Add an SSL connection test.

Author: elprans

asyncpg/_testbase.py

@@ -172,12 +172,16 @@ def create_pool(dsn=None, *,
 
 
 class ClusterTestCase(TestCase):
+    @classmethod
+    def get_server_settings(cls):
+        return {
+            'log_connections': 'on'
+        }
+
     @classmethod
     def setUpClass(cls):
         super().setUpClass()
-        cls.cluster = _start_default_cluster({
-            'log_connections': 'on'
-        })
+        cls.cluster = _start_default_cluster(cls.get_server_settings())
 
     def create_pool(self, pool_class=pg_pool.Pool, **kwargs):
         conn_spec = self.cluster.get_connection_spec()

asyncpg/cluster.py

@@ -178,6 +178,15 @@ def start(self, wait=60, *, server_settings={}, **opts):
         if sockdir is None:
             sockdir = '/tmp'
 
+        ssl_key = server_settings.get('ssl_key_file')
+        if ssl_key:
+            # Make sure server certificate key file has correct permissions.
+            keyfile = os.path.join(self._data_dir, 'srvkey.pem')
+            shutil.copy(ssl_key, keyfile)
+            os.chmod(keyfile, 0o400)
+            server_settings = server_settings.copy()
+            server_settings['ssl_key_file'] = keyfile
+
         if self._pg_version < (9, 3):
             sockdir_opt = 'unix_socket_directory'
         else:

tests/certs/ca.cert.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGFzCCA/+gAwIBAgIJAPTCST3Z/WinMA0GCSqGSIb3DQEBCwUAMIGhMQswCQYD
+VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEQMA4GA1UEBwwHVG9yb250bzEYMBYG
+A1UECgwPTWFnaWNTdGFjayBJbmMuMRYwFAYDVQQLDA1hc3luY3BnIHRlc3RzMR0w
+GwYDVQQDDBRhc3luY3BnIHRlc3Qgcm9vdCBjYTEdMBsGCSqGSIb3DQEJARYOaGVs
+bG9AbWFnaWMuaW8wHhcNMTcwNDAzMTYxMzMwWhcNMzcwMzI5MTYxMzMwWjCBoTEL
+MAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xEDAOBgNVBAcMB1Rvcm9udG8x
+GDAWBgNVBAoMD01hZ2ljU3RhY2sgSW5jLjEWMBQGA1UECwwNYXN5bmNwZyB0ZXN0
+czEdMBsGA1UEAwwUYXN5bmNwZyB0ZXN0IHJvb3QgY2ExHTAbBgkqhkiG9w0BCQEW
+DmhlbGxvQG1hZ2ljLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+zxreg1IEqX/g1IFwpNCc9hKa7YYMPk8mo4l+pE4CKXA9cQreaIiDg+l7+pJL3FMa
+a/7cuUsBlVOq/T+9gmjzdWDTHTdq55PQx6co4OlRyPGad2kMwYlAERB6s2jGfuwM
+sS0JJ3VPxUBXwB5ljq18L+HPsZXZhZOl6pBW74dfQE5SJZLTGIX6mbtwR+uQgaow
+1RsMwFAGvwDu8c8+3lmUinGhlHXRJAhbncnlOWmAqa3Yf8rny0JeX7wz5x3vbxnX
+9p9XMaXtV+hQWFHn21nAYjsCnDin6oyC2zUi9ahN5njKu+tUYA+K0ImliTAQNQ39
+m9SZvGNS2uIj/ryYVsI9FjgyJgV6JGcb0q1j2BPUmpPKwHN+sPkdKZy+Z4mVBiel
+mc7X6J9aEXxrvFIjhZOwhYn3RwpwguDFU5qY1Y9wzTg1HMLfQfzWdyInNEi4s96z
+biicisVMnR84syClg2RN56U+0hTJeYKTnYh/xV959EqoFfpUI2GZIxNmHr5p8S3M
+7uSeBxoovmUYadhF9SlKx+dABd/K1HBKfMC4z2iw9z6r4QGOnKoMy0eAn5wzL7wL
++h6znRPm28Qr9NEg8qJ9r1pfF3uhwgZw8hL8iytNfdUIneQVqoHApd33SxHFaO29
+2Nuc19ucySNsMFBIVSg1D5LGjcJYz3NZpleQsIwLhvMCAwEAAaNQME4wHQYDVR0O
+BBYEFOcVk1n/NisD3qXqtpSsWm+pXd0XMB8GA1UdIwQYMBaAFOcVk1n/NisD3qXq
+tpSsWm+pXd0XMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAEFyCFmn
+vc6EjKRld+G8Q1UBRCviNwAvTUyn6LfGFKeimCGlrXEIj08e15oSMVtbWYrs1vWk
+x9JJIJYSbaWJM6eaWmbPYgYzQaiDdWnZb/fXg20gDaFtTamDrqws44yPHgkF8B+k
+fBdkG6w59lGuwz2n8shag4ATDRambJBW1TV+6WAOH2FRQ6Mn/yz4qFGlI/r7yeCJ
+CcQ3KWcrmbqA+GeNCNFyP1CHh+1DXYydVJULZ8hO7TcAkHgKZuHA37N5WGr2Yb+1
+wVH8v2vXpka1wosENU5dMPgtJQ9raEVZEh6HQY81G5/rtUIEuLuHFGkMv9LiuV2/
+FhXGjwyfmDaRADIEH0j0e2NeKk3tLlHb+2cZgKRvwL0a/RkovgUtKN3/ZGHsuPFe
+YTk7RXn3DFpnhVltrg1vRPgR3euKKSVyw/DTPo1sQN205Lgcot+zshUIER/ELZBu
+77AeDK9wbjxG34vdPaNz+bpVpJxZWHyO0CSKpXYwUcdr5iU2VrWJrj4Mnvat9Elo
+BV6lkgdM47ngJ+bS4QpbvZG0YBzaN6mnXEQf3Zw1TkR+31m7vhRKilnObhG+Ylzq
+H6E/a1MVtTRu1FkhTHdHJmolMVSHAytZZnee5PC/1AlMcKdWEv8A5up9sTjGesFM
+ztcZLWC9GiyC/TFSJ1hDylkvvwcCX6PD7fLu
+-----END CERTIFICATE-----

