = "2.1.0"

experimental/plugins/postgres_storage/src/postgres_storage.rs

@@ -2,12 +2,17 @@ extern crate owning_ref;
 extern crate sodiumoxide;
 extern crate r2d2;
 extern crate r2d2_postgres;
+extern crate postgres_openssl;
 extern crate percent_encoding;
 
 use ::std::sync::RwLock;
 
 use postgres;
 use self::r2d2_postgres::{TlsMode, PostgresConnectionManager};
+use self::postgres_openssl::{OpenSsl};
+use self::postgres_openssl::openssl::ssl::{SslMethod, SslConnector} ;
+use postgres_storage::postgres_openssl::openssl::ssl::SslConnectorBuilder;
+
 use serde_json;
 
 use self::owning_ref::OwningHandle;
@@ -369,10 +374,11 @@ impl StorageIterator for PostgresStorageIterator {
     }
 }
 
-#[derive(Deserialize, Debug)]
+#[derive(Deserialize)]
 pub struct PostgresConfig {
     url: String,
     tls: Option<String>,
+    tls_ca: Option<String>,
     // default off
     max_connections: Option<u32>,
     // default 5
@@ -384,28 +390,57 @@ pub struct PostgresConfig {
     // default 5
     wallet_scheme: Option<WalletScheme>,   // default DatabasePerWallet
     database_name: Option<String>,   // default _WALLET_DB
+    
+    // For TLS
+    #[serde(skip)]
+    negotiator: Option<OpenSsl>,
+
 }
 
 impl PostgresConfig {
+
+    fn init_tls(&mut self) {
+        debug!("initializing postgresql builder");
+
+        let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
+
+        if self.tls_ca.is_some() {
+            builder.set_ca_file(self.tls_ca.as_ref().unwrap());
+        }
+
+        debug!("initializing postgresql negotiator");
+        self.negotiator = Some(OpenSsl::from(builder.build()));
+    }
+
     fn tls(&self) -> postgres::TlsMode {
+        debug!("tls");
         match &self.tls {
             Some(tls) => match tls.as_ref() {
                 "None" => postgres::TlsMode::None,
                 // TODO add tls support for connecting to postgres db
-                //"Prefer" => postgres::TlsMode::Prefer(&postgres::Connection),
-                //"Require" => postgres::TlsMode::Require(&postgres::Connection),
+                "Prefer" => postgres::TlsMode::Prefer(self.negotiator.as_ref().unwrap()),
+                "Require" => postgres::TlsMode::Require(self.negotiator.as_ref().unwrap()),
                 _ => postgres::TlsMode::None
             },
             None => postgres::TlsMode::None
         }
     }
     fn r2d2_tls(&self) -> TlsMode {
+
+        let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
+
+        if self.tls_ca.is_some() {
+            builder.set_ca_file(self.tls_ca.as_ref().unwrap());
+        }
+
+        let negotiator = OpenSsl::from(builder.build());
+
         match &self.tls {
             Some(tls) => match tls.as_ref() {
                 "None" => TlsMode::None,
                 // TODO add tls support for connecting to postgres db
-                //"Prefer" => TlsMode::Prefer(&postgres::Connection),
-                //"Require" => TlsMode::Require(&postgres::Connection),
+                "Prefer" => r2d2_postgres::TlsMode::Prefer(Box::new(negotiator)),
+                "Require" => r2d2_postgres::TlsMode::Require(Box::new(negotiator)),
                 _ => TlsMode::None
             },
             None => TlsMode::None
@@ -511,7 +546,7 @@ impl WalletStrategy for MultiWalletSingleTableStrategySharedPool {
         let url_base = PostgresStorageType::_admin_postgres_url(&config, &credentials);
         let url = PostgresStorageType::_postgres_url(_WALLETS_DB, &config, &credentials);
 
-        let conn = postgres::Connection::connect(&url_base[..], postgres::TlsMode::None)?;
+        let conn = postgres::Connection::connect(&url_base[..], config.tls())?;
 
         if let Err(error) = conn.execute(&_CREATE_WALLETS_DATABASE, &[]) {
             if error.code() != Some(&postgres::error::DUPLICATE_DATABASE) {
@@ -525,7 +560,7 @@ impl WalletStrategy for MultiWalletSingleTableStrategySharedPool {
         }
         conn.finish()?;
 
