Add support for SSL tunnels

mp911de · mp911de · commit d878858104c6 · 2020-07-02T11:26:44.000+02:00
[resolves #295]
diff --git a/README.md b/README.md
@@ -82,7 +82,7 @@ Mono<Connection> connectionMono = Mono.from(connectionFactory.create());
 | `preparedStatementCacheQueries` | Determine the number of queries that are cached in each connection. The default is `-1`, meaning there's no limit. The value of `-1` disables the cache. Any other value specifies the cache size.
 | `options`         | A `Map<String, String>` of connection parameters. These are applied to each database connection created by the `ConnectionFactory`. Useful for setting generic [PostgreSQL connection parameters][psql-runtime-config]. _(Optional)_
 | `schema`          | The search path to set. _(Optional)_
-| `sslMode`         | SSL mode to use, see `SSLMode` enum. Supported values: `DISABLE`, `ALLOW`, `PREFER`, `REQUIRE`, `VERIFY_CA`, `VERIFY_FULL`. _(Optional)_
+| `sslMode`         | SSL mode to use, see `SSLMode` enum. Supported values: `DISABLE`, `ALLOW`, `PREFER`, `REQUIRE`, `VERIFY_CA`, `VERIFY_FULL`, `TUNNEL`. _(Optional)_
 | `sslRootCert`     | Path to SSL CA certificate in PEM format. _(Optional)_
 | `sslKey`          | Path to SSL key for TLS authentication in PEM format. _(Optional)_
 | `sslCert`         | Path to SSL certificate for TLS authentication in PEM format. _(Optional)_
diff --git a/src/main/java/io/r2dbc/postgresql/client/AbstractPostgresSSLHandlerAdapter.java b/src/main/java/io/r2dbc/postgresql/client/AbstractPostgresSSLHandlerAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.r2dbc.postgresql.client;
+
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelInboundHandlerAdapter;
+import io.netty.handler.ssl.SslHandler;
+import io.netty.util.concurrent.Future;
+import io.netty.util.concurrent.GenericFutureListener;
+import io.r2dbc.spi.R2dbcPermissionDeniedException;
+import reactor.core.publisher.Mono;
+
+import javax.net.ssl.SSLEngine;
+import java.net.InetSocketAddress;
+import java.util.concurrent.CompletableFuture;
+
+abstract class AbstractPostgresSSLHandlerAdapter extends ChannelInboundHandlerAdapter implements GenericFutureListener<Future<Channel>> {
+
+    private final SSLConfig sslConfig;
+
+    private final SSLEngine sslEngine;
+
+    private final SslHandler sslHandler;
+
+    private final CompletableFuture<Void> handshakeFuture;
+
+    AbstractPostgresSSLHandlerAdapter(ByteBufAllocator alloc, SSLConfig sslConfig) {
+        this.sslConfig = sslConfig;
+        this.sslEngine = sslConfig.getSslProvider().get()
+            .getSslContext()
+            .newEngine(alloc);
+        this.handshakeFuture = new CompletableFuture<>();
+        this.sslHandler = new SslHandler(this.sslEngine);
+        this.sslHandler.handshakeFuture().addListener(this);
+    }
+
+    @Override
+    public void operationComplete(Future<Channel> future) throws Exception {
+        if (!future.isSuccess()) {
+            completeHandshakeExceptionally(future.cause());
+            return;
+        }
+        if (this.sslConfig.getSslMode() != SSLMode.VERIFY_FULL) {
+            completeHandshake();
+            return;
+        }
+        Channel channel = future.get();
+        InetSocketAddress socketAddress = (InetSocketAddress) channel.remoteAddress();
+        String hostName = socketAddress.getHostName();
+        if (this.sslConfig.getHostnameVerifier().verify(hostName, this.sslEngine.getSession())) {
+            completeHandshake();
+        } else {
+            completeHandshakeExceptionally(new PostgresqlSslException(String.format("The hostname '%s' could not be verified.", socketAddress.getAddress().toString())));
+        }
+    }
+
+    void completeHandshakeExceptionally(Throwable ex) {
+        this.handshakeFuture.completeExceptionally(ex);
+    }
+
+    boolean completeHandshake() {
+        return this.handshakeFuture.complete(null);
+    }
+
+    Mono<Void> getHandshake() {
+        return Mono.fromFuture(this.handshakeFuture);
+    }
+
+    SslHandler getSslHandler() {
+        return this.sslHandler;
+    }
+
+    /**
+     * Postgres-specific {@link R2dbcPermissionDeniedException}.
+     */
+    static final class PostgresqlSslException extends R2dbcPermissionDeniedException {
+
+        PostgresqlSslException(String msg) {
+            super(msg);
+        }
+
+    }
+
+}
diff --git a/src/main/java/io/r2dbc/postgresql/client/ReactorNettyClient.java b/src/main/java/io/r2dbc/postgresql/client/ReactorNettyClient.java
@@ -382,14 +382,19 @@ private static Mono<? extends Void> registerSslHandler(SSLConfig sslConfig, Conn
             if (sslConfig.getSslMode().startSsl()) {
 