tests/certs/server.cert.pem

@@ -0,0 +1,40 @@
+-----BEGIN CERTIFICATE-----
+MIIHFjCCBP6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgaExCzAJBgNVBAYTAkNB
+MRAwDgYDVQQIDAdPbnRhcmlvMRAwDgYDVQQHDAdUb3JvbnRvMRgwFgYDVQQKDA9N
+YWdpY1N0YWNrIEluYy4xFjAUBgNVBAsMDWFzeW5jcGcgdGVzdHMxHTAbBgNVBAMM
+FGFzeW5jcGcgdGVzdCByb290IGNhMR0wGwYJKoZIhvcNAQkBFg5oZWxsb0BtYWdp
+Yy5pbzAeFw0xNzA0MDMxNjIxMjhaFw0zNzAzMjkxNjIxMjhaMIGEMQswCQYDVQQG
+EwJDQTEQMA4GA1UECAwHT250YXJpbzEYMBYGA1UECgwPTWFnaWNTdGFjayBJbmMu
+MRYwFAYDVQQLDA1hc3luY3BnIHRlc3RzMRIwEAYDVQQDDAlsb2NhbGhvc3QxHTAb
+BgkqhkiG9w0BCQEWDmhlbGxvQG1hZ2ljLmlvMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEA+0WH9PX4a6Tsnp7xtUbZ51c77aqVagdfj9xYJPqD3X7u2Odf
+yyYivZ91DiS23acfLOEQOfBNn2ZFcrLaXy33UAXo1VcvCsKNJY4FfS9A5OBZ4UTL
+peagrTnZuRS4KMadg0V9jb5au6+s7jExPty9c+nZ59Kd6IbkPn31l9K5rj4/2WvG
+pIj9k5YaXswJVBiTWGKxP9a3xMb9CG9bqNCD5kXo+1K2oDJyGE3mj6QSjlnFw6NN
+f+dCOGWSs7JHMNZVVtRG2qsEIssZgpHseu9he684ZqdqrMCG6wBDW58sUBp6Dt6z
+jyTLefs8ht0tT+ZcmPno2G3mgs1bLyQsQB8a7fqzzaW6wPwdZJBGO/qI7Zr/30VD
+I7InLmxbg62tdrTP4CibXWfe6Qoi6xSNZd7FvP2OoCA7Nk6HahdwDocInB9fWV2j
+jkqyeIdDSd9QUItCUSgyVm+XefO/T8B75PNCykyWAMMDGOBE706KZh4oXeMORoYp
+LxsbtL0/7n/JPwQDHeLQHHRjiw2ydxH2/940jngnL1YCqWiUq06FPvl3zn+Qgim+
+kIhfJeYuQ8zxdh8P7Ay4i5neuum+FQZspPiSzx6jMQIOu+e+iBP2AIdu/UQK+JPU
+epE2Pt5aEyuzgNEbg0cR6tQ3rJCbj0DdtU26ale5EeD8y1JYCXEYkED88bMCAwEA
+AaOCAXEwggFtMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMGCWCGSAGG
++EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFHWtuEuKYLSw/iqmyBEyjcSxq0LHMIHWBgNVHSMEgc4wgcuAFOcVk1n/
+NisD3qXqtpSsWm+pXd0XoYGnpIGkMIGhMQswCQYDVQQGEwJDQTEQMA4GA1UECAwH
+T250YXJpbzEQMA4GA1UEBwwHVG9yb250bzEYMBYGA1UECgwPTWFnaWNTdGFjayBJ
+bmMuMRYwFAYDVQQLDA1hc3luY3BnIHRlc3RzMR0wGwYDVQQDDBRhc3luY3BnIHRl
+c3Qgcm9vdCBjYTEdMBsGCSqGSIb3DQEJARYOaGVsbG9AbWFnaWMuaW+CCQD0wkk9
+2f1opzATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwDQYJKoZIhvcN
+AQELBQADggIBAFUik2de0QH9gjHb0DeNRUpzHf67sVejqJoB0YCAlwhMTCwnMasR
+YQVeD6+L1KCoyynhwZE99B9LlWcL5V/uR++S88azc35mFVJ6j5b0zxT6nTOQE2Oe
+oOZrjhFDmdRQDyZl3oOQZD0CD2VoRZK2uGG1Isv8cC17ImC1bMNHbU+0Sc5twUtj
+jLvyoJNASQess35c+V/w6rdlXy2g19vSiR3nQPsh/HMv2Kx0sJaSIVKTdVBlH3FH
+o+v7tR2YRMxNw4olalxXJzvt1KgbNGczi4Yd/XnTQKCJx4xvJLhE/9R6Cj6vLeFZ
+YpSp1ftXBAQCQn6lv0fMe7az3fmXRJ692514F00zmJUI6EW1wqD4yx2Q8JgqmQ4k
+2oz4HBk/6Sh6Hf43KZAnLUMZ0VvkzhUTTp5/BwlhLjbWQdR6Lrf/8SRdEVzdco6F
+zmawidqeQCASHKbLfFfWbh+A0mzHhkcnvczM803oX1iOnaDQVIYWqZwJxmB+bsB9
+99/yBCxJw1YGIcHss97olsx2HReCVmcUZA3TBBG/WFATYV0DlVdApEPcR6a+NWE/
+W3EhPsZhUdSzjdlP1Yt9awq+V5eHHVA/ve0PufPW6nmxIXXpIuX2YGIRqEmWWSO8
++sKguObZvWZnj/D04GPjJTozy82vebiWGG1NODGO/4vCB0Zp/MbjYQb8
+-----END CERTIFICATE-----

