Merge pull request #43068 from mbayucot/42994-add-support-for-postgresql-certs-on-db-tasks

Add ssl support for postgresql database tasks
2021-09-12 16:59:01 -07:00 · 2021-09-12 16:59:01 -07:00 · 203e757fd3
commit 203e757fd3
parent c0e17d4520 99bc69ad28
3 changed files with 63 additions and 4 deletions
--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@ -1,3 +1,31 @@
+* Add ssl support for postgresql database tasks
+
+    Add `PGSSLMODE`, `PGSSLCERT`, `PGSSLKEY` and `PGSSLROOTCERT` to pg_env from database config
+    when running postgresql database tasks.
+
+    ```yaml
+    # config/database.yml
+
+    production:
+      sslmode: verify-full
+      sslcert: client.crt
+      sslkey: client.key
+      sslrootcert: ca.crt
+    ```
+
+    Environment variables
+
+    ```
+    PGSSLMODE=verify-full
+    PGSSLCERT=client.crt
+    PGSSLKEY=client.key
+    PGSSLROOTCERT=ca.crt
+    ```
+
+    Fixes #42994
+
+    *Michael Bayucot*
+
 *   Avoid scoping update callbacks in `ActiveRecord::Relation#update!`.

    Making it consistent with how scoping is applied only to the query in `ActiveRecord::Relation#update`
--- a/activerecord/lib/active_record/tasks/postgresql_database_tasks.rb
+++ b/activerecord/lib/active_record/tasks/postgresql_database_tasks.rb
@ -99,10 +99,14 @@ def establish_master_connection

        def psql_env
          {}.tap do |env|
-            env["PGHOST"]     = db_config.host                     if db_config.host
-            env["PGPORT"]     = configuration_hash[:port].to_s     if configuration_hash[:port]
-            env["PGPASSWORD"] = configuration_hash[:password].to_s if configuration_hash[:password]
-            env["PGUSER"]     = configuration_hash[:username].to_s if configuration_hash[:username]
+            env["PGHOST"]         = db_config.host                        if db_config.host
+            env["PGPORT"]         = configuration_hash[:port].to_s        if configuration_hash[:port]
+            env["PGPASSWORD"]     = configuration_hash[:password].to_s    if configuration_hash[:password]
+            env["PGUSER"]         = configuration_hash[:username].to_s    if configuration_hash[:username]
+            env["PGSSLMODE"]      = configuration_hash[:sslmode].to_s     if configuration_hash[:sslmode]
+            env["PGSSLCERT"]      = configuration_hash[:sslcert].to_s     if configuration_hash[:sslcert]
+            env["PGSSLKEY"]       = configuration_hash[:sslkey].to_s      if configuration_hash[:sslkey]
+            env["PGSSLROOTCERT"]  = configuration_hash[:sslrootcert].to_s if configuration_hash[:sslrootcert]
          end
        end

--- a/activerecord/test/cases/tasks/postgresql_rake_test.rb
+++ b/activerecord/test/cases/tasks/postgresql_rake_test.rb
@ -383,6 +383,18 @@ def test_structure_dump_with_env
        end
      end

+      def test_structure_dump_with_ssl_env
+        expected_env = { "PGSSLMODE" => "verify-full", "PGSSLCERT" => "client.crt", "PGSSLKEY" => "client.key", "PGSSLROOTCERT" => "root.crt" }
+        expected_command = [expected_env, "pg_dump", "--schema-only", "--no-privileges", "--no-owner", "--file", @filename, "my-app-db"]
+
+        assert_called_with(Kernel, :system, expected_command, returns: true) do
+          ActiveRecord::Tasks::DatabaseTasks.structure_dump(
+            @configuration.merge(sslmode: "verify-full", sslcert: "client.crt", sslkey: "client.key", sslrootcert: "root.crt"),
+            @filename
+          )
+        end
+      end
+
      def test_structure_dump_with_extra_flags
        expected_command = [{}, "pg_dump", "--schema-only", "--no-privileges", "--no-owner", "--file", @filename, "--noop", "my-app-db"]

@ -550,6 +562,21 @@ def test_structure_load_with_env
        end
      end

+      def test_structure_load_with_ssl_env
+        filename = "awesome-file.sql"
+        expected_env = { "PGSSLMODE" => "verify-full", "PGSSLCERT" => "client.crt", "PGSSLKEY" => "client.key", "PGSSLROOTCERT" => "root.crt" }
+        expected_command = [expected_env, "psql", "--set", "ON_ERROR_STOP=1", "--quiet", "--no-psqlrc", "--file", filename, "--noop", @configuration["database"]]
+
+        assert_called_with(Kernel, :system, expected_command, returns: true) do
+          with_structure_load_flags(["--noop"]) do
+            ActiveRecord::Tasks::DatabaseTasks.structure_load(
+              @configuration.merge(sslmode: "verify-full", sslcert: "client.crt", sslkey: "client.key", sslrootcert: "root.crt"),
+              filename
+            )
+          end
+        end
+      end
+
      def test_structure_load_with_hash_extra_flags_for_a_different_driver
        filename = "awesome-file.sql"
        expected_command = [{}, "psql", "--set", "ON_ERROR_STOP=1", "--quiet", "--no-psqlrc", "--file", filename, @configuration["database"]]