Skip to content

Commit

Permalink
Allow adding postgres certs to client (#113)
Browse files Browse the repository at this point in the history 
Accept optional envs PGSSLMODE, PGSSLKEY, PGSSLCERT and PGSSLROOTCERT
  • Loading branch information
@sandromello
sandromello committed Nov 4, 2022
1 parent cbb03ec commit 4aca87e
Showing 1 changed file with 71 additions and 27 deletions.
98 changes: 71 additions & 27 deletions src/agent/agent.clj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@
[clostache.parser :as parser]
[tracer.honeycomb :refer [with-tracing
with-tracing-end]])
(:import java.io.File))
(:import java.io.File
java.nio.file.attribute.PosixFilePermissions
java.nio.file.Files))

(defn decode-base64 [str]
(String. (b64/decode str)))
Expand Down Expand Up @@ -97,33 +99,75 @@
:proc-chan (:proc-chan task))
outcome))))

(def sh-postgres
(fn [task] (shell/sh "psql"
"-A"
(format "-F%s" (or (:FIELD_SEPARATOR (:secrets task)) "\t"))
"-h" (:PG_HOST (:secrets task))
"-U" (:PG_USER (:secrets task))
"-d" (:PG_DB (:secrets task))
"-p" (str (or (:PG_PORT (:secrets task)) "5432"))
"-v" "ON_ERROR_STOP=1"
:env {"PGPASSWORD" (:PG_PASS (:secrets task))
"PATH" (env :path)}
:in (:script task)
:proc-chan (:proc-chan task))))
(defn create-tmp-file ^java.io.File [prefix suffix]
(let [tmp-file (File/createTempFile prefix suffix)
perms (PosixFilePermissions/fromString "rw-------")]
(Files/setPosixFilePermissions (.toPath tmp-file) perms)
tmp-file))

(defn pgssl-config-files [task-id secrets]
(let [pgsslkey-enc (or (:PGSSLKEY secrets) "bnVsbA==")
pgsslcrt-enc (or (:PGSSLCERT secrets) "bnVsbA==")
pgsslroot-enc (or (:PGSSLROOTCERT secrets) "bnVsbA==")
sslkeyfile (create-tmp-file "task-key." (str task-id))
sslcrtfile (create-tmp-file "task-crt." (str task-id))
sslrootfile (create-tmp-file "task-root." (str task-id))
_ (spit sslkeyfile (decode-base64 pgsslkey-enc))
_ (spit sslcrtfile (decode-base64 pgsslcrt-enc))
_ (spit sslrootfile (decode-base64 pgsslroot-enc))]
{:PGSSLKEY sslkeyfile
:PGSSLCERT sslcrtfile
:PGSSLROOTCERT sslrootfile
:delete-fn (fn []
(.delete sslkeyfile)
(.delete sslcrtfile)
(.delete sslrootfile))}))

(defn sh-postgres [task]
(let [secrets (:secrets task)
sslfiles (pgssl-config-files (:id task) secrets)
output (shell/sh
"psql"
"-A"
(format "-F%s" (or (:FIELD_SEPARATOR (:secrets task)) "\t"))
"-h" (:PG_HOST (:secrets task))
"-U" (:PG_USER (:secrets task))
"-d" (:PG_DB (:secrets task))
"-p" (str (or (:PG_PORT (:secrets task)) "5432"))
"-v" "ON_ERROR_STOP=1"
:env {"PGPASSWORD" (:PG_PASS (:secrets task))
"PGSSLMODE" (or (:PGSSLMODE secrets) "prefer")
"PGSSLKEY" (:PGSSLKEY sslfiles)
"PGSSLCERT" (:PGSSLCERT sslfiles)
"PGSSLROOTCERT" (:PGSSLROOTCERT sslfiles)
"PATH" (env :path)}
:in (:script task)
:proc-chan (:proc-chan task))]
((:delete-fn sslfiles))
output))

(def sh-postgres-csv
(fn [task] (shell/sh "psql"
"-A"
(format "-F%s" (or (:FIELD_SEPARATOR (:secrets task)) ","))
"-h" (:PG_HOST (:secrets task))
"-U" (:PG_USER (:secrets task))
"-d" (:PG_DB (:secrets task))
"-p" (str (or (:PG_PORT (:secrets task)) "5432"))
"-v" "ON_ERROR_STOP=1"
:env {"PGPASSWORD" (:PG_PASS (:secrets task))
"PATH" (env :path)}
:in (:script task)
:proc-chan (:proc-chan task))))
(defn sh-postgres-csv [task]
(let [secrets (:secrets task)
sslfiles (pgssl-config-files (:id task) secrets)
output (shell/sh
"psql"
"-A"
(format "-F%s" (or (:FIELD_SEPARATOR (:secrets task)) ","))
"-h" (:PG_HOST (:secrets task))
"-U" (:PG_USER (:secrets task))
"-d" (:PG_DB (:secrets task))
"-p" (str (or (:PG_PORT (:secrets task)) "5432"))
"-v" "ON_ERROR_STOP=1"
:env {"PGPASSWORD" (:PG_PASS secrets)
"PGSSLMODE" (or (:PGSSLMODE secrets) "prefer")
"PGSSLKEY" (:PGSSLKEY sslfiles)
"PGSSLCERT" (:PGSSLCERT sslfiles)
"PGSSLROOTCERT" (:PGSSLROOTCERT sslfiles)
"PATH" (env :path)}
:in (:script task)
:proc-chan (:proc-chan task))]
((:delete-fn sslfiles))
output))

(defn sh-mssql [task]
(let [secrets (:secrets task)
Expand Down

0 comments on commit 4aca87e

Please sign in to comment.