Merge pull request rails#43068 from mbayucot/42994-add-support-for-postgresql-certs-on-db-tasks

guilleiguaran · web-flow · commit 203e757fd3e0 · 2021-09-12T16:59:01.000-07:00
Add ssl support for postgresql database tasks
diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md
@@ -1,3 +1,31 @@
+* Add ssl support for postgresql database tasks
+
+    Add `PGSSLMODE`, `PGSSLCERT`, `PGSSLKEY` and `PGSSLROOTCERT` to pg_env from database config
+    when running postgresql database tasks.
+
+    ```yaml
+    # config/database.yml
+
+    production:
+      sslmode: verify-full
+      sslcert: client.crt
+      sslkey: client.key
+      sslrootcert: ca.crt
+    ```
+
+    Environment variables
+
+    ```
+    PGSSLMODE=verify-full
+    PGSSLCERT=client.crt
+    PGSSLKEY=client.key
+    PGSSLROOTCERT=ca.crt
+    ```
+
+    Fixes #42994
+
+    *Michael Bayucot*
+
 *   Avoid scoping update callbacks in `ActiveRecord::Relation#update!`.
 
     Making it consistent with how scoping is applied only to the query in `ActiveRecord::Relation#update`
diff --git a/activerecord/lib/active_record/tasks/postgresql_database_tasks.rb b/activerecord/lib/active_record/tasks/postgresql_database_tasks.rb
@@ -99,10 +99,14 @@ def establish_master_connection
 
         def psql_env
           {}.tap do |env|
-            env["PGHOST"]     = db_config.host                     if db_config.host
-            env["PGPORT"]     = configuration_hash[:port].to_s     if configuration_hash[:port]
-            env["PGPASSWORD"] = configuration_hash[:password].to_s if configuration_hash[:password]
-            env["PGUSER"]     = configuration_hash[:username].to_s if configuration_hash[:username]
+            env["PGHOST"]         = db_config.host                        if db_config.host
+            env["PGPORT"]         = configuration_hash[:port].to_s        if configuration_hash[:port]
+            env["PGPASSWORD"]     = configuration_hash[:password].to_s    if configuration_hash[:password]
+            env["PGUSER"]         = configuration_hash[:username].to_s    if configuration_hash[:username]
+            env["PGSSLMODE"]      = configuration_hash[:sslmode].to_s     if configuration_hash[:sslmode]
+            env["PGSSLCERT"]      = configuration_hash[:sslcert].to_s     if configuration_hash[:sslcert]
+            env["PGSSLKEY"]       = configuration_hash[:sslkey].to_s      if configuration_hash[:sslkey]
+            env["PGSSLROOTCERT"]  = configuration_hash[:sslrootcert].to_s if configuration_hash[:sslrootcert]
           end
         end
 
diff --git a/activerecord/test/cases/tasks/postgresql_rake_test.rb b/activerecord/test/cases/tasks/postgresql_rake_test.rb
@@ -383,6 +383,18 @@ def test_structure_dump_with_env
         end
       end
 
+      def test_structure_dump_with_ssl_env
+        expected_env = { "PGSSLMODE" => "verify-full", "PGSSLCERT" => "client.crt", "PGSSLKEY" => "client.key", "PGSSLROOTCERT" => "root.crt" }
+        expected_command = [expected_env, "pg_dump", "--schema-only", "--no-privileges", "--no-owner", "--file", @filename, "my-app-db"]
+
+        assert_called_with(Kernel, :system, expected_command, returns: true) do
+          ActiveRecord::Tasks::DatabaseTasks.structure_dump(
+            @configuration.merge(sslmode: "verify-full", sslcert: "client.crt", sslkey: "client.key", sslrootcert: "root.crt"),
+            @filename
+          )
+        end
+      end
+
       def test_structure_dump_with_extra_flags
         expected_command = [{}, "pg_dump", "--schema-only", "--no-privileges", "--no-owner", "--file", @filename, "--noop", "my-app-db"]
 
@@ -550,6 +562,21 @@ def test_structure_load_with_env
         end
       end
 
+      def test_structure_load_with_ssl_env
+        filename = "awesome-file.sql"
+        expected_env = { "PGSSLMODE" => "verify-full", "PGSSLCERT" => "client.crt", "PGSSLKEY" => "client.key", "PGSSLROOTCERT" => "root.crt" }
+        expected_command = [expected_env, "psql", "--set", "ON_ERROR_STOP=1", "--quiet", "--no-psqlrc", "--file", filename, "--noop", @configuration["database"]]
+
+        assert_called_with(Kernel, :system, expected_command, returns: true) do
+          with_structure_load_flags(["--noop"]) do
+            ActiveRecord::Tasks::DatabaseTasks.structure_load(
+              @configuration.merge(sslmode: "verify-full", sslcert: "client.crt", sslkey: "client.key", sslrootcert: "root.crt"),
+              filename
+            )
+          end
+        end
+      end
+
       def test_structure_load_with_hash_extra_flags_for_a_different_driver
         filename = "awesome-file.sql"
         expected_command = [{}, "psql", "--set", "ON_ERROR_STOP=1", "--quiet", "--no-psqlrc", "--file", filename, @configuration["database"]]
