ssl: only set "sslrootcert" once #573
Conversation
|
I can't tell if it's appropriate to treat |
ssl.go
Outdated
| errorf("couldn't parse pem in sslrootcert") | ||
| } | ||
| } else { | ||
| delete(o, "sslrootcert") |
There was a problem hiding this comment.
iiuc, this has the same problem described in #570. We shouldn't be writing to o.
There was a problem hiding this comment.
I don't think so, because it's now guarded by the presence of a non-empty value, which should only happen once at Dial and not during cancellation.
There was a problem hiding this comment.
I agree that this is safe and fixes the bug there because when this function is re-invoked during cancel, sslrootcert will have been deleted, and so this branch will not be entered.
ssl.go
Outdated
| case "disable": | ||
| return nil | ||
| default: | ||
| errorf(`unsupported sslmode %q; only "require" (default), "verify-full", "verify-ca", and "disable" supported`, mode) | ||
| } | ||
|
|
||
| sslClientCertificates(&tlsConf, o) | ||
| sslCertificateAuthority(&tlsConf, o) |
There was a problem hiding this comment.
This function (or its contents) still need to be invoked when sslmode is verify-ca or verify-full.
There was a problem hiding this comment.
See failing tests TestSSLVerifyCA and TestSSLVerifyFull.
|
All good points, thanks for your review. I'll update it shortly.
…On Mar 6, 2017 6:20 PM, "Chris Bandy" ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In ssl.go <#573 (comment)>:
> case "disable":
return nil
default:
errorf(`unsupported sslmode %q; only "require" (default), "verify-full", "verify-ca", and "disable" supported`, mode)
}
sslClientCertificates(&tlsConf, o)
- sslCertificateAuthority(&tlsConf, o)
See failing tests TestSSLVerifyCA and TestSSLVerifyFull.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#573 (comment)>, or mute the
thread
<https://github.com/notifications/unsubscribe-auth/ABdsPHcUIxAZ1Syz8oTqNghxzLpAIwf6ks5rjJTWgaJpZM4MUdXd>
.
|
|
@cbandy addressed your concrete comments; anything else you'd like to see done before merging? |
There was a problem hiding this comment.
The logic/fix for #570 looks sound.
However, I'm convinced we should not change the conditionals that test for empty string. I found (unless I'm mistaken) that the SSL options in this PR are affected negatively, and I suspect other options are affected similarly.
ssl.go
Outdated
| verifyCaOnly = true | ||
| } else { | ||
| o.Set("sslrootcert", "") | ||
| // From http://www.postgresql.org/docs/current/static/libpq- ssl.html: |
There was a problem hiding this comment.
Spaces have appeared after some of the dashes in this paragraph. On this line, it broke this link.
ssl.go
Outdated
|
|
||
| var cinfo, kinfo os.FileInfo | ||
| var err error | ||
|
|
||
| if sslcert != "" && sslkey != "" { | ||
| if sslkeyOK && sslcertOK { |
There was a problem hiding this comment.
As I understand it, this change breaks compatibility with libpq connection strings.
If I'm reading libpq source correctly, these settings fallback to the user/home paths when the supplied value is blank:
There was a problem hiding this comment.
The old code is also incompatible with that libpq logic in that libpq allows either the certificate or the key to be blank, while this only does the right thing if both are blank.
I'm inclined to "break" compatibility in this way until someone reports that they need it, at which time we should add tests and implement the actual libpq behaviour.
There was a problem hiding this comment.
Fixed this, I think, though I think tests are going to break and I've not yet explicitly tested the empty string case.
ssl.go
Outdated
| @@ -105,16 109,15 @@ func sslClientCertificates(tlsConf *tls.Config, o values) { | |||
|
|
|||
| // sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting. | |||
| func sslCertificateAuthority(tlsConf *tls.Config, o values) { | |||
| if sslrootcert := o.Get("sslrootcert"); sslrootcert != "" { | |||
| if sslrootcert, ok := o["sslrootcert"]; ok { | |||
There was a problem hiding this comment.
