From 1afa8edbc2c84d88cca8ec8de469a0531e7bfc4b Mon Sep 17 00:00:00 2001
From: Matthew Plant <matty@nova-labs.com>
Date: Tue, 6 Aug 2024 14:09:28 -0400
Subject: [PATCH] Add verify ca and root cert path to settings

---
 db_store/src/iam_auth_pool.rs |  9 ++++++++-
 db_store/src/settings.rs      | 20 ++++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/db_store/src/iam_auth_pool.rs b/db_store/src/iam_auth_pool.rs
index a21c801f7..28427d5b4 100644
--- a/db_store/src/iam_auth_pool.rs
+++ b/db_store/src/iam_auth_pool.rs
@@ -1,6 +1,6 @@
 use crate::{error::invalid_configuration, Error, Result, Settings};
 use sqlx::{
-    postgres::{PgConnectOptions, Postgres},
+    postgres::{PgConnectOptions, PgSslMode, Postgres},
     Pool,
 };
 
@@ -18,6 +18,13 @@ pub async fn connect(settings: &Settings) -> Result<Pool<Postgres>> {
     let client = aws_sdk_sts::Client::new(&aws_config);
     let connect_parameters = ConnectParameters::try_from(settings)?;
     let connect_options = connect_parameters.connect_options(&client).await?;
+    let connect_options = if let Some(ref ca_path) = settings.ca_path {
+        connect_options
+            .ssl_mode(PgSslMode::VerifyCa)
+            .ssl_root_cert(ca_path)
+    } else {
+        connect_options
+    };
 
     let pool = settings
         .pool_options()
diff --git a/db_store/src/settings.rs b/db_store/src/settings.rs
index 9a46b7b74..b788b9d5f 100644
--- a/db_store/src/settings.rs
+++ b/db_store/src/settings.rs
@@ -1,6 +1,11 @@
+use std::path::PathBuf;
+
 use crate::{iam_auth_pool, metric_tracker, Error, Result};
 use serde::Deserialize;
-use sqlx::{postgres::PgPoolOptions, Pool, Postgres};
+use sqlx::{
+    postgres::{PgConnectOptions, PgPoolOptions, PgSslMode},
+    Pool, Postgres,
+};
 
 #[derive(Deserialize, Debug, Clone)]
 #[serde(rename_all = "lowercase")]
@@ -17,6 +22,9 @@ pub struct Settings {
     /// the auth_type is Postgres
     pub url: Option<String>,
 
+    /// Optionally provided certificate authority
+    pub ca_path: Option<PathBuf>,
+
     #[serde(default = "default_auth_type")]
     auth_type: AuthType,
 
@@ -55,12 +63,20 @@ impl Settings {
     }
 
     async fn simple_connect(&self) -> Result<Pool<Postgres>> {
-        let connect_options = self
+        let connect_options: PgConnectOptions = self
             .url
             .as_ref()
             .ok_or_else(|| Error::InvalidConfiguration("url is required".to_string()))?
             .parse()?;
 
+        let connect_options = if let Some(ref ca_path) = self.ca_path {
+            connect_options
+                .ssl_mode(PgSslMode::VerifyCa)
+                .ssl_root_cert(ca_path)
+        } else {
+            connect_options
+        };
+
         let pool = self.pool_options().connect_with(connect_options).await?;
         Ok(pool)
     }
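Review bot: The seven-line `if let Some(ref ca_path) = self.ca_path { ... } else { connect_options }` block in `simple_connect` is a verbatim copy of the one added to `iam_auth_pool::connect`, so any later change to the SSL mode has to be made in two places; a small helper on `Settings` would keep both connect paths in step, and `if let Some(ca_path) = &self.ca_path` (match ergonomics) reads better than `ref` in the file's 2018+ style. Sketch below; `iam_auth_pool::connect` would call `settings.with_tls(connect_options)` the same way.

```rust
    /// Apply the configured CA (if any) to `opts`; leaves `opts` unchanged when `ca_path` is unset.
    pub(crate) fn with_tls(&self, opts: PgConnectOptions) -> PgConnectOptions {
        match &self.ca_path {
            Some(ca_path) => opts.ssl_mode(PgSslMode::VerifyCa).ssl_root_cert(ca_path),
            None => opts,
        }
    }

    async fn simple_connect(&self) -> Result<Pool<Postgres>> {
        // … unchanged: parse `self.url` into `connect_options` …
        let connect_options = self.with_tls(connect_options);
        // … unchanged: pool creation …
```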