tests/certs/server.key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEA+0WH9PX4a6Tsnp7xtUbZ51c77aqVagdfj9xYJPqD3X7u2Odf
+yyYivZ91DiS23acfLOEQOfBNn2ZFcrLaXy33UAXo1VcvCsKNJY4FfS9A5OBZ4UTL
+peagrTnZuRS4KMadg0V9jb5au6+s7jExPty9c+nZ59Kd6IbkPn31l9K5rj4/2WvG
+pIj9k5YaXswJVBiTWGKxP9a3xMb9CG9bqNCD5kXo+1K2oDJyGE3mj6QSjlnFw6NN
+f+dCOGWSs7JHMNZVVtRG2qsEIssZgpHseu9he684ZqdqrMCG6wBDW58sUBp6Dt6z
+jyTLefs8ht0tT+ZcmPno2G3mgs1bLyQsQB8a7fqzzaW6wPwdZJBGO/qI7Zr/30VD
+I7InLmxbg62tdrTP4CibXWfe6Qoi6xSNZd7FvP2OoCA7Nk6HahdwDocInB9fWV2j
+jkqyeIdDSd9QUItCUSgyVm+XefO/T8B75PNCykyWAMMDGOBE706KZh4oXeMORoYp
+LxsbtL0/7n/JPwQDHeLQHHRjiw2ydxH2/940jngnL1YCqWiUq06FPvl3zn+Qgim+
+kIhfJeYuQ8zxdh8P7Ay4i5neuum+FQZspPiSzx6jMQIOu+e+iBP2AIdu/UQK+JPU
+epE2Pt5aEyuzgNEbg0cR6tQ3rJCbj0DdtU26ale5EeD8y1JYCXEYkED88bMCAwEA
+AQKCAgEAtof0E8b7B3dvTGs6Ou2VLbD5H9VjZPqmOONgRLyXPjgPWhH6TKEPa6CC
+cBvLm4jj5L46A1zFhp3MpV23tJy3o7InSZNj4PUjg7x/0EibY6h2omZPadz3q97y
+grjCbxyZH9tDMcyuLNmZTg7+LyQ7nBCs8vLVMy2KcLsfxYKW0DT4PQFF9BBv5N6N
+mX+u5yBTKUnIaQ+Zv6Ct/4qlkySmLIlsjeWwNP9wUqeEbaRKto4QU+Y1Tky4li9z
+OoavoJKSu9jI/+BryLqxdWB74XIz5p2K40eK/qN9Xwl55PzkO+x/7n1pAvs/tQUF
+GxNg70Hw0k/5DgAIC80SCFTGsG3oKLgPm1BS7Njoz8xcQvtZrYOKfEg/NOjUAWTE
+SvXoLRqTQ4bUS6F6VgSA+qEEXrKFGt+ViddXrfuyXow5ZXjstgwuuZSzjLTM9LPF
+tKEeB+hYbjpg0C7KuRGG5MfQ6eY8TjB3JCBGSBPw/4gv4DzkRoI2e2Qvgon6pNUT
+ZiQMmuQHX3d+5QQErzUgAYF401DBi+9kG6e78hZ5uG3lTUOW372jcAkdkD/DdC1B
+GMt7esIoyrO/57gFQXaFIQjSneWPiaxtYxUqpjbc0lCIfwYr3QFYzumZwUErJljl
+CxDJ2ejW6ONUXDPRbzprHFDi0y71G7WRT7ZmwoQY/q/Yxwg3mAECggEBAP8+cgZl
+001Np3M78KUYuUhDt+6J+ZujJnpCdsWqf0H0cxIA/FL6zpnyYP7nkum/QphE9CST
+jFew1/JnuCtHHzE9BryChjL+kjXswFAhGncsP+UjPI1AEliFhPHIfBF25N3LYBvU
