Option to allow only SSL connection

VERSION

@@ -1 +1 @@
-0.2.12
+0.2.13

lib/supavisor/client_handler.ex

@@ -108,10 +108,16 @@ defmodule Supavisor.ClientHandler do
 
  case Tenants.get_user(external_id, user) do
  {:ok, user_info} ->
- new_data = update_user_data(data, external_id, user_info)
+ if user_info.enforce_ssl and !data.ssl do
+ Logger.error("Tenant is not allowed to connect without SSL, user #{user}")
+ :ok = send_error(sock, "XX000", "SSL connection is required")
+ {:stop, :normal, data}
+ else
+ new_data = update_user_data(data, external_id, user_info)
 
- {:keep_state, new_data,
- {:next_event, :internal, {:handle, fn -> user_info.db_password end}}}
+ {:keep_state, new_data,
+ {:next_event, :internal, {:handle, fn -> user_info.db_password end}}}
+ end
 
  {:error, reason} ->
  Logger.error("User not found: #{inspect(reason)} #{inspect({user, external_id})}")

lib/supavisor/tenants.ex

@@ -52,14 +52,15 @@ defmodule Supavisor.Tenants do
  nil ->
  {:error, :not_found}
 
- [[db_alias, pass, mode, timeout, ps]] ->
+ [[db_alias, pass, mode, timeout, ps, enforce_ssl]] ->
  {:ok,
  %{
  db_password: pass,
  db_user_alias: db_alias,
  mode_type: mode,
  pool_checkout_timeout: timeout,
- default_parameter_status: ps
+ default_parameter_status: ps,
+ enforce_ssl: enforce_ssl
  }}
 
  _ ->
@@ -258,7 +259,8 @@ defmodule Supavisor.Tenants do
  u.db_password,
  u.mode_type,
  u.pool_checkout_timeout,
- t.default_parameter_status
+ t.default_parameter_status,
+ t.enforce_ssl
  ]
  )
 

lib/supavisor/tenants/tenant.ex

@@ -20,6 +20,7 @@ defmodule Supavisor.Tenants.Tenant do
  field(:upstream_ssl, :boolean, default: false)
  field(:upstream_verify, Ecto.Enum, values: [:none, :peer])
  field(:upstream_tls_ca, :binary)
+ field(:enforce_ssl, :boolean, default: false)
 
  has_many(:users, User,
  foreign_key: :tenant_external_id,
@@ -43,7 +44,8 @@ defmodule Supavisor.Tenants.Tenant do
  :ip_version,
  :upstream_ssl,
  :upstream_verify,
- :upstream_tls_ca
+ :upstream_tls_ca,
+ :enforce_ssl
  ])
  |> check_constraint(:upstream_ssl, name: :upstream_constraints, prefix: "_supavisor")
  |> check_constraint(:upstream_verify, name: :upstream_constraints, prefix: "_supavisor")

lib/supavisor_web/views/tenant_view.ex

@@ -21,6 +21,7 @@ defmodule SupavisorWeb.TenantView do
  ip_version: tenant.ip_version,
  upstream_ssl: tenant.upstream_ssl,
  upstream_verify: tenant.upstream_verify,
+ enforce_ssl: tenant.enforce_ssl,
  users: render_many(tenant.users, UserView, "user.json")
  }
  end

priv/repo/migrations/20230711142028_add_enforce_ssl.exs

@@ -0,0 +1,15 @@
+defmodule Supavisor.Repo.Migrations.AddEnforceSsl do
+ use Ecto.Migration
+
+ def up do
+ alter table("tenants", prefix: "_supavisor") do
+ add(:enforce_ssl, :boolean, null: false, default: false)
+ end
+ end
+
+ def down do
+ alter table("tenants", prefix: "_supavisor") do
+ remove(:enforce_ssl)
+ end
+ end
+end