split ssl root cert from client

hasura · Aug 19, 2024 · 997bd6e · 997bd6e
1 parent 0b89ef8
commit 997bd6e
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 20 deletions.
diff --git a/crates/cli/src/lib.rs b/crates/cli/src/lib.rs
@@ -106,17 +106,17 @@ async fn initialize(with_metadata: bool, context: Context<impl Environment>) ->
 				},
 				metadata::EnvironmentVariableDefinition {
 					name: "CLIENT_CERT".to_string(),
-					description: "The SSL client certificate".to_string(),
+					description: "The SSL client certificate (Optional)".to_string(),
 					default_value: None,
 				},
 				metadata::EnvironmentVariableDefinition {
 					name: "CLIENT_KEY".to_string(),
-					description: "The SSL client key".to_string(),
+					description: "The SSL client key (Optional)".to_string(),
 					default_value: None,
 				},
 				metadata::EnvironmentVariableDefinition {
 					name: "ROOT_CERT".to_string(),
-					description: "The SSL root certificate".to_string(),
+					description: "The SSL root certificate (Optional)".to_string(),
 					default_value: None,
 				},
 			],

diff --git a/crates/configuration/src/connect.rs b/crates/configuration/src/connect.rs
@@ -24,25 +24,33 @@ pub fn get_connect_options(
 
     let ssl = read_ssl_info(environment);
 
-    // Add ssl info if present.
-    Ok(match ssl {
+    // Add ssl client info if present.
+    let connect_options = match ssl.client {
         None => connect_options,
-        Some(secret) => connect_options
-            .ssl_client_cert_from_pem(secret.certificate)
-            .ssl_client_key_from_pem(secret.key)
-            .ssl_root_cert_from_pem(secret.root_certificate),
+        Some(client) => connect_options
+            .ssl_client_cert_from_pem(client.certificate)
+            .ssl_client_key_from_pem(client.key),
+    };
+    // Add ssl root certificate if present.
+    Ok(match ssl.root_certificate {
+        None => connect_options,
+        Some(root_certificate) => connect_options.ssl_root_cert_from_pem(root_certificate),
     })
 }
 
+/// SSL certificate information.
+struct SslInfo {
+    client: Option<SslClientInfo>,
+    root_certificate: Option<Vec<u8>>,
+}
 /// SSL client certificate information.
 struct SslClientInfo {
     certificate: String,
     key: String,
-    root_certificate: Vec<u8>,
 }
 
 /// Read ssl certificate and key from the environment.
-fn read_ssl_info(environment: impl Environment) -> Option<SslClientInfo> {
+fn read_ssl_info(environment: impl Environment) -> SslInfo {
     // read ssl info
     let certificate = environment.read(&Variable::from("CLIENT_CERT")).ok();
     let key = environment.read(&Variable::from("CLIENT_KEY")).ok();
@@ -51,16 +59,28 @@ fn read_ssl_info(environment: impl Environment) -> Option<SslClientInfo> {
         .ok()
         .map(|text| text.as_bytes().to_vec());
 
-    match (certificate, key, root_certificate) {
-        (Some(certificate), Some(key), Some(root_certificate))
-            if !certificate.is_empty() && !key.is_empty() && !root_certificate.is_empty() =>
-        {
-            Some(SslClientInfo {
-                certificate,
-                key,
-                root_certificate,
-            })
+    let client = match (certificate, key) {
+        (Some(certificate), Some(key)) if !certificate.is_empty() && !key.is_empty() => {
+            Some(SslClientInfo { certificate, key })
+        }
+        (Some(certificate), None) if !certificate.is_empty() => {
+            tracing::warn!("SSL client certificate set without key. Ignoring.");
+            None
+        }
+        (_, Some(key)) if !key.is_empty() => {
+            tracing::warn!("SSL client key set without key. Ignoring.");
+            None
         }
         _ => None,
+    };
+
+    let root_certificate = match root_certificate {
+        Some(root_certificate) if !root_certificate.is_empty() => Some(root_certificate),
+        _ => None,
+    };
+
+    SslInfo {
+        client,
+        root_certificate,
     }
 }