add tls_client_required setting (#587)

* add tls_client_required setting

* reword TLS error message to be more consistent

Co-authored-by: Lev Kokotov <levkk@users.noreply.github.com>

* warn if TLS should be enforced

* format fixes

---------

Co-authored-by: Lev Kokotov <levkk@users.noreply.github.com>

Author: zxaos

example.pgdog.toml

@@ -106,6 +106,11 @@ tls_certificate = "relative/or/absolute/path/to/certificate.pem"
 # Path to PEM-encoded TLS certificate private key
 tls_private_key = "relative/or/absolute/path/to/private_key.pem"
 
+# Require clients to use TLS when connecting
+#
+# Default: false
+tls_client_required = false
+
 # TLS mode for Postgres server connections.
 #
 # Default: disabled

integration/rust/src/lib.rs

@@ -1 +1,2 @@
 pub mod setup;
+pub mod utils;

integration/rust/src/utils.rs

@@ -0,0 +1,19 @@
+use super::setup::admin_sqlx;
+use sqlx::{Executor, Row};
+
+pub async fn assert_setting_str(name: &str, expected: &str) {
+    let admin = admin_sqlx().await;
+    let rows = admin.fetch_all("SHOW CONFIG").await.unwrap();
+    let mut found = false;
+    for row in rows {
+        let db_name: String = row.get(0);
+        let value: String = row.get(1);
+
+        if name == db_name {
+            found = true;
+            assert_eq!(value, expected);
+        }
+    }
+
+    assert!(found);
+}

integration/rust/tests/integration/auth.rs

@@ -1,6 +1,7 @@
 use rust::setup::admin_sqlx;
+use rust::utils::assert_setting_str;
 use serial_test::serial;
-use sqlx::{Connection, Executor, PgConnection, Row};
+use sqlx::{Connection, Executor, PgConnection};
 
 #[tokio::test]
 #[serial]
@@ -25,23 +26,6 @@ async fn test_auth() {
     assert!(PgConnection::connect(bad_password).await.is_err());
 }
 
-async fn assert_setting_str(name: &str, expected: &str) {
-    let admin = admin_sqlx().await;
-    let rows = admin.fetch_all("SHOW CONFIG").await.unwrap();
-    let mut found = false;
-    for row in rows {
-        let db_name: String = row.get(0);
-        let value: String = row.get(1);
-
-        if name == db_name {
-            found = true;
-            assert_eq!(value, expected);
-        }
-    }
-
-    assert!(found);
-}
-
 #[tokio::test]
 async fn test_passthrough_auth() {
     let admin = admin_sqlx().await;

integration/rust/tests/integration/mod.rs

@@ -17,4 +17,5 @@ pub mod shard_consistency;
 pub mod stddev;
 pub mod syntax_error;
 pub mod timestamp_sorting;
+pub mod tls_enforced;
 pub mod tls_reload;

integration/rust/tests/integration/tls_enforced.rs

@@ -0,0 +1,31 @@
+use rust::setup::admin_sqlx;
+use rust::utils::assert_setting_str;
+use sqlx::{ConnectOptions, Connection, Executor, postgres::PgSslMode};
+
+#[tokio::test]
+async fn test_tls_enforced() {
+    let admin = admin_sqlx().await;
+    let conn_base: sqlx::postgres::PgConnectOptions =
+        "postgres://pgdog:pgdog@127.0.0.1:6432/pgdog?application_name=sqlx"
+            .parse()
+            .unwrap();
+
+    let opts_notls = conn_base.clone().ssl_mode(PgSslMode::Disable);
+    let opts_tls = conn_base.clone().ssl_mode(PgSslMode::Require);
+
+    {
+        let tls = opts_tls.connect().await.unwrap();
+        let notls = opts_notls.connect().await.unwrap();
+        tls.close().await.unwrap();
+        notls.close().await.unwrap();
+    }
+
+    admin
+        .execute("SET tls_client_required TO 'true'")
+        .await
+        .unwrap();
+    assert_setting_str("tls_client_required", "true").await;
+
+    opts_tls.connect().await.unwrap();
+    assert!(opts_notls.connect().await.is_err());
+}

pgdog/src/admin/set.rs

@@ -141,6 +141,10 @@ impl Command for Set {
                 config.config.general.ban_timeout = self.value.parse()?;
             }
 
+            "tls_client_required" => {
+                config.config.general.tls_client_required = Self::from_json(&self.value)?;
+            }
+
             _ => return Err(Error::Syntax),
         }
 

pgdog/src/config/core.rs

@@ -4,7 +4,7 @@ use std::fs::read_to_string;
 use std::path::PathBuf;
 use tracing::{info, warn};
 
-use crate::config::PreparedStatements;
+use crate::config::{PassthoughAuth, PreparedStatements};
 
 use super::database::Database;
 use super::error::Error;
@@ -286,6 +286,17 @@ impl Config {
                 self.general.idle_healthcheck_interval, self.general.ban_timeout
             );
         }
+
+        // Warn about plain auth and TLS
+        match self.general.passthrough_auth {
+            PassthoughAuth::Enabled if !self.general.tls_client_required => {
+                warn!("consider setting tls_client_required while passthrough_auth is enabled to prevent clients from exposing plaintext passwords");
+            }
+            PassthoughAuth::EnabledPlain => {
+                warn!("passthrough_auth plain is enabled - network traffic may expose plaintext passwords")
+            }
+            _ => (),
+        }
     }
 
     /// Multi-tenancy is enabled.

pgdog/src/config/general.rs

@@ -63,6 +63,8 @@ pub struct General {
     pub tls_certificate: Option<PathBuf>,
     /// TLS private key.
     pub tls_private_key: Option<PathBuf>,
+    #[serde(default)]
+    pub tls_client_required: bool,
     /// TLS verification mode (for connecting to servers)
     #[serde(default = "General::default_tls_verify")]
     pub tls_verify: TlsVerifyMode,
@@ -182,6 +184,7 @@ impl Default for General {
             read_write_split: Self::read_write_split(),
             tls_certificate: Self::tls_certificate(),
             tls_private_key: Self::tls_private_key(),
+            tls_client_required: bool::default(),
             tls_verify: Self::default_tls_verify(),
             tls_server_ca_certificate: Self::tls_server_ca_certificate(),
             shutdown_timeout: Self::default_shutdown_timeout(),

pgdog/src/frontend/client/mod.rs

@@ -20,8 +20,7 @@ use crate::net::messages::{
     Authentication, BackendKeyData, ErrorResponse, FromBytes, Message, Password, Protocol,
     ReadyForQuery, ToBytes,
 };
-use crate::net::{parameter::Parameters, Stream};
-use crate::net::{MessageBuffer, ProtocolMessage};
+use crate::net::{parameter::Parameters, MessageBuffer, ProtocolMessage, Stream};
 use crate::state::State;
 use crate::stats::memory::MemoryUsage;
 use crate::util::user_database_from_params;
@@ -135,9 +134,15 @@ impl Client {
         addr: SocketAddr,
         mut comms: Comms,
     ) -> Result<Option<Client>, Error> {
-        let (user, database) = user_database_from_params(&params);
         let config = config::config();
 
+        // Bail immediately if TLS is required but the connection isn't using it.
+        if config.config.general.tls_client_required && !stream.is_tls() {
+            stream.fatal(ErrorResponse::tls_required()).await?;
+            return Ok(None);
+        }
+
+        let (user, database) = user_database_from_params(&params);
         let admin = database == config.config.admin.name && config.config.admin.user == user;
         let admin_password = &config.config.admin.password;
         let auth_type = &config.config.general.auth_type;