SSL support #61

Closed
f213 opened this issue May 9, 2021 · 16 comments

@f213

f213 commented May 9, 2021

I am trying to use datanymizer in an environment that requires an SSL connection (Heroku postgres). It fails with an error:

$ docker run --rm -v /Users/f213/prj/education/dev-db:/app -w /app datanymizer/pg_datanymizer "postgres://user:pwd@<REDACTED>.eu-west-1.compute.amazonaws.com:5432/<REDACTED>?sslmode=require"
Error: error performing TLS handshake: no TLS implementation configured

Caused by:
    no TLS implementation configured

Any chance this great project will support SSL?

@evgeniy-r
Member

Hello!

I think we will add this option (unless there are any unexpected troubles).

@evgeniy-r
Member

Hello again!

I have added basic support for SSL (in the main branch). I have tested it with sslmode=require.
Please let us know if something goes wrong.

@f213
Author

f213 commented May 17, 2021

That's great! It would be nice to add an option for disabling server certificate validation, so I don't have to put my CA in the Docker image.

@evgeniy-r
Member

I thought it was controlled by this option: https://www.postgresql.org/docs/13/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS.
Am I wrong?

@f213
Author

f213 commented May 17, 2021

When I try to set sslmode to allow, I get

Error: invalid connection string: invalid value for option `sslmode`

Caused by:
    invalid value for option `sslmode`

When I set it to prefer, I get this:

Error: error performing TLS handshake: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: (self signed certificate)

Caused by:
    0: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915: (self signed certificate)
    1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:

@evgeniy-r
Member

OK, I will take a look.

@evgeniy-r
Member

The client we are using does not support all SSL modes (https://docs.rs/tokio-postgres/0.7.2/tokio_postgres/config/enum.SslMode.html). This is the reason why allow does not work.

I have added the new CLI options here - #64

  • --accept_invalid_hostnames
  • --accept_invalid_certs

I tested these options; can you check them too?

pg_datanymizer ..... --accept_invalid_certs=true
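
Added example, not part of the original thread and not datanymizer code: a std-only Rust check that reports what a given sslmode, combined with the two flags above, means for server authentication. The names `Posture`, `sslmode`, `posture` and `server_is_authenticated` are hypothetical; it assumes the tokio-postgres 0.7.2 mode set linked above (disable, prefer, require, default prefer) and that certificate and hostname checks are on unless a flag turns them off, as the "certificate verify failed" error earlier in the thread indicates.

```rust
// Added example (not datanymizer code): report what a given sslmode plus the
// two flags from this thread mean for the connection's security.
#[derive(Debug, PartialEq)]
enum Posture {
    Rejected { known_to_libpq: bool }, // client refuses the connection string
    Plaintext,                         // sslmode=disable
    Opportunistic,                     // prefer: plaintext if the server offers no TLS
    NoCertCheck,                       // encrypted, any certificate accepted
    NoHostnameCheck,                   // chain checked, name on the certificate is not
    Verified,                          // chain and hostname both checked
}

// Modes libpq documents that tokio-postgres 0.7.2 does not parse.
const LIBPQ_ONLY: [&str; 3] = ["allow", "verify-ca", "verify-full"];

// Value of `sslmode` in a postgres:// URL; the client defaults to "prefer".
fn sslmode(url: &str) -> &str {
    let query = url.split_once('?').map_or("", |(_, q)| q);
    query
        .split('&')
        .find_map(|kv| kv.strip_prefix("sslmode="))
        .unwrap_or("prefer")
}

fn posture(url: &str, accept_invalid_certs: bool, accept_invalid_hostnames: bool) -> Posture {
    match sslmode(url) {
        "disable" => Posture::Plaintext,
        // Assumption: the flags only change how a TLS session is verified.
        "prefer" => Posture::Opportunistic,
        "require" if accept_invalid_certs => Posture::NoCertCheck,
        "require" if accept_invalid_hostnames => Posture::NoHostnameCheck,
        "require" => Posture::Verified,
        other => Posture::Rejected { known_to_libpq: LIBPQ_ONLY.contains(&other) },
    }
}

// Only a verified session authenticates the server; usable as a pipeline gate.
fn server_is_authenticated(p: &Posture) -> bool {
    *p == Posture::Verified
}

fn main() {
    // Constructed sample URLs; host and credentials are placeholders.
    let base = "postgres://user:pwd@db.example.invalid:5432/app";
    for (q, certs) in [("?sslmode=allow", false), ("?sslmode=require", true), ("", false)] {
        let p = posture(&format!("{base}{q}"), certs, false);
        println!("{q:16} -> {p:?}, server authenticated: {}", server_is_authenticated(&p));
    }
}
```

With `--accept_invalid_certs=true` the session is still encrypted, but the client cannot tell the intended server from one that intercepts the connection, so a gate like this helps keep the flag out of pipelines that handle production data.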

@f213
Author

f213 commented May 23, 2021

It works like a charm with my Heroku postgres instance, thank you so much!

@evgeniy-r
Member

PR #64 was merged into the main branch.

@marmik18
Contributor

When will these changes be released?
When I try to use the flag --accept_invalid_certs=true it throws this error so I am assuming the changes haven't been released yet.

error: Found argument '--accept_invalid_certs' which wasn't expected, or isn't valid in this context

@evgeniy-r
Member

Hello!

This feature is not in the release yet.
We plan to make a new release in a few days (the beginning of the next week).

For now you can use a version from the main branch.

@marmik18
Contributor

I am planning to run this on a CI/CD pipeline.
How can I build it from the main branch in the pipeline?
Sorry to ask a naive question, but I don't have experience in Rust.

@evgeniy-r
Member

evgeniy-r commented Sep 19, 2021

  1. You can build a Docker image (with docker build), push it to some Docker registry and then use it in your pipeline.
    The project contains a Dockerfile.

  2. You can build the binary. You should install Rust (via rustup).
    Then clone the repo and build the binary:

git clone git@github.com:datanymizer/datanymizer.git
cd datanymizer
cargo build --release

The pg_datanymizer binary will be in the target/release subdirectory.
You can use it in the pipeline.
If you need the binary for some platform other than yours (for example, musl):

rustup target add x86_64-unknown-linux-musl
cargo build --release --target x86_64-unknown-linux-musl

Here is a list of platforms.

  3. Just wait a day or two.

@marmik18
Contributor

Thank you so much for the detailed answer.
For now, I will use the Dockerfile to build the image and then update to the released version when you release the update.

@evgeniy-r
Member

We released the new version (0.3.1).

@marmik18
Contributor

@evgeniy-r thank you for informing, I will test it out today.
