From 6ba837dcd92c3f577ecdccdc0f6e81b09479f294 Mon Sep 17 00:00:00 2001 From: Scott Prutton Date: Tue, 2 Jan 2024 14:01:16 -0500 Subject: [PATCH] feat: add ssl to postgres --- Cargo.lock | 78 ++- Cargo.toml | 4 + bin/module-index/BUCK | 1 + bin/module-index/src/args.rs | 14 + bin/pinga/BUCK | 3 +- bin/pinga/src/args.rs | 14 + bin/sdf/BUCK | 3 +- bin/sdf/src/args.rs | 14 + component/postgres/BUCK | 2 + component/postgres/Dockerfile | 5 + component/postgres/entrypoint-wrapper.sh | 5 +- component/postgres/server.crt | 20 + component/postgres/server.key | 28 + config/keys/BUCK | 5 + config/keys/dev.postgres.root.crt | 20 + lib/dal-test/src/lib.rs | 14 + lib/dal/BUCK | 1 + lib/module-index-server/src/config.rs | 15 + lib/pinga-server/src/config.rs | 13 + lib/sdf-server/BUCK | 1 + lib/sdf-server/src/server/config.rs | 13 + lib/si-cli/src/cmd/start.rs | 5 +- lib/si-cli/src/engine/docker_engine.rs | 6 + lib/si-cli/src/engine/podman_engine.rs | 16 + lib/si-cli/src/key_management.rs | 32 ++ lib/si-data-pg/BUCK | 5 + lib/si-data-pg/Cargo.toml | 5 + lib/si-data-pg/src/lib.rs | 89 ++- third-party/rust/BUCK | 695 +++++++++++++++++++++++ third-party/rust/Cargo.toml | 4 + 30 files changed, 1111 insertions(+), 19 deletions(-) create mode 100644 component/postgres/server.crt create mode 100644 component/postgres/server.key create mode 100644 config/keys/dev.postgres.root.crt diff --git a/Cargo.lock b/Cargo.lock index 5901676a61..cd240ce7c1 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -188,10 +188,10 @@ dependencies = [ "once_cell", "rand 0.8.5", "regex", - "ring", + "ring 0.17.7", "rustls", "rustls-native-certs", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "rustls-webpki", "serde", "serde_json", @@ -4108,7 +4108,7 @@ dependencies = [ "percent-encoding", "pin-project-lite", "rustls", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_json", "serde_urlencoded", 
@@ -4134,6 +4134,21 @@ dependencies = [ "subtle", ] +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin 0.5.2", + "untrusted 0.7.1", + "web-sys", + "winapi", +] + [[package]] name = "ring" version = "0.17.7" @@ -4144,7 +4159,7 @@ dependencies = [ "getrandom 0.2.11", "libc", "spin 0.9.8", - "untrusted", + "untrusted 0.9.0", "windows-sys 0.48.0", ] @@ -4295,7 +4310,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", - "ring", + "ring 0.17.7", "rustls-webpki", "sct", ] @@ -4307,7 +4322,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "schannel", "security-framework", ] @@ -4321,14 +4336,30 @@ dependencies = [ "base64 0.21.5", ] +[[package]] +name = "rustls-pemfile" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4" +dependencies = [ + "base64 0.21.5", + "rustls-pki-types", +] + +[[package]] +name = "rustls-pki-types" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b" + [[package]] name = "rustls-webpki" version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "ring", - "untrusted", + "ring 0.17.7", + "untrusted 0.9.0", ] [[package]] 
@@ -4373,8 +4404,8 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "ring", - "untrusted", + "ring 0.17.7", + "untrusted 0.9.0", ] [[package]] @@ -4883,6 +4914,7 @@ dependencies = [ name = "si-data-pg" version = "0.1.0" dependencies = [ + "base64 0.21.5", "bytes 1.5.0", "deadpool", "deadpool-postgres", @@ -4891,12 +4923,16 @@ dependencies = [ "ouroboros 0.18.1", "refinery", "remain", + "rustls", + "rustls-pemfile 2.0.0", "serde", "si-std", "telemetry", "thiserror", "tokio", "tokio-postgres", + "tokio-postgres-rustls", + "webpki-roots", ] [[package]] @@ -5177,7 +5213,7 @@ dependencies = [ "percent-encoding", "rust_decimal", "rustls", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_json", "sha2", @@ -5740,6 +5776,20 @@ dependencies = [ "whoami", ] +[[package]] +name = "tokio-postgres-rustls" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dd5831152cb0d3f79ef5523b357319ba154795d64c7078b2daa95a803b54057f" +dependencies = [ + "futures", + "ring 0.16.20", + "rustls", + "tokio", + "tokio-postgres", + "tokio-rustls", +] + [[package]] name = "tokio-retry" version = "0.3.0" @@ -6191,6 +6241,12 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ab4c90930b95a82d00dc9e9ac071b4991924390d46cbd0dfe566148667605e4b" +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "untrusted" version = "0.9.0" diff --git a/Cargo.toml b/Cargo.toml index cf823e3223..755664bd7c 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -111,6 +111,8 @@ regex = "1.8.1" remain = "0.2.8" reqwest = { version = "0.11.17", default-features = false, features = ["rustls-tls", "json", "multipart"] } ring = "=0.17.5" # Upgrading this is possible, but a pain, so we don't want to pick up every new minor version (see: https://github.com/facebook/buck2/commit/91af40b66960d003067c3d241595fb53d1e636c8) +rustls = { version = "0.21.1" } # pinned because ring above depends on it +rustls-pemfile = { version = "2.0.0" } rust-s3 = { version = "0.34.0-rc4", default-features = false, features = ["tokio-rustls-tls"] } sea-orm = { version = "0.12.0", features = ["sqlx-postgres", "runtime-tokio-rustls", "macros", "with-chrono", "debug-print"] } self-replace = "1.3.7" @@ -130,6 +132,7 @@ test-log = { version = "0.2.11", default-features = false, features = ["trace"] thiserror = "1.0.40" tokio = { version = "1.28.0", features = ["full"] } tokio-postgres = { version = "0.7.8", features = ["runtime", "with-chrono-0_4", "with-serde_json-1"] } +tokio-postgres-rustls = { version = "0.10.0" } tokio-serde = { version = "0.8.0", features = ["json"] } tokio-stream = "0.1.14" tokio-test = "0.4.2" @@ -147,6 +150,7 @@ url = { version = "2.3.1", features = ["serde"] } uuid = { version = "1.3.2", features = ["serde", "v4"] } vfs = "0.10.0" vfs-tar = { version = "0.4.0", features = ["mmap"] } +webpki-roots = { version = "0.25.3" } y-sync = { version = "0.4.0", features = ["net"] } yrs = { version = "0.17.2" } diff --git a/bin/module-index/BUCK b/bin/module-index/BUCK index 404cedf91b..2e6ef08d1a 100644 --- a/bin/module-index/BUCK +++ b/bin/module-index/BUCK @@ -18,6 +18,7 @@ rust_binary( resources = { "dev.jwt_signing_public_key.pem": "//config/keys:dev.jwt_signing_public_key.pem", "prod.jwt_signing_public_key.pem": "//config/keys:prod.jwt_signing_public_key.pem", + "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt", # "pkgs_path": "//pkgs:pkgs", }, ) 
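Review bot: The comment on the new `rustls` line says it is pinned, but `"0.21.1"` is a caret requirement that may resolve to any 0.21.x; the `ring` line just above uses `=0.17.5` to actually pin, so `rustls = { version = "=0.21.1" } # pinned because ring above depends on it` would make the comment true. The Cargo.lock hunks earlier in this patch also show `tokio-postgres-rustls` 0.10.0 pulling in a second `ring` (0.16.20, with `spin 0.5.2`, `untrusted 0.7.1` and `winapi`) next to 0.17.7, and `rustls-pemfile` 2.0.0 next to 1.0.4, so the dependency tree now carries two versions of the crypto backend that the `ring` comment describes as painful to upgrade. If a `tokio-postgres-rustls` release built against the current `ring` exists it would avoid the duplicate; otherwise the choice deserves a comment next to the new dependency so the extra `ring` is not mistaken for an accident later.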
diff --git a/bin/module-index/src/args.rs b/bin/module-index/src/args.rs index 45f37f662d..822b266dfd 100644 --- a/bin/module-index/src/args.rs +++ b/bin/module-index/src/args.rs @@ -45,6 +45,14 @@ pub(crate) struct Args { #[arg(long, env)] pub(crate) pg_password: Option, + /// PostgreSQL connection certification path + #[arg(long)] + pub(crate) pg_cert_path: Option, + + /// PostgreSQL connection certification base64 string + #[arg(long)] + pub(crate) pg_cert_base64: Option, + /// The address and port to bind the HTTP server to [example: 0.0.0.0:80] #[arg(long, env)] pub(crate) socket_addr: Option, @@ -105,6 +113,12 @@ impl TryFrom for Config { if let Some(password) = args.pg_password { config_map.set("pg.password", password); } + if let Some(cert) = args.pg_cert_path { + config_map.set("pg.certificate_path", cert); + } + if let Some(cert) = args.pg_cert_base64 { + config_map.set("pg.certificate_base64", cert); + } if let Some(socket_addr) = args.socket_addr { config_map.set("socket_addr", socket_addr); } diff --git a/bin/pinga/BUCK b/bin/pinga/BUCK index e1e1328364..9bf7f0e3ee 100644 --- a/bin/pinga/BUCK +++ b/bin/pinga/BUCK @@ -18,6 +18,7 @@ rust_binary( resources = { "dev.encryption.key": "//lib/cyclone-server:dev.encryption.key", "dev.donkey.key": "//lib/dal:dev.donkey.key", + "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt", }, ) @@ -32,4 +33,4 @@ nix_omnibus_pkg( name = "omnibus", pkg_name = "pinga", build_dep = "//bin/pinga:pinga", -) \ No newline at end of file +) diff --git a/bin/pinga/src/args.rs b/bin/pinga/src/args.rs index a3654722dd..0533368e74 100644 --- a/bin/pinga/src/args.rs +++ b/bin/pinga/src/args.rs 
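Review bot: The two new fields are declared `#[arg(long)]` while the neighbouring `pg_password` in this struct is `#[arg(long, env)]`, so the certificate cannot be supplied through the environment the way the other `pg_*` settings in this binary can; `#[arg(long, env)]` on both new fields would match the file's convention. The doc comment "PostgreSQL connection certification path" should read "certificate", and the same wording is repeated in the pinga and sdf `args.rs` hunks of this patch. The help text also does not say which option wins when both `--pg-cert-path` and `--pg-cert-base64` are given; that precedence is decided in si-data-pg, outside this chunk, and once confirmed it is worth stating here, e.g. `/// PostgreSQL root certificate path (takes precedence over --pg-cert-base64 when both are set)`.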
@@ -41,6 +41,14 @@ pub(crate) struct Args { #[arg(long)] pub(crate) pg_user: Option, + /// PostgreSQL connection certification path + #[arg(long)] + pub(crate) pg_cert_path: Option, + + /// PostgreSQL connection certification base64 string + #[arg(long)] + pub(crate) pg_cert_base64: Option, + /// NATS connection URL [example: demo.nats.io] #[arg(long)] pub(crate) nats_url: Option, @@ -101,6 +109,12 @@ impl TryFrom for Config { if let Some(user) = args.pg_user { config_map.set("pg.user", user); } + if let Some(cert) = args.pg_cert_path { + config_map.set("pg.certificate_path", cert); + } + if let Some(cert) = args.pg_cert_base64 { + config_map.set("pg.certificate_base64", cert); + } if let Some(url) = args.nats_url { config_map.set("nats.url", url); } diff --git a/bin/sdf/BUCK b/bin/sdf/BUCK index e0ea652ce1..71691d266e 100644 --- a/bin/sdf/BUCK +++ b/bin/sdf/BUCK @@ -19,6 +19,7 @@ rust_binary( "dev.jwt_signing_public_key.pem": "//config/keys:dev.jwt_signing_public_key.pem", "prod.jwt_signing_public_key.pem": "//config/keys:prod.jwt_signing_public_key.pem", "dev.encryption.key": "//lib/cyclone-server:dev.encryption.key", + "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt", "dev.donkey.key": "//lib/dal:dev.donkey.key", "pkgs_path": "//pkgs:pkgs", }, @@ -38,4 +39,4 @@ nix_omnibus_pkg( name = "omnibus", pkg_name = "sdf", build_dep = "//bin/sdf:sdf", -) \ No newline at end of file +) diff --git a/bin/sdf/src/args.rs b/bin/sdf/src/args.rs index 60256220fa..e6cd7074a8 100644 --- a/bin/sdf/src/args.rs +++ b/bin/sdf/src/args.rs @@ -43,6 +43,14 @@ pub(crate) struct Args { #[arg(long)] pub(crate) pg_user: Option, + /// PostgreSQL connection certification path + #[arg(long)] + pub(crate) pg_cert_path: Option, + + /// PostgreSQL connection certification base64 string + #[arg(long)] + pub(crate) pg_cert_base64: Option, + /// NATS connection URL [example: demo.nats.io] #[arg(long)] pub(crate) nats_url: Option, 
@@ -119,6 +127,12 @@ impl TryFrom for Config { if let Some(user) = args.pg_user { config_map.set("pg.user", user); } + if let Some(cert) = args.pg_cert_path { + config_map.set("pg.certificate_path", cert); + } + if let Some(cert) = args.pg_cert_base64 { + config_map.set("pg.certificate_base64", cert); + } if let Some(migration_mode) = args.migration_mode { config_map.set("migration_mode", migration_mode); } diff --git a/component/postgres/BUCK b/component/postgres/BUCK index 17faacbcdd..67649016ad 100644 --- a/component/postgres/BUCK +++ b/component/postgres/BUCK @@ -14,6 +14,8 @@ docker_image( "multiple-database-support.sh": ".", "pganalyze-collector.conf.sample": ".", "postgresql-additions.conf": ".", + "server.key": ".", + "server.crt": ".", }, build_args = { "BASE_VERSION": "14.5-bullseye", diff --git a/component/postgres/Dockerfile b/component/postgres/Dockerfile index dbffc556a4..8dbf70640c 100644 --- a/component/postgres/Dockerfile +++ b/component/postgres/Dockerfile @@ -32,6 +32,11 @@ COPY multiple-database-support.sh /docker-entrypoint-initdb.d/ COPY entrypoint-wrapper.sh /usr/local/bin/entrypoint-wrapper.sh COPY pganalyze-collector.conf.sample /etc/pganalyze-collector.conf.sample COPY postgresql-additions.conf /etc/postgresql-additions.conf +COPY server.key /var/lib/postgresql/ +COPY server.crt /var/lib/postgresql/ + +RUN chown root:ssl-cert /var/lib/postgresql/server.key && chmod 740 /var/lib/postgresql/server.key +RUN chown root:ssl-cert /var/lib/postgresql/server.crt && chmod 740 /var/lib/postgresql/server.crt RUN chmod +x /usr/local/bin/entrypoint-wrapper.sh \ && mkdir -p /etc/postgresql \ diff --git a/component/postgres/entrypoint-wrapper.sh b/component/postgres/entrypoint-wrapper.sh index 3302ba3675..a99ed875af 100644 --- a/component/postgres/entrypoint-wrapper.sh +++ b/component/postgres/entrypoint-wrapper.sh 
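Review bot: `chmod 740` on `server.key` leaves an execute bit that a key file never needs; PostgreSQL's documented mode for a root-owned key is 0640 (group read only), so `chmod 640 /var/lib/postgresql/server.key` is the conventional form, and the same applies to the `server.crt` line. The setup also relies on the `postgres` user being a member of the `ssl-cert` group in this base image, because the server opens the key at startup once `ssl=on` is passed and nothing in the Dockerfile adds it to that group; this is worth confirming, since a failure here stops the server rather than silently falling back to plaintext. The two `RUN` lines could be folded into one to save a layer.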
@@ -11,7 +11,10 @@ trap 'kill -TERM $(jobs -p); wait' SIGINT SIGTERM /usr/local/bin/docker-entrypoint.sh \ "$@" \ - -c config_file=/etc/postgresql/postgresql.conf & + -c config_file=/etc/postgresql/postgresql.conf \ + -c ssl=on \ + -c ssl_cert_file=/var/lib/postgresql/server.crt \ + -c ssl_key_file=/var/lib/postgresql/server.key & if [ -n "${PGANALYZE:-}" ]; then echo '--- pganalyze enabled' diff --git a/component/postgres/server.crt b/component/postgres/server.crt new file mode 100644 index 0000000000..6de97bd3dc --- /dev/null +++ b/component/postgres/server.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNzCCAh+gAwIBAgIIJB180Ufm2cYwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMDIxMTg0MB4XDTI0MDEwMjE4MjI1NloXDTI2MDIw +MTE4MjI1NlowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAo6AmFdhKoE1KWEGHof3mhYgtXxXjYTgE7ux25cpJmg2l +TuQL/AhUkJqTdcRwjQeNZdp7YgnuzxnOCyZWddyRn68fxfAhRUlv0aBMedLrF4/O +aEekRC8hxlLFSATe1w2/dc7EIVsezSlBAHCzwAlpaaWA275LxEuVR+N/+esFxgkw +3qOyutylxEaeeH2ELdV2PW8GuXCQHCISlQa0blaTsBeG8bLJpuUjFeo3vYj7rP3E +dtFoEEJ3tMbd3ku5m5iLubfHlnHDZIY/EF29j3frI7KLRuEhzhOL8F0/U7iLATgj +yit3dZvBQYw/XZqTlDs7/WES+eqFJpaVMhb6QcDhMQIDAQABo4GAMH4wDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMB8GA1UdIwQYMBaAFAcYAHyM52e+nG6VLw2UjYvSNHFTMB4GA1UdEQQX +MBWCCWxvY2FsaG9zdIIIcG9zdGdyZXMwDQYJKoZIhvcNAQELBQADggEBAJWrwSaz +rT+Q9lMmvW64L+b6r6X4vi3gHhQzZnbfj/7KhNxdbfIromoN0tYjhWrH4Uy+w4Oc +8Mz+KDXqu1XzHMbSSt4w75GnZ2YJuLu6lIbJtX3l3Q1LAai+tZ6FoqIdBIBKe7Ft +tbn8lCYRh0vFtTTbUSWX8IHAd1fnP36OFrvj/pO+4c739jVMkMFShE4QabRPJCBP +zOssFHjfM7cKjbIdwkvWySQK2lVC1iSPPSblLn1r++vxHDWy+rBAZnpB32lthJMY +WKBH0xI1Ry2UhlJexyOH+VhACeKCIsWCFN8oRyPISumhe4dYUCgUA2fV6xfsMR/A +zOF5rW9cqadRYAk= +-----END CERTIFICATE----- diff --git a/component/postgres/server.key b/component/postgres/server.key new file mode 100644 index 0000000000..4b7268baa6 --- /dev/null +++ b/component/postgres/server.key 
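Review bot: `-c ssl=on` makes TLS available but does not require it: whether a client may still connect in plaintext is governed by the `host` versus `hostssl` lines in `pg_hba.conf`, which this commit does not touch, so an unencrypted session remains possible unless the client side insists on TLS (the client configuration lives in si-data-pg, outside this chunk). If the goal is to guarantee encryption on the wire, the container's `pg_hba.conf` needs `hostssl` entries or the clients need to demand `sslmode=verify-full`; a one-line comment above the new `-c ssl=on` stating which of the two is intended would help the next reader. The enclosing script continues outside the hunk.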
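Review bot: The committed `server.crt` is a fixed leaf certificate baked into the image with no renewal path; decoding its validity fields gives notAfter `260201182256Z`, i.e. 2026-02-01, after which every client that verifies the chain will refuse to connect and the dev stack breaks with no code change to point at. The issuer appears to be the `minica`-style root shipped in `config/keys/dev.postgres.root.crt`, whose private key is (rightly) not in the repository, so regeneration will need either that CA key or a new CA plus updates to every copy of the root certificate this patch adds. At minimum a comment in the Dockerfile naming the expiry date and the command used to produce the pair should accompany the file.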
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjoCYV2EqgTUpY +QYeh/eaFiC1fFeNhOATu7HblykmaDaVO5Av8CFSQmpN1xHCNB41l2ntiCe7PGc4L +JlZ13JGfrx/F8CFFSW/RoEx50usXj85oR6RELyHGUsVIBN7XDb91zsQhWx7NKUEA +cLPACWlppYDbvkvES5VH43/56wXGCTDeo7K63KXERp54fYQt1XY9bwa5cJAcIhKV +BrRuVpOwF4bxssmm5SMV6je9iPus/cR20WgQQne0xt3eS7mbmIu5t8eWccNkhj8Q +Xb2Pd+sjsotG4SHOE4vwXT9TuIsBOCPKK3d1m8FBjD9dmpOUOzv9YRL56oUmlpUy +FvpBwOExAgMBAAECggEAAudVpa+X625Tsms/R+2kiJwZCgXuagw/cin6FivX0IcL +dvHvEILpVUOY+E8LHEWVCcitxdidR0mS8Xm1sRO/9dB6xN11CbC67kJk+Qh4KYvg +wtL6pEcd11IitBt6BOD2k9Wef2UJj+R6hdJ6Lh88oqZQOhYPbCVXOdZcsAeuq4v4 +8TsEGCvOHNSaZtLi9g+Ui+lJftfsOjlrrhdHCY6KMdkaHXmkwV9YsNx4SXDcVqGu +ONZ2o4JFeRYgiZvr6F1cOP22LVNI9rhQsnHtiOv3+mEm2ZP58bJZqBD49f+C/zCv +mDaHnq2jCG52nOr8e9IvtbMnOBXZrXjZCbBO723djQKBgQDJe4H7KufBb1gnVtV7 +rYXmsDzQO4sDcPZsgAok3OMsFaAqqpP47ebpfBnHAVcflwYZreYiA0LWGehqc54V +yJreJ7Fnp/AZcBSr5r9AUnvpBQgmi6afqHTmWOZ8vLl/Urg9+JwNwINt8eQArcgh +PQj2/Tj1AR8Vc/O6JOnR3nCpZwKBgQDP5lUnV6C+VMYh2dVs4z7rA2/6Jmq06xU3 +sGahbzSBRaeTLkzFDX8znKPxhnPxxPV/hvPA4lCjujbNSK2/Dl1NFJIdOiBOmpK4 +osSTEDBrQryc6+nUUuZUDjDBfuYsUzgvlMeUlcgLiXCLbMYIEJxALto2WkrwLVkA +y0jBbexJpwKBgQCzhcLJIu+g4S7wzmQlcPVwGPP2rjcs98f54RQoyE/6BcLSgW6b +TI6E17i4Iq+YTB55XwNApxs0XZ1CzIW87yNecouVyoMah01D5bPfAh+5/mvGvIPY +mmaen/OujRHTKsdTIGMbtb7lhbQcDrvVMeb8+592Xmtt2AUAhMd54fMMXQKBgGqV +nKx52Vga4CU0p52Wd4hHD96AWY59Qzh0wHkdKR7pVfs37nXL8J3GPaqykritkGsc +BdWqcUsvSa8/Box/0ceVtz8ysKN7zaLJF9yJnTkwUsBkllGbWqhXShm5dEnfNFv4 +e8WqcI+xm7hvQKub0G97VbYt3mN57Dpi/d7k+xHbAoGACJvt4qgS1oZYWkbx2wYi +4rlah74ymH8uURMmJoNA8jf+z+P/JW9r/qco3JnxVoPbGx63UQDz+8lmsWI3u4FZ +aUKE798bxMcoj7osRrmrWEsvEAJJyRjTetCs6/MaLEBt7gl7V92ztAxxlwh5LtL1 +1MqPgoBS9RifLgIPz2KlKd0= +-----END PRIVATE KEY----- diff --git a/config/keys/BUCK b/config/keys/BUCK index 8fd03dc9a5..ce28afc38d 100644 --- a/config/keys/BUCK +++ b/config/keys/BUCK 
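Review bot: `server.key` puts a TLS private key into the repository in cleartext, so from this commit on everyone with read access to the repo (and, once it is published, everyone) holds the key matching `server.crt`; a server presenting this certificate therefore cannot be distinguished from any other host that has the repo, which means the new TLS layer protects against passive observation but gives no server authentication. That is probably acceptable for a localhost-only dev database, but the file should be scoped as such: a name along the lines of `dev.postgres.server.key`, a comment in the Dockerfile saying it is a throwaway dev credential, and a check that nothing outside local development (CI or a shared environment) builds this image, since `component/postgres/BUCK` now copies it into every build. Generating the pair at image build or first start instead of committing it would remove the concern entirely. Secret-scanning tooling on the repository, if any, will likely flag this file, so it is better to decide the policy now than after an alert.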
@@ -12,3 +12,8 @@ export_file( name = "prod.jwt_signing_public_key.pem", visibility = ["PUBLIC"], ) + +export_file( + name = "dev.postgres.root.crt", + visibility = ["PUBLIC"], +) diff --git a/config/keys/dev.postgres.root.crt b/config/keys/dev.postgres.root.crt new file mode 100644 index 0000000000..b54db075a3 --- /dev/null +++ b/config/keys/dev.postgres.root.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIIAhGEx24hny0wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMDIxMTg0MCAXDTI0MDEwMjE4MjEyOVoYDzIxMjQw +MTAyMTgyMTI5WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAwMjExODQwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDoByK7UWZsjrKw31m6SwwiIplQ +d9MvfcD0+Gvvx1Lx0DNNangU/xqc0K5puNAPqwOToKLihbnJwqjXNUazXaM3ojcn +dkeRs3Cz7KVZkiu+sXqiecMXL2nFkNBSPhiXRumFOw3Qhz6v6dCMZxXcHUIgeBnp +q0oCQprCSt+S2TpgsPrNxCbByB/ICfI/rT+/QOVeJjqcJe5RMFAIR8pxaBcTlScL +fwj7PPd2eW/jZ1+pVfYYqKwbLwv14faElMZ2MZwRANDHo7lPA4riB6m7yfRXN7Cn +bwKGMJFPVoO71UL/ArAr/8bTEf1FZejMPzG7oEqXSGyYTLi0ybLr7G6QVqpJAgMB +AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQHGAB8jOdnvpxu +lS8NlI2L0jRxUzAfBgNVHSMEGDAWgBQHGAB8jOdnvpxulS8NlI2L0jRxUzANBgkq +hkiG9w0BAQsFAAOCAQEANH3AydMZZGDeTP7SaHPc/+XsRu/0cTTCXd0Jr56RbnPg +Y2B5jq2WfN7DO7uCva2N4Q6oILMH8JBonFgGh5/LKrFrfzOQBuHWTqyA55QfkYlY +bZv3zWj3X3UqQcKWJW21P/cWiLiABQD3ahTNaWop1yu2nWvjTosE6/iXloOfTHfx +XEyztSRLxYGoqrba7MW2RKAo31ENrZVKtI+X8vjxJa1s/sqLQUbyCDVF+l6tsR0T +kN1/Vtm5EUdiEvDRETI4pQ9b1FSXulSaQJVNFWONXjrb5fhXpnPQ+zG3COdKbKz8 +OGyod3OoVim6KL7RFkjqu2SYWrc5/tmOn+VWBEim/w== +-----END CERTIFICATE----- diff --git a/lib/dal-test/src/lib.rs b/lib/dal-test/src/lib.rs index 7a0dde0728..8c17bec048 100644 --- a/lib/dal-test/src/lib.rs +++ b/lib/dal-test/src/lib.rs 
@@ -89,6 +89,7 @@ pub struct Config { cyclone_encryption_key_path: String, jwt_signing_public_key_path: String, jwt_signing_private_key_path: String, + postgres_key_path: String, #[builder(default)] pkgs_path: Option, symmetric_crypto_service_config: SymmetricCryptoServiceConfig, @@ -113,6 +114,7 @@ impl Config { } config.pg.dbname = env::var(ENV_VAR_PG_DBNAME).unwrap_or_else(|_| pg_dbname.to_string()); config.pg.pool_max_size *= 32; + config.pg.certificate_path = Some(config.postgres_key_path.clone().try_into()?); if let Ok(value) = env::var(ENV_VAR_MODULE_INDEX_URL) { config.module_index_url = value; @@ -660,6 +662,10 @@ fn detect_and_configure_testing_for_buck2(builder: &mut ConfigBuilder) -> Result .get_ends_with("dev.donkey.key")? .to_string_lossy() .to_string(); + let postgres_key = resources + .get_ends_with("dev.postgres.root.crt")? + .to_string_lossy() + .to_string(); let pkgs_path = resources .get_ends_with("pkgs_path")? .to_string_lossy() @@ -670,6 +676,7 @@ fn detect_and_configure_testing_for_buck2(builder: &mut ConfigBuilder) -> Result jwt_signing_private_key_path = jwt_signing_private_key_path.as_str(), jwt_signing_public_key_path = jwt_signing_public_key_path.as_str(), symmetric_crypto_service_key = symmetric_crypto_service_key.as_str(), + postgres_key = postgres_key.as_str(), pkgs_path = pkgs_path.as_str(), "detected development run", ); @@ -685,6 +692,7 @@ fn detect_and_configure_testing_for_buck2(builder: &mut ConfigBuilder) -> Result } .try_into()?, ); + builder.postgres_key_path(postgres_key); builder.pkgs_path(Some(pkgs_path.into())); Ok(()) @@ -707,6 +715,10 @@ fn detect_and_configure_testing_for_cargo(dir: String, builder: &mut ConfigBuild .join("../../lib/dal/dev.donkey.key") .to_string_lossy() .to_string(); + let postgres_key = Path::new(&dir) + .join("../../config/keys/dev.postgres.root.crt") + .to_string_lossy() + .to_string(); let pkgs_path = Path::new(&dir) .join("../../pkgs") .to_string_lossy() 
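Review bot: The new field is named `postgres_key_path` but it holds the path of `dev.postgres.root.crt`, the CA certificate, and it is assigned into `config.pg.certificate_path` in the next hunk; the same cert-called-key naming appears as `postgres_key` in pinga-server's `buck2_development`/`cargo_development` hunks, while module-index-server and sdf-server call the same value `postgres_cert`. Settling on `postgres_root_cert_path` / `postgres_root_cert` across the commit would save the next reader from looking for a private key. The field also has no `#[builder(default)]`, unlike `pkgs_path` right below it, so every `ConfigBuilder` user must now set it; only the two `detect_and_configure_testing_*` paths are visible here, and any other builder call site will presumably fail at `build()` and is worth checking.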
@@ -717,6 +729,7 @@ fn detect_and_configure_testing_for_cargo(dir: String, builder: &mut ConfigBuild jwt_signing_private_key_path = jwt_signing_private_key_path.as_str(), jwt_signing_public_key_path = jwt_signing_public_key_path.as_str(), symmetric_crypto_service_key = symmetric_crypto_service_key.as_str(), + postgres_key = postgres_key.as_str(), pkgs_path = pkgs_path.as_str(), "detected development run", ); @@ -732,6 +745,7 @@ fn detect_and_configure_testing_for_cargo(dir: String, builder: &mut ConfigBuild } .try_into()?, ); + builder.postgres_key_path(postgres_key); builder.pkgs_path(Some(pkgs_path.into())); Ok(()) diff --git a/lib/dal/BUCK b/lib/dal/BUCK index fd19da6d61..76e30d9808 100644 --- a/lib/dal/BUCK +++ b/lib/dal/BUCK @@ -101,6 +101,7 @@ rust_test( "dev.encryption.key": "//lib/cyclone-server:dev.encryption.key", "dev.jwt_signing_private_key.pem": "//config/keys:dev.jwt_signing_private_key.pem", "dev.jwt_signing_public_key.pem": "//config/keys:dev.jwt_signing_public_key.pem", + "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt", "dev.donkey.key": "//lib/dal:dev.donkey.key", "lang-js": "//bin/lang-js:bin", "pkgs_path": "//pkgs:pkgs", diff --git a/lib/module-index-server/src/config.rs b/lib/module-index-server/src/config.rs index 797e13f4f1..2107837cf0 100644 --- a/lib/module-index-server/src/config.rs +++ b/lib/module-index-server/src/config.rs @@ -193,12 +193,20 @@ fn buck2_development(config: &mut ConfigFile) -> Result<()> { .to_string() }; + let postgres_cert = resources + .get_ends_with("dev.postgres.root.crt") + .map_err(ConfigError::development)? + .to_string_lossy() + .to_string(); + warn!( jwt_signing_public_key_path = jwt_signing_public_key_path.as_str(), + postgres_cert = postgres_cert.as_str(), "detected development run", ); config.jwt_signing_public_key_path = jwt_signing_public_key_path; + config.pg.certificate_path = Some(postgres_cert.try_into()?); Ok(()) } 
@@ -220,12 +228,19 @@ fn cargo_development(dir: String, config: &mut ConfigFile) -> Result<()> { .to_string() }; + let postgres_cert = Path::new(&dir) + .join("../../config/keys/dev.postgres.root.crt") + .to_string_lossy() + .to_string(); + warn!( jwt_signing_public_key_path = jwt_signing_public_key_path.as_str(), + postgres_cert = postgres_cert.as_str(), "detected development run", ); config.jwt_signing_public_key_path = jwt_signing_public_key_path; + config.pg.certificate_path = Some(postgres_cert.try_into()?); // todo!(); // config.cyclone_encryption_key_path = cyclone_encryption_key_path; diff --git a/lib/pinga-server/src/config.rs b/lib/pinga-server/src/config.rs index 6d057d6cae..21337b8fac 100644 --- a/lib/pinga-server/src/config.rs +++ b/lib/pinga-server/src/config.rs @@ -191,10 +191,16 @@ fn buck2_development(config: &mut ConfigFile) -> Result<()> { .map_err(ConfigError::development)? .to_string_lossy() .to_string(); + let postgres_key = resources + .get_ends_with("dev.postgres.root.crt") + .map_err(ConfigError::development)? + .to_string_lossy() + .to_string(); warn!( cyclone_encryption_key_path = cyclone_encryption_key_path.as_str(), symmetric_crypto_service_key = symmetric_crypto_service_key.as_str(), + postgres_key = postgres_key.as_str(), "detected development run", ); @@ -204,6 +210,7 @@ fn buck2_development(config: &mut ConfigFile) -> Result<()> { active_key_base64: None, extra_keys: vec![], }; + config.pg.certificate_path = Some(postgres_key.try_into()?); Ok(()) } 
@@ -217,10 +224,15 @@ fn cargo_development(dir: String, config: &mut ConfigFile) -> Result<()> { .join("../../lib/dal/dev.donkey.key") .to_string_lossy() .to_string(); + let postgres_key = Path::new(&dir) + .join("../../config/keys/dev.postgres.root.crt") + .to_string_lossy() + .to_string(); warn!( cyclone_encryption_key_path = cyclone_encryption_key_path.as_str(), symmetric_crypto_service_key = symmetric_crypto_service_key.as_str(), + postgres_key = postgres_key.as_str(), "detected development run", ); @@ -230,6 +242,7 @@ fn cargo_development(dir: String, config: &mut ConfigFile) -> Result<()> { active_key_base64: None, extra_keys: vec![], }; + config.pg.certificate_path = Some(postgres_key.try_into()?); Ok(()) } diff --git a/lib/sdf-server/BUCK b/lib/sdf-server/BUCK index 9ec14c62c3..95c66c984f 100644 --- a/lib/sdf-server/BUCK +++ b/lib/sdf-server/BUCK @@ -94,6 +94,7 @@ rust_test( "dev.encryption.key": "//lib/cyclone-server:dev.encryption.key", "dev.jwt_signing_private_key.pem": "//config/keys:dev.jwt_signing_private_key.pem", "dev.jwt_signing_public_key.pem": "//config/keys:dev.jwt_signing_public_key.pem", + "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt", "dev.donkey.key": "//lib/dal:dev.donkey.key", "lang-js": "//bin/lang-js:bin", "pkgs_path": "//pkgs:pkgs", diff --git a/lib/sdf-server/src/server/config.rs b/lib/sdf-server/src/server/config.rs index 32f98105f1..3d1903be5e 100644 --- a/lib/sdf-server/src/server/config.rs +++ b/lib/sdf-server/src/server/config.rs @@ -318,6 +318,11 @@ fn buck2_development(config: &mut ConfigFile) -> Result<()> { .map_err(ConfigError::development)? .to_string_lossy() .to_string(); + let postgres_cert = resources + .get_ends_with("dev.postgres.root.crt") + .map_err(ConfigError::development)? + .to_string_lossy() + .to_string(); let pkgs_path = resources .get_ends_with("pkgs_path") .map_err(ConfigError::development)? 
@@ -328,6 +333,7 @@ fn buck2_development(config: &mut ConfigFile) -> Result<()> { jwt_signing_public_key_path = jwt_signing_public_key_path.as_str(), cyclone_encryption_key_path = cyclone_encryption_key_path.as_str(), symmetric_crypto_service_key = symmetric_crypto_service_key.as_str(), + postgres_cert = postgres_cert.as_str(), pkgs_path = pkgs_path.as_str(), "detected development run", ); @@ -342,6 +348,7 @@ fn buck2_development(config: &mut ConfigFile) -> Result<()> { active_key_base64: None, extra_keys: vec![], }; + config.pg.certificate_path = Some(postgres_cert.try_into()?); config.pkgs_path = pkgs_path; Ok(()) @@ -371,6 +378,10 @@ fn cargo_development(dir: String, config: &mut ConfigFile) -> Result<()> { .join("../../lib/dal/dev.donkey.key") .to_string_lossy() .to_string(); + let postgres_cert = Path::new(&dir) + .join("../../config/keys/dev.postgres.root.crt") + .to_string_lossy() + .to_string(); let pkgs_path = Path::new(&dir) .join("../../pkgs/") .to_string_lossy() @@ -380,6 +391,7 @@ fn cargo_development(dir: String, config: &mut ConfigFile) -> Result<()> { jwt_signing_public_key_path = jwt_signing_public_key_path.as_str(), cyclone_encryption_key_path = cyclone_encryption_key_path.as_str(), symmetric_crypto_service_key = symmetric_crypto_service_key.as_str(), + postgres_cert = postgres_cert.as_str(), pkgs_path = pkgs_path.as_str(), "detected development run", ); @@ -394,6 +406,7 @@ fn cargo_development(dir: String, config: &mut ConfigFile) -> Result<()> { active_key_base64: None, extra_keys: vec![], }; + config.pg.certificate_path = Some(postgres_cert.try_into()?); config.pkgs_path = pkgs_path; Ok(()) diff --git a/lib/si-cli/src/cmd/start.rs b/lib/si-cli/src/cmd/start.rs index ebe916711a..e3960e2452 100644 --- a/lib/si-cli/src/cmd/start.rs +++ b/lib/si-cli/src/cmd/start.rs 
@@ -1,6 +1,6 @@ use crate::key_management::{ - ensure_encryption_keys, ensure_jwt_public_signing_key, ensure_symmetric_crypto_key, - format_credentials_for_veritech, get_si_data_dir, get_user_email, + ensure_encryption_keys, ensure_jwt_public_signing_key, ensure_postgres_root_cert, + ensure_symmetric_crypto_key, format_credentials_for_veritech, get_si_data_dir, get_user_email, }; use crate::state::AppState; use crate::{CliResult, CONTAINER_NAMES}; @@ -27,6 +27,7 @@ async fn invoke(app: &AppState, is_preview: bool) -> CliResult<()> { ensure_encryption_keys().await?; ensure_symmetric_crypto_key().await?; + ensure_postgres_root_cert().await?; ensure_jwt_public_signing_key().await?; let si_data_dir = get_si_data_dir().await?; diff --git a/lib/si-cli/src/engine/docker_engine.rs b/lib/si-cli/src/engine/docker_engine.rs index 65d2e7712d..1a07c6abe0 100644 --- a/lib/si-cli/src/engine/docker_engine.rs +++ b/lib/si-cli/src/engine/docker_engine.rs @@ -422,6 +422,7 @@ impl ContainerEngine for DockerEngine { .env(vec![ "SI_PINGA__CRYPTO__ENCRYPTION_KEY_FILE=/run/pinga/cyclone_encryption.key", "SI_PINGA__NATS__URL=nats", + "SI_PINGA__PG__CERTIFICATE_PATH=/run/pinga/dev.postgres.root.crt", "SI_PINGA__PG__HOSTNAME=postgres", "SI_PINGA__SYMMETRIC_CRYPTO_SERVICE__ACTIVE_KEY=/run/pinga/donkey.key", "OTEL_EXPORTER_OTLP_ENDPOINT=http://otelcol:4317", @@ -454,6 +455,7 @@ impl ContainerEngine for DockerEngine { "SI_SDF__CRYPTO__ENCRYPTION_KEY_FILE=/run/sdf/cyclone_encryption.key", "SI_SDF__JWT_SIGNING_PUBLIC_KEY__KEY_FILE=/run/sdf/jwt_signing_public_key.pem", "SI_SDF__NATS__URL=nats", + "SI_SDF__PG__CERTIFICATE_PATH=/run/sdf/dev.postgres.root.crt", "SI_SDF__PG__HOSTNAME=postgres", "SI_SDF__SYMMETRIC_CRYPTO_SERVICE__ACTIVE_KEY=/run/sdf/donkey.key", "OTEL_EXPORTER_OTLP_ENDPOINT=http://otelcol:4317", 
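Review bot: `SI_PINGA__PG__CERTIFICATE_PATH=/run/pinga/dev.postgres.root.crt` is added to pinga's environment, but the only bind mount this commit adds in `docker_engine.rs` (the `@@ -472` hunk) and in `podman_engine.rs` (the `@@ -701` hunk) is the sdf one at `/run/sdf/dev.postgres.root.crt`, and the diffstat shows no other changes to either engine. Unless pinga's container already mounts the whole data directory under `/run/pinga` (its existing `cyclone_encryption.key` and `donkey.key` paths suggest per-file mounts like sdf's, but that part of the file is outside the hunk), pinga will start with a certificate path that does not exist inside the container. A mount mirroring the sdf one, `format!("{}:/run/pinga/dev.postgres.root.crt:z", data_dir.join("dev.postgres.root.crt").display())`, is presumably needed in both engines' pinga sections.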
@@ -472,6 +474,10 @@ impl ContainerEngine for DockerEngine { "{}:/run/sdf/donkey.key:z", data_dir.join("donkey.key").display() ), + format!( + "{}:/run/sdf/dev.postgres.root.crt:z", + data_dir.join("dev.postgres.root.crt").display() + ), format!( "{}:/run/sdf/jwt_signing_public_key.pem:z", data_dir.join("jwt_signing_public_key.pem").display() diff --git a/lib/si-cli/src/engine/podman_engine.rs b/lib/si-cli/src/engine/podman_engine.rs index 925367150c..752f40da77 100644 --- a/lib/si-cli/src/engine/podman_engine.rs +++ b/lib/si-cli/src/engine/podman_engine.rs @@ -605,6 +605,10 @@ impl ContainerEngine for PodmanEngine { "/run/pinga/cyclone_encryption.key", ), ("SI_PINGA__NATS__URL", "nats"), + ( + "SI_PINGA__PG__CERTIFICATE_PATH", + "/run/pinga/dev.postgres.root.crt", + ), ("SI_PINGA__PG__HOSTNAME", "postgres"), ( "SI_PINGA__SYMMETRIC_CRYPTO_SERVICE__ACTIVE_KEY", @@ -665,6 +669,10 @@ impl ContainerEngine for PodmanEngine { "/sdf/jwt_signing_public_key.pem", ), ("SI_SDF__NATS__URL", "nats"), + ( + "SI_SDF__PG__CERTIFICATE_PATH", + "/run/sdf/dev.postgres.root.crt", + ), ("SI_SDF__PG__HOSTNAME", "postgres"), ( "SI_SDF__SYMMETRIC_CRYPTO_SERVICE__ACTIVE_KEY", @@ -701,6 +709,14 @@ impl ContainerEngine for PodmanEngine { uid_mappings: None, gid_mappings: None, }, + ContainerMount { + destination: Some("/run/sdf/dev.postgres.root.crt".to_owned()), + source: Some(data_dir.join("dev.postgres.root.crt").display().to_string()), + options: Some(get_container_mount_opts()), + _type: Some("bind".to_owned()), + uid_mappings: None, + gid_mappings: None, + }, ContainerMount { destination: Some("/run/sdf/jwt_signing_public_key.pem".to_owned()), source: Some( diff --git a/lib/si-cli/src/key_management.rs b/lib/si-cli/src/key_management.rs index f923e77b13..6a205732a3 100644 --- a/lib/si-cli/src/key_management.rs +++ b/lib/si-cli/src/key_management.rs 
@@ -35,6 +35,27 @@ fJwjkI25wNiOHD7LI8nWUqXOM0ZcQQ/4HJwG9IT6flvRQwLi9UrC8FTos4jPeZcA T7Pftf1OUGsDQsmx/eAS4GUCAwEAAQ== -----END PUBLIC KEY-----"; +const DEV_POSTGRES_ROOT_CRT: &str = "-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIIAhGEx24hny0wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE +AxMVbWluaWNhIHJvb3QgY2EgMDIxMTg0MCAXDTI0MDEwMjE4MjEyOVoYDzIxMjQw +MTAyMTgyMTI5WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAwMjExODQwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDoByK7UWZsjrKw31m6SwwiIplQ +d9MvfcD0+Gvvx1Lx0DNNangU/xqc0K5puNAPqwOToKLihbnJwqjXNUazXaM3ojcn +dkeRs3Cz7KVZkiu+sXqiecMXL2nFkNBSPhiXRumFOw3Qhz6v6dCMZxXcHUIgeBnp +q0oCQprCSt+S2TpgsPrNxCbByB/ICfI/rT+/QOVeJjqcJe5RMFAIR8pxaBcTlScL +fwj7PPd2eW/jZ1+pVfYYqKwbLwv14faElMZ2MZwRANDHo7lPA4riB6m7yfRXN7Cn +bwKGMJFPVoO71UL/ArAr/8bTEf1FZejMPzG7oEqXSGyYTLi0ybLr7G6QVqpJAgMB +AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBQHGAB8jOdnvpxu +lS8NlI2L0jRxUzAfBgNVHSMEGDAWgBQHGAB8jOdnvpxulS8NlI2L0jRxUzANBgkq +hkiG9w0BAQsFAAOCAQEANH3AydMZZGDeTP7SaHPc/+XsRu/0cTTCXd0Jr56RbnPg +Y2B5jq2WfN7DO7uCva2N4Q6oILMH8JBonFgGh5/LKrFrfzOQBuHWTqyA55QfkYlY +bZv3zWj3X3UqQcKWJW21P/cWiLiABQD3ahTNaWop1yu2nWvjTosE6/iXloOfTHfx +XEyztSRLxYGoqrba7MW2RKAo31ENrZVKtI+X8vjxJa1s/sqLQUbyCDVF+l6tsR0T +kN1/Vtm5EUdiEvDRETI4pQ9b1FSXulSaQJVNFWONXjrb5fhXpnPQ+zG3COdKbKz8 +OGyod3OoVim6KL7RFkjqu2SYWrc5/tmOn+VWBEim/w== +-----END CERTIFICATE-----"; + pub async fn ensure_encryption_keys() -> CliResult<()> { let (public_key, secret_key) = box_::gen_keypair(); 
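Review bot: `DEV_POSTGRES_ROOT_CRT` is a second verbatim copy of `config/keys/dev.postgres.root.crt` added in this same commit, so the two will drift the first time the CA is rotated and the CLI will silently install an outdated root. `include_str!("../../../config/keys/dev.postgres.root.crt")` (relative to this file, assuming the workspace layout the sibling crates use) would keep a single source of truth under cargo; under buck the file is already exported from `//config/keys`, so it can be declared as a resource the way the bin targets in this patch do. If the copy has to stay, a comment naming the source file and saying the two must be updated together is the minimum.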
@@ -76,6 +97,17 @@ pub async fn ensure_jwt_public_signing_key() -> CliResult<()> { Ok(()) } +pub async fn ensure_postgres_root_cert() -> CliResult<()> { + let si_data_dir = get_si_data_dir().await?; + let postgres_root_cert = si_data_dir.join("dev.postgres.root.crt"); + if !postgres_root_cert.exists() { + let mut file = File::create(&postgres_root_cert)?; + file.write_all(DEV_POSTGRES_ROOT_CRT.as_bytes())?; + } + + Ok(()) +} + pub async fn write_veritech_credentials( credentials: &Credentials, credentials_path: PathBuf, diff --git a/lib/si-data-pg/BUCK b/lib/si-data-pg/BUCK index af0775d132..6abd4b64fb 100644 --- a/lib/si-data-pg/BUCK +++ b/lib/si-data-pg/BUCK @@ -6,17 +6,22 @@ rust_library( "//lib/si-std:si-std", "//lib/telemetry-rs:telemetry", "//third-party/rust:bytes", + "//third-party/rust:base64", "//third-party/rust:deadpool", "//third-party/rust:deadpool-postgres", "//third-party/rust:futures", "//third-party/rust:num_cpus", "//third-party/rust:ouroboros", "//third-party/rust:refinery", + "//third-party/rust:rustls", + "//third-party/rust:rustls-pemfile", "//third-party/rust:remain", "//third-party/rust:serde", "//third-party/rust:thiserror", "//third-party/rust:tokio", "//third-party/rust:tokio-postgres", + "//third-party/rust:tokio-postgres-rustls", + "//third-party/rust:webpki-roots", ], srcs = glob(["src/**/*.rs"]), ) diff --git a/lib/si-data-pg/Cargo.toml b/lib/si-data-pg/Cargo.toml index fc54c7c9b2..74c57e418a 100644 --- a/lib/si-data-pg/Cargo.toml +++ b/lib/si-data-pg/Cargo.toml @@ -6,6 +6,7 @@ rust-version = "1.64" publish = false [dependencies] +base64 = { workspace = true } bytes = { workspace = true } deadpool = { workspace = true } deadpool-postgres = { workspace = true } 
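Review bot: `ensure_postgres_root_cert` treats any existing file as good, so a write interrupted after `File::create` has truncated it leaves an empty or partial `dev.postgres.root.crt` that is never repaired, and a later change to the embedded CA is never picked up either. Writing through a temp file closes the first gap: `let tmp = postgres_root_cert.with_extension("crt.tmp");`, `std::fs::write(&tmp, DEV_POSTGRES_ROOT_CRT.as_bytes())?;`, `std::fs::rename(&tmp, &postgres_root_cert)?;`. For the second, either compare the existing contents with the constant instead of only `exists()`, or add a short comment stating that an existing file is intentionally left untouched so a user-supplied CA is not clobbered, whichever matches what the other `ensure_*` helpers in this file do.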
@@ -14,9 +15,13 @@ num_cpus = { workspace = true } ouroboros = { workspace = true } refinery = { workspace = true } remain = { workspace = true } +rustls = { workspace = true } +rustls-pemfile = { workspace = true } serde = { workspace = true } si-std = { path = "../../lib/si-std" } telemetry = { path = "../../lib/telemetry-rs" } thiserror = { workspace = true } tokio = { workspace = true } tokio-postgres = { workspace = true } +tokio-postgres-rustls = { workspace = true } +webpki-roots = { workspace = true } diff --git a/lib/si-data-pg/src/lib.rs b/lib/si-data-pg/src/lib.rs index 3f89ffccd8..ad5f80b841 100644 --- a/lib/si-data-pg/src/lib.rs +++ b/lib/si-data-pg/src/lib.rs @@ -7,30 +7,39 @@ )] #![allow(clippy::missing_errors_doc)] +use rustls::{Certificate, RootCertStore}; +use tokio_postgres_rustls::MakeRustlsConnect; + +use base64::{engine::general_purpose, Engine}; use std::{ cmp, fmt::{self, Debug}, net::ToSocketAddrs, + path::Path, sync::Arc, time::Duration, }; use bytes::Buf; use deadpool::managed::Object; +use deadpool_postgres::SslMode; use deadpool_postgres::{ Config, ConfigError, CreatePoolError, Manager, ManagerConfig, Pool, PoolConfig, PoolError, RecyclingMethod, Transaction, TransactionBuilder, }; use futures::{Stream, StreamExt}; + use ouroboros::self_referencing; + use serde::{Deserialize, Serialize}; -use si_std::{ResultExt, SensitiveString}; +use si_std::{CanonicalFile, ResultExt, SensitiveString}; use telemetry::prelude::*; use tokio::sync::Mutex; + use tokio_postgres::{ row::RowIndex, types::{BorrowToSql, FromSql, ToSql, Type}, - CancelToken, Client, Column, CopyInSink, CopyOutStream, IsolationLevel, NoTls, Portal, Row, + CancelToken, Client, Column, CopyInSink, CopyOutStream, IsolationLevel, Portal, Row, SimpleQueryMessage, Statement, ToStatement, }; 
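Review bot: `tokio-postgres-rustls` is taken at a version that, per the generated build rules later in this commit, depends on `ring 0.16.20` alongside the `ring 0.17` already used by `rustls 0.21`, so the workspace now links two copies of the crypto backend. To my knowledge the 0.16 line is no longer receiving releases; if a `tokio-postgres-rustls` release built against the same `rustls`/`ring 0.17` pair is available it would be worth taking it so that a single crypto crate is audited and updated. If not, a comment on the dependency line recording why the older `ring` is pulled in would save the next person re-deriving it.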
@@ -57,6 +66,10 @@ pub enum PgError { #[remain::sorted] #[derive(thiserror::Error, Debug)] pub enum PgPoolError { + #[error("failed to decode base64 encoded key")] + Base64Decode(#[source] base64::DecodeError), + #[error("failed to certificate from bytes")] + CreateCertificate(#[from] std::io::Error), #[error("creating pg pool error: {0}")] CreatePoolError(#[from] CreatePoolError), #[error("pg pool config error: {0}")] @@ -65,6 +78,8 @@ pub enum PgPoolError { Pg(#[from] PgError), #[error("pg pool error: {0}")] PoolError(#[from] PoolError), + #[error("failed to read pem")] + ReadPem(std::io::Error), #[error("migration error: {0}")] Refinery(#[from] refinery::Error), #[error("failed to resolve pg hostname")] @@ -87,6 +102,8 @@ pub type PgTxn = PgSharedTransaction; pub struct PgPoolConfig { pub user: String, pub password: SensitiveString, + pub certificate_path: Option, + pub certificate_base64: Option, pub dbname: String, pub application_name: String, pub hostname: String, @@ -104,6 +121,8 @@ impl Default for PgPoolConfig { PgPoolConfig { user: String::from("si"), password: SensitiveString::from("bugbear"), + certificate_path: None, + certificate_base64: None, dbname: String::from("si"), application_name: String::from("si-unknown-app"), hostname: String::from("localhost"), 
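Review bot: `CreateCertificate(#[from] std::io::Error)` makes every `?` on an `io::Error` in this crate surface as "failed to certificate from bytes", which is both a typo and misleading given that the sibling `ReadPem(std::io::Error)` exists for file reads. I'd drop the blanket conversion and print the source, e.g. `#[error("failed to parse PEM certificate: {0}")] CreateCertificate(#[source] std::io::Error)`, and likewise `#[error("failed to decode base64 encoded certificate: {0}")] Base64Decode(#[source] base64::DecodeError)` and `#[error("failed to read pem: {0}")] ReadPem(std::io::Error)`, since this text is what an operator sees when a misconfigured CA keeps a service from starting. The helpers in `get_certificate_from_bytes` and `get_certificate_from_path` already wrap with `map_err`, so nothing else needs to change.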
@@ -179,9 +198,16 @@ impl PgPool { if let Some(secs) = settings.pool_timeout_recycle_secs { pool_config.timeouts.recycle = Some(Duration::from_secs(secs)); } + + // TODO(scott): we should set this to Require as below once + // the postgres:stable image has been updated + // to include the SSL bits. + // cfg.ssl_mode = Some(SslMode::Require); + cfg.ssl_mode = Some(SslMode::Prefer); + let tls_config = Self::tls_config(settings).await?; debug!(db.pool_config = ?pool_config); cfg.pool = Some(pool_config); - let pool = cfg.create_pool(Some(deadpool_postgres::Runtime::Tokio1), NoTls)?; + let pool = cfg.create_pool(Some(deadpool_postgres::Runtime::Tokio1), tls_config)?; let resolving_hostname = format!("{}:{}", settings.hostname, settings.port); let net_peer_ip = tokio::task::spawn_blocking(move || { 
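Review bot: `cfg.ssl_mode = Some(SslMode::Prefer)` is hard-coded, so every deployment, not just the dev image the TODO is about, will silently fall back to plaintext if the server (or anything in the path) refuses the SSLRequest, and the CA configured via `certificate_path` then protects nothing. Rather than waiting on the image update, I'd make the mode a config field with the dev-friendly default, e.g. `pub require_tls: bool` on `PgPoolConfig` (default `false`) and here `cfg.ssl_mode = Some(if settings.require_tls { SslMode::Require } else { SslMode::Prefer });`, so production can opt into Require today. A one-line comment that Prefer lets an active attacker downgrade the connection would also make the TODO read as a security item rather than a cleanup. The enclosing `PgPool::new` starts and ends outside this hunk.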
@@ -237,6 +263,63 @@ impl PgPool { Ok(pg_pool) } + // Creates a tls_config for connecting to postgres securely + async fn tls_config(settings: &PgPoolConfig) -> PgPoolResult { + let mut root_cert_store = RootCertStore::empty(); + root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| { + rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( + ta.subject, + ta.spki, + ta.name_constraints, + ) + })); + if let Some(cert) = &settings.certificate_path { + root_cert_store + .add_parsable_certificates(&Self::get_certificate_from_path(cert).await?); + } + if let Some(cert) = &settings.certificate_base64 { + root_cert_store.add_parsable_certificates( + &Self::get_certificate_from_base64(cert.to_string()).await?, + ); + } + let config = rustls::ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates(root_cert_store) + .with_no_client_auth(); + + Ok(MakeRustlsConnect::new(config)) + } + + // Creates a certificate object from bytes + async fn get_certificate_from_bytes(bytes: &[u8]) -> PgPoolResult> { + let mut reader = std::io::BufReader::new(bytes); + Ok(rustls_pemfile::certs(&mut reader) + .map(|c| { + Certificate( + c.map_err(PgPoolError::CreateCertificate) + .expect( + "errror unpacking root cert, this should have been caught by map_err", + ) + .to_vec(), + ) + }) + .collect::>()) + } + + // Creates a Certificate object from a base64 encoded certificate + async fn get_certificate_from_base64(key_string: String) -> PgPoolResult> { + let buf = general_purpose::STANDARD + .decode(key_string) + .map_err(PgPoolError::Base64Decode)?; + Self::get_certificate_from_bytes(&buf).await + } + + // Creates a Certificate object from a certificate file + async fn get_certificate_from_path(path: impl AsRef) -> PgPoolResult> { + let buf = std::fs::read(path).map_err(PgPoolError::ReadPem)?; + Self::get_certificate_from_bytes(&buf).await + } + // Attempts to establish a database connection and returns an error if not successful. 
#[instrument( name = "pool.test_connection", diff --git a/third-party/rust/BUCK b/third-party/rust/BUCK index 7bb2e1bc4c..2f9114f785 100644 --- a/third-party/rust/BUCK +++ b/third-party/rust/BUCK 
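Review bot: `get_certificate_from_bytes` cannot return `CreateCertificate` as its comment claims: `map_err` only changes the error type and the following `.expect(...)` unwraps it, so a malformed PEM in `certificate_path` or `certificate_base64` panics the service instead of surfacing the error. Collecting into `PgPoolResult<Vec<Certificate>>` fixes that, and while here `add_parsable_certificates` returns an `(added, ignored)` count that `tls_config` discards, so a file that parses as PEM but holds no usable certificate is accepted silently and only fails later as an opaque handshake error; the fence below turns both into errors at pool creation. `std::fs::read` inside an `async fn` also blocks the executor; `tokio::fs::read(path).await` is a drop-in replacement if the workspace's tokio enables the `fs` feature.
```rust
        if let Some(cert) = &settings.certificate_path {
            let certs = Self::get_certificate_from_path(cert).await?;
            let (added, _ignored) = root_cert_store.add_parsable_certificates(&certs);
            // Fail here with a readable error rather than later as UnknownIssuer.
            if added == 0 {
                return Err(PgPoolError::CreateCertificate(std::io::Error::new(
                    std::io::ErrorKind::InvalidData,
                    "certificate_path contains no usable certificate",
                )));
            }
        }
        // … unchanged: certificate_base64 branch (apply the same `added == 0` check), ClientConfig builder …

    // Parses every PEM certificate in `bytes`; a malformed entry is an error, never a panic.
    async fn get_certificate_from_bytes(bytes: &[u8]) -> PgPoolResult<Vec<Certificate>> {
        let mut reader = std::io::BufReader::new(bytes);
        rustls_pemfile::certs(&mut reader)
            .map(|c| {
                c.map(|der| Certificate(der.to_vec()))
                    .map_err(PgPoolError::CreateCertificate)
            })
            .collect()
    }

    // Reads the PEM file without blocking the async executor.
    async fn get_certificate_from_path(path: impl AsRef<Path>) -> PgPoolResult<Vec<Certificate>> {
        let buf = tokio::fs::read(path).await.map_err(PgPoolError::ReadPem)?;
        Self::get_certificate_from_bytes(&buf).await
    }
```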
@@ -10299,6 +10299,579 @@ cargo.rust_library( ], ) +http_archive( + name = "ring-0.16.20.crate", + sha256 = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc", + strip_prefix = "ring-0.16.20", + sub_targets = [ + "crypto/constant_time_test.c", + "crypto/cpu-intel.c", + "crypto/crypto.c", + "crypto/curve25519/curve25519.c", + "crypto/curve25519/curve25519_tables.h", + "crypto/curve25519/internal.h", + "crypto/fipsmodule/aes/aes_nohw.c", + "crypto/fipsmodule/bn/internal.h", + "crypto/fipsmodule/bn/montgomery.c", + "crypto/fipsmodule/bn/montgomery_inv.c", + "crypto/fipsmodule/ec/ecp_nistz.c", + "crypto/fipsmodule/ec/ecp_nistz.h", + "crypto/fipsmodule/ec/ecp_nistz256.c", + "crypto/fipsmodule/ec/ecp_nistz256.h", + "crypto/fipsmodule/ec/ecp_nistz256_table.inl", + "crypto/fipsmodule/ec/ecp_nistz384.h", + "crypto/fipsmodule/ec/ecp_nistz384.inl", + "crypto/fipsmodule/ec/gfp_p256.c", + "crypto/fipsmodule/ec/gfp_p384.c", + "crypto/internal.h", + "crypto/limbs/limbs.c", + "crypto/limbs/limbs.h", + "crypto/limbs/limbs.inl", + "crypto/mem.c", + "crypto/poly1305/internal.h", + "crypto/poly1305/poly1305.c", + "crypto/poly1305/poly1305_arm.c", + "crypto/poly1305/poly1305_vec.c", + "include/GFp/aes.h", + "include/GFp/arm_arch.h", + "include/GFp/base.h", + "include/GFp/check.h", + "include/GFp/cpu.h", + "include/GFp/mem.h", + "include/GFp/poly1305.h", + "include/GFp/type_check.h", + "pregenerated/aesni-gcm-x86_64-elf.S", + "pregenerated/aesni-gcm-x86_64-macosx.S", + "pregenerated/aesni-gcm-x86_64-nasm.obj", + "pregenerated/aesni-x86_64-elf.S", + "pregenerated/aesni-x86_64-macosx.S", + "pregenerated/aesni-x86_64-nasm.obj", + "pregenerated/aesv8-armx-ios64.S", + "pregenerated/aesv8-armx-linux64.S", + "pregenerated/armv8-mont-ios64.S", + "pregenerated/armv8-mont-linux64.S", + "pregenerated/chacha-armv8-ios64.S", + "pregenerated/chacha-armv8-linux64.S", + "pregenerated/chacha-x86_64-elf.S", + "pregenerated/chacha-x86_64-macosx.S", + "pregenerated/chacha-x86_64-nasm.obj", 
+ "pregenerated/chacha20_poly1305_x86_64-elf.S", + "pregenerated/chacha20_poly1305_x86_64-macosx.S", + "pregenerated/chacha20_poly1305_x86_64-nasm.obj", + "pregenerated/ecp_nistz256-armv8-ios64.S", + "pregenerated/ecp_nistz256-armv8-linux64.S", + "pregenerated/ghash-neon-armv8-ios64.S", + "pregenerated/ghash-neon-armv8-linux64.S", + "pregenerated/ghash-x86_64-elf.S", + "pregenerated/ghash-x86_64-macosx.S", + "pregenerated/ghash-x86_64-nasm.obj", + "pregenerated/ghashv8-armx-ios64.S", + "pregenerated/ghashv8-armx-linux64.S", + "pregenerated/p256-x86_64-asm-elf.S", + "pregenerated/p256-x86_64-asm-macosx.S", + "pregenerated/p256-x86_64-asm-nasm.obj", + "pregenerated/sha256-armv8-ios64.S", + "pregenerated/sha256-armv8-linux64.S", + "pregenerated/sha256-x86_64-elf.S", + "pregenerated/sha256-x86_64-macosx.S", + "pregenerated/sha256-x86_64-nasm.obj", + "pregenerated/sha512-armv8-ios64.S", + "pregenerated/sha512-armv8-linux64.S", + "pregenerated/sha512-x86_64-elf.S", + "pregenerated/sha512-x86_64-macosx.S", + "pregenerated/sha512-x86_64-nasm.obj", + "pregenerated/vpaes-armv8-ios64.S", + "pregenerated/vpaes-armv8-linux64.S", + "pregenerated/vpaes-x86_64-elf.S", + "pregenerated/vpaes-x86_64-macosx.S", + "pregenerated/vpaes-x86_64-nasm.obj", + "pregenerated/x86_64-mont-elf.S", + "pregenerated/x86_64-mont-macosx.S", + "pregenerated/x86_64-mont-nasm.obj", + "pregenerated/x86_64-mont5-elf.S", + "pregenerated/x86_64-mont5-macosx.S", + "pregenerated/x86_64-mont5-nasm.obj", + "third_party/fiat/curve25519_32.h", + "third_party/fiat/curve25519_64.h", + ], + urls = ["https://crates.io/api/v1/crates/ring/0.16.20/download"], + visibility = [], +) + +cargo.rust_library( + name = "ring-0.16.20", + srcs = [":ring-0.16.20.crate"], + crate = "ring", + crate_root = "ring-0.16.20.crate/src/lib.rs", + edition = "2018", + platform = { + "linux-arm64": dict( + deps = [ + ":libc-0.2.151", + ":ring-0.16.20-ring-c-asm-elf-aarch64", + ":spin-0.5.2", + ], + ), + "linux-x86_64": dict( + deps = [ + 
":libc-0.2.151", + ":ring-0.16.20-ring-c-asm-elf-x86_84", + ":spin-0.5.2", + ], + ), + "macos-arm64": dict( + deps = [":ring-0.16.20-ring-c-asm-macos-arm64"], + ), + "macos-x86_64": dict( + deps = [ + ":ring-0.16.20-ring-c-asm-macos-x86_64", + ":spin-0.5.2", + ], + ), + "windows-gnu": dict( + deps = [ + ":ring-0.16.20-ring-asm-windows-x86_84-aesni-gcm-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-aesni-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-chacha-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-chacha20_poly1305_x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-ghash-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-p256-x86_64-asm-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-sha256-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-sha512-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-vpaes-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-x86_64-mont-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-x86_64-mont5-nasm.obj", + ":ring-0.16.20-ring-c-win-x86_84", + ":spin-0.5.2", + ":winapi-0.3.9", + ], + ), + "windows-msvc": dict( + deps = [ + ":ring-0.16.20-ring-asm-windows-x86_84-aesni-gcm-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-aesni-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-chacha-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-chacha20_poly1305_x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-ghash-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-p256-x86_64-asm-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-sha256-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-sha512-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-vpaes-x86_64-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-x86_64-mont-nasm.obj", + ":ring-0.16.20-ring-asm-windows-x86_84-x86_64-mont5-nasm.obj", + ":ring-0.16.20-ring-c-win-msvc-x86_84", + ":spin-0.5.2", + ":winapi-0.3.9", + ], + ), + }, + visibility 
= [], + deps = [":untrusted-0.7.1"], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-aesni-gcm-x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/aesni-gcm-x86_64-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-aesni-x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/aesni-x86_64-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-chacha-x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/chacha-x86_64-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-chacha20_poly1305_x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/chacha20_poly1305_x86_64-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-ghash-x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/ghash-x86_64-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-p256-x86_64-asm-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/p256-x86_64-asm-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-sha256-x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/sha256-x86_64-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-sha512-x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/sha512-x86_64-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-vpaes-x86_64-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/vpaes-x86_64-nasm.obj]", + visibility = [], +) + 
+third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-x86_64-mont-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/x86_64-mont-nasm.obj]", + visibility = [], +) + +third_party_rust_prebuilt_cxx_library( + name = "ring-0.16.20-ring-asm-windows-x86_84-x86_64-mont5-nasm.obj", + static_lib = ":ring-0.16.20.crate[pregenerated/x86_64-mont5-nasm.obj]", + visibility = [], +) + +cxx_library( + name = "ring-0.16.20-ring-c-asm-elf-aarch64", + srcs = [ + ":ring-0.16.20.crate[crypto/constant_time_test.c]", + ":ring-0.16.20.crate[crypto/crypto.c]", + ":ring-0.16.20.crate[crypto/curve25519/curve25519.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/aes/aes_nohw.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery_inv.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p384.c]", + ":ring-0.16.20.crate[crypto/limbs/limbs.c]", + ":ring-0.16.20.crate[crypto/mem.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_arm.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_vec.c]", + ":ring-0.16.20.crate[pregenerated/aesv8-armx-linux64.S]", + ":ring-0.16.20.crate[pregenerated/armv8-mont-linux64.S]", + ":ring-0.16.20.crate[pregenerated/chacha-armv8-linux64.S]", + ":ring-0.16.20.crate[pregenerated/ecp_nistz256-armv8-linux64.S]", + ":ring-0.16.20.crate[pregenerated/ghash-neon-armv8-linux64.S]", + ":ring-0.16.20.crate[pregenerated/ghashv8-armx-linux64.S]", + ":ring-0.16.20.crate[pregenerated/sha256-armv8-linux64.S]", + ":ring-0.16.20.crate[pregenerated/sha512-armv8-linux64.S]", + ":ring-0.16.20.crate[pregenerated/vpaes-armv8-linux64.S]", + ], + headers = [ + ":ring-0.16.20.crate[crypto/curve25519/curve25519_tables.h]", + 
":ring-0.16.20.crate[crypto/curve25519/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256_table.inl]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.inl]", + ":ring-0.16.20.crate[crypto/internal.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.inl]", + ":ring-0.16.20.crate[crypto/poly1305/internal.h]", + ":ring-0.16.20.crate[include/GFp/aes.h]", + ":ring-0.16.20.crate[include/GFp/arm_arch.h]", + ":ring-0.16.20.crate[include/GFp/base.h]", + ":ring-0.16.20.crate[include/GFp/check.h]", + ":ring-0.16.20.crate[include/GFp/cpu.h]", + ":ring-0.16.20.crate[include/GFp/mem.h]", + ":ring-0.16.20.crate[include/GFp/poly1305.h]", + ":ring-0.16.20.crate[include/GFp/type_check.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_32.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_64.h]", + ], + compiler_flags = ["-Wno-error"], + preferred_linkage = "static", + preprocessor_flags = ["-I$(location :ring-0.16.20.crate)/include"], + visibility = [], +) + +cxx_library( + name = "ring-0.16.20-ring-c-asm-elf-x86_84", + srcs = [ + ":ring-0.16.20.crate[crypto/constant_time_test.c]", + ":ring-0.16.20.crate[crypto/cpu-intel.c]", + ":ring-0.16.20.crate[crypto/crypto.c]", + ":ring-0.16.20.crate[crypto/curve25519/curve25519.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/aes/aes_nohw.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery_inv.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p384.c]", + 
":ring-0.16.20.crate[crypto/limbs/limbs.c]", + ":ring-0.16.20.crate[crypto/mem.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_arm.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_vec.c]", + ":ring-0.16.20.crate[pregenerated/aesni-gcm-x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/aesni-x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/chacha-x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/chacha20_poly1305_x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/ghash-x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/p256-x86_64-asm-elf.S]", + ":ring-0.16.20.crate[pregenerated/sha256-x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/sha512-x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/vpaes-x86_64-elf.S]", + ":ring-0.16.20.crate[pregenerated/x86_64-mont-elf.S]", + ":ring-0.16.20.crate[pregenerated/x86_64-mont5-elf.S]", + ], + headers = [ + ":ring-0.16.20.crate[crypto/curve25519/curve25519_tables.h]", + ":ring-0.16.20.crate[crypto/curve25519/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256_table.inl]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.inl]", + ":ring-0.16.20.crate[crypto/internal.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.inl]", + ":ring-0.16.20.crate[crypto/poly1305/internal.h]", + ":ring-0.16.20.crate[include/GFp/aes.h]", + ":ring-0.16.20.crate[include/GFp/arm_arch.h]", + ":ring-0.16.20.crate[include/GFp/base.h]", + ":ring-0.16.20.crate[include/GFp/check.h]", + ":ring-0.16.20.crate[include/GFp/cpu.h]", + ":ring-0.16.20.crate[include/GFp/mem.h]", + ":ring-0.16.20.crate[include/GFp/poly1305.h]", + ":ring-0.16.20.crate[include/GFp/type_check.h]", + 
":ring-0.16.20.crate[third_party/fiat/curve25519_32.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_64.h]", + ], + compiler_flags = ["-Wno-error"], + preferred_linkage = "static", + preprocessor_flags = ["-I$(location :ring-0.16.20.crate)/include"], + visibility = [], +) + +cxx_library( + name = "ring-0.16.20-ring-c-asm-macos-arm64", + srcs = [ + ":ring-0.16.20.crate[crypto/constant_time_test.c]", + ":ring-0.16.20.crate[crypto/crypto.c]", + ":ring-0.16.20.crate[crypto/curve25519/curve25519.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/aes/aes_nohw.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery_inv.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p384.c]", + ":ring-0.16.20.crate[crypto/limbs/limbs.c]", + ":ring-0.16.20.crate[crypto/mem.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_arm.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_vec.c]", + ":ring-0.16.20.crate[pregenerated/aesv8-armx-ios64.S]", + ":ring-0.16.20.crate[pregenerated/armv8-mont-ios64.S]", + ":ring-0.16.20.crate[pregenerated/chacha-armv8-ios64.S]", + ":ring-0.16.20.crate[pregenerated/ecp_nistz256-armv8-ios64.S]", + ":ring-0.16.20.crate[pregenerated/ghash-neon-armv8-ios64.S]", + ":ring-0.16.20.crate[pregenerated/ghashv8-armx-ios64.S]", + ":ring-0.16.20.crate[pregenerated/sha256-armv8-ios64.S]", + ":ring-0.16.20.crate[pregenerated/sha512-armv8-ios64.S]", + ":ring-0.16.20.crate[pregenerated/vpaes-armv8-ios64.S]", + ], + headers = [ + ":ring-0.16.20.crate[crypto/curve25519/curve25519_tables.h]", + ":ring-0.16.20.crate[crypto/curve25519/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.h]", + 
":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256_table.inl]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.inl]", + ":ring-0.16.20.crate[crypto/internal.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.inl]", + ":ring-0.16.20.crate[crypto/poly1305/internal.h]", + ":ring-0.16.20.crate[include/GFp/aes.h]", + ":ring-0.16.20.crate[include/GFp/arm_arch.h]", + ":ring-0.16.20.crate[include/GFp/base.h]", + ":ring-0.16.20.crate[include/GFp/check.h]", + ":ring-0.16.20.crate[include/GFp/cpu.h]", + ":ring-0.16.20.crate[include/GFp/mem.h]", + ":ring-0.16.20.crate[include/GFp/poly1305.h]", + ":ring-0.16.20.crate[include/GFp/type_check.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_32.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_64.h]", + ], + compiler_flags = ["-Wno-error"], + preferred_linkage = "static", + preprocessor_flags = ["-I$(location :ring-0.16.20.crate)/include"], + visibility = [], +) + +cxx_library( + name = "ring-0.16.20-ring-c-asm-macos-x86_64", + srcs = [ + ":ring-0.16.20.crate[crypto/constant_time_test.c]", + ":ring-0.16.20.crate[crypto/cpu-intel.c]", + ":ring-0.16.20.crate[crypto/crypto.c]", + ":ring-0.16.20.crate[crypto/curve25519/curve25519.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/aes/aes_nohw.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery_inv.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p384.c]", + ":ring-0.16.20.crate[crypto/limbs/limbs.c]", + ":ring-0.16.20.crate[crypto/mem.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_arm.c]", + 
":ring-0.16.20.crate[crypto/poly1305/poly1305_vec.c]", + ":ring-0.16.20.crate[pregenerated/aesni-gcm-x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/aesni-x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/chacha-x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/chacha20_poly1305_x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/ghash-x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/p256-x86_64-asm-macosx.S]", + ":ring-0.16.20.crate[pregenerated/sha256-x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/sha512-x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/vpaes-x86_64-macosx.S]", + ":ring-0.16.20.crate[pregenerated/x86_64-mont-macosx.S]", + ":ring-0.16.20.crate[pregenerated/x86_64-mont5-macosx.S]", + ], + headers = [ + ":ring-0.16.20.crate[crypto/curve25519/curve25519_tables.h]", + ":ring-0.16.20.crate[crypto/curve25519/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256_table.inl]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.inl]", + ":ring-0.16.20.crate[crypto/internal.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.inl]", + ":ring-0.16.20.crate[crypto/poly1305/internal.h]", + ":ring-0.16.20.crate[include/GFp/aes.h]", + ":ring-0.16.20.crate[include/GFp/arm_arch.h]", + ":ring-0.16.20.crate[include/GFp/base.h]", + ":ring-0.16.20.crate[include/GFp/check.h]", + ":ring-0.16.20.crate[include/GFp/cpu.h]", + ":ring-0.16.20.crate[include/GFp/mem.h]", + ":ring-0.16.20.crate[include/GFp/poly1305.h]", + ":ring-0.16.20.crate[include/GFp/type_check.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_32.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_64.h]", + ], + compiler_flags = ["-Wno-error"], + 
preferred_linkage = "static", + preprocessor_flags = ["-I$(location :ring-0.16.20.crate)/include"], + visibility = [], +) + +cxx_library( + name = "ring-0.16.20-ring-c-win-msvc-x86_84", + srcs = [ + ":ring-0.16.20.crate[crypto/constant_time_test.c]", + ":ring-0.16.20.crate[crypto/cpu-intel.c]", + ":ring-0.16.20.crate[crypto/crypto.c]", + ":ring-0.16.20.crate[crypto/curve25519/curve25519.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/aes/aes_nohw.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery_inv.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p384.c]", + ":ring-0.16.20.crate[crypto/limbs/limbs.c]", + ":ring-0.16.20.crate[crypto/mem.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_arm.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_vec.c]", + ], + headers = [ + ":ring-0.16.20.crate[crypto/curve25519/curve25519_tables.h]", + ":ring-0.16.20.crate[crypto/curve25519/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256_table.inl]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.inl]", + ":ring-0.16.20.crate[crypto/internal.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.inl]", + ":ring-0.16.20.crate[crypto/poly1305/internal.h]", + ":ring-0.16.20.crate[include/GFp/aes.h]", + ":ring-0.16.20.crate[include/GFp/arm_arch.h]", + ":ring-0.16.20.crate[include/GFp/base.h]", + ":ring-0.16.20.crate[include/GFp/check.h]", + 
":ring-0.16.20.crate[include/GFp/cpu.h]", + ":ring-0.16.20.crate[include/GFp/mem.h]", + ":ring-0.16.20.crate[include/GFp/poly1305.h]", + ":ring-0.16.20.crate[include/GFp/type_check.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_32.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_64.h]", + ], + preferred_linkage = "static", + preprocessor_flags = ["-I$(location :ring-0.16.20.crate)/include"], + visibility = [], +) + +cxx_library( + name = "ring-0.16.20-ring-c-win-x86_84", + srcs = [ + ":ring-0.16.20.crate[crypto/constant_time_test.c]", + ":ring-0.16.20.crate[crypto/cpu-intel.c]", + ":ring-0.16.20.crate[crypto/crypto.c]", + ":ring-0.16.20.crate[crypto/curve25519/curve25519.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/aes/aes_nohw.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/montgomery_inv.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p256.c]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/gfp_p384.c]", + ":ring-0.16.20.crate[crypto/limbs/limbs.c]", + ":ring-0.16.20.crate[crypto/mem.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_arm.c]", + ":ring-0.16.20.crate[crypto/poly1305/poly1305_vec.c]", + ], + headers = [ + ":ring-0.16.20.crate[crypto/curve25519/curve25519_tables.h]", + ":ring-0.16.20.crate[crypto/curve25519/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/bn/internal.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz256_table.inl]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.h]", + ":ring-0.16.20.crate[crypto/fipsmodule/ec/ecp_nistz384.inl]", + ":ring-0.16.20.crate[crypto/internal.h]", + ":ring-0.16.20.crate[crypto/limbs/limbs.h]", + 
":ring-0.16.20.crate[crypto/limbs/limbs.inl]", + ":ring-0.16.20.crate[crypto/poly1305/internal.h]", + ":ring-0.16.20.crate[include/GFp/aes.h]", + ":ring-0.16.20.crate[include/GFp/arm_arch.h]", + ":ring-0.16.20.crate[include/GFp/base.h]", + ":ring-0.16.20.crate[include/GFp/check.h]", + ":ring-0.16.20.crate[include/GFp/cpu.h]", + ":ring-0.16.20.crate[include/GFp/mem.h]", + ":ring-0.16.20.crate[include/GFp/poly1305.h]", + ":ring-0.16.20.crate[include/GFp/type_check.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_32.h]", + ":ring-0.16.20.crate[third_party/fiat/curve25519_64.h]", + ], + compiler_flags = ["-Wno-error"], + preferred_linkage = "static", + preprocessor_flags = ["-I$(location :ring-0.16.20.crate)/include"], + visibility = [], +) + alias( name = "ring", actual = ":ring-0.17.5", @@ -11337,6 +11910,12 @@ buildscript_run( version = "0.38.28", ) +alias( + name = "rustls", + actual = ":rustls-0.21.10", + visibility = ["PUBLIC"], +) + http_archive( name = "rustls-0.21.10.crate", sha256 = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba", 
@@ -11423,6 +12002,58 @@ cargo.rust_library( deps = [":base64-0.21.5"], ) +alias( + name = "rustls-pemfile", + actual = ":rustls-pemfile-2.0.0", + visibility = ["PUBLIC"], +) + +http_archive( + name = "rustls-pemfile-2.0.0.crate", + sha256 = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4", + strip_prefix = "rustls-pemfile-2.0.0", + urls = ["https://crates.io/api/v1/crates/rustls-pemfile/2.0.0/download"], + visibility = [], +) + +cargo.rust_library( + name = "rustls-pemfile-2.0.0", + srcs = [":rustls-pemfile-2.0.0.crate"], + crate = "rustls_pemfile", + crate_root = "rustls-pemfile-2.0.0.crate/src/lib.rs", + edition = "2018", + features = [ + "default", + "std", + ], + named_deps = { + "pki_types": ":rustls-pki-types-1.0.1", + }, + visibility = [], + deps = [":base64-0.21.5"], +) + +http_archive( + name = "rustls-pki-types-1.0.1.crate", + sha256 = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b", + strip_prefix = "rustls-pki-types-1.0.1", + urls = ["https://crates.io/api/v1/crates/rustls-pki-types/1.0.1/download"], + visibility = [], +) + +cargo.rust_library( + name = "rustls-pki-types-1.0.1", + srcs = [":rustls-pki-types-1.0.1.crate"], + crate = "rustls_pki_types", + crate_root = "rustls-pki-types-1.0.1.crate/src/lib.rs", + edition = "2021", + features = [ + "alloc", + "default", + ], + visibility = [], +) + http_archive( name = "rustls-webpki-0.101.7.crate", sha256 = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765", @@ -13712,6 +14343,8 @@ cargo.rust_binary( ":reqwest-0.11.23", ":ring-0.17.5", ":rust-s3-0.34.0-rc4", + ":rustls-0.21.10", + ":rustls-pemfile-2.0.0", ":sea-orm-0.12.10", ":self-replace-1.3.7", ":serde-1.0.193", @@ -13730,6 +14363,7 @@ cargo.rust_binary( ":thiserror-1.0.51", ":tokio-1.35.1", ":tokio-postgres-0.7.10", + ":tokio-postgres-rustls-0.10.0", ":tokio-serde-0.8.0", ":tokio-stream-0.1.14", ":tokio-test-0.4.3", 
@@ -13747,6 +14381,7 @@ cargo.rust_binary( ":uuid-1.6.1", ":vfs-0.10.0", ":vfs-tar-0.4.1", + ":webpki-roots-0.25.3", ":y-sync-0.4.0", ":yrs-0.17.2", ], @@ -14174,6 +14809,37 @@ cargo.rust_library( ], ) +alias( + name = "tokio-postgres-rustls", + actual = ":tokio-postgres-rustls-0.10.0", + visibility = ["PUBLIC"], +) + +http_archive( + name = "tokio-postgres-rustls-0.10.0.crate", + sha256 = "dd5831152cb0d3f79ef5523b357319ba154795d64c7078b2daa95a803b54057f", + strip_prefix = "tokio-postgres-rustls-0.10.0", + urls = ["https://crates.io/api/v1/crates/tokio-postgres-rustls/0.10.0/download"], + visibility = [], +) + +cargo.rust_library( + name = "tokio-postgres-rustls-0.10.0", + srcs = [":tokio-postgres-rustls-0.10.0.crate"], + crate = "tokio_postgres_rustls", + crate_root = "tokio-postgres-rustls-0.10.0.crate/src/lib.rs", + edition = "2018", + visibility = [], + deps = [ + ":futures-0.3.29", + ":ring-0.16.20", + ":rustls-0.21.10", + ":tokio-1.35.1", + ":tokio-postgres-0.7.10", + ":tokio-rustls-0.24.1", + ], +) + http_archive( name = "tokio-retry-0.3.0.crate", sha256 = "7f57eb36ecbe0fc510036adff84824dd3c24bb781e21bfa67b69d556aa85214f", @@ -15333,6 +15999,23 @@ cargo.rust_library( visibility = [], ) +http_archive( + name = "untrusted-0.7.1.crate", + sha256 = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a", + strip_prefix = "untrusted-0.7.1", + urls = ["https://crates.io/api/v1/crates/untrusted/0.7.1/download"], + visibility = [], +) + +cargo.rust_library( + name = "untrusted-0.7.1", + srcs = [":untrusted-0.7.1.crate"], + crate = "untrusted", + crate_root = "untrusted-0.7.1.crate/src/untrusted.rs", + edition = "2018", + visibility = [], +) + http_archive( name = "untrusted-0.9.0.crate", sha256 = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1", 
@@ -15625,6 +16308,12 @@ cargo.rust_library(
 deps = [":try-lock-0.2.5"],
 )
 
+alias(
+ name = "webpki-roots",
+ actual = ":webpki-roots-0.25.3",
+ visibility = ["PUBLIC"],
+)
+
 http_archive(
 name = "webpki-roots-0.25.3.crate",
 sha256 = "1778a42e8b3b90bff8d0f5032bf22250792889a5cdc752aa0020c84abe3aaf10",
@@ -15686,6 +16375,7 @@ cargo.rust_library(
 "handleapi",
 "impl-default",
 "minwindef",
+ "ntsecapi",
 "processenv",
 "std",
 "synchapi",
@@ -15695,6 +16385,7 @@ cargo.rust_library(
 "winerror",
 "winnt",
 "winuser",
+ "wtypesbase",
 ],
 platform = {
 "windows-gnu": dict(
@@ -15721,6 +16412,7 @@ cargo.rust_binary(
 "handleapi",
 "impl-default",
 "minwindef",
+ "ntsecapi",
 "processenv",
 "std",
 "synchapi",
@@ -15730,6 +16422,7 @@ cargo.rust_binary(
 "winerror",
 "winnt",
 "winuser",
+ "wtypesbase",
 ],
 visibility = [],
 )
@@ -15745,6 +16438,7 @@ buildscript_run(
 "handleapi",
 "impl-default",
 "minwindef",
+ "ntsecapi",
 "processenv",
 "std",
 "synchapi",
@@ -15754,6 +16448,7 @@ buildscript_run(
 "winerror",
 "winnt",
 "winuser",
+ "wtypesbase",
 ],
 version = "0.3.9",
 )
diff --git a/third-party/rust/Cargo.toml b/third-party/rust/Cargo.toml
index a385564ab8..81f3e2f79a 100644
--- a/third-party/rust/Cargo.toml
+++ b/third-party/rust/Cargo.toml
@@ -85,6 +85,8 @@ regex = "1.8.1"
 remain = "0.2.8"
 reqwest = { version = "0.11.17", default-features = false, features = ["rustls-tls", "json", "multipart"] }
 ring = "=0.17.5" # Upgrading this is possible, but a pain, so we don't want to pick up every new minor version (see: https://github.com/facebook/buck2/commit/91af40b66960d003067c3d241595fb53d1e636c8)
+rustls = { version = "0.21.1" } # pinned because ring above depends on it
+rustls-pemfile = { version = "2.0.0" }
 rust-s3 = { version = "0.34.0-rc4", default-features = false, features = ["tokio-rustls-tls"] }
 sea-orm = { version = "0.12.0", features = ["sqlx-postgres", "runtime-tokio-rustls", "macros", "with-chrono", "debug-print"] }
 self-replace = "1.3.7"
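Review bot: The comment on the added `rustls` line in the Cargo.toml hunk states the dependency relationship backwards — `ring` does not depend on `rustls`; `rustls` 0.21 is the crate that builds on the pinned `ring` series, so the pin is there to keep the two in step, and a maintainer reading the current wording may bump the wrong crate when the `ring` pin moves. Suggest `rustls = { version = "0.21.1" } # pinned alongside ring above: rustls 0.21 builds on that ring series, bump them together`. The `rustls-pemfile = { version = "2.0.0" }` line would also benefit from a note that 2.x yields `rustls-pki-types` values (the BUCK section of this patch adds that crate), since that is a source-level change from the 1.x API the rest of the workspace is still on.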
@@ -104,6 +106,7 @@ test-log = { version = "0.2.11", default-features = false, features = ["trace"]
 thiserror = "1.0.40"
 tokio = { version = "1.28.0", features = ["full"] }
 tokio-postgres = { version = "0.7.8", features = ["runtime", "with-chrono-0_4", "with-serde_json-1"] }
+tokio-postgres-rustls = { version = "0.10.0" }
 tokio-serde = { version = "0.8.0", features = ["json"] }
 tokio-stream = "0.1.14"
 tokio-test = "0.4.2"
@@ -121,6 +124,7 @@ url = { version = "2.3.1", features = ["serde"] }
 uuid = { version = "1.3.2", features = ["serde", "v4"] }
 vfs = "0.10.0"
 vfs-tar = { version = "0.4.0", features = ["mmap"] }
+webpki-roots = { version = "0.25.3" }
 y-sync = { version = "0.4.0", features = ["net"] }
 yrs = { version = "0.17.2" }
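Review bot: `tokio-postgres-rustls = { version = "0.10.0" }` brings a second copy of `ring` (0.16.20, listed under the generated `tokio-postgres-rustls-0.10.0` deps earlier in this patch, together with `untrusted 0.7.1`) next to the `=0.17.5` pin the manifest keeps for control over that crate, so two sets of crypto primitives are now compiled and the pin no longer governs all of them. That is worth recording on this line, e.g. `tokio-postgres-rustls = { version = "0.10.0" } # NOTE: still on ring 0.16 — a second ring copy next to the =0.17.5 pin above`, and worth checking whether a release on the same ring series as `rustls` 0.21 exists so the duplicate can be dropped. The `webpki-roots` addition in the following hunk supplies only the bundled public root store; if the Postgres server certificate chains to a private CA, those roots alone will not validate it and the connector has to load that CA explicitly — that code is outside this chunk.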