feat(pgstac, server): add tls support

johnnylarner · gadomski · commit fb145cb3007b · 2024-09-16T05:53:14.000-06:00
diff --git a/cli/Cargo.toml b/cli/Cargo.toml
@@ -16,14 +16,15 @@ default = ["gdal", "geoparquet", "pgstac"]
 duckdb = ["dep:stac-duckdb", "dep:duckdb"]
 gdal = ["stac/gdal"]
 geoparquet = ["stac/geoparquet-compression"]
-pgstac = ["stac-server/pgstac"]
+pgstac = ["stac-server/pgstac", "dep:pgstac"]
 python = ["dep:pyo3", "pgstac", "geoparquet"]
 
 [dependencies]
 axum = "0.7"
 clap = { version = "4", features = ["derive"] }
 duckdb = { version = "1", optional = true } # We have this dependency only to allow us to bundle it
 object_store = "0.11"
+pgstac = { version = "0.1", path = "../pgstac", optional = true }
 pyo3 = { version = "0.22", optional = true }
 reqwest = "0.12"
 serde = "1"
diff --git a/cli/src/args/serve.rs b/cli/src/args/serve.rs
@@ -177,7 +177,7 @@ where
 enum Backend {
     Memory(MemoryBackend),
     #[cfg(feature = "pgstac")]
-    Pgstac(stac_server::PgstacBackend),
+    Pgstac(stac_server::PgstacBackend<pgstac::MakeRustlsConnect>),
 }
 
 impl Backend {
diff --git a/pgstac/Cargo.toml b/pgstac/Cargo.toml
@@ -10,14 +10,23 @@ license = "MIT OR Apache-2.0"
 keywords = ["geospatial", "stac", "metadata", "raster", "database"]
 categories = ["database", "data-structures", "science"]
 
+[features]
+tls = ["dep:rustls", "dep:tokio-postgres-rustls", "dep:webpki-roots"]
+
 [dependencies]
 geojson = "0.24"
+rustls = { version = "0.23", optional = true, features = [
+    "ring",
+    "std",
+], default-features = false }
 serde = "1"
 serde_json = "1"
 stac = { version = "0.9.0", path = "../core" }
 stac-api = { version = "0.5.0", path = "../api" }
 thiserror = "1"
 tokio-postgres = { version = "0.7", features = ["with-serde_json-1"] }
+tokio-postgres-rustls = { version = "0.12", optional = true }
+webpki-roots = { version = "0.26", optional = true }
 
 [dev-dependencies]
 pgstac-test = { path = "pgstac-test" }
diff --git a/pgstac/src/client.rs b/pgstac/src/client.rs
@@ -249,7 +249,7 @@ impl<'a, C: GenericClient> Client<'a, C> {
 }
 
 #[cfg(test)]
-mod tests {
+pub(crate) mod tests {
     use super::Client;
     use geojson::{Geometry, Value};
     use pgstac_test::pgstac_test;
@@ -264,7 +264,7 @@ mod tests {
     // the code generated by `pgstac_test`.
     //
     // There's got to be a better way.
-    static MUTEX: Mutex<()> = Mutex::new(());
+    pub(crate) static MUTEX: Mutex<()> = Mutex::new(());
 
     fn longmont() -> Geometry {
         Geometry::new(Value::Point(vec![-105.1019, 40.1672]))
diff --git a/pgstac/src/lib.rs b/pgstac/src/lib.rs
@@ -36,8 +36,12 @@
 
 mod client;
 mod page;
+#[cfg(feature = "tls")]
+mod tls;
 
 pub use {client::Client, page::Page};
+#[cfg(feature = "tls")]
+pub use {tls::make_unverified_tls, tokio_postgres_rustls::MakeRustlsConnect};
 
