Merge pull request #1413 from eclipse-vertx/pendula95-fix-recover-for-ssl-mode-always

Correct handling of SSL mode always for PostgreSQL

Author: vietj

vertx-pg-client/README.adoc

@@ -307,7 +307,7 @@ mvn test -DcontainerFixedPort
 You can run tests with an external database:
 
 - the script `src/test/resources/create-postgres.sql` creates the test data
-- the `TLSTest` expects the database to be configured with SSL with `src/test/resources/tls/server.key` / `src/test/resources/tls/server.cert``
+- the `TLSTest` expects the database to be configured with SSL with `src/test/resources/tls/server.key` / `src/test/resources/tls/server.cert` `src/test/resources/tls/pg_hba.conf` as an example how to force SSL
 
 You need to add some properties for testing:
 
@@ -317,6 +317,7 @@ You need to add some properties for testing:
 
 - connection.uri(mandatory): configure the client to connect the specified database
 - tls.connection.uri(mandatory): configure the client to run `TLSTest` with the specified Postgres with SSL enabled
+- tls.force.connection.uri(mandatory): configure the client to run `TLSTest` with the specified Postgres with SSL forced (only option)
 - unix.socket.directory(optional): the single unix socket directory(multiple socket directories are not supported) to test Unix domain socket with a specified database, domain socket tests will be skipped if this property is not specified
 (Note: Make sure you can access the unix domain socket with this directory under your host machine)
 - unix.socket.port(optional): unix socket file is named `.s.PGSQL.nnnn` and `nnnn` is the server's port number,
@@ -335,5 +336,5 @@ Run the Postgres containers with `docker compose`:
 Run tests:
 
 ```
-> mvn test -Dconnection.uri=postgres://$username:$password@$host:$port/$database -Dtls.connection.uri=postgres://$username:$password@$host:$port/$database -Dunix.socket.directory=$path -Dunix.socket.port=$port
+> mvn test -Dconnection.uri=postgres://$username:$password@$host:$port/$database -Dtls.connection.uri=postgres://$username:$password@$host:$port/$database -Dtls.force.connection.uri=postgres://$username:$password@$host:$port/$database -Dunix.socket.directory=$path -Dunix.socket.port=$port
 ```

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/PgConnectionFactory.java

@@ -70,56 +70,61 @@ protected Future<Connection> doConnectInternal(PgConnectOptions options, Context
     } catch (Exception e) {
       return context.failedFuture(e);
     }
-    String username = options.getUser();
-    String password = options.getPassword();
-    String database = options.getDatabase();
     SocketAddress server = options.getSocketAddress();
-    Map<String, String> properties = options.getProperties() != null ? Collections.unmodifiableMap(options.getProperties()) : null;
-    return doConnect(server, context, options).flatMap(conn -> {
-      PgSocketConnection socket = (PgSocketConnection) conn;
-      socket.init();
-      return Future.<Connection>future(p -> socket.sendStartupMessage(username, password, database, properties, p))
-        .map(conn);
-    });
+    return connect(server, context, true, options);
   }
 
-  public void cancelRequest(PgConnectOptions options, int processId, int secretKey, Handler<AsyncResult<Void>> handler) {
-    doConnect(options.getSocketAddress(), vertx.createEventLoopContext(), options).onComplete(ar -> {
-      if (ar.succeeded()) {
-        PgSocketConnection conn = (PgSocketConnection) ar.result();
-        conn.sendCancelRequestMessage(processId, secretKey, handler);
-      } else {
-        handler.handle(Future.failedFuture(ar.cause()));
-      }
-    });
+  public Future<Void> cancelRequest(PgConnectOptions options, int processId, int secretKey) {
+    return connect(options.getSocketAddress(), vertx.createEventLoopContext(), false, options)
+      .compose(conn -> {
+        PgSocketConnection socket = (PgSocketConnection) conn;
+        return socket.sendCancelRequestMessage(processId, secretKey);
+      });
   }
 