As I understand it, this change breaks compatibility with libpq connection strings.
If I'm reading libpq source correctly, the CA certificate is only loaded when this setting is not blank:
There was a problem hiding this comment.
I think you're right, but as mentioned above, I think this is OK until we get a report of someone relying on this behaviour. WDYT?
There was a problem hiding this comment.
Fixed and added a test.
|
If compatibility with |
ssl.go
Outdated
| verifyCaOnly = true | ||
| } else { | ||
| o.Set("sslrootcert", "") | ||
| // From http://www.postgresql.org/docs/current/static/libpq- ssl.html: |
ssl.go
Outdated
|
|
||
| var cinfo, kinfo os.FileInfo | ||
| var err error | ||
|
|
||
| if sslcert != "" && sslkey != "" { | ||
| if sslkeyOK && sslcertOK { |
There was a problem hiding this comment.
The old code is also incompatible with that libpq logic in that libpq allows either the certificate or the key to be blank, while this only does the right thing if both are blank.
I'm inclined to "break" compatibility in this way until someone reports that they need it, at which time we should add tests and implement the actual libpq behaviour.
ssl.go
Outdated
| @@ -105,16 109,15 @@ func sslClientCertificates(tlsConf *tls.Config, o values) { | |||
|
|
|||
| // sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting. | |||
| func sslCertificateAuthority(tlsConf *tls.Config, o values) { | |||
| if sslrootcert := o.Get("sslrootcert"); sslrootcert != "" { | |||
| if sslrootcert, ok := o["sslrootcert"]; ok { | |||
There was a problem hiding this comment.
I think you're right, but as mentioned above, I think this is OK until we get a report of someone relying on this behaviour. WDYT?
I didn't mean to imply that we should improve compatibility in this PR. I mean that we should not regress compatibility.
I'm not sure what you're trying to imply with the quotes here. I think I sufficiently (?) demonstrated that the behavior of SSL options should be based on blank values rather than the presence of keys in the map.
🤔 I'm still not convinced... Maybe you see some other benefits to these |
|
Well, in general, |
|
@cbandy OK, I think this is good to go with new tests exercising the treatment of empty |
Fixes #570, though I have not been able to write a test for this. Remove methods on `values`. These methods are not a useful abstraction and only serve to obscure that the underlying structure is a map. Their presence is particularly inconvenient in that they promote confusing empty values with the lack of value. While I'm here, also improve conformance with libpq's treatment of blank sslcert and sslkey option values. See the test changes for specific changes.
|
Review status: 0 of 6 files reviewed at latest revision, 1 unresolved discussion. ssl_test.go, line 44 at r1 (raw file):
Why don't we need to close the db here? Comments from Reviewable |
|
Review status: 0 of 6 files reviewed at latest revision, 1 unresolved discussion. ssl_test.go, line 44 at r1 (raw file): Previously, mjibson (Matt Jibson) wrote…
I mean, we do, but it doesn't really matter since a nil error will result in a test failure, and the leaked database handle won't turn up anywhere. Comments from Reviewable |
|
Review status: 0 of 6 files reviewed at latest revision, 1 unresolved discussion. ssl_test.go, line 44 at r1 (raw file): Previously, tamird (Tamir Duberstein) wrote…
Will it remain open on the server until a timeout? When running Comments from Reviewable |
|
Review status: 0 of 6 files reviewed at latest revision, 1 unresolved discussion. ssl_test.go, line 44 at r1 (raw file): Previously, mjibson (Matt Jibson) wrote…
There will never be a non-nil connection here in a passing test run. Comments from Reviewable |
|
Well then LGTM, again. I agree that there is (was?) a problem since empty strings had their meaning changed in this PR. It seems like this code handles those in at least a well documented way, and if there are missing combinations we can add those as test cases. |
Fixes #570, though I have not been able to write a test for this.
Remove methods on
values. These methods are not a useful abstractionand only serve to obscure that the underlying structure is a map. Their
presence is particularly inconvenient in that they promote confusing
empty values with the lack of value.
This change is