 /// Crate-specific error enum.
 #[derive(Debug, thiserror::Error)]
diff --git a/pgstac/src/tls.rs b/pgstac/src/tls.rs
@@ -0,0 +1,109 @@
+use rustls::{
+    client::danger::{ServerCertVerified, ServerCertVerifier},
+    crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
+    pki_types::{CertificateDer, ServerName, UnixTime},
+    ClientConfig, Error, RootCertStore,
+};
+use std::sync::Arc;
+use tokio_postgres_rustls::MakeRustlsConnect;
+use webpki_roots::TLS_SERVER_ROOTS;
+
+/// Make an unverified tls.
+///
+/// # Examples
+///
+/// ```
+/// #[cfg(feature = "tls")]
+/// {
+/// let tls = pgstac::make_unverified_tls();
+/// }
+/// ```
+pub fn make_unverified_tls() -> MakeRustlsConnect {
+    let mut root_cert_store = RootCertStore::empty();
+    root_cert_store.extend(TLS_SERVER_ROOTS.iter().cloned());
+
+    let verifier = DummyTlsVerifier::default();
+    let config = ClientConfig::builder()
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(verifier))
+        .with_no_client_auth();
+    MakeRustlsConnect::new(config)
+}
+
+// A TLS verifier copied from the `sqlx` library
+// [here](https://github.com/launchbadge/sqlx/blob/a892ebc6e283f443145f92bbc7fce4ae44547331/sqlx-core/src/net/tls/tls_rustls.rs#L208)
+// This verifier _does not_ verify certificates, but instead decrypts TLS
+// connections using default cipher codes
+#[derive(Debug)]
+struct DummyTlsVerifier {
+    provider: Arc<CryptoProvider>,
+}
+
+impl ServerCertVerifier for DummyTlsVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer<'_>,
+        _intermediates: &[CertificateDer<'_>],
+        _server_name: &ServerName<'_>,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result<ServerCertVerified, Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, Error> {
+        verify_tls12_signature(
+            message,
+            cert,
+            dss,
+            &self.provider.signature_verification_algorithms,
+        )
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &rustls::DigitallySignedStruct,
+    ) -> Result<rustls::client::danger::HandshakeSignatureValid, Error> {
+        verify_tls13_signature(
+            message,
+            cert,
+            dss,
+            &self.provider.signature_verification_algorithms,
+        )
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+        self.provider
+            .signature_verification_algorithms
+            .supported_schemes()
+    }
+}
+
+impl Default for DummyTlsVerifier {
+    fn default() -> Self {
+        Self {
+            provider: Arc::new(rustls::crypto::ring::default_provider()),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::client::tests::MUTEX;
+
+    #[tokio::test]
+    async fn connect() {
+        let _mutex = MUTEX.lock().unwrap();
+        let config = std::env::var("PGSTAC_RS_TEST_DB")
+            .unwrap_or("postgresql://username:password@localhost:5432/postgis".to_string());
+        let tls = super::make_unverified_tls();
+        let (_, _) = tokio_postgres::connect(&config, tls).await.unwrap();
+    }
+}
diff --git a/server/CHANGELOG.md b/server/CHANGELOG.md
@@ -6,6 +6,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
 
+- Make TLS the default for `PgstacBackend` ([#383](https://github.com/stac-utils/stac-rs/pull/383))
+
 ### Removed
 
 - **stac-async** dependency ([#369](https://github.com/stac-utils/stac-rs/pull/369))
@@ -44,4 +46,4 @@ Initial release.
 [0.1.1]: https://github.com/stac-utils/stac-rs/compare/stac-server-v0.1.0..stac-server-v0.1.1
 [0.1.0]: https://github.com/stac-utils/stac-rs/releases/tag/stac-server-v0.1.0
 
-<!-- markdownlint-disable-file MD024 -->
+<!-- markdownlint-disable-file MD024 -->
diff --git a/server/Cargo.toml b/server/Cargo.toml
@@ -22,7 +22,9 @@ bb8-postgres = { version = "0.8", optional = true }
 bytes = { version = "1", optional = true }
 http = "1"
 mime = { version = "0.3", optional = true }
-pgstac = { version = "0.1", path = "../pgstac", optional = true }
+pgstac = { version = "0.1", path = "../pgstac", features = [
+    "tls",
+], optional = true }
 serde = "1"
 serde_json = "1"
 serde_urlencoded = "0.7"
diff --git a/server/src/backend/pgstac.rs b/server/src/backend/pgstac.rs
@@ -2,20 +2,33 @@ use crate::{Backend, Error, Result};
 use bb8::Pool;
 use bb8_postgres::PostgresConnectionManager;
 use pgstac::Client;
+use pgstac::MakeRustlsConnect;
 use serde_json::Map;
 use stac::{Collection, Item};
 use stac_api::{ItemCollection, Items, Search};
-use tokio_postgres::tls::NoTls;
+use tokio_postgres::{
+    tls::{MakeTlsConnect, TlsConnect},
+    Socket,
+};
 
