Improve SSL types naming
ghivert authored and lpil committed Dec 21, 2024
1 parent 7441f6c commit 540aa69
Showing 4 changed files with 26 additions and 20 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
@@ -3,7 +3,7 @@
## Unreleased

- Add support for `sslmode` in connection strings.
- Change SSL from `Bool` to `SslEnabled`, `SslDisabled` and `SslVerify` to match
- Change SSL from `Bool` to `SslVerify`, `SslUnverify` and `SslDisabled` to match
against diverse CA certificates or not.

## v1.1.0 - 2024-12-11
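Review bot: the new changelog line names the constructors `SslVerify` and `SslUnverify`, but the type in `src/pog.gleam` and the README in this same commit use `SslVerified` and `SslUnverified`; the entry should read "Change SSL from `Bool` to `SslVerified`, `SslUnverified` and `SslDisabled`" so that users searching the changelog find the real names. Since `SslEnabled` and `SslUnsafe` are removed from a public type, it would also help to mark this entry as a breaking change.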
6 changes: 3 additions & 3 deletions README.md
@@ -166,8 +166,8 @@ In Postgres, conventions used, including in connection URI are as follow:
### `pog` SSL usage

In `pog`, setting up an SSL connection simply ask you to indicate the proper flag
in `pog.Config`. The different options are `SslDisabled`, `SslUnsafe` &
`SslEnabled`. Because of the nature of the 3 modes of SSL, and because talking
in `pog.Config`. The different options are `SslDisabled`, `SslUnverified` &
`SslVerified`. Because of the nature of the 3 modes of SSL, and because talking
to your database should be highly secured to protect you against man-in-the-middle
attacks, you should always try to use the most secured setting.

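Review bot: the rewritten sentence still tells readers to use "the most secured setting" without naming it; say `SslVerified` explicitly, and state that `SslUnverified` encrypts the connection but does not check the server's certificate, so it gives no protection against the man-in-the-middle attacks mentioned two lines later. In the unchanged context line, "simply ask you to indicate" should read "simply asks you to indicate".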
@@ -176,7 +176,7 @@ import pog
pub fn connect() {
pog.default_config()
|> pog.ssl(pog.SslSecured)
|> pog.ssl(pog.SslVerified)
|> pog.connect
}
```
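Review bot: the removed line referenced `pog.SslSecured`, which does not match any constructor of the `Ssl` type shown in this commit's `src/pog.gleam` diff (the pre-change type has `SslEnabled`, `SslUnsafe` and `SslDisabled`), so this snippet was already stale before the rename. Consider compiling the README example as part of the test suite, or pointing the README at a file under `test/` that is compiled, so the next rename cannot leave the example broken again.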
2 changes: 1 addition & 1 deletion docs/solving-ssl-issues.md
@@ -36,7 +36,7 @@ it's properly secured, everyone will have an error, rejecting because the CA
certificate can not be verified.

To make sure your error comes from an CA certificate issue, it's recommended to
first test your connection in `pog` with `ssl: pog.SslUnsafe`. Because of the
first test your connection in `pog` with `ssl: pog.SslUnverified`. Because of the
nature of the setting, if the only error comes from SSL, it should work directly.
If it does not work, your problem comes from something else.

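Review bot: the troubleshooting step switches users to `ssl: pog.SslUnverified` to isolate a CA problem but never tells them to switch back; add a closing sentence that `SslUnverified` is for diagnosis only and that the fix is to install the CA certificate and return to `SslVerified`. In the unchanged context line, "an CA certificate issue" should be "a CA certificate issue".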
36 changes: 21 additions & 15 deletions src/pog.gleam
@@ -61,16 +61,20 @@ pub type Config {
}

pub type Ssl {
/// Enable SSL connection, and check CA certificate. It is the most secured
/// option to use SSL and should be always used by default.
/// Never ignore CA certificate checking _unless you know exactly what you are
/// doing_.
SslVerified
/// Enable SSL connection, but don't check CA certificate.
/// `SslEnabled` should always be prioritized upon `SslUnsafe`.
/// As it implies, that option is unsafe, so you should use this option only
/// if you know what you're doing. In case `pog` can not find the proper CA
/// certificate, take a look at the README to get some help to inject the CA
/// certificate in your OS.
SslUnsafe
/// Enable SSL connection, and check CA certificate.
SslEnabled
/// Disable SSL connection.
/// `SslVerified` should always be prioritized upon `SslUnverified`.
/// As it implies, that option enables SSL, but as it is unverified, the
/// connection can be unsafe. _Use this option only if you know what you're
/// doing._ In case `pog` can not find the proper CA certificate, take a look
/// at the README to get some help to inject the CA certificate in your OS.
SslUnverified
/// Disable SSL connection completely. Using this option will let the
/// connection unsecured, and should be avoided in production environment.
SslDisabled
}

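Review bot: the `SslUnverified` doc comment says the connection "can be unsafe" but not why; state plainly that the connection is encrypted but the server's certificate is not checked, so a man-in-the-middle can impersonate the database, which is the concrete risk the README refers to. "should always be prioritized upon `SslUnverified`" should be "prioritized over" (the old `SslUnsafe` comment had the same wording). The `SslVerified` comment would also benefit from one line saying which CA store is consulted, since the `SslUnverified` comment already sends users to the README to inject a CA certificate.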
@@ -256,7 +260,9 @@ pub fn url_config(database_url: String) -> Result(Config, Nil) {
}

/// Expects `userinfo` as `"username"` or `"username:password"`. Fails otherwise.
fn extract_user_password(userinfo: String) {
fn extract_user_password(
userinfo: String,
) -> Result(#(String, Option(String)), Nil) {
case string.split(userinfo, ":") {
[user] -> Ok(#(user, None))
[user, password] -> Ok(#(user, Some(password)))
@@ -266,18 +272,18 @@ fn extract_user_password(userinfo: String) {

/// Expects `sslmode` to be `require`, `verify-ca`, `verify-full` or `disable`.
/// If `sslmode` is set, but not one of those value, fails.
/// If `sslmode` is `verify-ca` or `verify-full`, returns `SslEnabled`.
/// If `sslmode` is `require`, returns `SslUnsafe`.
/// If `sslmode` is `verify-ca` or `verify-full`, returns `SslVerified`.
/// If `sslmode` is `require`, returns `SslUnverified`.
/// If `sslmode` is unset, returns `SslDisabled`.
fn extract_ssl_mode(query: option.Option(String)) {
fn extract_ssl_mode(query: option.Option(String)) -> Result(Ssl, Nil) {
case query {
option.None -> Ok(SslDisabled)
option.Some(query) -> {
use query <- result.then(uri.parse_query(query))
use sslmode <- result.then(list.key_find(query, "sslmode"))
case sslmode {
"require" -> Ok(SslUnsafe)
"verify-ca" | "verify-full" -> Ok(SslEnabled)
"require" -> Ok(SslUnverified)
"verify-ca" | "verify-full" -> Ok(SslVerified)
"disable" -> Ok(SslDisabled)
_ -> Error(Nil)
}
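Review bot: the doc comment says an unset `sslmode` returns `SslDisabled`, but the code only does that when the URL has no query string at all; when a query string is present without an `sslmode` key, `list.key_find(query, "sslmode")` returns `Error(Nil)` and `use sslmode <- result.then(...)` propagates it, so `url_config` fails for a URL whose query string carries other parameters but no `sslmode`. Handle the missing key explicitly, for example `case list.key_find(query, "sslmode") { Error(Nil) -> Ok(SslDisabled) Ok(sslmode) -> ... }`, so that only an unknown value fails. Mapping `require` to `SslUnverified` is consistent with libpq, where `require` alone does not verify the server's CA; a short comment on that line would stop a later reader from either "upgrading" it to `SslVerified` or assuming `require` already verifies.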