fix: connect to tenant db via ssl by default with override

supabase · Jul 19, 2023 · f419b01 · f419b01
1 parent 9186d0e
commit f419b01
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 34 deletions.
diff --git a/lib/extensions/postgres_cdc_rls/migrations.ex b/lib/extensions/postgres_cdc_rls/migrations.ex
@@ -107,7 +107,7 @@ defmodule Extensions.PostgresCdcRls.Migrations do
  "db_user" => db_user,
  "db_password" => db_password,
  "db_socket_opts" => db_socket_opts
- } = _args
+ } = args
  ) do
  {host, port, name, user, pass} =
  H.decrypt_creds(
@@ -118,26 +118,32 @@ defmodule Extensions.PostgresCdcRls.Migrations do
  db_password
  )
 
- Repo.with_dynamic_repo(
- [
- hostname: host,
- port: port,
- database: name,
- password: pass,
- username: user,
- pool_size: 2,
- socket_options: db_socket_opts
- ],
- fn repo ->
- Ecto.Migrator.run(
- Repo,
- @migrations,
- :up,
- all: true,
- prefix: "realtime",
- dynamic_repo: repo
- )
- end
- )
+ db_config = [
+ hostname: host,
+ port: port,
+ database: name,
+ password: pass,
+ username: user,
+ pool_size: 2,
+ socket_options: db_socket_opts
+ ]
+
+ ssl_enforced = Map.get(args, "ssl_enforced", true)
+
+ if ssl_enforced == true do
+ db_config ++ [ssl: true, ssl_opts: [verify: :verify_none]]
+ else
+ db_config
+ end
+ |> Repo.with_dynamic_repo(fn repo ->
+ Ecto.Migrator.run(
+ Repo,
+ @migrations,
+ :up,
+ all: true,
+ prefix: "realtime",
+ dynamic_repo: repo
+ )
+ end)
  end
 end
diff --git a/lib/extensions/postgres_cdc_rls/replication_poller.ex b/lib/extensions/postgres_cdc_rls/replication_poller.ex
@@ -28,14 +28,17 @@ defmodule Extensions.PostgresCdcRls.ReplicationPoller do
 
  @impl true
  def init(args) do
+ ssl_enforced = Map.get(args, "ssl_enforced", true)
+
  {:ok, conn} =
  connect_db(
  args["db_host"],
  args["db_port"],
  args["db_name"],
  args["db_user"],
  args["db_password"],
- args["db_socket_opts"]
+ args["db_socket_opts"],
+ ssl_enforced
  )
 
  tenant = args["id"]
@@ -306,10 +309,10 @@ defmodule Extensions.PostgresCdcRls.ReplicationPoller do
 
  defp convert_errors(_), do: nil
 
- defp connect_db(host, port, name, user, pass, socket_opts) do
+ defp connect_db(host, port, name, user, pass, socket_opts, ssl_enforced) do
  {host, port, name, user, pass} = decrypt_creds(host, port, name, user, pass)
 
- Postgrex.start_link(
+ db_config = [
  hostname: host,
  port: port,
  database: name,
@@ -320,7 +323,14 @@ defmodule Extensions.PostgresCdcRls.ReplicationPoller do
  application_name: "realtime_rls"
  ],
  socket_options: socket_opts
- )
+ ]
+
+ if ssl_enforced == true do
+ db_config ++ [ssl: true, ssl_opts: [verify: :verify_none]]
+ else
+ db_config
+ end
+ |> Postgrex.start_link()
  end
 
  defp prepare_replication(

diff --git a/lib/extensions/postgres_cdc_rls/subscription_manager.ex b/lib/extensions/postgres_cdc_rls/subscription_manager.ex
@@ -69,8 +69,13 @@ defmodule Extensions.PostgresCdcRls.SubscriptionManager do
 
  Logger.metadata(external_id: id, project: id)
 
- {:ok, conn} = H.connect_db(host, port, name, user, pass, socket_opts, 1)
- {:ok, conn_pub} = H.connect_db(host, port, name, user, pass, socket_opts, subs_pool_size)
+ ssl_enforced = Map.get(args, "ssl_enforced", true)
+
+ {:ok, conn} = H.connect_db(host, port, name, user, pass, socket_opts, 1, 5_000, ssl_enforced)
+
+ {:ok, conn_pub} =
+ H.connect_db(host, port, name, user, pass, socket_opts, subs_pool_size, 5_000, ssl_enforced)
+
  {:ok, _} = Subscriptions.maybe_delete_all(conn)
  Rls.update_meta(id, self(), conn_pub)
 

diff --git a/lib/extensions/postgres_cdc_rls/subscriptions_checker.ex b/lib/extensions/postgres_cdc_rls/subscriptions_checker.ex
@@ -49,7 +49,9 @@ defmodule Extensions.PostgresCdcRls.SubscriptionsChecker do
 
  Logger.metadata(external_id: id, project: id)
 
- {:ok, conn} = H.connect_db(host, port, name, user, pass, socket_opts, 1)
+ ssl_enforced = Map.get(args, "ssl_enforced", true)
+
+ {:ok, conn} = H.connect_db(host, port, name, user, pass, socket_opts, 1, 5_000, ssl_enforced)
 
  state = %State{
  id: id,

diff --git a/lib/realtime/helpers.ex b/lib/realtime/helpers.ex
@@ -29,10 +29,21 @@ defmodule Realtime.Helpers do
  String.t(),
  list(),
  non_neg_integer(),
- non_neg_integer()
+ non_neg_integer(),
+ boolean()
  ) ::
  {:ok, pid} | {:error, Postgrex.Error.t() | term()}
- def connect_db(host, port, name, user, pass, socket_opts, pool \\ 5, queue_target \\ 5_000) do
+ def connect_db(
+ host,
+ port,
+ name,
+ user,
+ pass,
+ socket_opts,
+ pool \\ 5,
+ queue_target \\ 5_000,
+ ssl_enforced \\ true
+ ) do
  secure_key = Application.get_env(:realtime, :db_enc_key)
 
  host = decrypt!(host, secure_key)
@@ -41,7 +52,7 @@ defmodule Realtime.Helpers do
  pass = decrypt!(pass, secure_key)
  user = decrypt!(user, secure_key)
 
- Postgrex.start_link(
+ db_config = [
  hostname: host,
  port: port,
  database: name,
@@ -53,7 +64,14 @@ defmodule Realtime.Helpers do
  application_name: "supabase_realtime"
  ],
  socket_options: socket_opts
- )
+ ]
+
+ if ssl_enforced == true do
+ db_config ++ [ssl: true, ssl_opts: [verify: :verify_none]]
+ else
+ db_config
+ end
+ |> Postgrex.start_link()
  end
 
  @doc """

diff --git a/mix.exs b/mix.exs
@@ -4,7 +4,7 @@ defmodule Realtime.MixProject do
  def project do
  [
  app: :realtime,
- version: "2.18.0",
+ version: "2.18.1",
  elixir: "~> 1.14.0",
  elixirc_paths: elixirc_paths(Mix.env()),
  start_permanent: Mix.env() == :prod,