-        let conn = match postgres::Connection::connect(&url[..], postgres::TlsMode::None) {
+        let conn = match postgres::Connection::connect(&url[..], config.tls()) {
             Ok(conn) => conn,
             Err(error) => {
                 return Err(WalletStorageError::IOError(format!("Error occurred while connecting to wallet schema: {}", error)));
@@ -546,7 +581,7 @@ impl WalletStrategy for MultiWalletSingleTableStrategySharedPool {
         // insert metadata
         let url = PostgresStorageType::_postgres_url(_WALLETS_DB, &config, &credentials);
 
-        let conn = match postgres::Connection::connect(&url[..], postgres::TlsMode::None) {
+        let conn = match postgres::Connection::connect(&url[..], config.tls()) {
             Ok(conn) => conn,
             Err(error) => {
                 return Err(WalletStorageError::IOError(format!("Error occurred while connecting to wallet schema: {}", error)));
@@ -606,7 +641,7 @@ impl WalletStrategy for MultiWalletSingleTableStrategySharedPool {
     fn delete_wallet(&self, id: &str, config: &PostgresConfig, credentials: &PostgresCredentials) -> Result<(), WalletStorageError> {
         let url = PostgresStorageType::_postgres_url(&_WALLETS_DB, &config, &credentials);
 
-        let conn = match postgres::Connection::connect(&url[..], postgres::TlsMode::None) {
+        let conn = match postgres::Connection::connect(&url[..], config.tls()) {
             Ok(conn) => conn,
             Err(error) => {
                 return Err(WalletStorageError::IOError(format!("Error occurred while connecting to wallet schema: {}", error)));
@@ -1856,7 +1891,7 @@ impl WalletStorageType for PostgresStorageType {
             .map_or(Ok(None), |v| v.map(Some))
             .map_err(|err| CommonError::InvalidStructure(format!("Cannot deserialize credentials: {:?}", err)))?;
 
-        let config = match config {
+        let mut config = match config {
             Some(config) => config,
             None => return Err(WalletStorageError::ConfigError)
         };
@@ -1865,6 +1900,8 @@ impl WalletStorageType for PostgresStorageType {
             None => return Err(WalletStorageError::ConfigError)
         };
 
+        config.init_tls();
+
         match config.wallet_scheme {
             Some(scheme) => match scheme {
                 WalletScheme::DatabasePerWallet => {
@@ -1938,7 +1975,7 @@ impl WalletStorageType for PostgresStorageType {
             .map_or(Ok(None), |v| v.map(Some))
             .map_err(|err| CommonError::InvalidStructure(format!("Cannot deserialize credentials: {:?}", err)))?;
 
-        let config = match config {
+        let mut config = match config {
             Some(config) => config,
             None => return Err(WalletStorageError::ConfigError)
         };
@@ -1947,6 +1984,8 @@ impl WalletStorageType for PostgresStorageType {
             None => return Err(WalletStorageError::ConfigError)
         };
 
+        config.init_tls();
+
         let strategy_read_lock = SELECTED_STRATEGY.read().unwrap();
         strategy_read_lock.as_ref().delete_wallet(id, &config, &credentials)
     }
@@ -1988,7 +2027,7 @@ impl WalletStorageType for PostgresStorageType {
             .map_or(Ok(None), |v| v.map(Some))
             .map_err(|err| CommonError::InvalidStructure(format!("Cannot deserialize credentials: {:?}", err)))?;
 
-        let config = match config {
+        let mut config = match config {
             Some(config) => config,
             None => return Err(WalletStorageError::ConfigError)
         };
@@ -1997,6 +2036,8 @@ impl WalletStorageType for PostgresStorageType {
             None => return Err(WalletStorageError::ConfigError)
         };
 
+        config.init_tls();
+
         // initialize using the global selected_strategy object
         let r1 = SELECTED_STRATEGY.read().unwrap();
         r1.as_ref().create_wallet(id, &config, &credentials, metadata)
@@ -2039,7 +2080,7 @@ impl WalletStorageType for PostgresStorageType {
             .map_or(Ok(None), |v| v.map(Some))
             .map_err(|err| CommonError::InvalidStructure(format!("Cannot deserialize credentials: {:?}", err)))?;
 
-        let config = match config
+        let mut config = match config
         {
             Some(config) => config,
             None => return Err(WalletStorageError::ConfigError)
@@ -2049,6 +2090,8 @@ impl WalletStorageType for PostgresStorageType {
             None => return Err(WalletStorageError::ConfigError)
         };
 
+        config.init_tls();
+
         // initialize using the global selected_strategy object
         let r1 = SELECTED_STRATEGY.read().unwrap();
         r1.as_ref().open_wallet(id, &config, &credentials)