fix: enable rustls-backed Postgres TLS connections (#729)

psteinroe · web-flow · commit 2c7f5a314df5 · 2026-04-04T21:16:46.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -44,7 +44,7 @@ dir-test                 = "0.4.1"
 prost                    = "0.13.5"
 prost-reflect            = "0.15.3"
 protox                   = "0.8.0"
-sqlx                     = { version = "0.8.2", features = ["runtime-tokio", "runtime-async-std", "postgres", "json"] }
+sqlx                     = { version = "0.8.2", features = ["runtime-tokio-rustls", "runtime-async-std-rustls", "postgres", "json"] }
 syn                      = { version = "1.0.109", features = ["full"] }
 termcolor                = "1.4.1"
 test-log                 = "0.2.17"
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,15 @@ FROM postgres:15
 
 # Install build dependencies
 RUN apt-get update && \
-    apt-get install -y postgresql-server-dev-15 gcc make git curl pkg-config libssl-dev libclang-dev clang libicu-dev && \
+    apt-get install -y postgresql-server-dev-15 gcc make git curl pkg-config libssl-dev libclang-dev clang libicu-dev openssl && \
+    mkdir -p /etc/postgresql/ssl && \
+    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
+      -subj "/CN=localhost" \
+      -keyout /etc/postgresql/ssl/server.key \
+      -out /etc/postgresql/ssl/server.crt && \
+    chmod 600 /etc/postgresql/ssl/server.key && \
+    chmod 644 /etc/postgresql/ssl/server.crt && \
+    chown postgres:postgres /etc/postgresql/ssl/server.key /etc/postgresql/ssl/server.crt && \
     # Install plpgsql_check (C extension - simple make install)
     # Pin to v2.7.11 for stability with PG15
     cd /tmp && \
@@ -24,12 +32,12 @@ RUN apt-get update && \
     git clone --depth 1 https://github.com/pmpetit/pglinter.git && \
     cd pglinter && \
     cargo pgrx install --pg-config $(which pg_config) --release && \
-    # Cleanup Rust and build dependencies
+    # Cleanup Rust toolchains and temporary sources
     rm -rf /tmp/pglinter $HOME/.cargo $HOME/.rustup && \
-    apt-get remove -y gcc make git curl pkg-config libssl-dev libclang-dev clang libicu-dev && \
-    apt-get autoremove -y && \
     rm -rf /var/lib/apt/lists/*
 
+RUN printf "\nssl = on\nssl_cert_file = '/etc/postgresql/ssl/server.crt'\nssl_key_file = '/etc/postgresql/ssl/server.key'\n" >> /usr/share/postgresql/postgresql.conf.sample
+
 # Add initialization script for extensions
 # Create extensions in a dedicated 'extensions' schema to avoid triggering extensionInPublic lint
 # Create in template1 so they're available in all new databases (for SQLx tests)
diff --git a/crates/pgls_cli/tests/assert_check.rs b/crates/pgls_cli/tests/assert_check.rs
@@ -1,6 +1,10 @@
 use assert_cmd::cargo_bin_cmd;
 use insta::assert_snapshot;
+#[cfg(target_os = "linux")]
+use sqlx::PgPool;
 use std::path::Path;
+#[cfg(target_os = "linux")]
+use std::path::PathBuf;
 use std::process::ExitStatus;
 const CONFIG_PATH: &str = "tests/fixtures/postgres-language-server.jsonc";
 
@@ -125,6 +129,75 @@ fn check_directory_traversal_snapshot() {
     ));
 }
 
+#[cfg(target_os = "linux")]
+fn get_database_url(pool: &PgPool) -> String {
+    let opts = pool.connect_options();
+    format!(
+        "postgres://postgres:postgres@{}:{}/{}",
+        opts.get_host(),
+        opts.get_port(),
+        opts.get_database().unwrap_or("postgres")
+    )
+}
+
+#[cfg(target_os = "linux")]
+fn create_temp_sql_file(contents: &str) -> PathBuf {
+    let path = std::env::temp_dir().join(format!(
+        "pgls-tls-{}-{}.sql",
+        std::process::id(),
+        std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .expect("system clock should be after unix epoch")
+            .as_nanos()
+    ));
+
+    std::fs::write(&path, contents).expect("failed to write temporary SQL file");
+    path
+}
+
+#[cfg(target_os = "linux")]
+#[sqlx::test(migrator = "pgls_test_utils::MIGRATIONS")]
+async fn check_accepts_tls_connection_strings(test_db: PgPool) {
+    let sql_file = create_temp_sql_file("select 1;\n");
+    let connection_string = format!(
+        "{}?sslmode=require&channel_binding=require",
+        get_database_url(&test_db)
+    );
+
+    let mut cmd = cargo_bin_cmd!("postgres-language-server");
+    let output = cmd
+        .args([
+            "check",
+            sql_file
+                .to_str()
+                .expect("temporary SQL file path should be valid UTF-8"),
+            "--connection-string",
+            &connection_string,
+            "--log-level",
+            "none",
+        ])
+        .output()
+        .expect("failed to run CLI");
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    let stderr = String::from_utf8_lossy(&output.stderr);
+
+    assert!(
+        output.status.success(),
+        "expected TLS-backed check to succeed\nstdout:\n{stdout}\nstderr:\n{stderr}"
+    );
+    assert!(
+        !stdout.contains("TLS upgrade required") && !stderr.contains("TLS upgrade required"),
+        "TLS support error should not appear\nstdout:\n{stdout}\nstderr:\n{stderr}"
+    );
+    assert!(
+        stdout.contains("Checked 1 file"),
+        "expected successful CLI output\nstdout:\n{stdout}\nstderr:\n{stderr}"
+    );
+
+    std::fs::remove_file(sql_file).expect("failed to remove temporary SQL file");
+}
+
 fn run_check(args: &[&str]) -> String {
     let mut full_args = vec!["--config-path", CONFIG_PATH, "--log-level", "none"];
     full_args.extend_from_slice(args);
