Support SCRAM via TLS for client connections (#530)

* Fix #48

* remove sha

* Sleep before checking process

* Use tls in CI

Author: levkk

Cargo.lock

@@ -12,6 +12,8 @@ pushd ${SCRIPT_DIR}
 python shutdown.py pgdog
 popd
 
+sleep 1
+
 if pgrep pgdog; then
     echo "Shutdown failed"
     exit 1
@@ -24,6 +26,8 @@ pushd ${SCRIPT_DIR}
 python shutdown.py pgdog_sharded
 popd
 
+sleep 1
+
 if pgrep pgdog; then
     echo "Shutdown failed"
     exit 1

integration/complex/shutdown.sh

@@ -16,6 +16,8 @@ query_cache_limit = 500
 pub_sub_channel_size = 4098
 two_phase_commit = false
 healthcheck_port = 8080
+tls_certificate = "integration/tls/cert.pem"
+tls_private_key = "integration/tls/key.pem"
 
 # ------------------------------------------------------------------------------
 # ----- Database :: pgdog ------------------------------------------------------

integration/pgdog.toml

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF7zCCA9egAwIBAgIUbzkoynbPz2lq2enZqe00RMSeQccwDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAlhYMRIwEAYDVQQIDAlTdGF0ZU5hbWUxETAPBgNVBAcM
+CENpdHlOYW1lMRQwEgYDVQQKDAtDb21wYW55TmFtZTEbMBkGA1UECwwSQ29tcGFu
+eVNlY3Rpb25OYW1lMR0wGwYDVQQDDBRDb21tb25OYW1lT3JIb3N0bmFtZTAeFw0y
+NDEyMjkwMDEzMjVaFw0zNDEyMjcwMDEzMjVaMIGGMQswCQYDVQQGEwJYWDESMBAG
+A1UECAwJU3RhdGVOYW1lMREwDwYDVQQHDAhDaXR5TmFtZTEUMBIGA1UECgwLQ29t
+cGFueU5hbWUxGzAZBgNVBAsMEkNvbXBhbnlTZWN0aW9uTmFtZTEdMBsGA1UEAwwU
+Q29tbW9uTmFtZU9ySG9zdG5hbWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQCXeyKPV5zhBok+yeGgTYQjO+SakHkJ80NSxkKqXi1bIwlHZukROEt4T7h5
+qiV3TlomC5d6iUnLOG8EDFuZfIfRZOsvF99aCzk92MQ+EcezLSm3EXZm2+LjVH5s
+hWcDxc7X6T8ZTcOTRnlO0RamYgUtuI/0kPK0mj+cJNF8OKXrz74BdwKvn+VmLY4H
+fW1Y49FylSKIZGyb56ki24yzcwSBaSuwW8XkknuTW/w3ScmUTlwKvg55HmAqi2XC
+OV0+I09XtoXGxde80DU1e/5NYjXxJ3IokiEByKMLBpVi3/B+p3VxsIHskTKjDSh0
+AyNZyacnqHtoWoHaU1iD9k/aJjK3StTJZl3JZr/SrV1u1evRZF9IlayZagaYauTq
+Ms5MHie9M822x108viYMfWTtzXai5VNTWBz3Agpr459JD5cL1XFxeuGj1csRQ5dV
+SbfeZF8s/lE6aMxUn1uLQyd2W+44RchgGfb1ek6KyDFsS1YB0qQNktaGQVnoKtKC
+Y0dhUon6r+DN8biO3zm9v95NFql45BiJFLESImF1Qs/FR7LzU/YeFTVffjEpvuVy
+kqOEBPqtnNLKXzxpky6qmuSnI5jD3w5Nw68peSyFcTB5Vc0zBfofEraUN8a81mg9
+SL491tkI7/6ZkEL+zEKdoJKS3QfTHa03AOIRLuALJH9m1x0P1QIDAQABo1MwUTAd
+BgNVHQ4EFgQU6TmTbgrh4q68CxQbs6D1Ql1UN8UwHwYDVR0jBBgwFoAU6TmTbgrh
+4q68CxQbs6D1Ql1UN8UwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAHWca690XikBloy6WEqm6xz8JAe/+Q9SAImvgkdCsw5k07GWUWAW4vEjNtJK5
+6D3Ky+zY13gfDy2n7xyum+Kwt01/tXmRLSTv+OE7tA75reBG2ZY9YzV5sLiW9Fza
++ukJCbLdYOuNG7eOr7rQWFrm7ARmRkqPAKA5QCNKszFYUj8C/nmKvrT6N9CUzryv
+xGXEXxcQLIf+S7v1yhI18Vbe0B1aDvwruwuULcMmW+OpKHF37NxbcL5dGLMZv1CZ
+ezW+zqOurPNvDXHvz/TSDfmUyP8Kl4wnsHYiX+on4ewcPY/yxwMJKOsdPemP6Neg
+anJAL15JDC0k2c0YDS8T2JdSt6YmsczD8EUQgWzOBgvM4K4j3qFbe5z1qCGCoMIG
+veEWKschmCUu3WBlYZjye4BnAdKAuM54+PJm3Y385zAPhP4aaoQJuJWE9eTEAOAB
+s4yBQyHSMq2W2D/Ku1Rt48kU2/2MdSXr+G3vvs7XzpBcrYF341S+MGDF3ErKxgrT
+IDRHZBPPiggkJbCjJSoK2MA7grXnxdNb8RU3ZVPM0tMlB3EojXtZesdGadLP6ej9
+fE7VMix81WayoY7JrRKN9Q5jGKYhcmVWie4M0W2Ypl6pZ4Y7L/7jNijYvDeh6j14
+m5Z+/IpLsssLk6K1Kdloj3FHZYgHkt1Lh1XphOJ/yL8xmOw=
+-----END CERTIFICATE-----

