Enable setting custom psql connection parameters 4711/head
authorTarjei Husøy <git@thusoy.com>
Sat, 26 Nov 2016 01:07:43 +0000 (17:07 -0800)
committerTarjei Husøy <git@thusoy.com>
Mon, 23 Jan 2017 21:11:01 +0000 (13:11 -0800)
This makes it possible to ensure we're connecting over TLS and validate
the connection against a known CA. And everything else that can be
configured as connection parameters, like TCP keepalive behavior,
timeouts, etc. Full spec:
https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS

Closes #2138.

docs/markdown/authoritative/backend-generic-postgresql.md
modules/gpgsqlbackend/gpgsqlbackend.cc
modules/gpgsqlbackend/spgsql.cc
modules/gpgsqlbackend/spgsql.hh

index 4dcb6d8bd4e6925b9b1ccbdc3035dde70dc9e152..ec9181024a555d871be0a117cb064b709ac90e56 100644 (file)
@@ -48,6 +48,11 @@ The password to for [`gpgsql-user`](#gpgsql-user).
 ## `gpgsql-dnssec`
 Enable DNSSEC processing for this backend. Default=no.
 
+## `gpsql-extra-connection-parameters`
+Extra connection parameters to forward to postgres. If you want to pin a specific certificate for
+the connection you should set this to `sslmode=verify-full sslrootcert=<path-to-CA-cert>`. Accepted
+parameters are documented [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS).
+
 # Default schema
 ```
 !!include=../modules/gpgsqlbackend/schema.pgsql.sql
index e540de3227f3370e19464e2954bf203d78a5dd3a..bb80d1f3c3fa35f3462a581b9e01dc40b25391de 100644 (file)
@@ -44,7 +44,8 @@ gPgSQLBackend::gPgSQLBackend(const string &mode, const string &suffix)  : GSQLBa
                  getArg("host"),
                  getArg("port"),
                  getArg("user"),
-                 getArg("password")));
+                 getArg("password"),
+                 getArg("extra-connection-parameters")));
   }
 
   catch(SSqlException &e) {
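Review bot: The option read here as `getArg("extra-connection-parameters")` is documented in this same commit under the heading `gpsql-extra-connection-parameters`, while the neighbouring headings in that file use the `gpgsql-` prefix (`gpgsql-user`, `gpgsql-dnssec`). Assuming the backend prefix is applied to this setting as it is to the others, the heading should read `## gpgsql-extra-connection-parameters` (in backticks like the others); an operator who copies the documented name would otherwise set an option the backend never reads and would believe TLS verification is on when it is not. The constructor body starts and ends outside the hunk.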
@@ -66,6 +67,7 @@ public:
     declare(suffix,"host","Pdns backend host to connect to","");
     declare(suffix,"port","Database backend port to connect to","");
     declare(suffix,"password","Pdns backend password to connect with","");
+    declare(suffix,"extra-connection-parameters", "Extra parameters to add to connection string","");
 
     declare(suffix,"dnssec","Enable DNSSEC processing","no");
 
index ed80d4c53bc3bbeaf5a269339d692a6f15da0f3f..6b63e7d68fd5b7899f99b1f73ffbe6bcecfcbd67 100644 (file)
@@ -265,7 +265,7 @@ private:
 bool SPgSQL::s_dolog;
 
 SPgSQL::SPgSQL(const string &database, const string &host, const string& port, const string &user,
-               const string &password)
+               const string &password, const string &extra_connection_parameters)
 {
   d_db=0;
   d_in_trx = false;
@@ -283,6 +283,9 @@ SPgSQL::SPgSQL(const string &database, const string &host, const string& port, c
   if(!port.empty())
     d_connectstr+=" port="+port;
 
+  if(!extra_connection_parameters.empty())
+    d_connectstr+=" " + extra_connection_parameters;
+
   d_connectlogstr=d_connectstr;
 
   if(!password.empty()) {
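Review bot: The extra parameters are appended before `d_connectlogstr=d_connectstr`, so whatever the operator puts in them is copied into the string that appears to be kept for logging, whereas the password is added only afterwards. A value such as `password=...` or a passphrase placed in the extra parameters would therefore end up in `d_connectlogstr`; where that string is written is outside this hunk. Having `sslmode` and `sslrootcert` in the logged string is useful for diagnosis, so I would keep the order and add a comment above the new lines, `// copied verbatim into d_connectlogstr below: extra parameters must not carry secrets`, and state the same in the setting's documentation. Because the text is appended unparsed after the dedicated host/port/user values, a repeated keyword in it may take precedence over those settings, which also deserves a sentence in the docs. The constructor body continues outside the hunk.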
index 8e9dd544feedc2fb60261b9f81891ddc8461664c..f00fcf987db67b7be9d2648bbf1a96d07cc8c041 100644 (file)
@@ -29,7 +29,8 @@ class SPgSQL : public SSql
 {
 public:
   SPgSQL(const string &database, const string &host="", const string& port="",
-         const string &user="", const string &password="");
+         const string &user="", const string &password="",
+         const string &extra_connection_parameters="");
 
   ~SPgSQL();