-  private Future<Connection> doConnect(SocketAddress server, ContextInternal context, PgConnectOptions options) {
+  private Future<Connection> connect(SocketAddress server, ContextInternal context, boolean sendStartupMessage, PgConnectOptions options) {
     SslMode sslMode = options.isUsingDomainSocket() ? SslMode.DISABLE : options.getSslMode();
     ConnectOptions connectOptions = new ConnectOptions()
       .setRemoteAddress(server);
     Future<Connection> connFuture;
     switch (sslMode) {
       case DISABLE:
-        connFuture = doConnect(connectOptions, context, false, options);
+        connFuture = connect(connectOptions, context, false, sendStartupMessage, options);
         break;
       case ALLOW:
-        connFuture = doConnect(connectOptions, context, false, options).recover(err -> doConnect(connectOptions, context, true, options));
+        connFuture = connect(connectOptions, context, false, sendStartupMessage, options).recover(err -> connect(connectOptions, context, true, sendStartupMessage, options));
         break;
       case PREFER:
-        connFuture = doConnect(connectOptions, context, true, options).recover(err -> doConnect(connectOptions, context, false, options));
+        connFuture = connect(connectOptions, context, true, sendStartupMessage, options).recover(err -> connect(connectOptions, context, false, sendStartupMessage, options));
         break;
       case REQUIRE:
       case VERIFY_CA:
       case VERIFY_FULL:
-        connFuture = doConnect(connectOptions, context, true, options);
+        connFuture = connect(connectOptions, context, true, sendStartupMessage, options);
         break;
       default:
         return context.failedFuture(new IllegalArgumentException("Unsupported SSL mode"));
     }
     return connFuture;
   }
 
+  private Future<Connection> connect(ConnectOptions connectOptions, ContextInternal context, boolean ssl, boolean sendStartupMessage, PgConnectOptions options) {
+    Future<Connection> res = doConnect(connectOptions, context, ssl, options);
+    if (sendStartupMessage) {
+      return res.flatMap(conn -> {
+        PgSocketConnection socket = (PgSocketConnection) conn;
+        socket.init();
+        String username = options.getUser();
+        String password = options.getPassword();
+        String database = options.getDatabase();
+        Map<String, String> properties = options.getProperties() != null ? Collections.unmodifiableMap(options.getProperties()) : null;
+        return socket.sendStartupMessage(username, password, database, properties);
+      });
+    } else {
+      return res;
+    }
+  }
+
   private Future<Connection> doConnect(ConnectOptions connectOptions, ContextInternal context, boolean ssl, PgConnectOptions options) {
     Future<NetSocket> soFut;
     try {

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/PgConnectionImpl.java

@@ -123,7 +123,7 @@ public Future<Void> cancelRequest() {
     Promise<Void> promise = context.owner().getOrCreateContext().promise();
     context.emit(promise, p -> {
       PgSocketConnection unwrap = (PgSocketConnection) conn.unwrap();
-      ((PgConnectionFactory) factory).cancelRequest(unwrap.connectOptions(), this.processId(), this.secretKey(), p);
+      ((PgConnectionFactory) factory).cancelRequest(unwrap.connectOptions(), this.processId(), this.secretKey()).onComplete(p);
     });
     return promise.future();
   }

vertx-pg-client/src/main/java/io/vertx/pgclient/impl/PgSocketConnection.java

@@ -83,29 +83,26 @@ public void init() {
   }
 
   // TODO RETURN FUTURE ???
-  void sendStartupMessage(String username, String password, String database, Map<String, String> properties, Promise<Connection> completionHandler) {
+  Future<Connection> sendStartupMessage(String username, String password, String database, Map<String, String> properties) {
     InitCommand cmd = new InitCommand(this, username, password, database, properties);
-    schedule(context, cmd).onComplete(completionHandler);
+    return schedule(context, cmd);
   }
 
-  void sendCancelRequestMessage(int processId, int secretKey, Handler<AsyncResult<Void>> handler) {
+  Future<Void> sendCancelRequestMessage(int processId, int secretKey) {
     Buffer buffer = Buffer.buffer(16);
     buffer.appendInt(16);
     // cancel request code
     buffer.appendInt(80877102);
     buffer.appendInt(processId);
     buffer.appendInt(secretKey);
 
-    socket.write(buffer).onComplete(ar -> {
+    return socket.write(buffer).andThen(ar -> {
       if (ar.succeeded()) {
         // directly close this connection
         if (status == Status.CONNECTED) {
           status = Status.CLOSING;
           socket.close();
         }
-        handler.handle(Future.succeededFuture());
-      } else {
-        handler.handle(Future.failedFuture(ar.cause()));
       }
     });
   }

vertx-pg-client/src/test/java/io/vertx/pgclient/TLSTest.java

@@ -35,7 +35,13 @@
 public class TLSTest {
 
   @ClassRule
-  public static ContainerPgRule rule = new ContainerPgRule().ssl(true);
+  public static ContainerPgRule ruleOptionalSll = new ContainerPgRule().ssl(true);
+
+  @ClassRule
+  public static ContainerPgRule ruleForceSsl = new ContainerPgRule().ssl(true).forceSsl(true);
+
+  @ClassRule
+  public static ContainerPgRule ruleSllOff = new ContainerPgRule().ssl(false);
 
   private Vertx vertx;
 
