Skip to content

Commit 8d56f86

Browse files
hjr3hjr3
committed
introduce sslcompat=libpq flag to support libpq sslmode semantics
1 parent c3aebe7 commit 8d56f86

3 files changed

Lines changed: 86 additions & 30 deletions

File tree

packages/pg-connection-string/README.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -87,12 +87,17 @@ Query parameters follow a `?` character, including the following special query p
8787
* `host=<host>` - sets `host` property, overriding the URL's host
8888
* `encoding=<encoding>` - sets the `client_encoding` property
8989
* `ssl=1`, `ssl=true`, `ssl=0`, `ssl=false` - sets `ssl` to true or false, accordingly
90-
* `sslmode=<sslmode>`
90+
* `sslcompat=libpq` - use libpq semantics for `sslmode`
91+
* `sslmode=<sslmode>` when `sslcompat=libpq`
9192
* `sslmode=disable` - sets `ssl` to false
9293
* `sslmode=no-verify`, `sslmode=prefer` - sets `ssl` to `{ rejectUnauthorized: false }`
9394
* `sslmode=require` - sets `ssl` to `{ rejectUnauthorized: false }` unless `sslrootcert` is specified, in which case it behaves like `verify-ca`
9495
* `sslmode=verify-ca` - sets `ssl` to `{ checkServerIdentity: no-op }` (verify CA, but not server identity)
9596
* `sslmode=verify-full` - sets `ssl` to `{}` (verify CA and server identity)
97+
* `sslmode=<sslmode>` when `sslcompat` is not set
98+
* `sslmode=disable` - sets `ssl` to false
99+
* `sslmode=no-verify` - sets `ssl` to `{ rejectUnauthorized: false }`
100+
* `sslmode=prefer`, `sslmode=require`, `sslmode=verify-ca`, `sslmode=verify-full` - sets `ssl` to true
96101
* `sslcert=<filename>` - reads data from the given file and includes the result as `ssl.cert`
97102
* `sslkey=<filename>` - reads data from the given file and includes the result as `ssl.key`
98103
* `sslrootcert=<filename>` - reads data from the given file and includes the result as `ssl.ca`

packages/pg-connection-string/index.js

Lines changed: 41 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -87,31 +87,50 @@ function parse(str) {
8787
config.ssl.ca = fs.readFileSync(config.sslrootcert).toString()
8888
}
8989

90-
switch (config.sslmode) {
91-
case 'disable': {
92-
config.ssl = false
93-
break
94-
}
95-
case 'prefer':
96-
case 'no-verify': {
97-
config.ssl.rejectUnauthorized = false
98-
break
99-
}
100-
case 'require': {
101-
if (config.sslrootcert) {
102-
// If a root CA is specified, behavior of `sslmode=require` will be the same as that of `verify-ca`
103-
config.ssl.checkServerIdentity = function () {}
104-
} else {
90+
if (config.sslcompat === 'libpq') {
91+
switch (config.sslmode) {
92+
case 'disable': {
93+
config.ssl = false
94+
break
95+
}
96+
case 'prefer':
97+
case 'no-verify': {
10598
config.ssl.rejectUnauthorized = false
99+
break
100+
}
101+
case 'require': {
102+
if (config.sslrootcert) {
103+
// If a root CA is specified, behavior of `sslmode=require` will be the same as that of `verify-ca`
104+
config.ssl.checkServerIdentity = function () {}
105+
} else {
106+
config.ssl.rejectUnauthorized = false
107+
}
108+
break
109+
}
110+
case 'verify-ca': {
111+
config.ssl.checkServerIdentity = function () {}
112+
break
113+
}
114+
case 'verify-full': {
115+
break
106116
}
107-
break
108-
}
109-
case 'verify-ca': {
110-
config.ssl.checkServerIdentity = function () {}
111-
break
112117
}
113-
case 'verify-full': {
114-
break
118+
} else {
119+
switch (config.sslmode) {
120+
case 'disable': {
121+
config.ssl = false
122+
break
123+
}
124+
case 'prefer':
125+
case 'require':
126+
case 'verify-ca':
127+
case 'verify-full': {
128+
break
129+
}
130+
case 'no-verify': {
131+
config.ssl.rejectUnauthorized = false
132+
break
133+
}
115134
}
116135
}
117136

packages/pg-connection-string/test/parse.js

Lines changed: 39 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
'use strict'
22