                 return Mono.defer(() -> {
-                    SSLSessionHandlerAdapter sslSessionHandlerAdapter = new SSLSessionHandlerAdapter(it.outbound().alloc(), sslConfig);
-                    it.addHandlerFirst(sslSessionHandlerAdapter);
-                    return sslSessionHandlerAdapter.getHandshake();
+                    AbstractPostgresSSLHandlerAdapter sslAdapter;
+                    if (sslConfig.getSslMode() == SSLMode.TUNNEL) {
+                        sslAdapter = new SSLTunnelHandlerAdapter(it.outbound().alloc(), sslConfig);
+                    } else {
+                        sslAdapter = new SSLSessionHandlerAdapter(it.outbound().alloc(), sslConfig);
+                    }
+
+                    it.addHandlerFirst(sslAdapter);
+                    return sslAdapter.getHandshake();
 
                 }).subscribeOn(Schedulers.boundedElastic());
             }
         } catch (Throwable e) {
-            e.printStackTrace();
             throw new RuntimeException(e);
         }
 
diff --git a/src/main/java/io/r2dbc/postgresql/client/SSLMode.java b/src/main/java/io/r2dbc/postgresql/client/SSLMode.java
@@ -45,7 +45,12 @@ public enum SSLMode {
     /**
      * I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify.
      */
-    VERIFY_FULL("verify-full");
+    VERIFY_FULL("verify-full"),
+
+    /**
+     * I want to use a SSL tunnel instead of following Postgres SSL handshake protocol.
+     */
+    TUNNEL("tunnel");
 
     private final String value;
 
diff --git a/src/main/java/io/r2dbc/postgresql/client/SSLSessionHandlerAdapter.java b/src/main/java/io/r2dbc/postgresql/client/SSLSessionHandlerAdapter.java
@@ -18,42 +18,30 @@
 
 import io.netty.buffer.ByteBuf;
 import io.netty.buffer.ByteBufAllocator;
-import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandlerContext;
-import io.netty.channel.ChannelInboundHandlerAdapter;
-import io.netty.handler.ssl.SslHandler;
-import io.netty.util.concurrent.Future;
-import io.netty.util.concurrent.GenericFutureListener;
 import io.r2dbc.postgresql.message.frontend.SSLRequest;
-import io.r2dbc.spi.R2dbcPermissionDeniedException;
 import reactor.core.publisher.Mono;
 
-import javax.net.ssl.SSLEngine;
-import java.net.InetSocketAddress;
-import java.util.concurrent.CompletableFuture;
-
-// https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.5.7.11
-final class SSLSessionHandlerAdapter extends ChannelInboundHandlerAdapter implements GenericFutureListener<Future<Channel>> {
+/**
+ * SSL handler assuming the endpoint a Postgres endpoint following the {@link SSLRequest} flow.
+ *
+ * @see <a href="https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.5.7.11">https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.5.7.11</a>
+ */
+final class SSLSessionHandlerAdapter extends AbstractPostgresSSLHandlerAdapter {
 
     private final ByteBufAllocator alloc;
 
     private final SSLConfig sslConfig;
 
-    private final SSLEngine sslEngine;
-
-    private final SslHandler sslHandler;
-
-    private final CompletableFuture<Void> handshakeFuture;
-
     SSLSessionHandlerAdapter(ByteBufAllocator alloc, SSLConfig sslConfig) {
+        super(alloc, sslConfig);
         this.alloc = alloc;
         this.sslConfig = sslConfig;
-        this.sslEngine = sslConfig.getSslProvider().get()
-            .getSslContext()
-            .newEngine(alloc);
-        this.handshakeFuture = new CompletableFuture<>();
-        this.sslHandler = new SslHandler(this.sslEngine);
-        this.sslHandler.handshakeFuture().addListener(this);
+    }
+
+    @Override
+    public void handlerAdded(ChannelHandlerContext ctx) {
+        Mono.from(SSLRequest.INSTANCE.encode(this.alloc)).subscribe(ctx::writeAndFlush);
     }
 