@@ -53,7 +59,7 @@ public void teardown(TestContext ctx) {
   public void testTLS(TestContext ctx) {
     Async async = ctx.async();
 
-    PgConnectOptions options = new PgConnectOptions(rule.options())
+    PgConnectOptions options = new PgConnectOptions(ruleOptionalSll.options())
       .setSslMode(SslMode.REQUIRE)
       .setSslOptions(new ClientSSLOptions().setTrustOptions(new PemTrustOptions().addCertPath("tls/server.crt")));
     PgConnection.connect(vertx, options.setSslMode(SslMode.REQUIRE)).onComplete(ctx.asyncAssertSuccess(conn -> {
@@ -74,7 +80,7 @@ public void testTLS(TestContext ctx) {
   @Test
   public void testTLSTrustAll(TestContext ctx) {
     Async async = ctx.async();
-    PgConnection.connect(vertx, rule.options().setSslMode(SslMode.REQUIRE).setSslOptions(new ClientSSLOptions().setTrustAll(true))).onComplete(ctx.asyncAssertSuccess(conn -> {
+    PgConnection.connect(vertx, ruleOptionalSll.options().setSslMode(SslMode.REQUIRE).setSslOptions(new ClientSSLOptions().setTrustAll(true))).onComplete(ctx.asyncAssertSuccess(conn -> {
       ctx.assertTrue(conn.isSSL());
       async.complete();
     }));
@@ -83,7 +89,7 @@ public void testTLSTrustAll(TestContext ctx) {
   @Test
   public void testTLSInvalidCertificate(TestContext ctx) {
     Async async = ctx.async();
-    PgConnection.connect(vertx, rule.options().setSslMode(SslMode.REQUIRE).setSslOptions(new ClientSSLOptions().setTrustOptions(new PemTrustOptions().addCertPath("tls/another.crt")))).onComplete(ctx.asyncAssertFailure(err -> {
+    PgConnection.connect(vertx, ruleOptionalSll.options().setSslMode(SslMode.REQUIRE).setSslOptions(new ClientSSLOptions().setTrustOptions(new PemTrustOptions().addCertPath("tls/another.crt")))).onComplete(ctx.asyncAssertFailure(err -> {
 //      ctx.assertEquals(err.getClass(), VertxException.class);
       ctx.assertEquals(err.getMessage(), "SSL handshake failed");
       async.complete();
@@ -93,7 +99,7 @@ public void testTLSInvalidCertificate(TestContext ctx) {
   @Test
   public void testSslModeDisable(TestContext ctx) {
     Async async = ctx.async();
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.DISABLE);
     PgConnection.connect(vertx, new PgConnectOptions(options)).onComplete(ctx.asyncAssertSuccess(conn -> {
       ctx.assertFalse(conn.isSSL());
@@ -104,18 +110,30 @@ public void testSslModeDisable(TestContext ctx) {
   @Test
   public void testSslModeAllow(TestContext ctx) {
     Async async = ctx.async();
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.ALLOW);
     PgConnection.connect(vertx, new PgConnectOptions(options)).onComplete(ctx.asyncAssertSuccess(conn -> {
       ctx.assertFalse(conn.isSSL());
       async.complete();
     }));
   }
 
+  @Test
+  public void testSslModeAllowFallback(TestContext ctx) {
+    Async async = ctx.async();
+    PgConnectOptions options = ruleForceSsl.options()
+      .setSslMode(SslMode.ALLOW)
+      .setSslOptions(new ClientSSLOptions().setTrustAll(true));
+    PgConnection.connect(vertx, new PgConnectOptions(options)).onComplete(ctx.asyncAssertSuccess(conn -> {
+      ctx.assertTrue(conn.isSSL());
+      async.complete();
+    }));
+  }
+
   @Test
   public void testSslModePrefer(TestContext ctx) {
     Async async = ctx.async();
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.PREFER)
       .setSslOptions(new ClientSSLOptions().setTrustAll(true));
     PgConnection.connect(vertx, new PgConnectOptions(options)).onComplete(ctx.asyncAssertSuccess(conn -> {
@@ -124,9 +142,21 @@ public void testSslModePrefer(TestContext ctx) {
     }));
   }
 
