
fix: enforce TLS validation for DB connections [PM-22023]#1104

Draft
m2ux wants to merge 5 commits into main from fix/PM-22023-enforce-tls-validation-db

Conversation

@m2ux
Contributor

@m2ux m2ux commented Mar 27, 2026

Summary

Enforce TLS validation for PostgreSQL connections and eliminate the plaintext connection path, addressing Least Authority audit finding Issue C (PM-22023).

🎫 Ticket 📐 Engineering


Motivation

See engineering plan


Changes

  • Main chain follower (node) — Extracted build_ssl_connect_options for testable SSL mode selection; removed allow_non_ssl parameter from get_connection; updated all 10 call sites; added deprecation warning when allow_non_ssl=true is configured
  • Configuration (node/cfg) — Added #[validate] path-exists check for ssl_root_cert; updated doc comments marking allow_non_ssl as deprecated
  • Change file — Added audit-enforce-tls-validation-db.md for release notes
  • Tests — 4 new unit tests covering VerifyFull with cert, Require fallback without cert, Disable-never, and invalid connection string

📌 Submission Checklist

  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason: included audit-enforce-tls-validation-db.md
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other
  • N/A

🗹 TODO before merging

  • Implementation complete
  • Tests pass
  • Ready for review

@m2ux m2ux self-assigned this Mar 27, 2026
m2ux added 2 commits March 27, 2026 10:41
Initial change file for Least Authority audit finding Issue C —
enforce strict TLS validation for PostgreSQL connections.
@m2ux m2ux force-pushed the fix/PM-22023-enforce-tls-validation-db branch from 9775ef7 to bab14fb on March 27, 2026 10:42
m2ux added 3 commits March 27, 2026 11:09
Remove PgSslMode::Disable path — plaintext DB connections are no
longer permitted regardless of allow_non_ssl setting. The flag is
deprecated with a startup warning.

When ssl_root_cert is configured, connections use VerifyFull (cert +
hostname validation). Without ssl_root_cert, connections fall back to
Require (encrypted, no cert validation) with a warning.

Add config validation for ssl_root_cert path and unit tests for SSL
mode selection logic.

Addresses: Least Authority Node DIFF Audit Issue C (High severity)
JIRA: PM-22023
The previous commit removed PgSslMode::Disable entirely, but the
node-dev-01 local environment sets ALLOW_NON_SSL=true to connect to
a PostgreSQL without SSL. This caused the e2e Local Environment Tests
to fail in CI.

Restore the Disable path when allow_non_ssl=true with a deprecation
warning. The security improvement (VerifyFull when ssl_root_cert is
configured, Require as fallback) remains intact for production.

Made-with: Cursor
Made-with: Cursor
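The mode-selection rule described in the PR summary and in the commit messages above (VerifyFull when `ssl_root_cert` is configured, Require as the encrypted-but-unvalidated fallback, Disable only behind the deprecated `allow_non_ssl` flag, plus a config-time path-exists check), written out as an added example. This is not the project's `build_ssl_connect_options` and not code from the PR: `PgSslMode` below is a local stand-in for the sqlx enum of that name, `DbConfig`, `SslChoice`, `select_ssl_mode`, `validate_root_cert` and `libpq_params` are hypothetical names, the `/etc/node/ca.pem` path is constructed sample input, and the precedence when both `ssl_root_cert` and `allow_non_ssl=true` are set (cert wins) is an assumption the PR text does not settle.

```rust
// Added example, not the project's code. PgSslMode is a local stand-in for
// sqlx::postgres::PgSslMode; DbConfig / SslChoice / function names are hypothetical.
use std::path::{Path, PathBuf};

/// Stand-in for sqlx's PgSslMode, reduced to the variants this logic produces.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PgSslMode {
    Disable,
    Require,
    VerifyFull,
}

impl PgSslMode {
    /// libpq-style `sslmode` keyword value for this mode.
    pub fn as_libpq(self) -> &'static str {
        match self {
            PgSslMode::Disable => "disable",
            PgSslMode::Require => "require",
            PgSslMode::VerifyFull => "verify-full",
        }
    }
}

/// Hypothetical slice of the node's DB configuration.
#[derive(Debug, Default, Clone)]
pub struct DbConfig {
    pub ssl_root_cert: Option<PathBuf>,
    pub allow_non_ssl: bool,
}

/// Outcome of selection: the mode to use plus any warning to log at startup.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SslChoice {
    pub mode: PgSslMode,
    pub root_cert: Option<PathBuf>,
    pub warning: Option<String>,
}

/// Config-time check analogous to the PR's `#[validate]` path-exists rule:
/// a configured ssl_root_cert must point at an existing file, otherwise
/// VerifyFull fails later at connect time with a less obvious error.
pub fn validate_root_cert(cfg: &DbConfig) -> Result<(), String> {
    match &cfg.ssl_root_cert {
        None => Ok(()),
        Some(p) if Path::new(p).is_file() => Ok(()),
        Some(p) => Err(format!("ssl_root_cert does not exist: {}", p.display())),
    }
}

/// Pick the SSL mode from configuration. Precedence (assumption: the PR does
/// not say what happens when both fields are set):
///   1. ssl_root_cert set   -> VerifyFull (CA + hostname validation), no warning
///   2. allow_non_ssl=true  -> Disable, with a deprecation warning
///   3. otherwise           -> Require (encrypted, server cert not validated), with a warning
pub fn select_ssl_mode(cfg: &DbConfig) -> SslChoice {
    if let Some(cert) = &cfg.ssl_root_cert {
        return SslChoice { mode: PgSslMode::VerifyFull, root_cert: Some(cert.clone()), warning: None };
    }
    if cfg.allow_non_ssl {
        return SslChoice {
            mode: PgSslMode::Disable,
            root_cert: None,
            warning: Some("allow_non_ssl is deprecated; plaintext DB connections will be removed".into()),
        };
    }
    SslChoice {
        mode: PgSslMode::Require,
        root_cert: None,
        warning: Some("ssl_root_cert not set; TLS is enforced but the server certificate is not validated".into()),
    }
}

/// Render the choice as libpq connection keywords, e.g.
/// `sslmode=verify-full sslrootcert=/etc/node/ca.pem`.
pub fn libpq_params(choice: &SslChoice) -> String {
    let mut s = format!("sslmode={}", choice.mode.as_libpq());
    if let Some(cert) = &choice.root_cert {
        s.push_str(&format!(" sslrootcert={}", cert.display()));
    }
    s
}

fn main() {
    // Constructed sample configurations.
    let configs = [
        ("prod with CA", DbConfig { ssl_root_cert: Some(PathBuf::from("/etc/node/ca.pem")), allow_non_ssl: false }),
        ("prod without CA", DbConfig::default()),
        ("local dev", DbConfig { ssl_root_cert: None, allow_non_ssl: true }),
    ];
    for (label, cfg) in &configs {
        let choice = select_ssl_mode(cfg);
        println!("{label}: {}", libpq_params(&choice));
        if let Some(w) = &choice.warning {
            println!("  WARN: {w}");
        }
    }
}
```

The Require fallback is deliberately loud: it still leaves the node open to an active attacker presenting any certificate, which is exactly the gap the audit finding is about, so the warning is what tells an operator that a production deployment has not actually closed it until `ssl_root_cert` is set.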