     @Override
@@ -72,67 +60,27 @@ public void channelRead(ChannelHandlerContext ctx, Object msg) {
         }
     }
 
-    @Override
-    public void operationComplete(Future<Channel> future) throws Exception {
-        if (!future.isSuccess()) {
-            this.handshakeFuture.completeExceptionally(future.cause());
-            return;
-        }
-        if (this.sslConfig.getSslMode() != SSLMode.VERIFY_FULL) {
-            this.handshakeFuture.complete(null);
-            return;
-        }
-        Channel channel = future.get();
-        InetSocketAddress socketAddress = (InetSocketAddress) channel.remoteAddress();
-        String hostName = socketAddress.getHostName();
-        if (this.sslConfig.getHostnameVerifier().verify(hostName, this.sslEngine.getSession())) {
-            this.handshakeFuture.complete(null);
-        } else {
-            this.handshakeFuture.completeExceptionally(new PostgresqlSslException(String.format("The hostname '%s' could not be verified.", socketAddress.getAddress().toString())));
-        }
-    }
-
     private void processSslDisabled(ChannelHandlerContext ctx, Object msg) {
         if (this.sslConfig.getSslMode().requireSsl()) {
             PostgresqlSslException e =
                 new PostgresqlSslException("Server support for SSL connection is disabled, but client was configured with SSL mode " + this.sslConfig.getSslMode());
-            this.handshakeFuture.completeExceptionally(e);
+            completeHandshakeExceptionally(e);
         } else {
-            this.handshakeFuture.complete(null);
+            completeHandshake();
         }
     }
 
     private void processSslEnabled(ChannelHandlerContext ctx, Object msg) {
         if (this.sslConfig.getSslMode() == SSLMode.DISABLE) {
 
             PostgresqlSslException e = new PostgresqlSslException("Server requires SSL handshake, but client was configured with SSL mode DISABLE");
-            this.handshakeFuture.completeExceptionally(e);
+            completeHandshakeExceptionally(e);
             return;
         }
         ctx.channel().pipeline()
-            .addFirst(this.sslHandler)
+            .addFirst(this.getSslHandler())
             .remove(this);
         ctx.fireChannelRead(msg);
     }
 
-    @Override
-    public void handlerAdded(ChannelHandlerContext ctx) {
-        Mono.from(SSLRequest.INSTANCE.encode(this.alloc)).subscribe(ctx::writeAndFlush);
-    }
-
-    Mono<Void> getHandshake() {
-        return Mono.fromFuture(this.handshakeFuture);
-    }
-
-    /**
-     * Postgres-specific {@link R2dbcPermissionDeniedException}.
-     */
-    static final class PostgresqlSslException extends R2dbcPermissionDeniedException {
-
-        PostgresqlSslException(String msg) {
-            super(msg);
-        }
-
-    }
-
 }
diff --git a/src/main/java/io/r2dbc/postgresql/client/SSLTunnelHandlerAdapter.java b/src/main/java/io/r2dbc/postgresql/client/SSLTunnelHandlerAdapter.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2017-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.r2dbc.postgresql.client;
+
+import io.netty.buffer.ByteBufAllocator;
+import io.netty.channel.ChannelHandlerContext;
+
+/**
+ * SSL handler assuming the endpoint is a SSL tunnel and not a Postgres endpoint.
+ */
+final class SSLTunnelHandlerAdapter extends AbstractPostgresSSLHandlerAdapter {
+
+    private SSLConfig sslConfig;
+
+    SSLTunnelHandlerAdapter(ByteBufAllocator alloc, SSLConfig sslConfig) {
+        super(alloc, sslConfig);
+    }
+
+    @Override
+    public void handlerAdded(ChannelHandlerContext ctx) {
+
+        if (this.sslConfig.getSslMode() == SSLMode.DISABLE) {
+
+            PostgresqlSslException e = new PostgresqlSslException("Server requires SSL handshake, but client was configured with SSL mode DISABLE");
+            completeHandshakeExceptionally(e);
+            return;
+        }
+        ctx.channel().pipeline()
+            .addFirst(this.getSslHandler())
+            .remove(this);
+    }
+
+}