+  @Test
+  public void testSslModePreferFallback(TestContext ctx) {
+    Async async = ctx.async();
+    PgConnectOptions options = ruleSllOff.options()
+      .setSslMode(SslMode.PREFER)
+      .setSslOptions(new ClientSSLOptions().setTrustAll(true));
+    PgConnection.connect(vertx, options).onComplete(ctx.asyncAssertSuccess(conn -> {
+      ctx.assertFalse(conn.isSSL());
+      async.complete();
+    }));
+  }
+
   @Test
   public void testSslModeVerifyCaConf(TestContext ctx) {
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslMode(SslMode.VERIFY_CA)
       .setSslOptions(new ClientSSLOptions().setTrustAll(true));
     PgConnection.connect(vertx, new PgConnectOptions(options)).onComplete(ctx.asyncAssertFailure(error -> {
@@ -136,7 +166,7 @@ public void testSslModeVerifyCaConf(TestContext ctx) {
 
   @Test
   public void testSslModeVerifyFullConf(TestContext ctx) {
-    PgConnectOptions options = rule.options()
+    PgConnectOptions options = ruleOptionalSll.options()
       .setSslOptions(new ClientSSLOptions().setTrustOptions(new PemTrustOptions().addCertPath("tls/another.crt")))
       .setSslMode(SslMode.VERIFY_FULL);
     PgConnection.connect(vertx, new PgConnectOptions(options)).onComplete(ctx.asyncAssertFailure(error -> {

vertx-pg-client/src/test/java/io/vertx/pgclient/junit/ContainerPgRule.java

@@ -36,18 +36,25 @@ public class ContainerPgRule extends ExternalResource {
 
   private static final String connectionUri = System.getProperty("connection.uri");
   private static final String tlsConnectionUri = System.getProperty("tls.connection.uri");
+  private static final String tlsForceConnectionUri = System.getProperty("tls.force.connection.uri");
 
   private ServerContainer<?> server;
   private PgConnectOptions options;
   private String databaseVersion;
   private boolean ssl;
+  private boolean forceSsl;
   private String user = "postgres";
 
   public ContainerPgRule ssl(boolean ssl) {
     this.ssl = ssl;
     return this;
   }
 
+  public ContainerPgRule forceSsl(boolean forceSsl) {
+    this.forceSsl = forceSsl;
+    return this;
+  }
+
   public PgConnectOptions options() {
     return new PgConnectOptions(options);
   }
@@ -75,6 +82,11 @@ private void initServer(String version) throws Exception {
         .withClasspathResourceMapping("tls/server.crt", "/server.crt", BindMode.READ_ONLY)
         .withClasspathResourceMapping("tls/server.key", "/server.key", BindMode.READ_ONLY)
         .withClasspathResourceMapping("tls/ssl.sh", "/docker-entrypoint-initdb.d/ssl.sh", BindMode.READ_ONLY);
+        if (forceSsl) {
+          server
+            .withClasspathResourceMapping("tls/pg_hba.conf", "/tmp/pg_hba.conf", BindMode.READ_ONLY)
+            .withClasspathResourceMapping("tls/force_ssl.sh", "/docker-entrypoint-initdb.d/force_ssl.sh", BindMode.READ_ONLY);
+        }
     }
     if (System.getProperties().containsKey("containerFixedPort")) {
       server.withFixedExposedPort(POSTGRESQL_PORT, POSTGRESQL_PORT);
@@ -84,7 +96,7 @@ private void initServer(String version) throws Exception {
   }
 
   public static boolean isTestingWithExternalDatabase() {
-    return isSystemPropertyValid(connectionUri) || isSystemPropertyValid(tlsConnectionUri);
+    return isSystemPropertyValid(connectionUri) || isSystemPropertyValid(tlsConnectionUri) || isSystemPropertyValid(tlsForceConnectionUri);
   }
 
   private static boolean isSystemPropertyValid(String systemProperty) {
@@ -133,7 +145,11 @@ protected void before() throws Throwable {
     if (isTestingWithExternalDatabase()) {
 
       if (ssl) {
-        options =  PgConnectOptions.fromUri(tlsConnectionUri);
+        if (forceSsl) {
+          options = PgConnectOptions.fromUri(tlsForceConnectionUri);
+        } else {
+          options = PgConnectOptions.fromUri(tlsConnectionUri);
+        }
       }
       else {
         options = PgConnectOptions.fromUri(connectionUri);

vertx-pg-client/src/test/resources/tls/force_ssl.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# force ssl
+cp /tmp/pg_hba.conf /var/lib/postgresql/data/pg_hba.conf