Allow users to pass certs with PG environment variables

RichardJCai · rafiss · commit 7b1c4b1b0e0e · 2022-03-25T16:50:26.000-04:00
If PGSSLMODE is specified and is either require, verify-ca or verify-full, then the PGSSLROOTCERT, PGSSLCERT, and PGSSLKEY environment variables will be checked for certificate paths and used to connect. This also includes a fix to CI to stop getting the following error: ``` yarn install v1.22.17 [1/4] Resolving packages... [2/4] Fetching packages... error Command failed. Exit code: 128 Command: git Arguments: ls-remote --tags --heads git://github.com/BonsaiDen/Fomatto.git Directory: /home/runner/work/node-postgres/node-postgres Output: fatal: remote error: The unauthenticated git protocol on port 9418 is no longer supported. Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information. info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command. ```
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,6 +21,8 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
     name: Node.js ${{ matrix.node }} (${{ matrix.os }})
     steps:
+      - name: Fix up git URLs
+        run: echo -e '[url "https://github.com/"]\n  insteadOf = "git://github.com/"' >> ~/.gitconfig
       - uses: actions/checkout@v2
       - name: Setup node
         uses: actions/setup-node@v2
diff --git a/packages/pg/lib/connection-parameters.js b/packages/pg/lib/connection-parameters.js
@@ -1,6 +1,7 @@
 'use strict'
 
 var dns = require('dns')
+var fs = require('fs')
 
 var defaults = require('./defaults')
 
@@ -23,10 +24,15 @@ var readSSLConfigFromEnvironment = function () {
     case 'disable':
       return false
     case 'prefer':
+      return true
     case 'require':
     case 'verify-ca':
     case 'verify-full':
-      return true
+      return {
+        ca: process.env.PGSSLROOTCERT ? fs.readFileSync(process.env.PGSSLROOTCERT).toString() : undefined,
+        key: process.env.PGSSLKEY ? fs.readFileSync(process.env.PGSSLKEY).toString() : undefined,
+        cert: process.env.PGSSLCERT ? fs.readFileSync(process.env.PGSSLCERT).toString() : undefined,
+      }
     case 'no-verify':
       return { rejectUnauthorized: false }
   }
diff --git a/packages/pg/test/integration/connection-pool/tls-tests.js b/packages/pg/test/integration/connection-pool/tls-tests.js
@@ -9,13 +9,9 @@ const suite = new helper.Suite()
 
 if (process.env.PG_CLIENT_CERT_TEST) {
   suite.testAsync('client certificate', async () => {
-    const pool = new pg.Pool({
-      ssl: {
-        ca: fs.readFileSync(process.env.PGSSLROOTCERT),
-        cert: fs.readFileSync(process.env.PGSSLCERT),
-        key: fs.readFileSync(process.env.PGSSLKEY),
-      },
-    })
+    // PGSSLROOTCERT, PGSSLCERT, and PGSSLKEY are all set as environment
+    // variables in .travis.yml
+    const pool = new pg.Pool()
 
     await pool.query('SELECT 1')
     await pool.end()
diff --git a/packages/pg/test/unit/connection-parameters/environment-variable-tests.js b/packages/pg/test/unit/connection-parameters/environment-variable-tests.js
@@ -117,9 +117,9 @@ testVal('', false)
 testVal('disable', false)
 testVal('allow', false)
 testVal('prefer', true)
-testVal('require', true)
-testVal('verify-ca', true)
-testVal('verify-full', true)
+testVal('require', { ca: undefined, cert: undefined, key: undefined })
+testVal('verify-ca', { ca: undefined, cert: undefined, key: undefined })
+testVal('verify-full', { ca: undefined, cert: undefined, key: undefined })
 testVal('no-verify', { rejectUnauthorized: false })
 
 // restore process.env
