From 31354622859a9bbccbd91ac402d1299aee7b827d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tarjei=20Hus=C3=B8y?=
Date: Fri, 25 Nov 2016 17:07:43 -0800
Subject: [PATCH] Enable setting custom psql connection parameters

This makes it possible to ensure we're connecting over TLS and validate the connection against a known CA. And everything else that be configured as connection parameters, like TCP keepalive behavior, timeouts, etc.
Full spec: https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS
Closes #2138.
---
 docs/markdown/authoritative/backend-generic-postgresql.md | 5 +++++
 modules/gpgsqlbackend/gpgsqlbackend.cc | 4 +++-
 modules/gpgsqlbackend/spgsql.cc | 5 ++++-
 modules/gpgsqlbackend/spgsql.hh | 3 ++-
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/docs/markdown/authoritative/backend-generic-postgresql.md b/docs/markdown/authoritative/backend-generic-postgresql.md
index 4dcb6d8bd4..ec9181024a 100644
--- a/docs/markdown/authoritative/backend-generic-postgresql.md
+++ b/docs/markdown/authoritative/backend-generic-postgresql.md
@@ -48,6 +48,11 @@ The password to for [`gpgsql-user`](#gpgsql-user).
 ## `gpgsql-dnssec`
 Enable DNSSEC processing for this backend. Default=no.
+## `gpsql-extra-connection-parameters`
+Extra connection parameters to forward to postgres. If you want to pin a specific certificate for
+the connection you should set this to `sslmode=verify-full sslrootcert=`. Accepted
+parameters are documented [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS).
+
 # Default schema
 ```
 !!include=../modules/gpgsqlbackend/schema.pgsql.sql
diff --git a/modules/gpgsqlbackend/gpgsqlbackend.cc b/modules/gpgsqlbackend/gpgsqlbackend.cc
index e540de3227..bb80d1f3c3 100644
--- a/modules/gpgsqlbackend/gpgsqlbackend.cc
+++ b/modules/gpgsqlbackend/gpgsqlbackend.cc
@@ -44,7 +44,8 @@ gPgSQLBackend::gPgSQLBackend(const string &mode, const string &suffix) : GSQLBa
 getArg("host"),
 getArg("port"),
 getArg("user"),
- getArg("password")));
+ getArg("password"),
+ getArg("extra-connection-parameters")));
 }
 catch(SSqlException &e) {
@@ -66,6 +67,7 @@ public:
 declare(suffix,"host","Pdns backend host to connect to","");
 declare(suffix,"port","Database backend port to connect to","");
 declare(suffix,"password","Pdns backend password to connect with","");
+ declare(suffix,"extra-connection-parameters", "Extra parameters to add to connection string","");
 declare(suffix,"dnssec","Enable DNSSEC processing","no");
diff --git a/modules/gpgsqlbackend/spgsql.cc b/modules/gpgsqlbackend/spgsql.cc
index ed80d4c53b..6b63e7d68f 100644
--- a/modules/gpgsqlbackend/spgsql.cc
+++ b/modules/gpgsqlbackend/spgsql.cc
@@ -265,7 +265,7 @@ private:
 bool SPgSQL::s_dolog;
 SPgSQL::SPgSQL(const string &database, const string &host, const string& port, const string &user,
- const string &password)
+ const string &password, const string &extra_connection_parameters)
 {
 d_db=0;
 d_in_trx = false;
@@ -283,6 +283,9 @@ SPgSQL::SPgSQL(const string &database, const string &host, const string& port, c
 if(!port.empty()) d_connectstr+=" port="+port;
+ if(!extra_connection_parameters.empty())
+ d_connectstr+=" " + extra_connection_parameters;
+
 d_connectlogstr=d_connectstr;
 if(!password.empty()) {
diff --git a/modules/gpgsqlbackend/spgsql.hh b/modules/gpgsqlbackend/spgsql.hh
index 8e9dd544fe..f00fcf987d 100644
--- a/modules/gpgsqlbackend/spgsql.hh
+++ b/modules/gpgsqlbackend/spgsql.hh
@@ -29,7 +29,8 @@ class SPgSQL : public SSql {
 public:
 SPgSQL(const string &database, const string &host="", const string& port="",
- const string &user="", const string &password="");
+ const string &user="", const string &password="",
+ const string &extra_connection_parameters="");
 ~SPgSQL();
-- 
2.47.2
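Review bot: The help text on the added `declare(suffix,"extra-connection-parameters", ...)` line in gpgsqlbackend.cc does not say what format the value takes, and the docs hunk of this commit heads the section `gpsql-extra-connection-parameters`, which does not match the `gpgsql-` prefix of the neighbouring settings (`gpgsql-dnssec`, `gpgsql-user`). An operator who copies the documented name would presumably set an option the backend never reads and end up connecting without the intended `sslmode`. I would change the description to `"Extra libpq connection parameters, as space-separated keyword=value pairs"` and correct the heading in the documentation file. The enclosing method starts and ends outside the hunk.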
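Review bot: In the second spgsql.cc hunk the added `d_connectstr+=" " + extra_connection_parameters;` runs before `d_connectlogstr=d_connectstr;`, so the whole option value is copied into the log string verbatim, whereas the password is only appended after that copy. If an operator puts a secret in the option (a `password=` keyword, for instance) it would appear wherever `d_connectlogstr` is printed; that use is outside the hunk, so this is inferred from the name. Either move `d_connectlogstr=d_connectstr;` above the new `if`, at the cost of no longer seeing `sslmode` in the log, or add a comment such as `// extra_connection_parameters is copied into d_connectlogstr; it must not contain secrets` and say the same in the docs. Because the value is appended after `dbname`/`host`/`port`, a keyword repeated in it likely overrides the dedicated settings, which also deserves a sentence in the documentation. The constructor body continues outside the hunk.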