+IO4syLLUsJsWlAaUbXBD29bSRUYwNPkspmblluZaKdS5fJQR9tiEUkNlPeUcjaMl
+Mhblo4r3lZYMkJqm11DGlNUnXb5/kCMq0D+kvhVvoHfRqk5G30m9Yu0QSR6dVlgi
+HiPXodNJSz0BZpfM/FXdnhAYnIANgPZS/St9JjpFeDTvo6vZgF9be+Tt29Zm7gxZ
+4hvoPCUwE5LhKjMCggEBAPwEEssXK3qkrIYRe1gJjxAkpTHWj5w18QNRRsDvNIT3
+Ode2MtloeOl2csIRtvVZWEHWuFiQyvDbVXQvmoeJT+K1acw0mOOkXLME2BLOHTkJ
+bYU5zd+dnF3W3CaOUagpesP7QZYiqdso88EugFDt5KtonFRtp/YNY4HxmEahE2I2
+KGVN6rFV5WIZsJyXhNCvacci1ZnJqwN/43Vx5ejsqjtypi1XAKlYzGj0ktDbOFGR
+vZQdR5Q8rYQ+V7Bypwzbchq9+Udh3Xd8VmosADE0OoATDU6m1SHvsZMxZ83vcs/8
+pkwtzMlzo3q/yPSG+jTU7kq0PE8z628ol5sFZrFMmoECggEATQpHFmFDnvCSWzi7
+UMmemw49hRVGLtDWu042VUE5+elTlhqQDme/Vj4PQsEY2c6txhIB8sxKLumktHjT
+4NQtuQnnb5yh7uBhtz8HaOgk+dV0T7AMBcJSBz/9uZC+yfKt77gEAUJM0jbYOQnz
+aEwvT7EbOyhwQW3kFORWCOOOMj6YBl0uhRObY4HslLuTrN3xCadNpPGEJd8YNsi1
+8L1IJDW5hZr6rz+bjvUnx0WT57HM4eF4eNHi6o9/s90i79TbjQ8GUcGygTUDlido
+OziiA62OeEhU/hy/l/L7et3fpnG2yR3Qw4GVUDhtA9s0EQwuL4+PyFCU68Fz7fGN
+5uZpewKCAQEAvBAmHhwaPBlrDVk6XEY11mwiQoDFBmNSiZE7ZXqcDKWZKpoyc/78
+S+wyUxR5HbognHEpfB4A86AZsuxbOs2DKcELRHHzrdzXuFfjDpV1RTz91699LGQn
+bfeKrdMCqKTbkiiLlwgjDQMQc5bJ9pqwTCFyl6aE8p6nJS8u3XYSSvXzSzXL764T
+0RMusox3dmuQWiRqlarizWfAS8JFOX5ywo4Z6DfGrJkxYRkx/l25N1W0zTTUV5C4
+Q7lqIqhMdNHF4qLlxRkI9cN5kR1ov08kYLLW+VySLBL8xsTVm94WJZN6XdrHuYVr
+94vq4F9hk89aS7EYWFp8VKVMDUkIi0KJAQKCAQEAmt1zJ9MP2xDIbNCY1Kuk3Zoy
+oYcCqijK6i/9Aeu+9w8U1hSrcU5SOF4VQbDwB00RzzDPL7K4e77GulEDnanKnEpX
+eu4lYuhCgG/G7uECU8jLOUQUVp8c4Fcyp29T0pTkow15TLifUOXAfQGfe8jK/SvI
+jpAAwxBDwQ4HNGA3y3HOzmIt5riRLGahASxDpyTDBmFiuRPwyXNxEoO6ZMtaSL9t
+ThhMc74EU8qFBBnzfaKkUZshB9jkcpQq800M99Wj5t31A4mNwz1tmAEM/Wvvbhea
+Yx2I+nS6CQhg0DMAxGqalTTLWxjY4NK+j6Mb5FVpXGJ5yUef2TWVRUymm5XlSA==
+-----END RSA PRIVATE KEY-----

