PostgreSQL certs from guest mount

Signed-off-by: itowlson <ivan.towlson@fermyon.com>

Author: itowlson

Cargo.lock

@@ -14,16 +14,20 @@ native-tls = "0.2"
 postgres-native-tls = "0.5"
 postgres_range = "0.11"
 rust_decimal = { version = "1.37", features = ["db-tokio-postgres"] }
+tokio-rustls = { workspace = true }
 serde_json = { workspace = true }
+spin-common = { path = "../common" }
 spin-core = { path = "../core" }
 spin-factor-otel = { path = "../factor-otel" }
 spin-factor-outbound-networking = { path = "../factor-outbound-networking" }
 spin-factors = { path = "../factors" }
+spin-locked-app = { path = "../locked-app" }
 spin-resource-table = { path = "../table" }
 spin-world = { path = "../world" }
 tokio = { workspace = true, features = ["rt-multi-thread"] }
 tokio-postgres = { version = "0.7", features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-1"] }
 tracing = { workspace = true }
+url = { workspace = true }
 uuid = "1"
 
 [dev-dependencies]

crates/factor-outbound-pg/Cargo.toml

@@ -2,11 +2,12 @@ use anyhow::{Context, Result};
 use native_tls::TlsConnector;
 use postgres_native_tls::MakeTlsConnector;
 use spin_world::async_trait;
-use spin_world::spin::postgres4_0_0::postgres::{
+use spin_world::spin::postgres4_1_0::postgres::{
     self as v4, Column, DbValue, ParameterValue, RowSet,
 };
+use tokio_postgres::config::SslMode;
 use tokio_postgres::types::ToSql;
-use tokio_postgres::{config::SslMode, NoTls, Row};
+use tokio_postgres::{NoTls, Row};
 
 use crate::types::{convert_data_type, convert_entry, to_sql_parameter};
 
@@ -22,12 +23,12 @@ pub trait ClientFactory: Default + Send + Sync + 'static {
     /// The type of client produced by `get_client`.
     type Client: Client;
     /// Gets a client from the factory.
-    async fn get_client(&self, address: &str) -> Result<Self::Client>;
+    async fn get_client(&self, address: &str, root_ca: Option<&String>) -> Result<Self::Client>;
 }
 
 /// A `ClientFactory` that uses a connection pool per address.
 pub struct PooledTokioClientFactory {
-    pools: moka::sync::Cache<String, deadpool_postgres::Pool>,
+    pools: moka::sync::Cache<(String, Option<String>), deadpool_postgres::Pool>,
 }
 
 impl Default for PooledTokioClientFactory {
@@ -42,10 +43,11 @@ impl Default for PooledTokioClientFactory {
 impl ClientFactory for PooledTokioClientFactory {
     type Client = deadpool_postgres::Object;
 
-    async fn get_client(&self, address: &str) -> Result<Self::Client> {
+    async fn get_client(&self, address: &str, root_ca: Option<&String>) -> Result<Self::Client> {
+        let pool_key = (address.to_string(), root_ca.cloned());
         let pool = self
             .pools
-            .try_get_with_by_ref(address, || create_connection_pool(address))
+            .try_get_with_by_ref(&pool_key, || create_connection_pool(address, root_ca))
             .map_err(ArcError)
             .context("establishing PostgreSQL connection pool")?;
 
@@ -54,7 +56,10 @@ impl ClientFactory for PooledTokioClientFactory {
 }
 
 /// Creates a Postgres connection pool for the given address.
-fn create_connection_pool(address: &str) -> Result<deadpool_postgres::Pool> {
+fn create_connection_pool(
+    address: &str,
+    root_ca: Option<&String>,
+) -> Result<deadpool_postgres::Pool> {
     let config = address
         .parse::<tokio_postgres::Config>()
         .context("parsing Postgres connection string")?;
@@ -68,7 +73,11 @@ fn create_connection_pool(address: &str) -> Result<deadpool_postgres::Pool> {
     let mgr = if config.get_ssl_mode() == SslMode::Disable {
         deadpool_postgres::Manager::from_config(config, NoTls, mgr_config)
     } else {
-        let builder = TlsConnector::builder();
+        let mut builder = TlsConnector::builder();
+        if let Some(root_ca) = root_ca {
+            let cert_bytes = root_ca.as_bytes();
+            builder.add_root_certificate(native_tls::Certificate::from_pem(cert_bytes)?);
+        }
         let connector = MakeTlsConnector::new(builder.build()?);
         deadpool_postgres::Manager::from_config(config, connector, mgr_config)
     };

