Merge pull request #1952 from MarcoIeni/rds-ca

Kobzol · web-flow · commit 38c1b72cf392 · 2024-07-25T09:47:13.000+02:00
Update the RDS root CA list
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/database/Cargo.toml b/database/Cargo.toml
@@ -24,3 +24,4 @@ log = "0.4"
 bytes = "1"
 csv = "1"
 clap = { version = "4.1", features = ["cargo"] }
+x509-cert = { version = "0.2.5", features = ["pem"] }
diff --git a/database/src/pool/postgres.rs b/database/src/pool/postgres.rs
@@ -22,10 +22,10 @@ impl Postgres {
     }
 }
 
-const CERT_URL: &str = "https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem";
+const CERT_URL: &str = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem";
 
 lazy_static::lazy_static! {
-    static ref CERTIFICATE_PEM: Vec<u8> = {
+    static ref CERTIFICATE_PEMS: Vec<u8> = {
         let client = reqwest::blocking::Client::new();
         let resp = client
             .get(CERT_URL)
@@ -37,12 +37,11 @@ lazy_static::lazy_static! {
 
 async fn make_client(db_url: &str) -> anyhow::Result<tokio_postgres::Client> {
     if db_url.contains("rds.amazonaws.com") {
-        let cert = &CERTIFICATE_PEM[..];
-        let cert = Certificate::from_pem(cert).context("made certificate")?;
-        let connector = TlsConnector::builder()
-            .add_root_certificate(cert)
-            .build()
-            .context("built TlsConnector")?;
+        let mut builder = TlsConnector::builder();
+        for cert in make_certificates() {
+            builder.add_root_certificate(cert);
+        }
+        let connector = builder.build().context("built TlsConnector")?;
         let connector = MakeTlsConnector::new(connector);
 
         let (db_client, connection) = match tokio_postgres::connect(db_url, connector).await {
@@ -76,6 +75,16 @@ async fn make_client(db_url: &str) -> anyhow::Result<tokio_postgres::Client> {
         Ok(db_client)
     }
 }
+fn make_certificates() -> Vec<Certificate> {
+    use x509_cert::der::pem::LineEnding;
+    use x509_cert::der::EncodePem;
+
+    let certs = x509_cert::Certificate::load_pem_chain(&CERTIFICATE_PEMS[..]).unwrap();
+    certs
+        .into_iter()
+        .map(|cert| Certificate::from_pem(cert.to_pem(LineEnding::LF).unwrap().as_bytes()).unwrap())
+        .collect()
+}
 
 static MIGRATIONS: &[&str] = &[
     "",
@@ -1349,3 +1358,16 @@ fn parse_artifact_id(ty: &str, sha: &str, date: Option<DateTime<Utc>>) -> Artifa
         _ => panic!("unknown artifact type: {:?}", ty),
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::make_certificates;
+
+    // Makes sure we successfully parse the RDS certificates and load them into native-tls compatible
+    // format.
+    #[test]
+    fn can_make_certificates() {
+        let certs = make_certificates();
+        assert!(!certs.is_empty());
+    }
+}