33
var chai = require('chai')
4+
var expect = chai.expect
45
chai.should()
56

67
var parse = require('../').parse
@@ -255,29 +256,52 @@ describe('parse', function () {
255256
subject.ssl.should.eql(false)
256257
})
257258

258-
it('configuration parameter sslmode=prefer', function () {
259-
var connectionString = 'pg:///?sslmode=prefer'
259+
it('configuration parameter sslmode=prefer with libpq compatibility', function () {
260+
var connectionString = 'pg:///?sslmode=prefer&sslcompat=libpq'
260261
var subject = parse(connectionString)
261262
subject.ssl.should.eql({
262263
rejectUnauthorized: false,
263264
})
264265
})
265266

266-
it('configuration parameter sslmode=require', function () {
267-
var connectionString = 'pg:///?sslmode=require'
267+
it('configuration parameter sslmode=require with libpq compatibility', function () {
268+
var connectionString = 'pg:///?sslmode=require&sslcompat=libpq'
268269
var subject = parse(connectionString)
269270
subject.ssl.should.eql({
270271
rejectUnauthorized: false,
271272
})
272273
})
273274

274-
it('configuration parameter sslmode=verify-ca', function () {
275-
var connectionString = 'pg:///?sslmode=verify-ca'
275+
it('configuration parameter sslmode=verify-ca with libpq compatibility', function () {
276+
var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq'
276277
var subject = parse(connectionString)
277278
subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
278279
expect(subject.ssl.checkServerIdentity()).to.be.undefined
279280
})
280281

282+
it('configuration parameter sslmode=prefer with libpq compatibility', function () {
283+
var connectionString = 'pg:///?sslmode=prefer&sslcompat=libpq'
284+
var subject = parse(connectionString)
285+
subject.ssl.should.eql({
286+
rejectUnauthorized: false,
287+
})
288+
})
289+
290+
it('configuration parameter sslmode=require with libpq compatibility', function () {
291+
var connectionString = 'pg:///?sslmode=require&sslcompat=libpq'
292+
var subject = parse(connectionString)
293+
subject.ssl.should.eql({
294+
rejectUnauthorized: false,
295+
})
296+
})
297+
298+
it('configuration parameter sslmode=verify-ca with libpq compatibility', function () {
299+
var connectionString = 'pg:///?sslmode=verify-ca&sslcompat=libpq'
300+
var subject = parse(connectionString)
301+
subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
302+
expect(subject.ssl.checkServerIdentity()).be.undefined
303+
})
304+
281305
it('configuration parameter sslmode=verify-full', function () {
282306
var connectionString = 'pg:///?sslmode=verify-full'
283307
var subject = parse(connectionString)
@@ -287,9 +311,17 @@ describe('parse', function () {
287311
it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca', function () {
288312
var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require'
289313
var subject = parse(connectionString)
314+
subject.ssl.should.eql({
315+
ca: 'example ca\n',
316+
})
317+
})
318+
319+
it('configuration parameter ssl=true and sslmode=require still work with sslrootcert=/path/to/ca with libpq compatibility', function () {
320+
var connectionString = 'pg:///?ssl=true&sslrootcert=' + __dirname + '/example.ca&sslmode=require&sslcompat=libpq'
321+
var subject = parse(connectionString)
290322
subject.ssl.should.have.property('ca', 'example ca\n')
291323
subject.ssl.should.have.property('checkServerIdentity').that.is.a('function')
292-
expect(subject.ssl.checkServerIdentity()).to.be.undefined
324+
expect(subject.ssl.checkServerIdentity()).be.undefined
293325
})
294326

295327
it('allow other params like max, ...', function () {

0 commit comments

Comments
 (0)