crates/factor-outbound-pg/src/client.rs

@@ -1,7 +1,7 @@
 use anyhow::Result;
 use spin_core::wasmtime::component::Resource;
 use spin_world::spin::postgres3_0_0::postgres::{self as v3};
-use spin_world::spin::postgres4_0_0::postgres::{self as v4};
+use spin_world::spin::postgres4_1_0::postgres::{self as v4};
 use spin_world::v1::postgres as v1;
 use spin_world::v1::rdbms_types as v1_types;
 use spin_world::v2::postgres::{self as v2};
@@ -17,11 +17,12 @@ impl<CF: ClientFactory> InstanceState<CF> {
     async fn open_connection<Conn: 'static>(
         &mut self,
         address: &str,
+        root_ca: Option<&String>,
     ) -> Result<Resource<Conn>, v4::Error> {
         self.connections
             .push(
                 self.client_factory
-                    .get_client(address)
+                    .get_client(address, root_ca)
                     .await
                     .map_err(|e| v4::Error::ConnectionFailed(format!("{e:?}")))?,
             )
@@ -102,7 +103,7 @@ impl<CF: ClientFactory> v3::HostConnection for InstanceState<CF> {
 
         self.ensure_address_allowed(&address).await?;
 
-        Ok(self.open_connection(&address).await?)
+        Ok(self.open_connection(&address, None).await?)
     }
 
     #[instrument(name = "spin_outbound_pg.execute", skip(self, connection, params), err(level = Level::INFO), fields(otel.kind = "client", db.system = "postgresql", otel.name = statement))]
@@ -140,14 +141,67 @@ impl<CF: ClientFactory> v3::HostConnection for InstanceState<CF> {
     }
 }
 
+pub(crate) struct ConnectionBuilder {
+    address: String,
+    root_ca: Option<String>,
+}
+
+impl<CF: ClientFactory> v4::HostConnectionBuilder for InstanceState<CF> {
+    async fn new(&mut self, address: String) -> Result<Resource<v4::ConnectionBuilder>> {
+        let builder = ConnectionBuilder {
+            address,
+            root_ca: None,
+        };
+        let rep = self
+            .builders
+            .push(builder)
+            .map_err(|_| anyhow::anyhow!("out of builder table space"))?;
+        let rsrc = Resource::new_own(rep);
+        Ok(rsrc)
+    }
+
+    async fn set_ca_root(
+        &mut self,
+        self_: Resource<v4::ConnectionBuilder>,
+        certificate: String,
+    ) -> Result<(), v4::Error> {
+        let builder = self
+            .builders
+            .get_mut(self_.rep())
+            .ok_or_else(|| v4::Error::ConnectionFailed("no builder found".into()))?;
+        builder.root_ca = Some(certificate);
+        Ok(())
+    }
+
+    async fn build(
+        &mut self,
+        self_: Resource<v4::ConnectionBuilder>,
+    ) -> Result<Resource<v4::Connection>, v4::Error> {
+        let builder = self
+            .builders
+            .get_mut(self_.rep())
+            .ok_or_else(|| v4::Error::ConnectionFailed("no builder found".into()))?;
+        // borrow checker gets pedantic here, so we need to outsmart it
+        let address = builder.address.clone();
+        let root_ca = builder.root_ca.clone();
+        let conn = self.open_connection(&address, root_ca.as_ref()).await;
+        conn
+    }
+
+    async fn drop(&mut self, builder: Resource<v4::ConnectionBuilder>) -> Result<()> {
+        self.builders.remove(builder.rep());
+        Ok(())
+    }
+}
+
 impl<CF: ClientFactory> v4::HostConnection for InstanceState<CF> {
     #[instrument(name = "spin_outbound_pg.open", skip(self, address), err(level = Level::INFO), fields(otel.kind = "client", db.system = "postgresql", db.address = Empty, server.port = Empty, db.namespace = Empty))]
     async fn open(&mut self, address: String) -> Result<Resource<v4::Connection>, v4::Error> {
         spin_factor_outbound_networking::record_address_fields(&address);
 
         self.ensure_address_allowed(&address).await?;
 
