fix(electric): Fix the order of case clauses when parsing database SSL config #1261

Merged
merged 2 commits into from
Jun 4, 2024
5 changes: 5 additions & 0 deletions .changeset/eight-suits-boil.md
@@ -0,0 +1,5 @@
---
"@core/electric": patch
---

Bring back the enforcement of SSL use for database connections. The default value was changed to `false` in v0.9.1 by accident. This version restores the intended behaviour. To use unencrypted database connections, you must explicitly configure Electric with DATABASE_REQUIRE_SSL=false.
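
Review bot: The last sentence of this changeset entry says unencrypted connections require DATABASE_REQUIRE_SSL=false, but the `_ -> false` clause in runtime.exs also resolves require_ssl? to false when DATABASE_REQUIRE_SSL is unset and DATABASE_URL carries any ?sslmode=... value other than require. Either mention that URL-parameter path here, so operators auditing a deployment know to check DATABASE_URL as well, or tighten the case expression so the sentence is literally true. It would also help to state the restored default explicitly, since the entry only names `false` as the accidental value.
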
24 changes: 17 additions & 7 deletions components/electric/config/runtime.exs
Expand Up @@ -214,22 +214,32 @@ connector_config =
# database will be treated as a fatal error.
#
# 2. Or it is not required, in which case Electric will still try connecting with SSL first
# and will only fallback to using unencrypted connection if that fails.
# and will only fall back to using unencrypted connection if that fails.
#
# When DATABASE_REQUIRE_SSL is set by the user, the sslmode query parameter in DATABASE_URL is ignored.
require_ssl? =
case {require_ssl_config, conn_config[:sslmode]} do
{nil, :require} -> true
{nil, _} -> false
{nil, nil} -> default_database_require_ssl
{true, _} -> true
{false, _} -> false
{nil, nil} ->
# neither DATABASE_REQUIRE_SSL nor ?sslmode=... are present, use the default setting
default_database_require_ssl

{true, _} ->
# DATABASE_REQUIRE_SSL=true: require database connections to use SSL
true

{nil, :require} ->
# ?sslmode=require and DATABASE_REQUIRE_SSL is not set: require database connections to use SSL
true

_ ->
# any other value of ?sslmode=... or DATABASE_REQUIRE_SSL means SSL is not required
false
end

# When require_ssl?=true, epgsql will try to connect using SSL and fail if the server does not accept encrypted
# connections.
#
# When require_ssl?=false, epgsql will try to connect using SSL first, then fallback to an unencrypted connection
# When require_ssl?=false, epgsql will try to connect using SSL first, then fall back to an unencrypted connection
# if that fails.
use_ssl? =
if require_ssl? do
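
Review bot: The catch-all `_ -> false` at the end of the new case expression fails open: any {require_ssl_config, sslmode} pair not listed above it, including a require_ssl_config value that is neither true, false nor nil, silently resolves to SSL not being required. The regression fixed here was itself a too-broad pattern (`{nil, _} -> false` placed above `{nil, nil}`), so consider spelling out the remaining cases as `{false, _} -> false` and `{nil, _other_sslmode} -> false`, which makes an unexpected value raise a CaseClauseError at boot instead of downgrading enforcement. A test that walks the combinations of DATABASE_REQUIRE_SSL and ?sslmode= would keep the clause order from regressing again; none is visible in this diff.
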