Avoid using hostssl without certs

yajo · yajo · commit d32e4492dbd5 · 2019-03-21T14:15:43.000+01:00
The default value is a dangerous one as a drop-in replacement for the official postgres image. It produces these errors:

```
LOG:  hostssl requires SSL to be turned on
HINT:  Set ssl = on in postgresql.conf.
CONTEXT:  line 10 of configuration file "/etc/postgres/pg_hba.conf"
FATAL:  could not load pg_hba.conf
LOG:  database system is shut down
```

To avoid that problem, no `hostssl` entries are created if there are no certs.
diff --git a/README.md b/README.md
@@ -85,7 +85,7 @@ Method required to authenticate clients that connect from WAN.
 
 #### `WAN_CONNECTION`
 
-Connection type allowed for WAN connections.
+Connection type allowed for WAN connections. If it is `hostssl`, it will only have effect when the required certs are received.
 
 #### `WAN_DATABASES`
 
diff --git a/autoconf-entrypoint b/autoconf-entrypoint
@@ -101,14 +101,15 @@ for interface in netifaces.interfaces():
                     ))
 
 # Generate WAN auth configuration
-for user, db, cidr in product(WAN_USERS, WAN_DATABASES, WAN_CIDRS):
-    hba_conf.append(WAN_HBA_TPL.format(
-        connection=WAN_CONNECTION,
-        db=db,
-        user=user,
-        cidr=cidr,
-        meth=WAN_AUTH_METHOD,
-    ))
+if WAN_CONNECTION != "hostssl" or ssl_conf:
+    for user, db, cidr in product(WAN_USERS, WAN_DATABASES, WAN_CIDRS):
+        hba_conf.append(WAN_HBA_TPL.format(
+            connection=WAN_CONNECTION,
+            db=db,
+            user=user,
+            cidr=cidr,
+            meth=WAN_AUTH_METHOD,
+        ))
 
 # Write postgres configuration files
 with open(CONF_FILE, "w") as conf_file:
diff --git a/tests/test.py b/tests/test.py
@@ -6,6 +6,7 @@
 
 from plumbum import FG, local
 from plumbum.cmd import cat, docker
+from plumbum.commands.processes import ProcessExecutionError
 
 # Make sure all paths are relative to tests dir
 local.cwd.chdir(os.path.dirname(__file__))
@@ -16,7 +17,8 @@ class PostgresAutoconfCase(unittest.TestCase):
     """Test behavior for this docker image"""
     def setUp(self):
         with local.cwd(local.cwd / ".."):
-            local["./hooks/build"]()
+            print("Building image")
+            local["./hooks/build"] & FG
         docker("network", "create", "lan")
         docker("network", "create", "wan")
         self.version = os.environ["DOCKER_TAG"]
@@ -32,19 +34,19 @@ def tearDown(self):
         try:
             print("Postgres container logs:")
             docker["container", "logs", self.postgres_container] & FG
-            docker("container", "stop", self.postgres_container)
-            docker("container", "rm", self.postgres_container)
+            docker["container", "stop", self.postgres_container] & FG
+            docker["container", "rm", self.postgres_container] & FG
         except AttributeError:
             pass  # No postgres daemon
         docker("network", "rm", "lan", "wan")
         return super().tearDown()
 
-    def generate_certs(self):
+    def _generate_certs(self):
         """Generate certificates for testing the image."""
         certgen("example.com", "test_user")
 