integration/tls/cert.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCXeyKPV5zhBok+
+yeGgTYQjO+SakHkJ80NSxkKqXi1bIwlHZukROEt4T7h5qiV3TlomC5d6iUnLOG8E
+DFuZfIfRZOsvF99aCzk92MQ+EcezLSm3EXZm2+LjVH5shWcDxc7X6T8ZTcOTRnlO
+0RamYgUtuI/0kPK0mj+cJNF8OKXrz74BdwKvn+VmLY4HfW1Y49FylSKIZGyb56ki
+24yzcwSBaSuwW8XkknuTW/w3ScmUTlwKvg55HmAqi2XCOV0+I09XtoXGxde80DU1
+e/5NYjXxJ3IokiEByKMLBpVi3/B+p3VxsIHskTKjDSh0AyNZyacnqHtoWoHaU1iD
+9k/aJjK3StTJZl3JZr/SrV1u1evRZF9IlayZagaYauTqMs5MHie9M822x108viYM
+fWTtzXai5VNTWBz3Agpr459JD5cL1XFxeuGj1csRQ5dVSbfeZF8s/lE6aMxUn1uL
+Qyd2W+44RchgGfb1ek6KyDFsS1YB0qQNktaGQVnoKtKCY0dhUon6r+DN8biO3zm9
+v95NFql45BiJFLESImF1Qs/FR7LzU/YeFTVffjEpvuVykqOEBPqtnNLKXzxpky6q
+muSnI5jD3w5Nw68peSyFcTB5Vc0zBfofEraUN8a81mg9SL491tkI7/6ZkEL+zEKd
+oJKS3QfTHa03AOIRLuALJH9m1x0P1QIDAQABAoICABtzVrqzpYv4v3/HnVHLok2x
+QZbJ5glJ0lIqd/PAL8dzdK/CBCvY8AI8LiGsFfCGHBuHX7q2rM79Kc8Jv0Kz+LfX
+KjBlStYaMRQWV0+pMK91WHkimrp+j+Hi0qsvTJD4NGjXjZX0C+RBMeP4y3o4ypfz
+uXCYIMdeKXdOC8FPUbAHPDcvPicd2ngW+sU8M0fXtwGk6XZefnkNNM8KireNOQyL
+hr2Fj/nBGtBEK9NIFZXA0nim4uALg2FKVBUriIxlYTAztQ/lk9gVQgMwdk/HI5/R
+JmSYQI9+cJ9joMgjbUVCauvAkPbSBCNck89cLziK7LXo1/474oqyLljxlpxhbjCV
+8i9BL6la06DXZULrBryKPc2Ds0eRDW45Sp7oYMR0AzE1iC1d11SvtyVVL3QFxyMj
+NMTZdt13ypL3x4JCtWSq+cOpmwaQkRhUJMGCeGjBPD37q3wDJW6FePLoIBu4ZeY2
+mRj/qTsfuUjqWB29VyqhnVoBuU4ifsmxNJO2Or2NI/sd1mCA9pYVKK2oPNzSPg78
+e9USRTOc8XO9XFUgnGUFdGQYNRNEQ4zLf0RnKZGGQodUQXMA8Px01tW0/eIf/aCt
+f1xiXpoqM1cFjjPxvpWc6gGgYlhEfcqMpWZ3XjJ4a9XrR5KVW+dWc44JgXKObgmI
+0lk9TDAljQr5yfnkEvSRAoIBAQDU2OiMRabtmtFHndreOCiE61B3YJQ1PpxQn/u+
+BJ9KZ3TiE+Z4M4yRXy6HqGVPY2mXeSf6eOtXmmRbQX86YBatsj7ibHDX1f54Ijr3
+auw+/ywwt7SwXfHeJpr4+HxluF9+A/NrBQoZeyyU0TxhbxHBYQH2RHySwnSidYW9
