Enable TLS support for PostgreSQL (google#3831) (#484)

* Enable TLS support for PostgreSQL (google#3831)

This PR adds TLS support for PostgreSQL connections in the Trillian server/signer. The key changes include:
Added new flags:

postgresql_tls_ca: Path to the CA certificate file for PostgreSQL TLS connection.
postgresql_verify_full: Enable full TLS verification for PostgreSQL (sslmode=verify-full). If false, only sslmode=verify-ca is used.
If no TLS configuration is provided, the connection defaults to non-TLS, ensuring backward compatibility.

Tracking issue: google#3830

---------

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

* update trillian server/signer pipelines on-cel-expression

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

---------

Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>

Author: fghanmi

.tekton/logserver-pull-request.yaml

@@ -10,6 +10,7 @@ metadata:
     pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
       == "main" && ( "go.mod".pathChanged() || "go.sum".pathChanged() || ".tekton/logserver-pull-request.yaml".pathChanged()
       || "Dockerfile.logserver.rh".pathChanged() || "cmd/trillian_log_server/***".pathChanged()
+      || "storage/***".pathChanged()
       || "trigger-konflux-builds.txt".pathChanged() )
   creationTimestamp: null
   labels:

.tekton/logserver-push.yaml

@@ -10,6 +10,7 @@ metadata:
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
       == "main" && ( "go.mod".pathChanged() || "go.sum".pathChanged() || ".tekton/logserver-push.yaml".pathChanged()
       || "Dockerfile.logserver.rh".pathChanged() || "cmd/trillian_log_server/***".pathChanged()
+      || "storage/***".pathChanged()
       || "trigger-konflux-builds.txt".pathChanged() )
   creationTimestamp: null
   labels:

.tekton/logsigner-pull-request.yaml

@@ -10,6 +10,7 @@ metadata:
     pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
       == "main" && ( "go.mod".pathChanged() || "go.sum".pathChanged() || ".tekton/logsigner-pull-request.yaml".pathChanged()
       || "Dockerfile.logsigner.rh".pathChanged() || "cmd/trillian_log_signer/***".pathChanged()
+      || "storage/***".pathChanged()
       || "trigger-konflux-builds.txt".pathChanged() )
   creationTimestamp: null
   labels:

.tekton/logsigner-push.yaml

@@ -10,6 +10,7 @@ metadata:
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
       == "main"  && ( "go.mod".pathChanged() || "go.sum".pathChanged() || ".tekton/logsigner-pull-request.yaml".pathChanged()
       || "Dockerfile.logsigner.rh".pathChanged() || "cmd/trillian_log_signer/***".pathChanged()
+      || "storage/***".pathChanged()
       || "trigger-konflux-builds.txt".pathChanged() )
   creationTimestamp: null
   labels:

CHANGELOG.md

@@ -5,6 +5,9 @@
 * Bump golangci-lint to v2.1.6
 * Fix leader resignation during a graceful shutdown by @osmman in https://github.com/google/trillian/pull/3790
 * Add optional gRPC message size limit via `--max_msg_size_bytes` flag by @fghanmi in https://github.com/google/trillian/pull/3801
+* Add TLS support for PostgreSQL: https://github.com/google/trillian/pull/3831
+  * `--postgresql_tls_ca`: users can provide a CA certificate, that is used to establish a secure communication with PostgreSQL server. 
+  * `--postgresql_verify_full`: users can enable full TLS verification for PostgreSQL (sslmode=verify-full). If false, only sslmode=verify-ca is used.
 
 ## v1.7.2
 

storage/postgresql/provider.go

@@ -16,6 +16,9 @@ package postgresql
 
 import (
 	"flag"
+	"fmt"
+	"net/url"
+	"os"
 	"sync"
 
 	"github.com/google/trillian/monitoring"
@@ -25,7 +28,9 @@ import (
 )
 
 var (
-	postgreSQLURI = flag.String("postgresql_uri", "postgresql:///defaultdb?host=localhost&user=test", "Connection URI for PostgreSQL database")
+	postgreSQLURI        = flag.String("postgresql_uri", "postgresql:///defaultdb?host=localhost&user=test", "Connection URI for PostgreSQL database")
+	postgresqlTLSCA      = flag.String("postgresql_tls_ca", "", "Path to the CA certificate file for PostgreSQL TLS connection ")
+	postgresqlVerifyFull = flag.Bool("postgresql_verify_full", false, "Enable full TLS verification for PostgreSQL (sslmode=verify-full). If false, only sslmode=verify-ca is used.")
 
