db: Use danger_accept_invalid_certs() if TLS is not enforced

Turbo87 · Turbo87 · commit f04c55095e49 · 2024-07-30T13:46:43.000+02:00
diff --git a/src/app.rs b/src/app.rs
@@ -88,7 +88,8 @@ impl App {
             };
 
             let url = connection_url(&config.db, config.db.primary.url.expose_secret());
-            let manager = AsyncDieselConnectionManager::new_with_config(url, make_manager_config());
+            let manager_config = make_manager_config(config.db.enforce_tls);
+            let manager = AsyncDieselConnectionManager::new_with_config(url, manager_config);
 
             DeadpoolPool::builder(manager)
                 .runtime(Runtime::Tokio1)
@@ -108,7 +109,8 @@ impl App {
             };
 
             let url = connection_url(&config.db, pool_config.url.expose_secret());
-            let manager = AsyncDieselConnectionManager::new_with_config(url, make_manager_config());
+            let manager_config = make_manager_config(config.db.enforce_tls);
+            let manager = AsyncDieselConnectionManager::new_with_config(url, manager_config);
 
             let pool = DeadpoolPool::builder(manager)
                 .runtime(Runtime::Tokio1)
diff --git a/src/bin/background-worker.rs b/src/bin/background-worker.rs
@@ -82,7 +82,8 @@ fn main() -> anyhow::Result<()> {
     let fastly = Fastly::from_environment(client.clone());
     let team_repo = TeamRepoImpl::default();
 
-    let manager = AsyncDieselConnectionManager::new_with_config(db_url, make_manager_config());
+    let manager_config = make_manager_config(config.db.enforce_tls);
+    let manager = AsyncDieselConnectionManager::new_with_config(db_url, manager_config);
     let deadpool = Pool::builder(manager).max_size(10).build().unwrap();
 
     let environment = Environment::builder()
diff --git a/src/db.rs b/src/db.rs
@@ -49,16 +49,20 @@ fn maybe_append_url_param(url: &mut Url, key: &str, value: &str) {
 
 /// Create a new [ManagerConfig] for the database connection pool, which can
 /// be used with [diesel_async::pooled_connection::AsyncDieselConnectionManager::new_with_config()].
-pub fn make_manager_config() -> ManagerConfig<AsyncPgConnection> {
+pub fn make_manager_config(enforce_tls: bool) -> ManagerConfig<AsyncPgConnection> {
     let mut manager_config = ManagerConfig::default();
-    manager_config.custom_setup = Box::new(|url| Box::pin(establish_async_connection(url)));
+    manager_config.custom_setup =
+        Box::new(|url| Box::pin(establish_async_connection(url, enforce_tls)));
     manager_config
 }
 
 /// Establish a new database connection with the given URL.
 ///
 /// Adapted from <https://github.com/weiznich/diesel_async/blob/v0.5.0/examples/postgres/pooled-with-rustls/src/main.rs>.
-async fn establish_async_connection(url: &str) -> ConnectionResult<AsyncPgConnection> {
+async fn establish_async_connection(
+    url: &str,
+    enforce_tls: bool,
+) -> ConnectionResult<AsyncPgConnection> {
     use diesel::ConnectionError::BadConnection;
 
     let cert = Certificate::from_pem(CRUNCHY).map_err(|err| BadConnection(err.to_string()))?;
@@ -72,7 +76,7 @@ async fn establish_async_connection(url: &str) -> ConnectionResult<AsyncPgConnec
         //
         // See also https://github.com/sfackler/rust-native-tls/issues/143.
         //
-        // .danger_accept_invalid_certs(true)
+        .danger_accept_invalid_certs(!enforce_tls)
         .build()
         .map_err(|err| BadConnection(err.to_string()))?;
 
