Use postgres-native-tls to connect to the database with TLS

Turbo87 · Turbo87 · commit f04318d8ef7e · 2024-07-30T12:38:45.000+02:00
`diesel-async` by default does not support TLS directly. Instead it offers the `custom_setup` option which allows its users to choose their TLS stack between `native-tls`, `openssl` and `rustls`.

This change implements a `custom_setup` hook based on `postgres-native-tls`, whose dependencies are mostly already in our lockfile anyway. The code was mostly adapted from the official example code in `diesel-async`.

Before `diesel-async` we relied on the regular `diesel` connection implementation, which uses `pg-sys` under the hood, which uses `libpq`, which uses OpenSSL for TLS. In other words: this slightly changes how TLS is handled for the database connections. Specifically, on OSX the server certificate is rejected as "not trusted" due to a long validity period. On production this should not be relevant, but during local development against the staging database this can cause issues, thus I've included a code comment with a temporary workaround for these cases.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -91,11 +91,13 @@ tikv-jemallocator = { version = "=0.6.0", features = ['unprefixed_malloc_on_supp
 lettre = { version = "=0.11.7", default-features = false, features = ["file-transport", "smtp-transport", "native-tls", "hostname", "builder"] }
 minijinja = "=2.1.0"
 mockall = "=0.13.0"
+native-tls = "=0.2.12"
 oauth2 = "=4.4.2"
 object_store = { version = "=0.10.2", features = ["aws"] }
 p256 = "=0.13.2"
 parking_lot = "=0.12.3"
 paste = "=1.0.15"
+postgres-native-tls = "=0.5.0"
 prometheus = { version = "=0.13.4", default-features = false }
 quick-xml = "=0.36.1"
 rand = "=0.8.5"
@@ -113,6 +115,7 @@ tar = "=0.4.41"
 tempfile = "=3.10.1"
 thiserror = "=1.0.63"
 tokio = { version = "=1.39.2", features = ["net", "signal", "io-std", "io-util", "rt-multi-thread", "macros", "process"]}
+tokio-postgres = "=0.7.11"
 toml = "=0.8.15"
 tower = "=0.4.13"
 tower-http = { version = "=0.5.2", features = ["add-extension", "fs", "catch-panic", "timeout", "compression-full"] }
diff --git a/src/app.rs b/src/app.rs
@@ -1,7 +1,7 @@
 //! Application-wide components in a struct accessible from each request
 
 use crate::config;
-use crate::db::{connection_url, ConnectionConfig};
+use crate::db::{connection_url, make_manager_config, ConnectionConfig};
 use std::ops::Deref;
 use std::sync::Arc;
 
@@ -88,7 +88,7 @@ impl App {
             };
 
             let url = connection_url(&config.db, config.db.primary.url.expose_secret());
-            let manager = AsyncDieselConnectionManager::<AsyncPgConnection>::new(url);
+            let manager = AsyncDieselConnectionManager::new_with_config(url, make_manager_config());
 
             DeadpoolPool::builder(manager)
                 .runtime(Runtime::Tokio1)
@@ -108,7 +108,7 @@ impl App {
             };
 
             let url = connection_url(&config.db, pool_config.url.expose_secret());
-            let manager = AsyncDieselConnectionManager::<AsyncPgConnection>::new(url);
+            let manager = AsyncDieselConnectionManager::new_with_config(url, make_manager_config());
 
             let pool = DeadpoolPool::builder(manager)
                 .runtime(Runtime::Tokio1)
diff --git a/src/bin/background-worker.rs b/src/bin/background-worker.rs
@@ -15,6 +15,7 @@ extern crate tracing;
 
 use anyhow::Context;
 use crates_io::cloudfront::CloudFront;
+use crates_io::db::make_manager_config;
 use crates_io::fastly::Fastly;
 use crates_io::storage::Storage;
 use crates_io::team_repo::TeamRepoImpl;
@@ -27,7 +28,6 @@ use crates_io_index::RepositoryConfig;
 use crates_io_worker::Runner;
 use diesel_async::pooled_connection::deadpool::Pool;
 use diesel_async::pooled_connection::AsyncDieselConnectionManager;
-use diesel_async::AsyncPgConnection;
 use reqwest::Client;
 use secrecy::ExposeSecret;
 use std::sync::Arc;
@@ -82,7 +82,7 @@ fn main() -> anyhow::Result<()> {
     let fastly = Fastly::from_environment(client.clone());
     let team_repo = TeamRepoImpl::default();
 
-    let manager = AsyncDieselConnectionManager::<AsyncPgConnection>::new(db_url);
+    let manager = AsyncDieselConnectionManager::new_with_config(db_url, make_manager_config());
     let deadpool = Pool::builder(manager).max_size(10).build().unwrap();
 
     let environment = Environment::builder()
diff --git a/src/db.rs b/src/db.rs
@@ -1,6 +1,9 @@
 use diesel::{Connection, ConnectionResult, PgConnection, QueryResult};
 use diesel_async::pooled_connection::deadpool::{Hook, HookError};
+use diesel_async::pooled_connection::ManagerConfig;
 use diesel_async::{AsyncPgConnection, RunQueryDsl};
+use native_tls::TlsConnector;
+use postgres_native_tls::MakeTlsConnector;
 use secrecy::ExposeSecret;
 use std::time::Duration;
 use url::Url;
@@ -43,6 +46,45 @@ fn maybe_append_url_param(url: &mut Url, key: &str, value: &str) {
     }
 }
 
+/// Create a new [ManagerConfig] for the database connection pool, which can
+/// be used with [diesel_async::pooled_connection::AsyncDieselConnectionManager::new_with_config()].
+pub fn make_manager_config() -> ManagerConfig<AsyncPgConnection> {
+    let mut manager_config = ManagerConfig::default();
+    manager_config.custom_setup = Box::new(|url| Box::pin(establish_async_connection(url)));
+    manager_config
+}
+
+/// Establish a new database connection with the given URL.
+///
+/// Adapted from <https://github.com/weiznich/diesel_async/blob/v0.5.0/examples/postgres/pooled-with-rustls/src/main.rs>.
+async fn establish_async_connection(url: &str) -> ConnectionResult<AsyncPgConnection> {
+    use diesel::ConnectionError::BadConnection;
+
+    let connector = TlsConnector::builder()
+        // The TLS certificate of our current database server has a long validity
+        // period and OSX rejects such certificates as "not trusted". If you run
+        // into "Certificate was not trusted" errors during local development,
+        // you may consider temporarily (!) enabling the following instruction.
+        //
+        // See also https://github.com/sfackler/rust-native-tls/issues/143.
+        //
+        // .danger_accept_invalid_certs(true)
+        .build()
+        .map_err(|err| BadConnection(err.to_string()))?;
+
+    let connector = MakeTlsConnector::new(connector);
+    let result = tokio_postgres::connect(url, connector).await;
+    let (client, conn) = result.map_err(|err| BadConnection(err.to_string()))?;
+
+    tokio::spawn(async move {
+        if let Err(e) = conn.await {
+            eprintln!("Database connection: {e}");
+        }
+    });
+
+    AsyncPgConnection::try_from(client).await
+}
+
 #[derive(Debug, Clone, Copy)]
 pub struct ConnectionConfig {
     pub statement_timeout: Duration,