-    def check_cert_config(self):
-        """Check that the cert config is OK."""
+    def _check_local_connection(self):
+        """Check that local connection works fine."""
         # The 1st test could fail while postgres boots
         for attempt in range(10):
             try:
@@ -65,31 +67,40 @@ def check_cert_config(self):
                     raise
             else:
                 continue
-        run = docker[
+
+    def _check_password_auth(self, host=None):
+        """Test connection with password auth work fine."""
+        if not host:
+            # Connect via LAN by default
+            host = self.postgres_container[:12]
+        self.assertEqual("1\n", docker(
             "container", "run",
-        ]
-        # Test LAN connection with password auth works fine
-        self.assertEqual("1\n", run(
             "--network", "lan",
             "-e", "PGDATABASE=test_db",
             "-e", "PGPASSWORD=test_password",
             "-e", "PGSSLMODE=disable",
             "-e", "PGUSER=test_user",
             self.image, "psql",
-            "--host", self.postgres_container[:12],
+            "--host", host,
             "--command", "SELECT 1",
             "--no-align",
             "--tuples-only",
         ))
-        # Attach a new network to mock a WAN connection
+
+    def _connect_wan_network(self, alias="example.com"):
+        """Bind a new network, to imitate WAN connections."""
         docker(
             "network", "connect",
-            "--alias", "example.com",
+            "--alias", alias,
             "wan",
             self.postgres_container,
         )
-        # Test WAN connection with cert auth works fine
-        self.assertEqual("1\n", run(
+
+    def _check_cert_auth(self):
+        """Test connection with cert auth work fine."""
+        # Test connection with cert auth works fine
+        self.assertEqual("1\n", docker(
+            "container", "run",
             "--network", "wan",
             "-e", "PGDATABASE=test_db",
             "-e", "PGSSLCERT=/certs/client.cert.pem",
@@ -109,7 +120,7 @@ def test_server_certs_var(self):
         """Test server enables cert authentication through env vars."""
         with local.tempdir() as tdir:
             with local.cwd(tdir):
-                self.generate_certs()
+                self._generate_certs()
                 certs_var = {name: cat(name) for name in self.cert_files}
                 self.postgres_container = docker(
                     "container", "run",
@@ -120,13 +131,16 @@ def test_server_certs_var(self):
                     "-e", "POSTGRES_USER=test_user",
                     self.image,
                 ).strip()
-                self.check_cert_config()
+                self._check_local_connection()
+                self._check_password_auth()
+                self._connect_wan_network()
+                self._check_cert_auth()
 
     def test_server_certs_mount(self):
         """Test server enables cert authentication through file mounts."""
         with local.tempdir() as tdir:
             with local.cwd(tdir):
-                self.generate_certs()
+                self._generate_certs()
                 cert_vols = [
                     "-v{0}/{1}:/etc/postgres/{1}".format(local.cwd, cert)
                     for cert in [
@@ -144,7 +158,65 @@ def test_server_certs_mount(self):
                     *cert_vols,
                     self.image,
                 ).strip()
-                self.check_cert_config()
+                self._check_local_connection()
+                self._check_password_auth()
+                self._connect_wan_network()
+                self._check_cert_auth()
+
+    def test_no_certs_lan(self):
+        """Normal configuration without certs works fine."""
+        self.postgres_container = docker(
+            "container", "run", "-d",
+            "--network", "lan",
+            "-e", "POSTGRES_DB=test_db",
+            "-e", "POSTGRES_PASSWORD=test_password",
+            "-e", "POSTGRES_USER=test_user",
+            self.image,
+        ).strip()
+        self._check_local_connection()
+        self._check_password_auth()
+        self._connect_wan_network()
+        with self.assertRaises(ProcessExecutionError):
+            self._check_password_auth("example.com")
+
+    def test_no_certs_wan(self):
+        """Unencrypted WAN access works (although this is dangerous)."""
+        self.postgres_container = docker(
+            "container", "run", "-d",
+            "--network", "lan",
+            "-e", "POSTGRES_DB=test_db",
+            "-e", "POSTGRES_PASSWORD=test_password",
+            "-e", "POSTGRES_USER=test_user",
+            "-e", "WAN_AUTH_METHOD=md5",
+            "-e", "WAN_CONNECTION=host",
+            self.image,
+        ).strip()
+        self._check_local_connection()
+        self._check_password_auth()
+        self._connect_wan_network()
+        with self.assertRaises(ProcessExecutionError):
+            self._check_password_auth("example.com")
+
+    def test_certs_falsy_lan(self):
+        """Configuration with falsy values for certs works fine."""
+        self.postgres_container = docker(
+            "container", "run", "-d",
+            "--network", "lan",
+            "-e", "POSTGRES_DB=test_db",
+            "-e", "POSTGRES_PASSWORD=test_password",
+            "-e", "POSTGRES_USER=test_user",
+            "-e", "CERTS={}".format(json.dumps({
+                "client.ca.cert.pem": False,
+                "server.cert.pem": False,
+                "server.key.pem": False,
+            })),
+            self.image,
+        ).strip()
+        self._check_local_connection()
+        self._check_password_auth()
+        self._connect_wan_network()
+        with self.assertRaises(ProcessExecutionError):
+            self._check_password_auth("example.com")
 
 
 if __name__ == "__main__":