 	postgresqlMu              sync.Mutex
 	postgresqlErr             error
@@ -76,7 +81,14 @@ func getPostgreSQLDatabaseLocked() (*pgxpool.Pool, error) {
 	if postgresqlDB != nil || postgresqlErr != nil {
 		return postgresqlDB, postgresqlErr
 	}
-	db, err := OpenDB(*postgreSQLURI)
+	uri := *postgreSQLURI
+	var err error
+	uri, err = BuildPostgresTLSURI(uri)
+	if err != nil {
+		postgresqlErr = err
+		return nil, err
+	}
+	db, err := OpenDB(uri)
 	if err != nil {
 		postgresqlErr = err
 		return nil, err
@@ -97,3 +109,31 @@ func (s *postgresqlProvider) Close() error {
 	s.db.Close()
 	return nil
 }
+
+// BuildPostgresTLSURI modifies the given PostgreSQL URI to include TLS parameters based on flags.
+// It returns the modified URI and any error encountered.
+func BuildPostgresTLSURI(uri string) (string, error) {
+	if *postgresqlTLSCA == "" {
+		return uri, nil
+	}
+	if _, err := os.Stat(*postgresqlTLSCA); err != nil {
+		postgresqlErr = fmt.Errorf("postgresql CA file error: %w", err)
+		return "", postgresqlErr
+	}
+	u, err := url.Parse(uri)
+	if err != nil {
+		postgresqlErr = fmt.Errorf("invalid postgresql URI %q: %w", uri, err)
+		return "", postgresqlErr
+	}
+	q := u.Query()
+	q.Set("sslrootcert", *postgresqlTLSCA)
+	if *postgresqlVerifyFull {
+		q.Set("sslmode", "verify-full")
+	} else {
+		if q.Get("sslmode") == "" {
+			q.Set("sslmode", "verify-ca")
+		}
+	}
+	u.RawQuery = q.Encode()
+	return u.String(), nil
+}

storage/postgresql/provider_test.go

@@ -16,6 +16,10 @@ package postgresql
 
 import (
 	"flag"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/google/trillian/storage"
@@ -44,3 +48,105 @@ func TestPostgreSQLStorageProviderErrorPersistence(t *testing.T) {
 		t.Fatalf("Expected second call to 'storage.NewProvider' to fail with %q, instead got: %q", err1, err2)
 	}
 }
+
+func TestBuildPostgresTLSURINoTLS(t *testing.T) {
+	defer flagsaver.Save().MustRestore()
+	originalURI := "postgresql:///defaultdb?host=localhost&user=test"
+	if err := flag.Set("postgresql_tls_ca", ""); err != nil {
+		t.Fatalf("Failed to set flag: %v", err)
+	}
+
+	modified, err := BuildPostgresTLSURI(originalURI)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+	if modified != originalURI {
+		t.Errorf("Expected unmodified URI %q, got %q", originalURI, modified)
+	}
+}
+
+func TestBuildPostgresTLSURIMissingCAFile(t *testing.T) {
+	defer flagsaver.Save().MustRestore()
+
+	if err := flag.Set("postgresql_tls_ca", "/path/does/not/exist.crt"); err != nil {
+		t.Fatalf("Failed to set flag: %v", err)
+	}
+
+	_, err := BuildPostgresTLSURI("postgresql:///defaultdb")
+	if err == nil {
+		t.Fatalf("Expected error due to missing CA file, got nil")
+	}
+	if !strings.Contains(err.Error(), "CA file error") {
+		t.Fatalf("Expected CA file error, got: %v", err)
+	}
+}
+
+func TestBuildPostgresTLSURIVerifyCA(t *testing.T) {
+	defer flagsaver.Save().MustRestore()
+
+	tmp := filepath.Join(t.TempDir(), "ca.pem")
+	if err := os.WriteFile(tmp, []byte("test_ca_cert_content"), 0400); err != nil {
+		t.Fatalf("Failed to write CA file: %v", err)
+	}
+
+	if err := flag.Set("postgresql_tls_ca", tmp); err != nil {
+		t.Fatalf("Failed to set CA flag: %v", err)
+	}
+	if err := flag.Set("postgresql_verify_full", "false"); err != nil {
+		t.Fatalf("Failed to set verify flag: %v", err)
+	}
+
+	original := "postgresql:///defaultdb?host=localhost&user=test"
+	modified, err := BuildPostgresTLSURI(original)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	u, err := url.Parse(modified)
+	if err != nil {
+		t.Fatalf("Failed to parse modified URI: %v", err)
+	}
+	q := u.Query()
+
+	if q.Get("sslrootcert") != tmp {
+		t.Errorf("Expected sslrootcert=%q, got %q", tmp, q.Get("sslrootcert"))
+	}
+	if q.Get("sslmode") != "verify-ca" {
+		t.Errorf("Expected sslmode=verify-ca, got %q", q.Get("sslmode"))
+	}
+}
+
+func TestBuildPostgresTLSURIVerifyFull(t *testing.T) {
+	defer flagsaver.Save().MustRestore()
+
+	tmp := filepath.Join(t.TempDir(), "ca.pem")
+	if err := os.WriteFile(tmp, []byte("test_ca_cert_content"), 0400); err != nil {
+		t.Fatalf("Failed to write CA file: %v", err)
+	}
+
+	if err := flag.Set("postgresql_tls_ca", tmp); err != nil {
+		t.Fatalf("Failed to set CA flag: %v", err)
+	}
+	if err := flag.Set("postgresql_verify_full", "true"); err != nil {
+		t.Fatalf("Failed to set verify_full flag: %v", err)
+	}
+
+	original := "postgresql:///defaultdb?host=localhost&user=test"
+	modified, err := BuildPostgresTLSURI(original)
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	u, err := url.Parse(modified)
+	if err != nil {
+		t.Fatalf("Failed to parse modified URI: %v", err)
+	}
+	q := u.Query()
+
+	if q.Get("sslrootcert") != tmp {
+		t.Errorf("Expected sslrootcert=%q, got %q", tmp, q.Get("sslrootcert"))
+	}
+	if q.Get("sslmode") != "verify-full" {
+		t.Errorf("Expected sslmode=verify-full, got %q", q.Get("sslmode"))
+	}
+}