 /// A backend for a [pgstac](https://github.com/stac-utils/pgstac) database.
 #[derive(Clone, Debug)]
-pub struct PgstacBackend {
-    pool: Pool<PostgresConnectionManager<NoTls>>,
+pub struct PgstacBackend<Tls>
+where
+    Tls: MakeTlsConnect<Socket> + Clone + Send + Sync + 'static,
+    <Tls as MakeTlsConnect<Socket>>::Stream: Send + Sync,
+    <Tls as MakeTlsConnect<Socket>>::TlsConnect: Send,
+    <<Tls as MakeTlsConnect<Socket>>::TlsConnect as TlsConnect<Socket>>::Future: Send,
+{
+    pool: Pool<PostgresConnectionManager<Tls>>,
 }
 
-impl PgstacBackend {
+impl PgstacBackend<MakeRustlsConnect> {
     /// Creates a new PgstacBackend from a string-like configuration.
     ///
+    /// This will use an unverified tls. To provide your own tls, use
+    /// [PgstacBackend::new_from_stringlike_and_tls].
+    ///
     /// # Examples
     ///
     /// ```no_run
@@ -24,18 +37,53 @@ impl PgstacBackend {
     /// let backend = PgstacBackend::new_from_stringlike("postgresql://username:password@localhost:5432/postgis").await.unwrap();
     /// # })
     /// ```
-    pub async fn new_from_stringlike(params: impl ToString) -> Result<PgstacBackend> {
-        let connection_manager = PostgresConnectionManager::new_from_stringlike(params, NoTls)?;
-        let pool = Pool::builder().build(connection_manager).await?;
-        Ok(PgstacBackend::new(pool))
+    pub async fn new_from_stringlike(
+        params: impl ToString,
+    ) -> Result<PgstacBackend<MakeRustlsConnect>> {
+        let tls = pgstac::make_unverified_tls();
+        PgstacBackend::new_from_stringlike_and_tls(params, tls).await
     }
+}
 
-    fn new(pool: Pool<PostgresConnectionManager<NoTls>>) -> PgstacBackend {
-        PgstacBackend { pool }
+impl<Tls> PgstacBackend<Tls>
+where
+    Tls: MakeTlsConnect<Socket> + Clone + Send + Sync + 'static,
+    <Tls as MakeTlsConnect<Socket>>::Stream: Send + Sync,
+    <Tls as MakeTlsConnect<Socket>>::TlsConnect: Send,
+    <<Tls as MakeTlsConnect<Socket>>::TlsConnect as TlsConnect<Socket>>::Future: Send,
+{
+    /// Creates a new PgstacBackend from a string-like configuration and a tls.
+    ///
+    /// # Examples
+    ///
+    /// ```no_run
+    /// use stac_server::PgstacBackend;
+    ///
+    /// let tls = pgstac::make_unverified_tls();
+    /// # tokio_test::block_on(async {
+    /// let backend = PgstacBackend::new_from_stringlike_and_tls(
+    ///     "postgresql://username:password@localhost:5432/postgis",
+    ///     tls
+    /// ).await.unwrap();
+    /// # })
+    /// ```
+    pub async fn new_from_stringlike_and_tls(
+        params: impl ToString,
+        tls: Tls,
+    ) -> Result<PgstacBackend<Tls>> {
+        let connection_manager = PostgresConnectionManager::new_from_stringlike(params, tls)?;
+        let pool = Pool::builder().build(connection_manager).await?;
+        Ok(PgstacBackend { pool })
     }
 }
 
-impl Backend for PgstacBackend {
+impl<Tls> Backend for PgstacBackend<Tls>
+where
+    Tls: MakeTlsConnect<Socket> + Clone + Send + Sync + 'static,
+    <Tls as MakeTlsConnect<Socket>>::Stream: Send + Sync,
+    <Tls as MakeTlsConnect<Socket>>::TlsConnect: Send,
+    <<Tls as MakeTlsConnect<Socket>>::TlsConnect as TlsConnect<Socket>>::Future: Send,
+{
     fn has_item_search(&self) -> bool {
         true
     }

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ where`
`177`	`177`	`enum Backend {`
`178`	`178`	`Memory(MemoryBackend),`
`179`	`179`	`#[cfg(feature = "pgstac")]`
`180`		`- Pgstac(stac_server::PgstacBackend),`
	`180`	`+ Pgstac(stac_server::PgstacBackend<pgstac::MakeRustlsConnect>),`
`181`	`181`	`}`
`182`	`182`
`183`	`183`	`impl Backend {`