Support sslmode prefer and require

porsager · porsager · commit 0cb298101635 · 2021-03-09T11:49:47.000+01:00
diff --git a/README.md b/README.md
@@ -51,7 +51,7 @@ const sql = postgres('postgres://username:password@host:port/database', {
   database        : '',         // Name of database to connect to
   username        : '',         // Username of database user
   password        : '',         // Password of database user
-  ssl             : false,      // True, or options for tls.connect
+  ssl             : false,      // true, prefer, require, tls.connect options
   max             : 10,         // Max number of connections
   idle_timeout    : 0,          // Idle connection timeout in seconds
   connect_timeout : 30,         // Connect timeout in seconds
diff --git a/lib/connection.js b/lib/connection.js
@@ -287,11 +287,19 @@ function postgresSocket(options, {
       socket.removeListener('error', error)
       socket.removeListener('close', onclose)
       x.toString() === 'S'
-        ? attach(tls.connect(Object.assign({ socket }, options.ssl)))
-        : /* c8 ignore next */ error('Server does not support SSL')
+        ? attach(tls.connect(Object.assign({ socket }, ssl(options.ssl))))
+        : options.ssl === 'prefer'
+          ? (attach(socket), ready())
+          : /* c8 ignore next */ error('Server does not support SSL')
     })
   }
 
+  function ssl(x) {
+    return x === 'require' || x === 'allow' || x === 'prefer'
+      ? { rejectUnauthorized: false }
+      : x
+  }
+
   function attach(x) {
     socket = x
     socket.on('data', data)
diff --git a/lib/index.js b/lib/index.js
@@ -551,7 +551,7 @@ function parseOptions(a, b) {
     pass            : o.pass || o.password || auth[1] || env.PGPASSWORD || '',
     max             : o.max || url.query.max || 10,
     types           : o.types || {},
-    ssl             : o.ssl || url.ssl || false,
+    ssl             : o.ssl || url.sslmode || url.ssl || false,
     idle_timeout    : o.idle_timeout || url.query.idle_timeout || env.PGIDLE_TIMEOUT || warn(o.timeout),
     connect_timeout : o.connect_timeout || url.query.connect_timeout || env.PGCONNECT_TIMEOUT || 30,
     no_prepare      : o.no_prepare,
diff --git a/tests/index.js b/tests/index.js
@@ -3,6 +3,7 @@
 require('./bootstrap.js')
 
 const { t, not, ot } = require('./test.js') // eslint-disable-line
+const cp = require('child_process')
 const path = require('path')
 const net = require('net')
 
@@ -294,6 +295,31 @@ t('Connect using SSL', async() =>
   }))]
 )
 
+t('Connect using SSL require', async() =>
+  [true, (await new Promise((resolve, reject) => {
+    postgres({
+      ssl: 'require',
+      idle_timeout: options.idle_timeout
+    })`select 1`.then(() => resolve(true), reject)
+  }))]
+)
+
+t('Connect using SSL prefer', async() => {
+  cp.execSync('psql -c "alter system set ssl=off"')
+  cp.execSync('psql -c "select pg_reload_conf()"')
+
+  const sql = postgres({
+    ssl: 'prefer',
+    idle_timeout: options.idle_timeout
+  })
+
+  return [
+    1, (await sql`select 1 as x`)[0].x,
+    cp.execSync('psql -c "alter system set ssl=on"'),
+    cp.execSync('psql -c "select pg_reload_conf()"')
+  ]
+})
+
 t('Login without password', async() => {
   return [true, (await postgres({ ...options, ...login })`select true as x`)[0].x]
 })
