Improve SSL types naming

lpil · Dec 13, 2024 · 486fd3a · 486fd3a
1 parent 9e7f907
commit 486fd3a
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,7 @@
 ## Unreleased
 
 - Add support for `sslmode` in connection strings.
-- Change SSL from `Bool` to `SslEnabled`, `SslDisabled` and `SslVerify` to match
+- Change SSL from `Bool` to `SslVerify`, `SslUnverify` and `SslDisabled` to match
   against diverse CA certificates or not.
 
 ## v1.1.0 - 2024-12-11

diff --git a/README.md b/README.md
@@ -166,8 +166,8 @@ In Postgres, conventions used, including in connection URI are as follow:
 ### `pog` SSL usage
 
 In `pog`, setting up an SSL connection simply ask you to indicate the proper flag
-in `pog.Config`. The different options are `SslDisabled`, `SslUnsafe` &
-`SslEnabled`. Because of the nature of the 3 modes of SSL, and because talking
+in `pog.Config`. The different options are `SslDisabled`, `SslUnverified` &
+`SslVerified`. Because of the nature of the 3 modes of SSL, and because talking
 to your database should be highly secured to protect you against man-in-the-middle
 attacks, you should always try to use the most secured setting.
 
@@ -176,7 +176,7 @@ import pog
 
 pub fn connect() {
   pog.default_config()
-  |> pog.ssl(pog.SslSecured)
+  |> pog.ssl(pog.SslVerified)
   |> pog.connect
 }
 ```

diff --git a/docs/solving-ssl-issues.md b/docs/solving-ssl-issues.md
@@ -36,7 +36,7 @@ it's properly secured, everyone will have an error, rejecting because the CA
 certificate can not be verified.
 
 To make sure your error comes from an CA certificate issue, it's recommended to
-first test your connection in `pog` with `ssl: pog.SslUnsafe`. Because of the
+first test your connection in `pog` with `ssl: pog.SslUnverified`. Because of the
 nature of the setting, if the only error comes from SSL, it should work directly.
 If it does not work, your problem comes from something else.
 

diff --git a/src/pog.gleam b/src/pog.gleam
@@ -61,16 +61,20 @@ pub type Config {
 }
 
 pub type Ssl {
+  /// Enable SSL connection, and check CA certificate. It is the most secured
+  /// option to use SSL and should be always used by default.
+  /// Never ignore CA certificate checking _unless you know exactly what you are
+  /// doing_.
+  SslVerified
   /// Enable SSL connection, but don't check CA certificate.
-  /// `SslEnabled` should always be prioritized upon `SslUnsafe`.
-  /// As it implies, that option is unsafe, so you should use this option only
-  /// if you know what you're doing. In case `pog` can not find the proper CA
-  /// certificate, take a look at the README to get some help to inject the CA
-  /// certificate in your OS.
-  SslUnsafe
-  /// Enable SSL connection, and check CA certificate.
-  SslEnabled
-  /// Disable SSL connection.
+  /// `SslVerified` should always be prioritized upon `SslUnverified`.
+  /// As it implies, that option enables SSL, but as it is unverified, the
+  /// connection can be unsafe. _Use this option only if you know what you're
+  /// doing._ In case `pog` can not find the proper CA certificate, take a look
+  /// at the README to get some help to inject the CA certificate in your OS.
+  SslUnverified
+  /// Disable SSL connection completely. Using this option will let the
+  /// connection unsecured, and should be avoided in production environment.
   SslDisabled
 }
 
@@ -256,7 +260,9 @@ pub fn url_config(database_url: String) -> Result(Config, Nil) {
 }
 
 /// Expects `userinfo` as `"username"` or `"username:password"`. Fails otherwise.
-fn extract_user_password(userinfo: String) {
+fn extract_user_password(
+  userinfo: String,
+) -> Result(#(String, Option(String)), Nil) {
   case string.split(userinfo, ":") {
     [user] -> Ok(#(user, None))
     [user, password] -> Ok(#(user, Some(password)))
@@ -266,18 +272,18 @@ fn extract_user_password(userinfo: String) {
 
 /// Expects `sslmode` to be `require`, `verify-ca`, `verify-full` or `disable`.
 /// If `sslmode` is set, but not one of those value, fails.
-/// If `sslmode` is `verify-ca` or `verify-full`, returns `SslEnabled`.
-/// If `sslmode` is `require`, returns `SslUnsafe`.
+/// If `sslmode` is `verify-ca` or `verify-full`, returns `SslVerified`.
+/// If `sslmode` is `require`, returns `SslUnverified`.
 /// If `sslmode` is unset, returns `SslDisabled`.
-fn extract_ssl_mode(query: option.Option(String)) {
+fn extract_ssl_mode(query: option.Option(String)) -> Result(Ssl, Nil) {
   case query {
     option.None -> Ok(SslDisabled)
     option.Some(query) -> {
       use query <- result.then(uri.parse_query(query))
       use sslmode <- result.then(list.key_find(query, "sslmode"))
       case sslmode {
-        "require" -> Ok(SslUnsafe)
-        "verify-ca" | "verify-full" -> Ok(SslEnabled)
+        "require" -> Ok(SslUnverified)
+        "verify-ca" | "verify-full" -> Ok(SslVerified)
         "disable" -> Ok(SslDisabled)
         _ -> Error(Nil)
       }