+l2PgoaVfEYc+/cuadwB333UuKNdPXFY6mhQt9NjqofflkEP720icSIfCzFUvRIgd
+3+H3SXb9ry5lXNn8b/TUTPQyA1Ni+lp+6p8bT6rD7VanuEUeKtCb/Ie2xwoTbGd7
+sTQRURdG3is2y94kLRwdP7cjGO+M5vZITkexGV4m7km0CsuRAoIBAQC2MTljmXOM
+sMNcHx3WKGzQYNPjf2XWmW3wP/rrt5lVt7WYlkart+whgcDWJVqMDOuviJdHbFCh
+LxfIjHoe8T/ZLDT0CynUMfsoxRkLedYEp1TVkLD+9P89ZnGYUSJ28uBflQ3RHzOg
+1kkne1LqYjyOkKuBFI9oGHlN6MsHxD8KkbY6cMIXZdPFABGwgewATW5/pvs4UztS
+Dhte0ma7NU/A68K+aVUXm35+akIhNxd535afz+XWuiBZc13kThhExFBZEh19upCc
+e1DLCVhHefKLnoO0AS89KtoNs7aHXQucr/MEI93imNz/IMC32YPUmzHQw8tN6o4Y
+U2lu81KgTrYFAoIBAGUneM1BROXjD9bDVIMLmWYiFynEwmrTiKJghdl2hOVtaYUQ
+BBXYGdP0sj5Sb2NdUY9lSvSkhuQpQcyEwhxSEjUWYwBknPRWhQs+6Vswe3os9ylo
+BP1UiGAVZM0x+py1FNzkr8iKqpQVj8hh8Bo2GPAYVEBfp/xvYdLbm2XRDuxwphEa
+WXY8U4jjSVuu3RfE3R6gOXK8Sx7UIErSEugMueJ2AnoTlkGjrlA6d54LCm7lgSFr
+IdeWWxq3cll7AQrLvdNqO5vZkSf/op5eqzImRuLhYibfyve4fDdi64NDYgVgznkl
+mM//72Ct95CG+Vg6v43tLdqLKVMnRTGnSWvBPaECggEAKtTRqA+YMZgQpWSPUBx6
+0FYjGhWGLHgvd06jP60O+C7TG0cg4BfCBHKLkgyAB/K1qbOT1O+q2OnITpZv0zxm
+BTk2TbUeJUuGvyPu6lq/LKLl97snURjptFaUF/ni/1HD29Sfxezu5z3ZPtXoPT/Q
++rcaCqN5v0AZrG4w5OeG5oYw7/Y4OuXubh7BCdzRTZTmiE4KO0id5oF4f8c47YPv
+9uu2AaujnIQqra9vUn2wIC+nKnTmlJ93IXBUv2p4nBoGxZnTow4sFw2KheDxhwQt
+OBOQ5M1ufJPJZXU9UP9XzoMyv2NrM206byQVCmOxcVb21BxjfDLLKv7ZB4Nehl9a
+vQKCAQAvj/s5kaxv5BKGOce0GYkMUgEHXqHLp5hg07EDuuJbEev5Vq1zZdFffBEc
+xWxXU8gChIsfiTzYDZdoAxJN4M6OoVPFz2LKSPlxRkesD8+bZA5xhGphLk0jR6Ly
+lZJD7lqgG6F1NfzcqYnjZoPlYeaSLvkCoNkJmwYFNTXoK6b+wZj/ghsFj98sZZv/
+daNN/0BACowwrvJX6cJfN1MOkbe4rvuMBdgUMG2nb4kOr9uB2yHt4cPDfoLBDiSw
+0hsPmpvOhof9VnUyQFFSzgr0Au5943DjLVMAtbAdnoqhjePnyNteq2grIcmVZ/oL
+WwV6cBrpOmlqZKPrar6DXY2NLWf/
+-----END PRIVATE KEY-----

