Add support for sslcert, sslkey and sslrootcert parameters in DSNs

Author: jdobes

asyncpg/connect_utils.py

@@ -222,6 +222,7 @@ def _parse_hostlist(hostlist, port, *, unquote=False):
 
 def _parse_connect_dsn_and_args(*, dsn, host, port, user,
                                 password, passfile, database, ssl,
+                                sslcert, sslkey, sslrootcert, sslcrl,
                                 connect_timeout, server_settings):
     # `auth_hosts` is the version of host information for the purposes
     # of reading the pgpass file.
@@ -310,6 +311,26 @@ def _parse_connect_dsn_and_args(*, dsn, host, port, user,
                 if ssl is None:
                     ssl = val
 
+            if 'sslcert' in query:
+                val = query.pop('sslcert')
+                if sslcert is None:
+                    sslcert = val
+
+            if 'sslkey' in query:
+                val = query.pop('sslkey')
+                if sslkey is None:
+                    sslkey = val
+
+            if 'sslrootcert' in query:
+                val = query.pop('sslrootcert')
+                if sslrootcert is None:
+                    sslrootcert = val
+
+            if 'sslcrl' in query:
+                val = query.pop('sslcrl')
+                if sslcrl is None:
+                    sslcrl = val
+
             if query:
                 if server_settings is None:
                     server_settings = query
@@ -427,7 +448,6 @@ def _parse_connect_dsn_and_args(*, dsn, host, port, user,
                 '`sslmode` parameter must be one of: {}'.format(modes))
 
         # docs at https://www.postgresql.org/docs/10/static/libpq-connect.html
-        # Not implemented: sslcert & sslkey & sslrootcert & sslcrl params.
         if sslmode < SSLMode.allow:
             ssl = False
         else:
@@ -436,6 +456,28 @@ def _parse_connect_dsn_and_args(*, dsn, host, port, user,
             ssl.verify_mode = ssl_module.CERT_REQUIRED
             if sslmode <= SSLMode.require:
                 ssl.verify_mode = ssl_module.CERT_NONE
+        
+            if sslcert is None:
+                sslcert = os.getenv('PGSSLCERT')
+
+            if sslkey is None:
+                sslkey = os.getenv('PGSSLKEY')
+
+            if sslrootcert is None:
+                sslrootcert = os.getenv('PGSSLROOTCERT')
+
+            if sslcrl is None:
+                sslcrl = os.getenv('PGSSLCRL')
+
+            if sslcert:
+                ssl.load_cert_chain(sslcert, keyfile=sslkey)
+
+            if sslrootcert:
+                ssl.load_verify_locations(cafile=sslrootcert)
+
+            if sslcrl:
+                ssl.load_verify_locations(cafile=sslcrl)
+
     elif ssl is True:
         ssl = ssl_module.create_default_context()
         sslmode = SSLMode.verify_full
@@ -463,7 +505,8 @@ def _parse_connect_arguments(*, dsn, host, port, user, password, passfile,
                              statement_cache_size,
                              max_cached_statement_lifetime,
                              max_cacheable_statement_size,
-                             ssl, server_settings):
+                             ssl, sslcert, sslkey, sslrootcert, sslcrl,
+                             server_settings):
 
     local_vars = locals()
     for var_name in {'max_cacheable_statement_size',
@@ -491,7 +534,8 @@ def _parse_connect_arguments(*, dsn, host, port, user, password, passfile,
     addrs, params = _parse_connect_dsn_and_args(
         dsn=dsn, host=host, port=port, user=user,
         password=password, passfile=passfile, ssl=ssl,
-        database=database, connect_timeout=timeout,
+        sslcert=sslcert, sslkey=sslkey, sslrootcert=sslrootcert,
+        sslcrl=sslcrl, database=database, connect_timeout=timeout,
         server_settings=server_settings)
 
     config = _ClientConfiguration(

asyncpg/connection.py

@@ -1758,6 +1758,10 @@ async def connect(dsn=None, *,
                   max_cacheable_statement_size=1024 * 15,
                   command_timeout=None,
                   ssl=None,
+                  sslcert=None,
+                  sslkey=None,
+                  sslrootcert=None,
+                  sslcrl=None,
                   connection_class=Connection,
                   record_class=protocol.Record,
                   server_settings=None):
@@ -1900,6 +1904,21 @@ async def connect(dsn=None, *,
         .. note::
 
            *ssl* is ignored for Unix domain socket communication.
+    
+    :param sslcert:
+        This parameter specifies the file name of the client SSL certificate.
+
+    :param sslkey:
+        This parameter specifies the location for the secret key used for
+        the client certificate.
+
+    :param sslrootcert:
+        This parameter specifies the name of a file containing SSL certificate
+        authority (CA) certificate(s).
+
+    :param sslcrl
+        This parameter specifies the file name of the SSL certificate
+        revocation list (CRL).
 
     :param dict server_settings:
         An optional dict of server runtime parameters.  Refer to
@@ -1993,6 +2012,10 @@ async def connect(dsn=None, *,
         password=password,
         passfile=passfile,
         ssl=ssl,
+        sslcert=sslcert,
+        sslkey=sslkey,
+        sslrootcert=sslrootcert,
+        sslcrl=sslcrl,
         database=database,
         server_settings=server_settings,
         command_timeout=command_timeout,