Respect PGSSLMODE for setting SSL connection

2025-12-08 20:16:25 +00:00 · 2013-09-05 16:51:16 -05:00 · 2013-09-05 16:51:16 -05:00 · bfdea752b2
commit bfdea752b2
parent e8f7f38e18
4 changed files with 52 additions and 2 deletions
--- a/lib/connection-parameters.js
+++ b/lib/connection-parameters.js
@ -35,6 +35,19 @@ var parse = function(str) {
  return config;
 };

+var useSsl = function() {
+  switch(process.env.PGSSLMODE) {
+  case "disable":
+    return false;
+  case "prefer":
+  case "require":
+  case  "verify-ca":
+  case "verify-full":
+    return true;
+  }
+  return defaults.ssl;
+};
+
 var ConnectionParameters = function(config) {
  config = typeof config == 'string' ? parse(config) : (config || {});
  this.user = val('user', config);
@ -43,7 +56,7 @@ var ConnectionParameters = function(config) {
  this.host = val('host', config);
  this.password = val('password', config);
  this.binary = val('binary', config);
-  this.ssl = config.ssl || defaults.ssl;
+  this.ssl = config.ssl || useSsl();
  this.client_encoding = val("client_encoding", config);
  //a domain socket begins with '/'
  this.isDomainSocket = (!(this.host||'').indexOf('/'));
--- a/lib/defaults.js
+++ b/lib/defaults.js
@ -36,7 +36,9 @@ var defaults = module.exports = {
  //pool log function / boolean
  poolLog: false,

-  client_encoding: ""
+  client_encoding: "",
+
+  ssl: false
 };

 //parse int8 so you can get your count values as actual numbers
--- a/test/unit/connection-parameters/creation-tests.js
+++ b/test/unit/connection-parameters/creation-tests.js
@ -151,11 +151,14 @@ test('libpq connection string building', function() {
  });

  test('password contains weird characters', function() {
+    var defaults = require('../../../lib/defaults');
+    defaults.ssl = true;
    var strang = 'postgres://my first name:is&%awesome!@localhost:9000';
    var subject = new ConnectionParameters(strang);
    assert.equal(subject.user, 'my first name');
    assert.equal(subject.password, 'is&%awesome!');
    assert.equal(subject.host, 'localhost');
+    assert.equal(subject.ssl, true);
  });

 });
--- a/test/unit/connection-parameters/environment-variable-tests.js
+++ b/test/unit/connection-parameters/environment-variable-tests.js
@ -76,6 +76,38 @@ test('connection string parsing - ssl', function(t) {
  assert.equal(!!subject.ssl, false, 'ssl');
 });

+//clear process.env
+for(var key in process.env) {
+  delete process.env[key];
+}
+
+
+test('ssl is false by default', function() {
+  var subject = new ConnectionParameters()
+  assert.equal(subject.ssl, false)
+})
+
+var testVal = function(mode, expected) {
+  //clear process.env
+  for(var key in process.env) {
+    delete process.env[key];
+  }
+  process.env.PGSSLMODE = mode;
+  test('ssl is ' + expected + ' when $PGSSLMODE=' + mode, function() {
+    var subject = new ConnectionParameters();
+    assert.equal(subject.ssl, expected);
+  });
+};
+
+testVal('', false);
+testVal('disable', false);
+testVal('allow', false);
+testVal('prefer', true);
+testVal('require', true);
+testVal('verify-ca', true);
+testVal('verify-full', true);
+
+
 //restore process.env
 for(var key in realEnv) {
  process.env[key] = realEnv[key];