author | 2021-07-19 18:03:07 +0200 | |
---|---|---|
committer | 2021-07-19 18:03:07 +0200 | |
commit | 677490bc4e8d61627bcab32ed801c10a27139f29 (patch) | |
tree | 8ef634f6cf46886fa0baf83dc096824c05078096 /internal/db/pg/pg.go | |
parent | Static fileserver improvements, optional admin panel route (#100) (diff) | |
Db tls (#102)
* go mod tidy
* complete example config
* add tls support for db connection
* add certpool to tlsConfig
* add some lil docker scripts
Diffstat (limited to 'internal/db/pg/pg.go')
-rw-r--r-- | internal/db/pg/pg.go | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/internal/db/pg/pg.go b/internal/db/pg/pg.go
index ad75cef15..5301f0410 100644
--- a/internal/db/pg/pg.go
+++ b/internal/db/pg/pg.go
@@ -22,10 +22,14 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"net"
 	"net/mail"
+	"os"
 	"strings"
 	"time"
 
@@ -133,6 +137,53 @@ func derivePGOptions(c *config.Config) (*pg.Options, error) {
 		return nil, errors.New("no database set")
 	}
 
+	var tlsConfig *tls.Config
+	switch c.DBConfig.TLSMode {
+	case config.DBTLSModeDisable, config.DBTLSModeUnset:
+		break // nothing to do
+	case config.DBTLSModeEnable:
+		tlsConfig = &tls.Config{
+			InsecureSkipVerify: true,
+		}
+	case config.DBTLSModeRequire:
+		tlsConfig = &tls.Config{
+			InsecureSkipVerify: false,
+		}
+	}
+
+	if tlsConfig != nil && c.DBConfig.TLSCACert != "" {
+		// load the system cert pool first -- we'll append the given CA cert to this
+		certPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, fmt.Errorf("error fetching system CA cert pool: %s", err)
+		}
+
+		// open the file itself and make sure there's something in it
+		caCertBytes, err := os.ReadFile(c.DBConfig.TLSCACert)
+		if err != nil {
+			return nil, fmt.Errorf("error opening CA certificate at %s: %s", c.DBConfig.TLSCACert, err)
+		}
+		if len(caCertBytes) == 0 {
+			return nil, fmt.Errorf("ca cert at %s was empty", c.DBConfig.TLSCACert)
+		}
+
+		// make sure we have a PEM block
+		caPem, _ := pem.Decode(caCertBytes)
+		if caPem == nil {
+			return nil, fmt.Errorf("could not parse cert at %s into PEM", c.DBConfig.TLSCACert)
+		}
+
+		// parse the PEM block into the certificate
+		caCert, err := x509.ParseCertificate(caPem.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("could not parse cert at %s into x509 certificate: %s", c.DBConfig.TLSCACert, err)
+		}
+
+		// we're happy, add it to the existing pool and then use this pool in our tls config
+		certPool.AddCert(caCert)
+		tlsConfig.RootCAs = certPool
+	}
+
 	// We can rely on the pg library we're using to set
 	// sensible defaults for everything we don't set here.
 	options := &pg.Options{
@@ -141,6 +192,7 @@ func derivePGOptions(c *config.Config) (*pg.Options, error) {
 		Password:        c.DBConfig.Password,
 		Database:        c.DBConfig.Database,
 		ApplicationName: c.ApplicationName,
+		TLSConfig:       tlsConfig,
 	}
 
 	return options, nil
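Review bot: In the `config.DBTLSModeEnable` branch `InsecureSkipVerify: true` disables chain and hostname verification entirely, so when a TLSCACert is also configured the `tlsConfig.RootCAs = certPool` assignment further down has no effect — the operator-supplied CA is silently never consulted, and only the Require mode actually authenticates the server. Either reject the combination or document it at the switch, e.g. `// Enable mode encrypts but does not verify the server; TLSCACert is only honoured in Require mode`. Separately, `pem.Decode` returns only the first PEM block, so a CA bundle file loses every certificate after the first; `if !certPool.AppendCertsFromPEM(caCertBytes) { return nil, fmt.Errorf("no valid certificates found in CA cert at %s", c.DBConfig.TLSCACert) }` handles bundles and replaces the decode/parse/AddCert sequence. Whether the pg driver fills `ServerName` from the address when it is left empty here is not visible in this hunk and is worth confirming, since without it hostname verification in Require mode cannot match. derivePGOptions begins and ends outside the hunks shown.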