-        self.open_connection(&address).await
+        self.open_connection(&address, None).await
     }
 
     #[instrument(name = "spin_outbound_pg.execute", skip(self, connection, params), err(level = Level::INFO), fields(otel.kind = "client", db.system = "postgresql", otel.name = statement))]
@@ -204,7 +258,7 @@ impl<CF: ClientFactory> v4::Host for InstanceState<CF> {
 macro_rules! delegate {
     ($self:ident.$name:ident($address:expr, $($arg:expr),*)) => {{
         $self.ensure_address_allowed(&$address).await?;
-        let connection = match $self.open_connection(&$address).await {
+        let connection = match $self.open_connection(&$address, None).await {
             Ok(c) => c,
             Err(e) => return Err(e.into()),
         };
@@ -224,7 +278,7 @@ impl<CF: ClientFactory> v2::HostConnection for InstanceState<CF> {
 
         self.ensure_address_allowed(&address).await?;
 
-        Ok(self.open_connection(&address).await?)
+        Ok(self.open_connection(&address, None).await?)
     }
 
     #[instrument(name = "spin_outbound_pg.execute", skip(self, connection, params), err(level = Level::INFO), fields(otel.kind = "client", db.system = "postgresql", otel.name = statement))]

crates/factor-outbound-pg/src/host.rs

@@ -2,6 +2,8 @@ pub mod client;
 mod host;
 mod types;
 
+use std::{collections::HashMap, sync::Arc};
+
 use client::ClientFactory;
 use spin_factor_otel::OtelFactorState;
 use spin_factor_outbound_networking::{
@@ -11,15 +13,14 @@ use spin_factors::{
     anyhow, ConfigureAppContext, Factor, FactorData, PrepareContext, RuntimeFactors,
     SelfInstanceBuilder,
 };
-use std::sync::Arc;
 
 pub struct OutboundPgFactor<CF = crate::client::PooledTokioClientFactory> {
     _phantom: std::marker::PhantomData<CF>,
 }
 
 impl<CF: ClientFactory> Factor for OutboundPgFactor<CF> {
     type RuntimeConfig = ();
-    type AppState = Arc<CF>;
+    type AppState = HashMap<String, Arc<CF>>;
     type InstanceBuilder = InstanceState<CF>;
 
     fn init(&mut self, ctx: &mut impl spin_factors::InitContext<Self>) -> anyhow::Result<()> {
@@ -29,16 +30,20 @@ impl<CF: ClientFactory> Factor for OutboundPgFactor<CF> {
             spin_world::spin::postgres3_0_0::postgres::add_to_linker::<_, FactorData<Self>>,
         )?;
         ctx.link_bindings(
-            spin_world::spin::postgres4_0_0::postgres::add_to_linker::<_, FactorData<Self>>,
+            spin_world::spin::postgres4_1_0::postgres::add_to_linker::<_, FactorData<Self>>,
         )?;
         Ok(())
     }
 
     fn configure_app<T: RuntimeFactors>(
         &self,
-        _ctx: ConfigureAppContext<T, Self>,
+        ctx: ConfigureAppContext<T, Self>,
     ) -> anyhow::Result<Self::AppState> {
-        Ok(Arc::new(CF::default()))
+        let mut client_factories = HashMap::new();
+        for comp in ctx.app().components() {
+            client_factories.insert(comp.id().to_string(), Arc::new(CF::default()));
+        }
+        Ok(client_factories)
     }
 
     fn prepare<T: RuntimeFactors>(
@@ -49,12 +54,14 @@ impl<CF: ClientFactory> Factor for OutboundPgFactor<CF> {
             .instance_builder::<OutboundNetworkingFactor>()?
             .allowed_hosts();
         let otel = OtelFactorState::from_prepare_context(&mut ctx)?;
+        let cf = ctx.app_state().get(ctx.app_component().id()).unwrap();
 
