From 2a0b18d5f62f43107c55b439238e6528c63b0fcd Mon Sep 17 00:00:00 2001
From: Marc 'risson' Schmitt
Date: Wed, 27 May 2026 19:43:27 +0200
Subject: [PATCH] packages/ak-common/db: fix certificates options not allowing file paths (#22680)
Signed-off-by: Marc 'risson' Schmitt
---
 packages/ak-common/src/db.rs | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/packages/ak-common/src/db.rs b/packages/ak-common/src/db.rs
index 293faf4439e4..5698da71a04d 100644
--- a/packages/ak-common/src/db.rs
+++ b/packages/ak-common/src/db.rs
@@ -5,6 +5,7 @@ use sqlx::{
 ConnectOptions as _, Executor as _, PgConnection, PgPool,
 postgres::{PgConnectOptions, PgPoolOptions, PgSslMode},
 };
+use tokio::fs::read_to_string;
 use tracing::{info, log::LevelFilter, trace};
 use crate::{
@@ -15,7 +16,7 @@ use crate::{
 static DB: OnceLock = OnceLock::new();
-fn get_connect_opts() -> Result {
+async fn get_connect_opts() -> Result {
 let config = config::get();
 let mut opts = PgConnectOptions::new()
 .application_name(&format!(
@@ -30,13 +31,19 @@ fn get_connect_opts() -> Result {
 .database(&config.postgresql.name)
 .ssl_mode(PgSslMode::from_str(&config.postgresql.sslmode)?);
 if let Some(sslrootcert) = &config.postgresql.sslrootcert {
- opts = opts.ssl_root_cert_from_pem(sslrootcert.as_bytes().to_vec());
+ let from_fs = read_to_string(sslrootcert).await;
+ let data = from_fs.as_ref().unwrap_or(sslrootcert).as_bytes().to_vec();
+ opts = opts.ssl_root_cert_from_pem(data);
 }
 if let Some(sslcert) = &config.postgresql.sslcert {
- opts = opts.ssl_client_cert_from_pem(sslcert.as_bytes());
+ let from_fs = read_to_string(sslcert).await;
+ let data = from_fs.as_ref().unwrap_or(sslcert).as_bytes();
+ opts = opts.ssl_client_cert_from_pem(data);
 }
 if let Some(sslkey) = &config.postgresql.sslkey {
- opts = opts.ssl_client_key_from_pem(sslkey.as_bytes());
+ let from_fs = read_to_string(sslkey).await;
+ let data = from_fs.as_ref().unwrap_or(sslkey).as_bytes();
+ opts = opts.ssl_client_key_from_pem(data);
 }
 Ok(opts)
 }
@@ -49,7 +56,7 @@ async fn update_connect_opts_on_config_change(arbiter: Arbiter) -> Result<()> {
 Ok(Event::ConfigChanged) = events_rx.recv() => {
 trace!("config change received, refreshing database connection options");
 let db = get();
- db.set_connect_options(get_connect_opts()?);
+ db.set_connect_options(get_connect_opts().await?);
 },
 () = arbiter.shutdown() => {
 info!("stopping database watcher for config changes");
@@ -61,7 +68,7 @@ async fn update_connect_opts_on_config_change(arbiter: Arbiter) -> Result<()> {
 pub async fn init(tasks: &mut Tasks) -> Result<()> {
 info!("initializing database pool");
- let options = get_connect_opts()?;
+ let options = get_connect_opts().await?;
 let config = config::get();
 let pool_options = PgPoolOptions::new()
@@ -106,7 +113,7 @@ pub fn get() -> &'static PgPool {
 }
 pub async fn create_conn() -> Result {
- let options = get_connect_opts()?;
+ let options = get_connect_opts().await?;
 let conn = options.connect().await?;
 Ok(conn)
 }
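Review bot: The three `read_to_string(..).await` / `unwrap_or(..)` pairs in the `@@ -30,13 +31,19 @@` hunk treat every read failure as "the value is inline PEM". A mistyped path, a permission error or a non-UTF-8 file is therefore silently replaced by the path string itself, and only surfaces later as a certificate parse or TLS error, if at all. It also means an inline `sslkey` is first handed to the filesystem as a path name. I would decide on the PEM armor header instead and propagate the read error, with one helper shared by the three options (sketch below; it assumes the file's `Result` alias converts `std::io::Error`, as the existing `?` uses suggest). `get_connect_opts` starts outside this hunk, and the watcher in `update_connect_opts_on_config_change` calls it with `?`, so a failed read there should probably be logged rather than end the loop.

```rust
// Inline PEM is recognised by its armor header; anything else is treated as a path,
// and a failed read is reported instead of being parsed as PEM.
async fn pem_or_file(value: &str) -> Result<Vec<u8>> {
    if value.trim_start().starts_with("-----BEGIN") {
        return Ok(value.as_bytes().to_vec());
    }
    Ok(tokio::fs::read(value).await?)
}

// … unchanged: builder chain up to ssl_mode …
if let Some(sslrootcert) = &config.postgresql.sslrootcert {
    opts = opts.ssl_root_cert_from_pem(pem_or_file(sslrootcert).await?);
}
if let Some(sslcert) = &config.postgresql.sslcert {
    opts = opts.ssl_client_cert_from_pem(pem_or_file(sslcert).await?);
}
if let Some(sslkey) = &config.postgresql.sslkey {
    opts = opts.ssl_client_key_from_pem(pem_or_file(sslkey).await?);
}
```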