tests/test_connect.py

@@ -450,3 +450,66 @@ def check():
 
         with check():
             await self.con.reset()
+
+
+CERTS = os.path.join(os.path.dirname(__file__), 'certs')
+SSL_CERT_FILE = os.path.join(CERTS, 'server.cert.pem')
+SSL_KEY_FILE = os.path.join(CERTS, 'server.key.pem')
+
+
+class TestSSLConnection(tb.ConnectedTestCase):
+    @classmethod
+    def get_server_settings(cls):
+        conf = super().get_server_settings()
+        conf.update({
+            'ssl': 'on',
+            'ssl_cert_file': SSL_CERT_FILE,
+            'ssl_key_file': SSL_KEY_FILE,
+        })
+
+        return conf
+
+    def setUp(self):
+        super().setUp()
+
+        if not self.cluster.is_managed():
+            self.skipTest('unmanaged cluster')
+
+        self.cluster.reset_hba()
+
+        create_script = []
+        create_script.append('CREATE ROLE ssl_user WITH LOGIN;')
+
+        self.cluster.add_hba_entry(
+            type='hostssl', address=ipaddress.ip_network('127.0.0.0/24'),
+            database='postgres', user='ssl_user',
+            auth_method='trust')
+
+        self.cluster.add_hba_entry(
+            type='hostssl', address=ipaddress.ip_network('::1/128'),
+            database='postgres', user='ssl_user',
+            auth_method='trust')
+
+        # Put hba changes into effect
+        self.cluster.reload()
+
+        create_script = '\n'.join(create_script)
+        self.loop.run_until_complete(self.con.execute(create_script))
+
+    def tearDown(self):
+        # Reset cluster's pg_hba.conf since we've meddled with it
+        self.cluster.trust_local_connections()
+
+        drop_script = []
+        drop_script.append('DROP ROLE ssl_user;')
+        drop_script = '\n'.join(drop_script)
+        self.loop.run_until_complete(self.con.execute(drop_script))
+
+        super().tearDown()
+
+    @unittest.expectedFailure
+    async def test_ssl_connection(self):
+        conn = await self.cluster.connect(
+            host='localhost',
+            user='ssl_user', database='postgres', loop=self.loop)
+        await conn.close()