integration/tls/key.pem

@@ -0,0 +1,7 @@
+[general]
+tls_certificate = "cert.pem"
+tls_private_key = "key.pem"
+
+[[databases]]
+name = "pgdog"
+host = "127.0.0.1"

integration/tls/pgdog.toml

@@ -0,0 +1,4 @@
+[[users]]
+name = "pgdog"
+password = "pgdog"
+database = "pgdog"

integration/tls/users.toml

@@ -38,7 +38,7 @@ toml = "0.8"
 pgdog-plugin = { path = "../pgdog-plugin", version = "0.1.8" }
 tokio-util = { version = "0.7", features = ["rt"] }
 fnv = "1"
-scram = "0.6"
+scram = { git = "https://github.com/pgdogdev/scram.git", rev = "848003d" }
 base64 = "0.22"
 md5 = "0.7"
 futures = "0.3"

pgdog/Cargo.toml

@@ -10,6 +10,7 @@ use super::networking::TlsVerifyMode;
 use super::pooling::{PoolerMode, PreparedStatements};
 
 #[derive(Serialize, Deserialize, Debug, Clone)]
+#[serde(deny_unknown_fields)]
 pub struct General {
     /// Run on this address.
     #[serde(default = "General::host")]

pgdog/src/config/general.rs

@@ -188,11 +188,8 @@ impl Client {
         };
 
         let auth_type = &config.config.general.auth_type;
-        let auth_ok = match (auth_type, stream.is_tls()) {
-            // TODO: SCRAM doesn't work with TLS currently because of
-            // lack of support for channel binding in our scram library.
-            // Defaulting to MD5.
-            (AuthType::Scram, true) | (AuthType::Md5, _) => {
+        let auth_ok = match auth_type {
+            AuthType::Md5 => {
                 let md5 = md5::Client::new(user, password);
                 stream.send_flush(&md5.challenge()).await?;
                 let password = Password::from_bytes(stream.read().await?.to_bytes()?)?;
@@ -203,15 +200,15 @@ impl Client {
                 }
             }
 
-            (AuthType::Scram, false) => {
+            AuthType::Scram => {
                 stream.send_flush(&Authentication::scram()).await?;
 
                 let scram = Server::new(password);
                 let res = scram.handle(&mut stream).await;
                 matches!(res, Ok(true))
             }
 
-            (AuthType::Trust, _) => true,
+            AuthType::Trust => true,
         };
 
         if !auth_ok {