         Ok(InstanceState {
             allowed_hosts,
-            client_factory: ctx.app_state().clone(),
+            client_factory: cf.clone(),
             connections: Default::default(),
             otel,
+            builders: Default::default(),
         })
     }
 }
@@ -78,6 +85,7 @@ pub struct InstanceState<CF: ClientFactory> {
     client_factory: Arc<CF>,
     connections: spin_resource_table::Table<CF::Client>,
     otel: OtelFactorState,
+    builders: spin_resource_table::Table<host::ConnectionBuilder>,
 }
 
 impl<CF: ClientFactory> SelfInstanceBuilder for InstanceState<CF> {}

crates/factor-outbound-pg/src/lib.rs

@@ -1,4 +1,4 @@
-use spin_world::spin::postgres4_0_0::postgres::{DbDataType, DbValue, ParameterValue};
+use spin_world::spin::postgres4_1_0::postgres::{DbDataType, DbValue, ParameterValue};
 use tokio_postgres::types::{FromSql, Type};
 use tokio_postgres::{types::ToSql, Row};
 

crates/factor-outbound-pg/src/types.rs

@@ -2,7 +2,7 @@
 //! the tokio_postgres driver.
 
 use anyhow::{anyhow, Context};
-use spin_world::spin::postgres4_0_0::postgres::{self as v4};
+use spin_world::spin::postgres4_1_0::postgres::{self as v4};
 
 use super::decimal::RangeableDecimal;
 

crates/factor-outbound-pg/src/types/convert.rs

@@ -1,5 +1,5 @@
 use anyhow::Result;
-use spin_world::spin::postgres4_0_0::postgres::{self as v4};
+use spin_world::spin::postgres4_1_0::postgres::{self as v4};
 use tokio_postgres::types::{FromSql, ToSql, Type};
 
 #[derive(Debug)]

crates/factor-outbound-pg/src/types/interval.rs

@@ -7,10 +7,10 @@ use spin_factor_variables::VariablesFactor;
 use spin_factors::{anyhow, RuntimeFactors};
 use spin_factors_test::{toml, TestEnvironment};
 use spin_world::async_trait;
-use spin_world::spin::postgres4_0_0::postgres::Error as PgError;
-use spin_world::spin::postgres4_0_0::postgres::HostConnection;
-use spin_world::spin::postgres4_0_0::postgres::{self as v2};
-use spin_world::spin::postgres4_0_0::postgres::{ParameterValue, RowSet};
+use spin_world::spin::postgres4_1_0::postgres::Error as PgError;
+use spin_world::spin::postgres4_1_0::postgres::HostConnection;
+use spin_world::spin::postgres4_1_0::postgres::{self as v2};
+use spin_world::spin::postgres4_1_0::postgres::{ParameterValue, RowSet};
 
 #[derive(RuntimeFactors)]
 struct TestFactors {
@@ -112,7 +112,7 @@ pub struct MockClient {}
 #[async_trait]
 impl ClientFactory for MockClientFactory {
     type Client = MockClient;
-    async fn get_client(&self, _address: &str) -> Result<Self::Client> {
+    async fn get_client(&self, _address: &str, _root_ca: Option<&String>) -> Result<Self::Client> {
         Ok(MockClient {})
     }
 }

crates/factor-outbound-pg/tests/factor_test.rs

@@ -3,7 +3,7 @@ use super::*;
 mod rdbms_types {
     use super::*;
     use spin::postgres3_0_0::postgres as pg3;
-    use spin::postgres4_0_0::postgres as pg4;
+    use spin::postgres4_1_0::postgres as pg4;
 
     impl From<v2::rdbms_types::Column> for v1::rdbms_types::Column {
         fn from(value: v2::rdbms_types::Column) -> Self {
@@ -15,7 +15,7 @@ mod rdbms_types {
     }
 
     impl From<pg4::Column> for v1::rdbms_types::Column {
-        fn from(value: spin::postgres4_0_0::postgres::Column) -> Self {
+        fn from(value: pg4::Column) -> Self {
             v1::rdbms_types::Column {
                 name: value.name,
                 data_type: value.data_type.into(),
@@ -422,7 +422,7 @@ mod rdbms_types {
 mod postgres {
     use super::*;
     use spin::postgres3_0_0::postgres as pg3;
-    use spin::postgres4_0_0::postgres as pg4;
+    use spin::postgres4_1_0::postgres as pg4;
 
     impl From<pg4::RowSet> for v1::postgres::RowSet {
         fn from(value: pg4::RowSet) -> v1::postgres::RowSet {